INDEX

S.NO PRACTICAL REMARKS

1 Explain in brief Vulnerability

Assessment tool- Nessus, openVas

2 Discuss about wireless security

protocols (WPA, WPA2) and aircrack
tool

3 Explain about the network scanning

tools (Nmap, hping3)

4 Discuss about firewall services In

detail (application firewall)

5 Discuss about SMB and SMTP

enumeration

6 Illustrate about packet sniffing tools

such as wireshark

7 Explain about system hacking tools

such as metasploit

8 Discuss about how data encrypted in

web security services in https

9 Write practical steps in active and

passive footprinting

10 Illustrate about browser security tools

– shodan, netcraft

11 Write and practically demonstrate

about steganography technique

12 Discuss about audit policies using

auditpool
13 Discuss about Denial of service tools-
LOIC, HOIC

14 Write a code for creating a malware,

and how to test it in online mode for
educational purposes
 PRACTICAL - 1
Explain in brief Vulnerability Assessment tool- Nessus, openVas

Aim:

To understand the features, functionalities, and significance of Vulnerability Assessment tools,

Nessus and OpenVAS, in identifying system vulnerabilities.

Objective:
 To study the working principles of Nessus and OpenVAS.
 To explore their features, capabilities, and applications in network security.
 To analyze and compare the tools for effective vulnerability assessment.

Theory:

Vulnerability Assessment:
Vulnerability assessment is the process of identifying, classifying, and prioritizing vulnerabilities in
systems or networks. Tools like Nessus and OpenVAS play a vital role in automating this process to
ensure secure IT infrastructure.

1. Nessus:
 Nessus is a proprietary vulnerability assessment tool developed by Tenable, Inc.
 It is widely used for identifying vulnerabilities like misconfigurations, policy violations,
malware, and potential backdoors.
 Features:
o Performs in-depth scans on networks, applications, and devices.
o Offers extensive reporting and analysis tools.
o Provides continuous updates to vulnerability databases.
 Common Use Cases:
o Risk assessment in IT environments.
o Compliance audits for standards like PCI DSS, HIPAA, and ISO 27001.
o Proactive detection of potential exploits.
2. OpenVAS (Open Vulnerability Assessment System):
 OpenVAS is an open-source vulnerability scanner and assessment tool, maintained by
Greenbone Networks.
 It offers extensive vulnerability detection capabilities with a focus on free and community-
driven development.
 Features:
o Includes a vast library of Network Vulnerability Tests (NVTs).
o Supports full automation of scanning and reporting.
o Provides APIs for integration into broader security systems.
 Common Use Cases:
o Identifying and addressing security flaws in networks and hosts.
o Serving as a free alternative for vulnerability scanning in organizations with budget
constraints.
 PRACTICAL - 2
Discuss about wireless security protocols (WPA, WPA2) and aircrack tool

Aim:
To study wireless security protocols WPA and WPA2, and understand the functionality of
the Aircrack tool in testing wireless network security.
Objective:
 To explore the features and security mechanisms of WPA and WPA2.
 To understand the usage of the Aircrack tool for auditing wireless networks.
To analyze the importance of securing wireless communications.

Theory:
Wireless Security Protocols:
Wireless networks require robust security protocols to protect data from unauthorized
access. WPA (Wi-Fi Protected Access) and WPA2 are widely used standards for securing
Wi-Fi communications.
1. WPA (Wi-Fi Protected Access):
 Introduced as an improvement over the flawed WEP (Wired Equivalent Privacy)
protocol.
 Features:
o Utilizes TKIP (Temporal Key Integrity Protocol) to provide encryption.
o Supports dynamic key generation and message integrity checks.
o Backward compatible with older hardware.
 Limitations:
o Vulnerable to brute-force and dictionary attacks.
o Relatively weaker encryption compared to WPA2.
2. WPA2 (Wi-Fi Protected Access 2):
 Successor to WPA with enhanced security features.
 Features:
o Uses AES (Advanced Encryption Standard) for robust encryption.
o Implements CCMP (Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol) for integrity and confidentiality.
 o Provides stronger resistance to network attacks.
 Limitations:
o WPA2-PSK (Pre-Shared Key) is susceptible to weak password attacks.
oRequires hardware support for AES encryption.

Aircrack-ng Tool:
 Aircrack-ng is a popular open-source tool for testing
wireless network security.
 It specializes in capturing and analyzing wireless packets and cracking WEP and
WPA/WPA2 keys.
 Key Components:
o Airmon-ng: Enables monitor mode on wireless devices.
 o Airodump-ng: Captures packets on wireless networks.

o Aircrack-ng: Performs key recovery by analyzing captured packets.

o Aireplay-ng: Allows packet injection to capture handshakes.

 Common Use Cases:

o Ethical hacking and penetration testing.
o Auditing wireless networks for vulnerabilities.
o Demonstrating the importance of using strong passwords and secure
configurations
 PRACTICAL - 3
Explain about the network scanning tools (Nmap, hping3)

Aim:
To understand the functionality and applications of network scanning tools, Nmap and
hping3, in analyzing and securing network environments.
Objective:
 To explore the features and capabilities of Nmap and hping3.
 To understand their significance in network scanning and vulnerability
assessment.
To analyze how these tools help in enhancing network security.

Theory:
Network Scanning Tools:
Network scanning is a process of identifying active devices, open ports, and network
vulnerabilities. Tools like Nmap and hping3 are widely used for reconnaissance and
auditing purposes in cybersecurity.
1. Nmap (Network Mapper):
  Nmap is an open-source network scanning tool designed for security auditing and
network exploration.

