lOMoARcPSD|44879458

Cyber Security file

cyber security (Dr. A.P.J. Abdul Kalam Technical University)

Scan to open on Studocu

Studocu is not sponsored or endorsed by any college or university

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)
 lOMoARcPSD|44879458

EXPERIMENT NO.-01

Aim: Basic Packet Inspection: Capture network traffic using Wire shark and analyze
basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted
andreceived.

Brief Description: Wireshark is an open-source network protocol analysis software program.

Itis a packet sniffer and analysis tool. It captures network traffic from ethernet, Bluetooth,
wireless (IEEE.802.11), token ring, and frame relay connections, among others, and stores that
data for offline analysis.

Installation Steps:

1. Download from: https://www.wireshark.org

2. Choose the version to download.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

3. Working with Wireshark - Double click on Wireshark icon - > go to WiFi (or any
other live option, as in the figure the first two are active connections, shown by
graphs), and double click.
4. Also, you may click capture -> ‘start’ to begin the packet transmission capture, and
‘stop’ to end it.
5. Once ended, explore Statistics - > I/O graphs, etc.
6. Finally, you can save the capture of packet transmission in csv file format.

Input and Output:

Input:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

Click the first button on the toolbar, titled “Start capturing packets.

You can select the menu item Capture -> Start.

OUTPUT:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-02

Aim: Detecting Suspicious Activity: Analyze network traffic to identify suspicious

patterns, such as repeated connection attempts or unusual communication between hosts.

Brief Description: Wireshark is the foremost and widely used protocol analyzer in the world.
One may trace down onto network at a microscopic level for variety of types of protocols.
Wireshark is the continuation of a project started by Gerald Combs in 1998.

Wireshark has a rich feature set which includes:

 Deep inspection of hundreds of protocols, with more being added all the time • Live
capture and offline analysis.
 Multi-platform: Runs on Windows, Linux, macOS, Solaris, etc.
 Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility.

 Capture files compressed with gzip can be decompressed on the fly.

 Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth,
USB,WiFi, etc.
 Decryption support for many protocols, including IPsec, ISAKMP, Kerberos,
SSL/TLS,WEP, etc.

INPUT:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

OUTPUT:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-03

Aim: Malware Traffic Analysis: Analyze captured traffic to identify signs ofmalware
communication, such as command-and-control traffic or data infiltration.

Brief Description: Malware traffic using Wireshark involves analyzing the captured
network packets to identify patterns, behaviors, and indicators of compromise (Ios).

Examine DNS traffic for suspicious domain names.

1. Look for traffic using non-standard or uncommon protocols.

2. Analyze HTTP and HTTPS traffic for anomalies.
3. Identify and analyze encrypted traffic using the "ssl" filter.
4. Use Wireshark's "Follow TCP Stream" feature to reconstruct and analyze complete
conversations.
5. Identify beaconing behavior, where malware sends periodic signals to a command and
control (C2) server.
6. Use the "Follow TCP Stream" or "Follow UDP Stream" feature to reconstruct the entire
communication between hosts.
7. Review metadata such as IP addresses, port numbers, and timestamps. Cross-reference
identified IP addresses, domains, or patterns with threat intelligence feeds. If the
malware uses non-standard ports, investigate the traffic on those ports.

INPUT & OUTPUT:

INPUT:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

OUTPUT:

Use Wireshark's save function, or other tools, such as Snort, to create a report that summarizes
your analysis, highlights the key findings, and provides recommendations or mitigation
strategies.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-04

Aim: Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use
Wireshark to capture and analyze the packets to demonstrate the vulnerability and the
importance of encryption.

Brief Description: Wireshark can capture not only passwords, but any type of information
transmitted over the network: usernames, email addresses, personal information, etc. If we can
capture network traffic, Wireshark can sniff passing passwords. In sniffing can include
passwords for various protocols such as HTTP, FTP, Telnet, etc. the captured data can be used
to troubleshoot network problems but can also be used maliciously to gain unauthorized access
to sensitive information.

