CS383-Cyber Security and Cyber Laws 20DCS138

Practical: 1
Date:
Aim: Perform 5 different types of (port) scanning using nmap on a single port and capture the
packets using wireshark and analyze the output.

Theory:

1. Nmap:

 Nmap is a free and open-source network scanner created by Gordon Lyon. Nmap is
used to discover hosts and services on a computer network by sending packets and
analyzing the responses.
 Nmap provides a number of features for probing computer networks, including host
discovery and service and operating system detection.
 These features are extensible by scripts that provide more advanced service detection,
vulnerability detection, and other features.
 Nmap can adapt to network conditions including latency and congestion during a scan.
 Nmap started as a Linux utility and was ported to other systems including Windows,
macOS, and BSD. It is most popular on Linux, followed by Windows.

2. Wireshark:

 Wireshark is a free and open-source packet analyser.

 It is used for network troubleshooting, analysis, software and communications protocol
 development, and education.
 Originally named Ethereal, the project was renamed Wireshark in May 2006 due to
 trademark issues.
 Wireshark is cross-platform, using the Qt widget toolkit in current releases to
implement
 its user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD,
Solaris, some other Unix-like operating systems, and Microsoft Windows.
 There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the
other programs distributed with it such as TShark, are free software, released under the
terms of version 2 of the GNU General Public License.

3. open:

 An application is actively accepting TCP connections, UDP datagrams or SCTP

associations on this port.
 Finding these is often the primary goal of port scanning. Security-minded people know
CS383-Cyber Security and Cyber Laws 20DCS138

that each open port is an avenue for attack.

 Attackers and pen-testers want to exploit the open ports, while administrators try to
close or protect them with firewalls without thwarting legitimate users.
 Open ports are also interesting for non-security scans because they show services
available for use on the network.

4. closed

 A closed port is accessible (it receives and responds to Nmap probe packets), but there
is no application listening on it.

 They can be helpful in showing that a host is up on an IP address (host discovery, or

ping scanning), and as part of OS detection. Because closed ports are reachable, it may
be worth scanning later in case some open up.

 Administrators may want to consider blocking such ports with a firewall. Then they
would appear in the filtered state, discussed next.

5. filtered

 Nmap cannot determine whether the port is open because packet filtering prevents its
probes from reaching the port.

 The filtering could be from a dedicated firewall device, router rules, or host-based

 firewall software.

 These ports frustrate attackers because they provide so little information. Sometimes

 they respond with ICMP error messages such as type 3 code 13 (destination
unreachable: communication administratively prohibited), but filters that simply drop
probes without responding are far more common.

 This forces Nmap to retry several times just in case the probe was dropped due to
network congestion rather than filtering. This slows down the scan dramatically.

6. Unfiltered

 The unfiltered state means that a port is accessible, but Nmap is unable to determine
whether it is open or closed.
 Only the ACK scan, which is used to map firewall rulesets, classifies ports into this
CS383-Cyber Security and Cyber Laws 20DCS138

state.
 Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or
FIN scan, may help resolve whether the port is open.

7. open|filtered

 Nmap places ports in this state when it is unable to determine whether a port is open or
filtered. This occurs for scan types in which open ports give no response.

 The lack of response could also mean that a packet filter dropped the probe or any
response it elicited.

 So Nmap does not know for sure whether the port is open or being filtered. The UDP,
IP protocol, FIN, NULL, and Xmas scans classify ports this way.

8. closed|filtered

 This state is used when Nmap is unable to determine whether a port is closed or
filtered.
 It is only used for the IP ID idle scan.

Implementation:

 Start the wireshark and start capturing the packets

 Firstly, we will write the following command:
 Write sudo nmap ip address of device
 This is the basic format for Nmap, and it will return information about the ports on that
system.

Fig-1.1: nmap command impementation

 Below are the glimpses of the packets captured by wireshark when the above command
was executed
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-1.2: Packets captured by wireshark

 Below are the packets captured for PORT 80.