 Features:
o Detects live hosts on a network.
o Scans for open ports, running services, and OS detection.
o Supports advanced techniques like stealth scans, version detection, and
script-based scanning using NSE (Nmap Scripting Engine).
 Common Commands:
o nmap -sS <target>: Performs a stealth scan.
o nmap -O <target>: Identifies the operating system.
o nmap -A <target>: Provides detailed scan results, including OS and service
versions.
 Applications:
o Network inventory and monitoring.
o Penetration testing and vulnerability assessment.

2. hping3:
 hping3 is an open-source packet crafting and scanning tool used to manipulate and
send custom TCP/IP packets.

 Features:
 o Supports packet generation with custom headers for TCP, UDP, and ICMP
protocols.
o Performs advanced scanning like firewall testing and traceroute.
o Can simulate Denial-of-Service (DoS) attacks for testing purposes.
 Common Commands:
o hping3 -S -p 80 <target>: Sends SYN packets to port 80.
o hping3 -c 100 -i u1 <target>: Sends 100 packets with a 1-microsecond
interval.
o hping3 --flood <target>: Performs a flood attack (for testing).
 Applications:
o Firewall and intrusion detection testing.
o Network troubleshooting and performance testing.
 PRACTICAL - 4
Discuss about firewall services In detail (application firewall)
Aim:
To study the working principles and functionalities of firewall services, focusing on
application firewalls, and their role in network security.
Objective:
 To understand the types and functionalities of firewalls.
 To explore the specific features and importance of application firewalls.
 To analyze the use cases and limitations of application firewalls in network
protection.
Theory:
Firewalls in Network Security:
A firewall is a security system designed to monitor and control incoming and outgoing
network traffic based on predefined security rules. It acts as a barrier between trusted
internal networks and untrusted external networks.

Types of Firewalls:
1. Packet-Filtering Firewalls: Operate at the network layer, filtering traffic based on
source/destination IP, port, and protocol.
2. Stateful Firewalls: Keep track of active sessions and make decisions based on the
state of connections.
 3. Application Firewalls: Provide advanced filtering by inspecting traffic at the
application layer.
Application Firewall:
An application firewall is a type of firewall that monitors, filters, and controls traffic to and
from applications or services. It works at the application layer (Layer 7 of the OSI model)
and is capable of analyzing and filtering traffic specific to web applications, APIs, or other
protocols.
Features of Application Firewalls:
 Content Inspection: Examines data payloads to detect malicious activities like SQL
injection, cross-site scripting (XSS), and buffer overflow attacks.
 Granular Control: Provides detailed rules for specific applications or services.
 User Authentication: Ensures only authorized users can access applications.
 Protocol Enforcement: Validates adherence to protocol standards (e.g., HTTP,
HTTPS).
Logging and Monitoring: Tracks application-level events for auditing and analysis.
Use Cases of Application Firewalls:
1. Protecting web servers from cyberattacks like DDoS, SQL injection, and XSS.
2. Securing enterprise applications by blocking unauthorized data transmission.
3.Enforcing compliance with security policies for sensitive data.
Advantages:
 Protects against advanced application-layer threats.
 Provides deep visibility into application traffic.
Enables secure access to web applications and APIs.

Limitations:
 Can be resource-intensive, requiring significant
processing power.
 Needs constant updates and fine-tuning to adapt to
evolving threats.
May introduce latency in high-traffic environments.

Popular Application Firewall Solutions:

 Web Application Firewalls (WAFs): Designed to protect web applications (e.g., AWS
WAF, Cloudflare WAF).
 Host-based Application Firewalls: Installed on individual servers or devices.
 Network-based Application Firewalls: Integrated into network infrastructure to
monitor application traffic across the network.
 PRACTICAL - 5
Discuss about SMB and SMTP enumeration

Aim:

To understand the process of enumerating SMB (Server Message Block) and SMTP (Simple Mail
Transfer Protocol) services to gather useful information for penetration testing and vulnerability
assessment.

Objective:
 To explore the techniques used for enumerating SMB and SMTP services.
 To understand the significance of these enumeration processes in cybersecurity.
 To analyze the tools and methods used for effective enumeration.

Theory:

Enumeration in Cybersecurity:
Enumeration is the process of extracting information about systems, networks, and services. It is a
critical phase in ethical hacking and penetration testing to identify potential vulnerabilities.
1. SMB (Server Message Block) Enumeration:
 SMB is a network protocol used for sharing files, printers, and communication between
devices on a network.
 SMB enumeration involves extracting information about shared resources, users, and
machines on the network.

 Information Gathered:
o Shared folders and files.
o Active users and groups.
o Network devices and services.
 Common Tools for SMB Enumeration:
o Nmap:
  Command: nmap --script smb-enum-shares -p 445 <target> (Lists shared
resources).
 Command: nmap --script smb-enum-users -p 445 <target> (Extracts user
information).
o Enum4linux:
 A Linux-based tool that gathers SMB information like user lists, shared
directories, and password policies.
 Command: enum4linux <target>

o Metasploit Framework:
 Module: auxiliary/scanner/smb/smb_enumshares
  Relevance in Security:
o Helps identify misconfigurations and sensitive data exposure.
o Assists in auditing user privileges and shared resource access.

2. SMTP (Simple Mail Transfer Protocol) Enumeration:

 SMTP is a protocol used for sending emails between servers.
 SMTP enumeration aims to gather information about valid email addresses, mail servers, and
supported commands.
 Information Gathered:
o Valid email accounts.
o Server configuration and supported extensions.
o Usernames for brute-force or social engineering attacks.
 Common Tools for SMTP Enumeration:
o Telnet:
 Manually connects to the SMTP server for enumeration.
 Commands:
 EHLO <hostname>: Identifies server capabilities.
 VRFY <username>: Verifies if a user exists.
 EXPN <listname>: Displays members of a mailing list (if allowed).
o Nmap:
 Command: nmap --script smtp-enum-users -p 25 <target>
o Metasploit Framework:
 Module: auxiliary/scanner/smtp/smtp_enum
 PRACTICAL - 6
Illustrate about packet sniffing tools such as wireshark

Aim:

To study packet sniffing and analyze network traffic using Wireshark, a powerful and widely used
packet capture tool.