In this experiment, we will see how we can capture the password using the Wireshark network
capture analyzer. and see the outputs of the following steps.

INPUT:

Step 1: Open your Wireshark tool in your window or in Linux virtual machine. and
start capturing the network.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

Step 2: After starting the packet capturing, we will go to the website and login
thecredential on that website as you can see in the image.

Step 3: Now after completing the login credential, we will go and capture the password in
Wireshark. for that we must use some filter that helps to find the login credential through the
packet capturing.
Step 4: Wireshark has captured some packets but we specifically looking for HTTP packets. so,
in the display filter bar we use some command to find all the captured HTTP packets. as you
canseeing the below image the green bar where we apply the filter.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

Step 5: So, there are some HTTP packets are captured but we specifically looking for form
datathat the user submitted to the website. for that, we have a separate filter. There is main two
methods used for submitting form data from web pages like login forms to the server. the
methods are- GET and POST.
Step 6: So, firstly for knowing the credential we use the first method and apply the filter for the
GET methods as you can see below:
http.request.method == "GET"

As you can see in the image there are two packets where the login page was requested with a
GET request as well, but there is no form data submitted with a GET request.
Step 7: Now after checking the GET method if we didn’t find the form data, then we will try
the POST method for that we will apply the filter on Wireshark as you can see.
http.request.method == "POST"

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

As we can see we have a packet with form data click on the packet with user info and the
application URL encoded. and click on the down-
HTML form URL Encoded where the login credential is found. login credential as it is the
same that we filed on the website in step 2.

OUTPUT:
Form item: "uname" = "Tonystark_44"

Form item: "pass" = "tony@1234"

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-05

Aim: ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap.
Analyze the captured packets to understand how the attack can lead to a Man-in-the-Middle
scenario.

Brief Description: Ettercap is a packet capture tool that can write packets back onto the
network. Thus, data streams can be diverted and altered on the fly. The system can also be used
for protocol analysis to analyze network traffic and work out which applications generate the
most traffic. here is a GUI interface for Ettercap, and it is also possible to use Ettercap at the
command line. The most common uses for Ettercap are man-in-the-middle attacks through ARP
poisoning.
Additionally, hackers use this tool, and you can use it for penetration testing. Ettercap is
primarily tool for Linux and other Unix-like operating systems. It is available for the following
Linux distros:

 Debian
 Ubuntu
 Kali
 Mint
 Parrot OS
 Fedora
 Gentoo
 Pentoo
 OpenSuSe
 Cent OS
 RHEL
The Windows version mentioned by the developers are:

 Windows Vista
 Windows 7
 Windows 8
Installation steps:

Install Ettercap on Ubuntu Linux

Go to the command line and enter the two

commands:sudo apt update

sudo apt install Ettercap-common

ARP poisoning is a type of man in the middle attack. ARP poisoning is the easiest method of
the two and better results for a man-in-the-middle attack on a local network. The ARP poisoning
method lies at the heart of Ettercap’s attack methodology.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

Steps for updating Ettercap to initiate ARP poisoning attack:

Adjust the Ettercap configuration for ARP poisoning:

(a) Update the Ettercap configuration file to accrue traffic to the superuser.
sudo vi /etc/Ettercap/etter.conf

(b) Look for the [privs] section in the file. Change the following two lines.
ec_uid = 0 # nobody is the default

ec_gid = 0 # nobody is the default

(c) Save the file.

Set up an MITM attack

(a) Make a note of your network’s router. Type the following

command:ip r

The results will state default via and then an IP address. This is the address of
the router. Write it down.

(b) Start-up Ettercap with its front-end graphical interface. With the

command:sudo -E Ettercap -G

In this attack strategy, we will get the victim’s computer to believe our computer is the router.
Thesending computer already knows the IP address of the router. We won’t change that. Instead,
we will link the MAC address of our computer to that IP address.

