SWARRNIM STARTUP & INNOVATION UNIVERSITY

Swarrnim School of Computing & IT (BCA)

CYBER SECURITY (CODE:13030601)
Semester: VI
NOTES
# Unit 1: Cyber Security - Introduction to Vulnerability Assessment

Overview of Vulnerability Scanning

Vulnerability scanning is a systematic process used to identify, rank, and report

vulnerabilities in a system, application, or network. It involves automated tools to scan for
known vulnerabilities, helping organizations to understand their security posture and
prioritize remediation efforts.

# Key Concepts:
- Open Port / Service Identification: Involves discovering open ports on a network and
identifying the services running on those ports. This is crucial for understanding the attack
surface of a system.
- Banner / Version Check: Retrieves information about the software version running on open
ports to identify known vulnerabilities associated with specific versions.
- Traffic Probe: Involves analyzing network traffic to identify anomalies that may indicate the
presence of vulnerabilities or active attacks.
- Vulnerability Probe: Directly tests systems, applications, or networks for known
vulnerabilities, typically using automated tools.
- Vulnerability Examples: Common vulnerabilities include SQL injection, cross-site scripting
(XSS), buffer overflows, and misconfigurations.

Practical Tools for Vulnerability Scanning

# OpenVAS
OpenVAS (Open Vulnerability Assessment System) is a comprehensive vulnerability
scanning and vulnerability management tool. It's free and open-source, providing a
framework for scanning and managing vulnerabilities.

# Metasploit
Metasploit is an advanced open-source platform for developing, testing, and using exploit
code. It can be used for penetration testing and identifying vulnerabilities in networks and
systems.

Networks Vulnerability Scanning Tools

# Netcat and Socat

- Netcat is often referred to as the "Swiss army knife" of networking, used for reading from
and writing to network connections using TCP or UDP. It's valuable for scripting and
probing.
- Socat is a more complex version of Netcat, capable of establishing two bidirectional byte
streams and transferring data between them.

# Port and Services Tools

- Datapipe, Fpipe, and WinRelay are tools designed for forwarding ports or creating simple
TCP/UDP proxies, useful for testing network services.

Network Reconnaissance Tools

# Nmap
Nmap (Network Mapper) is an open-source tool for network exploration and security
auditing. It can discover hosts and services on a computer network, thus building a "map" of
the network.

# THC-Amap
THC-Amap is a tool designed to identify application protocols, irrespective of the port they
are running on. It helps in the identification of services in cases where ports are not running
on their standard ports.

Network Sniffers and Injection Tools

# Tcpdump and Windump

- Tcpdump and Windump are powerful command-line packet analyzers. Tcpdump works on
Unix-like operating systems, while Windump is the Windows version of Tcpdump.

# Wireshark
Wireshark is a widely-used network protocol analyzer that lets you see what's happening on
your network at a microscopic level. It is available for both Windows and Unix-like systems.

# Ettercap
Ettercap is a comprehensive suite for man-in-the-middle attacks on LAN. It features sniffing
of live connections, content filtering, and many other interesting tricks.

# Hping
Hping is a command-line oriented TCP/IP packet assembler/analyzer. It's useful for network
testing, firewall testing, IP spoofing, etc.

# Kismet
Kismet is a wireless network detector, sniffer, and intrusion detection system. It works with
any wireless card that supports raw monitoring mode and can sniff 802.11a, 802.11b,
802.11g, and 802.11n traffic.

Case Studies and Examples

# Case Study: The Equifax Data Breach

The Equifax data breach, one of the most significant and impactful data breaches to date,
serves as a poignant example of the critical need for regular vulnerability scanning and timely
patching of known vulnerabilities. This incident exposed the personal information of
approximately 147 million people, leading to widespread consequences for individuals and
the company.

Overview of the Breach

- What Happened? Hackers exploited a vulnerability in the Apache Struts framework, a
popular open-source development framework for creating enterprise Java applications. The
specific vulnerability, CVE-2017-5638, allowed remote code execution on the server.
- Discovery and Timeline: The breach occurred from May through July 2017, but Equifax did
not discover the breach until July 29, 2017. It was publicly disclosed on September 7, 2017.
- Impact: The attackers accessed sensitive data, including Social Security numbers, birth
dates, addresses, and, in some instances, driver's license numbers.

The Role of Vulnerability Scanning and Network Reconnaissance Tools

1. Missed Vulnerability Scanning and Patching: At the core of the Equifax breach was a
failure to timely patch a know n vulnerability. The patch for CVE-2017-5638 was available
in March 2017, months before the breach began. Regular, automated vulnerability scanning
could have identified this unpatched vulnerability and flagged it for urgent remediation.

