INDEX

BCS453- Cyber Security Workshop

Module 1: Packet Analysis using Wire shark

1. Basic Packet Inspection: Capture network traffic using Wire shark and analyze basic protocols like
HTTP, DNS, and SMTP to understand how data is transmitted and received.
2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns such as
repeated connection attempts or unusual communication between hosts.
3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication,
such as command-and-control traffic or data infiltration.
4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use
Wireshark to capture and analyze the packets to demonstrate the vulnerability and the importance of
encryption.
5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the
captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

Module 2: Web Application Security using DVWA

1. SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can
manipulate input fields to extract, modify, or delete database information.
2. Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into
web pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing
websites.
3. Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how
attackers can manipulate authenticated users into performing unintended actions.
4. File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA.
Show how attackers can include malicious files on a server and execute arbitrary code.
5. Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-
force and dictionary attacks against weak passwords. Emphasize the importance of strong
password policies.
 Cyber Security Workshop

Introduction to Wireshark
Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data
in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining what’s
happening inside a network cable, just like an electrician uses a voltmeter for examining what’s
happening inside an electric cable (but at a higher level, of course)
Downloading Steps:

1. Your first step is to head to the Wireshark download page and locate the Windows installer.

Once your file is downloaded, you can open the file from your Download folder.
2. You will be presented with the Wireshark wizard to guide you through the installation.
Click “Next.”

3. Next, you can review, agree to the license agreement, and click “Noted” to continue.
4. The next screen will ask if you want to donate to the Wireshark Foundation to help support
Wireshark and Sharkfest at https://wiresharkfoundation.org/. Click “Next” when finished.
5. Next, you will be asked what components you want to install. You can make your choice and thenclick
“Next.”

6. The following screen will ask if you want to create any shortcuts and if you want to associate tracefile
extensions with Wireshark (recommended).
7. Now you must install Ncap (an open-source library for packet capture and network analysis). It’s a
library allowing Wireshark to capture and analyze network traffic effectively. It enhances Wireshark's
capabilities by providing optimized packet capture.
8. Wireshark will now begin the installation process.
Objective 1:
Basic Packet Inspection: Capture network traffic using Wire shark and analyze basic protocols like HTTP,
DNS, and SMTP to understand how data is transmitted and received.
Tool Used: Wireshark

Protocols used in different OSI Layers:

Commands used for making Reference Table:

 Ipconfig /all (for getting information of local host)
 arp -a (for getting MAC address of Gateway)
 ping httpforever.com for capturing http packets
 1. Steps to Analyse HTTP protocol
Step 1: Open ether/wifi adapter in wireshark
Step2: Apply http filter as given below:
Step 3: Start Capturing
Step 4: open httpforever.com in the browser
Step 5: Analyse the TCP data (source port, destination port), source Mac, Destination Mac, Source Ip etc.
and compare it with the reference table
Step 6: check 3way handshaking befor establishing http connection by using the filter tcp.port==56368*
Step 7: Now finally record the data for http header in the table given below:

2. Steps to analyse DNS protocol

DNS:

Command for cmd:

ipconfig /displaydns
ipconfig /flushdns

DNS observation
Step 1: Start capturing via Wireshark
Step 2: ping nptel.ac.in (command prompt)
Step 3: Apply dns protocol filter in wireshark
Step 4: Observe the data in the given table:
 3. Step to analyse SMTP protocol
Step 1: Start capturing via Wireshark
Step 2: Enable the telnet feature by usin windows feature serviceStep 3: telnet gmail-smtp-in.l.google.com
25 (command prompt) Helo sahilquit

Commands to use:

Step 3: Apply smtp protocol filter in wireshark

Step 4: Observe the data in SMTP:

 Experiment 2

Objective : Detecting Suspicious Activity: Analyze network tra8ic to identify suspicious patterns,
such as repeated connection attempts or unusual communication between hosts.

Tool and Package Required:

Sec-sick client.pcapng

Aurora.pcap

Arp_poison.pcap

Step 1: Check the normal activity of di8erent protocol on the network by checking protocol
hierarchy and find the normal information being transferred under di8erent protocols susch as TCP
and UDP.

Protocol heirarchy:
Step 2: Open sec-sickclient.pcapng and observer the suspisious data being trasnferred in TCP
protocol and observe the path of the same.

Sec sick client:

Step 3: Load the other package “Aurora.pcap”- Spear Phishing attack and observe the line no 6 for
iframe attack

Line 6 I frame attack:

Step 4: Observe line 21 as some gif data is being transferred with unreadable language.

Line 21 :
Step 5: Check the TCP data by following TCP stream of the same and observe that the hacker is
trying to access the adming control by getting password and other credentials.

