---

Introduction

Module 7 — Malware Threats

• Malware is malicious software designed to disrupt, steal, or control systems — from viruses and worms to ransomware and botnets.
• Study how malware propagates, how to analyze it (static & dynamic), and how detection (AV/EDR/sandboxing) and response work.
• Focus on real-world incidents, advanced techniques (fileless, polymorphic, RaaS), and layered defenses.

Module 8 — Sniffing

• Sniffing is capturing and analyzing network traffic to extract credentials, sessions, or sensitive data — attackers and defenders both use it.
• Learn passive vs active sniffing (ARP spoofing, MAC flooding, rogue APs), practical tools (Wireshark, tcpdump, Ettercap) and lab techniques.
• Emphasize detection signatures (ARP anomalies, rogue DHCP/DNS), encryption (TLS/VPN) and switch/hardening controls (DAI, DHCP snooping, port security).

Module 9 — Social Engineering

• Social engineering exploits human trust and cognitive biases to get credentials, access, or actions (phishing, vishing, baiting, tailgating).
• Master the psychology (authority, reciprocity, urgency), OSINT-backed pretexting, attack workflows, and realistic red-team techniques.
• Defend with people/process/tech: training & simulations, verification workflows, SPF/DKIM/DMARC, MFA, and incident playbooks.

---

Module 7: Malware Threats

1. Introduction

• Malware (malicious software) is software intentionally created to damage, exploit, disrupt, or gain unauthorized access to systems.
• It remains a primary cyber weapon in both targeted and large-scale attacks.
• CEH emphasizes malware because:
  • It is the most common tool of attackers.
  • It demonstrates how attacks transition from access → persistence → damage.
  • It requires defenders to understand infection vectors, types, analysis, and countermeasures.

💡 Exam Tip: Expect questions that compare types of malware (virus vs worm vs trojan), propagation methods, and defenses.

2. Malware Categories & Variants

Viruses

• Malicious code that attaches to host files/programs.
• Needs human execution (file opened, program run).
• Spread via USBs, file sharing, infected documents.
• Effects: File corruption, OS crashes, data destruction.
• Variants:
  • Boot sector virus → infects MBR.
  • Macro virus → embedded in Office macros.
  • Polymorphic virus → changes its signature to avoid detection.
  • Metamorphic virus → rewrites code with each infection.

Worms

• Self-replicating, do not need user interaction.
• Exploit vulnerabilities to spread across networks.
• Cause network congestion, mass infection.
• Examples:
  • SQL Slammer (2003).
  • WannaCry (2017, SMB exploit).

Trojans

• Appear legitimate but execute malicious payloads.
• Used for backdoors, data theft, and remote control.
• Types:
  • RAT (Remote Access Trojan) → full system control.
  • Banking Trojan → steals credentials.
  • Downloader Trojan → installs additional malware.
• Example: Zeus Trojan (banking malware).

Ransomware

• Encrypts files and demands ransom (usually cryptocurrency).
• Often spreads via phishing or RDP exploitation.
• Variants:
  • Crypto Ransomware → encrypts data.
  • Locker Ransomware → blocks access to system.
• Examples: WannaCry, Petya, Ryuk.

Spyware & Adware

• Spyware → secretly monitors user activities (keystrokes, browsing).
• Adware → floods system with unwanted ads, sometimes ad-click fraud.

Rootkits

• Hide malware presence by modifying OS/kernel.
• Can be kernel-level, user-mode, firmware, or bootkits.
• Danger: Provide stealth and persistence.

Botnets

• Networks of compromised machines (zombies) under control of C&C (command & control).
• Used for DDoS, spam, credential stuffing, crypto mining.
• Example: Mirai botnet (2016).

3. Malware Propagation Methods

• Phishing emails with attachments/links.
• Drive-by downloads via malicious websites.
• Removable media (USB worms).
• Exploit kits leveraging browser/OS flaws.
• Social engineering tricks (fake updates, free software).
• Fileless malware that runs directly in memory (PowerShell, WMI).

