Unit 3


Tools and Methods Used in Cybercrime

❑ The basic stages of an attack to understand how an attacker can compromise a network are:
Initial Uncovering: The attacker begins by gathering information about the
target network. This phase, also known as reconnaissance, involves identifying
key details such as IP addresses, domain names, network topology, and
potential vulnerabilities. The objective is to understand the target's
environment and identify weak points that can be exploited in subsequent
stages.
Network Probe: The attacker actively scans and probes the network to detect
open ports, services, and potential vulnerabilities. This involves using tools like
network scanners and vulnerability assessment tools. The objective is to map
the network's defenses and identify exploitable points of entry.
Crossing the Line Toward Electronic Crime (E-crime): The attacker moves
from reconnaissance and probing to actively exploiting identified
vulnerabilities. This might involve delivering malware, exploiting software
flaws, or leveraging social engineering techniques. The objective is to gain
unauthorized access to the network and establish a foothold within the target's
infrastructure.
Capturing the Network: At this stage the attacker attempts to “own” the
network. The attacker gains a foothold in the internal network quickly and
easily by compromising low-priority target systems. Once inside, the attacker
works to escalate privileges, move laterally within the network, and take
control of critical systems. This often includes installing backdoors, rootkits,
or other persistent threats to maintain access. The objective is to achieve a
level of control over the network that allows for sustained access and the
ability to manipulate network resources.
Grab the Data: Now that the attacker has 'captured the network', he/she takes
advantage of his/her position to exfiltrate sensitive data from the
compromised network. This can include personal information, financial
records, intellectual property, and other valuable assets. The objective is to
steal data for financial gain, competitive advantage, or other malicious
purposes.
Covering Tracks: The attacker takes steps to conceal their presence and
activities within the network. This can involve deleting logs, altering
timestamps, and removing malware or other indicators of compromise. The
objective is to evade detection and forensic investigation, ensuring that the
attack remains undetected for as long as possible and making it difficult to
trace back to the perpetrator.
Proxy Servers and Anonymizers
Proxy Server
❑ A proxy server is an intermediary server that separates end users from
the websites they browse.
❑ Proxy servers act as a gateway between users and the internet, providing
various functions such as security, privacy, and caching.
❑ When a user requests a web page, the proxy server retrieves it from the
internet on behalf of the user and then forwards it to the user. This can
help hide the user's IP address, manage internet traffic, and enhance
security.
❑ A proxy server has the following purposes:
Anonymity and Privacy: Proxy servers can mask a user's IP address, making
their online actions more anonymous. This is useful for protecting privacy and
avoiding targeted ads or online tracking.
Access Control: Organizations often use proxy servers to control and monitor
internet usage by employees or users. This can include blocking access to
certain websites or content that may be deemed inappropriate or harmful.
Bandwidth Savings and Speed Improvement: By caching frequently accessed
content, proxy servers can reduce bandwidth usage and speed up access to
resources. When multiple users request the same content, the proxy can serve
it from its cache instead of downloading it repeatedly from the internet.
Security and Protection: Proxy servers can provide an additional layer of
security by acting as a barrier between the user and potentially malicious
websites. They can filter out harmful content, block known threats, and
prevent direct connections to vulnerable internal systems.
Logging and Monitoring: Proxy servers can log user activities and monitor
traffic, which is useful for auditing and analysis. Organizations can review
these logs to ensure compliance with policies or investigate security incidents.
Anonymizers
❑ Anonymizers are tools or services that enable users to hide or disguise
their online identity, primarily their IP address, thereby allowing them to
browse the internet anonymously.
❑ These services typically work by routing a user's internet traffic through
a proxy server or a series of servers, masking the user's original IP
address and replacing it with another, often from a different location.
This process makes it more difficult for websites, advertisers, and other
entities to track a user's online activities or identify their real-world
location.
Listed below are a few websites where free proxy servers can be found:
❑ https://www.sslproxies.org/
❑ http://free-proxy.cz/en/
Listed below are a few websites where more information about anonymizers can be found:
❑ https://www.macrometa.com/articles/-anonymizer
❑ https://nordvpn.com/blog/anonymous-proxy/
Phishing
How Phishing Works
❑ Phishers work in the following ways:
1. Planning: During this phase, cybercriminals identify their targets
(individuals, organizations, or sectors) and determine their objectives
(e.g., stealing credentials, financial information, or intellectual
property). They research their victims, often using open-source
intelligence (OSINT), to craft convincing pretexts and select the most
effective attack vectors.
2. Setup: This involves creating or acquiring the tools necessary for the
phishing campaign. Attackers may:
• Register domain names that mimic legitimate websites
• Set up fake websites that look identical to trusted ones
• Create email accounts or spoof existing ones
• Develop malware or acquire phishing kits from the dark web
• Configure servers to receive and store stolen data
3. Attack: This is when the attacker initiates contact with the target.
Common methods include:
• Sending deceptive emails (the most common form)
• SMS phishing (smishing)
• Voice phishing (vishing)
4. Collection: As victims fall for the phishing attempts, attackers collect
the compromised information. This might include:
• Login credentials
• Financial data (credit card numbers, bank account details)
• Personal information (Social Security numbers, dates of birth)
• Corporate secrets or intellectual property
The data is often automatically sent to the attacker's servers or stored for later retrieval.
5. Identity Theft and Fraud: With the collected data, attackers can
assume the victim's identity or use the stolen information for financial
gain or other malicious purposes. This might involve:
• Creating new accounts in the victim's name
• Applying for credit cards or loans
• Making unauthorized purchases
• Selling the stolen data on the dark web
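The Setup step above mentions registering domain names that mimic legitimate websites. As an added example (not from these slides), here is a defender-side check that flags such look-alike domains before a mail or URL is trusted. The trusted-domain list, the homoglyph substitution table and the distance threshold are all assumptions chosen for the example; a deployment would supply its own.

```python
import unicodedata

# Constructed list of domains the organization treats as trusted (assumption for the example).
TRUSTED_DOMAINS = ["paypal.com", "microsoft.com", "example-bank.com"]

# Assumed table of common visual substitutions seen in look-alike registrations; not exhaustive.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def registrable(domain):
    """Crudely keep the last two labels, so 'login.paypa1.com' becomes 'paypa1.com'."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def normalize(domain):
    """Strip accents, drop non-ASCII characters (e.g. Cyrillic letters used in IDN
    homograph tricks) and fold common substitutions so 'paypa1' compares equal to 'paypal'."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_for(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None.
    The genuine domain (or one of its subdomains) is never reported as a look-alike."""
    base = registrable(domain)
    if base in trusted:
        return None
    candidate = normalize(base)
    best = None
    for t in trusted:
        dist = levenshtein(candidate, normalize(t))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (t, dist)
    return best[0] if best else None


if __name__ == "__main__":
    for d in ["paypa1.com", "login.paypal.com", "rnicrosoft.com", "p\u0430ypal.com", "github.com"]:
        print(f"{d!r:20} -> {lookalike_for(d)}")
```

Edit distance alone misses names that add a word ("microsoft-support.com"), so in practice this check sits beside keyword and certificate-transparency monitoring rather than replacing them.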
Password Cracking
❑ Password cracking is the process of attempting to gain unauthorized
access to a computer system or digital account by systematically guessing
or recovering the password that protects it. This technique involves using
various methods and tools to discover, bypass, or break the authentication
mechanism.
❑ The purposes of password cracking can be both legitimate and malicious:
1) Security Testing: This involves identifying weak passwords in an
organization's systems, performing authorized penetration testing, etc.
2) Account Recovery: This involves helping users regain access to their accounts
when they have forgotten their passwords, or assisting system administrators in
accessing critical systems in emergencies.
3) Malicious Intent: This involves unauthorized access to personal or corporate
accounts, identity theft, financial fraud, corporate espionage, and gaining initial
access for further system compromise.
❑ Password cracking techniques often involve:
Brute-force attacks: Systematically trying every possible combination of
characters
Dictionary attacks: Using lists of common words and phrases
Rainbow table attacks: A rainbow table attack is a precomputation technique
used to recover passwords from their hash values. It involves creating and
using large, pre-computed tables (rainbow tables) that contain possible
plaintext passwords and their corresponding hash values.
Social engineering: Exploiting human psychology to trick people into
revealing passwords
Hybrid attacks: Hybrid attacks leverage the strengths of multiple password
cracking techniques to overcome the limitations of individual methods. They
typically start with a base word or pattern from a dictionary and then
systematically apply various transformations or additions to create a larger set
of password candidates.
Strong, Weak and Random Passwords
❑ Weak Passwords: Passwords that are easily guessable, commonly used, or
can be cracked quickly using standard password-cracking techniques.
❑ Characteristics:
Short (typically less than 8 characters)
Use common words or phrases
Contain personal information (birthdays, names, etc.)
Use simple patterns (123, abc, qwerty)
Commonly used passwords (e.g., "password", "admin", "123456")

❑ Strong Passwords: Passwords that are difficult to guess, resistant to
brute-force attacks, and not found in common password dictionaries.
❑ Characteristics:
Long (at least 12-16 characters, preferably more)
Combine uppercase and lowercase letters, numbers, and special characters
Avoid common substitutions (like '@' for 'a' or '1' for 'i')
Don't contain easily guessable personal information
Unique for each account
❑ Random Passwords: Passwords generated using a random or
pseudorandom process, typically by a computer algorithm, resulting in a
string of characters with no discernible pattern or meaning.
❑ Characteristics:
High entropy (randomness)
Extremely difficult to guess or crack
Often challenging for humans to remember
Typically generated by password managers or specialized software
❑ Examples:
"eH8*fJ3^vN1!pR"
"Uy2$Bx9#Nw4%Fz"
General guidelines applicable to the password policies, which can be
implemented organization-wide
❑ Implementing a robust password policy is crucial for any organization's
security posture. Here are some general guidelines that can be applied
organization-wide:
1) Minimum Length Requirement: Enforce a minimum password length of at
least 12 characters.
2) Complexity Requirements: Require a mix of uppercase and lowercase letters,
numbers, and special characters.
3) Password Expiration: Passwords shall be changed every 30/45 days or less.
Also implement event-based changes (e.g., after a suspected breach).
4) Password History: Maintain a password history of at least 10 previous
passwords. Prevent reuse of these passwords to avoid password recycling.
5) Account Lockout: Implement account lockout after a specified number of
failed login attempts (e.g., 5-10).
6) Multi-Factor Authentication (MFA): Mandate MFA for all user accounts,
especially for remote access and privileged accounts. Provide options for
various second factors (e.g., mobile apps, hardware tokens).
7) Password Strength Meters: Implement real-time password strength indicators
during password creation.
8) Training and Awareness: Provide regular security awareness training on
password best practices.
9) Session Management: Sessions should be suspended after 15 minutes (or other
specified period) of inactivity and require the password to be re-entered.
10) Logon and logoff time: Successful logons should display the date and time of
the last logon and logoff.
11) Suspension of Logon IDs and passwords: Logon IDs and passwords should be
suspended after a specified period of non-use.
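Guidelines 1, 2, 4 and 5 above (minimum length, complexity, password history and account lockout) can be enforced in code at the point where a password is set or a login is attempted. The following is an added example, not code from these slides: a policy checker that returns every violation at once, a salted PBKDF2 hash so that the history comparison never stores reusable plaintext, and a per-user failure counter for lockout. The common-password set and the lockout threshold of 5 are assumptions for the example; the other constants follow the slide's numbers.

```python
import hashlib
import os
import re

MIN_LENGTH = 12            # guideline 1
HISTORY_DEPTH = 10         # guideline 4
LOCKOUT_THRESHOLD = 5      # guideline 5 (lower end of the 5-10 range; assumption)
PBKDF2_ITERATIONS = 100_000

# Constructed sample of commonly used passwords; a deployment would use a full breach list.
COMMON_PASSWORDS = {"password", "admin", "123456", "qwerty", "letmein", "welcome"}
SIMPLE_PATTERNS = ("123", "abc", "qwerty")


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest).
    A fresh salt per entry means identical passwords produce different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def in_history(password, history):
    """True if `password` matches any of the last HISTORY_DEPTH (salt, digest) entries."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hash_password(password, salt)[1] == digest:
            return True
    return False


def check_password(password, history=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}
    missing = [name for name, pattern in classes.items() if not re.search(pattern, password)]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        violations.append("commonly used password")
    if any(p in lowered for p in SIMPLE_PATTERNS):
        violations.append("contains a simple pattern")
    if in_history(password, history):
        violations.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return violations


def record_login_attempt(failures, user, success):
    """Track consecutive failures per user in `failures`; return True once the account
    should be locked. A successful login resets the counter."""
    if success:
        failures[user] = 0
        return False
    failures[user] = failures.get(user, 0) + 1
    return failures[user] >= LOCKOUT_THRESHOLD


if __name__ == "__main__":
    print(check_password("password"))
    print(check_password("eH8*fJ3^vN1!pR"))
    salt, digest = hash_password("CorrectHorse!Battery9")
    print(check_password("CorrectHorse!Battery9", [(salt, digest)]))
```

The history check re-derives the digest with each stored salt rather than comparing plaintexts, which is also why a precomputed (rainbow) table built for an unsalted hash is useless against these entries: every user's digest depends on a salt the table was not built for.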
Password cracking tools
❑ Hashcat: Hashcat is one of the most powerful and widely used password
cracking tools available. Key features: supports a wide range of hashing
algorithms; offers various attack modes (dictionary, brute-force, combinator,
hybrid, etc.).
❑ John the Ripper: An open-source password cracking tool. Key features:
supports numerous password hash types; offers both brute-force and dictionary
attack modes; highly customizable, with the ability to add custom cracking rules.
❑ Hydra: Hydra is a parallelized login cracker that supports numerous
protocols. Key features: supports a wide range of protocols (e.g., HTTP, FTP,
SMTP, SSH); can perform rapid dictionary attacks against multiple hosts in
parallel; flexible and extensible, with the ability to add new modules.
Keyloggers and Spywares
❑ Keylogging: Keylogging is the practice of recording or monitoring the
keystrokes entered on a computer keyboard, typically without the
knowledge or consent of the user.
❑ Keylogger: A keylogger is a software program or hardware device
designed to covertly capture and log all keystrokes made on a computer
or mobile device keyboard.
Software Keyloggers
❑ Software keyloggers are programs designed to monitor and record
keystrokes on a computer or mobile device without the user's knowledge.
Software keyloggers operate by intercepting keyboard input at various
levels of the operating system. Examples of Software Keyloggers:
Spyrix Free Keylogger: Often marketed for parental control or employee
monitoring
KidLogger: Designed for parental control
Revealer Keylogger: Captures keystrokes, screenshots, and clipboard content
in Windows. Can send logs via email or FTP.
PyKeylogger: Open-source keylogger written in Python. Captures keystrokes
and screenshots
Blackshades RAT (Remote Access Trojan): Used in cybercrime operations.
Demonstrates how keyloggers can be part of larger malware packages
Hardware Keyloggers
❑ Hardware keyloggers are physical devices designed to capture keystrokes
directly from the keyboard without relying on software installed on the
target computer. Hardware keyloggers intercept keyboard signals before
they reach the computer. Examples of Hardware Keyloggers:
KeyGrabber USB: Inline keylogger that looks like a standard USB adapter.
KeyCarbon: Fits inside the keyboard, making it invisible externally
Antikeylogger
❑ An antikeylogger is a type of security software designed to detect,
prevent, and remove keylogging software or hardware from a computer
system. These tools work to protect sensitive information such as
passwords, credit card numbers, and other personal data from being
captured by malicious keyloggers.
❑ Advantages of Using Antikeyloggers:
Firewalls cannot detect the installation of keyloggers on the system; antikeyloggers
can detect the installation of keyloggers.
This software does not require regular updates of signature bases.
Prevents Internet banking fraud.
Prevents identity theft.
Secures e-mail and instant messaging/chatting.
Spywares
❑ Definition: Spyware is a type of malicious software (malware) designed to
infiltrate a computing device, gather user and system information, and
transmit this data to a third party without the user's knowledge or
consent.
❑ Spyware can monitor user activities, collect personal information, and
even take control of the device. It often enters a system bundled with
seemingly legitimate software or through security vulnerabilities.
❑ Types of Spyware:
Adware: Displays unwanted advertisements and collects browsing data.
Trojans: Disguised as legitimate software but performs malicious activities.
System Monitors: Records system activities, including keystrokes and
screenshots.
Tracking Cookies: Persistent cookies that track browsing habits across
websites.
❑ Examples of Spyware:
CoolWebSearch: Hijacks web browsers, changes homepages, and modifies
search results
FlexiSpy: Marketed as a monitoring tool for parents and employers. Can
intercept calls, messages, and track GPS location
FinFisher (FinSpy): Commercial spyware sold to law enforcement and
governments. Capable of intercepting communications, keylogging, and
remote access.
Viruses and Worms
Virus
❑ A computer virus is a type of malicious software program that, when
executed, replicates itself by modifying other computer programs and
inserting its own code. These modifications can be considered
"infections," and the virus spreads from one computer to another when
the infected program or file is transferred to the uninfected computer.
❑ Key characteristics of computer viruses:
Self-replication
Requires a host program
Activates when the host program is executed
Spreads through file sharing, networks, or removable media
❑ Typical actions a computer virus can take:
Attaches itself to executable files and modifies file content to include viral code
May corrupt or destroy files
Modifies system settings or disables security features
Sends copies of itself through email or network shares
Replaces system files with infected versions
Slows down system performance
Computer Worms
❑ A computer worm is a type of malicious software program that replicates
itself and spreads across computers and networks independently, without
requiring human interaction or a host program to propagate. Unlike
viruses, worms are self-contained and do not need to attach themselves to
existing files or programs to spread.
❑ Difference between computer virus and worm:
1) Different types
   Virus: Stealth Virus, Polymorphic Virus, Encrypted Virus, Multipartite Virus,
   Macro Virus, File Infector Virus, etc.
   Worm: Email Worm, Network Worm, Internet Worm, Instant Messaging (IM) Worm,
   File-sharing Worm, etc.
2) Spread mode
   Virus: Viruses spread by attaching to files and programs, requiring human
   action (like opening an infected file) to propagate.
   Worm: Worms spread autonomously through network connections, exploiting
   system vulnerabilities without needing user interaction.
3) What is it?
   Virus: A computer virus is a malicious program that attaches itself to and
   infects other files or programs to replicate and spread.
   Worm: A computer worm is a standalone malicious program that self-replicates
   and spreads independently across networks without needing a host file.
4) Inception
   Virus: The Creeper virus is considered the first known virus. It spread
   through ARPANET in the early 1970s.
   Worm: The first computer worm was created in 1988 by Robert Morris, marking
   the beginning of worm-based threats.
5) Prevalence
   Virus: Viruses were more prevalent in the early days of computing but have
   become less common with improved security measures.
   Worm: Worms have become increasingly prevalent in recent years due to their
   ability to spread rapidly across interconnected networks.
Types of Viruses
❑ Computer viruses can be categorized according to which elements of the
system they attack:
Boot Sector Viruses: Boot sector viruses infect the storage media where the OS is
stored, i.e. the master boot record of hard drives or the boot sector of
removable media. They activate when a system boots, gaining control before
the operating system loads, which makes them particularly dangerous and
difficult to remove.
Program Viruses: Program viruses attach themselves to executable files (.exe,
.com, etc.) and activate when the infected program is run. They can spread to
other programs when the infected file is executed, potentially infecting an
entire system over time.
Multipartite Viruses: Multipartite viruses combine the characteristics of boot
sector and program viruses, infecting both executable files and boot sectors.
This dual infection method makes them particularly virulent and challenging
to eradicate, as cleaning one area doesn't eliminate the virus entirely.
Stealth Viruses: Stealth viruses use various techniques to hide their presence
from antivirus software and system tools. They may intercept system calls that
would detect them, returning fake "clean" information or temporarily
removing themselves from infected files during scans.
Polymorphic Viruses: Polymorphic viruses change their code structure with
each infection, making them difficult to detect with signature-based antivirus
software. They use encryption and code mutation techniques to create
functionally equivalent but structurally different variants of themselves.
Macroviruses: Macroviruses infect documents and spreadsheets that support
macros, typically spreading through email attachments. They are written in
macro languages like VBA (Visual Basic for Applications) and can affect
cross-platform applications like Microsoft Office.
ActiveX and Java Applet Viruses: These viruses exploit vulnerabilities in
ActiveX controls or Java applets to infect systems through web browsers. They
can be embedded in web pages and execute when a user visits an infected site,
potentially bypassing traditional antivirus measures due to their web-based
nature.
Trojan Horses and Backdoors
Trojan Horses
❑ A Trojan Horse, often simply called a Trojan, is a type of malicious
software that disguises itself as legitimate software to trick users into
installing it. Unlike viruses or worms, Trojans do not self-replicate.
Instead, they rely on social engineering tactics to spread, e.g. via e-mail or
bundled with other software downloaded from the Internet.
❑ Once installed, a Trojan can perform various malicious actions, often
providing unauthorized access to the infected system.
❑ Key characteristics:
Disguised as useful software
Does not self-replicate
Requires user action to install
Often used to create backdoors
❑ Typical Examples of Threats by Trojans:
Remote Access Trojans (RATs): Allow for file manipulation, keylogging, and
webcam/microphone access
Banking Trojans: Often use web injection techniques to manipulate banking
websites in order to steal financial information and login credentials
Backdoor Trojans: Bypass authentication and security measures in order to
create hidden access points for attackers
Mobile Trojans: Often disguised as legitimate apps
Backdoor
❑ A backdoor is a covert method of bypassing normal authentication or
encryption in a computer system, network, or software application. It's
essentially a secret entry point that allows someone to gain unauthorized
access to a system, often with elevated privileges.
❑ What does a Backdoor do?
Provides unauthorized access: Allows attackers to enter a system without
going through proper authentication procedures.
Maintains persistent access: Ensures that the attacker can return to the system
even if the initial entry point is discovered and closed.
Bypasses security measures: Circumvents firewalls, intrusion detection
systems, and other security controls.
Enables remote control: Allows the attacker to manipulate the system, execute
commands, or exfiltrate data from a remote location.
Conceals malicious activities: Often designed to hide its presence from system
administrators and security software.
❑ Examples of Backdoor Trojan
Back Orifice: A notorious Windows backdoor from the late 1990s. Provided
remote administration capabilities. Could be easily hidden from the user.
Bifrost: A remote access tool that can be used as a backdoor. Provides features
like file management, keystroke logging, and screen capture.
Netcat: A legitimate networking utility that can be misused as a backdoor.
Allows for creating network connections and executing remote shells
Tini: A tiny backdoor for Windows systems. Creates a remote shell with
system-level privileges. Extremely small in size, making it difficult to detect
Steganography
❑ Steganography is the practice of concealing information within another
piece of data, typically a digital file, in such a way that it's not easily
detectable. Unlike encryption, which makes data unreadable,
steganography hides the very existence of the secret information.
❑ How Steganography Works:
1. Carrier Selection: Choose a carrier file (e.g., image, audio, video) to hide the
secret data.
2. Data Embedding: Insert the secret information into the carrier file using
various techniques:
Least Significant Bit (LSB) insertion: Modifying the least significant bits
of pixel values in images.
Spread Spectrum: Spreading the secret data across the frequency
spectrum of audio files.
Discrete Cosine Transform (DCT): Altering coefficients in JPEG
compression.
3. Stego-object Creation: The result is a stego-object that appears normal but
contains hidden information.
4. Transmission: The stego-object is sent through normal communication
channels.
5. Extraction: The recipient uses a corresponding extraction algorithm to
retrieve the hidden data.
❑ While steganography has legitimate uses (e.g., watermarking, secure
communication), it can also be misused for malicious purposes like data
exfiltration or covert communication by threat actors.
❑ Example Tools:
Steghide: Open-source steganography software. Supports embedding data in
BMP, JPEG, WAV, and AU files. Uses strong encryption for the embedded
data.
OpenStego: Java-based steganography tool. Supports various algorithms
including LSB and random LSB. Can hide any type of file within image files.
Stegosuite: Java-based steganography tool. Supports BMP, GIF, JPEG, and
PNG formats. Offers password protection for hidden data.
Steganalysis
❑ Steganalysis is the study and practice of detecting and extracting hidden
information from files or communications that have been concealed using
steganography techniques. It's essentially the counterpart to
steganography, aimed at uncovering covert messages and data.
❑ Purpose of Steganalysis:
Identify whether a file or communication contains hidden information.
Recover the concealed data if present.
Render the hidden information unreadable or destroy it.
Determine the nature and size of the hidden data.
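The LSB insertion step from the Steganography section and the detection goal of Steganalysis can both be shown on the same data. The block below is an added example, not code from the slides or from any of the tools named above: `embed` writes a length header and the secret into the least significant bit of each sample, `extract` reverses it, and `lsb_ones_fraction` is a deliberately simple steganalysis indicator. The carrier is a constructed array of 8-bit samples whose LSBs are all zero (an assumption standing in for image pixels), chosen so the statistical change caused by embedding is visible; real steganalysis uses stronger tests, such as a chi-square test over pairs of values, rather than this raw fraction.

```python
import struct

# Constructed carrier: 4096 eight-bit samples, all even, i.e. every LSB is 0 (assumption).
CARRIER = bytes(((i * 37) % 128) * 2 for i in range(4096))
SECRET = b"meet at dawn"   # constructed message


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier, secret):
    """Hide `secret` in the LSB of successive carrier samples.
    A 32-bit big-endian length header precedes the payload so extraction knows where to stop."""
    payload = struct.pack(">I", len(secret)) + secret
    needed = len(payload) * 8
    if needed > len(carrier):
        raise ValueError(f"carrier too small: need {needed} samples, have {len(carrier)}")
    stego = bytearray(carrier)
    for index, bit in enumerate(_bits(payload)):
        stego[index] = (stego[index] & 0xFE) | bit   # clear the LSB, then set it to the secret bit
    return bytes(stego)


def extract(stego):
    """Read the length header from the first 32 samples, then that many bytes."""
    def read_bytes(offset, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds carrier size; not a valid stego-object")
    return read_bytes(32, length)


def lsb_ones_fraction(samples, count):
    """Share of the first `count` samples whose LSB is 1. Secret data is close to
    half ones and half zeros, so an embedded region drifts toward 0.5."""
    region = samples[:count]
    return sum(s & 1 for s in region) / len(region)


if __name__ == "__main__":
    stego = embed(CARRIER, SECRET)
    print("recovered:", extract(stego))
    print("LSB ones before:", lsb_ones_fraction(CARRIER, 128))
    print("LSB ones after: ", lsb_ones_fraction(stego, 128))
```

Note what this indicator cannot do: on a natural photograph the LSB plane is already close to random, so a plain ones-fraction will not separate carrier from stego-object; that is why practical steganalysis compares the frequencies of value pairs (2k, 2k+1), which LSB embedding tends to equalize.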
DoS and DDoS Attacks
Denial of Service (DoS) Attacks
❑ A DoS attack is a malicious attempt to disrupt the normal functioning of a
targeted system, service, or network by overwhelming it with a flood of
traffic or exploiting vulnerabilities that cause the system to crash or
become unresponsive.
❑ Symptoms of a DoS Attack:
1. Unusually slow network performance
2. Unavailability of a particular website or service
3. Inability to access any website
4. Dramatic increase in the number of spam emails received
5. Disconnection of a wireless or wired internet connection
❑ What DoS Attacks Can Do:
1. Render websites or services completely inaccessible to legitimate users
2. Cause intermittent or degraded service availability
3. Consume all available network bandwidth
4. Deplete system resources like CPU, memory, or disk space
5. Incur costs for mitigation and recovery efforts
6. Erode customer trust and satisfaction
❑ Types of Denial of Service (DoS) attacks:
1. Flood Attack: Flood attacks overwhelm a target system or network by sending
a massive volume of traffic, exhausting resources like bandwidth, CPU, or
memory. Common types include ICMP floods, UDP floods, and HTTP floods,
all aiming to make the target unavailable to legitimate users.
2. Ping of Death Attack: The Ping of Death attack involves sending oversized or
malformed ping packets to a target system. These packets, when reassembled,
exceed the maximum allowable size, potentially causing buffer overflows and
system crashes in vulnerable systems.
3. SYN Attack: SYN attacks exploit the TCP three-way handshake by sending
numerous SYN requests but never completing the handshake. This leaves
half-open connections on the server, exhausting its resources and preventing
legitimate connections.
4. Teardrop Attack: Teardrop attacks send fragmented packets with overlapping
offset fields to the target. When the system tries to reassemble these
malformed packets, it can crash or freeze, especially in older operating
systems with vulnerabilities in their TCP/IP fragmentation reassembly code.
5. Smurf Attack: A Smurf attack involves sending ICMP echo requests (pings) to
a network broadcast address, spoofing the source IP as the victim's. All devices
on the network respond to the victim, amplifying the attack and overwhelming
the target with responses.
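The SYN attack described in item 3 leaves half-open connections behind: SYNs that are never followed by the client's completing ACK. As an added example (not from these slides), the detector below replays a constructed list of connection events and flags any source that accumulates too many unanswered SYNs inside a sliding window. The event format, the addresses (taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24), the one-second window and the threshold of 20 are all assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed connection events as a flow sensor might emit them: (time_s, client_ip, flag).
# "S" = client SYN, "A" = the client's final ACK completing the three-way handshake.
# 198.51.100.7 completes every handshake; 203.0.113.5 sends SYNs and never completes one.
SAMPLE_EVENTS = []
for i in range(5):
    SAMPLE_EVENTS.append((i * 0.2, "198.51.100.7", "S"))
    SAMPLE_EVENTS.append((i * 0.2 + 0.05, "198.51.100.7", "A"))
for i in range(40):
    SAMPLE_EVENTS.append((0.5 + i * 0.01, "203.0.113.5", "S"))


def flag_syn_flood_sources(events, window_s=1.0, threshold=20):
    """Return the set of client IPs that reach `threshold` half-open connections
    (SYN without a completing ACK) inside any `window_s` sliding window.
    Window and threshold are assumed values to tune per environment."""
    pending = defaultdict(deque)   # per source: timestamps of SYNs not yet acknowledged
    flagged = set()
    for ts, src, flag in sorted(events):
        queue = pending[src]
        if flag == "A":
            if queue:
                queue.popleft()    # one handshake completed
            continue
        if flag != "S":
            continue
        queue.append(ts)
        while queue and queue[0] < ts - window_s:   # forget SYNs older than the window
            queue.popleft()
        if len(queue) >= threshold:
            flagged.add(src)
    return flagged


def half_open_counts(events):
    """Final number of unanswered SYNs per source, for a summary line in a report."""
    counts = defaultdict(int)
    for _, src, flag in sorted(events):
        if flag == "S":
            counts[src] += 1
        elif flag == "A" and counts[src] > 0:
            counts[src] -= 1
    return dict(counts)


if __name__ == "__main__":
    print("suspected SYN flood sources:", flag_syn_flood_sources(SAMPLE_EVENTS))
    print("half-open connections per source:", half_open_counts(SAMPLE_EVENTS))
```

Because a real flood usually spoofs its source addresses, a per-source count like this is most useful on the server's own half-open connection table (where the count is per server port, not per client); the per-source view shown here is the right one for an unspoofed flood or for a sensor behind anti-spoofing filters.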
DoS Attacks
❑ Tools used to launch DoS attacks:
1. Jolt2: Jolt2 is a tool designed to exploit fragmentation handling vulnerabilities
in older TCP/IP stacks. It sends a stream of fragmented IP packets to the
target, potentially causing system crashes or freezes in vulnerable systems.
2. Nemesy: Nemesy is a network packet crafting and injection tool that can be
used to generate various types of malformed packets. It allows for the creation
of custom packets with specific attributes, making it useful for testing network
stacks and potentially launching DoS attacks.
3. Targa: Targa is a suite of network stress testing tools capable of generating
multiple types of DoS attacks. It includes modules for various attack vectors
like Ping of Death, Teardrop, and Land attacks, making it a versatile tool for
testing network resilience.
4. Crazy Pinger: Crazy Pinger is a simple but effective tool designed to flood a
target with ICMP echo requests (pings). It can rapidly generate a large volume
of ping packets, potentially overwhelming the target's ability to process and
respond to these requests.
DDoS Attacks
❑ DDoS attacks are a more sophisticated form of DoS attacks where
multiple compromised systems (often a botnet) are used to target a single
system, service, or network. This distributed approach amplifies the
attack's power, making it more difficult to mitigate than a single-source
DoS attack.
❑ DDoS attacks can overwhelm targets with traffic, exhaust resources, or
exploit vulnerabilities at a massive scale.
❑ Tools used to launch DDoS attacks:
Trinoo: Trinoo is one of the earliest DDoS tools, using UDP flood attacks
coordinated across multiple systems. It consists of masters and daemons, with
the masters controlling the daemons to launch synchronized attacks on
targets.
Tribe Flood Network (TFN): TFN is a more advanced tool than Trinoo,
capable of launching various types of attacks including SYN floods, UDP
floods, and ICMP floods. It uses a similar master-daemon architecture but
with encrypted communications between nodes.
Stacheldraht: Stacheldraht combines features of Trinoo and TFN, adding
encrypted communication between attackers and masters. It can perform
multiple types of floods and includes automatic update capabilities for the
attack network.
Shaft: Shaft is similar to Trinoo but with enhanced features like encrypted
communications and the ability to switch master servers during an attack. It's
known for its ability to generate high-volume UDP and ICMP flood attacks.
MStream: MStream is designed specifically for launching massive TCP SYN
flood attacks. It uses a master-slave architecture and can spoof source IP
addresses, making the attack harder to trace and mitigate.
SQL Injection
❑ SQL Injection (SQLi) is a type of cyber attack where an attacker exploits
vulnerabilities in an application's software by inserting or "injecting"
malicious SQL code into a query. This allows the attacker to interfere
with the queries that an application makes to its database. If successful,
an SQL injection attack can lead to unauthorized access to database
contents, including sensitive data, or even control over the database
server.
❑ Thus it is a vulnerability that consists of an attacker interfering with the
SQL queries that an application makes to a database.
❑ In an SQL Injection attack, the attacker takes advantage of user input
fields (such as login forms, search boxes, or any web form) that are not
properly sanitized or validated. By injecting specially crafted SQL
commands into these input fields, the attacker can manipulate the SQL
query executed by the database, potentially gaining unauthorized access
to data, modifying or deleting data, or even executing administrative
operations on the database.
Impact of SQL Injection Attacks
❑ Unauthorized access to sensitive data
Confidentiality – SQLi can be used to view sensitive information, such as
application usernames and passwords
Integrity – SQLi can be used to alter data in the database
Availability – SQLi can be used to delete data in the database
❑ Remote code execution on the operating system
Steps for an SQL Injection Attack
❑ The attacker first identifies input fields in a web application where user
input is directly included in SQL queries. These could be login forms,
search boxes, feedback forms, etc.
❑ Once a vulnerable input field is identified, the attacker crafts malicious
SQL code designed to alter the intended SQL query. For example, instead
of entering a legitimate username, the attacker might enter something
like:
' OR '1'='1'; --
This code might trick the database into executing a query that always
returns true, potentially bypassing authentication
❑ The attacker enters the malicious SQL code into the vulnerable input
field. If the application is not properly sanitizing the input, this code will
be executed by the database.
❑ The attacker analyzes the response from the server to determine if the
attack was successful. If the injection worked, the attacker might see
unauthorized data, gain access to the database, or receive confirmation
that the query was manipulated.
Example of an SQL Injection Attack
❑ Suppose a web application has a login form where users enter their
username and password. The application might use the following SQL
query to check if the user exists in the database:
SELECT * FROM users WHERE username = 'user' AND password = 'pass';
❑ An attacker could input the following into the username field:
' OR '1'='1
❑ This would result in the following SQL query:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
Types of SQL Injection
❑ In-Band SQL Injection: In-band SQLi occurs when the attacker uses the
same communication channel to both launch the attack and gather the
result of the attack.
Retrieved data is presented directly in the application web page.
❑ Easier to exploit than other categories of SQLi
❑ Error-based SQLi is an in-band SQLi technique that forces the database
to generate an error, giving the attacker information upon which to refine
their injection.
❑ Example (input and output): not reproduced in the text.
❑ Union-based SQLi is an in-band SQLi technique that leverages the UNION SQL
operator to combine the results of two queries into a single result set.
❑ Example (input and output): not reproduced in the text.
❑ Inferential (Blind) SQL Injection: SQLi vulnerability where there is no
actual transfer of data via the web application.
❑ Just as dangerous as in-band SQL injection
Attacker able to reconstruct the information by sending particular requests
and observing the resulting behavior of the DB Server.
❑ Takes longer to exploit than in-band SQL injection
❑ Boolean-based SQLi is a blind SQLi technique that uses Boolean
conditions to return a different result depending on whether the query
returns a TRUE or FALSE result.
Example (URL, backend query, payload #1 (False) and payload #2 (True) with their
backend queries, and a Users table example with its payloads and backend queries):
not reproduced in the text.
❑ Time-based SQLi is a blind SQLi technique that relies on the database
pausing for a specified amount of time, then returning the results,
indicating a successful SQL query execution.
❑ Example query (described in words): if the first character of the
administrator's hashed password is an 'a', wait for 10 seconds.
→ response takes 10 seconds → first letter is 'a'
→ response doesn't take 10 seconds → first letter is not 'a'
