Weekly Assignment 04 - 21049716 - Upendra Chaudhary

Module Code & Module Title

CC5004NI - Security in Computing

Assessment Type
weekly assignment

Semester
2022 Autumn

Student Name: Upendra Chaudhary


London Met ID: 21049716
College ID: NP01NT4A210127
Assignment Due Date: March 27, Monday
Assignment Submission Date: March 27, Monday
Word Count (Where Required):
I confirm that I understand my coursework needs to be submitted online via Google Classroom under the
relevant module page before the deadline in order for my assignment to be accepted and marked. I am
fully aware that late submissions will be treated as non-submission and a mark of zero will be awarded.
Question 01. What makes post connection network attacks severe from an
organization’s view of their information security posture?

Ans: From the perspective of an organization's information security posture, post-connection
network attacks are a serious concern because an attacker who has already gained access to
the network or a system has bypassed the organization's initial security controls, such as
firewalls and access control, and can compromise it further. This can result in significant
damage to the organization, including data theft, financial loss and reputational harm.

Question 02. Define what are eavesdropping attacks in computer networks. List
and elaborate a few possible outcomes of this information threat.

Ans: Eavesdropping attacks, also known as sniffing attacks, are a type of information
security threat in computer networks in which an attacker intercepts network traffic and listens
to the conversation between two parties to gather sensitive or confidential information.
Some possible outcomes of this information threat are elaborated below:

• Identity and data theft: The attack can result in the theft of personal information and of
confidential and sensitive data.
• Information leakage: These attacks are mostly used for gathering sensitive information
about individuals as well as corporations, which can result in the loss of privacy,
strategies and plans.
• Compromised system security: Attackers can also compromise the security of
the network or gain unauthorized access to systems.
Question 03. Write a detailed entry on man in the middle attacks.

Ans: A man-in-the-middle attack is a type of cyberattack in which a malicious actor intercepts the
communication between two parties to spy on or alter the messages. Such attacks can
happen on any communication channel, including email, phone calls, web browsing, etc.
The most common form of MITM attack is through unsecured Wi-Fi networks, where
the attacker sets up a fake Wi-Fi network or infiltrates an existing Wi-Fi network so that it is
under the attacker's control. When a user connects to this network, the attacker can
intercept and read all the data communicated between the user and the internet. The data
could include sensitive information which can be misused in the wrong hands.

Question 04. Describe the use case of the ARP network protocol and also elaborate
what makes them vulnerable to getting their cache poisoned using false data.

Answer: The Address Resolution Protocol (ARP) is a network protocol used to map a
network address (such as an IP address) to a physical address (such as a MAC address)
on a local network. When a device needs to communicate with another device on the
same network, it sends an ARP request to obtain the physical address of the destination
device. The ARP request is broadcast to all devices on the network, and the device with
the matching IP address responds with its physical address. However, ARP
is vulnerable to ARP cache poisoning or ARP spoofing, where an attacker sends false
ARP messages to a device on the network, causing future communication to be
intercepted by the attacker. ARP cache poisoning can be used for attacks such as
man-in-the-middle or denial-of-service attacks. To prevent this, network administrators can use
measures like static ARP tables, monitoring ARP traffic, and configuring devices to detect
and prevent ARP spoofing. Tools like ARPsec can also add cryptographic security to the
ARP protocol to protect against ARP cache poisoning.

Question 05. Which terminal command in Linux and windows can be used to view
the ARP cache of a computer system?
Answer: In Linux, the terminal command to view the ARP cache is "arp -a". This
command displays the current ARP cache entries in the system.

In Windows, the terminal command to view the ARP cache is "arp -a". This command
displays the current ARP cache entries in the system.

Question 06. How can we initiate the process of verifying if a machine’s ARP cache
can be poisoned, using the arpspoof tool?

Answer: We can initiate the process of verifying if a machine's ARP cache can be
poisoned, using the arpspoof tool, by following the steps listed below:

• Identify the IP address of the target machine and the gateway/router on the
network.
• Open a terminal and type the following command: "arpspoof -i [interface] -t
[target IP] [gateway/router IP]"
• Replace "[interface]" with the name of the network interface being used (e.g.,
eth0, wlan0, etc.).
• Replace "[target IP]" with the IP address of the target machine you want to test.
• Replace "[gateway/router IP]" with the IP address of the network gateway/router.
• Press Enter to execute the command.
• Check if the target machine is able to connect to the internet or communicate
with other devices on the network. If it is unable to do so, it is likely that its ARP
cache has been successfully poisoned by the arpspoof tool.

Question 07. What logical modifier are we looking for, when we are verifying if an
ARP cache has been compromised?

Answer: When verifying if an ARP cache has been compromised, we are looking for the
logical modifier "is-at" in the ARP cache entries. This modifier indicates the MAC address
of the device associated with a particular IP address. If the MAC address for a particular
IP address is not the expected MAC address of the device, it could indicate that the ARP
cache has been compromised by ARP cache poisoning or ARP spoofing.
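As an added example (not part of the original assignment), the following Python script automates the check described in Questions 4, 5 and 7: it parses the output of "arp -a" in both the Linux and Windows formats, compares each IP-to-MAC ("is-at") mapping against a trusted baseline recorded earlier, and flags an entry whose MAC has changed as well as any MAC that answers for more than one IP address, which is what the cache looks like when a gateway entry has been overwritten. The sample output, the baseline and the helper names (parse_arp_output, find_suspicious_entries, check) are constructed for this example.

```python
"""Check an ARP cache for signs of poisoning.

Added example for this page, not part of the original assignment. It parses
`arp -a` output (Linux and Windows formats) and compares it with a trusted
baseline; all sample output and addresses below are constructed.
"""
import re
from collections import defaultdict

# Linux `arp -a` line:   "gateway (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0"
LINUX_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
# Windows `arp -a` line: "  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic"
WINDOWS_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)


def normalize_mac(mac):
    """Lower-case, colon-separated form so Linux and Windows entries compare equal."""
    return mac.lower().replace("-", ":")


def is_group_address(mac):
    """Broadcast/multicast MACs legitimately map to many IPs; skip them."""
    return mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e")


def parse_arp_output(text):
    """Return {ip: mac} from Linux or Windows `arp -a` output (hypothetical helper)."""
    table = {}
    for line in text.splitlines():
        m = WINDOWS_RE.match(line) or LINUX_RE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def find_suspicious_entries(table, baseline):
    """Compare a parsed ARP table against a trusted baseline {ip: mac}.

    Returns a sorted list of (ip, reason):
      "changed"       - the MAC for a known IP differs from the baseline
      "duplicate-mac" - one MAC is the "is-at" answer for several IPs, the
                        classic symptom of a gateway entry pointing at another host
    """
    findings = []
    for ip, mac in table.items():
        expected = baseline.get(ip)
        if expected is not None and expected != mac:
            findings.append((ip, "changed"))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if not is_group_address(mac):
            by_mac[mac].append(ip)
    for ips in by_mac.values():
        if len(ips) > 1:
            findings.extend((ip, "duplicate-mac") for ip in ips)
    return sorted(findings)


# Constructed baseline recorded on a known-good day.
BASELINE = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

# Constructed Linux output after the gateway entry was overwritten: the
# gateway IP and host .66 now both resolve to the same MAC.
LINUX_POISONED = """\
gateway (192.168.1.1) at de:ad:be:ef:00:66 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:20 [ether] on eth0
? (192.168.1.66) at de:ad:be:ef:00:66 [ether] on eth0
"""

# Constructed Windows output with nothing out of the ordinary.
WINDOWS_CLEAN = """\
Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.66          de-ad-be-ef-00-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def check(text, baseline=BASELINE):
    """Parse one `arp -a` dump and return its findings against the baseline."""
    return find_suspicious_entries(parse_arp_output(text), baseline)


if __name__ == "__main__":
    for label, sample in (("linux", LINUX_POISONED), ("windows", WINDOWS_CLEAN)):
        print(label, check(sample) or "no findings")
```

On a real host the text would come from running "arp -a" (or "ip neigh" on newer Linux systems) rather than from the constructed strings; the baseline should be captured while the network is known to be clean, and a "changed" finding for the gateway entry is the one to treat most urgently.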

Question 08. How can we initiate the process of verifying if a machine’s ARP cache
can be poisoned, using the bettercap framework?

Answer: We can initiate the process of verifying if a machine's ARP cache can be
poisoned using the bettercap framework by following these steps:

• Install bettercap on the machine by following the installation instructions provided on
the bettercap website.
• Open a terminal and type the following command: "sudo bettercap -T [target IP] -
G [gateway/router IP] arp.spoof on"
• Replace "[target IP]" with the IP address of the target machine you want to test.
• Replace "[gateway/router IP]" with the IP address of the network gateway/router.
• Press Enter to execute the command.
• Check if the target machine is able to connect to the internet or communicate
with other devices on the network. If it is unable to do so, it is likely that its ARP
cache has been successfully poisoned by the bettercap framework.

Question 09. When using bettercap for initiating network attacks, what do the
following commands do:

a. help

This command displays a list of available commands in the bettercap framework, along
with their descriptions and usage examples. It can be useful for users who are not familiar
with the syntax and functionality of bettercap.

b. net.show
This command displays a list of active network interfaces on the current machine, along
with their IP addresses and MAC addresses. It can be useful for users who need to
identify the IP and MAC addresses of devices on the network they are attacking.

c. caplets.show

This command displays a list of available caplets in the bettercap framework. Caplets are
prewritten scripts that automate certain attacks or tasks in bettercap. Users can browse
this list to find caplets that are relevant to their attack scenario and use them to streamline
their attack workflow.

Question 10. What are caplets used for in bettercap framework?

Answer: In the bettercap framework, caplets are pre-written scripts that automate certain
attacks or tasks. Caplets can be used to streamline an attacker's workflow by automating
repetitive tasks, performing complex attacks with a single command, or simplifying the
syntax of certain commands. Caplets can be written in several programming languages,
including Ruby, Python, and Lua, and can be easily shared among the bettercap
community. Some common use cases for caplets include automating SSL stripping
attacks, performing credential harvesting attacks, and exploiting common vulnerabilities
such as weak passwords or unpatched software.

Question 11. Write a detailed entry on DNS spoofing.

Answer: DNS spoofing, also known as DNS cache poisoning or DNS hijacking, is a type
of cyber-attack that exploits vulnerabilities in the Domain Name System (DNS) to redirect
users to malicious websites. DNS is a system that translates domain names (such as
google.com) into IP addresses (such as 192.168.1.2) that can be understood by
computers. When a user types a domain name into their web browser, the browser sends
a request to a DNS server to obtain the IP address associated with that domain name.
The DNS server responds with the IP address, and the browser then connects to that IP
address to access the website.
In a DNS spoofing attack, an attacker intercepts the DNS request and sends a fake
response to the user's computer with a different IP address. The fake response is cached
by the user's computer, and all future requests to that domain name are redirected to the
IP address specified by the attacker. This allows the attacker to redirect users to a fake
website that can steal sensitive information such as login credentials, credit card
numbers, or personal data.
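The answer above describes a forged DNS response being accepted and cached. As an added example (not part of the original assignment), the following Python script builds a DNS query and then constructs both a genuine response and two forged ones, and shows the checks a resolver applies before caching an answer: the transaction ID must match the outstanding query, the QR bit must be set, the question section must echo the query, and the answer must be for the name that was asked. The messages, the addresses (from the 192.0.2.0/24 documentation range) and the helper names (build_query, build_response, parse_message, validate_response) are this example's own.

```python
"""Validate a DNS response against the query it claims to answer.

Added example for this page, not part of the original assignment. All
messages and addresses below are constructed (192.0.2.0/24 is the
documentation range); the helper names are this example's own.
"""
import struct


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (wire-format labels)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard recursive query with one question (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, ip, qtype=1):
    """One-answer A-record response; used to construct both a genuine reply
    and the kind of forged reply described in the text."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # The answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + question + answer


def decode_name(msg, offset, max_hops=16):
    """Decode a wire-format name, following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg):
    """Parse header, question and answer sections (A records rendered as dotted IPs)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name.lower(), rtype, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def validate_response(query, response):
    """Return the reasons to reject the response; an empty list means acceptable."""
    q, r = parse_message(query), parse_message(response)
    problems = []
    if r["id"] != q["id"]:
        problems.append("transaction id mismatch")
    if not r["flags"] & 0x8000:
        problems.append("QR bit not set")
    if r["questions"] != q["questions"]:
        problems.append("question section does not echo the query")
    asked = q["questions"][0][0]
    for name, _rtype, _rdata in r["answers"]:
        if name != asked:
            problems.append("answer for a name that was not asked: " + name)
    return problems


# Constructed exchange: one query, one genuine reply, two forged replies.
QUERY = build_query(0x1234, "example.com")
GENUINE = build_response(0x1234, "example.com", "192.0.2.10")
FORGED_ID = build_response(0x9999, "example.com", "192.0.2.66")       # wrong transaction ID
FORGED_NAME = build_response(0x1234, "other.example", "192.0.2.66")   # answers a different name

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("forged-id", FORGED_ID), ("forged-name", FORGED_NAME)):
        print(label, validate_response(QUERY, msg) or "accepted")
```

The transaction ID is only 16 bits, so matching it alone is a weak defence; real resolvers also randomize the source port and, where available, validate DNSSEC signatures, which the checks here do not cover.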