💡 Exam Tip: Virus requires user action, worm self-replicates, Trojan disguises itself.

4. Advanced Malware Techniques

• Polymorphic Malware: Constantly changes signature to evade signature-based AV.
• Metamorphic Malware: Completely rewrites itself during each infection cycle.
• Armored Malware: Uses obfuscation and anti-debugging to frustrate reverse engineers.
• Fileless Malware: Operates entirely in RAM, leaving little forensic evidence.
• Ransomware-as-a-Service (RaaS): Commercialized malware sold to cybercriminals.

5. Malware Analysis Methods

Static Analysis

• Inspecting malware without executing it.
• Involves disassembly, checking file headers, hash values, strings.
• Tools: PEiD, IDA Pro, Ghidra, strings, VirusTotal.

Dynamic Analysis

• Running malware in a sandbox/isolated lab.
• Observes behavior: file changes, registry edits, network calls.
• Tools: Cuckoo Sandbox, ProcMon, Process Explorer, Wireshark.

Memory Forensics

• Examining RAM for malware traces (useful for fileless malware).
• Tools: Volatility Framework, Redline.

6. Malware Detection Tools & Frameworks

• Antivirus/Antimalware: Malwarebytes, Kaspersky, Bitdefender.
• EDR (Endpoint Detection & Response): CrowdStrike Falcon, Carbon Black, SentinelOne.
• Sandboxing: FireEye, Cuckoo Sandbox.
• IDS/IPS: Snort, Suricata, Zeek.
• Threat Intelligence Feeds: Detect IOCs (Indicators of Compromise).

7. Real-World Malware Incidents

• ILOVEYOU Worm (2000): Caused $10 billion in damages via email propagation.
• Stuxnet (2010): Targeted SCADA/ICS systems, disrupted Iranian nuclear program.
• WannaCry (2017): Global ransomware attack exploiting SMB vulnerability.
• Emotet: Began as banking Trojan, evolved into a malware distribution platform.

8. Countermeasures Against Malware

1. Prevention
   • User awareness and phishing training.
   • Patch management.
   • Disable autorun on removable media.
   • Principle of Least Privilege (PoLP).
2. Detection
   • Signature and behavior-based AV/EDR.
   • Centralized log analysis with SIEM (Splunk, QRadar).
   • Network anomaly detection.
3. Response
   • Quarantine infected hosts.
   • Remove malware via AV tools.
   • Restore clean backups.
   • Conduct forensics to identify entry vector.
4. Long-Term Defense
   • Zero Trust architecture.
   • Threat hunting programs.
   • Continuous monitoring.
   • Application whitelisting.

9. Key Takeaways

• Viruses attach, worms replicate, trojans disguise, ransomware extorts, rootkits hide, spyware spies, botnets enslave.
• Malware evolves constantly with fileless, polymorphic, and RaaS trends.
• Effective defense requires layered security: prevention, detection, and response.
• Malware analysis (static + dynamic) is crucial for incident response and threat intelligence.

🔑 Memory Hooks for Exam:

• Malware Types Mnemonic: “Very Wild Tigers Really Run Swiftly Backwards” →
  Viruses, Worms, Trojans, Rootkits, Ransomware, Spyware, Botnets.
• Malware Analysis: Static = no execution; Dynamic = run in sandbox.

---

Module 8: Sniffing

1) What is sniffing?

• Sniffing = capturing (sniffing) network packets and analysing them to extract useful information (credentials, session tokens, files, protocol data).
• Dual use:
  • Attackers: capture cleartext credentials, session cookies, or manipulate traffic (MITM).
  • Defenders: legitimate network monitoring, troubleshooting, incident response.

Core idea: if traffic is unencrypted, a sniffer can read it.

