CS/IT423 Hall Ticket Number
Total Page:16
File Type:pdf, Size:1020Kb
CS/IT423 Hall Ticket Number: IV/IV B.Tech (Regular) DEGREE EXAMINATION MARCH, 2017 Computer Science & Engineering Eighth Semester Cyber Security-II Time: Three Hours Maximum : 60 Marks Answer Question No.1 compulsorily. (1X12 = 12 Marks) Answer ONE question from each unit. (4X12=48 Marks) 1. Answer all questions (1X12=12 Marks) a What is metasploit Frame work? b Purpose of Information Gathering. c Types of password attacks? d Need for firewall? e Differentiate Virus & Worms? f Define Email-Spam? g Give some Examples of incidents? h What is the Command used for displaying current running processes in UNIX-based systems? i What is the use of FTK imager? j List out Types of Location based Data Backups? k What is 3-2-1 rule? l Define Log management? UNIT – I 2.a How to scan live hosts, active ports, types of Operating Systems with Zen map. 6 M 2.b What is Veil-evasion? Explain the procedure for how to bypass windows Anti-virus 6M with veil- evasion? (OR) 3.a Discuss the Procedure for how to hack the target system by using pass the hash 8M method. Write the purpose for key scan? 3.b Write short notes on Online password attacks with some examples. 4M UNIT – II 4.a State the purpose of snort tool? Explain Installation procedure for snort and parts of 8M rule? Write the rule for alerting incoming ping requests from any source to any destination IP Addresses and Ports? 4.b Differentiate ClamAv and Clamtk and write the commands for identifying & 4M removing virus files by using ClamAv? (OR) 5.a What is web application security? Explain Different types of web application attacks. 8M Write the procedure for detecting SQL injection attack by using mod-security tool? 5.b Explain the installation & Configuration procedure for mail scanner? 4 M UNIT – III 6.a Discuss IR Methodologies based on Procedures. 6M 6.b How to investigate the Unix based systems based on the Artifacts. 6M (OR) 7.a Why we need FTK imager? Explain the procedure for how to create the disk image 6M and recovering the permanent deleted files/images by using FTK imager. 7.b What is incident and incident Response? Explain the needs and goals of IR 6 M UNIT – IV 8.a What are the different types of storage devices? Give advantages and disadvantages? 6 M 8.b What is the need of rsync tool? Explain the options of rsync tool. Write the 6M commands for copying files to local systems and remote systems. (OR) 9.a What is Log.? Explain the uses of Logs and types of Logs? How to install and 6M configure Log watch Tool in to system? 9.b Explain about Log management Infrastructure Tiers and functionalities of Log 6M management Infrastructure. 1.Answer the following a. what is metasploit frame work? Metasploit is a frame and platform for vulnerability testing and exploitation. b. Purpose of information gathering? Information gathering is defined as gathering the details of system like ports, services, subdomains, domains and live systems. These details are used to hack the system. c. Types of password attacks? Passive online attacks Active online attacks Offline attack Nontechnical attacks d. need for fire wall? Firewall act as security for the system. When system is connected to network there is a chance for hackers to hack system. So fire wall prevent them by acting as security. e. differntiate virus and worms? Virus Virus does not have self-replicating capability Worms Worms have self-replicating capability f. Define email-spam? Email-spam is defined as electronic version of junk mail. g. Give some examples of incidents? User infected by downloading and running a malicious email attachment. A gateway router forwarding all network traffic to an attacker. A web server is crashed due to vast amount of incoming connections from compromised clients. h. what is command used for displaying current running process in unix-based system. Ps-elf is the command i. what is the use of FTK imager? Used for copying bit by bit data of the driver Used to retrieve deleted files Used for analysing the files in case of any modification based on the encrypted value. j. list out types of location data backups? Local Remote Online Offsite Cloud ftp k. what is 3-2-1 rule? 3- one primary and two backups 2- two types of media (hard drive and optical media) 1- one offsite storage l. Define log management? Log management is defined as collecting, aggregating and analysing the network data for a variety of purposes. Unit 1 2.a. How to scan live hosts, active ports, types of operating system with zenmap. Topology tab The “Topology” tab is an interactive view of the connections between hosts in a network. Hosts are arranged in concentric rings. Each