meghCS 1

Uploaded by jmegh03

Enrolment No.: 220840116069

PRACTICAL – 1
AIM: Install Kali Linux. Examine the utilities and tools available in Kali
Linux and find out which tool is the best for finding cyber-attack /
vulnerability.
To install Kali Linux:
1. First, download and install VirtualBox or VMware.
2. Then download and install Kali Linux.
VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. Not only is VirtualBox an extremely feature-rich, high-performance product for enterprise customers, it is also the only professional solution that is freely available as Open Source Software.

VirtualBox is open-source software for virtualizing the x86 computing architecture. It acts as a hypervisor, creating a VM (virtual machine) where the user can run another OS (operating system). The operating system where VirtualBox runs is called the "host" OS.
Steps to download VirtualBox:
Download VirtualBox from its official website https://www.virtualbox.org/ . The interface will look as follows.


Click the marked link for Windows. The following interface will appear.

In Downloads, launch the VirtualBox installer highlighted above.


When the installation completes, VirtualBox will open.

The interface looks like this.

Now proceed to install Kali Linux:
The main website for Kali Linux is https://www.kali.org/


Any of the marked options can be selected for Kali installation, but to install it in VirtualBox the “Virtual Machines” image is used.

Download the virtual machine image of Kali Linux.


Once the Kali virtual machine has been downloaded, open VirtualBox and create a new virtual machine. Set its type to Linux and its version to Debian (64-bit).

Choose the following options for the VDI file, click Create, and then launch it. This results in a new virtual OS named new kali.


Start the virtual machine.

The Kali boot screen looks as follows.

Enter the new user ID and password and launch the machine. The machine looks like this.


Let’s list the tools and commands available in Kali Linux and see their uses.
1. Nmap:
Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications. Nmap allows network admins to find which devices are running on their network, discover open ports and services, and detect vulnerabilities.

2. WHOIS lookup:
An IP WHOIS lookup determines ownership information of any IP address. Search for IP WHOIS information using the IP WHOIS lookup tool for any allocated IP address. This tool provides you with the IP address owner's contact information.

3. DMITRY command:
Dmitry, or Deepmagic Information Gathering Tool, is a command-line utility included in Kali Linux. It is designed to allow a user to collect public information about a target host. It can be used to gather a number of valuable pieces of information, such as the whois details of a target host.

4. IKE scan:
ike-scan does two things: a) Discovery: determine which hosts are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan. b) Fingerprinting: determine which IKE implementation the hosts are using.


5. Legion scan:
Legion is a highly customizable, staged scanner with ninja-like IPS evasion. It provides automatic detection of Common Platform Enumeration (CPE) and Common Vulnerabilities and Exposures (CVE) identifiers, and real-time auto-saving of project results and tasks.

6. Netstat command:
The network statistics (netstat) command is a networking tool used for
troubleshooting and configuration, that can also serve as a monitoring tool for
connections over the network. Both incoming and outgoing connections, routing
tables, port listening, and usage statistics are common uses for this command.

7. Spiderfoot:
This package contains an open-source intelligence (OSINT) automation tool. Its goal
is to automate the process of gathering intelligence about a given target, which may
be an IP address, domain name, hostname, network subnet, ASN, e-mail address or
person's name.
Vulnerability analysis:
1. Nikto tool:
Nikto is an open-source web server and web application scanner. Nikto can perform comprehensive tests against web servers for multiple security threats, including over 6700 potentially dangerous files/programs. Nikto can also perform checks for outdated web server software, and version-specific problems.

2. Nmap:
Nmap is used for exploring networks, performing security scans, auditing networks and finding open ports on remote machines. It scans for live hosts, operating systems, packet filters and open ports running on remote hosts.
Nmap is a multi-platform program that can be installed on all major operating systems. It was initially released as a Linux-only tool, and later it was ported to other systems such as BSD, Windows, and macOS. If you prefer a GUI over the command line, Nmap also has a graphical user interface called Zenmap.

3. Nessus:
Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.

The web interface can be accessed with your browser by making an HTTPS connection to TCP port 8834 (e.g. https://localhost:8834/). You can also access the Nessus web interface remotely by using the IP address assigned to Kali Linux (e.g. https://192.168.1.250:8834/).

4. Nexpose:
Nexpose is used to scan a network for vulnerabilities. Nexpose identifies the active
services, open ports, and running applications on each machine, and it attempts to find
vulnerabilities that may exist based on the attributes of the known services and
applications.

5. Unix-privesc-check:
Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX
11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow
local unprivileged users to escalate privileges to other users or to access local apps (e.g.
databases).

It is written as a single shell script so it can be easily uploaded and run (as opposed to
un-tarred, compiled and installed). It can run either as a normal user or as root
(obviously it does a better job when running as root because it can read more files).
Web Application Analysis:
1. Burp Suite:
Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

2. SQLmap:
SQLmap is an open-source tool used in penetration testing to detect and exploit SQL injection flaws. SQLmap automates the process of detecting and exploiting SQL injection. SQL injection attacks can take control of databases that utilize SQL.

3. WhatWeb:
WhatWeb identifies websites. It recognises web technologies including content
management systems (CMS), blogging platforms, statistic/analytics packages,
JavaScript libraries, web servers, and embedded devices.

4. WPScan:
WPScan can detect the versions of WordPress core, plugins and themes, and publicly accessible sensitive data. WPScan can check for publicly accessible wp-config.php backups and other database exports.

5. Skipfish:
Skipfish is an active web application security reconnaissance tool. It prepares an
interactive sitemap for the targeted site by carrying out a recursive crawl and
dictionary-based probes. The resulting map is then annotated with the output from a
number of active (but hopefully non disruptive) security checks.

Sniffing and spoofing tools:
1. Wireshark:
Wireshark is a network protocol analyzer that is regarded as the most used and best tool around the world. With Wireshark, you can see what is happening in your network and apply filters to get the most efficient results for what you are looking for.

2. Mitmproxy:
Mitmproxy is an SSL-capable man-in-the-middle HTTP proxy, providing a console interface that allows traffic flows to be inspected and edited at the moment they are captured. With mitmproxy you can inspect and modify network traffic, save HTTP conversations for later inspection, perform SSL inspection, and more.

3. netsniff-ng:
The netsniff-ng tool is a fast, efficient, and freely available tool that can analyze packets
in a network, capture and replay pcap files, and redirect traffic among different
interfaces. These operations are all performed with zero-copy packet mechanisms. The
transmission and reception functions do not require a kernel to copy packets to user
space from kernel space and vice versa.

4. Macchanger:
The macchanger tool is a favourite tool for pen testing in Kali Linux. Changing the MAC address is very important while pen testing a wireless network. The macchanger tool changes the attacker’s current MAC address temporarily. If the victim network has MAC filtering enabled, which filters unapproved MAC addresses, then macchanger is the best defensive option.

5. Mitmproxy:
This “man-in-the-middle” proxy tool is an SSL-capable HTTP proxy. Mitmproxy has a terminal console interface and the ability to capture and inspect live traffic flows. This tool intercepts HTTP traffic and can change it at the same time. Mitmproxy stores HTTP conversations for offline analysis and can replay HTTP clients and servers. This tool can also make changes to HTTP traffic data using Python scripts.

6. Responder:
The Responder tool is a sniffing and spoofing tool that answers requests made to a server. As the name implies, this tool only responds to file server service call requests. This improves its stealth on the target network and keeps it consistent with the typical behaviour of the NetBIOS Name Service (NBT-NS).
Best sniffing and spoofing tools:
1. Wireshark:
Wireshark is a network protocol analyzer that is regarded as the most used and best tool around the world. With Wireshark, you can see what is happening in your network and apply filters to get the most efficient results for what you are looking for.

2. netsniff-ng:
The netsniff-ng tool is a fast, efficient, and freely available tool that can analyze
packets in a network, capture and replay pcap files, and redirect traffic among
different interfaces. These operations are all performed with zero-copy packet
mechanisms. The transmission and reception functions do not require a kernel to copy
packets to user space from kernel space and vice versa.
Forensics tools:

1. Binwalk:
Binwalk is a forensic tool in Kali that searches a specified binary image for executable code and files. It identifies all the files that are embedded inside any firmware image. It uses a very effective library known as “libmagic,” which looks up the magic signatures used by the Unix file utility.

2. Bulk extractor:
The Bulk extractor tool extracts credit card numbers, URL links and email addresses, which are used as digital evidence. This tool lets you identify malware and intrusion attacks, perform identity investigations, find cyber vulnerabilities, and assist password cracking. The specialty of this tool is that not only does it work with normal data, but it also works on compressed data and incomplete or damaged data.


3. Hashdeep:
The hashdeep tool is a modified version of the dc3dd hashing tool designed especially
for digital forensics. This tool includes auto hashing of files, i.e., sha-1, sha-256 and
512, tiger, whirlpool, and md5. An error log file is auto written. Progress reports are
generated with every output.

4. Scalpel:
This forensic tool carves all the files and indexes those applications which run on Linux and Windows. The scalpel tool supports multithreaded execution on multi-core systems, which helps in quick execution. File carving is performed using patterns such as regular expressions or binary strings.

5. Pdfid:
This forensic tool is used on PDF files. The tool scans PDF files for specific keywords, which allows you to identify executable code that would run when the file is opened. This tool solves the basic problems associated with PDF files. The suspicious files are then analyzed with the pdf-parser tool.

6. Pdf-parser:
This tool is one of the most important forensic tools for PDF files. pdf-parser parses a PDF document and distinguishes the important elements utilized during its analysis, and this tool does not render that PDF document.
Best forensics tools:
1. Binwalk:
Binwalk is a forensic tool in Kali that searches a specified binary image for executable code and files. It identifies all the files that are embedded inside any firmware image. It uses a very effective library known as “libmagic,” which looks up the magic signatures used by the Unix file utility.

2. Bulk extractor:
The Bulk extractor tool extracts credit card numbers, URL links and email addresses, which are used as digital evidence. This tool lets you identify malware and intrusion attacks, perform identity investigations, find cyber vulnerabilities, and assist password cracking.

3. pdf parser:
This tool is one of the most important forensic tools for pdf files. pdf-parser parses a
pdf document and distinguishes the important elements utilized during its analysis,
and this tool does not render that pdf document.


Reporting tools:

1. CutyCapt:
It is a utility to capture WebKit's rendering of a web page into a variety of vector and
bitmap formats.

2. Pipal:
It gives you the stats and the information to help you analyse the password.

3. RDPY:
It is a Python-based Remote Desktop Protocol (RDP) implementation that is built over the event-driven network engine "Twisted".

4. CaseFile:
It allows you to add links quickly and analyze data with the same graphic flexibility and performance, without the use of transforms.


PRACTICAL – 2
AIM: Explain network defence tools for the following.
• IP spoofing
• DoS attack
1. IP Spoofing:
• IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender, to impersonate another computer system, or both. It is a technique often used by bad actors to invoke DDoS attacks against a target device or the surrounding infrastructure.

• Sending and receiving IP packets is a primary way in which networked computers and other devices communicate, and constitutes the basis of the modern internet. All IP packets contain a header which precedes the body of the packet and contains important routing information, including the source address. In a normal packet, the source IP address is the address of the sender of the packet. If the packet has been spoofed, the source address will be forged.

• IP Spoofing as Network Defence Tool:

➢ While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from infiltrating a network. A very common defence against spoofing is ingress filtering, outlined in BCP38 (a Best Common Practice document). Ingress filtering is a form of packet filtering usually implemented on a network edge device which examines incoming IP packets and looks at their source headers. If the source headers on those packets don’t match their origin or they otherwise look fishy, the packets are rejected. Some networks will also implement egress filtering, which looks at IP packets exiting the network, ensuring that those packets have legitimate source headers to prevent someone within the network from launching an outbound malicious attack using IP spoofing.
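As an added illustration of the ingress and egress filtering just described (example code written for this page, not a Kali tool and not taken from BCP38 itself), the following Python functions decide whether a packet's source address is plausible for the interface it arrived on. The interface table, the prefixes and the sample packets are all constructed for the example.

```python
"""BCP38-style ingress/egress source-address filtering (added example).

A packet is accepted on a customer-facing interface only if its source
address lies in a prefix that legitimately sits behind that interface; on
the upstream interface it is rejected if it claims one of our own prefixes
or a martian (non-routable) source.  All addresses and prefixes below are
constructed for illustration (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass

# Sources that should never arrive from the Internet: RFC 1918, loopback,
# link-local, multicast and reserved space.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed interface table: interface name -> prefixes legitimately
# sourced behind it.  "upstream" is the Internet-facing link.
INTERFACES = {
    "cust0": [ipaddress.ip_network("203.0.113.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/25")],
    "upstream": [],
}
UPSTREAM_IF = "upstream"


@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source IP address in the header
    dst: str          # destination IP address in the header


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def _own_prefixes():
    return [p for prefixes in INTERFACES.values() for p in prefixes]


def ingress_check(pkt: Packet) -> str:
    """Return 'ACCEPT' or a 'DROP:<reason>' verdict for an arriving packet."""
    if pkt.ingress_if not in INTERFACES:
        return "DROP:unknown-interface"
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress_if == UPSTREAM_IF:
        # The Internet must not hand us a packet claiming to come from one
        # of our own customers, nor one from non-routable space.
        if _in_any(src, _own_prefixes()):
            return "DROP:spoofed-own-prefix"
        if _in_any(src, MARTIANS):
            return "DROP:martian-source"
        return "ACCEPT"
    # Customer-facing interface: the source must belong to that customer.
    if not _in_any(src, INTERFACES[pkt.ingress_if]):
        return "DROP:source-not-behind-interface"
    return "ACCEPT"


def egress_check(pkt: Packet) -> str:
    """Egress filter for packets leaving toward the upstream: they must carry
    one of our own source prefixes, otherwise an inside host is spoofing."""
    src = ipaddress.ip_address(pkt.src)
    if not _in_any(src, _own_prefixes()):
        return "DROP:egress-spoof"
    return "ACCEPT"


def filter_batch(packets):
    """Apply ingress_check to every packet; returns (packet, verdict) pairs."""
    return [(p, ingress_check(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        Packet("cust0", "203.0.113.7", "192.0.2.10"),       # legitimate customer
        Packet("cust0", "198.51.100.9", "192.0.2.10"),      # spoofing a neighbour
        Packet("upstream", "203.0.113.7", "198.51.100.9"),  # Internet claims our prefix
        Packet("upstream", "10.1.2.3", "203.0.113.7"),      # martian source
        Packet("upstream", "192.0.2.44", "203.0.113.7"),    # ordinary inbound traffic
    ]
    for pkt, verdict in filter_batch(sample):
        print(f"{pkt.ingress_if:<9}{pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```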

• Types of IP spoofing:
➢ Email spoofing
➢ Website and/or URL spoofing
➢ Caller ID spoofing
➢ Text message spoofing
➢ GPS spoofing
➢ Man-in-the-middle attacks
➢ Extension spoofing
➢ IP spoofing
➢ Facial spoofing
1. Wireshark:
o Wireshark is one of the most well-known and commonly-used tools for sniffing and spoofing. Wireshark is a network traffic analysis tool with an extremely wide feature set.
o One of the major differentiators of Wireshark is its large library of protocol dissectors. These enable the tool to analyze many common and uncommon protocols, break out the various fields in each packet and present them within an accessible graphical user interface (GUI). This makes it possible for users with even limited network knowledge to understand what they are looking at. On top of this, Wireshark also offers several different features for traffic analysis, including statistical analysis and the ability to follow network sessions or decrypt SSL/TLS traffic.
o Wireshark is a valuable tool for sniffing because it provides deep visibility into network traffic, either from a capture file or a live capture. This can help with understanding the network layout, capturing leaked credentials and other activities.

2. Mitmproxy:
o In a man-in-the-middle (MitM) attack, the attacker interjects themselves into
communication between a client and a server. All traffic that flows over that
connection passes through the attacker, potentially enabling them to eavesdrop on
the traffic and modify the data flowing over the network.
o Kali Linux’s mitmproxy makes it easier to perform MitM attacks on web traffic. It
allows on-the-fly capture and modification of HTTP traffic, supports client and
server traffic replay, and includes the ability to automate attacks with Python.
mitmproxy also supports the interception of HTTPS traffic with SSL certificates
created on the fly.

3. Burp Suite:
o Burp Suite is a suite of several different tools for penetration testing. It is focused on
the security analysis of web applications.
o One tool in Burp Suite that is useful for sniffing and spoofing attacks is the Burp
Proxy. Burp Proxy allows interception and modification of HTTP connections and
offers support for HTTPS interception as well.
o Burp Suite works on a freemium model. The basic tools are available for free, but
attacks need to be performed manually without the ability to save work. Paying for a
license provides access to a wider suite of tools (such as a web vulnerability scanner)
and support for automation.

4. Sslstrip:
o SSL/TLS is a protocol that provides several useful security and privacy features. It encrypts network traffic and authenticates the server in an HTTPS connection. However, these features that are useful for an internet user are a nuisance for a penetration tester or other cyberattacker.
o Sslstrip is a tool built into Kali Linux to help mitigate the impacts of SSL/TLS on sniffing and spoofing. Sslstrip monitors the traffic flowing over the network and looks for HTTPS links and redirects contained within HTTP pages. It then modifies the traffic to remap these links to similar HTTP URLs or homograph-similar HTTPS links.
o The use of Sslstrip can provide a couple of different benefits to an attacker. Stripping SSL/TLS from web traffic or switching it to a URL under the attacker’s control makes it possible to sniff this traffic for valuable data. Additionally, the URL remapping performed by Sslstrip can redirect users to phishing sites, setting up a second-stage attack.

5. Zaproxy:
o The executable named Zaproxy on Kali Linux is OWASP’s Zed Attack Proxy
(ZAP). Like Burp Suite, ZAP is a penetration testing tool designed to help with the
identification and exploitation of vulnerabilities within web applications.
o ZAP is a useful tool for sniffing and spoofing due to its ability to perform
interception and modification of HTTP(S) traffic. ZAP provides a wide range of
features and is a completely free option for performing these attacks.

2. DoS attack:
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected.

DoS attacks often target web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations.

Though DoS attacks do not typically result in the theft or loss of significant information or other assets, they can cost the victim a great deal of time and money to handle.

There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks occur when the system receives too much traffic for the server to buffer, causing it to slow down and eventually stop. Popular flood attacks include:

• Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a network address than the programmers have built the system to handle. It includes the attacks listed below, in addition to others that are designed to exploit bugs specific to certain applications or networks.

• ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every computer on the targeted network, instead of just one specific machine. The network is then triggered to amplify the traffic. This attack is also known as the smurf attack or ping of death.

• SYN flood – sends a request to connect to a server, but never completes the handshake. This continues until all open ports are saturated with requests and none are available for legitimate users to connect to.

Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize the system, so that it can’t be accessed or used.

An additional type of DoS attack is the Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when multiple systems orchestrate a synchronized DoS attack to a single target. The essential difference is that instead of being attacked from one location, the target is attacked from many locations at once. The distribution of hosts that defines a DDoS provides the attacker multiple advantages.

• The attacker can leverage the greater volume of machines to execute a seriously disruptive attack.
• The location of the attack is difficult to detect due to the random distribution of attacking systems (often worldwide).
• It is more difficult to shut down multiple machines than one.
• The true attacking party is very difficult to identify, as they are disguised behind many (mostly compromised) systems.

Modern security technologies have developed mechanisms to defend against most forms of DoS attacks, but due to the unique characteristics of DDoS, it is still regarded as an elevated threat and is of higher concern to organizations that fear being targeted by such an attack.

• DoS attack tools:
➢ GoldenEye
➢ Slowloris
➢ LOIC (Low Orbit Ion Cannon)
➢ HOIC (High Orbit Ion Cannon)
➢ THC-SSL-DoS
➢ HULK (HTTP Unbearable Load King)
➢ Pyloris
➢ TOR's Hammer
➢ XOIC
➢ RUDY (R U Dead Yet?)
➢ DAVOSET
➢ OWASP HTTP POST

1. GoldenEye:
In Kali Linux, GoldenEye is a free and open-source tool that is available on GitHub. With the help of this tool, we can perform a denial-of-service attack. The framework of this tool is written in .NET Core. This tool comes with a lot of base classes and extensions that we can use in our regular work. This tool allows a single machine to take down another machine's web server by using totally legal HTTP traffic. It establishes a full TCP connection and then needs only a few hundred requests at long-term and consistent intervals. As a result, the tool does not require a large amount of traffic to exhaust the server's available connections.

Features of GoldenEye:
The following are the features of GoldenEye:

o GoldenEye is an open-source tool; as a result, we can download it from GitHub at no cost.
o GoldenEye can be used to carry out a denial-of-service attack by creating a large amount of botnet traffic.
o GoldenEye uses fully legitimate HTTP traffic.
o With the help of this tool, we can perform DDoS attacks on any web server.
o GoldenEye sends numerous requests to the target, resulting in heavy botnet traffic.

2. Slowloris:
The most effective tool for initiating a DoS attack is Slowloris. It operates by establishing numerous connections to the targeted web server and keeping them open as long as possible. It accomplishes this by repeatedly sending partial HTTP requests that are never completed. The attacked server keeps these connections open, and opens more, as it waits for each of the attack requests to be completed. Because of the attack's simple yet elegant form, it uses very little bandwidth and exclusively impacts the target's web server, with nearly no side effects on other services or ports.

Features of Slowloris:

The following are the features of Slowloris:

o In Slowloris, perfectly legitimate HTTP traffic is used.
o With the help of this tool, we can perform DDoS attacks on any web server.
o As this tool is open source, we can download it from GitHub free of cost.
o Slowloris can be used to carry out a denial-of-service attack by creating a large amount of botnet traffic.
o Slowloris sends many requests to the target, resulting in heavy botnet traffic.
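To show how the SYN flood described under flood attacks and the Slowloris behaviour described here can be recognised on the defending side, the following is an added example (written for this page, not part of the practical or of either tool) that scans a constructed connection-table snapshot for half-open connections and for peers holding many idle, incomplete requests. The snapshot format and the thresholds are assumptions chosen to suit the sample.

```python
"""Spot SYN-flood and Slowloris-style connection exhaustion in a connection
table snapshot (added example).  The snapshot format is constructed for
illustration: one connection per line as
    <state> <peer ip:port> <seconds idle> <bytes received>
loosely modelled on the columns a tool such as `ss -tan` reports.
"""
from collections import Counter

# Constructed snapshot of a web server's TCP connections.
SNAPSHOT = """\
SYN-RECV 198.51.100.11:40211 1 0
SYN-RECV 198.51.100.57:51002 2 0
SYN-RECV 203.0.113.9:33001 1 0
SYN-RECV 192.0.2.77:60444 3 0
SYN-RECV 198.51.100.202:41200 1 0
ESTAB 203.0.113.5:52001 45 18
ESTAB 203.0.113.5:52002 47 20
ESTAB 203.0.113.5:52003 44 17
ESTAB 203.0.113.5:52004 46 19
ESTAB 192.0.2.10:44010 0 512
ESTAB 192.0.2.11:44011 1 733
"""

# Thresholds are deliberately small so the sample trips them; tune them to
# the normal load of a real server.
SYN_RECV_THRESHOLD = 4     # half-open connections before calling it a SYN flood
SLOW_CONN_PER_PEER = 3     # idle, near-empty connections held by one peer
SLOW_IDLE_SECONDS = 30     # idle time that marks a request as never finished
SLOW_MAX_BYTES = 64        # a complete HTTP request header is larger than this


def parse_snapshot(text):
    """Turn the snapshot into a list of dicts; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        state, peer, idle, rx = parts
        ip, _port = peer.rsplit(":", 1)
        conns.append({"state": state, "ip": ip, "idle": int(idle), "rx": int(rx)})
    return conns


def detect_syn_flood(conns):
    """A flood shows as many half-open (SYN-RECV) connections, typically from
    many distinct (often spoofed) sources.  Returns None if below threshold."""
    half_open = [c for c in conns if c["state"] == "SYN-RECV"]
    if len(half_open) < SYN_RECV_THRESHOLD:
        return None
    return {"half_open": len(half_open),
            "distinct_sources": len({c["ip"] for c in half_open})}


def detect_slowloris(conns):
    """Slowloris shows as one peer holding several established connections
    that stay idle for a long time with almost no request bytes received.
    Returns {peer_ip: connection_count} for peers over the threshold."""
    suspicious = Counter(
        c["ip"] for c in conns
        if c["state"] == "ESTAB"
        and c["idle"] >= SLOW_IDLE_SECONDS
        and c["rx"] <= SLOW_MAX_BYTES
    )
    return {ip: n for ip, n in suspicious.items() if n >= SLOW_CONN_PER_PEER}


def analyse(text):
    """Run both detectors over a snapshot and return their findings."""
    conns = parse_snapshot(text)
    return {"syn_flood": detect_syn_flood(conns),
            "slowloris": detect_slowloris(conns)}


if __name__ == "__main__":
    report = analyse(SNAPSHOT)
    if report["syn_flood"]:
        print("SYN flood suspected:", report["syn_flood"],
              "- consider enabling SYN cookies (net.ipv4.tcp_syncookies=1)")
    for ip, n in report["slowloris"].items():
        print(f"Slowloris suspected from {ip}: {n} idle incomplete connections",
              "- consider a request-header timeout and per-IP connection limits")
```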

3. LOIC (Low Orbit Ion Cannon):
It is the most well-known DoS tool, and it has become a legend among hackers. LOIC was initially developed by Praetox Technologies in C#; however, it was later released into the public domain. LOIC essentially converts a computer's network connection into a firehose of garbage requests directed towards a target web server. One computer rarely generates enough TCP, UDP, or HTTP requests to overwhelm a web server on its own: garbage requests are readily disregarded, while legitimate requests for web pages are handled normally.

Features of LOIC (Low Orbit Ion Cannon):

The following are the features of LOIC (Low Orbit Ion Cannon):

o LOIC is a free DDoS attack tool that allows us to test our network's performance.
o It enables us to perform stress testing in order to ensure its stability.
o With the help of this tool, we can create a DDoS attack online against any website that we control.
o We can use this DDoS software to identify DDoS programs that hackers can use to attack a computer network.
o LOIC does not hide an IP address even if the proxy server is down.
4. HOIC (High Orbit Ion Cannon):
The High Orbit Ion Cannon (HOIC) is a tool that can be used by an unauthenticated, remote attacker to launch distributed denial of service (DDoS) attacks. HOIC was developed by the well-known group Anonymous, a hacktivist collective, in order to replace the Low Orbit Ion Cannon (LOIC) tool. It works by flooding target systems with junk HTTP GET and POST requests. The tool can open up to 256 concurrent attack sessions, bringing down the target system by sending a steady stream of junk traffic until it can no longer process legitimate requests. Traditional security technologies and firewalls find it more difficult to locate and block DDoS attacks because of HOIC's misleading and varied strategies. HOIC is a well-known DDoS attack tool available for Linux, Windows, and Mac platforms and is free to use.

Features of HOIC (High Orbit Ion Cannon):

The following are the features of HOIC (High Orbit Ion Cannon):

o With the help of this tool, we can attack up to 256 websites at once.
o With the help of this tool, we can control attacks with low, medium, and high settings.
o It contains a counter that we can use to measure the output.
o This DDoS tool can be run on Linux and Mac OS.
o We can choose the number of threads in the current attack.


PRACTICAL – 3
AIM: Explore the Nmap tool and list how it can be used for network
defence.
Nmap is used for exploring networks, performing security scans, auditing networks and finding open ports on remote machines. It scans for live hosts, operating systems, packet filters and open ports running on remote hosts.

Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It supports a large number of scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open), and FTP.

Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications. Nmap allows network admins to find which devices are running on their network, discover open ports and services, and detect vulnerabilities.

Features of NMAP:
There are various phases involved in performing a network scan using Nmap. These steps can
be defined by various options provided by the Nmap utility. A user can pick any of these
options, as per their requirements, to obtain specific network scan results. The following are
the options provided by the Nmap utility:
• Host discovery
• Scan techniques
• Port specification and scan order
• Service or version detection
• Script scan
• OS detection
• Timing and performance
• Evasion and spoofing
• Output
• Target specification

Applications of NMAP:
1. Nmap gives you detailed information on every IP active on your networks, and each IP can then be scanned. In this way, you can check whether an IP is being used by a legitimate service, or by an external attacker.
2. Nmap provides information on your network. You can use it to produce a list of live hosts and open ports, as well as identifying the OS of every connected device. So, you will have a valuable tool in ongoing system monitoring, as well as a critical part of pen testing. If you have learned about the Metasploit framework, you can use Nmap alongside it to probe and then repair network vulnerabilities.
3. You can use Nmap to scan your own web server (particularly if you are hosting your website from home); this simulates the process that a hacker would use to attack your site. So, if you are looking for a tool to protect personal and business websites, you will find this tool valuable. It gives you a powerful way of identifying security vulnerabilities by attacking your own site.

• NMAP as Network Defence Tool:
o Nmap is now one of the core tools used by network administrators to map their networks. The program can be used to find live hosts on a network, perform port scanning, ping sweeps, OS detection, and version detection.
o By using scanners such as Nmap, the "bad guys" are able to sweep networks and look for vulnerable targets. Once these targets are identified, an intruder is able to scan for listening ports. Nmap will also use TCP stack fingerprinting to accurately determine the type of machine being scanned.
o Nmap can be the solution to the problem of identifying activities on a network, as it scans the entire system and makes a map of every part of it.
o Thus, it can be said that the Nmap tool works as a network defence tool.

Nmap command:
This command scans a target with Nmap without specifying any command-line options; the
target can be given as an IP address.

Multiple Target Scans with nmap:

Ping scan in nmap:

This Nmap command is used to perform a ping scan (host discovery only, without a port
scan). -sP is the older spelling of this option; current Nmap versions accept -sn as well.

Example: nmap -sP 142.250.192.1

No-ping scan in nmap:

This Nmap command skips host discovery and scans the target even if it does not answer
pings. -PN is the older spelling of this option; current Nmap versions write it -Pn.

Example: nmap -PN 142.250.192.1

TCP SYN ping:

This Nmap command is used to perform a TCP SYN ping.

Show the Nmap version:

This Nmap command prints the version of Nmap itself.

Example: nmap --version

TCP ACK ping:

This Nmap command performs a TCP ACK ping.

Scan a list of targets:

This Nmap command scans a list of targets read from an input file.

Save output in a text file:

This Nmap command saves the scan output in a text file.

DNS resolution:

Force DNS resolution:
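Using the saved Nmap output defensively, as an added example (not from the original manual): a parser for Nmap's grepable output format (-oG) that compares the open ports of each host against an allow-list, so a port nobody approved stands out. The hosts, service versions and baseline below are constructed.

```python
"""Parse Nmap grepable output (-oG) and flag open ports outside a per-host allow-list."""
from typing import Dict, List, Set, Tuple

# Constructed sample of 'nmap -sV -oG out.txt' output; addresses are RFC 5737
# documentation addresses and the host names and versions are made up.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG out.txt 192.0.2.0/29
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (997)
Host: 192.0.2.11 (db.example.test)\tStatus: Up
Host: 192.0.2.11 (db.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 3306/open/tcp//mysql//MySQL 8.0.33/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 10:00:12 2024 -- 8 IP addresses (2 hosts up) scanned in 12.03 seconds
"""

# (port, protocol, state, service, version)
PortRecord = Tuple[int, str, str, str, str]

def parse_grepable(text: str) -> Dict[str, List[PortRecord]]:
    """Return {ip: [PortRecord, ...]} for every host line in -oG output."""
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # '#' banner and footer lines
        # Tab-separated "Key: value" fields: Host, Status or Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]        # "192.0.2.10 (name)" -> "192.0.2.10"
        hosts.setdefault(ip, [])
        if "Ports" not in fields:
            continue                          # the 'Status: Up' line carries no ports
        for entry in fields["Ports"].split(", "):
            # Each entry: port/state/protocol/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
            hosts[ip].append((int(port), proto, state, service, version))
    return hosts

def unexpected_open_ports(hosts: Dict[str, List[PortRecord]],
                          baseline: Dict[str, Set[int]]) -> List[Tuple[str, int, str]]:
    """(ip, port, service) for every *open* port not in the host's allow-list.
    A host missing from the baseline is treated as having no approved ports."""
    findings = []
    for ip, records in hosts.items():
        allowed = baseline.get(ip, set())
        for port, _proto, state, service, _version in records:
            if state == "open" and port not in allowed:
                findings.append((ip, port, service))
    return findings

# Constructed allow-list: what each host is supposed to expose.
BASELINE: Dict[str, Set[int]] = {"192.0.2.10": {22, 80, 443}, "192.0.2.11": {22}}

if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    for ip, port, service in unexpected_open_ports(inventory, BASELINE):
        print(f"{ip}:{port} ({service}) is open but not in the baseline")
```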

PRACTICAL – 4
AIM: Explore the NetCat tool.
Netcat is a Unix utility which reads and writes data across network connections using the
TCP or UDP protocol.
The following tasks can be done easily with Netcat:
• Connect to a port on a target host.
• Listen on a certain port for inbound connections.
• Send data between client and server once the connection is established.
• Transfer files across the network once the connection is established.
• Execute programs and scripts of the client on the server and vice versa.
• Provide remote shell access to the server for a client, where shell commands can
be executed.
Example:
A simple client-server connection:
Type this command on the server machine.

Here, nc stands for Netcat, the program we are calling.
The -l option tells the program to listen on the port specified by the -p option; in this case it
is 1234. So, the command can also be written as:
Now type the following on the client machine or in another terminal:

This will create a TCP connection to the IP address (that is, 127.0.0.1) on the
specified port (that is, 1234).
Some important options that can be used with Netcat:
1. Verbose (-v): prints additional information about the connection.

The above command on the client shows that it has successfully connected to the
server. The same command can also be used to check whether a port on the server is open or
not.

2. After data transfer, wait w seconds before terminating the connection (the -w option).

3. To perform a simple chat and data transfer.

Use the above sequence of commands to send messages or data from one terminal
and one IP to the other.

4. To perform a file transfer.

In this example, the server terminates the connection 30 seconds after receiving
the file. If the file is not in the current directory, specify the full path.

5. To execute shell commands after the connection is successfully established.

/bin/sh is the Unix shell that executes shell commands.

This provides a remote shell to the client, from which the client can execute shell
commands on the server.
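The listen, connect, transfer and timeout behaviour of points 1 to 4 above, reproduced with plain Python sockets as an added example (not part of the original manual): a listener with a -w style idle timeout, a client that connects and sends, and a connection check like nc -v -z. The ports are chosen by the OS and the messages are constructed.

```python
"""Netcat-style listener, client and port check in plain Python sockets
(added example, not from the original manual). Ports and messages are constructed."""
import socket
import threading
from typing import Dict, List

def serve_once(lsock: socket.socket, wait_seconds: float, out: List[bytes]) -> None:
    """Listener side, like 'nc -l -p PORT -w SECS': accept one client and collect
    its data until it closes the connection or stays idle for wait_seconds."""
    conn, _peer = lsock.accept()
    conn.settimeout(wait_seconds)
    chunks: List[bytes] = []
    try:
        while True:
            data = conn.recv(4096)
            if not data:                  # peer closed: end of the transfer
                break
            chunks.append(data)
    except socket.timeout:
        pass                              # idle longer than -w: keep what arrived so far
    finally:
        conn.close()
    out.append(b"".join(chunks))

def nc_exchange(messages: List[bytes], wait_seconds: float = 2.0) -> bytes:
    """Run listener and client on 127.0.0.1 and return what the listener received."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    lsock.listen(1)
    port = lsock.getsockname()[1]
    received: List[bytes] = []
    worker = threading.Thread(target=serve_once, args=(lsock, wait_seconds, received))
    worker.start()
    # Client side, like 'nc 127.0.0.1 PORT': connect, send each line, close.
    with socket.create_connection(("127.0.0.1", port), timeout=wait_seconds) as client:
        for message in messages:
            client.sendall(message)
    worker.join()
    lsock.close()
    return received[0]

def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Connection check like 'nc -v -z HOST PORT': True when the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                       # refused, unreachable or timed out
        return False

def demo() -> Dict[str, object]:
    """Exercise the helpers against sockets created here and return the results."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    listening_port = lsock.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                         # nothing listens on this port any more
    results = {
        "received": nc_exchange([b"hello from client\n", b"second line\n"]),
        "listening_open": port_open("127.0.0.1", listening_port),
        "closed_open": port_open("127.0.0.1", closed_port),
    }
    lsock.close()
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```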

PRACTICAL – 5
AIM: Use Wire Shark tool and explore the Packet format and content at
each OSI Layer.

(1) Use the Wireshark tool and explore the packet format and content at each OSI
layer.

Wireshark:
Wireshark is a network protocol analyzer: an application that captures packets from
a network connection, such as from your computer to your home office or the internet.
Packet is the name given to a discrete unit of data in a typical Ethernet network.
Wireshark is the most widely used packet sniffer in the world.

Like most packet sniffers, Wireshark captures, filters, and visualizes network
data and traffic. It starts by accessing a network connection and grabbing whole
sections of data traffic in real time. It can capture anywhere from dozens to tens of
thousands of data packets at a time, which is why it is also useful for security work.

The 4 main uses of Wireshark are:

• Network administrators use it to troubleshoot network problems.
• Network security engineers use it to examine security problems.
• QA engineers use it to verify network applications.
• Developers use it to debug protocol implementations.

Working of Wireshark:
• Wireshark is a packet sniffer and analysis tool. It captures network traffic from
Ethernet, Bluetooth, wireless (IEEE 802.11), token ring, and frame relay
connections, among others, and stores that data for offline analysis.

Advantages of Wireshark:
• Common problems that Wireshark can help troubleshoot include dropped packets,
latency issues, and malicious activity on your network.
• It lets you put your network traffic under a microscope, and provides tools to filter
and drill down into that traffic, zooming in on the root cause of the problem.
OSI Network Layer Analysis via Wireshark:
OSI (Open Systems Interconnection) is a reference model for how applications communicate
over a network. Here are the 7 layers according to the OSI model:
• Application Layer
• Presentation Layer
• Session Layer

• Transport Layer
• Network Layer
• Data Link Layer
• Physical Layer

There is another network model, TCP/IP.

Here are the 4 layers according to the TCP/IP model:

• Application Layer
• Transport Layer
• Internet Layer
• Network Access Layer

Relation between the OSI and TCP/IP models. Below is how the layers of the two models
correspond:

OSI Model             TCP/IP Model
Application Layer     Application Layer
Presentation Layer    Application Layer
Session Layer         Application Layer
Transport Layer       Transport Layer
Network Layer         Internet Layer
Data Link Layer       Network Access Layer
Physical Layer        Network Access Layer

Actually, in Wireshark we observe the layers below:

• Application Layer
• Transport Layer
• Network Layer
• Data Link Layer
• Physical Layer
Because Wireshark decodes packets starting at the Data Link layer, we do not always get
physical layer information. In some cases the capturing adapter provides some physical layer
information, which Wireshark can then display. The interesting part is that not every protocol
has all the layers. The sequence of layers seen in Wireshark is:

• Data Link Layer
• Network Layer
• Transport Layer
• Application Layer

If physical layer information is given to Wireshark, we see it on top of the Data Link
layer:
• Physical Layer
• Data Link Layer
• Network Layer
• Transport Layer
• Application Layer
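To make the layering concrete, here is an added example (not from the original manual) that decodes a constructed Ethernet/IPv4/TCP/HTTP frame into the same Data Link, Network, Transport and Application sections that Wireshark's packet-details pane shows; the addresses and the HTTP payload are made up.

```python
"""Decode a raw Ethernet frame layer by layer, as Wireshark's packet-details pane does:
Data Link (Ethernet II), Network (IPv4), Transport (TCP), Application (HTTP).
Added example, not from the original manual; the frame below is constructed."""
import struct
from typing import Any, Dict

def build_sample_frame() -> bytes:
    """Constructed HTTP GET from 192.0.2.10:40000 to 192.0.2.80:80 (RFC 5737 addresses,
    RFC 7042 documentation MACs); checksums are left at zero."""
    payload = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: version 4 / IHL 5, DSCP, total length, id, flags DF, TTL, protocol 6 = TCP, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    # Ethernet II: destination MAC, source MAC, EtherType 0x0800 = IPv4
    eth = bytes.fromhex("00005e005301") + bytes.fromhex("00005e005302") + b"\x08\x00"
    return eth + ip + tcp + payload

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(frame: bytes) -> Dict[str, Any]:
    layers: Dict[str, Any] = {}
    # Layer 2: the 14-byte Ethernet II header comes first in an Ethernet capture.
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["data_link"] = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": hex(ethertype)}
    if ethertype != 0x0800:
        return layers                     # only IPv4 is decoded in this example
    # Layer 3: IPv4; IHL (low nibble of the first byte) is the header length in 32-bit words.
    ip = frame[14:]
    ver_ihl, _dscp, total_len, _ident, _frag, ttl, proto, _csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["network"] = {"version": ver_ihl >> 4, "header_len": ihl, "total_length": total_len,
                         "ttl": ttl, "protocol": proto,
                         "src": ".".join(map(str, s)), "dst": ".".join(map(str, d))}
    if proto != 6:
        return layers                     # only TCP is decoded in this example
    # Layer 4: TCP; data offset (high nibble of byte 12) is the header length in 32-bit words.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
    flags = [n for i, n in enumerate(names) if off_flags & (1 << i)]
    layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                           "flags": flags}
    # Layer 7: everything after the TCP header; port 80 suggests HTTP, shown by its first line.
    payload = tcp[data_off:]
    layers["application"] = {
        "protocol": "HTTP" if 80 in (sport, dport) else "unknown",
        "first_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
        "payload_len": len(payload)}
    return layers

if __name__ == "__main__":
    for layer, fields in decode_frame(build_sample_frame()).items():
        print(f"{layer:12s} {fields}")
```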

• Network Layer:

• Data Link Layer:

• Transport Layer:

• Application Layer:

PRACTICAL – 6
AIM: Examine SQL Injection Attack.
What is a SQL Injection Attack?
SQL Injection attacks alter SQL queries, injecting malicious code by exploiting
application vulnerabilities. Successful SQLi attacks allow attackers to modify database
information, access sensitive data, execute admin tasks on the database, and recover files
from the system. In some cases, attackers can issue commands to the underlying database
operating system.

▪ Types of SQL Injection Attacks. There are several types of SQL injection:
• Union-based SQL Injection – the most popular type of SQL injection; it uses the UNION
statement, which combines two SELECT statements to retrieve data from the database.
• Error-based SQL Injection – this method can only be run against MS-SQL Servers.
In this attack, the malicious user causes an application to show an error. Usually, the
attacker asks the database a question and it returns an error message which also contains
the data they asked for.
• Blind SQL Injection – in this attack, no error messages are received from the
database; the data is extracted by submitting queries to the database and observing how it
responds. Blind SQL injections can be divided into boolean-based and time-based SQL
Injection.

Examples of SQL injection attacks:

Example: Injecting Malicious Statements into a Form Field.

This is a simple SQL injection attack based on user input. The attacker uses a form that
requires a first name and last name as inputs.

The attacker inputs:

First name: malicious'ex
Last name: Smith

The attacker's first name variable contains a malicious expression, which we denote as
'ex.
The SQL statement that processes the form inputs looks like this:
SELECT id, firstname, lastname FROM authors
SELECT id, firstname, lastname FROM authors

Once the attacker injects a malicious expression into the first name, the statement looks
like this:
SELECT id, firstname, lastname FROM authors WHERE firstname = 'malicious'ex' and
lastname ='newman'

The database detects incorrect syntax because of the stray single quote and tries to execute
the malicious statement that follows it.

Example: Using SQL to Authenticate as Administrator.


This example shows how an attacker can use SQL injection to circumvent an application’s
authentication and gain administrator privileges.

Consider a simple authentication system using a database table with usernames and
passwords. A user’s POST request will provide the variables user and pass, and these are
inserted into a SQL statement:
sql = "SELECT id FROM users WHERE username='" + user + "' AND password='" +
pass + "'"

The problem here is that the SQL statement uses string concatenation to combine code and
data. The attacker can provide a string like this instead of the pass variable:
password' OR 5=5

The resulting SQL query will be run against the database:


SELECT id FROM users WHERE username='user' AND password='pass' OR 5=5'

Because 5=5 is a condition that always evaluates to true, the entire WHERE statement will
be true, regardless of the username or password provided.

The WHERE statement will return the first ID from the users table, which is commonly
the administrator. This means the attacker can access the application without
authentication, and also has administrator privileges.

A more advanced form of this attack is where the attacker adds a code comment symbol at
the end of the SQL statement, allowing them to further manipulate the SQL query. The
following will work in most databases including MySQL, PostgreSQL, and Oracle:

' OR '5'='5' /*

SQL Injection Prevention:

1. Prepared Statements (with Parameterized Queries)

Prepared statements are easy to learn and use and eliminate the problem of SQL
injection. They force you to define the SQL code first and pass each parameter to the query
later, making a strong distinction between code and data.

If an attacker supplies a malicious string like in the above examples, for example
providing John' or 1=1 for a username, the prepared statement will evaluate this as a
literal string. It will look for a user named John' or 1=1 (and fail, because no such user
exists) instead of evaluating this statement as code.

Prepared statements are available in all programming languages. Here is an example in
Java. To be on the safe side, OWASP recommends validating the input parameter just
in case.

// Separate definition of input variable
String custname = request.getParameter("customerName");

// Separate definition of SQL statement
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";

// PreparedStatement command securely combines inputs and SQL syntax
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();

2. Stored Procedures
Stored procedures are similar to prepared statements, except that the SQL code for the stored
procedure is defined and stored in the database rather than in the application code. In most
cases stored procedures can be as secure as prepared statements, so you can decide
which one fits better with your development processes.

There are two cases in which stored procedures are not secure:
▪ The stored procedure includes dynamic SQL generation – this is typically not
done in stored procedures, but it can be done, so you must avoid it when creating
stored procedures. Otherwise, ensure you validate all inputs.
▪ Database owner privileges – in some database setups, the administrator grants
database owner permissions so that stored procedures can run. This means that if
an attacker breaches the server, they have full rights to the database. Avoid this by
creating a custom role that gives stored procedures only the level of access they
need.

Here is an example of a stored procedure call in Java (Java calls it a CallableStatement). We
assume that the sp_getAccountBalance stored procedure implements the same logic as the
prepared statement in option 1 above.

// Separate definition of user inputs
String custname = request.getParameter("customerName");

// Executing the stored procedure sp_getAccountBalance
try {
    CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
    cs.setString(1, custname);
    ResultSet results = cs.executeQuery();
    // result set handling
} catch (SQLException se) {
    // logging and error handling
}
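The authentication bypass described in the second example above and the prepared-statement fix from this section, side by side as an added example (not from the original manual or from OWASP): the concatenated query is run against an in-memory SQLite table with the page's comment-terminated payload, then the same inputs go through a parameterized query. The table contents are constructed, and passwords are stored in plaintext only to mirror the text's query.

```python
"""The page's concatenated login query next to its parameterized fix, both run against
an in-memory SQLite table (added example, not from the original manual)."""
import sqlite3
from typing import Optional

def make_db() -> sqlite3.Connection:
    """Constructed users table; the administrator is the first row, as the text assumes.
    Plaintext passwords are used only so the query matches the text, never in real code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
                     [(1, "admin", "c0rrect-h0rse"), (2, "john", "hunter2")])
    conn.commit()
    return conn

def build_vulnerable_sql(user: str, pw: str) -> str:
    """String concatenation exactly as in the text: the inputs become part of the SQL code."""
    return "SELECT id FROM users WHERE username='" + user + "' AND password='" + pw + "'"

def vulnerable_login(conn: sqlite3.Connection, user: str, pw: str) -> Optional[int]:
    """Returns the id of the 'authenticated' user, or None."""
    row = conn.execute(build_vulnerable_sql(user, pw)).fetchone()
    return row[0] if row else None

def safe_login(conn: sqlite3.Connection, user: str, pw: str) -> Optional[int]:
    """Parameterized query: the driver binds user and pw as data, so a quote in the
    input can never close the string literal or append a new condition."""
    row = conn.execute("SELECT id FROM users WHERE username=? AND password=?",
                       (user, pw)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '5'='5' /*"             # the comment-terminated payload from the text
    print(build_vulnerable_sql("nobody", payload))
    print("vulnerable:", vulnerable_login(db, "nobody", payload))   # 1: first row, the admin
    print("safe:      ", safe_login(db, "nobody", payload))         # None: rejected
    print("safe:      ", safe_login(db, "John' or 1=1", "x"))       # None: literal lookup
```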

PRACTICAL – 7
AIM: Perform SQL Injection using SQL map on vulnerable website found
using google dorks.
sqlmap is an open-source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over database servers. It
comes with a powerful detection engine, many niche features for the ultimate
penetration tester and a broad range of switches ranging from database fingerprinting,
over data fetching from the database, to accessing the underlying file system and
executing commands on the operating system via out-of-band connections.
Google Hacking originally meant using the Google search engine to search for
information-technology related information and behaviour; it now refers to the use of any
search engine for that purpose. Google Hacking is not really anything new; in fact, a few
years ago I saw it introduced on some foreign sites, but at that time I did not attach
importance to the technique, since it was only used to find stray mdb files or webshells left
behind by others, and seemed of little practical use. Some time ago, after carefully reading
up on it, I suddenly found that Google Hacking is not so simple.

Steps to perform SQL injection:

1. Download the Google host list from here, then put the entries into your hosts file.
2. Open a command prompt and execute the ipconfig /flushdns command.
3. Testing: ping google.com
4. Open sqlmap and type the command
python sqlmap.py -g "inurl:\"php?id=\"" --random-agent -f --batch --answer="extending=N,follow=N,keep=N,exploit=n"
5. How to confirm whether a site has an injection point: check whether the corresponding
site directory contains a session.sqlite file; if it does, the site has an injection point.
Navigate to the C:\Users\Username\.sqlmap directory, hold down Shift + right mouse button
and click "Open command window here". Enter at the command prompt: tree /F output
6. In the C:\Users\Username\.sqlmap directory, find the directory of the site with the
injection point and open its target.txt file.
7. In the sqlmap directory, use the command:
python sqlmap.py --wizard

PRACTICAL – 8
AIM: Examine software keyloggers and hardware keyloggers.
Keyloggers, also known as keystroke loggers, record the keys pressed on a system and save
them to a file, and that file is then accessed by the person operating the malware. A keylogger
can be software or hardware.

Working: Keyloggers are mainly used to steal passwords or confidential details such as
bank information. The first keylogger was invented in the 1970s and was a hardware
keylogger; the first software keylogger was developed in 1983.

Software keyloggers: Software keyloggers are computer programs developed to steal
passwords from the victim's computer. However, keyloggers are also used in IT organizations
to troubleshoot technical problems with computers and business networks. Microsoft
Windows 10 also has a keylogger built into it.
1. JavaScript based keylogger – a malicious script inserted into a web page that
listens for key presses through events such as onkeyup. These scripts can be delivered in
various ways, such as sharing through social media, sending as a mail attachment, or as a
RAT file.
2. Form based keyloggers – keyloggers that activate when a person fills in a form online;
when the submit button is clicked, all the data or words written are sent to a file on a
computer. Some keyloggers work as an API inside a running application: it looks like a
simple application, and whenever a key is pressed it records it.
Hardware keyloggers: These do not depend on any software. A keyboard hardware
keylogger is a circuit attached inside the keyboard itself, so that whenever a key on that
keyboard is pressed it gets recorded.
1. USB keylogger – USB connector keyloggers have to be connected to a computer and
steal the data from there. Some circuits are also built into the keyboard, so no external
wire is used or visible on the keyboard.
2. Smartphone sensors – some Android tricks are also used as keyloggers, such as the
Android accelerometer sensor, which when placed near the keyboard can sense the
vibrations; the resulting graph is then used to reconstruct sentences, with an accuracy of
about 80%. Nowadays crackers use keystroke-logging Trojans, malware sent to a
victim's computer to steal data and login details.

So, keyloggers are software malware or hardware used to steal, or snatch,
our login details, credentials, bank information and much more.
Some keylogger applications used in 2020 are:
1. Kidlogger
2. Best Free Keylogger
3. Windows Keylogger
4. Refog Personal Monitor
5. All In One Keylogger
How to identify keyloggers on your computer?
There are several ways to detect a keylogger:
1. Have a good antivirus that can detect a keylogger on your system. There are specific
antivirus products designed for such scans.
2. Check the task list on the computer and examine the programs that are running to see
whether there are unknown programs on the list.
3. Scan the hard disk for recently stored files. Look for files that are updated often, as they
could be keystroke logs.
4. Check the programs that run at computer boot-up.

PRACTICAL – 9
AIM: Perform online attacks and offline attacks of password cracking.
John the Ripper is a free and open-source tool. To use this easy and awesome tool, just open a
terminal window and call his name: "john".
John will show all his options, just like the following screenshot:

First of all, we need to know what kind of hash we are dealing with. And we need to prepare
our wordlist, which john will use to brute-force the hash.
Now type the following command:
john --format=raw-md5 --wordlist=/path/of/wordlist/demo_word_list.txt
/path/of/hash/demo_hash.txt
The screenshot is as follows:

See, our hash has been cracked successfully.


The hash was “2f47a213cacefc2f8bd4ec9325a1b3c5”.
Johnny is the brother of John the Ripper.
The work of John and Johnny is almost the same. Basically, Johnny is a GUI client for John.
With the UI added, it becomes very easy to use.
To run it we need to open our terminal window and type the following command:
johnny
Then the GUI tool will start up like the following screenshot:

Now we load the hash file by clicking the Open Passwd File option. We can see our file
has been loaded in the following screenshot:

Then we need to go to Options, choose/type the format of the hash, and then specify
the directory of the wordlist file in the Wordlist section.

Once that is done, we click Start new attack, and we should see our password when it is
cracked.
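What john and Johnny do with --format=raw-md5 and a wordlist, written out as an added example (not from the original manual or from the John the Ripper project): a wordlist attack with a few John-style mangling rules against an unsalted MD5 hash, plus a precomputed lookup table and a salted variant that shows why per-user salts blunt the table. The wordlist and salt are constructed; the target hash is the well-known MD5 of "password".

```python
"""Offline wordlist attack on an unsalted raw-MD5 hash, the case John runs with
--format=raw-md5 --wordlist=..., and why a salt blunts precomputed tables
(added example, not from the original manual)."""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed wordlist standing in for demo_word_list.txt.
WORDLIST: List[str] = ["123456", "qwerty", "letmein", "Password", "dragon", "admin"]

def mangle(word: str) -> Iterable[str]:
    """A few John-style wordlist rules: case variants first, then common suffixes."""
    bases: List[str] = []
    for variant in (word, word.lower(), word.capitalize(), word.upper()):
        if variant not in bases:
            bases.append(variant)
    yield from bases
    for base in bases:
        for suffix in ("1", "123", "2020", "!"):
            yield base + suffix

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def crack_raw_md5(target_hex: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Hash every candidate and compare; returns (plaintext or None, candidates tried).
    Raw MD5 is fast and unsalted, so one pass over the wordlist tests every user's hash."""
    target = target_hex.lower()
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if md5_hex(candidate) == target:
                return candidate, tried
    return None, tried

def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precomputed hash -> plaintext table: hash the wordlist once, look up many hashes."""
    return {md5_hex(candidate): candidate for word in wordlist for candidate in mangle(word)}

def salted_md5(salt: str, password: str) -> str:
    """md5(salt || password): a per-user salt forces the attacker to redo the work for each
    hash, so the table above no longer matches; a wordlist run still works, one hash at a time."""
    return md5_hex(salt + password)

if __name__ == "__main__":
    known = "5f4dcc3b5aa765d61d8327deb882cf99"   # md5("password"), a well-known value
    print("wordlist attack:", crack_raw_md5(known, WORDLIST))
    table = build_lookup_table(WORDLIST)
    print("table hit on raw hash:", table.get(known))
    print("table hit on salted hash:", table.get(salted_md5("x7Qp", "password")))
```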

PRACTICAL – 10
AIM: Consider a case study of cybercrime, where the attacker has
performed on line credit card fraud. Prepare a report and also list
the laws that will be implemented on attacker.

“The environment that the organisation worries about is put there by the
organisation.” - Weick
Background:
The assistant manager (the complainant) with the fraud control unit of a large business
process outsourcing (BPO) organization filed a complaint alleging that two of its
employees had conspired with a credit card holder to manipulate the credit limit and
as a result cheated the company of INR 0.72 million.
The BPO facility had about 350 employees. Their primary function was to issue the
bank's credit cards as well as attend to customer and merchant queries. Each employee
was assigned to a specific task and was only allowed to access the computer system
for that specific task. The employees were not allowed to make any changes in the
credit-card holder's account unless they received specific approvals.
Each of the employees was given a unique individual password. In case they entered
an incorrect password three consecutive times then their password would get blocked
and they would be issued a temporary password.
The company suspected that its employees conspired with the son (holding an add-on
card) of one of the credit card holders. The modus operandi suspected by the client is
as follows.
The BPO employee deliberately keyed in the wrong password three consecutive times
(so that his password would get blocked) and obtained a temporary password to
access the computer system. He manually reversed the transactions of the card so that
it appeared that payment for the transaction has taken place. The suspect also changed
the credit card holder's address so that the statement of account would never be
delivered to the primary card holder.
Investigation:
The investigating team visited the premises of the BPO and conducted detailed
examinations of various persons to understand the computer system used. They learnt
that in certain situations the system allowed the user to increase the financial limits
placed on a credit card. The system also allowed the user to change the customer's
address, block and unblock the address, authorise cash transactions,
etc.
The team analysed the attendance register, which showed that the accused was present
at all the times when the fraudulent entries had been made in the system. They also
analysed the system logs, which showed that the accused's ID had been used to make the
changes in the system.
The team also visited the merchant establishments from where some of the
transactions had taken place. The owners of these establishments identified the holder
of the add-on card.
Current status:
The BPO was informed of the security lapse in the software utilised. Armed with this
evidence the investigating team arrested all the accused and recovered, on their
confession, six mobile phones, costly imported wrist watches, jewels, electronic
items, leather accessories and credit cards, all worth INR 0.3 million, and cash of INR
25,000. The investigating team informed the company of the security lapses in their
software so that instances like this could be avoided in the future.
This case won the second runner-up position for the India Cyber Cop Award, for its
investigating officer Mr S. Balu, Assistant Commissioner of Police, Crime, Chennai
Police. The case was remarkable for the excellent understanding displayed by the
investigating team, of the business processes and its use in collecting digital evidence.
