Cyber 1,2


Cyber Security

Question Bank

Unit-1

1. Explain passive attacks and active attacks with respect to cyber criminals?
A. Passive Attack:
Attacks in which a third-party intruder tries to access the message/content/data being shared by the sender and receiver by keeping a close watch on the transmission, or by eavesdropping on it, are called passive attacks. These attacks involve the attacker observing or monitoring system, network, or device activity without actively disrupting or altering it. Passive attacks are typically focused on gathering information or intelligence rather than causing damage or disruption.
Here, neither the sender nor the receiver has any clue that their message/data is accessible to a third-party intruder. The message/data transmitted remains in its usual form, without any deviation from its usual behavior. This makes passive attacks very risky, as nothing in the communication process indicates that an attack is happening. One way to prevent passive attacks is to encrypt the message/data that needs to be transmitted; this prevents third-party intruders from making use of the information.
Passive attacks are further divided into two types based on their behavior:
• Eavesdropping: This involves the attacker intercepting and listening to communications between two or more parties without their knowledge or consent. Eavesdropping can be performed using a variety of techniques, such as packet sniffing or man-in-the-middle attacks.
• Traffic analysis: This involves the attacker analyzing network traffic patterns and metadata to gather information about the system, network, or device. Here the intruder cannot read the message but can only observe the pattern and length of the encrypted traffic.
Example of a Passive Attack:
Packet Sniffing: An attacker uses a packet sniffer tool to intercept and capture data packets as they travel across a network. By analyzing the captured packets, the attacker can obtain sensitive information such as usernames, passwords, or confidential documents. This is particularly effective if the transmitted data is not encrypted.

B. Active Attacks:
Active attacks are attacks in which the attacker actively disrupts or alters system, network, or device activity. Active attacks are typically focused on causing damage or disruption rather than gathering information or intelligence. Here, neither the sender nor the receiver has any clue that their message/data has been modified by a third-party intruder. The message/data transmitted does not remain in its usual form and shows deviation from its usual behavior. This makes active attacks dangerous, as nothing in the communication process announces the attack, and the receiver is not aware that the data/message received is not from the sender.
Active attacks are further divided into four types based on their behavior:
• Masquerade is a type of attack in which the attacker pretends to be an authentic sender in order to gain unauthorized access to a system.
• Replay is a type of active attack in which the attacker intercepts a transmitted message through a passive channel and then maliciously or fraudulently replays or delays it at a later time.
• Modification of Message involves the attacker altering the transmitted message so that the final message received by the receiver is unsafe or meaningless.
• Denial of service (DoS) attacks involve the attacker sending a large volume of traffic to a system, network, or device in an attempt to overwhelm it and make it unavailable to legitimate users.
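The three message-level active attacks listed above (masquerade, replay, modification) are the ones a receiver can detect with a keyed message authentication code plus a per-sender sequence number. The following worked example is added here to illustrate that and is not part of the question bank; the shared key, the sender names and the message bodies are constructed for the demonstration.

```python
import hmac
import hashlib
import json

# Constructed shared secret for this example only; a real deployment provisions
# keys out of band and never hard-codes them.
SHARED_KEY = b"example-shared-key-not-for-production"


def protect(key, sender, seq, body):
    """Build a message carrying an HMAC-SHA256 tag over sender, seq and body.

    Any change to those fields (modification, or a masquerade by someone who
    lacks the key) yields a different tag, so the receiver can reject it.
    """
    msg = {"sender": sender, "seq": seq, "body": body}
    data = json.dumps(msg, sort_keys=True).encode()
    msg["mac"] = hmac.new(key, data, hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Verifies the tag and remembers the highest sequence number accepted per
    sender, so a message captured on the wire and resent later is refused."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}

    def accept(self, msg):
        fields = {k: msg.get(k) for k in ("sender", "seq", "body")}
        data = json.dumps(fields, sort_keys=True).encode()
        expected = hmac.new(self.key, data, hashlib.sha256).hexdigest()
        # compare_digest runs in constant time, so timing does not leak the tag.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "rejected: bad MAC (modified or forged)"
        if not isinstance(fields["seq"], int) or fields["seq"] <= self.last_seq.get(fields["sender"], -1):
            return "rejected: stale sequence number (replay)"
        self.last_seq[fields["sender"]] = fields["seq"]
        return "accepted"


def demo():
    """Run the attack cases from the text against one receiver; returns the verdicts."""
    rx = Receiver(SHARED_KEY)
    genuine = protect(SHARED_KEY, "alice", 1, "transfer 10 to bob")
    verdicts = {"genuine": rx.accept(genuine)}
    # Replay: the identical message captured on the wire and resent later.
    verdicts["replay"] = rx.accept(dict(genuine))
    # Modification: body changed in transit, tag left untouched.
    tampered = dict(genuine, body="transfer 1000 to mallory")
    verdicts["modified"] = rx.accept(tampered)
    # Masquerade: an intruder without the shared key signs with a key of their own.
    forged = protect(b"wrong-key", "alice", 2, "transfer 10 to mallory")
    verdicts["masquerade"] = rx.accept(forged)
    # A fresh, correctly keyed message with a higher sequence number still goes through.
    verdicts["next"] = rx.accept(protect(SHARED_KEY, "alice", 2, "transfer 5 to bob"))
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} -> {verdict}")
```

The MAC gives integrity and origin authentication, the sequence number gives freshness; neither hides the content, so the passive-attack defence from section A (encryption) is still needed on top, and a DoS attack is not addressed by either.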
2. What is the difference between Threat, Vulnerability, and Risk?
3. What is Cybercrime? Explain different types of Cybercrimes in
detail.
Cybercrime refers to illegal activities that involve computers,
networks, or the internet. These crimes are committed by individuals,
groups, or even state-sponsored actors who exploit digital systems
for malicious purposes. Cybercrimes can range from simple scams to
highly sophisticated attacks on critical infrastructure. They typically
target the confidentiality, integrity, or availability of data and
systems.
4. What is cyber security? Explain types of Cyber Security.
The technique of protecting internet-connected systems such as
computers, servers, mobile devices, electronic systems, networks,
and data from malicious attacks is known as cybersecurity. We can
divide cybersecurity into two parts one is cyber, and the other is
security. Cyber refers to the technology that includes systems,
networks, programs, and data. And security is concerned with the
protection of systems, networks, applications, and information. In
some cases, it is also called electronic information security or
information technology security.
• Network Security: It involves implementing the hardware and software to secure a computer network from unauthorized access, intruders, attacks, disruption, and misuse. This security helps an organization protect its assets against external and internal threats.
• Application Security: It involves protecting the software and devices from unwanted threats. This protection can be done by constantly updating the apps to ensure they are secure from attacks. Successful security begins in the design stage, with writing source code, validation, threat modeling, etc., before a program or device is deployed.
• Information or Data Security: It involves implementing a strong data storage mechanism to maintain the integrity and privacy of data, both in storage and in transit.
• Identity management: It deals with the procedure for determining the level of access that each individual has within an organization.
• Operational Security: It involves processing and making decisions on handling and securing data assets.
• Mobile Security: It involves securing the organizational and personal data stored on mobile devices such as cell phones, computers, tablets, and other similar devices against various malicious threats. These threats include unauthorized access, device loss or theft, malware, etc.
• Cloud Security: It involves protecting the information stored in the digital environment or cloud architectures of the organization. It uses various cloud service providers such as AWS, Azure, Google, etc., to ensure security against multiple threats.
• Disaster Recovery and Business Continuity Planning: It deals with the processes, monitoring, alerts, and plans for how an organization responds when any malicious activity is causing the loss of operations or data. Its policies dictate resuming the lost operations after any disaster to the same operating capacity as before the event.
5. List out the cyber security Challenges? Explain any three
Challenges in detail.
Cybersecurity is the main component of a country's overall national security and economic security strategies. There are many challenges related to cybersecurity. With the increase in cyber-attacks, every organization needs a security analyst who makes sure that their systems are secured. These security analysts face many challenges related to cybersecurity, such as securing confidential data of government organizations, securing private organizations' servers, etc.

Blockchain Revolution:-
Blockchain security relies on cryptographic keys. Users need to manage their private keys, which serve as the only means of accessing their blockchain assets or accounts. If a private key is lost or stolen, the user loses access to their funds permanently. Many individuals and companies have lost millions of dollars in cryptocurrency simply due to misplacing or failing to secure their private keys. The regulatory landscape surrounding blockchain technology and its applications, including cryptocurrencies, is still evolving. Without clear regulations, blockchain ecosystems may become havens for illegal activities such as money laundering, fraud, and cybercrime.
While blockchain ensures transparency, it also raises privacy concerns. Once data is recorded on a blockchain, it is immutable and viewable by anyone with access to the network. This can be problematic for sensitive personal data or confidential business information.

6. Write a note on Cyber Security Threats.
A cyber security threat refers to any possible malicious attack that
seeks to unlawfully access data, disrupt digital operations or damage
information. Cyber threats can originate from various actors,
including corporate spies, hacktivists, terrorist groups, hostile nation-
states, criminal organizations, lone hackers and disgruntled
employees.
7. What is Cyber Warfare? What Are the Types of Cyber Warfare?
Cyber warfare refers to the use of digital attacks by a nation-state,
organization, or individual to target the computers, networks, and
systems of another entity to cause disruption, damage, or access
sensitive data. It is a form of conflict where the primary weapons are
cyber tools, such as malware, viruses, and hacking techniques, rather
than traditional physical weapons. Cyber warfare can have political,
economic, or military objectives and is often designed to create
chaos, weaken an opponent, or gather intelligence.
Types of Cyber Warfare
1. Espionage
o Involves spying on other governments or organizations to
steal secrets, sensitive information, or intellectual
property. Cyber espionage uses techniques like phishing
and malware to infiltrate systems and extract data.
2. Sabotage
o This type targets critical infrastructure, such as power
grids, transportation systems, or communication
networks. The goal is to disrupt or destroy operations,
causing widespread damage and economic losses.
3. Denial of Service (DoS) Attacks
o A DoS or Distributed Denial of Service (DDoS) attack
overwhelms a target's system, server, or network with
excessive traffic, rendering it inaccessible to users. It can
paralyze websites, government services, or military
operations.
4. Propaganda
o The use of digital tools to spread misinformation,
disinformation, or fake news to influence public opinion,
manipulate elections, or destabilize a society. This type of
attack undermines trust in institutions and can lead to
political upheaval.
5. Economic Disruption
o Cyberattacks on financial systems or economic
infrastructure aim to destabilize economies. Attacks on
banks, stock markets, or corporations can result in
financial losses, theft of assets, or damage to the
economy of a nation.
6. Military Operations
o In military conflicts, cyber warfare can be used to disrupt
enemy command and control systems, radar, and
communication networks, reducing the opponent’s ability
to coordinate and respond to physical attacks.
7. Ransomware Attacks
o Ransomware involves encrypting a victim's data and
demanding payment in exchange for the decryption key.
Although it is typically used by criminals for financial gain,
it can also be employed by states to destabilize a nation or
organization.
8. Cyberterrorism
o Involves non-state actors or terrorist groups using
cyberattacks to achieve ideological or political goals, such
as causing fear, disruption, or harm to civilians,
governments, or organizations.
These types of cyber warfare can be employed alone or in
combination to achieve strategic goals in both domestic and
international conflicts.

8. What is CIA in cyber security? Explain CIA in detail.
9. Explain Cyber Terrorism, Cyber Terrorists, Cyber Spies, Cyber
Thieves, Cyber Warriors, Cyber Activists.
1. Cyber Terrorism:- Cyber terrorism refers to the use of digital
technologies and the internet to conduct acts of terrorism. These
acts are intended to cause fear, disrupt critical infrastructure, harm
individuals, or destabilize governments and societies. Cyber terrorism
can include attacks on power grids, communication networks,
financial systems, or public services, aiming to cause widespread
panic, physical damage, or even loss of life.
10. List out CyberSecurity of Critical Infrastructure. Explain any five
sector Critical Infrastructure for cyber security.
CyberSecurity of Critical Infrastructure consists of :-
1. The Energy Services Sector:- The Energy Sector is fundamental
to the operation of virtually every other critical infrastructure
sector. It encompasses the production, transmission, and
distribution of electricity, as well as the extraction, refining, and
distribution of oil and natural gas. The sector includes power
plants, electrical grids, pipelines, refineries, and renewable
energy sources such as wind and solar farms. The reliability and
security of energy infrastructure are essential for maintaining
the functionality of homes, businesses, and critical services
such as healthcare, communications, and transportation.
2. The Dams Sector
3. The Financial Services Sector:- The Financial Services sector is
vital for the stability and functioning of the economy. It includes
institutions such as banks, investment firms, insurance
companies, and payment processors that manage the flow of
money, provide financial products and services, and facilitate
transactions. This sector supports economic activity by
providing credit, managing risk, and ensuring the secure
transfer of funds.
4. The Nuclear Reactors, Materials, and Waste Sector
5. The Food and Agriculture Sector
6. The Water and Wastewater Systems Sector :- The Water and
Wastewater Systems sector is essential for public health,
sanitation, and the functioning of communities and industries.
It involves the sourcing, treatment, and distribution of potable
water, as well as the collection, treatment, and disposal of
wastewater. The sector ensures that clean drinking water is
available to households, businesses, and institutions, and that
wastewater is treated to remove contaminants before being
released back into the environment.
7. The Healthcare and Public Health Sector:- The Healthcare and
Public Health sector is crucial for maintaining the health and
well-being of populations. It includes hospitals, clinics,
laboratories, pharmacies, and public health agencies that
provide medical care, preventive services, and health-related
information. This sector is also responsible for responding to
health emergencies, such as pandemics, and ensuring that the
population has access to necessary medical treatments and
interventions.
8. The Emergency Services Sector
9. The Transportation Systems Sector:- The Transportation
Systems sector facilitates the movement of people and goods
across various modes of transportation, including air, rail, road,
and maritime. This sector is essential for the functioning of the
economy, enabling trade, commerce, travel, and the delivery of
essential goods such as food, fuel, and medical supplies. It
includes infrastructure such as airports, seaports, highways,
railroads, and mass transit systems.
10. The Chemical Sector
11. The Communications Sector
12. The Information Technology Sector
13. The Defense Industrial Base Sector
14. The Critical Manufacturing Sector
15. The Government Facilities Sector
16. The Commercial Facilities Sector

11. Explain DOS and DDOS Attack in detail.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are types of cyberattacks aimed at making a network service, website, or other online resource unavailable to its intended users. They do this by overwhelming the target with an excessive amount of traffic or by exploiting specific vulnerabilities in the target system.
1. Denial of Service (DoS) Attack:- The main forms of DoS attack are:
• Flood Attacks: The most common type of DoS attack involves flooding the target with a large volume of traffic. This traffic can overwhelm the target's resources, such as CPU, memory, or bandwidth, causing legitimate requests to be delayed or dropped. For example, a SYN flood attack sends numerous connection requests (SYN packets) to a server without completing the handshake process, tying up resources.
• Application-Layer Attacks: These attacks target specific applications or services running on the target system. For example, an attacker might repeatedly request a resource-intensive operation from a web server, exhausting its computational resources.
• Exploitation of Vulnerabilities: Some DoS attacks take advantage of specific vulnerabilities in the target system's software. For example, sending malformed or malicious packets that trigger bugs in the system's code, causing it to crash.
2. Distributed Denial of Service (DDoS) Attack:- A Distributed Denial
of Service (DDoS) attack is a more advanced and powerful form of a
DoS attack. In a DDoS attack, the attacker uses multiple systems,
often distributed across the globe, to launch a coordinated attack
against a single target. These systems are typically compromised
computers or devices that form a botnet, which is controlled by the
attacker.
• Botnet Formation: The attacker first infects a large number of computers or IoT devices with malware, turning them into bots. These bots are then networked together to form a botnet, which the attacker controls.
• Coordinated Attack: The attacker commands the botnet to send a massive volume of traffic or requests to the target system. Because the attack originates from multiple sources, it is more challenging to block or mitigate compared to a traditional DoS attack.
• Types of DDoS Attacks:
  o Volumetric Attacks: The most common type of DDoS attack, where the goal is to consume the target's bandwidth by overwhelming it with massive amounts of data. For example, a DNS amplification attack, where the attacker sends small requests to open DNS servers, which then respond with large amounts of data to the victim.
  o Protocol Attacks: These attacks exploit weaknesses in network protocols, such as TCP, to overwhelm resources. For example, a SYN flood attack, where the botnet sends numerous SYN requests to initiate TCP connections but never completes the handshake.
  o Application-Layer Attacks: These attacks target specific applications or services by overwhelming them with requests that appear legitimate. For example, an HTTP flood attack, where the botnet sends numerous HTTP requests to a web server, overwhelming its ability to process them.
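The SYN flood described in both the DoS and DDoS sections leaves a measurable trace on the defender's side: connection requests (SYN) that are never completed with the client's final ACK. The example below is added here and is not part of the question bank; it runs a simple half-open-connection detector over a constructed set of connection-tracking records and shows why the per-source threshold that catches a single-source flood misses the distributed case, which needs an aggregate threshold. The IP addresses, thresholds and window sizes are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed connection-tracking records: (timestamp_s, source_ip, event).
# "SYN" = a connection request arrived; "ACK" = that client completed the handshake.
SAMPLE_EVENTS = []


def _add(ts, src, n_syn, n_ack):
    """Helper to populate SAMPLE_EVENTS; half-open count for src is n_syn - n_ack."""
    for i in range(n_syn):
        SAMPLE_EVENTS.append((ts + i * 0.1, src, "SYN"))
    for i in range(n_ack):
        SAMPLE_EVENTS.append((ts + i * 0.1 + 0.05, src, "ACK"))


# Window 0-10 s: one legitimate client and one source sending 60 SYNs, completing none.
_add(0.0, "10.0.0.5", 5, 5)
_add(1.0, "203.0.113.7", 60, 0)
# Window 10-20 s: the same client plus 30 bots, each sending only 5 uncompleted SYNs.
_add(10.0, "10.0.0.5", 5, 5)
for i in range(1, 31):
    _add(11.0, f"198.51.100.{i}", 5, 0)
# Window 20-30 s: normal traffic only.
_add(20.0, "10.0.0.5", 5, 5)


def half_open_by_source(events, start, end):
    """Half-open (SYN without ACK) connection count per source inside [start, end)."""
    syn, ack = defaultdict(int), defaultdict(int)
    for ts, src, kind in events:
        if start <= ts < end:
            (syn if kind == "SYN" else ack)[src] += 1
    return {src: syn[src] - ack[src] for src in syn}


def classify_window(events, start, end, per_source_limit=20, aggregate_limit=100):
    """Label one time window as normal, single-source SYN flood, or distributed SYN flood.

    A single attacker trips the per-source limit; a botnet spreading the same
    load over many addresses stays under it, so the aggregate limit is needed too.
    """
    half_open = half_open_by_source(events, start, end)
    noisy = sorted(src for src, n in half_open.items() if n > per_source_limit)
    total = sum(n for n in half_open.values() if n > 0)
    if noisy:
        return "SYN flood (single-source)", noisy
    if total > aggregate_limit:
        return "SYN flood (distributed)", sorted(src for src, n in half_open.items() if n > 0)
    return "normal", []


if __name__ == "__main__":
    for start in (0, 10, 20):
        label, sources = classify_window(SAMPLE_EVENTS, start, start + 10)
        print(f"{start:2d}-{start + 10:2d}s: {label}, {len(sources)} source(s) implicated")
```

In practice the per-source verdict can feed a block or rate-limit rule, while the distributed verdict is the signal to enable SYN cookies or upstream scrubbing, since blocking thirty addresses that each sent five packets does not help.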
12. Explain Virus, worms, Trojan Horses and backdoors in detail
with example.
• Virus: A virus is a computer program or software that attaches itself to another software program to harm the computer system. When the infected program runs, the virus performs some action, such as deleting a file from the computer system. A virus cannot be controlled remotely. An infected program or file contains the virus, and once the host program or file is run, the virus executes its functions. Viruses are different from worms and cannot spread on their own without input from a human, for instance running an infected file.
Example:- Melissa Virus:- The Melissa virus was a macro virus that targeted Microsoft Word documents. It was embedded in a Word document, and when the document was opened, it activated the virus.
• Worm: A worm, on the other hand, is a standalone malware program that copies itself to other computers. Unlike a virus, a worm does not have to attach itself to an existing program. Worms take advantage of open holes in operating systems or applications, spread by themselves across networks, and consume a great deal of computing resources, which can slow down a system considerably.
Example: ILOVEYOU Worm: This worm, which spread rapidly in 2000, was distributed via email with a subject line of "I LOVE YOU." It appeared as a love letter and contained an infected attachment. Once opened, the worm replicated and sent itself to all contacts in the victim's address book, causing widespread damage and disruption.
• Trojan horse: A Trojan horse is a kind of malicious program that is disguised as a desirable piece of software. Trojans do not self-replicate like viruses and worms; they are separate programs that are covertly installed on computers. They trick users into downloading them, typically by disguising themselves as useful apps or by tricking the user into downloading an infected file. Once installed in a system, this type of malicious program can profit its operator by stealing important details, such as login details or credit card details.
Example: Zeus Trojan: Also known as Zbot, this Trojan is designed to steal sensitive information such as banking credentials and login details. It is often distributed through phishing emails or malicious websites. Once installed, Zeus can capture keystrokes, take screenshots, and exfiltrate sensitive data to the attacker.
• Backdoor: A backdoor is a method of bypassing normal authentication procedures to gain unauthorized access to a system or network. Backdoors are often used by attackers to maintain persistent access to compromised systems, even after other malware has been detected and removed.
Example: Netcat Backdoor: Netcat is a legitimate networking tool that can be used to create a backdoor if misconfigured. Attackers can use Netcat to open a network port on a compromised system, allowing them to remotely execute commands and gain control over the system.
13. Describe Phishing in detail with example.
Phishing is a form of online fraud in which hackers attempt to get your private information, such as passwords, credit card numbers, or bank account data. This is usually done by sending false emails or messages that appear to be from trusted sources like banks or well-known websites. They aim to convince you to hand over your information so that they can use it for fraud.
Example:- A Facebook friend request arrives from someone who has the same Facebook friends as you. You don't immediately recognize the person but assume the request is legitimate because of the friends in common. This new friend then sends you a Facebook message with a link to a video that, when clicked, installs malware on your computer and potentially the company network.
Types of Phishing Attacks
There are several types of phishing attacks, some of which are mentioned below.
• Email Phishing: The most common type, where users are tricked into clicking unverified spam emails and leaking secret data. Hackers impersonate a legitimate identity and send emails to mass victims. Generally, the goal of the attacker is to get personal details like bank details, credit card numbers, user IDs and passwords for online shopping websites, to install malware, etc.
• Spear Phishing: In spear phishing, a particular user (organization or individual) is targeted. In this method, the attacker first gathers full information about the target and then sends malicious emails to his/her inbox to trap him into typing confidential data.
• Whaling: Whaling is just like spear phishing, but the main target is the head of the company, like the CEO, CFO, etc. A high-pressure email is sent to such executives so that they don't have much time to think, and therefore fall prey to phishing.
• Smishing: In this type of phishing attack, the medium is SMS. Smishing works similarly to email phishing. SMS texts are sent to victims containing links to phishing websites, or inviting the victims to call a phone number or to contact the sender using the given email.
• Vishing: Vishing is also known as voice phishing. In this method, the attacker calls the victim using modern caller ID spoofing to convince the victim that the call is from a trusted source. It is generally used to steal credit card numbers or confidential data from the victim.
• Clone Phishing: In this type of phishing attack, the attacker copies email messages that were sent from a trusted source and then alters the content by adding a link that redirects the victim to a malicious or fake website.
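Several of the phishing variants above share the same observable tells in the message itself: a sender domain that imitates the brand named in the display name, a Reply-To that leads elsewhere, pressure language in the subject (whaling), and link text naming one site while the href points to another (clone phishing). The example below is added here and is not part of the question bank; it is a small indicator checker run over two constructed messages, one phishing and one legitimate. The brand name, trusted domain list, urgency word list and both messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand data: the real domain(s) the organisation sends mail from.
BRAND = "examplebank"
TRUSTED_DOMAINS = {"examplebank.com"}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.IGNORECASE)

# Constructed phishing message: lookalike sender, foreign Reply-To, pressure, disguised link.
PHISH_SAMPLE = """\
From: ExampleBank Security <alerts@examplebank-verify.example>
Reply-To: support@mail-relay.example
Subject: Urgent: your account has been suspended
Content-Type: text/html

<p>Verify now or lose access.</p>
<a href="http://198.51.100.23/login">https://www.examplebank.com/login</a>
"""

# Constructed legitimate message from the real domain with an honest link.
LEGIT_SAMPLE = """\
From: ExampleBank <alerts@examplebank.com>
Subject: Your monthly statement is available
Content-Type: text/html

<p>Your statement for March is ready.</p>
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>
"""


def sender_domain(header_value):
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return the indicator codes found in one message; an empty list means none fired."""
    msg = message_from_string(raw_message)
    found = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From"))
    # Brand name present in the display name or domain, but the domain is not a trusted one.
    if BRAND in (display_name + from_dom).lower() and from_dom not in TRUSTED_DOMAINS:
        found.append("lookalike-sender")
    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-mismatch")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENCY):
        found.append("urgency-language")
    # Visible link text that names one host while the href goes to a different one.
    for href, label in LINK_RE.findall(body):
        shown = urlparse(label.strip()).hostname if "://" in label else None
        if shown and shown != urlparse(href).hostname:
            found.append("link-mismatch")
            break
    return found


if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH_SAMPLE))
    print("legit:", phishing_indicators(LEGIT_SAMPLE))
```

Each indicator on its own is weak (legitimate mail sometimes uses a different Reply-To), so a mail gateway would score them rather than block on any single one; what the example makes concrete is that every variant in the list leaves at least one of these tells behind.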

Unit-2

1. What is vulnerability in Internet Crime?


Vulnerability refers to weaknesses or flaws in systems, software, networks, or even human behaviors that can be exploited by cybercriminals to gain unauthorized access, cause harm, or steal information. These vulnerabilities can arise from various factors, including:
• Software Vulnerabilities: Bugs or flaws in software that can be exploited by attackers to execute malicious actions, such as installing malware, gaining unauthorized access, or disrupting services. These are often the result of coding errors or insufficient security measures.
• Hardware Vulnerabilities: Flaws in the design or implementation of hardware components, like processors or network devices, that can be exploited to bypass security controls.
• Network Vulnerabilities: Weaknesses in the configuration or design of a network, such as open ports, unpatched systems, or insecure protocols, that allow attackers to penetrate the network and conduct malicious activities.
• Human Vulnerabilities: The exploitation of human behaviors, such as phishing, social engineering, or poor password practices, to trick individuals into divulging sensitive information or performing actions that compromise security.
• Physical Vulnerabilities: Situations where physical access to devices or facilities can be gained by unauthorized individuals, leading to potential exploitation.
• Organizational Vulnerabilities: Weaknesses in an organization's policies, procedures, or culture that might lead to inadequate security practices or lack of awareness, making it easier for cybercriminals to succeed in their attacks.
2. Explain Wireshark and how do we use Wireshark to find a
password in a network?
Wireshark is a popular and powerful network protocol analyzer, often
used by network administrators, security professionals, and
researchers to capture and analyze the traffic flowing across a
network. Wireshark allows users to see all the data being transmitted
over a network in real-time, down to the packet level. This granular
visibility makes it an invaluable tool for troubleshooting network
issues, monitoring network activity, and performing security
assessments.
Here is how Wireshark can be used to capture unencrypted passwords transmitted over the network:
1. Install and Open Wireshark
• Download and install Wireshark from the official website.
• Open Wireshark. You'll see a list of network interfaces (e.g., Ethernet, Wi-Fi) that you can monitor.
2. Select the Network Interface
• Choose the appropriate network interface that you want to monitor. For example, if you're monitoring Wi-Fi traffic, select the Wi-Fi interface.
• Click on the interface to start capturing traffic.
3. Start Capturing Traffic
• Once you've selected the interface, Wireshark will start capturing all traffic on that network. You'll see packets being displayed in real time as they are captured.
• The packets will contain various types of data, including HTTP requests, DNS queries, TCP connections, and more.
4. Apply a Filter
• To focus on potentially sensitive data, you can apply filters. For example, you might want to filter for HTTP traffic if you're trying to capture credentials sent over an unencrypted HTTP connection.
• A basic filter for HTTP traffic is: http. This will show only HTTP packets.
• If you suspect the password is being sent via a POST request in a web form, you can filter for HTTP POST requests: http.request.method == "POST".
5. Analyze Packets for Sensitive Information
• Look through the filtered packets for any that might contain usernames and passwords. Often, this information is sent in the clear over HTTP in the body of a POST request.
• Select a packet and inspect its details in the lower pane of the Wireshark interface. You might see the username and password in plaintext within the packet data if the connection is not encrypted.
6. Follow the TCP Stream
• To get a better view of the entire conversation between the client and the server, you can use Wireshark's "Follow TCP Stream" feature.
• Right-click on a packet that you suspect contains the login credentials and select "Follow" > "TCP Stream". This will display the entire conversation, including all data sent and received.
• If the data is not encrypted, you may see the username and password in the stream.
7. Search for Specific Strings
• Use Wireshark's search functionality to look for specific strings, such as username=, password=, or other key identifiers in the packet content.
• Go to "Edit" > "Find Packet" or press Ctrl+F, and search within the packet details for the relevant terms.
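What the steps above find by hand is, from a defender's point of view, an application that submits credentials over plain HTTP; the same check can be automated over the reassembled streams so that such applications are found and moved to HTTPS. The example below is added here and is not part of the question bank: it parses a constructed "Follow TCP Stream" payload the way steps 4 to 7 describe (POST, form-encoded body, credential-like field names), reports the host, path and field with the value masked, and shows that a TLS-wrapped stream yields nothing to inspect. The host name, form fields and byte strings are constructed for the demonstration.

```python
from urllib.parse import parse_qs

# Constructed client-to-server stream, as "Follow TCP Stream" would show a login form
# submitted over plain HTTP. The host, path and credentials are made up.
HTTP_LOGIN_STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 41\r\n"
    b"\r\n"
    b"username=jdoe&password=Winter2024%21&go=1"
)

# Constructed stand-in for the same login over HTTPS: a TLS handshake record header
# followed by opaque bytes. There is no HTTP structure to parse here.
TLS_STREAM = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x8f" * 20

# Form field names that usually carry a secret; extend to match the applications audited.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def parse_http_request(stream):
    """Split a raw request into method, path, headers and body; None if it is not HTTP."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, path, version = lines[0].split(" ", 2)
    except ValueError:
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def mask(value):
    """Keep only the first character so a report never reproduces the secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_cleartext_credentials(stream):
    """List credential-like form fields sent in a cleartext HTTP POST (values masked)."""
    req = parse_http_request(stream)
    if req is None or req["method"] != "POST":
        return []
    if "application/x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
        return []
    form = parse_qs(req["body"].decode("latin-1"))
    host = req["headers"].get("host", "?")
    findings = []
    for field, values in form.items():
        if field.lower() in CREDENTIAL_FIELDS:
            findings.append({"host": host, "path": req["path"],
                             "field": field, "value": mask(values[0])})
    return findings


if __name__ == "__main__":
    print("HTTP :", find_cleartext_credentials(HTTP_LOGIN_STREAM))
    print("TLS  :", find_cleartext_credentials(TLS_STREAM))
```

The Wireshark display filter from step 4, http.request.method == "POST", selects the same packets this function accepts; the difference is that an audit script can run over every stream in a capture and emit a list of hosts still accepting cleartext logins.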

3. Explain Virus and Worms, Trojan Horses and Backdoors.
(same as 12).
4. What is vulnerability scanning? Explain Types of vulnerability
scanning.
Vulnerability scanning usually refers to the scanning of systems that are connected to the Internet. It can also refer to system scanning or audits on internal networks that are not connected to the Internet, in order to assess the threat of malicious software. It makes it possible to know the basic security measures to take when installing and managing networks and websites.
Vulnerability scanners provide automated security auditing and play an important role in your IT security. They can scan your network and websites for up to thousands of different security risks, produce a list of the vulnerabilities found, and give steps on how to overcome or reduce them.

Here are the types of vulnerability scanning:
1. Cloud-Based Vulnerability Scanners:
  o These scanners are used to find vulnerabilities in cloud-based systems such as web applications and content management systems like WordPress and Joomla. They assess these systems to detect security issues that could be exploited over the cloud.
2. Host-Based Vulnerability Scanners:
  o These scanners are designed to find vulnerabilities on a single host or system. This can include individual computers, servers, or network devices like switches or core routers. The focus is on identifying system-specific weaknesses.
3. Network-Based Vulnerability Scanners:
  o These scanners are used to find vulnerabilities within internal networks by scanning for open ports and services. They determine if there are any open vulnerabilities within the network that could be exploited by attackers.
4. Database-Based Vulnerability Scanners:
  o These scanners are used to identify vulnerabilities in database management systems. Since databases are critical for storing sensitive information, vulnerability scans help prevent attacks like SQL injection and other database-related risks.
5. Web Application Vulnerability Scanning:
  o This type of scanning targets web applications to find vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure configurations. Web application scanners simulate attacks to detect security issues that could be exploited through web interfaces.
  o Example: A web application vulnerability scan might discover a SQL injection flaw in a login form that allows an attacker to access or manipulate the database.

5. Define the term in briefly: (i) Open Port Identification (ii) Banner
Check.
Open Port Identification
An open port is a network port configured to accept all incoming
connections using protocols like TCP and UDP, included in every IP
address. When a port is open, a particular port number on a device is
accessible and actively listening for incoming connections. In
contrast, a closed port rejects or ignores connections. For example,
port 80 is used for HTTP traffic, while port 443 is used for HTTPS.
A TCP Connect Scan establishes a full TCP connection with each port
on a target system by completing the three-way handshake. This
method is reliable for detecting open ports because it establishes a
real connection, but it is more detectable and can trigger alarms in
network security systems due to the full connection setup.
To identify open ports, network administrators and security
professionals use port scanning tools. These tools send connection
requests to a range of ports on the target system and observe the
responses, which indicate whether each port is open, closed, or
filtered. For instance, a successful connection indicates an open
port, a refused connection indicates a closed port, and no response
suggests the port is filtered by a firewall.
Banner Check
A banner check (or banner grabbing) is the process of
retrieving and examining the text banners or information messages
that some network services expose when a client connects to them.
These banners usually reveal valuable information about the
software version, services, or the system running on a specific port.
To perform a banner check, tools connect to a service's port and
capture the banner that is sent in response. This can be done
manually using tools like Telnet or Netcat, which allow users to
connect to a specific port and view the banner information.
Automated tools like Nmap also provide banner grabbing capabilities,
allowing for the extraction and display of banner information from
multiple services in one go.
The primary use of banner checking is in security assessments. By
analyzing the banners, security professionals can determine the
versions and types of services running on a server. This information is
valuable for identifying vulnerabilities associated with specific
software versions. For example, if a banner reveals an outdated
version of a web server known to have security flaws, it can be a
critical indicator of potential security risks.
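As an added example (not part of the question bank), the Python script below performs the TCP connect scan and banner check described above against a throw-away listener on 127.0.0.1, so it can be run offline while auditing one's own host. The listener, its banner text and the helper names are constructed for this demo; the state names follow Nmap's open/closed/filtered convention.

```python
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Constructed greeting for the local demo listener; real services send their
# own (an SSH server, for instance, announces "SSH-2.0-<software version>").
DEMO_BANNER = b"SSH-2.0-Demo_Server_0.1\r\n"


def start_demo_listener(banner: bytes = DEMO_BANNER) -> Tuple[int, socket.socket]:
    """Start a throw-away TCP listener on 127.0.0.1 that greets every client
    with `banner` and hangs up, imitating a service that announces itself.
    Returns (port, listening_socket); pass the socket to stop_demo_listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener shut down: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_demo_listener(srv: socket.socket) -> None:
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the accept() blocked in serve()
    except OSError:
        pass
    srv.close()


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect scan of one port: complete the three-way handshake and map
    the outcome to Nmap-style states.
      open      - connect() succeeded, a service is listening
      closed    - the host refused the connection (TCP RST)
      filtered  - no answer within `timeout`, typically a firewall dropping it
    Any other error (e.g. host unreachable) is reported as 'unreachable'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "unreachable"


def grab_banner(host: str, port: int, timeout: float = 1.0,
                max_bytes: int = 256) -> Optional[str]:
    """Banner check: connect and read whatever the service volunteers before
    we send anything. Returns the banner text, or None when the service stays
    silent (HTTP, for instance, only answers after a request)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            data = s.recv(max_bytes)
        except OSError:                  # refused, timed out or unreachable
            return None
    return data.decode("ascii", errors="replace").strip() or None


def audit_host(host: str, ports: Iterable[int],
               timeout: float = 1.0) -> Dict[int, Tuple[str, Optional[str]]]:
    """Scan the given ports and return {port: (state, banner_or_None)};
    a banner is only requested from ports found open."""
    report: Dict[int, Tuple[str, Optional[str]]] = {}
    for port in ports:
        state = classify_port(host, port, timeout)
        banner = grab_banner(host, port, timeout) if state == "open" else None
        report[port] = (state, banner)
    return report


def find_closed_port() -> int:
    """Pick a loopback port nothing listens on: bind to port 0, note the port
    the OS handed out, release it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port, listener = start_demo_listener()
    closed_port = find_closed_port()
    for port, (state, banner) in audit_host("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port:5d}/tcp  {state:10s} {banner or ''}")
    stop_demo_listener(listener)
```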
6. Describe Network Sniffers and Injection Tool. Explain any two
injection tools in brief.
A Network Sniffer is a tool that captures all data packets passing
through a network interface in order to analyze network activities
without impacting network operations. It operates silently, collects
data continuously, and can detect stealthy or sporadic activities.
Common uses of network sniffers include:
 Network Troubleshooting: Identifying issues within the
network, such as bottlenecks, connection problems, or
misconfigurations.
 Security Monitoring: Detecting unauthorized access, monitoring
for suspicious activity, or capturing data that may be involved in
security incidents.
 Data Analysis: Understanding traffic patterns, protocol usage,
and bandwidth consumption within a network.
 Ethical Hacking: Penetration testers use sniffers to gather
information about a network or to capture unencrypted data
for further analysis.
Injection Tools
Injection tools are software applications or scripts used to inject
malicious code or data into a vulnerable system or application to
exploit it. Injection attacks can be used to gain unauthorized
access, execute arbitrary commands, or manipulate data within a
system. These tools are commonly used in penetration testing and
by malicious actors to exploit vulnerabilities.
1. SQLMap
SQLMap is an open-source tool specifically designed for
automating the process of detecting and exploiting SQL injection
vulnerabilities in web applications. It allows users to:
 Identify SQL Injection Points: SQLMap can scan web
applications for potential SQL injection vulnerabilities by
analyzing user inputs and the responses they generate from the
server.
 Exploit SQL Vulnerabilities: Once a vulnerability is found,
SQLMap can be used to exploit it, allowing the attacker to
retrieve or manipulate data in the database, such as dumping
entire databases, retrieving database schema, and extracting
credentials.
2. Metasploit
Metasploit is a comprehensive penetration testing framework that
includes a wide range of tools for discovering, exploiting, and
validating vulnerabilities. It is widely used by security professionals
and ethical hackers for various types of attacks, including injection
attacks. Key features include:
 Payload Injection: Metasploit allows users to create and inject
payloads into vulnerable systems. These payloads can perform
actions like creating a reverse shell, adding new users, or
escalating privileges.
 Exploit Modules: Metasploit contains a vast library of exploit
modules, including those for SQL injection, command injection,
and other types of code injection attacks.

7. What is a Probe? Explain its different types.
In Computer Security, a probe is an attempt to gain access to a
computer and its files through a known or probable weak point in
the computer system. A probe is an action taken or an object used
for the purpose of learning or collecting data about the state of
the network.
For example, an empty message can be sent simply to see
whether the destination actually exists. Ping is a common utility
for sending such a probe.
There are two types of probes:-
8. Write short notes on Nmap and Netcat.
9. What is OpenVas? Write advantages and disadvantages of
OpenVas.
OpenVAS is an open-source vulnerability scanning and management
tool that helps to identify security issues like misconfigurations,
outdated software, and weak passwords that could be exploited by
attackers. OpenVAS is widely used by security professionals to assess
and improve the security posture of their networks and is known for
its effectiveness and flexibility.
Advantages of OpenVAS
1. Comprehensive Vulnerability Scanning:
o OpenVAS offers extensive scanning capabilities, covering a
wide range of vulnerabilities across different platforms,
devices, and applications. It can identify
misconfigurations, unpatched software, and potential
security risks.
2. Regular Updates:
o The tool is regularly updated with the latest vulnerability
definitions, ensuring that it can detect newly discovered
vulnerabilities as they emerge.
3. Cost-Effective:
o Being open-source, OpenVAS is free to use, making it an
attractive option for organizations with limited budgets. It
provides many features found in commercial vulnerability
scanners without the associated costs.
4. Customizable Scans:
o OpenVAS allows users to customize scans based on their
specific needs, including selecting specific hosts, types of
vulnerabilities to look for, and the depth of the scan.
5. Reporting and Analysis:
o OpenVAS generates detailed reports that include
information on detected vulnerabilities, their severity, and
recommendations for remediation. These reports can be
exported in various formats for further analysis or
presentation.
6. Integration with Other Tools:
o OpenVAS can be integrated with other security tools and
platforms, such as Security Information and Event
Management (SIEM) systems, to enhance overall security
management.
Disadvantages of OpenVAS
1. Complex Installation and Configuration:
o Setting up and configuring OpenVAS can be complex and
time-consuming, especially for users who are not familiar
with Linux-based systems or vulnerability scanning tools.
It may require additional time and resources to get it up
and running.
2. Resource Intensive:
o OpenVAS can be resource-intensive, particularly during
large or deep scans. This can lead to performance issues
on the system where it is installed, or it may impact the
network being scanned.
3. False Positives:
o Like many vulnerability scanners, OpenVAS can generate
false positives, where it reports vulnerabilities that do not
actually exist. This can lead to unnecessary remediation
efforts and can be time-consuming to verify.
4. Limited Customer Support:
o As an open-source tool, OpenVAS lacks dedicated
customer support. Users rely on community support,
forums, and documentation, which may not be sufficient
for resolving complex issues quickly.
5. Learning Curve:
o There is a significant learning curve associated with
OpenVAS, particularly for users who are new to
vulnerability scanning or who are used to more user-
friendly, commercial tools.
6. Less Frequent Updates Compared to Commercial Solutions:
o Although OpenVAS is regularly updated, it may not
receive updates as quickly as some commercial
vulnerability scanners. This could potentially leave gaps in
coverage for the latest vulnerabilities.

10. Write benefits of Metasploit.
Metasploit is an open-source framework used for security
development and testing. It is the best tool for developing and
executing exploit code against a remote target machine.
Modules are built on top of libraries and accessed via interfaces to
conduct exploitation tasks; plugins hook directly into the framework
to add commands to the interface.
 Visual UI:- Metasploit provides several easy-to-use GUIs,
primarily Armitage. These GUIs let you perform common
penetration testing functions such as managing vulnerabilities
and creating workspaces at the click of a button.
 Open Source:- One of the biggest reasons to adopt Metasploit
is that Metasploit is open source and actively developed. Unlike
many other pentesting tools, Metasploit provides deep
customizability, giving pentesters full access to source code and
the ability to add custom modules.
 Comprehensive Exploit Library:- Metasploit includes a large
and regularly updated database of exploits for a wide variety of
vulnerabilities across different platforms and software. This
allows security professionals to simulate real-world attacks and
test the effectiveness of their security measures.
 Customizable and Extensible:- Metasploit supports custom
scripting using Ruby, allowing users to automate complex tasks
and create custom exploits or payloads tailored to specific
needs.
 Community and Support:- Metasploit has a large and active
community of users and contributors. This ensures continuous
development, frequent updates, and the availability of a wealth
of shared knowledge, tutorials, and resources.
 Cross-Platform Compatibility:- Metasploit supports a variety of
operating systems, including Windows, Linux, macOS, and
Android, making it versatile for testing different environments
and devices.
 Regular Updates:-The Metasploit team regularly updates the
framework with new exploits, payloads, and modules, ensuring
that it stays current with emerging threats and vulnerabilities.
 Ease of Use:- Metasploit offers both a command-line interface
(CLI) and a graphical user interface (GUI) (via Armitage), making
it accessible to users with different levels of expertise.
11. Explain Following terms in detail: 1. Datapipe 2. Fpipe
3.WinRelay 4.Traffic Probe.
Traffic probe (from ans 7)
12. Describe Network Sniffers with suitable examples.
Explanation from previous answer
Example:-
13. Explain different functionality provided by Wireshark.
Wireshark is a popular and powerful network protocol analyzer, often
used by network administrators, security professionals, and
researchers to capture and analyze the traffic flowing across a
network. Wireshark allows users to see all the data being transmitted
over a network in real-time, down to the packet level. This granular
visibility makes it an invaluable tool for troubleshooting network
issues, monitoring network activity, and performing security
assessments.
14. Write short notes on Tcpdump and Windump.
Windump is the Windows version of the popular network packet
analyzer tool, tcpdump. It allows users to capture and analyze
network traffic passing through a network interface on a Windows
machine. Windump provides a command-line interface to display
detailed packet information, making it a valuable tool for network
troubleshooting, security analysis, and monitoring.
Windump supports various filters to capture specific types of traffic,
and the captured data can be saved to a file for further analysis. It is
often used by network administrators and security professionals to
diagnose network issues and investigate suspicious network activity.

15. Explain Injection tools like Tcpdump, Windump and Wireshark.
(from above answers.)
16. What is Kismet? Features of Kismet. Explain Ettercap and Hping.
Kismet
Kismet is an open-source wireless network detector, sniffer, and
intrusion detection system (IDS). It is widely used for detecting
wireless networks (Wi-Fi) and capturing network traffic. Kismet works
with wireless network cards to detect and passively collect data from
networks without actively probing them. It is popular among network
security professionals for assessing wireless security and identifying
vulnerabilities.
Key Features of Kismet:
1. Wireless Network Detection:
o Description: Kismet detects wireless networks
(802.11a/b/g/n/ac/ax), including those that are not
broadcasting their SSIDs (hidden networks).
2. Passive Network Sniffing:
o Description: Kismet captures network traffic passively
without sending any packets, which makes it stealthy and
less likely to be detected by security systems.
3. Support for Multiple Data Sources:
o Description: Kismet supports a wide range of wireless
cards and network types, including Wi-Fi, Bluetooth, and
Software Defined Radio (SDR).
4. Packet Logging:
o Description: Kismet logs packets, including data and
management frames, for later analysis. This allows users
to review traffic patterns and detect potential intrusions
or misconfigurations.
5. Integration with Other Tools:
o Description: Kismet can be integrated with other security
tools, such as Wireshark, to analyze packet data in greater
detail.
6. Wireless Intrusion Detection System (IDS):
o Description: Kismet can be configured as an IDS to detect
unauthorized access points and other wireless threats.

What is Ettercap?
Ettercap is an open-source network security tool that is used for
man-in-the-middle (MITM) attacks on a local area network (LAN). It
allows attackers to intercept, capture, and manipulate network traffic
between devices. Ettercap is commonly used for network security
testing, ethical hacking, and penetration testing to assess the security
of network protocols and applications.

What is Hping?
Hping is an open-source command-line tool for network security
testing and auditing. It is used primarily for crafting and manipulating
TCP/IP packets and conducting security tests such as network
scanning, firewall testing, and performing denial-of-service (DoS)
attacks. It is similar to ping, but offers advanced packet manipulation
capabilities, allowing users to craft custom packets for testing
purposes.
17. What do you mean by TCP/IP port? What is socket? Write down
port number range & well known ports.
A TCP/IP port is a logical endpoint in a network communication used
by the Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP) to identify specific processes or services running on a
server or client. When data is transmitted over a network, it is
directed to the correct application using a port number, which acts as
an address for the data within the host. Ports are essential in
distinguishing between multiple services or connections on a single
device. For example, web servers typically use port 80 for HTTP
traffic, while email servers might use port 25 for SMTP.
A socket is an endpoint for communication between two machines. It
is a combination of an IP address and a port number, enabling the
transmission of data between a client and a server in a network.
Sockets can be created for both TCP (connection-oriented) and UDP
(connectionless) protocols.
For example, when a client wants to connect to a web server, it
creates a socket using the server’s IP address and port number 80
(HTTP). The server, listening on this port, accepts the connection and
communicates with the client.
Port numbers range from 0 to 65535 and are divided into three
categories:
1. Well-Known Ports (0-1023)
2. Registered Ports (1024-49151)
3. Dynamic/Private Ports (49152-65535)
Some of the most commonly used well-known ports include:
 Port 20, 21: FTP (File Transfer Protocol)
o Port 20: FTP Data
o Port 21: FTP Control
 Port 22: SSH (Secure Shell)
o Used for secure remote login and command execution.
 Port 23: Telnet
o Used for unencrypted text-based communication over a
network.
 Port 25: SMTP (Simple Mail Transfer Protocol)
o Used for sending emails.
 Port 53: DNS (Domain Name System)
o Used for domain name resolution.
 Port 80: HTTP (Hypertext Transfer Protocol)
o Used for web traffic (websites).
 Port 110: POP3 (Post Office Protocol 3)
o Used for retrieving emails from a mail server.
18. What is Metasploit? Explain payload types in short
Metasploit (from above)
A payload refers to the part of malware which performs a
malicious action. In the analysis of malicious software such as
worms, viruses and Trojans, it refers to the software's harmful
results. A payload in Metasploit refers to an exploit module. There
are three different types of payload modules in the Metasploit
Framework: Singles, Stagers, and Stages. These different types
allow for a great deal of versatility and can be useful across
numerous types of scenarios.
Examples of payloads include data destruction, messages with
insulting text or spam e-mail messages sent to a large number of
people.
Singles:- Singles are payloads that are self-contained and
completely standalone. A Single payload can be something as
simple as adding a user to the target system or running calc.exe.
These kinds of payloads are self-contained, so they can be caught
with non-metasploit handlers such as netcat.
Stagers:- Stagers setup a network connection between the
attacker and victim and are designed to be small and reliable. It is
difficult to always do both of these well so the result is multiple
similar stagers. Metasploit will use the best one when it can and
fall back to a less-preferred one when necessary.
Stages:- Stages are payload components that are downloaded by
Stagers modules. The various payload stages provide advanced
features with no size limits such as Meterpreter, VNC Injection,
and the iPhone ‘ipwn’ Shell.
19. What is Nmap? Explain different functionality with its command
in detail. (Same as 8.)
Functionality with commands:-
1. Scan a Range of IP Address: To scan a range of IP addresses, the
Nmap command is as follows:
nmap 192.168.1.1-24
2. Port Scanning: There are multiple commands in Nmap for scanning
ports such as:
To scan TCP port 80, the following Nmap command can be used:
nmap -p T:80 192.168.1.1
3. Ping Scan Using Nmap: It can be used for host discovery and the
following command can be used:
nmap -sP 192.168.1.1/20
4. Saving the Nmap Scan Output to a File: The syntax for the
command to save the Nmap output to a text file is as follows:
nmap 192.168.1.1 > op.txt
5. Most Popular Ports Scanning: The most popular TCP ports can be
scanned using TCP SYN scan and the following command exists for
this purpose:
nmap -sS 192.168.1.1
Important question answers:-
1. What is Metasploit? Write differences between payload &
exploits.
Metasploit is a popular open-source framework used for developing,
testing, and executing exploits against a target system to identify
security vulnerabilities. It is commonly used by penetration testers
and security researchers to simulate attacks, detect weaknesses in
systems, and improve security measures. Metasploit offers various
tools and modules for exploit development, payload delivery, and
post-exploitation tasks.
Key Components of Metasploit:
 Exploits: Prebuilt or custom code that takes advantage of
vulnerabilities in a system.
 Payloads: Code executed after an exploit successfully gains
access to the system.
 Auxiliary Modules: Tools used for scanning, enumeration, and
other non-exploitative tasks.
 Encoders: Used to obfuscate payloads to avoid detection by
security software.
Difference Between Payload and Exploit:
 Definition
o Exploit: An exploit is code that takes advantage of a specific
vulnerability to gain unauthorized access to a system or execute
arbitrary commands.
o Payload: A payload is the code executed on the target system after
the exploit successfully breaches the system. It defines what actions
are performed (e.g., opening a reverse shell, downloading files).
 Purpose
o Exploit: To breach a system's defenses by exploiting known
vulnerabilities.
o Payload: To specify what to do once access to the system is
obtained.
 Role in Attack
o Exploit: The first stage that delivers and executes the payload on
the target system.
o Payload: The second stage, where the actual actions or commands
are executed on the compromised machine.
 Example
o Exploit: A buffer overflow exploit targeting a vulnerable service.
o Payload: A reverse shell that connects back to the attacker’s
system.
 Interaction
o Exploit: Exploit triggers the payload.
o Payload: Payload executes after the exploit is successful.
 Types
o Exploit: Exploits vary based on the vulnerability they target
(e.g., remote, local, web-based).
o Payload: Payloads can be either single-use (e.g., immediate action)
or staged (executing a series of actions).
In summary, the exploit is responsible for breaching the system, and
the payload determines what is done after the system is
compromised.
2. Write short notes on Tcpdump and Windump.
Tcpdump is one of the most widely used packet capture and analysis
tools in UNIX-like systems such as Linux, macOS, and BSD. It operates
from the command line and allows network administrators, security
experts, and developers to capture network packets and analyze
network traffic at a very granular level. Tcpdump gives insights into
the data being transmitted over the network, which is useful for
troubleshooting network issues, detecting security vulnerabilities,
and performance monitoring.
Key Features of Tcpdump:
 Real-time packet capture: Tcpdump captures packets as they
are transmitted and received on the network interface in real-
time.
 Detailed protocol analysis: It decodes various network
protocols such as IP, TCP, UDP, ICMP, and HTTP, allowing deep
inspection of the traffic.
 Filtering: Tcpdump uses Berkeley Packet Filter (BPF) syntax,
which allows users to filter captured traffic. This helps to focus
on specific traffic, such as packets to or from a particular IP
address, a specific port, or a particular protocol.
o Example: To capture only TCP traffic, the filter would be:
tcpdump tcp
 Packet saving: Tcpdump allows saving captured packets in
a .pcap file format, which can be analyzed later using tools like
Wireshark.
o Example: Save packets to a file:
tcpdump -w capture.pcap
 Offline analysis: Captured files can be read and analyzed later
without the need to stay connected to the network.
o Example: Read a previously saved capture file:
tcpdump -r capture.pcap
 Network performance: Tcpdump is very lightweight and
doesn't add significant overhead to the network or the machine
on which it's running.
Windump is the Windows counterpart of Tcpdump, providing similar
functionality in capturing and analyzing network traffic on Windows
platforms. It is built on top of WinPcap, a Windows library that
facilitates low-level network packet capture and filtering. Windump
has become a standard packet analyzer for Windows, widely used by
network administrators and security experts for diagnosing and
analyzing network traffic.
Key Features of Windump:
 Packet capture and filtering: Like Tcpdump, Windump captures
all the traffic flowing through a network interface and allows
users to filter specific traffic using BPF syntax.
o Example: To capture HTTP traffic on a Windows system:
windump tcp port 80
 WinPcap integration: Windump requires WinPcap (Windows
Packet Capture Library) to capture packets. WinPcap provides
low-level access to the network stack and enables packet
filtering, traffic capture, and traffic injection.
 Command-line operation: Windump is a command-line tool,
making it lightweight and scriptable. This allows it to be
integrated into various automated network monitoring and
intrusion detection systems.
 Pcap format: Captured data can be stored in .pcap format,
which is compatible with other packet analysis tools like
Wireshark.
o Example: Save captured data to a file:
windump -w output.pcap
 Cross-platform compatibility: Since Windump produces the
same .pcap files as Tcpdump, users can easily share capture files
between different operating systems for analysis.
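As an added example (not from the question bank nor from the tcpdump or WinDump projects), the Python script below builds a small libpcap file of the kind `tcpdump -w` / `windump -w` write, reads it back the way `tcpdump -r` does, and applies the equivalent of the `tcp port 80` filter shown above. Every frame, address and timestamp in it is constructed for the demo; the record layout is the standard libpcap format.

```python
import struct
from io import BytesIO
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic; its byte order reveals the file's endianness
LINKTYPE_ETHERNET = 1


def make_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; enough for parsing)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto 6 = TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames: List[bytes], snaplen: int = 65535) -> bytes:
    """Write a libpcap file as `tcpdump -w` / `windump -w` would: a 24-byte
    global header, then a 16-byte record header in front of every frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_seconds, frame_bytes) for every record, i.e. what
    `tcpdump -r capture.pcap` iterates over. Handles both byte orders."""
    buf = BytesIO(data)
    magic = buf.read(4)
    if struct.unpack("<I", magic)[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", magic)[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    _maj, _min, _tz, _sig, _snap, linktype = struct.unpack(end + "HHiIII", buf.read(20))
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    while True:
        hdr = buf.read(16)
        if len(hdr) < 16:          # clean end of file (or a truncated record header)
            return
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", hdr)
        yield ts_sec, buf.read(incl_len)


def decode_tcp(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Return (src_ip, sport, dst_ip, dport, payload) for an Ethernet/IPv4/TCP
    frame, or None for anything else (ARP, IPv6, UDP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_offset:]


def filter_tcp_port(pcap_bytes: bytes, port: int):
    """Offline equivalent of `tcpdump -r capture.pcap 'tcp port N'`: keep the
    TCP segments whose source or destination port equals N."""
    return [(ts, seg) for ts, frame in read_pcap(pcap_bytes)
            if (seg := decode_tcp(frame)) is not None and port in (seg[1], seg[3])]


# Constructed capture: an HTTP exchange, an SSH banner and a Telnet prompt.
SAMPLE_CAPTURE = build_pcap([
    make_tcp_frame("192.168.1.5", "192.168.1.10", 51000, 80, b"GET / HTTP/1.1\r\nHost: demo\r\n\r\n"),
    make_tcp_frame("192.168.1.10", "192.168.1.5", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    make_tcp_frame("192.168.1.5", "192.168.1.10", 51001, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    make_tcp_frame("192.168.1.7", "192.168.1.10", 51002, 23, b"login: "),
])

if __name__ == "__main__":
    for ts, (src, sport, dst, dport, payload) in filter_tcp_port(SAMPLE_CAPTURE, 80):
        print(f"{ts} {src}:{sport} > {dst}:{dport} {payload[:20]!r}")
```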
3. Write short notes on Nmap and Netcat.
Nmap (Network Mapper)
Nmap is a powerful and flexible open-source tool used for network
exploration, security auditing, and vulnerability detection. It enables
network administrators, security professionals, and penetration
testers to scan and map network infrastructures, identify active
hosts, and discover open ports along with the services running on
them. Nmap is highly regarded for its efficiency in both large-scale
network scanning and targeted analysis of individual systems.
Key Features of Nmap:
1. Host Discovery:
o Nmap is commonly used to discover devices on a
network, determining which systems are active and
reachable. It does this by sending various types of probe
packets, such as ICMP (ping), TCP, and UDP packets, to
identify responsive hosts.
o Example: A basic network scan for active devices:
nmap -sn 192.168.1.0/24
2. Port Scanning:
o Nmap can determine which network ports on a host are
open and what services are running on those ports. It
identifies whether services like HTTP (port 80), FTP (port
21), or SSH (port 22) are accessible. This information is
crucial for understanding what is running on a target
system and identifying potential vulnerabilities.
o Example: To scan for open ports on a specific IP address:
nmap 192.168.1.10
3. Service and Version Detection:
o Nmap goes beyond identifying open ports by determining
the services running on those ports and their software
versions. This allows network administrators to pinpoint
specific software applications running on servers, such as
web servers, databases, or email servers.
o Example: Scanning to detect services and versions:
nmap -sV 192.168.1.10
4. Operating System Detection:
o Nmap uses TCP/IP stack fingerprinting to guess the
operating system of the target device. By analyzing
various characteristics of packet responses, it can provide
detailed information about the OS version and
architecture.
o Example: To detect the OS running on a target:
nmap -O 192.168.1.10
5. Network Mapping:
o Nmap can be used to create detailed maps of network
structures. This helps administrators visualize network
topology and identify potential bottlenecks,
misconfigurations, or unauthorized devices on the
network.
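Added example, not part of the question bank or of Nmap itself: a Python parser for Nmap's grepable output (`nmap -sV -oG file`) that turns the service-and-version results into an inventory, labels each port with the range categories from question 17, and flags open cleartext services (Telnet, FTP, POP3) for follow-up. The scan output it parses is constructed for the demo; the hosts and version strings are invented.

```python
from dataclasses import dataclass
from typing import List

# Constructed Nmap grepable output (nmap -sV -oG ...); the hosts, ports and
# version strings are invented for this demo.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, "
    "23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.52/, "
    "443/filtered/tcp//https///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (998)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

# Services that carry credentials or data in cleartext; a defender wants
# these flagged wherever a scan finds them open.
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3"}


@dataclass
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def port_category(port: int) -> str:
    """IANA range of a port number: well-known, registered or dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_gnmap(text: str) -> List[OpenPort]:
    """Parse the 'Ports:' lines of grepable output. Each entry has the form
    port/state/protocol/owner/service/rpc_info/version/; only open ports
    are kept (filtered and closed ones are dropped)."""
    found: List[OpenPort] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service, version))
    return found


def flag_cleartext(ports: List[OpenPort]) -> List[OpenPort]:
    """Return the open ports that expose a cleartext service."""
    return [p for p in ports if p.service in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for p in inventory:
        print(f"{p.host:14s} {p.port:5d}/{p.proto} {port_category(p.port):15s} "
              f"{p.service:8s} {p.version}")
    for p in flag_cleartext(inventory):
        print(f"WARNING: {p.host}:{p.port} runs {p.service} in cleartext ({p.version})")
```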
Netcat:-
 Netcat, often referred to as the "Swiss Army Knife" of
networking, is a versatile and powerful command-line tool that
facilitates a wide range of network-related tasks. Designed to
function as both a client and a server, Netcat can establish TCP
or UDP connections, making it a fundamental utility for
network administrators, penetration testers, and system
administrators alike.
 At its core, Netcat allows you to read from and write to
network connections, which means it can initiate or accept
connections to and from other devices on a network. Its
simplicity and flexibility come from the fact that it can handle
both inbound and outbound connections, making it highly
adaptable to different network scenarios.
 One of the most common uses of Netcat is as a port scanner,
where it checks for open ports on a remote machine. By
sending connection requests to a range of ports, it helps in
identifying which services are available and running on a target
system. Though tools like Nmap provide more advanced port
scanning features, Netcat is ideal for quick and simple scans.
 Beyond scanning, Netcat is frequently used to create raw
network connections. It allows two devices to communicate
directly by establishing a TCP or UDP connection between
them. This capability can be leveraged for troubleshooting
network issues, such as testing if a service is reachable or
simulating a client-server communication for diagnostic
purposes. Netcat can also act as a basic server itself, listening
for incoming connections on a specified port. Once a
connection is established, it can be used for interactive
communication, file transfers, or even as a means to create
simple chat applications.
 Another common use of Netcat is file transfer. It offers a
lightweight way to move files between two systems without
the need for complex setups like FTP servers. For instance, one
machine can be set up to listen for incoming connections while
the other machine sends the file. This simple approach to file
transfer is not only efficient but also bypasses the need for
specialized software when moving files across a network.
 Netcat is also widely used for banner grabbing, where it
connects to a specific service running on a port (such as a web
or mail server) and retrieves information about the service,
such as its version or software type. This process is crucial in
network security, as it helps identify potential vulnerabilities or
outdated software running on a system.

6. Explain different functionality provided by Wireshark.
Wireshark is one of the most widely used open-source network
protocol analyzers, providing deep visibility into network traffic and
enabling real-time analysis of network communications. It captures
packets from a network interface and displays them in a highly
detailed format, allowing network administrators, security experts,
and developers to monitor, troubleshoot, and analyze network
behavior. Wireshark’s extensive functionality makes it an
indispensable tool for diagnosing network issues and investigating
security events.
Some key functionalities of Wireshark include:
 Packet Capturing: Wireshark captures live traffic from a
network interface, such as Ethernet or Wi-Fi, and allows users
to analyze it in real time or save it for later review.
 Protocol Decoding: It automatically decodes network protocols
and displays their data in a readable format, from Ethernet to
high-level protocols like HTTP, DNS, and FTP.
 Filtering: Users can apply filters to focus on specific types of
traffic, such as packets related to a particular IP address or
protocol.
 Packet Reassembly: Wireshark can reassemble fragmented
packets, such as those split over a TCP connection, to show the
full data transmission.
 Performance Monitoring: It provides insight into network
performance metrics, such as latency and packet loss, helping
to identify issues like bottlenecks.
8. Describe Network Sniffers with suitable examples.
A network sniffer, also known as a packet sniffer or protocol
analyzer, is a tool used to capture and analyze network traffic. It
intercepts and logs data packets traveling over a network, allowing
users to monitor the flow of information between devices, inspect
the contents of packets, and diagnose network problems. Network
sniffers can be either hardware devices or software programs, with
the latter being more common.
Types of Sniffers
1. Passive Sniffers: These sniffers silently capture network traffic
without altering or interfering with the data flow. They are
typically used on wired networks with hubs (where all traffic is
broadcast to every device).
2. Active Sniffers: These sniffers manipulate the network
environment to capture packets on switched networks. They
may use techniques like ARP (Address Resolution Protocol)
spoofing or port mirroring to gain access to traffic between
devices.
Examples of Network Sniffers
1. Wireshark:
Wireshark is the most widely used network sniffer and protocol
analyzer. It captures and decodes network traffic, making it easy
to troubleshoot, monitor, and inspect the data. For example,
Wireshark can be used to capture HTTP traffic and analyze the
contents of requests and responses exchanged between a web
browser and a server.
2. Tcpdump:
Tcpdump is a command-line packet sniffer commonly used in
Unix-based systems. It captures traffic and displays it in a simple
format. Tcpdump is less graphical than Wireshark, but its
efficiency makes it ideal for quick analysis or use in scripting
environments.
3. Ettercap: Ettercap is a well-known, open-source tool that is
primarily used for man-in-the-middle (MITM) attacks and
network sniffing. It supports both active and passive sniffing
modes, and is especially useful for intercepting and
manipulating traffic between devices on a local area network
(LAN). Ettercap is capable of ARP poisoning, DNS spoofing, and
SSL stripping, making it popular among penetration testers for
testing network vulnerabilities.
4. WinDump: WinDump is the Windows version of Tcpdump, a
command-line packet sniffer that captures and analyzes traffic
on a Windows-based network. It is a lightweight tool used for
capturing network traffic, displaying packet headers, and saving
captured data for later analysis. WinDump is favored in
environments where a full graphical tool like Wireshark might
be overkill or unnecessary.
