Summer Internship Project


SUMMER INTERNSHIP/PROJECT

Name: Mohammed Hussain shaikh


Enrollment No.: A71004920005
Course: BSc IT
School: AIIT
Internship

Worked with Tracelay Networks as a security analyst intern and learned many things about security analysis in corporate systems.

The following is what I learned and did during the internship:
• Understanding the role of a Cyber Security Analyst
• Understanding the various fields of Cyber Security
• Important tools and kits used by hackers and attackers
• Various types of intrusions and attacks, through real-life examples
• Various types of malware, ransomware, and viruses that have been used to attack organisations with vast infrastructure
• Research on these various types of
• Documentation on current and upcoming tech that could be a major target for hackers

ExtraHop Cyber Defense Tool

REPORT ON UNDERSTANDINGS AND FUNCTIONS OF EXTRAHOP

ExtraHop is a cybersecurity company providing AI-based network intelligence that stops advanced threats across cloud, hybrid, and distributed environments. ExtraHop also provides an IoT security solution that is easily deployed to detect threats within IoT ecosystems; it applies machine learning, device profiling, and service-layer discovery to keep IoT networks and devices safe from cyber-attacks.

OPEN DETECTION: -

The overview page of ExtraHop lists the detected exploits ordered by risk score, ranging from 0 to 100, with 100 being the most threatening. The attack categories are shown in a pie chart divided into Exploits, Lateral (movement), Actions, Command and Control (C&C), and Recon. In the observed deployment the counts were:
4 Recon
6 Exploits
0 C&C
0 Lateral
0 Actions

Top Detection: -
The system dashboard groups the company's systems into Network, System Health, Activity, and Security panels.

The Network panel shows the bit rate (max, min, and avg), the number of packets transferred (again as max, min, and avg), and the bytes of frames.

The Activity panel shows the most-used activity in the system and which ports and connections are used the most.

The System Health panel shows the total number of devices and how they are classified: L3 devices, L2 devices, gateway devices, and custom devices.

Detections: -
The Detections page lists the detected exploits, ordered from highest to lowest risk.
The top OFFENDER in the list is LIME, using Shellshock over HTTP.
Shellshock (CVE-2014-6271) is a remote code execution (RCE) vulnerability in the Bourne-Again Shell (Bash) that attackers have been exploiting since 2014. An attacker sends an HTTP request carrying a Shellshock payload to a vulnerable device. On CGI-style web servers the request headers are passed to Bash as environment variables, and a vulnerable Bash executes whatever follows a function definition of the form () { :;}; <exploit command>. The malicious command runs in Bash and typically starts a shell that the attacker connects to in order to run commands remotely on the victim.
The total number of devices is 281.
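As an added example (not from ExtraHop or from the internship report), the following JavaScript shows how the Shellshock header pattern described above can be spotted in raw HTTP requests. The sample requests and host address are constructed for illustration. It goes slightly beyond the User-Agent case in the text by checking every header and the request line, since a CGI server exports all of them into Bash's environment.

```javascript
// Added example: detect Shellshock (CVE-2014-6271) payloads in raw HTTP requests.
// The sample requests below are constructed, not captured from a real network.

// Bash 4.3 and earlier parsed any environment variable whose value began with
// "() {" as a function definition and executed whatever followed the closing "};".
// CGI servers copy request headers into such variables (HTTP_USER_AGENT, HTTP_COOKIE, ...),
// so a header value of the form "() { :;}; <command>" gets <command> executed.
const SHELLSHOCK_RE = /\(\s*\)\s*\{[^}]*\}\s*;/;

// Parse the request line and headers of a raw HTTP/1.x request (the body is ignored).
function parseRequest(raw) {
  const head = raw.split('\r\n\r\n')[0];
  const lines = head.split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // not a "Name: value" header line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { requestLine: lines[0], headers };
}

// Return every field (request line or header) carrying a Shellshock-style function definition.
function findShellshock(raw) {
  const { requestLine, headers } = parseRequest(raw);
  const hits = [];
  if (SHELLSHOCK_RE.test(requestLine)) {
    hits.push({ field: 'request-line', value: requestLine });
  }
  for (const [name, value] of Object.entries(headers)) {
    if (SHELLSHOCK_RE.test(value)) hits.push({ field: name, value });
  }
  return hits;
}

// Summarise a batch of requests the way a detection list would: totals plus offending fields.
function triage(requests) {
  const flagged = requests
    .map((raw, index) => ({ index, hits: findShellshock(raw) }))
    .filter((r) => r.hits.length > 0);
  return { total: requests.length, flagged: flagged.length, details: flagged };
}

// Constructed samples: one benign request and two Shellshock attempts
// (the second varies the whitespace inside the function body).
const SAMPLE_REQUESTS = [
  'GET /cgi-bin/status HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: curl/7.68.0\r\n\r\n',
  'GET /cgi-bin/status HTTP/1.1\r\nHost: 10.0.0.5\r\n' +
    'User-Agent: () { :;}; /bin/bash -c "id"\r\n\r\n',
  'GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: 10.0.0.5\r\n' +
    'Cookie: () { :; }; echo; /bin/cat /etc/passwd\r\n\r\n',
];

console.log(JSON.stringify(triage(SAMPLE_REQUESTS), null, 2));
```

The regex requires the full "() { ... };" prelude rather than just "() {", which keeps false positives low on headers that happen to contain braces. A network sensor like the one described above applies the same idea to decoded HTTP fields rather than raw strings, so it also sees payloads that arrive URL-encoded.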

Threat Quotient

A Platform Designed for Threat-Centric Security Operations

To stop threats more effectively and efficiently, your existing security infrastructure and people need to work smarter, not harder. ThreatQ serves as an open and extensible threat intelligence platform that accelerates security operations. The integrated, self-tuning Threat Library, Adaptive Workbench, ThreatQ Investigations, and Open Exchange allow you to quickly understand threats, make better decisions, and accelerate detection and response.
The three most recent threat actors listed are China, the Russian Federation, and Iran.

The five latest exploit modules listed (these are Metasploit module descriptions, not malware families):

1. Cisco ASA-X with FirePOWER Services Authenticated Command Injection :-

This module exploits an authenticated command injection vulnerability affecting Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's ASDM web server and lands in the FirePOWER Services SFR module's Linux virtual machine as the root user. Access to the virtual machine allows the attacker to pivot to the inside network and access the outside network. Also, the SFR virtual machine is running Snort on the traffic flowing through the ASA, so the attacker should have access to this diverted traffic as well. This module requires ASDM credentials in order to traverse the ASDM interface. A similar attack can be performed via the Cisco CLI (over SSH), although that isn't implemented here. Finally, it's worth noting that this attack bypasses the effects of the `lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be available, but this attack makes it available). Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that support the ASA FirePOWER module.

2. ManageEngine DataSecurity Plus Xnode Enumeration :-

This module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011) in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information including domain names, host names, usernames and SIDs. This module can also be used against patched DataSecurity Plus versions if the correct credentials are provided. By default, this module dumps only the data repositories and fields (columns) specified in the configuration file (set via the CONFIG_FILE option). The configuration file is also used to add labels to the values sent by Xnode in response to a query. It is also possible to use the DUMP_ALL option to obtain all data in all known data repositories without specifying data field names. However, note that when using the DUMP_ALL option, the data won't be labeled. This module has been successfully tested against ManageEngine DataSecurity Plus 6.0.1 (6010) running on Windows Server 2012 R2.

3. ManageEngine ADAudit Plus Xnode Enumeration :-

This module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032) in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information including domain names, host names, usernames and SIDs. This module can also be used against patched ADAudit Plus versions if the correct credentials are provided. By default, this module dumps only the data repositories and fields (columns) specified in the configuration file (set via the CONFIG_FILE option). The configuration file is also used to add labels to the values sent by Xnode in response to a query. It is also possible to use the DUMP_ALL option to obtain all data in all known data repositories without specifying data field names. However, note that when using the DUMP_ALL option, the data won't be labeled. This module has been successfully tested against ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2 and ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.

4. Zyxel Firewall SUID Binary Privilege Escalation :-

This module exploits CVE-2022-30526, a local privilege escalation vulnerability that allows a low-privileged user (e.g. nobody) to escalate to root. The issue stems from a SUID binary that allows all users to copy files as root. This module overwrites the firewall's crontab to execute an attacker-provided script, resulting in code execution as root. In order to use this module, the attacker must first establish shell access, for example by exploiting CVE-2022-30525. Known affected Zyxel models are: USG FLEX (50, 50W, 100W, 200, 500, 700), ATP (100, 200, 500, 700, 800), VPN (50, 100, 300, 1000), USG20-VPN and USG20W-VPN.

5. ICPR Certificate Management :-

Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate template's configuration, the resulting certificate can be used for various operations such as authentication. PFX certificate files that are saved are encrypted with a blank password.

WEB APPLICATION VULNERABILITY SCAN REPORT

NORMAL SCAN OF A WEB APPLICATION
A total of 256 vulnerabilities were found when scanning this web application. The major attack types were XPath Injection, SQL Injection, and HTTP Brute Force, all of which were high-risk findings. The majority of the findings were low risk, and the most common low-risk attack type was HTTPEverywhere.

Vulnerability scan on a demo e-commerce website: high-risk vulnerabilities found.
The high-risk attack types were SessionStrength and FormBruteForce. Many of the vulnerabilities were at the medium risk level.
This Rapid7 tool scans a domain for vulnerabilities and reports the risk level of each finding. It rates findings as high, medium, or low and can generate a report of the vulnerabilities.

We can see the total number of scans and their status, and each scan shows its vulnerability risk. The tool shows the total number of vulnerabilities.

The tool can also be used to test your own website for vulnerabilities.

Scans can be scheduled, and a scan for a domain can be scheduled flexibly.

PERSONAL PROJECT
Over a period of 3 to 4 months I have been working on building my personal portfolio website, showcasing front-end development skills and other skills I am learning as well.

The website has been made using HTML, CSS, Tailwind CSS, and JavaScript.
I used HTML to make a simple nav bar and a body to showcase an introduction to the website.

This is the home page, with a simple nav bar and website introduction; the design was made using Tailwind CSS.

The portfolio page's main idea is to showcase my current skills and the skills I am pursuing. The skills are clickable icons; when clicked, they direct you to a separate page showcasing projects. Since this is a work in progress, the projects part of the website isn't ready yet.

JavaScript code was written to implement security features on the website to protect against cross-site scripting, clickjacking, and SQL injection.
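The following JavaScript is an added example, not the portfolio's own code, of what front-end protections for the two browser-side items above look like: output escaping against cross-site scripting, a frame-busting check against clickjacking, and an inspection of the response headers that make clickjacking protection enforceable. The project card layout, header sets, and sample project data are constructed for illustration. SQL injection is outside what a static front end can prevent; it is addressed on the server with parameterized queries, so it is not shown here.

```javascript
// Added example (not the portfolio's own code): client-side XSS output escaping,
// a frame-busting check for clickjacking, and a review of the response headers
// that actually enforce clickjacking protection. All sample inputs are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text before it is written into HTML via innerHTML or a template.
// Prefer textContent where possible; escaping is for markup that is built by hand.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only allow http(s) or same-site relative links in href. Attribute escaping alone
// does not stop a "javascript:" URL, and "//host" would silently change origin.
function safeHref(url) {
  const u = String(url).trim();
  return /^(https?:\/\/|\/(?!\/))/i.test(u) ? u : '#';
}

// Hypothetical project-card markup that a clickable skill icon would render,
// with every untrusted field escaped and the link scheme restricted.
function renderProjectCard(project) {
  return `<a class="card" href="${escapeHtml(safeHref(project.url))}">` +
         `<h3>${escapeHtml(project.title)}</h3>` +
         `<p>${escapeHtml(project.summary)}</p></a>`;
}

// Frame-busting check: true when this document is not the top-level window,
// i.e. another page has embedded it. `win` is a parameter so the check can run
// outside a browser; in the page, call isFramed(window) and, if true, redirect
// with window.top.location = window.self.location.
function isFramed(win) {
  return win.top !== win.self;
}

// Script-based frame busting is defeated by a sandboxed iframe, so the real control
// is a response header. Inspect a headers object (names are case-insensitive):
// X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive without "*".
function clickjackingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const csp = h['content-security-policy'] || '';
  const fa = /frame-ancestors\s+([^;]+)/i.exec(csp);
  const xFrameOptions = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const cspFrameAncestors = fa !== null && !/(^|\s)\*(\s|$)/.test(fa[1].trim());
  return { xFrameOptions, cspFrameAncestors, protected: xFrameOptions || cspFrameAncestors };
}

// Constructed samples: a response with no framing protection, a hardened one,
// and project data carrying an XSS payload in the title and a javascript: link.
const WEAK_HEADERS = { 'Content-Type': 'text/html' };
const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};
const SAMPLE_PROJECT = {
  title: '<img src=x onerror=alert(1)>',
  summary: 'Portfolio "demo" & test',
  url: 'javascript:alert(document.cookie)',
};

console.log(renderProjectCard(SAMPLE_PROJECT));
console.log(clickjackingProtection(WEAK_HEADERS), clickjackingProtection(HARDENED_HEADERS));
```

The point of the last function is that the JavaScript on the page can only detect framing; the headers returned by the host (GitHub Pages, Netlify, or whichever server serves the portfolio) are what a browser enforces before any script runs.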

The About page is still a work in progress; it will showcase me and my field.