Objective:
 To understand the concept and significance of packet sniffing in network security.
 To explore the features and capabilities of Wireshark.
 To analyze live and recorded network traffic for troubleshooting and vulnerability
assessment.

Theory:

Packet Sniffing:
Packet sniffing involves capturing, analyzing, and monitoring network packets to understand network
behavior, diagnose issues, or detect malicious activities. Sniffers can capture data transmitted over
wired or wireless networks and are essential for network administration and cybersecurity.

Wireshark:
Wireshark is an open-source network protocol analyzer used for capturing and inspecting packets in
real-time or from saved files. It supports a vast number of protocols and is highly versatile for
troubleshooting and security analysis.
Features of Wireshark:

1. Packet Capture:
 o Captures live traffic on a network interface.
o Supports wired and wireless interfaces.

2. Protocol Analysis:
o Decodes over 2000 protocols (e.g., HTTP, FTP, TCP, UDP).
o Displays protocol-specific details for in-depth analysis.

3. Filtering Capabilities:
o Display Filters: Focus on specific traffic within the capture (e.g., http.request.method
== "GET").
o Capture Filters: Filter packets during the capture process (e.g., port 80).

4. Visualization:
o Graphs, I/O statistics, and protocol hierarchy charts for better insights.

5. Export/Import:
o Save captures in various formats for later analysis.
o Import saved files from other tools like tcpdump.

How Wireshark Works:

6. Select an active network interface.

7. Start capturing packets.

8. Apply filters to isolate specific data (e.g., traffic from a particular IP address).

9. Analyze the packet details (headers, payloads, etc.).

10. Export the results for reporting or further study.

Use Cases:
 Network Troubleshooting: Diagnose connectivity issues, packet loss, or latency.
 Security Analysis: Detect suspicious activity, such as unauthorized access or data breaches.
 Protocol Development: Debug protocol implementations.
 Educational Tool: Learn network protocols and their behavior.

Limitations:
 Does not decrypt encrypted traffic (e.g., HTTPS) without the encryption key.
 Requires administrative privileges to capture traffic.
 Can generate large capture files in high-traffic environments.
 PRACTICAL – 7
Explain about system hacking tools such as metasploit

Aim:

To study and understand the functionality of system hacking tools, focusing on the Metasploit
Framework, its use in penetration testing, and its relevance to cybersecurity.

Objective:
 To explore the features and capabilities of the Metasploit Framework.
 To understand how Metasploit is used to identify and exploit vulnerabilities in systems.
 To analyze its significance in ethical hacking and security testing.

Theory:

System Hacking in Cybersecurity:

System hacking involves gaining unauthorized access to computer systems, applications, or
networks. Ethical hacking uses these techniques to assess vulnerabilities and improve security.

Metasploit Framework:
Metasploit is an open-source platform used for penetration testing, vulnerability assessment, and
exploitation. It provides a comprehensive environment for identifying and addressing security
weaknesses in networks and systems.
Features of Metasploit Framework:

1. Exploitation Modules:
o Pre-built scripts designed to exploit specific vulnerabilities in software or systems.

2. Payloads:
o Code executed on the target system after successful exploitation. Examples include
reverse shells, bind shells, or meterpreter sessions.

3. Auxiliary Modules:
o Used for tasks like scanning, sniffing, and service enumeration without exploitation.

4. Post-Exploitation Modules:
o Tools for activities after gaining access, such as privilege escalation, keylogging, or
data exfiltration.

5. Encoders and Evasion Tools:

o Modify payloads to bypass antivirus and intrusion detection systems.

6. Meterpreter:
o An advanced payload that provides an interactive shell and additional tools for post-
exploitation.

How Metasploit Works:

1. Reconnaissance:

o Use auxiliary modules or external tools like Nmap to identify

vulnerabilities.
 o Example: msfconsole > use auxiliary/scanner/portscan/tcp.

2. Exploitation:
o Load an exploit module and configure its parameters (target IP, port, etc.).
o Example: use exploit/windows/smb/ms17_010_eternalblue.
o Set the payload with commands like set payload
windows/x64/meterpreter/reverse_tcp.
o Execute the exploit using run or exploit.

3. Post-Exploitation:
o Access the target system and perform tasks like privilege escalation or data
extraction.

Applications of Metasploit:
 Penetration testing for identifying vulnerabilities in networks or systems.
 Training and research in cybersecurity.
 Simulating real-world attacks for incident response planning.

Advantages:
 Comprehensive and modular design.
 Includes a vast library of exploits, payloads, and modules.
 Supports both CLI (msfconsole) and GUI (Armitage).

Limitations:
 Can be misused by attackers if not handled responsibly.
 Requires regular updates to include the latest exploits.

Legal and Ethical Considerations:

 Metasploit should only be used with explicit permission from the system owner.
 Unauthorized use is illegal and unethical.

Practical Demonstration:

1. Launch Metasploit using the msfconsole command.

2. Identify vulnerabilities using auxiliary modules or external scans.

3. Load an exploit module and configure its settings.

4. Execute the exploit and interact with the target using a meterpreter shell.

5. Use post-exploitation modules for advanced tasks.

 PRACTICAL – 8
Discuss about how data encrypted in web security services in https

Aim:

To understand the principles of data encryption in web security services using HTTPS, and the role of
encryption protocols in ensuring secure communication over the internet.

