NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
Mahavir Education Trust's
Shah & Anchor Kutchhi Engineering College,
Chembur, Mumbai 400 088
UG Program in Information Technology

Experiment No.: 8
Date of 20/09/2021
Performance:
Date of 20/09/2021
Submission:

Program
formation/ Documentation Timely Viva Experiment Teacher
Execution/ (02) Submissio Answer Marks (15) Signature with
ethical n (03) (03) date
practices (07)
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
EXPERIMENT NO:-8
Aim:Study of malicious software using different tools

a) Keylogger attack using a keylogger tool.

b) Simulate DOS attack using Hping

Learning Outcome 8:Use tools like sniffers, port scanners and other related tools for analyzing
packets in a network.

Theory:

Keylogger definition

Keyloggers are a type of monitoring software designed to record keystrokes made by a user. One of the
oldest forms of cyber threat, these keystroke loggers record the information you type into a website or
application and send back to a third party.

Criminals use keyloggers to steal personal or financial information such as banking details, which they can
then sell or use for profit. However, they also have legitimate uses within businesses to troubleshoot,
improve user experience, or monitor employees. Law enforcement and intelligence agencies also uses
keylogging for surveillance purposes.

How do keyloggers work?

Keyloggers collect information and send it back to a third party – whether that is a criminal, law
enforcement or IT department. “Keyloggers are software programs that leverage algorithms that monitor
keyboard strokes through pattern recognition and other techniques,” explains Tom Bain, vice president
security strategy at Morphisec.

The amount of information collected by keylogger software can vary. The most basic forms may only
collect the information typed into a single website or application. More sophisticated ones may record
everything you type no matter the application, including information you copy and paste. Some variants of
keyloggers – especially those targeting mobile devices – go further and record information such as calls
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
(both call history and the audio), information from messaging applications, GPS location, screen grabs, and
even microphone and camera capture.

Keyloggers can be hardware- or software-based. Hardware-based ones can simply nestle between the
keyboard connector and the computer’s port. Software-based ones can be whole applications or tools
knowingly used or downloaded, or malware unknowingly infecting a device.

Data captured by keyloggers can be sent back to attackers via email or uploading log data to predefined
websites, databases, or FTP servers. If the keylogger comes bundled within a large attack, actors might
simply remotely log into a machine to download keystroke data.

How hackers use keyloggers

The first keyloggers were used by the Soviet Union in the 1970s to monitor IBM electric typewriters used
at embassies based in Moscow. They would record what was typed and send the information back to Soviet
intelligence via radio signals.

Today spyware such as keystroke loggers are a common part of the cyber-criminal toolset to capture
financial information such as banking and credit card details, personal information such as emails and
password or names and addresses, or sensitive business information around processes or intellectual
property. They may sell that information or use it as part of a larger attack depending on what was gathered
and their motives.

“These programs can be used to steal information like passwords, PII [personally identifiable information],
and other critical information related to individuals and organizations,” explains Bain. “For example, if a
keylogger is able to monitor the keystrokes of a database super admin within a large organization, they can
gain access to things like laptops and servers that can ultimately expose large volumes of data they can
monetize.”

How keyloggers infect devices

Keyloggers can be placed on machines in a number of different ways. Physical loggers require a person to
be physically present to be placed on a machine, meaning such attacks are harder (but not impossible) to
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
achieve, and more likely to come from an insider threat. Wireless keyboards can also be snooped on
remotely.

Last year hundreds of models of HP laptops were shipped with keylogging code present in its touchpad
drivers. The logging was disabled by default and was part of a debug tool left in by one of the company’s
suppliers.

Software-based keyloggers are far more common and have multiple routes for entry. Infected domains are
a common attack method. In October, online office suite Zoho saw its .com and .eu domains suspended
after serving users keylogging malware. Thousands of Wordpress sites have also been previously infected
with keyloggers via fake Google Analytics scripts.