2) Passive vs Active sniffing

• Passive sniffing
  • The sniffer simply listens; does not alter traffic.
  • Works in broadcast or hub networks (or when using SPAN/mirror ports).
  • Harder to detect (low noise).
  • Tools: Wireshark, tcpdump, NetworkMiner.
• Active sniffing
  • Attacker manipulates network behavior to redirect traffic through attacker machine (MITM).
  • Techniques: ARP poisoning, MAC flooding, DNS spoofing, DHCP spoofing.
  • Easier to capture target traffic in switched networks.
  • Tools: Ettercap, arpspoof, Cain & Abel, Bettercap.

3) Common sniffing attack techniques (how attackers get traffic)

A. ARP poisoning / ARP spoofing (MITM on LAN)

• Attacker sends forged ARP replies telling victim “I am the gateway” and telling gateway “I am the victim”.
• Result: victim’s traffic is routed via attacker → attacker can sniff & modify traffic.
• Typical commands:
  • Enable IP forwarding on attacker:
    sysctl -w net.ipv4.ip_forward=1
  • Using arpspoof (dsniff):
    arpspoof -i eth0 -t <victim-ip> <gateway-ip>
arpspoof -i eth0 -t <gateway-ip> <victim-ip>
  • Using ettercap (text mode):
    ettercap -T -q -M arp:remote /<victim IP>/ /<gateway IP>/

B. MAC flooding

• Flood switch CAM table with fake MAC addresses so it fails and begins broadcasting — then attacker can sniff.
• Tools: macof (part of dsniff), custom scripts.
• Mitigation: port-security, CAM table limits.

C. DNS spoofing / DNS cache poisoning

• Attacker responds to DNS requests with forged IPs to redirect victims to malicious sites.
• Tools: dnsspoof (part of dsniff), ettercap DNS spoofing, dnschef.
• Example: add entries to Ettercap etter.dns then run ettercap with DNS plugin.

D. DHCP attacks

• Attacker runs rogue DHCP server offering malicious gateway/DNS so victims send traffic to attacker.
• Tools: dhcpd, metasploit modules, Yersinia.
• Mitigation: DHCP snooping.

E. SSL stripping / HTTPS downgrade

• Intercept HTTPS attempts and downgrade to HTTP (stripper sits in the middle).
• Tools: sslstrip (use with ARP spoofing) — modern mitigations (HSTS, certificate pinning) make it harder.

F. Wireless sniffing & rogue APs

• Set up rogue access points or capture traffic on open Wi-Fi (or weak encryption like WEP).
• Tools: Kismet, aircrack-ng suite, Wireshark, Bettercap.
• Mitigation: WPA3, 802.1X, VPN on public Wi-Fi.

G. Fileless / memory-based capture

• Some advanced attackers inject code into memory and sniff/process in-memory network stacks. Detection requires EDR/memory forensics.

4) Protocols most at risk

• Cleartext protocols: HTTP, FTP, Telnet, POP3, IMAP, SMTP, SNMP v1/v2.
• VoIP: SIP/RTP (calls, credentials).
• Legacy remote admin: Telnet, rlogin.
• Wireless: Open Wi-Fi or weak protocols (WEP).
• Any protocol without end-to-end encryption is a candidate.

5) Tools — short practical list + sample filters/commands

Packet capture & analysis

• Wireshark (GUI)
  • Capture filter (libpcap): tcp port 80
  • Display filter: http or ip.addr==192.168.1.10 or tcp contains "password"
• tcpdump (CLI)
  • Capture all traffic to file: tcpdump -i eth0 -w capture.pcap
  • Capture only HTTP: tcpdump -i eth0 tcp port 80 -w http.pcap
  • Read: tcpdump -r capture.pcap -n
• Tshark (Wireshark CLI): tshark -r capture.pcap -Y "http.authbasic"

MITM & active tools

• Ettercap (MITM, DNS spoofing): ettercap -T -q -M arp:remote /victim/ /gateway/
• arpspoof (dsniff): see commands above
• Cain & Abel (Windows) – ARP poisoning, password sniffing (legacy)
• Bettercap – modern MITM framework: bettercap -iface eth0 then modules.

