All Exp Manual

Uploaded by Devesh Kumar

Experiment No 1: Explore Interactive Security Threat Chart and Monitor Global Attacks in Real Time with X-Force Exchange

Student Name: UID:


Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Aim:

To familiarize participants with the X-Force Exchange platform and its interactive security
threat chart for monitoring global cyber attacks in real-time.

Objective:

1. Understand the functionality and features of the X-Force Exchange platform.

2. Explore the interactive security threat chart to monitor global cyber threats.

3. Gain insights into the types and trends of cyber attacks occurring worldwide.

4. Learn how to utilize threat intelligence for proactive cybersecurity defense strategies.

Theory:
X-Force Exchange is a threat intelligence sharing platform provided by IBM Security. It offers access to a vast repository of threat intelligence data, including indicators of compromise (IOCs), vulnerabilities, and malware samples. The interactive security threat chart within X-Force Exchange provides real-time visibility into global cyber threats, allowing users to monitor and analyze attack trends, patterns, and severity levels.

Steps:

1. Access X-Force Exchange:

- Visit the X-Force Exchange website (https://exchange.xforce.ibmcloud.com/) using a web browser.

2. Explore the Interactive Security Threat Chart:

- Navigate to the "Threat Intelligence" section or dashboard within X-Force Exchange.

- Locate and access the interactive security threat chart feature.


3. Monitor Global Attacks in Real-Time:

- Use the interactive controls and filters to customize the view of the security threat chart
based on specific criteria such as time range, threat type, and severity level.

- Analyze the visualizations and data presented on the security threat chart to identify trends,
patterns, and geographic distribution of cyber attacks.

- Click on individual data points or regions on the chart to drill down into detailed information about specific incidents or threats.

4. Explore Additional Features:

- Explore additional features and functionalities of X-Force Exchange, such as threat research, threat intelligence sharing, and collaboration tools.

- Utilize search capabilities to find specific threat indicators, vulnerabilities, or malware samples within the platform.

Output:

1. Exploration of the X-Force Exchange platform and its interactive security threat chart.

2. Observations and analysis of global cyber attack trends and patterns in real time.

3. Insights into the types and severity levels of cyber threats affecting different regions and industries.

4. Documentation of findings, including screenshots or summaries of notable observations from the interactive security threat chart.

Learning Outcomes:

1. Familiarity with a leading threat intelligence sharing platform used by cybersecurity professionals and organizations worldwide.

2. Enhanced understanding of global cyber threat landscape and attack trends through real-time
monitoring and analysis.

3. Ability to leverage threat intelligence for proactive cybersecurity defense strategies, including
threat detection, prevention, and incident response.

4. Development of practical skills in utilizing threat intelligence platforms for threat monitoring,
analysis, and information sharing purposes.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters           | Marks Obtained | Maximum Marks |
|---------|----------------------|----------------|---------------|
| 1.      | Worksheet completion |                | 10            |
| 2.      | Post Lab Quiz Result |                | 5             |
| 3.      | Pre-Lab Questions    |                | 5             |
|         | Total                |                | 20            |
Experiment No 1: Perform Footprinting Using IP Address Data

Student Name: UID:


Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Aim:

To conduct footprinting by gathering information and data associated with a given IP address.

Objective:

1. Identify relevant information and data associated with a specific IP address.

2. Utilize various tools and techniques to perform footprinting and gather intelligence about the
target IP address.

3. Analyze the collected information to understand the target's network infrastructure, services,
and potential vulnerabilities.

4. Gain insights into the importance of footprinting as a reconnaissance technique in cybersecurity assessments.

Theory:

Footprinting is the process of gathering information about a target system or network to identify
potential attack vectors and vulnerabilities. It involves collecting data from publicly available
sources, such as search engines, social media platforms, and internet registries, to build a profile
of the target's infrastructure and resources. By analyzing this information, attackers can identify
weak points and plan targeted cyber attacks. In this experiment, we will focus on gathering data
associated with a specific IP address to perform footprinting.

Steps:

Step 1: Identify the IP Address

Ensure you have the IP address you want to investigate. For this example, let's assume the IP address is
192.0.2.1.

Step 2: Use Online Tools to Gather Basic Information

1. IP Geolocation:
   - Use an IP geolocation service to find the geographical location of the IP address.
   - Websites like ipinfo.io, geolocation-db.com, or MaxMind can be helpful.

2. WHOIS Lookup:
   - Perform a WHOIS lookup to find information about the IP address registration.
   - Websites like whois.com or ARIN WHOIS can provide details about the owner of the IP address, the organization, and contact information.

Step 3: Analyze Network Infrastructure

1. Reverse DNS Lookup:
   - Perform a reverse DNS lookup to find the domain name associated with the IP address.
   - Use tools like MXToolbox or DNSstuff.

2. Ping and Traceroute:
   - Use ping to check the availability of the IP address and measure round-trip time.
   - Use traceroute (or tracert on Windows) to map the path packets take to reach the IP address.
   - These commands can be run from your command line or terminal:

Step 4: Check for Open Ports and Services

1. Port Scanning:
   - Use a tool like Nmap to scan for open ports and running services on the IP address.
   - Example Nmap command:

Step 5: Look for Associated Domains and Subdomains

1. DNS Enumeration:
   - Use tools like dnsenum, amass, or online services like SecurityTrails to find associated domains and subdomains.
   - Example using dnsenum:

Step 6: Gather OSINT (Open Source Intelligence)

1. Search Engines:
   - Perform searches using search engines like Google to find any publicly available information related to the IP address.
   - Use search queries like "192.0.2.1" or "site:example.com" to find specific data.

2. Social Media and Forums:
   - Check social media platforms and forums for any mentions of the IP address.
   - Use tools like Maltego for advanced OSINT gathering.

Output

Screenshots were recorded for the following outputs (images not reproduced here):

- ipconfig
- IP geolocation
- WHOIS
- ping
- traceroute
- Nmap scan
- dnsenum

Conclusion

By following these steps, you can effectively gather and analyze data behind an IP address and perform
comprehensive footprinting. This information can be useful for various purposes, such as cybersecurity
investigations, network diagnostics, or research.

Learning Outcomes:

1. Understanding of footprinting as a reconnaissance technique used to gather intelligence about target systems and networks.

2. Familiarity with tools and techniques for collecting information and data associated with a
specific IP address.

3. Ability to analyze gathered information to identify potential security risks and vulnerabilities.

4. Appreciation of the importance of footprinting in cybersecurity assessments and proactive defense strategies.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters           | Marks Obtained | Maximum Marks |
|---------|----------------------|----------------|---------------|
| 1.      | Worksheet completion |                | 10            |
| 2.      | Post Lab Quiz Result |                | 5             |
| 3.      | Pre-Lab Questions    |                | 5             |
|         | Total                |                | 20            |
Experiment No 3: Network Scanning Using Zenmap

Student Name: UID:


Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Aim:

To perform network scanning using Zenmap, a graphical user interface (GUI) for the Nmap
network scanning tool.

Objective:

Understand the concept of network scanning and its importance in cybersecurity.

Learn how to use Zenmap to conduct network scans and gather information about network
hosts, services, and vulnerabilities.

Explore different scanning techniques and options available in Zenmap for comprehensive
network reconnaissance.

Analyze scan results to identify potential security risks and vulnerabilities within the target
network.

Theory:
Network scanning is the process of discovering and mapping network hosts, services, and
devices to identify potential security risks and vulnerabilities. Zenmap is a GUI front-end for
Nmap, a powerful open-source network scanning tool widely used by cybersecurity
professionals and network administrators. Zenmap provides an intuitive interface for
configuring and executing network scans, as well as visualizing scan results for analysis and
interpretation.

Steps:

Step 1: Identify the IP Address

Our target IP address is 192.0.2.1.

Step 2: Basic Information Gathering with Nmap

Nmap can be used for various tasks such as checking for open ports, services, and even performing some basic
OS fingerprinting.

Port Scanning and Service Detection

First, let's use Nmap to perform a simple scan to detect open ports and services running on the IP address.

Expected Output:

Step 3: OS Detection

Nmap can also be used to detect the operating system running on the target IP.

Output:

Step 4: Aggressive Scan

An aggressive scan combines various Nmap options to gather as much information as possible in one go.

Output:

Step 5: Script Scanning

Nmap has various built-in scripts that can provide additional information about the target.
Output:

Learning Outcomes:

1. Proficiency in using Zenmap for conducting network scans and reconnaissance activities.
2. Understanding of different scanning techniques and options available in Zenmap for
comprehensive network exploration.
3. Ability to analyze scan results to identify potential security risks, misconfigurations, and
vulnerabilities within target networks.
4. Appreciation of the importance of network scanning as a proactive security measure for
identifying and mitigating cybersecurity threats.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters           | Marks Obtained | Maximum Marks |
|---------|----------------------|----------------|---------------|
| 1.      | Worksheet completion |                | 10            |
| 2.      | Post Lab Quiz Result |                | 5             |
| 3.      | Pre-Lab Questions    |                | 5             |
|         | Total                |                | 20            |
Experiment No 4: Network Sniffing with Wireshark and Quad9 DNS Installation on Windows

Student Name: UID:


Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Experiment: Network Sniffing with Wireshark and Quad9 DNS Installation on Windows

Aim

To capture and analyze network traffic using Wireshark and to install and configure Quad9
DNS on a Windows machine for enhanced internet security.

Objective

1. To understand the practical usage of Wireshark for network traffic analysis.

2. To learn the process of installing and configuring Quad9 DNS to block access to malicious
domains.

Theory
Wireshark

Wireshark is a powerful network protocol analyzer used to capture and inspect the traffic
running on a computer network. It allows users to:

- Capture live packet data from a network interface.

- Display packets with detailed protocol information.

- Apply filters to focus on specific traffic types.

- Troubleshoot network issues by examining packet details.

Quad9 DNS

Quad9 is a free DNS service that enhances internet security by blocking access to malicious
domains. It:

- Routes DNS queries through a secure network.

- Uses threat intelligence to block known malicious domains.

- Improves user privacy by not logging personal data.

Steps

Part 1: Using Wireshark


1. Download and Install Wireshark

- Visit the official Wireshark website: [Wireshark Download](https://www.wireshark.org/download.html).

- Download the installer for Windows.

- Run the installer and follow the prompts, ensuring to install the required components such as
WinPcap or Npcap.

2. Capture Network Traffic

- Open Wireshark.

- Select the network interface you want to monitor (e.g., Wi-Fi, Ethernet).

- Click on the "Start Capturing Packets" button (shaped like a shark fin).

3. Analyze Captured Data

- Allow Wireshark to capture packets for a few minutes.


- Click the "Stop Capturing Packets" button.

- Explore the captured packets by clicking on them to view detailed information.

- Use display filters (e.g., `http`, `tcp`, `dns`, `icmp`) to focus on specific types of traffic.

4. Save the Capture File

- Go to `File` > `Save As`.

- Choose a location and save the capture file in the desired format.

Part 2: Installing and Configuring Quad9

1. Change DNS Settings in Windows

- Open the Control Panel.

- Navigate to `Network and Internet` > `Network and Sharing Center`.

- Click on `Change adapter settings`.

- Right-click on your active network connection and select `Properties`.

- Select `Internet Protocol Version 4 (TCP/IPv4)` and click `Properties`.


- Select `Use the following DNS server addresses` and enter:

- Preferred DNS server: `9.9.9.9`

- Alternate DNS server: `149.112.112.112`

- Click `OK` to apply the settings.


2. Verify DNS Configuration

- Open Command Prompt.

- Type `ipconfig /all` and press Enter.

- Ensure that the DNS servers listed are Quad9's (`9.9.9.9` and `149.112.112.112`).

3. Test DNS Resolution

- In Command Prompt, type `nslookup google.com` and press Enter.

- Verify that the response comes from Quad9's DNS servers.

Output

Wireshark Output:

- A list of captured network packets.

- Detailed packet information including source, destination, protocol, and additional data.

- A saved capture file for future analysis.


Quad9 Output:

- DNS queries are resolved through Quad9's DNS servers.

- DNS settings verification showing Quad9's IP addresses.

- Successful domain name resolutions using Quad9.


Learning Outcomes

By completing this experiment, students will:

1. Develop practical skills in using Wireshark for network traffic analysis.

2. Learn how to capture, filter, and analyze different types of network packets.

3. Understand the role of DNS in network communications and the importance of secure DNS
services.

4. Gain experience in changing DNS settings on a Windows machine and verifying the new
configuration.

5. Recognize the importance of tools like Wireshark and services like Quad9 in enhancing network security and performance.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters           | Marks Obtained | Maximum Marks |
|---------|----------------------|----------------|---------------|
| 1.      | Worksheet completion |                | 10            |
| 2.      | Post Lab Quiz Result |                | 5             |
| 3.      | Pre-Lab Questions    |                | 5             |
|         | Total                |                | 20            |
Experiment No 5: Implement a malicious DDOS attack and countermeasures

Student Name: UID:


Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Aim: Implement a malicious DDOS attack and countermeasures

Objective

The objective of this experiment is to understand the principles and impact of Denial of
Service (DoS) attacks using the Low Orbit Ion Cannon (LOIC) tool. This includes
learning how to set up and use LOIC, configure various attack parameters, and analyze
the effects of DoS attacks on network resources and services in a controlled and ethical
manner.

Theory

A Denial of Service (DoS) attack is a malicious attempt to disrupt the normal functioning
of a targeted server, service, or network by overwhelming it with a flood of Internet
traffic. DoS attacks can consume bandwidth, overload system resources, and potentially
cause a server to become unresponsive or crash.

The Low Orbit Ion Cannon (LOIC) is a network stress testing tool that allows users to
send a high volume of packets to a target to simulate a DoS attack. LOIC supports
different attack methods, including TCP, UDP, and HTTP, allowing users to test various
aspects of network robustness and security.

Using LOIC in a controlled environment helps security professionals and researchers to:

- Understand the mechanics of DoS attacks.

- Learn how to configure and launch DoS attacks.

- Analyze the impact of DoS attacks on network performance and availability.

- Develop and test mitigation strategies to defend against such attacks.

Steps

Step 1: Install Mono

LOIC is a .NET application, which means it requires Mono to run on Linux. Mono is an
open-source implementation of Microsoft's .NET Framework.

1. Open your terminal.

2. Update your package list:


3. Install Mono:

Step 2: Download LOIC

1. Download the LOIC executable from a trusted source. You can typically find it on
GitHub.

Unzip the downloaded file:

2. Navigate to the LOIC directory:

Step 3: Compile LOIC

1. Compile LOIC using Mono:

This command will build the LOIC application.


Step 4: Run LOIC

1. Navigate to the directory containing the compiled executable:

Run LOIC using Mono:

Step 5: Configure and Perform the DoS Test (On Authorized Systems Only)

1. Once LOIC is running, you will see the user interface.

2. Enter the target IP address or URL of the system you have permission to test.

3. Choose the attack method (TCP, UDP, or HTTP).

4. Set the port number, if required.

5. Configure the attack options, such as the number of threads, timeout, and message.

6. Click on the "IMMA CHARGIN MAH LAZER" button to start the attack.

Step 6: Monitor and Analyze

1. While the attack is running, monitor the target system to analyze its response to the
DoS attack.

2. Document your observations and results for your experiment report.


Output

Learning Outcomes

Explain the concept and impact of Denial of Service (DoS) attacks.

Set up and run LOIC on a Linux system.

Configure LOIC for different types of DoS attacks.

Perform a controlled DoS attack with explicit permission.

Analyze the impact of DoS attacks on network performance.

Understand ethical and legal considerations of DoS attacks.

Develop strategies to mitigate DoS attacks.


Or, if this does not work, you can install it by following the video:

https://youtu.be/KibZhBfNKRM?si=5KY6OUyihv5ZqTNz

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters           | Marks Obtained | Maximum Marks |
|---------|----------------------|----------------|---------------|
| 1.      | Worksheet completion |                | 10            |
| 2.      | Post Lab Quiz Result |                | 5             |
| 3.      | Pre-Lab Questions    |                | 5             |
|         | Total                |                | 20            |
Experiment No 6: Footprinting and Reconnaissance Using Different Information Gathering Methods

Student Name: UID:


Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Aim

To perform footprinting and reconnaissance on a target to gather as much information as possible using various information-gathering methods and tools.

Objective

1. To understand the process of footprinting and reconnaissance in the context of ethical hacking and cybersecurity.

2. To use different tools and techniques to gather information about a target.

3. To analyze and document the collected information.


Theory

Footprinting and Reconnaissance

Footprinting and reconnaissance are the initial phases of a penetration test or ethical
hacking process. These phases involve gathering information about the target system to
understand its structure, vulnerabilities, and security posture. This information can then
be used to plan further attacks or security assessments.

Types of Information Gathering:

1. Passive Information Gathering: Collecting information without direct interaction with the target (e.g., using publicly available data).

2. Active Information Gathering: Directly interacting with the target to gather information (e.g., scanning, querying services).

Common Footprinting Techniques:

1. WHOIS Lookup: Retrieves domain registration information.

2. DNS Enumeration: Discovers DNS records and subdomains.

3. Network Scanning: Identifies live hosts, open ports, and services.

4. Social Engineering: Collects information through human interaction.

5. Web Reconnaissance: Gathers data from the target's website and related online presence.

Steps

Step 1: WHOIS Lookup

1. Tool: WHOIS Lookup

- Use online WHOIS lookup services like [whois.domaintools.com](https://whois.domaintools.com/) or command-line tools.

- Command: `whois example.com`

2. Procedure:

- Enter the target domain name in the WHOIS lookup tool.

- Analyze the domain registration information, including registrant details, contact information, and domain expiry date.

Step 2: DNS Enumeration

1. Tool: `nslookup`, `dig`, `dnsenum`

- Command: `nslookup example.com`

- Command: `dig example.com ANY`

- Command: `dnsenum example.com`

2. Procedure:

- Use `nslookup` or `dig` to query DNS records.

- Identify the target's DNS servers, mail servers (MX records), and other relevant DNS
records.

- Use `dnsenum` for comprehensive DNS enumeration, including subdomain discovery.

Step 3: Network Scanning

1. Tool: Nmap

- Command: `nmap -sP <target-ip-range>`

- Command: `nmap -sS -p 1-65535 <target-ip>`

2. Procedure:

- Perform a ping sweep to identify live hosts.

- Conduct a TCP SYN scan to discover open ports and services.

- Analyze the results to understand the network layout and active services.

Step 4: Social Engineering

1. Techniques:

- Search for the target on social media platforms (LinkedIn, Facebook, Twitter).

- Gather information about employees, organizational structure, and contact details.

2. Procedure:

- Use search engines to find social media profiles related to the target.

- Document any useful information that could assist in further reconnaissance or social
engineering attacks.

Step 5: Web Reconnaissance

1. Tool: Burp Suite, OWASP ZAP, HTTrack

- Use Burp Suite or OWASP ZAP to crawl the target website.

- Use HTTrack to download the target website for offline analysis.

2. Procedure:

- Crawl the website to identify structure, directories, and hidden pages.

- Download the website for a thorough offline examination.

- Analyze the website content, looking for information about the technologies used, potential vulnerabilities, and administrative interfaces.

Output

WHOIS Lookup:

- Domain registration details, including registrant information, contact details, and domain expiration date.

DNS Enumeration:
- DNS records, including A, MX, NS, and TXT records.

- Discovered subdomains and associated IP addresses.

Network Scanning:

- List of live hosts, open ports, and running services.

- Network topology and active service map.


Social Engineering:

- Information about employees, organizational structure, and contact details from social media
and public sources.

Web Reconnaissance:

- Website structure, directories, hidden pages, and technologies used.

- Potential entry points and vulnerabilities identified.


Learning Outcomes

By completing this experiment, students will:

1. Understand the importance and techniques of footprinting and reconnaissance in ethical hacking.

2. Gain hands-on experience with various information-gathering tools and methods.

3. Learn to analyze and document the collected information to understand the target’s security
posture.

4. Develop skills in using both passive and active information-gathering techniques.

5. Appreciate the ethical considerations and legal implications of reconnaissance activities in cybersecurity.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters           | Marks Obtained | Maximum Marks |
|---------|----------------------|----------------|---------------|
| 1.      | Worksheet completion |                | 10            |
| 2.      | Post Lab Quiz Result |                | 5             |
| 3.      | Pre-Lab Questions    |                | 5             |
|         | Total                |                | 20            |
Experiment No 7: Implementing a Brute-Force Attack on an SSH Service

Student Name: UID:


Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Experiment: Implementing a Brute-Force Attack on an SSH Service

Aim

To understand and demonstrate the process of conducting a brute-force attack on an SSH (Secure Shell) service and to explore the methods to mitigate such attacks.

Objective

1. To implement a brute-force attack on an SSH service using common tools.

2. To analyze the impact of the brute-force attack.

3. To explore and implement countermeasures to protect SSH services from brute-force attacks.

Theory
Brute-Force Attack

A brute-force attack is a trial-and-error method used to obtain information such as passwords or encryption keys. In this context, it involves systematically checking all possible passwords until the correct one is found.

SSH (Secure Shell)

SSH is a cryptographic network protocol for operating network services securely over an
unsecured network. Typical uses of SSH include remote command-line login and remote
command execution.

Countermeasures:

1. Strong Password Policies: Enforce the use of complex passwords to make brute-force attacks
more difficult.

2. Account Lockout Policies: Temporarily or permanently lock accounts after a certain number
of failed login attempts.

3. Rate Limiting: Limit the number of login attempts from a single IP address.

4. Fail2Ban: An intrusion prevention software framework that protects servers from brute-force
attacks.

5. Two-Factor Authentication (2FA): Adds an extra layer of security by requiring a second form
of authentication.

Steps
Setting Up a Test Environment

1. Set Up a Virtual Machine:
   - Use VirtualBox or VMware to create a virtual machine (VM) running a Linux distribution like Ubuntu.

2. Install and Configure SSH:
   - On your VM, install OpenSSH server:

     sudo apt-get update
     sudo apt-get install openssh-server

   - Ensure the SSH service is running:

     sudo systemctl status ssh

3. Configure SSH for Testing:
   - Modify the SSH configuration file to allow password authentication:

     sudo nano /etc/ssh/sshd_config

   - Ensure the following lines are set:

     PasswordAuthentication yes
     PermitRootLogin yes

   - Restart the SSH service:

     sudo systemctl restart ssh

Implementing a Brute-Force Attack with Hydra


Hydra is a popular tool for conducting brute-force attacks on various services, including SSH.

1. Install Hydra:
   - On your Kali Linux machine (or any system where Hydra is installed), you can install Hydra with:

     sudo apt-get install hydra

2. Create a Wordlist:
   - Create a wordlist with possible passwords. This can be a simple text file with one password per line:

     echo -e "password123\n123456\nletmein\nadmin" > passwords.txt

3. Run Hydra Against the SSH Service:
   - Use Hydra to attempt to brute-force the SSH login:

     hydra -l root -P passwords.txt ssh://192.168.56.101

   - Replace 192.168.56.101 with the IP address of your VM.

Monitoring and Defending Against Brute-Force Attacks

1. Install Fail2Ban:
   - Fail2Ban helps protect against brute-force attacks by banning IP addresses that show malicious behavior:

     sudo apt-get install fail2ban

2. Configure Fail2Ban for SSH:
   - Create or modify the SSH jail configuration:

     sudo nano /etc/fail2ban/jail.local

   - Add the following configuration:

     [sshd]
     enabled = true
     port = ssh
     filter = sshd
     logpath = /var/log/auth.log
     maxretry = 3

   - Restart Fail2Ban:

     sudo systemctl restart fail2ban

3. Monitor Logs:
   - Use Fail2Ban to monitor logs and ban IP addresses after multiple failed login attempts.

Output

Countermeasures:

- Strong password policy implemented.

- Account lockout policy limiting the number of authentication attempts.

- Rate limiting in place to restrict login attempts.

- Fail2Ban protecting the SSH service by banning IP addresses after multiple failed attempts.

- Two-Factor Authentication set up to provide an additional layer of security.

Learning Outcomes

By completing this experiment, students will:

1. Understand the mechanics and impact of brute-force attacks on SSH services.

2. Gain hands-on experience with tools like Hydra for conducting brute-force attacks.

3. Learn to analyze server logs to detect brute-force attempts.

4. Implement and evaluate various countermeasures to protect SSH services from brute-force attacks.

5. Appreciate the importance of a multi-layered security approach, including strong passwords,
account lockout policies, rate limiting, intrusion prevention systems, and two-factor
authentication.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters           | Marks Obtained | Maximum Marks |
|---------|----------------------|----------------|---------------|
| 1.      | Worksheet completion |                | 10            |
| 2.      | Post Lab Quiz Result |                | 5             |
| 3.      | Pre-Lab Questions    |                | 5             |
|         | Total                |                | 20            |
Experiment No 8: Performing an SQL Injection Attack to Compromise Databases

Student Name: UID:


Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Experiment: Performing an SQL Injection Attack to Compromise Databases

Aim

To understand and demonstrate the process of performing an SQL injection attack to compromise a database, and to explore the methods to mitigate such attacks.

Objective

1. To perform an SQL injection attack on a vulnerable web application.

2. To extract sensitive data from the compromised database.

3. To understand the impact of SQL injection attacks.

4. To explore and implement countermeasures to protect databases from SQL injection attacks.

Theory
SQL Injection

SQL injection is a code injection technique that exploits vulnerabilities in an application's software by inserting malicious SQL statements into an entry field for execution (e.g., to dump the database contents to the attacker). It is one of the most common web application vulnerabilities.

Impact of SQL Injection:

- Unauthorized access to sensitive data.

- Data manipulation (insertion, deletion, modification).

- Compromised database integrity.

- Potential for remote code execution in severe cases.

Common Types of SQL Injection:

1. Union-Based SQL Injection: Uses the UNION SQL operator to combine the results of two or
more SELECT statements.

2. Error-Based SQL Injection: Relies on error messages returned by the database to gain
information about the structure of the database.

3. Blind SQL Injection: No error messages are returned, but the attacker infers information
based on the behavior of the application.

Countermeasures:
1. Prepared Statements and Parameterized Queries: Use of prepared statements to separate SQL
logic from data.

2. Stored Procedures: Encapsulating SQL logic within the database.

3. Input Validation: Ensuring all user inputs are validated and sanitized.

4. Web Application Firewalls (WAF): Filtering and monitoring HTTP requests to protect
against SQL injection.

5. Least Privilege Principle: Restricting database user privileges to the minimum necessary.

Steps

Access the Lesson:

- Go to the Hacksplaining SQL Injection Lesson, or paste the link given below into your browser:
https://www.hacksplaining.com/lessons/sql-injection

Introduction:

- The lesson starts with an introduction explaining what SQL injection is and why it is a significant threat to web applications. SQL injection involves inserting or "injecting" malicious SQL code into a query to manipulate the database.

Understanding SQL Injection:

 The lesson provides an overview of how SQL injection works. It explains how an
attacker can exploit vulnerabilities in web applications that use SQL databases. For
example, when user input is not properly sanitized, attackers can input SQL code that
alters the intended SQL query, leading to unauthorized access or data manipulation.

Interactive Examples:

 Hacksplaining offers interactive examples where you can practice SQL injection attacks
in a simulated environment. You'll see a typical web form that interacts with a SQL
database.

 For instance, the lesson might show a login form where you can try entering different
inputs to see how the application responds. It may look something like this:

Username: admin

Password: ' OR '1'='1


 This input tricks the application into thinking you've provided a valid username and
password by exploiting the SQL query logic.

Exploring Vulnerabilities:

 You'll explore various types of SQL injection vulnerabilities. The lesson covers basic
SQL injection, as well as more advanced techniques like blind SQL injection and second-
order SQL injection.

 You'll learn how different inputs can manipulate the database and what kind of
information can be extracted or altered.

Defending Against SQL Injection:

 After understanding how attacks work, the lesson shifts to defense mechanisms. This
includes best practices for securing web applications against SQL injection, such as:

o Input Validation: Always validate and sanitize user inputs to ensure they don't
contain malicious SQL code.

o Parameterized Queries: Use prepared statements and parameterized queries to
separate SQL logic from user input. For example, in PHP:

Output

SQL Injection Attack:

- Successful retrieval of database information (version, user, database name).

- Extraction of table names, column names, and sensitive data (e.g., usernames and passwords).

Learning Outcomes

1. Understand the mechanics and impact of SQL injection attacks on web applications and
databases.

2. Gain hands-on experience with SQL injection techniques to compromise databases.


3. Learn to analyze web application vulnerabilities and extract sensitive information using SQL
injection.

4. Implement and evaluate various countermeasures to protect databases from SQL injection
attacks.

5. Appreciate the importance of secure coding practices, input validation, and the principle of
least privilege in database security.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters | Marks Obtained | Maximum Marks |
|---------|------------|----------------|---------------|
| 1. | Worksheet completion | | 10 |
| 2. | Post Lab Quiz Result | | 5 |
| 3. | Pre-Lab Questions | | 5 |
| | Total | | 20 |

Experiment No 9: Sending Sample Data to QRadar SIEM and Investigating a Remote Access Offense

Student Name: UID:

Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Demonstration: Sending Sample Data to QRadar SIEM and Investigating a Remote Access
Offense

Aim

To demonstrate how to send sample data to IBM QRadar SIEM and investigate a remote access
offense using the SIEM platform.

Objective

1. To understand the process of sending sample log data to QRadar SIEM.

2. To investigate and analyze a remote access offense using QRadar's capabilities.

3. To gain insights into how SIEM platforms help in detecting and mitigating security incidents.

Theory
Security Information and Event Management (SIEM)

SIEM platforms like IBM QRadar provide real-time analysis of security alerts generated by
applications and network hardware. SIEM systems aggregate and analyze log data from various
sources to detect suspicious activities and potential security threats.

Remote Access Offense

A remote access offense involves unauthorized access to a system or network from a remote
location. Attackers use various methods such as stolen credentials, malware, or exploits to gain
remote access and potentially compromise systems.

Steps

Part 1: Sending Sample Data to QRadar SIEM

1. Set Up QRadar SIEM

- Ensure that IBM QRadar is installed and configured properly in your environment.

- Access the QRadar web console through a web browser.

2. Create a Log Source

- Go to the Admin tab in QRadar.

- Click on "Log Sources" under the "Data Sources" section.

- Click "Add" to create a new log source.

- Fill in the required fields, such as Log Source Name, Log Source Type (e.g., Universal
DSM), Protocol Configuration (e.g., Syslog), and relevant connection details.

- Save the log source configuration.

3. Send Sample Data

- Use a sample log data generator or manually create sample log entries.

- Example of a sample log entry (Syslog format):

```
<34>1 2023-05-25T12:00:00Z mymachine.example.com sshd 1234 - - Accepted password for user from 192.168.1.100 port 22 ssh2
```

- Send the sample log data to QRadar via Syslog.

- Use a tool like `logger` on a Unix system:

```bash
logger -n <QRadar_IP> -P <Syslog_Port> "<34>1 2023-05-25T12:00:00Z mymachine.example.com sshd 1234 - - Accepted password for user from 192.168.1.100 port 22 ssh2"
```

Part 2: Investigating a Remote Access Offense

1. Access the QRadar Dashboard

- Log in to the QRadar web console.

- Navigate to the "Log Activity" tab.

2. Search for Relevant Logs

- Use the search bar to filter logs related to remote access.

- Example search query: `eventName = "Accepted password for user"`

- Adjust the time range to include the period when the sample data was sent.

3. Analyze the Logs

- Examine the logs for details such as source IP, user, and timestamp.

- Identify any suspicious remote access attempts, such as logins from unusual IP addresses or
multiple failed login attempts followed by a successful one.

4. Create an Offense

- If suspicious activity is detected, QRadar may automatically create an offense.

- Go to the "Offenses" tab to view active offenses.


- Click on the offense to view details, including involved IP addresses, users, and correlated
events.

5. Investigate the Offense

- Analyze the offense details to understand the scope and impact.

- Use the "Event Viewer" to drill down into specific events related to the offense.

- Correlate events to determine the attack pattern and methods used.

6. Respond to the Offense

- Based on the investigation, decide on appropriate actions to mitigate the threat.

- Actions might include blocking the offending IP address, resetting compromised user
accounts, or further forensic analysis.
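The "multiple failed logins followed by a successful one" pattern from step 3, as an added Python example that is not part of QRadar or this manual: it parses constructed sshd entries in the RFC 5424 layout used above and flags a success preceded by a run of failures from the same source IP.

```python
import re
from collections import defaultdict

# Constructed sshd entries in the RFC 5424 layout used above; not real traffic.
SAMPLE_LOGS = [
    "<34>1 2023-05-25T12:00:00Z mymachine.example.com sshd 1234 - - Accepted password for user from 192.168.1.100 port 22 ssh2",
    "<34>1 2023-05-25T12:01:00Z mymachine.example.com sshd 1235 - - Failed password for root from 203.0.113.7 port 51000 ssh2",
    "<34>1 2023-05-25T12:01:05Z mymachine.example.com sshd 1235 - - Failed password for root from 203.0.113.7 port 51001 ssh2",
    "<34>1 2023-05-25T12:01:09Z mymachine.example.com sshd 1235 - - Failed password for root from 203.0.113.7 port 51002 ssh2",
    "<34>1 2023-05-25T12:01:30Z mymachine.example.com sshd 1236 - - Accepted password for root from 203.0.113.7 port 51003 ssh2",
]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) sshd \S+ - - "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Return the event fields as a dict, or None for lines that are not sshd auth events."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_bruteforce_success(lines, threshold=3):
    """Flag each successful login preceded by at least `threshold` failures
    from the same source IP with no success in between."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= threshold:
            hits.append({"ip": ip, "user": ev["user"], "time": ev["ts"],
                         "failures": failures[ip]})
        failures[ip] = 0  # a success, flagged or not, closes the run
    return hits
```

In QRadar the same logic would be expressed as a correlation rule over the parsed events; the script only shows what the rule has to see in the data.
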

Output

Sample Data Sent to QRadar:

- Log entries successfully sent to QRadar and visible in the "Log Activity" tab.

- Example log entry:

```
<34>1 2023-05-25T12:00:00Z mymachine.example.com sshd 1234 - - Accepted password for user from 192.168.1.100 port 22 ssh2
```

Investigation of Remote Access Offense:

- Logs related to remote access attempts identified and analyzed.

- Offense created by QRadar for suspicious remote access activity.

- Detailed analysis of offense, including correlated events and involved entities.

Learning Outcomes

By completing this demonstration, students will:

1. Understand how to send log data to a SIEM platform like IBM QRadar.

2. Gain experience in configuring log sources and generating sample log data.

3. Learn how to use QRadar to investigate security incidents, specifically remote access
offenses.

4. Develop skills in analyzing log data and identifying suspicious activities.

5. Appreciate the role of SIEM platforms in enhancing an organization's security posture
through real-time monitoring and incident response.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters | Marks Obtained | Maximum Marks |
|---------|------------|----------------|---------------|
| 1. | Worksheet completion | | 10 |
| 2. | Post Lab Quiz Result | | 5 |
| 3. | Pre-Lab Questions | | 5 |
| | Total | | 20 |

Experiment No 10: Remote Access Report Template and Network Hierarchy Configuration in QRadar

Student Name: UID:

Branch: Section/Group
Semester: 5th Date of Performance:
Subject Name: Security Intelligence Subject Code: 22CSH-336

Aim

To create a comprehensive remote access report template and configure the network hierarchy
in IBM QRadar to improve the monitoring and analysis of network traffic and security events.

Objective

1. To develop a standardized template for reporting remote access incidents.

2. To configure and organize the network hierarchy in IBM QRadar for accurate categorization
of network traffic.

3. To enhance the ability to detect, investigate, and respond to remote access offenses.

Theory
Remote Access Incident Reporting

A structured incident report is essential for documenting the details of a remote access offense,
including detection, impact, and remediation actions. This helps in understanding the incident's
root cause, improving future responses, and complying with regulatory requirements.

Network Hierarchy in SIEM

The network hierarchy in SIEM platforms like QRadar represents the organization’s network
structure. It includes defining network segments and their IP ranges, which helps in
categorizing and analyzing network traffic accurately. Properly configured network hierarchies
ensure that alerts and offenses are relevant and contextually accurate.

Remote Access Incident Report Template

1. Report Information

- Report Title: Remote Access Incident Report

- Prepared by: [Your Name]

- Date: [Report Date]

- Incident Start Date: [Incident Start Date]

- Incident End Date: [Incident End Date]


2. Executive Summary

Provide a brief overview of the remote access incident, including the nature of the incident, key
findings, impact assessment, and remediation steps taken.

3. Incident Description

- Incident Details: Detailed description of the incident, including how remote access was
gained, the duration of the access, and what was accessed.

- Detection Method: How the incident was detected (e.g., alerts, log analysis, user report).

- Impact: Description of the impact on the organization, including affected systems, data
compromised, and any operational disruptions.

4. Incident Timeline

| Date/Time | Event | Details |
|---------------|-----------|-------------|
| [Date/Time] | [Event] | [Details] |
| [Date/Time] | [Event] | [Details] |
| [Date/Time] | [Event] | [Details] |


5. Investigation

- Sources of Data: List of log sources, systems, and tools used in the investigation.

- Findings: Detailed findings from the investigation, including IP addresses, user accounts
involved, methods used to gain access, and any indicators of compromise (IoCs).

- Attack Vector: Description of how the attacker gained remote access (e.g., stolen credentials,
exploited vulnerability).

6. Mitigation and Remediation

- Immediate Actions Taken: Steps taken to contain and mitigate the incident (e.g., blocking IP
addresses, disabling accounts).

- Long-term Remediation: Actions to prevent future incidents (e.g., patching vulnerabilities,
strengthening authentication mechanisms, user training).

- Recommendations: Further recommendations for improving security posture.

7. Lessons Learned

- Successes: What worked well during the incident response.

- Challenges: Issues and challenges encountered during the incident response.

- Improvements: Suggested improvements to incident response processes and tools.


8. Appendices

- Logs and Evidence: Attach relevant logs, screenshots, and evidence collected during the
investigation.

- References: List of references and resources used in the report.

Sign-Off

- Report Prepared by: [Your Name]

- Date: [Report Date]

- Approved by: [Approver's Name and Title]

- Date: [Approval Date]

Configuring Network Hierarchy in IBM QRadar

Steps

Step 1: Access Network Hierarchy Configuration


1. Log in to the QRadar web console.

2. Navigate to the "Admin" tab.

Step 2: Define Network Objects

1. Under the "System Configuration" section, click on "Network Hierarchy."

2. Click the "Add" button to create a new network object.

3. Enter the following details:

- Name: A descriptive name for the network object.

- CIDR: The IP address range (e.g., `192.168.1.0/24`).

- Description: A brief description of the network object (optional).

4. Click "Save" to add the network object to the hierarchy.

Step 3: Organize Network Objects

1. Organize the network objects into logical groups, such as Internal Network, DMZ,
External Network.

2. Create nested groups if necessary to reflect the network structure accurately.

3. Drag and drop network objects to organize them hierarchically.


Step 4: Apply Changes

1. After configuring and organizing network objects, click "Deploy Changes" to apply the
new network hierarchy settings.

2. QRadar will update its configuration to use the new network hierarchy for categorizing
and analyzing traffic.

Step 5: Verify Configuration

1. Go to the "Log Activity" or "Network Activity" tabs.

2. Verify that incoming logs and network events are correctly categorized based on the
new network hierarchy.

3. Ensure that alerts and offenses are triggered appropriately for different network
segments.
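How a network hierarchy drives categorization, as an added Python example that is independent of QRadar and not part of this manual: nested groups of CIDR objects like those in Step 3 (constructed ranges), with each login's source IP mapped to the most specific matching object and anything unmatched treated as External Network.

```python
import ipaddress

# Constructed hierarchy using the group names from Step 3; CIDRs are example ranges.
NETWORK_HIERARCHY = {
    "Internal Network": {
        "Office LAN": "192.168.1.0/24",
        "Servers": "10.0.0.0/16",
        "Admin VLAN": "10.0.5.0/24",  # nested inside Servers; more specific, so it wins
    },
    "DMZ": {
        "Web Tier": "172.16.0.0/24",
    },
}

# Constructed login events to categorize.
SAMPLE_LOGINS = [
    {"user": "john_doe", "ip": "192.168.1.100"},
    {"user": "svc_backup", "ip": "10.0.5.20"},
    {"user": "root", "ip": "203.0.113.7"},
]


def flatten(hierarchy):
    """Turn the nested groups into (group, object name, network) tuples."""
    return [(group, name, ipaddress.ip_network(cidr))
            for group, objects in hierarchy.items()
            for name, cidr in objects.items()]


def classify(ip, objects):
    """Return (group, object) of the most specific network containing ip.
    An address outside every defined object is reported as External Network."""
    addr = ipaddress.ip_address(ip)
    best = None
    for group, name, net in objects:
        if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
            best = (group, name, net)
    return (best[0], best[1]) if best else ("External Network", None)


def categorize_logins(events, hierarchy):
    """Attach a (group, object) category to each login so that remote-access
    events from outside the defined hierarchy stand out in review."""
    objects = flatten(hierarchy)
    return [dict(ev, category=classify(ev["ip"], objects)) for ev in events]
```
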

Output

Remote Access Report:

- Comprehensive documentation of the remote access incident, including the incident
timeline, investigation findings, mitigation steps, and lessons learned.

- Example timeline entry:

```plaintext
| 2024-05-01 10:00:00 | Unauthorized login attempt detected | User 'john_doe' logged in from IP 192.168.1.100 |
```

Network Hierarchy Configuration:

- A properly configured network hierarchy in QRadar, with network objects and
segments accurately defined and organized.

- Verification of log categorization and accurate alerting based on the configured network
hierarchy.

Learning Outcomes

By completing this task, students will:

1. Understand the importance of structured incident reporting and learn how to create a detailed
remote access incident report.

2. Gain hands-on experience in configuring and managing network hierarchies in a SIEM
platform like IBM QRadar.

3. Learn to categorize and analyze network traffic accurately within a SIEM environment.

4. Develop skills in using QRadar for effective security monitoring, incident detection, and
response.

5. Appreciate the role of proper documentation and configuration in enhancing organizational
security and compliance efforts.

Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):

| Sr. No. | Parameters | Marks Obtained | Maximum Marks |
|---------|------------|----------------|---------------|
| 1. | Worksheet completion | | 10 |
| 2. | Post Lab Quiz Result | | 5 |
| 3. | Pre-Lab Questions | | 5 |
| | Total | | 20 |
