Cyber Security Workshop Lab Manual - Student
(BCS 453)
LAB MANUAL
List of Experiments

1. Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted and received.
2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated connection attempts or unusual communication between hosts.
3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as command-and-control traffic or data exfiltration.
4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to capture and analyze the packets to demonstrate the vulnerability and the importance of encryption.
5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

1. SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can manipulate input fields to extract, modify, or delete database information.
2. Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing websites.
3. Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how attackers can manipulate authenticated users into performing unintended actions.
4. File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA. Show how attackers can include malicious files on a server and execute arbitrary code.
5. Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-force and dictionary attacks against weak passwords. Emphasize the importance of strong password policies.
Module 1: Packet Analysis using Wireshark
Experiment No:1
Aim: Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted and received.
Solution:
a. Open Wireshark.
b. The start screen lists all the network interfaces you can monitor. Select one or more interfaces with shift+left-click, or use the "All interfaces shown" tab to choose which interfaces are listed.
c. Once the network interface is selected, you can start the capture; there are several ways to do that.
i. Click the first button on the toolbar, titled "Start capturing packets."
OR
d. During the capture process, Wireshark shows the live Packet List as packets arrive.
e. Once you have captured all the packets needed, use the same buttons or menu options to
Wireshark shows three panes for inspecting packet data. The Packet List, the top pane, lists every packet in the capture. When you click a packet, the other two panes change to show the details of the selected packet. The list also shows whether a packet is part of a conversation.
Here are details about each column in the top pane:
No.: The sequence number of the packet in the capture. The bracket in this column indicates that the packet is part of a conversation.
Time: How long after the capture started this packet was captured. You can change the format (absolute time, time since the previous packet, and so on) under View > Time Display Format.
Source: The address of the system that sent the packet.
Destination: The address of the system the packet was sent to.
Protocol: The type of packet, for example TCP, DNS, DHCPv6, or ARP (the highest-layer protocol Wireshark was able to dissect).
Length: The packet's length, measured in bytes.
Info: A summary of the packet contents, which varies with the protocol.
Packet Details, the middle pane, shows the dissected fields of the packet, one expandable section per protocol layer (Ethernet, IP, TCP, and so on). You can right-click a field and build a display filter from it ("Apply as Filter" or "Prepare as Filter").
The bottom pane, Packet Bytes, displays the packet exactly as it was captured, in hexadecimal with an ASCII column beside it.
When looking at a packet that is part of a conversation, you can right-click the packet and select Follow > TCP Stream (or UDP/TLS Stream) to see only the packets of that conversation, with the data the two ends exchanged reassembled in order.
Wireshark filters
Filters let you view the capture the way you need to see it to troubleshoot the issue at hand. There are two kinds.
Capture filters are applied while capturing and use BPF syntax (the same syntax as tcpdump); they limit the packets that are recorded to those matching the filter.
a. host IP-address: limits the captured traffic to packets to and from that IP address.
e. port not 53 and not arp: captures all traffic except DNS and ARP traffic.
Display filters change the view of the capture during analysis and use Wireshark's own field syntax. After you have stopped the packet capture, use display filters to narrow the Packet List down to the packets relevant to your issue.
a. ip.src == IP-address and ip.dst == IP-address: shows packets sent from one computer (ip.src) to another (ip.dst). Use ip.addr to show packets to and from an IP regardless of direction.
b. tcp.port eq 25: shows all traffic on port 25, which is usually SMTP.
c. icmp: shows only ICMP traffic in the capture; most likely these are pings (echo request and echo reply).
d. ip.addr != IP-address: intended to show all traffic except the traffic to or from the specified computer. In Wireshark versions before 4.0 this does not do what it looks like: a packet matches when either its source or its destination differs from the address, so nearly every packet is shown. Write !(ip.addr == IP-address) instead, which behaves as intended in every version.
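The following is an added example, not part of the original manual: a minimal Ethernet II / IPv4 / TCP dissector that recovers the fields Wireshark shows in the Packet List and Packet Details panes described above, followed by two display-filter predicates that reproduce why ip.addr != X (pre-4.0 semantics) does not exclude host X while !(ip.addr == X) does. The frames are constructed inside the script (no real capture is read), the MAC and IP addresses are made up, and the TCP checksum is deliberately left at zero because the dissector does not verify it.

```python
import socket
import struct

# Added example (not from the lab manual). Frames are built in this file; addresses are made up.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header. Over a valid header (checksum
    field included) the result is 0, which is how dissect() verifies it."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct a sample Ethernet/IPv4/TCP frame. TCP checksum stays 0 (assumption: not checked)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    flag_byte = sum(TCP_FLAG_BITS[f] for f in flags)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flag_byte, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    return eth + ip + tcp


def dissect(frame: bytes) -> dict:
    """Walk the headers layer by layer, as the Packet Details pane does, and return field -> value."""
    dst_mac, src_mac, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_byte, flag_byte = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_byte >> 4) * 4
    flags = [name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit]
    return {
        "eth.src": src_mac.hex(":"), "eth.dst": dst_mac.hex(":"),
        "ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20]),
        "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": flags,
        "tcp.payload": tcp[data_off:], "frame.len": len(frame),
        # the summary the Info column shows for a TCP segment
        "info": f"{sport} -> {dport} [{', '.join(flags)}] Seq={seq} Ack={ack} Len={len(tcp) - data_off}",
    }


def ip_addr_ne(pkt, addr):
    """'ip.addr != addr' as Wireshark < 4.0 evaluated it: true if src OR dst differs from addr."""
    return pkt["ip.src"] != addr or pkt["ip.dst"] != addr


def not_ip_addr_eq(pkt, addr):
    """'!(ip.addr == addr)': true only when neither src nor dst is addr."""
    return not (pkt["ip.src"] == addr or pkt["ip.dst"] == addr)


def apply_filter(packets, predicate, addr):
    return [p for p in packets if predicate(p, addr)]


# Constructed sample: a handshake plus an HTTP GET from one host, and an SMTP SYN from another.
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe", "192.168.1.10", "203.0.113.80", 51000, 80, ("SYN",)),
    build_frame("aa:bb:cc:00:00:fe", "aa:bb:cc:00:00:01", "203.0.113.80", "192.168.1.10", 80, 51000, ("SYN", "ACK")),
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe", "192.168.1.10", "203.0.113.80", 51000, 80, ("PSH", "ACK"),
                b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:fe", "192.168.1.11", "192.0.2.25", 40000, 25, ("SYN",)),
]

if __name__ == "__main__":
    packets = [dissect(f) for f in SAMPLE_FRAMES]
    for p in packets:
        print(p["ip.src"], "->", p["ip.dst"], p["info"])
    print("ip.addr != 192.168.1.10 (pre-4.0):", len(apply_filter(packets, ip_addr_ne, "192.168.1.10")))
    print("!(ip.addr == 192.168.1.10):", len(apply_filter(packets, not_ip_addr_eq, "192.168.1.10")))
```

The first filter keeps all four frames, because every frame has at least one address that is not 192.168.1.10; the second keeps only the SMTP frame. The dissector also rejects a frame whose IPv4 header checksum does not verify, which is the same check Wireshark performs when header checksum validation is enabled.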
Experiment No:2
Aim: Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such
as repeated connection attempts or unusual communication between hosts.
Solution:
HTTP is an application-layer request/response protocol carried over TCP. When a site uses HTTPS, the requests and responses are encrypted inside TLS, but the TCP three-way handshake and the TLS handshake itself remain visible in a capture.
Start a Wireshark capture -> open a web browser -> navigate to any HTTPS-based website -> stop the Wireshark capture.
Enter 'tls' in the display filter box (older Wireshark versions use 'ssl') to show only TLS traffic -> observe the first TLS packet, the Client Hello -> its destination IP is the target IP (the web server).
A standard port scan takes advantage of the TCP three-way handshake. The scanner sends a SYN packet to the target port. The port is considered open when it gets SYN+ACK as a response, whereas an RST shows the port is closed (no answer at all usually means a firewall dropped the probe). A connect scan then completes the handshake by sending an ACK; a SYN (half-open) scan instead answers the SYN+ACK with an RST, so no connection is ever established and the application behind the port may never log the probe.
Enter 'tcp.port == 80' to see only the TCP traffic to and from the web server (use 443 for the HTTPS site captured above).
Observe the TCP [SYN] packet. Expand Ethernet and observe that the destination MAC address is the default gateway's, whereas the source is your own MAC address: the frame is addressed to the gateway because the server is on another network.
To check the IP details, expand Internet Protocol Version 4; in our case the destination IP is Google's web server IP and the source IP is the local IP address.
To view TCP details, expand Transmission Control Protocol and note the port numbers. Monitor the flag values: SYN set, and nothing else, marks the first step of the TCP three-way handshake.
Now look at the TCP [SYN, ACK] packet. Expand Ethernet and observe that the destination address is now your own MAC address, whereas the source is the default gateway's.
Monitor the acknowledgement number. Wireshark shows relative sequence and acknowledgement numbers by default (Edit > Preferences > Protocols > TCP > Relative sequence numbers), so the SYN+ACK shows Ack=1; the real value on the wire is the client's initial sequence number plus one.
Monitor the flag values: [SYN, ACK] set marks the second step of the TCP three-way handshake.
Analyze SYN flood attack
A SYN flood occurs when an attacker sends a large number of SYN packets to a server, usually from spoofed source IPs. The server answers each with a SYN+ACK and keeps the half-open connection in its backlog queue, waiting for a final ACK from a client that never replies.
By overwhelming the victim with SYN packets the attacker fills that queue and drives processor and memory usage up, until legitimate connection attempts are dropped and the victim's resources are exhausted.
Use the hping3 tool to flood the victim IP with SYN packets. Simultaneously, start capturing the traffic in Wireshark.
Enter 'tcp.flags.syn == 1' in the filter box to view the SYN flood; add '&& tcp.flags.ack == 0' to hide the server's SYN+ACK replies and see only the incoming SYNs.
Notice a large number of SYN packets from many different source addresses arriving with almost no time between them, and SYN+ACK replies that never receive a final ACK.
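The following is an added example, not part of the original manual: the patterns described in this experiment (a port scan, half-open handshakes, a SYN flood) found by code rather than by scrolling through the Packet List. The records are constructed inside the script in the shape of a per-packet field export (time, ip.src, ip.dst, tcp.srcport, tcp.dstport, TCP flag names), such as one would get from tshark -T fields; they are not real traffic, all addresses are made up, and the thresholds (10 ports, 20 half-open clients) are assumptions chosen for the sample.

```python
from collections import defaultdict

# Added example (not from the lab manual). Records are constructed here; addresses are made up.
# Record shape: (time, ip.src, ip.dst, tcp.srcport, tcp.dstport, set of TCP flag names)


def build_sample():
    recs = []
    # 1. one normal handshake: workstation -> web server, completed with ACK
    recs += [(0.000, "10.0.0.5", "10.0.0.80", 40001, 80, {"SYN"}),
             (0.001, "10.0.0.80", "10.0.0.5", 80, 40001, {"SYN", "ACK"}),
             (0.002, "10.0.0.5", "10.0.0.80", 40001, 80, {"ACK"})]
    # 2. a SYN (half-open) scan of ports 21-40: closed ports answer RST/ACK,
    #    open ports (22, 25) answer SYN/ACK and the scanner tears them down with RST
    for i, port in enumerate(range(21, 41)):
        t = 1.0 + i * 0.01
        recs.append((t, "10.0.0.66", "10.0.0.80", 50000 + i, port, {"SYN"}))
        if port in (22, 25):
            recs.append((t + 0.001, "10.0.0.80", "10.0.0.66", port, 50000 + i, {"SYN", "ACK"}))
            recs.append((t + 0.002, "10.0.0.66", "10.0.0.80", 50000 + i, port, {"RST"}))
        else:
            recs.append((t + 0.001, "10.0.0.80", "10.0.0.66", port, 50000 + i, {"RST", "ACK"}))
    # 3. a SYN flood: 50 spoofed sources, one SYN each to port 443; SYN/ACK is never acknowledged
    for i in range(50):
        t = 2.0 + i * 0.0001
        src = "203.0.113.%d" % (i + 1)
        recs.append((t, src, "10.0.0.80", 1024 + i, 443, {"SYN"}))
        recs.append((t + 0.0005, "10.0.0.80", src, 443, 1024 + i, {"SYN", "ACK"}))
    return recs


SAMPLE = build_sample()


def handshake_states(records):
    """Follow each flow through the three-way handshake. Keys are (client, server, cport, sport)."""
    state = {}
    for _, src, dst, sport, dport, flags in records:
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags == {"SYN"}:
            state[fwd] = "SYN_SENT"
        elif flags == {"SYN", "ACK"} and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_RECEIVED"          # half-open: the server is holding a backlog slot
        elif "RST" in flags:                     # either side aborting the flow
            for key in (fwd, rev):
                if key in state:
                    state[key] = "CLOSED"
        elif flags == {"ACK"} and state.get(fwd) == "SYN_RECEIVED":
            state[fwd] = "ESTABLISHED"
    return state


def find_port_scans(records, min_ports=10):
    """(src, dst, port_count) for sources that sent SYNs to many distinct ports of one host."""
    ports = defaultdict(set)
    for _, src, dst, _, dport, flags in records:
        if flags == {"SYN"}:
            ports[(src, dst)].add(dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def find_syn_floods(records, min_half_open=20):
    """(server, port, client_count) for listeners with many distinct clients stuck half-open."""
    half_open = defaultdict(set)
    for (client, server, _, sport), st in handshake_states(records).items():
        if st == "SYN_RECEIVED":
            half_open[(server, sport)].add(client)
    return sorted((srv, port, len(c)) for (srv, port), c in half_open.items() if len(c) >= min_half_open)


if __name__ == "__main__":
    print("port scans:", find_port_scans(SAMPLE))
    print("SYN floods:", find_syn_floods(SAMPLE))
    print("workstation flow:", handshake_states(SAMPLE)[("10.0.0.5", "10.0.0.80", 40001, 80)])
```

The scanner is caught by the port-count rule but not by the half-open rule, because it resets every flow it opens; the flood is the opposite, fifty flows that never leave SYN_RECEIVED. Keeping the two rules separate avoids mistaking one for the other.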
Experiment No:4
Aim: Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to capture and analyze the packets to demonstrate the vulnerability and the importance of encryption.
Solution:
Step 1: Open Wireshark on Windows or in a Linux virtual machine and start capturing on the interface the browser uses, for example the Wi-Fi interface.
Step 2: With the capture running, open a website that uses plain HTTP (not HTTPS) and log in with test credentials, as you can see in the image.
Step 3: After logging in, stop the capture and look for the login credentials. Display filters narrow the capture down to the packets that carry the form data.
Step 4: Wireshark has captured many packets, but we are specifically looking for HTTP packets. Enter the display filter http in the green filter bar, as in the image below, to show only the captured HTTP packets.
Step 5: Among those, we are looking for the request that carried the form data the user submitted to the website, and there is a separate filter for that.
Two methods are used for submitting form data such as a login form from a web page to the server:
● GET
● POST
Step 6: First try GET: apply the filter http.request.method == "GET", as you can see below. In the image there are two packets in which the login page was requested with GET, but no form data was submitted with a GET request (if it had been, the fields would appear in the URL on the request line).
Step 7: Since GET showed no form data, filter on POST with http.request.method == "POST", as you can see. A packet with form data appears; click it, expand the "HTML Form URL Encoded: application/x-www-form-urlencoded" section in the Packet Details pane, and the username and password are readable there, identical to what was typed into the website in step 2. Had the site used HTTPS, the same POST would sit inside an encrypted TLS record and the fields could not be recovered from the capture.
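The following is an added example, not part of the original manual: what the "HTML Form URL Encoded" dissector in step 7 recovers, done by hand on raw HTTP request bytes. It goes a little beyond the experiment by also covering the two other places plaintext HTTP carries credentials: a GET query string (the case step 6 looks for) and an Authorization: Basic header. The requests are constructed inside the script (the hostname dvwa.lab, the field names, and the alice/hunter2 credentials are made up), and the list of credential-looking field names is a heuristic assumed for the example.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Added example (not from the lab manual). Requests below are constructed; credentials are made up.
CREDENTIAL_KEYS = ("user", "pass", "pwd", "secret", "token")   # heuristic, assumed for this example


def parse_http_request(raw: bytes) -> dict:
    """Split one HTTP/1.x request into request line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def extract_credentials(raw: bytes) -> dict:
    """Return {where.field: value} for every credential-looking value the request sends in the clear."""
    req = parse_http_request(raw)
    found = {}
    # 1. form fields in the query string of a GET (visible in the request line)
    for key, values in parse_qs(urlsplit(req["target"]).query).items():
        found["query." + key] = values[0]
    # 2. form fields in a POST body, what Wireshark labels "HTML Form URL Encoded"
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(req["body"].decode("utf-8", "replace")).items():
            found["form." + key] = values[0]
    # 3. HTTP Basic authentication: base64 of "user:password", not encryption
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("utf-8", "replace").partition(":")
        found["basic.username"], found["basic.password"] = user, password
    return {k: v for k, v in found.items() if any(w in k.lower() for w in CREDENTIAL_KEYS)}


# Constructed sample requests (field names mirror a typical login form; "Login=Login" is the submit button)
_BODY = b"username=alice&password=hunter2&Login=Login"
POST_LOGIN = (b"POST /login.php HTTP/1.1\r\nHost: dvwa.lab\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: %d\r\n\r\n" % len(_BODY)) + _BODY
GET_LOGIN = b"GET /login.php?username=alice&password=hunter2&Login=Login HTTP/1.1\r\nHost: dvwa.lab\r\n\r\n"
BASIC_AUTH = (b"GET /admin/ HTTP/1.1\r\nHost: dvwa.lab\r\nAuthorization: Basic "
              + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
SEARCH = b"GET /search.php?q=wireshark HTTP/1.1\r\nHost: dvwa.lab\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("POST", POST_LOGIN), ("GET", GET_LOGIN), ("Basic", BASIC_AUTH), ("search", SEARCH)):
        print(name, extract_credentials(raw))
```

All three forms are equally exposed on the wire; Basic authentication only looks obscured because of the base64 step. The only fix is to carry the request inside TLS, at which point none of these bytes are visible to a sniffer.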
Experiment No:5
Aim: ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the
captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.
Solution:
1. Open Ettercap.
2. A new window opens asking which interface to use, defaulting to eth0. Choose the interface that is on the same LAN as both targets; ARP poisoning only works inside one broadcast domain.
3. Click "OK". Ettercap starts sniffing and loads its plugins.
4. Click the "Hosts" tab and choose "Scan for Hosts". Ettercap begins scanning the network for hosts.
5. In the same "Hosts" tab, click "Hosts List". This displays all the hosts Ettercap has discovered on your network, as seen in the screenshot below.
6. Select the host that will be the first target of this attack by clicking it, then click "Add to Target 1" at the bottom of the window. Ettercap adds that host as the first target of the MITM attack, as seen in the screenshot below. Next, select the second host and click "Add to Target 2". Typically Target 1 is the victim machine and Target 2 is the default gateway, so that everything the victim sends to or receives from the internet passes through the attacker.
7. Finally, open the "MITM" menu; the drop-down has an entry called "ARP Poisoning", as seen in the screenshot below.
8. Select it and a pop-up window like the one below opens. Tick "Sniff remote connections" and press OK. Ettercap begins ARP poisoning and reports it in its main window with the message below.
Ettercap is now sending forged ARP replies to both targets so that each of them maps the other's IP address to the attacker's MAC address. All traffic between the two flows through the attacker, who forwards it on so that neither side notices the detour. In a Wireshark capture taken on the same network during the attack this shows up as a steady stream of unsolicited ARP replies from the attacker's MAC, and Wireshark flags the conflict itself with a "Duplicate IP address detected" warning (display filter arp.duplicate-address-detected).
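The following is an added example, not part of the original manual: the detection side of the experiment, finding the symptoms of an ARP poisoning session in ARP frames. The frames are constructed inside the script and are not a real capture: one legitimate request/reply pair, then an attacker repeatedly sending unsolicited replies that map the gateway's IP and the victim's IP to its own MAC, the way an Ettercap session against Target 1 and Target 2 does. All addresses are made up.

```python
from collections import defaultdict

# Added example (not from the lab manual). Frames are constructed here; addresses are made up.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:aa:aa:aa:aa:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"
REQUEST, REPLY = 1, 2

# Frame shape: (time, opcode, sender_mac, sender_ip, target_mac, target_ip)
SAMPLE = [
    # legitimate: the victim asks who has the gateway IP, the gateway answers
    (0.000, REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    (0.001, REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]
for _i in range(5):   # poisoned replies are re-sent periodically to keep both ARP caches overwritten
    SAMPLE.append((1.0 + _i, REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))   # "gateway is me" -> victim
    SAMPLE.append((1.0 + _i, REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))  # "victim is me" -> gateway


def analyse_arp(frames):
    """Return (alerts, ip_to_macs, mac_to_ips). Each alert is a (kind, time, detail) tuple."""
    pending = set()                       # (requester_mac, requested_ip) waiting for a reply
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, op, smac, sip, tmac, tip in frames:
        # every ARP frame announces the sender's IP->MAC binding; caches learn from both kinds
        ip_to_macs[sip].add(smac)
        mac_to_ips[smac].add(sip)
        if op == REQUEST:
            pending.add((smac, tip))
        elif (tmac, sip) in pending:      # a reply somebody actually asked for
            pending.discard((tmac, sip))
        else:                             # gratuitous reply: the ARP poisoning primitive
            alerts.append(("unsolicited_reply", t, f"{smac} claims {sip} to {tmac}"))
        if len(ip_to_macs[sip]) > 1:      # what Wireshark reports as "Duplicate IP address detected"
            alerts.append(("ip_mac_conflict", t, f"{sip} seen from {sorted(ip_to_macs[sip])}"))
        if len(mac_to_ips[smac]) > 1:     # one NIC answering for several IPs: the MITM footprint
            alerts.append(("mac_claims_multiple_ips", t, f"{smac} answers for {sorted(mac_to_ips[smac])}"))
    return alerts, dict(ip_to_macs), dict(mac_to_ips)


def suspected_attacker_macs(frames):
    """MACs that claim more than one IP, at least one of which another MAC also claims."""
    _, ip_to_macs, mac_to_ips = analyse_arp(frames)
    return sorted(mac for mac, ips in mac_to_ips.items()
                  if len(ips) > 1 and any(len(ip_to_macs[ip]) > 1 for ip in ips))


def alert_counts(frames):
    counts = defaultdict(int)
    for kind, _, _ in analyse_arp(frames)[0]:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    print(alert_counts(SAMPLE))
    print("suspected attacker:", suspected_attacker_macs(SAMPLE))
    for kind, t, detail in analyse_arp(SAMPLE)[0][:3]:
        print(f"{t:6.3f} {kind:24s} {detail}")
```

The first two frames raise nothing; every poisoned reply raises an unsolicited-reply alert and an IP/MAC conflict, and from the second one on the attacker's MAC is also seen answering for two different IPs. A host with a static ARP entry for the gateway, or a switch with dynamic ARP inspection, would not accept the forged binding in the first place.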