Line 25- TCP stream:

Step 6: Observe the suspicious activity by loading the package “ arp_poison.pcap” and check that
there is man in the middle attack is being happened in line no. 54, 55,56 and 57.
 Experiment 3
Objective: Malware Traffic Analysis: Analyze captured traffic to identify signs of malware
communication, such as command-and-control traffic or data infiltration.

Package: 2014-11-16-traffic-analysis-exercise.pcp

What are we looking for:

1. What are the infected file(s) downloaded and their hashes?

2. What is URL/ Domain of the infected site?

3. What is the IP address of the infected website?

4. What is the IP address of the infected machine ?

5. What is the hostname of the infected machine?

6. What is the mac address of the infected machine ?

To see only Get and Post Request : Filter ---→ http.request

To get the better understanding of destination: Right Click on host user HTTP

Now check Host Column

Sort column by Content type

We can save all suspicious files

We can directly upload the files to virus total but we avoid due to confidentiality, instead we
find the hash of file and then check for malicious activity.
Now, we checked the hash in virus total and found it infected.
2. What is URL/ Domain of the infected site?
Answer: see the host name of infected file.
stand.trustandprobaterealty.com

3. What is the IP address of the infected website?

37.200.69.143

4. What is the IP address of the infected machine ?

172.16.165.165

5. What is the hostname of the infected machine?

K34EN6W3N-PC

6. What is the mac address of the infected machine ?

f0:19:af:02:9b:f1

Host name using DHCP:

 1

EXPERIMENT 4
Objective 1: Simulate a scenario where a password is transmitted in plaintext. Use wire shark to capture and
analyze the packets to demonstrate the vulnerability and the importance of encryption.

Tool Used: Wireshark

Password Capturing/Sniffing
Wireshark can capture not only passwords but any type of information transmitted over the network:
usernames, email addresses, personal information, etc. As long as we can capture network traffic, Wireshark
can sniff passing passwords.
In sniffing can include passwords for various protocols such as HTTP, FTP, Telnet, etc. the captured data
can be used to troubleshoot network problems, but can also be used maliciously to gain unauthorized access
to sensitive information.
So, here we will see how we can capture the password using the Wireshark network capture analyzer. and
see the outputs of the following steps.
Step 1: First of all, open your Wireshark tool in your window or in Linux virtual machine. and start
capturing the network. suppose I am capturing my wireless fidelity.

Step 2: After starting the packet capturing we will go to the website and login the credential on that website
as you can see in the image.
 2

Step 3: Now after completing the login credential we will go and capture the password in Wireshark. for that
we have to use some filter that helps to find the login credential through the packet capturing.

Step 4: Wireshark has captured some packets but we specifically looking for HTTP packets. so in the
display filter bar we use some command to find all the captured HTTP packets. as you can see in the below
image the green bar where we apply the filter.

http
 3

Step 5: So there are some HTTP packets are captured but we specifically looking for form data that the user
submitted to the website. for that, we have a separate filter
As we know that there are main two methods used for submitting form data from web pages like login forms
to the server. the methods are-
 GET
 POST
Step 6: So firstly for knowing the credential we use the first method and apply the filter for the GET
methods as you can see below.
http.request.method == "GET"

GET method
As you can see in the image there are two packets where the login page was requested with a GET request as
well, but there is no form data submitted with a GET request.

Step 7: Now after checking the GET method if we didn’t find the form data, then we will try the POST
method for that we will apply the filter on Wireshark as you can see.

http.request.method == "POST"
 4

As you can see we have a packet with form data click on the packet with user info and the application URL
encoded. and click on the down-
HTML form URL Encoded where the login credential is found. login credential as it is the same that we
filed on the website in step 2.
Form item: "uname" = "Tonystark_44"
Form item: "pass" = "tony@1234"
 Experiment 5

Objective: ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze
the captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

Install Virtual Box Manager on Windows

Install Kali Linux through Virtual Box

Choose Installer Image

Start Kali Linux:
Open Terminal and write command: ip add

Copy MAC address from above and run command in wireshark @kali

We observe: No traffic is being captured

Aim is to capture the traffic between Target and default gate way on same line.

So we go to Target Device (Windows) and find IP address and default gateway.

IPv4 Address. . . . . . . . . . . : 192.168.1.5

Default Gateway . . . . . . . . . : 192.168.1.1

We are going to sniff traffic once we enable ARP poising using Tool Ettercap

OR

Click on three dots and scan for hosts

Select Ip Address and Add to Target 1
Select Default Gateway and Add to Target 2

Still Nothing is capturing

Select Current Targets

Click ARP Poisoning and start sniffing

Now we can see, packets are being captured

Open Wireshark on target Machine and check ARP Poisoning