The document outlines the importance of scanning in cybersecurity, including network, vulnerability, web application, database, host-based, and wireless network scanning, highlighting various tools and methodologies used. It discusses attack tree analysis as a structured approach for assessing potential security threats, along with the process of vulnerability assessment and penetration testing to identify weaknesses and mitigate risks. Additionally, it provides insight into common cyber attacks, pentesting tools, roles, responsibilities, and certifications essential for professionals in the field.

1. Cyber Security
A. Avinash, Ph.D.,
Assistant Professor
School of Computer Science and Engineering (SCOPE)
Vellore Institute of Technology (VIT), Chennai

2. • Scanning is a critical process in cyber security used to identify
vulnerabilities, weaknesses, and potential threats in networks, systems,
and applications.
Importance of Scanning
• Proactive Defense: Helps identify and fix vulnerabilities before they can
be exploited by attackers.
• Compliance: Assists in meeting regulatory requirements and industry
standards (e.g., PCI DSS, HIPAA).
• Risk Management: Enables organizations to assess and mitigate risks
effectively.
• Continuous Monitoring: Provides ongoing visibility into the security
posture of the organization.
Hacking Methodology

3. Types of Scanning
1. Network Scanning: Network scanning is the process of discovering devices, services,
and open ports in a network.
• Purpose: To map the network, identify active devices, and detect open ports and
services.
• Tools:
• Nmap: A powerful network scanner that can discover hosts and services on a
network.
• Angry IP Scanner: A fast and easy-to-use IP address and port scanner.
• Advanced IP Scanner: A network scanner to analyze LAN.
• Methods:
• Ping Sweeps: Sending ICMP echo requests to multiple hosts to determine which are
up and responding.
• Port Scanning: Checking the status of ports (open, closed, or filtered) on devices to
identify running services.
• OS Detection: Identifying the operating systems running on network devices.
Hacking Methodology

4. Hacking Methodology
2. Vulnerability Scanning: Vulnerability scanning aims to detect security weaknesses in systems and
applications.
• Purpose: To identify vulnerabilities that can be exploited by attackers.
• Tools:
• Nessus: A widely used vulnerability scanner that identifies vulnerabilities, configuration
issues, and malware.
• OpenVAS: An open-source vulnerability scanner that offers a comprehensive scanning and
vulnerability management solution.
• Qualys: A cloud-based platform that provides continuous vulnerability scanning and
compliance monitoring.
• Methods:
• Authenticated Scanning: Uses valid credentials to perform a deeper and more accurate scan
of the target system.
• Unauthenticated Scanning: Scans the target system without using credentials, simulating an
attack from an external threat actor.
• Configuration Checks: Evaluates the system's configuration against best practices and
security standards.

5. 3. Web Application Scanning: Web application scanning focuses on identifying
security vulnerabilities in web applications.
• Purpose: To find vulnerabilities that can be exploited in web applications.
• Tools:
• OWASP ZAP (Zed Attack Proxy): An open-source web application security
scanner.
• Burp Suite: A comprehensive platform for performing security testing of web
applications.
• Nikto: An open-source web server scanner that checks for dangerous files,
outdated server software, and other issues.
• Methods:
• Static Analysis: Examines the application's source code to identify
vulnerabilities.
• Dynamic Analysis: Tests the running application to identify security issues.
• Fuzzing: Inputs a large amount of random data ("fuzz") to the application to find
security flaws.
Hacking Methodology

6. 4. Database Scanning: Database scanning identifies vulnerabilities and
misconfigurations in databases.
• Purpose: To ensure the security and integrity of databases.
• Tools:
• DBScan: A database vulnerability scanner that checks for security
issues in various types of databases.
• SQLmap: An open-source tool that automates the detection and
exploitation of SQL injection flaws.
• Methods:
• Configuration Checks: Ensures that database settings are secure and
follow best practices.
• Content Scans: Identifies sensitive data, such as Personally
Identifiable Information (PII) or credit card numbers, that might be
exposed.
Hacking Methodology