Wireless

• Kismet, airodump-ng, airmon-ng, airplay-ng for capture and attacks.

Passive analysis

• NetworkMiner (reconstruct files, credentials)
• Bro/Zeek (network analysis framework — useful for detecting anomalies)

6) Detection & log indicators (what defenders look for)

Network indicators

• Duplicate ARP replies, frequent gratuitous ARP entries.
• Unexpected ARP pairings (one MAC associated with multiple IPs).
• Repeated DNS responses with differing IPs for same query.
• Abnormal DHCP OFFERs (rogue DHCP server).
• Spike in broadcast traffic (possible MAC flooding).

Host indicators

• New routes or changed default gateway.
• Multiple hosts mapping to same MAC.
• Unexpected TLS certificate mismatches (browser warnings).
• Large amounts of plaintext credentials in packet captures.

IDS/IPS signatures and examples (conceptual)

• ARP spoof detection: many platforms use local heuristics, but a signature example concept:
  • Detect multiple ARP replies mapping different MACs to same IP in a short window → trigger alert.
• DNS spoofing: detect NXDOMAIN responses followed by normal-looking answers or multiple anomalous DNS responses.
• HTTP credentials over cleartext: Snort rule (conceptual) to alert on POSTs containing “password”: alert tcp any any -> any 80 (msg:"HTTP POST with possible password"; flow:to_server,established; content:"password="; nocase; sid:100001;) (Adapt rule to your IDS’s syntax and performance considerations.)

Tools for detection

• arpwatch — monitors ARP changes.
• OSSEC / Wazuh / Suricata / Zeek — network monitoring & alerts.
• SIEM (Splunk/ELK/QRadar) — centralize logs & correlate unusual ARP/DNS/DHCP events.

7) Countermeasures (hardening & mitigation)

Encryption & protocol hardening

• Use HTTPS/TLS everywhere. Enforce HSTS & certificate pinning for critical apps.
• Replace Telnet/FTP with SSH/SFTP.
• Use SMTPS/IMAPS/POP3S for mail.
• Use end-to-end encryption for sensitive applications.

Network hardening

• Use switched networks (not hubs) but with protections:
  • Port Security on switches (limit MAC addresses per port).
  • Dynamic ARP Inspection (DAI) — validates ARP packets based on DHCP snooping.
  • DHCP Snooping — prevent rogue DHCP servers.
  • BPDU guard, MAC address table aging and CAM limits to prevent MAC flooding.
  • Use 802.1X for network access control.

Wireless

• Use WPA3 or at least WPA2-Enterprise (802.1X) — avoid PSK for large orgs.
• Disable open Wi-Fi for sensitive access; use VPN for public Wi-Fi.

Host / endpoint

• Use EDR to detect suspicious ARP/DNS modifications, process injections, or sniffing tools.
• Enforce least privilege, application whitelisting, and restrict raw socket creation if possible.
• Patch systems promptly to reduce attack surface.

User / application measures

• Use MFA and avoid transmitting reusable static credentials.
• Educate users about public Wi-Fi risks and inspecting certificate warnings.

8) File/Packet analysis examples & filters

• Wireshark display filters to find credentials/cleartext:
  • http.authbasic — find basic auth headers.
  • smtp && (ip.addr == 10.0.0.5) — SMTP traffic for host.
  • ftp.request || ftp.response
  • tcp.port == 21 (FTP), tcp.port == 23 (Telnet), tcp.port == 80 (HTTP)
  • frame contains "password" — rough search (noisy).
• Reconstruct a file transfer (HTTP/FTP) with Wireshark: File → Export Objects → HTTP.

9) Legal & ethical notes

• Always get written permission before sniffing/mitm on any network you don’t own.
• Sniffing without authorization is illegal in most jurisdictions and could violate company policy or law.

