Cyber Security Workshop (BCS453)

List of Experiments:
Module 1: Packet Analysis using Wire shark

1. Basic Packet Inspection: Capture network traffic using Wire shark and analyze basic protocols like HTTP,
DNS, and SMTP to understand how data is transmitted and received.

2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated
connection attempts or unusual communication between hosts.

3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as
command-and-control traffic or data infiltration.

4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to capture
and analyze the packets to demonstrate the vulnerability and the importance of encryption.

5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured packets
to understand how the attack can lead to a Man-in-the-Middle scenario.

Module 2: Web Application Security using DVWA

1. SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can manipulate
input fields to extract, modify, or delete database information.
2. Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web pages.
Show the potential impact of XSS attacks, such as stealing cookies or defacing websites.

3. Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how attackers can
manipulate authenticated users into performing unintended actions.

4. File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA. Show how
attackers can include malicious files on a server and execute arbitrary code.

5. Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-force and
dictionary attacks against weak passwords. Emphasize the importance of strong password policies.
Experiments Beyond Syllabus:

1. Wireshark Lab: Getting Start

2. Wireshark TCP Lab.
3. Wireshark UDP Lab
 Module 1:
Packet Analysis using
Wire shark
 Experiment-1

Basic Packet Inspection

1. Objective:

a. To capture network traffic using Wire Shark

b. Analyze basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted and
received.

2. Procedure:
a. The Main Window: Please refer Annexure - 1

b. Interfaces

c. Capturing Packets (1/3)

 Capturing Packets (2/3)

Capturing Packets (3/3)

Stop Wireshark packet capture.

d. (i) Analyzing Packets

 (ii) IP Packet Example

e. Flow Graph:
f. Applying Filters:
Viva Questions:

1. What is HTTP FTP SMTP and DNS?

2. How does HTTPS works?
3. What are cookies and how are they used in HTTP?
What is the main objective of DNS?
4. Why DNS is important in application layer?
5. What is the importance of DNS in an organization?
 Experiment – 2

Detecting Suspicious Activities

Objectives: Analyze network traffic to identify suspicious patterns, such as repeated connection
attempts or unusual communication between hosts.

Introduction:
Signs of suspicious activity include unusual logins, abnormal access patterns, atypical network traffic,
multiple failed login attempts, unexpected application usage, lateral movement, changes in user
behavior, unusual outbound connections, suspicious system processes, and altered configurations.

Prerequisites: Wireshark TCP Lab and Wireshark UDP Lab.

TCP Connect Scan in a nutshell:

 Relies on the three-way handshake (needs to finish the handshake process).
 Usually conducted with nmap -sT command.
 Used by non-privileged users (the only option for a non-root user).
 Usually has a windows size larger than 1024 bytes as the request expects some data due to the nature of the protocol.

Open TCP port (Connect):

Closed TCP port (Connect):

The above images provide the patterns in isolated traffic. However, it is not always easy to spot the given patterns in
big capture files. Therefore analysts need to use a generic filter to view the initial anomaly patterns, and then it will
be easier to focus on a specific traffic point. The given filter shows the TCP Connect scan patterns in a capture file.
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024

Scan the TCP port 80

The filter below shows the UDP scan patterns in a capture file.
icmp.type==3 and icmp.code==3
UDP port in the 55–70 port range is open:

udp and!(icmp.type==3 and icmp.code==3)

Viva Questions:
How do you detect suspicious network activity?
How does Wireshark detect malicious traffic?
What is detect suspicious networks?
What is a suspicious IP? How do hackers see your IP?
 Experiment – 3
Malware Traffic Analysis

Objectives: Analyze captured traffic to identify signs of malware communication, such as command-
and-control traffic or data infiltration.

Introduction:
Malware is a software or computer program that is used to carry out malicious activity. Malware is made
with the aim of harming user’s device because it can change user’s data, use up bandwidth and other
resources without user's permission. Malware traffic is any network activity that is generated by
malicious software such as viruses, worms, ransomeware or botnets. It can pose a serious threat to the
network security, as it can steal, damage, or disrupt data and systems.

Procedure:
Downloaded the pcap file named 2019–09–25 Trickbot Pcap from Malware-Traffic-Analysis.net Filtered
with basic filter and see suspicious get/post requests.

Follow the TCP stream on www.dchristjan.com and there has been a zip file included in this infection.
Exported the zip file from the pcap. Unzipped the file and used the file command to obtain info.

The file type was .lnk. Most of the time attackers use lnk files with msi packages or hidden .bat files.

Used sha256sum to generate the hash of the file and asked Virustotal. The screen went red after that

By the categorizations, I knew that this was only a downloader. Hovering over to the relations there were
the network IOCs I was looking for. We have seen the solar.php earlier when filtering for HTTP traffic.
Click the objects and saved the solar.php after that. When trying to open the file on Vscode it implied
that the file was unsupported. Opened and used the file command on solar.php and discovered that
solar.php is actually a Windows executable.