Steps for inserting ARP poisoning

attack:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

INPUT & OUTPUT:

INPUT:

1 Click on Sniff in the top menu and then select Unified Sniffing from the drop-down
menu.
2 Ettercap Input dialog box will appear.
3 Select the network interface that is on the same network as the target computer andpress
OK.
4 Click on the Hosts option on the top menu and select Scan for hosts from the drop-
down menu.
5 Next, click on the Hosts option again and choose Hosts List.
6 This will show you the other devices connected to the network.
7 Work out which of these is your target computer.
8 Click on the line for the target and click on the Add to Target 1 button.
9 Next, click on the address of the network’s router and press the Add to Target 2 button.
10 We can add as many Targets 1 addresses as we want.
11 For every Target 1 address, you insert in this setup, the computer associates with that
IP address will have its traffic diverted through the computer running the Ettercap
system.
12 Click on the MITM option on the top menu and then on ARP poisoning.
13 Sniff remote connections and then click on OK.
14 Click on the Start option in the top menu and then choose Start Sniffing
15 This remaps the IP address of the router to your computer.
16 The Ettercap system will forward the traffic to the actual router and channel responses
back to the target.

OUTPUT:

The packet header data for the connection.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-06

Aim: SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how
an attacker can manipulate input fields to extract, modify, or delete database
information.

Brief Description: SQL injection is one of the most common attacks used by hackers to exploit
any SQL database-driven web application. It’s a technique where SQL code/statements are
inserted in the execution field with an aim of either altering the database contents, dumping
useful database contents to the hacker, cause repudiation issues, spoof identity, and much
more.

DVWA is a vulnerable web application developed using PHP and MySQL that allows ethical
hackers to test out their hacking skills and security tools. They can use it to learn which features
of a web application are easy to exploit. Some of the most common web vulnerabilities
demonstrated by this application include Cross-Site Request Forgery (CSRF), File Inclusion,
SQL injection, Brute force attacks, and much more.
Prerequisite to install DVWA:

Step 1: Download Damn Vulnerable Web Application (DVWA)

Step 2: Configure DVWA
Step 3: Install PHP
Step 4: Configure Apache Server
Step 5: Access DVWA on Your Browser

We now have everything configured, and we can proceed to launch DVWA. Open your
browser and enter the URL.

http://127.0.0.1/dvwa/

That will open the setup.php web page as shown in the image:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

You might see the errors colored in red as in the image above. Don’t panic! Scroll down and
click the Create / Reset Database button.

That will create and configure the database. After some time, you will be redirected to the
DVWA login page. Log in with these credentials:

Username -admin

Password -

password

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

Once logged in, you will see the DVWA main page. On the left panel, we have different types
of attacks you can exploit and the DVWA Security button that allows you to choose the
desired security level - Low, Medium, High, or Impossible.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

INPUT:

1. Basic Injection- On the User ID field, enter “1” and click Submit. That is supposed
to print the ID, First name, and Surname on the screen as you can see below.
The SQL syntax being exploited here is:

$getid = "SELECT first name, last name FROM users WHERE user id = '$id'";

OUTPUT:

1. Change the ID parameter of the URL to a number like 1,2,3,4 etc. That will also return the
First name and Surname of all users as follows:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-07
Aim: Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious
scripts into web pages. Show the potential impact of XSS attacks, such as stealing cookies or
defacing websites.

Brief Description: XSS Reflected, also known as non-persistent XSS or Type-I XSS, is a web
application vulnerability that allows attackers to inject malicious scripts into web pages viewed
by other users.

