CS383-Cyber Security and Cyber Laws 20DCS138

Practical: 5
Date:
Aim: Monitor the traffic in real time and issue alerts to users when it discovers potentially
malicious packets or threats on Internet Protocol (IP) networks using SNORT.
Solution:

Introduction:
To detect and to prevent hackers and attackers from penetrating a system, we need to have a
basic understanding of the attacks that can be possibly performed on it.
Scanning attack: the attacker sends probe packets to a network to learn which hosts are up, which
ports are open and which services answer, e.g., a ping sweep or an Nmap port scan; it is usually the
first step before a targeted attack.

Verifying the installation

Fig – 5.1
Sniffer output

Fig – 5.2

Protocol-specific attack: This targets specific protocols such as ICMP, TCP and ARP.
• ICMP (Internet Control Message Protocol): a ping flood overwhelms a device with ICMP
echo-request packets; a smurf attack amplifies this by sending echo requests to a broadcast
address with the victim's spoofed source address; ICMP echo is also what a ping sweep uses
for host discovery.
• TCP (Transmission Control Protocol): in a SYN flood the attacker sends a stream of SYN
packets and never completes the handshake, so the server's backlog fills with half-open
connections and legitimate clients are refused; a SYN scan sends the same SYN-only packets,
one per port, to learn which ports are open. Snort can match both on the flags:S option.
• ARP (Address Resolution Protocol): ARP poisoning sends forged ARP replies that bind the
attacker's MAC address to the IP address of a legitimate device (often the gateway), so
traffic meant for that device passes through the attacker.
Snort
Snort is a free and open source network intrusion prevention and detection system. It uses a
rule-based language combining signature, protocol and anomaly inspection methods to detect a
wide range of malicious activity. Snort is also capable of performing real-time traffic analysis
and packet logging on IP networks. It was first released in 1998 by Martin Roesch and became
popular enough that Sourcefire, the company built around it, was acquired by Cisco in 2013;
Cisco maintains Snort today.

Fig – 5.3
kali > sudo mousepad /etc/apt/sources.list
(only needed if the package is not found: the file must contain the Kali repository line,
deb http://http.kali.org/kali kali-rolling main contrib non-free)
kali > sudo apt-get update
kali > sudo apt-get install snort
kali > sudo snort -V

Fig – 5.4
Configuration of Snort
Like most Linux commands and applications, Snort prints its command-line help when invoked
with the following switch:
kali > sudo snort --help

Fig – 5.5

Starting Snort
Running Snort without a configuration file puts it in sniffer mode: -v prints packet headers,
-d adds the application-layer payload and -e adds the link-layer (Ethernet) headers. Adding -c
loads snort.conf and the rules it includes, so Snort runs as an IDS; -i <interface> selects the
interface if the default is not the one to watch. Ctrl+C stops it and prints packet statistics.
kali > sudo snort -vde
kali > sudo snort -vde -c /etc/snort/snort.conf

Fig – 5.6

Snort — rules and configuration

A rule has two parts: a header, and a list of options in parentheses. The header gives the
action, the protocol, the source address and port, the direction (-> or <>) and the destination
address and port. Addresses and ports can be a single value, a CIDR block, a variable such as
$HOME_NET, or any, and a leading ! negates them. Every rule needs a msg and a unique sid
(numbers from 1000000 upward are reserved for local rules), so the general form is:

action proto src_ip src_port -> dst_ip dst_port (msg:"text"; sid:1000001; rev:1;)

For example, to log every TCP packet that enters the protected network from outside it:

log tcp !$HOME_NET any -> $HOME_NET any (msg:"inbound tcp"; sid:1000001; rev:1;)

Local rules go in /etc/snort/rules/local.rules, which snort.conf already includes. The main
configuration file itself is opened with:

kali > sudo mousepad /etc/snort/snort.conf

Fig – 5.7
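As an added example (not part of this practical or of Snort itself), the following Python script parses rules written in the form shown above and reports the defects Snort itself refuses to load: a three-octet address, a missing sid, an unknown action. The rules in SAMPLE_RULES are constructed for the lab and use the $HOME_NET variable defined in snort.conf; the sid values are arbitrary local-rule numbers.

```python
"""Parse and validate Snort 2 rules (added example, not Snort's own code)."""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def valid_address(spec):
    """any, a $VARIABLE, an IP/CIDR block or a [a,b] list, each optionally negated with '!'."""
    spec = spec.lstrip("!")
    if spec.startswith("[") and spec.endswith("]"):
        return all(valid_address(part) for part in spec[1:-1].split(","))
    if spec == "any" or spec.startswith("$"):
        return True
    try:
        ipaddress.ip_network(spec, strict=False)  # rejects three-octet forms such as 192.168.1/24
        return True
    except ValueError:
        return False

def valid_port(spec):
    """any, a $VARIABLE, one port or a lo:hi range (either end may be open), optionally negated."""
    spec = spec.lstrip("!")
    if spec == "any" or spec.startswith("$"):
        return True
    lo, _, hi = spec.partition(":")
    try:
        return bool(lo or hi) and all(0 <= int(p) <= 65535 for p in (lo, hi) if p)
    except ValueError:
        return False

def split_options(body):
    """Split on ';' outside double quotes so that msg:"a; b" stays in one piece."""
    items, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]

def option(rule, name):
    """Value of the first option with this keyword (None for flag options such as nocase, or if absent)."""
    return next((value for key, value in rule["options"] if key == name), None)

def parse_rule(line):
    """Return the rule as a dict (header fields plus an ordered 'options' list) or raise ValueError."""
    match = HEADER_RE.match(line.strip())
    if not match:
        raise ValueError("expected: action proto src sport -> dst dport (options)")
    rule = match.groupdict()
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unknown action {rule['action']!r}")
    if rule["proto"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {rule['proto']!r}")
    for key in ("src", "dst"):
        if not valid_address(rule[key]):
            raise ValueError(f"bad address {rule[key]!r}")
    for key in ("sport", "dport"):
        if not valid_port(rule[key]):
            raise ValueError(f"bad port {rule[key]!r}")
    rule["options"] = []
    for item in split_options(rule.pop("opts")):
        key, sep, value = item.partition(":")
        value = value.strip() if sep else None
        if value and len(value) > 1 and value[0] == value[-1] == '"':
            value = value[1:-1]  # unquote msg:"..." style values
        rule["options"].append((key.strip(), value))
    if option(rule, "sid") is None:  # Snort refuses to load a rule without a sid
        raise ValueError("missing sid (local rules use 1000000 and up)")
    return rule

def check_rules(text):
    """Parse a rules-file body; return (rules, [(line number, error)]). Blank and '#' lines are skipped."""
    rules, errors = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            try:
                rules.append(parse_rule(line))
            except ValueError as exc:
                errors.append((number, str(exc)))
    return rules, errors

# Constructed local.rules content; $HOME_NET is the variable set in snort.conf, the sids are arbitrary.
SAMPLE_RULES = """\
# log every TCP packet entering the protected network from outside it
log tcp !$HOME_NET any -> $HOME_NET any (msg:"inbound tcp"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"possible SYN scan"; flags:S; detection_filter:track by_src, count 20, seconds 10; sid:1000003; rev:1;)
alert tcp 192.168.1/24 any -> any 22 (msg:"broken cidr"; sid:1000004; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"no sid, Snort rejects this"; rev:1;)
"""

if __name__ == "__main__":
    rules, errors = check_rules(SAMPLE_RULES)
    print(len(rules), "rules parsed", *[f"line {n}: {e}" for n, e in errors], sep="\n")
```

Point check_rules at the text of /etc/snort/rules/local.rules to catch these mistakes before running snort -T, which is slower because it parses every included rule set.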
Setting variables
In the screenshot of snort.conf (Figure 5.7), note the highlighted line ‘ipvar HOME_NET’. This
variable denotes the network being protected; ‘HOME_NET’ is the variable name to which the
address is assigned. It can be a single IP address, a list of IP addresses, a subnet in CIDR
notation, or simply any. In the lab it should be set to the lab subnet, because rules written as
!$HOME_NET -> $HOME_NET (outside to inside) can only distinguish the two when HOME_NET is
narrower than any; EXTERNAL_NET, defined just below it, is normally set to !$HOME_NET.

Checking the output

Using Ctrl+F to search for ‘output’ takes us to the output plugins section of snort.conf. By
default the file logs alerts in Snort's binary unified2 format. If we want pcap files instead, we
can comment out the unified2 line and uncomment the line below it (log_tcpdump); either way the
files land in the /var/log/snort directory. While testing rules it is easier to see alerts as
they happen, which the -A console switch gives without touching snort.conf.
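To see what the alerts look like once Snort is running with -A console or -A fast, here is an added Python example (not from the practical or from Snort) that parses lines in Snort's fast alert format and flags any source that hits many distinct destination ports, the port-scan pattern described in the introduction. The log lines in SAMPLE_ALERTS are constructed, the addresses are assumed lab values, and the parser assumes IPv4.

```python
"""Parse Snort alert_fast lines and flag hosts that behave like port scanners (added example)."""
import re
from collections import defaultdict

# Fast format: TIME [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification part is absent when the rule has no classtype; IPv4 addresses are assumed.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Fields of one alert as a dict (ports None for ICMP), or None if the line is not an alert."""
    match = ALERT_RE.match(line.strip())
    if not match:
        return None
    alert = match.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        alert[key] = None if alert[key] is None else int(alert[key])
    return alert

def summarize(lines):
    """Per source address: alert count, rule sids that fired, and distinct destination ports touched."""
    by_src = defaultdict(lambda: {"alerts": 0, "sids": set(), "dports": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # packet dumps, blank lines, the Snort banner
        entry = by_src[alert["src"]]
        entry["alerts"] += 1
        entry["sids"].add(alert["sid"])
        if alert["dport"] is not None:
            entry["dports"].add(alert["dport"])
    return dict(by_src)

def likely_scanners(lines, min_ports=5):
    """Sources that touched at least min_ports distinct destination ports: the shape of a port scan."""
    return sorted(src for src, entry in summarize(lines).items() if len(entry["dports"]) >= min_ports)

# Constructed alert lines; the addresses are assumed lab values and the sids are arbitrary local-rule numbers.
SAMPLE_ALERTS = """\
08/10-15:28:33.212342  [**] [1:1000002:1] ICMP echo request [**] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.1
08/10-15:29:01.001122  [**] [1:1000003:1] possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:45678 -> 192.168.56.1:21
08/10-15:29:01.001300  [**] [1:1000003:1] possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:45679 -> 192.168.56.1:22
08/10-15:29:01.001512  [**] [1:1000003:1] possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:45680 -> 192.168.56.1:23
08/10-15:29:01.001730  [**] [1:1000003:1] possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:45681 -> 192.168.56.1:80
08/10-15:29:01.001944  [**] [1:1000003:1] possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:45682 -> 192.168.56.1:443
08/10-15:31:10.500000  [**] [1:1000001:1] inbound tcp [**] [Priority: 3] {TCP} 10.0.2.15:51000 -> 192.168.56.1:80
"""

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_ALERTS.splitlines()).items():
        print(src, entry["alerts"], "alerts, ports", sorted(entry["dports"]))
    print("likely scanners:", likely_scanners(SAMPLE_ALERTS.splitlines()))
```

On a real sensor, feed it the lines of /var/log/snort/alert (the file -A fast writes) and raise min_ports to suit the network; one distinct port per alert is normal, dozens from one source within seconds is a scan.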

Disable rules
Rule sets are loaded by the include $RULE_PATH/... lines near the end of snort.conf; commenting
out an include disables that whole rule file, and our own rules belong in local.rules, which stays
included. After making any change, simply save the file and test the configuration using the -T
switch, which parses snort.conf and every rule it includes and then exits without sniffing.
kali > sudo snort -T -c /etc/snort/snort.conf

Fig – 5.8

Conclusion/Summary:
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

Student Signature & Date Marks Evaluator Signature & Date


Practical: 7
Date:
Aim: Set up a Virtual lab environment with Windows XP (SP1), Metasploitable OS, and
BRICKS/DVWA web server and an Attacker machine (KALI/BT) in virtual machines
(network in NAT mode). Now carry out Vulnerability assessment in environment
a. Network VA/PT
i. Find the open ports in domain.
ii. Find out the hosts in domains.
iii. Find out the services running on domains and their versions.
iv. Banner Grabbing of server.
v. Find out default vulnerabilities in Services.
vi. Exploit the vulnerabilities.
vii. Deploy and maintain the backdoor.
b. Web VA/PT
i. Find the domain information.
ii. Find the details of server and its default vulnerabilities.
iii. Perform automated testing using BurpSuite or ZAP proxies.
Tools: nmap, netcat, netcraft, nslookup, whois, dig, ping, Nessus, Metasploit, FOCA.
Solution:

Step 1: Download Damn Vulnerable Web Application (DVWA)


To get started, we will need to clone the DVWA GitHub repository into our /var/www/html directory,
which is the document root Apache serves on localhost in Debian-based systems. Launch the Terminal
and change into /var/www/html with the command below.
$ cd /var/www/html

Fig – 7.1

Once in this directory, we will clone the DVWA GitHub repository with the command below.
$ sudo git clone https://github.com/digininja/DVWA
Fig – 7.2

After cloning, we can rename the DVWA folder to dvwa. That is not mandatory, but it makes
work easier when executing multiple commands.
$ sudo mv DVWA dvwa

Step 2: Configure DVWA


After cloning DVWA into our /var/www/html directory, we still need to do some minor
configuration. To get started, the quick lab approach is to give everyone read, write and execute
permission on the DVWA directory. Execute the command below.
$ chmod -R 777 dvwa/
Do this only on an isolated lab VM: on any other machine, give ownership of the tree to the web
server user (www-data) instead and make writable only what DVWA needs, the config/ directory and
hackable/uploads/.

Fig – 7.3

After successfully executing the command, we need to set up the user and password required to
access the database. Change directory to point to the config directory with the command below.
$ cd dvwa/config

When you run the ls command to view the files inside the directory, you will see
the config.inc.php.dist file. That is the original file containing the default
configurations. We won’t edit it. Instead, we will create a copy of this file
called config.inc.php and the original config.inc.php.dist file will act as our
backup in case things go wrong.
Execute the command below.
sudo cp config.inc.php.dist config.inc.php
Fig – 7.4

Run the command below to open the newly created file with nano editor and make the
necessary changes, as shown in the image below. We will set db_user as user
and db_password as pass. Feel free to use a different username or password.
$ sudo nano config.inc.php

Fig – 7.5

Save the file (Ctrl + O, then Enter) and Exit (Ctrl + X). That’s it! We are done configuring
the DVWA Web application. Let’s move on and configure the database (MySQL).

Step 3: Install MySQL on Kali Linux


By default, MySQL comes pre-installed on Kali Linux. If that is not the case, or MySQL has been
damaged, it can be installed manually. On Debian-based distributions the database comes in two
packages:

• mysql-server
• mysql-client
In our case we need the server. However, there is a catch: apt install mysql-server will most
likely fail with "Package mysql-server is not available, but is referred to by another package.
E: Package 'mysql-server' has no installation candidate." That is because in Kali, and in Debian
since release 10, mysql-server is only a virtual name for default-mysql-server, which installs
MariaDB, a drop-in replacement that accepts the same commands used below. Therefore, use the
command below:

sudo apt install default-mysql-server


Fig – 7.6

Step 4: Configure MySQL Database

Start the MySQL service with the command below:


$ sudo service mysql start
You can check whether the service is running using the systemctl status command below.
$ systemctl status mysql

Fig – 7.7

Login to the MySQL database using the command below as root. If you have another name set
for the superuser in your system, use it instead of root.
$ sudo mysql -u root -p
You will see a prompt to enter the password. Just hit Enter since we haven’t set any password.
MySQL will open, as shown in the image below:

Fig – 7.8

We will create a new user with the username and password set in our DVWA application
configuration file. In my case, the username was ‘user,' and the password was ‘pass.’ The server
we are using is localhost (127.0.0.1), and the account is bound to that host, so it must match the
db_server value in config.inc.php (127.0.0.1 by default): an account created for '127.0.0.1' does
not match a connection made to 'localhost', which MariaDB treats as a separate host. Use the
command below.
create user 'user'@'127.0.0.1' identified by 'pass';

Fig – 7.9

We need to grant this new user privileges over the dvwa database. Execute the command below.
grant all privileges on dvwa.* to 'user'@'127.0.0.1' identified by 'pass';
The trailing identified by 'pass' is accepted by MariaDB (what default-mysql-server installs) but
rejected by MySQL 8, where the password is set only in create user; leaving it off the grant works
on both. Up to this point, we are through with configuring both the DVWA application and the
MySQL database. Type exit to close the database shell.

Fig – 7.10

Step 5: Install PHP


PHP comes installed in Kali Linux, and the stock packages (php and php-mysql) are enough for DVWA.
If a particular version is wanted, it can be installed from the SURY repository; here PHP 7.4 is
installed, which was the current release at the time of writing. Note that the SURY packages
target Debian releases (buster below), and mixing them into Kali's rolling base can pull in
conflicting library versions, so prefer Kali's own PHP unless a specific version is required.
First, update the system and add the SURY PHP repository by executing the commands below.
sudo apt update
sudo apt -y install lsb-release apt-transport-https ca-certificates
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ buster main" | sudo tee /etc/apt/sources.list.d/php.list

Fig – 7.11

After successfully adding the repository, use the command below to install PHP 7.4
sudo apt update
sudo apt install php7.4 -y
Fig – 7.12

To install additional PHP extensions, use the syntax below where xxx stands for the extension
name.
sudo apt install php7.4-xxx
e.g
sudo apt install php7.4-{cli,json,imap,bcmath,bz2,intl,gd,mbstring,mysql,zip}

Fig – 7.13

Step 6: Configure Apache Server


Now, we need to configure the PHP settings that Apache uses. Use the command below to change
your location on the Terminal to the /etc/php/7.4/apache2 directory (the apache2 subdirectory
matters: the cli one only affects command-line PHP).
$ cd /etc/php/7.4/apache2
NOTE:
As of writing this post, I was running PHP version 7.4. You might need to confirm your version
and replace it on the command. Use the command below to check the installed version.
$ ls /etc/php
In the /etc/php/7.4/apache2, when you execute the ls command, you will see a file called php.ini.
That is the file we will edit to configure our localhost server. Use the command below to open
it using the nano editor.
$ sudo nano php.ini
Scroll down and look for these two lines: allow_url_fopen and allow_url_include. Set them both
to On. Both settings deliberately weaken PHP: allow_url_include lets include() and require() pull
code from a remote URL, which is exactly what the DVWA file inclusion exercise exploits (remote
file inclusion), so never enable it outside the lab. Save the file (Ctrl + O, then Enter) and
Exit (Ctrl + X).
Fig – 7.14
Start Apache server using the command below:
$ sudo service apache2 start
To check whether the service started successfully, use the status command.
$ systemctl status apache2

Fig – 7.15

Step 7: Access DVWA on Your Browser


That’s it! We now have everything configured, and we can proceed to launch DVWA. Open
your browser and enter the URL:
http://127.0.0.1/dvwa/
That will open the setup.php web page as shown in the image:
Fig – 7.16
You might see the errors colored in red as in the image above. Don’t panic! Scroll down and
click the Create / Reset Database button.

Fig – 7.17
That will create and configure the database. After some time, you will be redirected to the
DVWA login page. Log in with these credentials:

 Username - admin
 Password - password
Fig – 7.18

Once logged in, you will see the DVWA main page. On the left panel, we have the different
types of attacks you can exploit and the DVWA Security button that allows you to choose the
desired security level - Low, Medium, High, or Impossible.
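Before relying on the red error list in the browser, the settings made in Steps 2, 4 and 6 can be checked from the shell. The Python script below is an added example (not part of the practical or of DVWA): it reads the apache2 php.ini and DVWA's config.inc.php as text and reports the mismatches that make setup.php fail, including the db_server/account-host mismatch discussed in Step 4. The two sample files are constructed; the real paths are assumed to be /etc/php/7.4/apache2/php.ini and /var/www/html/dvwa/config/config.inc.php.

```python
"""Check the DVWA lab settings from Steps 2, 4 and 6 (added example, not DVWA's own code)."""
import re
import sys

# Constructed excerpts of the two files; the real ones are much longer.
PHP_INI_SAMPLE = """\
[PHP]
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = On
"""
DVWA_CONFIG_SAMPLE = """\
<?php
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'user';
$_DVWA[ 'db_password' ] = 'pass';
$_DVWA[ 'db_port']      = '3306';
"""

def php_ini_settings(text):
    """key -> value for active php.ini directives; ';' comment lines and [sections] are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[#":
            continue  # a commented-out directive does nothing, so it must not count as set
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings

def dvwa_config(text):
    """Values assigned with $_DVWA[ 'key' ] = 'value'; in config.inc.php."""
    return dict(re.findall(r"\$_DVWA\[\s*'(\w+)'\s*\]\s*=\s*'([^']*)'", text))

def check_lab(php_ini_text, config_text, mysql_user, mysql_host):
    """Return a list of problems; an empty list means setup.php should succeed."""
    problems = []
    ini = php_ini_settings(php_ini_text)
    for key in ("allow_url_fopen", "allow_url_include"):
        if ini.get(key, "").lower() not in ("on", "1"):
            problems.append(f"php.ini: {key} is not On (needed for the file inclusion exercises)")
    cfg = dvwa_config(config_text)
    if cfg.get("db_user") != mysql_user:
        problems.append(f"config.inc.php: db_user {cfg.get('db_user')!r} is not the MySQL account {mysql_user!r}")
    if not cfg.get("db_password"):
        problems.append("config.inc.php: db_password is empty")
    if not cfg.get("db_database"):
        problems.append("config.inc.php: db_database is empty")
    if cfg.get("db_server") != mysql_host:
        problems.append(f"config.inc.php: db_server {cfg.get('db_server')!r} differs from the host the "
                        f"account was created for ({mysql_host!r}); the grant will not match")
    return problems

if __name__ == "__main__":
    # Usage: python3 check_dvwa.py <php.ini> <config.inc.php> <mysql user> <mysql host>; no args checks the samples.
    if len(sys.argv) == 5:
        ini_text, cfg_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
        found = check_lab(ini_text, cfg_text, sys.argv[3], sys.argv[4])
    else:
        found = check_lab(PHP_INI_SAMPLE, DVWA_CONFIG_SAMPLE, "user", "127.0.0.1")
    print("\n".join(found) if found else "lab settings look consistent")
```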

Fig – 7.19
Conclusion/Summary:
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

Student Signature & Date Marks Evaluator Signature & Date


Practical: 10
Date:
Aim: Perform Live / Memory Analysis on a Linux OS and prepare a detailed report.
Solution:

Tracking memory use on a live system shows which processes are consuming RAM and CPU and slowing
the machine down, and gives a picture of the load on a server so that it can be balanced before
users notice. In an incident the same commands are the first, non-invasive look at a running host;
a full forensic memory analysis would additionally acquire a RAM image (for example with LiME) for
offline examination in Volatility, which is outside the scope of this practical.
1. free: displays the amount of memory currently available and used by the system (both physical
and swap). free gathers this data by parsing /proc/meminfo. By default the amounts are shown in
kibibytes; -m shows mebibytes and -h picks a human-readable unit.

Fig – 10.1

watch -n 5 free -m: watch runs a command periodically (here every 5 seconds), giving a live view.

Fig – 10.2

According to the image above, there is a total of 2000 MB of RAM and 1196 MB of swap space
allotted to the Linux system. Of the 2000 MB of RAM, 834 MB is currently used and 590 MB is free;
the remainder is buffer and page cache, which the kernel gives back under memory pressure.
Similarly for swap space, of 1196 MB, 0 MB is used and 1196 MB is free.
2. vmstat: displays virtual memory statistics of the system, reporting memory, paging, block I/O
and CPU activity. The first line of output gives averages since the last reboot; with a delay
argument (vmstat 5) each further line gives the values for the preceding sampling interval, and
the si/so columns (swap in/out) are the clearest sign of memory pressure.

Fig – 10.3
vmstat -d: reports disk statistics
Fig – 10.4

vmstat -s: displays the amount of memory used and available as a table of counters

Fig – 10.5
3. top: displays the processes currently running on the system, that is, the list of processes
and threads being handled by the kernel, with total memory and swap usage in its header. Pressing
M inside top sorts by memory use, which finds the biggest consumer quickly.

Fig – 10.6

top -H: threads-mode operation. Displays the individual threads currently in the system; without
this option a summation of all threads in each process is shown.

Fig – 10.7
4. /proc/meminfo: this pseudo-file is the kernel's own, always current accounting of memory use;
free and top read from it rather than from stored values.

Fig – 10.8

5. htop: an interactive process viewer. It is similar to top except that it allows scrolling
vertically and horizontally to see every process with its full command line, viewing them as a
process tree, and selecting several processes to act on at once.
Fig – 10.9
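Since free reads /proc/meminfo, its numbers can be reproduced directly from that file. The Python script below is an added example, not part of the practical or of procps: it parses /proc/meminfo (the MEMINFO_SAMPLE text is constructed to give the figures quoted above, 2000 MB total, 834 used, 590 free and 1196 MB of swap), recomputes the columns of free -m using the procps-ng 3.3 arithmetic (used = total - free - buffers - cache, with cache including SReclaimable; this is an assumption, newer releases count slightly differently), and, on a real Linux host, lists the processes with the largest resident set from /proc/<pid>/status.

```python
"""Recompute the columns of free -m from /proc/meminfo (added example, not procps code)."""
import os

# Constructed /proc/meminfo excerpt, sized to give the figures quoted above.
MEMINFO_SAMPLE = """\
MemTotal:        2048000 kB
MemFree:          604160 kB
MemAvailable:    1331200 kB
Buffers:           81920 kB
Cached:           466944 kB
SwapCached:            0 kB
SwapTotal:       1224704 kB
SwapFree:        1224704 kB
Shmem:             20480 kB
SReclaimable:      40960 kB
HugePages_Total:       0
"""

def parse_meminfo(text):
    """name -> integer for every 'Name:   value [kB]' line; /proc/<pid>/status uses the same layout."""
    values = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        parts = rest.split()
        if sep and parts and parts[0].isdigit():
            values[name.strip()] = int(parts[0])
    return values

def free_summary(meminfo, unit_kb=1024):
    """The free(1) columns in multiples of unit_kb (1024 gives the MiB of free -m).

    Arithmetic as in procps-ng 3.3 (an assumption; newer releases differ slightly):
    buff/cache = Buffers + Cached + SReclaimable and used = MemTotal - MemFree - buff/cache.
    """
    buff_cache = meminfo["Buffers"] + meminfo["Cached"] + meminfo.get("SReclaimable", 0)
    used = meminfo["MemTotal"] - meminfo["MemFree"] - buff_cache
    return {
        "total": meminfo["MemTotal"] // unit_kb,
        "used": used // unit_kb,
        "free": meminfo["MemFree"] // unit_kb,
        "shared": meminfo.get("Shmem", 0) // unit_kb,
        "buff/cache": buff_cache // unit_kb,
        "available": meminfo.get("MemAvailable", meminfo["MemFree"]) // unit_kb,
        "swap_total": meminfo["SwapTotal"] // unit_kb,
        "swap_used": (meminfo["SwapTotal"] - meminfo["SwapFree"]) // unit_kb,
        "swap_free": meminfo["SwapFree"] // unit_kb,
    }

def memory_pressure(meminfo):
    """Fraction of RAM the kernel counts as available for new work; near 0 means swapping is imminent."""
    return meminfo.get("MemAvailable", meminfo["MemFree"]) / meminfo["MemTotal"]

def top_rss(limit=5, proc="/proc"):
    """(VmRSS kB, pid, name) for the processes with the largest resident set, from /proc/<pid>/status."""
    rows = []
    if not os.path.isdir(proc):
        return rows  # not a Linux host (or a test path): nothing to inspect
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "status")) as handle:
                status = handle.read()
        except OSError:
            continue  # the process exited meanwhile, or it is not ours to read
        fields = parse_meminfo(status)
        name = status.partition("\n")[0].partition(":")[2].strip()  # first line is 'Name:\t...'
        if "VmRSS" in fields:  # kernel threads have no VmRSS line
            rows.append((fields["VmRSS"], int(pid), name))
    return sorted(rows, reverse=True)[:limit]

if __name__ == "__main__":
    live = os.path.exists("/proc/meminfo")
    text = open("/proc/meminfo").read() if live else MEMINFO_SAMPLE
    print("source:", "/proc/meminfo" if live else "constructed sample")
    for key, value in free_summary(parse_meminfo(text)).items():
        print(f"{key:>10}: {value:6d} MB")
    print(f"available fraction: {memory_pressure(parse_meminfo(text)):.2f}")
    for rss, pid, name in top_rss():
        print(f"{rss:8d} kB  pid {pid:6d}  {name}")
```

Run it on the lab VM beside free -m and top to confirm the columns agree; the VmRSS list is the same figure top shows under RES, and it is what answers the question of which program is eating the memory.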

Conclusion/Summary:
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

Student Signature & Date Marks Evaluator Signature & Date
