Cyber Security Lab Manual


Lab Manual

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

SESSION
2018-19

Submitted By:
Pankaj Jain
Assistant Professor
Name of Program: B.Tech – CSE

NAME OF SUBJECT: Cyber Security
SUBJECT CODE: BCO 084A
SEMESTER: VII
NAME OF COURSE INCHARGE: Pankaj Jain
ACADEMIC YEAR: 2018-2019

Department of Computer Science & Engineering


JECRC UNIVERSITY
2018 - 2019
List of Experiments
Program Elective – V Lab
CYBER SECURITY LAB (BCO 087A)

1. TCP scanning using NMAP
2. Port scanning using NMAP
3. TCP / UDP connectivity using Netcat
4. Network vulnerability using OpenVAS
5. Web application testing using DVWA
6. Manual SQL injection using DVWA
7. XSS using DVWA
8. Automated SQL injection with SqlMap
Experiment 1
Aim :- TCP scanning using NMAP
Nmap ("Network Mapper") is a free and open source utility for network discovery and security
auditing. Many systems and network administrators also find it useful for tasks such as network
inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses
raw IP packets in novel ways to determine what hosts are available on the network, what services
(application name and version) those hosts are offering, what operating systems (and OS versions)
they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Nmap is ...

- Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP
  filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms
  (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the
  documentation page.
- Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of
  machines.
- Portable: Most operating systems are supported, including Linux, Microsoft Windows,
  FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and
  more.
- Easy: While Nmap offers a rich set of advanced features for power users, you can start out
  as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI)
  versions are available to suit your preference. Binaries are available for those who do not
  wish to compile Nmap from source.
- Free: The primary goal of the Nmap Project is to help make the Internet a little more secure
  and to provide administrators/auditors/hackers with an advanced tool for exploring their
  networks. Nmap is available for free download, and also comes with full source code that
  you may modify and redistribute under the terms of the license.
- Well Documented: Significant effort has been put into comprehensive and up-to-date man
  pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
- Supported: While Nmap comes with no warranty, it is well supported by a vibrant
  community of developers and users. Most of this interaction occurs on the Nmap mailing
  lists.

Commands

Scan using TCP connect:             nmap -sT 192.168.1.1
Scan using TCP SYN scan (default):  nmap -sS 192.168.1.1
Experiment 2
Aim :- Port scanning using NMAP

Nmap Commands

Command                                     Description
nmap -sP 10.0.0.0/24                        Ping scans the network, listing machines that respond to ping.
nmap -p 1-65535 -sV -sS -T4 target          Full TCP port scan with service version detection - usually my first scan; I find T4 more accurate than T5 and still "pretty quick".
nmap -v -sS -A -T4 target                   Prints verbose output, runs stealth SYN scan, T4 timing, OS and version detection + traceroute and scripts against target services.
nmap -v -sS -A -T5 target                   Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection + traceroute and scripts against target services.
nmap -v -sV -O -sS -T5 target               Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection.
nmap -v -p 1-65535 -sV -O -sS -T4 target    Prints verbose output, runs stealth SYN scan, T4 timing, OS and version detection + full port range scan.
nmap -v -p 1-65535 -sV -O -sS -T5 target    Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection + full port range scan.

Host Discovery
Command                      Description
-sL                          List Scan - simply list targets to scan
-sn                          Ping Scan - disable port scan
-Pn                          Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]       TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM                    ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]           IP Protocol Ping
-n/-R                        Never do DNS resolution/Always resolve [default: sometimes]

Scan Techniques
Command                      Description
-sS                          TCP SYN scan
-sT                          Connect scan
-sA                          ACK scan
-sW                          Window scan
-sM                          Maimon scan
-sU                          UDP Scan
-sN                          TCP Null scan
-sF                          FIN scan
-sX                          Xmas scan
--scanflags                  Customize TCP scan flags
-sI zombie host[:probeport]  Idle scan
-sY                          SCTP INIT scan
-sZ                          COOKIE-ECHO scan
-sO                          IP protocol scan
-b "FTP relay host"          FTP bounce scan

Command :
nmap -p- 192.168.0.1
Output :-
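The scans in Experiments 1 and 2 produce a lot of text, and the useful defender's step is to turn it into an inventory and compare it with what each host is supposed to expose. The following is an added example (not part of the lab manual or of Nmap itself) that parses Nmap's grepable output (`-oG`) and reports open ports missing from an approved baseline; the scan output and the baseline are constructed for the example.

```python
# Constructed sample of `nmap -sS -sV -oG -` (grepable) output; not output of a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated as: nmap -sS -sV -oG - 192.168.1.0/28
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//nginx 1.14.0/\tIgnored State: closed (998)
Host: 192.168.1.5 (lab-db)\tStatus: Up
Host: 192.168.1.5 (lab-db)\tPorts: 23/open/tcp//telnet///, 445/filtered/tcp//microsoft-ds///, 3306/open/tcp//mysql//MySQL 5.7.26/\tIgnored State: closed (997)
# Nmap done -- 16 IP addresses (2 hosts up) scanned in 5.02 seconds
"""

def parse_gnmap(text):
    """Return {ip: [{"port", "state", "proto", "service", "version"}, ...]}.
    Grepable output tab-separates "Key: value" fields; each Ports entry is
    port/state/protocol/owner/service/rpc-info/version/ (nmap writes "/" inside a version as "|")."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split(" ", 1)[0]
        entry = hosts.setdefault(ip, [])
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            p = item.split("/")
            entry.append({"port": int(p[0]), "state": p[1], "proto": p[2],
                          "service": p[4], "version": p[6]})
    return hosts

# Hypothetical approved baseline for the lab network: which open TCP ports each host may expose.
BASELINE = {"192.168.1.1": {22, 80}, "192.168.1.5": {3306}}

def unexpected_open_ports(hosts, baseline):
    """Open ports (and unknown hosts) not in the approved baseline: what a defender reviews first."""
    findings = {}
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(p["port"] for p in ports
                       if p["state"] == "open" and p["port"] not in allowed)
        if extra or ip not in baseline:
            findings[ip] = extra
    return findings

if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    print("open ports not in baseline:", unexpected_open_ports(inventory, BASELINE))
```

Run against a real scan with `nmap -sS -sV -oG scan.gnmap <range>` and pass the file contents to parse_gnmap.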
Experiment 3
Aim :- TCP/UDP connectivity using Netcat
Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to
network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can
be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich
network debugging and investigation tool, since it can produce almost any kind of connection its
user could need and has a number of built-in capabilities.

Opening a raw connection to port 25 (like SMTP):
nc mail.server.net 25

Performing an HTTP request:
printf "GET /hypertext/WWW/TheProject.html HTTP/1.0\r\nHost: info.cern.ch\r\n\r\n" | nc info.cern.ch 80

The full response (including HTTP headers) will be dumped to standard output.

Setting up a one-shot webserver on port 8080 to present the content of a file:
{ printf 'HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n' "$(wc -c < some.file)"; cat some.file; } | nc -l 8080

The file can then be accessed via a web browser under http://servername:8080/. Netcat only serves
the file once, to the first client that connects, and then exits; it also provides the content length for
browsers that expect it. (This should work fine in a LAN, but may fail with any kind of
firewall in between.) In some versions of netcat, like netcat-traditional in Debian 8.6, you need to
specify -p before the port number.

Checking whether UDP ports (-u) 80-90 are open on 192.168.0.1 using zero-I/O mode (-z):
nc -vzu 192.168.0.1 80-90

Send Files Through Netcat

Another useful feature of netcat is file transfer. As the previous examples show, netcat can transfer
text easily with a server-client architecture, and there is no limit on the data transferred: it can be
a normal program or a movie, though the transfer time will of course depend on the data size.
To transfer a file we first set up a server, which is the destination, and in the server
configuration we redirect the incoming data into a file named myfile.txt:
$ netcat -l -p 4444 > myfile.txt

Now we can send the file from the client. We read the file thefile.txt on the client side by
redirecting it into netcat as below:
$ nc 192.168.122.239 4444 < thefile.txt
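To make the one-shot webserver one-liner above concrete, here is an added example (written for this page, not netcat's code) that reproduces its behaviour in Python on the loopback interface: one client gets an HTTP/1.0 response with a correct Content-Length, the listener then goes away, and a second connection is refused. The served content is a constructed stand-in for some.file.

```python
import socket
import threading

def serve_once(body, host="127.0.0.1"):
    """Stand-in for: { printf 'HTTP/1.0 200 OK...Content-Length: N...'; cat some.file; } | nc -l PORT
    Binds an ephemeral port, answers exactly one client, then closes the listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))              # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def handle_one_client():
        conn, _ = listener.accept()
        with conn:
            conn.recv(4096)               # like nc, the request is read but never parsed
            header = "HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
            conn.sendall(header.encode("ascii") + body)
        listener.close()                  # one-shot: no second client is ever accepted

    worker = threading.Thread(target=handle_one_client, daemon=True)
    worker.start()
    return port, worker

def fetch(host, port, path="/"):
    """Stand-in for: printf 'GET PATH HTTP/1.0...Host: HOST...' | nc HOST PORT
    Returns (status line + headers as text, body bytes)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode("ascii"))
        chunks = []
        while True:                       # HTTP/1.0: the server closes the connection when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return head.decode("ascii"), body

def port_refuses_connections(host, port):
    """True once the one-shot listener is gone (what a second browser visit sees)."""
    try:
        socket.create_connection((host, port), timeout=2).close()
        return False
    except ConnectionRefusedError:
        return True

if __name__ == "__main__":
    port, worker = serve_once(b"hello from a one-shot server\n")   # constructed file content
    print(fetch("127.0.0.1", port))
    worker.join(5)
    print("second connection refused:", port_refuses_connections("127.0.0.1", port))
```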
Experiment 4
Aim :- Network vulnerability using OpenVAS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful
vulnerability scanning and vulnerability management solution. The framework is part of Greenbone
Networks' commercial vulnerability management solution, from which developments have been
contributed to the Open Source community since 2009.

OpenVAS (Open Vulnerability Assessment System, originally known as GNessUs) is a software
framework of several services and tools offering vulnerability scanning and vulnerability
management.
All OpenVAS products are free software, and most components are licensed under the GNU
General Public License (GPL). Plugins for OpenVAS are written in the Nessus Attack Scripting
Language, NASL.

Commands:-
- openvas-setup
- openvasmd --rebuild
- openvasmd --create-user=dookie
- openvas-start
- openvas-stop
Output:-
Experiment 5
Aim:-Web application testing using DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its
main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications, and
aid teachers/students to teach/learn web application security in a classroom environment.

For testing web security tools a target which has plenty of vulnerabilities is needed. The Damn
Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn
vulnerable.

Setup:-
Experiment 6
Aim:-Manual SQL injection using DVWA
SQL injection:
SQL injection (also known as SQL fishing) is a technique often used to attack data-driven
applications.
- This is done by including portions of SQL statements in an entry field in an attempt to get
  the website to pass a newly formed rogue SQL command to the database (e.g., dump the
  database contents to the attacker). SQL injection is a code injection technique that exploits a
  security vulnerability in an application's software.
- The vulnerability happens when user input is either incorrectly filtered for string literal
  escape characters embedded in SQL statements or user input is not strongly typed and is
  unexpectedly executed. SQL injection is mostly known as an attack vector for websites but
  can be used to attack any type of SQL database.

DVWA SQL injection

1. Basic Injection
1. Input "1" into the text box.
2. Click Submit.
3. Note that the webpage/code is supposed to print ID, First name, and Surname to the screen.
4. Below is the PHP select statement that we will be exploiting, specifically $id.
   $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

Always True Scenario

1. Input the below text into the User ID textbox (see picture).
   %' or '0'='0
2. Click Submit.
3. In this scenario, we are saying: display all records that are false and all records
   that are true.
   - %' - Will probably not be equal to anything, and will be false.
   - '0'='0' - Is equal to true, because 0 will always equal 0.
   - Resulting query:
     mysql> SELECT first_name, last_name FROM users WHERE user_id='%' or '0'='0';
OUTPUT
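The following added example (not part of DVWA or of this manual) reproduces the Always True scenario against an in-memory SQLite table with constructed rows, and shows beside it why a parameterized query is the fix: the same input returns every row through string concatenation and no row through a bound parameter.

```python
import sqlite3

def make_db():
    """In-memory stand-in for DVWA's users table (constructed rows, not DVWA's own dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
                      (4, "Pablo", "Picasso"), (5, "Bob", "Smith")])
    return conn

def build_vulnerable_query(user_id):
    """Same construction as the DVWA 'low' PHP line:
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    The input is glued into the SQL text, so a quote inside it ends the string literal."""
    return "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id

def lookup_vulnerable(conn, user_id):
    return conn.execute(build_vulnerable_query(user_id)).fetchall()

def lookup_parameterized(conn, user_id):
    """Fix: the value is bound as a parameter and compared as one opaque value against
    user_id; its quotes and the OR clause never reach the SQL parser."""
    return conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "%' or '0'='0"          # the always-true input from the experiment
    print(build_vulnerable_query(payload))
    print("normal input  :", lookup_vulnerable(db, "1"))
    print("vulnerable    :", lookup_vulnerable(db, payload))     # every row comes back
    print("parameterized :", lookup_parameterized(db, payload))  # no row matches
```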
Experiment 7
Aim:-XSS using DVWA

XSS:
Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are
injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a
web application to send malicious code, generally in the form of a browser-side script, to a different
end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web
application uses input from a user in its output without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser
has no way to know that the script should not be trusted, and will execute the JavaScript. Because it
thinks the script came from a trusted source, the malicious script can access any cookies, session
tokens, or other sensitive information retained by the browser and used with that site. These
scripts can even rewrite the content of the HTML page.
Because this is a reflected XSS, the malicious code is not stored in the remote web application, so
the attack requires some social engineering (such as a link sent via email/chat).

OUTPUT
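As an added example (not DVWA's PHP and not part of this manual), the snippet below models DVWA's reflected page, which echoes the name parameter into the HTML body, beside the fix the text calls for (encoding the output), and includes a small HTML-parser check that lists anything in the rendered markup a browser would execute. The classic probe strings and the "Hello NAME" template are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser

def render_vulnerable(name):
    """Mirrors DVWA's reflected XSS page at the low level: the "name" parameter is
    echoed into the HTML body unencoded (template assumed for the example)."""
    return "<pre>Hello %s</pre>" % name

def render_encoded(name):
    """Fix for the body context: HTML-encode at output time, so the browser shows
    the text instead of parsing it as markup."""
    return "<pre>Hello %s</pre>" % html.escape(name, quote=True)

def render_attribute(name):
    """Attribute context: encode AND keep the attribute quoted, otherwise a value
    could close the attribute and add an event handler of its own."""
    return '<input type="text" name="name" value="%s">' % html.escape(name, quote=True)

class ActiveContentFinder(HTMLParser):
    """Lists the things in rendered markup that would execute script in a browser."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for attr, value in attrs:
            if attr.startswith("on"):
                self.findings.append("%s.%s handler" % (tag, attr))
            elif attr in ("src", "href") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append("%s.%s javascript: URL" % (tag, attr))

def active_content(markup):
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    probes = ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>"]   # classic test strings
    for probe in probes:
        print("unencoded:", active_content(render_vulnerable(probe)))
        print("encoded  :", active_content(render_encoded(probe)))
```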
Experiment 8
Aim:-Automated SQL injection with SqlMap

sqlmap is an open source penetration testing tool that automates the process of detecting and
exploiting SQL injection flaws and taking over database servers. It comes with a powerful
detection engine, many niche features for the ultimate penetration tester and a broad range of
switches ranging from database fingerprinting, over data fetching from the database, to accessing the
underlying file system and executing commands on the operating system via out-of-band
connections.
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM
  DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management
  systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind,
  error-based, UNION query-based, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by
  providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and
  columns.
- Automatic recognition of password hash formats and support for cracking them using a
  dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per
  user's choice. The user can also choose to dump only a range of characters from each
  column's entry.
- Support to search for specific database names, specific tables across all databases or
  specific columns across all databases' tables. This is useful, for instance, to identify tables
  containing custom application credentials where relevant columns' names contain strings like
  name and pass.
- Support to download and upload any file from the database server's underlying file system
  when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the
  database server's underlying operating system when the database software is MySQL,
  PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker
  machine and the database server's underlying operating system. This channel can be an
  interactive command prompt, a Meterpreter session or a graphical user interface (VNC)
  session as per user's choice.
- Support for database process' user privilege escalation via Metasploit's Meterpreter
  getsystem command.

GET Request
sqlmap -u "http://site-to-test.com/test.php?id=1" -p id
sqlmap -u "http://site-to-test.com/test.php?id=1*"
-u: URL to scan
-p: parameter to scan
*: parameter to scan (if the -p switch is not provided)

POST Request
We can provide the data passed in the POST request body for sqlmap to scan.
sqlmap -u "http://site-to-test.com/admin/index.php" --data="user=admin&password=admin" -p user
--data: POST data

--dbs: enumerate the DBMS databases

OUTPUT:-
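From the defender's side, the same run leaves a recognisable trail in the web server log. The following is an added example (not part of sqlmap or this manual) that scans constructed Apache combined-format lines for the tool's default User-Agent, which begins with "sqlmap/", and for coarse markers of four of the six injection techniques listed above; the version number, IP addresses and request paths are made up for the sample.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (not from a real server). The tool's
# default User-Agent really does start with "sqlmap/<version>"; the version here is made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2019:10:00:01 +0000] "GET /test.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2019:10:00:02 +0000] "GET /test.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.3 (http://sqlmap.org)"
198.51.100.7 - - [01/Jan/2019:10:00:02 +0000] "GET /test.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.3 (http://sqlmap.org)"
198.51.100.7 - - [01/Jan/2019:10:00:03 +0000] "GET /test.php?id=-1%20UNION%20SELECT%201,2 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Coarse signatures for four of the six techniques the text lists; tune them per application.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("time-based blind",    re.compile(r"\b(sleep|benchmark)\s*\(|waitfor\s+delay", re.I)),
    ("UNION query-based",   re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("stacked queries",     re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]

def classify(line):
    """Parse one log line; return its fields plus the reasons it looks like injection testing."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))     # decode %20, %3D, ... before matching
    reasons = []
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user-agent")
    reasons += [name for name, rx in SIGNATURES if rx.search(target)]
    return {"ip": m.group("ip"), "target": target, "reasons": reasons}

def suspicious_requests(log_text):
    """All requests with at least one reason, in log order."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["reasons"]]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["target"], "->", ", ".join(hit["reasons"]))
```

The User-Agent check only catches runs that keep the default header, so the payload signatures and the request rate per parameter are the checks to rely on.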
