CyberSecurity LabManual Final


CyberSecurity

PRACTICAL-1

AIM: Introduction of LINUX operating system


Linux is a version of the UNIX operating system, its original ancestor. UNIX is a
command-driven operating system in which the user types commands at the computer
console in order to operate the computer ("Introduction to Linux", 2001). UNIX is one of the
most popular operating systems worldwide because of its large support base and wide distribution.
It was originally developed in the 1970s at AT&T as a multitasking system for
minicomputers and mainframes. Since then, it has grown to become one of the most widely
used operating systems.
Linux is known as an open source operating system and is also called free software because
everything about Linux is accessible to the public and freely available to anyone. Since the
Linux source code is available, anyone can copy, modify, and distribute the software. This
allows companies such as Fedora, Red Hat, Caldera and others to sell and
distribute Linux; at the same time, these companies must keep their Linux
distribution code open for public inspection, comment, and changes. Despite the
command-line origins of Linux, these distributing companies are working to make the
Graphical User Interface (GUI) the primary means of interacting with the system, and thus
make it more user friendly.
Overall, Linux is not just a simple operating system; it is an entire server and desktop
environment, equipped with add-ons, GUI tools and interfaces, and supplementary programs.
Although Linux distributions vary, the following list is a summary of what to expect from
any version of Linux:
▪ File services: NFS, Samba
▪ Graphics programs: image manipulation, retouching, and paint capabilities
▪ Mail server software: SendMail, POP, and IMAP servers
▪ Multimedia tools: support for JPEG, GIF, PNG, TIFF, MPEG, AVI, and QuickTime
video files
▪ Programming tools: Linux systems support C, C++, FORTRAN, Pascal, assembler,
BASIC, Perl, Python, Tcl/Tk, LISP, Scheme, plus a debugger and a memory
debugger


▪ X Windows system
A. Linux Distributions
A Linux distribution is an assemblage of software with its own packaging schemes, defaults
and configuration methods. The following is a list of some of the major Linux distributions:
● Fedora Linux : The Fedora Project welcomes OEM distributors, but providers must
adhere to the same trademark guidelines as other vendors. Specifically, you may not
modify the Fedora installation and maintain the Fedora name. The nearest you may do is
completely rebrand the distribution to comply with the trademark guidelines, make your
modifications, and distribute the product under a different name. You may also not then
say that your product "contains Fedora" or is an alternate "edition" of Fedora. You may
say that your product is "a derivative of Fedora" or is "built upon Fedora", but you must
make it clear that your product is NOT Fedora. If you use the Fedora name in such a
manner, you must also note that Fedora is a registered trademark, and not attempt to
confuse users or allude to a non-existent relationship between you and the Fedora Project
or Red Hat.
● Corel Linux: This is a new Linux distribution that has made an impressive entrance.
The installation process is simple and does a great job of detecting and automatically
configuring many sound and video card adapters. It also comes together with Corel’s
WordPerfect word processing package which has been ported to run on Linux.
● Debian GNU/Linux: This distribution is one of the oldest and recognized favorites
among advanced technical groups. It is relatively difficult to install due to the very high
number of installation options.
● OpenLinux (Caldera): The OpenLinux distribution has shrink-wrapped software
packages that include the first graphical Linux installation. This distribution allows the
user to play a game in the foreground while the computer loads software in the
background during installation.
● Red Hat: Red Hat is the first company to mass market the Linux operating system.
They have validated Linux by packing the GNU/Linux tools in shrink-wrapped packages
and have included value-added features in their product such as telephone support,
training, and consulting services.


● Slackware: Of all of the surviving Linux distributions, Slackware has been around the
longest. The installation interface had remained the same since its beginning, until a
couple of years ago.
● SuSE: This distribution originates in Germany. SuSE works closely with the XFree86
project (the free X graphical server component of all Linux distributions). As a result,
they have a terrific graphical configuration tool called SaX.
● TurboLinux: This distribution provides a great graphical desktop environment along
with a few tools for configuring the system. TurboLinux has led the way in turnkey
installations by providing CD installations dedicated to Server, Workstation, and
Cluster setups.
B. Configuring Your System
After the installation of the files is complete, the next step is configuring the system.
The steps involved are:
1. Selecting a language
2. Choosing automatic or manual partitioning
3. Type of software to install
4. Choosing which drive to boot from
5. Adjusting the time settings
6. Configuring the hardware aspect of the system
7. Creating the root password (for the Administrator), as well as the user name and
password for users
8. Hardware configuration
C. Linux Applications
Once the user is familiar with navigating the KDE GUI, it is time to explore the numerous
applications Linux has to offer. Unlike the Windows operating system, Linux distributions such
as SuSE already come with all the programs and applications needed. Programs included with SuSE
Linux are:
▪ OpenOffice: word processing, spreadsheets, drawing
▪ Adobe Acrobat Reader
▪ Konqueror: The KDE File Manager and Web Browser


▪ Kmail: The KDE Mail Application


▪ Evolution: An Email and Calendar Program
▪ Sound Application, TV, Video, Radio, and Webcam
▪ K3b: The KDE Burning Application
▪ Digital Cameras
▪ Kooka: Scanning Application
▪ Graphics with the GIMP
▪ Shell system

It is useful to note that the Linux operating system allows the user to continue to use old
files that were created under different operating systems. Standard programs in Linux such as
StarOffice and the GIMP can handle most file formats the user has previously worked with,
whether for word processing documents, pictures, or video data. SuSE Linux allows the
user to work with old files without difficulty.
D. Files, Folders, and Directories
To use the shell efficiently, it is useful to have some knowledge of the file and directory
structure of Linux. Directories can be thought of as electronic folders in which files, programs, and
subdirectories are stored. The place where the entire directory tree begins is called the root
directory, identified by a slash ('/'). Root is also the name of one of the several users on
the Linux system, which, as mentioned before, is a multiuser system; the root user is responsible for
the entire Linux system and for making sure it runs reliably.
The Linux file system is subdivided into many branches known as subdirectories. The table
below gives a short description of these standard directories.
Table: Overview of Important Directories

Directory            Description
/                    Root directory, starting point of the directory tree
/home                (private) directories of users
/dev                 Device files that represent hardware components
/etc                 Important files for system configuration
/etc/init.d          Boot scripts
/usr/bin             Generally accessible programs
/bin                 Programs needed early in the boot process
/usr/sbin            Programs reserved for the system administrator
/sbin                Programs reserved for the system administrator and needed for booting
/sbin/init.d         Boot scripts
/usr/include         Header files for the C compiler
/usr/include/g++     Header files for the C++ compiler
/usr/share/doc       Various documentation files
/usr/man             System manual pages (man pages)
/usr/src             Source code of system software
/usr/src/linux       Kernel source code
/tmp                 Temporary files
/var/tmp             Large temporary files
/usr                 Contains all application programs
/var                 Configuration files (e.g., those linked from /usr)
/var/log             System log files
/var/adm             System administration data
/lib                 Shared libraries (for dynamically linked programs)
/proc                Process file system
/usr/local           Local, distribution-independent extensions
/opt                 Optional software, larger add-on program packages (such as KDE, GNOME, Netscape)

Linux Commands:

ls
The ls command (list) shows the files and directories stored under a given path in the
Linux terminal. For example, the command:

ls /applications

shows the user all of the folders stored in the applications folder. The ls command is used
for viewing files, folders and directories.

1. cd
The cd command (change directory) lets the user move between directories. As
the command name suggests, you use the cd command to move from one directory to
another. For example, if you wanted to change from the home directory to the arora
directory, you would enter the following command:

cd /arora/applications

As you might have noted, the path name reads in reverse order. Logically, cd /arora/applications
reads "change to the arora directory, which is stored in the applications directory". All
Linux commands follow a logical path.


2. mv
The mv command (move) allows a user to move a file to another folder or directory, just like
dragging a file on a PC desktop into a folder stored within the "Documents" folder. An
example of the mv command is:

mv /arora/applications/majorapps /arora/applications/minorapps

The first part of the command, /arora/applications/majorapps, names the application to be
moved; in this case, arora. The second part of the command, /arora/applications/minorapps, names
where arora will be moved to: from majorapps to minorapps.

3. man
The man command (manual) shows the manual page of the command given to it. Just like
a film about the nature of film, the man command is the meta command of the Linux CLI.
Entering the man command shows you all the information about the command you are
using. An example:

man cd

This command shows the manual, i.e. all relevant information, for the change directory
command.

4. mkdir
The mkdir command (make directory) allows the user to make a new directory. Just like making
a new folder on a PC or Mac desktop, the mkdir command makes new directories in a Linux
environment. An example of the mkdir command:

mkdir testdirectory

This command creates the directory "testdirectory".

5. rm
The rm command (remove), like the rmdir command, is meant to remove files from your Linux
OS. Whereas the rmdir command removes directories, the rm command deletes files. An
example of the rm command:

rm testfile.txt

This command removes testfile.txt. Note that whereas the rmdir command will only delete
an empty directory, the rm command (with its -r option) will remove both files and directories
that still contain files. For this reason the rm command carries more weight than the rmdir
command and should be used with more care.
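The command sequence above, mirrored in Python with the one safeguard a scripted rm needs. This is an added example and not part of the original manual: a throwaway directory is created, a subdirectory and a file are made, a directory is moved, the listing is taken, and then the rmdir versus rm -r difference is shown. The sandbox path check (refusing to delete anything that resolves outside the working directory) and all function names are this example's own assumptions.

```python
import shutil
import tempfile
from pathlib import Path


def resolve_inside(root: Path, target: str) -> Path:
    """Resolve `target` relative to `root` and refuse anything that escapes it.

    This is the guard a scripted `rm -r` should carry: a path such as
    '../../etc', or a symlink inside the sandbox that points outside it,
    resolves to a location outside `root` and is rejected.
    """
    root = root.resolve()
    candidate = (root / target).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"refusing to touch {candidate}: outside {root}")
    return candidate


def remove_like_rmdir(root: Path, target: str) -> bool:
    """Mirror of `rmdir`: succeeds only on an empty directory."""
    path = resolve_inside(root, target)
    try:
        path.rmdir()          # raises OSError when the directory is not empty
        return True
    except OSError:
        return False


def remove_like_rm_r(root: Path, target: str) -> bool:
    """Mirror of `rm -r`: removes a whole tree, but only inside the sandbox."""
    path = resolve_inside(root, target)
    if path.is_dir():
        shutil.rmtree(path)
    else:
        path.unlink()
    return True


def demo() -> dict:
    """Run the mkdir / mv / ls / rmdir / rm sequence in a temporary directory.

    Returns the observations so they can be checked; the temporary directory
    is always cleaned up afterwards.
    """
    root = Path(tempfile.mkdtemp(prefix="labdemo_"))
    try:
        (root / "testdirectory").mkdir()                      # mkdir testdirectory
        (root / "testdirectory" / "testfile.txt").write_text("hello\n")
        (root / "majorapps" / "arora").mkdir(parents=True)    # mkdir -p majorapps/arora
        (root / "minorapps").mkdir()
        # mv majorapps/arora minorapps/arora
        shutil.move(str(root / "majorapps" / "arora"), str(root / "minorapps" / "arora"))
        listing = sorted(p.name for p in root.iterdir())      # ls
        rmdir_on_nonempty = remove_like_rmdir(root, "testdirectory")   # rmdir refuses
        rm_r_on_nonempty = remove_like_rm_r(root, "testdirectory")     # rm -r succeeds
        try:
            remove_like_rm_r(root, "../..")                   # must never get past the guard
            escape_blocked = False
        except ValueError:
            escape_blocked = True
        return {
            "listing": listing,
            "moved": (root / "minorapps" / "arora").is_dir()
                     and not (root / "majorapps" / "arora").exists(),
            "rmdir_on_nonempty": rmdir_on_nonempty,
            "rm_r_on_nonempty": rm_r_on_nonempty,
            "testdirectory_gone": not (root / "testdirectory").exists(),
            "escape_blocked": escape_blocked,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the guard is the same as the text's warning about rm carrying more weight than rmdir: a removal helper should know the single directory it is allowed to operate in and refuse everything else, because `rm -r` on a resolved `..` path or a stray symlink deletes exactly what it is pointed at.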


EXERCISES:

1. Discuss the advantages of the Linux OS compared to other operating systems.
2. Perform various Linux commands.

EVALUATION:

Understanding / Involvement (4)   Problem solving (3)   Timely Completion (3)   Total (10)

Signature with date: ________________


PRACTICAL-2

AIM: Study of different types of vulnerabilities used for hacking websites / web applications
Learning Objectives
After going through this session, you should be able to:
● Know the reasons for attacking web applications
● Identify different types of web application vulnerability

Reasons for Attacking Web Applications


Currently there are many privacy risks in web applications. Today too many websites are hacked by
anonymous attackers, who target websites for different reasons. These reasons are listed in Table 1.

Attack Goal                      %
Stealing Sensitive Information   42%
Defacement                       23%
Planting Malware                 15%
Unknown                          08%
Deceit                           03%
Blackmail                        03%
Link Spam                        03%
Worm                             01%
Phishing                         01%
Information Warfare              01%

Table 1: Reasons for Attacks

Web Application Vulnerability


There are several different types of attacks used by hackers. These types of attacks and how
often each is used are listed in Table 2.

Attack/Vulnerability Used              % of use
SQL Injection                          20 %
Unintentional Information Disclosure   17 %
Known Vulnerability                    15 %
Cross Site Scripting (XSS)             12 %
Insufficient Access Control            10 %
Credential/Session Prediction          08 %
OS Commanding                          03 %
Security Misconfiguration              03 %
Insufficient Anti-automation           03 %
Denial Of Service                      03 %
Redirection                            02 %
Insufficient Session Expiration        02 %
Cross Site Request Forgery (CSRF)      02 %

Table 2: Types of Attacks

These are the vulnerability types and how often each is used. SQL Injection and Cross Site
Scripting are the most famous vulnerabilities in web applications. Generally, web servers, application
servers, and web application environments are affected by the following types of vulnerabilities; the
OWASP (Open Web Application Security Project) maintains a list of all of them. Two types of
attacks are used by hackers especially frequently, namely the SQL Injection attack and the XSS (Cross Site
Scripting) attack. The following is a brief explanation of each type of attack.

SQL Injection Attack


Injection means tricking an application into including unintended commands in the data sent to an
interpreter. What do interpreters do? They take strings and interpret them as commands (SQL, OS
shell, XPath, LDAP, etc.). Any web application that accepts user input as the basis for performing a
database query may be vulnerable to SQL Injection. The attack uses loopholes in the web application
code that interacts with the database: the attacker exploits an input vulnerability and attempts to send
an unexpected command or SQL query to the web application. Such queries can trick the interpreter into
displaying unauthorized data to the hacker. By this attack a hacker can read important information
related to users (user name, password, email) from the database, access the admin account and perform
all the operations reserved for the admin, modify data by passing a query, and even run operating system
commands on the database server. SQL Injection is further divided into:
● Union Based SQL Injection
● String Based SQL Injection
● Error Based SQL Injection
Cross Site Scripting (XSS)
XSS is also one of the most dangerous attacks. In this attack the hacker simply injects a script into
web pages. These pages are returned to the client and the malicious code is executed in the client's
browser, for example as an alert popup, and by simply responding to the web application the client is
hacked. (Example: the attacker sets the trap by updating their profile; the victim views the page, sees
the attacker's profile, and the script silently sends the victim's session cookie to the attacker.) The
hacker can access cookies and session tokens, achieve remote code execution and obtain sensitive data.
XSS can be classified into two classes, server XSS and client XSS. There are three types of XSS:

● Stored XSS
● Reflected XSS
● Dom based XSS

Stored XSS, also known as persistent XSS, occurs when the hacker stores a malicious script
permanently on the target server, for example in a database, a visitor log, a comment field or a URL.
Reflected XSS occurs when the hacker injects a script through an input field and it is reflected
back in the response.
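An added example, not from the manual, of the stored XSS case described above and its usual fix: a comment store holds an attacker-supplied string, the vulnerable renderer pastes it into HTML as-is, and the fixed renderer encodes every untrusted value for the context it lands in (element text, attribute value, and a URL scheme allowlist for the link). The comment records, the `alert(1)` script standing in for the popup the text mentions, and all function names are constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: what a comment table might hold after an attacker posts
# a script instead of a comment. The script body is the harmless popup the
# text mentions; the homepage field shows the attribute-context variant.
COMMENTS = [
    {"author": "bob", "text": "Nice article!", "homepage": "https://example.org/bob"},
    {"author": "mallory", "text": "<script>alert(1)</script>", "homepage": "javascript:alert(1)"},
]


def render_comment_vulnerable(comment: dict) -> str:
    """Stored XSS: user-controlled strings are concatenated straight into HTML."""
    return (f'<p class="comment"><a href="{comment["homepage"]}">'
            f'{comment["author"]}</a>: {comment["text"]}</p>')


def safe_href(url: str) -> str:
    """Attribute context needs more than entity encoding: a `javascript:` URL
    contains no special characters, yet runs when clicked, so only http(s)
    links are accepted and the value is still encoded for the attribute."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_comment_safe(comment: dict) -> str:
    """Same markup, but every untrusted value is encoded for where it lands:
    html.escape for element text and attribute values, plus the scheme
    allowlist for the href."""
    return (f'<p class="comment"><a href="{safe_href(comment["homepage"])}">'
            f'{html.escape(comment["author"], quote=True)}</a>: '
            f'{html.escape(comment["text"], quote=True)}</p>')


def contains_active_content(rendered_html: str) -> bool:
    """Crude check used only to illustrate the difference: does the output
    still contain a raw <script> tag or a javascript: link?"""
    lowered = rendered_html.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    for c in COMMENTS:
        print("vulnerable:", render_comment_vulnerable(c))
        print("safe:      ", render_comment_safe(c))
```

Encoding is done at output time rather than on the way into the database: the stored string stays what the user typed, and each place it is rendered applies the escaping appropriate to that place. Template engines that auto-escape do the `html.escape` part for you, but the scheme check on links still has to be written.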

Broken Authentication / Session Management


This attack is also like bypassing authentication. Authentication is the method a web application uses
to verify whether a user is authorized or not; valid users' usernames and passwords are stored in the
database. This is the most frequent scheme for web applications. Various actions can break the
authentication no matter how strong it is. If the user authentication system of a website is weak, a hacker
can take full advantage of it: change the password, modify account information, and obtain sensitive
information.
Cross site request forgery (CSRF)
This attack is also like XSS, but with one difference: here the attacker creates a forged HTTP request
(e.g. update account, login/logout, purchase process) and forces the victim into submitting it via image
tags, XSS, or other techniques, to a site on which the victim is authenticated. If the user is
authenticated the attack succeeds. By this attack the attacker can steal information or obtain the
password or username.

Insecure Direct Object References


This occurs when a developer exposes a reference to an internal implementation object, such as a file,
directory or database key. Without an access control check or other protection, an attacker can
manipulate these references to access unauthorized data: a hacker who is not authorized simply changes a
parameter value that directly refers to one system object so that it refers to another object the user is
not authorized for.

Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application,
frameworks, application server, web server, database server and platform. In this type of attack the
hacker accesses default accounts, unused pages, unpatched flaws, and unprotected files and directories
to gain unauthorized access or knowledge of the system.

Sensitive Data Exposure


Many applications do not properly protect important information such as credit card numbers, tax IDs and
authentication credentials. Hackers may steal or change such weakly protected data to conduct credit card
fraud, identity theft or other crimes. Hackers generally do not break the cryptography; they break
something else, such as stealing keys, performing man-in-the-middle attacks, or stealing clear-text data
from the server, while in transit, or from the user's browser.

Using Components with Known Vulnerability


Components such as frameworks or software modules almost always run with full privileges. If a
vulnerable component is exploited, the attack can cause serious data loss. Here the hacker searches for
a weak component by scanning, customizes an exploit as needed and executes the attack.

Unvalidated Redirects and Forwards


Web applications frequently redirect users to another page or website, and use untrusted data to
determine the destination page without proper validation. A hacker can then redirect victims to a phishing site.


The hacker links to the redirect and entices the victim to click, since the link appears to point to a
valid site. Attackers also target unsafe forwards to bypass authentication.

Missing Function Level Access Control


Most web applications verify function-level access rights before making a function visible in the UI.
However, the application needs to perform the same access control checks on the server when each
function is accessed. If requests are not verified, a hacker will be able to forge requests in order to
access functionality without proper authorization: a hacker who is an ordinary authorized user simply
changes the URL or a parameter to that of a privileged function, and can also access private functions
that are not protected.
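An added example, not from the manual, covering both the Insecure Direct Object References and the Missing Function Level Access Control sections above: a tiny invoice service looks up records by the id the client sends. The vulnerable version trusts the id; the fixed version checks that the record belongs to the caller (object-level) and that the caller's role permits the operation (function-level), and answers "not found" for both missing and foreign records so that ids cannot be enumerated. Users, roles, invoices and all function names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"; taken from the server-side session, never from the request


class NotFound(Exception):
    """Raised for both 'no such record' and 'not your record'."""


class Forbidden(Exception):
    """The caller's role does not permit this function."""


# Constructed in-memory data: invoice id -> record. The id is what a URL such
# as /invoice?id=102 would carry, i.e. a direct object reference.
INVOICES = {
    101: {"owner": 1, "amount": 40},
    102: {"owner": 2, "amount": 99},
}


def get_invoice_vulnerable(invoice_id: int) -> dict:
    """IDOR: the id from the request is used directly with no ownership check,
    so any logged-in user can read any invoice just by changing the number."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> dict:
    """Object-level check: the record must belong to the caller (admins may read all).
    Missing and foreign records produce the same error, so the response does
    not reveal which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or (record["owner"] != user.id and user.role != "admin"):
        raise NotFound(f"invoice {invoice_id}")
    return record


def require_role(user: User, role: str) -> None:
    """Function-level check, done on the server for every call, whether or not
    the UI ever showed the caller a button for this function."""
    if user.role != role:
        raise Forbidden(f"{role} role required")


def void_invoice(user: User, invoice_id: int) -> dict:
    """A privileged function: hidden from ordinary users in the UI, but the
    server still enforces the role itself before touching the record."""
    require_role(user, "admin")
    record = dict(get_invoice(user, invoice_id), voided=True)
    INVOICES[invoice_id] = record
    return record


def outcome(fn, *args) -> str:
    """Reduce a call to a status string, the way an HTTP handler would map
    these exceptions to 404 / 403 responses."""
    try:
        fn(*args)
        return "ok"
    except NotFound:
        return "not found"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    alice, bob, root = User(1, "user"), User(2, "user"), User(3, "admin")
    print("vulnerable, alice reads 102:", get_invoice_vulnerable(102))
    print("fixed, alice reads 101:", outcome(get_invoice, alice, 101))
    print("fixed, alice reads 102:", outcome(get_invoice, alice, 102))
    print("fixed, bob voids 102:", outcome(void_invoice, bob, 102))
    print("fixed, admin voids 102:", outcome(void_invoice, root, 102))
```

Both checks live next to the data access rather than in the UI layer, which is the point of the two sections: hiding a link or a button changes nothing about what a forged request can do.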

EXERCISES:
1. List and discuss the different types of attack used by hackers.
2. What do you mean by Cross Site Scripting (XSS)?
3. What is encryption? Why is it important?
4. What do you understand by risk, vulnerability and threat in a network?

EVALUATION:

Understanding / Involvement (4)   Problem solving (3)   Timely Completion (3)   Total (10)

Signature with date: ________________


PRACTICAL-3

AIM: Study of Network Address Translation (NAT)

The principle of NAT


Network address translation or NAT was developed in order to respond to the shortage of IP
addresses with IPv4 protocol (in time the IPv6 protocol will respond to this problem).
In fact, in IPv4 addressing the number of routable IP addresses (which are unique in the world) is
not enough to enable all machines requiring it to be connected to the internet.
The principle of NAT therefore consists of using a gateway connected to the Internet, which has at
least one network interface connected to the internal network and at least one network interface
connected to the Internet (possessing a routable IP address), in order to connect all the internal
machines to the Internet.

It is a question of creating, at gateway level, a translation of packets coming from the internal
network to the external network.
So, each machine on the network needing to access the Internet is configured to use the NAT
gateway (by specifying the IP address of the gateway in the "Gateway" field with its TCP/IP
parameters). When a network machine makes a request to the Internet, the gateway makes the
request in its place, receives the response, then sends it to the machine which made the request.

Since the gateway completely conceals the internal addresses of the network, the network
address translation mechanism also serves a security function: to an external observer of the
network, all requests seem to come from the gateway's IP address.


Address space
The organization managing public address space (routable IP addresses) is the Internet Assigned
Number Authority (IANA). RFC 1918 defines a private address space enabling any organization
to allocate IP addresses to machines on its internal network without risk of entering into conflict
with a public IP address allocated by IANA. These addresses known as non-routable relate to the
following address ranges:

● Class A: range from 10.0.0.0 to 10.255.255.255;
● Class B: range from 172.16.0.0 to 172.31.255.255;
● Class C: range from 192.168.0.0 to 192.168.255.255.

All the machines on an internal network, connected to the internet via a router and not having a
public IP address must use an address within one of these ranges. For small domestic networks,
the address range from 192.168.0.1 to 192.168.0.255 is generally used.

Static translation
The principle of static NAT consists of linking a public IP address to a private internal IP
address on the network. The router (or more precisely the gateway) thus allows a private IP
address (for example 192.168.0.1) to be linked to a public routable IP address on the Internet and
conducts the translation, in either direction, by changing the address in the IP packet.
Static network address translation therefore enables internal network machines to be connected
to the Internet in a transparent way but does not resolve the problem of the lack of addresses
insofar as n routable IP addresses are necessary to connect n machines to the internal network.

Dynamic translation
Dynamic NAT enables a routable IP address (or a reduced number of routable IP addresses) to
be shared between several machines with private addresses. So seen from outside, all the
machines on the internal network virtually possess the same IP address. This is the reason why
the term "IP masquerading" is sometimes used to indicate dynamic network address translation.
In order to be able to "multiplex" (share) the different IP addresses on one or several routable IP
addresses, dynamic NAT uses Port Address Translation (PAT), i.e. the allocation of a different
source port for each request in such a way as to be able to maintain a correspondence between
the requests coming from the internal network and the responses of the machines on the Internet,
all addressed to the router's IP address.
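The private address ranges and the dynamic NAT / PAT mechanism described above, as an added simulation that is not part of the manual: an `is_private` check built from the three RFC 1918 ranges, and a small gateway model that rewrites the source of outbound packets to its public address with a fresh port, keeps the correspondence table, and translates replies back to the internal host. The public address 198.51.100.1 and the remote server 203.0.113.10 are documentation addresses chosen for the example; the class and method names are this example's own.

```python
import ipaddress
from itertools import count

# The three RFC 1918 private ranges from the text, in CIDR form.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # class A block
    ipaddress.ip_network("172.16.0.0/12"),    # class B block
    ipaddress.ip_network("192.168.0.0/16"),   # class C block
]


def is_private(ip: str) -> bool:
    """True when `ip` falls in one of the non-routable RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class PatGateway:
    """Model of a dynamic NAT (IP masquerading) gateway using Port Address Translation.

    Outbound packets get the gateway's public IP and a fresh source port; the
    (public port -> internal flow) correspondence is kept so that replies can
    be returned to the machine that made the request.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.by_public_port = {}   # public port -> (src_ip, src_port, dst_ip, dst_port)
        self.by_flow = {}          # (src_ip, src_port, dst_ip, dst_port) -> public port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal host's packet; returns the header as seen on the Internet."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an internal address")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:            # first packet of this flow: allocate a port
            port = next(self._next_port)
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from the Internet.

        Returns the header as delivered on the internal network, or None when
        the packet matches no table entry and is dropped. This is why
        unsolicited connections from outside do not reach internal hosts; it
        is a side effect of the table, not a substitute for a firewall policy.
        """
        if dst_ip != self.public_ip:
            return None
        flow = self.by_public_port.get(dst_port)
        if flow is None:
            return None
        in_ip, in_port, remote_ip, remote_port = flow
        if (src_ip, src_port) != (remote_ip, remote_port):   # reply must come from the peer contacted
            return None
        return (src_ip, src_port, in_ip, in_port)


if __name__ == "__main__":
    gw = PatGateway("198.51.100.1")
    # Two internal hosts happen to pick the same source port towards the same server;
    # PAT keeps them apart by giving each flow its own public port.
    print(gw.outbound("192.168.0.10", 5000, "203.0.113.10", 443))
    print(gw.outbound("192.168.0.11", 5000, "203.0.113.10", 443))
    print(gw.inbound("203.0.113.10", 443, "198.51.100.1", 40001))
    print(gw.inbound("203.0.113.10", 443, "198.51.100.1", 40002))  # no mapping: dropped
```

The model is deliberately strict about who may answer (the reply must come from the address and port the internal host contacted); real gateways differ in how strict they are, which is why port forwarding rules exist for services that must accept unsolicited inbound connections.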


EXERCISES:

1. What do you mean by port forwarding?
2. Explain port triggering.
3. Why do you need DNS monitoring?

EVALUATION:

Understanding / Involvement (4)   Problem solving (3)   Timely Completion (3)   Total (10)

Signature with date: ________________


PRACTICAL-4

AIM: Study of Cybercrime and types of cybercrime.

Cybercrime is defined as a crime in which a computer is the object of the crime (hacking,
phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes).
Cybercriminals may use computer technology to access personal information or business trade
secrets, or use the internet for exploitative or malicious purposes. Criminals can also use
computers for communication and for document or data storage. Criminals who perform these
illegal activities are often referred to as hackers. Cybercrime may also be referred to as computer
crime.
Common types of cybercrime include online bank information theft, identity theft, online
predatory crimes and unauthorized computer access. More serious crimes like cyberterrorism are
also of significant concern. Cybercrime encompasses a wide range of activities, but these can
generally be broken into two categories:

● Crimes that target computer networks or devices. These types of crimes include viruses
and denial-of-service (DoS) attacks.
● Crimes that use computer networks to advance other criminal activities. These types of
crimes include cyberstalking, phishing and fraud or identity theft.

The FBI identifies cybercrime fugitives who have allegedly committed bank fraud and trafficked
counterfeit devices that access personal electronic information. The FBI also provides
information on how to report cybercrimes, as well as useful intelligence information about the
latest cybercriminals.

DDoS Attacks
These are used to make an online service unavailable and take the network down by
overwhelming the site with traffic from a variety of sources. Large networks of infected devices
known as Botnets are created by depositing malware on users’ computers. The hacker then hacks
into the system once the network is down.

Botnets
Botnets are networks from compromised computers that are controlled externally by remote
hackers. The remote hackers then send spam or attack other computers through these botnets.
Botnets can also be used to act as malware and perform malicious tasks.

Identity Theft


This cybercrime occurs when a criminal gains access to a user’s personal information to steal
funds, access confidential information, or participate in tax or health insurance fraud. They can
also open a phone/internet account in your name, use your name to plan a criminal activity and
claim government benefits in your name. They may do this by finding out user’s passwords
through hacking, retrieving personal information from social media, or sending phishing emails.

Cyberstalking
This kind of cybercrime involves online harassment where the user is subjected to a plethora of
online messages and emails. Typically cyberstalkers use social media, websites and search
engines to intimidate a user and instill fear. Usually, the cyberstalker knows their victim and
makes the person feel afraid or concerned for their safety.

Social Engineering
Social engineering involves criminals making direct contact with you usually by phone or email.
They want to gain your confidence and usually pose as a customer service agent so you’ll give
the necessary information needed. This is typically a password, the company you work for, or
bank information. Cybercriminals will find out what they can about you on the internet and then
attempt to add you as a friend on social accounts. Once they gain access to an account, they can
sell your information or secure accounts in your name.

PUPs
PUPs, or Potentially Unwanted Programs, are less threatening than other cybercrimes, but are a
type of malware. They uninstall necessary software on your system, including search engines and
pre-downloaded apps. They can include spyware or adware, so it is a good idea to install
antivirus software to avoid the malicious download.

Phishing
This type of attack involves hackers sending malicious email attachments or URLs to users to
gain access to their accounts or computers. Cybercriminals are becoming more established and
many of these emails are not flagged as spam. Users are tricked by emails claiming they need to
change their password or update their billing information, giving criminals access.

Prohibited/Illegal Content
This cybercrime involves criminals sharing and distributing inappropriate content that can be
considered highly distressing and offensive. Offensive content can include, but is not limited to,
sexual activity between adults, videos with intense violence and videos of criminal activity. Illegal
content includes materials advocating terrorism-related acts and child exploitation material. This
type of content exists both on the everyday internet and on the dark web, an anonymous network.

Online Scams


These are usually in the form of ads or spam emails that include promises of rewards or offers of
unrealistic amounts of money. Online scams include enticing offers that are “too good to be true”
and when clicked on can cause malware to interfere and compromise information.

Exploit Kits
Exploit kits need a vulnerability (bug in the code of a software) in order to gain control of a
user’s computer. They are readymade tools criminals can buy online and use against anyone with
a computer. The exploit kits are upgraded regularly similar to normal software and are available
on dark web hacking forums.

EXERCISES:
1. What is cybercrime? Explain types of cybercrime.
2. Discuss the impact of cybercrime on society.
3. List some common cyber attacks.
4. What are black hat, white hat, grey hat hackers?

EVALUATION:

Understanding / Involvement (4)   Problem solving (3)   Timely Completion (3)   Total (10)

Signature with date: ________________


PRACTICAL-5

AIM: Study of SQL Injection and its prevention

SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute malicious
SQL statements. These statements control a database server behind a web application. Attackers
can use SQL Injection vulnerabilities to bypass application security measures. They can go
around authentication and authorization of a web page or web application and retrieve the
content of the entire SQL database. They can also use SQL Injection to add, modify, and delete
records in the database.
An SQL Injection vulnerability may affect any website or web application that uses an SQL
database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain
unauthorized access to your sensitive data: customer information, personal data, trade secrets,
intellectual property, and more. SQL Injection attacks are one of the oldest, most prevalent, and
most dangerous web application vulnerabilities.

How and Why Is an SQL Injection Attack Performed


To make an SQL Injection attack, an attacker must first find vulnerable user inputs within the
web page or web application. A web page or web application that has an SQL Injection
vulnerability uses such user input directly in an SQL query. The attacker can create input
content. Such content is often called a malicious payload and is the key part of the attack. After
the attacker sends this content, malicious SQL commands are executed in the database.
SQL is a query language that was designed to manage data stored in relational databases. You
can use it to access, modify, and delete data. Many web applications and websites store all the
data in SQL databases. In some cases, you can also use SQL commands to run operating system
commands. Therefore, a successful SQL Injection attack can have very serious consequences.

● Attackers can use SQL Injections to find the credentials of other users in the database.
They can then impersonate these users. The impersonated user may be a database
administrator with all database privileges.
● SQL lets you select and output data from the database. An SQL Injection vulnerability
could allow the attacker to gain complete access to all data in a database server.
● SQL also lets you alter data in a database and add new data. For example, in a financial
application, an attacker could use SQL Injection to alter balances, void transactions, or
transfer money to their account.
● You can use SQL to delete records from a database, even drop tables. Even if the
administrator makes database backups, deletion of data could affect application
availability until the database is restored. Also, backups may not cover the most recent
data.

● In some database servers, you can reach the operating system through the database server.
This may be intentional or accidental. In such a case, an attacker could use an SQL
Injection as the initial vector and then attack the internal network behind a firewall.

There are several types of SQL Injection attacks: in-band SQLi (error-based, or using UNION
queries), blind SQLi (boolean-based or time-based, where the attacker infers results from the
application's behaviour), and out-of-band SQLi (where results are exfiltrated over another channel).
The following example shows how an attacker can use an SQL Injection vulnerability to bypass
application security and authenticate as an administrator.
The following script is pseudocode executed on a web server. It is a simple example of
authenticating with a username and a password. The example database has a table named users
with the following columns: username and password.
# Define POST variables (taken straight from the HTTP request body)
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi: the user-supplied values are pasted into the query text
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement; whatever the user typed is now part of the SQL
database.execute(sql)
These input fields are vulnerable to SQL Injection. An attacker could use SQL syntax in the
input in a way that alters the SQL statement executed by the database server. For example,
they could close the quoted string with a single quote and set the passwd field to:
password' OR '1'='1
As a result, the database server runs the following SQL query:
SELECT id FROM users WHERE username='username' AND password='password' OR '1'='1'
Because AND binds more tightly than OR, the WHERE clause is read as (username=... AND
password=...) OR '1'='1', which is true for every row, so the query returns every id in the users
table no matter what the username and password are. An application that takes the first row
returned logs the attacker in as that user, and the first user id in a database is very often the
administrator. In this way, the attacker not only bypasses authentication but also gains
administrator privileges. They can also comment out the rest of the SQL statement to control the
execution of the SQL query further (the comment syntax depends on the database engine):
-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16

How to Prevent an SQL Injection


The most reliable defence against SQL Injection is to keep data and code apart: use parameterized
queries (prepared statements), or a well-tested ORM built on them, for every query, so that user
input is sent to the database as a value and is never spliced into the SQL text. Input validation
is a useful second layer, and it must cover every input the application receives, not only web
form fields such as login forms: URL parameters, cookies, HTTP headers and data read back from the
database can all carry a payload. Stripping or escaping single quotes by hand is not a substitute
for parameterization; escaping rules differ between database engines and are easy to get wrong.
Run the application's database account with the least privilege it needs, and turn off the display
of database errors on production sites, since error messages can be used with SQL Injection to
learn the structure of your database.
If you discover an SQL Injection vulnerability, for example with a web vulnerability scanner such as
Acunetix, you may be unable to fix it immediately, for instance because the vulnerable code is in a
third-party or open source component. In such cases, a web application firewall can filter likely
payloads as a temporary measure, but it is a stopgap, not a fix.
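The login check from the pseudocode above, written out both ways as an added example (this is not code from the lab manual): the vulnerable string-concatenation version and the parameterized version run side by side against an in-memory SQLite database. The users table, its two rows, and the payloads are constructed for this demonstration; the passwords are stored in clear text only to match the manual's schema.

```python
# Added example (not part of the lab manual): a login check written two ways
# against an in-memory SQLite database. The "users" table, the sample rows and
# the payloads below are constructed for this demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a users(id, username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Constructed sample rows; row 1 is the administrator, as the text assumes.
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret-admin"), (2, "alice", "alice-pass")],
    )
    return conn


def login_vulnerable(conn, uname: str, passwd: str):
    """The manual's pseudocode made concrete: user input is concatenated into SQL.
    Returns the id of the first matching row, or None."""
    sql = ("SELECT id FROM users WHERE username='" + uname
           + "' AND password='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname: str, passwd: str):
    """Same query with placeholders: the driver passes the values separately,
    so a quote or comment marker in the input is data, never SQL syntax."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both versions against normal credentials and two injection payloads."""
    conn = make_db()
    results = {
        "vuln_correct": login_vulnerable(conn, "alice", "alice-pass"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        # Payload from the text: closes the string and appends an always-true clause
        "vuln_bypass": login_vulnerable(conn, "nobody", "password' OR '1'='1"),
        # Comment variant: "--" discards the rest of the statement, password check included
        "vuln_comment": login_vulnerable(conn, "admin'-- ", "anything"),
        "safe_correct": login_parameterized(conn, "alice", "alice-pass"),
        "safe_bypass": login_parameterized(conn, "nobody", "password' OR '1'='1"),
        "safe_comment": login_parameterized(conn, "admin'-- ", "anything"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} -> {value}")
```

Both payloads log the attacker in as id 1 (the administrator) through login_vulnerable, while login_parameterized returns None for them because the whole payload is compared, literally, against the password column. A real application would store password hashes and compare them in code rather than in the WHERE clause; parameterization is still what stops the injection.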

EXERCISES:

1. What do you mean by SQL Injection and how it is performed?


2. Difference between Cyber security and Network Security?
3. What techniques can be used to prevent brute force login attack?

EVALUATION:

Understanding / Involvement (4)    Problem solving (3)    Timely Completion (3)    Total (10)

Signature with date: ________________

PRACTICAL-6

AIM: Study Virtual Private Network (VPN)

A VPN (Virtual Private Network) is a service that routes your connection through a remote server
and carries it there inside an encrypted tunnel, so that the networks you cross cannot read your
traffic or see which sites you visit.
A VPN hides your real IP address from the sites you visit, which see the address of the VPN server
instead, and it routes all of your internet traffic through a securely encrypted tunnel over public
networks. VPNs are popular because they keep your location and browsing activity from the local
network and your ISP. When all of your data is encrypted inside the VPN tunnel, the Wi-Fi operator,
your ISP, and anyone else on the path between you and the VPN server can see only that you are
talking to the VPN server, not what you send. The VPN provider itself, however, sees your traffic
where it leaves the tunnel, and a website you log into still knows who you are.

How Does a VPN Network Work to Protect You?


VPNs protect you in three main ways:

1. By disguising your real IP address and location. After connecting to a VPN service,
you're sent onto the internet from a new gateway server. This spoofs your IP address and
makes it appear as if you're in a different city or country than the one you're actually in.
2. By encapsulating all of your internet traffic through a private VPN tunnel. Data on
the internet moves in packets. With a VPN, all of your data packets are encapsulated
inside additional data packets. This encapsulation effectively creates a private tunnel
inside public networks.
3. By scrambling your private data with encryption. When using a VPN service, all of
your internet traffic and personal information inside the tunnel is encrypted, and modern VPN
protocols also authenticate each packet. An outside party on the path cannot read or alter the
traffic without the tunnel's key; the protection ends at the VPN server, which decrypts it.
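The three mechanisms above, shown together as an added example (not code from the lab manual or from any VPN product): an inner packet addressed to the real destination is wrapped in an outer packet addressed to the VPN server, the inner packet is encrypted with a keystream and protected by a MAC, and an on-path observer gets to see only the outer header. The addresses, the packet layout, and the HMAC-SHA256 counter-mode stream with encrypt-then-MAC are this example's own constructions; a real VPN such as WireGuard uses ChaCha20-Poly1305 and a proper key exchange.

```python
# Added example (not from the lab manual): a minimal tunnel that encapsulates an
# inner packet inside an encrypted, authenticated outer packet. The packet format,
# the key derivation and the HMAC-SHA256 counter-mode stream are this example's
# own constructions, chosen so that it runs with the standard library only.
import hashlib
import hmac
import os
import struct
from ipaddress import ip_address

# Hypothetical addresses used throughout this example.
CLIENT_IP = "192.0.2.10"        # the user's real address
VPN_SERVER_IP = "198.51.100.1"  # the VPN gateway
DESTINATION_IP = "203.0.113.5"  # the web server the user actually talks to


def derive_keys(shared_secret: bytes):
    """Split one shared secret into separate encryption and MAC keys."""
    k_enc = hashlib.sha256(b"enc" + shared_secret).digest()
    k_mac = hashlib.sha256(b"mac" + shared_secret).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(k_enc, nonce || i).
    Security depends on never reusing a nonce under the same key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Inner 'IP packet': 4-byte src, 4-byte dst, 2-byte length, then payload."""
    return struct.pack(">4s4sH", ip_address(src).packed,
                       ip_address(dst).packed, len(payload)) + payload


def parse_inner_packet(pkt: bytes):
    src, dst, length = struct.unpack(">4s4sH", pkt[:10])
    return str(ip_address(src)), str(ip_address(dst)), pkt[10:10 + length]


def encapsulate(shared_secret: bytes, inner: bytes, nonce: bytes = None) -> bytes:
    """Client side: outer header (client -> VPN server) + nonce + ciphertext + tag."""
    k_enc, k_mac = derive_keys(shared_secret)
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner, keystream(k_enc, nonce, len(inner))))
    outer_hdr = struct.pack(">4s4s", ip_address(CLIENT_IP).packed,
                            ip_address(VPN_SERVER_IP).packed)
    tag = hmac.new(k_mac, outer_hdr + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return outer_hdr + nonce + ct + tag


def observer_view(outer: bytes) -> dict:
    """What the hotspot or ISP sees: the outer addresses and an opaque length."""
    src, dst = struct.unpack(">4s4s", outer[:8])
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)), "bytes": len(outer) - 8}


def decapsulate(shared_secret: bytes, outer: bytes) -> bytes:
    """VPN server side: verify the tag first, then decrypt; reject tampered packets."""
    k_enc, k_mac = derive_keys(shared_secret)
    outer_hdr, nonce, ct, tag = outer[:8], outer[8:20], outer[20:-32], outer[-32:]
    expected = hmac.new(k_mac, outer_hdr + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet modified in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(k_enc, nonce, len(ct))))


def demo():
    """Tunnel one request; show the observer's view, the server's view, and tamper detection."""
    secret = b"constructed-shared-secret"  # in practice the output of a key exchange
    inner = build_inner_packet(CLIENT_IP, DESTINATION_IP, b"GET / HTTP/1.1\r\n")
    outer = encapsulate(secret, inner)
    seen = observer_view(outer)
    recovered = parse_inner_packet(decapsulate(secret, outer))
    tampered = outer[:-40] + bytes([outer[-40] ^ 0x01]) + outer[-39:]  # flip one ciphertext bit
    try:
        decapsulate(secret, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return seen, recovered, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The observer's view never contains DESTINATION_IP: the destination, and the HTTP request itself, are recoverable only by the VPN server, which is the party holding the key. That is also the limit of the protection, since the server sees the plaintext it forwards.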

When Should You Use a VPN Network?


There are many times you may want to use a VPN, including when you're browsing over public
networks, at home, at the office, when traveling or living in a country with geo-restrictions, or on
mobile devices. Basically, anytime you want to browse privately (or spoof your IP address), you
should use a VPN.
Using a VPN over public networks
Many of us use public Wi-Fi without giving it much thought. The problem is, even with a
password, it's easy for hackers and other entities to view and steal private data over public
networks. At the very least, it's important to use a VPN to protect sensitive information, such as
logins and passwords, when you're on public Wi-Fi. This includes Wi-Fi hotspots at airports,
hotels, cafes, schools, and libraries.

Using a VPN at home


Home networks are generally private with tightly controlled access. However, you may not be
aware that everything you do online, from your Google searches to the websites you visit to
the things you buy, can still be linked back to your IP address. In many cases, this information
is compiled into an advertising profile tied to an identifier, and you have little control over
how long it is kept.
If you don't like the idea of your ISP and advertisers tracking your every move, a VPN hides your
traffic from your ISP and your home network: anyone watching the connection will see your VPN
tunnel only, not what's inside. Keep in mind that a VPN changes only your apparent IP address;
search engines and advertisers can still recognise you through cookies and the accounts you are
logged into, so pair the VPN with browser privacy settings if that tracking is your concern.

Using a VPN at the office


Many companies allow employees to use the internet at work. Nevertheless, you may not want
your employer keeping tabs on the websites you visit. This includes browsing the internet over
your mobile phone while using the company's network. If this is the case for you, a VPN on your
computer or mobile device hides your browsing activity from the company's network. Note that it
does not hide activity from monitoring software installed on a company-managed device, and some
organisations block or prohibit personal VPNs on their networks, so check the acceptable-use
policy first.

Using a VPN to Bypass Geo-Restrictions


Thanks to a VPN's ability to spoof your IP address, you can use a VPN to access geo-restricted
content, blocked websites, and prohibited VoIP services when you're in a country that has
geo-blocking in place. This allows you to access your favourite websites, TV shows, and free
communication services wherever you happen to be, subject to the laws and terms of service that
apply where you are.

Using a VPN on mobile devices


In addition to using a VPN on your laptop or desktop, there are many VPN apps available to
protect your data and identity when using mobile devices. This is handy when you're away from
home or traveling.

EXERCISES:

1. What is VPN?
2. Discuss when to use VPN.
3. What is port blocking within LAN?
4. What is the difference between VPN and VLAN?

EVALUATION:

Understanding / Involvement (4)    Problem solving (3)    Timely Completion (3)    Total (10)

Signature with date: ________________

PRACTICAL-7

AIM: Study of DDoS Attack

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a
targeted server, service or network by overwhelming the target or its surrounding infrastructure
with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple
compromised computer systems as sources of attack traffic. Exploited machines can include
computers and other networked resources such as IoT devices. From a high level, a DDoS attack
is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its
desired destination.

How does a DDoS attack work?


A DDoS attack requires an attacker to gain control of a network of online machines in order to
carry out an attack. Computers and other machines (such as IoT devices) are infected with
malware, turning each one into a bot (or zombie). The attacker then has remote control over the
group of bots, which is called a botnet.
Once a botnet has been established, the attacker is able to direct the machines by sending
updated instructions to each bot via a method of remote control. When the IP address of the
victim is targeted by the botnet, each bot will respond by sending requests to the target,
potentially causing the targeted server or network to overflow capacity, resulting in a denial-of-
service to normal traffic. Because each bot is a legitimate Internet device, separating the attack
traffic from normal traffic can be difficult.

What are common types of DDoS attacks?


Different DDoS attack vectors target varying components of a network connection. In order to
understand how different DDoS attacks work, it is necessary to know how a network connection
is made. A network connection on the Internet is composed of many different components or
“layers”. Like building a house from the ground up, each step in the model has a different
purpose. The OSI model, shown below, is a conceptual framework used to describe network
connectivity in 7 distinct layers.

While nearly all DDoS attacks involve overwhelming a target device or network with traffic,
attacks can be divided into three categories. An attacker may make use of one or more different
attack vectors, or cycle through attack vectors in response to countermeasures taken by the target.

Application Layer Attacks

The Goal of the Attack:


Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model),
the goal of these attacks is to exhaust the resources of the target. The attacks target the layer
where web pages are generated on the server and delivered in response to HTTP requests. A
single HTTP request is cheap to execute on the client side, and can be expensive for the target
server to respond to as the server often must load multiple files and run database queries in order
to create a web page. Layer 7 attacks are difficult to defend against because each request looks
like a legitimate one, so the traffic can be hard to flag as malicious.

Application Layer Attack Example:

HTTP Flood
This attack is similar to pressing refresh in a web browser over and over on many different
computers at once – large numbers of HTTP requests flood the server, resulting in denial-of-
service.
This type of attack ranges from simple to complex. Simpler implementations may access one
URL from the same range of attacking IP addresses with the same referrers and user agents. Complex
versions may use a large number of attacking IP addresses and target random URLs using random
referrers and user agents.
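A rate-based detector for the two HTTP flood variants just described, as an added example (not code from the lab manual): it parses access-log lines, counts requests per source inside a sliding window, and reports whether a flagged source hammered a single URL or spread its requests over many URLs and user agents. The log format (Apache combined style), the threshold, and the log lines themselves are constructed for this example.

```python
# Added example (not from the lab manual): a rate-based detector for an HTTP
# flood, run over constructed access-log lines. The log format, the threshold
# and the addresses are this example's own assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_flood(lines, window=timedelta(seconds=10), max_requests=20, min_distinct_paths=3):
    """Flag every source that sends more than max_requests inside any sliding
    window, and classify it as a single-URL or a randomized flood."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > max_requests:
                burst = recs[start:end + 1]
                paths = {r["path"] for r in burst}
                uas = {r["ua"] for r in burst}
                kind = "randomized" if len(paths) >= min_distinct_paths else "single-url"
                flagged[ip] = f"{count} requests in {window.seconds}s ({kind} flood, {len(uas)} user agents)"
                break
    return flagged


def fmt(ip, ts, path, ua, ref="-"):
    """Build one constructed log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'


def sample_log():
    """Constructed log: one normal client, one simple flood, one randomized flood."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):   # normal browsing: one request every 12 s
        lines.append(fmt("203.0.113.7", base + timedelta(seconds=12 * i), f"/page{i}", "Mozilla/5.0"))
    for i in range(30):  # simple flood: same URL, same user agent, 10 requests per second
        lines.append(fmt("198.51.100.9", base + timedelta(milliseconds=100 * i), "/", "curl/8.0"))
    for i in range(30):  # randomized flood: varied URLs, referrers and user agents
        lines.append(fmt("192.0.2.44", base + timedelta(milliseconds=150 * i),
                         f"/item/{i * 7919 % 1000}", f"UA-{i % 4}", f"https://ref{i % 3}.example"))
    return lines


if __name__ == "__main__":
    for ip, reason in detect_flood(sample_log()).items():
        print(ip, reason)
```

A per-source threshold like this catches a flood from a small number of addresses; a botnet that keeps every bot under the threshold needs aggregate signals instead (total request rate, share of expensive URLs, request-header anomalies), which is the point the text makes about layer 7 traffic being hard to flag.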

Protocol Attacks

The Goal of the Attack:


Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by
consuming all the available state table capacity of web application servers or of intermediate
resources such as firewalls and load balancers. Protocol attacks exploit weaknesses in layer 3 and
layer 4 of the protocol stack to render the target inaccessible.

Protocol Attack Example:

SYN Flood
A SYN Flood is analogous to a worker in a supply room receiving requests from the front of the
store. The worker receives a request, goes and gets the package, and waits for confirmation
before bringing the package out front. The worker then gets many more package requests
without confirmation until they can’t carry any more packages, become overwhelmed, and
requests start going unanswered.
This attack exploits the TCP handshake by sending a target a large number of TCP "Initial
Connection Request" SYN packets with spoofed source IP addresses. The target machine
responds to each connection request with a SYN-ACK, allocates a half-open connection entry, and
waits for the final ACK of the handshake, which never arrives because the spoofed sender never
sent the SYN. The half-open entries accumulate until the table is full and the target refuses
new connections, legitimate ones included.
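The state exhaustion just described, simulated as an added example (not code from the lab manual), together with SYN cookies, the usual stateless defence: a server that stores a half-open entry per SYN is compared with one that encodes a MAC over the connection tuple and a coarse timestamp into its initial sequence number and stores nothing until a valid ACK comes back. The backlog size, the addresses, and the cookie layout are this example's assumptions; the cookie follows the idea behind Linux's SYN cookies, not their exact bit layout.

```python
# Added example (not from the lab manual): a simulation of SYN-flood state
# exhaustion and of SYN cookies as the stateless defence. The backlog size,
# addresses and cookie layout are this example's assumptions.
import hashlib
import hmac
import time

BACKLOG = 128  # half-open connections the simulated server will hold


class StatefulServer:
    """Classic handshake: every SYN allocates a half-open entry until its ACK arrives."""

    def __init__(self):
        self.half_open = {}
        self.established = set()
        self.dropped = 0

    def on_syn(self, src, sport):
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1          # table full: even a legitimate client is refused
            return None
        isn = len(self.half_open) + 1000  # arbitrary server initial sequence number
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        if isn is not None and ack == isn + 1:
            self.established.add((src, sport))
            return True
        return False


class SynCookieServer:
    """Keeps no half-open state: the ISN is a MAC over the connection tuple and a
    coarse time slot. A spoofed source never answers, so its SYN costs nothing."""

    def __init__(self, secret: bytes, now=None):
        self.secret = secret
        self.now = now or (lambda: int(time.time()) // 64)  # 64-second time slots
        self.established = set()
        self.dropped = 0

    def _cookie(self, src, sport, slot):
        msg = f"{src}:{sport}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 24 bits of MAC + 8 bits of time slot form the 32-bit ISN
        return (int.from_bytes(mac[:3], "big") << 8) | (slot & 0xFF)

    def on_syn(self, src, sport):
        return self._cookie(src, sport, self.now())   # reply with the cookie, store nothing

    def on_ack(self, src, sport, ack):
        isn = (ack - 1) & 0xFFFFFFFF
        slot = isn & 0xFF
        cur = self.now()
        for candidate in (cur, cur - 1):  # accept the current or the previous slot
            if candidate & 0xFF == slot and self._cookie(src, sport, candidate) == isn:
                self.established.add((src, sport))
                return True
        return False


def simulate(server, attack_syns=1000) -> bool:
    """Flood the server with spoofed SYNs, then see whether a real client can still connect."""
    for i in range(attack_syns):  # spoofed sources that will never send the final ACK
        server.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i % 1000)
    isn = server.on_syn("203.0.113.5", 51515)   # legitimate client (constructed address)
    if isn is None:
        return False
    return server.on_ack("203.0.113.5", 51515, isn + 1)


if __name__ == "__main__":
    print("stateful server, client connected:", simulate(StatefulServer()))
    print("syn-cookie server, client connected:", simulate(SynCookieServer(b"constructed-secret")))
```

On Linux the same idea is enabled with the sysctl net.ipv4.tcp_syncookies, which kicks in once the listen backlog is full; the real cookie also encodes the negotiated MSS, since nothing else about the SYN is remembered.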

Volumetric Attacks

The Goal of the Attack:


This category of attacks attempts to create congestion by consuming all available bandwidth
between the target and the larger Internet. Large amounts of data are sent to a target by using a
form of amplification or another means of creating massive traffic, such as requests from a
botnet.

Amplification Example:

DNS Amplification
A DNS Amplification is like if someone were to call a restaurant and say “I’ll have one of
everything, please call me back and tell me my whole order,” where the callback phone number
they give is the target’s number. With very little effort, a long response is generated.
By sending a small query to an open DNS resolver with a spoofed source IP address (the real IP
address of the target), the attacker causes the resolver to send its response to the target.
The attacker chooses a query whose answer is much larger than the question, so the target receives
many times the bandwidth the attacker spent; this works because DNS normally runs over UDP, which
does not verify the source address.
What is the process for mitigating a DDoS attack?
The key concern in mitigating a DDoS attack is differentiating between attack and normal traffic.
For example, if a product release has a company's website swamped with eager customers,
cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from known
bad actors, efforts to alleviate an attack are probably necessary. The difficulty lies in telling
the real customers and the attack traffic apart.
In the modern Internet, DDoS traffic comes in many forms. The traffic can vary in design from
un-spoofed single source attacks to complex and adaptive multi-vector attacks. A multi-vector
DDoS attack uses multiple attack pathways in order to overwhelm a target in different ways,
potentially distracting mitigation efforts on any one trajectory. An attack that targets multiple
layers of the protocol stack at the same time, such as a DNS amplification (targeting layers 3/4)
coupled with an HTTP flood (targeting layer 7) is an example of multi-vector DDoS.

EXERCISES:

1. What is a DDoS attack?
2. Explain the different types of DDoS attacks.
3. How is a DDoS attack mitigated?

EVALUATION:

Understanding / Involvement (4)    Problem solving (3)    Timely Completion (3)    Total (10)

Signature with date: ________________
