Cybersecurity Workshop

Ansh Kasaudhan
(2203491550011)

2023-2024

Cyber Security Workshop

Under the Guidance Of
Mr. Anand Prakash Dwivedi Sir
INTRODUCTION

This cybersecurity lab report explores key concepts and techniques for protecting digital assets from cyber
threats. Through practical exercises, we examine network security, encryption, intrusion detection, and ethical
hacking. The report aims to enhance understanding of vulnerabilities, threat mitigation, and security protocols
essential for safeguarding information systems. By applying theoretical knowledge to real-world scenarios, this
lab underscores the critical importance of robust cybersecurity measures in maintaining the integrity and
confidentiality of digital data.


Index

(The index table has columns for S. No., Name of Program, Date of Conduction, Date of Checking, Page No.
and Teacher's Sign; only the program names are filled in.)

Module 1: Packet Analysis using Wireshark
1. Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP,
DNS, and SMTP to understand how data is transmitted and received.
2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated
connection attempts or unusual communication between hosts.
3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as
command-and-control traffic or data exfiltration.
4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to
capture and analyze the packets to demonstrate the vulnerability and the importance of encryption.
5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured
packets to understand how the attack can lead to a Man-in-the-Middle scenario.

Module 2: Web Application Security using DVWA
6. SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can manipulate
input fields to extract, modify, or delete database information.
7. Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web
pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing websites.
8. Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how attackers can
manipulate authenticated users into performing unintended actions.
9. File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA. Show how
attackers can include malicious files on a server and execute arbitrary code.
10. Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-force and
dictionary attacks against weak passwords. Emphasize the importance of strong password policies.

Experiment 1
Aim: - Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic
protocols like HTTP, DNS, and SMTP to understand how data is transmitted and received.

Theory: -
Wireshark captures the frames arriving at or leaving the NICs of the machine it runs on through an
underlying packet capture library: libpcap on Linux and macOS, and Npcap (maintained by the Nmap project)
on Windows. By default a NIC only passes up frames addressed to its own MAC address, plus broadcasts and
subscribed multicasts; in promiscuous mode Wireshark also records frames addressed to other hosts. On a
switched LAN, however, the switch only forwards to each port the traffic destined for it, so capturing other
hosts' unicast traffic still needs a SPAN/mirror port, a hub, or an attack such as ARP poisoning (Experiment 5).

Wireshark

Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software
and communications protocol development, and education. It captures traffic, and its protocol dissectors parse
and display the fields of every layer of each packet (Ethernet, IP, TCP/UDP, application protocol).

Features of Wireshark

Key features of Wireshark include:
• Packet capture to the pcap/pcapng file formats, with dissection of the raw bytes into human-readable protocol fields
• Real-time analysis providing a live view of network traffic
• Capture filters and display filters to focus on specific types of network traffic
• Graphical user interface (GUI) designed for ease of use, plus the command-line tshark for scripted analysis
Packets

Packets are the units in which data crosses a network. Each one carries a slice of the application's data (the
payload) wrapped in headers added by each layer: Ethernet for the local link, IP for routing between networks,
and TCP or UDP for delivery to the right application on the destination host. Routers and switches forward
packets hop by hop using those headers, and the receiving host strips them in reverse order to reassemble the
original message, whether a short text message or a video stream. Wireshark shows exactly this layering: the
packet details pane lists every header, outermost first, above the payload.

Protocols

Protocols are the agreed rules of digital communication: they define the format of each message, the order in
which messages are exchanged, and what each side does on error. They range from application protocols such as
HTTP for web browsing down to the TCP/IP suite that underpins the internet itself. Because a protocol is a
published standard, implementations from different vendors interoperate, and a packet analyzer can decode any
conforming traffic field by field.

Filters in Wireshark

Filters let the analyst isolate packets by criteria such as source or destination IP address, the pair of hosts
talking to each other, or the protocol in use. In a busy capture they are the main tool for troubleshooting,
identifying a security threat and understanding network behaviour, because they reduce the packet list to the
traffic that matters.

There are 2 types:

1. Capture Filters:
Capture filters are applied while capturing and decide which packets are recorded at all; everything else is
discarded before it reaches Wireshark, which keeps capture files small. They use the BPF (tcpdump) syntax, for
example tcp port 80 or host 192.168.1.25, and cannot be changed without restarting the capture. To set a
capture filter in Wireshark:

• Locate the Capture Section: On the Home screen, find the "Capture" section.
• Select an Interface: Choose the network interface you want to capture from.
• Enter the Filter Text: In the capture filter field, enter the filter statement.
• Start the Capture: Click the "Start" button to begin capturing packets.

2. Display Filters:
Display filters are applied after capture and only hide packets from view; the full capture is kept and the
filter can be changed at any time. They use Wireshark's own field-based syntax, for example http.request or
dns.qry.name contains "example", and expressions can be combined with and, or and not. To set a display
filter in Wireshark:

• Open the Display Filter Bar: Click on the filter box between the main toolbar and the packet list.
• Enter the Filter Expression: Type the filter expression you want to apply.
• Apply the Filter: Press Enter or click the "Apply Display Filter" button to apply the filter.

Colorization in Wireshark

Colorization in Wireshark enhances the visual analysis of packet data by assigning colours to packets according
to coloring rules, which are themselves display-filter expressions matched on criteria like protocol type, TCP
flags or error status (the default rules mark, for example, TCP resets and bad checksums). This makes repeated
patterns stand out in a long packet list and improves readability.

Key points about colorization in Wireshark:

• Adds a visual layer to packet analysis without hiding any packet
• Rules are ordinary display filters and can be edited under View > Coloring Rules
• Assigns colours based on criteria like protocol type, TCP flags or error status
• Enhances readability and makes patterns such as a burst of connection attempts easy to spot

HTTP (Hypertext Transfer Protocol)

• Communication Protocol: HTTP enables communication between web browsers (e.g., Firefox, Chrome)
and web servers.
• Message Format: It defines the structure of the request the client sends (method, path, headers, body)
and of the response the server returns (status code, headers, body).
• Web Browsing: HTTP is a request/response protocol: the client asks for a resource and the server answers.
Without TLS (HTTPS) every request and response travels in plaintext.
• Backbone of the Web: HTTP is the backbone of the World Wide Web, carrying data between clients and
servers.

FTP (File Transfer Protocol)
• FTP is used to transfer files over a communication network.
• FTP establishes two TCP connections: a control connection (port 21) for commands and user
authentication, and a data connection for each file transfer or directory listing.
• The username and password are sent on the control connection in plaintext (the USER and PASS
commands), which is what Experiment 4 captures.

SMTP (Simple Mail Transfer Protocol)
• Function: Used by mail servers to hand messages to one another, and by mail clients to submit outgoing mail.
• Purpose: Facilitates the delivery of email between servers (TCP port 25; clients usually submit on port 587).
• Security: The exchange is plaintext unless STARTTLS is negotiated, so message content and any AUTH
credentials are visible to a sniffer.

ARP (Address Resolution Protocol)

• Maps IP addresses to MAC addresses on the local link
• Enables local network communication: a host must know the MAC address of the next hop before it can send an IP packet
• Involves ARP requests (broadcast "who has 192.168.1.1?") and replies ("192.168.1.1 is at <MAC>")
• Uses ARP caches for efficiency, and most stacks accept a reply without ever having sent a request
• Carries no authentication, so it is vulnerable to ARP spoofing attacks (Experiment 5)

TCP (Transmission Control Protocol)

• Ensures reliable, ordered data transmission between devices
• Operates at the Transport Layer
• Establishes connections via a three-way handshake (SYN, SYN/ACK, ACK)
• Provides error-checking, acknowledgements and retransmission of lost data
• Segments data for transmission; the flags in each segment (SYN, ACK, RST, FIN) are what make scan
patterns visible in a capture

DNS (Domain Name System)

• Translates domain names to IP addresses
• Operates at the Application Layer, normally over UDP port 53
• Uses a hierarchical, distributed database system
• Employs DNS servers to resolve queries
• Involves processes like querying, caching, and recursion; queries are unencrypted, so a capture shows
every name a host looks up

SNMP (Simple Network Management Protocol)

• Manages network devices and systems
• Operates at the Application Layer (UDP port 161, with traps sent to port 162)
• Uses a manager/agent architecture: the manager polls agents running on the devices
• Collects and organizes information about network devices
• SNMPv1 and v2c authenticate with a plaintext community string that is visible in a capture; SNMPv3 adds
authentication and encryption
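The following is an added example, not code from the lab report, showing the layering described under
"Packets" and "Protocols" in working code: it builds one Ethernet/IPv4/UDP/DNS frame in memory (a constructed
sample, not a real capture; the MAC and IP addresses are invented) and then dissects it header by header the
way Wireshark's packet details pane does, verifying the IPv4 header checksum and decoding the DNS question
name, including the 0xC0 compression pointers that appear in responses.

```python
"""Dissect a captured Ethernet/IPv4/UDP/DNS frame layer by layer.

Added example, not part of the original lab report. The frame is built
in memory by build_dns_query_frame() (a constructed sample, not a real
capture); parse_frame() then walks it the way Wireshark's dissectors do.
"""
import socket
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode_qname(name: str) -> bytes:
    """DNS name encoding: each label prefixed by its length, ended by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_qname(data: bytes, off: int):
    """Decode a name at `off`; follows 0xC0 compression pointers. Returns (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # pointer: 14-bit offset of an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_dns_query_frame(src_mac, dst_mac, src_ip, dst_ip, sport, txid, qname) -> bytes:
    """Constructed A-record query. UDP checksum 0 means 'not computed', which IPv4 permits."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # flags 0x0100 = standard query, RD set
    dns += encode_qname(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp


def parse_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> UDP -> DNS, each layer located from the previous one's header."""
    out = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12])}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                    # header length in bytes (options possible)
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    out.update(src_ip=socket.inet_ntoa(ip_hdr[12:16]), dst_ip=socket.inet_ntoa(ip_hdr[16:20]),
               ttl=ip_hdr[8], proto=ip_hdr[9])
    if out["proto"] != 17:
        return out                                  # not UDP; stop at the IP layer
    udp_off = 14 + ihl
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    out.update(sport=sport, dport=dport)
    if 53 not in (sport, dport):
        return out
    d = frame[udp_off + 8:udp_off + ulen]          # DNS message = UDP payload
    txid, flags, qdcount = struct.unpack("!HHH", d[:6])
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = decode_qname(d, off)
        qtype, _qclass = struct.unpack("!HH", d[off:off + 4])
        off += 4
        questions.append((name, qtype))
    out.update(txid=txid, is_response=bool(flags & 0x8000), questions=questions)
    return out


if __name__ == "__main__":
    frame = build_dns_query_frame("00:0c:29:11:27:cd", "00:50:56:aa:35:00",
                                  "192.168.1.25", "192.168.1.1", 51234, 0xBEEF, "example.com")
    for k, v in parse_frame(frame).items():
        print(f"{k:12} {v}")
```

Every offset the parser uses comes from a field in the layer below it (the IHL nibble gives the UDP offset,
the UDP length gives the DNS message), which is why a corrupted or truncated header makes a dissector fail
rather than silently misread the payload; the checksum check is the same one Wireshark performs when
"Validate the IPv4 checksum" is enabled in the protocol preferences.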

Experiment 2

Aim: - Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns,
such as repeated connection attempts or unusual communication between hosts.

Theory: -
Suspicious network activity is traffic that deviates from the expected behaviour of the hosts on a network:
one source opening connections to many ports or many hosts in a short time, connections that are started but
never completed, a host that suddenly talks to a peer it never contacted before, or two devices claiming the
same address. None of these events is necessarily malicious on its own, so the analyst's job is to find the
pattern in the capture, establish its timeline, and judge it against knowledge of how the network is supposed
to work. The sections below show the patterns left in a capture by the most common source of such traffic, a
port scan, and by an ARP conflict.

Nmap Scans
Nmap is an industry-standard tool for mapping networks, identifying live hosts, and discovering services. It is
the network scanner whose traffic patterns security analysts most often need to recognise in a capture. Two
common Nmap scan types are TCP Connect scans (-sT), which complete the three-way handshake with every port,
and SYN scans (-sS), which send a SYN and reset the connection as soon as the SYN/ACK arrives.

UDP Scans
• UDP scans (-sU) differ from TCP Connect scans in that there is no handshake: the scanner simply sends a
UDP datagram to each port.
• An open port usually sends nothing back (or an application-layer reply), while a closed port makes the
target return an ICMP Destination Unreachable, Port Unreachable message (type 3, code 3).
• Analyzing a UDP scan therefore means counting the ICMP port-unreachable messages returned to a single
source, which reveals both the scanner and the set of closed ports it probed.

The capture shows that the closed port returns an ICMP error packet. No further information is provided about
the error at first glance, so how can an analyst decide which request this error message belongs to? The ICMP
error message carries the IP header and the first bytes of the original datagram as encapsulated data to
identify the source of the error. Once you expand the ICMP section in the packet details pane, you will see
the encapsulated data and the original request, including the UDP destination port that was probed.

Open TCP port (Connect)

The captures above show the patterns in isolated traffic: for a TCP Connect scan to an open port, a SYN, a
SYN/ACK, an ACK and then a RST/ACK from the scanner; to a closed port, a SYN answered by a RST/ACK. However,
it is not always easy to spot the given patterns in big capture files.

Therefore, analysts need to use a generic filter to view the initial anomaly patterns, and then it will be easier
to focus on a specific traffic point. The filter used in the lab shows the TCP Connect scan patterns in a capture file.
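As an added example (not code from the lab report), the logic below does programmatically what the filter and
the eye do in Wireshark: it groups packets into per-port probes, reads each probe's flag sequence to tell a
completed handshake (Connect scan) from a half-open one (SYN scan) or a refused port, and flags a source that
probes many distinct ports on one host within a short window. The packet list is constructed by hand to mimic
Wireshark's columns, and the thresholds (10 ports in 5 seconds) are assumptions, not values from the report.

```python
"""Recognise Nmap TCP scan patterns in a list of packet summaries.

Added example, not part of the original lab report. The packets are
constructed by hand to mimic Wireshark's packet-list columns (time,
source, destination, ports, TCP flags); the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float     # seconds, like Wireshark's Time column
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # TCP flags: "S", "SA", "A", "PA", "R", "RA"


def group_probes(pkts):
    """Attach every packet to the (client, server, server_port) probe it belongs to.
    A bare SYN opens a probe; later packets are matched from either direction."""
    probes = {}
    for p in sorted(pkts, key=lambda p: p.ts):
        as_client = (p.src, p.dst, p.dport)
        as_server = (p.dst, p.src, p.sport)
        if p.flags == "S" and as_client not in probes:
            probes[as_client] = {"start": p.ts, "seq": []}
        if as_client in probes:
            probes[as_client]["seq"].append("c:" + p.flags)
        elif as_server in probes:
            probes[as_server]["seq"].append("s:" + p.flags)
    return probes


def classify(seq):
    """Read the flag sequence the way an analyst reads it in the packet list."""
    if seq[:2] == ["c:S", "s:SA"]:
        if len(seq) > 2 and seq[2] == "c:A":
            return "open-connect"     # full handshake: -sT scan or a real client
        if len(seq) > 2 and seq[2].startswith("c:R"):
            return "open-syn"         # half-open: -sS scan resets after the SYN/ACK
        return "open"
    if seq[:2] == ["c:S", "s:RA"]:
        return "closed"               # server refused with RST/ACK
    if seq == ["c:S"]:
        return "filtered"             # no answer at all
    return "other"


def detect_scans(pkts, min_ports=10, window=5.0):
    """Flag a source that probes >= min_ports distinct ports on one host within
    `window` seconds, and name the scan type that the open-port pattern matches."""
    by_pair = defaultdict(list)
    for (client, server, port), pr in group_probes(pkts).items():
        by_pair[(client, server)].append((pr["start"], port, classify(pr["seq"])))
    findings = {}
    for pair, probes in by_pair.items():
        probes.sort()
        for i, (t0, _, _) in enumerate(probes):
            inwin = [pr for pr in probes[i:] if pr[0] - t0 <= window]
            ports = {pr[1] for pr in inwin}
            if len(ports) < min_ports:
                continue
            states = {pr[2] for pr in inwin}
            if "open-syn" in states:
                kind = "SYN scan"
            elif "open-connect" in states:
                kind = "TCP connect scan"
            else:
                kind = "scan (no open ports seen)"
            findings[pair] = {"kind": kind, "ports_probed": len(ports),
                              "open": sorted(pr[1] for pr in inwin if pr[2].startswith("open"))}
            break
    return findings


def sample_capture():
    """Constructed: 192.168.1.10 SYN-scans 12 ports on 192.168.1.25 (22, 80, 443 open)
    while 192.168.1.30 makes one ordinary HTTPS connection to the gateway."""
    scanner, target, pkts = "192.168.1.10", "192.168.1.25", []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]):
        sp, ts = 40000 + i, 0.01 * i
        pkts.append(Pkt(ts, scanner, target, sp, port, "S"))
        if port in (22, 80, 443):
            pkts.append(Pkt(ts + 0.001, target, scanner, port, sp, "SA"))
            pkts.append(Pkt(ts + 0.002, scanner, target, sp, port, "R"))
        else:
            pkts.append(Pkt(ts + 0.001, target, scanner, port, sp, "RA"))
    pkts += [Pkt(1.000, "192.168.1.30", "192.168.1.1", 51000, 443, "S"),
             Pkt(1.001, "192.168.1.1", "192.168.1.30", 443, 51000, "SA"),
             Pkt(1.002, "192.168.1.30", "192.168.1.1", 51000, 443, "A"),
             Pkt(1.010, "192.168.1.30", "192.168.1.1", 51000, 443, "PA")]
    return pkts


if __name__ == "__main__":
    for (client, server), f in detect_scans(sample_capture()).items():
        print(f"{client} -> {server}: {f['kind']}, {f['ports_probed']} ports probed, open {f['open']}")
```

The distinguishing detail is the third packet of each open-port probe: a real client (or a Connect scan) sends
an ACK and usually data, whereas a SYN scan answers the SYN/ACK with a bare RST, which is why a burst of
SYN, SYN/ACK, RST triplets in a capture is a stronger scan indicator than the SYNs alone.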

Here, knowing the network architecture and inspecting the traffic for a specific time frame can help detect
the anomaly. As an analyst, you should take notes of your findings before going further. This will help you
stay organised and make it easier to correlate the further findings.

Look at the given picture; there is a conflict: the MAC address that ends with "b4" crafted an ARP request
with the "192.168.1.25" IP address, then claimed to have the "192.168.1.1" IP address.

Experiment 3
Aim: - Malware Traffic Analysis: Analyze captured traffic to identify signs of malware
communication, such as command-and-control traffic or data exfiltration.

Theory: -
If you are not yet familiar with Malware-Traffic-Analysis.net (MTA), I strongly suggest
visiting the site to explore the valuable work Brad is doing. He has developed an impressive system for
identifying infected websites and malware, capturing relevant traffic in PCAPs, and offering comprehensive
insights into the traffic, malware, and other pertinent details.
One aspect of the site that I particularly enjoy is the inclusion of PCAPs with sets of questions, serving as
exercises for investigators to refine their packet analysis skills. I make it a point to engage with these exercises
as they provide a hands-on opportunity to delve into the latest exploit kits. Recently, I delved into the exercise
dated March 9, 2015, and wanted to share my analysis with others.

The Setup
Before delving into the analysis, let me provide a brief overview of my analysis setup. While a significant
portion of the traffic is live, I prefer to work in a dedicated environment for analyzing historical PCAP data.
In this setup, the tools utilized (as demonstrated in this example) include Suricata 2.0.7 with the latest
Emerging Threats rule set, with Suricata logs directed to a single index within Elasticsearch, and Wireshark.

Although there are numerous other tools at my disposal, for brevity, I will focus on these key tools for now.
Let's kick off the analysis!

Step 1: Executing the Packet

Having a pre-configured environment allows me to efficiently process a PCAP through various tools, quickly
opening Wireshark and a web browser to expedite the analysis. I have a simple script that runs the PCAP
through Suricata. Here are the basic commands to replay the traffic:

By scripting these commands, I can initiate the necessary tools with a single command, including opening a
web browser to view Kibana. The '-r' switch is commonly used for this purpose.

Step 2: Identifying Alerts

Firstly, I review the Suricata output to identify any alerts that could provide insights into the ongoing
activities. By utilizing a dashboard with customized widgets, I focus on visualizing the traffic and identifying
specific events:

Upon examination, the dashboard reveals several events, including alerts related to Kelihos, Simda, PE/DLL
downloads, and a Nuclear EK drive-by. I have color-coded the activities based on alerts, DNS, and overall
traffic, with notable occurrences of red throughout the histogram. Towards the end of the PCAP, there is a
notable surge in traffic activity, disrupting the graph's scale.

Taking a moment to assess our progress:

Multiple alerts have been generated from the PCAP, indicating the presence of well-known Trojans, a
drive-by kit, malware check-ins, outdated Flash vulnerabilities, and PE/DLL downloads. This initial
analysis suggests:
• The likelihood of malware being dropped, potentially due to a web vulnerability or exploit.
• The presence of an executable or DLL being dropped, possibly resembling files associated with Kelihos
or Simda, noting that the file was delivered via HTTP.
• Check-in alerts indicating that the malware may have executed and communicated outwards, with
multiple check-in alerts for each malware type.

Step 3: Establishing Activity Timeline

With these pointers in mind, I proceed to scroll through the dashboard to examine the alerts and supporting
information:

The first alert, chronologically speaking, leads to a Nuclear EK drive-by event timestamped on March 9, 2015,
at 16:54:23.797347. The event involves two IPs, a source and a destination:

Destination IP (internal host): 172.16.138.158
Source IP (external): 178.62.142.240

As we delve into profiling the activity, maintaining detailed notes and context is crucial. Continuing within
the Kibana dashboard, we observe the surrounding activities related to the alert:

Highlighted in red, the event provides a timestamp and IPs, offering a window into the events preceding and
following the alert. The analysis reveals browsing activities on fortunet.biz, requests to portal.0037.in for a
PHP page, and subsequent requests to soquumaihi.co.vu/WQdbAk8CUx8J.html, deviating from the expected
browsing behavior. Additionally, there is application/octet-stream content originating from the .co.vu domain,
interspersed with alerts related to the Nuclear EK event and Flash vulnerabilities.

Further down the dashboard, we encounter additional alerts and heightened activity from the .co.vu domain,
including more application/octet-stream content. To tie up loose ends from our initial observations, let's delve
into more events:

Malware traffic analysis involves scrutinizing captured network traffic to identify indications of malware
communication, such as command-and-control traffic or data exfiltration.

Experiment 4
Aim: - Password Sniffing: Simulate a scenario where a password is transmitted in plaintext.
Use Wireshark to capture and analyze the packets to demonstrate the vulnerability and the
importance of encryption.

Theory: -
Password Sniffing
Password sniffing is a network attack in which an attacker captures the packets that carry a login and reads the
credentials out of them. When the protocol sends the password in plaintext (HTTP without TLS, FTP, Telnet,
SMTP/POP/IMAP without STARTTLS) nothing has to be cracked: the password is read directly from the capture.
When only a hash or a challenge-response value is sent, the attacker feeds the captured value to a
password-cracking program offline. The method is used to steal login credentials for email, social media and
financial accounts, and is a risk on both home and business networks.

Why is Password Sniffing a Threat?

Password sniffing can lead to the theft of sensitive information such as login credentials and credit card
numbers. Attackers can eavesdrop on network traffic (an open Wi-Fi network, a compromised switch port, or a
man-in-the-middle position gained with ARP poisoning) or physically tap data transmissions between devices.
Once passwords are sniffed, attackers can access victims' accounts, potentially resulting in financial loss or
the disclosure of confidential information.

How Do Hackers Use Packet Sniffers?


Hackers utilize packet sniffers to steal information and login credentials through sniffing attacks. They can
intercept passwords, email messages, and other sensitive data, as well as monitor internet activity and collect
user data without consent. One common method used by hackers is ARP poisoning, allowing interception of
traffic meant for another computer on the same network.

Active Sniffing vs Passive Sniffing

Active Sniffing: The attacker injects packets into the network (for example forged ARP replies) to redirect
or intercept communications on a switched network; it is easier to detect because it generates traffic of its own.
Passive Sniffing: The attacker generates no traffic and simply records what already passes the capture point
(a hub, a mirror port, or a shared wireless medium), which makes it much harder to detect. The captured
traffic is then mined for credentials and other information that can be used to exploit vulnerabilities.

Best Defense Against Password Sniffing

The effective defense against password sniffing is to encrypt traffic end to end with TLS (HTTPS, FTPS or SFTP
instead of FTP, STARTTLS for mail) or to tunnel it through a VPN. Encryption does not stop the packets being
captured, but it leaves the attacker with ciphertext, so the captured stream no longer contains the password.
Additional controls are multi-factor authentication, which limits what a stolen password is worth, and switch
features such as Dynamic ARP Inspection that block the ARP poisoning used to get into the traffic path.
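The following is an added example, not code from the lab report, showing what an attacker reads out of the
captured traffic when the protocol is unencrypted. The three byte strings are constructed to look like what
Wireshark's "Follow TCP Stream" shows for an FTP login, a DVWA-style HTTP form login and an HTTP Basic
authentication request; the hostnames, usernames and passwords are invented. Note that Basic authentication is
only base64-encoded, which is not encryption.

```python
"""Pull plaintext credentials out of reassembled TCP streams.

Added example, not part of the original lab report. The three streams
below are constructed to look like Wireshark's "Follow TCP Stream" output
for FTP, an HTTP form login and HTTP Basic authentication; hostnames and
credentials are invented.
"""
import base64
import re
from urllib.parse import parse_qs

FTP_STREAM = (b"220 (vsFTPd 3.0.3)\r\n"
              b"USER alice\r\n"
              b"331 Please specify the password.\r\n"
              b"PASS Winter2024!\r\n"
              b"230 Login successful.\r\n")

HTTP_FORM_STREAM = (b"POST /login.php HTTP/1.1\r\n"
                    b"Host: dvwa.local\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                    b"Content-Length: 44\r\n\r\n"
                    b"username=admin&password=password&Login=Login")

HTTP_BASIC_STREAM = (b"GET /admin/ HTTP/1.1\r\n"
                     b"Host: intranet.local\r\n"
                     b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n")

FTP_CMD = re.compile(rb"^(USER|PASS) (.*?)\r?$", re.M)
USER_KEYS = ("username", "user", "login", "email")
PASS_KEYS = ("password", "pass", "passwd")


def extract_ftp(stream: bytes):
    """FTP sends USER then PASS as plain commands on the control connection (port 21)."""
    creds, user = [], None
    for cmd, arg in FTP_CMD.findall(stream):
        if cmd == b"USER":
            user = arg.decode("utf-8", "replace")
        elif cmd == b"PASS" and user is not None:
            creds.append({"proto": "ftp", "user": user, "password": arg.decode("utf-8", "replace")})
            user = None
    return creds


def extract_http(stream: bytes):
    """HTTP without TLS: Basic auth is only base64-encoded, and form logins travel
    as a URL-encoded body; both are readable straight from the capture."""
    creds = []
    head, _, body = stream.partition(b"\r\n\r\n")
    m = re.search(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", head, re.M | re.I)
    if m:
        user, _, pw = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
        creds.append({"proto": "http-basic", "user": user, "password": pw})
    if re.search(rb"^Content-Type: application/x-www-form-urlencoded", head, re.M | re.I):
        form = parse_qs(body.decode("utf-8", "replace"))
        user = next((form[k][0] for k in USER_KEYS if k in form), None)
        pw = next((form[k][0] for k in PASS_KEYS if k in form), None)
        if user and pw:
            creds.append({"proto": "http-form", "user": user, "password": pw})
    return creds


def sniff_credentials(streams):
    """streams: list of (server_port, reassembled stream bytes). Dispatch on the port
    the way Wireshark picks a dissector; anything else (e.g. TLS on 443) is opaque."""
    found = []
    for port, data in streams:
        if port == 21:
            found += extract_ftp(data)
        elif port in (80, 8080):
            found += extract_http(data)
    return found


if __name__ == "__main__":
    for c in sniff_credentials([(21, FTP_STREAM), (80, HTTP_FORM_STREAM), (80, HTTP_BASIC_STREAM)]):
        print(f"{c['proto']:11} {c['user']}:{c['password']}")
```

The same dispatch on a port 443 stream yields nothing because the TLS record layer hides the request and the
form body entirely, which is the whole argument for HTTPS: the capture still happens, but there is nothing
in it to read.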
Types of Sniffing

• Web Password Sniffing: Captures passwords sent over the network by web logins; ethical hackers use it
to identify applications that still accept credentials over plain HTTP.
• LAN Sniffing: Monitors traffic on a local area network, providing insight into data exchanges between
devices for troubleshooting or information gathering.
• Protocol Sniffing: Focuses on a particular protocol used for communication between devices, allowing
ethical hackers to analyze how it transmits data and what it exposes.
• ARP Sniffing: Captures the ARP requests and replies that map IP addresses to physical addresses. Useful
for building an inventory of network devices, for troubleshooting, and for spotting ARP spoofing.

TCP Session Stealing

• Also called TCP session hijacking: having sniffed an established connection, the attacker learns its
addresses, ports and sequence numbers and injects packets to take the session over.
• Observing how data is transmitted over TCP in this way helps identify security vulnerabilities and
troubleshoot network problems.

What is a Sniffer App?


A sniffer app is a type of software that intercepts and logs network traffic. It can be utilized for both legal and illegal
purposes, depending on its configuration and use. Network administrators employ sniffer apps to monitor network
activity and identify security threats. However, malicious individuals can exploit these apps to steal sensitive
information like passwords or credit card details.

Experiment 5
Aim: - ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap.
Analyze the captured packets to understand how the attack can lead to a Man-in-the-Middle
scenario.

Theory: -
ARP (Address Resolution Protocol)
• ARP is a protocol used to map an IP address to a physical MAC address. It is used to obtain the MAC
address of a network device when only its IP address is known.
• ARP works by broadcasting a request carrying the IP address and asking its owner to reply with its MAC
address. The MAC address is then cached and used to address frames to the device. Nothing in the exchange
is authenticated: a host will believe any reply it receives, which is what makes poisoning possible.

RARP (Reverse Address Resolution Protocol)

• RARP is a protocol used to map a physical MAC address to an IP address. It was used by diskless hosts
to obtain their own IP address from their MAC address at boot.
• RARP works by broadcasting the MAC address and requesting the corresponding IP address from a RARP
server on the network. It has been superseded by BOOTP and DHCP, so it is rarely seen in modern captures.

ARP Poisoning Attack Using Ettercap

Environment Setup
• Use two VMs, one running Kali Linux and the other as the target Windows 10 machine.
• On the Kali machine, run arp -a to view the MAC addresses of the gateway and target.
• Note the last 4 digits of the MAC addresses, e.g. 3500 for the gateway and 27cd for the Windows VM.
Launching the Attack

• Start packet capture on the target Windows VM to record the attack traffic
• On the Kali machine, run Ettercap and select the interface to sniff on
• Select the target hosts to ARP poison, usually the gateway and the Windows VM
• Start the ARP poisoning attack by enabling "Sniff remote connections" and "Redirect HTTP traffic".

Ettercap ARP Poisoning Attack - Analyzing the Captured Traffic

• Examine the ARP table on the target Windows VM (arp -a): the gateway IP now maps to the Kali machine's
MAC address
• Inspect the captured packets in Wireshark: the Windows VM's traffic is now being routed through the Kali
machine, and the capture contains a stream of unsolicited ARP replies from the Kali MAC claiming the
gateway's IP address
• Look for sensitive data like login credentials, cookies, etc. that can be harvested from the poisoned traffic

Wireshark Captured Packets - ARP Poisoning Attack Results
• ARP Poisoning Attack Success: the Windows VM's traffic is routed through the Kali machine
• ARP Poisoning Attack Failure: the attack failed due to network configuration (for example static ARP
entries on the target or Dynamic ARP Inspection on the switch) or other issues

ARP and RARP in Practice

• ARP in action: mapping IP addresses to MAC addresses
• RARP in action: mapping MAC addresses to IP addresses

ARP and RARP Packet Formats

• ARP and RARP share one packet format (28 bytes for Ethernet/IPv4): hardware type, protocol type, hardware
and protocol address lengths, opcode (1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP reply),
sender MAC, sender IP, target MAC, target IP

1. By analyzing the captured packets, we can see how the ARP poisoning attack works. The attacker's
machine (Kali Linux) is now positioned between the victim (Windows VM) and the gateway, allowing
it to intercept and inspect all traffic.
2. This man-in-the-middle scenario enables the attacker to steal sensitive data like login credentials,
cookies, and other information from the victim's traffic. The attacker can also modify the traffic to inject
malicious content or redirect the victim to a malicious site.
To prevent ARP poisoning attacks, it is important to secure the network with measures such as Dynamic ARP
Inspection and DHCP snooping on managed switches, static ARP entries for critical hosts such as the gateway,
network segmentation, and monitoring for the tell-tale sign of the attack: one IP address answered by two
different MAC addresses, which Wireshark reports as "Duplicate IP address detected". Users should also be
educated about the risks of ARP poisoning and the importance of using secure protocols like HTTPS, which
keep the content private even when the traffic is intercepted.
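As an added example (not code from the lab report), the block below builds ARP frames in the packet format
described above, parses them back, and runs the detection logic that matches both the conflict noted in
Experiment 2 (one MAC first sending a request as 192.168.1.25 and then claiming 192.168.1.1) and the result
of this experiment (the gateway IP answered by the Kali MAC). The frames are constructed in memory and never
sent; the MAC addresses are invented, except that the gateway and Windows MACs end in the 3500 and 27cd
the report mentions.

```python
"""Build and parse ARP frames, then flag the IP/MAC conflicts that an ARP
poisoning attack leaves in a capture.

Added example, not part of the original lab report. Addresses are
constructed; frames are built in memory only and never transmitted.
"""
import socket
import struct
from collections import defaultdict

GATEWAY_MAC, WINDOWS_MAC, ATTACKER_MAC = "00:50:56:aa:35:00", "00:0c:29:11:27:cd", "00:0c:29:ab:cd:b4"
GATEWAY_IP, WINDOWS_IP = "192.168.1.1", "192.168.1.25"
BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet header (EtherType 0x0806) + the 28-byte ARP body: htype=1 (Ethernet),
    ptype=0x0800 (IPv4), hlen=6, plen=4, opcode, then sender/target MAC and IP."""
    eth_dst = BROADCAST if opcode == 1 else target_mac       # requests are broadcast, replies unicast
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + b"\x08\x06"
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
            + mac_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth + body


def parse_arp(frame: bytes) -> dict:
    if frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    o = 22
    return {"opcode": opcode,
            "sender_mac": mac_str(frame[o:o + 6]), "sender_ip": socket.inet_ntoa(frame[o + 6:o + 10]),
            "target_mac": mac_str(frame[o + 10:o + 16]), "target_ip": socket.inet_ntoa(frame[o + 16:o + 20])}


def detect_arp_conflicts(frames):
    """Two signs of poisoning: an IP whose MAC changes, and one MAC claiming several IPs.
    Wireshark's expert info reports the first as 'Duplicate IP address detected'."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for n, frame in enumerate(frames, 1):
        a = parse_arp(frame)
        ip, mac = a["sender_ip"], a["sender_mac"]          # sender fields update caches on both sides
        kind = "request" if a["opcode"] == 1 else "reply"
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"frame {n}: {ip} was {known}, now claimed by {mac} in an ARP {kind}")
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append(f"frame {n}: {mac} now claims {ip} as well as {sorted(mac_to_ips[mac])}")
        mac_to_ips[mac].add(ip)
    return alerts


def sample_frames():
    """Constructed sequence: a normal request/reply, then the attacker first spoofs
    the Windows VM's IP in a request and then claims the gateway's IP in a reply."""
    return [
        build_arp(1, WINDOWS_MAC, WINDOWS_IP, UNKNOWN, GATEWAY_IP),        # who has 192.168.1.1?
        build_arp(2, GATEWAY_MAC, GATEWAY_IP, WINDOWS_MAC, WINDOWS_IP),    # 192.168.1.1 is at ...35:00
        build_arp(1, ATTACKER_MAC, WINDOWS_IP, UNKNOWN, GATEWAY_IP),       # ...b4 pretends to be .25
        build_arp(2, ATTACKER_MAC, GATEWAY_IP, WINDOWS_MAC, WINDOWS_IP),   # ...b4 claims to be the gateway
    ]


if __name__ == "__main__":
    for line in detect_arp_conflicts(sample_frames()):
        print(line)
```

The detector keys on the sender fields because that is what victims' ARP caches are updated from, whether
the frame is a request or a reply; on a real network the first binding should be seeded from a known-good
inventory (or a static ARP entry for the gateway) rather than from whichever frame happens to arrive first,
otherwise an attacker who is already poisoning when monitoring starts becomes the baseline.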
