Unit-1 CyberSecurity
Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and
reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other
organizations, and the Nation.
What is Risk?
An organization’s risk profile fluctuates depending on internal and external environmental factors. It incorporates not just
the potential or probability of a negative event, but the impact that event may have on your infrastructure. And though risk can never be
100% eliminated—cybersecurity is a persistently moving target, after all—it can be managed to a level that satisfies your organization’s
tolerance for risk. No matter how you deal with it, the end goal remains the same—to keep your overall risk low, manageable and known.
It’s important for organizations to maintain complete and continuous visibility of all entities within their entire network. Third-party risk
management enables organizations to take advantage of the benefits that vendors can provide without compromising on security.
Organizations should implement a Zero Trust Security model, in which access is granted only according to each user’s or device’s
specific job function. This limits the number of opportunities for insiders to negligently or maliciously misuse the access they
have been given.
Lacking compliance measures
As data privacy increasingly becomes a concern for customers, more regulatory compliance standards such as PCI, HIPAA, and GDPR are
being put into place. While these regulations are an important point of consideration that should be followed, it’s important to understand
that maintaining compliance with these standards does not guarantee an organization is secured from attackers.
Traditional point-in-time assessments are no longer sufficient as organizations can drift in and out of compliance between audits. Instead,
an effective cybersecurity strategy should include the ability to continuously monitor your entire network ecosystem for non-compliance so
that your organization can shift to meet evolving industry requirements.
Data Breach
A data breach is an incident where information is stolen or taken from a system without the knowledge or authorization of
the system’s owner. A small company or large organization may suffer a data breach. Stolen data may involve sensitive,
proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national
security.
The effects brought on by a data breach can come in the form of damage to the target company’s reputation due to a
perceived ‘betrayal of trust.’ Victims and their customers may also suffer financial losses should related records be part of
the information stolen.
Most data breaches are attributed to hacking or malware attacks. Other frequently observed breach methods include the
following:
Insider leak: A trusted individual or person of authority with access privileges steals data.
Payment card fraud: Payment card data is stolen using physical skimming devices.
Loss or theft: Portable drives, laptops, office computers, files, and other physical properties are lost or stolen.
Unknown: In a small number of cases, the actual breach method is unknown or undisclosed.
Research
The attacker, having picked a target, looks for weaknesses to exploit: employees, systems, or the network. This entails long
hours of research on the attacker’s part and may involve stalking employees’ social media profiles to find what sort of
infrastructure the company has.
Attack
Having scoped a target’s weaknesses, the attacker makes initial contact either through a network-based or social attack.
In a network-based attack, the attacker exploits weaknesses in the target’s infrastructure to instigate a breach. These
weaknesses may include, but are not limited to, SQL injection, vulnerability exploitation, and/or session hijacking.
In a social attack, the attacker uses social engineering tactics to infiltrate the target network. This may involve a maliciously
crafted email sent to an employee, tailor-made to catch that specific employee’s attention. The email can phish for
information, fooling the reader into supplying personal data to the sender, or come with a malware attachment set to execute
when downloaded.
Exfiltrate
Once inside the network, the attacker is free to extract data from the company’s network. This data may be used for either
blackmail or cyberpropaganda. The information an attacker collects can also be used to execute more damaging attacks on
the target’s infrastructure.
The causes of a data breach can sometimes be traced back to an intentional attack. However, a breach can just as easily result from a
simple oversight by an individual or from flaws in a company’s infrastructure.
An Accidental Insider. An example would be an employee using a co-worker's computer and reading files without having the proper
authorization permissions. The access is unintentional, and no information is shared. However, because it was viewed by an unauthorized
person, the data is considered breached.
A Malicious Insider. This person purposely accesses and/or shares data with the intent of causing harm to an individual or company.
The malicious insider may have legitimate authorization to use the data, but the intent is to use the information in nefarious ways.
Lost or Stolen Devices. An unencrypted and unlocked laptop or external hard drive — anything that contains sensitive information —
goes missing.
Malicious Outside Criminals. These are hackers who use various attack vectors to gather information from a network or an individual.
Phishing
Malware
Phishing. These social engineering attacks are designed to fool you into causing a data breach. Phishing attackers pose as people or
organizations you trust in order to deceive you easily. Criminals of this nature try to coax you into handing over access to sensitive data or
into providing the data itself.
Brute force attacks. In a more brash approach, hackers might enlist software tools to guess your passwords. Brute force attacks
work through all the possibilities for your password until they guess correctly. These attacks take some time but have become rapid as
computer speeds continue to improve. Hackers even hijack other devices like yours via malware infections to speed up the process. If your
password is weak, it might only take a few seconds to crack it.
Malware. Your device’s operating system, software, hardware, or the network and servers you’re connected to can have security flaws.
These gaps in protection are sought out by criminals as the perfect place to shove malware into. Spyware specifically is ideal for stealing
private data while being completely undetected. You might not find this infection until it’s too late.
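The brute force description above is where a defender would want a detection rule. The following is an added example, not code from the original notes: it parses a constructed, sshd-style authentication log (format assumed) and flags any source that produces five or more failed logins inside a 60-second window, also recording whether that source later logged in successfully, which is the clearest sign that guessing worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format (assumed layout, not taken from the notes).
# One source tries five accounts within five seconds and then logs in as "bob";
# another source merely has two widely spaced failures before succeeding.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:02 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:03 sshd: Failed password for root from 198.51.100.7
2024-03-01T10:00:04 sshd: Failed password for admin from 198.51.100.7
2024-03-01T10:00:05 sshd: Failed password for bob from 198.51.100.7
2024-03-01T10:00:06 sshd: Accepted password for bob from 198.51.100.7
2024-03-01T10:05:00 sshd: Failed password for carol from 203.0.113.9
2024-03-01T10:30:00 sshd: Failed password for carol from 203.0.113.9
2024-03-01T11:00:00 sshd: Accepted password for carol from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, source) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside a sliding time window.

    Returns {source: {"first_seen", "count", "users", "followed_by_success"}}.
    A later successful login from a flagged source is recorded because it is the
    strongest sign that password guessing actually worked.
    """
    recent = defaultdict(deque)  # source -> deque of (timestamp, user) failures in window
    alerts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Failed":
            q = recent[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"first_seen": q[0][0], "followed_by_success": None})
                a["count"] = len(q)
                a["users"] = sorted({u for _, u in q})
        elif src in alerts:                       # Accepted after a burst of failures
            alerts[src]["followed_by_success"] = user
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(src, alert)
```

The two spaced-out failures from the second source never reach the threshold, which is the point of the window: a real user mistyping a password twice in half an hour is not an attack.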
1) Malware
Malware attacks are the most common cyber security threats. Malware is defined as malicious software, including
spyware, ransomware, viruses, and worms, which gets installed on the system when the user clicks a dangerous
link or email attachment. Once inside the system, malware can block access to critical components of the network, damage the
system, and gather confidential information, among other effects.
2) Phishing
Cybercriminals send malicious emails that seem to come from legitimate sources. The user is then tricked into
clicking the malicious link in the email, leading to malware installation or disclosure of sensitive information like
credit card details and login credentials.
3) Spear Phishing
Spear phishing is a more sophisticated form of a phishing attack in which cybercriminals target only privileged users
such as system administrators and C-suite executives.
4) Man in the Middle (MitM) Attack
A Man in the Middle (MitM) attack occurs when cybercriminals place themselves between the two parties of a communication.
Once the attacker intercepts the communication, they may filter and steal sensitive data and return different
responses to the user.
5) Denial of Service (DoS)
Denial of Service attacks aim to flood systems, networks, or servers with massive traffic, thereby making the
system unable to fulfill legitimate requests. Attackers can also use several infected devices to launch an attack on the
target system. This is known as a Distributed Denial of Service (DDoS) attack.
The year 2019 saw a staggering 8.4 million DDoS attacks.
6) SQL Injection
A Structured Query Language (SQL) injection attack occurs when cybercriminals attempt to access the database by
supplying malicious SQL through application inputs that are passed to the database. Once successful, the malicious actor can view,
change, or delete data stored in the SQL database.
SQL injection accounts for nearly 65.1% of all web application attacks.
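To make the mechanism concrete, here is an added example (not from the original notes) showing the vulnerable pattern, a lookup built by string concatenation, beside the hardened form that binds the value as a parameter. The table, the rows and the search term are all constructed; it uses Python's built-in sqlite3 so it runs offline.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, term):
    """Builds the query by string concatenation: whatever the user typed becomes SQL."""
    sql = "SELECT username FROM users WHERE username = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, term):
    """Parameterised query: the value is bound separately, so quotes in it stay data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    conn = make_db()
    normal = "alice"
    tautology = "' OR '1'='1"   # the classic always-true input from the search-box scenario
    print(find_user_vulnerable(conn, normal))      # ['alice'] - looks correct during testing
    print(find_user_vulnerable(conn, tautology))   # ['alice', 'bob'] - WHERE clause made always-true
    print(find_user_safe(conn, tautology))         # [] - no user literally has that name
```

Input validation and least-privilege database accounts are worthwhile extra layers, but parameterisation is what removes the defect: the database never sees user input as query text.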
7) Zero-day Exploit
A zero-day attack occurs when a software or hardware vulnerability is announced, and cybercriminals exploit the
vulnerability before a patch or solution is implemented.
It is predicted that zero-day attacks will rise to one per day by 2021.
8) Advanced Persistent Threat (APT)
An advanced persistent threat occurs when a malicious actor gains unauthorized access to a system or network and
remains undetected for an extended time.
45% of organizations feel that they are likely to be the target of an APT.
9) Ransomware
Ransomware is a type of malware attack in which the attacker locks or encrypts the victim’s data and threatens to
publish or block access to data unless a ransom is paid. Learning more about ransomware threats can help
companies prevent and cope with them better.
2021.
10) DNS Attack
A DNS attack is a cyber attack in which cybercriminals exploit vulnerabilities in the Domain Name System (DNS).
The attackers leverage the DNS vulnerabilities to divert site visitors to malicious pages (DNS Hijacking) and remove
data from compromised systems (DNS Tunneling).
1) Nation States
Cyber attacks by a nation can inflict detrimental impact by disrupting communications, military activities, and
everyday life.
2) Criminal Groups
Criminal groups aim to infiltrate systems or networks for financial gain. These groups use phishing, spam, spyware,
and malware to conduct identity theft, online fraud, and system extortion.
3) Hackers
Hackers explore various cyber techniques to breach defenses and exploit vulnerabilities in a computer system or
network. They are motivated by personal gain, revenge, stalking, financial gain, and political activism. Hackers
develop new types of threats for the thrill of challenge or bragging rights in the hacker community.
4) Terrorist Groups
Terrorists conduct cyber attacks to destroy, infiltrate, or exploit critical infrastructure to threaten national security,
compromise military equipment, disrupt the economy, and cause mass casualties.
5) Hacktivists
Hacktivists carry out cyberattacks in support of political causes rather than for financial gain. They target industries,
organizations, or individuals who don’t align with their political ideas and agenda.
6) Malicious Insiders
97% of surveyed IT leaders expressed concerns about insider threats in cyber security. Insiders can include
employees, third-party vendors, contractors, or other business associates who have legitimate access to enterprise
assets but misuse that access to steal or destroy information for financial or personal gain.
7) Corporate Spies
Corporate spies conduct industrial or business espionage to either make a profit or disrupt a competitor’s business
by attacking critical infrastructure, stealing trade secrets, and gaining access
A cyber attack is an attempt to disable computers, steal data, or use a breached computer system to
launch additional attacks. Cybercriminals use different methods to launch a cyber attack, including
malware, phishing, ransomware, man-in-the-middle attacks, and others.
1. Malware
Malware is a term that describes malicious software, including spyware, ransomware, viruses, and
worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous
link or email attachment that then installs risky software.
2. Phishing
Phishing is the practice of sending fraudulent communications that seem to come from a reputable
source, usually through email. The goal is to steal sensitive data like credit card and login
information or to install malware on the victim’s machine. Phishing is an increasingly common
cyberthreat.
3. Man-in-the-middle attack
Man-in-the-middle (MitM) attacks, also called eavesdropping attacks, occur when attackers insert
themselves into a two-party transaction. Once the attackers intercept the traffic, they can filter and steal
data.
On unsecure public Wi-Fi, attackers can insert themselves between a visitor’s device and the network.
Without knowing, the visitor passes all information through the attacker.
Once malware has breached a device, an attacker can install software to process all of the victim’s
information.
4. Denial-of-service attack
A denial-of-service attack floods systems, servers, or networks with traffic that exhausts resources and
bandwidth. That makes the system unable to fulfill legitimate requests. Attackers also use multiple
compromised devices to launch this attack; this is known as a distributed-denial-of-service (DDoS)
attack.
5. SQL injection
A Structured Query Language (SQL) injection happens when an attacker inserts malicious code into a
server that uses SQL and forces the server to reveal information it normally would not. An attacker could
carry out a SQL injection simply by submitting malicious code into a vulnerable website search box.
6. Zero-day exploit
A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is
implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day
vulnerability threat detection requires constant awareness.
7. DNS Tunneling
DNS tunneling utilizes the DNS protocol to communicate non-DNS traffic over port 53. It sends HTTP and
other protocol traffic over DNS. There are various, legitimate reasons to utilize DNS tunneling. However,
there are also malicious reasons to use DNS Tunneling VPN services. They can be used to disguise
outbound traffic as DNS, concealing data that is typically shared through an internet connection. For
malicious use, DNS requests are manipulated to exfiltrate data from a compromised system to the
attacker’s infrastructure. It can also be used for command and control callbacks from the attacker’s
infrastructure to a compromised system.
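The tunnelling pattern just described (encoded data carried in query names, many unique names under one domain) is detectable at the resolver. The block below is an added example, not code from the original notes: it scores a constructed resolver log (format assumed) per client and domain on query volume, name uniqueness, first-label length and label entropy. The last-two-labels domain heuristic and the thresholds are assumptions; real deployments should use the public suffix list and tune thresholds to their own traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<time> <client> <qtype> <qname>" (assumed format, not from the notes).
# 10.0.0.5 does ordinary browsing; 10.0.0.7 sends TXT queries whose leftmost label is
# 16 characters of encoded data, every name unique, all under one domain.
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A mail.example.com
10:00:03 10.0.0.5 A www.example.com
10:00:04 10.0.0.5 AAAA cdn.example.com
10:00:05 10.0.0.5 A www.example.com
10:00:06 10.0.0.7 TXT 3q2b7kz9x0l4m8v1.s1.exfil-demo.test
10:00:07 10.0.0.7 TXT 9f3k1x7z5q2m8b4v.s1.exfil-demo.test
10:00:08 10.0.0.7 TXT a6c0e2g4i8k1m3o5.s1.exfil-demo.test
10:00:09 10.0.0.7 TXT p7r1t3v5x9z0b2d4.s1.exfil-demo.test
10:00:10 10.0.0.7 TXT h1j3l5n7q9s0u2w4.s1.exfil-demo.test
10:00:11 10.0.0.7 TXT y8w6u4s2q0o9m7k5.s1.exfil-demo.test
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    # Assumption: the last two labels are the registered domain. Real deployments
    # should consult the public suffix list so that example.co.uk is handled correctly.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def analyse_dns(log_text, min_queries=5, min_label_len=16, min_entropy=3.5, min_unique_ratio=0.8):
    """Group queries per (client, domain) and flag tunnelling-like patterns.

    Returns {(client, domain): stats}; stats["suspicious"] is True when the group
    is busy, almost every name is new, and the data-bearing first label is long
    and high-entropy. No single feature is enough on its own (CDNs are busy,
    short names are common), which is why all of them must hold.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qtype, qname = parts
        groups[(client, registered_domain(qname))].append((qtype, qname))

    report = {}
    for key, queries in groups.items():
        names = [q for _, q in queries]
        first_labels = [q.split(".")[0] for q in names]
        stats = {
            "queries": len(queries),
            "unique_ratio": len(set(names)) / len(queries),
            "max_label_len": max(len(label) for label in first_labels),
            "mean_entropy": sum(shannon_entropy(label) for label in first_labels) / len(first_labels),
            "txt_ratio": sum(1 for t, _ in queries if t == "TXT") / len(queries),
        }
        stats["suspicious"] = (
            stats["queries"] >= min_queries
            and stats["unique_ratio"] >= min_unique_ratio
            and stats["max_label_len"] >= min_label_len
            and stats["mean_entropy"] >= min_entropy
        )
        report[key] = stats
    return report


if __name__ == "__main__":
    for (client, domain), stats in analyse_dns(SAMPLE_DNS_LOG).items():
        print(client, domain, stats)
```

The browsing client is not flagged even though it is just as busy: its names repeat and its labels are short, which is the difference between a chatty host and a covert channel.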
Here are some examples of common cyber attacks and types of data breaches:
There are 7 key strategies we recommend to use to protect a Small and Medium Business or
organization from cyber attacks.
One of the most effective ways to prevent cyber attacks is to ensure that multi-factor authentication has
been enabled for all applications that access the internet in an organization.
Having only a password login for employees is not enough. If employee passwords are compromised
through a hack or a phishing scam, cybercriminals may be able to gain access to the systems easily.
Enabling a multi-factor authentication process for logins instead will require employees to provide
several pieces of information instead of just one. As a result, security will be heightened. It will be much
more difficult for any unauthorized person to access the systems.
To prevent cyber attacks in an organization it’s also crucial that there are robust internal controls in
place. Access controls will help ensure that system access is updated immediately once employees,
contractors, and vendors leave the organization.
Controlling access for the system is essential for cyber attack prevention. When someone leaves the
organization, then access must be revoked due to security reasons. If the access is not revoked for the
former employees, contractors, and other relevant parties, they may be able to access the
organizational system later on.
By monitoring who has access to the organizational systems, one can ensure greater security and can
prevent security threats and potential problems in the future.
In order to prevent cyber attacks and security threats, it’s also critical that one takes measures to
manage third-party cyber risk.
It’s important to understand the responsibilities when it comes to third-party security. If any
vendors or third parties need to access the organizational system, it’s crucial to be aware of the risks
and to ensure heightened security.
Creating tight security controls, identifying potential cyber threats, and monitoring the network are all
crucial to ensure that the system is secure.
Employee education is also one of the biggest keys to improving business security.
Organizations should conduct cyber security awareness training when onboarding new employees.
Employees should be given additional training at regular intervals. Holding annual training sessions
can help ensure that the entire staff knows how to guard against security threats.
It’s also important to educate all employees in the organization about phishing. Employees should
know which requests are, and which are not, normal via email and other correspondence methods.
This will make the business much more secure overall.
Organizations should make regular backups of important business data. Backing up the data is an
essential way to keep the business going strong. It’s an important measure to avoid a worst-case
scenario in which crucial business data is lost.
Ensuring regular data backups makes sure that, whatever happens, the business won’t be at a total loss.
Keeping systems and business software up to date is also a critical part of protecting any business.
Running the latest software keeps data more secure and helps the business remain resilient in the
long run.
While some business owners find the need for constant updates frustrating, they are necessary.
New problems and vulnerabilities will come up in business software from time to time. Updates exist to
patch software vulnerabilities and to guard against potential security threats.
There are sometimes significant expenses associated with updates to software and hardware. Yet, the
result is usually well worth it.
Finally, one must prevent security breaches and cyber attacks by installing antivirus software. Every
computer in the organization should have an antivirus installed and then it must be updated regularly.
One should ensure that a firewall is always in place.
What Is an Exploit?
An exploit is a program, or piece of code, designed to find and take advantage of a security flaw or vulnerability in an
application or computer system, typically for malicious purposes such as installing malware. An exploit is not malware itself,
but rather it is a method used by cybercriminals to deliver malware.
Software
Software bugs, a normal consequence of software development, can become vulnerabilities open to exploits if not patched or fixed. Some of the common
exploit methods include memory safety violations, input validation errors, side-channel attacks, and privilege confusion bugs.
Network
Each of the components of a network offers the possibility of vulnerability, whether hardware, software, or firewall configurations. Some attacks that
may be part of an exploit can be domain hijacking, DoS and distributed denial-of-service (DDoS) attacks, and malware.
Personnel
Even personnel can be exploited. Cyber criminals may target their devices and credentials by means of social engineering attacks, spear phishing,
and honey trapping. Training and access control are crucial to mitigating this vulnerability.
Physical Site
Exploits can also be conducted on-site if physical security is deficient or access control is inadequate. Just as a thief can break in and steal, a cyber
criminal can break in (physically or remotely) and conduct an exploit that compromises an entire network.
Known Vulnerabilities
Known vulnerabilities have been identified and documented. Patches and other “fixes” can be issued, but cyber criminals can also get hold of the documentation and
design an exploit. The main risk factor is that organizations often do not apply the patch or repair an issue quickly enough to eliminate a vulnerability.
Local Exploits
Local exploits can only be run if the malicious party has access to a machine on the network using a compromised account.
Client Exploits
Client exploits influence or attack a user, misleading the user to click and download malware that can then compromise the network or system.
Often, the goal is to gain control of devices in a simplified and automated manner. A sequence of events takes place within an exploit kit for the attack to be
successful. It starts with a redirect to a landing page, followed by the execution of the exploit, and finally, the delivery of the payload, gaining control of the host.
Exploit kits can also be used in penetration testing to evaluate the security of the system. For example, the Fortinet exploit kit is used to run a simulation exercise
on a system to detect vulnerabilities.
Information Gathering
Gathering information is the first step, in which a hacker tries to get information about the target. Hackers use different sources and tools to get
more information, and some of them are briefly explained here. This information will be useful for you in becoming an ethical hacker.
Information gathering is the act of collecting different kinds of information about the targeted victim or system. It is the first step or
beginning stage of ethical hacking, performed by penetration testers and hackers (black hat or white hat) alike; it is a necessary and crucial
step. The more information is gathered about the target, the higher the probability of obtaining relevant results. Information gathering is not
just a phase of security testing; it is an art that every penetration tester (pen-tester) and hacker should master for better results in
penetration testing. Various tools, techniques, and websites, including public sources such as Whois and nslookup, can help hackers gather
information. This step is necessary because any piece of information (such as the target's pet name, best friend's name, age, or phone
number) may be needed to perform a password guessing attack or other kinds of attacks on the target.
1. Footprinting
2. Scanning
3. Social engineering
1. Footprinting
Footprinting is the technique of collecting as much information as possible about the targeted
network/victim/system. It helps hackers in various ways to intrude on an organization's
system. This technique also determines the security posture of the target. Footprinting can
be active as well as passive. Passive (pseudonymous) footprinting involves collecting
data without the owner knowing that hackers are gathering his/her data. In contrast, active footprints
are created when personal data is released consciously and intentionally by the owner, or through the owner's
direct contact.
Sub-branches of Footprinting
Besides the types of footprinting, there are some branches of footprinting a learner should know before gathering information:
Open-Source Footprinting.
Network-based Footprinting.
DNS Interrogation.
Open-Source Footprinting
This type of footprinting is the safest, staying within all legal limitations, and hackers can do it without fear because it is legal; hence the
term open-source. Examples of this type include finding someone's email address or phone number, scanning an IP address with automated tools,
and searching for a person's age, date of birth, house address, etc. Most companies publish information about themselves on their official
website without realizing that hackers can benefit from the information they provide.
Network-based Footprinting
Using this footprinting category, hacktivists can retrieve information such as user name, information within a group, shared data among
individuals, network services, etc.
DNS Interrogation
After gathering the information needed from the different areas using various techniques, the hacker usually queries the DNS using
pre-existing tools. Many freeware tools are available online to perform DNS interrogation.
2. Scanning
Scanning is another essential step; it refers to the set of techniques and procedures used to identify hosts, ports,
and services within a network. Network scanning is one component of the intelligence-gathering and information-retrieval
mechanism an attacker uses to build an overview of the target organization (the group of people or organization that falls
prey to the hacker). Vulnerability scanning is performed by pen-testers to detect the possibility of network
security attacks. This technique leads hackers to identify vulnerabilities such as missing patches, unnecessary services, weak authentication, or
weak encryption algorithms, so a pen-tester or ethical hacker lists all such vulnerabilities found in an organization's network.
Network Scanning
Port Scanning
Vulnerability Scanning
Port Scanning
It is a conventional technique used by penetration testers and hackers to search for open doors through which an
organization's system can be accessed. During this scan, hackers need to find the live hosts, the firewalls installed, the operating systems used,
the different devices attached to the system, and the targeted organization's topology. Once the hacker obtains the victim organization's IP
addresses by scanning TCP and UDP ports, the hacker maps the organization's network. Amap is a tool to perform port scanning.
Vulnerability Scanning
It is the proactive identification of a system's vulnerabilities within a network in an automated manner, to determine whether the system can
be exploited or threatened. In this case, the computer has to be connected to the internet.
Open Windows OS
Press Win+R to open the Run dialog
In the Run dialog, type cmd
Type the command: ping <IP address> or ping <domain name>
3. Social Engineering
Hackers and malicious attackers always try to gain information by other means if they cannot access it otherwise. They continuously keep
searching for information they can obtain from their victim in order to wreak havoc on the network's resources. Social engineering is
different from physical security exploits (like shoulder surfing and dumpster diving). Shoulder surfing is a direct observation technique,
such as looking over a victim's shoulder to see what he/she is typing, or what password, PIN, or security pattern lock the victim is
entering. Dumpster diving is a form of modern salvaging of waste such as papers, hard copies, documentation, and paper-based records
discarded in large commercial, residential, industrial, and construction containers. Hackers use this well-known dumpster diving to search for
particular information in that discarded waste.
Social engineering is the term used for a broad range of malicious activities accomplished through human
interactions. It uses psychological manipulation to trick users into making security mistakes or giving away
sensitive information.
Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim
to gather necessary background information, such as potential points of entry and weak security protocols,
needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli
for subsequent actions that break security practices, such as revealing sensitive information or granting
access to critical resources.
1. Baiting
As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure
users into a trap that steals their personal information or inflicts their systems with malware.
The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the
bait—typically malware-infected flash drives—in conspicuous areas where potential victims are certain to see
them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to
it, such as a label presenting it as the company’s payroll list.
Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic
malware installation on the system.
Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist
of enticing ads that lead to malicious sites or that encourage users to download a malware-infected
application.
2. Scareware
Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to
think their system is infected with malware, prompting them to install software that has no real benefit
(other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software,
rogue scanner software and fraudware.
A common scareware example is the legitimate-looking popup banners that appear in your browser while
surfing the web, displaying text such as, “Your computer may be infected with harmful spyware
programs.” It either offers to install the tool (often malware-infected) for you, or directs you to a
malicious site where your computer becomes infected.
Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy
worthless/harmful services.
3. Pretexting
Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by
a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.
The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank
and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are
ostensibly required to confirm the victim’s identity, through which they gather important personal data.
All sorts of pertinent information and records are gathered using this scam, such as social security numbers,
personal addresses and phone numbers, phone records, staff vacation dates, bank records and even
security information related to a physical plant.
4. Phishing
As one of the most popular social engineering attack types, phishing scams are email and text message
campaigns aimed at creating a sense of urgency, curiosity or fear in victims. They then prod them into
revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain
malware.
An example is an email sent to users of an online service that alerts them of a policy violation requiring
immediate action on their part, such as a required password change. It includes a link to an illegitimate
website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter
their current credentials and new password. Upon form submittal the information is sent to the attacker.
Given that identical, or near-identical, messages are sent to all users in phishing campaigns, detecting and
blocking them is much easier for mail servers that have access to threat-sharing platforms.
5. Spear phishing
This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or
enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging
to their victims to make their attack less conspicuous. Spear phishing requires much more effort on the part of
the perpetrator and may take weeks or months to pull off. Such attacks are much harder to detect and have better
success rates if done skillfully.
A spear phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant,
sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does,
thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to
change their password and provides them with a link that redirects them to a malicious page where the
attacker now captures their credentials.
Nmap: Discover your network
What is Nmap?
Nmap (Network Mapper) is an open-source, standalone utility for network discovery and security auditing, developed by
Gordon Lyon. Network administrators use it to detect the devices currently running on the network and the ports on which
those devices accept connections.
Many system and network administrators also use it for managing network inventory, service upgrade schedules, and monitoring
host and service uptime.
Nmap Definition
At the top level, Nmap is a tool that a network administrator can use to detect or diagnose the services running on an
Internet-connected system in their network, and thereby identify potential security flaws. It is also used to automate routine tasks,
such as monitoring a service.
Working of Nmap
Nmap is convenient during penetration testing of networked systems. Nmap provides the network details and also helps to determine the
security flaws present in the system. Nmap is platform-independent and runs on popular operating systems such
as Linux, Windows and Mac.
Nmap is easy to work with. Its graphical user interface, Zenmap, adds features such as saving and comparing scan results,
storing results in a database, and visualizing the network topology graphically.
Advantages of Nmap
Nmap has a lot of advantages that make it different from other network scanning tools. Nmap is open-source and free to use.
Essential skills
Nmap offers various techniques for scanning networks, such as TCP connect scanning, FTP bounce scanning and TCP reverse ident
scanning. Nmap is a good place to start when learning these techniques.
Nmap is used for regular network audits. It also handles routine tasks such as managing network inventory, scheduling
service upgrades, and monitoring service uptime and downtime.
It reports the state of each port as open, filtered, unfiltered or closed.
The output can be extended with the operating system type, MAC address, device type, and reverse DNS names.
TCP Scan
It completes a three-way handshake between you and a chosen target system. The TCP connect scan is very noisy and can be detected with
almost no effort, because services log the sender's IP address and may trigger an intrusion detection system.
UDP Scan
The UDP scan is used to check whether a UDP port on the target machine is open and listening for incoming requests. Unlike TCP, UDP has
no mechanism for positive acknowledgement, so there is a chance of false-positive scan results. UDP scans are used to reveal Trojan
horses that run on a UDP port, or to reveal hidden RPC services. These scans are slow because machines rate-limit their
responses to such traffic as a precaution.
SYN Scan
It is another form of TCP scan. Nmap crafts a SYN packet, the first packet sent to establish a TCP connection, and reads the reply
without completing the handshake.
ACK Scan
ACK scans are used to determine whether a particular port is filtered. They prove extremely helpful when checking for firewalls
and their current rule sets.
FIN Scan
The FIN scan is like the SYN scan, but it sends a TCP FIN packet instead. A closed port replies with an RST (reset) packet, while an
open port stays silent, so the results can contain false negatives. It may pass under the radar of some IDS programs and other countermeasures.
Null Scan
The null scan is very stealthy and, as the name suggests, sets all TCP flags to zero. It is not a valid packet, and targets
may not know how to deal with it.
Xmas Scan
Computers running Windows do not respond usefully to Xmas scans due to the way they implement their TCP stack. The scan takes its name
from the set of flags lit up in the scanning packet: Xmas scans set the PSH, URG and FIN flags in the TCP header.
RPC Scan
RPC scans are used to search for machines that respond to Remote Procedure Call (RPC) services, which allow a remote party to run a program
on a particular machine under a particular set of connections. Because RPC services can run on various ports, regular scans find it hard
to detect whether RPC services are running.
Idle Scan
The idle scan is the stealthiest scan, as packets are bounced off an external host. Control of that host is not required, but the host must
fulfil a specific set of conditions.
Nmap Functions
1. Ping Scanning
The ping scan gives information about every active IP on your network. We can perform a ping scan by using the command below:
nmap -sn <target>
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to the given ports.
2. Port Scanning
Port scanning is one of the most popular forms of reconnaissance ahead of an attack, helping attackers determine which ports are most
susceptible. The main port scan types are:
-sS  TCP SYN scan
-sT  TCP connect scan
-sU  UDP scan
-sY  SCTP INIT scan
-sN  TCP NULL scan
3. Host scanning
Host scanning provides a detailed description of a particular host or IP address. As mentioned above, you can scan a host using the following
command:
nmap -sP <target IP range>
4. OS Scanning
OS scanning is the most powerful feature of Nmap. It sends TCP and UDP packets to a port and analyzes the response when using this type
of scan. It compares the response to a database of operating system fingerprints and returns information on the host's OS. To run the OS scan,
use the command given below:
nmap -O <target IP>
5. Scanning the most popular ports
If you are running Nmap on a home server, this command is useful. It scans the most 'popular' ports on a host. You can use the command given
below to scan the popular ports:
nmap --top-ports 20 192.168.1.106
Replace "20" with the number of ports you want to scan. It gives a brief output that details the status of the most common ports and lets you
see whether you have any unnecessarily open ports.
6. Output to a file
If you want the results of an Nmap scan written to a file, add an output option to the command:
-oN output.txt   (normal, human-readable output)
-oX output.xml   (XML output)
Finally, you can speed up an Nmap scan by using the -n parameter to disable reverse DNS resolution. This is useful when performing a wide
network scan.
For example, add -n to turn off DNS resolution for the required ping scans.
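The -oX option above writes machine-readable XML, which is what makes Nmap suitable for the regular network audits mentioned earlier. As an added example (not code from the original notes or from the Nmap project), the script below parses a constructed sample in Nmap's XML layout and reports open ports that are not on an approved per-host baseline, the "unnecessarily open ports" check described above; the hosts, ports and baseline are made up.

```python
# Added example (not part of the original notes): parse the XML written by
# "nmap -oX output.xml" and flag open ports missing from an approved baseline.
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout (the element names are Nmap's; the values are made up).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX output.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.106" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.7" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed baseline: the (protocol, port) pairs each host is supposed to expose.
BASELINE = {"192.168.1.1": {("tcp", 53), ("tcp", 80)}, "192.168.1.106": {("tcp", 22)}}


def parse_nmap_xml(xml_text):
    """Return {ipv4: [(protocol, port, state, service), ...]} for every host that is up."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip hosts that were down or have no IPv4 address
        entries = []
        for port in host.findall("ports/port"):
            service = port.find("service")
            entries.append((port.get("protocol"), int(port.get("portid")),
                            port.find("state").get("state"),
                            service.get("name") if service is not None else ""))
        results[addr.get("addr")] = entries
    return results


def unexpected_open_ports(results, baseline):
    """Open ports per host that are not on that host's approved baseline."""
    findings = {}
    for addr, entries in results.items():
        allowed = baseline.get(addr, set())  # unknown hosts have nothing approved
        extra = [(proto, port, svc) for proto, port, state, svc in entries
                 if state == "open" and (proto, port) not in allowed]
        if extra:
            findings[addr] = extra
    return findings
```

Calling unexpected_open_ports(parse_nmap_xml(SAMPLE_XML), BASELINE) on the sample flags only telnet (23/tcp) on 192.168.1.1; the filtered port 445 on the other host is not reported because it is not open.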
Zenmap
Nmap (Network Mapper) is the second program that we're going to look at. It is a huge tool with many uses. Nmap is used to gather
information about any device: using Nmap, we can gather information about any client inside or outside our network just by knowing its IP.
Nmap can also be used to bypass firewalls and many other kinds of protection and security measures. In this section, we're going to learn
some of the basic Nmap commands that can be used to discover clients that are connected to our network, and also to discover the open ports
on these clients.
We're going to use Zenmap, which is the graphical user interface for Nmap. If we type zenmap in the Terminal, we'll bring up the application
like this:
In the Target field, we're going to put our IP address. In the Profile drop-down menu, we can have various profiles:
In the Target field, if you want to gather information about only one IP address, we can just enter that address. We can also enter a range, as we
did with netdiscover. We're going to enter 198.168.1.1/24. Then we are going to select Ping scan from the Profile drop-down menu and
hit the Scan button:
The preceding scan is a quick scan, but it doesn't show much information, as we can see in the preceding screenshot. It only
shows the connected devices. This scan is very quick. We can see the connected devices in the left-hand panel, with their
IP addresses, their MAC addresses, and their vendors.
The next scan we're going to learn is the Quick scan. The Quick scan is slightly slower than the Ping scan, but it gives us
more information than the Ping scan: we are able to identify the open ports on each device:
In the above screenshot, we can see the open ports on each of the discovered devices. The main router has port 53/tcp open, and
80/tcp is used for the router's settings page, which runs on a web server.
Port scanning
Port scanning is a method of detecting vulnerable nodes in a network by accessing different ports on a host (a device connected to the
network) or the same port on different hosts. It can be used by cybercriminals in the preparatory phase of an attack to harvest information
about the target host, as well as by information security experts as a tool for locating vulnerable nodes in IT infrastructure.
Horizontal scanning or network scanning sends requests to the same port on different hosts. Attackers use horizontal scanning
to prepare for a mass attack.
Vertical scanning sends requests to different ports on the same host. Attackers typically use vertical scanning to look for
vulnerabilities in a preselected target.
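The horizontal/vertical distinction above is also how a defender tells a scan apart from ordinary traffic in firewall or flow logs. As an added example (not part of the original text), the script below classifies each source in a batch of constructed connection records as a horizontal scanner (one port across many hosts), a vertical scanner (many ports on one host), or neither; the addresses, ports and threshold are made up.

```python
# Added example (not part of the original text): classify sources in connection
# records as horizontal scanners, vertical scanners, or neither.
from collections import defaultdict

# Constructed records: (source IP, destination IP, destination port). Real input
# would come from firewall logs or NetFlow; the addresses here are made up.
RECORDS = (
    # 10.0.0.5 probes port 22 on twelve different hosts (horizontal scan)
    [("10.0.0.5", f"10.0.1.{i}", 22) for i in range(1, 13)]
    # 10.0.0.9 probes fifteen ports on a single host (vertical scan)
    + [("10.0.0.9", "10.0.1.50", p) for p in
       (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389)]
    # 10.0.0.7 is ordinary traffic: a few services on a few hosts
    + [("10.0.0.7", "10.0.1.50", 443), ("10.0.0.7", "10.0.1.51", 443),
       ("10.0.0.7", "10.0.1.52", 80)]
)


def classify_scanners(records, threshold=10):
    """Return {source: set of labels}, where a label is 'horizontal' or 'vertical'.

    threshold is the number of distinct hosts (for one port) or distinct ports
    (for one host) a single source must touch before it is flagged.
    """
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, dport in records:
        hosts_per_port[src][dport].add(dst)
        ports_per_host[src][dst].add(dport)
    labels = defaultdict(set)
    for src in hosts_per_port:
        if any(len(dsts) >= threshold for dsts in hosts_per_port[src].values()):
            labels[src].add("horizontal")  # same port, many hosts
        if any(len(ports) >= threshold for ports in ports_per_host[src].values()):
            labels[src].add("vertical")  # many ports, same host
    return dict(labels)  # only flagged sources appear
```

With the default threshold, classify_scanners(RECORDS) flags 10.0.0.5 as horizontal and 10.0.0.9 as vertical and leaves 10.0.0.7 unflagged; raising the threshold above 15 flags nothing.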
There are various methods of checking which ports are open and accessible externally. The most common are:
SYN scanning. The attacker sends a SYN (synchronization) request to the target port over TCP. If the port is open, it returns a
SYN-ACK (synchronization acknowledgment) packet. The scanner then terminates the session without establishing a connection.
If the port is closed, it responds with an RST (reset) packet, indicating that it cannot be accessed. If the port is located behind
a firewall, the request does not generate a response at all. This is the most common scanning method because it does not require
an established connection and is not logged by most simple event-tracking tools. On the other hand, SYN scanning requires
superuser privileges on the device that sends the requests, which might not belong to the attacker.
TCP scanning. This is the simplest scanning method that does not require special rights. It uses the network functions of the
operating system to establish a full TCP connection. However, this type of scan is easy to detect and block.
UDP scanning. Determines the status of ports used by UDP services. Unlike TCP, UDP is a connectionless protocol. That means
if the port is open and the sent data is delivered successfully, the scanner does not receive a response, whereas a closed port
returns an ICMP error message. This method can give a false indication of the available network services: if the target port is
protected by a firewall or the system blocks ICMP messages, the scanner does not receive a response and deems the port open.
FIN scanning. Used to reveal open ports hidden behind a firewall, the method is similar to SYN scanning but involves sending
FIN (finish) packets (requests to end the connection). Unlike SYN requests, many firewalls do not block such packets. Closed
ports generally answer with an RST packet. Open ones do not respond. In some operating systems, however, all ports respond to
FIN requests in the same way, so the method is not very precise.
ACK scanning. Used to collect information about firewalls, their rules, and ports filtered by them. ACK packets are normally used
in established connections, so simple traffic filtering rules let them through. If a packet fails to get through, that means the port is
protected by a firewall with more advanced rules.
Port-scanning objectives
Cybercriminals use this information in preparing attacks. For example, they can exploit vulnerabilities in externally accessible network
services, the device operating system, and elsewhere.
Information security experts use this information to better protect company resources. The scan identifies vulnerable services that should be
placed behind a firewall and unused ports that can be closed.
Network Scanning
INTRODUCTION
Network scanning refers to the use of a computer network to gather information regarding computing systems. Network
scanning is mainly used for security assessment, system maintenance, and also for performing attacks by hackers. Its objectives are to:
Recognize available UDP and TCP network services running on the targeted hosts
Recognize filtering systems between the user and the targeted hosts
Determine the operating systems (OSs) in use by assessing IP responses
Evaluate the target host's TCP sequence number predictability to assess exposure to sequence prediction attacks and TCP
spoofing.
TYPES
Scanning is primarily of three types: network scanning, port scanning, and vulnerability scanning.
A) Network scanning
Network scanning helps to discover live computers or hosts, open ports, and the IP addresses of a target. It helps to
discover the services running on any host. It allows the system architecture and operating system of any target to be
determined. The method helps to discover whether there are any vulnerabilities in a live host.
B) Port scanning
Port scanning is a conventional method used by hackers and testers to search for open doors through which the
system of the organization could be accessed. It tries to figure out the route a hacker could take, by finding the live hosts,
the operating system in use, the installed firewalls, and the topology of the targeted organization.
Once the hacker has the IP address of the victim organization, the hacker uses UDP and TCP port scans to map the
organization's network. Nmap is a tool that is used to carry out port scanning techniques.
C) Vulnerability scanning
The vulnerability scanning method proactively identifies the vulnerabilities of a network in an automated way, helping to
find out whether the system could be threatened or exploited. To carry out this type of scanning the computer needs to be
connected to the internet.
USES
Using tools for network scanning is important if you are running several devices on the network. It is also useful if you
have a large network that includes various subnets. It is impossible to manage such a vast network by hand, and this can expose the
business to various security threats. This is why you need network scanning tools to scan the system.