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-1.3: Packets captured for PORT 80

 If we want to scan for a range of ip address then, enter the following command
 Write sudo nmap ip address range.

Fig-1.4: scan for a range of ip address

 We will get the result of scan for the whole range

 To know the status of a particular port, enter the following command
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-1.5: status of a particular port

 Packets captured in Wireshark

Fig-1.6: Packets captured in Wireshark

CS383-Cyber Security and Cyber Laws 20DCS138

 To scan all the possible ports, write the following command

Fig-1.7: scanning all possible ports

 To scan for all available TCP ports, enter the following command

Fig-1.8: scan all available TCP ports

 To go for tcp syn scan, enter the following command

Fig-1.9: tcp syn scan

 Some of the packets captured in wireshark

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-1.10: packets captured in wireshark

 To scan for ping scan, enter the following command

Fig-1.11: scan for ping

Fig-1.12: ICMP packet transfer

 For TCP Connect scan, enter the following command.

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-1.13: TCP Connect scan

 TCP Scan from the Wireshark

Fig-1.14: TCP Scan From wireshark

 For UDP Scan, use the following command

Fig-1.15: UDP scan

 UDP Scan from Wireshark

Fig-1.16: UDP scan from wireshark

Conclusion/Summary:
CS383-Cyber Security and Cyber Laws 20DCS138

Student Signature & Date Marks Evaluator Signature & Date

Practical 2
Date:
Aim: Perform a Vulnerability Scan on a system within the Local Area Network and Submit
the report.
Theory:

Nessus Essentials:
 Nessus Essentials is a free vulnerability assessment solution for up to 16 IPs that
provides an entry point into the Tenable ecosystem.
 Backed by market leading functionality from Nessus Professional, Nessus Essentials
gives you the accuracy and speed you need to discover, prioritize and remediate
vulnerabilities.

Implementation:
 Firstly, Nessus Essential is not pre-installed. Hence, we need to download it.
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-2.1: download page of Nessus

 Accept the Agreement

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-2.2: License Agreement

 Now, unpack the package

Fig-2.3: unpacking the packge

 Now, enter the following commands

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-2.4: commands for installing nessus

 Check the status

Fig-2.5: Status

 Go to the link provided and proceed further. (https://kali:8834)

 The installation page will arrive

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-2.6: installation page

 Apply the activation code.

Fig-2.7: activation code

CS383-Cyber Security and Cyber Laws 20DCS138

 After providing the user_name and password, download process will begin.

Fig-2.8: download process

 Once, all plugins are installed, it will prompt you to enter the details of hosts that you
want to check for.

 After that, it will start the scanning.

Fig-2.9: scanning
CS383-Cyber Security and Cyber Laws 20DCS138

 Once completed, following information will be shown.

Fig-2.10: scan progress

Fig-2.11: scan result

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-2.12: scan outcomes

Conclusion/Summary:

Student Signature & Date Marks Evaluator Signature & Date

Practical: 3
Date:
CS383-Cyber Security and Cyber Laws 20DCS138

Aim: Implementation to identify web vulnerabilities, using OWASP project

Theory:
 OWASP stands for “Open Web Application Security Project”.
 It is an open, online community that creates methodologies, tools, technologies and
guidance on how to deliver secure web applications.
 OWASP ZAP (ZAP) is one of the world’s most popular free security tools and is
actively maintained by hundreds of international volunteers. It can help to find security
vulnerabilities in web applications. It’s also a great tool for experienced pen testers and
beginners.
 ZAP is what is known as a “man-in-the-middle proxy.” It stands between the browser
and the web application. While you navigate through all the features of the website, it
captures all actions. Then it attacks the website with known techniques to find security
vulnerabilities.
 It is one of the most active Open Web Application Security Project (OWASP) projects
and has been given Flagship status.
 When used as a proxy server it allows the user to manipulate all of the traffic that
passes through it, including traffic using https.
 It can also run in a daemon mode which is then controlled via a REST API.
 ZAP was added to the ThoughtWorks Technology Radar in May 2015 in the Trial ring.
 ZAP was originally forked from Paros, another pentesting proxy. Simon Bennetts, the
project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.

