Cybersecurity Practical JAINI

Nmap is a network scanning tool that can perform various scans like host discovery, port scanning, OS detection, and service/version detection. It works by sending packets to target systems and analyzing their responses. Some key Nmap scanning techniques discussed in the document are: - Host scanning to discover live systems on the network. - Port scanning to identify open/closed ports and services running on them. - UDP scanning to check for open UDP ports. - OS detection to identify the operating system of target systems. - Version scanning to detect software versions of services running on open ports. - Timing scans to control timing parameters for faster/slower scans. Wiresh

Uploaded by

khaabishayar

PRACTICAL FILE

SUBMITTED BY = KHUSHHAL JAIN
SUBMITTED TO = OMKANT SIR
REG NO = 72212726
COURSE = BCA (IBM) CS
1. Network Scanning using NMAP
Nmap ("Network Mapper") is a free and open source utility for network discovery and security
auditing. Many systems and network administrators also find it useful for tasks such as network
inventory, managing service upgrade schedules, and monitoring host or service uptime.

Host Scan

A host scan is used by penetration testers to identify the active hosts in a network by sending ARP
request packets to every system in that network. For each active host that replies with its MAC
address, the result shows the message "Host is up".

Syntax: nmap -sP <target IP range>

nmap -sn <target IP range>

The syntax above shows how to run a host scan with Nmap to discover the live hosts in a network.
Nmap is built into Kali Linux by default; open the terminal and enter the following command, which
sends an ARP request packet to each system one by one.

nmap -sP 192.168.1.1-225

In the image below you can observe the responses Nmap reports for the active hosts.

How it Works

Nmap uses the -sP/-sn flag for a host scan and broadcasts ARP request packets to identify which IP
addresses are allocated to which host machines.

It broadcasts an ARP request for each IP [suppose 192.168.1.100] in the network, which can be given
as an IP range [192.168.1.1-225] or in CIDR notation [192.168.1.1/24 for a class C network], used to
indicate that we want to scan all 256 IPs in our network. Each active host then unicasts an ARP reply
containing its MAC address, which produces the "Host is up" message.
Port Scan / TCP Scan

If penetration testers want to identify whether a particular port on the target machine is open or
closed, they should use an Nmap port scan.

Port Status: After scanning, you may see results with a port status such as filtered, open, closed,
etc. Let me explain these.

- Open: An application is listening for connections on this port.

- Closed: The probes were received, but there is no application listening on this port.

- Filtered: The probes were not received and the state could not be established. It also indicates
  that the probes are being dropped by some kind of filtering.

- Unfiltered: The probes were received, but a state could not be established.

- Open/Filtered: The port is either filtered or open, but Nmap couldn't establish which.

- Closed/Filtered: The port is either filtered or closed, but Nmap couldn't establish which.

Syntax: nmap -p [port number] <target IP range>

nmap -sT -p [port number] <target IP range>

nmap -p135 192.168.1.127

The command above tries to connect to port 135; if the port is open, the result displays the state
"open" as well as the "service" running on that particular port.

How it Works

Nmap uses the argument -p to define the port range to be scanned. This flag can be combined with
any scanning method. In the example above, we used the argument -p135 to tell Nmap that we are
only interested in port 135. You can also apply it to a CIDR range such as 192.168.1.1/24, which
indicates that we want to scan all 256 IPs in our network.

There are several accepted formats for the argument -p:

Port List

nmap -p135,139 192.168.1.127


If penetration testers want to scan more than one port on a target, they should use a port list
scan, where multiple ports can be given for scanning. This scan is quite useful for identifying the
state of several selected ports; it also reports "host is up" if any single port is found to be
open.

Port Range

Using a port range scan you can scan a particular range of ports on the target network as per your
requirement.

nmap -p1-1000 192.168.1.127

The command above scans from port number 1 up to port number 1000 and identifies the state and
service for the open ports.

Syntax: nmap -p- <target>

The syntax above scans all ports of the target. Be patient while executing it, because enumerating
every open port takes some time. Alternatively, you can run the command below, which adds the
parameter "--open" to perform the same task while reporting only the open ports, in order to save
time.

nmap -p1-65535 192.168.1.127 --open
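The port states explained above are what a defender turns into an inventory. The following is an added example (my code, not part of this practical or of Nmap) that parses Nmap's grepable output, as produced with -oG, counts ports per state, and flags open ports that are not on an approved baseline. The scan output, the baseline and the host's expected ports are constructed for illustration.

```python
"""Parse Nmap grepable output (-oG) and flag open ports that are not on an approved
baseline.  Added example; the scan output and the baseline below are constructed
for illustration, not taken from the practical."""
import re
from collections import Counter

# Constructed sample of `nmap -oG -` output for one host (not a real capture).
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sS -p1-1000 -oG - 192.168.1.127\n"
    "Host: 192.168.1.127 ()\tStatus: Up\n"
    "Host: 192.168.1.127 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (995)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Assumed baseline: the (protocol, port) pairs each host is expected to expose.
BASELINE = {"192.168.1.127": {("tcp", 135), ("tcp", 139), ("tcp", 445)}}

# One grepable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_ENTRY = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, state, protocol, service, version), ...]}."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields: Host, then Status or Ports, Ignored State.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]
        entries = results.setdefault(host, [])
        for entry in fields.get("Ports", "").split(", "):
            m = PORT_ENTRY.match(entry.strip())
            if m:
                port, state, proto, service, version = m.groups()
                entries.append((int(port), state, proto, service, version))
    return results


def state_summary(results):
    """Count ports per state (open, closed, filtered, open|filtered, ...)."""
    return Counter(e[1] for entries in results.values() for e in entries)


def unexpected_open_ports(results, baseline):
    """Open ports not on the host's baseline: candidates for an unauthorised
    service, a misconfiguration, or a baseline that needs updating."""
    findings = []
    for host, entries in results.items():
        allowed = baseline.get(host, set())
        for port, state, proto, service, _version in entries:
            if state == "open" and (proto, port) not in allowed:
                findings.append((host, proto, port, service))
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    print(dict(state_summary(scan)))
    for host, proto, port, service in unexpected_open_ports(scan, BASELINE):
        print(f"{host}: unexpected open {proto}/{port} ({service})")
```

Run the scan with -oG scan.gnmap and pass the file's text to parse_grepable; the same check can run on a schedule so that a newly exposed service (here the constructed 3389/tcp) is noticed by the owner before anyone else's scan finds it.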


Specific Ports by Protocols

By default a port scan enumerates the state of TCP ports, but if you want to scan TCP ports as well
as UDP ports then execute the following command (-sU is required for the U: ports to be scanned;
without it they are ignored):

Syntax: nmap -sS -sU -p T:25,U:53 <target>

Port Service name

If you don't know the exact port number to enumerate, you can also give the service name for the
port state scan.

Syntax: nmap -p [service] <target>

nmap -p msrpc 192.168.1.127

From the image you can observe that the same result is obtained by executing the command above
without referring to any port number.

UDP Scan

UDP services are often ignored during penetration tests, but experienced penetration testers know
that they frequently expose essential host information, or can even be vulnerable and used to
compromise a host. This method demonstrates how to use Nmap to list all open UDP ports on a host.

Syntax: nmap -sU <target>

nmap -sU 192.168.1.127

From the image below you can observe the result of the UDP port scan.

nmap -sU -p 137 192.168.1.127

To scan a particular UDP port, use the flag -p for port selection. Here we have chosen port 137,
which is the UDP port of the NetBIOS name service.

There are many ways to perform a UDP scan as per your requirement; for example, see the following
methods:

UDP Port Range

If you want to scan multiple UDP ports or a range of UDP ports, use the -p flag to give the port
range.

Syntax: nmap -p1-500 -sU <target>

All UDP Ports

Syntax: nmap -sU -p- <target>

The syntax above scans all UDP ports of the target.

OS Detection Scan

Specific Port Version Scan

To scan the version of the service on a particular port, add the -p argument to the version scan as
shown below.

Syntax: nmap -sV -p135 <target>

Protocol Scan

Syntax: nmap -sO <target>

The results show which IP protocols the target supports, along with their states.

nmap -sO 192.168.1.254

From the image below you can observe the result of the protocol scan, with entries in the open and
open|filtered states.
Fast Scan

The -F option scans only the ports listed in the nmap-services file (or the protocols file if the
scan type is -sO). This is far faster than scanning all 65,535 ports.

If you compare the scan times of the results above you will notice the time difference between these
scans; note, however, that the fast scan has not shown the open ports of other running services that
the earlier scan did.

Syntax: nmap -F <target>

nmap -F 192.168.1.127

From the image below you can observe a scan time of 14.42 seconds, whereas the scanning method above
[protocol scan] took 307.45 seconds.

Timing Template Scan

The main timing option is set through the -T parameter, for when you want more control over the
timing in order to get the scan done quicker. Nmap also adjusts its timings automatically depending on
network speed and the response times of the target.

Nmap offers a simpler approach with six timing templates. You can specify them with the -T option and
their number (0-5) or their name, as shown below:

- T0: paranoid

- T1: sneaky

- T2: polite

- T3: normal

- T4: aggressive

- T5: insane

Syntax: nmap -T[0-5] <target>

nmap -T4 192.168.1.127

The command above performs an aggressive scan and reduces the scanning time for enumerating the
target system; in the image below you can observe a scan time of 14.36 seconds.

Exclude Scan

There will be circumstances where excluding hosts is required in order to avoid scanning certain
machines, such as a government website or IP for which you have no authorisation, or a host that has
already been scanned. The Nmap option --exclude helps you eliminate a host or a list of hosts from a
complete network scan.

Syntax: nmap <IP range> --exclude <target IP>

The syntax above means: from the given range of IPs, do not scan the excluded target IP, and dump
the scan results for the remaining IPs.

nmap -F 192.168.1.110-255 --exclude 192.168.1.114

Aggressive Scan

This option enables additional advanced and aggressive options. Presently it enables OS detection
(-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). This option only
enables features, not timing options (such as -T4) or verbosity options (-v) that you might want as
well. You can see this by using one of the following commands:

Syntax: nmap -A <target>

nmap -A 192.168.1.127

If you look at the image below, you will observe that the result it produces is the combination of
multiple scans: it dumps the "version" of the running applications, the "OS fingerprint", the
"traceroute" and the "host script scanning" results, which reveal some very essential information
about the host system.
2. Sniffing of Login Credentials or Password Capturing in Wireshark
Wireshark is a free and open-source packet analysis tool that lets you capture and analyze network
traffic in real-time. It is available for Windows, macOS, and Linux operating systems.

Wireshark captures network packets and displays the captured data in a human-readable format for
easy analysis and troubleshooting of network issues. It can scan a variety of network protocols
including TCP, UDP, HTTP, DNS, etc.

Password Capturing

Wireshark can capture not only passwords but any type of information transmitted over the network:
usernames, email addresses, personal information, etc. As long as we can capture the network traffic,
Wireshark can sniff the passwords passing through it. Sniffing can capture passwords for various
protocols such as HTTP, FTP, Telnet, etc.; the captured data can also be used to troubleshoot network
problems.

Step 1: First of all, open the Wireshark tool on your Windows or Linux virtual machine and start
capturing on a network interface. Suppose I am capturing on my Wi-Fi interface.

Step 2: After starting the packet capture, we go to the website and log in with the credentials on
that website, as you can see in the image.

Step 3: Now, after completing the login, we go back and capture the password in Wireshark. For that
we have to use some filters that help find the login credentials in the captured packets.

Step 4: Wireshark has captured many packets, but we are specifically looking for HTTP packets, so in
the display filter bar we enter a filter to find all the captured HTTP packets. You can see in the
image below the green bar where we apply the filter.

http

Step 5: Some HTTP packets have been captured, but we are specifically looking for the form data that
the user submitted to the website. For that, we have a separate filter.

As we know, there are two main methods used for submitting form data from web pages such as login
forms to the server. The methods are:

- GET

- POST

Step 6: So first, to find the credentials, we use the first method and apply the filter for GET
requests, as you can see below.

http.request.method == "GET"

GET method

As you can see in the image, there are two packets where the login page was requested with a GET
request, but no form data was submitted with a GET request.

Step 7: Now, after checking the GET method, if we did not find the form data, we try the POST method.
For that we apply the following filter in Wireshark, as you can see.

http.request.method == "POST"

As you can see, we have a packet with form data. Click on the packet with the user info and expand
the "HTML Form URL Encoded: application/x-www-form-urlencoded" section in the packet details, where
the login credentials are found. They are the same credentials that we filled in on the website in
Step 2.

Form item: "uname" = "Tonystark_44"

Form item: "pass" = "tony@1234"
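The capture above works because the form was submitted over plain HTTP. As an added example (not from the practical), the following code does the reverse job from a defender's side: it parses one reassembled HTTP request of the same shape and reports credential-looking fields with their values redacted, which is the kind of check a network monitor can run to find applications that still accept logins in cleartext. The request bytes and the field-name heuristics are constructed.

```python
"""Flag credential submissions that cross the wire in cleartext HTTP.
Added example, not from the practical: it parses one reassembled HTTP request
(as Wireshark would show it under "HTML Form URL Encoded") and reports which
form fields look like credentials, with the values redacted so the alert itself
does not leak them.  The request and the field-name heuristics are constructed."""
from urllib.parse import parse_qs

# Constructed request using the same field names the practical's capture shows.
SAMPLE_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: testsite.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"uname=Tonystark_44&pass=tony%401234"
)

# Heuristic field names (assumption): substrings that mark secrets and identities.
SECRET_NAMES = ("pass", "pwd", "secret", "token", "otp")
IDENTITY_NAMES = ("user", "uname", "login", "email")


def parse_http_request(raw):
    """Split a raw request into (method, target, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_field(name):
    """'secret', 'identity' or None, by field-name heuristic."""
    lowered = name.lower()
    if any(s in lowered for s in SECRET_NAMES):
        return "secret"
    if any(s in lowered for s in IDENTITY_NAMES):
        return "identity"
    return None


def redact(value):
    """Keep only the first character and the length, enough to correlate."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_cleartext_credentials(raw, scheme="http"):
    """Return findings for credential-looking form fields sent over plain HTTP.
    Over https the body is encrypted and a passive observer sees nothing, so
    the check only applies when the capture came in as cleartext."""
    method, target, headers, body = parse_http_request(raw)
    if scheme != "http" or method != "POST":
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    form = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    findings = []
    for field, values in form.items():
        kind = classify_field(field)
        if kind:
            findings.append({
                "host": headers.get("host", ""),
                "path": target,
                "field": field,
                "kind": kind,
                "value": redact(values[0]),
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_REQUEST):
        print(f"{f['kind']:8} {f['field']}={f['value']} -> {f['host']}{f['path']}")
```

The fix on the application side is to serve the login form over HTTPS only (with HSTS so the browser never falls back), which is why the function reports nothing for scheme="https": a passive capture of the TLS session contains no readable form body.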

3. Slowloris DDoS Attack Tool in Kali Linux

Slowloris is a free and open source tool available on GitHub. We can perform a denial of service
attack using this tool. It is a framework written in Python. This tool allows a single machine to
take down another machine's web server using perfectly legitimate HTTP traffic. It makes a full TCP
connection and then requires only a few hundred requests at long-term and regular intervals. As a
result, the tool does not need to generate a lot of traffic to exhaust the available connections on
a server.

Uses of Slowloris:

- Slowloris sends multiple requests to the target and, as a result, generates heavy traffic like a
  botnet.

- Slowloris can be used to perform DDoS attacks on any web server.

- It is an open-source tool, so you can download it from GitHub free of cost.

- It uses perfectly legitimate HTTP traffic.

- A denial of service attack can be executed with the help of Slowloris by generating heavy botnet
  traffic.

Installation and step-by-step implementation of Slowloris tool:

Step 1: Open your Kali Linux and then Open your Terminal.

Step 2: Create a new Directory on Desktop named Slowloris using the following command.

mkdir Slowloris

Step 3: Move to the directory that you have to create (Slowloris).

cd Slowloris

Step 4: Now you have to clone the Slowloris tool from GitHub so that you can install it on your Kali
Linux machine. For that, you only have to type the following command in your terminal within the
Slowloris directory that you have created.

git clone https://github.com/gkbrk/slowloris.git

You have successfully installed the Slowloris tool on your Kali Linux. Now it is time to perform a
denial of service using the following steps.

Step 5: Now go to the Action bar and click on "split terminal vertically"; you will see that two
terminal screens have been opened.

Step 6: Now you have to check the IP address of your machine; to do that, type the following
command.

ifconfig

Step 7: As you can see, we got our IP address. Now it is time to start the Apache server using the
following command.

sudo service apache2 start

Step 8: Now we have to check whether the server is active or not; to check the status of your server,
run the following command.

service apache2 status

Step 9: We can see that our server has active status, which means it is running properly. Now come
back to the first terminal and, to check permissions, run the following command.

ls -l

Step 10: Now it’s time to run the tool using the following command.

python3 slowloris.py (your ip address) -s 500


Step 11: You can see the tool has started attacking the IP address we gave it. Now, to check whether
it is working or not, go to your browser and type that IP address in the URL bar; you will see that
the site keeps loading but never opens. This is how the Slowloris tool works.

As you can see, the browser keeps waiting because it is not able to load the page; this is because
the denial of service attack is happening behind the browser using the Slowloris tool. If you want to
attack a live website, you can give the domain name of that website to the Slowloris tool instead of
the IP address of the system. Slowloris tool will start attacking that
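The browser hangs above because Slowloris holds connections open by never finishing the request header. The server-side counterpart is an added example (not from the practical or from the slowloris project): read_request_header gives each connection a fixed deadline for the whole header and a size cap, so a connection that trickles partial headers is dropped instead of tying up a worker. The deadline values and the socketpair harness are assumptions for illustration.

```python
"""Server-side mitigation for slow-header (Slowloris-style) connections.
Added example, not from the practical or the slowloris project: a server
should only commit a worker to a connection once the complete request header
has arrived within a fixed deadline.  Deadlines and the harness are assumed."""
import socket
import time

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 8192  # caps memory held per half-finished connection


def read_request_header(conn, deadline_seconds=5.0, max_bytes=MAX_HEADER_BYTES):
    """Return the header block (without the blank line) or None.

    None means the client did not finish the header before the deadline,
    sent too much, or went away.  The deadline covers the whole header, not
    each recv(), so sending one byte every few seconds cannot keep the slot
    open indefinitely, which is exactly the trick Slowloris relies on."""
    deadline = time.monotonic() + deadline_seconds
    buf = bytearray()
    while HEADER_END not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0 or len(buf) > max_bytes:
            return None
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return None
        if not chunk:  # peer closed before finishing the header
            return None
        buf += chunk
    return bytes(buf[: buf.index(HEADER_END)])


def simulate_client(client_bytes, deadline_seconds):
    """Harness: the 'client' sends client_bytes and then goes quiet, which is
    how a slow-header client behaves; returns read_request_header's verdict."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(client_bytes)
        return read_request_header(server_side, deadline_seconds)
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    partial = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: 1\r\n"  # never terminated
    print("partial header dropped:", simulate_client(partial, 0.5) is None)
    complete = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    print("complete header accepted:", simulate_client(complete, 0.5))
```

Production servers expose the same control as configuration rather than code: Apache's mod_reqtimeout (the RequestReadTimeout directive) and nginx's client_header_timeout set the header deadline, and a per-IP connection limit caps how many slots one client can hold at once.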

4. Create a Phishing Link with ZPHISHER and Distribute It / LOCALHOST via NGrok

Zphisher is a powerful open-source phishing tool. It has become very popular nowadays and is used
to perform phishing attacks on a target. Zphisher is easier to use than the Social Engineering
Toolkit. It contains templates generated by the tool itself and offers phishing web page templates
for 33 popular sites such as Facebook, Instagram, Google, Snapchat, GitHub, Yahoo, Proton Mail,
Spotify, Netflix, LinkedIn, WordPress, Origin, Steam, Microsoft, etc. It also provides an option to
use a custom template if someone wants one. This tool makes it easy to perform a phishing attack.
Using this tool you can perform phishing over a WAN (wide area network). This tool can be used to
get credentials such as an ID and password.

Uses and Features of Zphisher:

- Zphisher is an open source tool.

- Zphisher is a tool for Kali Linux.

- Zphisher is used in phishing attacks.

- Zphisher is a very simple and easy tool.

- Zphisher is a lightweight tool; it does not take extra space.

- Zphisher is written in bash.

- Zphisher creates phishing pages for more than 33 websites.

- Zphisher creates phishing pages of popular sites such as Facebook, Instagram, Google, Snapchat,
  GitHub, Yahoo, Protonmail, Spotify, Netflix, LinkedIn, WordPress, Origin, Steam, Microsoft, etc.

Installation:

Step 1: To install the tool, first go to the Desktop directory and then install the tool using the
following commands.

cd Desktop

git clone git://github.com/htr-tech/zphisher.git

cd zphisher

Step 2: Now you are in the zphisher directory; use the following command to run the tool.

bash zphisher.sh

Step 3: The tool has started running successfully. Now you have to choose from the tool's options the
site for which you want to make the phishing page.

Step 4: From these options, choose the number of the site for which you want to create a phishing
page. Suppose you want to create a phishing page for Instagram: then choose option 2.

Step 5: Now you can see that, to attract the victim, it offers 4 different web templates. You can
choose any option from here. Suppose you want to choose the first option: then type 1.

Example 1: Using the Zphisher tool, create a phishing page for Instagram and get the credentials
(user ID and password) of the victim.

After launching the tool you will see this interface.

You can send any of the links to the victim. Once he/she enters his/her ID and password, it will be
reflected in the terminal.

You can see that the link we have opened is ezlikers. This is the phishing page we have opened. Now
the user has to enter his/her ID and password.

We got the details of the ID and password here. This is how you can perform phishing using zphisher:
send one of these links to the victim, and once the victim clicks on the link and types the ID and
password, it is reflected on the terminal itself. This is one of the best tools that can be used for
phishing attacks, and you can choose the option as per your requirement.
5. How to Use SQLMAP to Test a Website for SQL Injection Vulnerability

This article explains how to test whether a website is safe from SQL injection using the SQLMAP
penetration testing tool.

What is SQL Injection?

SQL Injection is a code injection technique where an attacker executes malicious SQL queries that
control a web application's database. With the right set of queries, a user can gain access to
information stored in databases. SQLMAP tests whether a 'GET' parameter is vulnerable to SQL
Injection.

For example, consider the following PHP code segment:

$variable = $_POST['input'];

mysql_query("INSERT INTO `table` (`column`) VALUES ('$variable')");

If the user enters "value'); DROP TABLE table;--" as the input, the query becomes

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

which is undesirable for us, as here the user input is compiled directly into the pre-written SQL
query. Hence the user is able to enter whatever SQL is required to manipulate the database.

Where can you use SQLMAP?

If you observe a web URL of the form http://testphp.vulnweb.com/listproducts.php?cat=1, where cat=1
is the 'GET' parameter, then the website may be vulnerable to this mode of SQL injection, and an
attacker may be able to gain access to information in the database. Furthermore, SQLMAP works when
the site is PHP based.

A simple test to check whether your website is vulnerable would be to replace the value in the GET
request parameter with an asterisk (*). For example,

http://testphp.vulnweb.com/listproducts.php?cat=*

If this results in an error such as the one given above, then we can conclusively say that the
website is vulnerable.

Installing sqlmap

SQLMAP comes pre-installed with Kali Linux, which is the preferred choice of most penetration
testers. However, you can install sqlmap on other Debian-based Linux systems using the command

sudo apt-get install sqlmap

Usage

In this article, we will make use of a website that is designed with vulnerabilities for demonstration
purposes:

http://testphp.vulnweb.com/listproducts.php?cat=1

As you can see, there is a GET request parameter (cat = 1) that can be changed by the user by
modifying the value of cat. So this website might be vulnerable to SQL injection of this kind.

To test for this, we use SQLMAP. To look at the set of parameters that can be passed, type in the
terminal:

sqlmap -h

The parameters that we will use for the basic SQL injection are shown in the picture above. Along
with these, we will also use the --dbs and -u parameters, the usage of which is explained in Step 1.
Using SQLMAP to test a website for SQL Injection vulnerability:

Step 1: List information about the existing databases

First, we have to enter the web URL that we want to check along with the -u parameter. We may also
use the --tor parameter if we wish to test the website using proxies. Now, typically, we would want
to test whether it is possible to gain access to a database, so we use the --dbs option to do so;
--dbs lists all the available databases.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

We get the following output, showing us that there are two available databases. Sometimes the
application will tell you that it has identified the database and ask whether you want to test other
database types; you can go ahead and type 'Y'. Further, it may ask whether you want to test other
parameters for vulnerabilities; type 'Y' here as well, as we want to test the web application
thoroughly.

We observe that there are two databases, acuart and information_schema.

Step 2: List information about the tables present in a particular database

To try and access any of the databases, we have to slightly modify our command. We now use -D to
specify the name of the database that we wish to access, and once we have access to the database we
would want to see whether we can access the tables. For this, we use the --tables query. Let us access
the acuart database.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

In the picture above, we see that 8 tables have been retrieved. So now we definitely know that the
website is vulnerable.

Step 3: List information about the columns of a particular table

If we want to view the columns of a particular table, we can use the following command, in which we
use -T to specify the table name and --columns to query the column names. We will try to access the
table 'artists'.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists --columns

Step 4: Dump the data from the columns

Similarly, we can access the information in a specific column by using the following command, where
-C can be used to specify multiple column names separated by commas, and the --dump query retrieves
the data.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists -C aname --dump

From the picture above, we can see that we have accessed the data from the database. Similarly, in
such vulnerable websites, we can explore through the databases to extract information.

Prevent SQL Injection

SQL injection is effectively prevented through prepared statements. With this approach, a template
for the query is employed, separating the SQL code from the user input. Unlike the direct insertion
of user input into the query shown in the earlier example, prepared statements use a placeholder for
the user input. The SQL query is sent separately from the actual user input, reducing the risk of
executing malicious code.

Consider the following PHP code segment (the connection string is a placeholder).

$db = new PDO('connection details');

$stmt = $db->prepare("SELECT name FROM users WHERE id = :id");

$stmt->execute(array(':id' => $data));

In this code, the user input is not combined with the prepared statement; they are compiled
separately. So even if malicious code is entered as user input, the program will simply treat the
malicious part as a string value and not as a command.
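To make the difference between the two PHP snippets concrete, here is an added example (mine, not from the article) in Python with sqlite3 so that it runs offline: the same lookup written by pasting the input into the SQL text and written with a bound parameter, exercised with an ordinary id and with a Boolean-style injection input. The users table and its rows are constructed.

```python
"""The page's vulnerable and prepared PHP snippets, side by side in Python/sqlite3.
Added example (not from the article); the users table and its rows are constructed."""
import sqlite3


def make_db():
    """In-memory database with a small constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def lookup_vulnerable(db, user_id):
    """Mirrors mysql_query("... '$variable'"): the input becomes part of the SQL
    text, so it can change the structure of the query, not just a value."""
    sql = "SELECT name FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def lookup_prepared(db, user_id):
    """Mirrors $db->prepare(...) / execute(): the statement is compiled with a
    placeholder and the input is bound afterwards, purely as data."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (user_id,))]


def lookup_validated(db, user_id):
    """Defence in depth: an id is an integer, so anything else is rejected
    before it reaches the database at all."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_prepared(db, user_id)


if __name__ == "__main__":
    db = make_db()
    ordinary, injected = "2", "2 OR 1=1"
    print("vulnerable, ordinary :", lookup_vulnerable(db, ordinary))
    print("vulnerable, injected :", lookup_vulnerable(db, injected))  # every row
    print("prepared,   ordinary :", lookup_prepared(db, ordinary))
    print("prepared,   injected :", lookup_prepared(db, injected))    # no row
```

The bound version returns no row for the injected input because the whole string is compared as a value of the id column and never parsed as SQL; the validated variant rejects it earlier still, since an id that is not an integer has no legitimate use, which also keeps such requests out of the database's error log.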
6. The Volatility Foundation - Open Source Memory Forensics
1. What is the Operating System of this Dump file? (OS name)

Volatility needs profiles to work. When we have the memory image file we want to analyze, we first
need to run the command below:

$ volatility -f victim.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kali/Downloads/Capture-The-Flag/Forensics/victim.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028420a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002843d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-05-02 18:11:45 UTC+0000
     Image local date and time : 2019-05-02 11:11:45 -0700

Once this command is run, Volatility will identify the system the memory image was taken from,
including the operating system, version, and architecture. Volatility will suggest the recommended
profile and when running any other command on this memory image we need to provide the profile
as well. The suggested profile is Win7SP1x64 and we can therefore say that the OS of this dump file
is Windows.

2. What is the PID of SearchIndexer?

We can identify the process ID (PID) of the SearchIndexer process by using the pslist plugin provided
by Volatility. We use the profile Win7SP1x64 identified earlier and specify the pslist plugin, as seen
in the command below:

volatility -f victim.raw --profile=Win7SP1x64 pslist

Looking through the output, we can see the SearchIndexer process and its PID.

We can look down through the output and, based on the Access Date field, identify the last directory
accessed by the user. After some searching, I found the following directory:

Volatility “shellbags” plugin output.

Task 2: Volatility Forensics (Contd.)

4. There are many suspicious open ports; which one is it? (ANSWER format: protocol:port)

We can use the netscan plugin to identify network connections:

volatility -f victim2.raw --profile=Win10x64_17134 netscan

This returns a large number of network connections but it is difficult to identify which ones are
suspicious based on this output alone. To narrow down my options, I decided to use
the malfind plugin to detect any code injections:

Code Injection is the general term for attack types which consist of injecting code that is then
interpreted/executed by the application. This type of attack exploits poor handling of untrusted data.
These types of attacks are usually made possible due to a lack of proper input/output data validation.

volatility -f victim2 --profile=Win7SP1x64 malfind

The output from the malfind plugin may contain false positives. The plugin found 3 malicious PIDs
where code injection was detected (i.e. 1860, 1820 and 2464):

Process: explorer.exe Pid: 1860 Address: 0x3ee0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: explorer.exe Pid: 1860 Address: 0x3f90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: svchost.exe Pid: 1820 Address: 0x24f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: svchost.exe Pid: 1820 Address: 0x4d90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: wmpnetwk.exe Pid: 2464 Address: 0x280000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Looking back at the output for network connections, I can see a network connection for
wmpnetwk.exe (PID 2464), marking it as suspicious and the answer for this question:

Volatility “netscan” plugin output.


5. Vads tag and execute protection are strong indicators of malicious processes; can you find which
they are? (ANSWER format: Pid1;Pid2;Pid3)

We have already answered this question while trying to answer question 4 above. We can find the
three malicious process IDs (PID) by using the malfind plugin, as seen earlier above.
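The two plugins' outputs above are read by eye in the write-up. As an added example (not from the write-up or from Volatility), the following code automates that triage: it keeps the PIDs that malfind reports with a VadS region mapped PAGE_EXECUTE_READWRITE, formats them in the question's Pid1;Pid2;Pid3 form, and cross-references them with netscan to find which of them has a remote network endpoint. Both samples are constructed in the shape of Volatility 2 text output; the PIDs 1860, 1820 and 2464 follow the write-up, while the addresses, endpoints and the extra decoy entry are invented.

```python
"""Triage of malfind and netscan output.  Added example, not from the write-up
or from Volatility; both samples are constructed in the shape of Volatility 2
text output (PIDs follow the write-up, addresses and endpoints are invented)."""
import re

MALFIND_SAMPLE = """\
Process: explorer.exe Pid: 1860 Address: 0x3ee0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: svchost.exe Pid: 1820 Address: 0x24f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: wmpnetwk.exe Pid: 2464 Address: 0x280000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Process: notepad.exe Pid: 3100 Address: 0x1f0000
Vad Tag: Vad Protection: PAGE_EXECUTE_WRITECOPY
"""
# The notepad.exe entry is a constructed decoy so the filter has something to reject.

NETSCAN_SAMPLE = """\
Offset(P)  Proto  Local Address  Foreign Address  State  Pid  Owner  Created
0x1e3b0010 TCPv4 192.168.1.5:49200 203.0.113.7:443 ESTABLISHED 2464 wmpnetwk.exe 2019-05-02 18:10:01 UTC+0000
0x1e4c2a90 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 708 svchost.exe 2019-05-02 17:59:30 UTC+0000
0x1e5d0c80 UDPv4 0.0.0.0:1900 *:* 1820 svchost.exe 2019-05-02 18:00:12 UTC+0000
"""

PROCESS_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag: (\S+) Protection: (\S+)")


def injected_pids(malfind_text):
    """{pid: process name} for processes with a VadS region that is
    PAGE_EXECUTE_READWRITE, the combination the question calls out."""
    hits = {}
    current = None
    for line in malfind_text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = VAD_RE.match(line)
        if m and current and (m.group(1), m.group(2)) == ("VadS", "PAGE_EXECUTE_READWRITE"):
            hits[current[1]] = current[0]
    return hits


def pid_answer(hits):
    """Format in the question's Pid1;Pid2;Pid3 form, ascending."""
    return ";".join(str(pid) for pid in sorted(hits))


def parse_netscan(netscan_text):
    """Rows of netscan as dicts; TCP rows carry a State column, UDP rows do not."""
    rows = []
    for line in netscan_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[1].startswith(("TCP", "UDP")):
            continue
        proto, local, foreign = f[1], f[2], f[3]
        if proto.startswith("TCP"):
            state, pid, owner = f[4], int(f[5]), f[6]
        else:
            state, pid, owner = "", int(f[4]), f[5]
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid, "owner": owner})
    return rows


def suspicious_connections(malfind_text, netscan_text):
    """Connections owned by an injected process that have a remote endpoint
    (listeners and unbound UDP sockets are left out)."""
    hits = injected_pids(malfind_text)
    return [r for r in parse_netscan(netscan_text)
            if r["pid"] in hits
            and r["foreign"] != "*:*"
            and not r["foreign"].startswith(("0.0.0.0:", ":::"))]


if __name__ == "__main__":
    print("injected PIDs:", pid_answer(injected_pids(MALFIND_SAMPLE)))
    for r in suspicious_connections(MALFIND_SAMPLE, NETSCAN_SAMPLE):
        print(f"{r['owner']} (PID {r['pid']}) {r['proto']} {r['local']} -> {r['foreign']} {r['state']}")
```

On a real image, pipe each plugin's output to a file (volatility ... malfind > malfind.txt) and pass the file contents to these functions; the remote endpoint of any hit is then the first thing to check against threat intelligence, before the process dump is examined with strings as the write-up does next.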

To uncover Indicators of Compromise (IoC) from the malicious processes, utilize the following
commands:

strings 2464.dmp 1860.dmp 1820.dmp | grep "www.go" | grep "ru"

strings 2464.dmp 1860.dmp 1820.dmp | grep "www.i" | grep "com"

strings 2464.dmp 1860.dmp 1820.dmp | grep "www.ic"

strings 2464.dmp 1860.dmp 1820.dmp | grep "202." | grep "233."

strings 2464.dmp 1860.dmp 1820.dmp | grep ".200" | grep ".164"

strings 2464.dmp 1860.dmp 1820.dmp | grep "209" | grep ".190"

To identify the unique environment variable of PID 2464, use the envars plugin with -p to restrict
the output to that process:

volatility -f ../victim3.raw --profile=Win7SP1x64 envars -p 2464

Review the output to find the distinctive environment variable associated with PID 2464.
7. Autopsy - Digital Forensic
What is Autopsy?

“Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital
forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what
happened on a computer. You can even use it to recover photos from your camera’s memory card.”
— Official Website

Basically, the autopsy is a free open-source tool that supports a wide range of other digital forensics
modules and tools.

Autopsy is computer software that makes it simpler to deploy many of the open-source
programs and plugins used in The Sleuth Kit.[1] The graphical user interface displays the results of
the forensic search of the underlying volume, making it easier for investigators to flag pertinent
sections of data. The tool is largely maintained by Basis Technology Corp. with the assistance of
programmers from the community.

Features

 Multi-User Cases: Collaborate with fellow examiners on large cases.

 Timeline Analysis: Displays system events in a graphical interface to help identify activity.

 Keyword Search: Text extraction and index searched modules enable you to find files that
mention specific terms and find regular expression patterns.

 Web Artifacts: Extracts web activity from common browsers to help identify user activity.

 Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.

 LNK File Analysis: Identifies shortcuts and accessed documents.

 Email Analysis: Parses MBOX format messages, such as Thunderbird.

 EXIF: Extracts geo location and camera information from JPEG files.

 Media Playback and Thumbnail viewer.

 Robust File System Analysis: Support for common file systems, including NTFS,
FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4 and Yaffs2.

 Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types
in many languages.

 File Type Detection based on signatures and extension mismatch detection.

 Interesting Files Module will flag files and folders based on name and path.

 Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and
more.

How to install Autopsy?

Autopsy comes preinstalled in Kali Linux, although it is highly recommended to use Autopsy on
Windows for a better GUI experience.
Official Website – https://www.autopsy.com/download/

You can download Autopsy for either Windows architecture, 64-bit or 32-bit. There is also a .deb
package that you can use to install it on Linux.

Download it for Windows and install it like any other program with the installer.

Autopsy Demo

In this section, we are going to see a small demo of how to add the image source file and create a
case in Autopsy for further investigation.

For this demo, we are going to use a free memory sample.

You can find all the free memory samples here to test any of the digital forensics tools.

This is how the Autopsy screen looks after running the program. Now we have to create a new
case here.

After clicking New Case, fill in the required information, such as the case number, the base directory
and all the other necessary details.

Now, after filling in the information, we arrive at this screen, where we have to select Add Data Source
and then select the host. Use Generate new host to create a new host for new cases.

Now we have to select the type of source we are adding. In this demo, I am adding a disk image file,
so I will select the first option. Then click Next.

Here we have to select the location of the image file that we want to analyze. Then click Next.

In this panel, we have to select the ingest modules, that is, the things we want to extract from the
image file, and click Next.

Note

Never select all the ingest modules when analyzing a big file, because ingestion may take a lot of time.

Now it will run the selected ingest modules and give you the results.

So, this is how the results look, and here we can analyze all the things we need.
For example, this is how we can analyze the deleted files from the disk. This process is known as File
Carving, and we can do it that easily in Autopsy.

This is the list of things we can extract and analyze from a disk image file.

So, this is it for this demo. You can try downloading different images and try it yourself in
Autopsy.

8. Credential Harvesting via MiTM - Burp Suite

**Burp Suite Credential Harvesting Tutorial Overview:**

In the realm of cybersecurity, penetration testers employ credential harvesting to assess system
vulnerabilities. Burp Suite, a renowned web vulnerability scanner, offers advanced features for
credential harvesting through Man-in-the-Middle (MiTM) attacks. This tutorial explores the
sophisticated applications of Burp Suite for credential harvesting, outlining the steps involved.

**1. Enabling Routing for Traffic Interception:**

- Execute `echo 1 > /proc/sys/net/ipv4/ip_forward` in the terminal to enable IP forwarding.

- Ensure connectivity by verifying IP forwarding on the attacking machine.

**2. Configuring IP Tables for Traffic Redirection:**

- Redirect outbound HTTP (port 80) and HTTPS (port 443) requests to the attacking machine.

- Use `iptables` commands, replacing 'x.x.x.x' with the attacking machine's IP.

**3. Configuring Burp Suite for Credential Harvesting:**

- Launch Burp Suite, navigate to 'Proxy' > 'Options' > 'Add' (port '443' for HTTPS, '80' for HTTP).

- Listen on all interfaces, enable 'Invisible Proxy Support', and configure an SSL certificate if available.

**4. Poisoning ARP Cache with ARPSpoof:**

- Use `arpspoof` to poison the victim's ARP cache, redirecting traffic through the attacking machine.

- Exercise caution to minimize collateral damage.

**5. Harvesting Credentials with Burp Suite:**

- Monitor alerts in Burp Suite for connectivity issues.

- View harvested credentials within POST requests in the Burp Suite interface.

- Identify users authenticating with sensitive information.
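The poisoning in step 4 only works because the victim's ARP cache ends up mapping the gateway's IP to the attacking machine's MAC. As an added example, not part of this tutorial, here is a defender-side check in Python that compares two snapshots of a host's ARP cache in `arp -n` layout; the addresses and MACs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed "arp -n" style snapshots of a host's ARP cache (made-up addresses):
# the second one shows the gateway 192.168.56.1 suddenly resolving to the MAC
# already used by 192.168.56.20, which is what ARP cache poisoning looks like.
ARP_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.56.1             ether   08:00:27:aa:aa:01   C                     eth0
192.168.56.20            ether   08:00:27:bb:bb:02   C                     eth0
"""
ARP_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.56.1             ether   08:00:27:bb:bb:02   C                     eth0
192.168.56.20            ether   08:00:27:bb:bb:02   C                     eth0
"""

ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\s", re.I)

def parse_arp(text):
    """Return {ip: mac} from an arp -n listing; header and other lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_alerts(before, after):
    """Compare two snapshots and report the two classic poisoning signs:
    an IP whose MAC changed, and one MAC that now answers for several IPs."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            alerts.append(f"{ip}: MAC changed {old} -> {mac}")
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for several IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for alert in arp_alerts(parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)):
        print("ALERT:", alert)
```

The same two checks are what static ARP entries for the gateway, or switch features such as Dynamic ARP Inspection, enforce on the network side.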


9. Dictionary attack using Burp Suite

Burp Suite facilitates password brute-forcing through features like dictionary attacks and exhaustive
brute-force attacks:

1. **Dictionary Attack:**

- Try a list of common passwords, which is what gives a dictionary attack its name.

- Follow these steps:

- Send the login form submission request to Burp Intruder.

- In the Intruder > Positions tab, choose the Sniper attack type.

- Highlight the password value, click Add § to mark it as a payload position, ensuring a valid
username (e.g., wiener).

2. **Exhaustive Brute-Force Attack:**

- Attempt every permutation of a character set.

- Note: Real-world execution may require bypassing defenses like rate limiting.

- Reference the Web Security Academy's Authentication topic for ideas.

**Before Starting:**

- Identify valid usernames for the target website (e.g., assume wiener is valid).

- For comprehensive login attempts, refer to Brute-forcing a login with Burp Suite.

Note: The examples are simplified, and real-world execution may involve additional considerations
like bypassing rate limiting.

1. Go to the Payloads tab. Under Payload settings [Simple list], add a list of passwords that you
want to test. Ideally, sort the list in order of how likely you think the password is to be
correct. This could be based on prior knowledge of the user in question or just how common
the password is in general.

 If you're using Burp Suite Professional, you can open the Add from list dropdown
menu and select the Passwords list.

 If you're using Burp Suite Community Edition, manually add a list of potential
passwords.

2. Click Start attack. The attack starts running in the new dialog. Intruder sends a request for
each password in the list.

3. When the attack is finished, study the responses to look for any behavior that may indicate a
valid password. For example, look for any anomalous error messages, response times, or
status codes. In the example below, one of the requests has received a 302 response.

4. To investigate the contents of a response in detail, right-click and select Send to Comparer
(response). Do the same for the original response.

5. Go to the Comparer tab. Select the two responses and click Words or Bytes to compare the
responses. Any differences are highlighted.

Running an exhaustive brute-force attack

Another approach is to attempt every possible permutation of a character set. This enables you to
brute-force passwords that don't necessarily appear in a wordlist. However, for longer passwords and
larger character sets, this type of attack is often impractical due to the number of requests needed.
For example, an alphabetical password with five characters has over 11 million possible
combinations. It's often better to try running a dictionary attack first.

1. Send the request for submitting the login form to Burp Intruder.

2. In the request, highlight the password value and click Add § to mark it as a payload position.
Make sure that you're using a valid username.

3. Go to the Payloads tab. Under Payload sets, select the payload type Brute forcer.

4. Under Payload settings [Brute forcer], enter the full character set and set the minimum and
maximum password length that you want to test. If you're able to create your own account
on the site, you can potentially get clues about the password requirements to help you
determine the appropriate values.

5. Click Start attack. The attack starts running in the new dialog. Intruder sends a request for
every possible password based on your settings.

6. When the attack is finished, study the responses to look for any behavior that may indicate a
valid password.

7. To investigate the contents of a response in detail, right-click and select Send to Comparer
(response). Do the same for the original response.

8. Go to the Comparer tab. Select the two responses and click Words or Bytes to compare the
responses. Any differences are highlighted.
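The success indicator both procedures above look for, a lone 302 among a run of 200s, is just as visible on the server side. As an added example that is not part of the Burp documentation, here is Python that parses constructed access-log lines in Common Log Format and flags a source that fails the login form repeatedly within a short window, which is the condition the rate limiting mentioned in the note is meant to catch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (Common Log Format, made-up values) showing an
# Intruder-style run: one source sends many POST /login requests within seconds,
# each failure answered with 200 and the one correct guess with a 302 redirect.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 1204
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 1204
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 200 1204
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 200 1204
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 200 1204
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def parse_log(text):
    """Return a list of (ip, timestamp, method, path, status) per well-formed CLF line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            events.append((ip, when, method, path, int(status)))
    return events

def login_bruteforce(events, path="/login", window_s=60, max_failures=5):
    """Flag sources with >= max_failures failed POSTs to the login form inside
    window_s seconds, and record whether a 302 (success) followed them."""
    attempts = defaultdict(list)
    for ip, when, method, p, status in events:
        if method == "POST" and p == path:
            attempts[ip].append((when, status))
    findings = {}
    for ip, tries in sorted(attempts.items()):
        tries.sort()
        fails = [t for t, s in tries if s != 302]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if (t - start).total_seconds() <= window_s]
            if len(burst) >= max_failures:
                success = any(s == 302 and t >= start for t, s in tries)
                findings[ip] = {"failures": len(burst), "success_after": success}
                break
    return findings
```

A source that trips the threshold and then receives a 302 is the case to escalate first, since the guess succeeded before any lockout applied.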

10. IBM QRadar: Installation

Requirements:

- Memory: 8 GB RAM (10 GB with apps)

- Disk Space: 250 GB

- CPU: 2 cores (minimum) or 6 cores (recommended)

- Network: 1 adapter with internet

Downloads:

- [QRadar CE OVA](https://www.ibm.com/community/qradar/ce/)

Procedure:

1. Import OVA:

- Download OVA file.

- Import to VM.

2. Setup:

- Log in as root, set password.

- Run setup: `./setup`.

3. Accept EULA:

- CentOS: Enter.

- QRadar CE:

- Space to advance.

- 'q' to bring up the EULA prompt.

- Enter to confirm.

4. Continue:

- 'Y' to proceed.

5. Admin Password:

- Enter strong password:

- Min 5 chars.

- No spaces.

- Special: @, #, ^, *.

6. Access Web Interface:

- Log in at https://<ip>/console.
