Hackers and Crimes


CHAPTER 2

CYBER CRIMES
TYPES OF HACKERS

It's not easy to become a hacker, but it is possible.
WHITE HAT HACKERS

Description: White hat hackers are cybersecurity professionals who use their skills to find vulnerabilities and weaknesses in computer systems, networks, and applications. They work with the owner's explicit authorization and an agreed scope, and their aim is to improve security by getting the findings patched or mitigated.
Purpose: Enhance cybersecurity, protect systems, and prevent cyberattacks.
BLACK HAT HACKERS

Description: Black hat hackers are malicious individuals or groups who engage in unauthorized and illegal activity, exploiting vulnerabilities for personal gain or other malicious purposes. They commit cybercrimes such as data theft, fraud, and cyberattacks.
Purpose: Personal gain, financial theft, data breaches, cyberattacks, and disruption.
GREY HAT HACKERS

Description: Grey hat hackers fall between the white hat and black hat categories. They may find and exploit vulnerabilities without authorization, but with the intention of notifying the affected organization afterwards, often in exchange for a reward or recognition. Note that testing without authorization remains unlawful in most jurisdictions regardless of intent; coordinated disclosure and bug bounty programmes exist precisely to give this kind of activity a legal footing.
Purpose: Identify vulnerabilities and improve security, sometimes with an expectation of compensation.
SCRIPT KIDDIES

Description: Script kiddies are individuals with limited technical skills who use pre-written scripts and tools to launch cyberattacks. They typically lack deep understanding but can still cause real harm, because the tools do the hard part for them.
Purpose: Often seek to disrupt systems or networks for fun, notoriety, or to prove their abilities.
HACKTIVISTS

Description: Hacktivists are individuals or groups who hack for political, social, or ideological reasons. They use cyberattacks as a means to promote their agendas, raise awareness, or protest against specific organizations or governments.
Purpose: Promote their causes, raise awareness, and often engage in digital protests.
STATE-SPONSORED OR NATION-STATE HACKERS

Description: Nation-state hackers are government-backed or state-sponsored entities that conduct cyber espionage, cyber warfare, and cyberattacks against other countries, organizations, or individuals for political, economic, or military purposes.
Purpose: Espionage, sabotage, information gathering, and advancing national interests.
CRACKERS

Description: Crackers, in the sense used here, are individuals who focus on breaking digital rights management (DRM) protections, software licensing checks, and the encryption schemes behind them, in order to circumvent those controls and use software or content without authorization. (In older usage "cracker" simply meant a malicious hacker, as opposed to a hacker in the original, non-criminal sense of the word.)
Purpose: Bypass licensing or access restrictions, often for piracy.
BLUE TEAM & RED TEAM

Description: Blue team members are the defenders, responsible for maintaining and improving cybersecurity within an organization: monitoring, hardening, detection, and incident response. Red team members emulate real adversaries, under agreed rules of engagement, to test whether the organization's defenses and its blue team actually detect and stop an attack.
Purpose: Blue team defends and secures, while red team assesses and identifies weaknesses in both technology and response.
VULNERABILITIES, THREATS & RISKS
VULNERABILITY

Definition: A vulnerability is a weakness or flaw in a system, application, network, or process that could be exploited by a threat to compromise the security or functionality of that system.

Example: Imagine a computer system running an outdated operating system that no longer receives security updates. This system has a vulnerability because it lacks protection against newly discovered security flaws. An attacker could exploit this vulnerability by using a known exploit to gain unauthorized access to the system.
THREATS

Definition: A threat is a potential source of harm (an actor, a piece of malware, or an event) that can exploit a vulnerability in a system, causing damage, data breaches, or disruption.

Example: A common threat in the digital world is malware, such as viruses and ransomware. Malware is the threat because it can exploit vulnerabilities in computer systems. For instance, a phishing email delivering ransomware threatens a user's data and files; the weakness it exploits is the user's trust in the email and whatever allows the attachment to run.
RISKS

Definition: Risk is the combination of the likelihood that a threat exploits a vulnerability and the impact if it does. It quantifies the potential harm or loss an organization or individual may face from a cybersecurity incident, and it is reduced by lowering either factor: removing the vulnerability, blocking the threat, or limiting the impact.

Example: Consider an e-commerce website that stores customer data, including payment information. If a vulnerability exists in the website's database security and an attacker successfully exploits it, the risk involves the potential loss of customer data, financial penalties under data breach regulations, and reputational damage to the company. The risk is assessed by considering the probability of the threat exploiting the
TYPES OF MALWARE
VIRUSES

Modus Operandi: Viruses attach themselves to legitimate programs or files and replicate when those files are executed. They need a host file and, usually, a user action to spread to other files, programs, or devices.
Example: The "ILOVEYOU" outbreak of 2000 spread as a VBScript email attachment and overwrote files on infected computers; strictly it propagated as a mass-mailing worm, but it is commonly cited as a virus.
WORMS

Modus Operandi: Worms are self-replicating programs that spread on their own by exploiting vulnerabilities in a network or system. They do not require user interaction to spread, which is why a single unpatched, exposed service can lead to mass infection.
Example: The "Conficker" worm, which emerged in 2008, exploited a Windows vulnerability in the Server service (MS08-067) to spread across millions of computers worldwide.
TROJANS

Modus Operandi: Trojans masquerade as legitimate software or files to deceive users into downloading and executing them. Unlike viruses and worms they do not self-replicate; once executed, they perform malicious actions, such as stealing data or granting remote access to attackers.
Example: The "Zeus" Trojan, designed for stealing banking credentials, allowed attackers to silently capture login information from infected computers.
RANSOMWARE

Modus Operandi: Ransomware encrypts the victim's files or entire system and demands a ransom payment in exchange for the decryption key. It typically displays a ransom note and threatens to permanently delete the data if the ransom is not paid; many current families also steal the data first and threaten to publish it.
Example: "WannaCry" ransomware, which caused a global outbreak in 2017, encrypted files and demanded Bitcoin payments for decryption. It spread on its own using the EternalBlue exploit for a Windows SMBv1 flaw (MS17-010), for which a patch had been available for about two months.
SPYWARE

Modus Operandi: Spyware secretly monitors and collects information about a user's activities, including keystrokes, browsing history, and personal data, without the user's knowledge or consent.
Example: The "FinFisher" spyware, sold to governments and law enforcement agencies for surveillance purposes.
ROOTKITS

Modus Operandi: Rootkits are stealthy malware that gain privileged access to a system's core functions (the "root" or administrative level, often the kernel itself) and use it to hide files, processes, and network activity from the operating system and security tools, maintaining long-term control.
Example: "Stuxnet", discovered in 2010, was a worm that carried rootkit components, one for Windows and one that hid its changes to Siemens PLC code, and was designed to disrupt industrial control systems, particularly those used in Iran's nuclear program.
BOTNET

Modus Operandi: Botnets consist of a network of compromised computers (bots) controlled by an attacker through command and control (C&C or C2) infrastructure, either a central server or a peer-to-peer mesh. Botnets are often used for activities like DDoS attacks, spam distribution, and credential stuffing.
Example: The "Mirai" botnet, which infected IoT devices by logging in with factory-default credentials and launched massive DDoS attacks in 2016.
FILELESS MALWARE

Modus Operandi: Fileless malware operates in memory, leaving little or no trace on disk. It exploits vulnerabilities or abuses legitimate system tools such as PowerShell and WMI ("living off the land") to carry out malicious activity, which defeats file-based antivirus scanning.
Example: The "PowerShell Empire" post-exploitation framework, which lets attackers run PowerShell agents and modules in memory to evade traditional antivirus detection.
CYBER KILL CHAIN

The seven stages, in order:
1. RECONNAISSANCE
2. WEAPONISATION
3. DELIVERY
4. EXPLOITATION
5. INSTALLATION
6. COMMAND & CONTROL
7. ACTION ON OBJECTIVES

The cyber kill chain is a framework used in cybersecurity to understand and analyze the stages of a cyberattack, from the initial reconnaissance to the attacker's final objective. It was developed by defense contractor Lockheed Martin and is often used to improve an organization's defense strategy by identifying and mitigating threats at each stage of the attack lifecycle; breaking any one link stops the attack.
RECONNAISSANCE
Objective: In this initial phase, the attacker gathers information about the target, including potential vulnerabilities, systems, and individuals.
Methods: Attackers may use open-source intelligence (OSINT), social engineering, or passive scanning to identify potential targets and weaknesses; passive methods never touch the target's systems, so the target sees nothing in its logs.
Example: Scanning public websites and social media for information about the target organization's employees or systems.
WEBSITE REGISTRATION DETAILS

• WHOIS.COM - registrant, registrar, and name server records for a domain
• URLSCAN.IO - scans a URL and records the hosts, scripts, and requests the page makes
ORGANISATION DETAILS

• CRUNCHBASE - Contains info on public and private companies on a global scale
SEARCH DIRECTORIES

Almost everything on a web server lives under a directory, web applications included. Enumerating the files and directories that are exposed is extremely helpful for the attacker in understanding the structure of the web application and the developers' habits in placing things (backups, admin paths, configuration files). Note that active enumeration sends thousands of requests and is easily logged, unlike the passive sources above.
• GoBuster
• Dirb
• DirBuster
And many more....
TIME MACHINE ON A SITE

Seeing previous versions of a site reveals a lot: old pages, removed endpoints, and former staff names.
• Waybackmachine.com (the Internet Archive's Wayback Machine, web.archive.org)
• Archive.is
WEAPONISATION

Objective: During this stage, the attacker creates or acquires a weapon, typically malware or an exploit, that can be used to compromise the target.
Methods: Attackers may craft malicious documents, develop custom malware, or purchase exploit kits on underground markets.
Example: Creating a malicious email attachment or a weaponized document designed to exploit software vulnerabilities.
DELIVERY
Objective: The attacker delivers the weaponized payload to the target system or network. This often involves social engineering or exploiting vulnerabilities in exposed services.
Methods: Attackers may use phishing emails, malicious links, compromised websites, or removable media to deliver malware to the victim.
Example: Sending a phishing email with a malicious attachment that, when opened, executes the payload.
GAINING ACCESS

(This phase comes from the five-phase ethical hacking methodology rather than from the Lockheed Martin kill chain; it spans the kill chain's delivery and exploitation stages.)

Methods: Attackers employ various methods to gain access, including:

Exploiting Vulnerabilities: Attackers identify and exploit weaknesses in software applications, operating systems, or network devices. This could involve taking advantage of unpatched systems, misconfigured security settings, or known software vulnerabilities.

Social Engineering: Social engineering techniques, such as phishing emails, can trick users into revealing login credentials or other sensitive information. Attackers may also use pretexting, baiting, or tailgating to gain physical access to a target's premises.

Credential Theft: Attackers may acquire valid login credentials through various means, such as password cracking, credential stuffing (replaying username and password pairs stolen in earlier breaches against other services), or keylogging.

Malware: Malicious software, such as trojans or backdoors, can be used to infect a target system, giving the attacker remote access and control. Malware can be delivered through infected attachments, malicious links, or drive-by downloads.

Brute Force Attacks: Attackers attempt to gain access by systematically trying many username and password combinations until they find valid credentials. Password spraying is the variant that tries a few common passwords against many accounts so as to stay under per-account lockout thresholds.

Zero-Day Exploits: In some cases, attackers use previously unknown vulnerabilities (zero-days) to gain access before a security patch is available.

Example: Consider a scenario where an attacker identifies a vulnerable web application with an unpatched security flaw. They exploit this vulnerability by injecting malicious input into the application, which allows them to bypass authentication and gain access to the application's backend. Once inside, the attacker can manipulate or exfiltrate data, escalate privileges, or launch further attacks.
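The brute-force and credential-stuffing entries above look alike on the wire (many failed logins from one source) but differ in shape: brute force hammers one account, stuffing or spraying touches many. The following is an added example, not part of the original deck, of detection logic that tells them apart over sshd-style authentication log lines. The log lines are constructed for the example, and the thresholds (five failures within sixty seconds, four distinct usernames) are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of OpenSSH sshd messages (not from a real host).
# 203.0.113.7 hammers a single account (brute force), 198.51.100.9 tries one guess each
# against many accounts (credential stuffing / password spraying), and 192.0.2.44 is a
# real user who mistyped once. Both attackers eventually get in.
SAMPLE_LOG = """\
Mar 10 09:00:01 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51011 ssh2
Mar 10 09:00:02 web01 sshd[2102]: Failed password for admin from 203.0.113.7 port 51012 ssh2
Mar 10 09:00:03 web01 sshd[2103]: Failed password for admin from 203.0.113.7 port 51013 ssh2
Mar 10 09:00:04 web01 sshd[2104]: Failed password for admin from 203.0.113.7 port 51014 ssh2
Mar 10 09:00:05 web01 sshd[2105]: Failed password for admin from 203.0.113.7 port 51015 ssh2
Mar 10 09:00:06 web01 sshd[2106]: Accepted password for admin from 203.0.113.7 port 51016 ssh2
Mar 10 09:10:00 web01 sshd[2201]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 09:10:01 web01 sshd[2202]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 10 09:10:02 web01 sshd[2203]: Failed password for invalid user carol from 198.51.100.9 port 40003 ssh2
Mar 10 09:10:03 web01 sshd[2204]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar 10 09:10:04 web01 sshd[2205]: Failed password for erin from 198.51.100.9 port 40005 ssh2
Mar 10 09:10:05 web01 sshd[2206]: Accepted password for erin from 198.51.100.9 port 40006 ssh2
Mar 10 09:30:00 web01 sshd[2301]: Failed password for alice from 192.0.2.44 port 3022 ssh2
Mar 10 09:31:00 web01 sshd[2302]: Accepted password for alice from 192.0.2.44 port 3023 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_events(log_text):
    """Return (timestamp, outcome, username, source_ip) tuples; non-matching lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            # syslog lines carry no year; strptime defaults to 1900, which is fine for deltas
            events.append((datetime.strptime(ts, "%b %d %H:%M:%S"), outcome, user, ip))
    return events


def detect(events, window=timedelta(seconds=60), fail_threshold=5, spray_users=4):
    """One alert per source IP whose failures inside a sliding window reach fail_threshold.
    Many distinct usernames in that window means stuffing/spraying rather than brute force."""
    alerts = []
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) >= fail_threshold:
                users = {e[2] for e in burst}
                kind = "credential-stuffing/spraying" if len(users) >= spray_users else "brute-force"
                # a success after the burst is the thing worth paging someone for
                later_success = any(e[1] == "Accepted" and e[0] >= burst[-1][0] for e in evs)
                alerts.append({"ip": ip, "kind": kind, "failures": len(burst),
                               "users": sorted(users), "later_success": later_success})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The window is keyed on source IP, which is the weak point of the heuristic: stuffing campaigns run through large proxy pools spread the attempts across thousands of addresses, so a production rule would also key on the target account and on the user-agent or client fingerprint.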
EXPLOITATION

"Exploitation" is a crucial phase in the cyber kill chain, where an attacker successfully leverages a vulnerability or weakness in a target system or application to gain unauthorized access to or control over that system. In the Lockheed Martin model it directly follows delivery: the delivered payload, or the user's action on it, triggers the vulnerability. In the five-phase hacking methodology the same activity is called "gaining access"; the two terms describe the same step.
OBJECTIVE

The primary objective of exploitation is to take advantage of the vulnerabilities or weaknesses identified during the reconnaissance and gaining access stages to achieve specific malicious goals. These goals can include further compromise of the system, data theft, privilege escalation, or the execution of malicious payloads.
METHODS
Use of Exploits: Attackers may employ known or zero-day exploits that target specific vulnerabilities in the target's software, operating system, or network infrastructure. An exploit is code or a technique that takes advantage of a security flaw to make the target do something its designer did not intend.

Payload Delivery: Once a vulnerability is triggered, the exploit typically delivers a payload to the target system: malware, a script, or shellcode that lets the attacker establish control over the compromised system.

Injection Attacks: Attackers may use techniques like SQL injection or command injection, where untrusted input is concatenated into a query or shell command, to make the target application execute arbitrary commands or bypass its access checks.

Buffer Overflow: Attackers exploit buffer overflow vulnerabilities by writing past the end of a buffer to corrupt adjacent memory (return addresses, function pointers), redirecting execution to code of their choosing or otherwise taking control of the process.

Client-Side Attacks: Attackers may target vulnerabilities in client-side applications such as web browsers, PDF readers, or media players to compromise user systems, usually by luring the user to a malicious file or page.

Social Engineering: In addition to technical methods, attackers may use social engineering to trick users or administrators into actions that lead to exploitation, for example running a malicious attachment or clicking a malicious link.
EXAMPLE

Let's say an attacker identifies a known vulnerability in a widely used content management system (CMS) that the target organization uses for its website. The attacker exploits this vulnerability by sending a specially crafted HTTP request to the CMS, allowing them to gain unauthorized access to the website's administrative control panel. From there, they can deface the website, steal sensitive data, or further compromise the organization's systems.
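The "Injection Attacks" method above, and the authentication bypass in the earlier gaining-access example, can be shown concretely. The following is an added example, not code from the deck, of a login check written two ways against an in-memory SQLite database: the vulnerable version concatenates user input into the SQL text, the hardened version passes it as a bound parameter so the database never parses it as SQL. The table, accounts and passwords are constructed for the example; real systems store slow password hashes (bcrypt, Argon2) rather than plaintext, which is left out here so that the injection point is the only thing under test.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed accounts. Plaintext passwords are a second
    flaw, kept only so the injection is the single thing this example demonstrates."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "Tr0ub4dor&3", "admin"), ("alice", "correct horse", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the SQL text, so quotes and comment markers in it
    change the query's structure. Returns (username, role) on success, else None."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately from the
    SQL, so they are compared as data and can never be parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # "admin'--" closes the string and comments out the password check;
    # "' OR '1'='1" in the password field makes the WHERE clause always true.
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, login(db, "admin'--", "wrong"), login(db, "anyone", "' OR '1'='1"))
```

The fix is not escaping quotes by hand; it is keeping the query text constant and letting the driver bind values, which is what every mainstream database API offers.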
PRIVILEGE ESCALATION

Privilege escalation is an attack in which an adversary who already has some access to a system gains higher privileges than they were granted, letting them reach resources, systems, or data that would normally be restricted. It occurs after the initial foothold, during or after the "gaining access" or "exploitation" phases. Vertical escalation moves from an ordinary user to an administrator or root; horizontal escalation takes over another account at the same level. Privilege escalation can have serious consequences, as it enables attackers to move deeper into a system or network and potentially gain control over critical assets.
OBJECTIVE

The primary objective of privilege escalation is to elevate the attacker's level of access or permissions within a system or network. This allows the attacker to carry out more advanced and potentially damaging actions, such as compromising other accounts, installing persistent malware, or accessing sensitive data.
METHODS
Privilege escalation can occur through various methods, depending on the specific vulnerabilities or weaknesses present in the target system.
Exploiting Software Vulnerabilities: Attackers may identify and exploit software vulnerabilities (e.g., buffer overflows in setuid binaries or privileged services) to gain elevated privileges. This can involve known or zero-day exploits.

Abusing Misconfigurations: Misconfigurations in the target system or application can be leveraged to escalate privileges: overly broad sudo rules, setuid binaries that should not be setuid, world-writable scripts run by root or by a scheduled task, or service accounts with more rights than they need.

Using Weak or Stolen Credentials: If an attacker has compromised a lower-privileged user's account, they may attempt password cracking, password guessing, or reuse of credentials found on the system (configuration files, shell history) to reach a higher-privileged account.

Accessing Administrative Interfaces: Attackers may discover and exploit administrative interfaces, such as web-based admin panels or control panels, to gain administrative privileges.

Kernel Exploits: Kernel-level exploits compromise the core of the operating system, giving the attacker the highest level of privilege. They are the usual fallback when no misconfiguration is available, at the cost of a higher risk of crashing the target.
EXAMPLES
Consider an attacker who initially gains access to a company's employee portal with limited privileges. Through careful reconnaissance, the attacker discovers an unpatched vulnerability in the portal's software that allows them to execute arbitrary code with administrative privileges. By exploiting it, the attacker escalates from a regular user to an administrator, gaining control over the entire portal and potentially compromising sensitive employee data.
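Most of the "Abusing Misconfigurations" cases above are things a defender can audit for before an attacker finds them. The following is an added example, not from the deck, of a small Python scanner that walks a directory tree looking for setuid, setgid and world-writable files, run against a throwaway tree that imitates a misconfigured host. The paths, contents and modes are constructed for the example, and ownership by root is not reproduced because the scanner only looks at mode bits.

```python
import os
import stat
import tempfile


def scan_for_privesc(root):
    """Walk a tree and report the mode bits an attacker goes looking for.
    Returns a sorted list of (finding, path relative to root) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            mode = st.st_mode
            if mode & stat.S_ISUID:
                findings.append(("setuid", rel))  # runs as the file owner, whoever launches it
            if mode & stat.S_ISGID and mode & stat.S_IXGRP:
                findings.append(("setgid", rel))
            if mode & stat.S_IWOTH:
                kind = "world-writable executable" if mode & stat.S_IXUSR else "world-writable"
                findings.append((kind, rel))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway tree that mimics a misconfigured host (assumption: only the
    mode bits matter to the scanner, so root ownership is not reproduced)."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    layout = {
        "usr/bin/helper": (b"#!/bin/sh\necho helper\n", 0o4755),            # setuid helper
        "etc/cron.hourly/cleanup": (b"#!/bin/sh\nrm -rf /tmp/x\n", 0o777),  # root's cron job, anyone can edit
        "opt/app/config.ini": (b"[db]\npassword=hunter2\n", 0o666),         # secrets, world-writable
        "etc/hosts": (b"127.0.0.1 localhost\n", 0o644),                      # normal file, not flagged
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding, path in scan_for_privesc(build_demo_tree()):
        print(f"{finding:26} {path}")
```

On a real host the same loop is pointed at / (excluding /proc and /sys), and each setuid hit is compared against the distribution's package manifest; the world-writable cron job is the classic case, since whatever an attacker writes into it runs as root on the next tick.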
COMMAND & CONTROL

In the context of the Cyber Kill Chain framework, "Command and Control" (C2) represents one of the key stages in the progression of a cyberattack. The Cyber Kill Chain is a model developed by Lockheed Martin that describes the stages of a cyberattack, providing a structured approach to understanding and defending against cyber threats. The C2 stage focuses on the attacker's ability to control and manage compromised systems.
OBJECTIVES
Maintain Control: The primary objective of the C2 stage is for the attacker to maintain control over the compromised systems or devices that have been infected with malware or otherwise compromised.

Communication: Establish a secure and covert communication channel between the attacker and the compromised system(s) to enable remote management, data exfiltration, and the execution of additional malicious actions. In practice the implant usually beacons outbound to the attacker, because outbound connections pass most firewalls while inbound ones do not.

Persistence: Ensure that the attacker's presence on the compromised system(s) is persistent,
METHODS
Remote Access Tools (RATs): Attackers often deploy RATs that provide them with backdoor access to compromised systems. These tools allow remote control and data exfiltration.

Covert Communication: Attackers employ techniques to hide their communication with compromised systems, making it difficult for security tools to detect. This may involve encryption, tunneling through legitimate channels such as HTTPS or DNS, or using steganography.

Command Servers: Attackers may set up command-and-control servers to send instructions

Domain Generation Algorithms (DGA): Some malware uses a DGA to generate a large number of candidate domain names each day, of which the attacker registers only a few. Defenders cannot block them with a static list; they have to reverse-engineer the algorithm or spot the generated names statistically.

Protocol Manipulation: Attackers may manipulate network protocols or use non-standard protocols to communicate with compromised systems, evading detection.
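A toy DGA and a matching detector make the "Domain Generation Algorithms" entry concrete. The following is an added example, not from the deck: dga() derives a handful of domains from the date and a secret the way malware does, so that the attacker can pre-register one of them, and looks_generated() flags second-level labels that are long, high-entropy and vowel-poor. The DNS log, the secret and the thresholds are constructed for the example; the heuristic is deliberately simple and would need an allowlist and a character n-gram model before use on real traffic, where CDN hostnames look random too.

```python
import hashlib
import math
from collections import Counter
from datetime import date

TLDS = ["com", "net", "org", "info"]


def dga(day, count=5, label_len=12, secret=b"example-seed"):
    """Toy DGA: derive the day's candidate C2 domains from a date and a secret.
    Only someone who knows the secret and the algorithm can pre-register them."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(secret + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:label_len])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def shannon_entropy(text):
    """Bits per character; 12 distinct letters give log2(12) = 3.58, 'aaaa' gives 0."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn):
    """Second-level label, e.g. 'google' for 'mail.google.com'.
    Assumption: single-part public suffixes only (no co.uk handling)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(fqdn, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic with assumed thresholds: long, high-entropy, vowel-poor labels."""
    label = registrable_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


# Constructed DNS query log as (client, queried name); not from a real resolver.
DNS_LOG = [
    ("10.0.0.12", "www.example.com"),
    ("10.0.0.12", "mail.google.com"),
    ("10.0.0.12", "stackoverflow.com"),
    ("10.0.0.12", "cdn.jsdelivr.net"),
    ("10.0.0.27", "xkqzvbhtrmpl.com"),
    ("10.0.0.27", "qwzpvjkmtxgb.net"),
    ("10.0.0.27", "hvtrkpxzmqwl.org"),
    ("10.0.0.27", "www.example.com"),
]


def suspicious_clients(log, min_hits=2):
    """Clients that queried at least min_hits generated-looking names; a host running
    a DGA fails many lookups (NXDOMAIN) before it finds the registered one."""
    hits = Counter(client for client, name in log if looks_generated(name))
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print("today's candidates:", dga(date(2024, 3, 10)))
    print("clients to investigate:", suspicious_clients(DNS_LOG))
```

Run on real resolver logs, the strongest signal is not the individual name but the burst of NXDOMAIN answers one client collects while it walks the day's list; counting those per client is what the last function approximates.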
EXAMPLES
Botnet Control: A common example is a botnet, where compromised devices are controlled by a central command server. The attacker can send commands to the botnet to launch coordinated attacks, such as distributed denial-of-service (DDoS) attacks.

Advanced Persistent Threat (APT) Operations: Sophisticated threat actors, such as nation-state-sponsored groups, often establish long-term C2 channels to maintain access to their targets for espionage or data theft.

Data Manipulation: Attackers with C2 access can modify, delete, or manipulate data on
ACTION ON OBJECTIVES

"Actions on Objectives" is the final stage of the Cyber Kill Chain framework. In this stage, adversaries carry out whatever they came for, which can vary widely depending on their motivations and the specific target.
OBJECTIVES

Achieving the Primary Goal: The primary objective in this stage is to accomplish the attacker's ultimate goal, which could include data theft, exfiltration, espionage, system disruption, or any other malicious intent.

Maintaining Persistence: Attackers may seek to maintain their presence within the target environment to continue carrying out malicious activities even after the initial breach has been discovered and mitigated.
METHODS
Data Exfiltration: Attackers may focus on exfiltrating sensitive data, such as intellectual property, financial information, customer data, or classified documents, depending on their objectives.

Data Destruction: In some cases, attackers may aim to disrupt or damage systems by deleting or altering data, causing operational disruption or data loss.

Establishing Backdoors: Attackers may create additional backdoors or maintain existing ones to ensure continued access to the compromised

Lateral Movement: Attackers may move laterally within the target network to access additional valuable assets or escalate privileges to gain higher-level access.

Further Exploitation: Once the attacker has a foothold in the target environment, they may continue exploiting vulnerabilities, deploying additional malware, or launching secondary attacks.
EXAMPLES
Data Theft: A cybercriminal breaches a company's network to steal customer credit card information and personal data, which can be sold on the dark web or used for financial fraud.

Corporate Espionage: An attacker infiltrates a competitor's network to steal proprietary information, trade secrets, or research and development data to gain a competitive advantage.

Critical Infrastructure Disruption: Attackers may aim to disrupt critical infrastructure, such as power grids or water treatment plants, to cause widespread chaos or damage.
HIDING FILES

Steganography is the practice of concealing one piece of information (the secret) within another (the cover) in such a way that it is difficult to detect. In digital steganography, this typically involves hiding data within digital images, audio, video, or other files. Unlike encryption, which hides the content of a message, steganography hides the fact that a message exists at all; the two are often combined.
STEGANOGRAPHY TECHNIQUES
Image Steganography: This is the most common form of steganography, where secret data is hidden within an image file. It can be done by altering the least significant bits of the image pixels or by modifying the color values in a way that is not perceptible to the human eye. Plain LSB embedding only survives in lossless formats such as PNG or BMP; re-saving the image as JPEG destroys it.

Audio Steganography: In audio steganography, data is concealed within audio files, such as MP3 or WAV. Similar to image steganography, this involves manipulating audio samples to embed the hidden data.

Video Steganography: Video steganography hides data within video files. This can be achieved by
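The least-significant-bit technique from "Image Steganography" above, as an added example that is not the deck's code, in pure Python on a constructed 16x16 grayscale gradient standing in for an image's pixel samples: a four-byte length header followed by the payload is written one bit per sample, and extraction reads it back. The cover and the payload are constructed for the example.

```python
def _bits(data):
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def capacity_bytes(cover):
    """Payload bytes a cover of this many 8-bit samples can hold after the 4-byte length header."""
    return len(cover) // 8 - 4


def embed_lsb(cover, payload):
    """Return a copy of cover with payload written into the least significant bits.
    A 4-byte big-endian length header precedes the payload so extraction knows where to stop."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"cover holds at most {capacity_bytes(cover)} bytes")
    stego = list(cover)
    for i, bit in enumerate(_bits(len(payload).to_bytes(4, "big") + payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the low bit, then set it to the payload bit
    return stego


def _read(samples, offset_bits, nbytes):
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[offset_bits + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego):
    """Read the length header from the first 32 samples, then that many payload bytes."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    return _read(stego, 32, length)


def max_sample_delta(a, b):
    """Largest change any sample suffered; LSB embedding never changes a sample by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 16x16 8-bit grayscale gradient standing in for a real image's samples.
COVER = [(x * 7 + y * 3) % 256 for y in range(16) for x in range(16)]

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"meet at dawn")
    print(extract_lsb(stego), "max sample change:", max_sample_delta(COVER, stego))
```

Invisible to the eye is not invisible to analysis: sequential LSB embedding flattens the pair-of-values statistics of the samples it touches, which is what chi-square and RS steganalysis look for, and why tools such as Steghide and OutGuess spread the bits pseudo-randomly and try to preserve the cover's statistics.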
STEGANOGRAPHY TOOLS
Steghide: Steghide is a popular command-line tool for Linux and Windows that embeds and extracts data in JPEG, BMP, WAV, and AU files. It encrypts and compresses the hidden data and embeds it in a way that leaves the cover's sample frequencies unchanged, so the result resists first-order statistical tests.

OpenStego: OpenStego is an open-source steganography tool that provides a user-friendly graphical interface. It supports embedding and extracting data from image files and includes encryption options.

Steganography Studio: Steganography Studio is a Windows-based steganography tool that offers a range of features for embedding data in images,

OutGuess: OutGuess is a command-line tool for Unix-like operating systems that specializes in hiding data within JPEG files. It aims to preserve the statistical properties of the cover image so that the embedding resists simple steganalysis.

SteganoG: SteganoG is a web-based steganography tool that allows users to hide and extract data from image files online. It's accessible through a web browser and is easy to use.

SilentEye: SilentEye is a cross-platform steganography tool that supports various image and audio formats. It provides a graphical interface
COVERING TRACKS

Covering tracks, also known as "anti-forensics," is the set of techniques and strategies threat actors use to hide their activities and evade detection by cybersecurity professionals, digital forensics experts, or law enforcement agencies. These techniques aim to make it more difficult for investigators to trace the origin and actions of the attacker. The kill chain does not list it as a separate stage; in the five-phase hacking methodology it is the final phase.
METHODS
Log Deletion/Modification: Attackers may delete or modify log files on compromised systems to remove evidence of their presence or actions. This includes event logs, access logs, and system logs. Forwarding logs to a separate collector as they are written is the standard defense: the attacker can clean the host but not the copy that has already left it.

File and Data Deletion: Deleting files and data related to the attack can help attackers remove traces of their activities. This may include deleting malware, scripts, or any files they used during the attack.

File Timestamp Manipulation: Attackers might alter the timestamps of files to make them appear as though they were created or modified at different
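"File Timestamp Manipulation" leaves a hook for the investigator: on Linux and macOS, utime() lets the attacker set atime and mtime to anything but cannot set ctime, which the kernel bumps to the current time. The following is an added example, not from the deck, that stomps a file's timestamps and then applies two heuristics to catch it. It assumes Linux/macOS stat semantics (on Windows st_ctime is the creation time, so the first check does not apply), and both checks are heuristics that also fire on some legitimate files, as the comments note.

```python
import os
import tempfile


def timestomp(path, when):
    """What an attacker does: push atime and mtime back to a chosen epoch time.
    utime() cannot set ctime; the kernel records 'now' there, which is the forensic hook."""
    os.utime(path, (when, when))


def timestomp_indicators(path, slack_seconds=60):
    """Heuristics only: package installs also leave mtime before ctime, and filesystems
    with one-second timestamps always show zero nanoseconds. Treat hits as leads."""
    st = os.stat(path)
    findings = []
    if st.st_ctime - st.st_mtime > slack_seconds:
        findings.append("mtime older than ctime")
    if st.st_mtime_ns % 1_000_000_000 == 0:
        findings.append("mtime has zero nanoseconds")  # hand-picked times are whole seconds
    return findings


def demo():
    """Create a file, stomp it back to 1 Jan 2020, return the indicators before and after."""
    root = tempfile.mkdtemp(prefix="timestomp-demo-")
    path = os.path.join(root, "helper.sh")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n")
    before = timestomp_indicators(path)
    timestomp(path, 1577836800)  # 2020-01-01T00:00:00Z
    after = timestomp_indicators(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh file:", before)
    print("after timestomp:", after)
```

On ext4 the inode also carries a creation time (crtime) that utime() cannot touch, which recent stat(1) shows as "Birth"; a modification time earlier than the file's own birth time is about as clear a signal as timeline analysis gets.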
Using Encrypted Communication: Attackers may use encrypted communication channels to hide the content of their conversations, making it difficult for security tools to analyze the data being transmitted.

Using Proxy Servers: By routing their traffic through proxy servers, VPNs, anonymizing networks such as Tor, or previously compromised hosts, attackers can obscure their IP address and make it harder to trace their location and identity.

Spoofing IP Addresses: Attackers may use IP address spoofing techniques to forge the source IP address of their network packets, making it appear as though the traffic is coming from a different
Data Encryption: Encrypting files, communications, or data storage can prevent investigators from easily accessing and analyzing the content of compromised systems.

Covering Tracks in Memory: Attackers may inject code into memory or tamper with the memory space of processes to erase evidence of their activities or the presence of malware; this is the same reason fileless malware is hard to investigate once the host has been rebooted, so memory should be captured before power is cut.

Overwriting Free Space: Attackers may overwrite the free space on a system's storage devices to ensure that remnants of deleted files cannot be recovered.
Using Rootkits: Rootkits are malicious software that can hide themselves and other malicious processes from detection by security tools and system administrators.

Changing User Accounts and Passwords: Attackers may change the credentials of compromised user accounts or create new accounts to maintain access to the system; the new accounts are usually given innocuous names so that they blend into the user list.

Clean-Up Scripts: Some attackers deploy scripts or automated tools to perform a series of clean-up actions after the attack, such as removing traces and backdoors.
THANK YOU
I HOPE YOU LEARNED
SOMETHING NEW!