Objective:
 To explore how HTTPS encrypts data for secure transmission.
 To understand the key cryptographic techniques and protocols involved in HTTPS.
 To analyze the significance of HTTPS in web security.

Theory:

HTTPS Overview:
 HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP with encryption and
security features enabled through SSL/TLS protocols.
 It ensures the confidentiality, integrity, and authenticity of data exchanged between a client
(browser) and a server.

Key Components of HTTPS:

1. SSL/TLS Protocols:
o SSL (Secure Sockets Layer) and TLS (Transport Layer Security) establish a secure
connection by encrypting data.
o TLS is the more secure and modern version, widely adopted for web
encryption.

2. Public Key Infrastructure (PKI):

o HTTPS relies on PKI to manage encryption keys and digital

certificates.
 o Certificates are issued by trusted Certificate Authorities (CAs) to verify the identity of
websites.

3. Encryption Techniques:
o Symmetric Encryption: Used for the actual data transmission (e.g., AES).
o Asymmetric Encryption: Used during the handshake process to exchange symmetric
keys securely (e.g., RSA).

How HTTPS Encryption Works:

4. Handshake Phase:
o The client requests a secure connection to the server.
o The server sends its SSL/TLS certificate, including its public key, to the client.
o The client verifies the certificate using the CA’s public key.
o A secure session key (symmetric key) is generated and shared using asymmetric
encryption.

5. Data Encryption Phase:

o Once the handshake is complete, all data exchanged between the client and server is
encrypted using symmetric encryption.

3. Integrity Check:

o Each encrypted message includes a Message Authentication Code (MAC) to ensure

data integrity.

Benefits of HTTPS:
 Confidentiality: Prevents eavesdropping by encrypting the data in transit.
 Integrity: Ensures that data is not altered during transmission.
 Authentication: Confirms the identity of the website through certificates.
Cryptographic Algorithms in HTTPS:

1. AES (Advanced Encryption Standard): Symmetric encryption algorithm used for data
encryption.

2. RSA (Rivest-Shamir-Adleman): Asymmetric encryption for secure key exchange.

3. SHA (Secure Hash Algorithm): Generates hashes to verify data integrity.

Relevance in Web Security:

 Protects sensitive information, such as login credentials, payment details, and
personal data.
 Prevents man-in-the-middle (MITM) attacks.
 Builds trust by displaying the padlock icon and "https://" in the URL.

Challenges of HTTPS:
 Computational overhead in encryption and decryption.
 Certificate management requires careful monitoring and timely renewal.
 PRACTICAL – 9
Write practical steps in active and passive footprinting

Aim:
To understand and perform active and passive footprinting techniques for gathering
information about a target network or system during a penetration test.
Objective:
 To explore the differences between active and passive footprinting.
 To identify the tools and techniques used in both types of footprinting.
To perform both active and passive footprinting to gather relevant data.
Theory:
Footprinting in Cybersecurity:
Footprinting is the first step in ethical hacking and penetration testing. It
involves
gathering as much information as possible about a target system or network. This helps
identify potential vulnerabilities and plan the attack in subsequent stages. Footprinting
can be categorized into two types:
1. Active Footprinting
2. Passive Footprinting
3. Passive Footprinting:
Passive footprinting is the process of gathering information about a target system or
network without directly interacting with it. The goal is to avoid detection by the target
while collecting useful data. This type of footprinting mainly involves publicly available
resources and data.
Techniques in Passive Footprinting:
 WHOIS Lookup:
o WHOIS queries provide information about domain names, IP address
blocks, and domain registrants.
o Tool: whois <domain>
 DNS Querying:
o DNS queries can reveal details like domain names, subdomains, and IP
addresses associated with the target.
o Tool: dig <domain> or nslookup <domain>
  Social Media and Public Data:
o Gathering information from websites, social media platforms, and job
boards can reveal employee names, technologies, and network structures.
o Example: LinkedIn, Facebook, Twitter
 Google Hacking (Google Dorking):
o Searching with specific keywords and operators in Google to gather
sensitive information about the target (e.g., site:target.com filetype:pdf).
 Passive DNS Tools:
o Tools like PassiveTotal and VirusTotal provide historical DNS data without
directly querying the target.
 Publicly Accessible Information (Public Repositories):
o Gathering data from public repositories such as GitHub, source code, and
documentation to identify system details or vulnerabilities.
2. Active Footprinting:
Active footprinting involves directly interacting with the target system to gather
information. This method can be detected by the target as it involves probing or scanning
systems and networks. However, it provides more accurate and detailed information
compared to passive footprinting.
Techniques in Active Footprinting:
 Port Scanning:
o Scanning open ports on the target system helps identify services that are
running and potentially vulnerable.
 o Tool: nmap (e.g., nmap -sS -p 1-65535 <target IP>)

 Banner Grabbing:
o Extracting information from service banners, such as web servers, FTP
servers, or other network services, can reveal details like software versions.
o Tool: nc (netcat), telnet, or nmap
 Ping Sweeping:
o Using ICMP (ping) requests to determine which hosts are alive on a
network.
o Tool: nmap -sn <target network> or fping <target IP range>
 Traceroute:
o Tracing the path that packets take to reach the target can reveal network
topology and routing information.
o Tool: traceroute <target> or tracert <target>
 OS Fingerprinting:
o Identifying the target system’s operating system based on its response to
probes.
o Tool: nmap -O <target IP>
 Active DNS Interrogation:
o Querying DNS servers for records that may reveal information such as
domain names, MX records, and mail servers.
oTool: dig @<DNS server> <domain>

Comparison of Active and Passive Footprinting:

Feature Passive Footprinting Active Footprinting

Visibility to No direct interaction; low Direct interaction with the target;

Target detection risk. higher risk of detection.