10) Quick memory hooks & summary

• Passive = Listen silently (Wireshark/tcpdump).
• Active = Force traffic through you (ARP poisoning, DNS spoofing, DHCP rogue).
• Top defenses: encrypt traffic (HTTPS/SSH/TLS/IPsec), switch security (port-security, DAI, DHCP snooping), endpoint EDR, MFA.
• Lab commands recap:
  • tcpdump -i eth0 -w capture.pcap
  • sysctl -w net.ipv4.ip_forward=1
  • arpspoof -i eth0 -t <victim> <gateway>
  • ettercap -T -q -M arp:remote /victim/ /gateway/

Module 9: Social Engineering

1. Definition & Scope

• Social engineering: the art of manipulating people into performing actions or divulging confidential information.
• Focuses on human behaviour rather than technical vulnerabilities.
• Objective for attackers: obtain credentials, bypass controls, gain physical access, or get privileged actions performed.

2. Why social engineering works (psychology)

Attackers exploit predictable cognitive biases and social norms:

• Authority — people obey perceived authority (fake manager, IT).
• Reciprocity — people return favours (offer help to extract info).
• Scarcity / Urgency — “act now” reduces rational thinking.
• Liking / Rapport — we trust people we like or identify with.
• Social Proof — people follow what others are doing.
• Commitment / Consistency — small compliance leads to larger concessions.
• Trust in processes — exploiting assumed workflows (e.g., “finance always follows this format”).

3. Common attack vectors & techniques (with practical detail)

A. Phishing (email)

• Mass Phishing: generic lure to many recipients.
• Spear-phishing: crafted to a person or small group using OSINT (LinkedIn, company site).
• Whaling: highly tailored to executives (finance, legal).
  Practical elements:
  • Use domain look-alike or subdomain spoofing, sender display name tricks.
  • Include realistic context: invoice numbers, project names, HR announcements.
  • Payloads: credential harvest pages, malicious attachments (macro / archive).

B. Vishing (voice)

• Caller spoofs caller ID, impersonates IT, vendor, or bank.
• Tactics: pressure for immediate action, scripted pretext, knowledge gleaned via OSINT.

C. Smishing (SMS)

• Short, urgent message with a malicious link or callback number.
• High click rates on mobile due to brevity and trust.

D. Pretexting

• Fabricated scenario: “I’m from HR, need employee backup files for audit.”
• Requires background detail to be convincing (names, relevant project).

E. Baiting & USB Drops

• Physical USB devices labeled to entice (Payroll2025.xlsx → malware).
• Baiting online: fake downloads, “free software/cracked license” with payload.

F. Quid Pro Quo

• Offer (IT help, software) in exchange for credentials/permission to act.

G. Tailgating / Piggybacking (physical)

• Following authorized person into secure area; social tactics to gain compliance (holding door, asking to help).

H. Watering Hole

• Compromise a site known to be frequented by target group (vendor portal, forum).

I. Business Email Compromise (BEC)

• Compelling targeted scam to trick finance into wire transfers (CEO impersonation with forged invoice/urgent wire instructions).

4. Reconnaissance & payload preparation (attacker side)

• OSINT sources: LinkedIn, Facebook, Twitter, company press releases, job ads (reveal tech stack), WHOIS, Google dorks.
• Create convincing pretext: role, email signature, internal references, mock attachments.
• Weaponize: credential-harvesting page with TLS & valid looking domain, macros that require “Enable Content”, PDFs with malicious links.
• Infrastructure: disposable domains, short-lived mailboxes, throwaway VoIP numbers, staging servers.

5. Detection indicators (red flags for defenders)

• Unsolicited requests for credentials or to bypass controls.
• Urgency/pressure to act now; attempts to avoid standard processes.
• Slightly off sender domain or mismatched reply-to addresses.
• Emails with attachments that request macros be enabled.
• Requests for wire transfers with altered account numbers or unusual payees.
• Unfamiliar caller requesting password or MFA code.
• Multiple failed authentication attempts followed by a successful access from a different IP/location.
• Physical: unknown person trying to access secure doors, wearing improper badges.

6. Practical templates & scripts (for authorized testing / red team)

Use only with written authorization.