Malware-infected apps are also an issue. Google recently removed 145 apps from the Play Store that
contained keylogging malware. As with many types of malware, loggers are often included in phishing
emails containing malicious links. A new version of the HawkEye keylogger, for example, was spread via
a spam email campaign bearing infected Word documents. Some variants, such as Fauxspersky, can spread
through infected USB drives.

Keyloggers often come bundled with other malware as part of a wider attack. Many keyloggers now come
with ransomware, cryptocurrency mining or botnet code attached that can be activated at the attacker’s
discretion.

Some universities have suffered incidents due to keyloggers. Nearly 2,000 students at the University of
California Irvine had their personal and health information stolen after computers in the student health
center were compromised. Last year at the University of Iowa, a student was arrested by the FBI for
computer fraud after using a keylogger to gain advance copies of exams and change grades. In 2016 a
student at the Singapore Management University used a USB hardware keylogger to gain the user IDs and
passwords of two professors to delete the test scripts for an example and force a retake.

Types of Keyloggers:

 Software keyloggers:
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
Software-based keyloggers are basically programs that plan to monitor your PC’s working
framework. The Keylogger shift in sorts and levels of framework infiltration. One case of which is
memory infusion programming.

These Keyloggers are ordinary Trojan infections that adjust the memory tablet of a framework to
sidestep online security. Another illustration is a frame snatching based programming. This
Keyloggers controls the structures submitted on the web and basically tracks all the data users put
in each frame.

Software-based keyloggers are more dangerous if there are additional features for each. The
Keylogger can be very hard to detect that’s why it takes a lot to remove them.

 Hardware-based keyloggers:
Compared to a software-based Keylogger, hardware Keylogger doesn’t need any installing since
they are as of now inside the physical system of the PC. Keyboard keyloggers are amongst the
most widely recognized cases of hardware-based ones.

The Keylogger monitors the keyboard keys a client presses and after that records it secretly.
Another case is the acoustics keyloggers. The Keylogger record the sounds of the keys pressed by
each client. Since each sound is unique, it is conceivable to predict which key it is.

Keyloggers can either be evil or great. Considering there are such a significant number of sorts of
keyloggers out there, one should always be-be extremely careful. So whether you’re installing
something or a hardware device connected to your PC, better be careful every step of the way.

Some Keylogger Tools:

 Hooker:
Hooker is a lightweight keyboard activity spy. It allows capturing of all keystrokes made by the
user, including any clipboard changes. Currently active process name and window title can be
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
logged and used for filtering the captured data. It is Unicode aware, so characters generated in any
language are going to be recorded correctly, even combining keys such as accents.

Advanced logging facility can periodically save all of the activity in a log file, send via email or
upload to an FTP server. The program is completely hidden during normal operation and is
accessible only with a secret key combination

 PyKeylogger
PyKeylogger is an easy-to-use and simple keylogger written in python. It is primarily designed for
backup purposes, but can be used as a stealth keylogger, too. It does not raise any trust issues, since
it is a short python script that you can easily examine.
It is primarily designed for personal backup purposes, rather than stealth keylogging. Thus, it does
not make explicit attempts to hide its presence from the operating system or the user.
That said, the only way it is visible is that the process name shows up in the task list, so it is not
immediately apparent that there is a keylogger on the system.

What is a denial-of-service attack?

A denial-of-service (DoS) attack is a type of cyber attack in which a malicious actor aims to render a
computer or other device unavailable to its intended users by interrupting the device's normal functioning.
DoS attacks typically function by overwhelming or flooding a targeted machine with requests until normal
traffic is unable to be processed, resulting in denial-of-service to addition users. A DoS attack is
characterized by using a single computer to launch the attack.

A distributed denial-of-service (DDoS) attack is a type of DoS attack that comes from many distributed
sources, such as a botnet DDoS attack.

How does a DoS attack work?

NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
The primary focus of a DoS attack is to oversaturate the capacity of a targeted machine, resulting in denial-
of-service to additional requests. The multiple attack vectors of DoS attacks can be grouped by their
similarities.