Publicly available data (WHOIS, Direct queries and scans (port scanning,
Data Source DNS, Google). banner grabbing).

WHOIS, DNS lookup, Google

Tools Used Dorking, etc. Nmap, Traceroute, Ping Sweep, etc.

Limited to publicly available Provides detailed, specific, and real-

Accuracy information. time data.

Practical Steps in Footprinting:

1. Passive Footprinting Steps:
1. WHOIS Lookup:
o Run whois <target domain> to gather registration details.
2. DNS Query:
o Use dig <target domain> to get DNS records such as A, MX, and NS records.
3. Google Dorking:
o Search for sensitive data on Google using specific queries like
site:example.com or filetype:pdf.
4. Social Media Profiling:
o Search for target company or employee information on LinkedIn, Twitter,
and Facebook.
2. Active Footprinting Steps:
1. Port Scanning with Nmap:
o Run nmap -sS -p 1-65535 <target IP> to detect open ports.
2. Banner Grabbing:
o Use telnet <target IP> <port> to grab service banners.
3. Traceroute:
o Run traceroute <target IP> to analyze routing paths.
4. OS Fingerprinting with Nmap:
o Run nmap -O <target IP> to detect the target’s OS.
 PRACTICAL - 10
Illustrate about browser security tools – shodan, netcraft

Aim:
To understand the functionality and usage of browser security tools such as Shodan and
Netcraft, and their role in identifying vulnerabilities in web applications and networks.
Objective:
 To explore how Shodan and Netcraft work for identifying security risks in websites,
services, and networks.
 To understand the key features and capabilities of these tools.
To demonstrate how these tools can be used for online security assessments.

Theory:
Browser Security Tools Overview: Browser security tools are critical for identifying
vulnerabilities in websites, networks, and online services. They help security
professionals, researchers, and penetration testers monitor and assess the security
posture of online systems.
1. Shodan: Shodan is a search engine designed for discovering information about
internet-connected devices. Unlike traditional search engines, Shodan indexes services
and devices based on their IP addresses, open ports, and banner information. It is often
used for identifying vulnerable devices, services, and applications exposed to the
internet.
Key Features of Shodan:
 Search Engine for IoT Devices: Shodan helps locate internet-connected devices,
including cameras, routers, industrial equipment, servers, and more.
 Service and Port Discovery: Shodan indexes devices based on their open ports and
services, providing details on what protocols are running and what vulnerabilities
may exist.
 Vulnerability Detection: Shodan can highlight devices with known vulnerabilities or
outdated software versions, allowing cybersecurity professionals to spot
weaknesses in systems exposed to the public internet.
 Advanced Filtering: Shodan allows users to search with filters such as geographic
location, device type, organization, and service version to pinpoint specific targets.
How Shodan Works:
 Shodan continuously scans the internet, collecting data from devices and services
exposed to the public IP space. It then indexes this data, making it searchable by
users.
 The results can include device banners (information returned by services running
on specific ports), including device type, version information, and sometimes even
credentials.

Practical Use of Shodan:

1. Go to the Shodan website (https://www.shodan.io).
2. Use search queries such as apache or ssh to find devices running these services.
3. Apply filters to narrow down results by country, organization, or specific
vulnerability tags.
Example Search:
 apache country:"US" to find Apache servers in the United States.
 ssl to find SSL-enabled servers.
2. Netcraft: Netcraft is a cybersecurity company that provides tools for
identifying
security risks, including website fingerprinting, phishing detection, and web application
analysis. Netcraft is known for its services that help track malicious activity and gather
intelligence on the security of online services.
Key Features of Netcraft:
 Phishing Detection: Netcraft offers tools that help identify and block phishing
websites, which are designed to steal users' personal information.
 Website Fingerprinting: It provides detailed information about websites, including
their hosting providers, technologies used, and underlying infrastructure.
 Web Application Security Monitoring: Netcraft helps identify vulnerabilities in
websites, particularly those related to security misconfigurations or outdated
software.
 SSL/TLS Certificate Monitoring: Netcraft allows tracking of SSL/TLS certificates used
by websites to ensure they are valid and properly configured.
 Historical Data: It provides insights into the history of a website, including changes
in its hosting provider or technologies.
How Netcraft Works:
 Netcraft uses its extensive data collection network to monitor and scan websites
for various security risks. It provides both free and paid services for users to access
detailed reports on websites and their security posture.

Practical Use of Netcraft:

1. Go to the Netcraft website (https://www.netcraft.com).
2. Enter the URL of a target website to retrieve information about its security, hosting
provider, and technologies.

3.Use the "Phishing" tool to check if a website is flagged for phishing activities.
Example Search:
 Searching a domain on Netcraft provides insights into whether the site is using
secure protocols, which web server is hosting it, and whether the SSL certificate is
valid.
Comparison of Shodan and Netcraft:

Feature Shodan Netcraft

Search engine for internet- Website fingerprinting, phishing

Purpose connected devices and detection, and monitoring web
services security

Type of Data Device information, open Website hosting, technologies

Collected ports, vulnerabilities used, SSL certificates, phishing risk

Security professionals,
penetration testers, Website owners, cybersecurity
Target Users analysts, security researchers
researchers

IP addresses, services, Domain names, hosting providers,

Search Focus vulnerabilities certificates

Identifying vulnerable devices Detecting phishing websites,

Main Use and services exposed to the monitoring web security, analyzing
Cases internet web technologies

Practical Demonstration:
Shodan:
1. Go to Shodan.io.
2. Log in (create an account if needed).
3. In the search bar, enter a query like apache or ftp to find devices with those
services exposed.