ring represents an additional network hop from the center node. Clicking on a node brings it to the center. Because it shows a representation of the network paths between hosts, the “Topology” tab benefits from the use of the --traceroute option. Port/hosts tab The “Ports / Hosts” tab's display differs depending on whether a host or a service is currently selected. When a host is selected, it shows all the interesting ports on that host, along with version information when available Nmap output tab The “Nmap Output” tab is displayed by default when a scan is run. It shows the familiar Nmap terminal output. The display highlights parts of the output according to their meaning The “Host Details” tab Each host has an icon that provides a very rough “vulnerability” estimate, which is based solely on the number of open ports. The icons and the numbers of open ports they correspond to are 0–2 open ports, 3–4 open ports, 5–6 open ports, 7–8 open ports, and 9 or more open ports. OS icons FreeBSD Irix Linux Mac OS OpenBSD Red Hat Linux Solaris or OpenSolaris Ubuntu Linux Windows Other (no specific icon) OS detection not performed Scan Results Tabs Each scan window contains five tabs which each display different aspects of the scan results. They are: “Nmap Output”, “Ports / Hosts”, “Topology”, “Host Details”, and “Scans”. Scan specification Zenmap is packaged with default profiles Intense scan command = nmap -T4 -A -v An intense, comprehensive scan. The -A option enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). Without root privileges only version detection and script scanning are run. This is considered an intrusive scan. Intense scan plus UDP command = nmap -sS -sU -T4 -A -v Does OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute) in addition to scanning TCP and UDP ports. Intense scan, all TCP ports command = nmap -p 1-65535 -T4 -A -v Scans all TCP ports, then does OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). Intense scan, no ping command = nmap -T4 -A -v -Pn Does an intense scan without checking to see if targets are up first. This can be useful when a target seems to ignore the usual host discovery probes. Ping scan command = nmap -sn This scan only finds which targets are up and does not port scan them. Quick scan command = nmap -T4 -F This scan is faster than a normal scan because it uses the aggressive timing template and scans fewer ports. Quick scan plus command = nmap -sV -T4 -O -F --version-light A quick scan plus OS and version detection. Slow comprehensive scan command = nmap -sS -sU -T4 -A -v -PE -PS80,443 -PA3389 -PP -PU40125 -PY -- source-port 53 --script all This is a comprehensive, slow scan. Every TCP and UDP port is scanned. OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute) are all enabled. Many probes are sent for host discovery. This is a highly intensive scan. 2.b. What is veil evasion ? explain the procedure for how to bypass windows anti virus with vail evasion. Veil-evasion The antivirus and the fire walls are generally used for security purpose. But the truth is that we can bypass the antivirus and the fire wall by using the veil a remote shell payload generator that can bypass many current anti-virus programs. Many antivirus programs work by pattern or signature matching. If a program looks like malware that it has been programed to look for, it catches it. If the malicious file has a signature that AV has not seen before, many will dutifully say that the file is clean and not a threat. Veil , a new payload generator created by security expert and Blackhat USA class instructor chris truncer, does just that .It takes a standard metasploit payload and through a metasploit like program allows you to create multiple payloads that most likely will bypass anti-virus. Veil can be installed into the system by using the following command “install apt-get veil-evasion” The steps that are involved in the bypassing the anti virus or the firewall using the veil- evasion. i. install apt-get veil-evasion ii. Open terminal start veil-evasion iii. Picking the payload using ‘use’ command, ‘powershell/meterpreter/rev_tcp ‘ payload is used. iv. Set the lhost value using ‘set lhost #ipaddress’ command. v. Generate payload using ‘generate’ command. vi. Give name for the payload . vii. Go to path var/lib/veil-evasion/output/source copy the file to the target system, click on the file. How to bypass antivirus firewall using veil-evasion. a) Tools required ➢ VMware Workstation Pro 12.1.1 ➢ kali-linux-2016.2-amd64 ➢ windows (os with any version) b) Steps Step1: Open terminal start veil-evasion Step2: Picking the payload using ‘use’ command, ‘powershell/meterpreter/rev_tcp ‘ payload is used.