DoS attacks typically fall in 2 categories:

What are some historically significant DoS attacks?

Historically, DoS attacks typically exploited security vulnerabilities present in network, software and
hardware design. These attacks have become less prevalent as DDoS attacks have a greater disruptive
capability and are relatively easy to create given the available tools. In reality, most DoS attacks can also
be turned into DDoS attacks.

A few common historic DoS attacks include:

· Smurf attack - a previously exploited DoS attack in which a malicious actor utilizes the broadcast address
of a vulnerable network by sending spoofed packets, resulting in the flooding of a targeted IP address.

· Ping flood - this simple denial-of-service attack is based on overwhelming a target with ICMP (ping)
packets. By inundating a target with more pings than it is able to respond to efficiently, denial-of-service
can occur. This attack can also be used as a DDoS attack.

· Ping of Death - often conflated with a ping flood attack, a ping of death attack involves sending a
malformed packet to a targeted machine, resulting in deleterious behavior such as system crashes.

How can you tell if a computer is experiencing a DoS attack?

While it can be difficult to separate an attack from other network connectivity errors or heavy bandwidth
consumption, some characteristics may indicate an attack is underway.

Indicators of a DoS attack include:

· Atypically slow network performance such as long load times for files or websites
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
· The inability to load a particular website such as your web property

· A sudden loss of connectivity across devices on the same network

What is the difference between a DDoS attack and a DOS attack?

The distinguishing difference between DDoS and DoS is the number of connections utilized in the attack.
Some DoS attacks, such as “low and slow” attacks like Slowloris, derive their power in the simplicity and
minimal requirements needed to them be effective.

DoS utilizes a single connection, while a DDoS attack utilizes many sources of attack traffic, often in the
form of a botnet. Generally speaking, many of the attacks are fundamentally similar and can be attempted
using one more many sources of malicious traffic. Learn how Cloudflare's DDoS protection stops denial-
of-service attacks.
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
Hping

A Denial of Service (DoS) attack is an attempt to make an online service unavailable by

overwhelming it with traffic.

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired

by the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It
supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send
files between a covered channel, and many other features.

While hping was mainly used as a security tool in the past, it can be used in many ways by
people that don’t care about security to test networks and hosts. A subset of the stuff you can
do using hping:

● Firewall testing
● Advanced port scanning
● Network testing, using different protocols, TOS, fragmentation
● Manual path MTU discovery
● Advanced traceroute, under all the supported protocols
● Remote OS fingerprinting
● Remote uptime guessing
● TCP/IP stacks auditing
● hping can also be useful to students that are learning TCP/IP.

Commands

sudo apt install hping3 -y

hping3 -h
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
DOS attack using hping3:

sudo hping3 -S --flood -V -p 80 DOMAIN/IP

TCP SYN scan:

sudo hping3 -S DOMAIN/IP -p 80 -c 1

TCP ACK scan:

sudo hping3 -A DOMAIN/IP -p 80 -c 1

Attack from random IP:

sudo hping3 DOMAIN/IP -q -n -d 120 -S -p 80 --flood --rand-source

Smurf attack:

sudo hping3 -1 --flood -a 192.168.33.123 192.168.1.255

Attack from fake IP:

sudo hping3 -a <FAKE IP> <target> -S -q -p 80 --faster -c2

# example

sudo hping3 -a 192.168.33.123 192.168.1.255 -S -q -p 80 --faster -c2

Conclusion:Studied various keylogger tools available and used them in our system. Studied various
hping3 commands used to flood servers DOS attack.

Output: Hooker

Hooker Step 1:

Download Hooker from: http://hooker.findmysoft.com/

NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27

Step 2:

After downloading, extract into a folder.

NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27

Step 3:

Open hooker application.

NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27

After opening this will start recording keywords on our system.

Step 4:

Logfile.
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27

Output: Hping
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27
NAME: Nirmal Nemade

CLASS : TE-5-B

ROLL NO: 27