Practical 1

Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols
like HTTP, DNS, and SMTP to understand how data is transmitted and received.

Wireshark captures the data coming or going through the NICs on its device by using an underlying packet
capture library. By default, Wireshark captures on-device data only, but it can capture almost all the data on its
LAN if run in promiscuous mode. Currently, Wireshark uses the Nmap project's packet capture library (called Npcap).

Wireshark–
Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and
communications protocol development, and education. It is a data capturing program that can parse and
display the fields of different networking protocols.

Features of Wireshark –

Key features of Wireshark include:

 Packet capture (PCAP) that converts network traffic into a human-readable format
 Real-time analysis providing a live view of network traffic
 Filtering capabilities to focus on specific types of network traffic
 Graphical user interface (GUI) designed for ease of use.
Packets–
Packets are the atomic units of data transmission in networking, acting as courier vessels navigating cyberspace.
They carry information payloads and are essential for sending messages across networks with precision.

Role of Packets–
 Packets are like courier vessels that navigate networks.
 They carry information payloads and deliver data from sender to receiver.

Functionality–
 Packets are crucial for reliable data transmission in interconnected networks.

Comparison–
 Analogous to courier vessels navigating cyberspace.

Importance–
 Essential for sending messages across networks with precision.

Protocols–
Protocols are the guiding principles of digital communication, establishing rules for devices to interact harmoniously
across the digital landscape.

They play a crucial role in shaping the flow of information, from ubiquitous protocols like HTTP for web browsing to
robust suites like TCP/IP that underpin the internet itself.

Through meticulous standardization and adherence to specifications, protocols ensure seamless interoperability
and reliable data transmission in the interconnected world of digital communication.

Filters in Wireshark–

Filters in Wireshark act as sophisticated lenses, enabling users to focus on specific aspects of network traffic by
isolating packets based on various criteria like source or destination IP addresses, host communication, or protocol
type.

These customizable filters empower analysts to extract actionable insights from packet data, aiding in
troubleshooting, security threat identification, and gaining deeper visibility into network behavior by refining their
focus on relevant information.

Colorization in Wireshark–
Colorization in Wireshark enhances the visual analysis of packet data by assigning different colors based on criteria like
protocol type, packet length, or error status. This visual representation facilitates pattern recognition and improves
readability, aiding in the interpretation of packet captures.

Key points about colorization in Wireshark:

 Adds a visual layer to packet analysis.
 Transforms raw packet data into an intuitive display
 Assigns colors based on criteria like protocol type, packet length, or error status
 Enhances readability and facilitates pattern recognition
 Helps identify anomalous traffic spikes and trace data flow in complex network topologies

HTTP (Hypertext Transfer Protocol)-

1. Communication Protocol: HTTP enables communication between web browsers (e.g., Firefox, Chrome)
and webservers.
2. Message Format: It defines the structure of messages exchanged during web interactions.
3. Web Browsing: HTTP dictates how a web browser should respond to requests from users.
4. Backbone of the Web: HTTP is the backbone of the World Wide Web, facilitating
seamless data transmission between clients and servers.
FTP–
 FTP stands for File Transfer Protocol.
 It is used to transfer files over a communication network.
 FTP establishes two TCP connections: Control Connection for user authentication and Data
Connection for file transfer.

SMTP (Simple Mail Transfer Protocol)–

 Function: Used by email servers globally for communication.
 Purpose: Facilitates the delivery of emails between servers.
 Importance: Enables emails to reach recipients' inboxes efficiently.
 Usage: Ensures timely delivery of emails, like assignments to professors.
 Role: Crucial in the seamless exchange of emails.
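The protocols above are easiest to understand by decoding one of them by hand, which is what Wireshark's dissectors do for every captured frame. The following is an added example, not part of the original practical notes and not Wireshark's own code: a small DNS message parser in Python with a constructed query/response pair for example.com embedded inline. The response uses a compression pointer (0xC00C) back to the question name, the feature that a careless parser gets wrong, so the decoder follows pointers only backwards and to a bounded depth.

```python
import struct

# Constructed sample messages (not from a real capture): a query for example.com
# (type A) and the matching response, which uses a compression pointer (0xC00C)
# back to the name in the question section at offset 12.
QUERY = (
    b"\x12\x34"                           # transaction ID
    b"\x01\x00"                           # flags: standard query, recursion desired
    b"\x00\x01\x00\x00\x00\x00\x00\x00"   # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    b"\x07example\x03com\x00"             # QNAME as length-prefixed labels
    b"\x00\x01\x00\x01"                   # QTYPE=A, QCLASS=IN
)
RESPONSE = (
    b"\x12\x34\x81\x80"                   # same ID; flags: response, RD+RA, RCODE=0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"   # one question, one answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c"                           # NAME: compression pointer to offset 12
    b"\x00\x01\x00\x01"                   # TYPE=A, CLASS=IN
    b"\x00\x00\x0e\x10"                   # TTL=3600
    b"\x00\x04"                           # RDLENGTH=4
    b"\xc0\x00\x02\x01"                   # RDATA: 192.0.2.1 (documentation address)
)


def read_name(msg, offset, depth=0):
    """Decode a DNS name starting at offset; return (name, offset after the name).

    Compression pointers (top two bits set) are followed only backwards and only
    to a bounded depth, so a crafted message cannot send the parser into a loop."""
    if depth > 16:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward compression pointer")
            tail, _ = read_name(msg, pointer, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_message(msg):
    """Parse the header, question section and answer section of a DNS message."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:          # A record: render the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": tid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "questions": questions,
        "answers": answers,
    }


def match_transaction(query, response):
    """True when the response answers this query: same ID and same question,
    which is how a resolver (and an analyst pairing packets) checks them."""
    q, r = parse_message(query), parse_message(response)
    return (not q["is_response"] and r["is_response"]
            and q["id"] == r["id"] and q["questions"] == r["questions"])


if __name__ == "__main__":
    for label, msg in (("query", QUERY), ("response", RESPONSE)):
        print(label, parse_message(msg))
    print("paired:", match_transaction(QUERY, RESPONSE))
```

Comparing the parsed fields with what Wireshark shows in the packet details pane for a real DNS capture (Transaction ID, Flags, Queries, Answers) makes the dissector output much less opaque; the same length-prefixed-label and pointer logic is what the DNS dissector is doing underneath.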
Practical 2
Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as
repeated connection attempts or unusual communication between hosts.
Suspicious activities pose a significant threat when it comes to the potential danger they bring to humans.
With the rise in criminal acts in urban and suburban areas, it is crucial to identify them to be able to
minimize such incidents. In the past, surveillance was conducted manually by humans, which was an
exhausting task as suspicious activities were uncommon compared to the usual activities. With the advent of
intelligent surveillance systems, various approaches were introduced in monitoring. We focus on analyzing
two cases which, if ignored, could lead to a high risk to human lives: detecting potential firearm-
based crimes and detecting abandoned luggage in frames of surveillance footage. We present a deep neural
network model that can detect handguns in images and a machine learning and computer vision pipeline
that detects unattended baggage so that we could identify potential firearm-based crime and abandoned
luggage situations in surveillance footage.

Nmap Scans–
Nmap is an industry-standard tool for mapping networks, identifying live hosts, and discovering services. It is a
commonly used network scanner tool, and security analysts learn to identify the network patterns created by its various
scan types. Two common Nmap scan types are TCP Connect scans and SYN scans.

UDP Scans–
 UDP scans differ from TCP Connect scans in that they do not require a handshake process.
 Open UDP ports do not respond to the probe; closed ports instead generate an ICMP error message.
 Analyzing UDP scans can provide insights into network activity, including identifying potential security
threats and abnormal communication patterns.

The above image shows that the closed port returns an ICMP error packet. No further information is provided
about the error at first glance, so how can an analyst decide where this error message belongs? The ICMP
error message uses the original request as encapsulated data to show the source/reason of the packet.
Once you expand the ICMP section in the packet details pane, you will see the encapsulated data and the
original request, as shown in the below image.
Open TCP port (Connect)–

The above images provide the patterns in isolated traffic. However, it is not always easy to spot the given patterns in big
capture files.

Therefore, analysts need to use a generic filter to view the initial anomaly patterns, and then it will be easier
to focus on a specific traffic point. The given filter shows the TCP Connect scan patterns in a capture file.

Here, knowing the network architecture and inspecting the traffic for a specific time frame can help detect
the anomaly. As an analyst, you should take notes of your findings before going further. This will help you be organised
and make it easier to correlate the further findings.
Look at the given picture; there is a conflict: the MAC address that ends with “b4” crafted an ARP request with the
“192.168.1.25” IP address, then claimed to have the “192.168.1.1” IP address.
Practical 3
Malware Traffic Analysis: Analyze captured traffic to identify signs of malware
communication, such as command-and-control traffic or data infiltration.
If you are not yet familiar with Malware-Traffic-Analysis.net (MTA), I strongly suggest visiting
the site to explore the valuable work Brad is doing. He has developed an impressive system for
identifying infected websites and malware, capturing relevant traffic in PCAPs, and offering
comprehensive insights into the traffic, malware, and other pertinent details.

One aspect of the site that I particularly enjoy is the inclusion of PCAPs with sets of questions, serving
as exercises for investigators to refine their packet analysis skills. I make it a point to engage with
these exercises as they provide a hands-on opportunity to delve into the latest exploit kits. Recently,
I delved into the exercise dated March 9, 2015, and wanted to share my analysis with others.

The Setup–
Before delving into the analysis, let me provide a brief overview of my analysis setup. While a
significant portion of the traffic is live, I prefer to work in a dedicated environment for analyzing
historical PCAP data. In this setup, the tools utilized (as demonstrated in this example) include Suricata
2.0.7 with the latest Emerging Threats rule set, with Suricata logs directed to a single index within
Elasticsearch, and Wireshark.

Although there are numerous other tools at my disposal, for brevity, I will focus on these key tools for
now. Let's kick off the analysis!

Step 1: Executing the Packet
Having a pre-configured environment allows me to efficiently process a PCAP through various tools,
quickly opening Wireshark and a web browser to expedite the analysis. I have a simple script that runs the
PCAP through Suricata. Here are the basic commands to replay the traffic:

By scripting these commands, I can initiate the necessary tools with a single command, including
opening a web browser to view Kibana. The '-r' switch is commonly used for this purpose.

Step 2: Identifying Alerts


Firstly, I review the Suricata output to identify any alerts that could provide insights into the ongoing
activities. By utilizing a dashboard with customized widgets, I focus on visualizing the traffic and
identifying specific events:
Upon examination, the dashboard reveals several events, including alerts related to Kelihos, Simda,
PE/DLL downloads, and a Nuclear EK drive-by. I have color-coded the activities based on alerts, DNS,
and overall traffic, with notable occurrences of red throughout the histogram. Towards the end of
the PCAP, there is a notable surge in traffic activity, disrupting the graph's scale.

Taking a moment to assess our progress:

Multiple alerts have been generated from the PCAP, indicating the presence of well-known Trojans, a
drive-by kit, malware check-ins, outdated Flash vulnerabilities, and PE/DLL downloads. This initial
analysis suggests:

The likelihood of malware being dropped, potentially due to a web vulnerability or exploit.

The presence of an executable or DLL being dropped, possibly resembling files associated with Kelihos
or Simda, noting that the file was delivered via HTTP.

Check-in alerts indicating that the malware may have executed and communicated outwards, with
multiple check-in alerts for each malware type.

Step 3: Establishing Activity Timeline


With these pointers in mind, I proceed to scroll through the dashboard to examine the alerts and
supporting information:
The first alert, chronologically speaking, leads to a Nuclear EK drive by event time stamped on March 9,
2015, at 16:54:23.797347. The event involves two IPs, a source, and a destination:

Destination IP (internal host):172.16.138.158

Source IP (external): 178.62.142.240

As we delve into profiling the activity, maintaining detailed notes and context is crucial. Continuing
within the Kibana dashboard, we observe the surrounding activities related to the alert:

Highlighted in red, the event provides a timestamp and IPs, offering a window into the events
preceding and following the alert. The analysis reveals browsing activities on fortunet.biz, requests to
portal.0037.in for a PHP page, and subsequent requests to soquumaihi.co.vu/WQdbAk8CUx8J.html,
deviating from the expected browsing behavior. Additionally, there is application/octet-stream
content originating from the .co.vu domain, interspersed with alerts related to the Nuclear EK event
and Flash vulnerabilities.

Further down the dashboard, we encounter additional alerts and heightened activity from the .co.vu
domain, including more application/octet-stream content. To tie up loose ends from our initial
observations, let's delve into more events:
Malware traffic analysis involves scrutinizing captured network traffic to identify indications of malware
communication, such as command-and-control traffic or data infiltration.
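The workflow in Steps 2 and 3 (find the earliest alert, then pull the events around it for the same host, and pick out the binary downloads) is mechanical enough to script against Suricata's JSON output. The following is an added example, not part of the original write-up and not Suricata's or Kibana's own code: it builds that timeline from constructed records in a simplified eve.json shape. The internal and external IPs, the first-alert timestamp and the domains are the ones named above; the 203.0.113.x addresses, the /index.php and /download1 paths and the signature wording are placeholders.

```python
from datetime import datetime

INTERNAL_HOST = "172.16.138.158"      # internal host from the analysis above
EK_HOST = "178.62.142.240"            # external source of the first alert above

# Constructed records in a simplified eve.json shape: timestamp, event_type,
# src_ip, dest_ip and an "alert" or "http" object. Not the exercise's real data.
EVENTS = [
    {"timestamp": "2015-03-09T16:54:20.100000", "event_type": "http", "src_ip": INTERNAL_HOST, "dest_ip": "203.0.113.10",
     "http": {"hostname": "fortunet.biz", "url": "/", "http_content_type": "text/html"}},
    {"timestamp": "2015-03-09T16:54:22.500000", "event_type": "http", "src_ip": INTERNAL_HOST, "dest_ip": "203.0.113.20",
     "http": {"hostname": "portal.0037.in", "url": "/index.php", "http_content_type": "text/html"}},
    {"timestamp": "2015-03-09T16:54:23.797347", "event_type": "alert", "src_ip": EK_HOST, "dest_ip": INTERNAL_HOST,
     "alert": {"signature": "Nuclear EK drive by", "severity": 1}},
    {"timestamp": "2015-03-09T16:54:24.100000", "event_type": "http", "src_ip": INTERNAL_HOST, "dest_ip": EK_HOST,
     "http": {"hostname": "soquumaihi.co.vu", "url": "/WQdbAk8CUx8J.html", "http_content_type": "text/html"}},
    {"timestamp": "2015-03-09T16:54:26.300000", "event_type": "http", "src_ip": INTERNAL_HOST, "dest_ip": EK_HOST,
     "http": {"hostname": "soquumaihi.co.vu", "url": "/download1", "http_content_type": "application/octet-stream"}},
    {"timestamp": "2015-03-09T16:54:26.350000", "event_type": "alert", "src_ip": EK_HOST, "dest_ip": INTERNAL_HOST,
     "alert": {"signature": "Flash vulnerability exploit", "severity": 1}},
    # Another internal host browsing at the same moment: must stay out of the window.
    {"timestamp": "2015-03-09T16:54:24.000000", "event_type": "http", "src_ip": "172.16.138.200", "dest_ip": "203.0.113.10",
     "http": {"hostname": "fortunet.biz", "url": "/news", "http_content_type": "text/html"}},
    # A check-in over a minute later: same host, but outside the context window.
    {"timestamp": "2015-03-09T16:55:40.000000", "event_type": "alert", "src_ip": INTERNAL_HOST, "dest_ip": "203.0.113.30",
     "alert": {"signature": "Kelihos check-in", "severity": 1}},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def hosts_of(event):
    return {event["src_ip"], event["dest_ip"]}


def first_alert(events):
    """The chronologically first alert, the anchor for profiling the activity."""
    return min((e for e in events if e["event_type"] == "alert"),
               key=lambda e: parse_ts(e["timestamp"]))


def context_window(events, anchor, seconds=5.0):
    """Events within +/- `seconds` of the anchor that involve one of its hosts."""
    t0 = parse_ts(anchor["timestamp"])
    return sorted(
        (e for e in events
         if abs((parse_ts(e["timestamp"]) - t0).total_seconds()) <= seconds
         and hosts_of(e) & hosts_of(anchor)),
        key=lambda e: parse_ts(e["timestamp"]))


def binary_downloads(events):
    """(hostname, url) of every HTTP response carrying application/octet-stream:
    the candidates for a dropped executable or DLL."""
    return [(e["http"]["hostname"], e["http"]["url"]) for e in events
            if e["event_type"] == "http"
            and e["http"].get("http_content_type") == "application/octet-stream"]


def timeline(events, seconds=5.0):
    """One line per event around the first alert, in the order an analyst would note them."""
    lines = []
    for e in context_window(events, first_alert(events), seconds):
        if e["event_type"] == "alert":
            detail = "ALERT " + e["alert"]["signature"]
        else:
            h = e["http"]
            detail = f"HTTP {h['hostname']}{h['url']} ({h.get('http_content_type', '?')})"
        lines.append(f"{e['timestamp']} {e['src_ip']} -> {e['dest_ip']} {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(timeline(EVENTS)))
    print("binary downloads:", binary_downloads(EVENTS))
```

With a real eve.json, each line of the file is one JSON object of this shape (the real records carry a timezone suffix on the timestamp and many more fields), so the same functions apply after `json.loads` on each line; the window width is the knob to widen when the landing page, the exploit and the payload are spread further apart than in this constructed sample.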
Practical 4
Password Sniffing: Simulate a scenario where a password is transmitted in plain text. Use
Wireshark to capture and analyze the packets to demonstrate the vulnerability and the
importance of encryption.

What is Password Sniffing?


Password sniffing is a type of network attack where an attacker intercepts data packets containing passwords
and uses a password-cracking program to obtain the actual passwords. This method is commonly used to steal login
credentials for various accounts, including email, social media, and financial accounts. It is a prevalent attack on
both home and business networks, posing a significant security risk.

Why is Password Sniffing a Threat?


Password sniffing poses a threat as it can lead to the theft of sensitive information such as login credentials
and credit card numbers. Attackers can eavesdrop on network traffic or physically intercept data
transmissions between devices. Once passwords are sniffed, attackers can access victims' accounts, potentially
resulting in financial loss or the disclosure of confidential information.

How Do Hackers Use Packet Sniffers?


Hackers utilize packet sniffers to steal information and login credentials through sniffing attacks. They can
intercept passwords, email messages, and other sensitive data, as well as monitor internet activity and collect
user data without consent. One common method used by hackers is ARP poisoning, allowing interception of
traffic meant for another computer on the same network.

Active Sniffing vs Passive Sniffing


Active Sniffing: Involves attackers sending packets onto the network to disrupt or intercept communications,
making it easier to detect as it generates traffic.
Passive Sniffing: Attackers do not generate traffic; instead, they eavesdrop on existing traffic passing through
the network, making it more challenging to detect. This method involves capturing network traffic to gain
information that can be used to exploit vulnerabilities.

Best Defense Against Password Sniffing


One effective defense against password sniffing is to encrypt traffic using technologies like VPNs or SSL/TLS.
Encryption significantly increases the difficulty for attackers to read intercepted traffic, enhancing network
security.

Types of Sniffing
 Web Password Sniffing: Captures passwords sent over a network, enabling ethical hackers to
identify security vulnerabilities or troubleshoot network issues.
 LAN Sniffing: Monitors traffic on a local area network, providing insights into data exchanges
between devices for troubleshooting or information gathering purposes.
 Protocol Sniffing: Focuses on protocols used for communication between devices, allowing
ethical hackers to analyze data transmission and exchanged information.
 ARP Sniffing: Involves mapping IP addresses to physical addresses using the Address Resolution
Protocol (ARP). Useful for obtaining information about network devices or troubleshooting network
issues.

TCP Session Stealing–


 Observes how data is transmitted and the information exchanged using TCP.
 Helps identify security vulnerabilities and troubleshoot network problems.

What is a Sniffer App?


A sniffer app is a type of software that intercepts and logs network traffic. It can be utilized for both legal and illegal
purposes, depending on its configuration and use. Network administrators employ sniffer apps to monitor network
activity and identify security threats. However, malicious individuals can exploit these apps to steal sensitive
information like passwords or credit card details.
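The practical asks for a demonstration that a password sent in plain text is readable to anyone who captures the packet, and the defence section says encryption is what removes that exposure. The following is an added example, not part of the original notes and not Wireshark's own code: a small audit function that walks constructed TCP payloads (an HTTP request with Basic authentication, an HTTP form login, an FTP USER/PASS exchange and a TLS record) and reports which of them carried a credential in the clear, redacting the password itself. The hostname, account name and port numbers are assumptions.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed TCP payloads (not from a real capture): (destination port, bytes).
PAYLOADS = [
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic " + base64.b64encode(b"karen:12345") + b"\r\n\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
         b"username=karen&password=12345"),
    (21, b"USER karen\r\n"),
    (21, b"PASS 12345\r\n"),
    # Start of a TLS ClientHello: opaque bytes, nothing for an eavesdropper to read.
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

BASIC_RE = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M)
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")


def redact(secret):
    """Keep the first character so the finding is recognisable without storing the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_cleartext_credentials(payloads):
    """Return (protocol, port, username, redacted password) for every credential
    that crossed the wire unencrypted. Payloads that are not readable text are
    skipped: that is exactly what TLS buys the user."""
    findings = []
    ftp_user = None
    for port, data in payloads:
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            continue
        # HTTP Basic: the header is only base64, which is encoding, not encryption.
        m = BASIC_RE.search(text)
        if m:
            user, _, pw = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
            findings.append(("http-basic", port, user, redact(pw)))
        # HTTP form login: the password travels in the POST body.
        if text.startswith("POST ") and "\r\n\r\n" in text:
            form = parse_qs(text.split("\r\n\r\n", 1)[1])
            user = form.get("username", form.get("user", [None]))[0]
            for field in PASSWORD_FIELDS:
                if field in form:
                    findings.append(("http-form", port, user, redact(form[field][0])))
        # FTP: USER and PASS are separate commands on the control connection.
        if port == 21:
            if text.startswith("USER "):
                ftp_user = text[5:].strip()
            elif text.startswith("PASS "):
                findings.append(("ftp", port, ftp_user, redact(text[5:].strip())))
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(PAYLOADS):
        print("cleartext credential:", finding)
```

In Wireshark the equivalent spot checks are the display filters `http.authorization`, `http.request.method == "POST"` and `ftp.request.command == "PASS"`; the same capture taken of the HTTPS or FTPS version of each login shows only TLS records, which is the point the practical is making.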
Practical 5
ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the
captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

ARP (Address Resolution Protocol)–
 ARP is a protocol used to map an IP address to a physical MAC address. It is used to obtain the
MAC address of a network device when only its IP address is known.
 ARP works by broadcasting the IP address and requesting the corresponding MAC address
from the network. The MAC address is then used to send data to the device.

RARP (Reverse Address Resolution Protocol)–


 RARP is a protocol used to map a physical MAC address to an IP address. It is used to obtain the
IP address of a host based on its physical MAC address.
 RARP works by broadcasting the MAC address and requesting the corresponding IP address
from the network. The IP address is then used to communicate with the device

ARP Poisoning Attack Using Ettercap–


Environment Setup
 Use two VMs, one running Kali Linux and the other as the target Windows 10 machine.
 On the Kali machine, run arp -a to view the MAC addresses of the gateway and target.
 Note the last 4 digits of the MAC addresses, e.g. 3500 for the gateway and 27cd for the Windows VM.
Launching the Attack
 Start packet capture on the target Windows VM to record the attack traffic
 On the Kali machine, run Ettercap and select the target interfaces
 Select the target hosts to ARP poison, usually the gateway and Windows VM
 Start the ARP poisoning attack by enabling "Sniff remote connections" and "Redirect HTTP traffic".

Ettercap ARP Poisoning Attack – Analyzing the Captured Traffic
 Examine the ARP tables on the target Windows VM - you should see the gateway MAC address
has been changed to the Kali machine's MAC address
 Inspect the captured packets in Wireshark – you will see the Windows VM's traffic is now
being routed through the Kali machine
 Look for sensitive data like login credentials, cookies, etc. that can be harvested from the poisoned traffic

Wireshark Captured Packets – ARP Poisoning Attack Results
 ARP Poisoning Attack Success: ARP poisoning attack successful, with the Windows VM's traffic
being routed through the Kali machine
 ARP Poisoning Attack Failure: ARP poisoning attack failed due to network configuration or other issues

ARP and RARP in Practice–


 ARP in Action: ARP in action, mapping IP addresses to MAC addresses
 RARP in Action: RARP in action, mapping MAC addresses to IP addresses

ARP and RARP Packet Formats–


 ARP Packet Format: ARP packet format, showing the fields and their meanings
 RARP Packet Format: RARP packet format, showing the fields and their meanings

- By analyzing the captured packets, we can see how the ARP poisoning attack works. The attacker's
machine (Kali Linux) is now positioned between the victim (Windows VM) and the gateway,
allowing it to intercept and inspect all traffic.

- This man-in-the-middle scenario enables the attacker to steal sensitive data like login credentials,
cookies, and other information from the victim's traffic. The attacker can also modify the traffic
to inject malicious content or redirect the victim to a malicious site.

To prevent ARP poisoning attacks, it is important to secure the network by implementing measures
such as network segmentation, firewall configuration, and network monitoring. Users should also be
educated about the risks of ARP poisoning and the importance of using secure protocols like HTTPS to
protect their data.
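The network monitoring called for in the last paragraph comes down to watching ARP for three things: one IP address announced by two different MACs, a single MAC that switches the IP it claims (the “b4” conflict noted in Practical 2), and replies that no one asked for. The following is an added example, not part of the original notes and not Ettercap's or Wireshark's code: it runs those three checks over a constructed ARP log of the Practical 5 scenario. The MAC addresses are made up (chosen to end in 3500, 27cd and b4 to match the notes), the IPs 192.168.1.1, 192.168.1.20 and 192.168.1.25 are assumptions, and the known-good gateway mapping is the baseline an analyst would record before the lab.

```python
from collections import defaultdict

# Constructed baseline (not real addresses): gateway IP and the MAC it is known to have.
KNOWN_GATEWAY = ("192.168.1.1", "aa:aa:aa:aa:35:00")

# Constructed ARP log (not a real capture):
# (time, opcode, sender MAC, sender IP, target IP); opcode 1 = request, 2 = reply.
ARP_RECORDS = [
    (0.0, 1, "bb:bb:bb:bb:27:cd", "192.168.1.20", "192.168.1.1"),   # Windows VM asks who has the gateway
    (0.1, 2, "aa:aa:aa:aa:35:00", "192.168.1.1", "192.168.1.20"),   # the real gateway answers
    (5.0, 1, "cc:cc:cc:cc:00:b4", "192.168.1.25", "192.168.1.1"),   # poisoner asks as its own IP ...
    (6.0, 2, "cc:cc:cc:cc:00:b4", "192.168.1.1", "192.168.1.20"),   # ... then claims the gateway IP to the VM
    (6.0, 2, "cc:cc:cc:cc:00:b4", "192.168.1.20", "192.168.1.1"),   # ... and the VM's IP to the gateway
    (7.0, 2, "cc:cc:cc:cc:00:b4", "192.168.1.1", "192.168.1.20"),   # repeated to keep the caches poisoned
]


def detect_ip_conflicts(records):
    """IPs announced by more than one MAC. A victim's ARP table keeps the most
    recent claim, which is why the gateway entry changes during the attack."""
    macs_by_ip = defaultdict(set)
    for _ts, _op, mac, sender_ip, _target_ip in records:
        macs_by_ip[sender_ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def detect_identity_switches(records):
    """MACs that used one sender IP and later claimed another (the 'b4' pattern)."""
    ips_by_mac = defaultdict(list)
    for _ts, _op, mac, sender_ip, _target_ip in records:
        if sender_ip not in ips_by_mac[mac]:
            ips_by_mac[mac].append(sender_ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


def detect_unsolicited_replies(records, window=1.0):
    """Replies with no matching request in the preceding `window` seconds.
    Gratuitous ARP exists legitimately, so this is a signal, not proof."""
    findings = []
    for ts, op, mac, sender_ip, target_ip in records:
        if op != 2:
            continue
        asked = any(r_op == 1 and r_target == sender_ip and r_sender == target_ip
                    and 0 <= ts - r_ts <= window
                    for r_ts, r_op, _m, r_sender, r_target in records)
        if not asked:
            findings.append((ts, mac, sender_ip))
    return findings


def gateway_impersonators(records, known=KNOWN_GATEWAY):
    """MACs other than the recorded gateway MAC that claimed the gateway IP."""
    gw_ip, gw_mac = known
    return sorted({mac for _ts, _op, mac, sender_ip, _t in records
                   if sender_ip == gw_ip and mac != gw_mac})


if __name__ == "__main__":
    print("IP conflicts:", detect_ip_conflicts(ARP_RECORDS))
    print("identity switches:", detect_identity_switches(ARP_RECORDS))
    print("unsolicited replies:", detect_unsolicited_replies(ARP_RECORDS))
    print("gateway impersonators:", gateway_impersonators(ARP_RECORDS))
```

Wireshark already flags the first of these itself: its ARP dissector marks frames where an IP is seen with a second MAC, reachable with the display filter `arp.duplicate-address-detected`. The other two checks, and the comparison against a recorded gateway MAC, are what a host-based or switch-based ARP monitor adds on top; on the victim, the same change is visible as the gateway's MAC in `arp -a` turning into the Kali machine's.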
Practical 6
SQL Injection: Set up an SQL Injection Attack Using DVWA (Damn Vulnerable Web Application)

What is SQL injection (SQLi)?


SQL injection is one of the most common attacks used by hackers to exploit any SQL database-driven web
application. It’s a technique where SQL code/statements are inserted in the execution field with the aim of
altering the database contents, dumping useful database contents to the hacker, causing repudiation
issues, spoofing identity, and much more.
Let’s take a simple scenario where we have a web application with a login form with username and password
fields. If the developer used PHP for development, the code would look like this:

If a user Karen with the password ‘12345’ wanted to log in, after clicking the Submit or the Log in button, the
query that would be sent to the database would look like this:

If an attacker knew the username and wanted to bypass the login window, they would put something
like Karen;-- in the username field. The resulting SQL query would look like this:

What the attacker has done is add the -- (double dash), which comments out the rest of the SQL statement. The
above query will ignore the information entered in the password field, making it easier for the attacker to bypass
the login screen.

How to prevent SQL injection


The main reason that makes websites vulnerable to SQL injection attacks can be traced back to the web
development stage. Some of the techniques that can be implemented to prevent SQL injection include:

 Input validation: If the website allows user input, this input should be verified whether it’s allowed or
not.
 Parameterized queries: This is a technique where the SQL statements are precompiled and all you have to
do is supply the parameters for the SQL statement to be executed.
 Use stored procedures
 Use character-escaping functions
 Avoid administrative privileges - Don't connect your application to the database using an account with
root access
 Implement a Web application firewall (WAF)
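The login scenario above and the first two prevention points are clearest side by side in runnable code. The following is an added example, not DVWA's PHP and not part of the original notes: a Python module using the standard-library sqlite3 driver with an in-memory users table (the rows, and the plain-text password column kept only to mirror the scenario above, are constructed). Each query is written twice, once by string concatenation as in the scenario and once parameterized, and the always-true input from Step 3 is run against the DVWA-style user_id lookup as well. Because SQLite, not MySQL, is used, the comment sequence in the bypass input is `--` rather than `#`.

```python
import sqlite3


def build_db():
    """In-memory table in the shape of DVWA's users table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            user_id INTEGER PRIMARY KEY, user TEXT, password TEXT,
            first_name TEXT, last_name TEXT);
        INSERT INTO users VALUES (1, 'admin', 'password', 'Admin', 'Admin');
        INSERT INTO users VALUES (2, 'karen', '12345', 'Karen', 'Smith');
    """)
    return conn


# --- the scenario's login form ------------------------------------------------

def login_vulnerable(conn, username, password):
    """String concatenation: the input becomes part of the SQL text, so a quote
    and a comment sequence in the username rewrite the statement."""
    sql = f"SELECT user FROM users WHERE user = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Placeholders: the statement is compiled first and the values are bound
    afterwards, so the same input is only ever compared as data."""
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# --- the DVWA-style User ID lookup ---------------------------------------------

def lookup_vulnerable(conn, user_id):
    sql = (f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}' "
           f"ORDER BY user_id")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ? ORDER BY user_id"
    return conn.execute(sql, (user_id,)).fetchall()


def is_valid_user_id(user_id):
    """Input validation (allow-list): a User ID is a string of digits, nothing else."""
    return isinstance(user_id, str) and user_id.isdigit()


if __name__ == "__main__":
    db = build_db()
    bypass = "karen'--"                    # closes the quote, comments out the password check
    always_true = "%' or '1'='1"           # the Step 3 input
    print("vulnerable login, bypass input:   ", login_vulnerable(db, bypass, "wrong"))
    print("parameterized login, same input:  ", login_parameterized(db, bypass, "wrong"))
    print("vulnerable lookup, always-true:   ", lookup_vulnerable(db, always_true))
    print("parameterized lookup, always-true:", lookup_parameterized(db, always_true))
    print("validation accepts it?            ", is_valid_user_id(always_true))
```

The same contrast holds for the PHP in DVWA: the vulnerable pages build the query string with the request value inside it, while the hardened versions use prepared statements with bound parameters, and no amount of escaping a single quote is as robust as never letting the input reach the SQL parser as code.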

Any penetration tester who wants to get started or advance their skills in SQL injection will need a vulnerable
platform to practice. There are many vulnerable applications available both for offline and online use.

In this particular tutorial, we will focus on the Damn Vulnerable Web Application (DVWA).

Pre-requisites –
This tutorial expects that you have an up and running DVWA setup. If you have not yet installed DVWA on your
Kali Linux system, please check out the article which gives a step-by-step guide.

Step 1: Setup DVWA for SQL Injection


After successfully installing DVWA, open your browser and enter the required URL 127.0.0.1/dvwa/login.php. Log
in using the username “admin” and the password “password”. These are the default DVWA login
credentials. After a successful login, set the DVWA security to LOW, then click on SQL Injection on the left-side
menu.

DVWA SQL Injection


Step 2: Basic Injection
On the User ID field, enter “1” and click Submit. That is supposed to print the ID, First_name, and Surname on
the screen as you can see below. The SQL syntax being exploited here is:
DVWA Basic SQL Injection
Interestingly, when you check the URL, you will see there is an injectable parameter which is the ID. Currently,
my URL looks like this:

Let’s change the ID parameter of the URL to a number like 1,2,3,4 etc. That will also return
the First_name and Surname of all users as follows:

If you were executing this command directly on the DVWA database, the query for User ID 3 would look like this:

SQL Injection
Step 3: Always True Scenario
An advanced method to extract all the First_names and Surnames from the database would be to use the
input: %' or '1'='1'

always true injection


The percentage % sign does not equal anything and will be false. The '1'='1' query is registered as True since 1
will always equal 1. If you were executing that on a database, the query would look like this:

SQL Injection

Step 4: Display Database Version


To know the database version the DVWA application is running on, enter the text below in the User ID field.

The database version will be listed under surname in the last line as shown in the image below.
Display database version
Step 5: Display Database User
To display the Database user who executed the PHP code powering the database, enter the text below in the
USER ID field.

The Database user is listed next to the surname field in the last line as in the image

Display database user


Step 6: Display Database Name
To display the database name, we will inject the SQL code below in the User ID field.
The database name is listed next to the surname field in the last line.

Display database name


Step 7: Display all tables in information_schema
The Information Schema stores information about tables, columns, and all the other databases maintained by
MySQL. To display all the tables present in the information_schema, use the text below.

Database schema
Step 8: Display all the user tables in information_schema
For this step, we will print all the tables that start with the prefix user as stored in the information_schema.
Enter the SQL code below in the User ID.

%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
User tables
Step 9: Display all the columns fields in the information_schema user table
We will print all the columns present in the users’ table. This information will include column information like
User_ID, first_name, last_name, user, and password. Enter the input in the User_ID field.

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #

Column fields

Step 10: Display Column field contents


To display all the necessary authentication information present in the columns as stored in the
information_schema, use the SQL syntax below:
Column fields contents
From the image above, you can see the password was returned in its hashed format. To extract the password,
copy the MD5 hash and use applications like John the Ripper to crack it. There are also sites available on the
internet where you can paste the hash and if lucky, you will be able to extract the password.

Conclusion –
SQL injection proves to be a critical vulnerability that can exist in a system. Not only can attackers exploit it to
reveal user or customer information, but it can also be used to corrupt the entire database thus bringing the
whole system down. Injection is listed as the number one vulnerability in the OWASP Top 10 Vulnerabilities
summary. The DVWA acts as a reliable resource for both penetration testers who want to improve their skills
and web developers who want to develop systems with security in mind.