4.Review the results and identify the type of services running on those devices.
Netcraft:
5. Go to Netcraft.com.
6. Use the "Search" feature to enter the domain of a website.
7. Review the report generated to check for hosting information, security status, and
any potential phishing alerts.
 PRACTICAL – 11
Write and practically demonstrate about steganography technique

Aim:

To understand the concept and practical application of steganography for hiding information within
digital media, such as images, and to demonstrate how data can be embedded and extracted using
steganography.

Objective:
 To learn the principles behind steganography.
 To explore different types of steganographic techniques and their use cases.
 To practically demonstrate hiding and extracting information from images using Python.

Theory:

What is Steganography? Steganography is the practice of hiding data within a medium such that the
existence of the hidden data is not apparent to the observer. Unlike encryption, where the goal is to
make data unreadable to unauthorized parties, steganography aims to conceal the presence of the
message itself.

Key Concepts in Steganography:

 Carrier File: The file in which the hidden message will be embedded, such as an image,
audio, or video file.
 Payload: The hidden information that is being concealed, which can be text, an image, or any
other form of data.
 Least Significant Bit (LSB) Substitution: One of the most common techniques in image
steganography, where the least significant bits of the pixel values are altered to embed data
without visibly changing the image.

Types of Steganography:

1. Image Steganography: Embedding secret information into images (most commonly used
method).

2. Audio Steganography: Hiding data within audio files.

3. Video Steganography: Embedding information in video files.

4. Text Steganography: Hiding information within the structure or characters of text files.

Common Techniques:
 Least Significant Bit (LSB) Encoding: This technique involves replacing the least significant
bits of the image’s pixel values with the secret data. This allows for hiding data without
noticeable changes to the image.
  Transform Domain Techniques: Involves modifying the frequency components of the image,
such as using Discrete Cosine Transform (DCT) or Discrete Wavelet Transform (DWT).

Applications of Steganography:
 Protecting sensitive data by embedding it in innocuous files.
 Digital watermarking for copyright protection.
 Concealing data for covert communication.

Practical Demonstration: Steganography in Python using the Pillow and stepic Libraries

Requirements:
 Python installed on your system.
 Pillow (for image processing) and stepic (for steganography) libraries installed. You can install
these via pip:

pip install pillow stepic

Steps to Hide a Message in an Image:

1. Import Required Libraries: First, you need to import the necessary libraries to work with
images and perform steganography.

from PIL import Image

import stepic

2. Choose an Image and a Message: You need an image file (e.g., image.png) to serve as the
carrier file and a message that you want to embed.

3. Embed the Message: Use the stepic library to encode the message within the image.

Python-
# Open the image

image = Image.open("image.png")

# The secret message

secret_message = "This is a secret message hidden in the image."

# Encode the message into the image

encoded_image = stepic.encode(image, secret_message.encode())

# Save the encoded image

encoded_image.save("encoded_image.png")

4. Extract the Hidden Message: Once the message is embedded, you can extract it using the
same technique.

Python-

# Open the encoded image

encoded_image = Image.open("encoded_image.png")

# Decode the hidden message

decoded_message = stepic.decode(encoded_image)

print(f"Decoded message: {decoded_message}")

Explanation of the Code:

 Image.open() is used to open the image file.
 stepic.encode() embeds the secret message
into the image using LSB steganography.
 The encode() method returns a new image
that contains the hidden message.
 stepic.decode() extracts the hidden message
from the encoded image.

Practical Example:

1. Embed a Message:
o Open an image called image.png
and embed the message "This is a
secret message."
o The encoded_image.png will now
contain the hidden message.

2. Extract the Message:

o By opening encoded_image.png and running the decode script, you will retrieve the
hidden message, which should display "This is a secret message."

Testing the Steganography:

3. Step 1: Choose a suitable image file, preferably in PNG format to minimize image
compression.

4. Step 2: Use the Python code provided to embed a message in the image.

5. Step 3: Save the encoded image and visually check if there is any noticeable change in the
image.

6. Step 4: Use the decode function to extract the hidden message from the image and display it
in the terminal.
 PRACTICAL – 12
Discuss about audit policies using auditpool

Aim:

To understand and demonstrate the configuration of audit policies in Windows using the Auditpol
tool, and to explore how these policies can help in tracking system activities for security monitoring
and compliance.

Objective:
 To learn about the purpose of audit policies in Windows security.
 To demonstrate how to configure and manage audit policies using the Auditpol command.
 To explore different audit policy categories and their practical implications in system
auditing.

Theory:

What is Auditpol? Auditpol is a command-line utility in Windows that allows administrators to

configure, view, and modify security auditing policies. Security auditing helps in tracking system
events such as user logins, file accesses, system changes, and other important actions on a system.
These logs are vital for security monitoring, incident investigation, and ensuring compliance with
security policies.

Key Concepts:
 Audit Policies: These policies define the types of actions or events that are logged for
auditing. They allow administrators to capture events related to user activities, security
changes, and system access.
 Event Logs: The data captured by audit policies is stored in event logs. These logs can be
viewed using tools like the Event Viewer.
 Audit Categories:
o Logon/Logoff: Tracks user logon/logoff events.
o Account Logon: Captures events related to account authentication.
o Object Access: Monitors access to objects such as files and folders.
o Privilege Use: Logs events where system privileges are used or modified.
o Policy Change: Tracks changes in security policies.
o System Events: Records system-level events like startup, shutdown, or resource
allocation.

