EH UNIT 1

The document outlines the curriculum for a course on Ethical Hacking, detailing key concepts, terminology, hacker classifications, hacking techniques, and phases of ethical hacking. It emphasizes the importance of information security, ethical hacking skills, and vulnerability research. Additionally, it provides references for further reading on the subject.

Uploaded by

Sid

PUSCS6042 Ethical Hacking

BY
MRS. SNEHA SHIRKAR
Textbook(s):
1) Certified Ethical Hacker Study Guide v9, Sean-Philip Oriyano, Sybex, Study Guide Edition, 2016
2) CEH Official Certified Ethical Hacking Review Guide, Wiley India Edition, 2007

Additional Reference(s):
1) Certified Ethical Hacker: Michael Gregg, Pearson Education, 1st Edition, 2013
2) Certified Ethical Hacker: Matt Walker, TMH, 2011
Unit 1 Chapter 1: Introduction
❖Terminology,
❖Hacking Technology Types,
❖Ethical Hacking Phases,
❖Hacktivism,
❖Hacker Classes,
❖Skills Required for an Ethical Hacker,
❖Vulnerability Research,
❖Ways to Conduct Ethical Hacking
What Is Security?
Information security, sometimes shortened
to InfoSec, is the practice of preventing
unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction
of information.
The information or data may take any form, e.g.
electronic or physical.
Information security's primary focus is the balanced
protection of the confidentiality, integrity and
availability of data while maintaining a focus on
efficient policy implementation, all without
hampering organization productivity.
Key principles of information security
Terminology
❖Ethical Hacking:
❖Is it about cracking passwords or stealing data?
❖No, it is much more than that.
❖Ethical hacking is scanning for vulnerabilities and finding potential
threats on a computer or network.
❖An ethical hacker finds the weak points or loopholes in a
computer, web application or network and reports them to the
organization.
What is Hacking?

❖An effort to attack a computer system or a private network inside a
computer is known as hacking.
❖Simply put, it is unauthorized access to or control of computer network
security systems with the intention of committing a crime.
❖Hacking is the process of finding security holes in a computer
system or network in order to gain access to personal or corporate
information.
What is Hacking?
❖One example of computer hacking is the use of a password cracking
technique to gain access to a computer system.
❖The process of gaining illegal access to a computer system, or a group of
computer systems, is known as hacking.
❖This is accomplished by cracking the passwords and codes that grant
access to systems.
❖Cracking is the term used to describe the process of obtaining a
password or code.
The hacker is the individual who performs the hacking.
Following are some of the things that can be hacked:
•Single systems
•Email account
•A group of systems
•LAN network
•A website
•Social media sites, etc.
Hacker Classes
•White Hat Hackers:
•White hat hackers are authorized or certified hackers who work for
governments and organizations by performing penetration testing and
identifying loopholes in their cybersecurity.
•They also ensure protection from malicious cyber crimes.
•They work under the rules and regulations provided by the government;
that’s why they are called ethical hackers or cybersecurity experts.
❖Black Hat Hackers:
❖They are often called crackers. Black hat hackers gain
unauthorized access to your system and destroy your vital
data.
❖Their method of attack uses common hacking practices
they have learned earlier.
❖They are considered criminals and can be easily
identified because of their malicious actions.
❖Gray Hat Hackers:
❖Gray hat hackers fall somewhere in the category between white hat and
black hat hackers.
❖They are not legally authorized hackers.
❖They work with both good and bad intentions; they can use their skills
for personal gain. It all depends upon the hacker.
❖If a gray hat hacker uses his/her skill for personal gain, he/she is
considered a black hat hacker.
•Green Hat Hackers:
•They are also amateurs in the world of hacking, but they are a bit different
from script kiddies.
•They care about hacking and strive to become full-blown hackers.
•They are inspired by hackers and ask them a few questions.
•While the hackers answer their questions, they listen closely to whatever is new to them.
❖Blue Hat Hackers:
❖They are much like white hat hackers; they work for
companies to security-test their software right before
the product launch.
❖Blue hat hackers are outsourced by the company, unlike white
hat hackers, who are employed by (part of) the company.
❖Red Hat Hackers:
❖They are also known as eagle-eyed hackers. Like white hat hackers,
red hat hackers also aim to halt black hat hackers, but there is a major
difference in the way they operate.
❖They become ruthless when dealing with the malware actions of black
hat hackers.
❖A red hat hacker will keep attacking the black hat hacker so aggressively
that the attacker may well have to replace their whole system.
Hacking Technology Types
Phishing –
● In this type of hacking, the hacker's intention is to steal critical
information of users like account passwords, MasterCard details, etc.
● For example, hackers can replicate an original website for users to
interact with and steal critical information from the duplicate
website the hacker has created.
Virus –
● These are introduced by the hacker into the filters of the website
once they have gained entry to it.
● The purpose is to corrupt the information or resources on the
website.
UI redress –
● In this technique, the hacker creates a fake interface, and once the
user clicks on it intending to go to a particular website, they are
directed to a different website.
Cookie theft –
● Hackers access the website using malicious code and steal
cookies that contain personal information, login passwords, etc. Once they
have access to your account, they can do anything with it.
Distributed Denial-of-service(DDoS) –
● This hacking technique is aimed at taking down a website so that
users cannot access it or it cannot deliver its service.
● It brings the server down and stops it from responding, which may cause
it to return an error condition constantly.
DNS spoofing –
● This exploits the cached DNS data of a website or domain that the user
might have neglected to keep up to date. It then directs traffic to a different
malicious website.
Social Engineering –
● Social engineering is an attempt to manipulate you into sharing personal information, sometimes by
impersonating a trustworthy source.
Missing Security Patches –
● Security tools become outdated as the hacking landscape advances, and
they need frequent updates to protect against new threats.
Malware-Injection Devices –
● Cyber-criminals will use hardware to sneak malware onto your PC.
● You may have heard of infected USB sticks that can give hackers remote
access to your device when connected to your PC.

Cracking Password –
● Hackers can get your credentials through a technique known as key-logging.
Ethical Hacking Phases
1. Reconnaissance
❖ This is the first phase, where the hacker tries to collect information about
the target. It may include identifying the target and finding out the target’s IP
address range, network, DNS records, etc.
❖ Let’s assume that an attacker is about to hack a website’s contacts.
❖ They may do so by using a search engine (or a tool like Maltego), researching the target,
say a website (checking links, jobs, job titles, email, news, etc.), or using a tool like
HTTrack to download the entire website for later enumeration. From this, the
hacker is able to determine staff names, positions, and email
addresses.
2. Scanning:
❖ This phase includes the usage of tools like dialers, port scanners, network
mappers, sweepers, and vulnerability scanners to scan data.
❖ Hackers are now probably seeking any information that can help them
perpetrate attacks such as computer names, IP addresses, and user
accounts.
❖ Now that the hacker has some basic information, the hacker now moves to
the next phase and begins to test the network for other avenues of attacks.
❖ The hacker decides to use a couple of methods to this end to help map the
network (e.g. Kali Linux, Maltego, and finding an email contact to see what
email server is being used).
❖ The hacker looks for an automated email if possible or, based on the
information gathered, may decide to email HR with an inquiry about a
job posting.
3. Gaining Access:
❖ In this phase, the hacker designs the blueprint of the target's network
with the help of data collected during Phase 1 and Phase 2.
❖ The hacker has finished enumerating and scanning the network and
now decides that they have some options to gain access to the
network.
4. Maintaining Access:
❖ Once a hacker has gained access, they want to keep that access for
future exploitation and attacks.
❖ Once the hacker owns the system, they can use it as a base to launch
additional attacks.
5. Clearing Tracks (so no one can reach them):
❖ Prior to the attack, the attacker would change their MAC address and run the
attacking machine through at least one VPN to help cover their identity.
❖ They will not deliver a direct attack or any scanning technique that would be
deemed “noisy”.
❖ Once access is gained and privileges have been escalated, the hacker seeks
to cover their tracks. This includes clearing out Sent emails, clearing server
logs, temp files, etc.
❖ The hacker will also look for indications of the email provider alerting the
user of possible unauthorized logins under their account.
Hacktivism
Who are “Anonymous”?
● There are many hacktivist groups worldwide, all working towards different,
though sometimes the same, goals of disrupting or exposing the inner
workings of government or private organizations in the name of transparency
and the public good.
● The most famous of these hacktivist groups is the one known as
“Anonymous”.
● The hacker group aims to question, provoke and challenge governments,
organizations and companies who go against its moral position.
❖ Made up from the two words “hacking” and “activism,” hacktivism is a term
used to describe hacking into unauthorized networks to expose a perceived
injustice.
❖ Hacktivism is much like activism in our physical world, whereby people
cause disruption to bring about change.
❖ With hacktivism, the disruption is entirely online and usually conducted
anonymously.
❖ While not all hacktivists have malicious intent, their attacks can have real-life
consequences.
❖ For example, personal information exposed by hacktivists may be
picked up by other bad actors to carry out cyberattacks.
❖ Not only that, but hacktivist attacks can expose sensitive information,
like where a person lives, which can be dangerous if found by the
wrong people.
❖ In some cases, hacktivists may use their skills to fight for a cause,
even if the outcome is malicious.
1. Computer Networking Skills
● One of the most important skills needed to become an ethical hacker is
networking skills.
● A computer network is nothing but the interconnection of multiple
devices, generally termed hosts, connected using multiple paths to
send/receive data or media.
● Understanding networking concepts like DHCP, supernetting, subnetting, and
more will enable ethical hackers to explore the various
interconnected computers in a network and the potential security
threats that this might create, as well as how to handle those threats.
2. Computer Skills
● Computer skills are knowledge and ability which allow one to use
computers and related technology.
● Typically, basic computer skills include data processing, managing
computer files, and creating presentations.
● Advanced computer skills include managing databases, programming,
and running calculations in spreadsheets.
● Some of the most essential computer skills are MS Office,
Spreadsheets, Email, Database Management, Social Media, Web,
Enterprise systems, etc.
● An ethical hacker needs to be a computer systems expert.
3. Linux Skills
● Linux is a family of open-source Unix-like operating systems that
are based on the Linux kernel.
● It is a free and open-source operating system, and the source code can
be modified and distributed by anyone, commercially or non-commercially,
under the GNU General Public License.
● The main reason for an ethical hacker to learn Linux is that, in terms of
security, Linux is more secure than any other operating system.
● This does not mean that Linux is 100 percent secure; there is some
malware for it, but it is less vulnerable than any other operating system.
So, it does not require any anti-virus software.
4. Programming Skills
● Another very important skill needed to become an ethical hacker is
programming. So what does the word “programming” in the
computer world actually mean?
● It means “the act of writing code understood by a computational
device to perform various instructions.” So, to get better at
programming, one will be writing a lot of code!
● Before writing code, one must choose the best programming
language for the task at hand.
5. Basic Hardware Knowledge
● Computer hardware comprises the physical parts of a computer, like
the central processing unit (CPU), monitor, mouse, keyboard,
computer data storage, graphics card, sound card, speakers and
motherboard, etc.
● By contrast, the software is the set of instructions that can be stored
and run by hardware.
● For example, suppose one wants to hack a machine that is controlled
by a computer.
● First, they need to know about the machine and how it works. Then, they
have to get access to the computer that controls the machine.
● Now, the machine will have a very good software security system;
however, hackers are not deterred by that when they can get at the hardware,
so they can tamper with the hardware if they can access it.
● If one doesn’t know about hardware, then how will he/she know how
the motherboard works, how USB devices transfer data, or how CMOS and
BIOS work together, etc.?
● So one must have basic hardware knowledge also to become an
ethical hacker.
6. Reverse Engineering
● Reverse Engineering is a process of recovering the design,
requirement specifications, and functions of a product from an
analysis of its code.
● It builds a program database and generates information from this.
● The objective of reverse engineering is to expedite the maintenance
work by improving the understandability of a system and to produce
the necessary documents for a legacy system.
● In software security, reverse engineering is widely used to ensure that
the system lacks any major security flaws or vulnerabilities.
● It helps to make a system robust, thereby protecting it from hackers
and spyware.
● Some developers even go as far as hacking their own system to identify
vulnerabilities, a practice referred to as ethical hacking.
7. Cryptography Skills
● Cryptography is the study and application of techniques for secure
communication in the presence of third parties called adversaries.
● It deals with developing and analyzing protocols that prevent
malicious third parties from retrieving information being shared
between two entities, thereby upholding the various aspects of
information security.
● Cryptography deals with converting a normal text/message, known as
plaintext, into a non-readable form known as ciphertext during
transmission to make it incomprehensible to hackers.
8. Database Skills

● A DBMS is the crux of creating and managing all databases.
● Accessing a database where all the information is stored can put the
company under tremendous threat, so ensuring that this software is
hack-proof is important.
9. Problem-solving Skills
● Problem-solving skills help one to determine the source of a problem
and find an effective solution.
● Apart from the technical skills pointed above, an ethical hacker also
must be a critical thinker and dynamic problem solver.
● They must be willing to learn new ways and ensure all security
breaches are thoroughly checked.
● This requires tons of testing and an ingenious penchant for devising new
ways of problem-solving.
Vulnerability Research
● Vulnerability can be defined as an issue in the software code that a
hacker can exploit to harm the systems. It can be a gap in the
implementation of cybersecurity procedures or a weakness in the
controls.
● Vulnerability research is the process of analyzing protocols, services,
and configurations to discover the vulnerabilities and design flaws that
will expose an operating system and its applications to exploit, attack,
or misuse.
A security administrator needs vulnerability research:

● To gather information about security trends, newly discovered
threats, attack surfaces, attack vectors and techniques.
● To find weaknesses in the OS and applications and alert the
network administrator before a network attack.
● To understand information that helps prevent security problems.
● To know how to recover from a network attack.
Ways to Conduct Ethical Hacking
Ethical hacking techniques are used by security professionals to find and
fix vulnerabilities that threaten computer systems and networks. These
techniques include:
Penetration Testing
● The term "pentesting," which is short for "penetration testing," refers to
a sort of cybersecurity evaluation in which a computer system,
network, or web application is subjected to a simulation of an attack in
order to find vulnerabilities that could be exploited by malevolent
hackers.
● Pentesting seeks to find potential security flaws before attackers can
exploit them, allowing for their remediation or mitigation to stop
security breaches.
● Pentesting often entails probing the target system or application for
vulnerabilities using a combination of automated tools and manual
procedures, and then making an effort to exploit those vulnerabilities
to get access to private data or resources.
Social engineering
● Social engineering is the practice of using psychological trickery and
deception to persuade individuals to take specific activities or divulge
private information.
● Cybercriminals frequently employ this tactic to deceive people into
disclosing sensitive information or taking part in activities that could
result in security breaches.
● Attacks using social engineering techniques include phishing emails,
luring, pretexting, and quid pro quo, among others.
● These attacks can be difficult to recognize and resist because they
usually feed on human emotions like fear, trust, and haste.
● Therefore, it is important for individuals and organizations to be aware
of social engineering techniques and take preventative measures to
avoid them.
Network scanning
● Identifying all active hosts and devices on a network — as well as their
operating systems, open ports, and other pertinent data — is the aim of
network scanning.
● This knowledge can help network administrators and security
professionals recognize potential vulnerabilities, comprehend the network
topology, and increase network security by putting the required security
measures in place.
● However, before launching an attack, attackers can use network scanning
to learn more about a target network. This involves using software tools to
scan networks for open ports, vulnerabilities, and other weaknesses.
Vulnerability assessment
This involves identifying vulnerabilities in software or hardware that could
be exploited by attackers, and often includes running scans on systems or
analyzing code.
Password cracking
This involves attempting to guess or crack passwords using various
techniques, such as brute force attacks, dictionary attacks, or rainbow
table attacks.
SQL injection
This technique involves inserting malicious code into a SQL database
through a web application that does not properly validate user input. This
can allow attackers to gain unauthorized access to sensitive data.
Cross-site scripting (XSS)
This technique involves injecting malicious code into a web page that is
then executed in the victim's web browser. This can allow attackers to
steal sensitive information, such as usernames and passwords.
Denial of service
Ethical hackers use denial-of-service attacks to test the resilience of
computer systems and networks. This involves overwhelming systems
with traffic to see how they respond to a simulated attack.
Unit 1 Chapter 2 Footprinting
❖ Definition,
❖ Information Gathering Methodology,
❖ Competitive Intelligence,
❖ DNS Enumeration,
❖ Whois and ARIN Lookups,
❖ Types of DNS Records,
❖ Traceroute in Footprinting,
❖ E-Mail Tracking
Definition
The act of gathering information about a targeted system and creating a network
and systems map of an organization is known as Footprinting.

It falls in the preparatory pre-attack phase, where all the details regarding an
organization’s network architecture, application types, and physical location of
the target system are collected.

Post Footprinting, the hacker gets a better understanding and picture of the
location, where the desired information is stored, and how it can be accessed
What is Footprinting in Ethical Hacking
❖ Footprinting in ethical hacking is basically the ethical and legal use of
footprinting to safeguard systems from hacking or any cyber attack.
❖ You can hack into the system to identify vulnerabilities, open ports of the system,
and much more.
❖ Knowing these reduces the chances of an attack, even though threats always
exist.
Types of Footprinting
There are 2 types of Footprinting:
• Active Footprinting
• Passive Footprinting
Active Footprinting
When the hacker tries to perform footprinting by getting directly in touch with the
targeted system, it is known as Active Footprinting.
Passive Footprinting
On the other hand, when the attacker gathers information about the target system
through openly available sources, it is known as Passive Footprinting. There are many
such sources available on the internet from where hackers can get the necessary
information about the organizations or individuals.
❖ Information Gathering Methodology
There are two types of traditional methods of information gathering:

• Passive information gathering
• Active information gathering
Passive Information Gathering
❖ Passive information gathering takes place before active information gathering
during the information-gathering phase.
❖ The purpose of passive information gathering is to collect information about the
target network without establishing direct interaction with the target.
❖ It uses an intermediate system for interaction.
❖ During information gathering, a blueprint of the target network infrastructure is
prepared.
❖ Each and every branch has a unique blueprint. Passive information gathering
does not directly interact with the target; that's why it is harmless for the target
organization.
❖ Active information gathering is more aggressive than passive
information gathering.
❖ Passive information gathering does not require direct interaction with the target
organization, unlike active information gathering.
❖ In passive information gathering, the client probes the target system for
information using an intermediate system.
In passive information gathering, when we perform information gathering, we have
four intentions. These are as follows:
• We want to gather all the available information on the network about the target,
whether actively or passively.
• We want to find the versions of web servers, platforms, operating systems, etc.
• We want to perform techniques like DNS fingerprinting, Whois lookup, other queries
related to network and organization.
• We want to identify vulnerabilities and exploits so that we can launch the attack.
Active Information Gathering
❖ Active information gathering is the process of collecting more information about
the target network by directly interacting with the target; the target is directly
probed by the client.
❖ It is illegal to do this without authorization. Active information gathering can
use OS fingerprinting, port scanning, DNS enumeration, etc.
❖ The main goal of active information gathering is to collect all the possible
information about the target, just like passive information gathering.
❖ As compared to passive information gathering, active information gathering
may reveal much more information. In active information gathering, there is
always a chance that the security alarms of the target system go off.
❖ Since the target system and the attacker have a direct connection, all the
requested information would be logged and can later be traced back to the
source.
❖ In active information gathering, we can conduct a port scan to find out all the
open ports on the target.
❖ We can also conduct scans to find out all the services that are running on the
target network.
❖ The services running on each system present another opportunity for
exploitation.
❖ While performing active information gathering, if we become careless, we might
be caught by an IPS (intrusion prevention system) or IDS (intrusion detection
system).
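Added example, not from the course material: the logging described above is what lets a defender catch active scanning. The Python below parses constructed firewall log lines (the line format and all addresses are assumptions) and flags any source that probes many distinct ports on one host inside a short window, which is the signature of the port scanning discussed in the network scanning and active information gathering sections.

```python
"""Flag port-scan behaviour in firewall logs: many distinct ports, one source,
one destination, short time window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like; not taken from any real device).
# 198.51.100.7 sweeps 11 ports in 5 seconds; the other sources are normal traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=21
2024-05-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=22
2024-05-01T10:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=23
2024-05-01T10:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=25
2024-05-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80
2024-05-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=110
2024-05-01T10:00:04 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=143
2024-05-01T10:00:04 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2024-05-01T10:00:05 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=445
2024-05-01T10:00:05 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=3389
2024-05-01T10:00:06 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=8080
2024-05-01T10:01:00 ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=443
2024-05-01T10:05:00 ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=443
2024-05-01T10:09:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=22
2024-05-01T10:20:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "action": d["action"],
        })
    return events


def find_port_scanners(events, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): sorted ports} for every source that touched at least
    min_ports distinct ports on one destination within any `window`-long span.

    Both DROP and ACCEPT events count: a scan of open ports still produces
    ACCEPT lines, and counting only drops would miss it.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        start = 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts[pair] = sorted(best)
    return alerts
```

Thresholds are the tuning knobs: a wide window with a low port count catches slow scans but also ordinary clients, so in practice the values are set from a baseline of normal traffic.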
❖ Competitive Intelligence
Competitive intelligence gathering is the process of gathering information
about competitors from resources such as the Internet.
E.g.: company website, search engines, the internet, online databases, press
releases, annual reports, trade journals.
❖ DNS Enumeration
❑ DNS Footprinting is a technique that is used by an attacker to gather DNS
information about the target system.
❑ DNS Footprinting allows the attacker to obtain information about the DNS Zone
Data, which includes:
• DNS Domain Names
• Computer Names
• IP Addresses
• Network related information
Some of the main records that are important in DNS Footprinting are as follows:
❖ Whois and ARIN Lookups
❑ Whois footprinting is an ethical hacking practice that collects data about targets and
their condition.
❑ This is the pre-attack phase; the activities performed will be stealthy, and best
efforts will be made to prevent the target from tracking you.
❑ Footprinting is then the first significant step, as penetration testers learn how
hackers see the system.
Domain Name Information
You can use the http://www.whois.com/whois website to get detailed information about a
domain name, including its owner, registrar, date of registration, expiry,
name servers, owner's contact information, etc.
❑ The cybersecurity footprinting process involves profiling your organization and
collecting data about your network, hosts, employees, and third-party partners.
❑ This information includes the operating system, firewall, network card, IP address,
domain name system information, target computer security
configuration, URL, virtual private network, employee ID, email address, and phone
number used by your organization.
• Whois footprinting is the act of collecting information about an organization or a large group of
internet users by requesting Whois public records from a host like .com or .net.
• The main purpose of footprinting is to find out who owns domains that are hosted on
different domains and what we can do with this information.
• There are two main ways of obtaining this information: passive and active. Passive
information gathering means that you simply use search engines to get what you need,
while active means that you query the Whois database directly.
• When it comes to active scanning, you need to be aware that this is illegal in many
countries.
• There are a number of ways to run Whois footprinting, though some are better than
others. The easiest way would be to use online lists which contain information on
thousands of registrars and hosting providers. These can include domain search engines,
domain registrars, hosting companies and many others.
ARIN
IP Address Ranges
Small sites may have a single IP address associated with them, but larger
websites usually have multiple IP addresses serving different domains and
sub-domains.
You can obtain a range of IP addresses assigned to a particular company
using American Registry for Internet Numbers (ARIN).
You can enter company name in the highlighted search box to find out a
list of all the assigned IP addresses to that company.
ARIN
ARIN is the American Registry for Internet Numbers, a non-profit corporation that
assigns IP addresses to organizations in North America and beyond.
ARIN’s Whois system is used by more than 46 million people worldwide to look up
how to contact the owner of an IP address in order to make sure they are getting
“what they pay for” from their internet service providers. The APNIC system
provides similar services for Asia Pacific countries.
Footprinting is a part of reconnaissance process which is used for
gathering possible information about a target computer system or
network. Footprinting could be both passive and active.
Reviewing a company’s website is an example of passive footprinting,
whereas attempting to gain access to sensitive information through social
engineering is an example of active information gathering.
Footprinting is basically the first step where hacker gathers as much
information as possible to find ways to intrude into a target system or at
least decide what type of attacks will be more suitable for the target.
❖ Types of DNS Records
✔ The domain name system, or DNS, is a global system responsible for mapping
human-readable hostnames to their corresponding Internet Protocol (IP) addresses.
✔ For example, if you want to access a website using a domain name like example.com,
that domain name must point to a valid IP address.
✔ The human-readable hostname is a string of words that are easy to remember.
✔ IP addresses (IPv4), on the other hand, contain numbers separated by dots and are
harder to remember.
✔ In our example above, example.com is the human-readable hostname or domain
name, while 93.184.216.34 is the current IP address for example.com. Also, note that
the IP address associated with a domain name may change depending on the server
hosting the website
1. A record
The A record is the most important DNS record type. The "A" in A record stands for
"address." An A record shows the IP address for a specific hostname or domain. For
example, a DNS record lookup for the domain example.com returns the following
result:

From figure 1 above, we can see that the current IP address is 93.184.216.34. The A
record only supports IPv4 addresses. Later in this post, we'll see how to point a
domain to an IPv6 address using another DNS record type.
Use of A record
The main use of A record is for IP address lookup. Using an A record, a web browser
is able to load a website using the domain name. As a result, we can access
websites on the internet without knowing their IP addresses.
Another use of A record is in the domain name system-based blackhole list (DNSBL).
Here, the A record is used to block mail from known spam sources.
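Added example, not from the original post, showing how the DNSBL use of A records works in practice: the mail server reverses the connecting client's IPv4 octets, appends the list's zone and resolves the A record, and an answer inside 127.0.0.0/8 means "listed". The zone name dnsbl.example, the return-code table and the dict standing in for a resolver are assumptions so that the code runs offline.

```python
"""DNSBL lookups built on A records: query-name construction and answer handling."""
import ipaddress

# Hypothetical DNSBL zone; a real list publishes its own zone name.
DNSBL_ZONE = "dnsbl.example"

# Constructed return-code table for this hypothetical list. Lists conventionally
# answer with 127.0.0.x addresses, but each list defines what its codes mean.
RETURN_CODES = {
    "127.0.0.2": "spam source",
    "127.0.0.3": "dynamic/residential address",
}

# Constructed stand-in for a DNS resolver: query name -> list of A records.
# A missing key plays the role of an NXDOMAIN answer (address not listed).
FAKE_RESOLVER = {
    "5.2.0.192.dnsbl.example": ["127.0.0.2"],
    "9.113.0.203.dnsbl.example": ["127.0.0.3", "127.0.0.2"],
}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the A-record name a mail server resolves for a connecting IPv4 client.

    192.0.2.5 becomes 5.2.0.192.<zone>: octets reversed, then the zone appended.
    ipaddress rejects malformed input before it can reach a resolver.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answers(answers):
    """Turn the A records returned for a DNSBL query into (listed, reasons).

    No answer (NXDOMAIN) means not listed. Answers outside 127.0.0.0/8 are not
    listing codes; they usually mean the list has shut down and its domain now
    answers with a wildcard, so a filter should fail open rather than reject mail.
    """
    if not answers:
        return False, []
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    reasons = []
    for a in answers:
        if ipaddress.IPv4Address(a) not in loopback:
            raise ValueError(f"unexpected DNSBL answer {a}; treat as lookup error")
        reasons.append(RETURN_CODES.get(a, f"listed with code {a}"))
    return True, reasons


def check_client(ip, resolver=FAKE_RESOLVER, zone=DNSBL_ZONE):
    """Look a client address up in the (constructed) resolver and decode the result."""
    name = dnsbl_query_name(ip, zone)
    return interpret_answers(resolver.get(name, []))
```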
❖ Traceroute in Footprinting
❖ E-Mail Tracking
Mail Transfer Agents
Unit 1 Chapter 3: Social Engineering
Common Types of Attacks
Social Engineering
❖ Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions.
❖ It uses psychological manipulation to trick users into making security
mistakes or giving away sensitive information.
❖ Social engineering attacks happen in one or more steps.
❖ A perpetrator first investigates the intended victim to gather necessary
background information, such as potential points of entry and weak
security protocols, needed to proceed with the attack.
❖ Then, the attacker moves to gain the victim’s trust and provide stimuli
for subsequent actions that break security practices, such as revealing
sensitive information or granting access to critical resources.
❖ Traits of Social Engineering Attacks
❖ Social engineering attacks center around the attacker’s use of
persuasion and confidence.
❖ When exposed to these tactics, you are more likely to take
actions you otherwise wouldn’t.
❖ Heightened emotions: Emotional manipulation gives attackers the upper
hand in any interaction. You are far more likely to take irrational or risky
actions when in a heightened emotional state. The following emotions are all
used in equal measure to convince you:
❖ Fear
❖ Excitement
❖ Curiosity
❖ Anger
❖ Guilt
❖ Sadness
❖ Urgency:
❖ Time-sensitive opportunities or requests are another reliable tool in an
attacker’s arsenal.
❖ You may be motivated to compromise yourself under the guise of a serious
problem that needs immediate attention.
❖ Alternatively, you may be exposed to a prize or reward that may disappear if
you do not act quickly. Either approach overrides your critical thinking ability.
❖ Trust:
❖ Believability is invaluable and essential to a social engineering
attack. Since the attacker is ultimately lying to you, confidence
plays an important role here.
❖ They’ve done enough research on you to craft a narrative that’s
easy to believe and unlikely to rouse suspicion.
❖ Social Engineering Attack Lifecycle
❖ What makes social engineering especially dangerous is that it relies on
human error, rather than vulnerabilities in software and operating
systems.
❖ Mistakes made by legitimate users are much less predictable, making
them harder to identify and thwart than a malware-based intrusion.
Social engineering attack techniques
❖ Baiting
❖ Scareware
❖ Pretexting
❖ Phishing
❖ Spear phishing
❖ Baiting
❖ As its name implies, baiting attacks use a false promise to pique a
victim’s greed or curiosity.
❖ They lure users into a trap that steals their personal information or
infects their systems with malware.
❖ The most reviled form of baiting uses physical media to disperse
malware.
❖ For example, attackers leave the bait—typically malware-infected
flash drives—in conspicuous areas where potential victims are
certain to see them (e.g., bathrooms, elevators, the parking lot of
a targeted company).
❖ The bait has an authentic look to it, such as a label presenting it as
the company’s payroll list.
❖ Victims pick up the bait out of curiosity and insert it into a work or
home computer, resulting in automatic malware installation on the
system.
❖ Baiting scams don’t necessarily have to be carried out in the
physical world.
❖ Online forms of baiting consist of enticing ads that lead to
malicious sites or that encourage users to download a
malware-infected application.
❖ Scareware
❖ Scareware involves victims being bombarded with
false alarms and fictitious threats.
❖ Users are deceived to think their system is infected
with malware, prompting them to install software
that has no real benefit (other than for the
perpetrator) or is malware itself.
❖ Scareware is also referred to as deception software,
rogue scanner software and fraudware.
❖ A common scareware example is the
legitimate-looking popup banners that appear in your
browser while surfing the web, displaying text
such as, “Your computer may be infected with
harmful spyware programs.”
❖ It either offers to install the tool (often
malware-infected) for you, or will direct you to a
malicious site where your computer becomes
infected.
❖ Scareware is also distributed via spam email that
doles out bogus warnings, or makes offers for users
to buy worthless/harmful services.
Pretexting
❖ Here an attacker obtains information through a series of cleverly
crafted lies. The scam is often initiated by a perpetrator
pretending to need sensitive information from a victim so as to
perform a critical task.
❖ The attacker usually starts by establishing trust with their victim
by impersonating co-workers, police, bank and tax officials, or
other persons who have right-to-know authority.
❖ The pretexter asks questions that are ostensibly required to
confirm the victim’s identity, through which they gather important
personal data.
❖ All sorts of pertinent information and records are
gathered using this scam, such as social security
numbers, personal addresses and phone numbers,
phone records, staff vacation dates, bank records
and even security information related to a physical
plant.
❖ Phishing
❖ As one of the most popular social engineering attack
types, phishing scams are email and text message
campaigns aimed at creating a sense of urgency,
curiosity or fear in victims.
❖ It then prods them into revealing sensitive
information, clicking on links to malicious websites,
or opening attachments that contain malware.
❖ An example is an email sent to users of an online service that
alerts them of a policy violation requiring immediate action on their
part, such as a required password change.
❖ It includes a link to an illegitimate website—nearly identical in
appearance to its legitimate version—prompting the unsuspecting
user to enter their current credentials and new password.
❖ Upon form submission, the information is sent to the attacker.
❖ Given that identical, or near-identical, messages are sent to all
users in phishing campaigns, detecting and blocking them is
much easier for mail servers that have access to threat-sharing
platforms.
❖ Spear phishing
❖ This is a more targeted version of the phishing scam whereby an
attacker chooses specific individuals or enterprises. They then
tailor their messages based on characteristics, job positions, and
contacts belonging to their victims to make their attack less
conspicuous.
❖ Spear phishing requires much more effort on behalf of the
perpetrator and may take weeks or months to pull off. These attacks are
much harder to detect and have better success rates if done
skillfully.
❖ A spear phishing scenario might involve an attacker
who, in impersonating an organization’s IT
consultant, sends an email to one or more
employees.
❖ It’s worded and signed exactly as the consultant
normally does, thereby deceiving recipients into
thinking it’s an authentic message.
❖ The message prompts recipients to change their
password and provides them with a link that
redirects them to a malicious page where the
attacker now captures their credentials.
Quid pro quo
Quid pro quo, "something for something" in Latin, involves a request for
information in exchange for compensation.
● Example: the attacker asks for the victim's password, claiming to be a
researcher doing an experiment, in exchange for money.
Quid pro quo attacks are relatively easy to detect given the asymmetrical
value of the information compared to the compensation, which is reversed
for the attacker and the victim. In these cases the best countermeasure
remains the victim's integrity and ability to identify, ignore and report.
Access Tailgating Attacks
Tailgating, or piggybacking, is the act of trailing an authorized staff
member into a restricted-access area.
Attackers may play on social courtesy to get you to hold the door for them
or convince you that they are also authorized to be in the area. Pretexting
can play a role here too.
Social engineering prevention
❖ Social engineers manipulate human feelings, such as curiosity or
fear, to carry out schemes and draw victims into their traps.
Therefore, be wary whenever you feel alarmed by an email,
attracted to an offer displayed on a website, or when you come
across stray digital media lying about.
❖ Being alert can help you protect yourself against most social
engineering attacks taking place in the digital realm.
❖ Moreover, the following tips can help improve your vigilance in
relation to social engineering hacks.
❖ Don’t open emails and attachments from suspicious sources –
❖ If you don’t know the sender in question, you don’t need to answer
an email.
❖ Even if you do know them and are suspicious about their
message, cross-check and confirm the news from other sources,
such as via telephone or directly from a service provider’s site.
❖ Remember that email addresses are spoofed all of the time; even
an email purportedly coming from a trusted source may have
actually been initiated by an attacker.
❖ Use multifactor authentication –
❖ One of the most valuable pieces of information attackers seek are
user credentials.
❖ Using multifactor authentication helps ensure your account’s
protection in the event of system compromise.
❖ Imperva Login Protect is an easy-to-deploy 2FA solution that can
increase account security for your applications.
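The prevention tips above (suspicious senders, spoofed addresses, urgency) can be partly automated on the receiving side. The following Python is an added example, not from the slides or from any named product: it scores a raw message against a few phishing indicators using only the standard email and html.parser modules. Both messages, the sender domains and the IP address in the link are constructed for the example.

```python
"""Score an e-mail message against common phishing indicators (added example; constructed messages)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that create the urgency the slides describe; extend for your own environment.
URGENCY_PHRASES = ("immediately", "urgent", "suspended", "within 24 hours", "verify your account")
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}", re.I)
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def _host(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw_message: str) -> list:
    """Return the sorted names of the indicators that fire for `raw_message` (an RFC 5322 string)."""
    msg = message_from_string(raw_message)
    found = set()
    from_domain = _domain(msg.get("From", ""))
    # Replies or bounces routed to a domain other than the visible sender's
    for header in ("Reply-To", "Return-Path"):
        if msg.get(header) and _domain(msg[header]) != from_domain:
            found.add(header.lower() + "-domain-mismatch")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    if any(phrase in body.lower() for phrase in URGENCY_PHRASES):
        found.add("urgency-language")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = _host(href)
        if _IPV4.fullmatch(href_host):
            found.add("raw-ip-link")              # legitimate services rarely link to bare IPs
        if _LOOKS_LIKE_URL.match(text) and _host(text) != href_host:
            found.add("link-text-mismatch")      # visible URL differs from the real destination
    return sorted(found)


# Constructed samples: domains and the IP address are documentation/example values, not real sites.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@mail-verify.example.net
To: customer@example.org
Subject: Action required: account suspended
Content-Type: text/html; charset="utf-8"

<p>Your account has been suspended. Verify your account immediately:
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a></p>
"""

BENIGN_SAMPLE = """\
From: "Team Calendar" <calendar@example.org>
To: staff@example.org
Subject: Minutes from today's meeting
Content-Type: text/html; charset="utf-8"

<p>Minutes are posted on <a href="https://intranet.example.org/minutes">the intranet</a>.</p>
"""

if __name__ == "__main__":
    print(phishing_indicators(PHISHING_SAMPLE))
    print(phishing_indicators(BENIGN_SAMPLE))
```

None of these indicators proves a message is malicious on its own; they are the same cues the tips ask a reader to notice, and a mail gateway would combine them with sender reputation and the threat-sharing data mentioned earlier before quarantining.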
Unit 1 Chapter 4 Scanning and Enumeration
● Port Scanning, Network Scanning,
● Vulnerability Scanning, CEH Scanning Methodology, Ping
Sweep Techniques, Nmap Command Switches, SYN, Stealth,
XMAS,
● NULL, IDLE, FIN Scans, Anonymizers, HTTP Tunneling
Techniques,
● IP Spoofing Techniques, SNMP Enumeration, Steps Involved in
Enumeration.
Scanning and Enumeration
❖ Scanning is a technique that allows for a deep dive into a system to
seek out valuable data and services in an IP address range.
❖ Scanning techniques locate potential entry points on a system to
exploit.
❖ Enumeration is the process of extracting meaningful information from
the openings and information you found during scanning, such as
usernames, share data, group information, and much more.
Port Scanning
❑ Port Scanning is the name of the technique used to identify available ports and
services on hosts on a network.
❑ Security engineers sometimes use it to scan computers for vulnerabilities, and
hackers also use it to target victims.
❑ It can be used to send connection requests to target computers and then track ports.
❑ Network scanners do not actually harm computers; instead, they make requests that
are similar to those sent by human users who visit websites or connect to other
computers using applications like Remote Desktop Protocol (RDP) and Telnet.
❖ A port scan is performed by sending ICMP echo-request packets with specific flags
set in the packet headers that indicate the type of message being transmitted:
❖ Type 8 indicates the request to be an echo-reply packet with the source IP address
as the responding host, while Type 0 indicates that no response is expected from
the responding host.
Types of Port Scans:
To protect your network from port scans, it is essential to understand the different
types of port scans used by hackers.
• Vanilla: The scanner tries to connect to all 65,535 ports
• UDP: The scanner looks for open UDP ports
• Sweep: The scanner pings an identical port on more than one computer to see which
computer is active
• FTP Bounce: The scanner goes through an FTP server to mask the source
• Stealth: The scanner tries to keep the scanned computer from recording the port scan
Types of Ports:
• Open: The host replies and announces that it is listening and open for queries. An
undesired open port means that it is an attack path for the network.
• Closed: The host responds but reports that no application is listening. Hackers will
scan again later in case it has been opened.
• Filtered: The host does not respond to a request. This could mean that the packet
was dropped due to congestion or a firewall.
Tools Used in Port Scanning:
• Nmap
• Angry IP Scan
• Netcat
• Zenmap
• Advanced Port Scanner
• MASSCAN
Network Scanning
❑ Network Scanning is a process where an attacker uses tools and techniques to
gather information about the target.
❑ This information may be as simple as the active hosts within the network, to
complex discoveries like gathering the OS of the hosts, open ports and active
vulnerabilities on the host.
❑ Network scanning is the method used to scan a network, primarily for security
assessment and maintaining the system.
❑ Hackers use it for carrying out attacks.
❑ Ethical hackers and technical teams use network scanning to check whether the
devices on the network are working as expected and whether there are any vulnerabilities
or loopholes.
❑ By finding the issues, they can then troubleshoot them.
❑ Network is the backbone of any information technology infrastructure, over
which data and resources are shared.
❑ In today’s world, when the network is being used for almost everything, “Network
Security” is of critical importance.
❑ If the network is not secure, any other control is not worth applying! Network
scanning is the process or technique by which we scan the network to gain
details such as active hosts, open ports including running TCP and UDP services,
open vulnerabilities, details about the host like operating system and much
more.
❑ For IP (internet protocol) networks, generally “ping” is used for reaching a host
and checking its status. Ping is an ICMP (Internet Control Message Protocol)
utility and sends packets to the target and receives an ICMP echo reply.
❑ Within an organization, network scanning is used by monitoring and
management systems.
❑ These are legitimate uses of scanning and are very regularly used by network
management tools and network administrators.
❑ On the other side, scanning used by an attacker relies on the same tools and
protocols as used by network administrators for monitoring and management.
The attacker would first obtain the IP address range of the target network,
generally using DNS or the WHOIS protocol.
❑ Once the attacker has the IP range, he would scan the network for active hosts,
their operating systems and related details as discussed above. Finally, with all
this information, the attacker may attempt to breach the target systems.
Network Scanning tool – NMAP with examples
Let us have a look at nmap, a very commonly used network scanning tool, and
see some examples of its use.
You can install nmap (Zenmap is the GUI front end for Windows) from nmap.org.
Below is what Zenmap looks like:
Vulnerability Scanning
❑ Vulnerability scanning is the process of scanning IT networks and systems
to identify security vulnerabilities in hardware and software.
❑ Vulnerability scanning is a security technique used to identify security
weaknesses in a computer system.
❑ Vulnerability scanning can be used by individuals or network
administrators for security purposes, or it can be used by hackers
attempting to gain unauthorized access to computer systems.
Vulnerability scanners range from very expensive enterprise-level products to free
open-source tools.
Types of vulnerability scanners include:
• Port Scanner: Probes a server or host for open ports
• Network Enumerator: A computer program used to retrieve information about users and
groups on networked computers
• Network Vulnerability Scanner: A system that proactively scans for network vulnerabilities
• Web Application Security Scanner: A program that communicates with a Web application
to find potential vulnerabilities within the application or its architecture
• Computer Worm: A type of self-replicating computer malware, which can be used to find
out vulnerabilities
CEH Scanning Methodology
Certified Ethical Hacker (CEH) :
Network Scanning
❖ The next phase of ethical hacking is network scanning.
❖ In this phase we need to get more information about the network, such as live
devices, port status (open or closed), operating system type, applications in
use, running services, etc.
❖ To collect that information, hackers use the network scanning
methodology:
• Look for live systems
• Port discovery
• Evading IDS
• Banner Grabbing or OS fingerprinting
• Scan the network for vulnerabilities
• Use Proxies
• Idle Scan
• Make a network diagram
• NMAP security scanner
• SCAPY packet manipulation tool
• HPING3 packet analyzer tools
1. Look for live systems: ICMP Echo scanning is used for identifying active
devices. The response (or its absence) tells whether the host/device is live.
2. For example, Host 1 (172.16.171.3) sends an ICMP echo request to the
target Host 2 (172.16.171.21). If the response is an ICMP echo reply, then you
know the target is alive.
Ping Sweep Techniques
❑ A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to
determine which of a range of IP addresses map to live hosts (computers).
❑ Whereas a single ping will tell whether one specified host computer exists on the network, a
ping sweep consists of ICMP (Internet Control Message Protocol) echo requests sent to
multiple hosts.
❑ To do this, the ping requires an address to send the echo request to, which can be an IP
address or a web server domain name.
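A ping sweep depends on matching each ICMP echo reply (type 0) to the echo request (type 8) it answers, by identifier and sequence number. As an added example that is not part of the original material, the Python below builds and parses ICMP echo messages with the RFC 1071 checksum and marks which of a set of targets answered; the target addresses and the replies are constructed, and nothing is transmitted.

```python
"""ICMP echo request/reply construction and matching for a ping sweep (added example; sends nothing)."""
import struct

ICMP_ECHO_REPLY = 0      # ICMP type 0
ICMP_ECHO_REQUEST = 8    # ICMP type 8


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type, code 0, checksum, identifier, sequence number, then the payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    checksum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, checksum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    msg_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:],
            # a packet with a valid checksum sums to zero when the checksum field is included
            "checksum_ok": rfc1071_checksum(packet) == 0}


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """A reply belongs to a request when id, sequence and payload all match."""
    q, r = parse_echo(request), parse_echo(reply)
    return (q["type"] == ICMP_ECHO_REQUEST and r["type"] == ICMP_ECHO_REPLY and r["checksum_ok"]
            and (q["id"], q["seq"], q["payload"]) == (r["id"], r["seq"], r["payload"]))


def sweep_results(requests: dict, replies: list) -> dict:
    """requests: target_ip -> echo request sent; replies: (source_ip, packet) received. Returns liveness."""
    live = {ip: False for ip in requests}
    for src, packet in replies:
        if src in requests and is_reply_to(requests[src], packet):
            live[src] = True
    return live


# Constructed sweep of two private addresses; only the first one "answers".
SAMPLE_REQUESTS = {
    "10.0.0.5": build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"sweep"),
    "10.0.0.6": build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, b"sweep"),
}
SAMPLE_REPLIES = [("10.0.0.5", build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"sweep"))]

if __name__ == "__main__":
    print(sweep_results(SAMPLE_REQUESTS, SAMPLE_REPLIES))
```

A host that does not appear in the result is not necessarily down: a firewall that drops echo requests produces exactly the same silence, which is why ping sweeps are followed by the port-level checks in the next sections.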
Nmap Command Switches
❑ Nmap is probably the most famous reconnaissance tool among pentesters and
hackers.
❑ It is essentially a port scanner that helps you scan networks and identify
the various ports and services available in the network, besides also providing
further information on targets, including reverse DNS names, operating system
guesses, device types, and MAC addresses.
Nmap is a Linux command-line tool for network exploration and security auditing.
This tool is generally used by hackers and cybersecurity enthusiasts and even by
network and system administrators. It is used for the following purposes:
• Real time information of a network
• Detailed information of all the IPs activated on your network
• Number of ports open in a network
• Provide the list of live hosts
• Port, OS and Host scanning
Working with Nmap Command
1. To scan a system by hostname or IP address. First, scan using the hostname:
nmap www.geeksforgeeks.org
2. nmap -T4 for timing:
In the scanning process, nmap transmits packets to the target machine at
a specific time interval. We can use the nmap -T switch to
increase or decrease that interval. The -T option requires an
attribute; we use 1, 2, 3 or 4 as needed. T4 is faster than T1, T2
and T3.
SYN
SYN Scanning:
● SYN scanning involves the establishment of a half connection with the targeted host.
● SYN scanning does not involve a full connection establishment, and thus it is also referred to as a
half-open scanning technique.
SYN Scanning Process:
● SYN scanning involves a mechanism where a SYN packet is sent to a port on the target.
● There are two conditions that can arise from this mechanism.
● First, if the response from the computer or server is SYN-ACK, then it directly
indicates an open port.
● The client then sends an RST packet, which makes the server believe that the client
has not asked for connection establishment, and the port remains in the open
state.
● Second is the case when the server sends an RST packet from the probed port, showing
that the port is closed and secured.
● In such cases, the hacker sends a huge volume of SYN packets; the server accepts
those packets but no communication or connection establishment between client and
server takes place.
SYN scanning is preferred by attackers because it is fast in execution and makes it easy to cause harm
to the computer/server. Another advantage of SYN scanning that hackers find is the speed with which
open ports are detected.
Prevention from SYN Scanning:
To prevent SYN scanning attacks, users/organizations with computer systems should ensure the
following:
● Proper firewalls are set up in the computer network which block suspicious connection attempts to the
user setup.
● Proper security is present by ensuring that there are no open ports in the network
setup that can be used by cyber attackers to breach the system.
Stealth
What is a non-stealthy scan?
A TCP connection works through a three-way handshake, where a client and a server communicate in a
particular manner before establishing a connection. This communication happens in the following steps:
● The client sends a TCP packet to the server with the SYN flag set
● The server responds to the client with a TCP packet with the SYN and ACK flags set if the probed
port is open
● If the port is closed, the server will respond with a TCP packet with the RST flag set
● In case the port is open, the client will respond to the server with an ACK
The communication above is known as a three-way handshake and must happen before a TCP connection
can be established between a client and server.
❖ A non-stealthy scan uses the TCP “connect()” call, which is provided by
operating systems for connecting to target hosts.
❖ This scan employs the three-way handshake described above and will only report a
list of hosts with open ports as specified at the onset of the scan.
❖ This scan is easily detected, due to the numerous attempts by the scanner to establish a
connection to many ports on a target host over a short period of time.
❖ Also remember that login attempts which fail will most certainly be logged and can be
retrieved during a security audit.
What are stealthy network recon strategies?
In computer security and hacking, stealth is considered the ability to remain undetected within a
network as we perform activities, whether malicious or not.
These activities will often be counteractive to the defense mechanisms and may or may not be
authorized. We of course encourage you to ONLY run the commands here with authorization from
the network owners.
The two main perspectives here are:
● Identification of ports and services for defense: This will be true for the Blue Team
● Identification of ports and services for attacking: This will be true for the Red Team
There are a couple of stealth scans that can be executed. These include inverse mapping, half-open,
X-mas tree, UDP, null and more.
Stealth scans
❖ A stealth scan (sometimes known as a half-open scan) is much like a
full open scan, with a minor difference that makes it less suspicious on
the victim's device.
❖ The primary difference is that a full TCP three-way handshake does
not occur. Looking at the following diagram, the initiator (device A)
would send a TCP SYN packet to device B for the purpose of
determining whether a port is open.
❖ Device B will respond with a SYN/ACK packet to the initiator (device A)
if the port is open. Next, device A will send an RST to terminate the
connection.
❖ If the port is closed, device B will send an RST packet:
Inverse mapping
❏ The inverse mapping scan involves sending specially customized packets,
including SYN-ACK packets, RST packets and DNS packets, which only discover
which hosts are online within the network and which ones are offline.
❏ The hosts that were discovered to be offline would result in an “ICMP host
unreachable” error message. This scan does not attempt to discover open ports,
thus achieving some level of stealth.
Slow scan
★ This is one of the most effective stealth scans that can be performed within the
network.
★ The idea is to greatly reduce the speeds at which port scans take place.
★ The attacker introduces a delay that prevents host-based IDS or firewalls from
picking up excess attempts to connect to a TCP port.
★ Even though this scan has great success in achieving stealth, the major
disadvantage would be the amount of time that it takes to complete a scan.
★ The only way of detecting this scan is by analyzing traffic log files.
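The point made earlier that a connect() scan is easy to spot because of many attempts in a short time, and the point just above that a slow scan only shows up in log analysis, can both be shown with a windowed count of distinct destination ports per source. The Python below is an added example, not from the slides; the firewall log format and all addresses are constructed, and the same detector is run with a short and a long window to show why the slow scan only appears in the latter.

```python
"""Windowed port-scan detection over firewall log lines (added example; constructed log)."""
from collections import defaultdict
from datetime import datetime


def _constructed_log() -> str:
    """Constructed, syslog-like lines: '<ISO time> <src> <dst> <dport> <action>'."""
    lines = []
    for i in range(30):      # fast connect()-style scan: 30 ports in three seconds
        lines.append(f"2024-05-01T10:00:{i // 10:02d} 198.51.100.23 10.0.0.5 {20 + i} DROP")
    for i in range(12):      # slow scan: one new port every ten minutes
        hour, minute = 11 + (i * 10) // 60, (i * 10) % 60
        lines.append(f"2024-05-01T{hour:02d}:{minute:02d}:00 203.0.113.9 10.0.0.5 {8000 + i} DROP")
    for i in range(40):      # legitimate client hammering a single service port
        lines.append(f"2024-05-01T10:00:{i:02d} 192.0.2.44 10.0.0.5 443 ACCEPT")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def max_distinct_ports(events: list, window_seconds: int) -> dict:
    """For each source, the largest number of distinct destination ports hit inside any window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append((ev["ts"], ev["dport"]))
    result = {}
    for src, items in by_src.items():
        items.sort()
        in_window = defaultdict(int)   # port -> hits currently inside the sliding window
        left = best = 0
        for ts, port in items:
            in_window[port] += 1
            while (ts - items[left][0]).total_seconds() > window_seconds:
                old_port = items[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def detect_scanners(log_text: str, window_seconds: int, min_ports: int) -> list:
    """Sources that touched at least `min_ports` distinct ports within `window_seconds`."""
    counts = max_distinct_ports(parse_log(log_text), window_seconds)
    return sorted(src for src, n in counts.items() if n >= min_ports)


if __name__ == "__main__":
    print("60 s window:", detect_scanners(SAMPLE_LOG, 60, 10))
    print("2 h window: ", detect_scanners(SAMPLE_LOG, 7200, 10))
```

The trade-off is the one the slides describe: a real-time sensor with a short window catches the fast scan but never sees more than one port per window from the slow scanner, while a long window over stored logs catches both at the cost of more false positives from busy legitimate hosts.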
XMAS
★ It is used to identify listening ports on the targeted system.
★ The scan manipulates the URG, PSH and FIN flags of the TCP header.
★ This is also called inverse TCP scanning.
★ This works by sending packets with the PSH, URG and FIN flags set. The targets do not
respond if the ports are open and send a reset response if the ports are closed.
NULL
nmap -s<scan_type> <target_host>
● NULL (-sN): The target systems do not know how to
respond to a Null scan as all the flags inside the TCP
header are off or set to null.
IDLE
❖ Idle scan works by using a controlled zombie computer to scan a victim’s
ports to find vulnerabilities.
❖ Because the hacker is not using his own computer, the victim can
only block the zombie IP, not the hacker. Therefore, idle scan is a very
stealthy scan.
Packet 64 (in the capture) shows that 192.168.52.135 (the zombie) sends a SYN frame to
the victim; however, the one who actually sends this frame is the
source (192.168.52.136).
The IP is spoofed to make it appear as if the zombie workstation is the one that
sends the frame.
FIN Scans
❏ FIN scan: The FIN flag is set in the TCP packets sent to the target. Open ports do not
respond, while closed ports send a reset response.
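SYN, connect(), NULL, FIN and XMAS scans all rest on how a TCP stack answers a probe at an open or closed port, and on how the scanner reads the answer. The Python below is an added example written for these slides, not nmap's code: it simulates the target's reply for each probe type and the scanner's interpretation, including the RST that ends a half-open scan before the handshake completes. The port states are constructed and no packets are sent. It also makes explicit a point the slides leave implicit: for the inverse scans, silence from an open port is indistinguishable from a firewall dropping the probe, so the result can only be reported as open|filtered.

```python
"""Simulate TCP probe/response for the scan types above (added example; nothing is sent on the wire)."""
from enum import Enum


class PortState(Enum):
    OPEN = "open"
    CLOSED = "closed"
    FILTERED = "filtered"   # a firewall drops the probe; the TCP stack never sees it


# Flag sets carried by each probe type described in the slides
PROBES = {"syn": {"SYN"}, "fin": {"FIN"}, "null": set(), "xmas": {"FIN", "PSH", "URG"}}
_ORDER = ["SYN", "RST", "ACK", "FIN", "PSH", "URG"]


def fmt(flags: set) -> str:
    return "/".join(sorted(flags, key=_ORDER.index))


def host_response(state: PortState, flags: set):
    """Reply flags of a standard TCP stack, or None when the target stays silent."""
    if state is PortState.FILTERED:
        return None
    if state is PortState.CLOSED:
        return {"RST", "ACK"}         # a closed port answers every probe with RST
    if flags == {"SYN"}:
        return {"SYN", "ACK"}         # open port: second step of the handshake
    return None                       # open port ignores FIN/NULL/XMAS probes


def interpret(scan_type: str, reply) -> str:
    """How the scanner reads the reply (or the silence) for one port."""
    if scan_type == "syn":
        if reply is None:
            return "filtered"
        if reply >= {"SYN", "ACK"}:
            return "open"
        return "closed" if "RST" in reply else "unknown"
    # inverse scans: only a RST is informative; silence is ambiguous
    if reply is None:
        return "open|filtered"
    return "closed" if "RST" in reply else "unknown"


def scan(host_ports: dict, scan_type: str) -> dict:
    probe = PROBES[scan_type]
    return {port: interpret(scan_type, host_response(state, probe))
            for port, state in host_ports.items()}


def scan_exchange(state: PortState, complete_handshake: bool = False) -> list:
    """Packets for one port: half-open SYN scan by default, full connect() scan otherwise."""
    probe = {"SYN"}
    packets = [("scanner->target", fmt(probe))]
    reply = host_response(state, probe)
    if reply is None:
        return packets
    packets.append(("target->scanner", fmt(reply)))
    if reply >= {"SYN", "ACK"}:
        if complete_handshake:
            packets.append(("scanner->target", "ACK"))   # connection completes; the OS can log it
        packets.append(("scanner->target", "RST"))       # tear down (before completion for SYN scan)
    return packets


# Constructed target: one port in each state
SAMPLE_HOST = {22: PortState.OPEN, 23: PortState.CLOSED, 25: PortState.FILTERED}

if __name__ == "__main__":
    for kind in PROBES:
        print(kind, scan(SAMPLE_HOST, kind))
    print(scan_exchange(PortState.OPEN))
```

For the defender the useful observation is in scan_exchange: the half-open variant never sends the final ACK, so the application behind the port never sees a connection and application logs stay empty; detecting it means looking at the firewall or the network, as the slow-scan example above does.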
Anonymizers
❖ An anonymizer is an intermediate server placed between
the end user and a web site that accesses the website on your behalf,
making your web surfing untraceable.
❖ An anonymizer eliminates all the identifying information (IP
address) from your system while you are surfing the Internet,
thereby ensuring privacy.
❖ Most anonymizers can anonymize the web (http:), file
transfer protocol (ftp:), and gopher (gopher:) Internet
services.
❖ To visit a page anonymously, you can visit your preferred anonymizer site, and
enter the name of the target website in the Anonymization field.
❖ Alternately, you can set your browser home page to point to an anonymizer, so
that every subsequent web access will be anonymized.
❖ Apart from this, you can choose to anonymously provide passwords and other
information to sites that request them, without revealing any other information,
such as your IP address.
❖ Crackers may configure an anonymizer as a permanent proxy server by making
the site name the setting for the HTTP, FTP, Gopher, and other proxy options in
their application's configuration menu, thereby cloaking their malicious activities.
Why Use an Anonymizer
Ensures privacy: It protects your identity by making your
web navigation activities untraceable. Your privacy is
maintained until and unless you disclose your personal
information on the web by filling out forms, etc.
Accesses government-restricted content: Most governments
prevent their citizens from accessing certain websites or
content in order to keep them from accessing
inappropriate or sensitive information. But
these people can access even these types of resources through
an anonymizer located outside the country.
Protects you from online attacks: Anonymizers protect you
from all instances of online pharming attacks by routing all
customer Internet traffic via the anonymizer's protected DNS
servers.
Bypasses IDS and firewall rules: Bypassing of firewalls is
mostly done in organizations or schools by employees or
students accessing websites they are not supposed to access. An
anonymizer service gets around your organization's firewall by
setting up a connection between your computer and the
anonymizer service.
HTTP Tunneling Techniques
❖ The HTTP CONNECT method is the most commonly used HTTP tunneling method.
❖ A client requests an HTTP proxy server to forward a TCP connection to a desired destination
using this mechanism.
❖ On behalf of the client, the server makes the connection. After the server establishes the
connection, the proxy server continues to proxy the TCP stream to and from the client.
❖ The server will simply proxy the established TCP connection after the initial connection request
is sent via HTTP.
❖ Tunneling
❖ The tunneling technique, also known as "port forwarding," encapsulates private network data
and protocol information for transmission over public networks.
❖ What is HTTP Tunneling?
❖ In HTTP tunneling, communications are encapsulated using the HTTP protocol.
❖ How do we achieve it:
❖ Tunneling over HTTP is primarily used to avoid firewalls. Protocol encapsulation occurs with
HTTP tunneling, which encapsulates data packets of one protocol (e.g. SOAP, JRMP, etc.)
within another protocol packet.
❖ As normal internet traffic, HTTP packets are then sent across the firewall.
❖ A technique of inter-networking called tunneling is used when source and destination
networks of the same type are to be connected through a network of a different type.
Tunneling uses a layered protocol model such as those of the OSI or TCP/IP protocol
suite.
❖ In other words, when data moves from host A to host B it passes through all the layers of
the specified protocol model (OSI, TCP/IP, etc.); the data conversion (encapsulation)
performed while moving between layers, to suit the interface of each particular layer, is
called tunneling.
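Because the CONNECT method just forwards a raw TCP stream, a proxy's policy on which destinations it will CONNECT to is what limits tunneling through it. As an added example that is not from the slides, the Python below parses the CONNECT request line and applies a simple policy (a port allowlist and a refusal to tunnel into internal address space), returning the status the proxy would answer with. The requests are constructed and the policy values are assumptions.

```python
"""Parse HTTP CONNECT requests and apply a proxy policy (added example; constructed requests)."""
import ipaddress
import re

# 'CONNECT host:port HTTP/1.1'; the host may be an IPv6 literal in brackets
_REQUEST_LINE = re.compile(
    r"^CONNECT\s+(?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$")

ALLOWED_PORTS = frozenset({443})   # assumed policy: only TLS tunnels


def parse_connect(request: str):
    """Return (host, port) from the request line, or None if it is not a well-formed CONNECT."""
    line = request.split("\r\n", 1)[0]
    match = _REQUEST_LINE.match(line)
    if not match or not 0 < int(match.group("port")) < 65536:
        return None
    return match.group("host").strip("[]"), int(match.group("port"))


def connect_policy(request: str, allowed_ports=ALLOWED_PORTS):
    """Status code and reason the proxy should answer with."""
    parsed = parse_connect(request)
    if parsed is None:
        return 400, "malformed CONNECT request line"
    host, port = parsed
    if port not in allowed_ports:
        return 403, f"CONNECT to port {port} is not permitted"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None   # hostname; a real proxy would also check what it resolves to
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local):
        return 403, "CONNECT into internal address space refused"
    return 200, "Connection established"


# Constructed requests
REQUESTS = {
    "tls": "CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "ssh": "CONNECT example.com:22 HTTP/1.1\r\nHost: example.com:22\r\n\r\n",
    "internal": "CONNECT 10.0.0.5:443 HTTP/1.1\r\nHost: 10.0.0.5:443\r\n\r\n",
    "not_connect": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, connect_policy(req))
```

Restricting CONNECT to port 443 does not stop someone from running a non-TLS protocol on that port, which is why proxies that care also inspect the first bytes of the tunnel for a TLS ClientHello; that check is outside this example.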
IP Spoofing Techniques
❑ IP spoofing is essentially a technique used by hackers to gain unauthorized access to
computers.
❑ The concept of IP spoofing was initially discussed in academic circles as early as 1980.
❑ IP spoofing attacks had been known to security experts on a theoretical level.
❑ It remained primarily theoretical until Robert Morris discovered a security weakness in the TCP
protocol known as sequence prediction.
❑ Occasionally IP spoofing is done to mask the origins of a DoS attack.
❑ In fact, DoS attacks often mask the actual IP address from which the attack originated.
Process:
❑ With IP spoofing, an intruder sends a message to a computer system with an IP address indicating
that the message is coming from a different IP address than the one it is actually coming from.
❑ If the intent is to gain unauthorized access, then the spoofed IP address will be that of a system the
target considers a trusted host.
❑ To successfully perpetrate an IP spoofing attack, the hacker must find the IP address of a machine
that the target system considers a trusted source.
❑ Hackers might employ a variety of techniques to find the IP address of a trusted host.
❑ After they have obtained a trusted IP address, they can then modify the packet headers of their
transmission so it appears that the packets are coming from that host.
❑ Different ways to address IP spoofing include:
❑ Do not reveal any information regarding your internal IP addresses. This helps prevent those
addresses from being “spoofed”.
❑ Monitor incoming IP packets for signs of IP spoofing using network monitoring software.
❑ One popular product, “Netlog”, along with similar products, looks for incoming packets on the
external interface that have both source and destination IP addresses in your local
domain.
❑ This essentially means an incoming packet that claims to be from inside the network is actually
coming from outside your network. Finding one means that an attack is underway.
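The Netlog check described above (an inbound packet on the external interface whose source address belongs to the local network) is the classic ingress-filtering rule. As an added example that is not from the slides, the Python below applies that rule plus a bogon check to constructed packet records, and adds the egress variant (BCP 38) that keeps your own hosts from sending spoofed packets outward; the interface names and address ranges are assumptions.

```python
"""Ingress/egress checks for spoofed source addresses (added example; constructed packet records)."""
import ipaddress

# Assumed local address space and interface roles for this example
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_IFACES = {"eth0"}   # faces the Internet; eth1 faces the LAN


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ingress_alerts(packets: list) -> list:
    """Inbound records (iface, src, dst) whose source address cannot legitimately arrive on iface."""
    alerts = []
    for iface, src, dst in packets:
        addr = ipaddress.ip_address(src)
        reason = None
        if iface in EXTERNAL_IFACES and is_internal(src):
            reason = "internal source on external interface"   # the Netlog-style check
        elif addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            reason = "bogon source address"                     # never valid as a unicast source
        if reason:
            alerts.append((iface, src, dst, reason))
    return alerts


def egress_violations(packets: list) -> list:
    """Outbound records leaving an external interface with a source that is not ours (BCP 38)."""
    return [(iface, src, dst) for iface, src, dst in packets
            if iface in EXTERNAL_IFACES and not is_internal(src)]


# Constructed inbound records: (interface, source, destination)
INBOUND = [
    ("eth0", "203.0.113.7", "10.0.0.5"),     # ordinary Internet client
    ("eth0", "10.0.0.9", "10.0.0.5"),        # claims to be a LAN host, arrived from outside
    ("eth0", "192.168.1.20", "10.0.0.5"),    # same, second internal range
    ("eth1", "10.0.0.9", "10.0.0.5"),        # genuine LAN traffic on the LAN interface
    ("eth0", "127.0.0.1", "10.0.0.5"),       # loopback can never appear on the wire
    ("eth0", "0.0.0.0", "10.0.0.5"),         # unspecified address
]
# Constructed outbound records: one host tries to send with a foreign source address
OUTBOUND = [
    ("eth0", "10.0.0.5", "203.0.113.7"),
    ("eth0", "203.0.113.99", "203.0.113.7"),
]

if __name__ == "__main__":
    for alert in ingress_alerts(INBOUND):
        print("ALERT", alert)
    print("egress violations:", egress_violations(OUTBOUND))
```

The ingress rule only catches spoofing of your own addresses; a packet forged with some other organisation's public address passes it, which is why the egress rule matters: it is every network's own egress filter that stops its hosts from being the source of such packets.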
The risks associated with IP Spoofing include:
✔ Denial-of-service attacks: An attacker can use IP Spoofing to flood a network or
system with a large number of requests, making it unavailable to legitimate users.
✔ Unauthorized access: An attacker can use IP Spoofing to bypass access controls and
gain unauthorized access to a system or network.
✔ Data interception: An attacker can use IP Spoofing to intercept sensitive data, such
as login credentials, financial information, or personal information.
✔ Reputation damage: IP Spoofing can damage the reputation of legitimate
businesses and organizations, as the attack can appear to be coming from their IP
address.
SNMP Enumeration
❑ Simple Network Management Protocol (SNMP) is an application layer protocol that runs over UDP and is used to maintain and manage IP network routers, hubs, and switches. SNMP agents run on networking devices in Windows and UNIX networks.
❑ SNMP is widely used and is enabled on a wide range of operating systems, including Windows Server and Linux servers, and on network devices such as routers and switches.
❑ On a target system, SNMP enumeration is used to list user accounts, passwords, groups, system names, and devices.
❖ Components:
❖ SNMP Enumeration is made up of three major parts:
❖ Managed Device: A managed device is a device or host (technically referred to as a node) that has the SNMP service enabled. These devices include routers, switches, hubs, bridges, computers, and so on.
❖ Agents: An agent is a software component that runs on a managed device. Its primary
function is to convert data into an SNMP-compatible format for network management via the
SNMP protocol.
❖ Network Management System (NMS) : NMS are software systems that are employed to
monitor network devices.
❖ Management Agent: An application that resides in managed devices such as hosts, bridges, routers, and so on. The agent responds to the manager’s requests for data and actions and may send asynchronous messages to the manager in the event of a critical event.
❖ Management Station: It serves as the human network manager’s interface to the network management station (or network operation center, NOC), from which the manager monitors and manages the network and assists in fault recovery.
❖ Network Management Protocol: The network management protocol (SNMP) is used to transfer data and commands between agents and managing entities. For communication between managers and agents, SNMP employs the User Datagram Protocol (UDP) as the transport protocol. The reasons for using UDP for SNMP are as follows:
❖ First, it has low overhead in comparison to TCP, which uses a 3-way handshake to set up a connection.
❖ Second, in large networks, SNMP over TCP may be a risky strategy because the retransmissions TCP uses to ensure reliability can flood the network. SNMP sends and receives requests on UDP port 161 and receives traps from managed devices on UDP port 162.
❖ Management Information Base (MIB): A management information base is represented as a collection of managed objects. These objects together form the MIB virtual database. Although an agent may implement multiple MIBs, all agents must implement one particular MIB, known as MIB-II. This standard defines variables for things like interface statistics (interface speeds, MTU, octets sent, octets received, and so on) as well as various other things related to the system itself (system location, system contact, etc.). MIB-II’s primary goal is to provide general TCP/IP management data.
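To make the manager/agent exchange concrete, here is an added example (not from the original slides or any SNMP library) that decodes one SNMPv1 datagram of the kind carried on UDP port 161: it pulls out the version, community string, PDU type and the MIB-II OIDs requested, which is what a monitoring tool needs in order to notice enumeration traffic using a default community string. The datagram is a constructed sample GetRequest for sysDescr.0; the PDU-type table and the default-community list are assumptions for the example.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
# Constructed sample: SNMPv1 GetRequest for MIB-II sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public"
SAMPLE_GET = bytes.fromhex("302602010004067075626c6963a019020101020100020100"
                           "300e300c06082b060102010101000500")

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Convert BER sub-identifier bytes into dotted notation (e.g. 1.3.6.1...)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: sub-identifier complete
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)

def parse_snmp_v1(datagram):
    """Pull version, community, PDU type, request-id and OIDs out of one datagram."""
    tag, msg, _ = read_tlv(datagram, 0)
    assert tag == 0x30, "SNMP message must be a BER SEQUENCE"
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag == 0xA4:                    # v1 Trap PDUs have a different layout
        raise ValueError("Trap PDU not handled by this decoder")
    _, req_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)         # error-status
    _, _, pos = read_tlv(pdu, pos)         # error-index
    _, vblist, _ = read_tlv(pdu, pos)
    oids, p = [], 0
    while p < len(vblist):                 # each VarBind is SEQUENCE { OID, value }
        _, vb, p = read_tlv(vblist, p)
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True), "oids": oids}

def is_default_community(parsed):
    # Default community strings seen on the wire: reconfigure the agent or restrict UDP/161 at the border.
    return parsed["community"].lower() in {"public", "private"}
```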
Steps Involved in Enumeration
Enumeration and its types – Tool box
Enumeration as a process extracts the user names, machine names, network resources, shares and services from the ecosystem.
There is a robust toolbox that helps make the enumeration process scalable. This is a mix of software and hardware systems.
There are free and commercial software tools for enumeration.
The hardware tools are mainly key loggers and special wireless hardware.
The pentesters find the right and optimum way to reach the various components of the systems.
Techniques for Enumeration
Process of Enumeration