7. 5. Host-based Scanning: Host-based scanning focuses on the security of
individual hosts or devices.
• Purpose: To identify vulnerabilities and misconfigurations on specific devices.
• Tools:
• Nessus: Also used for host-based scanning to check for vulnerabilities on
individual hosts.
• OpenVAS: Provides host-based scanning capabilities to identify
vulnerabilities on specific systems.
• Retina Network Security Scanner: A comprehensive vulnerability
assessment solution for identifying security risks on hosts.
• Methods:
• Patch Management: Ensures that all software and systems are up-to-date
with the latest security patches.
• Configuration Audits: Evaluates the configuration of the host against
security best practices.
Hacking Methodology

8. 6. Wireless Network Scanning: Wireless network scanning identifies and assesses
wireless networks and their security.
• Purpose: To detect and secure wireless networks.
• Tools:
• Aircrack-ng: A suite of tools for assessing Wi-Fi network security.
• Kismet: A wireless network and device detector, sniffer, and intrusion
detection system.
• Wireshark: A network protocol analyzer that can capture and analyze
wireless traffic.
• Methods:
• SSID Discovery: Identifies available wireless networks and their SSIDs.
• Encryption Analysis: Checks the encryption methods used by wireless
networks to ensure they are secure.
• Rogue Access Point Detection: Identifies unauthorized access points that
may pose a security risk.
Hacking Methodology

9. Attack Tree Analysis
• An attack tree is a visual representation that models the security of a system
from the perspective of an attacker.
• It starts with a single root node representing the main goal of the attack (e.g.,
gaining unauthorized access).
• Node is then expanded into branches that represent different ways to achieve
this goal.
• Each branch can further divide into sub-branches, representing more specific
attack methods or steps.

10. Attack Tree Analysis
Components of an Attack Tree
• Root Node: The ultimate goal of the
attack (e.g., stealing sensitive data).
• Branches: Different methods or
steps to achieve the goal.
• Leaf Nodes: The final steps or
specific actions in each attack path.
• AND Nodes: Represent steps that
must all occur together for an attack
to succeed.
• OR Nodes: Represent alternative
steps, where any one can lead to the
next stage in the attack.

11. Attack Tree Analysis

12. Attack Tree Analysis

13. Attack Tree Analysis
Example of an Attack Tree: Consider an attack tree for gaining unauthorized access to a secure system
• Root Node: Gain unauthorized access
• Branch 1: Exploit software vulnerability (OR Node)
• Leaf Node: Identify vulnerability
• Leaf Node: Develop exploit
• Branch 2: Obtain login credentials (OR Node)
• Sub-Branch: Phishing (AND Node)
• Leaf Node: Create phishing email
• Leaf Node: Send email to target
• Sub-Branch: Social engineering (AND Node)
• Leaf Node: Impersonate IT support
• Leaf Node: Convince user to reveal password
• Branch 3: Physical access (OR Node)
• Leaf Node: Steal access card
• Leaf Node: Bypass physical security

14. Attack Tree Analysis

15. Attack Tree Analysis
Benefits of Attack Tree Analysis
• Structured Approach: Provides a clear and organized way to think about
and document potential attack vectors.
• Comprehensive Coverage: Ensures that all possible attack paths are
considered.
• Prioritization: Helps prioritize threats based on likelihood and impact,
enabling more effective resource allocation.
• Risk Assessment: Assists in evaluating the risk associated with each attack
path.
• Mitigation Planning: Facilitates the development of strategies to
counteract identified threats.

16. Attack Tree Analysis
Steps to Create an Attack Tree
• Define the Goal: Identify the main objective of the potential attacker (e.g.,
data theft, system disruption).
• Identify Attack Vectors: Brainstorm all possible ways to achieve the goal.
• Break Down Steps: Decompose each attack vector into smaller, manageable
steps.
• Organize the Tree: Structure the attack vectors and steps into a hierarchical
tree format.
• Analyze the Tree: Evaluate the likelihood and impact of each attack path.
Identify vulnerabilities and possible defenses.