Auditpol Command: Auditpol is a powerful command used to configure audit policies at both the
domain and local machine levels. The syntax for Auditpol is:
BASH -

auditpol /set /subcategory:<subcategory_name> /success:[enable|disable] /failure:[enable|disable]

Where:
 /subcategory: defines the specific audit policy.
 /success: enables or disables auditing of successful events.
 /failure: enables or disables auditing of failed events.

Examples of Auditpol Subcategories:

 Logon/Logoff
 Account Logon
 Object Access
 Directory Service Access
 Policy Change
 Logon/Logoff
 Account Management

Practical Demonstration: Using Auditpol to Configure Audit Policies

Requirements:
 A Windows machine with administrative privileges.

Step 1: Viewing Current Audit Policy Configuration To view the current audit policy settings on the
system, use the following command:

BASH -
auditpol /get /category:*

This command displays the current configuration of all audit categories and subcategories, showing
whether auditing for success or failure events is enabled or disabled.

Step 2: Enabling Specific Audit Policies To enable auditing for successful and failed logons, use the
following command:

BASH -

auditpol /set /subcategory:"Logon/Logoff" /success:enable /failure:enable

This command ensures that both successful and failed logon attempts are logged.
Step 3: Disabling Specific Audit Policies If you wish to disable auditing for a particular event, such as
account logon attempts, you can use:

BASH -

auditpol /set /subcategory:"Account Logon" /success:disable /failure:disable

This command disables the logging of account logon events.

Step 4: Enabling Object Access Auditing To monitor access to specific files or objects, you can enable
the "Object Access" audit policy:

BASH -

auditpol /set /subcategory:"Object Access" /success:enable /failure:enable

This will log both successful and failed attempts to access files or other system objects.

Step 5: Viewing the Event Logs After configuring the audit policies, the logged events can be viewed
using the Event Viewer tool:

1. Press Windows + R, type eventvwr.msc, and press Enter.

2. In the Event Viewer, navigate to Windows Logs > Security.

3. Here, you will see events such as logons, account access, object accesses, and more based on
the policies you enabled.

Practical Example:

4. Step 1: Open a Command Prompt with administrative privileges.

5. Step 2: Use the auditpol command to enable auditing for failed logon attempts:

BASH -

auditpol /set /subcategory:"Logon/Logoff" /failure:enable

3. Step 3: Attempt a failed logon (e.g., entering an incorrect password at the login screen).

4. Step 4: Open the Event Viewer and go to Windows Logs > Security.

5. Step 5: You should see an event with the ID 4625, indicating a failed logon attempt.

Key Event ID Examples:

 4624 (Successful Logon): Logged when a user successfully logs on.
 4625 (Failed Logon): Logged when a logon attempt fails.
 4648 (Logon Attempt with Explicit Credentials): Captures events when a logon is attempted
with specific credentials.
Common Auditpol Commands:

1. To view audit policy settings for a specific category:

BASH -

auditpol /get /category:Logon/Logoff

2. To enable auditing for directory service access:

BASH -

auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

3. To configure auditing for privilege use:

BASH -

auditpol /set /subcategory:"Privilege Use" /success:enable /failure:enable

 PRACTICAL – 13
Discuss about Denial of service tools- LOIC, HOIC

Aim:

To understand the functioning and usage of Denial of Service (DoS) tools, specifically LOIC (Low Orbit
Ion Cannon) and HOIC (High Orbit Ion Cannon), and their implications in network security.

Objective:
 To explore the tools LOIC and HOIC, which are commonly used in DoS attacks.
 To demonstrate the basic working of these tools.
 To understand the ethical and legal implications of using such tools.

Theory:

What is Denial of Service (DoS)? Denial of Service (DoS) is a type of cyberattack that aims to make a
network service unavailable to its intended users by overwhelming it with traffic or by exploiting
vulnerabilities. This results in service disruptions or complete outages.

A Distributed Denial of Service (DDoS) attack involves multiple systems attacking a single target,
making it harder to defend against.

LOIC (Low Orbit Ion Cannon): LOIC is an open-source DoS tool that is widely known for being easy to
use. It was initially created for testing purposes but has been used in various cyberattacks. LOIC
works by sending a large amount of traffic to a target server to exhaust its resources, leading to the
server becoming unavailable to legitimate users.
 How LOIC Works:
o LOIC can send TCP, UDP, or HTTP flood requests to a server, overwhelming its
resources.
o It provides a simple graphical user interface (GUI) for users to input the target IP
address, port, and other settings.
o LOIC is often associated with Botnets in DDoS attacks, where it can be used in
conjunction with other compromised systems to attack a target.
 LOIC Features:
o Allows for multiple attack types (TCP, UDP, HTTP).
o Simple GUI that is user-friendly for attackers with minimal technical
knowledge.
o Supports both manual and automated attacks.
 LOIC Attack Process:
1. Set the Target IP Address and the Port to attack.

2. Choose the attack method (TCP, UDP, HTTP).

3. Start the attack by clicking the “Fire” button.

4. LOIC will continuously send packets to the target, trying to overload it with traffic.
 Ethical Considerations:
o While LOIC can be useful for testing network robustness under load, it is often
misused for illegal purposes (i.e., DoS or DDoS attacks).
o Participating in or launching DoS/DDoS attacks is illegal and unethical, as it disrupts
services and can cause financial losses to organizations.

