Review APA criteria and Lab 3 Document. Please read the document carefully and answer all the questions from Document HW 3.


Question 1

Carefully review what you have done in Lab-3. Describe different types of attackers and their characteristics based on the attacks and attackers you have seen in Lab-3. Compare and contrast the possible resources, capabilities, techniques, motivations of these different attacker profiles.

Question 2

Describe different types of attacks and their characteristics by taking the phases of MITRE’s ATT&CK framework into account.

Question 3

Describe the following concepts:

A) Attack surface

B) Attack vector

C) Attack tree

Answer the following questions:

1) Which one is a base metric for calculating the CVSS score of a vulnerability? What are the values for the base metric? Explain those possible values.

2) Can an attack tree include attack surface and attack vector information? Explain.

3) Which one has more attack surface for an unprivileged attacker who is in the same network with the target computers? Explain.

a. Ten Windows 7 computers with ports 135, 137, 138, 139, and 445 are open.

b. One Red Hat Enterprise Linux that has 15 ports open, One Windows 2018 server that has 10 ports open.

Lab-3: Cyber Threat Analysis

In Lab-3, you will do some cyber threat analysis by browsing several websites and services maintained by either security companies, volunteers, or hackers. Nothing will harm your computer as long as you don’t push the limits by clicking on the links and ignoring the browser’s security warnings.

To ensure %100 security, you can consider using the Firefox browser inside your Kali VM instead of using the browser at your computer. If you proceed with your computer, then it is recommended to update your browser if it is out of date.

Section-1: Analysis of zone-h.org

Zone-h.org is used and most probably operated by hackers to share the websites that they defaced. They don’t provide any details on how they hacked the website; instead, they share the URL of the defaced website and a mirror for the defaced webpage.

If you are planning to use your computer instead of Kali VM, it is strongly suggested to open a new incognito/InPrivate/Private browser window for the following steps:

1) Enter the website: www.zone-h.org

2) Click on the Archive menu on the top menu. You will see the result screen similar to below:


There is a lot of information on defaced websites on this page, including the original URL and the hacked version of the website (on the mirror link at the rightmost column). Hacked versions of the websites give some clues on the motivations of the hackers; you can see political reasons, have some fun, or a basis to make cyberspace secure.

The legends M and R provide more insight on the defacement. M means mass defacement. If you click one of the M letters, you can see the defacements initiated from a specific IP address. Mass defacements are usually succeeded by the help of scripts. Hackers prepare the scanning and exploitation scripts, scan thousands of websites for a particular vulnerability, and exploit the ones that have the specific vulnerability.

3) Click on one of the M letters you spotted, and see the websites defaced from the same IP address. You can see the IP address in the address bar.

Note: You can perform a whois query to see the detailed information about the IP address you found, including contact information and geographical location.


4) To see a redefacement, you can click one of the R letters you spotted.

Below is an example screenshot of a redefacement, myschool.ng website has been defaced twice in two years.


5) You can click the ENABLE FILTERS link at the top and search for the websites with gov extension. You can see the result of this query below.



Section-2: Pastebin.com

A pastebin site hosts the text-based data such as source codes, code snippets, and anything worth sharing. Pastebin.com is the oldest pastebin site. Pastebin.com had been hosting the pastes of the hacktivist group, Anonymous. After pastebin.com started monitoring the site for illegally pasted data, Anonymous began to a new service: https://anonpaste.org. This pastebin site is used for hacktivist purposes. Anybody can paste text here and -so-called- securely sent. You cannot search among pasted content.


There are many small and restricted pastebin sites on the dark web. A specific hacker group may share things like exploit codes, malicious payloads internally. They also use the pastebin services to share the information they stole like passwords, credit card numbers, etc.


You can see the public pastes in the pastebin website. Google indexes public pastes. You can perform the following searches on Google and check whether there are pastes in pastebin.com. Please review the search sites to get an idea of what kind of information is being shared among hackers in the pastebin.

· Exploit code site:pastebin.com

· Shellcode site:pastebin.com

· Malware code site:pastebin.com

· Keylogger code site:pastebin.com

Section-3: Interactive Threat Maps

There are many websites and services that provide threat intelligence data. Some of them provide information for free; most of them offer paid subscriptions.


These are two services from Cisco and SANS Institute, respectively.

https://talosintelligence.com/reputation_center/: Shows the malicious hosts spreading malware and sending spam e-mail on the world map. You can check the reputation of the IP addresses and domain names on this serves as well.

https://isc.sans.edu/threatmap.html: Shows the density of the different threat feed per country.


SANS Institute provides a FightBack service on this address: https://isc.sans.edu/fightback.html. They forward the strong cases to the ISPs after analyzing the logs and other evidence provided by the Internet user.


Last but not least, the following blog page provides the top 10 cyber-attack maps; it is worth reviewing as it gives the screenshots and a fair amount of information.


Section-4: Fighting with Spam and Malware

Thousands of phishing websites try to trick people into believing that they are on the official website so that they try to steal sensitive information like passwords, credit card numbers, SSNs. If you come up with such a website, you can submit it to Phishtank.org. Phishtank database has been used by reputation engines and virus scanners, such as virustotal.com. Therefore you help to secure cyberspace. The website of PhishTank is https://phishtank.org.

URLhaus does a similar thing for the websites that spread virus. The website of URLhaus is https://urlhaus.abuse.ch.

You can review both web services. For example, enter the PhishTank website and see the recent submissions similar to below:

You can click on the ID numbers to see the phishing websites.

Section-5: Checking URLs

Below services are just two examples by which you can check websites:

https://www.virustotal.com: Check the website if it spreads malware, or it is a phishing website. Currently, VirusTotal makes the controls of the submitted URLs using ~80 different antivirus services.


https://sitecheck.sucuri.net: Check the website for malware and blacklisting.


You can choose some websites from PhishTank and URLhaus and scan them using VirusTotal and Sucuri’s SiteCheck.








0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *