Sample Report - Internship


An Internship Report on

VULNERABILITY ASSESSMENT AND PENETRATION TESTING

UPPUNURI RISHITHA REDDY,
STUDENT INTERN,
SPYRY TECHNOLOGIES LLP
ACKNOWLEDGEMENT
The satisfaction and euphoria that accompany the successful completion of any task would be
incomplete without the mention of the people who made it possible because “Success is the
abstract of hard work & perseverance, but steadfast of all is encouragement guidance”. So I
acknowledge all those whose guidance and encouragement served as a beacon light & crowned
our efforts with success.
I am extremely grateful to my Technical Specialist Mr. Prameel Arjun and the Spyry
Tech Team, who gave me inspiration and encouragement throughout the internship.
I am extremely grateful to my Principal Dr. S. Sai Satya Narayana Reddy,
Vardhaman College of Engineering, for granting me permission to do my internship at Spyry
Technologies.
I am extremely grateful to my HOD Prof. Vivek Kulkarni, Vardhaman College
of Engineering, for sending me to the internship and providing full support throughout my
internship.
I would like to thank all the professors and staff of Computer Science and
Engineering for their co-operation during the internship.

-UPPUNURI RISHITHA REDDY


DECLARATION

I, UPPUNURI RISHITHA REDDY, student of 5th Semester B. Tech in the
Department of Computer Science and Engineering, Vardhaman College of
Engineering, Hyderabad, declare that the internship entitled “Vulnerabilities and
Penetration Testing” has been carried out by me at Spyry Technologies LLP,
Bangalore, from 5th December 2016 to 5th January 2017.

This report is being submitted for the fulfillment of my internship and for record
purposes.

Place: Bangalore Name: UPPUNURI RISHITHA

Date: Signature
EXECUTIVE SUMMARY

This report is about my internship at Spyry Technologies LLP. In this comprehensive report, I
have discussed Vulnerability Assessment and Penetration Testing (VAPT) in detail. VAPT is the
most comprehensive service for auditing, penetration testing, reporting and patching of your
company’s web-based applications. With port 80 always open for web access there is always a
possibility that a hacker can beat your security systems and gain unauthorized access to your
systems. Vulnerability assessment and penetration testing are two different and complementary
proactive approaches to assessing the security posture of an information system’s network. The
vulnerability assessment is done to test the security posture of the information system both
internally and externally.

Penetration tests provide evidence that vulnerabilities do exist and that, as a result, network
penetration is possible. During our training we learnt about many tools which are used to perform
penetration testing and vulnerability assessment. The methodology includes: discovery,
enumeration, vulnerability identification, vulnerability assessment, exploitation and launching of
the attack.

The methodology of penetration testing includes three phases: test preparation, test and test
analysis. The test phase involves the following steps: information gathering, vulnerability
analysis and vulnerability exploitation.

The internship work also included the development of non-technical skills, such as personality
development, which help in the overall development of a person as a professional in the
industry.
TABLE OF CONTENTS
CHAPTER TITLE PAGENO.
1 ABOUT THE ORGANIZATION 1
1.1 Brief History of Organization
1.2 Major Milestones
1.3 Overall Organization Structure
1.4 Services offered by the Company
1.5 Operational Departments in the company

2 TASK PERFORMED 8
2.1 Tasks Assigned
2.2 Tasks performed

3 REFLECTION NOTES (SPECIFIC OUTCOMES) 65


3.1 Technical Outcomes
3.2 Non-Technical Outcomes
LIST OF TABLES
Table no. Title Page no.
2.1 TIMELINE TASKS TABLE 9
CHAPTER 1
ABOUT THE ORGANIZATION
Introduction:

Spyry Tech, a cyber security leader, is a reputed brand for companies that need to protect their
identities, businesses and brand online from cyber attacks, and is also a pioneer in the IT
industry, operating out of Bangalore.
Spyry Technologies, with Innovation, Information and Intelligence as its foundation pillars, is
continually expanding as a Technology Service Provider and as a Training Organization.

In today’s world of ever increasing cybercrime and threats to every individual and organization,
Spyry is a one-stop shop that caters to all your information security needs.

Mission:
To secure. To strengthen. To simplify.
Our mission is to provide comprehensive web space security to our clients and inculcate a
knowledge based culture of safe and secure use of cyber space to eliminate the disruptions to
your business and life.

Vision:
To create a virtual, safe and secured Cyber Space.
We create a world where all internet users operate on a level playing field. We want to provide
services that make the internet a virtual utopia – a place where knowledge is nestled in a
package that is beautiful yet strong, and is completely safe from prying eyes and devious
hackers.

Our Deliverables:
Cyber Security Training
Information Security Consultancy and Solutions

Areas of service
Corporates
1.1 WSPT (Web Space Penetration Testing) - One Time Scan & Patching.
1.2 ASSC (Annual Security Scan Contract) - Regular Monthly Scanning
1.3 Corporate Training - Specialized Skill Development Courses

Government Departments

2.1 IT Risk Assessment – For their main Web Portal & other applications / IT Infrastructure that
their departments might be using (as a part of e-governance or others) for a security
assessment.
2.2 Cyber Police Training – Specialized training to various cyber cells of Law Enforcement
Agencies and senior Bureaucrats.

Academia
3.1 Roving Courses by 2/3 Day Workshops for Faculty and Students along with summer and
Winter 1 month trainings in Universities & Colleges
3.2 In-House Courses by 2 Month/6 Month Training & Internship at Spyry Office.
3.3 Complete course on information security and digital forensics.

Our Corporate Clients


On VAPT and IT Risk Assessment Front Spyry Tech has worked with multiple companies in
providing critical and timely support for their cyber security/information security needs. Some
of the clients of Spyry Tech include
2 of the top 50 IT Companies in India
1 of the Largest Private Banks in India
2 of the top 10 e-Commerce Websites of India

Milestones in Training & Development


• Spyry Tech has got experience of more than 5,000 Contact Hours of
information security training to individuals.
• Trained over 10,000 individuals on various aspects of Information Security
ranging from Engineering Students to Cyber Police.
• Have conducted our courses / workshops / training sessions in over 50
establishments till date.
• We provide training in Innovating and Trending Technologies to Govt.
Officials, Corporate Houses and Colleges.

Spyry Trainers have conducted workshops, seminars and courses on Cyber
Security / Ethical Hacking at the following educational institutions and
organizations:
 Vardhaman College of Engineering, Hyderabad
 IIT Kharagpur
 Lakkireddy Balireddy College of Engineering, Vijayawada
 DNR Engineering College, Bhimavaram
 RISE Group of Institutions, Ongole
 Raghu Engineering College, Vizag
 Chaitanya Engineering College, Vizag
 Andhra Loyola Engineering College, Vijayawada
 Eswar Engineering College, Guntur
 VR Siddhartha Engineering College, Vijayawada
 Guntur Engineering College, Guntur
 Rotary Club, Vijayawada
 Visakha Public Library, Vizag
And many more corporate & one-one sessions.

Something we are proud of

We are a record holder of “Limca Book of Records” 2017 for a 52
hour Continuous Cyber Security Marathon Workshop.
The Workshop was held in February 2016 at Potti Sriramulu Chalavadi Mallikharjuna Rao
College of Engineering and Technology, Vijayawada.

Spyry Tech Key Team


Prameel Arjun – CEO, Spyry Technologies

He is a 22-year-old, one of the country’s most efficient and
youngest Information Security Analysts. The young
student hacker has solved many issues with the
vulnerabilities present in various websites and
databases, providing solutions to close the loopholes in
order to protect the data from being leaked from the
databases. Besides hacking, he has a major passion for
blogging. He is the author of many renowned blogs on
the internet. He is an expert in SEO as well.

While pursuing his Engineering (CSE) itself, he has
trained around 5000+ people through various
workshops, seminars and presentations and this makes
him one of the youngest student trainers in the country.

At the age of 18 he conducted his first workshop in Ethical Hacking, which was the beginning of
his success in this field, and now he has a handful of workshops to train students in Andhra Pradesh;
he is the only student trainer who started conducting workshops for his peers and professors.
He conducts workshops on Ethical Hacking, Information Security, Cyber Security, Blogging/SEO
and Forensic Investigation for corporate organizations as well. With around 6-7 articles about him in
various newspapers, he’s now a well-recognized face in the country.

Certifications/Awards/Recognitions at a glance

 Certified Ethical Hacker (CEH)
 EC Council Certified Security Analyst (ECSA)
 Microsoft Technology Associate (MTA)
 Cyber Whiz Kid award by Science Olympiad Foundation at the age of 12
 Certified for his Computer Skills by New South Wales University, Australia at the age of 13
 World’s 22nd Youngest Blogger
 Maxthon Ambassador and Head of Marketing Events – India
 Cambridge Certified Security Associate by CIU
 Cambridge Certified Internet Associate by CIU
 Appreciated by various Foreign Universities, Organizations and Technocrats

Bharath Kumar – Cyber Security Head, Spyry Technologies
He is an avid security researcher with special interest in network
exploitation and web application security analysis. He has an
experience of training more than 1000 individuals directly and more
than 5000+ students personally through online platform. He has
found multiple security flaws on various websites and helped the
admins to patch them. He exclusively maintains an active Facebook
group with over 7000+ users and teaches them various tricks and tips
related to Tech.

SPYRY TECHNOLOGIES IS FEATURED IN

TESTIMONIALS

“I really love the way spyry EDUTAIN people ...it was really fun learning new things at SPYRY. Arjun sir
you really rock the show. It is really appreciable the way you respond to all our requests and queries I find
very less people with this level of commitment towards their respective professions”
- GuruCharan, Student, Hyderabad

“Wow! It was a wonderful workshop. Learnt so many hacking techniques and so many tools in these 2
days of workshop. Special thanks to "Arjun" sir and Santosh. KUDOS to @Spyry”
- Sanjeeva Kumar, Corporate Employee, Bengaluru

“The best of exploring new about cyber security is all of SPYRY had a great experience in exploring new
things, it was completely an edutainment. Thank you Spyry we will be heading back soon to explore
more”
- Bhargav Simhadri, Student, Hyderabad

“It was an excellent practical training by the Spyry. Got to know lot of good things in a short period. Thank
you, Arjun Sir.”
- Nithin Revanna, Student, Bengaluru

“Unparalleled in their knowledge will to teach”
- Amurt Purohit, Student, Bengaluru

“One of the best cyber security service provider...I strongly believe this could extend to more and more
areas and maintain its excellent standards ever.”
- Sravya, Corporate Employee, Hyderabad

“I have a dream to work with them”
- SaiNandan, Student, Hyderabad

CHAPTER 2
TASKS PERFORMED

During the internship period, I worked on different methodologies such as virtualization, foot
printing and its different types, and in scanning I carried out work such as port scanning and
different vulnerability scanning methodologies. I used different tools for scanning, such as Nmap
and Acunetix.

The tools used for the different footprinting types are Advanced IP Scanner, the SmartWhois tool, and
the most used tool, Maltego, for the purpose of footprinting.

I also worked with different tools such as Kali Linux, Wireshark, Armitage and Colasoft Packet
Builder.

2.1 TASKS ASSIGNED

The various tasks assigned to me during the internship period include the following.

1. To learn about DNS records, including A, CNAME, TXT, HINFO, SRV and NS.
2. To learn about different types of hosting: shared hosting, dedicated hosting and VPS
hosting.
3. To learn about the different types of footprinting.
4. To learn about banner grabbing and port scanning.
5. To learn about hping commands and their usage.
6. To learn about viruses, worms, Trojans, adware, malware, spyware, bots and anti-virus.
7. To learn about web servers, web server architecture, directory traversal attacks, HTTP
response splitting, web cache poisoning attacks, HTTP response hijacking, SSH brute-force
attacks and man-in-the-middle attacks.
8. To develop a website, exploit all its vulnerabilities and patch them.
9. To scan websites using different tools such as Acunetix, whois, Nessus, etc.

2.1 TIMELINE TASK TABLE


TASK ASSIGNED | PURPOSE | DURATION | TASK PERFORMED | TIME TAKEN
DNS records like A, CNAME, TXT, NS, SRV, HINFO | To understand the records which are mainly used and what their purpose is | 1 day | Learnt about those records and their purpose | 1 day
Learn about types of web hosting | To understand what kind of server we are using | 1 day | Learnt that the types of web hosting are dedicated, shared and VPS hosting | 1 day
To learn about types of footprinting and methodologies in footprinting | To gather information from websites by using various methodologies | 1 day | Learnt about the different types and methodologies of footprinting | 1 day
To learn about banner grabbing and port scanning | To know about banner grabbing and port scanning | 1 day | Learnt about banner grabbing and port scanning using tools like nmap | 1 day
To learn about hping commands and their usage | It uses the TCP, ICMP and UDP protocols | 1 day | Learnt all the commands and executed them | 1 day
To develop a website using HTML, CSS to exploit all vulnerabilities | To exploit all the vulnerabilities in the developed website | 5 days | Learnt how to discover the vulnerabilities in a particular website | 5 days
To learn about viruses, worms, Trojans, adware, spyware, malware, bots | To learn all the terms with their examples | 2 days | Learnt about their working and their significance | 2 days
To learn about web servers, the architecture of web servers, HTTP session hijacking, HTTP response splitting, web cache poisoning, etc. | To learn about all the terms and their working | 2 days | Learnt about web servers, the architecture of web servers, HTTP session hijacking, HTTP response splitting, etc. | 2 days

2.2 TASKS PERFORMED


DNS RECORDS

A RECORD:-

1. An A record is an address record.

2. It assigns an IP address to a domain/sub-domain.

3. It holds a 32-bit IPv4 address.

4. It maps a host name to the IP address of the host.

Example:- example.com. IN A 64.9.34.66

IN is the class (internet), A is the address record type and example.com is the domain.

CNAME RECORD:-

1. It is the canonical name record.

2. It makes one domain name an alias of another.

3. The aliased name gets all the sub-domains and DNS records of the original.

4. We use a CNAME for pointing several services to the same IP.

Example:- stuff.everybox.com CNAME www.everybox.com (which holds the A record)

Or

mail.example.com IN CNAME mail.example.net

MX RECORD:-

1. It is the mail exchange record.

2. We can define it for a single server or for multiple servers.

Example:- mydomain.com. 14450 IN MX 0 mydomain.com.

In the example, 14450 is the TTL and '0' is the preference number (priority). Mail is exchanged
based on the preference number only: the lowest preference number has the highest priority.

NS RECORD:-

1. It is the name server record; it is also called the authoritative record or delegation record.

2. It gives the authoritative name servers for a particular domain.

Example:- vardhaman.com. IN NS ns1.live.secure.com (authoritative server)

The domain is vardhaman.com.

TXT RECORD:-

1. It is the text record, which holds structured text and allows the admin to insert arbitrary
text.

Example:- xyz.com. TXT "v=spf1 -all"

Or

xyz.com. TXT "v=spf1 mx -all"
SRV RECORD:-

1. It is the service locator record.

2. It is used for newer protocol-specific records, in the way MX is used for mail.

3. Syntax is: srvce prot name ttl pri weight port target

i. srvce (what kind of service, i.e. _http, _ftp, _ldap)

ii. prot (protocol): _tcp or _udp

iii. name (domain name)

iv. ttl (time to live)

v. pri (priority): 0 to 65535

vi. weight (when there is the same priority we proceed by checking this weight)

vii. port (the port the service listens on; the normal HTTP port is 80)

viii. target (domain)

Example:- _http._tcp.example.com. IN SRV 0 5 80 www.xyz.com.

HINFO RECORD:-

1. It gives the host information.

2. It gives information about the CPU and OS.

Syntax:- [optional name] [optional ttl] class HINFO hardware OS

Example:- IN HINFO sparc-10 UNIX
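The record types above can be checked mechanically. The following is an added example, not code from the report or from Spyry: it parses a small zone written in the same "owner [ttl] IN type rdata" shape as the examples above (the zone and every host name in it are constructed for illustration), then applies the rules the text states: MX hosts are tried in order of lowest preference number, SRV targets are ordered by priority and then weight, a CNAME alias is followed to the canonical name before its A record is read, and only a TXT record starting with v=spf1 counts as an SPF policy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample zone (not a real domain), using the record shapes shown above.
SAMPLE_ZONE = """
; owner                 ttl   class type  rdata
example.com.                  IN    A     64.9.34.66
www.example.com.              IN    CNAME example.com.
example.com.            14450 IN    MX    10 backup.example.com.
example.com.            14450 IN    MX    0 mail.example.com.
example.com.                  IN    NS    ns1.example.net.
example.com.                  IN    TXT   "v=spf1 mx -all"
_http._tcp.example.com.       IN    SRV   0 5 80 www.example.com.
_http._tcp.example.com.       IN    SRV   0 10 80 www2.example.com.
_http._tcp.example.com.       IN    SRV   1 5 8080 fallback.example.com.
example.com.                  IN    HINFO sparc-10 UNIX
"""


@dataclass
class Record:
    name: str
    ttl: Optional[int]
    rtype: str
    rdata: str


# owner, optional TTL, class IN, record type, remaining rdata
LINE_RE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?IN\s+([A-Z]+)\s+(.+)$")


def parse_zone(text: str) -> List[Record]:
    """Parse one record per line; ';' starts a comment, blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        name, ttl, rtype, rdata = m.groups()
        records.append(Record(name, int(ttl) if ttl else None, rtype, rdata.strip()))
    return records


def mail_exchangers(records: List[Record], domain: str) -> List[str]:
    """MX hosts in delivery order: the lowest preference number is tried first."""
    exchangers = []
    for r in records:
        if r.rtype == "MX" and r.name == domain:
            pref, host = r.rdata.split()
            exchangers.append((int(pref), host))
    return [host for _, host in sorted(exchangers)]


def srv_targets(records: List[Record], service: str) -> List[Tuple[str, int]]:
    """SRV targets ordered by priority; among equal priorities the higher weight
    comes first (RFC 2782 picks among equal priorities randomly in proportion
    to weight; a deterministic sort is used here so the result is checkable)."""
    rows = []
    for r in records:
        if r.rtype == "SRV" and r.name == service:
            pri, weight, port, target = r.rdata.split()
            rows.append((int(pri), -int(weight), int(port), target))
    return [(target, port) for _, _, port, target in sorted(rows)]


def resolve_a(records: List[Record], name: str) -> List[str]:
    """Follow CNAME aliases to the canonical name, then return its A records."""
    seen = set()
    while True:
        aliases = [r for r in records if r.rtype == "CNAME" and r.name == name]
        if not aliases:
            break
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = aliases[0].rdata
    return [r.rdata for r in records if r.rtype == "A" and r.name == name]


def spf_record(records: List[Record], domain: str) -> Optional[str]:
    """Return the domain's SPF policy from its TXT records. 'v=spf1' is the only
    SPF version that exists, so any other version tag is not an SPF record."""
    for r in records:
        if r.rtype == "TXT" and r.name == domain:
            text = r.rdata.strip('"')
            if text.split()[0] == "v=spf1":
                return text
    return None


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("MX order:", mail_exchangers(zone, "example.com."))
    print("SRV order:", srv_targets(zone, "_http._tcp.example.com."))
    print("www A records:", resolve_a(zone, "www.example.com."))
    print("SPF:", spf_record(zone, "example.com."))
```

Run it as a script to see the ordering; feed it a zone of your own (in the same line format) to check that the MX preferences and SRV priorities really express the failover order you intended.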

TYPES OF HOSTING
There are three types of hosting; they are:-
1. SHARED HOSTING

2. VPS HOSTING

3. DEDICATED HOSTING

Shared hosting:- In shared hosting, we and other website owners share a single server.

Shared hosting is inexpensive because the cost is shared between ourselves and the other owners.

Shared hosting includes the physical server and the software applications which are
available on the server.

Shared hosting can be done in 2 ways; they are:- 1. IP based

2. NAME based.

With shared web hosting we can also do advertising.

Dedicated hosting:-

In dedicated hosting, we have the whole web server to ourselves. Having the entire web server for a
single customer gives faster performance.

This is expensive when compared to shared hosting because in dedicated hosting no one shares
the cost.

Dedicated hosting is very good for websites that need a lot of security.

VPS hosting:-

It is virtual private server hosting. It is a virtual machine sold as a service by an internet
hosting provider. It runs its own copy of the OS. It is customizable and we can update it any number
of times. It works at very little expense.

It provides complete isolation, root access and guaranteed resources.

FOOT PRINTING
Footprinting:- It is the collection of information about a target network to identify the various routes into it.

Whois footprinting:- It is used to gather information using who.is.

Tools used for whois footprinting are WHO.IS and SMARTWHOIS.

SMARTWHOIS

Email footprinting:-

It is used to gather information from mails.

The tools used for email footprinting are:-

1. Emailtracerpro.com

2. Politemail.com

3. Whoreadme.com
DNS FOOTPRINTING:-
In this, we gather information from the domain name system.
For gathering the information we use a few tools; they are
1. Dnsqueries.com
2. Dnsstuff.com

Results for checks on vardhaman.org

Category Test name Information
Parent Parent Zone The calculated parent zone for your domain is org.

Parent NS records The parent zone DNS server a2.org.afiliasnst.info. says that your
DNS are:
ns1.rdsindia.co.in. (No Glue) [TTL:
86400] ns2.rdsindia.co.in. (No
Glue) [TTL: 86400]
TLD Parent Check Good. a2.org.afiliasnst.info, the parent server I asked for, has
information for your TLD. This is a good thing as there are some
other domain extensions like "co.us" for example that are missing
a direct check.
Your name servers are Good. The parent server a2.org.afiliasnst.info. has your name
listed servers listed. This is a must if you want to be found as anyone
that does not know your DNS servers will first ask the parent
name servers.
Parent sent glue Since not all the NS records have the same domain's TLD, it is not
expected that the parent server sends out glue records!
DNS servers have A records Since the domain and the NS are on different TLDs, it's ok if the
A records at zone parent server are missing.
NS Your NS records Your DNS servers return the following
NS records: ns1.rdsindia.co.in:
ns1.rdsindia.info. [IP: 64.62.254.211]
[TTL: 86400] ns2.rdsindia.info. [IP:
64.62.254.212] [TTL: 86400]
ns2.rdsindia.co.in:
ns2.rdsindia.info. [IP: 64.62.254.212]
[TTL: 86400] ns1.rdsindia.info. [IP:
64.62.254.211] [TTL: 86400]
Open DNS servers All of your name servers don't accept recursive queries. This is very
good, since can cause problems (anyone could use them) and can
cause Denial of Service attacks.
Mismatched glue Since not all the NS records have the same domain's TLD, i don't
have the glues for the NS records
ns1.rdsindia.co.in.
ns2.rdsindia.co.in.
Additionally it can happen that some records with the same
domain's TLD mismatch the glues sent by parent name servers
NS A records at name Your name servers do include A records when they are asked for
servers your NS records. This ensures that your DNS servers know the A
records of all your NS records.
All name servers The NS records at all your name servers are identical.
report identical NS
records
All name servers respond All of your name servers listed at the parent name servers
responded.

Name server name validity All of the NS records that your name servers report seem valid
hostnames.
Number of name servers You have 2 name servers. You must have at least 2 name servers
and no more than 7.
Lame name servers All the name servers listed at the parent servers answer
authoritatively for your domain.
Missing (stealth) I have detected 2 stealth name servers:
name servers ns1.rdsindia.info. ns2.rdsindia.info. .
These are listed in your name servers but are missing in the parent
zone name servers. Those name servers are not included in these
tests, so you have to check them manually.
Missing (stealth) I have detected 2 stealth name servers:
name servers 2
ns1.rdsindia.co.in.
ns2.rdsindia.co.in.
. These are listed in the parent zone name servers but are missing
in your name servers
No CNAMEs for domain There are no CNAMEs for vardhaman.org.. RFC1912 2.4 and
RFC2181 10.3 state that there should be no CNAMEs if an NS (or
any other) record is present.
Name servers on Your name servers are on the same Class C IP range. This is very
separate class C's bad if you want to be found in the case of outage, or even worst,
problems!
All NS IPs public All of your NS records appear to use public IPs.
TCP Allowed All your DNS servers allow TCP connections. TCP connections are
occasionally used instead of UDP connections and can be blocked
by firewalls. This can cause hard-to-diagnose problems.

http://www.dnsqueries.com/en/domain_check.php

SOA Your SOA records Your DNS servers return the following SOA records:
ns1.rdsindia.co.in:
ns1.rdsindia.info. support.rdsindia.com.
2016112901 3600 7200 1209600 86400.
[TTL: 86400]
ns2.rdsindia.co.in:
ns1.rdsindia.info. support.rdsindia.com.
2016112901 3600 7200 1209600 86400.
[TTL: 86400]

All same SOA All your name server respond with the same SOA record, which is a
great thing! The SOA record is:
Primary name server: ns1.rdsindia.info.
Host master Email address: support.rdsindia.com.
Serial Number: 2016112901
Refresh: 3600
Retry: 7200
Expire:
1209600
Default TTL: 86400.
Same Serial Number All your name servers agree that your SOA serial number is
2016112901. That means that all your name servers are using the same
identifier for the data’s.
SOA Primary NS Not all your name servers agree on the identification of the primary
name server or it isn't listed in the parent zone name server.
Host master Email All your name servers state that your host master Email address is
support.rdsindia.com...
Serial Format Your SOA serial number is 2016112901. It appears to be in the format of
YYYYMMDDnn
(Recommended), where 'nn' is the revision. Your DNS was last updated
on 29 November 2016 and was revision 01.
REFRESH The SOA REFRESH value determines how often secondary name servers check with the
master name server for updates. Your SOA REFRESH value is 3600 seconds which seems normal
(about 3600-7200 seconds is good although RFC1912 2.2 recommends a value between 1200 to
43200 seconds).
RETRY The retry value is the amount of time your secondary name servers will wait to contact the
master name server again if the last attempt failed. Your SOA RETRY interval is 7200 seconds
and it seems normal (120-7200 seconds is ok).

EXPIRE The expire value is how long a secondary name server will wait before
considering its DNS data stale if it can't reach the primary name server.
Your SOA EXPIRE value is 1209600 seconds which seems normal (as
suggested by RFC1912 a value between 1209600 to 2419200 seconds is
good).
Default TTL The SOA DEFAULT TTL is used for negative caching, meaning that all the
queries that don't have a valid response are cached for this amount of seconds.
Your SOA DEFAULT TTL is: 86400 seconds and is normal (as suggested by
RFC2308 a value between 3600 and 86400 seconds is ok).
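The SOA checks above (serial in YYYYMMDDnn form, REFRESH/RETRY/EXPIRE/TTL within the quoted ranges, hostmaster mailbox written with a dot in place of the "@") can be reproduced locally. This is an added example, not code from the report or from dnsqueries.com: it takes the SOA rdata exactly as printed in the table above and applies the ranges quoted there (RFC1912 2.2 for REFRESH and EXPIRE, the report's 120-7200 for RETRY, RFC2308 for the negative-caching TTL); the range table and function names are this example's own.

```python
import datetime
from typing import List, Optional, Tuple

# SOA rdata as quoted in the table above: mname rname serial refresh retry expire minimum
SAMPLE_SOA = "ns1.rdsindia.info. support.rdsindia.com. 2016112901 3600 7200 1209600 86400"

# Acceptable ranges in seconds, as quoted in the report above (assumed here as the checklist).
RANGES = {
    "refresh": (1200, 43200),    # RFC1912 2.2
    "retry": (120, 7200),        # range the report calls "ok"
    "expire": (1209600, 2419200),  # RFC1912
    "minimum": (3600, 86400),    # RFC2308 negative-caching TTL
}


def parse_soa(rdata: str) -> dict:
    """Split the seven SOA fields; the five timers and the serial become ints."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {
        "mname": mname,
        "rname": rname,
        "serial": int(serial),
        "refresh": int(refresh),
        "retry": int(retry),
        "expire": int(expire),
        "minimum": int(minimum),
    }


def decode_serial(serial: int) -> Optional[Tuple[datetime.date, int]]:
    """Read a YYYYMMDDnn serial as (date of last change, revision nn).
    Returns None when the serial is not in that recommended format."""
    digits = str(serial)
    if len(digits) != 10:
        return None
    try:
        changed = datetime.date(int(digits[:4]), int(digits[4:6]), int(digits[6:8]))
    except ValueError:
        return None
    return changed, int(digits[8:])


def rname_to_email(rname: str) -> str:
    """The hostmaster mailbox is stored with its '@' replaced by a dot,
    so support.rdsindia.com. denotes support@rdsindia.com."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def check_soa(rdata: str) -> Tuple[dict, List[str]]:
    """Apply the range and serial-format checks; return (fields, findings)."""
    soa = parse_soa(rdata)
    findings = []
    for field, (low, high) in RANGES.items():
        if not low <= soa[field] <= high:
            findings.append(f"{field}={soa[field]} is outside {low}-{high} seconds")
    if decode_serial(soa["serial"]) is None:
        findings.append(f"serial {soa['serial']} is not in YYYYMMDDnn format")
    return soa, findings


if __name__ == "__main__":
    fields, problems = check_soa(SAMPLE_SOA)
    print("hostmaster:", rname_to_email(fields["rname"]))
    print("last changed, revision:", decode_serial(fields["serial"]))
    print("findings:", problems or "none")
```

For the record quoted above the script reports no findings, a hostmaster of support@rdsindia.com and a last change on 2016-11-29, revision 1, matching the table; a refresh of 600 seconds or a serial like 7 would each produce a finding.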

MX Your MX records Your DNS servers return the following MX records:
ns1.rdsindia.co.in:
0 vardhamanorg.mail.protection.outlook.com. [TTL: 14400]
10
a4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com.
[TTL: 14400] 5 ms19876748.msv1.invalid. [TTL:
14400]
ns2.rdsindia.co.in:
5 ms19876748.msv1.invalid. [TTL: 14400]
0 vardhamanorg.mail.protection.outlook.com. [TTL: 14400]
10 a4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com. [TTL:
14400]
Multiple MX You have multiple MX records and this is a very good thing! When one MX
records server is down the others can continue to accept mail.
Invalid characters It seems that all of your MX records use valid hostnames, without any invalid
characters.
All MX IPs public Your NS don't return their IPs when looking explicitly for MX records.
MX records are not None of the lookups of your MX records did return CNAMEs.
CNAMEs
MX A lookups have no Looking up for the A records of your MX servers i did not detect problems.
CNAMEs
MX is host name, not IP All the MX records retrieved are host names. Using IP addresses in MX
records is not allowed.
Differing MXA Our local dns cannot resolve the A query for one or more MX records:
records a4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com.
Duplicate MX The check cannot be complete as i don't have the ip address for the following
records MXs
ms19876748.msv1.invalid.
ms19876748.msv1.invalid.
Reverse DNS entries for MX records One or more of the IPs of your MX records

Mail server I was not able to connect to one or more of your mail servers. The report of
host name this test is:
in greeting vardhamanorg.mail.protection.outlook.com. >
BO1IND01FT008.mail.protection.outlook.com > N.C.
a4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com.
> BAY004PAMC1F9.hotmail.com > N.C.
ms19876748.msv1.invalid. Not connected
Spam recognition software and RFC821 4.3 (also RFC2821 4.3.1) state that
the hostname given in the SMTP greeting MUST have an A record pointing
back to the same server.
Acceptance I was not able to connect to one or more of your mail servers to check if they
of NULL <> accept mail from "<>". RFC1123 5.2.9 requires all mail servers to receive mail
sender from this kind of address, which is used in reject/bounce messages and return
receipts. The report of the test is:
vardhamanorg.mail.protection.outlook.com.: Accepts null sender
A4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com. Accepts null
sender ms19876748.msv1.invalid. Not connected
Acceptance I was not able to connect to one or more of your mail servers to check if they
of accept mail to postmaster@vardhaman.org... RFC822 6.3, RFC1123 5.2.7, and
postmaster RFC2821 4.5.1 require all mail servers to accept mail to this kind of address. The
address report of the test is:
Vardhamanorg.mail.protection.outlook.com. Accepts mail to
postmaster@vardhaman.org.
A4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com. Does not
accept mail to postmaster@vardhaman.org.
ms19876748.msv1.invalid. Not connected
Acceptance of I was not able to connect to one or more of your mail servers to check if they
abuse address accept mail to postmaster@vardhaman.org.. RFC822 6.3, RFC1123 5.2.7, and
RFC2821 4.5.1 require all mail servers to accept mail to this kind of address. The
report of the test is:
vardhamanorg.mail.protection.outlook.com.: Does not accept mail to
abuse@vardhaman.org.
a4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com.: Does not accept
mail to abuse@vardhaman.org.
ms19876748.msv1.invalid. Not connected
Acceptance of I was not able to connect to one or more of your mail servers to check if they
domain literals accept mail to
postmaster@[ip_address] (Literal format). RFC1123 5.2.17 require all mail
servers to accept mail to this kind of address. The report of the test is:
vardhamanorg.mail.protection.outlook.com.: Does not accept mail to
postmaster@[ip_address]
a4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com.: Does not accept
mail to postmaster@[ip_address]
ms19876748.msv1.invalid. Not connected
Open relay test I was not able to connect to one or more of your mail servers to check if they
closed to external domain relaying. The report of the test is:
vardhamanorg.mail.protection.outlook.com.: Is not an open relay
a4dc8c62e935d24b82b7f3b44f90db.pamx1.hotmail.com.: Is not an open
relay ms19876748.msv1.invalid. Not connected

SPF record You have an SPF record And this is very very good, as it will help to stop spammers
using the domain vardhaman.org. In their activities. Your SPF record is:
"v=spf1 ip4:64.62.254.210 +a +mx ~all".
Please note that i am not checking if it is a valid SPF record...
WWW WWW Record Your DNS servers when asked for www.vardhaman.org. return the following
records:
64.62.254.210.
All WWW IPs public All of the ip addresses associated to www.vardhaman.org. Appear to be public. If
there were any private IPs, they would not be reachable by your site's users.
(Reverse DNS entries for MX records, continued) their hostnames from the IP address. Many mail servers,
according to RFC1912 2.1, will not accept mail from mail servers with no PTR (reverse DNS) entry. The IPs
which suffer this problem are 65.54.188.109
MAIL Connect to mail servers I have connected successfully to some of your mail servers:
vardhamanorg.mail.protection.outlook.com:
Connected with greeting:
BO1IND01FT008.mail.protection.outlook.com
a4dc8c62e935d24b82b7f3b44f90db.pamx1.hotma
il.com: Connected with greeting: BAY004-
PAMC1F9.hotmail.com

But i was not able to connect to the following:
Ms19876748.msv1.invalid. Failed to connect to
ms19876748.msv1.invalid:
php_network_getaddresses: getaddrinfo
failed: Name or service not known (Timeout
was 5secs)
CNAME Lookup There is one or more CNAMEs record pointing to
www.vardhaman.org... This can cause extra bandwidth
usage since the resolution of www.vardhaman.org. Is
done in multiple steps. However this is only a warning!

NETWORK FOOTPRINTING:-
Network footprinting means gathering the information about the networks.
We use some tools for gathering the network information they are:-
1. Advance ip scanner
2. Net craft

MALTEGO

A tool showing detailed information about a website in the form of a graph, by
mapping the relationships between entities. The options used were:
o Company Stalker: gets all the emails at a domain; the emails must be public
for the user to exploit the information.
o Find Wikipedia Edits: archives the information.
o Footprint L1: scans out the main servers and their associated IP addresses. A level-1
scan.
o Footprint L2: scans at deeper levels to find the IP addresses and associated
information.
o Footprint L3: scans at the deepest possible level, getting the required information
that is associated with that particular domain.
o Person - Email: all the emails that match the particular name searched. About 70%
of them might truly belong to the person we are actually searching for.

Foot printing L1

Foot printing L2

People email foot printing

BANNER GRABBING AND PORT SCANNING

BANNER GRABBING:-
1. Banner grabbing is gathering information about servers.
2. It is used to collect information about a computer system on a network and the services running on its ports.
3. It is used to fingerprint network hosts (the running versions of applications and the OS).
4. Malicious hackers use this kind of banner grabbing.
5. The banner grabbing technique can be useful to administrators for cataloging their systems, and ethical hackers (white hats) can also use it during penetration tests.
6. Service ports commonly used for banner grabbing are HTTP (80), FTP (21) and SMTP (25).
TOOLS FOR BANNER GRABBING:-
1. Nmap (the best-known tool)
2. Amap
3. Netcat
4. Telnet
Banner grabbing using NMAP:-

Banner grabbing using telnet:- grabbing information from devices that accept remote logins.

Banner grabbing using netcat:- netcat allows the user to make network connections between machines without any programming.
Command:-
nc -nvv 192.168.65.3 80
Here, nc is netcat, -n suppresses name/port resolution and -v is verbose (given twice for extra verbosity).
Output:-
Connection to 85.25.132.39 80 port [tcp/*] succeeded!
If the connection is established, then type this request line followed by an empty line:
HEAD / HTTP/1.0

Then the output is:
HTTP/1.1 200 OK
Date: .....
Server: .....
Last-Modified: .....
ETag: ......
Accept-Ranges: bytes
Content-Length: ....
Vary: Accept-Encoding
Content-Type: text/html
Connection: close
It gives this kind of information.
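The same HEAD-request exchange in Python, as an added example that is not part of the report: it sends the request netcat sent above, parses the banner into headers, and reports version disclosure in the Server header, which is what an administrator auditing their own server would look for. The local stand-in server and its nginx/1.10.2 response are constructed for the demo; no real host is contacted.

```python
import socket
import threading


def parse_http_head_response(raw):
    """Split a raw HTTP response into (status_line, {lowercased header: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def grab_http_banner(host, port, timeout=5.0):
    """Send the request the netcat session in the text uses (HEAD / HTTP/1.0
    plus an empty line) and return the parsed status line and headers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):  # end of the header block
                break
    return parse_http_head_response(b"".join(chunks))


def version_disclosures(headers):
    """Headers that reveal software versions. A hardened server sends a bare
    product name (or nothing) in Server and no X-Powered-By at all."""
    findings = []
    server = headers.get("server", "")
    if "/" in server:
        findings.append(f"Server header discloses version: {server}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By discloses stack: {headers['x-powered-by']}")
    return findings


# Constructed response for the local stand-in server (not a capture).
CONSTRUCTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 03 Jan 2017 10:00:00 GMT\r\n"
    b"Server: nginx/1.10.2\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def start_fake_server(response=CONSTRUCTED_RESPONSE):
    """Loopback stand-in for the remote host: answer one request, then close.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # consume the HEAD request
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_server()
    status, hdrs = grab_http_banner("127.0.0.1", port)
    print(status)
    for finding in version_disclosures(hdrs):
        print("finding:", finding)
```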
TYPES OF BANNER GRABBING:-
There are 2 types of banner grabbing. They are:-
1. Active banner grabbing
2. Passive banner grabbing

Active banner grabbing:-
It involves sending data to the target and seeing how the system responds. It is detectable, as it repeatedly attempts to connect to the targeted system.

Passive banner grabbing:-
It involves examining network traffic to determine the operating system. It uses sniffing instead of scanning. It goes undetected by an IDS in most cases, but it is less accurate than active banner grabbing.

PORT SCANNING:-
Systematically probing the ports of a host is known as port scanning.
It determines the open ports and the services behind them.
Ports are where information goes into and out of a computer, so a port scan identifies the open doors into it.
Port scans are also used legitimately for managing networks.
We cannot stop being port scanned while we are connected to the internet, but there are software tools which can detect and block port scanning.

Types of port scans:-
1. Vanilla
2. Strobe
3. Fragmented packets
4. UDP
5. FTP
6. Stealth scan.

Counter measures for port scanning:-
1. Enable only the traffic you need to reach internal hosts, preferably filtered as far as possible from the hosts you are trying to protect, and deny everything else. This goes for standard ports too, such as TCP 80 for HTTP and ICMP for ping requests.
2. Configure firewalls to look for potentially malicious behaviour over time and have rules in place to cut off attacks if a certain threshold is reached, such as 10 port scans in one minute or 100 consecutive ping (ICMP) requests.
3. Most firewalls and IPSs can detect such scanning and cut it off in real time.
4. A proper security architecture, such as the implementation of IDS and firewalls, should be followed.
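As an added illustration of counter measure 2 (not part of the original report), the following Python script applies the two thresholds named above to constructed firewall log lines: it flags a source that probes 10 or more distinct ports within one minute and a source that sends 100 or more consecutive ICMP requests. The log format and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any real firewall's):
# "<ISO timestamp> <action> src=<ip> dst=<ip> proto=<tcp|udp|icmp>[ dport=<port>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Sources that touched at least `threshold` distinct ports inside any
    sliding window of `window_seconds`; returns {src: max distinct ports}."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] is not None:
            by_src[ev["src"]].append((ev["ts"], ev["dport"]))

    window = timedelta(seconds=window_seconds)
    offenders = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # port -> hits inside the current window
        start, best = 0, 0
        for ts, port in events:
            in_window[port] += 1
            # slide the window start forward past events older than `window`
            while events[start][0] < ts - window:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            offenders[src] = best
    return offenders


def detect_ping_floods(lines, threshold=100):
    """Sources with `threshold` or more consecutive ICMP requests (consecutive
    for that source in the log; any non-ICMP packet from it resets the run)."""
    runs = defaultdict(int)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        if ev["proto"] == "icmp":
            runs[ev["src"]] += 1
            if runs[ev["src"]] >= threshold:
                flagged[ev["src"]] = runs[ev["src"]]
        else:
            runs[ev["src"]] = 0
    return flagged


def constructed_log():
    """Constructed sample: one fast scanner, one normal client, one slow prober
    that stays under the per-minute threshold, and one ICMP flood."""
    lines = []
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 143, 443, 3306, 8080, 8443]
    for i, port in enumerate(scan_ports):  # 12 ports in 12 seconds
        lines.append(f"2017-01-03T10:00:{i:02d} DROP src=203.0.113.7 "
                     f"dst=192.0.2.10 proto=tcp dport={port}")
    for i in range(15):  # repeated hits on one port are not a scan
        lines.append(f"2017-01-03T10:00:{i:02d} DROP src=198.51.100.4 "
                     f"dst=192.0.2.10 proto=tcp dport=443")
    for i, port in enumerate(range(1000, 1012)):  # one port per minute
        lines.append(f"2017-01-03T11:{i:02d}:00 DROP src=192.0.2.99 "
                     f"dst=192.0.2.10 proto=tcp dport={port}")
    for i in range(120):  # 120 consecutive echo requests
        lines.append(f"2017-01-03T12:{i // 60:02d}:{i % 60:02d} DROP "
                     f"src=198.51.100.77 dst=192.0.2.10 proto=icmp")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("port scanners:", detect_port_scans(log))
    print("ping floods:", detect_ping_floods(log))
```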

HPING COMMANDS
1. ICMP ping
hping3 -1 <ip address>
2. ACK scan on port 80
hping3 -A <ip address> -p <port number (80)>
3. UDP scan on port 80
hping3 -2 <ip address> -p <port number (80)>
4. Collecting the initial sequence number
hping3 <ip address> -Q -p 139 -S
5. TCP timestamp and firewall detection
hping3 -S <ip address> -p 80 --tcp-timestamp
6. FIN, PSH, URG scan
hping3 -F -P -U <ip address> -p 80
7. Intercept all traffic containing an HTTP signature (listen mode)
hping3 -9 http -I eth0
8. SYN flooding (advanced DDoS)
hping3 -c <no. of packets> -d <size of each packet in bytes> -S -w <tcp window size> -p <port number> --flood --rand-source <ip address>

TO DEVELOP A WEBSITE AND TO FIND THE
VULNERABILITIES
MYSTIC PROJECT
The website: BLOGGING WEBSITE
The website mystic.spyry.in was created as part of a project assigned to me, Nikitha and Kumudha. The website was created so that we could understand the vulnerabilities that can creep in while developing a website, and then scan for and analyze those vulnerabilities individually.
The website is a blogging site, where the user has to log in to blog anything. If the user is not a registered one, then he has to register through a registration form. Once he is registered, he is redirected to the blogging page.
The website consists of a home page, login, registration and a contact page. The home page (named new.html) is divided into frames. Frames reduce the work of reloading the whole page.
The home page gives a description of what the website is all about. The next page is the login page, where the user has to enter a user name and password. As soon as he submits, he is directed to a blog page, where he has a text area to write his blog. When he is done writing a post, a post option is provided which redirects him to a static webpage containing some posts.
If a user is not a registered one, the login page has a link which redirects to the registration page. It asks for basic details like name, password, confirmation password, email, address, gender and other basic information about the person, so that he becomes a valid user of the blog. The last page is the contact page, where the contact information of the site owner is given.
The website is mainly built using frames. The webpage is divided horizontally into two frames. The upper frame contains the options to navigate to the different webpages (login, contact etc.). These are targeted at the second (lower) frame. So when a user right-clicks the webpage and opens the frame in a new tab, he can navigate to all the pages from the newly opened page without any redirection to the original home page.

Vulnerabilities found in Acunetix
The website scanned: http://mystic.spyry.in
The Acunetix scan found no high level vulnerabilities.
15 medium level vulnerabilities were found.
4 low level and 5 informational vulnerabilities were found.
This scan also reports the number of files and the extensions present on the website.

The website has 2 JavaScript files.
The following URLs have at least one input field.

The following are the hosts that are linked to the website.

The email address which was found on the host is:
-myblogmywish@gmail.com
As the email address is provided directly on the website, there is a greater chance of receiving spam mails: attackers harvest the email from the website to send spam.

The directory listing available in the website is

The following links have HTML forms without CSRF protection
Without CSRF protection an unauthorized user can perform actions on the web application by changing the URL pattern.
The following links submit their form fields through the GET method instead of POST.

If a username and password are submitted through a form using the GET method, there is a chance of them being exposed, as the details are visible in the URL.
The following URLs have a password type field with the auto-complete option enabled.

A Directory Traversal Attack is also possible on the website. The various files of the website can be accessed by directory traversal through the URL, and the whole list of files and directories is visible.

As the directories are visible to everyone, there is a chance of disclosing sensitive information if it is present in any of the directories of the website.
This website stores all the blogs of a user in a folder called 'blog', located inside the 'page' folder. These folders can easily be located by navigating the directories, just by modifying the URL so that some folder is traversed.
Now, when the user opens the web page, the URL is displayed. When the URL is modified (by deleting the path until a meaningful path is formed) and requested, all the associated files of the website are found. These files include the home, contact, login and registration pages, the images used in the website and some of the blogs of some user 'A' (the folder named 'blog' inside the 'page' folder).

The website does not have forms with CSRF protection.

The username and password are visible in the URL.
The affected URL is:
http://mystic.spyry.in/mystic%20blog/page/logn.html

The URL clearly shows the username and password, which are highlighted in yellow colour.
The website needs user details such as username and password (for login) and some more details like an email address (for registration). When a person enters those details as a normal user, the information is safe. When the user opens the frame in a new tab and enters the details, they are visible in the address bar. The blogs that are posted will also be visible in the address bar. Even if the user does not give any input, he will be able to navigate to all the pages, like the blogging page, and the posts associated with the user can also be navigated to.
Even on the registration page, when the frame is opened in a new tab, details like the username, password and the confirmation password are visible in the address bar. Even when the user doesn't give any details, he is automatically redirected to the blogging page. There is therefore a possibility that any user can randomly post stuff or blog on the website. This in turn means that the registered user is not validated.
The login page also suffers from the same threat. There is no need for a user to enter details like username and password. Instead he can just click on the login option, through which he will be redirected to the blogging page (to write a blog) and then post some stuff. Hence the user is not validated, and an invalid user can blog.

The login page does not have protection against password attacks.
The password can be guessed through a brute force attack.
The HTTP OPTIONS method is enabled for the website.
This lists all the methods supported by the web server, which may expose sensitive information to the attacker.
Password type input with auto-complete enabled on the website login page:
http://mystic.spyry.in/mystic%20blog/page/logn.html
As auto-complete is enabled, the web browser will ask whether to save the password or not. If the password is saved, then the username and password details are saved in the local browser cache. Due to this, an attacker with local access can easily obtain the username and password details from the browser cache.
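To tie the three form findings above (GET submission, no CSRF token, password auto-complete) to code, here is an added Python example, not the project's own code: a small HTML form auditor that reports those findings, run over a constructed copy of a vulnerable login form and a hardened one, together with the CSRF token issue/verify logic the hardened form relies on. The form markup, field names and file name logn.html are constructed for the example.

```python
import hmac
import secrets
from html.parser import HTMLParser


class FormAuditor(HTMLParser):
    """Collect every <form> with its method, CSRF hidden field and password
    inputs, so the three findings from the scan can be reported per form."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "has_csrf_token": False,
                "password_autocomplete_on": False,
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            itype = (a.get("type") or "text").lower()
            name = a.get("name", "").lower()
            # heuristic: a hidden field whose name mentions csrf/token
            if itype == "hidden" and ("csrf" in name or "token" in name):
                self._form["has_csrf_token"] = True
            if itype == "password" and (a.get("autocomplete") or "on").lower() != "off":
                self._form["password_autocomplete_on"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_forms(html):
    """Return one finding string per problem, in the order the scanner listed them."""
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for f in parser.forms:
        where = f["action"] or "(no action)"
        if f["method"] == "get":
            findings.append(f"{where}: form fields submitted via GET end up in the URL")
        if not f["has_csrf_token"]:
            findings.append(f"{where}: HTML form without CSRF protection")
        if f["password_autocomplete_on"]:
            findings.append(f"{where}: password type input with auto-complete enabled")
    return findings


# CSRF token handling the hardened form relies on: a random per-session token,
# echoed back in a hidden field and compared in constant time on submission.
def issue_csrf_token():
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


# Constructed markup modelled on the findings, not the project's actual pages.
VULNERABLE_LOGIN = """
<form action="logn.html">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
"""

HARDENED_LOGIN = """
<form action="logn.html" method="post">
  <input type="hidden" name="csrf_token" value="{token}">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Login">
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(VULNERABLE_LOGIN):
        print("finding:", finding)
    token = issue_csrf_token()
    print("hardened form findings:", audit_forms(HARDENED_LOGIN.format(token=token)))
    print("token accepted:", csrf_token_valid(token, token))
```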

PORT SCANNING:-
For port scanning, the tool we used is NMAP, because it discovers ports and services. To open NMAP, click on the ZENMAP icon present on the desktop. After opening ZENMAP, give the target and the type of scan, then proceed to scan. To observe all the details clearly, we used the intense scan profile.
Target - mystic.spyry.in
Profile - Intense scan
OBSERVATION:-
The tool (NSE, the Nmap scripting engine) loaded 142 scripts for scanning.
After initiating and completing NSE, it started the ping scan.
PING SCAN
In the ping scan, it gave the IP address of mystic.spyry.in (108.167.180.19) and also discovered 4 ports.
The ping scan took 0.83 sec to complete.
SYN STEALTH SCAN
A stealth scan is a half-open scan. In this, the client sends a SYN packet to the server. If the port is open, the server responds with a SYN+ACK packet. If the port is closed, the server sends an RST packet. The client then sends an RST packet to abort the handshake before a connection is established.
In this SYN stealth scan, it scans 1000 ports and gives information about the open ports. They are:-

The stealth scan took 19.14 sec to complete.
SERVICE SCAN
In this, it scans the 14 services that are available on mystic.spyry.in. This scan completed in 13.81 sec.
OS DETECTION
It is used to detect whether DNS servers are disabled or not.
For detecting that we use "--system-dns" or "--dns-servers".
TRACEROUTE
It uses port 443/tcp and gives information about whether the host is up or down, the RTT, the latency and the IP address.
It reported 0.35 sec latency, and the host is up.
NMAP SCAN REPORT

It gives the report for mystic.spyry.in as:
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
This is port 21, the file transfer protocol. If it is open, files can easily be accessed by others.
22/tcp filtered ssh
This is secure shell (SSH). Using this we can secure communication over an unsecured network using cryptography.
25/tcp open smtp Exim smtpd 4.87
This is the simple mail transfer protocol. It is used to transfer mail. If the port is open then some mails may be accessible to hackers.
53/tcp open domain ISC BIND 9.8.2rc1
It gives information about the dns-nsid (DNS name server id) and version (bind.version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1).
80/tcp open http nginx 1.10.2
This is the hypertext transfer protocol. The scan reports its supported methods, server header and page title:
http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
Supported Methods: GET HEAD POST OPTIONS
http-server-header: nginx/1.10.2
http-title: Index of /
110/tcp open pop3 Dovecot pop3d
This is the post office protocol. The scan describes the signature algorithm, public key, public key bits, SSL date etc.
143/tcp open imap Dovecot imapd
It describes the IMAP capabilities, issuer name, public key type and bits etc.
443/tcp open ssl/http Apache httpd
It gives information about the certificate issuer, signature algorithm, supported HTTP methods etc.
587/tcp open smtp Exim smtpd 4.87
It describes the connection establishment.
993/tcp open ssl/imap Dovecot imapd
It describes the SSL certificate, issuer, signature algorithm, public key and bits etc.
995/tcp open ssl/pop3 Dovecot pop3d
2222/tcp open ssh OpenSSH 5.3 (protocol 2.0)
3306/tcp open mysql MySQL 5.5.51-38.2
It gives the SQL info, protocol, version etc.
8080/tcp open http nginx 1.10.2
8443/tcp open ssl/http nginx 1.10.2
PORT SCAN SCRIPT RESULTS

In this it gives information about the OS, and system service detection is performed; the scan completed in 89.50 seconds.
Raw packets sent were 1116 and received 1098, so some packets were lost.
VIRUS:-
A virus is a small piece of code loaded onto our system without our knowledge that runs against our wishes. Viruses replicate themselves and spread through floppy transfer. Viruses are dangerous because they will quickly use up all the available memory and make the device stop or halt.

A virus will corrupt the data and also modify the data.

There are 2 types of computer viruses. They are:

1. Parasitic:- It attaches itself to other programs. When the host program is executed, the virus is activated. If an affected program is transferred to another computer or device, the virus spreads with it.

2. Boot:- It is designed to enter the boot sector of a floppy disc. It works by replacing the first sector of the disc with itself and hiding the rest of the disc. When the machine is switched on, the virus is loaded by the built-in startup, installs itself, hides the data and loads the actual program. It occupies the DOS boot sector or the master boot sector.

Examples:-

C-Brain --> boot sector virus

MacMag --> attacked Apple Macintosh computers only

Cascade --> attacked IBM computers.

Jerusalem --> the virus takes effect only on Friday, and then only on COM and EXE files

Bomb --> event triggered; at a particular time all the data is crashed.
WORM:-

It is a standalone piece of malware. Worms always cause harm to the network. A worm also replicates by itself. Worms create more traffic in the network, but they do not corrupt or modify the data.

Examples:-

Morris --> the 1st computer worm, which cracked weak passwords and process IDs.

MyDoom --> fastest spreading email worm.

BadTrans --> installed a key logger

Blaster --> aimed at Bill Gates

Bagle, ILOVEYOU worm, Hybris, Kak worm, SQL Slammer, Upering........
TROJAN:-

It is a non-threatening program at first glance, but simply takes the information once it is executed. It is not self-replicating.

It is used to hack the computer by misleading users about its true intent. Trojans are spread by some form of social engineering. Many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. This allows the attacker to learn the user's personal information, such as banking details, passwords or personal identity (IP address).

Types of Trojans:-

1. Backdoor Trojan:- gives remote access to the hacker

2. Trojan Ransom:- encrypts the data and locks up our system

3. Trojan Spy:- logs our keystrokes

4. Trojan Mailfinder:- acquires mail addresses from the computer's address book.

5. Trojan Banker:- steals online banking information such as credit card details and passwords.

Examples:-

Melissa, Zeus, Conficker, Stuxnet........................
ADWARE:-

Advertising-supported software, which presents unwanted advertisements to the user of a computer. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. The advertisements produced by the adware are sometimes in an "unclosable window".

Examples:- ShopAtHome --> updates are also downloaded when this site is visited.

MALWARE:-

It is malicious software.

The major kinds of malware are worms and Trojans.

Malware is stealthy and is used to steal information. Malware is sometimes called a computer contaminant. Such malware is embedded in programs that are officially supplied by companies.

Examples:- Ransomware (CryptoLocker), Shamoon, Aramco, Stuxnet ..... etc.

SPYWARE:-
It is software that gathers information about a person or an organization without their knowledge. It is classified into 4 types. They are:
1. System monitors
2. Trojans
3. Adware
4. Tracking cookies.
It monitors the user's computer. Spyware can also interfere with the user's control of a computer by installing additional software or redirecting web browsers.
Examples:-
CoolWebSearch, Internet Optimizer, Zango, HuntBar, Zlob ........ etc.
BOT:-
A bot is also known as a WWW robot. It is a software application which runs automated tasks over the internet. Bots perform repetitive, high-rate tasks that would be impossible for a human alone. Bots play an important role in modifying, confusing and silencing conversations, etc.
Examples:-
Web crawler, zombie computer, chatterbot, video game bot, Twitter bot ..... etc.
ANTIVIRUS:-
Antivirus is software which is used to prevent, detect and remove malicious software.
It was originally developed to detect and remove computer viruses.
It protects from malicious browser helper objects, browser hijackers, ransomware, key loggers, backdoors, rootkits, Trojan horses, worms, fraud tools, adware and spyware.
Examples:-
Kaspersky, Norton Security, Avira, Trend Micro, Avast, F-Secure, Panda Security, ESET etc......
Backend:-
1. Verify what antivirus is used by the customers.
2. Make sure that the antivirus software is updated.
3. Check to see how updates are being applied.
4. Use multiple scanning engines.
5. Check the customer's antivirus license.
Working of antiviruses:-
Traditionally, antivirus meant fighting computer malware. As hackers become more skilled and prolific in spreading malware, antivirus has become one component of a security stack that offers multi-layered protection for computers.
Features:-
*Background scanning
*Full system scans
*Virus detection
Background scans:- These scan files in the background as they are used. This gives real-time protection, safeguarding the computer from threats or malicious attacks.
Full system scans:- These scans are essential the first time we install antivirus software or when it has been updated recently. Full system scans are also used when we repair an infected computer.
Virus detection:- Antivirus is used to identify malware. Malware definitions contain signatures for new viruses and other similar malware. This is essential for recognizing the latest malware on the systems.
TYPES OF ANTIVIRUS:-
1. Signature based detection:- Each virus has a digital signature, a piece of code which causes the virus to perform the functions it was designed to perform. This method is very effective in preventing infection by known viruses.
2. Heuristics:- This protects computers from unknown malware by using heuristic algorithms. It scans files for combinations of signature fragments to detect malware.
3. Rootkit detection:- A rootkit can alter the operating system of a computer to change how it works, and even alter the antivirus software itself to make it inoperable. Removing one may require an entire system reinstallation, which usually results in data loss.
4. Real time monitoring:- It provides real time protection, marketed as resident shield, background guard, auto-protect etc. This is done at all load and read times, or whenever a file is accessed, downloaded or uploaded.

HTTP RESPONSE SPLITTING, WEB SERVERS, ARCHITECTURE OF WEB SERVERS,
DIRECTORY TRAVERSAL ATTACK, HTTP RESPONSE AND WEB CACHE
POISONING, HTTP SESSION HIJACKING, SSH BRUTE FORCE
A web server is a program that uses HTTP to serve the files that form web pages to users, in response to requests forwarded by their computers' HTTP clients. Web servers are large packages of internet and intranet related programs for serving email, handling download requests for transferring files, and building and publishing web pages.
Web servers include Apache, IIS, nginx, GWS (Google Web Server), Domino servers .....etc.
Dedicated computers and appliances may also be referred to as web servers.
Web servers handle server side scripting languages.
FEATURES OF WEB SERVERS:-
1. Security
2. Logging
3. Traffic analysis
4. Require centralized data structures to implement.
ARCHITECTURE OF WEB SERVERS:-
Web server architecture follows two approaches:-
1. Concurrent approach
*multi-process
*multi-threaded
*hybrid method
2. Single-process event-driven approach

DIRECTORY TRAVERSAL ATTACKS:-
It is also called the ../ (dot dot slash) attack. It is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
The goal of this attack is to use an affected application to gain unauthorized access to the file system.
Web servers provide 2 main levels of security mechanisms. They are:
1. Access Control Lists
2. Root directory
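An added Python example (not from the report) of the root-directory mechanism in point 2, which also covers the 'page'/'blog' folder traversal described earlier in the Mystic findings: requested paths are URL-decoded and resolved, anything escaping the web root is rejected, and directories are never listed. The web root layout, file names and contents are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalAttempt(Exception):
    """Raised when a requested path would resolve outside the web root."""


def resolve_under_root(web_root, requested_path):
    """Map a URL path onto the filesystem, refusing '..' sequences (plain or
    percent-encoded), absolute paths and symlinks that leave the web root."""
    root = Path(web_root).resolve()
    decoded = unquote(requested_path)
    # a leading slash means "root of the site", not the filesystem root
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)  # ValueError if candidate is not under root
    except ValueError:
        raise TraversalAttempt(requested_path) from None
    return candidate


def serve_path(web_root, requested_path):
    """Return the file's bytes, or None for directories (no listing, hence no
    'Index of /' page) and for missing files. Traversal still raises."""
    candidate = resolve_under_root(web_root, requested_path)
    if not candidate.is_file():
        return None
    return candidate.read_bytes()


def is_traversal(web_root, requested_path):
    """True when the request would be rejected as a traversal attempt."""
    try:
        resolve_under_root(web_root, requested_path)
    except TraversalAttempt:
        return True
    return False


def make_demo_tree():
    """Constructed layout: <base>/secret.txt outside the root and
    <base>/www/page/blog/post1.txt inside it, mirroring the 'page'/'blog'
    folders from the findings. Returns the web root path."""
    base = Path(tempfile.mkdtemp())
    (base / "secret.txt").write_text("outside the web root")
    www = base / "www"
    (www / "page" / "blog").mkdir(parents=True)
    (www / "page" / "blog" / "post1.txt").write_text("constructed post")
    return www


if __name__ == "__main__":
    www = make_demo_tree()
    print(serve_path(www, "/page/blog/post1.txt"))
    print(serve_path(www, "/page/blog"))  # None: directories are not listed
    for bad in ("../secret.txt", "page/../../secret.txt", "%2e%2e/secret.txt"):
        print(bad, "->", "blocked" if is_traversal(www, bad) else "allowed")
```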

HTTP RESPONSE SPLITTING:-

It is a form of web application vulnerability. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning and similar exploits.

WEB CACHE POISONING ATTACK:-

It is an attack against the integrity of an intermediate web cache repository, in which the original content cached for an arbitrary URL is replaced with spoofed content. Users of the web cache repository then consume the spoofed content instead of the genuine one when requesting that URL through the web cache.

HTTP RESPONSE HIJACKING:-
HTTP response hijacking is when an attacker sends a response splitting request to a web server to split a user's response. It is frequently a way to obtain sensitive data that a user transmits to a website.

SSH BRUTE FORCE ATTACK:-

SSH (secure socket shell) is a protocol which provides users with a secure way of accessing a remote computer.
An SSH brute force attack is a trial and error attack, performed by bots scanning or by other means, in which our server is scanned to guess its passwords.

MAN IN THE MIDDLE ATTACK:-
It is simply called an MIM attack. The attacker secretly relays and possibly alters the communication between two parties who believe they are communicating directly with each other. This is used against many cryptographic protocols.

REPRESENTATION OF A TCP PACKET

 Before using the tool we need to know the format of the TCP header.
 TCP HEADER FORMAT:-

 The TCP header is 32 bits wide (the header diagram is drawn as 32-bit rows); its ports and flags together define a TCP header.
 Every field present in the TCP header is shown in the Colasoft Packet Builder tool, and its hex encoding is also listed.
 How a TCP packet actually looks is shown in the figures below, as represented in the Colasoft Packet Builder tool.
USING THE COLASOFT PACKET BUILDER TOOL

 In the above figures, observe that every field of the TCP header is represented.
 There is a hex editor where the raw bytes are shown in hexadecimal. To observe it clearly, see the blue lines in the TCP format and the corresponding hex editor representation.
 If sniffing is to be done on a network, then knowledge of the TCP header is a mandatory concept.

SNIFFING:-
It is the process of monitoring telephone or internet conversations via a 3rd party.
An attacker can monitor, intercept, record, and manipulate the information.
TWO TYPES OF SNIFFING:-
1) Active:-
The attacker is able to monitor, intercept, record, and manipulate.
2) Passive:-
The attacker is able to monitor and record the information.
PACKET SNIFFING:-
This is the process of monitoring and capturing all the packets passing through the same network.
The attacker must be in the same network to perform the sniffing.
Only "unencrypted" packets are readable, i.e. only from those can we gain information.
SENSITIVE INFORMATION THAT AN ATTACKER CAN GET THROUGH SNIFFING:-
1. DNS traffic
2. Email traffic
3. Web traffic
4. Chat traffic
5. FTP passwords
6. Router configuration
7. System logs
WIRESHARK (NETWORK PACKET ANALYSER)
 Wireshark is a tool used by cyber security professionals to analyze the packets that pass through a particular network, i.e. through a particular router (white hat use).
 But this particular tool is also used by attackers for the purpose of sniffing (black hat use).

ARMITAGE:-
 Armitage is a tool that is used to gain access to a particular device present on the same network.
 All the NMAP scans are available, i.e. built into Armitage.
 In particular, Armitage is used to gain control of a computer that is present on the same network.
DRAWBACK IN ARMITAGE:-
 The tool is updated only to serve Windows versions up to Windows XP (Service Pack 2).
 So this tool is not capable of gaining control of the higher versions of Windows.

CRYPTOGRAPHY
It is the conversion of data into a scrambled code, which is encrypted and sent across.
Or:
Cryptography is associated with scrambling plain text into cipher text (encrypted text), then back again.
4 objectives:-
1. Confidentiality: The information cannot be understood by anyone for whom it was unintended.
2. Integrity: The information cannot be altered in storage or in transit between the sender and the intended receiver.
3. Non-repudiation: The creator or sender of the information cannot deny at a later stage his or her intentions in creating or transmitting it.
4. Authentication: The sender and receiver can confirm each other's identity and the origin and destination of the information.

Types of cryptography
1. Symmetric encryption (uses the same key for both encryption and decryption)
2. Asymmetric encryption (uses different keys for the two) --- more secure against attackers.
Various types of ciphers
1. Classical ciphers -- they operate on the alphabet A to Z (implemented by hand or by simple devices) --- not very reliable.
*Substitution -- replaces units of plain text with cipher text.
*Transposition -- the letters of the plain text are rearranged to form the cryptogram.
2. Modern ciphers -- these are more reliable
*By type of key used -- public key (same key), private key (different key)
*By type of data -- block ciphers (these refer to an algorithm operating on blocks of fixed size with an unvarying transformation specified by a symmetric key) and stream ciphers (these refer to symmetric ciphers in which the plain text digits are combined with a key stream)
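An added Python example (not from the report) of the two classical cipher families listed above: a keyword substitution cipher and a columnar transposition cipher, with a frequency profile showing why they are "not very reliable": transposition leaves the letter counts untouched and substitution only permutes them, so frequency analysis sees straight through both. The keywords and sample text are constructed.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def letters_only(text):
    return "".join(c for c in text.upper() if c in ALPHABET)


def make_substitution_key(keyword):
    """Keyword-derived monoalphabetic key: the keyword's letters (duplicates
    dropped) followed by the remaining letters of the alphabet in order."""
    key = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in key:
            key.append(ch)
    return "".join(key)


def substitute(text, key, decrypt=False):
    """Replace each plaintext letter by the key letter at the same position."""
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return letters_only(text).translate(str.maketrans(src, dst))


def _column_order(key):
    # columns are read in alphabetical order of the key letters; ties by position
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transpose_encrypt(text, key):
    """Columnar transposition: write the text in rows of len(key) letters,
    then read the columns in the order given by the key."""
    text = letters_only(text)
    ncols = len(key)
    rows = [text[i:i + ncols] for i in range(0, len(text), ncols)]
    return "".join(row[c] for c in _column_order(key) for row in rows if c < len(row))


def transpose_decrypt(cipher, key):
    """Rebuild the columns (the first len(cipher) % ncols columns are one
    letter taller) and read the grid back row by row."""
    ncols = len(key)
    nrows = -(-len(cipher) // ncols)
    full_cols = len(cipher) % ncols or ncols
    cols, pos = {}, 0
    for c in _column_order(key):
        height = nrows if c < full_cols else nrows - 1
        cols[c] = cipher[pos:pos + height]
        pos += height
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols) if r < len(cols[c]))


def frequency_profile(text):
    """Letter counts sorted high to low: the fingerprint frequency analysis
    uses, which neither classical cipher family disturbs."""
    return sorted(Counter(letters_only(text)).values(), reverse=True)


if __name__ == "__main__":
    plain = "ATTACK AT DAWN"
    sub_key = make_substitution_key("SPYRY")
    c1 = substitute(plain, sub_key)
    c2 = transpose_encrypt(plain, "ZEBRA")
    print(c1, substitute(c1, sub_key, decrypt=True))
    print(c2, transpose_decrypt(c2, "ZEBRA"))
    print(frequency_profile(plain), frequency_profile(c1), frequency_profile(c2))
```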

PROXY SERVER:-
A proxy is a network computer that serves as an intermediary for other computers.

Uses of a proxy:-

1) Firewall:- a proxy protects the local network from outside attacks
2) Specialized proxy servers can filter out unwanted content
3) As an IP address multiplexer, a proxy allows a number of computers to connect to the internet with a single IP address.
4) To be anonymous.

Why do attackers use proxy servers?

*To be anonymous.
*To remotely access intranet and other website services
*To intercept all the requests and transmit them to a third party destination.
*Attackers chain multiple proxy servers to avoid detection

ANONYMIZERS:-
Removes all the identifying data from the system.
This makes the activity untraceable.

Why this?
1. Privacy and anonymity
2. Security
3. To access restricted content
4. Bypass firewall and IDS
5. Most anonymizers use HTTP, FTP and Gopher

Gopher: a TCP/IP protocol used for distributing and browsing documents over the internet.

Types:
1) Networked anonymizers
2) Single point anonymizers
Tools:
1) Mowser
2) Spotflux
3) U-Surf
4) Guardster

CHAPTER 3
REFLECTION NOTES
3.1 TECHNICAL OUTCOMES
i. During the period of the internship, I have learnt many new technical concepts which were completely different from academics.

ii. I had a very basic knowledge of the Kali Linux operating system; working on it has helped me to get to know Kali Linux in depth.

iii. A clear knowledge of web hosting, web servers, websites and webpages has been gained by me during the tenure of the internship.

iv. I was not at all clear about hosting a website on the internet, but now I have my own website and some other websites which have been developed by me.

v. I was exposed to the important subject of Vulnerability Assessment and Penetration Testing (VAPT), where I came to know what the word security actually means.

vi. I learnt about the security measures taken by corporate companies and what security measures should be taken by individuals to protect themselves.

vii. The difference between book knowledge and practical knowledge was entirely new, and it was nice to get to know the practical implementation of book knowledge.

viii. The outcome of the session hijacking and cookie stealing exercises was pretty damn interesting, making me want to do more and more on that.

ix. How to get into a website through SQL injection, and how to find the vulnerabilities, were all very helpful to learn, as was knowing what precautions were taken to protect against the attack.

x. All the techniques used for basic ethical hacking, the basic concepts and many more advanced topics were learnt.

3.2 NON TECHNICAL OUTCOMES
i. On an internship, it is important to get something out of the experience. I used this internship opportunity to better myself and to develop the skills I lack.
ii. I have improved my leadership qualities and co-ordination between all the friends much more.
iii. Coming into this position, I felt that I had no idea where my career was going, and I lacked confidence about what I could do and what I really am.
iv. All the days during the internship we had many sleepless nights to complete the tasks, and had fun nights and the most memorable moments.
v. Due to these tasks we have learnt how to show interest in the given task and to do much better.
vi. The trip to Mysore was quite interesting, and we made new friends and had the funniest moments in that travelling.
vii. Just observing the everyday events has taught me more about teamwork, and how people can come together to get things done. Although sometimes I have to remind myself to use my inside voice, I feel I've adapted to the office life relatively well.
viii. Team work between all of us was very strong, and all of us together worked for many hours and at last we completed the task.
ix. Planning, hard work, travelling, expenditure control and basic needs, how to control ourselves in situations: we have done it and successfully completed our INTERNSHIP.
x. Being initiative is important, as the working world is much less tolerant of mistakes, and deadlines have to be kept strictly. Besides, having initiative is also a good way of maintaining a harmonious and happy working relationship with colleagues.

*******
THANKING YOU BOTH ARJUN SIR AND BHARATH SIR FOR THE WONDERFUL DAYS WE ARE VERY
GLAD TO HAVE OUR PRESENCE THERE AND HAVE YOUR VALUABLE PRESENCE OVER THERE TO
TRAIN US IN YOUR TIGHT SCHEDULE.
*******
