
CCS340 - CYBER SECURITY LAB, V Semester AI&DS

Ex.No: 1 Installation of Kali Linux in Virtual Box


Date :

AIM:
To learn and experience the different ways of installing Kali Linux on VirtualBox.

Kali Linux
Kali Linux (formerly known as BackTrack Linux) is an open-source, Debian-based Linux
distribution aimed at advanced Penetration Testing and Security Auditing.

Virtual Box
Oracle VM VirtualBox (formerly Sun VirtualBox, Sun xVM VirtualBox and InnoTek
VirtualBox) is a type-2 hypervisor for x86 virtualization developed by Oracle.

Installation of Kali Linux in Virtual Box

Download Kali Linux:

After downloading the zip file, extract it.

Click the blue VDI image file; it will now be imported into VirtualBox.

Next, run that Kali machine.

The default Username: kali and the Password: kali

RESULT:
Thus the procedure for installing Kali Linux on VirtualBox was carried out and tested.

Ex.No: 2 Explore Kali Linux and bash scripting


Date :

Aim
To understand Kali Linux and bash scripting.

Explore Kali Linux

Kali Linux is a popular Linux distribution designed for digital forensics, penetration testing,
and network security assessments.

1. Purpose and Features:

Kali Linux is specifically built for security auditing and testing purposes.
It includes numerous pre-installed tools for vulnerability assessment, penetration testing, and
digital forensics.
The distribution focuses on providing a robust environment for security professionals to
assess and strengthen the security of systems and networks.

2. Penetration Testing:

Kali Linux offers a vast array of tools for penetration testing, including network scanning,
vulnerability assessment, wireless attacks, web application testing, and more.

3. Digital Forensics:

Kali Linux provides a rich set of tools and utilities for digital forensics and incident
response.

Tools like Autopsy, Foremost, Sleuth Kit, and Volatility help in analyzing and recovering
data from digital devices, investigating security incidents, and conducting forensic
examinations.

4. Customization and Package Management:

Kali Linux is built on Debian and uses the APT (Advanced Package Tool) package manager,
making it easy to install and manage additional software packages.

The distribution allows customization of the environment, including the desktop
environment, themes, and configurations, to suit individual preferences.

5. Documentation and Community Support:

Kali Linux has extensive documentation available on their official website, including
tutorials, guides, and a user forum.

The Kali Linux community is active and supportive, providing assistance and sharing
knowledge through forums, blogs, and social media channels.

Bash scripting

A bash script is a series of commands written in a file. These are read and executed by the
bash program, which executes them line by line. By naming convention, bash scripts end
with .sh.
Scripts start with a "bash bang", also called a shebang.

A shebang is the combination #! followed by the path of the bash shell. It is the first line
of the script and tells the shell to execute the script via bash. The shebang is simply an
absolute path to the bash interpreter.

Below is an example of the shebang statement.

#! /bin/bash

The path of the bash program can vary. We will see later how to identify it.

Execution rights


Scripts need execution rights for the user executing them. An execution right is represented
by x. In the example below, my user has the rwx (read, write, execute) rights for the file
test_script.sh.

File colour
Executable scripts appear in a different colour from the rest of the files and folders. In my
case, the scripts with execution rights appear green.

How to Create Your First Bash Script


Let's create a simple script in bash that outputs Hello world

Create a file named hello_world.sh

touch hello_world.sh

Find the path to your bash shell.

which bash

In my case, the path is /usr/bin/bash and I will include this in the shebang.

Write the command.

We will echo "Hello World" to the console. Our script will look something like this:

#! /usr/bin/bash
echo "Hello World"

Edit the file using a text editor of your choice and add the above lines.


Provide execution rights to your user.

Modify the file permissions and allow execution of the script by using the command below:

chmod u+x hello_world.sh

chmod modifies the existing rights of a file for a particular user. Here u+x adds (+) the
execute right (x) for the file's owner (u).

Run the script.

You can run the script in either of the following two ways:

./hello_world.sh
bash hello_world.sh

The Basic Syntax of Bash Scripting


Just like any other programming language, bash scripting follows a set of rules to create
programs understandable by the computer. In this section, we will study the syntax of bash
scripting.

How to define variables


We can define a variable with the syntax variable=value. To get the value of the variable,
add $ before the variable name.

#!/bin/bash
# A simple variable example

greeting=Hello
name=Tux
echo $greeting $name


Fractions are not calculated correctly using the arithmetic methods above; the result is
truncated to an integer.
For decimal calculations, we can use the bc command to get the output to a particular number of
decimal places. bc (Bash Calculator) is a command line calculator that supports calculation
up to a certain number of decimal points.

echo "scale=2;22/7" | bc

Here scale defines the number of decimal places required in the output.
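The steps of this section worked as one script, as an added example that is not part of the lab manual: it writes hello_world.sh (the file name used above) into a directory you pass in, with a shebang taken from the bash found on PATH (what `which bash` prints), adds the variable example, grants the owner execute rights, and compares bash integer arithmetic with bc's scaled division. The helper names are my own.

```shell
# Added example, not from the lab manual. Everything below is POSIX sh, so it
# also runs under bash.

# Shell arithmetic is integer-only: 22/7 gives 3, the fraction is truncated.
int_div() {
    echo $(( $1 / $2 ))
}

# bc keeps as many decimal places as "scale" asks for (default 2 here),
# so dec_div 22 7 2 gives 3.14.
dec_div() {
    echo "scale=${3:-2}; $1 / $2" | bc
}

# Create a script at the given path: a shebang pointing at the bash found on
# PATH (/bin/sh is the fallback if bash is absent), then the variable example
# from the section, then the execute right for the owner.
make_hello_script() {
    script=$1
    bash_path=$(command -v bash || echo /bin/sh)
    printf '#!%s\n' "$bash_path" > "$script"
    printf '%s\n' '# A simple variable example' 'greeting=Hello' 'name=Tux' \
        'echo "$greeting $name"' >> "$script"
    chmod u+x "$script"          # u = owner, + = add, x = execute right
}

# Report whether the owner may execute the file.
exec_right() {
    if [ -x "$1" ]; then echo executable; else echo "not executable"; fi
}

# First way to run a script from the section: directly, which needs the
# execute right set above.
run_directly() {
    "$1"
}

# Second way: hand the file to the interpreter, which works even without x.
run_via_bash() {
    "$(command -v bash || echo sh)" "$1"
}

# Demo: build the script in a temporary directory and run it.
demo_dir=$(mktemp -d)
make_hello_script "$demo_dir/hello_world.sh"
exec_right "$demo_dir/hello_world.sh"
run_via_bash "$demo_dir/hello_world.sh"
echo "22/7 as integer: $(int_div 22 7)"
```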

RESULT:
Thus the procedure for exploring Kali Linux and bash scripting was carried out and tested.

Ex.No: 3 Perform open source intelligence gathering using Netcraft, Whois Lookups, DNS
Reconnaissance, Harvester and Maltego

Date :

Aim:
To perform open source intelligence gathering using Netcraft, Whois lookups,
DNS reconnaissance, theHarvester and Maltego.

Identify the hosting provider and IP address


The first thing a bug hunter can do is to use Netcraft to identify the hosting provider and IP
address of a website. This can be done by following these steps:
Step 1) Go to the Netcraft website and select "Site Report" from the top navigation menu.
Refer to the exhibit.
Step 2) In the "URL or IP address" field, enter the website's URL. Let's use tesla.com for
this example.
Step 3) Click on the "Search" button to generate the site report.

On the site report page, scroll down to the "Hosting History" section. This section will
show the hosting provider and IP address of the website.

You can do the above steps by searching a single query in your web browser. Below you
can see the query.


To use a query string for this task, bug hunters can use the following URL:

https://sitereport.netcraft.com/?url=[WEBSITE_URL]

As you can see in the snapshot above, it provides a list of subdomains associated with the
website, along with additional information about their IP addresses and web server
technologies.
Identify the web server technology


The third thing a bug hunter can do is to use Netcraft to identify the web server technology
used by a website.
To use a query string for this task, bug hunters can use the following URL:

https://sitereport.netcraft.com/?url=[WEBSITE_URL]&tbl=server

For example, to search for the web server technology used by Tesla, the query string would
be:

https://sitereport.netcraft.com/?url=tesla.com&tbl=server

Check for phishing sites

To check for phishing sites, bug hunters can use the following query string:

https://sitereport.netcraft.com/?url=[WEBSITE_URL]&tab=phishing

For example, to search for phishing sites associated with Tesla, the query string would be:

https://sitereport.netcraft.com/?url=tesla.com&tab=phishing
Whois Lookup
Whois is a query and response protocol that’s used for querying databases that store the
registered users or assignees of an internet resource, like a domain name, an IP address block
or an autonomous system, etc.
About Whois
Whois is an Internet service and protocol that searches and displays information about a
domain name from repositories of domain name registrars worldwide.

Features:

Identify and search for a specific domain name.

Provides administrative information such as registrar and contact information for the
individual or organization that controls the domain.

Supports searching IP addresses and proprietary intranet systems.

It is an essential resource for maintaining the integrity of the domain name registration and
website ownership process.
WHOIS Lookups:

https://whois.domaintools.com/

https://www.name.com/whois-lookup

Some insights:

Whois Record

It is a record that contains all the basic information associated with the person, group, or
company that registers a particular domain name.

Whois client output

Provides name(s) and phone number(s), physical address and DNS servers, which can be
interrogated.

DNS reconnaissance

DNS reconnaissance is part of the information gathering stage of a penetration test
engagement. When performing DNS reconnaissance, a penetration tester tries to obtain as
much information as possible about the DNS servers and their records.

Standard Record Enumeration

Zone Transfer
The security problem with DNS zone transfer is that it can be used to decipher the topology
of a company's network. Specifically, when a user performs a zone transfer, a DNS query is
sent that lists all DNS information: name servers, host names, MX and CNAME records, the
zone serial number, Time to Live values, etc.

./dnsrecon.py -d <domain> -t axfr
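As an added example (not from the manual, and not dnsrecon's code), here is a check a defender can run on saved `dig @<nameserver> <zone> axfr` output to confirm that their own authoritative server refuses zone transfers; the server name ns1.example.com and both outputs below are constructed samples for the documentation zone example.com.

```shell
# Added example, not from the lab manual. A completed transfer means anyone
# on the internet can list every record in the zone, which is exactly the
# topology leak described above.

# Success (0) when the output is a completed transfer. dig prints the zone's
# SOA record first and again last, so a transfer has at least two SOA lines;
# a refused transfer prints "; Transfer failed." instead.
axfr_allowed() {
    if grep -q 'Transfer failed' "$1"; then
        return 1
    fi
    [ "$(awk '$4 == "SOA"' "$1" | wc -l | tr -d ' ')" -ge 2 ]
}

# Number of records exposed by a completed transfer: drop dig's ";" comment
# lines and blanks, and do not count the repeated closing SOA.
axfr_record_count() {
    if axfr_allowed "$1"; then
        awk '!/^;/ && NF >= 4 { n++ } END { print n - 1 }' "$1"
    else
        echo 0
    fi
}

# One-line verdict for a report or alert.
axfr_verdict() {
    if axfr_allowed "$1"; then
        echo "OPEN: zone transfer allowed"
    else
        echo "OK: transfer refused"
    fi
}

# Constructed sample: a server that allowed the transfer.
open_axfr=$(mktemp)
cat > "$open_axfr" <<'EOF'
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2023021701 7200 900 1209600 3600
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
mail.example.com.       3600    IN      A       192.0.2.25
intranet.example.com.   3600    IN      A       192.0.2.50
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2023021701 7200 900 1209600 3600
;; Query time: 12 msec
EOF

# Constructed sample: a server that refused it.
refused_axfr=$(mktemp)
cat > "$refused_axfr" <<'EOF'
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
EOF

axfr_verdict "$open_axfr"
axfr_verdict "$refused_axfr"
# In BIND the fix lives in named.conf:  allow-transfer { none; };
# or a list holding only your secondary servers' addresses.
```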

Reverse Lookup
According to Wikipedia, a reverse DNS lookup is the determination of the domain name
associated with an IP address. DNSRecon can perform a reverse lookup for PTR (Pointer) records
against IPv4 and IPv6 address ranges. To run reverse lookup enumeration, the command

./dnsrecon.py -r <startIP-endIP>

must be used. A reverse lookup can also be performed against all ranges in SPF records with
the command ./dnsrecon.py -d <domain> -s. In the next image you can see the output
produced by a reverse lookup over a range of IP addresses.
Reverse Lookup
Domain Brute-Force
To perform this technique, all we have to do is give a name list and it will try to
resolve the A, AAAA and CNAME records against the domain by trying each entry one by
one. To run the domain name brute-force we need to type:
./dnsrecon.py -d <domain> -D <namelist> -t brt

Domain Brute-Force

As we can see, we obtained A and CNAME records of the domain cnn.com and their IP
addresses.
Cache Snooping
DNS cache snooping checks whether a DNS server has a specific DNS record cached.
./dnsrecon.py -t snoop -n <server> -D <Dict>

Zone Walking
This technique may unveil internal records if the zone is not configured properly. The
information obtained can help us map network hosts by enumerating the contents of a zone.
To perform zone walking we need to type the command:
./dnsrecon.py -d <host> -t zonewalk

theHarvester

What is theHarvester?
theHarvester is a command-line tool made by the team at Edge-Security. It is a
Python-based tool meant to be used in the initial stages of an investigation, leveraging
open source intelligence (OSINT) to help determine a company's external threat
landscape on the internet.
Passive sources:
Baidu
Bing
dnsdumpster
Duckduckgo

Active:
DNS brute force: dictionary brute force enumeration

Installing
There are 4 different installation methods for theHarvester, including:

From Source (without using Pipenv)
From Source (with Pipenv)

We can now proceed with installing the software by using the third option. As always,
it's important to use some type of sandboxing environment when installing new software.
First, we should update our sandbox and install the software we will need:

sudo apt update
sudo apt upgrade
sudo apt install git python3-venv

Now we can make a Python virtual environment to install the necessary Python packages:

python3 -m venv harvest
cd harvest/
source bin/activate
git clone https://github.com/laramies/theHarvester
cd theHarvester/
pip install wheel
pip install -r requirements/base.txt

We found a minor bug during the installation and had to install the pip package 'wheel'
before installing the other packages from 'base.txt'.
1. Securitycode
Run the following:

python theHarvester.py -d rpfront.com -l 50 -b Securitycode

There is a lot more data here. We found 3 related IPs and 2 hosts.

2. ThreatCrowd
We found no results when using ThreatCrowd as the source.

3. UrlScan
Running:

python theHarvester.py -d rpfront.com -l 50 -b urlscan

We were able to find 5 IPs and 1 host.

Primary OSINT data sources are great for finding IPs and hosts. The good thing is that this
tool offers a big set of sources to choose from; we will now attempt to run more tests using
other third-party services.
With the lack of results, it was a bit concerning that we might be doing something wrong. So
we decided to test out the Hunter API to see if we found any data regarding 'moslempress'
there. Unfortunately, we found nothing there either:

python theHarvester.py -d moslempress.com -l 10 -b hunter

The 2 data sources corroborate what is the current IP address for www[.]moslempress[.]com.

python theHarvester.py -d moslempress.com -l 50 -b all -f moslempress.html

The number of data points here showcases the value of theHarvester.
Maltego
Maltego is software used for open-source intelligence and forensics, developed by Paterva
from Pretoria, South Africa. Maltego focuses on providing a library of transforms for
discovery of data from open sources, and visualizing that information in a graph format.

Maltego is pre-installed in Kali Linux.

You can always download Maltego for Windows, Linux or Mac from the official site.

Maltego has 3 different packs:

1. Community
2. Professional
3. Enterprise
The Community version is free to use; the others are paid and come with more features.

The Application button will open an application menu.

Maltego uses graphs to show the data and information it collects. Now, let's see how
to create a new graph.

Graphs in Maltego

To create a new graph, go to the Application tab and click on New Graph, or select the
New Graph option from the top left corner.

This is what a graph in Maltego looks like. Once you have created a new graph you will get
a fresh page within a new tab, surrounded by a range of control windows.
Now just select the entity you want to perform OSINT on, like a domain name or DNS
system.

People

Groups of people (social networks)

Basically, you can gather information about all the things mentioned above. Just select an
entity.
Here we have selected domain name. Now, just put in any domain you want and click on the
entity.

This will expand all the available information on the domain and show it as a tree, like
below:

Here you can see all the possible DNS records of the domain.
Transform Hub
Now if you right-click after selecting an entity, it will open a context menu, the transform
hub, where you can search for all sorts of things about the domain and fetch the available
information.

Source: maltego.com

This is what a transform hub looks like, and this is just a short part; it has many more options.

This is what you can find with just a domain using this amazing tool.

Result:
Thus open source intelligence gathering using Netcraft, Whois lookups, DNS
reconnaissance, theHarvester and Maltego was performed and learned.
Ex.No: 4 Understand the nmap command -d and scan a target using nmap
Date :

Aim
To read, understand and practise the nmap command -d and scan a target using nmap.

About Nmap
Nmap is a free and open source network exploration and security auditing tool that is widely
used for discovering hosts and services on a computer network.
The command nmap -h displays the help menu for Nmap. It provides a list of
available options and commands that can be used with the nmap command.

The nmap -d command is used to enable debug mode in Nmap. When this option is used,
Scan a target using nmap

Nmap offers various scans; one of the most basic and commonly used is the version
detection scan.
When you use the -sC option, Nmap runs a set of scripts that are deemed safe and
non-intrusive.

nmap -sC -sV 192.168.1.0

Here -s means scan and V means version, so -sV is called version scanning.


This command will perform a UDP scan of the target host at IP address 192.168.0.1. Nmap
will send UDP packets to each port on the target and analyze the responses to determine
which ports are open, closed, or filtered.

Aggressive scan

The -A option in Nmap enables aggressive scanning, which can provide more
information about the target host or network than a regular scan.
nmap -A scanme.nmap.org

Nmap can also scan more than one host or IP address in a single run:

nmap -F scanme.nmap.org www.google.com >> scanned.txt

If you want to view only open ports and services, add the --open option (see below):

nmap -F scanme.nmap.org 192.168.0.1 >> scanned.txt
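An added example (not from the manual) of working with the scanned.txt file the redirects above produce: it parses nmap's normal output format and lists only confirmed-open ports per host, the same view --open gives at scan time. The scan output embedded below is a constructed sample, and the function names are my own.

```shell
# Added example, not from the lab manual. Reads saved nmap normal output.

# Print "host port/proto service" for every port whose STATE is exactly
# "open". UDP results reported as "open|filtered" are deliberately left out,
# because nmap could not confirm them.
open_ports_report() {
    awk '
        # Each host section begins with this header; field 5 is the host.
        /^Nmap scan report for/ { host = $5; next }
        # Port lines look like "22/tcp    open     ssh".
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            printf "%s %s %s\n", host, $1, $3
        }
    ' "$1"
}

# Number of confirmed-open ports in the file, handy for comparing a new
# scan of a host against a saved baseline.
open_port_count() {
    open_ports_report "$1" | wc -l | tr -d ' '
}

# Constructed sample in nmap's normal output format (not a real scan).
sample_scan=$(mktemp)
cat > "$sample_scan" <<'EOF'
Nmap scan report for scanme.nmap.org
Host is up (0.12s latency).
Not shown: 96 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap scan report for 192.168.0.1
Host is up (0.0010s latency).
PORT    STATE         SERVICE
53/tcp  open          domain
53/udp  open|filtered domain
80/tcp  closed        http
EOF

open_ports_report "$sample_scan"
echo "confirmed open ports: $(open_port_count "$sample_scan")"
```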



Parallelism:
Host Group:
If you want to scan multiple hosts at the same time, you can use the minimum and
maximum host group options to make the scan time-efficient:

nmap -sT --min-hostgroup 30 10.10.250.1/24

To show only open ports in the results:

nmap --open www.google.com >> scanned.txt

The host group command above scans a minimum of 30 hosts at the same time.

We can also give a specific maximum host group:

nmap -sT --min-hostgroup 30 --max-hostgroup 100 10.10.250.1/24


Host Timeout:

If you want to scan a host for only a particular period of time, you can do this with the
host timeout option:

nmap -sT scanme.nmap.org --host-timeout 1m

Scan Delay:

Scan delay pauses nmap for the specified time between each probe or request it sends.

This is great when you are dealing with a time-based firewall, rate limiting or an IDS. The
options are --scan-delay and --max-scan-delay:

nmap -sT scanme.nmap.org --scan-delay 12s


In the image below you can see that the first SYN packet arrived at 01:54:53 and the
second SYN packet arrived at 01:55:05 (here you can confirm the 12-second delay).

Packet Rate:

With the packet rate options we can specify how many packets we want to send per second.

There are two options, --min-rate and --max-rate.

Minimum Rate:

nmap -sT scanme.nmap.org --min-rate 2

Now it will send the three packets at the same time, and not less than that.
The first SYN scan was at 02:20:21

The second SYN scan was at 02:20:21

Result :
Thus the nmap command was understood and scanning a target using nmap was practised.

Ex.No: 5 Install Metasploitable2 on VirtualBox and search for unpatched vulnerabilities
Date :

Aim:

To learn and experience installing Metasploitable2 on VirtualBox and searching for
unpatched vulnerabilities.

Metasploitable 2
A test environment provides a secure place to perform penetration testing and security
research.
Downloading and Setting Up Metasploitable 2
The easiest way to get a target machine is to use Metasploitable 2, which is an
intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common
vulnerabilities.
Install Metasploitable2 on VirtualBox

Metasploitable 2 is available at: https://www.vulnhub.com/entry/metasploitable-2,29/

After that, extract the zip file and you will get the blue VDI image file.

Next, open VirtualBox and click New.


Now you will get the virtual machine name and operating system section.

Just name that machine metasploitable2 and change the type to Linux (Debian 64-bit).

Now you will get the hardware section; set the base memory to 512 MB and processors
to 1.
Now you will get the virtual hard disk section. Here you want to click "Use an existing
virtual hard disk file".
Now click Add, add the VMDK file (the Metasploitable virtual disk image file) and
click Choose.

Finally, you get the summary. Just click Finish and start the metasploitable2 machine.

Now you will get the metasploitable2 login; the default username is msfadmin and the
password is msfadmin.
Now metasploitable2 is successfully installed.

Search for unpatched vulnerabilities

First, scan the metasploitable2 machine using Nmap:

nmap -sC -sV 192.168.0.0

Now you will get the version and service details, and in these I have found the FTP service
vulnerable to a backdoor.
So finally we have installed metasploitable2 and found the unpatched vulnerability.

RESULT:
Thus the procedure for installing metasploitable2 on VirtualBox and searching for
unpatched vulnerabilities was carried out and tested.

Ex.No: 6 Use Metasploit to exploit an unpatched vulnerability

Date :

Aim:
To use Metasploit to exploit an unpatched vulnerability inside the system.

Procedure
Metasploit is a popular penetration testing tool that can be used to identify and exploit
vulnerabilities in computer systems and networks.

First, open your Kali Linux terminal.

Next, open Metasploit using the msfconsole command.

Also fire up the metasploitable2 machine, because we are going to exploit that Metasploitable 2
machine using our Metasploit tool.

Next, scan the metasploitable2 machine using Nmap:
nmap -sC -sV 192.168.0.0

Now you will get the version and service details, and using these details I have found the FTP
service vulnerable to a backdoor.

search vsftpd

Now you will get the exploit, so just use that exploit.
Next, view and modify the module options using the show options command.

Here the options are RHOST (remote host address) and LPORT (local port number).

Next, execute the exploit command:

exploit

Now you will successfully exploit that machine and you will get the meterpreter shell.

So finally we used Metasploit to exploit an unpatched vulnerability.


Result:
Thus using Metasploit to exploit an unpatched vulnerability was understood and
practised.

Ex.No: 7 Install Linux server on VirtualBox and install SSH
Date :

Aim :
To learn and experience installing a Linux server on VirtualBox and installing SSH.

Procedure

1. Download Ubuntu 22.04 Server LTS ISO

First, we must have a bootable ISO file of Ubuntu 22.04 Server (Jammy Jellyfish) Linux.
2. Do you have VirtualBox?
Of course, to install an Ubuntu 22.04 server virtual machine on VBox, we also need to have
VirtualBox installed on our existing host operating system.
3. Create Virtual Machine
Once you have installed VirtualBox, or if you already have it, simply run it.

Create New VM
After that click on the “New” button to create a fresh Virtual machine.

Name Virtual Machine


Give some name to your virtual machine such as “Ubuntu 22.04” where select Type- Linux
and version to Ubuntu.

Set RAM for VM


If you are planning to install Ubuntu 22.04 Server with Desktop interface then for good
performance and if your host system allows, then set the RAM to 4GB or less as per your
system configuration.
Create a Virtual Hard disk


Let the “Create a virtual hard disk now” option be selected and move to the next step.

If you have any plan to use the Virtual hard disk later in VMware then go for VMDK
otherwise let the default option VDI be selected.

Also, let the default “Dynamic Allocated” option be selected as it is. Allocate around 30GB
of virtual space.
4. Start Ubuntu 22.04 server Virtual Machine


Finally, once all the above steps are done, you will see a newly created virtual machine on
your VirtualBox. Select that from the left side panel and hit
the Start button.

5. Add Ubuntu 22.04 server ISO to VirtualBox


Now, we need to select the downloaded Ubuntu 22.04 ISO file as a Start-up disk to boot our

Once you have done this, the same ISO image will show in the "ISO Image selection" area.
Scroll to your added Ubuntu 22.04 LTS image and hit the Choose button. Finally, click on
the Start button.

6. Grub Menu to select and boot the OS


Once the virtual machine is started, you will see the Grub menu as the first screen to select
“Try or Install Ubuntu Server” to boot with it
7. Install Ubuntu 22.04 on VirtualBox


Finally, from the installation wizard, select the language, by default it will be English.
In the next step, let the default keyboard layout be selected, and just press the Enter key to
move further.
8. Ubuntu Server standard or minimized


In the next step, the installation wizard will ask you what type of server installation do you
want? It is recommended to let the default option be selected and simply hit
the Enter key.

9. Network Connections VirtualBox


Ubuntu server will automatically identify the connected network and select the same to use.
If you want to customize that then use the arrow key and manually select the Adapter you
want to use.
Skip the Proxy in the next step and hit the Enter key again.

After that again press the Enter key to let the system select the default Ubuntu Mirror to
fetch packages.

10. Erase disk and Install Ubuntu 22.04 server


Now, the system will show the entire attached virtual hard disk where it is planning to install
the Ubuntu server. Use the TAB key to select the DONE option and hit
the Enter key.
11. Set Username and password


Soon, you will have the Profile Setup area from where we can create a user for our Server.

After that, if you want to access the server remotely using the SSH then you can select the
“Install OpenSSH Server” using arrow keys and spacebar otherwise simply select the
“DONE” and move forward because we can install it later.
12. Select the Ubuntu Server package to install (optional)


Do you want to install some popular and common server software packages such as Docker?
Then you can select them here otherwise, leave them unselected and select the Done option.
Move next and the system will start the installation process of the Ubuntu 22.04 server on
VirtualBox as a Virtual Machine.

13. Switch to root user and set a password


As you reboot the Ubuntu server virtual machine, a login interface will appear. Enter the
details of the user you have created while installing it.

Set Ubuntu root user password

sudo -i

passwd

Enter the new password for your root user.


In Ubuntu, you need to install the OpenSSH server package:

sudo apt install openssh-server

After the installation, check the SSH status:


sudo systemctl status ssh

If it is not running, enable and start it manually:

sudo systemctl enable ssh --now
sudo systemctl status ssh

Open SSH port in Firewall


If you have a firewall enabled in your VirtualBox, it may block your SSH connection. You
can find what ports are open with this command:
sudo lsof -i -P -n | grep LISTEN

If you do not find the port 22 among open ports, open it in your firewall:
sudo ufw allow ssh
sudo ufw status verbose

You can also do it using the graphical interface of the UFW firewall.

VirtualBox network settings


To open VirtualBox for SSH connections, we need to change the VirtualBox network
settings to allow the SSH connection.

Then go to Advanced -> Port Forwarding and add these settings:

Name: ssh (or whatever you like)
Protocol: TCP
Host Port: 2222 (or any other port you like)
Guest Port: 22

The IP fields can be left empty.

Similarly, you can also set port forwarding for other interfaces.

Install SSH client

To be able to SSH into the VirtualBox OS, you must have an OpenSSH client installed on
the computer you are going to connect from:

sudo apt install openssh-client

Connect to VirtualBox from the guest OS
Now, connect to the VirtualBox OS using the port 2222 that we set earlier and the
username of your VirtualBox OS:

ssh -p 2222 virtualbox-user-name@localhost

Connect to VirtualBox from another computer


Connecting to VirtualBox from another computer is a little more complicated.

Switch to the Bridge Adapter in VirtualBox


The Bridge Adapter creates a routing that makes your VirtualBox network interface look
like your host network interface.
You need to go to VirtualBox network settings and switch from NAT to Bridge Adapter.

Find out your VirtualBox IP


You can find your VirtualBox IP address, if you run this command:
ip a

Result:

Thus the procedure for installing a Linux server on VirtualBox and installing SSH was
carried out and tested.
Ex.No: 8 Use Fail2ban to scan log files and ban IPs that show malicious signs
Date :

Aim
To understand the use of Fail2ban to scan log files and ban IPs that show malicious
signs.

Procedure
Format of the Logfile
At the simplest logging level, entries will appear in /var/log/fail2ban.log as follows (fail2ban
version 1.0.2):
...
2023-02-17 23:44:17,037 fail2ban.actions [992]: NOTICE [apache-auth] Ban XXX.91.244.228
2023-02-17 23:44:26,259 fail2ban.actions [992]: NOTICE [apache-auth] Unban XXX.122.233.27
2023-02-17 23:54:15,034 fail2ban.actions [992]: NOTICE [apache-auth] Unban XXX.91.244.228
2023-02-18 00:58:41,938 fail2ban.actions [992]: NOTICE [apache-noscript] Ban XXX.239.163.126

This is all very interesting, but what if you want to see a summary report so that you can try
to identify IP addresses that regularly trigger Fail2Ban - so that you can send a report to their
ISP or block them using a firewall script for example?

1. Generating Simple Reports


All of the following commands can be run at the command line or via a script. They are
written for Linux/UNIX systems but may work on other platforms.

Grouping by IP address:

awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log \
| sort | uniq -c | sort -n

Note: the variable NF equals the number of fields in each row of the logfile. So $NF is the
value of the last field.
Sample output:
...
4 XXX.124.81.130
5 XXX.248.175.246
8 XXX.29.45.142

Remember that each time an IP address gets banned it's because they've been caught at least
max failure times, so a total of 8 represents maybe 30 matches in the relevant logfile.

zgrep -h "Ban " /var/log/fail2ban.log* \
| awk '{print $NF}' | awk -F. '{print $1"."$2"."}' \
| sort | uniq -c | sort -n

This is the best report for identifying problem subnets. The output will be the first two bytes
of the most 'caught' subnets:

...
75 83.110.
90 219.95.
154 210.213.

Let's take the last one on the list and see what it's been up to:

zgrep -c " 210.213." /var/log/fail2ban.log*

The output shows how many times those numbers appear in each logfile:

fail2ban.log:39
fail2ban.log.1.gz:129
fail2ban.log.2.gz:55
fail2ban.log.3.gz:78
fail2ban.log.4.gz:22

and which specific IP addresses are involved:

zcat -f /var/log/fail2ban.log* \
| awk '($(NF-1) == "Ban" && $NF ~ /^210\.213\./){print $NF}' \
| sort | uniq -c

The output of this will be a list of the IP addresses starting with 210.213.
Grouping by IP address and Hostname:
The command for including hostnames in the list is a bit more complicated.

awk '($(NF-1) == "Ban"){print $NF,"("$NF")"}' /var/log/fail2ban.log | sort \
| logresolve \
| uniq -c | sort -n

Note that the logresolve command can take some time to execute, especially if there are a
lot of IP addresses to be processed.

...
4 XXX.net.pk (XXX.83.169.221)
5 XXX.248.175.246 (XXX.248.175.246)
8 XXX.example.com.au (XXX.29.45.142)

You can of course just run host, dig, nslookup or logresolve manually on the addresses that
you want to identify.

Group by IP address and Fail2Ban section:

grep "Ban " /var/log/fail2ban.log \
| awk -F[\ \:] '{print $19,$17}' | sort | uniq -c | sort -n

This shows us which services each IP address has been trying to access/exploit:

...
4 XXX.124.81.130 [sendmail]
5 XXX.248.175.246 [sendmail]
8 XXX.29.45.142 [sendmail]

Now you know which logfiles to look in to see what they were doing to get banned.

Reporting on today's activity:


Here's a report I find useful to run before midnight each day to generate a summary of the
day's activity:

grep "Ban " /var/log/fail2ban.log \
| grep $(date +%Y-%m-%d) \
| awk '{print $NF}' | sort \
| awk '{print $1,"("$1")"}' \
| logresolve \
| uniq -c | sort -n

The output will be the same as the second report above, but limited to just today's activity
rather than the whole logfile.

Grouping by Date and Fail2Ban section


This report scans all fail2ban logfiles and gives you a summary of how many ban events
there were for each section on each day:

zgrep -h "Ban " /var/log/fail2ban.log* \
| awk '{print $6,$1}' \
| sort | uniq -c

This can give you an idea of longer-term trends and the effectiveness of your firewall rules.
This method of examining all logfiles rather than just the current one can also be applied to
most of the reports above.

2. Banning an IP block or subnet


If it turns out that a significant portion of 'unwanted' traffic comes from a single ISP then
you should try sending an email to their abuse address, but don't be too hopeful of getting a
response. If the abuse continues then it's time to get strict.

Block a subnet from accessing SSH:

iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX/XX --dport ssh -j REJECT --reject-with tcp-reset

Block a subnet from accessing SMTP (mail):

iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX/XX --dport smtp -j REJECT --reject-with tcp-reset

Block an IP address from HTTP:

iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX --dport http -j REJECT

Block an IP address from FTP (using DROP):

iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX --dport ftp -j DROP

and so on for other services.

In the FTP example we've used the DROP policy instead of REJECT as that causes the
connection to hang for a longer time rather than giving an instant notification that they've
been rejected.

To list the rules currently in the INPUT chain, with line numbers:

iptables -vnL INPUT --line-numbers

At some point (hopefully) the source computer will be 'fixed' or in any case stop abusing
your server. You should then remove the firewall rules.

3. Monitoring the fail2ban log with fail2ban 1.0.2


This is something I've been meaning to investigate for some time now, and there have been a
number of requests for this ability. Can we use fail2ban to block for a longer time (even
permanently)? Yes: add a jail to /etc/fail2ban/jail.local that watches fail2ban's own logfile:

[fail2ban-smtp]
enabled = true
port = smtp
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 6h
bantime = 1d

And then create a file /etc/fail2ban/filter.d/fail2ban-smtp.conf with the following:



[Definition]
failregex = NOTICE [[]sendmail(-\w+)?[]] Unban <HOST>
ignoreregex = [[][-\w]+[]] Ban <HOST> already banned$

Finally start the new jail:

# fail2ban-client add fail2ban-smtp
# fail2ban-client start fail2ban-smtp

With these settings, fail2ban will monitor its own logfile, and if a HOST is banned three
times (maxretry) in six hours (findtime) it will incur a new ban lasting a full 24 hours
(bantime).

4. Test new filters using fail2ban-regex


Whenever you add or change a filter you will want to test that the regular expressions are
correct by running it over an existing logfile.

fail2ban-regex --print-all-matched /var/log/fail2ban.log /etc/fail2ban/filter.d/fail2ban-smtp.conf

The first argument is the logfile to be scanned and the second argument is the filter
configuration file containing the failregex.

If nothing is being matched, or everything is being matched that may suggest a problem with
the regexp. Otherwise, if everything looks ok, you can start the new jail as described above.
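To see what the jail in section 3 actually does before turning it on, here is an added example (not fail2ban's own code and not from the manual). It applies the page's failregex and ignoreregex to sample log lines, lists what fail2ban-regex would report as matched, and replays the maxretry/findtime rule: a host whose sendmail ban is lifted three times within six hours is the one the fail2ban-smtp jail would ban for a day. The <HOST> substitution is simplified (any run of non-space characters; fail2ban's own expression also handles IPv6 and hostnames), and SAMPLE_LOG is constructed.

```python
"""Replay the fail2ban-smtp jail above on sample lines.

Added example, not fail2ban's code. Reproduces the essential filter and jail
logic (failregex with <HOST>, ignoreregex, maxretry, findtime) so the filter
can be tried out much like fail2ban-regex does. SAMPLE_LOG is constructed
and uses documentation addresses.
"""
import re
from datetime import datetime, timedelta

# The filter from /etc/fail2ban/filter.d/fail2ban-smtp.conf above.
FAILREGEX = r"NOTICE [[]sendmail(-\w+)?[]] Unban <HOST>"
IGNOREREGEX = r"[[][-\w]+[]] Ban <HOST> already banned$"
# The jail settings above: three hits within six hours.
MAXRETRY = 3
FINDTIME = timedelta(hours=6)

# Constructed sample. Written with a single space after the level so the
# filter matches exactly as the page gives it (see the note below the code).
SAMPLE_LOG = [
    "2023-02-18 02:00:00,000 fail2ban.actions [992]: NOTICE [sendmail] Unban 203.0.113.10",
    "2023-02-18 02:15:00,000 fail2ban.actions [992]: NOTICE [sendmail] Unban 198.51.100.7",
    "2023-02-18 03:30:00,000 fail2ban.actions [992]: NOTICE [sendmail-auth] Unban 203.0.113.10",
    "2023-02-18 04:00:00,000 fail2ban.actions [992]: NOTICE [apache-auth] Unban 203.0.113.10",
    "2023-02-18 04:30:00,000 fail2ban.actions [992]: NOTICE [sendmail] Ban 203.0.113.10 already banned",
    "2023-02-18 05:10:00,000 fail2ban.actions [992]: NOTICE [sendmail] Unban 203.0.113.10",
    "2023-02-18 09:00:00,000 fail2ban.actions [992]: NOTICE [sendmail] Unban 198.51.100.7",
    "2023-02-18 10:00:00,000 fail2ban.actions [992]: NOTICE [sendmail] Unban 198.51.100.7",
]


def compile_filter(pattern):
    """Turn a fail2ban regex into a Python one: <HOST> becomes a named group."""
    return re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))


def parse_time(line):
    """Timestamp prefix in fail2ban's default log format."""
    return datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")


def matched_lines(lines, failregex=FAILREGEX):
    """What fail2ban-regex --print-all-matched would list for this filter."""
    fail = compile_filter(failregex)
    return [line for line in lines if fail.search(line)]


def find_offenders(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX,
                   maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: time_of_ban} for hosts that reach maxretry hits within findtime."""
    fail = compile_filter(failregex)
    ignore = compile_filter(ignoreregex)
    recent = {}   # host -> timestamps of matches still inside the findtime window
    bans = {}
    for line in lines:
        if ignore.search(line):        # ignoreregex wins over failregex, as in fail2ban
            continue
        m = fail.search(line)
        if not m:
            continue
        host, now = m.group("host"), parse_time(line)
        window = [t for t in recent.get(host, []) if now - t <= findtime]
        window.append(now)
        if len(window) >= maxretry:
            bans.setdefault(host, now)  # first time the threshold was reached
            window = []                 # the counter starts over after a ban
        recent[host] = window
    return bans


if __name__ == "__main__":
    for line in matched_lines(SAMPLE_LOG):
        print("matched:", line)
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"{host} would be banned for 1d at {when}")
```

Note the spacing: fail2ban 1.0.x pads the level name to seven characters, so real lines read "NOTICE  [sendmail]" with two spaces, which the filter's single literal space will not match. That is exactly the kind of mismatch fail2ban-regex (section 4) reports as zero matches; writing the space in failregex as \s+ (NOTICE\s+[[]sendmail) makes the filter work on real logs too. Also note that 203.0.113.10 is only caught because the sendmail-auth Unban counts: the (-\w+)? in the failregex deliberately folds all sendmail jails together.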

Result:
Thus the procedure to use Fail2ban to scan log files and ban IPs that show malicious signs
was developed and learned.

Ex.No: 9 Launch brute-force attacks on the Linux server using Hydra
Date :

Aim
To learn how to Launch brute-force attacks on the Linux server using Hydra.

Procedure

Hydra is a brute-forcing tool that helps penetration testers and ethical hackers crack the
passwords of network services.
How to Install Hydra
Hydra comes pre-installed with Kali Linux and Parrot OS. So if you are using one of them,
you can start working with Hydra right away.
How to Work with Hydra
Let's look at how to work with Hydra. We will go through the common formats and options
that Hydra provides for brute-forcing usernames and passwords.

$ hydra -h

This will give you the list of flags and options that you can use as a reference when working
with Hydra.

How to Perform a Single Username/Password Attack with Hydra


Let’s start with a simple attack. If we have the username and password that we expect a
system to have, we can use Hydra to test it.

Here is the syntax:

$ hydra -l <username> -p <password> <server> <service>

Let's assume we have a user named "molly" with a password of "butterfly" hosted at
10.10.137.76. Here is how we can use Hydra to test the credentials for SSH:

$ hydra -l molly -p butterfly 10.10.137.76 ssh

If it works, here is what the result will look like:

Hydra single username and password



How to Perform a Password Spraying Attack with Hydra


What if we know a password that someone is using, but we are not sure who it is? We can
use a password spray attack to determine the username. First, create a file called users.txt
containing the candidate usernames:

root
admin
user
molly
steve
richard

Now we are going to test who has the password “butterfly”. Here is how we can run a
password spray attack using Hydra.

$ hydra -L users.txt -p butterfly 10.10.137.76 ssh

We will get a similar result to the following output if any of the users match with the given
password. You should also notice that we have used the flag -L instead of -l. -l is for a single
username and -L is for a list of usernames.

Hydra password spraying

How to Perform a Dictionary Attack with Hydra


A dictionary attack is where we have single/multiple usernames and we provide a password
wordlist to Hydra. Hydra then tests all these passwords against every user in the list.
I am going to use the Rockyou wordlist for this example along with the users.txt file we
created in the previous attack. If you are using Kali Linux, you can find the
RockYou wordlist under /usr/share/wordlists/rockyou.txt. Here is the command for a
dictionary attack:

$ hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.10.137.76 ssh

If this attack is successful, we will see a similar result to the other two commands.
Hydra will highlight the successful username/password combinations in green for all the
matches.

How to Use the Verbosity and Debugging Flags in Hydra


Hydra can be awfully quiet when running large brute-force attacks. If we have to make sure
Hydra is doing what it is expected to do, there are two flags we can use. The first is the
verbose (-v) flag, which makes Hydra report its progress and any errors as it runs:

Hydra verbose mode

We can also use the debug (-d) flag to gather even more information. Here is the same result
when using the debug flag:

How to Save Your Results in Hydra


Let's look at how to save results. There is no point in spending hours cracking a password
and losing it due to a system crash.

$ hydra -l <username> -p <password> <ip> <service> -o <file.txt>

More flags and formats


Hydra also offers a few additional flags and formats that will be useful for us as pen testers.
Here are a few:

Service specification
Instead of specifying the service separately, we can use it with the IP address. For example,
to brute force SSH, we can use the following command:

$ hydra -l <username> -p <password> ssh://<ip>

How to resume attacks



If Hydra’s session exits when an attack is in progress, we can resume the attack using the -R
flag instead of starting from scratch.

$ hydra -R

How to use custom ports


Sometimes system administrators will change the default port for a service. For example,
FTP can run on port 3000 instead of its default port 21. In those cases, we can specify the port
using the -s flag.

$ hydra -l <username> -p <password> <ip> <service> -s <port>

How to attack multiple hosts


What if we have multiple hosts to attack? Easy, we can use the -M flag. The host_file.txt will
contain a list of IP addresses or hostnames instead of a single IP address.

$ hydra -l <username> -p <password> -M <host_file.txt> <service>

Targeted combinations
If we have a list of usernames and passwords, we can implement a dictionary attack. But if
we have more information on which usernames are likely to have a set of passwords, we can
prepare a custom list for Hydra.

username1:password1
username2:password2
username3:password3

We can then use the -C flag to tell Hydra to run these specific combinations instead of
looping through all the users and passwords.
Here is the syntax.

$ hydra -C <combinations.txt> <ip> <service>

We have seen how to work with Hydra in detail. Now you should be ready to perform real-
world audits of network services like FTP, SSH, and Telnet.

Result:
Thus the procedure for launching brute-force attacks on the Linux server using Hydra was
launched and tested.

Ex.No: 10 Perform real-time network traffic analysis and data packet logging using Snort
Date :

Aim
To learn how to perform real-time network traffic analysis and data packet logging using
Snort

About Snort

Snort is a widely used open-source intrusion detection and prevention system (IDS/IPS). It is
capable of performing real-time network traffic analysis, detecting various types of network
attacks, and logging data packets for further analysis.

1. Installation and Configuration:

Start by installing Snort on a system of your choice. Snort is available for various operating
systems, including Linux, Windows, and macOS.

2. Rule Configuration:

Snort uses rules to detect and identify various types of network traffic and attacks.
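As an added example (not part of the manual, and not a rule shipped with Snort), here is a local Snort 2 rule that would flag the burst of SSH connection attempts the Hydra exercise above produces. $HOME_NET is Snort's standard variable for the protected network; the sid value is a placeholder in the local-rule range (1000000 and above), and the count and time window are assumptions to tune for your network.

```text
# local.rules (added example): one source opening 10 or more SSH connections
# to the protected network within 60 seconds raises a single alert.
alert tcp any any -> $HOME_NET 22 (msg:"Possible SSH brute force (many connections from one source)"; flags:S; detection_filter:track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
```

The rule is included from snort.conf with a line such as include $RULE_PATH/local.rules, and an alert-to-console run (snort -A console -c /etc/snort/snort.conf -i <interface>) shows the alert while the Hydra attack from Ex.No: 9 is running against a host in $HOME_NET. detection_filter keeps the noise down: a single SYN to port 22 is normal, so only the rate of SYNs from one source is reported.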

3. Real-time Traffic Analysis:

Snort continuously monitors network traffic on the specified interfaces in real time.

4. Alert Generation:

Snort can generate alerts when suspicious or malicious network traffic is detected.

5. Packet Logging:

Snort can log data packets for further analysis and investigation.
Packet logging allows for in-depth analysis of network traffic, identifying attack vectors, and
understanding the nature of network-based threats.

6. Analysis and Response:

The generated alerts and logged packets can be further analyzed using various tools and
techniques.

Result:
Thus real-time network traffic analysis and data packet logging using Snort was done
with the Snort IDS.
