ISF Assignment1

DEPARTMENT OF COMPUTER ENGINEERING & APPLICATIONS

Institute of Engineering & Technology

Practical File

Name: Piyush Kumar Univ Roll: 2315300015


Course: B. Tech (CS-CSF) Class Roll: 14

Faculty: Mr. Arvind Prasad

Code: BCSE 0638

Subject Name: IT System Security & Physical Security Lab

Year: I Semester: II Session: 2023-24


Experiment 1:
As a security expert at a leading organization, it is imperative to conduct thorough checks
to identify potential vulnerabilities and ensure the security of Windows systems. Your tasks
involve examining whether Windows administrative vulnerabilities are present, whether weak
passwords are being used on Windows accounts, whether known IIS and SQL administrative
vulnerabilities exist, and which security updates are required on each individual system in
your organization.
To make sure all the devices connected to your network are secured, perform the following
tasks:

A. Collect the IP addresses of the devices connected to your network.

B. Identify the range of IP addresses of the connected devices.
C. Using Microsoft Baseline Security Analyzer (MBSA), determine the security
state of the connected devices.
Ensure that your documentation is clear and concise, providing step-by-step instructions
along with screenshots to facilitate easy understanding.

Solution:

Step 1: To start scanning, click on the Scan multiple computers option.

Step 2: Fill in the IP address range of the systems to be scanned.

Step 3: Click on the Start Scan button.

Step 4: The scan now starts; it takes some time to complete.

Step 5: Once the scan is completed a scan report is generated; click on the Pick a security report
view option.

Step 6: In the next window the report is expanded; click on OK after analysing the report.
Experiment 2:
Consider you are the cybersecurity lead for an enterprise, and you have been tasked with
enhancing the security of the organization's endpoint devices. One of the key concerns is to
protect these devices from potential threats, including port scanning attacks.

• Your goal is to develop a Python program for port scanning that can help detect open
ports on a device (laptop or desktop) in a network.
• Maintain a white list of ports that should not be reported.
• Ask the user for an IP address and scan that IP address for open ports.
• Ask the user for a range of IP addresses and scan all the computers in that range.

Solution:

Python script for port scanning using socket.

    import socket

    print("Made by Piyush Kumar")


    def portscanner(target, startport, endport):
        # Try a TCP connect to every port in the range; connect_ex returns 0 when
        # the connection succeeds, which means the port is open.
        print(f'Starting port scan on target {target}')
        for port in range(startport, endport + 1):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(1)  # one-second limit so closed/filtered ports do not stall the scan
            result = sock.connect_ex((target, port))
            if result == 0:
                print(f"Port {port}: Open")
            sock.close()


    target = input("Enter the target host/IP address: ")
    startport = int(input("Enter the start port: "))
    endport = int(input("Enter the end port: "))
    portscanner(target, startport, endport)
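The script above scans one host and reports every open port. The task also asks for a white list of ports that must not be reported and for scanning a range of addresses. The following is an added example (not part of the original practical file) that covers both: whitelisted ports are skipped before they are probed, and the target may be a single address, a CIDR block or a first-last range. The probe function is injectable so the reporting logic can be checked without a network; WHITELIST and the sample inputs are constructed assumptions.

```python
import ipaddress
import socket

# Ports that are open by policy and must not appear in the report
# (constructed example list; replace with the organisation's own).
WHITELIST = {22, 443}


def tcp_probe(host, port, timeout=1.0):
    """Return True when a TCP connection to host:port succeeds, i.e. the port is open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def expand_targets(spec):
    """Expand a single address, a CIDR block or a 'first-last' range into a list of hosts."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError("range end precedes range start")
        return [str(ipaddress.IPv4Address(int(first) + i))
                for i in range(int(last) - int(first) + 1)]
    if "/" in spec:
        # strict=False accepts '192.168.1.10/24' as well as '192.168.1.0/24'
        return [str(h) for h in ipaddress.IPv4Network(spec, strict=False).hosts()]
    return [str(ipaddress.IPv4Address(spec))]


def scan_ports(host, ports, whitelist=WHITELIST, probe=tcp_probe):
    """Return the sorted list of open ports on host that are not whitelisted.

    Whitelisted ports are skipped before probing, so they are neither reported
    nor touched. `probe` is injectable so the logic can be tested offline.
    """
    return sorted(p for p in ports if p not in whitelist and probe(host, p))


def scan_targets(spec, start_port, end_port, whitelist=WHITELIST, probe=tcp_probe):
    """Scan every host in spec over the port range; map host -> reportable open ports."""
    if not 0 < start_port <= end_port <= 65535:
        raise ValueError("port range must satisfy 1 <= start <= end <= 65535")
    ports = range(start_port, end_port + 1)
    return {host: scan_ports(host, ports, whitelist, probe) for host in expand_targets(spec)}


if __name__ == "__main__":
    spec = input("Enter a host/IP, a CIDR block, or a range (first-last): ")
    start = int(input("Enter the start port: "))
    end = int(input("Enter the end port: "))
    for host, open_ports in scan_targets(spec, start, end).items():
        print(f"{host}: {open_ports or 'no reportable open ports'}")
```

Only run this against hosts you administer; a full-range TCP connect scan is noisy and will itself show up in the honeypot and IDS logs discussed in the later experiments.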

Experiment 3:
To protect a network device and all the critical information on that device, it is important to
keep track of a detailed profile of all the installed software and hardware, the network
inventory, any missing Microsoft hotfixes, anti-virus status and security benchmarks, and to
display the results in the Web browser.

Solution:

The following report summarises that:

• The virus protection is up-to-date.

• The security benchmark score is 4.31 out of 10.

• There are 3 missing security updates; therefore the Missing Security Updates section
provides a link to install them.

• We can also see a computer profile summary which gives all the information about software,
hardware, virus protection, communications and other devices.
Experiment 4:

Opening a large range of listening sockets on your computer to mimic vulnerable services can
help to monitor the latest tricks and exploits of hackers. When an attacker connects to these
services, they are fooled into thinking they are attacking a real server. The honeypot safely
captures all communications with the attacker and logs these results for future analysis. As a
cybersecurity expert,

A. You have to deploy and configure a HoneyPot using HoneyBOT tool.


B. Open a range of ports on your computer and check the list of IP addresses that have tried
to access your computer.
C. Identify the malicious connections.
D. Maintain a white list to ignore benign requests.

Solution:

A. Open HoneyBOT and select the network adapter on which HoneyBOT should listen, then
review the list of ports with their services, and then start the engine by clicking on the
blue play button. The status bar at the bottom of the window increments as each port is
successfully opened.

B. In the top left corner go to the View tab, then select Services, then add the service you
want with its details (port number, protocol, enabled, description).
Click on the blue play button to start the HoneyBOT listening engine. The
status bar at the bottom of the window increments as each port is
successfully opened. Wait for a while, then click on the red stop button
to shut down all listening services and terminate the existing open sockets. The
status bar at the bottom of the window decrements as each port is closed.

Double clicking a record in the list view of the main window will open the
Packet Log viewer window. On the upper left hand side of the window is the
Connection Details which displays basic information about the selected hit
including the total number of bytes sent and bytes received for that hit. In the
upper right hand side the application displays the Packet History list view of all
transmitted and received IP packets associated with the hit.
C. 172.16.151.56: this IP address appears malicious.

D. Go to the View tab in the top left corner, then select the Whitelist option to create a
whitelist. In the whitelist dialog add the details (remote IP, local port, protocol,
description) of the IP that has to be whitelisted.
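Steps B to D amount to a triage rule: drop the hits that match a whitelist entry (remote IP, local port, protocol, the same fields HoneyBOT asks for) and then look at which remote addresses remain. The following added example (not HoneyBOT's code nor part of the original file) applies that rule to a constructed set of hit records. The sample hits, the whitelist entry and the "three or more distinct ports" threshold are assumptions; 172.16.151.56 is the address named in step C.

```python
from collections import Counter, defaultdict

# Constructed HoneyBOT-style hit records, not a real capture:
# (remote IP, local port, protocol). 172.16.151.56 is the address flagged in step C.
SAMPLE_HITS = [
    ("192.168.1.20", 80, "TCP"),      # internal uptime monitor, known benign
    ("192.168.1.20", 80, "TCP"),
    ("172.16.151.56", 21, "TCP"),
    ("172.16.151.56", 23, "TCP"),
    ("172.16.151.56", 445, "TCP"),
    ("172.16.151.56", 3389, "TCP"),
    ("10.0.0.7", 53, "UDP"),
]

# Whitelist entries in the shape HoneyBOT's dialog asks for: remote IP, local port, protocol.
WHITELIST = [("192.168.1.20", 80, "TCP")]


def is_whitelisted(hit, whitelist=WHITELIST):
    """A hit is benign only when remote IP, local port and protocol all match an entry."""
    ip, port, proto = hit
    return any(ip == w_ip and port == w_port and proto.upper() == w_proto.upper()
               for w_ip, w_port, w_proto in whitelist)


def triage(hits, whitelist=WHITELIST, min_distinct_ports=3):
    """Return (hit count per remote IP, sorted list of suspicious IPs).

    Whitelisted hits are dropped first. A remote IP that touches
    min_distinct_ports or more different honeypot ports is behaving like a
    port scan rather than a single stray connection, so it is flagged.
    """
    counts = Counter()
    ports_by_ip = defaultdict(set)
    for hit in hits:
        if is_whitelisted(hit, whitelist):
            continue
        ip, port, _ = hit
        counts[ip] += 1
        ports_by_ip[ip].add(port)
    suspicious = sorted(ip for ip, ports in ports_by_ip.items()
                        if len(ports) >= min_distinct_ports)
    return dict(counts), suspicious


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_HITS)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} hit(s){'  <-- suspicious' if ip in flagged else ''}")
```

Matching on all three fields matters: whitelisting an IP alone would also hide that host if it later started probing other ports.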
Experiment 5:
Let’s assume, based on experiments, you have identified a malicious IP address which is
launching a DDoS attack on your server. Now you have to find the MAC address and hop distance
of that malicious device. Use ZenMap to scan the target device using “Quick scan plus” and
find out the hop distance from your device to the victim device. Discuss the possible ways to
block the malicious device using the MAC address.

Solution:
Identifying Malicious Device and Blocking with ZenMap

1. Scan the Target Device using ZenMap:


a. Launch ZenMap, a graphical interface for Nmap.
b. Select "Quick Scan Plus" from the Profile dropdown menu.
c. Enter the IP address of the victim device (the one under DDoS attack) in the
Target field.
d. Click on the "Scan" button to initiate the scan.

2. Analyze Scan Results:


a. Once the scan is complete, ZenMap will provide information about the target
device, including its MAC address and hop distance from your device.
3. Find the MAC Address and Hop Distance:
a. Look for the MAC address information in the scan results.

b. ZenMap may provide the hop distance (number of hops) between your device
and the victim device. This indicates the number of intermediary devices
(routers or switches) between your device and the target.

4. Blocking the Malicious Device using MAC Address:


Access your network infrastructure, such as your router or firewall, that has the
capability to filter traffic based on MAC addresses.
5. Implement MAC Address Filtering:
a. Log in to your router or firewall administration interface.
b. Navigate to the MAC address filtering section.
c. Add an entry to block traffic from the malicious device's MAC address.
d. Save the changes to apply the configuration.

6. Verify Blocking:
a. Monitor network traffic to ensure that traffic from the malicious device is
effectively blocked.
b. Test connectivity to confirm that legitimate traffic is not affected by the MAC
address filtering.

Possible Ways to Block the Malicious Device using MAC Address:

1. Router Access Control Lists (ACLs):


a. Configure ACLs on your router to deny traffic from the malicious device's MAC
address.

2. Firewall Rules:
a. Create firewall rules on your firewall device to block traffic originating from the
MAC address of the malicious device.

3. Switch Port Security:


a. If the malicious device is connected to a switch port, enable port security on the
switch to restrict traffic based on MAC addresses.

4. Intrusion Prevention Systems (IPS):


a. Utilize IPS solutions that support MAC address blocking to automatically detect
and block traffic from malicious devices.

5. Network Access Control (NAC):


a. Implement NAC solutions that can enforce policies to block or quarantine
devices based on MAC addresses.

By effectively blocking the malicious device's MAC address, you can mitigate the impact of
the DDoS attack and protect your server from further harm. Regular monitoring and
updating of security measures are essential to maintaining a secure network environment.

Experiment 6:

Your organization suspects a security breach in the network, and you have been assigned
the task of investigating the incident using Wireshark.

A. Describe the steps you would take to set up a Wireshark capture to monitor network
traffic for suspicious activities.

B. Analyse the captured packets in Wireshark and identify any signs of unauthorized
access, malware, or unusual network behaviour.

C. Propose security measures or actions that should be taken based on your findings to
mitigate the potential security threat.

Solution:

A. Setting up Wireshark Capture:


1. Preparation and Planning:
a. Understand the network topology and identify potential points of interest
where suspicious activities might occur.
b. Ensure you have necessary permissions to capture traffic on the network.
c. Identify the specific interface or network segment where you suspect the
breach might be occurring.

2. Install and Configure Wireshark:


a. Download and install Wireshark on a computer connected to the network
segment you want to monitor.
b. Configure Wireshark to capture traffic on the desired interface. Go to Capture >
Interfaces, select the appropriate interface, and start the capture.

3. Filtering Traffic:
a. Use capture filters to focus on specific types of traffic (e.g., HTTP, FTP, SMTP) or
specific IP addresses that might be involved in the suspicious activity.
b. Apply display filters to narrow down the captured packets based on criteria
such as source/destination IP, port numbers, protocols, etc.

4. Start the Capture:


a. Once you have set up the capture filters and display filters, start capturing
traffic by clicking the 'Start' button in Wireshark.

B. Analyzing Captured Packets in Wireshark:


1. Identifying Suspicious Activity:
a. Look for anomalies in the traffic patterns, such as unusual volumes of data,
connections to unknown IP addresses, or unexpected protocols.
b. Check for any signs of unauthorized access, such as login attempts with
incorrect credentials or traffic to restricted areas of the network.
c. Look for indications of malware activity, such as unusual command and control
traffic, file transfers of suspicious executables, or patterns consistent with
known malware behavior.

2. Examining Packet Details:


a. Drill down into individual packets to examine their contents, including headers,
payloads, and any additional metadata.
b. Look for any signs of tampering, spoofing, or unusual packet structures that
might indicate malicious activity.
c. Pay attention to packet timing and sequencing to identify potential attacks like
port scans, reconnaissance activities, or denial-of-service attempts.

3. Applying the filter tcp port 8080, since an unusual amount of network traffic was
going out and coming in on that port:
a. We can see that on port 8080 a connection is established between our device
and the IP 192.168.43.1.
b. When we analyse the packets between them and reassemble the TCP stream,
we find that the ipconfig command is being executed remotely on the device.
c. From this we can conclude that it is a reverse shell through which our system is
being exploited by the attacker.
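The finding in B.3 came from reading a reassembled TCP stream by hand and noticing a command prompt and the output of ipconfig. That check can be written down so it runs over every exported stream. The following added example (not part of the original file) scores each stream against a few shell indicators and flags a stream only when at least two independent indicators are present, so a lone word such as "whoami" in a web page does not produce a false positive. The indicator list, the threshold and the two constructed streams (192.168.43.105 standing in for "our device", 192.168.43.1 from the write-up) are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Stream:
    """One reassembled TCP stream, as exported from Wireshark's Follow TCP Stream."""
    src: str
    dst: str
    dst_port: int
    payload: str


# Text patterns that indicate an operating-system shell is being driven over the socket.
SHELL_INDICATORS = {
    "cmd prompt": re.compile(r"^[A-Za-z]:\\[^\r\n]*>", re.MULTILINE),   # e.g. C:\Users\alice>
    "ipconfig banner": re.compile(r"Windows IP Configuration"),
    "posix prompt": re.compile(r"^(\$|#) ", re.MULTILINE),
    "recon command": re.compile(r"\b(ipconfig|whoami|net user|uname -a)\b"),
}


def shell_indicators(payload):
    """Return the names of all indicators found in the stream text."""
    return [name for name, rx in SHELL_INDICATORS.items() if rx.search(payload)]


def find_reverse_shells(streams, min_indicators=2):
    """Flag streams that carry at least min_indicators shell indicators.

    Requiring two independent indicators keeps a single word such as
    'whoami' inside ordinary web content from producing a false positive.
    """
    findings = []
    for s in streams:
        hits = shell_indicators(s.payload)
        if len(hits) >= min_indicators:
            findings.append((s.src, s.dst, s.dst_port, hits))
    return findings


# Constructed sample streams, not taken from the capture in the experiment.
SAMPLE_STREAMS = [
    Stream("192.168.43.105", "192.168.43.1", 8080,
           "Microsoft Windows [Version 10.0.19045]\r\n"
           "C:\\Users\\student>ipconfig\r\n"
           "Windows IP Configuration\r\n"
           "   IPv4 Address. . . . . . . . . . . : 192.168.43.105\r\n"),
    Stream("192.168.43.105", "203.0.113.10", 80,
           "GET /whoami-tutorial.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, port, hits in find_reverse_shells(SAMPLE_STREAMS):
        print(f"possible reverse shell {src} -> {dst}:{port} ({', '.join(hits)})")
```

The same idea can be fed from tshark's per-stream export instead of hand-built Stream objects; the scoring does not depend on how the text was obtained.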
C. Proposing Security Measures:
1. Immediate Actions:
a. Disconnect compromised devices from the network to prevent further damage.
b. Change passwords and access credentials for affected systems and accounts.
c. Quarantine suspicious files or payloads identified during the analysis for further
investigation.

2. Mitigation Measures:
a. Patch vulnerabilities in software and firmware to prevent future exploits.
b. Enhance network segmentation and access controls to limit the impact of
future breaches.
c. Implement intrusion detection and prevention systems to proactively identify
and block malicious activity.
d. Educate users and employees about security best practices, such as avoiding
suspicious links and emails, and reporting any unusual network behavior
promptly.

3. Forensic Analysis:
a. Preserve captured packet data and other relevant logs for forensic analysis and
legal purposes.
b. Conduct a thorough investigation to identify the root cause of the security
breach and take corrective actions to prevent similar incidents in the future.
By following these steps, you can effectively use Wireshark to investigate security breaches,
identify malicious activity, and implement appropriate measures to mitigate potential
threats to your network.

Experiment 7:

You are a network administrator in a medium-sized company, and you have received
complaints from several employees about slow internet speeds and intermittent
connectivity issues. You decide to use Wireshark to analyse the network traffic and identify
the potential causes of the problems. You are required to perform the following tasks to
identify the top three bandwidth-consuming devices.

A. Open Wireshark and start capturing traffic on the network.

B. Identify the source and destination IP addresses of the top three bandwidth-consuming
devices.

C. Determine the protocol used by each of these devices for communication. Based on your
analysis, provide recommendations to resolve the slow internet speeds and intermittent
connectivity issues.

Solution:

Network Traffic Analysis with Wireshark

Task A: Capturing Traffic with Wireshark

1. Open Wireshark:
a. Launch Wireshark application on your computer.

2. Select Network Interface:


a. Choose the appropriate network interface connected to the network
experiencing issues.

3. Start Capture:
a. Click on the Start button or press Ctrl + E to begin capturing network traffic.

4. Capture Duration:
a. Allow Wireshark to capture traffic for a sufficient duration to gather relevant
data (e.g., 5-10 minutes).

5. Stop Capture:
a. Click on the Stop button or press Ctrl + E again to stop capturing traffic.

Task B: Identifying Bandwidth-Consuming Devices

1. Apply Display Filter:


a. Open the following view to focus on traffic volume per pair of hosts:
Statistics -> Conversations -> IPv4
2. Analyze Traffic Volume:
a. Review the list of IP addresses and their corresponding traffic volumes.

3. Identify Top Three Bandwidth-Consuming Devices:


a. Identify the IP addresses with the highest traffic volume. These are likely the
bandwidth-consuming devices.
Task C: Determining Protocols Used

1. To determine the protocols, open the TCP and UDP tabs next to the IPv4 tab and match the
source and destination IP addresses to find the port numbers, and hence the protocols, in use.

Recommendations to Resolve Issues:

1. Network Traffic Optimization:


a. Implement traffic shaping or Quality of Service (QoS) policies to prioritize critical
traffic and limit bandwidth usage for non-essential applications.

2. Identify and Address Network Bottlenecks:


a. Investigate network switches, routers, and other network infrastructure
components for potential bottlenecks or misconfigurations. Upgrade hardware
if necessary.

3. Update Network Equipment Firmware:


a. Ensure that network devices (routers, switches, access points) are running the
latest firmware to address known performance issues and security
vulnerabilities.

4. Network Monitoring and Management:


a. Deploy network monitoring tools to continuously monitor network traffic,
identify abnormal behavior, and proactively address potential issues.

5. User Education and Policy Enforcement:


a. Educate employees about the impact of bandwidth-intensive activities (e.g.,
streaming, file downloads) on network performance. Enforce policies to
regulate such activities during peak usage hours.

6. Consider Network Expansion:


a. Evaluate the possibility of expanding network bandwidth by upgrading internet
connection plans or adding additional network links to accommodate growing
traffic demands.

By implementing these recommendations based on the analysis of network traffic with
Wireshark, you can mitigate slow internet speeds and intermittent connectivity issues,
ensuring optimal network performance for your organization.

Experiment 8:

Your university has recently developed an online quiz portal where students can check their
quizzes, and teachers can input and manage quizzes for various subjects. As a cybersecurity
student, you decide to perform a basic security assessment using ZAP (Zed Attack Proxy) to
ensure the application is secure.

A. Outline the initial steps you would take to set up ZAP for testing the university's quiz
portal.

B. Perform a simple scan using ZAP and identify any potential security vulnerabilities
that might exist in the web application.

C. List at least two common security issues that ZAP might detect during the scan, and
provide a brief explanation of each.

D. Suggest basic recommendations or fixes that could address the identified
vulnerabilities to improve the security of the quiz portal.

Solution:

Security Assessment of University's Quiz Portal using ZAP

A. Setting up ZAP for Testing the Quiz Portal:

1. Installation:
- Download ZAP from the official website and install it on your system.
- Ensure you have Java installed as ZAP runs on Java.

2. Configure Proxy Settings:


- Configure your browser to use ZAP as a proxy.
- Set the proxy settings in your browser to point to ZAP's listening port (default is 8080).

3. Start ZAP:
- Launch ZAP after installation.
- ZAP will start a local proxy server to intercept and inspect HTTP and HTTPS traffic.

4. Configure Browser:
- Open your browser and navigate to the ZAP welcome page (`http://localhost:8080/`).
- Follow the instructions to set up your browser to work with ZAP.

5. Spider the Website:


- Use ZAP's spider tool to crawl the university's quiz portal.
- This will help in identifying all accessible pages and endpoints for testing.

B. Performing a Simple Scan using ZAP:

1. Set Target URL:


- In ZAP, go to the "Quick Start" tab.
- Enter the URL of the university's quiz portal as the target.
2. Perform Active Scan:
- Click on the "Attack" tab.
- Select "Active Scan" and configure scan settings if needed.
- Start the scan to identify potential vulnerabilities.

3. Review Scan Results:


- Once the scan is complete, review the results in the "Alerts" tab.
- ZAP will categorize vulnerabilities based on severity and provide detailed information
about each issue found.

C. Common Security Issues Detected by ZAP:


1. Cross-Site Scripting (XSS):
- ZAP might detect XSS vulnerabilities where untrusted data is improperly handled,
allowing attackers to inject malicious scripts into web pages.
- This can lead to session hijacking, defacement, or stealing sensitive information from
users.

2. SQL Injection (SQLi):


- ZAP can identify SQL injection vulnerabilities where attackers can manipulate SQL
queries executed by the application's backend database.
- Exploiting SQLi vulnerabilities can result in unauthorized access to databases, data
theft, or even complete database compromise.

Recommendations to Address Detected Vulnerabilities:

1. Implement Input Validation:


- Validate and sanitize user input to prevent XSS and SQLi attacks.
- Use proper encoding and escaping techniques to handle user-supplied data securely.

2. Security Headers:
- Implement security headers such as Content Security Policy (CSP), X-Content-Type-Options,
and X-Frame-Options to mitigate various web application security risks.
3. Parameterized Queries:
- Use parameterized queries or prepared statements to prevent SQL injection attacks by
separating SQL code from user input.

4. Regular Security Assessments:


- Conduct regular security assessments using tools like ZAP to proactively identify and
address security vulnerabilities in the quiz portal.

By addressing the identified vulnerabilities and adopting security best practices, the
university can enhance the security posture of its quiz portal and mitigate potential risks to
student and teacher data.

Experiment 9:

You are a network administrator tasked with securing your GLA University network. The
University has recently experienced some security incidents, and has asked you to perform a
comprehensive network scan using Nmap to identify potential vulnerabilities in any device.
In this regard, you are required to perform following tasks: You are required to recommend
actions to mitigate the identified risks.

a. Use Nmap to perform a basic network discovery scan to identify the IP addresses of
all devices in the simulated network. Provide a detailed list of discovered devices,
including their IP addresses.

b. Conduct a detailed port scan on one of the target machines to identify open ports
and services.
c. Document the open ports and the corresponding services running on the machine.

Solution:

Mitigating Identified Risks:

1. Patch Management:
- Ensure that all devices on the network have the latest security patches and updates
installed to address known vulnerabilities.

2. Network Segmentation:
- Implement network segmentation to isolate critical systems and reduce the attack
surface. This prevents attackers from moving laterally within the network in case of a
breach.
3. Access Control Policies:
- Enforce strict access control policies to limit access to sensitive resources only to
authorized users. Use strong authentication mechanisms such as multi-factor authentication
(MFA).

4. Firewall Configuration:
- Configure firewalls to filter incoming and outgoing traffic, blocking unnecessary ports and
services. Regularly review and update firewall rules to adapt to changing security
requirements.

5. Intrusion Detection and Prevention Systems (IDPS):


- Deploy IDPS to monitor network traffic for suspicious activities and potential threats. Set
up alerts for unusual behavior and respond promptly to any detected incidents.

6. Regular Security Audits:


- Conduct regular security audits and vulnerability assessments to identify and remediate
security weaknesses proactively.

Basic Network Discovery Scan using Nmap:

1. Performing the Network Discovery Scan:


- Open a terminal or command prompt.
- Use the following Nmap command to perform a basic network discovery scan:

nmap -sn <network_address>

Replace `<network_address>` with the IP range of the simulated network.


Discovered Devices:

- Device 1:
- IP Address: xxx.xxx.xxx.xxx
- Description: (Provide any known information about the device, such as hostname or device
type)

- Device 2:
- IP Address: xxx.xxx.xxx.xxx
- Description: (Provide any known information about the device, such as hostname or device
type)

- (Repeat the above format for all discovered devices)

Detailed Port Scan on Target Machine:

1. Performing the Port Scan:


- Choose one of the discovered devices as the target machine.
- Use the following Nmap command to perform a detailed port scan:

nmap -p- -sV <target_ip>

Replace `<target_ip>` with the IP address of the target machine.

Open Ports and Corresponding Services:


- Port 22 (SSH):
- Service: Secure Shell (SSH)
- Description: Used for secure remote access to the system.

- Port 80 (HTTP):
- Service: Hypertext Transfer Protocol (HTTP)
- Description: Used for web traffic, indicating the presence of a web server.

- (Repeat the above format for all open ports and their corresponding services)

Ensure to analyze the results of the network scan thoroughly and take appropriate actions
to address any vulnerabilities or security risks identified. Regularly monitor the network for
changes and updates to maintain a secure environment.
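Documenting the results of the discovery and port scans (task c here) and the MAC address and hop distance asked for in Experiment 5 can be done from Nmap's own XML output rather than by copying from the ZenMap window: add `-oX out.xml` to either command and parse the file. The following added example (not part of the original file and not Nmap's code) parses a constructed XML document in the shape Nmap writes and renders the inventory lines. The sample hosts, addresses and services are constructed; the `<distance>` element is only present when OS detection was enabled, and a MAC address is only reported for hosts on the same Ethernet segment as the scanner, so both are treated as optional.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML output (the shape produced by `nmap ... -oX out.xml`), not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sV -O -oX out.xml 192.0.2.0/29" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
    <hostnames><hostname name="lab-server" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
    <distance value="1"/>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <distance value="3"/>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host that is up: ip, hostname, mac, vendor, distance, open_ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        if h.find("status").get("state") != "up":
            continue
        rec = {"ip": None, "hostname": None, "mac": None, "vendor": None,
               "distance": None, "open_ports": []}
        for addr in h.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"], rec["vendor"] = addr.get("addr"), addr.get("vendor")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        dist = h.find("distance")
        if dist is not None:
            rec["distance"] = int(dist.get("value"))
        for p in h.findall("ports/port"):
            if p.find("state").get("state") == "open":
                svc = p.find("service")
                rec["open_ports"].append((int(p.get("portid")), p.get("protocol"),
                                          svc.get("name") if svc is not None else "unknown"))
        hosts.append(rec)
    return hosts


def inventory_lines(hosts):
    """Render the documentation lines the experiment asks for."""
    lines = []
    for rec in hosts:
        mac = f"{rec['mac']} ({rec['vendor']})" if rec["mac"] else "n/a (not on local segment)"
        hops = rec["distance"] if rec["distance"] is not None else "n/a"
        lines.append(f"{rec['ip']} host={rec['hostname'] or '-'} mac={mac} hops={hops}")
        for port, proto, name in rec["open_ports"]:
            lines.append(f"  {port}/{proto} {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(inventory_lines(parse_hosts(SAMPLE_XML))))
```

A host more than one hop away has no MAC address in the output, which is also why the MAC-based blocking discussed in Experiment 5 only works on the switch or router the device is directly attached to.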

Experiment 8:

You have been given a task to organize a directory containing various files and subdirectories
on a Linux system. Use the terminal and basic Linux commands to accomplish the following:

A. Navigate to the "Projects" directory, which is located inside the "Documents" directory.

B. Create a new directory named "Reports" within the "Projects" directory.


C. Inside the "Reports" directory, create two text files named "Quarterly_Report.txt" and
"Annual_Report.txt."

D. Display the contents of the "Reports" directory to verify the creation of the new files.

E. Move the "Annual_Report.txt" file to the "Backup" directory, which is located in the
parent directory of "Documents."

F. Change the name of the "Quarterly_Report.txt" file to "Q1_Report.txt."

G. Display the updated contents of the "Reports" directory. Ensure to use appropriate Linux
commands for navigation, directory and file creation, listing, moving, and renaming.
Explain each step briefly as you perform it.

Solution:

Here's how to accomplish the given tasks using basic Linux commands:

A. Navigate to the "Projects" Directory:


cd ~/Documents/Projects

Explanation: This command changes the current directory to the "Projects" directory located
inside the "Documents" directory.

B. Create a New Directory Named "Reports":

mkdir Reports

Explanation: This command creates a new directory named "Reports" within the "Projects"
directory.

C. Create Two Text Files Inside the "Reports" Directory:

cd Reports

touch Quarterly_Report.txt Annual_Report.txt

Explanation: The `cd Reports` command changes the current directory to the "Reports"
directory, and the `touch` command is used to create two text files named
"Quarterly_Report.txt" and "Annual_Report.txt" inside it.

D. Display the Contents of the "Reports" Directory:


ls

Explanation: This command lists the contents of the current directory, which should now
include the two text files created in the "Reports" directory.

E. Move the "Annual_Report.txt" File to the "Backup" Directory:

mv Annual_Report.txt ../../Backup

Explanation: The `mv` command moves the "Annual_Report.txt" file to the "Backup"
directory located in the parent directory of "Documents" (two levels up).

F. Change the Name of the "Quarterly_Report.txt" File to "Q1_Report.txt":

mv Quarterly_Report.txt Q1_Report.txt

Explanation: This command renames the "Quarterly_Report.txt" file to "Q1_Report.txt"
within the "Reports" directory.
G. Display the Updated Contents of the "Reports" Directory:
ls

Explanation: Finally, this command lists the contents of the "Reports" directory to verify that
the files have been renamed and moved as intended.