17. Attack Tree Analysis
Applications of Attack Tree Analysis
• Security Assessment: Used by security professionals to assess the
robustness of systems and identify weak points.
• Incident Response Planning: Helps in preparing for potential security
incidents by understanding attack methods.
• Compliance and Auditing: Supports regulatory and compliance
requirements by demonstrating thorough security analysis.
• Training and Awareness: Educates employees and stakeholders about
potential security threats and defenses.

18. Assessing vulnerabilities
Assessing vulnerabilities is a critical process in cyber security aimed at identifying,
evaluating, and mitigating weaknesses in systems, networks, and applications. Key steps
involved in assessing vulnerabilities:
1. Planning and Preparation
a. Define Scope:
• Determine the assets, systems, and networks to be assessed.
• Identify the boundaries and limitations of the assessment.
b. Gather Information:
• Collect data on the target environment, including network topology, operating systems,
applications, and security policies.
• Identify the stakeholders and obtain necessary permissions.

19. Assessing vulnerabilities
2. Asset Identification and Prioritization
a. Inventory Assets:
• Create a comprehensive list of all hardware, software, and data assets.
• Include details such as IP addresses, versions, configurations, and dependencies.
b. Classify and Prioritize:
• Categorize assets based on their criticality to the organization.
• Assign priority levels to assets based on their importance and the potential impact of a vulnerability.
3. Vulnerability Identification
a. Automated Scanning:
• Use automated vulnerability scanning tools (e.g., Nessus, Qualys, OpenVAS) to perform initial assessments.
• Configure the tools to scan for known vulnerabilities in the target environment.
b. Manual Testing:
• Conduct manual tests to identify vulnerabilities that automated tools may miss.
• Use techniques such as penetration testing, code review, and configuration review.

20. Assessing vulnerabilities
4. Vulnerability Analysis
a. Validate Findings:
• Verify the vulnerabilities identified by automated tools and manual tests.
• Eliminate false positives and ensure accuracy.
b. Assess Impact and Exploitability:
• Evaluate the potential impact of each vulnerability on the organization.
• Determine how easily the vulnerability can be exploited by an attacker.
c. Classify Vulnerabilities:
• Categorize vulnerabilities based on their severity (e.g., critical, high, medium, low).
• Use standardized scoring systems such as CVSS (Common Vulnerability Scoring System)
to quantify severity.

21. Assessing vulnerabilities
5. Reporting and Documentation
a. Create a Detailed Report:
• Document the findings, including the identified vulnerabilities, their severity, and
potential impact.
• Provide detailed descriptions, screenshots, and steps to reproduce the vulnerabilities.
b. Recommend Mitigations:
• Suggest specific actions to remediate or mitigate each vulnerability.
• Include both short-term fixes and long-term strategies.
c. Communicate with Stakeholders:
• Present the findings and recommendations to relevant stakeholders.
• Ensure clear communication of the risks and necessary actions.

22. Assessing vulnerabilities
6. Continuous Monitoring and Improvement
a. Establish Continuous Monitoring:
• Implement continuous monitoring tools and processes to detect new vulnerabilities and
threats.
• Regularly update vulnerability databases and scanning tools.
b. Review and Update Policies:
• Periodically review and update security policies, procedures, and controls.
• Ensure ongoing training and awareness for staff to stay informed about emerging threats
and best practices.

23. Penetration Testing
● Penetration testing, also called pen testing or ethical hacking, is the practice of
testing a computer system, network or web application to find security
vulnerabilities.
● The process of pen testing involves gathering information about the target before
the test, identifying possible entry points, attempting to break in and reporting back
the findings.
● Penetration testing can be automated with software applications or performed
manually either way.
● A black-box penetration test determines the vulnerabilities in a system that are
exploitable from outside the network.
● A white-box penetration testers are given full access to source code, architecture
documentation etc.