Implementation:

 Starting ZAP.
 Once setup you can start ZAP by clicking the ZAP icon on your Windows desktop or
CS383-Cyber Security and Cyber Laws 20DCS138

from the start menu.

Fig-3.1: Glimpses Of ZAP Console

 Spidering the web application

 Spidering a web application means crawling all the links and getting the structure of
the application. ZAP provides two spiders for crawling web applications;
 The traditional ZAP spider discovers links by examining the HTML in responses from
the web application. This spider is fast, but it is not always effective when exploring an
AJAX web application.
 This is more likely to be effective for AJAX applications. This spider explores the web
application by invoking browsers which then follow the links that have been generated.
The AJAX spider is slower than the traditional spider.

Automated Scan:
 This option allows you to launch an automated scan against an application just by
entering the URL. If you are new to ZAP, it is best to start with Automated Scan mode.
 To run a Quick Start Automated Scan:
CS383-Cyber Security and Cyber Laws 20DCS138

1. Start Zap and click the large ‘Automated Scan’ button in the ‘Quick Start’ tab.
2. Enter the full URL of the web application you want to attack in the ‘URL to attack’
text box.
3. Click the ‘Attack’ button.

Fig-3.2: Crawling started

 Once you click the ‘Attack’ button, ZAP will start crawling the web application with
its spider and passively scan each page it finds. Then ZAP will use the active scanner
to attack all of the discovered pages, functionality and parameters.
 Exploring the web application manually
 Spiders are a great way to explore the basic site, but they should be combined with
manual exploration to be more effective. This functionality is very useful when your
web application needs a login or contains things like registration forms, etc.

 You can launch browsers that are pre-configured to proxy through ZAP via the Quick
Start tab. Browsers launched in this way will also ignore any certificate validation
warnings that would otherwise be reported.

Manual Explore:
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-3.3: Manual Explore

 To Manually Explore the web application.
 Start ZAP and click on the large “Manual Explore” button in the Quick Start tab.
 Enter the full URL of the web application to be explored in the ‘URL to explore’ text
box.
 Select the browser you would like to use and click the ‘Launch Browser’ button.
 This will launch the selected browser with a new profile. Now explore all of the
targeted web applications through this browser.
 ZAP passively scans all the requests and responses made during your exploration for
vulnerabilities, continues to build the site tree, and records alerts for potential
vulnerabilities found during the exploration.

What is passive scanning?

 Passive Scans only scan the web application responses without altering them.
 It does not attack or insert malicious scripts to the web application, so this is a safe
scan; you can use it if you are new to security testing.
 Passive scanning is good at finding some vulnerabilities and as a way to get a feel for
the basic security of a web application.

What is active scanning?

 Active scan attacks the web application using known techniques to find vulnerabilities.
This is a real attack that attempts to modify data and insert malicious scripts in the web
application.
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-3.4: Sites Updates

Fig-3.5: Manual scanning initiated

 We will not proceed as we are not allowed to scan the website.

Conclusion/Summary:
CS383-Cyber Security and Cyber Laws 20DCS138

Student Signature & Date Marks Evaluator Signature & Date

Practical: 6
Date:
Aim: Implementation to gather information from any PC’s connected to the LAN using whois,
port scanners, network scanning, IP scanners etc.

Theory:

Angry IP Scanner:
CS383-Cyber Security and Cyber Laws 20DCS138

Angry IP Scanner is a free, lightweight, cross-platform, and open source tool to scan networks.
It helps you to scan a range of IP addresses to find live hosts, open ports, and other relevant
information of each and every IP address.

The good thing about Angry IP Scanner is that it lets you scan IP addresses in three different
ways. They are, the range you specified, a random IP address or a list of IP addresses from a
text file. You can easily select the scan mode from the drop-down menu next to the IP address
field.

Fig-6.1 Angry IP Scanner for Scanning a network

Once you close the summary window, you will see the list of all the IP address. You can also
see additional details in different “fetcher” columns. In case you are wondering, here’s what
the colored dots next to each IP address mean.

