GTU Cyber Security Summer 2023 Paper Solutions

Q.1

(a) Define System and Web Vulnerability. [3 marks]

  • System Vulnerability: A system vulnerability is a weakness or flaw in a computer system's design, implementation, or operation and management, which could be exploited to compromise the system's security or functionality. Example - Unpatched software with known security flaws.
  • Web Vulnerability: Web vulnerability refers to a weakness in a web application or website that can be exploited by cyber attackers to gain unauthorized access, steal data, or perform malicious actions. Example - Cross-Site Scripting (XSS) vulnerability allowing malicious code injection.

(b) Explain Metasploit and OpenVAS. [4 marks]

  • Metasploit:
    • Purpose: Metasploit is an open-source framework used for developing, testing, and executing exploit code against a remote target machine.
    • Features: It includes tools for automatic vulnerability scanning and exploit selection, and it can be used to test the security of computer systems or to break into them.
    • Usage: Commonly used in penetration testing and ethical hacking to assess the security of systems and networks.
    • Payload Customization: Metasploit allows users to customize and generate payloads tailored to specific scenarios.
  • OpenVAS:
    • Purpose: OpenVAS is a full-featured vulnerability scanner that is used to identify vulnerabilities in servers and other network devices.
    • Components: It consists of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
    • Functionality: Capable of performing unauthenticated or authenticated testing, configuration auditing, and a wide variety of other features.
    • Reporting and Remediation Support: OpenVAS provides detailed reports on identified vulnerabilities and suggests remediation steps.

(c) Describe Nmap. Explain different functionality with its command in detail. [7 marks]

  • Nmap (Network Mapper):
    • Definition: Nmap is a free and open-source network scanner used for network discovery and security auditing.
  • Functionalities of Nmap:
    • Host Discovery: Identifies devices running on a network (nmap -sn 192.168.1.0/24).
    • Port Scanning: Determines which ports are open on a target host (nmap -p 1-65535 192.168.1.1).
    • Service and Version Detection: Discovers what services are running on those ports, along with versions (nmap -sV 192.168.1.1).
    • OS Detection: Deduces the operating system of the target (nmap -O 192.168.1.1).
    • Scriptable Interactions: Allows the use of NSE (Nmap Scripting Engine) for more advanced discovery and exploitation (nmap --script=<script name> 192.168.1.1).
    • Network Scans: Capable of scanning large networks or single hosts.
    • Security Auditing: Commonly used in vulnerability assessments and penetration testing.
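A defender's use of the scans listed above is to compare what Nmap finds against what each host is supposed to expose. The following is an added example, not part of the paper: the `-oG` (grepable) line layout is Nmap's own, while the scan lines, hosts and baseline are constructed.

```python
"""Compare open ports from an Nmap scan against an approved baseline.
Added example, not part of the paper: the -oG (grepable) line layout is
Nmap's own; the scan lines and the baseline are constructed."""
import re

# Constructed grepable output for two hosts (as from: nmap -sV -oG - <range>).
SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3389/open/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

# Assumed baseline: the only (protocol, port) pairs each host should expose.
BASELINE = {
    "192.168.1.1": {("tcp", 22), ("tcp", 443)},
    "192.168.1.20": {("tcp", 22)},
}

# One port entry in -oG output: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_grepable(text: str) -> dict:
    """Return {host: [(proto, port, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = [
            (proto, int(port), service, version.strip())
            for port, state, proto, service, version in PORT_RE.findall(ports_field)
            if state == "open"
        ]
    return hosts

def unexpected_ports(hosts: dict, baseline: dict) -> dict:
    """Open ports per host that the baseline does not allow."""
    findings = {}
    for host, ports in hosts.items():
        allowed = baseline.get(host, set())
        extra = [p for p in ports if (p[0], p[1]) not in allowed]
        if extra:
            findings[host] = extra
    return findings

if __name__ == "__main__":
    for host, extra in unexpected_ports(parse_grepable(SCAN), BASELINE).items():
        for proto, port, service, version in extra:
            print(f"{host}: unexpected {port}/{proto} ({service} {version})".rstrip())
```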

Q.2

(a) Define Snort. [3 marks]

  • Snort:
    • A powerful open-source tool used for network intrusion detection and prevention.
    • It monitors network traffic for malicious activity and logs or blocks these activities based on user-defined rules.
    • Highly flexible and can be configured to run in various modes including sniffer, packet logger, and network intrusion detection mode.

(b) Differentiate between Stateful and Stateless Firewalls. [4 marks]

  • Stateful Firewalls:
    • Monitor the full state of active network connections.
    • Make decisions based on context gathered from previous packets and connections.
    • More secure as they track connections and can identify unauthorized or unexpected packets.
    • Perform deep packet inspection at the application layer, allowing them to understand the nature of the traffic and make decisions based on the specific application or service involved.
  • Stateless Firewalls:
    • Filter traffic based on static values like source and destination IP addresses, ports, and protocols.
    • Do not keep track of network connections or sessions.
    • Generally faster but less secure compared to stateful firewalls.
    • Known for their lower latency, as they make decisions based on predefined rules without the overhead of connection tracking.
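The difference above can be seen by running the same packets through a toy filter of each kind. This is an added example, not from the paper; the packets, addresses and the "allow outbound, allow inbound only as replies" policy are constructed.

```python
"""Toy stateless vs stateful packet filters over the same constructed traffic.
Added example, not from the paper. Policy: hosts on the LAN may open
connections outward; inbound packets are allowed only as replies."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK
    direction: str  # "out" = leaving the LAN, "in" = arriving from outside

def stateless_filter(pkt: Packet) -> bool:
    """Static rules only. A reply 'looks like' ACK set plus a source port of 443,
    so the filter has no way to know whether anyone inside asked for it."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags and pkt.sport == 443

class StatefulFilter:
    """Remembers connections opened from inside; inbound packets must match one."""
    def __init__(self) -> None:
        self.table = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.flags == "S":   # first packet of a new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

# Constructed traffic: a normal HTTPS handshake, then an unsolicited inbound
# packet shaped like a reply but aimed at a port nobody connected from.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S", "out"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA", "in"),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "A", "out"),
    Packet("198.51.100.7", 443, "10.0.0.5", 3389, "A", "in"),
]

def compare(traffic=TRAFFIC) -> dict:
    """Verdict lists for both filters, True = allowed."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in traffic],
        "stateful": [stateful.allow(p) for p in traffic],
    }

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, ["ALLOW" if v else "DROP" for v in verdicts])
```

The stateless filter passes the fourth packet because it matches the static "reply" rule; the stateful one drops it because no connection in its table corresponds to it.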

(c) Explain Network Sniffers with suitable example. [7 marks]

  • Network Sniffers:
    • Definition: Network sniffers are tools used to capture and analyze network traffic. They are essential for network troubleshooting, security analysis, and understanding data flow across the network.
    • How They Work: Network sniffers capture data packets as they pass through the network, allowing the user to see what type of data is being transmitted. They can operate in 'promiscuous mode' to capture all the traffic on the network segment they are connected to.
    • Uses: They are crucial for detecting network anomalies, unauthorized access attempts, and for monitoring overall network health.
  • Example: Wireshark:
    • Overview: Wireshark is one of the most popular and widely used network sniffers. It's an open-source tool that allows for deep inspection of hundreds of protocols, live capture, and offline analysis.
    • Features: Wireshark has a user-friendly interface that displays filtered aspects of the captured data. It can dissect and analyze different layers of network protocols.
    • Capabilities: It can capture data from Ethernet, Bluetooth, wireless (IEEE 802.11), and others. The filters allow users to isolate specific traffic, aiding in pinpointing issues or malicious activity on the network.
    • Educational and Diagnostic Tool: Wireshark is also used for educational purposes, helping students and professionals understand network protocols and communication patterns.
    • Troubleshooting: Network professionals use Wireshark to diagnose network problems, inspect network security issues, and analyze network applications.

OR

(c) Define NAT. Describe Port Forwarding with its types in detail. [7 marks]

  • NAT (Network Address Translation):
    • NAT, or Network Address Translation, acts as a translator between a private network and the Internet: it rewrites the private IP addresses of internal hosts into one public IP address before traffic leaves the network. This conserves public IP addresses and keeps internal addresses hidden, adding a layer of security to the network.
  • Port Forwarding:
    • Overview: Port forwarding, also known as port mapping, is a technique in networking where a specific external port of a networking device (typically a router) is directed to an internal IP address and port. This method is used to allow external devices to access services and applications on a private network.
      1. Local Port Forwarding:
        • Purpose: Enables accessing a service on a remote server through a secure channel.
        • How it works: Forwards traffic from a local port on the client to a specified port on the remote server.
        • Example: Used in Secure Shell (SSH) connections to access services like web servers securely.
      2. Remote Port Forwarding:
        • Purpose: Allows external devices to access services on a local network securely.
        • How it works: Forwards traffic from a remote port on the server to a specified port on the client.
        • Example: Useful for hosting a local website that can be accessed securely from the internet.
      3. Dynamic Port Forwarding (SOCKS Proxy):
        • Purpose: Creates a secure tunnel for various applications to access the internet through a remote server.
        • How it works: Establishes a dynamic SOCKS proxy on the local machine, directing traffic through the encrypted tunnel.
        • Example: Used in scenarios where anonymity and bypassing restrictions are required.

Q.3

(a) Explain Curl, OpenSSL and Stunnel (3 Marks)

  • Curl:
    • A command-line tool used for transferring data with URLs.
    • Supports various protocols like HTTP, HTTPS, FTP.
    • Useful for downloading files, making API requests.
  • OpenSSL:
    • A software library for applications that secure communications over computer networks.
    • Widely used for SSL/TLS protocols.
    • Provides cryptographic functions, helping in encryption and decryption.
  • Stunnel:
    • A proxy designed to add TLS encryption to existing clients and servers without any changes in the programs' code.
    • Creates secure tunnels, enhancing data privacy.
    • Useful for securing non-SSL aware daemons and protocols (like POP3, SMTP).

(b) Define Password Cracking and Brute Force Tools. Explain any one in brief (4 Marks)

  • Password Cracking:
    • The process of attempting to gain unauthorized access to restricted systems using common passwords or algorithms that guess passwords.
  • Brute Force Tools:
    • Software that systematically tries every possible password combination to crack encrypted data.
  • John the Ripper (Explanation):
    • A popular brute force password cracking tool.
    • Supports many encryption types and protocols (Unix, Windows, Kerberos, etc.).
    • Flexible and fast, can be run against various password hashes.
    • Features a customizable cracker, useful for detecting weak Unix passwords.

(c) Describe DVWA. Explain SQL Injection in DVWA with example in detail (7 Marks)

  • DVWA (Damn Vulnerable Web Application):
    • A PHP/MySQL web application designed to be vulnerable.
    • Used for learning and practicing web application security.
    • Contains various security vulnerabilities for educational purposes.

SQL Injection in DVWA:

  • Concept:
    • SQL Injection is a code injection technique used to attack data-driven applications.
    • Malicious SQL statements are inserted into an entry field for execution.
  • How it Works in DVWA:
    • DVWA offers different security levels to practice SQL Injection.
    • Users can input SQL queries into forms to manipulate the application's database.
  • Example:
    • Consider a login form in DVWA.
    • Normal input: Username and Password.
    • SQL Injection: Entering admin' -- in the username field.
    • This input bypasses login authentication by commenting out the password part of the SQL query.
  • Detailed Process:
    • On a low-security setting in DVWA, the SQL query might be: SELECT * FROM users WHERE username='[input]' AND password='[input]'.
    • Injecting admin' -- changes it to: SELECT * FROM users WHERE username='admin' --' AND password=''.
    • The -- comments out the password check, allowing unauthorized access.
  • Prevention:
    • Use of prepared statements and parameterized queries.
    • Implementing proper input validation and sanitization.
  • Educational Purpose:
    • DVWA provides a legal environment to understand and improve defense against SQL Injection.
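The Detailed Process above, rebuilt on Python's sqlite3 so that both the injected query and the prepared-statement fix can be run locally. This is an added example, not DVWA's PHP code; the users table and its password are constructed.

```python
"""DVWA-style low-security login rebuilt on sqlite3: the concatenated query
beside its parameterized fix. Added example, not DVWA's own code."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")  # constructed
    return con

def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the user's input becomes part of the SQL text,
    exactly the SELECT ... WHERE username='[input]' AND password='[input]' pattern."""
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return con.execute(sql).fetchone() is not None

def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None

def demo() -> dict:
    con = make_db()
    # The paper's payload. SQLite starts a comment at "--" without requiring a
    # following space; MySQL (DVWA's database) does require one after "--".
    payload = "admin' --"
    return {
        "vuln_wrong_password": login_vulnerable(con, "admin", "wrong"),
        "vuln_injected": login_vulnerable(con, payload, ""),
        "safe_injected": login_safe(con, payload, ""),
        "safe_correct": login_safe(con, "admin", "correct-horse"),
    }

if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```

With the vulnerable function the injected username logs in with an empty password; with the parameterized function the same string is just a username that does not exist.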

OR

Q.3

(a) Explain Zed Attack Proxy (3 Marks):

  • Zed Attack Proxy (ZAP) is an open-source web application security scanner.
  • It is designed to find a variety of security vulnerabilities in web applications while they are in development and testing phases.
  • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

(b) Explain the following terms (4 Marks):

  1. Datapipe: Datapipe is a tool used for port forwarding and making attribution of an attack difficult by forwarding traffic across several systems before reaching the intended destination.
  2. Fpipe: FPipe, by McAfee, implements port redirection in Windows, adds UDP support, which Datapipe lacks, and doesn't require support DLLs or privileged user access. It allows using a source port and binding to a specific interface.
  3. WinRelay: WinRelay typically refers to a network utility used for relaying TCP/IP packets.
  4. Traffic Probe: A traffic probe is any action or object used to collect data about the state of a network: for example, pinging a host to check whether the destination exists, or querying services that report information about themselves without requiring specific client data.

(c) Discuss Web Vulnerability Tools in Detail (7 Marks):

  1. OWASP ZAP (Zed Attack Proxy):
    • Purpose: OWASP ZAP is an open-source security testing tool designed for finding vulnerabilities in web applications. It is maintained by the Open Web Application Security Project (OWASP).
    • Features:
      • Automated Scanner: Identifies common security issues in web applications.
      • Proxy Intercept: Captures and inspects HTTP/HTTPS traffic for manual testing.
      • Fuzzer: Tests applications for unexpected input and potential vulnerabilities.
      • Automated and Manual Exploration: Supports both automated and manual testing for comprehensive assessments.
      • Active and Passive Scanning: Provides capabilities for actively and passively discovering vulnerabilities.
  2. Nessus:
    • Purpose: Nessus is a widely used vulnerability scanning tool that identifies security issues in networks, including web applications.
    • Features:
      • Vulnerability Scanning: Scans networks for known vulnerabilities, including those in web applications.
      • Configuration Auditing: Checks systems against security best practices.
      • Compliance Checking: Ensures systems adhere to industry-specific compliance standards.
      • Continuous Monitoring: Provides real-time monitoring for changes in security posture.
      • Plugin Architecture: Supports a vast array of plugins for extensive vulnerability coverage.
  3. OpenVAS:
    • Purpose: OpenVAS is a full-featured vulnerability scanner used to identify vulnerabilities in servers and network devices, including web applications.
    • Components:
      • Network Vulnerability Tests: Scans for vulnerabilities in various network services and protocols.
      • Configuration Auditing: Checks system configurations for security weaknesses.
      • CVE Compatibility: Incorporates the Common Vulnerabilities and Exposures (CVE) system for standardized vulnerability identification.
      • Reporting and Remediation Support: Provides detailed reports and suggests remediation steps for identified vulnerabilities.
      • Scalability: Supports scanning of large and complex networks efficiently.

Q.4

(a) Define Digital Forensics (03 marks)

  • Digital Forensics is the process of uncovering and interpreting electronic data.
  • It involves preserving, identifying, extracting, and documenting computer evidence.
  • Used primarily for legal evidence in cybercrime and digital crime cases.

(b) Explain types of Cyber Crimes (04 marks)

  1. Hacking: Unauthorized access to or manipulation of computer systems or data.
  2. Phishing: Deceiving individuals into providing sensitive information via email or websites.
  3. Identity Theft: Stealing personal information to impersonate someone for fraudulent purposes.
  4. Malware Attacks: Using malicious software like viruses, worms, and trojans to damage systems or steal data.

(c) Explain IT Act, 2000 (07 marks)

  • The IT Act, 2000, is India's primary law for dealing with cybercrime and electronic commerce.
  • Section 43: Penalties for damage to computer, computer systems, etc.
  • Section 66: Hacking with computer system.
  • Section 67: Publishing obscene information electronically.
  • Section 72: Breach of confidentiality and privacy.
  • Section 75: Act to apply for an offense or contravention committed outside India.
  • Section 79: Exemption from liability of intermediary in certain cases.
  • The Act also covers a range of other aspects including digital signatures, electronic records, and the legal recognition of electronic transactions.

OR

Q.4

(a) Define Incident Response (03 marks)

  • Incident Response is the organized approach to addressing and managing the aftermath of a security breach or cyberattack.
  • The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
  • It involves a series of steps to identify, contain, eradicate, and recover from a cybersecurity incident.

(b) Discuss about Contaminants and Destruction of Data (04 marks)

  1. Contaminants:
    • Refers to any unwanted or malicious data or code introduced into a system.
    • Can include a variety of malware forms like viruses, worms, and trojan horses.
    • These contaminants often aim to corrupt, steal, or modify data in the system.
    • Can also disrupt normal system operations, leading to reduced performance or system failures.
  2. Destruction of Data:
    • Involves intentional deletion or corruption of data in a system.
    • Can occur through physical means like damaging hardware or through cyber means like using data-wiping malware.
    • Often targets critical data to inflict maximum impact on the victim, whether it's an individual or an organization.
    • May also be part of a larger cyberattack strategy, such as in ransomware attacks where data is encrypted and effectively destroyed unless a ransom is paid.

(c) Discuss Attack Vector. List out different types of Attack Vector (07 marks)

  • An Attack Vector is a path or means by which a hacker can gain access to a computer or network server to deliver a payload or malicious outcome.
  • Different Types of Attack Vectors:
    1. Phishing: Deceiving users into providing sensitive information.
    2. Malware: Software designed to harm a system or steal data.
    3. Man-in-the-Middle (MitM) Attacks: Intercepting and possibly altering communication between two parties.
    4. Denial of Service (DoS) and Distributed Denial of Service (DDoS): Overwhelming a system to make it unavailable.
    5. Drive-by Download Attacks: Unintentionally downloading a virus or malware by visiting a compromised website.
    6. SQL Injection: Inserting malicious SQL queries through input data from the client to the application.
    7. Zero-day Exploit: Attacking a software vulnerability before the software provider releases a fix.

Q.5

(a) Explain SQL Injection (03 marks)

  • SQL Injection is a code injection technique used to attack data-driven applications.
  • It involves inserting malicious SQL statements into an entry field for execution.
  • The goal is to manipulate or exploit the database behind the application.
  • Can lead to unauthorized access to sensitive data, data corruption, or system compromise.

(b) Discuss Keyloggers and Spyware (04 marks)

  1. Keyloggers:
    • Keyloggers are types of surveillance software.
    • They record the keystrokes made on a computer.
    • Can capture sensitive information like passwords and credit card details.
    • Often used for malicious purposes, but can also be used for legitimate monitoring.
  2. Spyware:
    • Spyware is software that gathers information about a person or organization without their knowledge.
    • Can track internet activity, access personal files, and transmit data to third parties.
    • Often installed without the user's consent and can be difficult to detect and remove.

(c) Explain Virus, Worms, Trojan Horses, and Backdoors in detail with example (07 marks)

  1. Virus:
    • A virus is a malicious code attached to a legitimate program or file.
    • It replicates itself and spreads to other programs/files when the host is executed.
    • Example: ILOVEYOU virus, which spread via email and overwrote files.
  2. Worms:
    • Worms are standalone malware that replicate themselves to spread to other systems.
    • They can spread without any human interaction, exploiting vulnerabilities.
    • Example: The WannaCry worm, which targeted Windows systems.
  3. Trojan Horses:
    • A Trojan is a type of malware disguised as legitimate software.
    • Trojans can perform malicious actions like stealing data or installing backdoors.
    • Example: Zeus Trojan, used for stealing banking information.
  4. Backdoors:
    • A backdoor is a secret pathway into a system, bypassing normal authentication.
    • They are often installed by other malware to allow future access.
    • Example: Back Orifice, which allows remote control of a Windows system.

OR

Q.5

(a) Explain Steganography with Example (03 marks)

  • Steganography is the practice of concealing messages or information within other non-secret text or data.
  • Unlike cryptography, which obscures the content of a message, steganography hides the fact that a message exists.
  • Example: Hiding a secret text message within an image or audio file, where the alteration is imperceptible to the naked eye or ear.
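The image example above, worked through as least-significant-bit (LSB) embedding. This is an added example, not from the paper; the "image" is a constructed byte gradient standing in for a grayscale pixel buffer, and the length-prefix framing is an assumption of this example.

```python
"""LSB steganography: hide text in the least-significant bits of 8-bit image
samples. Added example (not from the paper); the 'image' is a constructed
byte gradient standing in for a grayscale pixel buffer."""

def embed(cover: bytes, message: bytes) -> bytes:
    """Write a 4-byte length prefix plus the message, one bit per sample."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} samples, have {len(cover)}")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # replace only the lowest bit
    return bytes(stego)

def _read_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the low bits of consecutive samples."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Read the length prefix, then exactly that many message bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: a 1024-sample gradient (capacity 1024 // 8 - 4 = 124 message bytes).
COVER = bytes(range(256)) * 4
MESSAGE = b"meet at dawn"

def demo() -> dict:
    stego = embed(COVER, MESSAGE)
    return {"recovered": extract(stego), "max_change": max_sample_change(COVER, stego)}

if __name__ == "__main__":
    print(demo())
```

A change of at most 1 in 255 per sample is invisible to the eye, which is the point of the technique; it is also why comparing a file against a known-clean original, or statistical analysis of the low bits, is how such hiding is detected.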

(b) Explain Buffer Overflow Attack in Detail (04 marks)

  • A buffer overflow attack occurs when more data is put into a fixed-length buffer than it can hold, causing data to overflow into adjacent memory.
  • This can corrupt or overwrite the valid data, leading to erratic program behavior or a system crash.
  • Attackers exploit this by overwriting a program's memory, potentially leading to the execution of malicious code.
  • Example: A C program where the 'strcpy' function copies an array into a buffer of fixed size without checking the length, potentially causing a buffer overflow.

(c) Describe DOS and DDOS Attack with Suitable Example (07 marks)

Denial of Service (DoS) Attack:

  1. Concept:
    • A DoS attack aims to make a machine or network resource unavailable to its intended users.
    • This is achieved by overwhelming the target with traffic or sending information that triggers a crash.
  2. Methods:
    • Common methods include flooding the target with superfluous requests to overload systems.
    • Other techniques involve exploiting vulnerabilities that cause the target system to crash or become inoperable.
  3. Impact:
    • The result is that legitimate users cannot access the service, website, or network resource.
    • It can lead to significant downtime and, in the case of businesses, a loss of revenue and reputation.
  4. Example:
    • A classic example is a SYN flood attack, where an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

Distributed Denial of Service (DDoS) Attack:

  1. Concept:
    • Similar to DoS but involves multiple compromised systems (often part of a botnet) attacking a single target.
    • The distributed nature of the attack makes it more challenging to prevent and mitigate.
  2. Methods:
    • Involves a large number of requests sent from numerous locations simultaneously.
    • Attackers often use botnets – networks of infected computers – to launch these attacks.
  3. Impact:
    • DDoS attacks can completely overwhelm a target's resources, making it much more severe than a standard DoS.
    • They can last for extended periods, causing prolonged service disruption.
  4. Example:
    • A notable instance is the attack on the DNS provider Dyn in October 2016. This attack involved tens of millions of IP addresses and brought down major websites like Twitter, Netflix, and CNN, showcasing the devastating impact of a well-coordinated DDoS attack.
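The SYN flood in the DoS example and the many-source pattern of a DDoS both show up on the target as a pile-up of half-open connections; what separates them is how many distinct sources are involved. The following is an added example, not from the paper: the connection records, addresses and alert thresholds are all constructed, loosely modelled on a conntrack-style listing.

```python
"""Spot SYN floods from connection-state records, and tell a single-source
flood (DoS) from a distributed one (DDoS) by counting distinct sources.
Added example, not from the paper; records, thresholds and addresses are
constructed."""
from collections import defaultdict

HALF_OPEN_ALERT = 5       # assumed: half-open connections per service before alerting
DISTRIBUTED_SOURCES = 4   # assumed: distinct sources at which a flood counts as distributed

# Constructed records: "<time> <src_ip:port> <dst_ip:port> <state>"
RECORDS = """\
11:00:01 10.0.0.8:51000 198.51.100.20:443 ESTABLISHED
11:00:02 203.0.113.5:40001 198.51.100.20:80 SYN_RECV
11:00:02 203.0.113.5:40002 198.51.100.20:80 SYN_RECV
11:00:02 203.0.113.5:40003 198.51.100.20:80 SYN_RECV
11:00:02 203.0.113.5:40004 198.51.100.20:80 SYN_RECV
11:00:03 203.0.113.5:40005 198.51.100.20:80 SYN_RECV
11:00:03 203.0.113.5:40006 198.51.100.20:80 SYN_RECV
11:00:04 192.0.2.11:3001 198.51.100.21:443 SYN_RECV
11:00:04 192.0.2.12:3001 198.51.100.21:443 SYN_RECV
11:00:04 192.0.2.13:3001 198.51.100.21:443 SYN_RECV
11:00:04 192.0.2.14:3001 198.51.100.21:443 SYN_RECV
11:00:05 192.0.2.15:3001 198.51.100.21:443 SYN_RECV
11:00:05 10.0.0.9:51001 198.51.100.21:443 ESTABLISHED
"""

def parse(record: str):
    """Split one record into (time, src_ip, dst_ip, dst_port, state)."""
    ts, src, dst, state = record.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port), state

def half_open_summary(text: str) -> dict:
    """{(dst_ip, dst_port): (half_open_count, distinct_sources)} for SYN_RECV entries."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _, src_ip, dst_ip, dst_port, state = parse(line)
        if state == "SYN_RECV":          # SYN received, handshake never completed
            counts[(dst_ip, dst_port)] += 1
            sources[(dst_ip, dst_port)].add(src_ip)
    return {svc: (counts[svc], len(sources[svc])) for svc in counts}

def classify(text: str) -> dict:
    """{'ip:port': verdict} for every service above the half-open threshold."""
    verdicts = {}
    for (ip, port), (half_open, n_sources) in half_open_summary(text).items():
        if half_open < HALF_OPEN_ALERT:
            continue
        distributed = n_sources >= DISTRIBUTED_SOURCES
        verdicts[f"{ip}:{port}"] = "distributed SYN flood" if distributed else "single-source SYN flood"
    return verdicts

if __name__ == "__main__":
    for service, verdict in classify(RECORDS).items():
        print(f"{service}: {verdict}")
```

On real data the thresholds would be set from the service's normal half-open count, and the single-source case is the one that a per-source rate limit or SYN cookies can absorb; the distributed case needs upstream filtering or scrubbing, which is why the paper calls it harder to mitigate.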