24. Phases of a Penetration Test
1. It is the process of collecting information
before deploying any real attacks.
2. It is the process of identifying the likely entry
points into the target system.
3. It is the process which defines, locates, and
classifies the security leaks in a computer,
network, or application.
4. It is the process of enabling pen testers to
compromise a system and expose to further
attacks.
5. It is the process of documenting all the steps
that led to a successful attack during the test.

25. Penetration Test Terms
1. Common vulnerabilities and exposures (CVE) program cataloging software and
firmware vulnerabilities for 18 years.
2. Vulnerability is a weak point or a bug in a piece of software , hardware or
operating system that leaves a system open and vulnerable to attacks and
unauthorized access.
3. Exploit is a code that takes advantage of a software vulnerability or security flaw.
Exploits allow an intruder to remotely access a network and gain elevated privileges,
or move deeper into the network or computer systems.
4. Payload is a piece of code that executed through exploit.

26. Most Common Types of Cyber Attacks
1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
2. Man in The Middle Attack (MITM)
3. Phishing and spear Attacks
4. SQL Injection Attack
5. Cross-Site Scripting (XSS) Attack

27. Common Network Attacks
1. CDP Manipulation: CDP packets are enabled by default on Cisco switches and transmitted in a
clear text which allows the attacker to analyze the packets and gain information about the network
device, so the attacker can search for a known vulnerability and execute against this device.
2. Telnet Enabled VTY: Telnet also transmits packets in clear text which can reveal to an attacker
who’s sniffing the network , as well as SSH v1 which is also vulnerable and compromised.
3. Mac Flooding: The attacker floods the Mac table with Mac Address more than the switch can
store or handle , which makes the switch operating as a hub giving the attacker the opportunity to
sniff all traffic on the segment.
4. DHCP Spoofing: the attacker listens for DHCP requests and answers them , giving it’s IP
address the default gateway for the clients , the attacker becomes a (MITM).
5. ARP Spoofing: similar to dhcp spoofing but related to ARP Messages.

28. Common Pentest Tools
1. Nmap is a very popular tool predominantly aids in understanding the characteristics of any target
network, the characteristics include host, services, OS, packet filters/firewalls etc. It works on most of the
environments and is open sourced.
2. Nessus is a scanner, robust vulnerability identifier tool. It specializes in compliance checks, Sensitive
data searches, IPs scan, website scanning etc. and aids in finding the ‘weak-spots’.
3. Acunetix is a fully automated web vulnerability scanner that detects and reports on over 4500 web
application vulnerabilities including all variants of SQL Injection and XSS.
4. Metasploit is the most advanced and popular Framework that can be used to for pen-testing. It is based
on the concept of ‘exploit’ which is a code that can surpass the security measures and enter a certain
system. It runs a ‘payload’, a code that performs operations on a target machine, thus creating a perfect
framework for penetration testing.
5. Wireshark is a network protocol analyzer, details about network protocols, packet information,
decryption etc.
6. Burp-Suite: Burp suite is also essentially a scanner (with a limited “intruder” tool for attacks),
although many security testing specialists swear that pen-testing without this tool is unimaginable.

29. Pentest roles and responsibilities
1. Network and application tests to check the general security vulnerabilities across a network.
2. Physical security test checking for disaster hardening of servers to non-cyber threats
3. Security audits is a fundamental and ongoing aspect of the penetration tester’s role.
4. General security report writing and the use of metrics from tests to help develop security strategies
5. Involvement in security team and security policy review need to be able to communicate with
team and help with security policy review

30. Penetration Testing certificates
Here is a list of the most common certificates in penetration Testing:
● EC-Council Licensed Penetration Tester (LPT) Master
● IACRB Certified Penetration Tester (CPT)
● Certified Expert Penetration Tester (CEPT)
● Certified Penetration Testing Engineer (CPTE)
● GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
● GIAC Web Application Penetration Tester (GWAPT)
● GIAC Penetration Tester (GPEN)