How does it work:

1 The attacker crafts a malicious link or input field on a website that does not properly
validateor sanitize user input.
2 The user visits the website, clicks on the malicious link, or submits a form containing
the vulnerable input field.
3 There are three types of main types of Cross-Site Scripting (XSS) attacks:

1 Stored XSS
2 Reflected XSS
3 DOM-based XSS

INPUT AND OUTPUT:

INPUT:
1. Create an instance of stored XSS

(a) An attacker finds a vulnerable website that allows users to post comments or
create profiles without properly sanitizing user-supplied data.
(b) The attacker creates a comment or profile with a malicious script, such as the following:
<script>alert("XSS");</script>
(c) The malicious script is stored on the website's database and served to all users who
visited affected page, causing the script to be executed in their browsers.
(d) When other users visit the page, the attacker's script is executed in their browsers,
causing a pop-up message to appear. In a real-world scenario, the attacker's script
might steal sensitive information, such as user credentials, or perform actions on
behalf of the affected user.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

OUTPUT:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-08

Aim: Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate
how attackers can manipulate authenticated users into performing unintended actions.

Brief Description: CSRF stands for Cross-Site Request Forgery and is an attack that occurs
when in some way an attacker can trick your web browser into performing an unwanted action
ona trusted website where you are currently authenticated.

INPUT & OUTPUT:

INPUT:

Assume you are working on a Kali Virtual Machine Use <font> tag to set the size of

font. So, once we have:

 a working DVWA application

 the attacking
machine we can run the
VPN and log in.

As usual, the default credentials are:

 Username: admin
 Password: password

Next step will be to go into settings and set it as “Low”.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

CSRF On DVWA With Low-Security Level

By opening the page, we see a form where we can change our password.

The first thing that should come to mind is to try changing passwords and observing the results.
And after doing that we are still on the same page, but looking at the URL bar, there is an
interesting value.

OUTPUT:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-9

Aim: File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities
in DVWA. Show how attackers can include malicious files on a server and execute arbitrary
code.

Brief Description: There are two main types of file inclusion vulnerabilities:

Local File Inclusion (LFI)

Remote File Inclusion (RFI)

INPUT AND OUTPUT:

INPUT:

Assume you have an attacker machine and a working DVWA as a target.Firstly, log in and change
the security level.
Step 1: So, you can log in with these credentials:

Step 2: Go into the settings and set the difficulty as “Low”. This vulnerability allows an attacker
tosee/execute a file without having reading/executing permissions.

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

So let’s try to change the “page” variable with the relative path of the “passwd” file in Linux,
and go to (remember to replace the IP with your target machine’s address):
http://10.10.229.208/vulnerabilities/fi/?page=../../../../../../../../../etc/passwd
The result is the list of users on the server.
But let’s go a step further, and get the flag! As you can see in the structure of DVWA there is a
folder named “flags” inside hackable. You can find it here and it contains the file we want to
execute: fi.php.
So, as you already may have understood, we need to type the relative path to that file in order
to execute it.
This is the URL we will insert into our browser:
http://10.10.229.208/vulnerabilities/fi/?page=../../hackable/flags/fi.
php

OUTPUT:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

EXPERIMENT NO.-10
Aim: Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and
demonstrate brute-force and dictionary attacks against weak passwords. Emphasize the
importance of strong password policies.4. A Tribute Page.

Brief Description: A brute force attack is a type of cyber-attack where a hacker uses an
automated tool to guess the password of a user or system. Hackers usually perform this attack
when they do not have any prior knowledge of the password or the system and are trying to
gain access to a system or account.

INPUT AND OUTPUT:

Steps:

Step 1: Preparing The Environment

Step 2: Install the required libraries. For working in python these libraries are required:

 BeautifulSoup: library in charge of parsing HTML.

 requests: a library that helps to send HTTP requests.

Step 3: Login into DVWA by using the credentials:

 Username: admin
 Password: password

After that, you have to set the difficulty as LOW from the settings on the left:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)

 lOMoARcPSD|44879458

Click on the Brute Force menu item in the left sidebar and you should see this screen:

Now, try to insert some random data (like username: admin, password: admin) and
look at the result:

Step 4:

 Define the function that sends the credentials

 Define a function that reads the passwords from a file and returns a list.
 Put them all together in a main that will send every password in the list
byusing afor-loop.

INPUT : A password file

OUTPUT:

SHABIN S 2200911530094

Downloaded by Abhishek Tiwari (abhishektripathi0706@gmail.com)