Cyber Security

The document outlines a comprehensive 11-hour cyber security training course for beginners, covering essential topics such as cyber security fundamentals, threats, tools, and career paths. It emphasizes the importance of certifications, ethical hacking, and the evolving nature of cyber threats, while detailing various attack types and the necessity for skilled professionals in the field. Additionally, it discusses the historical context of hacking, the different types of hackers, and the significance of ethical hacking in protecting systems and data.

Uploaded by

ranasaloni85600

Cyber Security Full course - 11 Hours | Cyber Security Training For Beginners | Edureka

Introduction
• Cyber security is the practice of protecting computers, servers, and networks from digital attacks, theft, and damage, and it is critical for individuals, businesses, and organizations to protect against cyber threats such as viruses, worms, and ransomware.

• The video will cover various topics including what cyber security is, cyber security fundamentals, the history of cyber security, cyber security threats, tools used in the domain, reasons to learn cyber security, skills required, how to become a cyber security engineer, and the cyber security career path.

• Cyber security certifications are necessary for those new to the industry to have a good chance of getting shortlisted, and coding for cyber security is also important to maximize knowledge in the domain.

• The video will also cover top cyber security attacks, ethical hacking, phases in ethical hacking, and core concepts like ethical hacking with Kali Linux, cryptography, and penetration testing.

• Additionally, the video will show how to use nmap, a network scanner, and cover methods of cyber attacks like cross-site scripting, DDoS attacks, and SQL injection.

• Steganography, a technique used to hide data in a non-secretive manner to avoid detection, will also be covered, along with an ethical hacking roadmap and cyber security interview questions and answers.

• The onset of digitalization has opened up opportunities for everyone, but it has also increased the risk of security vulnerabilities for sensitive and confidential data.

• Cyber security is the body of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access or misuse of authorized assets.

• The goal of cyber security is to reduce the risk of cyber attacks and protect organizations and individuals from the intentional and unintentional exploitation of security weaknesses in systems, networks, and technologies.

• Companies like Amazon, Facebook, and Google use various methods to secure confidential information, including renewing privacy policies, security-focused patents, and the use of AI for data security.

• With the increasing advancements in the digital world, cyber security threats will keep getting more complex, and the requirement for cyber security will increase, leading to companies paying more attention to data protection.

Requirement of Cyber Security

• The demand for highly skilled cyber security professionals is higher than ever to secure vulnerable assets from cyber attacks in the digital era, where people constantly use the internet and generate data stored on the cloud, which can be accessed online through various devices.

• Hackers have a "golden age" with many access points, public IP addresses, and constant traffic, making it easier to exploit vulnerabilities and create malicious software.

• Cyber attacks are evolving, and hackers are becoming smarter and more creative with their malware, often bypassing virus scans and firewalls.

• There are various types of cyber attacks, including general malware, phishing, password attacks, DDoS (Distributed Denial of Service), man-in-the-middle attacks, drive-by downloads, malvertising, and rogue software.

• Malware is an all-encompassing term for various cyber threats, including Trojans, viruses, and bombs, which typically steal data or destroy something on the computer.

• Phishing attacks often pose as requests for data from trusted third parties, sent via email, and ask users to click on a link and enter their personal data.

• Password attacks involve a third party trying to gain access to a system by cracking a user's password.

• DDoS attacks disrupt the service of a network by sending high volumes of data or traffic, overloading the network and making it unable to function.

• Man-in-the-middle attacks involve impersonating the endpoint in an online information exchange, allowing attackers to obtain information from both parties.

• Drive-by downloads occur when a program is downloaded to a user's system just by visiting a legitimate website that carries malware.

• Malvertising compromises computers with malicious code downloaded when users click on affected ads.

• Rogue software is malware masquerading as legitimate and necessary security software.

• The internet is not a safe place, and cyber breaches have compromised the privacy and confidentiality of data for individuals and large organizations.

• Major cyber breaches have been committed against big companies like eBay, AOL, Evernote, and Adobe, despite their security measures, showing that even large organizations are constantly targeted by hackers.

• Cyber security is a mechanism and protocol to protect against various cyber attacks, comprising cyber security and physical security, used by enterprises to protect against unauthorized access to data centers and computerized systems.

• Information security, a subset of cyber security, is designed to maintain the confidentiality, integrity, and availability of data, helping prevent cyber attacks, data breaches, and identity theft, and aiding in risk management.

• A strong sense of network security and an effective incident response plan can help prevent and mitigate attacks, with end-user protection defending against loss and theft and scanning computers for malicious code.

• The three main activities to protect against in cyber security are unauthorized modification, deletion, and access, synonymous with the CIA Triad, which stands for confidentiality, integrity, and availability.

• The CIA Triad is also known as the three pillars of security, with most security policies based on these principles, aiming to protect against unauthorized actions.

• Confidentiality is roughly equivalent to privacy, with measures undertaken to prevent sensitive information from reaching the wrong people, while ensuring the right people can access it.

• Data is often categorized according to the potential damage if it falls into unintended hands, with more or less stringent measures implemented across categories, and sometimes requiring special training for those with access to sensitive documents.

• Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle, with measures in place to prevent unauthorized changes, detect changes, and ensure data cannot be altered.

• Measures to maintain integrity include file permissions, user access controls, version control, and checksums, with some data including cryptographic checksums for verification.
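An added example, not from the Edureka course, of the integrity check the bullets above describe: a record carries a checksum of its payload, the check detects an unauthorized modification, and the same check shows why a plain CRC is not a cryptographic checksum. The record layout and the "balance=100" payload are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320), computed bit by bit
 * so no lookup table is needed. Standard check value: "123456789" -> 0xCBF43926. */
uint32_t crc32(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed record layout: a fixed-size payload plus the checksum that was
 * stored when the record was written. */
typedef struct {
    char payload[64];
    uint32_t checksum;
} record_t;

/* Write a record: zero-fill the payload (so the checksum covers the whole
 * area) and store the checksum alongside it. */
record_t make_record(const char *text) {
    record_t r;
    memset(&r, 0, sizeof r);
    snprintf(r.payload, sizeof r.payload, "%s", text);
    r.checksum = crc32((const uint8_t *)r.payload, sizeof r.payload);
    return r;
}

/* Integrity check: recompute and compare. Returns 1 if the payload still
 * matches its stored checksum, 0 if it has been altered since writing. */
int verify_record(const record_t *r) {
    return crc32((const uint8_t *)r->payload, sizeof r->payload) == r->checksum;
}

/* Demonstrates detection of a modification, and the limit of a non-cryptographic
 * checksum: anyone who can change the payload can also recompute the CRC, so the
 * check passes again. Catching that needs a keyed or signed (cryptographic)
 * checksum, the stronger option the course mentions. Returns 1 when all three
 * observations hold. */
int tamper_demo(void) {
    record_t r = make_record("balance=100");   /* constructed sample payload */
    int intact = verify_record(&r);             /* 1: freshly written record */
    r.payload[8] = '9';                         /* unauthorized change: 100 -> 900 */
    int detected = !verify_record(&r);          /* 1: CRC no longer matches */
    r.checksum = crc32((const uint8_t *)r.payload, sizeof r.payload);
    int hidden = verify_record(&r);             /* 1: recomputed CRC hides the change */
    return intact && detected && hidden;
}

int main(void) {
    printf("crc32(\"123456789\") = 0x%08X\n", crc32((const uint8_t *)"123456789", 9));
    printf("tamper demo behaves as expected: %d\n", tamper_demo());
    return 0;
}
```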

• To ensure data security, three key aspects must be considered: confidentiality, integrity, and availability, with availability being ensured by maintaining hardware, performing repairs, and keeping the operating system environment functional and free of software conflicts.

• Redundancy, failover, and high availability clusters can mitigate serious consequences when hardware issues occur, and disaster recovery is essential for worst-case scenarios, relying on a comprehensive disaster recovery plan that safeguards against data loss or interruption.

• A backup copy must be stored in a geographically isolated location, such as a fireproof and water-safe place, to prevent data loss from unpredictable events like natural disasters and fires.

• Extra security equipment or software, such as firewalls and proxy servers, can guard against downtime and unreachable data due to malicious actions like denial of service attacks and network intrusions.

• To protect against cyber attacks, it is essential to identify the malware or cyber threat, analyze and evaluate affected parties and file systems, and patch the vulnerability to restore the organization to its original state.

• Three factors are calculated to mitigate cyber attacks: vulnerability, threat, and risk, with vulnerability referring to a known weakness that can be exploited by attackers.

• Vulnerabilities can be exploited by automated attackers, and testing for vulnerabilities is critical to ensuring continued security by identifying weak points and developing a response strategy.

• Questions to determine security vulnerabilities include whether data is backed up and stored securely, what kind of antivirus protection is in use, and whether a data recovery plan is in place.

• A threat refers to a new or newly discovered incident with potential to harm a system or organization, with three main types of threats existing.

• Threats to an organization can be categorized into national threats, unintentional threats, and intentional threats, including spyware, malware, adware, and actions of disgruntled employees, as well as worms and viruses that can cause harm through automated attacks.

• To assess threats regularly, team members should stay informed of current trends in cyber security, subscribe to blogs and podcasts, and join professional associations to benefit from breaking news feeds, conferences, and webinars.

• Regular threat assessment should be performed to determine the best approaches to protecting a system against a specific threat, and penetration testing involves modeling real-world threats to discover vulnerabilities.

• Risk refers to the potential for loss or damage when a threat exploits a vulnerability, and examples of risks include financial losses, loss of privacy, reputational damage, legal implications, and loss of life.

• Risk can be defined as threat multiplied by vulnerability, and creating and implementing a risk management plan can reduce the potential for risk.

• Key aspects to consider when developing a risk management strategy include assessing risk, prioritizing the most important breaches, and including a total stakeholder perspective.

• Stakeholders include business owners, employees, customers, and vendors, who can negatively impact the organization but can also be assets in helping to mitigate risk.

• Risk management is key to cyber security, and a scenario involving a chief security officer named Bob illustrates how cyber security can defend an organization against manipulative cybercrime.

• Bob's company uses an activity response platform that automates the entire cyber security process, integrating all security and ID software into a single dashboard.

• The ARP software acts as a hub for the people, processes, and technology needed to respond to and manage cyber security threats.

• A user behavior analytics engine recognizes suspicious behavior on Bob's account, involving late-night logins and unusual amounts of data being downloaded while he is out on a business trip, and sends an alert to the security information and event management system.

• The security information and event management system connects to user directory software that recognizes Bob's account belongs to an executive who is out on a business trip and proceeds to lock his account.

• The security information and event management system sends the incident IP address to threat intelligence software, which identifies the address as a suspected malware server.

• The incident response platform (ARP) creates a set of instructions called a playbook for a security analyst to follow, which includes locking Bob's accounts and changing his passwords.

• The analyst determines the attempted attack came from a well-known cybercrime organization using stolen credentials, which were obtained by exploiting a vulnerability in the company's firewall software.

• The ARP uses information from endpoint tools to identify which machines need to be patched, recommends how to patch them, and allows the analyst to push the patches to all computers and mobile devices instantly.

• The ARP notifies the correct person in the legal department of the breach and the status of the incident, and the analyst communicates which data may have been stolen or compromised during the incident.

• The ARP creates a series of tasks for the organization to notify affected parties and follow relevant compliance and liability procedures, covering affected users and information in various geographies and jurisdictions.

• The incident response platform organizes people, processes, and technology to identify and contain the problem, find the source of the attack, fix the vulnerability, and notify all affected parties in a matter of hours.

• In the future, cognitive security tools will read and learn from trusted publications, blogs, and other sources of information to uncover new insights and patterns, anticipate and isolate attacks, and recommend actions for security professionals to take.

History of Cybersecurity
• The Internet Engineering Task Force (IETF) is responsible for maintaining documentation about protocols, specifications, and processes related to the internet, including a series of documents called Request for Comments (RFCs).

• According to RFC 1389, a hacker is a person who delights in having an intimate understanding of the internal workings of a system, particularly computers and computer networks.

• The term "hacker" originated from the Tech Model Railroad Club at the Massachusetts Institute of Technology (MIT), where members explored and experimented with computer systems.

• The definition of hacking has changed over time, particularly in the 1980s, due to the actions of individuals like Robert T. Morris, who unleashed a worm on the early internet, and Kevin Mitnick, who was convicted of computer crimes.

• The Morris worm led to the creation of the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

• The popular culture perception of hacking has shifted from a benign to a more sinister connotation, with depictions in movies and TV shows such as War Games, Hackers, The Matrix, and NCIS.

• Hacking is about having a deep understanding of computer systems, exploring and learning new things, and finding creative solutions to problems.

• People hack for various reasons, including for fun, as part of a tradition that dates back to MIT's early days, and to explore and experiment with computer systems.

• MIT has a long history of hacking, both computer-related and non-computer-related, with examples including the hacking of their homepage.

• Hacking can be done for various reasons, including for fun, to prove a point, or to challenge oneself, as seen in the example of an April Fool's Day prank in 1998 where it was announced that Disney was buying MIT.

• Some hackers may target a specific individual or organization to make a point, such as the time Bill Gates visited MIT and the Windows systems in the entryway were hacked to run Linux instead.

• Hacking can also be done for the challenge and pride of ownership, as seen in the example of MIT students turning the facade of a building into a Tetris game board.

• In some cases, hacking is done to prevent theft and protect against cybercrime, such as learning how to hack to find holes in systems or applications and fix them before they can be exploited.

• The example of Global Payments, where attackers stole 1.5 million credit card numbers, highlights the importance of learning how to hack to prevent such compromises.

• Companies may also want to learn how to hack to find problems in their systems before deploying them, in order to protect against attackers and prevent reputational damage.

• Ethical hacking involves hacking into one's own system before publishing it to the public, in order to find and fix flaws, as seen in the example of Internet Explorer being published with critical errors in the code.

• Security researchers also play a role in finding flaws in systems and working with vendors to fix them, as seen in the example of people finding flaws in Internet Explorer and working with the vendor to fix them.

• There are several reasons to learn hacking, including to get a job, to make a name for oneself, to protect oneself and others from cyber threats, and to retaliate against attackers, and these reasons can lead to benefits such as reputation, speaking engagements, and book deals.

• To protect oneself from hacked computer companies and fight cyber criminals, one may need to have the same skills and techniques as attackers, and companies may want to hire people with these skills or train their employees to learn how to hack.

• There are different types of hackers, and the first type to be discussed is the ethical hacker, who thinks like a black hat hacker but follows a moral compass and intends to find and fix vulnerabilities rather than cause harm.

• Ethical hackers are not out to destroy or break anything unless it is necessary and acceptable as part of their engagement, and there is a certification available for certified ethical hackers from the EC-Council.

• Black hat hackers, on the other hand, have a different goal, as exemplified by Kevin Mitnick, who was a black hat hacker for many years and engaged in computer crime, stealing and causing mischief, before being caught by the FBI.

• Kevin Mitnick's story is an example of the lifestyle and consequences of being a black hat hacker, and he was involved in computer crime for over a decade before being charged.

• Kevin Mitnick, a well-known hacker, was prosecuted and eventually convicted of some of the activities he was involved in.

• Kevin Mitnick can be argued to be a gray-haired hacker and also a gray hat hacker, who skirts the line between black and white hat hacking.

Types of hackers
• White hat hacking is equivalent to ethical hacking, where the hacker acts for good, seeking a technical challenge to make things better and more efficient.

• Black hat hackers are driven by financial gain or thrill, engaging in criminal activities, while gray-hat hackers employ black hat tactics but with a focus on improving an organization's security posture.

• Gray-hat hacking is detailed in a book called "Gray Hat Hacking," which covers tactics, strategies, and techniques.

• Hacktivism is a type of hacking where individuals or groups, like Anonymous and Lulz Security, hack companies to protest or bring attention to security issues, often crossing the boundary of causing harm.

• Lulz Security hacked companies, posting sensitive information online, including customer details, to embarrass companies with weak security postures.

• Ethical hackers, or white hat hackers, do not post sensitive information publicly, as it can cause harm to individuals.

• The different types of hackers include ethical or white hat, black hat, gray hat, and hacktivists, each with varying goals and means.

• To become a hacker, one needs basic computing skills, including an understanding of operating systems, running programs, and using command prompts.

• It is assumed that individuals have a basic understanding of computing tasks, such as opening a command prompt and running programs.

• To learn cyber security, a basic understanding of system software and command line utilities is necessary, including familiarity with typing and running programs from the command line, as well as understanding command line switches and parameters.

• A basic understanding of simple networking concepts is also required, including knowledge of cables, switches, hubs, and how systems are networked together, although a deep level of understanding is not necessary.

• Understanding protocols and how they work together is important for ethical hacking, and some protocols will be covered in detail.

• Life skills such as accepting failure and persevering, problem-solving, and thinking creatively are essential for success in cyber security.

• Throughout the course, students will learn about various tools, networking, security, and security postures, with a focus on making systems and networks more secure.

• Specific topics that will be covered include reading packets from network captures, TCP/IP-related protocols, and how protocols interact with each other.

• Reading packets will be an important part of the course, and will be used to understand different tools and how they work.

• The course will cover tactics and methodologies for using information to gather more information, which is crucial in the field of cyber security, as information is key to taking action and often requires digging to find.

• Students will learn about entry points and stepping stones to gather necessary information and then exploit it to gain deeper access to the target.

• The course will cover security awareness, risk, and understanding risks and vulnerabilities, including recognizing the difference between a vulnerability and an exploit.

• Understanding risks and their impact on the target will be a key concept throughout the course.

• The course will cover a wide range of topics, not all at a deep level, and will sometimes skim the surface due to the large amount of material to be covered.

• Basic computing skills required for the course include a basic understanding of operating systems.

Skills Necessary
• The skills developed throughout the training will be necessary to become an ethical hacker, and the types of attacks that an ethical hacker might deal with will be discussed, including defacing, which is a form of digital graffiti where a hacker leaves their mark or imprint behind, primarily on websites.

• Defacing involves making alterations to a website; it was more common in the past, but it still happens to businesses or organizations, whose home pages are replaced by a message indicating that the hacker was there.

• Another common type of attack is buffer overflow, which is a result of the way programs are stored in memory, and it occurs when too much data is sent to a buffer, causing it to overflow the bounds of the configured area.

• Buffer overflow can allow a hacker to control the flow of execution of a program, insert code into memory, and potentially gain access to a command shell or other useful system resources.

• Format string attacks are also discussed, which can be precursors to buffer overflow attacks, and they occur when a programmer leaves off the format string and only provides the variable to be output.

• Format strings are used in the C programming language to determine how data is input or output, and if a format string is not provided, it can allow a hacker to manipulate the input or output.

• Format string attacks allow an attacker to look at data on the stack of a running program by providing a format string, potentially finding useful information like a return address, and may also allow injecting data into the stack.
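An added example, not from the course, placing the vulnerable form of the two C defects described in the bullets above (an unbounded strcpy() into a fixed buffer, and user input used as the printf() format string) beside their hardened forms; the 16-byte name buffer and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed: fixed-size buffer for a user's name */

/* VULNERABLE: strcpy() copies until the terminating NUL with no regard for the
 * 16-byte destination, so a longer source writes past the end of the buffer
 * (the overflow of "the bounds of the configured area" described above).
 * Kept only for contrast; never call it with untrusted input. */
void set_name_vulnerable(char name[NAME_MAX], const char *src) {
    strcpy(name, src);
}

/* HARDENED: check the length first and refuse input that does not fit,
 * rather than truncating silently. Returns 0 on success, -1 if rejected. */
int set_name_safe(char name[NAME_MAX], const char *src) {
    size_t len = strlen(src);
    if (len >= NAME_MAX) {          /* need room for the NUL terminator too */
        name[0] = '\0';
        return -1;
    }
    memcpy(name, src, len + 1);
    return 0;
}

/* VULNERABLE: the user-controlled string is itself the format string, which
 * is what "leaving off the format string" means in practice. Directives such
 * as %x or %s in the input make printf() read from the stack; %n writes to it.
 * Kept only for contrast. */
void log_vulnerable(const char *user_input) {
    printf(user_input);
}

/* HARDENED: constant format string; the user data is only ever an argument,
 * so a '%' in it is printed as a literal character. */
void log_safe(const char *user_input) {
    printf("%s\n", user_input);
}

/* Same safe pattern rendered into a buffer so the result can be inspected.
 * Returns the length snprintf() reports. */
int render_safe(char *out, size_t out_size, const char *user_input) {
    return snprintf(out, out_size, "%s", user_input);
}

/* Defensive check for an input boundary: count conversion directives in text
 * that should be plain (a name, a comment). "%%" is a literal percent sign.
 * A non-zero count in such a field is worth logging or rejecting. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void) {
    char name[NAME_MAX];
    char out[64];
    const char *input = "%x %x %n";   /* constructed sample input */

    if (set_name_safe(name, "this name is longer than fifteen characters") != 0)
        puts("oversized name rejected instead of overflowing the buffer");
    render_safe(out, sizeof out, input);
    printf("rendered literally: %s (directives seen: %d)\n", out,
           count_format_directives(input));
    log_safe(input);
    return 0;
}
```

Compiling with -Wformat-security flags the vulnerable printf() call at build time, which is the cheapest place to catch this class of bug.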

• A denial of service (DoS) attack prevents a service from being available to its legitimate or authorized users, and can be caused by various methods such as ping floods, Smurf attacks, or malformed packets.

• A denial of service attack is not to be confused with a distributed denial of service (DDoS) attack, which is a coordinated denial of service using several hosts in several locations.

• A DDoS attack can be triggered using a botnet, where multiple bots controlled from a remote location send data to a particular server, overwhelming its resources and causing it to be unable to respond.

• The first known DDoS attack used the tool called "Stacheldraht" (German for barbed wire), which was developed from a proof-of-concept piece of code called "Tribe Flood Network" (TFN) written by Mixter in 1999.

• The Tribe Flood Network (TFN) is a set of computer programs used to conduct various DDoS attacks, as described on its Wikipedia page.

• Types of attacks include ICMP floods, UDP floods, and smart attacks, which can be researched on Wikipedia for a basic understanding.

• A notable example of a distributed denial of service attack is the one carried out by the program "Old Rod" in February 2000, targeting servers like eBay and Yahoo.

• This attack was the first known distributed denial of service attack, although non-distributed denial of service attacks existed prior to this.

• Distributed denial of service attacks involve multiple systems coordinating to create a denial of service condition.

• As an ethical hacker, it is essential to be familiar with these types of attacks.

• Penetration testing involves testing the security of a system, network, or application to see if it can be penetrated or broken into.

• The scope of penetration testing may include attempting to break into systems, networks, and applications, and may also involve social engineering attacks.

• Physical penetration testing may also be involved in some cases, where the goal is to break into a physical location.

What is Penetration testing?

• Penetration testing involves attempting to gain unauthorized access to a system, either physically or through a network, to identify vulnerabilities and weaknesses in an organization's security posture.

• The goals of penetration testing include assessing weaknesses in an organization's security, understanding risks, and identifying ways to mitigate those risks.

• Penetration testing can involve social engineering attacks, technical approaches such as running scans and using Metasploit, or physical access to a system.

• The results of penetration testing are typically presented in a detailed report that includes findings, methods used to discover vulnerabilities, and recommendations for remediation activities to fix identified vulnerabilities.

• The report should provide value by not only identifying problems but also offering solutions and steps to mitigate risks.

• The scope of penetration testing should be clearly defined and agreed upon by the ethical hacker and the authorized person, including any exclusions or areas that are off-limits.

• It is essential to obtain a signed agreement from the target organization, outlining the scope of the testing, to ensure ethics, trust, and legality.

• The scope should be in writing, with signatures attached, and approval should be obtained from the right people to avoid any potential legal issues.

• A security assessment is a collaborative approach with clients to assess the risk an organization is exposed to, providing a comprehensive view of the organization's security posture and risk appetite, and offering guidance on fixes and controls to mitigate risks.

• The goal of a security assessment is not to penetrate the organization's systems but to provide a thorough evaluation of the risks and offer recommendations for improvement, making it a more comprehensive approach than a penetration test.

• A security assessment involves evaluating the organization's policies and procedures to ensure they are adequate for the organization's risk appetite and that controls are in place to enforce adherence to these policies.

• The output of a security assessment is tailored to the organization's risk appetite and priorities, focusing on providing actionable guidance rather than just identifying vulnerabilities.

• A penetration test, on the other hand, is a simulated attack on an organization's systems to identify vulnerabilities and weaknesses, but it may not provide a comprehensive view of the organization's security posture.

• A penetration test is typically conducted within a limited timeframe, such as a week, and may not be able to identify all vulnerabilities or weaknesses, especially if the tester is not able to gain significant access to the systems.

• An organization should not assume they are secure just because a penetration test did not identify any significant vulnerabilities, as a dedicated and motivated attacker may still be able to exploit weaknesses that were not identified during the test.

• A penetration test should not be seen as a definitive measure of an organization's security, but rather as one tool among many that can be used to evaluate and improve an organization's security posture.

• Footprinting is a process of gathering detailed information about a target, including its entire scope, domain names, IP addresses, network blocks, and system architectures, to understand the potential vulnerabilities and risks associated with it.

• The goal of footprinting is to gather as much information as possible about the target, including internal and external IP addresses, critical systems, web servers, email servers, databases, and system architectures.

• Footprinting involves using various techniques, such as search engines, network scans, and port scans, to gather information about the target, including usernames, group names, system banners, and DNS host names.

• It is essential to keep track of the gathered information using a database, Excel spreadsheet, or notepad, to quickly access and analyze the data.

• Footprinting can be used to identify potential vulnerabilities and risks associated with a target, including remote access possibilities, and to inform the development of a penetration testing plan.

• The process of footprinting should be exhaustive, and it may involve trying to gather email addresses, servers, domain names, and other relevant information.

• Footprinting can be used for both internal and external penetration testing or ethical hacking engagements, and it is essential to understand the networking protocols used by the target, including TCP, UDP, IPX, and SPX.

• The information gathered during footprinting can be used to identify potential entry points and vulnerabilities, and to inform the development of a plan to exploit those vulnerabilities.

What is Footprinting?
• Footprinting involves gathering as much information as possible about a target,
including IP addresses, contact numbers, and other relevant details, to avoid
missing potential entry points for attacks or tests.

• The Wayback Machine, also known as archive.org, is a useful tool for
footprinting, providing a starting point for gathering information about a target's
website and its evolution over time.

• The Wayback Machine allows users to view how a website looked at a specific
point in the past, including screenshots and archived content, which can be useful
for understanding a website's infrastructure and potential vulnerabilities.

• By using the Wayback Machine, users can see the evolution of a website over
time, including changes to its design, content, and functionality, which can
provide valuable insights for potential attacks or tests.

• Footprinting is an important part of the reconnaissance process, and gathering
information about a target's website and infrastructure can help narrow down the
focus of potential attacks or tests.

• Over time, companies have become more aware of the importance of protecting
sensitive information on their websites, and have removed email addresses,
names, and other potentially vulnerable information.

• Google used to have a cached feature that allowed users to access information
from websites that were no longer available or temporarily offline, but this feature
has been removed.

• The Wayback Machine can be used as an alternative to Google's cached feature,
providing access to archived information about websites and their evolution over
time.

• The Wayback Machine, located at archive.org, allows users to view historical
snapshots of websites, including edureka.com, which has information dating back
to 2013.

• A historical look at edureka.com's website reveals changes in its layout, content,
and features over the years, such as the addition of live classes, a search bar, and
changes in course layout and pricing.

• Netcraft is a website that provides internet research, including information on the
types of web servers companies run, with Apache being the leading web server
with 64.3% of the internet market.

• Netcraft's web server service allows users to search for specific websites, such as
edureka.com, and view information about their web server, IP address, DNS
admin, and hosting history.

• The site report for edureka.com reveals that it is hosted on a Linux system with an
Apache web server, has no IPv6 presence, and has a history of hosting on Amazon
Technologies.

• Users can also use Netcraft to view information about other websites, such as
Netflix, including their hosting history, server type, and security frameworks.

• The information provided by Netcraft can be useful for various purposes, such as
understanding how companies evolve their websites and infrastructure over time.

• Additionally, Netcraft reports a site's DMARC (Domain-based Message
Authentication, Reporting and Conformance) status, which can be useful for security
and authentication purposes.

• The Wayback Machine and Netcraft are tools available on the internet that can be
used for reconnaissance, providing information about websites and their web
servers.

• The next topic is using DNS to get more information, which involves using a tool
called "whois" to query the Regional Internet Registries, which store information
about domain names and IP addresses.

• The "whois" utility is used to query the various Regional Internet Registries,
including AfriNIC, APNIC, ARIN, LACNIC, and RIPE NCC, which provide
information about domain names and IP addresses.

• These Regional Internet Registries support different countries and regions,
including Africa, India, Australia, North America, South America, and Europe.

• Using a "whois" query, information about a particular domain name or IP
address can be obtained, such as the registry domain ID, registrar URL, creation
date, and registry expiry date.

• For example, running a "whois" query on netflix.com provides information about
the domain name, including the registry domain ID, registrar URL, creation date,
and registry expiry date.

• The "whois" query can also be used to obtain information about the name servers,
URL, and DNSSEC status of a domain name.

• To get the IP address of a domain name, the "dig" command can be used, such as
"dig netflix.com".

• The "dig" command returns the IP address of a domain name along with other
DNS information.

• Looking up the IP addresses associated with the Netflix domain returned multiple
addresses, including 54.77.108.2.

• To find out who owns a specific IP address, a "whois" lookup can be performed,
which provides information about the IP address, such as the organization it
belongs to and its location.

• Performing a "whois" lookup on the IP address 54.77.108.2 revealed that it
belongs to Amazon and is located in Seattle, North America.

• The "whois" lookup also provides the range of IP addresses that the
organization uses, which can be useful for identifying other IP addresses associated
with a particular domain or organization.

• Another IP address, 34.249.125.167, was also looked up to see what information
was available about it.

Hands-on
• The "whois" query and the "dig" query can be used to get information about a
domain name service and retrieve data from DNS, providing details such as IP
address, location, and more.

• A domain name service (DNS) maps a name to an IP address to make the address
easier to remember; it maps names to IP addresses and provides information from
hostname resolution.

• The purpose of DNS is to map names to IP addresses and retrieve information
from hostname resolution.

• The whois command can be used to find domains containing a specific word, such
as "Foo", and provide information about the domain.

• The whois command has various flags and options, including setting the host,
port, and source, as well as performing exact matches and inverse lookups.

• The whois command can be used with the verbose option to provide more detailed
information about a domain, such as the RIPE database query service and objects
in RPSL format.

• The whois command can be used to retrieve information about a specific domain,
such as netflix.com, and provide details such as the RIPE database query service
and objects in RPSL format.

• The primary keys option can be used with the whois command to return only
primary keys, but this may not work for all databases.

• The internet registries are used to store information about domain names and IP
addresses, and there are five Regional Internet Registries, including ARIN, which
is responsible for North America.

• The five Regional Internet Registries (RIRs) are responsible for different
regions: ARIN (US and Canada), LACNIC (Latin America and the Caribbean),
RIPE NCC (Europe, Middle East, and Central Asia), AFRINIC (Africa), and APNIC
(Asia Pacific Rim).

• The WHOIS database contains information about IP addresses, domain names,
and their owners, and can be used to find out who owns a particular IP address or
domain name.

• WHOIS can provide information such as email addresses, technical contacts, and
administrative contacts for a particular company or domain.

• The registry database contains information about .com and .net domains, as well
as other information.

• To send the query to a different WHOIS server (host), the -h flag can be used with
the WHOIS command.

• WHOIS can also be used to find information about domains, such as the
administrative contact, technical contact, and domain servers.

• The WHOIS database may also store information about hostnames, and can be
used to find information about IP addresses and domain names.

• To install WHOIS on a Debian-based Unix system, the command "apt install whois"
can be used.

• WHOIS can be used to find network ranges for a domain, which can be useful for
engagements where only the domain name is known.

• The process of finding network ranges involves using the "whois" command to
look up the owner of an IP address and determine the network range associated
with it.

• To find the network range of a specific domain, such as Netflix, you can use the
"host" command followed by the domain name to get its IP address, and then use
the "whois" command to look up that IP address.

• The "whois" command can provide information about the network range,
including the IP addresses and the company or organization that owns them.

• Using the "dig" command with the "MX" record type can provide information about
the mail handlers for a specific domain, such as Netflix.

• The "dig" command can also be used to gather information about a domain's DNS
settings and mail servers.
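The network-range lookups described above return free-text records. As an added example (not from the course), the following Python parses a constructed whois reply in the ARIN style (NetRange/CIDR) and one in the RIPE style (inetnum), extracts the registered block and owner, and checks whether a given address falls inside it, which is how a tester confirms that an address really belongs to the organization in scope. The sample records and every value in them are made up.

```python
import ipaddress
import re

# Constructed sample of a whois reply for an IPv4 address, modelled on the
# ARIN output format. The values are invented for this example and are not
# the real registration of any address.
SAMPLE_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-1
Organization:   Example Hosting Inc (EXHI-1)
OrgName:        Example Hosting Inc
City:           Seattle
Country:        US
"""

# Constructed sample in the RIPE/APNIC style, which uses "inetnum" instead of
# "NetRange" and lower-case keys such as "netname" and "org-name".
SAMPLE_WHOIS_RIPE = """\
% This is a constructed RIPE-style record
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-EU
descr:          Example Hosting EU
country:        NL
org-name:       Example Hosting BV
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*\S)\s*$")


def parse_whois(text):
    """Turn 'key: value' lines into a dict with lower-cased keys.
    Comment lines (# or %) are skipped; the first occurrence of a key wins,
    matching how whois clients print the most specific object first."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "%")):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields


def network_range(fields):
    """Return the registered block as a list of ip_network objects.
    Prefers the CIDR field; otherwise converts a 'start - end' span
    (NetRange or inetnum) into the minimal CIDR blocks covering it."""
    if "cidr" in fields:
        return [ipaddress.ip_network(c.strip()) for c in fields["cidr"].split(",")]
    span = fields.get("netrange") or fields.get("inetnum")
    if span is None:
        return []
    start, end = (ipaddress.ip_address(p.strip()) for p in span.split("-", 1))
    return list(ipaddress.summarize_address_range(start, end))


def owner(fields):
    """Best available owner name, trying the ARIN keys before the RIPE ones."""
    for key in ("orgname", "org-name", "organization", "netname", "descr"):
        if key in fields:
            return fields[key]
    return "unknown"


def in_scope(ip, whois_text):
    """Does the address fall inside the block the registry reports?
    Addresses outside the registered block are not the organization's,
    even if one of its DNS names happened to point there."""
    nets = network_range(parse_whois(whois_text))
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    for record in (SAMPLE_WHOIS, SAMPLE_WHOIS_RIPE):
        fields = parse_whois(record)
        print(owner(fields), [str(n) for n in network_range(fields)])
```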

• Google can be used as a tool for reconnaissance by using specific search operators
to target and find specific information.

• Google hacking refers to the use of Google to gain targeted information, but it
does not involve breaking into Google or stealing information.

• Using Google for reconnaissance involves using specific search operators and
techniques to gather information about a target domain or organization.

• Google can be used to narrow down searches by utilizing specific keywords, such
as using quotation marks to search for an exact phrase rather than individual words.

• The "index of" keyword can be used to find directory indexes of various websites,
including those with downloadable content.

• File types can be specified in a search query using the "filetype" operator,
followed by the desired file extension, such as "filetype:dbdx" or "filetype:pptx".

• The "inurl" operator can be used to search for specific URLs, such as "inurl:root"
to find websites with "root" in their URL.

• Google hacking techniques can be used to find specific information, such as error
pages, by searching for keywords like "error" in the title of a webpage.

• The minus operator can be used to exclude specific websites or domains from
search results, such as "-google" to exclude Google's own websites.

• Google hacking techniques can be useful for penetration testers or ethical hackers
to find vulnerable systems or specific information.

• The Google Hacking Database is a resource that can be used to find specific
information and vulnerabilities.

• The Google Hacking Database was created by Johnny Long to compile a list of
searches that would bring up interesting information, and it is useful for ethical
hackers.

• The database contains various categories and searches that can be used to find
specific information, such as password-protected pages, Google Docs, and more.

• Google hacking entries can be used to find specific information, and the database
also contains a list of queries that can be used for penetration testing.

• The Exploit Database is another resource that contains various types of exploits,
including SQL injection and password tracking attempts.

• The database can be used to find information on specific products, and it also
contains a list of searches that can be used to find interesting information.

• The history of the internet began in 1969 with the creation of the ARPANET, a
computer network designed to be resilient to military attacks.

• The ARPANET was built by BBN (Bolt Beranek and Newman) after they won
a contract from ARPA (Advanced Research Projects Agency).

• The first connection of the ARPANET was made in 1969, and it eventually
morphed into the internet as we know it today.

• The ARPANET has a long history that goes through NSFNET in the 1980s, and it
was eventually decommissioned, with other networks being folded into it.

History of the internet

• The host-to-host protocol is similar to UDP, while ICP is similar to TCP, and the
first router was an Interface Message Processor (IMP) developed by BBN using a
modified Honeywell computer.

• IP was introduced in 1973, when Vint Cerf and Robert Kahn developed the concepts
that would work for the needs of the ARPANET, publishing a paper in 1974 that
proposed new protocols, including TCP.

• TCP was initially a monolithic concept, but it was later broken down into more
modular protocols, resulting in TCP and IP.

• The development of IP went through several versions, with versions 0 to 3 being
developed between 1977 and 1979, and version 4 being adopted in 1980,
becoming the de facto protocol on the internet in 1983.

• IPv6 was developed as IP Next Generation, with work beginning in 1992, and it
features a 128-bit address, providing a much larger number of unique IP addresses
compared to IPv4's 32-bit addresses.

• IPv6 attempts to address some of the inherent issues in IP, including security
concerns, and provides a more modular and flexible protocol compared to IPv4.

• The history of TCP/IP has led to the current version, IPv4, which is still widely
used today, despite the introduction of IPv6.

• Two models are used to describe network protocols and stacks: the OSI model and
the TCP/IP model, which will be discussed in more detail.

• The OSI model, which stands for Open Systems Interconnection, was developed in
the late 1970s as a model for network stacks and protocols, but the TCP/IP model
became the predominant protocol instead, and the OSI model is now used as a
teaching tool and for describing network stacks and applications.

• The OSI model consists of seven layers, starting from the bottom with the physical
layer, which includes physical components such as wires, cables, and network
interfaces.

• The data link layer, which is above the physical layer, includes protocols such as
Ethernet and Frame Relay, and is where switches operate, looking at data link
addresses (physical addresses).

• The network layer, or layer 3, is where IP, ICMP, and IPX live, and is also where
routers operate.

• The transport layer, or layer 4, includes protocols such as TCP, UDP, and SPX,
and is responsible for transporting data between devices.

• The session layer, or layer 5, includes protocols such as AppleTalk and SSH, and
is responsible for establishing and managing connections between applications.

• The presentation layer, or layer 6, includes formats such as JPEG and MPEG,
and is responsible for formatting and presenting data.

• The application layer, or layer 7, includes protocols such as HTTP, FTP, and
SMTP, and is responsible for delivering and using application functionality.

• When packets are sent over a network, they are built from the top of the stack
down, with each layer adding its own header information; the application layer
begins the process.

• Data transmission follows the OSI model: a packet starts at the application layer
and moves down through the transport, network, data link, and physical layers until
it is sent over the wire, and the process is reversed when the data is received.

• On the receiving side, a packet goes from the physical layer up through the data
link, network, transport, session, presentation, and application layers, and finally
to the application on the target system.

• The OSI model uses an encapsulation process, where each layer adds bits of
information to the datagram or packet as it moves down the stack.

• Each layer in the OSI model communicates with the same layer on the receiving
system, allowing for the removal and handling of headers and data as necessary.

• The physical layer communicates with the physical layer on the receiving system,
the data link layer communicates with the data link layer, and so on.

• The network layer adds and removes IP headers, and determines what to do with
the data based on the information in the header.

• When building a packet, the data moves down through the stack, and when
receiving a packet, the data moves up through the stack.

• The OSI model is referred to as a stack because data is added to the packet in
layers, and then removed in the reverse order on the receiving system.

OSI and TCP/IP Model

• The TCP/IP model has four layers: the network access layer, internet layer,
transport layer, and application layer, which differs from the seven layers of the
OSI model.

• The network access layer in the TCP/IP model consists of the physical and data
link layers from the OSI model, while the application layer in the TCP/IP model
encompasses the session, presentation, and application layers of the OSI model.

• The transport layer in the TCP/IP model is the same as the transport layer in the
OSI model, and the internet layer in the TCP/IP model corresponds to the network
layer in the OSI model.

• The OSI model is used as the reference model throughout the course because it
makes it easier to differentiate between different functionalities.

• UDP (User Datagram Protocol) is a transport layer protocol in the TCP/IP suite of
protocols, which is connectionless and sometimes referred to as unreliable.

• UDP sits above the network layer of the OSI model: the network layer carries IP
addresses, and the transport layer carries port numbers, which differentiate
networked applications.

• The transport layer has ports, and the network layer has IP addresses, which
together are used to differentiate networked applications and get packets to their
destination.

• UDP is a protocol that sits on top of the network layer and carries the information
needed to differentiate networked applications.

• The User Datagram Protocol (UDP) is an unreliable protocol, meaning it does not
guarantee that the data sent will reach the intended destination, and it has no
mechanism to ensure this.

• UDP is a fast protocol, making it suitable for applications that require speed, such
as games, real-time voice, and video, but it lacks error checking and validation,
which contributes to its unreliability.

• A packet capture using Wireshark shows the components of a UDP packet,
including the source port, destination port, length, and checksum.

• The source port and destination port identify the originator's and the receiver's
endpoints, and the receiver sends its return message back to the originator's
source port.

• The length field in the UDP header provides minimal checking to ensure the
packet received is the correct length, and the checksum ensures the data was not
tampered with during transmission, although it can be easily manufactured in a
man-in-the-middle attack.

• DNS servers use UDP to send queries, requiring fast response times and avoiding
the time-consuming process of setting up connections and negotiating with
protocols like TCP.

• A DNS query packet capture shows the use of UDP, with the packet containing a
source port, destination port, length, and checksum.

• The User Datagram Protocol (UDP) is a protocol used for sending packets, and it
can be explored using tools like Wireshark.
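To make the four header fields concrete, here is an added Python example (not from the course) that builds a UDP datagram carrying a constructed DNS query, dissects it the way Wireshark's detail pane does, and verifies the length and checksum fields against the IPv4 pseudo-header. It also shows the caveat from the text: the checksum catches accidental corruption, but anyone who can rewrite the payload can rewrite the checksum too. The addresses, ports and query are made up.

```python
import struct


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip, dst_ip, udp_segment):
    """UDP checksum over the IPv4 pseudo-header (src, dst, zero, protocol 17,
    UDP length) plus the segment with its own checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    seg = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF & ~ones_complement_sum(pseudo + seg)
    return csum or 0xFFFF                     # an all-zero result is sent as 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble header (source port, destination port, length, checksum) + payload."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    seg = header + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]


def parse_udp(src_ip, dst_ip, segment):
    """Dissect a UDP segment into the fields Wireshark shows and apply the two
    checks the header offers: the length field and the checksum."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {
        "src_port": sport,
        "dst_port": dport,
        "length": length,
        "checksum": csum,
        "length_ok": length == len(segment),
        # A zero checksum means "not computed" in IPv4 UDP and is accepted.
        "checksum_ok": csum == 0 or udp_checksum(src_ip, dst_ip, segment) == csum,
        "payload": segment[8:],
    }


# Constructed sample: a DNS query for example.com from 192.0.2.10:53211 to
# 192.0.2.1:53, the kind of packet the course captured with Wireshark.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 1])
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # DNS header
             b"\x07example\x03com\x00\x00\x01\x00\x01")             # QNAME, A, IN
SAMPLE = build_udp(SRC_IP, DST_IP, 53211, 53, DNS_QUERY)


def corrupted_checksum_ok():
    """Flip one payload bit without touching the checksum: verification fails,
    which is the accidental-corruption case the checksum is designed for."""
    damaged = bytearray(SAMPLE)
    damaged[20] ^= 0x01
    return parse_udp(SRC_IP, DST_IP, bytes(damaged))["checksum_ok"]


def rewritten_checksum_ok():
    """Change the payload and recompute the checksum: verification passes.
    This is why the checksum is no defence against an on-path attacker; only
    cryptographic integrity (e.g. DNSSEC or a TLS-protected transport) is."""
    altered = build_udp(SRC_IP, DST_IP, 53211, 53,
                        DNS_QUERY.replace(b"example", b"exampel"))
    return parse_udp(SRC_IP, DST_IP, altered)["checksum_ok"]


if __name__ == "__main__":
    for name, value in parse_udp(SRC_IP, DST_IP, SAMPLE).items():
        print(f"{name:12} {value!r}")
```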

• Addressing modes determine how a packet is addressed to different destinations,
and there are three main types: unicast, broadcast, and multicast.

• Unicast addressing involves one source and one destination, and the source sends
the packet to the destination using a specific protocol such as TCP or UDP.

• TCP is a bi-directional stream, allowing both the source and destination to
communicate simultaneously, whereas UDP is a one-directional stream, allowing
only the source to send packets.

• Broadcast addressing involves sending a packet to every device on the network,
and it is commonly used by mobile network providers to send advertisements.

• Multicast addressing is similar to broadcast but is selective, allowing the sender to
choose which devices receive the packet, and it is often used for screen sharing
with multiple people.

• The three modes of addressing (unicast, broadcast, and multicast) are used in
different scenarios to facilitate communication between devices on a network.

• Wireshark was used to look at UDP packets in this segment; the tool itself is
explained in the next section.

What is Wireshark?
• Wireshark is a packet capture utility that grabs data going in or out of a specific
network interface, providing an accurate view of network activity: what was on the
wire cannot be altered or lied about after the fact, unlike application logs, which
can be misleading or inaccurate.

• Wireshark's packet capture feature allows users to see what's happening on the
network in real time, making it a valuable tool for network analysis and
troubleshooting.

• A quick packet capture can be performed using Wireshark by selecting the
interface being used, such as Wi-Fi, and capturing data as it flows through the
network.

• Wireshark's interface displays captured packets in a table format, showing
information such as packet number, time, source and destination addresses,
protocol, length, and info.

• The bottom of the Wireshark screen displays detailed information about the
selected packet, including frame information, interface IDs, encapsulation type,
and more.

• Users can drill down into different bits of the packet, viewing information such as
source and destination MAC addresses, IP addresses, source and destination ports,
and more.

• Wireshark is a packet analyzer and packet sniffer, allowing users to inspect
everything about a packet.

• The tool is useful for network analysis, troubleshooting, and security testing,
providing a detailed view of network activity.

• Wireshark can break a packet into its different layers, demonstrating the layers of
the OSI and TCP/IP models, and it can also filter packets based on specific
protocols such as HTTP.

• In Wireshark, a packet can be broken down into its different layers; in this case, a
Google web request packet is broken down into four layers, with the ability to
filter on HTTP and view the text input and image requests.

• Wireshark can also be used to analyze and follow TCP streams, allowing users to
see all the requests related to a particular request and break them down into
individual packets.

• The tool can also provide information about the destination and source of a
packet, including the vendor of the machine's network interface, which can be
determined from the MAC address.

• Wireshark can be used for packet sniffing and packet analysis, which can be
useful for tasks such as IDS evasion testing, where users want to craft their own
packets and analyze the packets going into the IDS system.

• DHCP (Dynamic Host Configuration Protocol) is a network management protocol
used to dynamically assign an Internet Protocol address to any device on a
network, automating and centrally managing these configurations.

• DHCP can be implemented on small or large networks and assigns IP addresses to
devices, eliminating the need for manual assignment by a network administrator.

• DHCP allows devices to obtain new IP addresses when moved to different
locations, eliminating the need for manual configuration by network
administrators.

• There are versions of DHCP for Internet Protocol version 4 and Internet Protocol
version 6.

• DHCP operates at the application layer of the TCP/IP protocol stack to
dynamically assign IP addresses and allocate TCP/IP configuration information to
DHCP clients.

• DHCP clients receive configuration information including the subnet mask,
default gateway, IP address, and domain name system (DNS) server addresses.

• DHCP is a client-server protocol where servers manage a pool of unique IP
addresses and client configuration parameters, assigning addresses from the
address pools.

• DHCP-enabled clients send a request to the DHCP server when connecting to a
network: the clients broadcast a request for network configuration information,
which the DHCP server answers.

• The client's request is for local network configuration information for the network
to which it is attached.

What is DHCP?
• DHCP (Dynamic Host Configuration Protocol) is a protocol that assigns IP
addresses and other network settings to devices on a network automatically,
eliminating the need for manual configuration.

• When a device boots up, it sends a query to the DHCP server, which responds
with the necessary IP configuration information, including the IP address and
lease time.

• The DHCP server manages a record of all allocated IP addresses and prevents
multiple devices from having the same IP address by identifying them using their
Media Access Control (MAC) address.

• DHCP is not a routable or secure protocol and is limited to a specific local area
network, requiring a single DHCP server per LAN.

• Large networks may have multiple DHCP servers to handle address distribution,
and network administrators can configure the DHCP relay service to provide
addressing to multiple subnets.

• DHCP lacks built-in authentication, making it vulnerable to deception and attacks,
such as exhausting the server's pool of IP addresses.

• Despite the lack of authentication, DHCP offers several advantages, including
easier IP address management, centralized client configuration, and support for
booting local and remote clients, including network booting.

• DHCP enables clients to move to different subnets without requiring manual
reconfiguration, as they can obtain new client information from the DHCP server.

• The use of DHCP is widespread in many organizations due to its advantages,
despite its security limitations.
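The allocation logic just described (a pool of unique addresses, a lease table keyed by MAC address, lease expiry, and what happens when the pool runs out) is modelled in the following added Python example. It was written for this page and is not a wire-level DHCP implementation; the subnet and MAC addresses are constructed.

```python
import ipaddress


class DhcpServer:
    """Allocation logic of a DHCP server as the text describes it: a pool of
    unique addresses, a lease table keyed by client MAC address, and lease
    expiry. Added illustration only; nothing here speaks the DHCP wire format."""

    def __init__(self, network, lease_seconds):
        # Every usable host address of the (constructed) subnet starts out free.
        self.free = [str(ip) for ip in ipaddress.ip_network(network).hosts()]
        self.leases = {}                 # mac -> (ip, time at which the lease expires)
        self.lease_seconds = lease_seconds

    def _expire(self, now):
        # Leases that have run out go back into the pool.
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)

    def request(self, mac, now):
        """Answer a client's broadcast request for an address.

        Returns (ip, lease_seconds), or None when the pool is empty. An empty
        pool is the exhaustion failure mode the text mentions: because nothing
        authenticates the requester, the server cannot tell real clients from
        bogus ones, and only lease expiry eventually frees addresses again."""
        self._expire(now)
        mac = mac.lower()                # MAC addresses compare case-insensitively
        if mac in self.leases:           # known client: it keeps its address
            ip = self.leases[mac][0]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None
        self.leases[mac] = (ip, now + self.lease_seconds)
        return ip, self.lease_seconds

    def allocated(self):
        """IP -> MAC view of the lease table. Because the table is keyed by MAC
        and an address leaves the pool only once, no IP can appear twice."""
        return {ip: mac for mac, (ip, _) in self.leases.items()}


if __name__ == "__main__":
    server = DhcpServer("192.0.2.0/29", lease_seconds=600)   # six usable addresses
    print(server.request("aa:bb:cc:00:00:01", now=0))
    print(server.allocated())
```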

• Address Resolution Protocol (ARP) is a protocol used in local area networks to
resolve IP addresses to MAC addresses, and it will be discussed in more detail in
the context of ethical hacking.

• The Address Resolution Protocol (ARP) works by broadcasting a "who has"
message over a Local Area Network (LAN) to find the MAC address associated
with a specific IP address, allowing devices to communicate with each other.

• When a device wants to send data to another device on the LAN, it broadcasts an
ARP request to find the MAC address of the destination device, and the device
with the matching IP address responds with its MAC address.

• The ARP table is a local cache that maps IP addresses to MAC addresses, allowing
devices to quickly look up the MAC address associated with a given IP address.

• The ARP protocol is exploitable because there is no validation, allowing an
attacker to lie and claim to be the device with a specific IP address, potentially
leading to a man-in-the-middle attack.

• In a man-in-the-middle attack, an attacker intercepts and modifies data being sent
between two devices on the LAN by lying about their MAC address and claiming
to be the destination device.

• The ARP table can be viewed on a computer by opening the command prompt
and running the command "arp -a", which displays all ARP entries on the system.

• The ARP table is not specific to Windows and can be viewed on any machine
that has the TCP/IP protocol installed.

• The ARP table matches a layer 2 or physical address (MAC address) to an IP
address, and is used to resolve IP addresses to MAC addresses or physical
addresses.

• MAC addresses and physical addresses are interchangeable terms that refer to the
same thing, and are used to identify devices on a network.

• The arp utility is also used to diagnose network problems by showing the mapping
of IP addresses to MAC addresses, which it displays from the ARP table.

• The ARP protocol works by sending a "who has" request to find the MAC address
associated with a specific IP address, and there is no authentication involved in
this process.

• When a device sends an ARP request, the target MAC address field is initially
empty, and it is filled in when a response is received.

• Wireshark can be used to capture and analyze ARP packets, and it can also
identify the vendor names associated with MAC addresses.

• ARP can be vulnerable to man-in-the-middle attacks, where an attacker can spoof
their MAC address and intercept data.

• To protect against ARP attacks, data can be encrypted using cryptography, which
can help hide the information being sent over a local network.

• ARP can be used safely when data is encrypted, as it allows devices to
communicate without revealing sensitive information.

• Tools like Ettercap can be used to perform ARP spoofing and other types of
attacks.
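As an added defender-side example (not from the course), the following Python scans a constructed list of ARP replies, written the way Wireshark's info column shows them ("<ip> is at <mac>"), and flags the two symptoms of the spoofing described above: an IP address whose MAC suddenly changes, and one MAC claiming several IP addresses. The addresses are made up; a static entry for the gateway can be passed in as a known-good mapping.

```python
from collections import defaultdict

# Constructed ARP reply log in the style of Wireshark's info column, with a
# frame number in front so that alerts can cite it. Frames 4 and 5 show a
# second MAC answering for both the gateway (.1) and a host (.20).
SAMPLE_ARP_REPLIES = """\
1 192.168.1.1 is at aa:bb:cc:00:00:01
2 192.168.1.20 is at aa:bb:cc:00:00:20
3 192.168.1.1 is at aa:bb:cc:00:00:01
4 192.168.1.1 is at de:ad:be:ef:00:99
5 192.168.1.20 is at de:ad:be:ef:00:99
6 192.168.1.1 is at aa:bb:cc:00:00:01
"""


def parse_reply(line):
    """'<frame> <ip> is at <mac>' -> (frame, ip, mac), MAC lower-cased."""
    frame, ip, _is, _at, mac = line.split()
    return int(frame), ip, mac.lower()


def detect_arp_spoofing(log_text, known=None):
    """Flag replies that contradict what has already been learned.

    `known` optionally seeds the table with trusted mappings (a static ARP
    entry for the gateway is the usual mitigation). The first mapping seen
    for an IP is kept; later contradicting replies raise an alert rather
    than overwriting it. A MAC answering for more than one IP is also
    reported, since that is what an impersonating host looks like.
    Returns a list of alert strings, one per suspicious reply."""
    table = dict(known or {})            # ip -> mac we currently trust
    claims = defaultdict(set)            # mac -> set of ips it has answered for
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        frame, ip, mac = parse_reply(line)
        if ip in table and table[ip] != mac:
            alerts.append(f"frame {frame}: {ip} changed from {table[ip]} to {mac}")
        else:
            table.setdefault(ip, mac)
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:     # legitimate multi-homed hosts can trip this too
                alerts.append(f"frame {frame}: {mac} claims {sorted(claims[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```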

Cryptography
• Cryptography is the art of hiding anything, specifically data in the context of
computer science, and it involves using a key and an encryption algorithm to
protect messages from unauthorized access.

• When a message is sent, a key is used along with an encryption algorithm, and
this key must also reach the recipient, although the method of sending the key will
be discussed later.

• The encryption algorithm takes the key and the message as parameters, producing
ciphertext that needs to be deciphered, and this process is reversed using a
decryption key and algorithm to retrieve the original message.

• In symmetric key cryptography, the decryption key is often the same as the
encryption key, and it is used along with the decryption algorithm to retrieve the
original message.

• Cryptography can be thought of as a password-protected system for messages,
providing a secure way to communicate.

• The history of cryptography dates back several thousand years, with early forms
of cryptography emerging shortly after the development of communication
methods.

• One of the earliest forms of cryptography is the Caesar Cipher, used by Julius
Caesar, which is a simple rotation cipher: the alphabet is rotated by a fixed amount,
and that amount is the key.

• The Caesar Cipher uses a simple substitution method, where each letter is shifted
by a fixed number of positions, such as three letters, to create the ciphertext.

History of Cryptography
• A Caesar Cipher is a simple encryption technique where each letter in the
plaintext is shifted by a fixed number of positions down the alphabet; for example,
shifting the first row back to the second row changes the letter D to the letter C.

• ROT13 is a variation of the Caesar Cipher that rotates the letters 13 positions
instead of three, and it is also known as a rotation cipher.

• The Enigma Cipher is a German cipher that was developed to encrypt and decrypt
messages during World War II, and it was given its name by the people trying to
crack it, not by its developers.

• The Enigma Cipher was used to communicate between headquarters and
battlefields, similar to how Caesar used his cipher to communicate with his
generals.

• The Allies, particularly the British, spent a lot of energy trying to decrypt the
Enigma messages, and it was one of the first instances where a machine was used
for encryption.

• In the 1970s, the National Institute of Standards and Technology proposed a
data encryption standard, and IBM developed an encryption algorithm based on
its Lucifer cipher, which became known as DES.

• DES was chosen as the Data Encryption Standard in 1977, but it had a 56-bit key
size, which was considered adequate at the time but became inadequate by the
1990s.

• To address the limitations of DES, a stopgap solution called Triple DES was
developed, which applies the DES algorithm three times with different keys.

• Triple DES works by encrypting the plaintext with the first 56-bit key, then
decrypting the ciphertext with a second key, and finally encrypting the result with
a third key.

• The Triple Data Encryption Algorithm (Triple DES) applies three keys in
succession: the decryption algorithm is run with the second key against the
ciphertext from the first round, and then the third key is applied to produce the
final ciphertext, resulting in an effective key size of about 168 bits, although only
56 bits are used at a time.

• The Advanced Encryption Standard (AES) was developed to replace the Data
Encryption Standard (DES), with the National Institute of Standards and
Technology (NIST) requesting proposals and selecting an algorithm put together
by mathematicians, which became AES.

• AES supports multiple key lengths, currently using 128-bit keys, but supporting
up to 256-bit keys, allowing for an increase in key material if needed.

• The history of cryptography shows that with every set of encryption, eventually
people find a way to crack it, and currently, AES is a reasonably stable encryption
standard.

• The Data Encryption Standard (DES) was developed by IBM in the 1970s,
originally named Lucifer, and was selected as the data encryption standard, but
caused controversy due to changes requested by the NSA, which some speculated
could be a back door into the standard.

• DES uses 56-bit keys, is a block cipher, and uses 64-bit blocks, but was
effectively broken in 1998 when a DES-encrypted message was cracked in three
days, and later in less than a day by a network of 10,000 systems.

• Triple DES was developed as a replacement for DES, but is not a new algorithm,
rather a way to use DES three times to increase the effective key size.

• A process is described where a plaintext message, referred to as P, is encrypted
using a key called K1, resulting in ciphertext C1.

• The ciphertext C1 is then decrypted using a second key, K2, but since it is the
wrong key, the output is not plaintext but another round of ciphertext, referred to
as C2.

• The ciphertext C2 is then encrypted using a third key, K3, resulting in another
round of ciphertext, referred to as C3.

• This process involves three different keys applied in two different ways:
encryption with keys K1 and K3, and decryption with key K2.

• The process is described as an encrypt-decrypt-encrypt process with separate
keys.

• Although the process does not yield a full 168-bit key size, the three rounds
result in a larger effective key size.

Digital Encryption Standard

• The Data Encryption Standard (DES) was developed by IBM in the 1970s; it was originally a cryptographic cipher named Lucifer, which was later modified and proposed as a digital encryption standard.

• DES uses a 56-bit key and is a block cipher that operates on 64-bit blocks; it remained the encryption standard for the next couple of decades.

• In 1998, a DES-encrypted message was cracked in three days, and a year later a network of 10,000 systems around the world cracked a DES-encrypted message in less than a day.

• The National Institute of Standards and Technology (NIST) requested a new standard in 1999, and in 2001 the Advanced Encryption Standard (AES) was published; the algorithm was originally called Rijndael.

• AES has a fixed 128-bit block size and key lengths of 128, 192, and 256 bits, and it was specified by NIST as the Advanced Encryption Standard.

• Triple DES (3DES) is not three times the strength of DES, but rather DES applied three times, using three different keys to encrypt the message.

• 3DES was a stopgap measure, and it was known that if DES could be broken, 3DES could also be broken given more time.

• The NSA requested some changes during the selection process for DES, which led to speculation about a possible back door into the digital encryption standard.

• The process of applying multiple keys in different ways, such as encrypting with key E1, decrypting with key E2, and then encrypting with key E3, is described as an encrypt-decrypt-encrypt process with three separate keys, but it does not yield an effective 168-bit key size, since it is basically 56-bit keys being used three times.

• The Triple DES method, which applies three different keys in two different ways, is not as strong as it seems: it can be easily broken, and if one key is broken, the same method can be applied to the other keys.
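
The encrypt-decrypt-encrypt wiring described in the K1/K2/K3 walkthrough above and in the E1/E2/E3 bullet, as an added example that is not part of the course: the DES primitive is stood in for by a toy Feistel block cipher of the same shape (64-bit block, 56-bit key, 16 rounds, SHA-256-derived round keys, an assumption so the script needs only the standard library), and the demo shows the property the course hints at, that three identical keys collapse to a single encryption.

```python
"""Encrypt-decrypt-encrypt (EDE) composition in the Triple DES style.

Added example, not from the course: the DES primitive is replaced by a
toy 16-round Feistel cipher (64-bit block, 56-bit key) built on SHA-256
round keys, so only the standard library is needed. Only the EDE wiring
is meant to be instructive; the toy cipher is not a secure cipher.
"""
import hashlib

BLOCK_BYTES = 8   # 64-bit blocks, as in DES
KEY_BYTES = 7     # 56-bit keys, as in DES
ROUNDS = 16


def _round_keys(key: bytes) -> list:
    """Toy key schedule: one 32-bit round key per round from the 56-bit key."""
    if len(key) != KEY_BYTES:
        raise ValueError("key must be 56 bits (7 bytes)")
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:4], "big")
            for r in range(ROUNDS)]


def _f(half: int, rk: int) -> int:
    """Toy round function on a 32-bit half block."""
    x = (half ^ rk) & 0xFFFFFFFF
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & 0xFFFFFFFF
    return ((x << 13) | (x >> 19)) & 0xFFFFFFFF


def _feistel(block: bytes, rks: list) -> bytes:
    """Run the Feistel network; the final half swap makes decryption the
    same network with the round keys in reverse order."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be 64 bits (8 bytes)")
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rk in rks:
        left, right = right, left ^ _f(right, rk)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Single 'DES-like' encryption of one block."""
    return _feistel(block, _round_keys(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Single 'DES-like' decryption: same network, reversed round keys."""
    return _feistel(block, list(reversed(_round_keys(key))))


def ede_encrypt_block(k1: bytes, k2: bytes, k3: bytes, p: bytes) -> bytes:
    """Triple DES style EDE: C3 = E_K3(D_K2(E_K1(P)))."""
    c1 = encrypt_block(k1, p)     # round 1: encrypt with K1
    c2 = decrypt_block(k2, c1)    # round 2: decrypt with K2; wrong key, so C2 is still ciphertext
    return encrypt_block(k3, c2)  # round 3: encrypt with K3


def ede_decrypt_block(k1: bytes, k2: bytes, k3: bytes, c3: bytes) -> bytes:
    """Inverse: undo the rounds in reverse order, P = D_K1(E_K2(D_K3(C3)))."""
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, c3)))


def demo() -> bytes:
    # Constructed 56-bit keys and one 64-bit plaintext block.
    k1, k2, k3 = b"key-one", b"key-two", b"key-3rd"
    p = b"quickfox"
    c3 = ede_encrypt_block(k1, k2, k3, p)
    assert ede_decrypt_block(k1, k2, k3, c3) == p
    # With K1 = K2 = K3 the middle decryption cancels the first encryption,
    # so EDE degenerates to a single encryption: this is why 3DES hardware
    # could still talk to single-DES peers, and why three keys do not simply
    # add up to 168 bits of strength (a meet-in-the-middle attack bounds the
    # work at roughly 2^112 for three independent keys).
    assert ede_encrypt_block(k1, k1, k1, p) == encrypt_block(k1, p)
    return c3


if __name__ == "__main__":
    print(demo().hex())
```
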
• The National Institute of Standards and Technology (NIST) chose the Rijndael algorithm, now called the Advanced Encryption Standard (AES), in 2001; it has a fixed block size of 128 bits and three key sizes: 128, 192, and 256 bits.

• AES has a fixed block size of 128 bits, unlike the Rijndael algorithm, which allows variable block sizes in multiples of 32 bits.

• Symmetric cryptography uses the same key for both encryption and decryption, has shorter key lengths than asymmetric cryptography, and is faster; example algorithms include DES and AES.

• Symmetric key cryptography can be demonstrated using a tool like AESCrypt, which is available for Linux, Windows, and Mac, and can be used to encrypt and decrypt files with a symmetric key.

• A text file named "text.txt" contains the sentence "quick brown fox jumped over the lazy dog," which includes every letter of the English alphabet, and is used as the example for encryption.

• The file is encrypted using the Advanced Encryption Standard (AES) symmetric key cipher with the password "Pokemon," producing a new encrypted file named "text.txt.aes".

• The encrypted file is sent over the network, and the recipient, who knows the encryption algorithm and the key, can decrypt it.

• The encrypted message, also known as ciphertext, appears as jumbled, unreadable text.

• To decrypt the file, the same password "Pokemon" is used, and the decrypted message is recovered.

• Symmetric key encryption uses either a stream cipher or a block cipher: block ciphers encrypt a fixed-length block of bits at a time, while stream ciphers encrypt one bit at a time.

• Asymmetric key cryptography uses two different keys, a public key and a private key, and is used for signing documents or emails and for ensuring the authenticity of the sender.

• Asymmetric key encryption has longer key lengths, requires more computation, and is slower than symmetric key encryption.

• Asymmetric key encryption ensures that a message comes from the actual sender, as the private key is used for signing and the public key for verification.

• Asymmetric encryption has the advantage of establishing the identity of the other end of a communication stream, since only that party should hold the private key, and it is often used in hybrid encryption models to encrypt symmetric session keys.

• In practice, asymmetric encryption is typically used to encrypt the key exchange, while symmetric key encryption is used to encrypt the actual message being sent.

• Asymmetric encryption is a slower process and may not be suitable for small files.

• To demonstrate public key encryption, a key pair is generated using OpenSSL on an Ubuntu system.

• The process begins by creating a file called "text.txt" and adding some text to it.

• OpenSSL is then used with the RSA algorithm to generate a private key, which is written to a file called "private.key".

• A passphrase is used to protect the private key.

• The private key is then used to derive the public key, which is written to a file called "public.key".

• The public key is used to encrypt a file, and the encrypted file can only be decrypted with the corresponding private key.

• Public key cryptography can be used to encrypt and decrypt files with the OpenSSL tool, where the public key is used for encryption and the private key for decryption.

• To encrypt a file, the command "openssl rsautl -encrypt -pubin -inkey public_key -in text.txt -out encrypted.txt" can be used (the -pubin flag tells rsautl that the key file holds a public key), and to decrypt it, the command "openssl rsautl -decrypt -inkey private_key -in encrypted.txt -out plain_text.txt".

• The decrypted file will be identical to the original, which can be verified by comparing the two files with the command "diff plain_text.txt text.txt".

• Digital certificates are electronic passports that allow secure data exchange over the internet using public key infrastructure; they provide identification, authentication, confidentiality, integrity, and non-repudiation.

• Digital certificates are issued by certificate authorities, such as Let's Encrypt Authority X3, and they can be viewed in web browsers like Google Chrome.

• Digital certificates are also known as public key certificates or identity certificates, and they are used to secure e-commerce and internet-based communication.

• To create a digital certificate, the OpenSSL tool can be used; this is demonstrated in the next part of the tutorial.

Bitlocker

• In the case of a system being compromised, a package called gdecrypt can be used to map and mount a created encrypted volume, helping to set up the process of encrypting volumes on the system.

• Encryption is a good idea when working with sensitive client data, and tools like BitLocker and Windows Vault can be used for disk encryption.

• Scanning refers to the use of computer networks to gather information about computer systems; network scanning is mainly used for security assessment, system maintenance, and, by hackers, for performing attacks.

• The purposes of network scanning include recognizing available UDP and TCP network services, recognizing filtering systems, determining operating systems, and evaluating target host TCP sequence numbers.

• Network scanning consists of network port scanning and vulnerability scanning; network port scanning is the method of sending data packets to identify the network services available on a system.

• Vulnerability scanning is a method used to discover known vulnerabilities in computing systems available on a network, helping to detect weak spots in applications or operating systems.

• Network port scanning and vulnerability scanning are information-gathering techniques, but when carried out by anonymous individuals they are viewed as a prelude to an attack.

• Network scanning processes such as port scans and ping sweeps return details about active live hosts and the services they provide.

• Inverse mapping is another network scanning method; it gathers details about IP addresses that do not map to live hosts, helping an attacker focus on feasible addresses.

• Network scanning is one of the three important methods an attacker uses to gather information during the footprinting stage, and it helps build a profile of the target organization.

• A popular tool for network scanning is nmap, a must-have tool for most ethical hackers, but it is a noisy scanner.

• Nmap can be used to scan quietly if the user knows IDS evasion techniques, which are discussed later.
• Nmap was originally available on Unix systems but is also available on Windows, and it is used for target specification, host discovery, scan techniques, port specification, and more.

• To install nmap on a Unix system, the command 'apt install nmap' can be used; if the user is not root, 'sudo' should be prefixed to it.

• The help option can be used to view all the available options and features of nmap.

• Nmap can scan a specific IP address or hostname, such as 'edureka.co', and a scan can take some time to complete.

• Nmap can also scan an entire subnet by specifying an IP address range, such as '192.168.1.1-24'.

• A file containing a list of target IP addresses can be passed to nmap with the '-iL' flag followed by the filename.

• Nmap allows specific IP addresses to be excluded from a scan with the '--exclude' option.

• Various scanning techniques can be used with nmap, such as scanning specific ports or the default ports.

• Nmap can perform various types of scans, including SYN scans, TCP connect port scans, UDP port scans, and ACK port scans, with a different flag for each: -sS for SYN scans, -sT for TCP connect scans, -sU for UDP scans, and -sA for ACK scans.

• The -sW flag can be used for a TCP Window scan, and the -sM flag for a Maimon scan.

• Nmap can also be used for host discovery: the -sL flag only lists the targets, and the -sn flag (lowercase n) disables port scanning so that only host discovery is performed.

• The -n flag disables hostname resolution, saving time.

• Nmap can perform ARP discovery on a local network with the -PR flag.

• Port specifications can be used to scan specific ports, such as port 21, or a range of ports, such as ports 21 to 100.

• A fast port scan can be performed with the -F flag, which is considerably faster than other scans.

• The --top-ports flag can be used to scan the most common ports, such as the top 2000, although this can take a long time.

• Service version detection can be performed with nmap, which attempts to determine the versions of the services running on a given IP address, such as Apache 2.0, using the command "nmap -sV" followed by the IP address.

• The version intensity of the scan can be increased by specifying a number between 0 and 9, with higher numbers giving more accurate results, although the "version intensity" option has been removed from nmap.

• Aggressive scans can be performed with the "-A" flag, which runs a very aggressive scan against the IP address but may take a long time.

• OS detection can be performed with nmap's "-O" option.

• An Intrusion Detection System (IDS) monitors network traffic for suspicious activity and issues alerts when such activity is discovered.

• An IDS can also take action when malicious activity or anomalous traffic is detected, including blocking traffic from suspicious IP addresses.

• The primary function of an IDS is anomaly detection and reporting; it monitors network traffic for suspicious activity.

What is IDS

• Network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS) monitor network packets for potentially malicious activity, but they can also produce false alarms, or false positives, so organizations must fine-tune their systems to recognize normal traffic patterns.

• NIDS are deployed at strategic points within the network to monitor inbound and outbound traffic, while HIDS run on individual computers or devices with direct access to both the internet and the internal network.

• HIDS have an advantage over NIDS in detecting anomalous network packets originating from inside the organization, or malicious traffic that a NIDS may have missed.

• Signature-based intrusion detection systems compare network packets against a database of known malicious threats, much like antivirus software.
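
The two detection styles described above side by side, as an added example that is not part of the course: a signature engine that matches payloads against a small known-bad database, and an anomaly engine that flags a source touching too many ports in one second (the shape of the noisy nmap scans discussed earlier), run over constructed traffic records; the record layout, the patterns and the threshold are assumptions, and the threshold doubles as the false-positive tuning knob the course mentions.

```python
"""Toy network IDS logic: a signature engine (payload vs. known-bad patterns,
like antivirus signatures) and an anomaly engine (a source touching too many
ports per second, which is what a noisy port scan looks like on the wire).
Added example over constructed traffic records; not from the course and not
any real IDS's rule language."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed records: (timestamp_seconds, src_ip, dst_ip, dst_port, payload).
# The last 40 entries simulate one host probing ports 20-59 within 0.4 s.
SAMPLE_TRAFFIC = [
    (0.0, "10.0.0.5", "10.0.0.80", 80, "GET /index.html HTTP/1.1"),
    (0.5, "10.0.0.6", "10.0.0.80", 443, ""),
    (1.0, "10.0.0.5", "10.0.0.80", 80, "GET /about HTTP/1.1"),
    (1.2, "203.0.113.9", "10.0.0.80", 80, "GET /../../etc/passwd HTTP/1.1"),
] + [(2.0 + i * 0.01, "198.51.100.7", "10.0.0.80", 20 + i, "") for i in range(40)]

# Signature database: name -> pattern that must appear in the payload.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
}


@dataclass(frozen=True)
class Alert:
    kind: str      # "signature" or "anomaly"
    src_ip: str
    detail: str


def signature_alerts(records):
    """Signature-based detection: compare every payload against the database."""
    alerts = []
    for _ts, src, _dst, port, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append(Alert("signature", src, f"{name} on port {port}"))
    return alerts


def anomaly_alerts(records, window=1.0, max_ports=10):
    """Anomaly-based detection: a source that contacts more than max_ports
    distinct destination ports inside one time window. max_ports is the
    tuning knob: set too low, ordinary clients become false positives."""
    ports_seen = defaultdict(set)           # (src, window_index) -> ports
    for ts, src, _dst, port, _payload in records:
        ports_seen[(src, int(ts // window))].add(port)
    return [Alert("anomaly", src, f"{len(ports)} ports in window {w}")
            for (src, w), ports in ports_seen.items() if len(ports) > max_ports]


def alerted_sources(records, max_ports=10):
    """Distinct source IPs that raised any alert, sorted for stable output."""
    alerts = signature_alerts(records) + anomaly_alerts(records, max_ports=max_ports)
    return sorted({a.src_ip for a in alerts})


if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE_TRAFFIC) + anomaly_alerts(SAMPLE_TRAFFIC):
        print(alert)
    # Over-tight tuning: every source, including the two normal web clients, fires.
    print("with max_ports=0:", alerted_sources(SAMPLE_TRAFFIC, max_ports=0))
```
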

• Intrusion detection systems (IDS) can be evaded using various techniques, such as manipulating packets to look a certain way, which can be done with tools like Packet.

• Packet manipulation can be used to spoof IP addresses, allowing an attacker to disguise their source IP address, but this may prevent them from receiving responses or completing a TCP three-way handshake.

• IDS evasion techniques may be necessary when performing an assessment or penetration test against a target where the activities should not be detected.

• Cyber attacks are happening constantly, and the security of organizations is being compromised, as can be seen on websites like ThreatCloud, which displays real-time cyber attacks occurring globally.

• To evade detection, attackers can use techniques such as IP spoofing, modifying packet settings, and generating bogus data to hide legitimate scans.

• There are eight types of cyber threats, starting with malware, an all-encompassing term for various cyber attacks, including Trojans, viruses, and worms.

• Malware is defined as code with malicious intent that typically steals data or destroys something on the computer, and it can be categorized by how it causes damage.

• Types of malware include viruses, which attach themselves to clean files and infect other files; Trojans, which disguise themselves as legitimate software; and worms, which infect entire networks of devices.

• Malware also includes botnets, networks of infected computers controlled by an attacker; malware can be encountered through vulnerabilities, illegitimate software downloads, or compromised email attachments.

• Each form of malware requires a different removal method, and the best way to prevent malware is to avoid clicking on links or downloading attachments from unknown sources.

• To prevent cyber threats from senders, deploying a robust and up-to-date firewall can be effective in preventing the transfer of large data files over the network and weeding out attachments that may contain malware.

• Keeping a computer's operating system, whether Windows, Mac OS, or Linux, up to date with the latest security updates and software is crucial for closing any holes or weak points.

• Programmers frequently update programs to address weaknesses, and installing these updates is essential for reducing system weaknesses.

• Phishing is a type of cyber threat in which attackers pose as a trusted third party, sending emails that ask users to click on a link and enter their personal data.

• Phishing emails have become more sophisticated, making it difficult to tell a legitimate request from a false one; they often fall into the same category as spam but are more harmful.

• Phishing attacks often involve spoofing or mimicking well-known businesses such as banks, credit card companies, Amazon, eBay, and Facebook in an attempt to get victims to reveal their personal information.

• The phishing scam process involves five steps, starting with the initial step, although the details of the remaining steps are not provided in this segment.

What is phishing

• Phishing involves planning, setting up, delivering, executing, and using the gathered information for identity theft and fraud, with the goal of obtaining sensitive information from victims, such as passwords or credit card numbers.

• Phishers decide which business to target, determine how to get email addresses for that business's customers, and create methods for delivering the messages and collecting the data.

• Executing the attack involves sending a phony message that appears to come from a reputable source and recording the information that victims enter into the web page or pop-up windows.

• The gathered information is then used to make illegal purchases or commit fraud, and as many as a fourth of the victims never fully recover.

• To prevent phishing, it is essential to understand how phishing emails work: they often have telltale properties such as a generalized way of addressing the recipient, not coming from a reputable source, and redirecting links, which can be inspected by hovering over them.

• Phishing emails can be identified by inspecting the address they came from, which may not be legitimate, and should be reported to administrators or the concerned parties.
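
The three telltale properties just listed turned into checks, as an added example that is not part of the course: a generic greeting, a From: address outside the brand's real domain, and a link whose visible text points somewhere other than its href (what hovering would reveal). The two messages, the brand domain and the greeting list are constructed assumptions.

```python
"""Heuristic checks for the phishing-email properties the course lists:
generic greeting, sender address that does not match the claimed brand,
and links whose visible text differs from where they really point.
Added example with constructed messages; not part of the course."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message claiming to be from "Example Bank".
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="http://203.0.113.5/login">https://www.examplebank.test/login</a>
to confirm your details.</p>
</body></html>
"""

# Constructed legitimate message from the same brand, for contrast.
LEGIT_EMAIL = """\
From: "Example Bank" <alerts@examplebank.test>
To: victim@example.org
Subject: Your statement is ready
Content-Type: text/html

<html><body><p>Hi Jordan,</p>
<p>View it at <a href="https://www.examplebank.test/statements">your statements page</a>.</p>
</body></html>
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over a link shows."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw, trusted_domains):
    """Return the names of the indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    found = []

    # 1. generalized greeting instead of the recipient's name
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        found.append("generic-greeting")

    # 2. From: address not under a domain the brand actually uses
    _name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if not any(sender_domain == d or sender_domain.endswith("." + d) for d in trusted_domains):
        found.append("untrusted-sender-domain")

    # 3. link text showing one host while the href goes elsewhere (or to a bare IP)
    parser = _LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        shown = _host(text) if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) else ""
        if (shown and shown != _host(href)) or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", _host(href)):
            found.append("redirecting-link")
            break
    return found


if __name__ == "__main__":
    print("suspect:", phishing_indicators(SAMPLE_EMAIL, ["examplebank.test"]))
    print("legit:  ", phishing_indicators(LEGIT_EMAIL, ["examplebank.test"]))
```
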

• A demonstration of phishing from an attacker's perspective involves creating a phishing website to harvest Facebook credentials, sending a legitimate-looking email, and using back-end code to write a log file of the entered passwords.

• The phishing website can be made to look legitimate by copying the source code of the Facebook login page, with back-end code in PHP that logs the entered passwords.

• The demonstration shows how phishing works: an email address and password entered on the phishing website are logged, and the site then redirects to the original site, compromising the credentials in the process.

• It is essential to be careful with emails that may be phishing attempts, and to always verify the legitimacy of the email and of the website it redirects to.
Password Attacks

• A password attack is an attempt by hackers to use a user's password for illegal purposes, often accomplished by recovering passwords from data stored in or transported from a computer system.

• Password cracking refers to various measures used to discover computer passwords, usually by repeatedly guessing the password with a computer algorithm.

• Password attacks can be carried out for several reasons, but the most malicious is to gain unauthorized access to a computer system without the owner's knowledge.

• This can result in cybercrime, such as stealing passwords to access bank information.

• There are three common methods used to break into a password-protected system: brute force attacks, dictionary attacks, and keylogger attacks.

• A brute force attack involves a hacker using a computer program or script to try to log in with possible password combinations, usually starting with the easiest-to-guess passwords.

• Dictionary attacks involve a hacker using a program or script to try to log in by cycling through combinations of common words, which can succeed because people often choose short or simple passwords.

• Keylogger attacks involve a hacker using a program to track a user's keystrokes, recording login IDs and passwords; they differ from brute force and dictionary attacks in that stronger passwords provide little protection.

• To prevent password attacks, it is recommended to follow best practices such as updating passwords regularly, using alphanumeric characters, and avoiding words found in dictionaries.

• Using "garbage words" that make no sense can also increase security, as they are harder for hackers to guess.

Packet Flooding

• A common type of attack is the Distributed Denial of Service (DDoS) attack, in which an attacker uses multiple computers to send traffic or data that overloads a system, often without the knowledge of the owners of the computers being used for the attack.

• DDoS attacks can have serious consequences, including disrupting services and online access; they are sometimes used as a form of protest, but can result in severe punishment, including major jail time.

• To prevent DDoS attacks, it is essential to keep systems secure with regular software updates, online security monitoring, and monitoring of data flow to identify unusual or threatening spikes in traffic.

• Physically monitoring connections is also crucial, as attacks can be perpetrated simply by cutting a cable or dislodging a plug that connects a website server to the Internet.

• Man-in-the-Middle (MITM) attacks involve impersonating the endpoints of an online information exchange to obtain information from the end user and the entity they are communicating with.

• MITM attacks often gain access through unencrypted wireless access points and can be prevented by using an encrypted WAP, checking the security of connections, and investing in a Virtual Private Network (VPN).

• To prevent MITM attacks, it is also essential to be cautious when accessing websites, as attackers may try to strip away security protocols such as HTTPS or HSTS.

• Drive-by downloads are another type of attack, in which malware is installed on a device without the user's knowledge or consent, often through exploited vulnerabilities in software or websites.

What is a Drive-by-download

• Drive-by downloads occur when a user visits a compromised web page, allowing malicious code to be installed on their device without requiring any action other than visiting the site.

• A drive-by download usually takes advantage of an outdated browser, app, or operating system with security flaws; the initial code downloaded is often small and contacts another computer to pull down the rest of the code.

• Web pages may contain multiple types of malicious code to match the weaknesses on a user's computer, and the download is triggered during the TCP three-way handshake that establishes the connection.

• To avoid drive-by downloads, users should avoid visiting potentially malicious websites, keep their internet browser and operating system up to date, use a safe search protocol, and install comprehensive security software.

• Malvertising refers to criminally controlled advertisements that intentionally infect people and businesses, often appearing as normal ads on popular websites.

• Malvertising uses advanced technology to present itself as a normal ad but contains hidden code that redirects the user's computer to a criminal server, which then injects malware.

• To stop malvertising, users should use an ad blocker, install browser extensions, keep their software up to date, and exercise common sense when interacting with suspicious ads.

• Users should be cautious of ads offering free money or lottery winnings, as these are likely scams that can inject malware.

• Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and manipulates them into paying for a fake malware removal tool; it has posed a serious security threat in desktop computing since 2008.

• Rogue security software manipulates users into downloading the program through various techniques, including ads offering free or trial versions of security programs, pop-ups warning of virus infections, and manipulated SEO rankings that redirect users to infected websites.

• Once installed, rogue security software can steal information, slow down computers, corrupt files, disable updates for legitimate antivirus software, and prevent users from visiting legitimate security software vendors' sites.

• To prevent rogue security software attacks, it is recommended to have an up-to-date firewall, install trusted antivirus or anti-spyware software, and maintain a general level of distrust on the internet.

• BluVector is a network security program that uses machine learning to protect computers and networks from malware and human-backed intrusion, allowing it to learn and adapt to new threats over time.

• BluVector works by tasking machines and computers with protecting themselves, enabling them to counter malware and human-backed intrusion at machine speed, giving defenders a serious advantage.

• BluVector's machine learning capabilities allow it to get smarter over time, learning the intricacies of each network it is deployed on and tweaking its defenses accordingly.

BluVector

• BluVector is a cyber security tool that uses algorithms and detection engines to protect environments from threats; it can be installed as a hardware-based network appliance or as a virtual machine, operating inline with network traffic or as a retrospective tool that scans for threats other programs might have missed.

• BluVector is designed to work with all IPv6 traffic as well as older IPv4 streams, making it suitable for environments with Internet of Things and supervisory control and data acquisition devices, such as industrial and manufacturing settings, as well as normal office environments.

• Bricata is a cyber security tool that offers advanced IPS/IDS protection with multiple detection engines and threat feeds to defend network traffic and core assets, and it also allows threat hunting based on events or anomalies.

• Bricata can be deployed as a physical or virtual appliance that serves as the main collation point and user interface, linking up to network sensors that capture traffic data at network choke points.

• Bricata sensors can be deployed at network gateways or around core assets or internal points to give the platform visibility into lateral movement or potential threats.

• Cloud Defender by Alert Logic is a cyber security tool designed to protect web applications, critical data, and everything else running or stored within an organization's cloud environment.

• Cloud Defender offers a sliding scale of support, from a user-friendly tool that lets local IT staff inspect their cloud deployment for threats or breaches, to a full-service model in which the Alert Logic team takes over most cloud-based cyber security functions.

• In the full-service model, Alert Logic does everything short of remediating problems, offering monitoring, advising, and logging of events in a software-as-a-service model.

• Cloud Defender is a platform that combines SaaS security with local team aid; it is configured to keep collected logs and information available for at least a year, and it works with any cloud environment, including Amazon Web Services, Microsoft Azure, and Google Cloud Services, with pricing based on the number of nodes protected and log file size.

• Cloud Defender's pricing is not based on the cloud environment, but on the number of nodes protected and the size of the log files analyzed.

• Cofense Triage is a phishing defense tool that manages responses to emails reported by users as suspected phishing, helping organizations tap into employees' newfound skill in spotting phishing scams.

• Phishing is a popular and quick way for attackers to enter a network by tricking users into taking an action, and most organizations have little or no defense against it.

• The original PhishMe product was deployed in 2008 to let network administrators craft their own phishing emails to train users about the dangers of phishing.

• Cofense has moved its focus from pure education to threat remediation, and its product Triage takes emails reported by users as suspected phishing and helps manage the response.
• Contrast Security is a suite of tools that deals with application security,
converging endpoint security, network security, and content security into a single
program .

• Contrast Security aims to change the trend of alert fatigue by condensing


application security into a single program that protects apps from development to
deployment and their full life cycle .

• Contrast Security embeds agents inside each app, making it part of the program,
and has a rare hundred percent on the OWASP security benchmark, passing over
2000 tests without generating any false positives .

• The secret sauce for Contrast Security is the use of bytecode instrumentation, a
feature in Java used to integrate programs and application features during
development, but used by Contrast Security for cyber security purposes .

• Digital Guardian is a threat-aware data protection platform that provides endpoint


security, which has traditionally been the realm of signature-based antiviruses that
have proven inadequate against targeted and highly advanced malware campaigns
.

• Unlike most endpoint security programs that deliver protection through the
creation of rules, Digital Guardian comes pre-loaded with thousands of best
practices rules based on years of experience working in the field, which are
tailored to the specific network it is protecting after a quick data discovery process
.

• Intellector is a platform that acts like a security information and event


management console but for compliance issues, installed either as an on-premise
or cloud-based console, it pulls information from a series of network collectors
and correlates that data into continuously monitored compliance dashboards .

• Compliance and security are mutually supporting, with compliance rules put in
place to provide a good security baseline, but it's possible to be completely in
compliance with all applicable regulations and still not be adequately secure .

• The skill sets used to implement compliance and security are different, and
organizations can have a deep IT or cybersecurity staff that is unskilled with
compliance issues or unpracticed in knowing exactly which regulations apply .

• The Mantix 4 platform is a threat hunting tool that seeks to solve the people problem while providing robust threat hunting tools for use by clients, taking threat hunting into the software-as-a-service realm.

• Threat hunting is becoming an increasingly important part of cybersecurity defenses, given the insidious nature of advanced threats; it is almost a certainty that every organization of any size will eventually be hacked or compromised.

• The Mantix 4 platform was originally designed for the Canadian government's Department of Public Safety, which is the equivalent of the US Department of Homeland Security.

• The US Department of Homeland Security and its Canadian counterpart use Mantix 4 to defend networks in 10 sectors considered critical infrastructure, rooting out threats that might bypass traditional protection.

• The system is deployed as two components. The first part is comprised of Observer sensors that sit at critical points within a protected network, either alongside routers or at network gateways.

• The Observer sensors can be set to work inline or to passively sniff network traffic, and can be deployed almost anywhere depending on the need, with the best deployment being a small appliance that hosts nothing else.

• Network traffic analysis tools have long been used to improve efficiencies in enterprise networks, locating unused capacity and bandwidth and eliminating choke points, and have recently been employed as an arm of cybersecurity.

• Traffic analysis tools capture the communication between internal threats (malware) and their controllers on the outside, but even a small to medium-sized enterprise generates three or four billion traffic logs per month, making it difficult for humans to find anything meaningful without computerized assistance.

• Capturing all that data traditionally requires the installation of network taps on gateways across the network, but seg bi has fielded new software that aims to eliminate both of those problems by deploying its analyzer as a software module capable of running on premise or in the cloud.

• The analyzer only looks at log files, eliminating the need for network taps, agents on the clients, or anything beyond access to the constantly generated log files, and crunches the billions of events in those logs using finely tuned algorithms.

• The analyzer can be deployed under a pay-as-you-go contract, where users pay only based on how many gigabytes of log file data they need to process per day.

Cybersecurity Frameworks
• The President issued Executive Order 13636 in February 2013, which aimed to improve critical infrastructure cybersecurity by directing NIST to develop a voluntary framework for reducing cyber risks to critical infrastructure.

• The Cybersecurity Enhancement Act of 2014 reinforced the executive order's mandate to NIST, and the voluntary framework was created through collaboration between industry and government to promote the protection of critical infrastructure.

• The framework consists of standards, guidelines, and practices to help owners and operators of critical infrastructure manage cybersecurity-related risks, and it provides a prioritized, flexible, repeatable, and cost-effective approach.

• According to Section 7 of the Executive Order, the Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology to lead the development of a framework to reduce cyber risks to critical infrastructure.

• The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks, and it shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.

• The framework helps organizations better understand, manage, and reduce their cybersecurity risks, and it assists in determining which activities are most important to assure critical operations and service delivery.

• The framework provides a common language to address cybersecurity risk management, and it is especially helpful in communicating inside and outside the organization, improving communication and awareness among IT planning and operating units as well as senior executives.

• The framework can be implemented in stages or degrees, making it more appealing to businesses, and it has built-in maturity models and gap analysis.

• Organizations can readily use the framework to communicate current or desired cybersecurity postures between a buyer and a supplier.

• The Cybersecurity Framework is voluntary guidance based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risks.

• The framework was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

• There are several types of cybersecurity frameworks, including PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 and 27002 (International Organization for Standardization), and CIS (Critical Security Controls).

• The NIST framework is designed to improve an organization's readiness for managing cyber security risks by leveraging standard methodologies and processes, and it is the most popular framework among those discussed.

• The framework prioritizes a flexible and cost-effective approach to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

• The objectives of the framework include being adaptable, flexible, and scalable, improving an organization's readiness for managing cyber security risks, and being performance-based and cost-effective.

• The framework consists of three main components: the core, implementation tiers, and profiles. The core provides a set of desired cyber security activities and outcomes, the tiers assist organizations in viewing cyber security risk management, and the profiles align organizational requirements and objectives with the framework core.

• The framework implementation tiers assist organizations in considering the appropriate level of rigor for their cyber security program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

• The framework profiles are used to identify and prioritize opportunities for improving cyber security at an organization and are primarily based on the organization's unique alignment of requirements and objectives.

• The framework tiers describe the degree to which an organization's cyber security risk management practices exhibit the characteristics defined in the framework, ranging from Partial to Adaptive, and describe an increasing degree of rigor and integration of cyber security risk decisions.

• The core is a set of desired cyber security activities and outcomes organized into categories and aligned with informative references, designed to be intuitive and to enable communication between multi-disciplinary teams using simple, non-technical language.

• The core consists of three parts: functions, categories, and subcategories, which provide a translation layer to enable communication between teams.

• The NIST framework's core includes five high-level functions: Identify, Protect, Detect, Respond, and Recover, which are applicable to both cyber security risk management and risk management as a whole.

• The Identify function helps develop an organizational understanding to manage cyber security risk, focusing on systems, people, assets, data, and capabilities.

• The Protect function develops and implements safeguards to ensure delivery of critical services, supporting the ability to limit or contain the impact of a potential cyber security event.

• The Detect function develops and implements activities to identify the occurrence of a cyber security event, enabling timely discovery of cyber security events.

• The Respond function develops and implements activities to take action regarding a detected cyber security incident, supporting the ability to contain the impact of a potential cyber security incident.

• The Recover function develops and implements activities to maintain plans for resilience and to restore any capabilities or services impaired by a cyber security incident, supporting timely recovery to normal operations.

• These five functions represent the primary pillars of a successful and holistic cyber security program, aiding organizations in expressing their management of cyber security risk at a high level and enabling risk management decisions.

• NIST recommends customizing the framework to maximize business value. This customization is referred to as a profile, which is an organization's unique alignment of its requirements and objectives against the desired outcomes of the framework core.

• Profiles can be used to identify opportunities for improving cyber security posture by comparing a current profile with a target profile; they are about optimizing the cyber security framework to best serve the organization.

• The framework is voluntary, so there is no right or wrong way to do it. One way of approaching profiles is for an organization to map its cyber security requirements, mission objectives, and operating methodologies, along with its current practices, against the subcategories of the framework core.

• To create a current state profile, an organization's requirements and objectives can be compared against the current operating state of the organization to gain an understanding of the gaps between the two.

• The following steps illustrate how an organization could use the framework to create a new cyber security program or improve an existing one: prioritize and scope the organization, orient yourself, create a current profile, conduct a risk assessment, create a target profile, and determine, analyze, and prioritize gaps.

• The first step is to prioritize and scope the organization, which involves identifying its business mission objectives and high-level organizational priorities, making strategic decisions regarding cyber security implementations, and determining the scope of systems and assets that support the selected business line or process.

• The second step is to orient yourself, which involves identifying related systems and assets, regulatory requirements, and the overall risk approach, and consulting sources to identify threats and vulnerabilities applicable to those systems and assets.

• The third step is to create a current profile by indicating which category and subcategory outcomes from the framework core are currently being achieved.

• The fourth step is to conduct a risk assessment, which involves analyzing the operational environment to discern the likelihood of a cyber security event and the impact that the event could have on the organization.

• The fifth step is to create a target profile that focuses on the assessment of the framework categories and subcategories describing the organization's desired cyber security outcomes.

• The sixth step is to determine, analyze, and prioritize gaps, which involves comparing the current profile and the target profile to determine gaps, creating a prioritized action plan to address them, and determining the resources necessary to do so.

• Implementing the action plan involves determining which actions to take to address the identified gaps and adjusting current cyber security practices to achieve the target profile.

• Organizations should determine which standards, guidelines, and practices work best for their needs, including those that are sector-specific, and repeat the steps as needed to continuously assess and improve their cyber security.
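As an added illustration of the profile comparison in step six, here is a small Python gap analysis between a current and a target profile; it is not code from the course or from NIST, the subcategory IDs only follow the CSF 1.1 naming scheme (e.g. PR.AC-1), and the tier scores and priorities are constructed:

```python
"""Gap analysis between a current and a target NIST CSF profile.

Added example for this page, not code from the course or from NIST.
Subcategory identifiers follow the NIST CSF 1.1 naming scheme
(e.g. PR.AC-1); the tier scores and priorities below are constructed.
"""
from dataclasses import dataclass

# The five core functions, keyed by the prefix used in subcategory IDs.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Implementation tiers, from Partial (1) to Adaptive (4).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# A profile maps a subcategory ID to the tier at which its outcome is achieved.
Profile = dict[str, int]


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    priority: int  # 1 = highest mission priority (from the prioritize-and-scope step)

    @property
    def size(self) -> int:
        return self.target - self.current


def function_of(subcategory: str) -> str:
    """Map a subcategory ID such as 'DE.CM-1' to its core function name."""
    prefix = subcategory.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown CSF function prefix in {subcategory!r}")
    return FUNCTIONS[prefix]


def validate_profile(profile: Profile) -> None:
    """Reject IDs outside the five functions and tiers outside 1..4."""
    for subcategory, tier in profile.items():
        function_of(subcategory)
        if tier not in TIERS:
            raise ValueError(f"{subcategory}: tier {tier} is not in {sorted(TIERS)}")


def find_gaps(current: Profile, target: Profile,
              priorities: dict[str, int]) -> list[Gap]:
    """Step six: compare the current and target profiles.

    A subcategory missing from the current profile counts as tier 1
    (Partial), i.e. the outcome is not being achieved yet. Gaps are
    ordered by mission priority first, then by how far the current
    practice is from the target, so the list reads as an action plan.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for subcategory, wanted in target.items():
        have = current.get(subcategory, 1)
        if wanted > have:
            gaps.append(Gap(subcategory, function_of(subcategory), have,
                            wanted, priorities.get(subcategory, 5)))
    gaps.sort(key=lambda g: (g.priority, -g.size, g.subcategory))
    return gaps


def coverage(current: Profile, target: Profile) -> dict[str, tuple[int, int]]:
    """Per function: (target subcategories already met, target subcategories)."""
    met = {name: 0 for name in FUNCTIONS.values()}
    total = {name: 0 for name in FUNCTIONS.values()}
    for subcategory, wanted in target.items():
        name = function_of(subcategory)
        total[name] += 1
        if current.get(subcategory, 1) >= wanted:
            met[name] += 1
    return {name: (met[name], total[name]) for name in FUNCTIONS.values()}


def action_plan(gaps: list[Gap]) -> list[str]:
    """Render gaps as one prioritized action line each."""
    return [f"P{g.priority} {g.subcategory} ({g.function}): "
            f"{TIERS[g.current]} -> {TIERS[g.target]}, {g.size} tier(s) to close"
            for g in gaps]


# Constructed sample data: one tier score per subcategory, not a real assessment.
CURRENT_PROFILE: Profile = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 2,
                            "RS.RP-1": 1, "RC.RP-1": 3}
TARGET_PROFILE: Profile = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3,
                           "RS.RP-1": 3, "RC.RP-1": 3, "PR.DS-1": 2}
PRIORITIES = {"PR.AC-1": 1, "DE.CM-1": 1, "ID.AM-1": 2, "RS.RP-1": 2}

if __name__ == "__main__":
    for line in action_plan(find_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITIES)):
        print(line)
    for name, (met_n, total_n) in coverage(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{name}: {met_n}/{total_n} target outcomes achieved")
```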

• The framework helps guide key decision points about risk management activities through the various levels of an organization: the executive level, the business process level, and the implementation or operations level.

• The executive level communicates mission priorities, available resources, and overall risk tolerance to the business process level, which uses this information as input into the risk management process.

• The business process level collaborates with the implementation or operations level to communicate business needs and create a profile, which is then used to perform an impact assessment.

• The implementation or operations level communicates profile implementation progress to the business process level, which reports the outcomes of the impact assessment to the executive level.

• The organization's overall risk management process is informed by the outcomes of the impact assessment, and the implementation or operations level is made aware of the business impact.

• Cyber security is an evergreen industry: as long as there is an internet, there will be malware, and hence a need for absolute digital protection against it.

• The cyber security industry has a Compound Annual Growth Rate (CAGR) of 13.4 percent.

• Learning cyber security is important due to the growing need for digital protection and the industry's growth rate.

Cybersecurity is an evergreen industry
• The cyber security market is projected to be worth $403 billion US Dollars by 2027, according to Forbes (2021), with the importance of cyber security increasing due to the advent of technologies like big data, machine learning, IoT, and cloud computing.

• Cyber security jobs are always in demand, and there is no chance of a shortfall for those who have gone through professional training in this domain.

• Cyber crimes have cost the world $2 trillion since 2019, with the major drawback being the advancement of technologies such as artificial intelligence.

• Artificial intelligence plays a prominent role in cyber security, as it helps identify systems with weak security or those likely to contain valuable data, but hackers and criminals are also using AI to their advantage.

• Building a security-aware culture is crucial, and it is essential for organizations to initiate and foster a culture of awareness around cyber security issues, making it a part of everyone's job description.

• The Internet of Things (IoT) and cloud security are critical, with devices ranging from smart wearables to home appliances, cars, buildings, alarm systems, and industrial machinery being vulnerable to cyber attacks.

• Cloud security measures need to be continuously monitored and updated to safeguard data, and users must be aware of the risks of errors, malicious software, and phishing attacks.

• To start a career in cyber security, the requirements are basic: all one needs is confidence and a professional background in IT, and the overall eligibility criteria are relaxed around the world.

• Even college students and young professionals can pursue a career in cyber security without worrying, and those without a professional background can proceed with a cyber security certification.

• To become a cyber security professional, one does not need a four-year degree or years of experience; a basic understanding of cyber security is sufficient.

• Mathematics is not a requirement for cyber security training and education, making it accessible to those who struggle with the subject.

• Cyber security professionals work in challenging environments, outsmarting hackers, patching vulnerabilities, and analyzing risks, with continuous study and research required to stay up to date.

• The cyber security industry offers opportunities for personal growth, with horizons expanding across various industries, providing a perfect platform for career growth and learning opportunities.

• Learning cyber security leads to continuous learning, new experiences, and additions to one's skill set, making it an attractive career path.

• Cyber security might be the perfect career path for those who aspire to travel the globe, with thousands of experts working to protect businesses, government agencies, and consumers worldwide.

• The rise of cyber attacks has created a high demand for cyber security professionals, resulting in opportunities to travel overseas and offer their skills.

• With millions of companies across various sectors relying on the internet, the demand for cyber skills is growing fast, making it a gateway to working in various industries, including sports, fashion, media, and emergency services.

• Cyber security professionals have a wide range of job opportunities, including working with prestigious Fortune 500 companies, secret agencies, and top-secret government agencies.

• The potential for career growth in cyber security is vast, with opportunities to work with top-secret government and intelligence agencies for those who prove worthy of their skills.

• Learning cyber security can lead to a career with top-secret agencies such as MI6, Mossad, NSA, and RAW, and can also result in high paychecks, as the world has realized the importance of cyber security with frequent news stories on new cyber attacks.

• The demand for cyber security experts is high, with businesses and government agencies looking for professionals to protect their systems from cyber criminals, and they are willing to pay high salaries and provide training and development.

• Salaries in cyber security have greater growth potential than 90% of other industries, with senior security professionals earning far more than the median, depending on their merits.

• It is never too late to begin a career in cyber security, as people have opted for this profession even after the age of 50, and experts in this field are always in demand, making job security a non-issue.

• One of the top skills required for a cyber security professional is intrusion detection, which involves monitoring a network or system for malicious activities or policy violations and reporting them to an administrator or security center.

• Intrusion detection systems can be classified into network intrusion detection systems and host intrusion detection systems, with the former analyzing incoming traffic and the latter monitoring important operating system files.

• Another important skill for a cyber security professional is knowledge of programming, as it helps defend against hacking techniques and is a sought-after skill in the industry, with languages like JavaScript being useful for both web development and cyber security.

• JavaScript can be used to improve the functionality and security of a website, but it can also be used to produce malicious functions if a hacker takes control of a website, making the JavaScript engineer a crucial role in the cyber security space.

• A JavaScript engineer is expected to foster development processes for API functionalities, design websites and user interfaces, and ensure that security is not compromised, which includes mitigating possible cross-site scripting attacks in web forms and minimizing other technical risks.

• To beat hackers, one needs to think like them, which means having a mindset that can predict the hacker's next move and beat them at their own game, a mindset that is necessary when responding to an actual attack.

• Risk management and risk mitigation are essential skills in cyber security, involving identifying, assessing, and mitigating risks to the scope, schedule, cost, and quality of a project, which can be achieved through a risk management plan, a risk register, and qualitative and quantitative analysis.

• Cloud security is the protection of data stored online via cloud computing platforms from theft, leakage, and deletion, which can be achieved through methods such as firewalls, penetration testing, tokenization, and VPNs; major threats to cloud security include data breaches, data loss, account hacking, and denial of service attacks.

• The demand for cyber security engineers is driven by current and forthcoming trends, including increasing ransomware attacks, with over 120 separate families of ransomware estimated to exist.

Why become a cyber security engineer?
• Ransomware and hackers have become very adept at hiding malicious activity, and remote working poses a new cyber security risk, as home offices are often less protected than centralized offices.

• The evolution of the Internet of Things creates more opportunities for cyber crime, increasing the number of potential entry points for malicious actors.

• The increase in cloud services has led to a rise in cloud security threats, with misconfigured cloud settings being a significant cause of data breaches.

• Social engineering attacks, such as phishing, have become more troubling and widespread, targeting individuals connecting to their employers' networks from home.

• The continued rise of AI presents opportunities for more robust threat detection, but also allows criminals to automate their attacks using data poisoning and model stealing techniques.

• There are over 14,000 job vacancies for cyber security engineers in India and over 15,000 in the US, with major high-tech cities like Bangalore and California having the highest number of vacancies.

• The average salary of a cyber security engineer is 6 lakh per annum in India and $101,580 per annum in the US.

• Companies like IBM, Deloitte, TCS, Oracle, Cognizant, Accenture, and Amazon have a huge demand for cyber security engineers.

• A cyber security engineer is a professional responsible for maintaining the security aspects of computer and networking systems, designing and implementing secure networking solutions, and monitoring and troubleshooting.

• Cyber security engineers help organizations by assessing security requirements, setting up best practices and standards, developing and deploying security measures, and conducting regular testing and scanning to identify vulnerabilities.

Who is a cybersecurity engineer?
• A cybersecurity engineer performs regular penetration testing and takes an active role in the change management process.

• The job description for a cybersecurity engineer at Vodafone includes following the cybersecurity baseline to deliver tasks, supporting the team in technical operations, and detecting, identifying, and responding to cyber events, threats, risks, and vulnerabilities.

• The job description for a cybersecurity engineer at Visa includes implementing and continuously improving effective security controls, ensuring the correct functioning of server security technologies, and working with vendors to implement product updates and bug fixes.

• To become a cybersecurity engineer, one must be familiar with skills such as programming languages, operating systems, networking fundamentals and protocols, security aspects, web development, and CI/CD tools.

• A cybersecurity engineer should also be familiar with tools such as Jenkins, Travis CI, GitLab, Shodan, Maltego, Netcraft, and others.

• The roles and responsibilities of a cybersecurity engineer include planning and implementing security measures for systems and networks, troubleshooting security and network problems, and ensuring the protection of an organization's data and infrastructure.

Roles and responsibilities of a cyber security engineer
• Cyber security engineers are involved in daily administrative tasks, regular testing to identify network and system vulnerabilities, and responding to security breaches.

• To become a cyber security engineer, one needs to follow a roadmap that includes having basic knowledge of programming languages such as Python, Perl, C++, Java, and PowerShell, working on operating systems like Windows, macOS, Linux, and Kali Linux, and understanding networking fundamentals and protocols.

• Additionally, knowledge of security aspects, web development skills, and hands-on experience with tools like Jenkins, GitLab, and Travis CI are required.

• To start a career in cyber security, one can check the Edureka YouTube channel and blog for related sessions and certification training programs.

• Due to the frequency of cyber attacks, careers in cyber security are in demand, and qualified professionals can explore various job titles such as security analyst, security engineer, security specialist, incident responder, vulnerability assessor, security architect, security administrator, cryptographer, security director, security consultant, security manager, and security auditor.

• To start a career in cyber security, one needs to earn a bachelor's degree in cyber security or a related field like information technology or computer science, with coursework in programming, statistics, ethics, and computer forensics.

• Prospective students should choose an accredited cyber security degree program that aligns with their interests and career goals.

• To pursue a career in cyber security, one should complete advanced training, and some employers may require candidates to hold an advanced degree, such as a master's degree in cyber security, which takes an additional one to two years to complete after the bachelor's degree and provides advanced instruction in protecting computer networks and electronic infrastructures from attacks.

• Cyber security professionals can also earn certifications to boost their skills while working full-time to gain hands-on experience, and they need to pass a security clearance, which is necessary for those who wish to work with classified information.

• The security clearance process, which takes three months to a year, involves submitting clearance documentation followed by a background investigation, and does not begin until an employer decides to hire the candidate.

• New cyber threats appear constantly, creating new and innovative career opportunities in cyber security, and professionals can find employment in a wide range of industries, from governments to banks to hospitals.

• Some common career paths in this field include the Chief Information Security Officer (CISO), who oversees the general operations of a company or organization's IT security division and is responsible for planning, coordinating, and directing all computer network and data security needs.

• CISO positions normally require at minimum a bachelor's degree in cyber or information security, information technology, or another computer science-related subject, and most mid-size or large organizations prefer their CISOs to hold a master's degree.

• Another career path is the Forensic Computer Analyst, who reviews computer-based information for evidence following a security breach or other incident, and must be sensitive to the security concerns of their employers or clients and closely follow all privacy procedures.

• Employment as a Forensic Computer Analyst normally requires a bachelor's degree in a relevant field, such as computer science or information technology, and involves handling hard drives and other storage devices, employing specialized software programs, identifying vulnerabilities, and recovering data from damaged or destroyed devices.

• To work in the field of computer security, a bachelor's degree in computer security or a related subject is typically required, and previous experience may also be necessary depending on the company.

• An Information Security Analyst (ISA) is responsible for protecting an organization's computer systems and networks, and must continuously stay on top of the latest industry trends and cyber threats.

• ISAs need to earn a bachelor's degree in computer science or a related area, and there is a growing trend towards undergraduate degree programs specializing in the information security field.

• Some employers, particularly large corporations or organizations, may prefer job candidates with an MBA in Information Systems.

• A Penetration Tester is given permission to hack into a computer and network system to preemptively discover vulnerabilities, and must be highly creative in their methods.

• Penetration Testers typically earn a bachelor's degree in information technology or cyber security, and many employers require applicants to have relevant professional certifications.

• A Security Architect is responsible for establishing and maintaining network security for their organization, and they work in all sectors of the economy.

• Security Architects develop and implement organizational security policies and procedures, and they are responsible for the hands-on repair of the issues raised.

• A job as a Security Architect normally requires a bachelor's degree in information security, information technology, or computer science, and some previous work experience is often required.

• The demand for skilled cyber security professionals has resulted in high wages and excellent benefits for qualified applicants.

• Cyber security careers offer various job roles with different salaries, such as a Chief Information Security Officer (CISO) earning around $143,000 a year, a Security Director earning around $120,000 a year, and an IT Security Consultant earning around $80,000 a year.

• To have a cyber security profession, one needs to possess core skills, including strong written and verbal communication skills to communicate clearly and concisely with clients and executives.

• Cyber security professionals must be able to work in a team environment, a crucial skill for almost any profession, and have a clear understanding of their responsibilities and how they integrate into the whole team.

• Integrity and discretion are also necessary, as working in the cyber security field requires sensitivity to an organization's security vulnerability issues and the ability to tackle those issues in a way that engenders trust.

• Organizational and problem-solving skills are essential, as the cyber security business involves a large amount of complex data, and a professional must develop solid organization and problem-solving skills to avoid being overwhelmed by the job.

• Programming skills are required, as a variety of scripts and programming tools are often needed to design effective cyber security programs.

• A good understanding of security principles, such as the CIA triad (confidentiality, authentication, and privacy), access controls, and other concepts, is necessary for a cyber security professional.

• Risk analysis is a critical skill, as cyber security personnel must be able to assess a client's particular security needs in light of its organizational goals, which requires knowledge of risk analysis principles.

• Network protocols must be well understood, as cyber security professionals often deal with them, and they must be able to distinguish malicious code from good code and understand how it propagates and the associated risks.

• Knowledge of intruder techniques is also necessary, as analyzing attacks requires recognizing known intruder techniques and characteristics, and identifying new and future techniques by eliminating the known ones.

• Cyber security experts use various software programs to protect against hackers, viruses, and other threats, and some of the most pressing areas of cyber security technology include access management, third-party identity and access tools, and botnet protection.

• Cloud-based security is necessary due to the increasing amount of information being moved to the cloud, and various cloud-based security tools are available for network protection, data encryption, and data leak prevention.

• Data encryption tools provide added security for data being transferred, and data leak prevention tools ensure system information is secure from intruder access.

• Endpoint protection tools address security issues for endpoints such as PCs, mobile devices, networks, and connected printers, servers, and peripheral devices.

• Intrusion protection tools prevent attacks from viruses and malware designed to harm both software and hardware.

• Next-generation firewalls provide additional capabilities compared to traditional firewalls, such as integrated intrusion protection, stateful inspection, and application and identity awareness.

• Wireless security provides WEP or WPA security for data transmitted over wireless connections.

• There is a distinct shortage of cyber security professionals, particularly those with data science skills, resulting in many computer science workers considering employment in cyber security.

• Job growth for information security analysts is projected to be 37% from 2012 to 2022, compared to 18% for all computer occupations and 11% for occupations as a whole.

• Cyber crime continues to be a significant and growing problem worldwide,


contributing to the robust job growth in cyber security .

• Various cyber security job titles are emerging, including computer and
information research scientists, computer and information system engineers,
computer hardware engineers, computer network architects, computer network
support specialists, and computer programmers .

• Computer and information research scientists require a doctorate in computer


science and have a salary of around $102,000 with a 15% growth rate .

• Computer and information system engineers require a bachelor's in computer


science or IT and have a salary of around $120,000 with a 15% growth rate .

• Computer hardware engineers require a bachelor's degree in computer science


engineering and have a salary of around $100,000 with a 7% growth rate .
• Computer network architects, computer network support specialists, and computer
programmers require a bachelor's degree in computer science or related fields and
have salaries ranging from $75,000 to $91,000 .

How to choose the right cybersecurity certification?

• To determine the most relevant certifications in cyber security, it's essential to research the job market and identify the positions that employers are seeking to fill in a specific geographical area, which can be done by searching job posting sites such as Monster using various certificate acronyms.

• C and C++ are two of the top programming languages to consider when learning cyber security, with C being one of the oldest programming languages, developed in the early 90s and mainly used for developing software like operating systems, databases, and compilers.

• C++ is a general-purpose programming language and an extension of C, used for developing operating systems, browsers, games, and more, making it an excellent language to learn for programming beginners.

• Both C and C++ are low-level programming languages that provide low-level access to hardware such as RAM and system processing, making them essential for cyber security professionals to know, as they are often exploited by hackers if not protected.

• C and C++ are useful in cyber security for reverse engineering, finding vulnerabilities, and reading and understanding open-source code, with many cyber security programs, such as Nmap, being created using C++.

• Python is a general-purpose, object-oriented, high-level programming language that is widely used due to its versatility, making it an ideal language for complex application development and suitable for general-purpose tasks like data management and big data facilities.

• Python is a useful programming language for cyber security professionals, enabling them to perform various cyber security functions like malware analysis, penetration testing, and scanning, with extensive libraries available for implementing projects quickly.

• Python can be used to accomplish multiple tasks such as host discovery, accessing servers, port scanning, and network scanning, helping cyber security professionals keep up with their tasks.

• JavaScript is one of the most popular and widespread programming languages, widely used for web development, and its growth has been further enhanced by frameworks such as jQuery, Angular, and React.js.

• JavaScript is a powerful language that helps programmers build front-end and back-end software using different JavaScript-based frameworks, and its usage has extended to mobile application development, desktop app development, and game development.

• Proficiency in JavaScript can ensure that a website is secure enough to reduce or eliminate web-based attacks, making it one of the best cyber security programming languages to learn.

• JavaScript enables the design of secure websites and user interfaces by mitigating cross-site scripting attempts and minimizing technical risks, and also allows for working with cookies and event handlers.

• PHP is a server-side programming language used to develop websites, with 80% of the top 10 million websites using it, making it the most dominant server language on the web.

• Knowledge of PHP enables defense against intruders, including protection against denial of service (DoS) attacks, which attempt to make web applications unavailable to users.

• PHP can also be used to delete data on a website if the site is not built carefully, but learning the language can help identify and solve vulnerabilities in the code.

• SQL is a domain-specific language used for managing data stored in databases, and is a sought-after language for managing databases in data-driven organizations.

• SQL enables access to records or data with a single command, and is used to retrieve data from databases, but can be exploited by hackers using SQL injection to steal sensitive data.

• Learning SQL can help make databases more secure, and is beneficial to security professionals, as SQL injection is a top threat to web application security.

• There is no one "best" programming language for security, and any language can be ideal as long as a proper cyber security strategy is created.

• To gain hands-on experience with cyber security concepts and principles, projects such as keyloggers can be worked on.

Keylogger

• A keylogger, short for keystroke logger, is software that records every keystroke made on a system, allowing hackers to obtain private information such as net banking credentials, account user IDs, and passwords.

• Keyloggers have become more sophisticated over time, making them harder for antivirus software to detect, and they can be a topic for a project, such as developing a keylogger or finding ways to spot and detect keyloggers on a system.

• A potential project idea is to develop a keylogger that can capture keystrokes on a virtual keyboard, or to research different ways to detect keyloggers by reverse engineering them.

• Another project idea is to break a Caesar Cipher, a type of encryption method that replaces a letter with another letter a fixed number of positions down the alphabet.

• A Caesar Cipher project could involve building a small web app that can break or decipher encrypted text, which would be a great project for beginners in cybersecurity.

• Packet sniffing, also known as network traffic analysis, is the process of capturing and analyzing data packets sent across the internet and on a network, and can be a project idea for those learning cybersecurity.

• Packet sniffing projects should be done with permission from the network administrator, especially if using an organization's or institute's network.

• SQL vulnerability assessment, specifically SQL injection, is another important topic in cybersecurity and can be a project idea, as many websites have been hacked using SQL injection over the years.

SQL Vulnerability assessment

• A project on injection attacks, specifically SQL injection, can add significant value to a portfolio, as it is a type of attack that allows hackers to execute malicious SQL statements.
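As an added example for the SQL injection project described above (written here, not part of the course), the same login lookup is built once by splicing input into the SQL text and once as a parameterized query, run against a constructed in-memory SQLite table; the difference shows when the password field carries a quote.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table for the demo (real systems store password hashes, not passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret-pass"), ("bob", "another-pass")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Injectable form: user input becomes part of the SQL text, so a quote in the
    input changes the statement's structure instead of being compared as data."""
    query = (
        "SELECT 1 FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders keep the SQL fixed and the driver binds the values,
    so whatever the input contains is compared as a string, never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both versions with a normal login and with a tautology in the password field."""
    conn = make_demo_db()
    injected = "' OR '1'='1"  # the textbook tautology the page refers to
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret-pass"),
        "vulnerable_injected": login_vulnerable(conn, "alice", injected),  # check bypassed
        "safe_valid": login_safe(conn, "alice", "s3cret-pass"),
        "safe_injected": login_safe(conn, "alice", injected),  # just a wrong password
        "safe_wrong_password": login_safe(conn, "alice", "guess"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'login accepted' if accepted else 'login rejected'}")
```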

• Cryptography is the process of converting ordinary plain text into encoded text, allowing only authorized individuals to access the information, and it can also be used for authentication.

• Cryptography protects data from theft and alteration, and it is a method of storing and transmitting data in a particular form.

• A scenario is presented where two people, A and B, are trying to have a conversation over an unsecured network, and an intruder is intercepting their communication.

• To prevent the intruder from accessing the conversation, A encrypts the message, for example, converting "hello" to "olleh", and sends it to B, who can then decrypt the message by reversing it.

• The intruder, who does not have the key to decrypt the message, is unable to access the information.

• A system is proposed where two servers will be used to send encrypted messages, with one server encoding the message and sending it to both the intruder and the intended recipient, who will have the key to decrypt the message.

• The system will be implemented using Python network programming, with three files created: server one, hacker one, and client one, representing the sender, intruder, and recipient, respectively.

• A server is set up with a message input field, where users can enter their message, and a small prompt asking them to enter their message will be displayed.

• An encryption algorithm is designed to encrypt the input message, where each letter of the alphabet is replaced by a different character, for example, 'a' becomes '!', 'b' becomes ' ' (a space), 'c' becomes '9', and so on.

• A key is defined, which includes all letters from 'a' to 'z', the digits 0 to 9, a space, and an exclamation mark, to increase the complexity of the code.

• A dictionary is created to map each character to its encrypted equivalent, where the replacement characters are taken from the key string in reverse order.

• The dictionary is populated using the zip function, which pairs each character of the key with its encrypted equivalent.

• The dictionary is printed to show how it looks, with each character mapped to its encrypted equivalent.

• The message is encrypted using the dictionary, where each character in the message is replaced by its encrypted equivalent, and the encrypted message is printed.

• The encryption process uses a list comprehension and the join function to create the encrypted message.

• The encrypted message is created by iterating over each character in the input message and replacing it with its encrypted equivalent using the dictionary.

• The message is encrypted using a Caesar Cipher algorithm, which replaces each letter with a different letter a fixed number of positions down the alphabet, and spaces are replaced with exclamation marks.

• The encryption process is case-sensitive, so the message must be converted to lowercase using the 'lower()' method to avoid errors.

• The encrypted message is unreadable to anyone without the decryption key, which is used to reverse the encryption process.

• The decryption process uses a dictionary to map the encrypted characters back to their original values, with the key and value pairs reversed compared to the encryption dictionary.

• The decryption process works in the same way as the encryption process, but with the key and value pairs reversed.

• The encryption and decryption processes can be used to secure sensitive information, such as credit card details and personal data.

• To make the Caesar Cipher algorithm more secure, an additional encryption key or algorithm can be added, making it more difficult for unauthorized parties to access the encrypted data.

• A server can be created to facilitate secure communication between multiple parties, with each party having their own encryption and decryption keys.

• To implement a sender in a network, the socket library needs to be imported to send data over a server.

• A message is required to be sent, which can be obtained by asking the end user for input, and this message is stored in the variable 'message' or 'MSG'.

• To pass the message through a server, an instance of a socket is created using 's = socket.socket()'.

• The socket instance is then bound to a tuple containing the hostname and a port number using 's.bind()'.

• The 'listen()' method is used to listen for incoming connections, and the 'accept()' method is used to accept incoming connections and return the address and the connection object needed to send a message.

• To send a message, the 'send()' method is used, but before sending, the message is encrypted using a key and a dictionary.

• The key is defined as a string of numbers, spaces, and special characters, and the value is the reverse of the key.

• The message is encrypted by replacing each character with its value in the dictionary, using a list comprehension and the 'join()' method.

• The encrypted message is then sent using the 'send()' method.

• A receiver script and a hacker script will be created, with the code for both being almost the same but with a few differences.

• The receiver end will import the socket library and have an encryption key, with two layers of security: the encryption key size and the encryption key itself.

• The first layer of security checks whether the decryption key length equals the number of letters (26) plus numbers (10) and special characters (4), totaling 40.

• If the length is correct, the user will be prompted to enter the decryption key, and if it is correct, the message will be received.

• A socket object will be created using the socket.socket() method, and the connect method will be used to pass a tuple containing the hostname and port number.

• The port number should match the one used earlier, and a random port number can be used for now.

• The received message will be decrypted using a decryption algorithm, which involves creating a dictionary with the decryption key values and keys.

• The message will be decoded as UTF-8, and the decryption algorithm will convert the message back to its original form.
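The sender and receiver described in the bullets above, written as one added example for this page (not the course's own server, client and hacker files): the key-reversal substitution table, the 'lower()' step, the bind/listen/accept/send side and the connect/recv/decode/decrypt side, run against each other on the loopback interface. The key string (38 characters here) and the sample message are constructed.

```python
import socket
import threading

# Constructed key following the page's description: a-z, 0-9, a space and an exclamation mark.
KEY = "abcdefghijklmnopqrstuvwxyz0123456789 !"
# The cipher alphabet is the key reversed, which gives 'a' -> '!', 'b' -> ' ', 'c' -> '9'.
ENCRYPT_TABLE = dict(zip(KEY, KEY[::-1]))
# Decryption uses the same pairs with key and value swapped.
DECRYPT_TABLE = {cipher: plain for plain, cipher in ENCRYPT_TABLE.items()}


def encrypt(message: str) -> str:
    """Substitute each character via the table; the table is lowercase only, so lower() first."""
    message = message.lower()
    unsupported = sorted(set(message) - set(ENCRYPT_TABLE))
    if unsupported:
        raise ValueError(f"characters not covered by the key: {unsupported}")
    return "".join(ENCRYPT_TABLE[ch] for ch in message)


def decrypt(ciphertext: str) -> str:
    """Reverse the substitution using the swapped table."""
    return "".join(DECRYPT_TABLE[ch] for ch in ciphertext)


def key_is_valid(candidate: str) -> bool:
    """Receiver-side check in two layers, as on the page: key length first, then the key itself."""
    return len(candidate) == len(KEY) and candidate == KEY


def serve_one_message(listener: socket.socket, message: str) -> None:
    """Sender side: accept a single connection and send the encrypted message as UTF-8 bytes."""
    try:
        conn, _addr = listener.accept()
    except OSError:  # listener was closed before anyone connected
        return
    with conn:
        conn.sendall(encrypt(message).encode("utf-8"))


def receive_message(address: tuple[str, int], candidate_key: str) -> str:
    """Receiver side: validate the key, connect, read to EOF, decode UTF-8, then decrypt."""
    if not key_is_valid(candidate_key):
        raise PermissionError("decryption key rejected")
    chunks = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect(address)
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return decrypt(b"".join(chunks).decode("utf-8"))


def exchange(message: str, candidate_key: str = KEY) -> str:
    """Run sender and receiver on loopback in one process and return the receiver's plaintext."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 lets the OS choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    sender = threading.Thread(target=serve_one_message, args=(listener, message), daemon=True)
    sender.start()
    try:
        return receive_message(("127.0.0.1", port), candidate_key)
    finally:
        listener.close()
        sender.join(timeout=5)


if __name__ == "__main__":
    print("on the wire:", encrypt("hello world"))  # what the intruder sees
    print("received   :", exchange("Hello World"))
```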

Top Cyber attacks in history

• Adobe was attacked, resulting in the theft of around 40 GB of source code, including the entire source code of ColdFusion and parts of the source code of Adobe Acrobat Reader and Photoshop, but fortunately, customer banking data was not stolen due to high-quality encryption.

• Target, the second-largest US discount retailer chain, was the victim of a large-scale cyber attack in December 2013, resulting in the hijacking of data from about 110 million customers, including the banking data of 40 million customers and personal data, and the company ultimately had to pay over $18 million as a settlement.

• Sony's PlayStation Network was attacked in April 2011, resulting in the leakage of personal data of 77 million users and banking information of tens of thousands of players, and the company paid around $15 million in compensation and had to refund people whose bank accounts were illegally used.

• Equifax, an American credit company, suffered a cyber security attack in 2017, resulting in the theft of personal data, including names, dates of birth, social security numbers, and driver's license numbers, of about 143 million American, Canadian, and British customers, as well as 200,000 credit card numbers.

• In South Korea, data from about 100 million credit cards and 20 million bank accounts were stolen over several years, and the theft was carried out by an employee of a South Korean credit bureau who stole personal information from customers of credit card companies and resold it to credit card traders and telemarketing companies.

• Marriott Hotels suffered a cyber attack, resulting in the compromise of information of about 500 million guests, including banking details, dates of birth, and other information, and the hacking had been taking place since 2014 but was only spotted in September 2018.

• Ransomware attacks have become a prominent cyber security challenge, with 82% of India's organizations hit by ransomware attacks in the last six months, and these attacks involve hacking into a user's data and preventing them from accessing it until a ransom amount is paid.

Cybersecurity challenges

• The Internet of Things (IoT) attack is a significant challenge in the field of cyber security, with an estimated 106 billion IoT devices in 2021, which can autonomously transmit data over a network, and examples of IoT devices include desktops, laptops, mobile phones, and smart security devices.

• As the adoption of IoT devices increases at an unpredictable rate, attacking these devices can result in the compromise of sensitive user data, making safeguarding IoT devices one of the biggest challenges in the cyber security domain.

• Cloud attacks are another challenge in cyber security, where hackers steal user data from cloud platforms, and a notable example is the infamous iCloud attack that exposed private photos of celebrities.

• Phishing attacks are a type of social engineering attack used to steal user data, including login credentials or credit card numbers, and are prevalent among hackers as they can exploit the user's data until the user finds out about it.

• The future of cyber security is alarming, with the rate of cyber crime increasing rapidly, and while every business is in its own unique stage of digital transformation, security should be considered the topmost priority.

• Cyber security professionals will be in high demand, and the need for skilled professionals is dire, as new attacks are being devised that are more harmful than the previous ones.

• The integration of artificial intelligence with cyber security tools and techniques is expected to improve security expertise and the analysis, study, and understanding of cyber crime.

• Automation in cyber security is also expected to increase, allowing for the constant search for threats and the deployment of immediate remedies.

• Hacking is the process of finding vulnerabilities in a system and using these vulnerabilities to gain unauthorized access to the system to perform malicious activities, but it can be legal if done with permission.

• Computer experts are often hired by companies to hack into their systems to find vulnerabilities and weak endpoints, which is done as a precautionary measure against hackers with malicious intent.

• Ethical hackers are known for the process of ethical hacking, where they hack into a system with prior permission to find vulnerabilities and fix them before malicious individuals can exploit them.

• White hat hackers, also known as ethical hackers, hack into a system with prior permission to find vulnerabilities and fix them before malicious individuals can exploit them.

• Black hat hackers, also known as crackers, hack into a system without permission to gain unauthorized access, harm its operations, or steal sensitive information, and their actions are illegal.

• Gray hat hackers are a blend of black hat and white hat hackers, acting without malicious intent but for their own fun, exploiting security weaknesses in computer systems or networks without the owner's permission or knowledge.

• Suicide hackers work with the intent to bring down major corporations and infrastructure, often motivated by vengeance, and are also known as hacktivists who utilize technology to announce social, ideological, or political messages.

• Hacktivism often involves website defacement or denial of service attacks, and is used to announce social, ideological, or political messages.

Types of hacking

• Hacking can be segregated into different types depending on what the hacker is trying to achieve, including computer hacking, password hacking, email hacking, network hacking, and website hacking.

• Computer hacking involves stealing a computer's ID and password to gain unauthorized access to a computer system.

• Password hacking is the process of recovering secret passwords from data stored in or transmitted by a computer system.

• Email hacking includes gaining unauthorized access to an email account and using it to send out spam links, third-party threats, and other harmful activities.

• Network hacking means gathering information about a network using tools like telnet, nslookup, ping, tracert, or netstat, with the intent to harm the network system or hamper its operations.

• Website hacking involves taking unauthorized control over a web server and its associated software, such as a database and other interfaces.

• The first phase of ethical hacking is reconnaissance, which involves collecting information about the target to understand how to hack it.

• Reconnaissance is similar to an army chief gathering information about an enemy lair before launching a surgical strike.

• In the reconnaissance phase, an ethical hacker collects basic information about the target, such as its IP address, IP address range, location, and surroundings.

• The IP address of the target is essential to identify the system in the network, and the IP address range is necessary to check the security of multiple systems in an organization.

• When conducting reconnaissance, it's essential to gather basic information about the target, including the organization or network architecture, DNS records, and other relevant details.

• The first tool used for reconnaissance is a search engine, such as Google, Yahoo, or Bing, to gather information about the target by searching for its name.

• Using a search engine can provide the URL of the target website, which can then be used to find other information such as the IP address and IP address range.

• Another popular tool for reconnaissance is nslookup, a DNS querying tool used to get the domain name to IP address mapping of the target.

• Nslookup can provide information such as the domain name, IP address mapping, and IP address range.

• Whois lookup is a browser-based query and response tool used to get the registration and delegation details of the target.

• Whois lookup can provide information such as the website's registration details, contact information, and other relevant data.

• The information gathered through reconnaissance plays a vital role in the next phase of ethical hacking, which is scanning.

• Scanning involves gathering more detailed information about the target, such as identifying potential entry points, to develop a strategy for the attack.

• Scanning is essential to determine which points of the target can be entered from and whether these points are vulnerable.

• In the context of ethical hacking, scanning refers to the phase where weak points on a target system or network are identified, allowing hackers to attempt to breach the target, similar to how a building is scanned for safe entry points in a physical attack.

• The goal of scanning is to gather information about active ports and hosts, services being run on the target, and vulnerable applications and operating systems.

• Active ports and hosts are those that are live and running on the system, making them potential targets for hacking.

• Services being run on the target may include security services like firewalls and intrusion detection, which hackers need to be aware of to avoid detection.

• Vulnerable applications and operating systems are those that are unpatched or outdated, providing potential security loopholes for hackers to exploit.

• Popular tools used for scanning include OpenVAS, an open-source framework for vulnerability scanning and management.

• Nikto is a command-line vulnerability scanner that scans web servers for dangerous files, CGIs, and outdated services.

• Wireshark is a tool used for wireless networks, providing information about the network as an open-source packet analyzer.

• Nessus is a powerful tool that provides high-performance data capture and offers various types of scans depending on the target or system.

• Exploitation is a phase in ethical hacking where the hacker takes advantage of weaknesses and loopholes found on the target system or network and runs appropriate tools to hack the target.

• The first step in exploitation is selecting the right attack, depending on the target's weaknesses, and then launching the attack to gain access.

• Popular tools used for exploitation include BeEF, which leverages browser vulnerabilities, Metasploit, which has hundreds of scripts to hack with, and SQLmap, which automates the detection and exploitation of SQL injection flaws.

• Maintaining access is a phase in ethical hacking where the hacker maintains a connection to the target system, allowing for direct access later without having to start the attack from scratch.

• Maintaining access involves installing software or making changes on the target system after it has been hacked, such as installing backdoors to bypass login or authentication, or creating new users with new usernames and passwords.

• The goal of maintaining access is to ensure control over the target system and prevent the enemy from occupying it again, similar to a surgical strike.

• Maintaining access to a target system can be achieved through various methods, including escalating privileges to run system commands or services, installing rootkits to enable access, and using Trojans.

• Popular tools used for maintaining access include PowerSploit, a Windows-based tool that connects to the victim's PowerShell to run system commands, and Weevely, a PHP-based tool used to install stealth backdoors or manage web accounts.

• DNS2TCP is a network tool that relays TCP connections through DNS traffic, allowing hackers to maintain access to a target system.

• Covering tracks is a crucial phase in ethical hacking, where the hacker erases all details regarding their identity and the exploit to prevent the target from tracing back the hacker's identity.

• Methods for covering tracks include clearing cache and cookies, tampering with log files to delete evidence of unauthorized login, closing ports, and stopping services that were started to install backdoors or rootkits.

• The final phase of ethical hacking is reporting: in the surgical-strike analogy, this is where all the evidence and clues gathered during the strike are documented, and in ethical hacking it involves reporting the vulnerabilities found to the target system's administrators.

What is Kali Linux?

• Kali Linux was released on March 13, 2013, as a complete rebuild of BackTrack Linux, adhering to Debian development standards, and is specifically tailored to the needs of penetration testing professionals.

• Kali Linux is a Linux distribution that comes pre-loaded with a large collection of penetration testing software, saving time for penetration testers, and there are a number of reasons to use it.

• There are over 600 penetration testing tools included in Kali Linux, each serving a specific purpose; they are not duplicates or useless tools.

• Kali Linux is free and always will be, like BackTrack, and is completely free of charge.

• Kali Linux is committed to the open-source development model, and the development tree is available for all to see, with all source code available for anyone who wants to tweak or rebuild packages.

• Kali Linux has wide-ranging wireless device support, being built to support as many wireless devices as possible, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.

• Kali Linux allows users to customize it to their liking, all the way down to the kernel, and has custom kernels patched for injection, making it suitable for penetration testers who need to do wireless assessments.

• The video will cover topics such as command-line essentials, staying anonymous using proxies and Kali Linux, and using tools like MAC changers.

• The realm of wireless penetration testing will be explored, including tools like Aircrack-ng and testing how to brute force WPS pins, as well as router vulnerabilities and other miscellaneous topics.

• The video will take a hands-on approach to learning how to use things in Kali Linux, with a focus on practical work, and encourages viewers to download and install Kali Linux on a virtual machine or as a dual boot.

• The video will cover command-line essentials, including theoretical aspects such as MAC addresses and proxy chains, which will be taught through PowerPoint presentation slides.

• The course will not cover the entirety of Kali Linux, but rather focus on interesting topics that can cause damage if done without permission, and viewers are warned that damage can come with repercussions, including arrest.

• Viewers are encouraged to follow along with the video and participate in the practical work, with the assurance that they will have fun and learn a lot.

• The video will not teach viewers how to install Kali Linux, as there are already many videos available that cover this topic.

Hands-on in Kali Linux

• The Linux terminal is a powerful tool that allows users to move around the operating system, create files, change permissions, and perform various other tasks, making it a crucial tool for ethical hackers.

• Ethical hackers typically work with a Linux distribution, such as Kali Linux or Parrot OS, due to its powerful networking analysis and scanning capabilities.

• The first essential step for an ethical hacker is to know how to use the Linux terminal, which is the primary tool available to them.

• The cd command is used to change directories, and the pwd command is used to print the current working directory.

• The nano command opens a command-line text editor, which is a useful tool for ethical hackers as it saves time and allows them to work efficiently within the command line.

• The nano editor can be used to create and edit files, and it provides most of the functionality of a GUI editor.

• The list of commands to be covered includes ls, which is used to list files, as well as cd and pwd, which have already been discussed.

• The Unix commands to be covered include cp, mv, cat, less, grep, echo, touch, mkdir, chown, chmod, and rm, with the last being one of the most dangerous commands.

• In nano, the Ctrl+G shortcut is used to get help, while Ctrl+O is used to save a file.

• Saving a file involves pressing Ctrl+O, naming the file, and then exiting.

• The ls command is used to show the list of files in a directory, and it can also show the files in a specific directory by specifying the path.

• The ls command has various flags that can be used to customize its output, which can be viewed by using the --help flag.

• The -a flag with the ls command is used to show hidden files, while the -l flag is used to show a long list with more information.

• The long-list output of the ls command shows information such as permissions, ownership, file size, creation time, and file name.

• The -a flag with the ls command also shows the current directory (.) and the parent directory (..), which are hidden entries.

• The cd command cannot be used to move into the current directory (.) or the parent directory (..).

• Hidden files are not visible to ordinary users and can be used to store sensitive information.

• The ls command can be used with the -a flag to show hidden files, and the command to do this is ls -la.

• To view the contents of a file, the file name can be typed in the terminal, and the contents will be displayed, for example, list.txt.

• The cp command is used to copy files from one location to another, and the syntax is cp filename destination.

• Flags are used in Linux commands, and the -v flag is used for verbose output, which shows the progress of the command, for example, cp -v filename destination.

• The cp command leaves a copy of the file in the original directory, while the mv command moves the file completely to the new location.

• The mv command can be used with various options, including the verbose option, suffixes, and forcing the move without prompting for permission.

• The help option can be used to view the options and syntax for a specific command, for example, mv --help.

• The command-line interface can be navigated using various commands, and previously used commands can be cycled through using the up and down arrow keys.

• The 'mv' command is used to move or rename files, and it can be used with the 'verbose' option to show the changes being made.

• The 'ls' command is used to list the files in a directory, and it can be used to verify that a file has been moved or renamed.

• The 'cd' command is used to change directories, and it can be used to navigate to a specific directory.

• The 'clear' command is used to clear the terminal window, removing clutter from the screen.

• The 'cat' command is used to print the contents of a file to the terminal so they can be viewed.

• The 'less' command is used to view the contents of a file in a separate screen, keeping the main command-line interface clutter-free.

• The 'q' key is used to exit the 'less' command and return to the main command-line interface.

• The 'grep' command is used to filter the contents of a file, and it can be used to search for specific text within a file.

• The pipe symbol '|' is used to chain commands, so that the output of one command can be filtered by another command.

• The 'grep' command can be used in conjunction with other commands to filter and search for specific text within a file.

• The cd command is used to navigate through directories, and the ls command is used to list the files and directories in the current directory.

• The cat command is used to display the contents of a file, and the grep command is used to search for specific text within a file.

• The grep command can be pipelined to filter the output and display only specific results.

• The echo command is used to output text to the screen, and it can also be used to write text into a file.

• The touch command is used to quickly create files, and it can be used to create multiple files at once.

• The mkdir command is used to create directories, and it can be used to create a directory and then move into it using the cd command.

• The cd command can be used with the .. notation to move back to the parent folder.

• The cat command can be used to display the contents of a file, and the chmod command is used to change the permissions of a file.

• The chown command is used to change the ownership of a file, but it may not be
demonstrated in this context due to the absence of multiple users in the virtual
setup .
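The bullets above are shell commands typed at a terminal. As an added example, not part of the course, the same facts (dotfiles are hidden only by name, the permission string is what actually controls access, chmod 600 closes it down) are checked below with Python's os and stat modules in a throwaway directory, so the claims can be verified without touching a real system. The file names and contents are constructed for the demo.

```python
"""Added example (not from the Edureka course): the file-system facts behind
`ls -la`, `chmod` and dotfiles, checked with Python's os/stat in a scratch
directory created by tempfile."""
import os
import stat
import tempfile


def make_scratch() -> str:
    """Constructed sample tree: one ordinary file and one dotfile."""
    root = tempfile.mkdtemp(prefix="lsdemo-")
    with open(os.path.join(root, "list.txt"), "w") as f:
        f.write("alpha\nbeta\n")
    with open(os.path.join(root, ".secret"), "w") as f:
        f.write("db_password=hunter2\n")  # constructed, deliberately weak
    return root


def visible_names(root: str, show_all: bool = False) -> list:
    """What `ls` (show_all=False) or `ls -a` (show_all=True) would print.
    Hiding is purely a naming convention: the dotfile is still on disk."""
    names = sorted(os.listdir(root))
    if show_all:
        return [".", ".."] + names
    return [n for n in names if not n.startswith(".")]


def mode_string(path: str) -> str:
    """The first column of `ls -l`, e.g. '-rw-r--r--'."""
    return stat.filemode(os.stat(path).st_mode)


def world_readable(path: str) -> bool:
    """True if the 'other' read bit is set, i.e. any local user can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def lock_down(path: str) -> str:
    """`chmod 600 path`: only the owner may read or write. Returns the new mode string."""
    os.chmod(path, 0o600)
    return mode_string(path)


def demo() -> dict:
    root = make_scratch()
    secret = os.path.join(root, ".secret")
    os.chmod(secret, 0o644)  # the usual default under umask 022
    return {
        "ls": visible_names(root),
        "ls -a": visible_names(root, show_all=True),
        "before": mode_string(secret),
        "readable_by_others_before": world_readable(secret),
        "after": lock_down(secret),
        "readable_by_others_after": world_readable(secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>28}: {value}")
```

Run it and the dotfile disappears from the plain listing but reappears under `ls -a` with mode `-rw-r--r--`, readable by every local account; only the chmod call changes that.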

What is a proxy chain?


• Proxychains routes the traffic of any program through a chain of proxies, so in
combination with Tor it anonymizes more than just web-browser traffic; its
behaviour is set in a configuration file.

• The options are documented inside that file, /etc/proxychains.conf (named
proxychains4.conf on systems with the proxychains-ng package), which can be opened
with nano from the /etc directory.

• The file begins with a comment block explaining each option, including how to
route traffic through a series of proxy servers to stay anonymous.

• A proxy either forwards requests on the user's behalf or, in a chain, hands them
on to the next proxy, so the destination sees the request coming from the last
proxy rather than from the user.

• Free public proxies are plentiful but often unstable and slow, which makes them
unsuitable for high-volume work such as brute forcing.

• Proxychains is useful for low-volume, targeted work such as logging in to or
browsing a particular site, but not for mass scanning or password brute forcing.

• The supported proxy types are HTTP, SOCKS4 and SOCKS5. SOCKS5 is the best option
because it carries arbitrary TCP traffic as well as UDP and IPv6, and supports
authentication.

• SOCKS4 is TCP-only and IPv4-only, so it cannot carry UDP or IPv6 traffic, which
makes it less desirable.

• Each option in the file is enabled by removing the leading hash (#) that comments
it out, and the change takes effect once the file is saved.

• dynamic_chain is the most commonly used mode: traffic passes through the listed
proxies in order, but any proxy that is down is skipped, so the chain keeps working
as long as at least one proxy is alive. That makes it the practical choice for free
proxy lists.

• With dynamic_chain a chain A, B, C, D becomes A, C, D if B is unreachable, and the
traffic still reaches its destination.

• strict_chain, the default, requires traffic to pass through every proxy in the
listed order, so a single dead proxy breaks the connection.

• With Tor as the only entry either mode works, but dynamic_chain is the mode to
enable when further proxies are added alongside Tor. Only one chain mode may be
enabled at a time.

• random_chain picks proxies from the list at random for each connection, and
chain_len sets how many proxies each chain contains.

• Random chains give a different exit address per connection, similar to Tor
building a new circuit, which it does roughly every ten minutes by default.

• quiet_mode only silences the per-hop output; proxy_dns is the setting that
matters, because without it DNS lookups go straight from the local machine to its
resolver.

• That is a DNS leak: the resolver, and anyone watching that traffic, sees the real
IP address asking for the domain being visited, even though the connection itself
goes through the proxies, and that can give away the user's location.

• proxy_dns resolves names through the chain instead. It slows the connection
slightly, and SOCKS5 should be preferred to HTTP proxies because it relays any
traffic and supports authentication, whereas an HTTP proxy only relays HTTP.

• Each line in the [ProxyList] section has the form: proxy type, IP address, port,
and optionally a username and password, with socks5 being the recommended type.

• The IP address and port are those on which the proxy server listens; the username
and password are needed only for proxies that require authentication, such as paid
services.

• Credentials are stored in plain text on the assumption that only the user can
read the file, so restrict the file with chmod 600 and never share it.

• Tor listens on port 9050 by default, so its entry is socks5 127.0.0.1 9050, using
the loopback address because Tor runs on the same machine.

• Save the edited file in nano with Ctrl+O (accepting the same file name), exit
with Ctrl+X, and clear the screen with Ctrl+L.

• Check the Tor service with service tor status; if Tor is not installed, install it
first (apt-get install tor on Debian-based systems).

• With Tor installed and the SOCKS5 entry in place, start the service with
service tor start.

• Run any program through the chain by prefixing it with proxychains, for example
proxychains firefox followed by the URL to open.

• Each connection is relayed through the configured proxies; in this setup there is
only one hop, the Tor SOCKS port on the loopback address.

• The browser may take a while to open, and the terminal prints each hop as the
connection is built.

• The aim is anonymity, and the terminal output shows each proxy accepting (OK) or
refusing (denied) the connection.

• Custom proxy lists replace the default by editing the [ProxyList] section of the
configuration file.

• To build such a chain, enable dynamic_chain, search online for a free proxy list,
and copy each server's IP address and port into the file.

• Free proxy lists show the proxy type (http, socks4, socks5), IP address and port;
adding "socks5" to the search narrows the results to the recommended type.

• Save the file and the chain is active for every command run through proxychains.
Bear in mind that an unknown proxy operator can read and modify any traffic that is
not end-to-end encrypted, so send nothing sensitive through a free proxy.

What is a MAC address?

• A MAC address (Media Access Control address) is a unique identifier assigned to a
network interface controller for communication on a network segment.

• MAC addresses serve as the network address for most IEEE 802 technologies,
including Ethernet and Wi-Fi.

• They are used in the media access control sublayer and are written as six groups
of two hexadecimal digits separated by colons. The first three octets are the
organizationally unique identifier (OUI), which identifies the vendor; the last
three uniquely identify the card within that vendor's range.
• On a local network a device is recognized by its MAC address. The ARP (Address
Resolution Protocol) table maps IP addresses to these physical addresses.

• On Windows the table is displayed with arp -a, which lists each IP address and its
corresponding MAC address (ip neigh shows the same on Linux).

• Because ARP identifies devices by MAC address, a user who wants to avoid being
identified on a network can spoof the MAC address.

• Spoofing can serve malicious ends, such as setting a machine's MAC address to
match a professor's computer so that activity is attributed to that machine instead.

• It also has legitimate uses, such as testing and privacy, and tools like
macchanger make the change easy.

• A device's current MAC address is shown by ifconfig (or ip link show) or by
macchanger -s followed by the interface name.

• macchanger can then assign a different address, so that the device is not
recognized on the network or can perform tasks that require a specific MAC address.

• Changing the MAC address avoids tracing and raised flags; macchanger can even make
the device appear to belong to a different vendor, such as a Cisco router.

• macchanger -l prints its list of known vendor OUIs, which is useful for choosing a
plausible vendor.

• macchanger -r assigns a fully random MAC address, and the change is verified with
ifconfig or ip link show.

• macchanger -s shows both the current and the permanent (burned-in) MAC address,
which differ after a change.

• To change the address automatically at boot, use cron, the Linux task scheduler,
to run macchanger at start-up.

• cron stores scheduled tasks in a per-user crontab, edited with crontab -e. Be
careful when deleting entries, because removing the wrong line silently stops that
job.

• Run crontab -e and add the line @reboot macchanger -r eth0, replacing eth0 with the
interface name shown by ifconfig.

• The crontab opens in nano; save with Ctrl+O, Enter, then exit with Ctrl+X.

• After a reboot, ifconfig shows the new address. macchanger usually needs the
interface to be down (ifconfig eth0 down) before it can change the address, so a
more robust entry brings the interface down, changes the address and brings it back
up.

• Spoofing the MAC address helps with anonymity only on the local network and in
protocols such as ARP that map IP addresses to MAC addresses; it does nothing for
traffic beyond the first router.
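As an added example, not part of the course, the following Python shows what the address format above encodes and what a random replacement has to look like: the OUI lookup, the multicast and locally-administered bits in the first octet, and a random unicast address of the kind a self-assigned MAC should carry. OUI_TABLE is a constructed three-entry sample of real assignments, not the IEEE registry, and the helper names are my own.

```python
"""Added example (not from the course): MAC address structure and random
generation in Python. OUI_TABLE is a tiny constructed sample."""
import secrets

# Constructed subset of the IEEE OUI registry (three real assignments).
OUI_TABLE = {
    "00:00:0C": "Cisco Systems",
    "00:50:56": "VMware",
    "B8:27:EB": "Raspberry Pi Foundation",
}


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return six raw octets."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def oui(text: str) -> str:
    """First three octets, upper-cased, as the registry lists them."""
    return format_mac(parse_mac(text)[:3]).upper()


def vendor(text: str) -> str:
    return OUI_TABLE.get(oui(text), "unknown")


def is_multicast(text: str) -> bool:
    # Bit 0 of the first octet: 0 = unicast, 1 = multicast/broadcast.
    return bool(parse_mac(text)[0] & 0x01)


def is_locally_administered(text: str) -> bool:
    # Bit 1 of the first octet: 1 = assigned locally, 0 = burned in by a vendor.
    return bool(parse_mac(text)[0] & 0x02)


def random_mac() -> str:
    """Six random octets, forced to unicast and locally administered, which is
    the bit pattern a self-assigned address should carry."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] & 0xFC) | 0x02
    return format_mac(raw)


def random_mac_for_vendor(prefix: str) -> str:
    """Keep a vendor OUI (e.g. Cisco, as in the text) and randomise the NIC part,
    so the device looks like that vendor's hardware on the network."""
    vendor_part = parse_mac(prefix + ":00:00:00")[:3]
    return format_mac(vendor_part + secrets.token_bytes(3))


if __name__ == "__main__":
    sample = "b8-27-eb-12-34-56"
    print(sample, "->", oui(sample), vendor(sample))
    print("random:", random_mac())
    print("looks like Cisco:", random_mac_for_vendor("00:00:0C"))
```

A vendor-looking address keeps the OUI intact, so vendor() still returns the vendor's name, while the fully random address has the locally-administered bit set and is reported as unknown; both are what an analyst sees in an ARP table after spoofing.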

• Wi-Fi cracking involves capturing the WPA four-way handshake with the Aircrack-ng
suite and then recovering the passphrase from a wordlist, which can be produced by
the wordlist generator Crunch.

• Aircrack-ng cracks WPA and WPA2 passphrases; WEP is broken outright and should
no longer be used on any network.

• The first step is to put the wireless card into monitor mode, which begins with
identifying the interface name with ifconfig.

• ifconfig lists the interfaces; the wireless card appears under a name such as
wlo1.

• The overall process is: monitor nearby access points, choose a target, run an
airodump-ng scan against it, de-authenticate a connected client, and capture its
re-authentication, which includes the four-way handshake between the device and the
access point.

• Some knowledge of the passphrase, such as its length or character set, is
essential before attempting to crack it; guessing a passphrase from nothing is
infeasible because the keyspace is far too large for any realistic processing power.

• For a vulnerability test it is usually more productive to test the router itself
for vulnerabilities than to crack the Wi-Fi passphrase, because router
vulnerabilities are more likely to be found.

• The two tools are aircrack-ng and crunch. aircrack-ng is installed on Kali Linux
or any Debian-based system with apt-get install aircrack-ng.

• Crunch can be downloaded from SourceForge (it is also packaged on Kali) and
generates wordlists from a given character set, which are then used to crack the
passphrase.

• After installation, confirm both tools are present by opening their manual pages
(man aircrack-ng, man crunch).

• Crunch takes a minimum and maximum word length and the characters to use, and
enumerates every combination.

• Rather than writing the wordlist to disk, pipe it straight into aircrack-ng, which
reads candidates from standard input with -w -, for example
crunch 8 8 0123456789 | aircrack-ng -w - -b <BSSID> capture.cap.

• To put the card into monitor mode manually: ifconfig wlo1 down, then
iwconfig wlo1 mode monitor.

• Bring the interface back up with ifconfig wlo1 up.

• Confirm it is up with ifconfig (iwconfig also shows the mode).

• Run airmon-ng check wlo1 to list background services, such as NetworkManager,
that would interfere with scanning.

• If any are listed, airmon-ng check kill stops them; any remaining child processes
may have to be killed separately.

• Run airodump-ng wlo1 to scan for access points.

• The scan shows, per access point, the BSSID (the router's MAC address), PWR
(signal strength), Beacons, #Data packets, CH (channel), ENC, CIPHER and AUTH.

• Identify the target router in the list and note its encryption (WPA2 in this
case), its channel and its BSSID.
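What aircrack-ng actually does with each candidate from crunch is worth seeing, because it explains both why knowing part of the passphrase matters and why a handshake capture is all an attacker needs. As an added example, not part of the course, the Python below carries out the WPA2-PSK computation: PMK from the passphrase and SSID with PBKDF2, the key confirmation key from the PTK expansion, and the message-2 MIC that is compared against the capture. Everything here is constructed (SSID, MACs, nonces, EAPOL frame); forge_capture() stands in for airodump-ng by producing the MIC for a known passphrase, so the crack can be checked offline against your own test data.

```python
"""Added example (not from the course): the WPA2 four-way-handshake check that
aircrack-ng performs per candidate, fed by a crunch-style generator. All
handshake values are constructed for the demo."""
import hashlib
import hmac
import itertools

SSID = b"CoffeeShop"                         # constructed
AP_MAC = bytes.fromhex("001122334455")      # constructed BSSID
STA_MAC = bytes.fromhex("66778899aabb")     # constructed client MAC
ANONCE = bytes(range(32))                   # constructed
SNONCE = bytes(range(32, 64))               # constructed
# Constructed message-2 EAPOL-Key frame with its 16-byte MIC field zeroed.
# The layout is illustrative; the MIC is simply an HMAC over these bytes.
EAPOL_M2 = (bytes.fromhex("0103007502010a00") + b"\x00" * 8 + SNONCE
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16
            + b"\x00\x16" + b"\x00" * 22)


def pmk(passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), SSID, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1 blocks with a trailing counter byte."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def kck_from(pmk_bytes: bytes) -> bytes:
    """First 16 bytes of the PTK (the key confirmation key) drive the MIC."""
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(ANONCE, SNONCE) + max(ANONCE, SNONCE))
    return prf512(pmk_bytes, b"Pairwise key expansion", data)[:16]


def mic_for(passphrase: str, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP: MIC = HMAC-SHA1(KCK, EAPOL frame)[:16]."""
    return hmac.new(kck_from(pmk(passphrase)), eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def forge_capture(real_passphrase: str) -> bytes:
    """Stand-in for airodump-ng: the MIC a real client would put in message 2."""
    return mic_for(real_passphrase, EAPOL_M2)


def crunch(prefix: str, charset: str, n: int):
    """crunch-style generator: a known prefix followed by n unknown characters."""
    for tail in itertools.product(charset, repeat=n):
        yield prefix + "".join(tail)


def crack(captured_mic: bytes, candidates) -> tuple:
    """aircrack-ng's inner loop: (passphrase, attempts) or (None, attempts)."""
    attempts = 0
    for attempts, cand in enumerate(candidates, 1):
        if hmac.compare_digest(mic_for(cand, EAPOL_M2), captured_mic):
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    captured = forge_capture("coffee427")
    # The attacker knows the passphrase is "coffee" plus three digits: 1000 candidates.
    print(crack(captured, crunch("coffee", "0123456789", 3)))
```

Each candidate costs two PBKDF2 runs of 4096 HMAC-SHA1 rounds, which is why the keyspace must be small: ten unknown alphanumerics would be 62^10 candidates, far beyond the "unlimited processing power" the text mentions. Original WPA (TKIP) differs only in using HMAC-MD5 for the MIC.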

Cryptography
• Andy sends a private message to his friend Sam over the internet and wants it to
stay private from anyone, such as Eve, who has secretly gained access to the
communication channel.

• Eve's access lets her not only eavesdrop but also alter the message, which is why
the communication must be secured.

• This is where cryptography comes in: the practice and study of techniques for
securing communication and data in the presence of adversaries.

• Encryption converts the message (the plaintext) into numbers, applies an
encryption key with an encryption algorithm, and produces a ciphertext that is sent
over the network.

• The recipient applies the decryption key and algorithm to turn the ciphertext
back into the original message.

• To protect his message, Andy converts it into an unreadable form with a key; the
resulting ciphertext can only be turned back into the message with the proper key.

• Even if Eve captures the ciphertext she cannot read it without the key, so the
message stays private.

• Encryption alone does not detect tampering: a modified ciphertext may decrypt to
garbage or, with a stream cipher, to a different but plausible message. Letting Sam
know the message was altered needs an integrity check, a message authentication
code (MAC) or an authenticated-encryption mode.

• In modern cryptography the algorithms are public and the security of the system
rests entirely on keeping the keys secret (Kerckhoffs's principle).

• Cryptography is broadly classified into two categories: symmetric key
cryptography and asymmetric (public key) cryptography.

• Symmetric key cryptography is further divided into classical cryptography and
modern cryptography.

• Classical cryptography covers transposition ciphers and substitution ciphers;
modern symmetric cryptography covers stream ciphers and block ciphers.

• Symmetric key algorithms use the same key to encrypt the plaintext and to decrypt
the ciphertext; the key is a shared secret between two or more parties.

• The main drawback of symmetric encryption is that every party must already hold
the secret key, a key-distribution problem that public key encryption avoids.

• Symmetric key cryptography is also called secret key cryptography. The course
names DES (Data Encryption Standard) as the best-known example; its 56-bit key is
far too short today and it has been superseded by AES.

• A transposition cipher rearranges the positions of the plaintext units according
to a regular system: a bijective function defines the encryption and its inverse
the decryption.

• In a transposition cipher the letters themselves are unchanged; the ciphertext is
a permutation of the plaintext.

• A substitution cipher replaces each letter individually using a substitution
alphabet, which may be shifted, reversed or scrambled.

• A substitution alphabet can be built from a keyword: write out the keyword,
remove repeated letters, then append the remaining letters of the alphabet in their
usual order.

• Examples are the Caesar cipher, which uses a shifted alphabet, and the
mixed-alphabet cipher, which uses a scrambled one.

• A mixed alphabet built from the keyword "zebras" is ZEBRASCDFGHIJKLMNOPQTUVWXY,
and each plaintext letter is replaced by the letter at the same position in it.

• Traditionally the ciphertext is written in blocks of fixed length with
punctuation and spaces omitted, which helps avoid transmission errors and disguises
the word boundaries of the plaintext.

• These blocks are called groups, and sometimes a group count is sent as an
additional check; five-letter groups are traditional, dating from the days of the
telegraph.

• If the message length is not a multiple of five, the end is padded with nulls,
characters that decrypt to obvious nonsense and are discarded by the receiver.
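As an added example, not part of the course, the following Python carries the two classical families above through end to end: the keyword mixed alphabet and Caesar shift (substitution), a columnar transposition (a permutation of the plaintext), and the five-letter grouping with null padding. The keyword "zebras" and the sample message match the description above; the function names are my own.

```python
"""Added example (not from the course): keyword and Caesar substitution,
columnar transposition, and five-letter grouping with null padding."""
import string

ALPHABET = string.ascii_uppercase


def keyword_alphabet(keyword: str) -> str:
    """Keyword with repeats removed, then the unused letters in the usual order."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def shifted_alphabet(shift: int) -> str:
    """Caesar: the alphabet rotated by `shift` positions."""
    return ALPHABET[shift:] + ALPHABET[:shift]


def substitute(text: str, cipher_alphabet: str, decrypt: bool = False) -> str:
    """Replace each letter by its counterpart; punctuation and spaces are dropped."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    table = str.maketrans(src, dst)
    return "".join(ch for ch in text.upper() if ch in ALPHABET).translate(table)


def group5(ciphertext: str, null: str = "X") -> str:
    """Five-letter groups, padding the last one with nulls the receiver discards."""
    pad = (-len(ciphertext)) % 5
    padded = ciphertext + null * pad
    return " ".join(padded[i:i + 5] for i in range(0, len(padded), 5))


def columnar_transposition(text: str, cols: int) -> str:
    """Write the letters in rows of `cols`, read them out column by column."""
    clean = "".join(ch for ch in text.upper() if ch in ALPHABET)
    return "".join(clean[i::cols] for i in range(cols))


def undo_transposition(cipher: str, cols: int) -> str:
    """Inverse permutation: rebuild the columns, then read back row by row."""
    rows, extra = divmod(len(cipher), cols)
    columns, pos = [], 0
    for i in range(cols):
        n = rows + (1 if i < extra else 0)
        columns.append(cipher[pos:pos + n])
        pos += n
    return "".join("".join(col[r] for col in columns if r < len(col))
                   for r in range(rows + 1))


if __name__ == "__main__":
    key = keyword_alphabet("zebras")
    c = substitute("flee at once. we are discovered!", key)
    print(key)
    print(group5(c))
    print(substitute(c, key, decrypt=True))
    t = columnar_transposition("attack at dawn", 5)
    print(t, undo_transposition(t, 5))
```

Both ciphers preserve letter frequencies (substitution) or the letters themselves (transposition), which is exactly what frequency analysis exploits and why neither offers any security today; they are shown to make the later block-cipher discussion concrete.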

• A stream cipher applies the key and algorithm to the data one bit or byte at a
time, combining a keystream with the plaintext. Older stream ciphers such as RC4
have been retired from protocols, although modern ones such as ChaCha20 remain in
wide use.

• The main alternative is the block cipher, which applies the key and algorithm to
a fixed-size block of data rather than to individual bits.

• A block cipher is a deterministic algorithm keyed by the symmetric key that
encrypts one block at a time; the common example is AES, which encrypts 128-bit
blocks under a 128-, 192- or 256-bit key.

• Block ciphers are modelled as pseudorandom permutation families over fixed-size
blocks. The primitive itself is considered sound; weaknesses come from using it
badly, for example in ECB mode, which encrypts equal blocks to equal ciphertext and
leaks patterns, or with a short key such as DES's.

• Asymmetric cryptography, also known as public key cryptography, uses a pair of
keys, a public key and a private key, to provide two functions: authentication and
encryption.

• Anything encrypted with the public key can be decrypted only by the holder of the
paired private key, and a signature made with the private key can be verified by
anyone holding the public key, proving who sent the message.

• The strength of a public key system rests on the computational effort required
to derive the private key from its paired public key; effective security only
requires keeping the private key private.
• A website's certificate shows the signature algorithm and hash used to secure it;
YouTube's, at the time of the course, used RSA with SHA-256 and was issued by Google
Internet Authority.

• Public key encryption can be tried on a demonstration website such as
cobbwebs.cs.uga.edu, where a key pair is generated and a message is encrypted with
the public key and decrypted with the private key.

• Sending a secure message therefore involves generating a key pair, encrypting
with the recipient's public key, and the recipient decrypting with the private key.

• RSA is the commonly used algorithm for this; it was invented by Ron Rivest, Adi
Shamir and Len Adleman.

• The RSA cryptosystem has two parts: generation of the key pair, and the
encryption and decryption operations.

• To generate a key pair, multiply two large primes p and q to obtain n, then
compute phi = (p - 1)(q - 1).

• The public key is the pair (e, n), where 1 < e < phi and e is coprime to phi.

• The private key d is kept secret by the owner and is used to decrypt.

• n and e are published and distributed across the network; RSA's strength rests on
the difficulty of factoring n, the product of two large primes, back into p and q.

• d is computed from p, q and e: it is the unique number with d * e = 1 (mod phi),
the inverse of e modulo phi.

• Encryption uses e and n: the chosen letter is encoded as a number m and the
ciphertext is c = m^e mod n.

• Decryption uses d and n: m = c^d mod n recovers the numerical form of the
plaintext, which is decoded to the original letter.

• RSA thus relies on the relationship between n, e and d for secure encryption and
decryption.
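As an added example, not part of the course, the following Python carries the key generation and the two operations above through with the same symbols (p, q, n, phi, e, d), adds the signing direction mentioned under asymmetric cryptography, and shows why the toy key is breakable: with a 12-bit n, trial division recovers p and q at once. The primes 61 and 53 and e = 17 are the usual textbook values; pow(e, -1, phi) is Python's built-in modular inverse (3.8+).

```python
"""Added example (not from the course): textbook RSA with the page's symbols,
plus the factoring attack that makes small n useless."""
from math import gcd


def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((e, n), (d, n)). Caller supplies primes p != q and a suitable e."""
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) == 1")
    d = pow(e, -1, phi)  # the unique inverse of e modulo phi
    return (e, n), (d, n)


def encrypt(m: int, pub: tuple) -> int:
    """c = m^e mod n; the message must already be a number below n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, priv: tuple) -> int:
    """m = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


def encode_letter(ch: str) -> int:
    """The course's letter-to-number step: A=1 ... Z=26."""
    return ord(ch.upper()) - ord("A") + 1


def decode_letter(x: int) -> str:
    return chr(x - 1 + ord("A"))


def sign(m: int, priv: tuple) -> int:
    """Authentication direction: exponentiate with d; anyone checks with e."""
    d, n = priv
    return pow(m, d, n)


def verify(m: int, sig: int, pub: tuple) -> bool:
    e, n = pub
    return pow(sig, e, n) == m


def factor_small(n: int):
    """Why the toy key is weak: trial division finds p and q immediately.
    Real keys use primes of 1024 bits or more, where this is hopeless."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    return None


if __name__ == "__main__":
    pub, priv = keygen(61, 53, e=17)
    print("public", pub, "private", priv)
    m = encode_letter("H")
    c = encrypt(m, pub)
    print("H ->", m, "->", c, "->", decode_letter(decrypt(c, priv)))
    print("factored:", factor_small(pub[1]))
```

Two caveats a practitioner should carry away: this "textbook" RSA is deterministic and malleable, so real systems always pad (OAEP for encryption, PSS for signatures), and encrypting one letter at a time turns RSA into a 26-symbol substitution cipher that frequency analysis breaks without touching the key.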

• Vulnerability assessment is the process of defining, identifying, classifying and
prioritizing vulnerabilities in computer systems, applications and network
infrastructure.

• It has three steps: identifying the assets and the vulnerabilities of the system,
quantifying the assessment, and reporting the results.

• Penetration testing extends vulnerability assessment with scanning, vulnerability
assessment, exploitation, exploit research and reporting.

• Metasploit is a widely used framework for penetration testing and exploit
research.

• Exploit research, approaching and understanding individual exploits, is an
essential part of penetration testing.

What is cross-site scripting?


• Cross-site scripting (XSS) is an attack in which attacker-controlled script runs
in a victim's browser, either when the victim visits a page or when the server's
response to the victim's request carries the script; it is used to steal cookies,
session tokens, usernames and passwords.

• XSS can also change what the victim sees, because it is a code injection attack:
the injected script rewrites the page inside the browser, whether the payload was
stored on the server or reflected back from the request.

• XSS is a web application attack that needs a website, its web server and a
victim: the attacker injects malicious code into the website, and it reaches the
victim through the server's responses.

• Normally a user sends a request to the web server and the response is rendered
as the page; with XSS the attacker's script is part of that response, so it runs
when the victim views the page or requests data from the server.

• The script can steal credentials or other sensitive information from the
browser, and there are three main types of cross-site scripting attack.

Types of cross-site scripting

• The three types are Reflected, DOM-based and Stored XSS. In Reflected XSS the
payload is never stored on the web server.

• In Reflected XSS the malicious script arrives in the request (typically in a URL
parameter), is echoed by the server into the response and runs in the victim's
browser, hence the name "reflected".

• Reflected XSS is exploited by getting the victim to open a crafted link, so that
the injected script executes in their browser.

• A Reflected XSS demo was performed on the Damn Vulnerable Web Application (DVWA):
a text box accepts a name and the page echoes it back.

• Submitting HTML such as <h1>test</h1> changed the rendered output to a header,
showing that input is inserted into the page unescaped and the page is vulnerable
to Reflected XSS.

• Submitting <script>alert(1)</script> then produced a pop-up, confirming the
vulnerability.

• The demo shows how Reflected XSS injects code into a web application, which is
the starting point for more severe attacks.

• XSS can be used to steal session identifiers from a web application, which lets
an attacker log into another user's account without knowing the username or
password.

• A session ID is a unique string the web server assigns to a user to identify that
user while the session is active.

• Reading document.cookie from an injected script gives the attacker the session
cookie, so they can log in as that user without the password.

• Raising the application's security level adds filtering, but an attacker can
still bypass a naive filter, for example with nested script tags.

• When the filter deletes the string "<script>", the input <scr<script>ipt> has its
inner "<script>" removed, and what is left concatenates back into "<script>", so the
attack succeeds.

• The logic is that the filter runs once rather than until nothing changes; a
single pass leaves the reconstructed tag behind and the browser executes it.

• In this way XSS gives access to sensitive information and control of a user's
account even though the attacker never learned the password.

• The direct approach is simply to submit a payload and see whether the
application handles it; at this level the application sanitizes input with a
regular expression that replaces script tags with an empty string.

• To bypass that, the payload is written without a script tag: any HTML element
with an event-handler attribute will do, for example an image tag with a bogus
source and an onmouseover handler that opens a pop-up
(<img src=x onmouseover=alert(1)>).

• The code then runs when the user hovers over the image, and the image can be a
real one that says "click here" to lure the user into triggering it.

• Reflected XSS is not stored on the server and runs from the response to a crafted
request; Stored XSS keeps the payload on the server.

• Stored XSS differs from Reflected XSS precisely in that the payload is saved on
the web server and served to every visitor, rather than only to the victim who
follows a link.

How to use cross-site scripting


• Stored Cross-Site Scripting is an attack in which the malicious script is saved
on the web server or in its database, and every time a user's browser loads that
data the script runs.

• Web applications such as Facebook store user content in a database; when another
user views it, the server fetches and renders it, so any script stored in it
executes in that user's browser.

• The stored XSS demo uses a guestbook page on which a user enters a name and a
message that are stored in the database and displayed on the page.

• An attacker enters malicious code into the input fields; it executes for every
visitor to the page, as shown by the pop-up that appears after a refresh.

• The same applies to any application that stores user content, such as Facebook,
where a stored script runs whenever another user views the page.

• The application can add defences such as input validation and character limits
to block the payload.

• An attacker can still tamper with client-side restrictions by inspecting the page
and editing the form, for example changing a text box's maxlength attribute.

• At the medium level the application handles malicious input with such features,
but an attacker can still look for a way around them.

• A text box with maxlength 10 was changed to 100 in the inspector, allowing longer
input, but the name field was still sanitized, showing that it strips malicious
input.

• Using a nested script tag, as with Reflected XSS, bypassed that filter and the
code executed.

• The application removes script tags, but the nested tag reconstructs one after
the removal and the code runs.

• At the high security level the same payload failed, indicating that a regular
expression is used to remove script tags.

• Examining the code confirmed that a regular expression finds script tags and
replaces them with an empty string.

• An image tag was used instead, with the input <img src=x onmouseover=alert(1)>,
to create a pop-up.

• The pop-up appeared when the mouse was moved over the image, showing how stored
XSS can be exploited.
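The reflected and stored sections above describe the same three defences and the same two bypasses: a non-recursive delete of "<script>" beaten by the nested tag, a regular expression that only hunts for the letters of "script" beaten by an image tag with an event handler, and output encoding that stops both. As an added example, not part of the course, the Python below re-implements those filters from the description (they are my reconstruction of the behaviour the text describes, not DVWA's PHP) and runs both payloads through each, with a crude oracle for "would the browser treat this as markup".

```python
"""Added example (not from the course): the two XSS filter bypasses described
above and the output encoding that defeats them, reconstructed in Python."""
import html
import re


def strip_script_once(s: str) -> str:
    """'Medium' filter: delete the literal <script> (case-insensitive), one pass."""
    return re.sub(r"<script>", "", s, flags=re.IGNORECASE)


def strip_script_regex(s: str) -> str:
    """'High' filter: remove any tag spelling s-c-r-i-p-t with junk in between,
    but touch nothing else."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", s, flags=re.IGNORECASE)


def output_encode(s: str) -> str:
    """The fix: treat user input as text, never as markup."""
    return html.escape(s, quote=True)


def reaches_browser_as_markup(rendered: str) -> bool:
    """Crude oracle: a script tag or an element carrying an on* event handler."""
    return re.search(r"<script\b|<\w+[^>]*\bon\w+\s*=", rendered, re.IGNORECASE) is not None


NESTED = "<scr<script>ipt>alert(document.cookie)</script>"
IMG_EVENT = '<img src=x onmouseover="alert(document.cookie)">'
PAYLOADS = (NESTED, IMG_EVENT)
FILTERS = (("medium", strip_script_once), ("high", strip_script_regex), ("encode", output_encode))


def run_payloads() -> dict:
    """For each filter, which payloads still reach the browser as live markup."""
    return {name: {p: reaches_browser_as_markup(filt(p)) for p in PAYLOADS}
            for name, filt in FILTERS}


if __name__ == "__main__":
    for name, filt in FILTERS:
        for p in PAYLOADS:
            out = filt(p)
            print(f"{name:>6} | {p[:24]:<24} -> {out[:40]!r:<44} live={reaches_browser_as_markup(out)}")
```

The nested payload survives the single-pass delete because the removal itself assembles "<script>"; the image payload survives the regular expression because nothing in it spells "script". Only output encoding, which never tries to recognise bad input, blocks both, which is why it is the recommended defence rather than a blacklist.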

• The third type, DOM-based cross-site scripting, is a client-side attack: the
payload is neither sent to nor stored on the server.

• In DOM XSS the page is requested and served normally, the page's own JavaScript
runs first, and it is that script which reads attacker-controlled data (such as
part of the URL) and writes it into the page, executing the malicious script.

• A web page vulnerable to DOM-based Cross-Site Scripting (XSS) is


demonstrated, where selecting a language and hitting the select button changes the
URL but does not display any changes on the web page .

• To manipulate the webpage, the URL is modified to inject a malicious script,


which in this case is "script alert hello" .

• When executed, the script triggers a pop-up, indicating successful manipulation of


the URL .

• Increasing the security level to high prevents the malicious script from working,
as the webpage strips the script tag and sets the default language to English .

• Attempting to bypass this security measure by nesting the script tag is also
unsuccessful .

• Inspecting the webpage's element reveals a form tag with different options, which
can be manipulated to inject a malicious query .

• By copying and pasting a line of code that displays English as the value, the
webpage's syntax can be manipulated to inject a malicious query.

• The webpage's design uses a select tag with different options, which can be
manipulated by closing the option tag and select tag earlier in the URL.

• By closing the option tag and select tag in the URL and using the body tag with
the on-load function, a pop-up can be created that says hello .

• Successfully injecting the malicious code into the URL allows for the creation of a
pop-up, demonstrating the vulnerability of the webpage to DOM-based XSS .

• A malicious script was successfully executed on a webpage with a medium
security level by adding an option tag and a select tag, then typing the malicious
script and closing it, which prevented the original code from executing.

• When the security level was increased to high, the direct approach and previous
approach did not work, indicating that the webpage was designed to sanitize the
URL .

• The webpage's code only accepted specific languages as input and set the default
to English if any other input was provided .

• To hack the webpage, knowledge of web design and anchor tags is necessary, as
anchor tags are used to index a particular part of a webpage .

• Anchor tags can be used to regenerate the URL and point to a specific section of
the webpage when clicked .

• A pound symbol or hash symbol can be used to index or point to a certain page on
the same website, allowing malicious code to be injected without being considered
as input .

• Using the pound symbol and typing a malicious script after it allowed the code to
be executed, resulting in a pop-up message .

• There are three types of cross-site scripting attacks: reflected, stored, and DOM,
and the type of attack used depends on how the web page is designed .

• To prevent cross-site scripting attacks, the first step is to escape user input by
removing special characters like greater than, smaller than, and percentage
symbols, making them just text characters .

• To ensure cyber security, it is essential to consider all input as a threat since users
have complete control over the input they provide, and thus, every input should be
assumed as a threat and sanitized and handled with care .

• Data validation is crucial, especially in fields like login, where users enter their
usernames and passwords, and it can be used to avoid cross-site scripting attacks
by validating the format of the input data, such as email IDs .

• Sanitizing data is necessary to eliminate potential threats, such as script tags, and
regular expressions can be used to achieve this, as demonstrated in the demo
where web pages were sanitizing data by eliminating script tags and using regular
expressions .

• Encoding the output is another important step in ensuring cyber security, although
the specifics of this process are not detailed in this segment .

How to prevent cross-site scripting?

• To prevent malicious scripts, URL encoding can be used to encode input or
output, making it no longer a malicious script .

• Using the right response headers can help decide what data can be sent or
received, and content security policies (CSP) can be used to avoid cross-site
scripting .
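The defences listed above (escaping, input validation, regular-expression sanitising, output and URL encoding, and a Content Security Policy header) applied to the payloads from the demo, as an added example that is not part of the course; the helper names and sample inputs are constructed here.

```python
"""Defensive handling of untrusted input against the XSS payloads from the demo.

Added example, not code from the course; helper names are hypothetical and the
SAMPLES are constructed to mirror the three inputs used in the demonstration.
"""
import html
import re
from urllib.parse import quote

# Constructed inputs: a plain script tag, a nested tag that survives one round
# of tag removal, and an image tag with a mouse-over handler (no script tag).
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "nested": "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "img": '<img src=x onmouseover="alert(1)">',
}

SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def strip_script_tags_once(text: str) -> str:
    """The medium-level filter from the demo: one regex pass blanking script tags."""
    return SCRIPT_TAG.sub("", text)


def strip_script_tags(text: str) -> str:
    """Repeat until nothing changes, so a nested tag cannot re-form after one pass."""
    while True:
        cleaned = SCRIPT_TAG.sub("", text)
        if cleaned == text:
            return cleaned
        text = cleaned


def escape_for_html(text: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the browser
    renders the input as text and never as markup, whatever it looked like."""
    return html.escape(text, quote=True)


def encode_for_url(text: str) -> str:
    """URL encoding for a value reflected into a query string (the DOM demo)."""
    return quote(text, safe="")


def render_comment(user_text: str) -> str:
    """Escape before placing untrusted text into the page."""
    return f'<p class="comment">{escape_for_html(user_text)}</p>'


EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    """Input validation: reject anything not shaped like an e-mail address."""
    return EMAIL.fullmatch(value) is not None


def contains_tag(text: str) -> bool:
    """True when an unescaped HTML tag opener is still present."""
    return re.search(r"<\s*/?\s*\w", text) is not None


def csp_header() -> dict:
    """A restrictive Content-Security-Policy: scripts only from our own origin and
    no inline scripts, so an injected <script> or onmouseover= is refused."""
    return {"Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"}
```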

• A Denial of Service (DoS) attack is an attack that makes a service unavailable,
and it can be performed from a single machine or multiple devices.

• A Distributed Denial of Service (DDoS) attack is a type of DoS attack that is
executed from multiple devices spread across a wide area, making it difficult to
stop and near impossible to point out the main culprit.

• DDoS attacks work by making a certain service unavailable by bringing down the
performance of the machine, and some common methods include flooding servers
with connection requests or sending unfragmented packets to a server .

• There are different types of DDoS attacks, including the Ping of Death, which
exploits the maximum packet size allowed by the TCP/IP protocol by sending
packets that are larger than the maximum size .

• Computers generally do not know what to do with oversized packets and end up
freezing or crashing entirely when such packets are added up .

• Reflected attacks are often used with the help of a botnet, where the attacker sends
a host of innocent computers a connection request using a botnet, which are also
called reflectors, and this overloads the computer and crashes it .

• Reflected attacks are also known as Smurf attacks, where the host of computers
sent an acknowledgment to the victim computer, overloading it .

• Mail bomb attacks generally target email servers by sending oversized emails
filled with random garbage values, crashing the email server through a sudden spike
in load.

• Teardrop attacks abuse the fragmentation offset field of a packet, leaving a
server vulnerable to teardrop attacks unable to reassemble the packets and
resulting in a denial of service condition.

• To perform a denial of service attack, one can use tools such as aircrack-ng,
which is a suite of tools containing aircrack-ng, airmon-ng, aireplay-ng, and
airodump-ng.

• Another tool that can be used is macchanger, and to use these tools, one needs to
log in as root and have administrator access.

• The first step in performing the attack is to check out the wireless network card's
name using the ifconfig command, and then set it up in monitor mode .

• To install the necessary tools, one can use the apt-get install command, such as
apt-get install aircrack-ng .

• To install the tools aircrack-ng and macchanger, the command 'apt-get install
aircrack-ng macchanger' can be used, and to check that the tools have been installed
properly, the manual pages can be opened by typing 'man aircrack-ng' and 'man
macchanger'.

• To set up the network interface card into monitor mode, the commands 'ifconfig
wlo1 down', 'iwconfig wlo1 mode monitor', and 'ifconfig wlo1 up' are used .

• The mode of the network interface card can be checked by using the command
'iwconfig wlo1' or by passing it through a pipe function using 'grep mode' .

• To check for subprocesses that might interfere with the scanning process, the
command 'airmon-ng check' is used, and to kill any subprocesses found, the
command 'airmon-ng check kill' can be used .

• A dump scan can be run on the network interface card to check all possible access
points available by using the command 'airodump-ng wlo1' .

• The access points found are listed with their BSSIDs, signal power, beacons,
data, and channels; the BSSID is the MAC address tied to the ESSID, which
is the name of the router.

• Once a router is chosen to DoS, the process involves continuously de-authenticating
all devices connected to it, and the tool aireplay-ng is used to send a
de-authentication broadcast.

• aireplay-ng is part of the aircrack-ng suite of tools, and it can be used to
de-authenticate all devices connected to the chosen router.

• To send a de-authentication message, the --help option is consulted first, which
shows that the -0 option sends the de-authentication message and that a count can
be specified, with 1 sending one message and 0 looping continuously and sending
multiple messages.

• The de-authentication message can be sent to a specific client by specifying its
MAC address or BSSID, but in this demonstration, the goal is to de-authenticate
everybody.

• The MAC address or BSSID of the target router is copied, and then the
de-authentication message is sent, which can be seen on the channel being used.

• The channel of the interface can be changed using the command iwconfig
<interface> channel <channel number>, and in this case, the channel is
changed to 6, which is the channel the target router is using .

• Once the de-authentication messages are sent, any device connected to the target
router becomes almost unusable, as the constant de-authentication prevents it
from accessing the internet.

• This is not exactly a DDoS attack, but the code can be optimized to make it
appear as if it's coming from multiple machines.

• A script file can be written to automate and optimize the code, which will change
the MAC address every time to make it harder to track .

• The script file will start a while loop that continuously runs until it's stopped, and
will send de-authentication messages to a specific BSSID, and then change the
MAC address after sending the messages .

• The wireless network card needs to be put down in order to change the MAC
address, which is a necessary step in the script .

• To change a MAC address, the tool macchanger can be used, which can
provide a new MAC address every time it is run.

• The macchanger tool has various options, including getting a random MAC
address, showing the current MAC address, and specifying the interface whose
MAC address to show.

• To use macchanger, the interface must be specified, and the tool can be used to
generate a new MAC address.

• After generating a new MAC address, the network interface card can be put back
up, and the new MAC address can be verified.

• Spoofing a MAC address can be useful in certain situations, as it can make it
difficult for others to track the device.

• To automate the process of changing the MAC address, a script can be created
that uses macchanger to generate a new MAC address, puts the network interface
card into monitor mode, and then sleeps for a specified amount of time.

• The script can be repeated continuously, with the MAC address changing every
time it is run.

• To run the script, it must be given executable permissions using the command
"chmod +x" .
What is SQL Injection?
• SQL injection is a code injection technique used to execute malicious SQL
statements on a database, allowing attackers to take over database servers .

• A normal database query is generated on a web application, sent to the database,
executed, and relevant information is returned to the web application.

• In SQL injection, the database query is manipulated to make it do something it's
not supposed to do, by injecting a malicious string into the SQL query.

• The malicious query is then sent to the database, executed, and relevant results are
returned .

• SQL injection attacks can be used on web applications that use a database to store
usernames and passwords .

• When a user logs in to a web application, their input information is sent to the
database and cross-checked with a table storing usernames and passwords .

• If the username and password match, there's a successful login; otherwise, the
login is unsuccessful .

• The SQL query generated for a login process typically fetches rows from a
database table that match the entered username and password .

• If the SQL query returns a value or a true value, the login is successful; otherwise,
it's unsuccessful .

• SQL injection attacks are web-based attacks that manipulate SQL queries to
always return true, even if the username or password is unknown, by giving the
right inputs to the user-controlled part of the query .

• In a web application, the SQL query is pre-generated, and the user only has
control over the input, which is the part highlighted in the query .

• To execute a SQL injection attack, the goal is to manipulate the SQL query to
return true, which can be achieved by using an OR logic gate .

• An OR logic gate is a function that takes certain inputs and gives an output, where
if one of the inputs is true, the output is always true, regardless of the other input .

• In the context of SQL injection, the OR function is used to make the SQL query
return true by adding a statement that is always true, such as "1=1", to the right-
hand side of the OR function .

• The malicious input string used in the SQL injection attack is an inverted comma,
space, OR, space, 1=1, hyphen, hyphen, space (that is, ' OR 1=1 -- ), which is
designed to close the string parameter and execute the OR function.

• The first inverted comma in the input string is used to close the string parameter,
and the OR function is used to execute the statement "1=1", which always returns
true.

• The statement "1=1" is used because it is always true, and when used as one of the
inputs to the OR function, it ensures that the output is always true, regardless of
the other input .

• SQL injection works by manipulating the SQL query to return true, allowing
unauthorized access to a web application, and the use of an extra double hyphen is
to comment out the rest of the SQL query, making the login successful regardless
of the password .

• There is no universal string for SQL injection, and the method used depends on
how the web application is built, with data being passed in different ways, such as
using the GET method .

• The GET method passes data through the URL of the request, making the data
visible in the URL, which can be exploited using SQL injection .

• A web application using the GET method to pass data can be hacked using SQL
injection by manipulating the URL request to inject malicious SQL code .

• A demonstration of a web application using the GET method to pass data shows
how SQL injection can be used to access the database and retrieve sensitive
information .

• The demonstration includes a login page with a username and password field, and
the web application connects to a database to verify the credentials using a SQL
query .

• The database contains a table named "login details" with columns for username
and password, and the web application prints a success or failure message based
on the query results .

• The web application can be exploited using SQL injection by injecting malicious
SQL code into the URL request, allowing unauthorized access to the database .

• A web application using the GET method to pass data can be vulnerable to SQL
injection attacks, as the data is visible in the URL string, allowing malicious users
to manipulate the data and potentially gain unauthorized access .

• To demonstrate this vulnerability, a malicious string (" ' OR 1=1 -- ") can be used
in the username field to bypass the login and gain access to the web application .

• The success of the SQL injection attack depends on the web application's use of
the GET method to pass data, as the data is visible in the URL string and can be
manipulated by malicious users.

• In contrast, web applications using the POST method to pass data do not display
the data in the URL string, making it more difficult for malicious users to
manipulate the data.

• However, even web applications using the POST method can be vulnerable to
SQL injection attacks if malicious users can enter malicious strings through the
input fields .

• To test the vulnerability of a web application using the POST method, a malicious
string can be entered in the username and password fields to see if the web
application is vulnerable to SQL injection attacks .

• A demonstration of a SQL injection attack on a web application using the POST
method to transfer data was shown, where a malicious string was used to bypass
the login credentials and gain unauthorized access to the application.

• The importance of preventing SQL injection attacks was emphasized, especially
for ethical hackers who need to test web applications for vulnerabilities and
provide recommendations to organizations on how to improve their security.

• A method to prevent SQL injection attacks was explained, which involves using
the "prepare" and "bind parameter" functions in the code to bind user input as a
string, preventing malicious strings from being executed as SQL code .

• The use of bind parameter functions ensures that malicious strings are considered
as strings and not as logic in the code, preventing SQL injection attacks .

• Other ways to prevent SQL injection attacks were mentioned, including form
validations and limiting the characters that can be used as passwords, which
depend on how the web application is built .
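The two ways of building the login query described above, side by side, as an added example that is not the course's own code: string concatenation (the vulnerable demo page) beside a prepared statement with bound parameters. The in-memory table `login_details`, its rows and the helper names are constructed for this demonstration.

```python
"""Vulnerable login query beside its prepared-statement counterpart.

Added example, not code from the course. Uses SQLite in memory; the table,
the stored credentials and the function names are constructed for the demo.
"""
import sqlite3

PAYLOAD = "' OR 1=1 -- "   # the malicious string used in the demonstration


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the demo's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_details (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login_details VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_query_unsafe(username: str, password: str) -> str:
    """String concatenation: the user's text becomes part of the SQL itself.
    With PAYLOAD as the username the WHERE clause turns into
    username = '' OR 1=1 and the rest is commented out by the '--'."""
    return (f"SELECT * FROM login_details WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check as the vulnerable page does it: any row returned means success."""
    return conn.execute(build_query_unsafe(username, password)).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the query text is fixed and the driver binds the values,
    so the quote and the '--' inside PAYLOAD are compared as characters, never
    interpreted as SQL logic."""
    query = "SELECT * FROM login_details WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None
```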

• A scenario was presented where images on a shopping website could be used to
hide malicious content, such as detailed blueprints of military installations.

What is steganography?
• Cryptography is a method of encrypting and securing communication, but it does
not hide the fact that a secret message is being sent, making it vulnerable to
attackers who may discover the message and try to extract the secret information .

• Steganography is a technique used to hide secret messages behind ordinary files,
making it difficult for attackers to suspect that a secret message is being sent.

• The main reason for using steganography is to conceal the fact that a secret
message is being communicated, unlike cryptography, which conceals the content
of the message.

• Steganography is an ancient art of covering messages in a secret way, with the
word "steganography" derived from the Greek words "steganos", meaning hidden or
concealed, and "graphein", meaning writing or drawing.

• The concept of steganography was first introduced in 1499, but the idea itself has
existed since ancient times, with examples including the use of invisible inks, null
ciphers, and microdots .

• In ancient times, steganography was used in various ways, such as tattooing a
message on a slave's scalp, sending a secret message on a tablet covered with wax,
and using invisible inks that could be made visible by heating the document.

• Today's steganographic systems use multimedia objects like images, audio, and
video as cover media to hide secret information .

• Steganography is divided into multiple types based on the type of cover media
used, including text steganography, which involves hiding information inside text
files by changing the format, words, or generating random character sequences .

• Steganography involves hiding data in various forms of media, including text,
images, audio, and video, to conceal secret messages or information from
unauthorized parties.

• There are different methods to hide data in text, such as format-based methods,
random and statistical generation, and linguistic methods .

• Image steganography is a popular method of hiding data, as digital images contain
a large number of bits, making it easy to store or hide data.

• Common approaches to image steganography include LSB steganography,
masking, filtering, and encryption techniques.

• Audio steganography involves embedding a secret message into an audio signal,
altering the binary sequence of the corresponding audio file.

• Video steganography allows for hiding large amounts of data in digital video
formats, combining image and audio steganography techniques .

• There are two classes of video steganography: embedding data in uncompressed
raw video and then compressing it, or embedding data directly into compressed
data streams.

• Network steganography involves embedding information within network control
protocols, such as TCP, UDP, and ICMP.

• Email steganography is a lesser-known type of steganography that involves hiding
files within email headers.

• A steganographic technique must possess certain features, including transparency,
robustness, and tamper resistance.

• Transparency refers to the ability of the cover media to hide data without
degradation or distortion.

• Robustness is the ability of the hidden message to remain undamaged even if the
stego media undergoes transformations, such as cropping or scaling .

• Tamper resistance is the ability of the steganographic technique to prevent an
attacker from altering or damaging the original data.

• A steganographic model involves a cover object or cover file, which is used to
hide secret information, and can be an image, video, audio, or network file, with
the secret message being the information to be hidden in the cover object.

• A stego key is sometimes used, which is a key to embed data in a cover and
extract data from the stego medium, providing extra security.

• The steganographic encoder uses a steganographic method or function to embed
the secret message into the cover object, taking the cover file, secret message, and
key as inputs.

• The embedding process generates a stego object, which looks exactly like the
cover object, and is sent to the receiver through a network without encryption.

• To extract the secret message, the receiver feeds the stego object into a
steganographic decoder, which also takes the key as an input, and gets the secret
message as a result.

• To make the process more secure, encryption can be added as an extra step, where
the sender encrypts the secret message along with an encryption key before
feeding it into the steganographic encoder.

• The encrypted message, along with the stego key and cover file, is fed into the
steganographic encoder, generating a stego object, which is sent to the receiver
using a secure communication channel.

• The receiver feeds the stego object and stego key into the steganographic decoder,
gets the cipher text, and then feeds the cipher text and decryption key into a
decryption algorithm to get the secret message.

• Steganography is a technique used to hide secret data inside an image, video, or
any other cover object, and the various steganographic methods or techniques work
by using different algorithms or encryption algorithms to embed data into the
cover object.

• One of the most popular steganographic techniques is LSB (Least Significant
Bit) steganography, which is used to write secret messages inside an image.

• A digital image is a finite set of digital values called pixels, and each pixel can be
one color at a time, typically represented using a binary code.

• The RGB color model is an additive color model in which red, green, and blue
light are combined together in different ways to reproduce a broad array of colors,
and each of these can be represented using a binary code.

• In binary values, the leftmost bit is the most significant bit and the rightmost bit is
the least significant bit; changing the most significant bit has a large impact on
the final value, while changing the least significant bit has a very small impact.

• LSB steganography uses this point by replacing the least significant bit of an
image or of a pixel in an image with a bit from the secret data to be hidden .

• The RGB color model uses 8-bit binary values to represent each color, allowing
for the display of about 256 colors .

• Pixels are so small that they often blend together to form new colors, and
thousands or even millions of individual pixels together make up an image .

• The color of a pixel is usually determined by the number of bits used to represent
it, and in this case, 8 bits are used .

• The Least Significant Bit (LSB) technique is a method of steganography that
works well for image, audio, and video steganography, and it alters the original
output very slightly, making the cover image and the stego image look identical.

• To insert data into an image using the LSB technique, the binary representation of
the data is used, and the least significant bits of the pixels in the image are
replaced with the bits of the data .

• The RGB color model is used, with 8 bits to represent each of the red, green, and
blue values, and three consecutive pixels (nine bytes) are needed to replace the
least significant bits with the bits of the data .

• The process of replacing the least significant bits with the bits of the data does not
make significant changes to the image, and the final result or stego image is very
much identical to the actual image .

• On average, the LSB technique changes only half of the bits it writes to in an image
(the other half already hold the wanted value), and it is possible to hide data in the
least and second least significant bits without being discernible to the human eye.

• The concept of LSB steganography makes use of the fact that changing the least
significant bit does not make much change to the actual image, and it replaces the
least significant bits in the cover object with the binary bits of the secret message .

• The steps involved in using the LSB technique to hide secret text in an image
include encoding the text into the image, loading an image and considering each
pixel's decimal value, converting the secret text into its binary form, and storing
the secret message bits into the least significant bits of the image pixels .
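The steps listed above carried out in code, as an added example that is not the course's own: LSB embedding and extraction over a constructed pixel buffer, using the three-pixel (nine-byte) layout the text describes, with eight LSBs carrying one character and the ninth LSB acting as an end-of-message flag. The helper names and the pseudo-random cover are constructed for this demonstration.

```python
"""LSB steganography over a constructed RGB sample buffer.

Added example, not code from the course. Works on raw bytes (each byte one
8-bit colour sample) rather than an image file; the cover is pseudo-random.
"""
import random


def make_cover(n_bytes: int, seed: int = 7) -> bytes:
    """Constructed cover: n_bytes of pseudo-random 8-bit colour samples."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(n_bytes))


def embed_lsb(cover: bytes, secret: str) -> bytes:
    """Write each bit of the secret into the least significant bit of a sample.

    Nine samples (three RGB pixels) per character: eight carry the character's
    bits, most significant first; the ninth's LSB is 1 only on the last one."""
    data = secret.encode("utf-8")
    if not data:
        raise ValueError("nothing to hide")
    if len(data) * 9 > len(cover):
        raise ValueError(f"cover too small: need {len(data) * 9} bytes")
    stego = bytearray(cover)
    pos = 0
    for idx, byte in enumerate(data):
        for shift in range(7, -1, -1):
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
        end_flag = 1 if idx == len(data) - 1 else 0
        stego[pos] = (stego[pos] & 0xFE) | end_flag
        pos += 1
    return bytes(stego)


def extract_lsb(stego: bytes) -> str:
    """Read LSBs back in groups of nine until the end flag is seen."""
    out = bytearray()
    pos = 0
    while pos + 9 <= len(stego):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (stego[pos] & 1)
            pos += 1
        out.append(byte)
        end_flag = stego[pos] & 1
        pos += 1
        if end_flag:
            break
    return out.decode("utf-8", errors="replace")


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any colour sample; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def changed_fraction(cover: bytes, stego: bytes, n_used: int) -> float:
    """Share of the used samples whose LSB actually flipped: about half on
    average, because half of the cover bits already hold the wanted value."""
    return sum(a != b for a, b in zip(cover[:n_used], stego[:n_used])) / n_used
```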
Steganography tools
• There are various tools available that can hide secret messages behind image,
audio, or video files, such as Steghide, GoHide, Xiao Steganography, SSuite Picsel, and
OpenPuff.

• StegHide is an open-source steganography software that lets users hide secret files
or audio files in an image or audio file without noticeable changes.

• StegHide is a command-line software, requiring users to learn command-line
operations to use it, and can be installed using the command "sudo apt-get install
steghide" in Ubuntu.

• The StegHide command includes options to embed or extract data, use a cover
object, compress and encrypt the file, and display information about the file after
encryption.

• When embedding data, StegHide prompts the user for a passphrase, which serves
as a key or password to ensure the right user is accessing the hidden data.

• StegHide provides examples of commands, including embedding a file using the
command "steghide embed -cf <cover_file> -ef <secret_file>".

• To use StegHide, users need to specify the cover object, secret message, and
passphrase, and the software will embed the secret message in the cover object.

• Steghide is a tool used for steganography, and it can be used to extract data from
an image file using the command "steghide extract" followed by the name of the
file, in this case, "dogs.g" .

• The extraction process requires a passphrase for security purposes, and once the
data is extracted, it is saved to a file named "message.txt" .

• The "info" command in Steghide can be used to extract information about the file,
including its format, capacity, and whether it contains any embedded data .

• Steghide also provides an option to embed data into an image file, and it allows
users to set a passphrase to protect the embedded data .

• An alternative to entering the passphrase manually is to use the "-p" option
followed by the passphrase, which skips the manual entry step.

• StegoSuite is another steganography tool that can be used to hide confidential
information in image files, and it is written in Java.

• StegoSuite allows users to select an image file and embed text or secret data into
it, and it also provides an option to set a password to protect the embedded data .
• Once the data is embedded, the resulting image file can be saved, and the
embedded data can be retrieved by opening the image file in StegoSuite and
entering the password.

• Xiao Steganography is a free software that can be used to write secret files in BMP
format.

• A steganography tool can be used to hide files within bitmap images or WAV
files, and it supports encryption in multiple formats .

• To use the tool, load a BMP or WAV file, add the file to be hidden, select an
encryption format, and enter a password .

• The tool allows users to select from various encryption algorithms, such as RC4,
Triple DES, and more .

• Once the file is embedded, it can be saved with a new name, and the final file will
appear similar to the original BMP image, but with the hidden data .

• To extract the hidden file, load the source file, enter the password, and click
extract .

• The extracted file can be saved, and the process can be repeated to hide and
extract different types of files, including Excel, Word, and image files .

• Another tool, SSuite Picsel, uses a different approach to hide information, where an
image file is used as a key to protect the hidden text inside an image.

• In Picsel, users need to enter another image as a key, instead of a password, to hide
and unhide text inside an image.

• The tool requires three images: the original image, the Delta image (which acts as
a key), and the encrypted image .

• Users can enter a message to be hidden, encrypt it, and save the image, and then
extract the message later by opening the original image and decrypting it .

• To decrypt an image using a steganographic tool, one needs to reset, click on open
original image, give the original image used for encryption, and then click on
decrypt image, using the original image as a key to extract or hide data inside the
encrypted image .

• The steganographic tool functions by extracting data hidden inside an image, and
the process is slightly different from other steganographic tools .

• Ethical hackers have various roles and responsibilities beyond penetration testing
of systems and applications .

• Some of the operations performed by ethical hackers include scanning open and
closed ports using the nmap tool.

• Ethical hackers engage in social engineering methodologies and examine patches
released to perform various vigorous tests.

• Ethical hackers are responsible for much more than just penetration testing, and
there is a general misconception about their role in the industry .

Ethical hacking and roles in ethical hacking

• Ethical hackers perform vulnerability analysis, evade intrusion prevention
systems, and employ strategies such as sniffing networks, bypassing and cracking
wireless encryption, and hijacking web services to replicate the work of black hat
hackers and analyze an organization's defense protocols and social engineering
aspects .

• The job role of an ethical hacker is to protect the privacy of the organization they
work for, report any breaches in the system to the corresponding division, and
update hardware and software vendors regarding vulnerabilities found in the
products used .

• Ethical hacking is important because data has become an invaluable resource, and
the preservation of privacy and integrity of data has increased in importance, with
almost every business having an internet-facing side that makes endpoints
vulnerable to attacks.

• Hackers have proven themselves to be creative geniuses in penetrating systems,
and organizations need someone with the same training to fight off these hackers,
with recent hacking incidents leading to losses amounting to millions of dollars.

• To become an ethical hacker, one's current field of occupation, study, or research
is crucial, and those not in a related field may need to shift to one, with a
bachelor's degree being helpful but not necessary.

• Ethical hackers must be creative thinkers, able to predict and prevent cracking
activities, think like hackers, work under pressure with good judgment, and be
proficient at communicating problems to the corresponding department.

• Those who are skeptical about going to college could consider a career in the
military, particularly in the intelligence faction, which could help get their resume
noticed by employers .

• Getting a job as an ethical hacker prior to getting industry experience is difficult,
but after getting an entry-level job such as a tech support engineer or security
analyst, one may try attending partnered certification programs.

• Having a certification in cyber security can give an individual an edge over others
when applying for a job, as it helps prove their knowledge and skills to others,
even without ample industry experience.

• The Certified Ethical Hacker (CEH) certification is an unbiased credential that is
highly valued, and CEH certified individuals are in high demand, with an average
annual salary of around $88,000 according to PayScale.

• Other noteworthy certifications in the field of cyber security include SANS
certification, Certified Vulnerability Assessor, Certified Professional Ethical
Hacker, and Certified Penetration Testing Engineer.

• Ethical hackers should possess certain key skills, including experience in various
operating systems, primarily Linux and its distributions .

• In-depth knowledge of networking is also crucial for a successful ethical hacking
career, including skills such as packet tracing, packet sniffing, intrusion
detection and prevention, and subnet scanning.

• Programming is another important skill for ethical hackers, although the specific
programming languages are not mentioned .

Ethical hacking tools

• Programming is a vital skill for an ethical hacker, as it helps in implementing
solutions to problems, automating tasks, identifying and exploiting programming
errors in applications, and customizing pre-existing tools to cater to specific needs.

• Ethical hackers are problem solvers and tool builders, and learning how to
program enables them to perform these tasks effectively .

• Nmap (Network Mapper) is a widely used reconnaissance tool in ethical hacking that
discovers live hosts, open ports and the services running on a target, and it is
cross-platform, working on Mac, Linux, and Windows.
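The kind of port discovery Nmap automates, shown as an added example that is not part of the course or of the Nmap project: a TCP connect scan written in Python against a throwaway listener started in the same process, so it runs offline. The listener, the 127.0.0.1 target and the list of candidate ports are constructed for the example.

```python
"""TCP connect scan: the simplest of the port-discovery techniques Nmap automates.

Added example; the listener it scans is started in-process so the script works offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 16) -> List[int]:
    """Return the sorted subset of `ports` on `host` that complete a TCP handshake.

    A connect scan finishes the three-way handshake, so every probe is visible to the
    service (and its logs); Nmap's default SYN scan stops after the SYN-ACK instead.
    """
    def probe(port: int):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port                      # a closed port would have raised; this one is open
            except (ConnectionRefusedError, socket.timeout, OSError):
                return None                      # refused (closed) or no answer (filtered)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, list(ports)) if p is not None)


def start_dummy_service(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind an OS-chosen port and accept-and-close connections; stands in for a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:                      # listener closed: stop
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> Tuple[int, List[int]]:
    """Scan the dummy service's port plus four neighbours; returns (open_port, ports_found)."""
    srv, open_port = start_dummy_service()
    try:
        # Assumption: nothing else happens to be listening on the neighbouring ports.
        candidates = [open_port + d for d in (-2, -1, 0, 1, 2)]
        return open_port, tcp_connect_scan("127.0.0.1", candidates)
    finally:
        srv.close()


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; open ports found: {found}")
```

Against a real target the same loop is what `nmap -sT` does; `nmap -sV` goes further and reads service banners, which this example does not attempt.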

• Netsparker is a web application security testing tool that finds and reports web
application vulnerabilities, such as SQL injection and cross-site scripting, and
provides a proof of concept to confirm the identified vulnerabilities .

• Burp Suite is a Java-based web penetration testing framework (offered in Community,
Professional and Enterprise editions) that helps identify vulnerabilities and verify
attack vectors affecting web applications, and it is widely used by information
security professionals.

• Metasploit is an open-source penetration testing framework written in Ruby that acts
as a public resource for researching security vulnerabilities and developing exploit
code, allowing network administrators to break into their own network to identify
security risks and document vulnerabilities.

Cybersecurity interview questions

• Today's generation relies heavily on the internet, but general users are often
unaware of how data is transmitted securely, making it essential to have protocols
in place to protect against cyber attacks .

• Cyber attacks are constantly evolving, with hackers becoming smarter and more
creative in their methods, highlighting the need for effective cyber security
measures .

• Cyber security is a combination of processes, practices, and technologies designed
to protect networks, computers, programs, data, and information from attack,
damage, or unauthorized access.

• A home network can serve as a test environment for experimentation and learning,
and can include various devices such as a dedicated firewall appliance, a network-
attached storage device, and gaming consoles .

• Encryption is the process of converting data into an unreadable form to prevent
unauthorized access, and is important for protecting sensitive information.

• There are two types of encryption: symmetric encryption, which uses the same
secret key for both encryption and decryption, and asymmetric encryption, which
uses a key pair, a public key for encryption and a private key for decryption.

• Symmetric encryption is faster but requires both parties to hold the same secret key,
which must be distributed securely, while asymmetric encryption is slower but avoids
sharing a secret, since only the public key travels. Examples of symmetric ciphers
include DES and 3DES (both now obsolete in favour of AES), and examples of
asymmetric algorithms include RSA and Diffie-Hellman (the latter is a key-agreement
protocol rather than an encryption algorithm).

• The CIA Triad is a baseline standard for evaluating and implementing information
security, and consists of three components: confidentiality, which ensures that
data is accessible only to authorized individuals, integrity, and availability .

• Confidentiality measures are designed to prevent sensitive information from
reaching the wrong people while ensuring that the right people can access it.

• Integrity measures ensure that data is kept properly and not meddled with in an
unauthorized way, and include file permission and user access controls .

• Availability measures ensure that data and computers are available as needed by
authorized parties .

• A threat refers to someone or something with the potential to do harm to a system
or organization.

• A vulnerability is a weakness of an asset that can be exploited by one or more
attackers.

• Risk refers to the potential for loss or damage when a threat exploits a
vulnerability .
• Risk assessment can be either quantitative or qualitative, and is suitable for both
technical and business purposes .

• Risk reporting involves assessing risk first, and then reporting it to the relevant
audience .

• An Intrusion Detection System (IDS) detects intrusions and raises alerts but does not
block traffic, whereas an Intrusion Prevention System (IPS) detects intrusions and
can drop or reset the offending traffic.

• The positioning of IDS and IPS devices in a network differs, despite both working
on the same concept: an IDS sits out of band, watching a copy of the traffic from a
tap or mirror port, while an IPS sits inline on the traffic path so that it can block.

• Cybersecurity frameworks, such as PCI DSS, ISO 27001 and 27002, and the CIS
Controls, provide guidance for organizations to manage and reduce cybersecurity risks.

• A weak information security policy is one that does not meet the criteria of an
effective policy, including distribution, review, comprehension, compliance, and
uniformity .

• A weak information security policy is also one that is not readily available for
review by employees, or is not understood by employees .

• To configure a firewall, steps include changing the default username and
password, and setting up the firewall according to the organization's needs.

• Remote administration should be disabled from the outside network to prevent
unauthorized access.

• Port forwarding should be configured only for the services that must be reachable
from outside, such as a web server or FTP server.

• When installing a firewall in a network with an existing DHCP server, the
firewall's DHCP server should be disabled to avoid conflicts.

• Logging should be enabled to troubleshoot firewall issues or investigate potential
attacks, and it is essential to know how to view the logs.

• A firewall should be configured to enforce the organization's security policy: deny
by default and allow only the traffic that the policy requires.
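The remote-administration, port-forwarding, logging and default-deny steps above, modelled as an added example that is not from the course or any firewall product: a small first-match packet filter in Python, evaluated over constructed traffic. The LAN range, the firewall's admin address, the web server address and the sample packets are all assumptions made for the example.

```python
"""Order-sensitive packet-filter policy modelling the firewall steps above.

Added example: the networks, hosts and traffic samples are constructed; on a real
appliance these rules would be entered in its rule table (or an nftables ruleset).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LAN = "192.168.1.0/24"           # assumed internal network
FIREWALL_LAN_IP = "192.168.1.1"  # assumed address of the firewall's admin interface
WEB_SERVER = "192.168.1.10"      # assumed internal host that receives forwarded 80/443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    iface: str = "wan"           # side the packet arrived on: "wan" or "lan"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    iface: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None
    src_net: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every criterion that is set must match; unset criteria match anything."""
        return ((self.iface is None or self.iface == p.iface)
                and (self.dport is None or self.dport == p.dport)
                and (self.dst is None or ipaddress.ip_address(p.dst) == ipaddress.ip_address(self.dst))
                and (self.src_net is None
                     or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)))


# First match wins, so the order encodes the policy: admin only from the LAN, then the
# published services, then deny everything else that arrives on the WAN side.
POLICY: List[Rule] = [
    Rule("admin-from-lan", "accept", iface="lan", dst=FIREWALL_LAN_IP, src_net=LAN),
    Rule("block-wan-admin", "drop", iface="wan", dst=FIREWALL_LAN_IP),
    Rule("forward-http", "accept", iface="wan", dport=80, dst=WEB_SERVER),
    Rule("forward-https", "accept", iface="wan", dport=443, dst=WEB_SERVER),
    Rule("default-deny-wan", "drop", iface="wan"),
    Rule("allow-lan", "accept", iface="lan"),
]


def evaluate(policy: List[Rule], p: Packet, log: List[str]) -> str:
    """Return the action for `p`; drops are logged with the rule that caused them."""
    for rule in policy:
        if rule.matches(p):
            if rule.action == "drop":
                log.append(f"DROP {p.proto} {p.src}->{p.dst}:{p.dport} via {p.iface} [{rule.name}]")
            return rule.action
    log.append(f"DROP {p.proto} {p.src}->{p.dst}:{p.dport} via {p.iface} [implicit-deny]")
    return "drop"


def run_samples() -> Tuple[Dict[str, str], List[str]]:
    """Constructed traffic exercising each step; returns (verdict per sample, drop log)."""
    log: List[str] = []
    samples = {
        "wan visitor to forwarded https": Packet("203.0.113.7", WEB_SERVER, 443),
        "wan attempt at firewall admin": Packet("203.0.113.7", FIREWALL_LAN_IP, 443),
        "wan attempt at ssh on web server": Packet("203.0.113.7", WEB_SERVER, 22),
        "lan admin session to firewall": Packet("192.168.1.20", FIREWALL_LAN_IP, 443, iface="lan"),
        "lan host browsing out": Packet("192.168.1.20", "198.51.100.5", 443, iface="lan"),
    }
    return {name: evaluate(POLICY, p, log) for name, p in samples.items()}, log


if __name__ == "__main__":
    verdicts, log = run_samples()
    for name, action in verdicts.items():
        print(f"{action:6} {name}")
    print("\n".join(log))
```

The ordering is the point: if the forwarding rules were written without a destination host, or placed above the admin block, an attacker on the WAN could reach the management interface on port 443. The log entries carry the rule name so that a blocked connection can be traced back to the policy line that dropped it.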

• SSL (Secure Sockets Layer) is a protocol that enables safe communication between
two parties by encrypting the traffic and using certificates to verify the identity
of the server on the other end.

• HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over SSL/TLS,
providing a safer browsing experience through encryption and server authentication.

• TLS (Transport Layer Security) is the successor to SSL and offers better security;
all SSL versions are now deprecated, so modern HTTPS uses TLS 1.2 or 1.3.

• Salted hashes defend against dictionary attacks and precomputed (rainbow) tables by
mixing a random salt value into the password before it is hashed, so that identical
passwords produce different hashes and one precomputed table cannot be reused
against every account.
• To prevent identity theft, use a strong and unique password, avoid sharing
confidential information online, shop from known and trusted websites, use the
latest version of your browser, and install up-to-date anti-malware and anti-spyware tools.

• To prevent Man-in-the-Middle (MITM) attacks, use authenticated encryption between
both parties, typically TLS with certificate verification, so that each side can
verify who it is talking to before exchanging data.

• To prevent security breaches, avoid using open Wi-Fi networks, and if you must use
one, use a browser extension that forces HTTPS (TLS) for every site.

• Encoding is used to transform data so that it can be properly and safely consumed
by a different type of system, with examples including ASCII, Unicode, URL
encoding, and base64, and its goal is not to keep information secret but to ensure
it's able to be properly consumed .

• Encryption is used to transform data in order to keep it secret from others, with
examples including AES, Blowfish, and RSA, and its goal is to ensure that data
cannot be consumed by anyone other than the intended recipient .

• Hashing serves the purpose of ensuring integrity, making it detectable that
something has changed, with examples including SHA-3, SHA-256 and MD5 (MD5 is no
longer collision-resistant and should not be used where security matters).

• To secure a server, four simple ways include having a secure password for the
root and administrator user, making new users on the system, removing remote
access from the default or root administrator accounts, and configuring firewall
rules for remote access .

• A DDoS (Distributed Denial of Service) attack occurs when a network or server is
flooded, from many sources at once, with more requests than it can handle, making it
unavailable to legitimate clients; it can be mitigated by diverting traffic through
scrubbing centers that analyze it and filter out the attack traffic.

• DNS (Domain Name System) monitoring is important because DNS is what makes
websites reachable by name, working like a directory for everything on the internet,
and DNS logs can reveal information for forensic analysis, such as botnets and
malware resolving their command-and-control (C2) server.

• A three-way handshake in the Transmission Control Protocol (TCP) is the method a
device uses to set up a reliable connection over an Internet Protocol network,
involving three messages (SYN, SYN-ACK, ACK) that negotiate sequence numbers and
establish the connection.
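The handshake just described, together with the flooding attack from the DDoS bullet above, as one added example that is not from the course: a small Python model in which the server keeps a bounded table of half-open connections, a client completes SYN / SYN-ACK / ACK with proper sequence and acknowledgement numbers, and a SYN flood from spoofed sources fills the table so that a legitimate client can no longer connect. The backlog size, the client names and the flood size are assumptions for the example; it is a model, not a real TCP stack.

```python
"""Simulated TCP three-way handshake and the SYN flood that abuses it.

Added example: a tiny model, not a real TCP stack; sequence numbers are 32-bit like TCP's,
but there is no retransmission, timeout or checksum.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str                 # sender identifier, standing in for IP:port
    seq: int                 # sequence number
    ack: int = 0             # acknowledgement number, meaningful only when ack_flag is set
    syn: bool = False
    ack_flag: bool = False


class TcpListener:
    """Server side of the handshake with a bounded table of half-open connections."""

    def __init__(self, backlog: int = 8):
        self.backlog = backlog
        self.half_open: Dict[str, Tuple[int, int]] = {}   # src -> (server ISN, client ISN)
        self.established: Set[str] = set()
        self.dropped_syns = 0

    def receive(self, seg: Segment) -> Optional[Segment]:
        # Steps 1 -> 2: a SYN reserves a half-open slot and is answered with SYN-ACK.
        if seg.syn and not seg.ack_flag:
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1                      # table full: new clients are refused
                return None
            server_isn = random.getrandbits(32)
            self.half_open[seg.src] = (server_isn, seg.seq)
            return Segment("server", seq=server_isn, ack=(seg.seq + 1) & MASK32,
                           syn=True, ack_flag=True)
        # Step 3: the final ACK must acknowledge server ISN + 1 and continue the client's sequence.
        if seg.ack_flag and not seg.syn and seg.src in self.half_open:
            server_isn, client_isn = self.half_open[seg.src]
            if seg.ack == (server_isn + 1) & MASK32 and seg.seq == (client_isn + 1) & MASK32:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None


def connect(server: TcpListener, client: str) -> bool:
    """Client side: send SYN, check the SYN-ACK, send ACK; True once the server has established."""
    client_isn = random.getrandbits(32)
    syn_ack = server.receive(Segment(client, seq=client_isn, syn=True))
    if syn_ack is None or syn_ack.ack != (client_isn + 1) & MASK32:
        return False                                        # no answer, or our SYN was not acknowledged
    server.receive(Segment(client, seq=(client_isn + 1) & MASK32,
                           ack=(syn_ack.seq + 1) & MASK32, ack_flag=True))
    return client in server.established


def syn_flood(server: TcpListener, count: int) -> int:
    """SYNs from spoofed sources that never ACK; returns how many SYNs the server had to drop."""
    for i in range(count):
        server.receive(Segment(f"spoofed-{i}", seq=random.getrandbits(32), syn=True))
    return server.dropped_syns


def demo() -> Tuple[bool, int, bool]:
    """Returns (handshake before flood, SYNs dropped by a flood of 20, handshake during flood)."""
    server = TcpListener(backlog=8)
    before = connect(server, "alice")
    dropped = syn_flood(server, 20)
    during = connect(server, "bob")
    return before, dropped, during


if __name__ == "__main__":
    print(demo())
```

The half-open table is the resource the flood exhausts: the spoofed sources never send the third message, so their slots are never released. Real stacks defend with SYN cookies (encoding the state in the server's ISN instead of storing it) and by timing out half-open entries, neither of which this model includes.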

• Black hat hackers have extensive knowledge about breaking into computer
networks and bypassing security protocols, and their primary motivation is usually
for personal or financial gain .

• White hat hackers, also known as ethical hackers, use their power for good and are
sometimes paid employees or contractors working for companies as security
specialists to find security holes via hacking with the owner's permission .
• Gray hat hackers are a blend of black hat and white hat hackers, often looking for
vulnerabilities in a system without the owner's permission or knowledge, and
reporting them to the owner, sometimes requesting a small fee to fix the issue .

• Patches should be applied as soon as they are released for Windows and network
devices, and rolled out to all machines within one month at the latest, following a
proper patch management process.

• Application security is the practice of improving the security of applications using
software, hardware, and procedural methods, with countermeasures such as
application firewalls that limit the execution of files or the handling of data.

• Penetration testing helps identify and address security vulnerabilities, whereas
software testing focuses on the functionality of the software and not on its security.

• A good penetration tester thinks differently than a software tester, looking for
small vulnerabilities that were not mitigated, and software security testers usually
know the full details of the system or software .

• The traceroute command (tracert on Windows) shows the path a packet takes from a
computer to a specified destination, listing each router it passes through and the
time each hop takes.

• Common cyber attacks include malware, malicious software that black hat hackers
use to gain access to systems.