HOIC (High Orbit Ion Cannon): HOIC is another popular open-source DoS tool that is an upgraded
version of LOIC. It is more powerful and efficient in carrying out DDoS attacks. HOIC was created as a
response to the limitations of LOIC, particularly the ability to launch larger and more effective
attacks.
 How HOIC Works:
o HOIC sends a larger volume of traffic compared to LOIC by utilizing a multi-threaded
attack mechanism.
o It can send an HTTP flood, targeting specific URLs and making the server resource-
intensive.
o HOIC uses “Boosters” (special scripts that are added to the attack) to increase the
intensity of the flood.
o The tool can be used for attacks involving multiple target IPs, making it suitable for
large-scale DDoS attacks.
 HOIC Features:
o Supports multi-threaded attacks, which can increase the volume of traffic sent to the
target.
o Boosters can be used to amplify the attack and improve its effectiveness.
o The GUI allows attackers to choose a target URL and configure the number of
threads and boosters.
o Offers better performance than LOIC in terms of scalability.
 HOIC Attack Process:

1. Input the target URL and set the desired port.

2.Configure the number of threads (this determines how many simultaneous connections will be
made to the target).

3. Attach one or more boosters to increase the attack strength.

4. Initiate the attack by clicking the “Attack” button.

 Ethical Considerations:

o Like LOIC, HOIC is often misused for launching illegal DDoS attacks.
 o It is important to understand the risks and consequences associated with using such
tools, as they are illegal in most jurisdictions.

Practical Demonstration (for educational purposes only)

Requirements:
 LOIC and HOIC tools installed (both tools are available for download from open-source
repositories).
 A controlled environment for testing (e.g., your local network or a dedicated test
server).

Note: It is critical to understand that using LOIC or HOIC against systems or networks that you do not
own or have explicit permission to test is illegal and unethical.

Step 1: Using LOIC for a DoS Test

1. Download and run LOIC on a local machine or test server.

2. Set the Target IP to a server you control (e.g., your local web server) and specify the Port.

3. Select the Attack Method (e.g., TCP/UDP/HTTP).

4. Click on the Fire button to initiate the attack.

5. Monitor the server’s response to see if the traffic overloads the system and causes service
degradation.

Step 2: Using HOIC for a DoS Test

1. Download and run HOIC on a local machine.

2. Input the Target URL and Port.

3. Configure the number of Threads and attach one or more Boosters for increased traffic.

4. Click on the Attack button to start the attack.

5. Observe the effects on the target server, noting any performance issues or outages.
 PRACTICAL – 14
Write a code for creating a malware, and how to test it in online mode for educational purposes

Aim:

To understand how malware is created and how to test it online in a controlled environment.

Objective:
 To learn the process of creating malware.
 To explore how malware can be tested in an online environment while ensuring safety and
legality.

Theory:

Malware is created by hackers using various programming techniques to exploit system

vulnerabilities. The process of creating malware involves identifying system weaknesses, selecting
the appropriate type of malware, and writing the code to perform specific malicious actions.

Steps Involved in Creating Malware:

1. Identifying Vulnerabilities:
Hackers often begin by identifying vulnerabilities in systems that can be exploited to deliver
malware. This can include weak configurations, unpatched software, or insecure network
protocols.
2. Choosing the Type of Malware:
Depending on the attacker's objective, the type of malware is selected. This could include
viruses, worms, trojans, ransomware, etc.

3. Programming the Malware:

The malware is written using languages like Python, C++, or scripting languages like
 PowerShell or JavaScript. The code is designed to perform specific tasks, such as stealing
information, corrupting files, or providing unauthorized access to the system.

4. Obfuscating the Code:

To avoid detection, the malware code is obfuscated. This may involve encrypting the code or
using polymorphic techniques to make it harder for antivirus software to detect.

5. Delivery Mechanism:
The malware is delivered to the target system using methods like phishing emails, software
vulnerabilities, or social engineering.

6. Executing the Malware:

Once the malware is executed on the victim's system, it performs the malicious activity,
whether that’s stealing data, encrypting files, or gaining unauthorized access.

7. Persistence and Evasion:

Malware is often designed to ensure it remains undetected by hiding itself or running
automatically on system start-up.

Testing the Malware Online:

Before testing any malware, it is important to use a safe and controlled environment to avoid any
harm to personal systems or networks. Always ensure you have explicit permission before testing any
malware in any real-world scenario.

Steps for Safe Testing:

1. Use a Virtual Machine (VM):

o Create a sandbox environment using a VM. This allows you to test malware without
risking your main operating system.
o Popular VM software: VMware, VirtualBox.

2. Use Online Sandboxes:

o Services like Hybrid Analysis or VirusTotal allow you to upload and test the malware
in an isolated environment. These services provide reports on what the malware
does when executed.
o Hybrid Analysis: Provides detailed reports on the behavior of uploaded files.
o VirusTotal: Scans files against multiple antivirus engines to detect malicious content.

3. Use Online Malware Analysis Tools:

o Tools like Cuckoo Sandbox can help in automating malware analysis. It will run the
malware and observe its behavior.
o ANY.RUN: Another interactive online tool that allows users to safely run and analyze
suspicious files in a sandbox.

4. Monitor the Behavior:

 o Observe the behavior of the malware on the virtual machine or sandbox, such as file
modifications, network communication, or any changes made to the system’s
configuration.
o Use tools like Wireshark or Process Monitor to capture network traffic and system
behavior.

[Insert testing procedure/code here]

5. Report Generation:

o After testing, generate and review reports from sandbox or antivirus analysis tools to
determine how the malware interacts with the system, including which files it
affects, what changes it makes, and any network traffic it generates.
IES COLLEGE OF TECHNOLOGY, BHOPAL
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

LAB FILE

Student Name : Kartik Namdev

Roll No : 0177CY221023

Subject : Network Security

Subject Code CY 503

: Branch COMPUTER SCIENCE & ENGINEERING

: 5TH
Semester Sept - Dec 2024
:

Session
:

IES College of Technology, Bhopal

Department of Computer Science & Engineering

Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal