
TASK 1: SECURITY VULNERABILITIES

A). EXPLANATION OF EACH VULNERABILITY:

I. MISSING AUTHORIZATION: (CVSS score 5.3, Medium)

Missing authorization is a vulnerability where the software does not perform
authorization checks, so anyone can access the data. This leads to a critical
data breach: the software delivers the information without consulting the
access control list, a user without privileges can access the data, and an
attacker could read sensitive data directly from a data server that is not
restricted.

Impacts for business:

• Financial loss
• Data loss
• Reputation damage
• Unauthorized access to data

Exploitation:
It can be exploited by injecting malicious code into the management server's
ms.log file, which fabricates log entries on the management servers.

Recommendations:

Allowing a user to log in locally makes it possible to bypass the session, so
it is recommended to use a data encryption key, so that the authentication is
encrypted at the user's end.
All authentication should be performed on the server side; only after
successful authentication is the data loaded onto the mobile device.
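
The server-side check that the recommendation above calls for, as an added example (not part of the original assignment): a small access-control list is consulted before any record is handed out, so data is delivered only after the caller's permission has been verified on the server. The ACL, user directory and record store are constructed for illustration; `get_record_insecure` shows the missing-authorization pattern beside the corrected `get_record`.

```python
"""Server-side authorization before data is returned.

Added example (not from the original assignment): a small access-control list
(ACL) is consulted before any record is handed out, so the data is delivered
only after the caller's permission has been verified on the server. The ACL,
users and records are constructed for illustration.
"""


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to perform the requested action."""


# Constructed ACL: which roles may perform which action on the "records" resource.
ACL = {
    "records": {
        "read": {"admin", "clinician"},
        "write": {"admin"},
    },
}

# Constructed user directory; in a real system this comes from the identity store.
USERS = {
    "alice": {"roles": {"admin"}},
    "bob": {"roles": {"clinician"}},
    "mallory": {"roles": {"guest"}},
}

# Constructed data store.
RECORDS = {
    1001: {"name": "patient-1001", "notes": "sample record"},
}


def is_authorized(username, resource, action):
    """True only if one of the user's roles is granted `action` on `resource`.
    Unknown users and unknown resources/actions are denied (deny by default)."""
    user = USERS.get(username)
    if user is None:
        return False
    allowed_roles = ACL.get(resource, {}).get(action, set())
    return bool(user["roles"] & allowed_roles)


def get_record_insecure(username, record_id):
    """The vulnerable pattern (missing authorization): the record is returned
    for any caller because nothing checks the access control list."""
    return RECORDS.get(record_id)


def get_record(username, record_id):
    """The corrected pattern: check the ACL on the server first, then return
    the data. The client is never trusted to enforce this itself."""
    if not is_authorized(username, "records", "read"):
        raise AuthorizationError(f"{username!r} may not read records")
    return RECORDS.get(record_id)


def access_outcome(username, record_id):
    """'allowed' or 'denied', convenient for logging and for the test below."""
    try:
        get_record(username, record_id)
    except AuthorizationError:
        return "denied"
    return "allowed"


if __name__ == "__main__":
    for who in ("alice", "bob", "mallory", "nobody"):
        print(f"{who:8} -> {access_outcome(who, 1001)}")
```

Every denial in `get_record` is a good place to emit an audit log line, because repeated denials for one account are the detection signal for someone probing for exactly this weakness.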

II. DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK: (CWE-494)

The server executes the downloaded program without checking its origin or
integrity, so an attacker who can alter it changes the flow of the program.
The attacker can get malicious programs executed on the servers by performing
DNS spoofing or by modifying the code in transit.

Causes: This vulnerability is caused by a missing security check during the
design and architecture phase.

Recommendation:

• Perform proper DNS lookups to detect DNS spoofing
• Encrypt the code with a reliable encryption scheme before transmitting
the data
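
An integrity check of the kind CWE-494 asks for, as an added example (not from the original assignment): a downloaded update is accepted only if its SHA-256 digest matches a value pinned out of band, and is rejected otherwise. The "genuine" update bytes, the pinned digest and the tampered copy are all constructed here so the example runs offline.

```python
"""Verify a downloaded program against a pinned digest before it is used.

Added example (not from the original assignment). It models the CWE-494
scenario: an update fetched from the network is accepted only if its SHA-256
digest matches the value the operator pinned out of band. The digest and the
'downloaded' bytes are constructed so the example runs offline.
"""
import hashlib
import hmac

# Constructed "update" as shipped by the legitimate publisher.
GENUINE_UPDATE = b"#!/bin/sh\necho 'legitimate update v1.2'\n"

# Pinned digest, obtained out of band (e.g. from the vendor's signed release
# notes) and stored with the installer. Computed here from the constructed bytes.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


class IntegrityError(Exception):
    """Raised when downloaded content does not match the pinned digest."""


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True if sha256(data) equals expected_hex (constant-time comparison)."""
    actual_hex = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)


def install_insecure(data: bytes) -> bytes:
    """Vulnerable pattern: whatever arrived is accepted, regardless of origin."""
    return data


def install(data: bytes, expected_hex: str = PINNED_SHA256) -> bytes:
    """Corrected pattern: refuse anything whose digest does not match."""
    if not verify_download(data, expected_hex):
        raise IntegrityError("digest mismatch: download rejected")
    return data


def install_outcome(data: bytes) -> str:
    """'accepted' or 'rejected' for the given bytes."""
    try:
        install(data)
    except IntegrityError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    # Simulated tampering: an extra line appended in transit.
    tampered = GENUINE_UPDATE + b"echo 'unexpected extra line'\n"
    print("genuine :", install_outcome(GENUINE_UPDATE))
    print("tampered:", install_outcome(tampered))
```

A pinned hash only helps if the pin itself came over a trusted channel; where the publisher offers signed releases, verifying the signature with the publisher's public key is the stronger form of the same check, because it also establishes who produced the code.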

III. BROKEN AUTHENTICATION AND SESSION MANAGEMENT:

This allows attackers to capture a user's request and bypass the
authentication methods; due to the lack of proper authentication, the attacker
can gain the user's privileges.
Causes:

• Editing URL links to gain access to web servers
• Improper user authentication methods
• Session fixation attacks

Recommendations:

• Transmit the user data in an encrypted tunnel
• Recommend automatically generated secure passwords
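
The session fixation cause listed above, as an added example (not from the original assignment): a minimal in-memory session store shows the vulnerable login, which keeps whatever session ID the browser presented, beside the corrected login, which issues a fresh random ID on success and retires the old one. The user and password are constructed.

```python
"""Session handling that defeats session fixation.

Added example (not from the original assignment). A tiny in-memory session
store shows two behaviours side by side: the vulnerable login keeps the
session ID the browser already had (an ID planted before login stays valid
after it), while the corrected login issues a fresh random ID and invalidates
the old one. The user and password are constructed.
"""
from typing import Dict, Optional
import hmac
import secrets

# Constructed credential store. A real system stores salted password hashes.
USERS = {"alice": "correct-horse-battery-staple"}

SESSIONS: Dict[str, dict] = {}


def new_anonymous_session() -> str:
    """Create a pre-login session, as a web app does on first visit."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def check_password(username: str, password: str) -> bool:
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login_fixation_prone(sid: str, username: str, password: str) -> Optional[str]:
    """Vulnerable: authenticates the existing session in place, so a session
    ID known before login remains valid afterwards."""
    if sid not in SESSIONS or not check_password(username, password):
        return None
    SESSIONS[sid]["user"] = username
    return sid


def login(sid: str, username: str, password: str) -> Optional[str]:
    """Corrected: on success, retire the presented ID and return a new one."""
    if sid not in SESSIONS or not check_password(username, password):
        return None
    del SESSIONS[sid]                      # the old ID can no longer be used
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username}
    return new_sid


def current_user(sid: str) -> Optional[str]:
    """Who is logged in for this session ID (None if unknown or anonymous)."""
    return SESSIONS.get(sid, {}).get("user")
```

Most web frameworks expose this as a one-line "regenerate session on login" call; the point of writing it out is that the old identifier must be deleted, not merely left unused, and the new one must come from a cryptographic random source such as `secrets`.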

IV. MISSING DATA ENCRYPTION:

This allows an attacker to easily sniff the data traffic over the network.
It affects confidentiality and integrity: the application does not use SSL or
SSH, so data is transmitted without proper encryption.

Causes:

• Decrypting the network traffic leads to critical information loss
• Login credentials can easily be sniffed

Recommendations:

• Use proper encryption methods for storing and transmitting the data
through the network
• Use a private-key encryption method to transfer the data directly to the
legitimate users.
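
What "proper encryption for transmitting data" looks like in client code, as an added example (not from the original assignment): two TLS contexts built with Python's standard `ssl` module, the weak one that disables certificate and hostname verification beside the hardened one that verifies both and refuses anything older than TLS 1.2. No connection is opened, so it runs offline; `context_is_hardened` is the policy check a test suite can apply.

```python
"""Client-side transport encryption settings, weak beside corrected.

Added example (not from the original assignment). It builds two ssl.SSLContext
objects with Python's standard library: one that disables certificate and
hostname checks (encryption without authenticating the peer, so the traffic
can be intercepted), and one configured the way the recommendation above
intends. No network connection is made.
"""
import ssl


def make_weak_context() -> ssl.SSLContext:
    """What NOT to do: the peer's certificate and name are never checked."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # accept any name on the certificate
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate at all
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Verify the server certificate and hostname; require TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # loads the system CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Policy check usable in a test suite or a startup self-check."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("weak     hardened?", context_is_hardened(make_weak_context()))
    print("hardened hardened?", context_is_hardened(make_hardened_context()))
```

The hardened context is what `ctx.wrap_socket(sock, server_hostname=host)` or an HTTPS client library should be given; the weak variant is the shortcut that turns up in code when a certificate error was "fixed" by switching verification off.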

V. CROSS SITE SCRIPTING:

The attacker injects malicious code into the website; when the user opens the
URL, the malicious code is executed on the user's system. The web server fails
to validate the code that ends up executing in the website. Types of XSS
(cross-site scripting) are:

• Blind XSS
• Stored XSS
• DOM-based XSS

Causes:

• The malicious code is executed every time the user visits that page
• The payload enters the trusted website and executes at the user's end.

Recommendations:

• Turn off HTTP TRACE on all web servers
• Encode data on output
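
"Encode data on output" in practice, as an added example (not from the original assignment): a user-supplied comment is placed into an HTML response unencoded (the stored-XSS pattern, where markup saved earlier reaches every visitor's browser intact) and then encoded with the standard `html.escape` for both the element-body and the attribute context. The sample comment is constructed.

```python
"""Output encoding as the XSS defence the recommendation above refers to.

Added example (not from the original assignment). A comment supplied by a
user is placed into an HTML page twice: once with no encoding (the vulnerable
pattern) and once through html.escape, for the element-body and attribute
contexts. The sample comment is constructed.
"""
import html

# Constructed user input containing markup. In a stored-XSS scenario this would
# have been saved to the database earlier and rendered on every visit.
SAMPLE_COMMENT = '<script>alert("xss")</script> "nice" post'


def render_insecure(comment: str) -> str:
    """Vulnerable: raw interpolation into the HTML response."""
    return f"<p class='comment'>{comment}</p>"


def render_encoded(comment: str) -> str:
    """Corrected: escape for the element-body context before interpolation."""
    return f"<p class='comment'>{html.escape(comment)}</p>"


def render_attribute_encoded(comment: str) -> str:
    """Attribute context: quote=True (the default) also escapes the quote
    characters, so the value cannot close the attribute early."""
    return f'<input type="text" value="{html.escape(comment, quote=True)}">'


def contains_raw_tag(rendered: str) -> bool:
    """Does a '<script' tag survive unencoded in the rendered output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_insecure(SAMPLE_COMMENT))
    print(render_encoded(SAMPLE_COMMENT))
    print(render_attribute_encoded(SAMPLE_COMMENT))
```

Encoding must match the context the data lands in: the element-body and attribute escapes shown here are not sufficient for data placed inside a `<script>` block or a URL, which need JavaScript-string or URL encoding respectively.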

B). SQL INJECTION DEMONSTRATION:

In this demonstration we are going to use the OWASP Bricks tool. It is a web
application security learning platform built in PHP and MySQL.

SQL injection is an attack where the attacker injects SQL fragments into the
text-box fields and retrieves sensitive information from the SQL databases.
This leads to unauthorized authentication to web servers, leakage of user
information, etc.

Step 1: We are going to install OWASP Bricks on our system.

We have to download:

• uWAMP server
• Bricks &
• Mantra

Step 2: After installing it, our task is to log in to this site without creating a user
account.
Step 3: We are going to use the following SQL injection in these fields:

SELECT * FROM users WHERE name='admin' OR '1'='1' AND password='admin' OR '1'='1'

Thus we gained entry to the website using SQL injection.
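
Why the query above lets the login through, and the fix, as an added example (not from the original assignment and not the Bricks application's own code): an in-memory SQLite `users` table is queried the vulnerable way, by pasting the submitted values into the SQL text, and the corrected way, with bound parameters so the input is treated as data rather than SQL. The accounts are constructed.

```python
"""Vulnerable string-built login query beside the parameterised one.

Added example (not from the original assignment or from Bricks). It builds an
in-memory SQLite 'users' table and runs the login query two ways: the
vulnerable way, where the submitted text becomes part of the SQL, and the
corrected way, where the driver sends the values separately. Accounts are
constructed; a real system stores salted password hashes, not plaintext.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-admin-pw"), ("tom", "tom-pw")])
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """String concatenation: with the input from the exercise the WHERE clause
    becomes  name='admin' OR '1'='1' AND password='...' OR '1'='1', which is
    true for every row because AND binds tighter than OR."""
    sql = (f"SELECT name FROM users WHERE name='{name}' "
           f"AND password='{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterised(conn, name: str, password: str) -> list:
    """Placeholders: the same input is compared literally against the columns
    and matches nothing."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


if __name__ == "__main__":
    db = make_db()
    submitted = "admin' or '1'='1"      # the value typed into both fields above
    print("vulnerable    :", login_vulnerable(db, submitted, submitted))
    print("parameterised :", login_parameterised(db, submitted, submitted))
```

The parameterised form is the fix to look for during a code review of a PHP/MySQL application like Bricks as well: prepared statements (`mysqli` or PDO with bound parameters) rather than queries assembled from `$_POST` values.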

TASK 2: SOCIAL ENGINEERING

A) Assess any 2 methods employed by social engineers to trick users into
handing over their log-ins and financial information.

Attempting to get log-ins:

Using phishing methods – Phishing is a type of social engineering attack in which
the attacker fools the victims in order to get sensitive information from them.
Phishing is a well-known social engineering method, yet many people are unaware
of how effective a phishing attack is; even multinational companies like Microsoft
and Facebook have faced phishing attacks. It leads to sensitive data leaking into
the wrong hands, where it is used for malicious purposes. Phishing can be done by
cloning legitimate websites like Facebook, Instagram etc., hosting these login
pages and sharing them with the victims. The attacker tries to convince the
victims to log in to the fake page and obtains the details from the victim: the
login credentials are sent to the attacker's server.

Here we are going to create a fake web server for the XYZ multi-specialty
hospital. Every employee has unique login credentials. The website contains
visiting patients' details like name, contact information, address etc.; if you
have access to that site you get the entire database of that hospital. First of
all we have to gather as much information as possible about the employees, the
infrastructure and the owner. The admin page of this website is reachable via
the Google search engine, so we are going to use this web page as bait. We clone
this admin web page using social engineering tools, host the clone on our
server and share the URL with the victim. Here we impersonate the managing
director of that hospital: we register a Gmail account in the name of that
managing director. Let's say the managing director's name is John
(johnxyzhospital@gmail.com). We send an email from Gmail to one of the
employees of that hospital asking them to log in through this link. The
employee logs in through the phishing link, and the login details are sent to
our server.
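
The same lure seen from the receiving side, as an added example (not from the original assignment): a mail-gateway or SIEM rule that flags a message whose display name claims to be a known executive while the address sits outside the organisation's domain, or whose free-mail address packs the executive's and the organisation's names together, as in the scenario above. The executive directory, the domain `xyzhospital.example` and the sample headers are constructed.

```python
"""Flagging executive-impersonation mail on the receiving side.

Added example (not from the original assignment). A mail gateway or SIEM rule
can catch the scenario described above before any staff member acts on it.
The directory, the domain 'xyzhospital.example' and the sample headers are
all constructed.
"""
from email.utils import parseaddr

ORG_DOMAIN = "xyzhospital.example"
ORG_KEYWORD = ORG_DOMAIN.split(".")[0]          # "xyzhospital"

# Constructed directory of people attackers would most like to impersonate.
EXECUTIVES = {"john": "john@xyzhospital.example"}

# Constructed From: headers as a gateway would see them.
SAMPLE_HEADERS = [
    "John <john@xyzhospital.example>",        # genuine internal mail
    "John <johnxyzhospital@gmail.com>",       # the lure described in the text
    "Newsletter <news@vendor.example>",       # unrelated external mail
]


def flag_impersonation(from_header: str) -> list:
    """Return the reasons a From: header looks like executive impersonation.
    An empty list means neither rule fired."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    external = domain != ORG_DOMAIN
    name_tokens = {t.strip(",.").lower() for t in display.split()}
    reasons = []
    for exec_name in EXECUTIVES:
        # Rule 1: display name says "John" but the mail did not come from our domain.
        if exec_name in name_tokens and external:
            reasons.append(
                f"display name claims '{exec_name}' but sender is external ({domain})")
        # Rule 2: executive and organisation names packed into an external local part.
        if external and exec_name in local and ORG_KEYWORD in local:
            reasons.append(
                f"executive and organisation names embedded in external address {addr}")
    return reasons


def triage(headers: list) -> dict:
    """Run the rules over a batch of From: headers; keep only the flagged ones."""
    flagged = {}
    for header in headers:
        reasons = flag_impersonation(header)
        if reasons:
            flagged[header] = reasons
    return flagged


if __name__ == "__main__":
    for header, reasons in triage(SAMPLE_HEADERS).items():
        print(header)
        for reason in reasons:
            print("   -", reason)
```

A flagged message is better quarantined or tagged with a visible "external sender" banner than silently dropped, and the rule complements rather than replaces SPF/DKIM/DMARC checks, which would not fire here because the lure genuinely comes from a free-mail provider.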

Attempting to get financial information using the vishing method:

Vishing is a method used by attackers to defraud people over the phone, making
them reveal critical information, which leads to financial loss for companies
or individuals. Vishing is a common method in social engineering attacks, and
most victims fall into the attackers' trap.

Here we are going to demonstrate the vishing method. We are going to call an
individual (the contact information was obtained through the phishing method).
Our mission is to impersonate a bank officer and get the credit card number over
the phone, calling that individual and claiming that we are calling from the
bank's head office.

Attacker: Hello sir, your credit card has been blocked and we have to reactivate
it immediately, or else you can't use your card anymore.

Victim: What is the process to reactivate my credit card?

Attacker: Please don't worry sir, we are here to help; there is no need to visit
the branch, we can activate it remotely. Please tell me the 16-digit number on
your credit card.

Victim: Here is my 16-digit number sir, 1497 5032 8710 6384

Attacker: Okay sir, your credit card will be reactivated in a few hours. Thank you.
(The attacker gains the credit card information from the victim)

The victim has no idea what just happened. Here the attacker uses the vishing
method to gain financial information (the credit card number) from the victim.
It is the most effective method for easily obtaining financial information from
a victim. In the above demonstration, the attacker will use the credit card
number for online purchases or other illegal purposes.

B). DEMONSTRATION OF SOCIAL ENGINEERING ATTACK:

For this illustration we are going to use zphisher from GitHub. Zphisher is an
open-source phishing tool which has lots of cloned websites. We are going to use
Kali Linux for this demonstration.

Step 1: Open VirtualBox and start Kali Linux
Step 2: Go to the browser and search for zphisher GitHub
Step 3: Download the file from GitHub
Step 4: After downloading, open it with the help of the terminal

Command: ./zphisher.sh
It will install all the prerequisites needed.

Step 6: The zphisher page is opened

(Here we are going to use the PayPal login page; select number 6 from the column)

After selecting number 6, zphisher clones the PayPal login page.
Now we have to select the hosting; in this demonstration we are going to use
ngrok.io, so let's select number 2.
After selecting ngrok it will clone the website and host it via ngrok on localhost.
The URL will be provided, and we can send this URL to our victims.

For sharing the URL we are going to use the Social Engineering Toolkit (SET),
which is pre-installed in Kali Linux.
After opening SET, it asks which of several types of social engineering attack
to use; in this demo we are going to use the mass mailer method.
Select number 1 from the menu
Select number 5, which is the mass mailer attack
Then select number 1, which is a single email address.
Enter the victim's IP address and the sender's IP address.

Fill in all the details like the body of the message, the mail subject, whether
an attachment is needed etc. Here we are impersonating PayPal customer service
and luring victims into the phishing trap. Thus the email is sent to the victim.
Zphisher waits for the victim to open the link. After the link is opened, the
victim's IP address is stored in a text file, and if the user logs in to the
cloned website their credentials are captured and saved to a file.

Here you can see our victim opened the phishing link and their public IP is
saved in a text file.
This is the fake PayPal login page. It looks like a legitimate website.
Here you can see the victim logged in to the fake page and their credentials
were captured.

This is the demonstration of the phishing attack.


TASK 4: PHASES OF ETHICAL HACKING

1). PHASES OF ETHICAL HACKING

Before exploiting the target, hackers undertake several steps. In each step the
hackers gain sensitive information about the target which helps to exploit it.
The phases of ethical hacking are as follows:

• Reconnaissance
• Scanning
• Gaining access
• Maintaining access
• Clearing tracks

Fig 1.0 Phases of Ethical Hacking

Reconnaissance:

In penetration testing, reconnaissance or footprinting is the first phase, where
hackers identify their target and gather information like names, contact
information, IP addresses, number of employees, address, company details etc.
This will be used to exploit the target. Reconnaissance is classified into 2
types:

• Active reconnaissance &
• Passive reconnaissance

Scanning:

With the information obtained from reconnaissance, the ethical hacker begins
testing the networks and machines to identify potential attacks. The ethical
hacker scans the entire network of the target to find vulnerabilities.

A. Network mapping: the process of gathering information like network
topologies, server information, firewall information, operating system
information, host network etc.

B. Port monitoring: the process of collecting information about open ports in
the network in order to establish a remote connection with the network.

C. Vulnerability analysis: the process of using automated scanner tools to find
potential vulnerabilities in the system.

Gaining access:
The ethical hackers exploit the vulnerabilities found in the above phases and
gain access to the target. The attacker exploits the systems with payloads or
malware. A common tool for payload execution is the Metasploit Framework
(msfconsole). The most common attacks are:

• Buffer overflow
• SQL injection attacks
• Phishing attack
• Cross-site scripting
• Broken authentication
• Privilege escalation

Maintaining access:
The process of obtaining the databases from the servers for malicious purposes.
The attacker tries to find possible ways to penetrate the systems.

Clearing tracks:
This is the final phase, where the attacker clears their evidence: uninstalling
scripts, clearing log information, removing folders created during the attack,
clearing registry information etc.

2). Types of footprinting:

Footprinting is the first phase in ethical hacking. There are two types of
footprinting:

• Active footprinting &
• Passive footprinting

I. Active footprinting: the process of collecting information by directly
engaging with the target, through phone calls, emails, messages or in person.
II. Passive footprinting: the process of collecting information without
directly engaging with the target, e.g. through online sources.

3). Perform network scanning using network tools such as nmap/zenmap

For this demonstration we are going to use Kali Linux.

Step 1: Open VirtualBox and start Kali Linux

Step 2: After that, open the terminal

Step 3: In the terminal, run nmap with the following command

nmap -sP 192.168.1.0/24

This will scan the entire network the host is on (a ping scan that lists live
hosts; -sP is the older spelling of -sn).

Step 4: After scanning the network we identified our target. The target IP is
192.168.1.2. Use the following command

nmap 192.168.1.4

This scans the target and lists the open ports. Here the open ports are
80, 135, 139, 445 and 7070.
Step 5: For further details, we are going to collect more information from the
target device. Use the following command.

nmap -p0- -v -A -T4

-p0- scans every port from 0 to 65535 (the trailing dash means "through the last port")
-v is used for verbose output
-A enables the aggressive scan options: OS detection, version detection, script scanning and traceroute
-T4 selects the aggressive timing template for faster scanning
Here we performed network scanning using nmap.
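
The defender's use of the same scan output, as an added example (not from the original assignment): parse the PORT/STATE/SERVICE table that nmap prints and report any open port that is not on the host's approved-services list, which turns a one-off scan into change detection. The scan text is constructed to match the ports the exercise reports (80, 135, 139, 445, 7070); the baseline that omits 7070 is an assumption made for illustration.

```python
"""Comparing an nmap result against an approved-services baseline.

Added example (not from the original assignment). Parses nmap's normal output
format and reports open ports missing from a per-host approved list. The scan
text is constructed to match the exercise above; the baseline is assumed.
"""
import re

# Constructed excerpt in nmap's normal output format.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.4
Host is up (0.0010s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
7070/tcp open  realserver
"""

# Assumed baseline: the services this host is documented to offer.
APPROVED_PORTS = {"192.168.1.4": {80, 135, 139, 445}}

HOST_LINE = re.compile(r"Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text: str) -> dict:
    """Return {host: [(port, proto, state, service), ...]} from normal nmap output."""
    results = {}
    host = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            results[host] = []
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            port, proto, state, service = m.groups()
            results[host].append((int(port), proto, state, service))
    return results


def unexpected_open_ports(results: dict, approved: dict) -> dict:
    """Open ports not on the approved list, per host (hosts with none are omitted)."""
    findings = {}
    for host, entries in results.items():
        allowed = approved.get(host, set())
        extra = sorted(port for port, _, state, _ in entries
                       if state == "open" and port not in allowed)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print(unexpected_open_ports(scan, APPROVED_PORTS))
```

Run periodically against your own hosts, the diff between successive results is what matters: a port that appears outside the baseline is either an undocumented service to record or a change worth an incident ticket.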