Red: The IP address is inactive, dead or there is no device connected to this IP address.3.
Blue: The IP address is either active or busy and not responding to the requests sent by Angry
IP Scanner. This usually will be your own IP Address.
Green: The IP address is active, and the device connected to it is responding to the requests
made by Angry IP Scanner. There may also be open ports.

ARPING

If traditional ICMP-based pings are no longer reliable unless you know in advance that there is
no firewall blocking ICMP echo requests, what other options exist? One option is an Address
CS383-Cyber Security and Cyber Laws 20DCS138

Resolution Protocol (ARP) based ping using the arping utility.

To know why ARP pings are virtually guaranteed to work while ICMP pings may not, one
should understand the importance of ARP in networking. ARP is used by hosts on a network
to resolve IP addresses into Media Access Control (MAC) addresses, which can be interpreted
as a network interface’s unique serial number. Hosts on an Ethernet network use MAC
addresses rather than IP addresses to communicate.

When a host tries to create a connection to another host (on the same subnet), it first needs to
obtain the second host’s MAC address. In this process, Host A sends an ARP request to the
broadcast address of the subnet to which it is connected. Every host on the subnet receives this
broadcast, and the host with the IP address in question sends an ARP reply back to Host A
with its MAC address. After receiving the ARP reply from Host B, Host A can connect to
Host B.

ARP is required for an Ethernet network to function properly, so it typically is not blocked by
a firewall. If ARP requests were blocked, no host would be able to “find” a computer on a
network and connect to it. For all intents and purposes, the system would be unplugged from
the network.

(Tools do exist to filter ARP. The ebtables project provides these tools. Ebtables is similar in
both functionality and syntax to iptables, but whereas iptables works with TCP and UDP
protocols, ebtables works with ARP.)

One possible drawback to this system of using ARP to ping a host is that the ARP protocol is
not a routed protocol. If you are not on the same subnet as the host you are trying to connect
to, then this method is not going to work without first joining that subnet, which may or may
not be physically possible. Thus by sending an ARP request rather than an ICMP echo, you are
virtually guaranteed to get a reply.
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-6.2 Arping for Scanning a IP address

Zenmap

It is a GUI form of nmap

The purpose of using zenmap is providing user an UI.

Fig-6.3 Zenmap is nmap in GUI to scan a ports and networks

Whois

Whois is a protocol and a set of tools used to query information about domain names, IP
addresses, and other network resources. It is used to look up information about the registration
and ownership of a domain name, or the assignment of an IP address. The information that can
be obtained from a Whois query typically includes details such as the name of the registrant,
the date of registration, and the expiration date of the domain or IP address.
Whois can be used for various purposes, including:
Finding the contact information for a domain or IP address, including the registrant’s name,
address, phone number and email address.
CS383-Cyber Security and Cyber Laws 20DCS138

Checking the availability of a domain name.

Identifying the owner of a website or IP address.
Researching the history of a domain or IP address, including past ownership and registration
details.

Fig-6.4 Whois command to scan the DNS and IP Address.

Masscan

Masscan is a high-speed TCP port scanner that can scan the entire internet in under 6 minutes.
It is open-source software that is designed to be fast, efficient, and highly configurable.
Masscan uses a technique called "SYN scanning" to scan for open ports on a given IP address
or range of IP addresses. It can also perform service detection, which means it can identify the
type of service running on a given port.

Fig-6.5 Masscan , The TCP port scanner (SYN Scanning)

CS383-Cyber Security and Cyber Laws 20DCS138

Conclusion/Summary:

Student Signature & Date Marks Evaluator Signature & Date

Practical: 8
Date:
Aim: Gather information of any domain/website/IP address using following Information
Gathering Tools. 1. Samspade 2. Nslookup 3. Whois 4. Tracert.