Spear-phish subject/body template

Subject: [ProjectName] — Urgent: Action Required by EOD
Body:

Hi [Name],

We received an exception for [ProjectName] regarding the deployment scheduled today. Please review the attached “deployment-list.xls” and confirm the server IPs. If you don’t respond within 2 hours the deployment will be delayed.

— [Fake IT Lead Name] | IT Operations

Vishing template

“Hello [Name], this is [IT helpdesk] — we’re doing a critical update and I see your machine hasn’t checked in. Can I have your temporary admin password so I can push the patch? This will take less than a minute.”

Tailgating script

“Sorry, I left my badge in the car — can you hold the door for me? I’m with the [vendor name].”

7. Tools commonly used (for testing and for defenders)

• Offensive / Testing: Social-Engineer Toolkit (SET), Gophish (phishing automation), Maltego (OSINT), disposable email services, VoIP spoofing tools.
• Defensive: Email gateways (sandboxing), SPF/DKIM/DMARC, DLP, EDR, SIEM correlation, web-proxy filtering, telephony anti-spoofing (STIR/SHAKEN), visitor management systems.

8. Technical controls & prevention (detailed)

Email & Messaging

• SPF, DKIM, DMARC: ensure domain authenticity and reject spoofed email.
• Attachment sandboxing: detonate attachments in isolated environment.
• URL rewriting & scanning by secure email gateway.
• Spam & phishing filters, with ML-assisted detection.

Authentication & Account Defense

• Enforce MFA — reduces value of stolen credentials.
• Adaptive/Machine-risk based authentication — flag logins from unusual geos/devices.
• Password policies + no password reuse — block credential stuffing.

Network & Endpoint

• Web proxy & URL filtering — block known phishing domains and risk categories.
• EDR — detect unusual processes or script execution (macro launches).
• Disable auto-run for removable media; block execution from USB.
• Application whitelisting — prevent unauthorized binaries/scripts.

Telephony

• Use caller verification policies, limit information disclosure over phone.
• Implement STIR/SHAKEN where carriers support it.

Physical

• Visitor management: positive ID, escorting, badge checks.
• Mantraps, turnstiles, tailgating detection.

9. Process & organizational controls

• Formal verification workflows for payments and privileged actions (two-person approval, out-of-band verification).
• Clear policies: IT will never ask for your password; finance escalation steps.
• Incident response playbook for social engineering events (contain, identify, notify, remediate).
• Rapid revoke & reset processes for compromised accounts (MFA removal, password resets).

10. Training, metrics & continuous improvement

Training

• Regular phishing simulation campaigns with realistic scenarios and role-specific content.
• Interactive vishing & physical security drills for reception, helpdesk, facilities.
• Executive briefings for WHaling awareness and personal security.

Metrics (KPIs)

• Phishing click rate / reporting rate (target: lower click, higher report).
• Time to report suspicious email (lower is better).
• % of employees passing awareness tests.
• Number of successful vishing/tailgating incidents per audit.
• Mean time to revoke compromised credentials.

Lessons & Feedback

• After each simulation, provide personalized training and aggregate reporting for leadership.
• Tie findings to risk remediation: remove unnecessary published info, tighten vendor controls.

11. Incident response for suspected social engineering breach

1. Isolate affected accounts/workstations.
2. Preserve evidence (emails, call logs, session logs).
3. Reset credentials & revoke sessions/MFA tokens.
4. Identify scope (where else credentials used).
5. Notify legal, HR, leadership, and potentially affected third parties.
6. Remediate (patch, block malicious domains, update policies).
7. Lessons learned: update training and technical controls.

12. Quick reference cheatsheet

• Phishing = email trick → credential harvest or malware.
• Vishing = phone social engineering.
• Smishing = SMS lure.
• Baiting = physical/media lure (USB).
• Quid pro quo = exchange for help/service.
• Tailgating = physical unauthorized entry.
• Key defenses = MFA, SPF/DKIM/DMARC, email sandboxing, DLP, training, verification workflows.