2. Network Reconnaissance: Once inside Equifax's network, the attackers likely used network
reconnaissance tools to map out the network, identify valuable data stores, and plan their
movements without detection. The use of such tools by attackers highlights the need for
organizations to conduct their own reconnaissance to identify and mitigate potential entry
points and weaknesses.

Lessons Learned and Best Practices

- Regular Vulnerability Scanning: Organizations must implement regular vulnerability

scanning routines to identify and remediate vulnerabilities before they can be exploited by
attackers. Tools like OpenVAS and commercial products can automate this process, ensuring
that no critical patches are overlooked.
- Timely Patch Management: The importance of a robust patch management policy cannot be
overstated. Once a vulnerability is known and a patch is available, organizations should
prioritize and expedite the patching process, especially for critical vulnerabilities that allow
remote code execution.
- Enhanced Detection and Response: Equifax's delay in detecting the breach underscores the
need for advanced threat detection and response capabilities. Tools like network sniffers,
anomaly detection systems, and security information and event management (SIEM)
solutions can help identify suspicious activity early on.
- Comprehensive Security Posture: Beyond vulnerability scanning, organizations should
adopt a comprehensive security posture that includes encryption, access control, network
segmentation, and regular security training for employees to recognize phishing and other
social engineering attacks.

Conclusion

The Equifax data breach is a stark reminder of the consequences of neglecting cybersecurity
fundamentals. It underscores the necessity of regular vulnerability scanning, timely patching,
and a comprehensive approach to security to protect sensitive information from increasingly
sophisticated cyber threats. By learning from such incidents, organizations can better defend
against future attacks.

Figures, Diagrams, and Practical Exercises

-

The diagrams above visually represent key cybersecurity processes:

 Vulnerability Scanning Process: Showcases the steps involved in conducting a

vulnerability scan, highlighting the importance of regular assessments for network
security.
 Network Reconnaissance Process: Illustrates the use of tools like Nmap for
discovering live hosts, open ports, and services, which is critical for security
assessments and penetration testing.
 Exploitation with Metasploit: Details how Metasploit is used to exploit
vulnerabilities, from selecting an exploit to gaining unauthorized access, underscoring
the need for timely patching and robust security measures.

- Creating a safe lab environment for practicing cybersecurity tools like Nmap, OpenVAS,
and Wireshark is crucial for hands-on learning. Below are practical exercises designed to
introduce users to these tools, ranging from basic to more complex tasks. Before starting,
ensure you have permission to scan and test the networks and systems you are working with
to avoid legal and ethical issues.

# Setting Up a Safe Lab Environment

1. Virtualization Software: Use software like VMware or VirtualBox to create isolated virtual
machines (VMs) for your lab. This prevents any potential harm to your real network or
systems.
2. Virtual Network: Configure a virtual network within your virtualization software to allow
VMs to communicate with each other, simulating a real network environment.
3. Target Machines: Install vulnerable machines for testing, such as Metasploitable or
OWASP WebGoat, within your virtual environment. These systems are designed to be
insecure for educational purposes.
4. Tools Installation: Install Nmap, OpenVAS, and Wireshark on a separate VM or your host
machine, depending on your preference and the exercise requirements.

# Practical Exercises

Exercise 1: Basic Port Scanning with Nmap

- Objective: Discover live hosts and open ports on a target machine.

- Task: Use Nmap to perform a basic scan on a target VM. The command `nmap -sS -T4
target_ip` performs a SYN scan, which is less intrusive and fast.
- Learning Outcome: Understand how to identify active devices on your network and the
services they are offering.

Exercise 2: Vulnerability Scanning with OpenVAS

- Objective: Perform a comprehensive vulnerability assessment on a target system.

- Setup: Ensure OpenVAS is installed and updated with the latest vulnerability definitions.
- Task: Configure OpenVAS to scan a target VM. Analyze the report to identify critical
vulnerabilities.
- Learning Outcome: Learn how to use vulnerability scanning tools to identify and prioritize
vulnerabilities for remediation.

Exercise 3: Analyzing Network Traffic with Wireshark

- Objective: Capture and analyze network traffic to identify protocols, ports, and potentially
malicious packets.
- Task: Use Wireshark to capture traffic on your virtual network while accessing a web
service on one of your VMs. Filter the results to analyze HTTP traffic.
- Learning Outcome: Gain insights into how data travels across a network and how to identify
unusual patterns that could indicate security issues.

Exercise 4: Exploit Simulation with Metasploit

- Objective: Use Metasploit to exploit a known vulnerability on a target VM.

- Pre-requisite: Identify a vulnerability with OpenVAS that can be exploited with Metasploit.
- Task: Select the appropriate exploit module and payload in Metasploit, set the target, and
execute the exploit.
- Learning Outcome: Understand the process of exploiting a vulnerability and the importance
of securing systems against known vulnerabilities.

# Best Practices

- Always operate within a controlled, ethical, and legal framework.

- Document your findings and steps taken during each exercise for future reference and
learning.
- Use these exercises as a foundation to explore more advanced topics and tools in
cybersecurity.
# Unit 2: Cyber Security - Network Defense Tools

Introduction to Network Defense Tools

Network defense tools are essential components of cybersecurity, designed to protect data
and resources from unauthorized access and cyber threats. They include a variety of
mechanisms, such as firewalls, packet filters, and intrusion detection systems, each serving a
unique role in securing the network.

Firewalls and Packet Filters

# Firewall Basics

A firewall is a network security device that monitors and controls incoming and outgoing
network traffic based on predetermined security rules. It acts as a barrier between a trusted
internal network and untrusted external networks, such as the internet.

# Packet Filter Vs Firewall

- Packet Filter: Operates at the network layer and makes decisions to allow or block traffic
based on source and destination IP addresses, ports, and protocols. It does not retain state
information about connections.
- Firewall: More advanced than packet filtering, offering features like stateful inspection,
application-layer filtering, and VPN support. Firewalls can be stateless or stateful and can
filter traffic based on a comprehensive set of attributes.

# How a Firewall Protects a Network

Firewalls protect networks by:

- Blocking unauthorized access
- Permitting authorized communications
- Logging and alerting on detected threats

# Packet Characteristic to Filter

Firewalls and packet filters can examine various packet characteristics, including:
- IP addresses (source and destination)
- TCP/UDP ports
- Protocol types (TCP, UDP, ICMP, etc.)
- Packet size, type, and flags

# Stateless Vs Stateful Firewalls

- Stateless Firewalls: Filter packets based on static rules without considering the state of
network connections. They are faster but less secure.
- Stateful Firewalls: Keep track of the state of active connections and make decisions based
on the context of the traffic, offering better security.

# Network Address Translation (NAT) and Port Forwarding

- NAT: A method used by firewalls to modify network address information in IP packet
headers while in transit, allowing for the remapping of IP addresses from one realm (e.g., a
local network) to another (e.g., the internet).
- Port Forwarding: Redirects a communication request from one address and port number
combination to another while the packets traverse a network gateway, such as a firewall.

# Basics of Virtual Private Networks (VPN)

A VPN extends a private network across a public network, enabling users to send and receive
data across shared or public networks as if their computing devices were directly connected
to the private network. This provides confidentiality, integrity, and authenticity.

# Linux and Windows Firewall

- Linux Firewall: Typically managed through `iptables` or `firewalld`, providing a powerful

interface for configuring firewall rules.
- Windows Firewall: Integrated into Windows, offering an easy-to-use interface for
controlling network traffic and applying security rules.

Snort: Introduction to Detection System

Snort is an open-source network intrusion detection system (NIDS) capable of performing

real-time traffic analysis and packet logging on IP networks. It can detect and prevent
attempts at unauthorized access, exploits, and other malicious activities.

# Practical Examples and Case Studies

Practical Example: Configuring a Basic Firewall Rule

- Objective: Block all incoming traffic from a specific IP address using both Linux `iptables`
and Windows Firewall.
- Linux: `sudo iptables -A INPUT -s <IP_ADDRESS> -j DROP`
- Windows: Use the Windows Defender Firewall with Advanced Security to create a new
inbound rule to block a specific IP address.

Case Study: The Role of Firewalls in Preventing the WannaCry Ransomware Attack

WannaCry ransomware exploited vulnerabilities in older Windows operating systems.

Firewalls that blocked access to SMB ports (139 and 445) from external networks were
effective in preventing the ransomware from spreading.

Figures, Diagrams, and Practical Exercises

-

The diagrams provided illustrate key concepts in network defense and data transmission
security:
1. Stateless vs. Stateful Firewalls: This diagram differentiates how stateless firewalls
filter traffic based solely on the current packet's information without considering
previous packets, whereas stateful firewalls track the state of active connections,
offering more nuanced and secure filtering based on the history of the connection.
2. NAT and Port Forwarding Process: It explains how Network Address Translation
(NAT) modifies IP address information in IP packet headers, allowing multiple
devices on a local network to share a single public IP address. Port forwarding is
depicted as a method of redirecting external communication requests to the correct
internal IP address and port, facilitating access to services within a private network
from an external network.
3. VPN Data Transmission Security: This diagram shows how Virtual Private
Networks (VPNs) secure data transmission across public networks. It highlights the
role of encryption in safeguarding data, the process of tunneling to create a private
 communication channel, and the importance of endpoint authentication to ensure that
only authorized users can access the VPN.

- Practical Exercises: Set up a lab environment to practice configuring firewall rules in Linux
and Windows, analyze traffic with Snort, and simulate a VPN connection.