Theory:
 Samspade
 Nslookup
 Whois
 Tracert

NSLOOKUP:
CS383-Cyber Security and Cyber Laws 20DCS138

 NSLOOKUP (short for "name server lookup") is a command-line tool used to

troubleshoot DNS issues by querying a DNS server for information about a specific
domain or IP address. It can be used to find the IP address associated with a domain
name, or to find the domain name associated with an IP address. NSLOOKUP can also
be used to query specific types of DNS records, such as MX records (used to route
email) or NS records (used to specify the authoritative name servers for a domain).
NSLOOKUP is available on most operating systems, including Windows and Linux.

Fig-8.1 Information gathering of DNS server by using nslookup

WHOIS:
 WHOIS is a protocol and a database used to look up information about domain names,
IP addresses and other internet resources. It is a way to find the owner and technical
details of a domain name or IP address, including contact information and registration
data. WHOIS records are maintained by registrars and registries, which are
organizations that manage the registration of domain names and IP addresses. WHOIS
information can be used for various purposes such as troubleshooting technical
problems, researching the ownership of a domain or IP address, or identifying the
registrar or registry responsible for a particular resource. WHOIS information can be
queried using a command-line tool or a web-based interface.
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-8.2 whois command to gather the information about domain

TRACERT(traceroute):
 The traceroute command is used to determine the path between two connections. Often
a connection to another device will have to go through multiple routers.
 The traceroute command will return the names or IP addresses of all the routers
between two devices.
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-8.3 Installation of traceroute

Fig-8.4 Commands that can be used with traceroute

SAMSPADE:

 SamSpade is a set of online tools for investigating IP addresses and domains. It

provides information such as who owns a domain, what the DNS servers are, and what
other domains may be hosted on the same IP address. Some of the tools available on
the site include a traceroute utility, a WHOIS lookup, and a reverse DNS lookup.
SamSpade is a free, open-source tool that can be used by anyone to gather information
on a specific IP address or domain. It is widely used by cybersecurity professionals,
network administrators, and researchers for reconnaissance, threat hunting and incident
response.
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-8.5 Using SamSpade gather the information about domain and IP address

Conclusion/Summary:

Student Signature & Date Marks Evaluator Signature & Date

Practical: 9
Date:
Aim: Identify any 5 online web portals for information gathering. Scan an IP address/URL for
CS383-Cyber Security and Cyber Laws 20DCS138

gathering information. Prepare a report.

Theory:

DOMAINTOOLS: http://www.domaintools.com

Find information on any domain name or website. Large database of whois information, DNS,
domain names, name servers, IPs, and tools for searching and monitoring domain names.

Fig-9.1 Domain Tool Website

Fig-9.2 DomainTools records shows IP and URL

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-9.3 Updated Record of DomainTools including various organization resources

WHOIS: http://www.who.is

Secure Domain Name Searches, Registration & Availability. Use Our Free Whois Lookup
Database to Search for & Reserve.

Fig-9.4 Whois Website

CS383-Cyber Security and Cyber Laws 20DCS138

Fig-9.5 DNS Record Management in Whois

BUILTWITH: http://builtwith.com

Domain information, whois & dns report.

Fig-9.6 BuiltWith is website for domain information

Fig-9.7 Charusat.ac.in domain information in BuiltWith

CS383-Cyber Security and Cyber Laws 20DCS138

NETCRAFT: https://sitereport.netcraft.com/

Web technology information profiler tool. Find out what a website is built with.

Fig-9.8 NetCraft website to find the information related to website infrastructure

Fig-9.9 Site Report of CHARUSAT website using NetCraft

VIRUSTOTAL: https://www.virustotal.com/gui/home/url

DNS tools, Network tools, Email tools, DNS reporting and IP information gathering. Explore
monitoring products and free DNS tools at DNSstuff.
CS383-Cyber Security and Cyber Laws 20DCS138

Fig-9.10 VIRUSTOTAL is used to get DNS report and malware detection and other breaches
in any website

Fig-9.11 VIRUSTOTAL result of CHARUSAT Website

Conclusion/Summary:

Student Signature & Date Marks Evaluator Signature & Date