The C2 server is another IP address that we found earlier with basic filtering;

There is an unusual traffic between 170[.]238.117.187 over 8082 and by following the TCP stream you
may see that a malicious executable sent information about the pc named BACHMANN-BTO-
PC_W617601 with the POST method to C2 server.

On the screenshot, there is a GET request to 185[.98.87.185 requesting a .png file. Since there is no
HTML request it is a bit suspicious. I followed the TCP stream and it turned into a Windows executable
too.
So in our analysis, we have found that malware downloads more malware in a Quickbot infection.

Wireshark is a tool that allows security analysts to capture and inspect network traffic in real-time. By
analyzing the traffic captured with Wireshark, experts can gain insights into the activities of malware,
such as command and control (C&C) communications, data exfiltration, or exploit attempts.

Viva Questions:
1. What is malware traffic?
2. How to do malware analysis in Wireshark?
3. What is API in malware analysis?
4. What is the first step in malware analysis?
5. Is malware analysis hard?
 Module 2:
Web Application Security using
DVWA
Introduction: Damn Vulnerable Web App (DVWA)

This package contains a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an
aid for security professionals to test their skills and tools in a legal environment, help web developers
better understand the processes of securing web applications and to aid both students & teachers to learn
about web application security in a controlled class room environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of
difficulty, with a simple straightforward interface. Please note, there are both documented and
undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and
discover as many issues as possible.
WARNING: Do not upload it to your hosting provider’s public html folder or any Internet facing
servers, as they will be compromised.

Pre-Requisites to install DVWA

Already have a Kali Linux Server Up and Running.

Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications and aid
teachers/students to teach/learn web application security in a class room environment.

Attacks Covered in DVWA

● Brute Force
● Command Execution
● CSRF
● File Inclusion
● SQL Injection
● SQL Injection (Blind)
● Shell Uploading
● XSS ( Reflected )
● XSS ( Stored)

Benefits of DVWA –
 Experiment:5
Wireshark Lab: Ethernet and
ARP v8.0
Supplement to Computer Networking: A Top-Down Approach,
8th ed., J.F. Kurose and K.W. Ross

“Tell me and I forget. Show me and I remember. Involve me and I

understand.” Chinese proverb

© 2005-2020, J.F Kurose and K.W. Ross, All Rights Reserved

In this lab, we’ll investigate the Ethernet protocol and the ARP protocol. Before
beginning this lab, you’ll probably want to review sections 6.4.1 (Link-layer
addressing and ARP) and 6.4.2 (Ethernet) in the text1. RFC 826 (ftp://ftp.rfc-
editor.org/in- notes/std/std37.txt) contains the gory details of the ARP protocol, which
is used by an IP device to determine the IP address of a remote interface whose
Ethernet address is known.

1. Capturing and analyzing Ethernet frames

Let’s begin by capturing a set of Ethernet frames to study. Do the following2:

 First, make sure your browser’s cache is empty. To do this under Mozilla Firefox V3, select
Tools->Clear Recent History and check the box for Cache. For Internet Explorer, select Tools-
>Internet Options->Delete Files. Start up the Wireshark packet sniffer
 Enter the following URL into your browser http://gaia.cs.umass.edu/wireshark-
labs/HTTP-ethereal-lab-file3.html Your browser should display the rather lengthy
US Bill of Rights.

1
References to figures and sections are for the 8th edition of our text, Computer Networks, A Top-down Approach, 8th ed.,
J.F. Kurose and K.W. Ross, Addison-Wesley/Pearson, 2020.
2
If you are unable to run Wireshark live on a computer, you can download the zip file
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ethernet--ethereal-trace-1. The traces in
this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated
in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the
File pull down menu, choosing Open, and then selecting the ethernet-ethereal-trace-1 trace file. You can then use this
trace file to answer the questions below.
 Stop Wireshark packet capture. First, find the packet numbers (the leftmost
column in the upper Wireshark window) of the HTTP GET message that was sent
from your computer to gaia.cs.umass.edu, as well as the beginning of the HTTP
response message sent to your computer by gaia.cs.umass.edu. You should see
a screen that looks something like this (where packet 4 in the screen shot below
contains the HTTP GET message)
  Since this lab is about Ethernet and ARP, we’re not interested in IP or higher-
layer protocols. So let’s change Wireshark’s “listing of captured packets” window
so that it shows information only about protocols below IP. To have Wireshark
do this, select Analyze->Enabled Protocols. Then uncheck the IP box and select
OK. You should now see a Wireshark window that looks like:

In order to answer the following questions, you’ll need to look into the packet
details and packet contents windows (the middle and lower display windows
in Wireshark).

Select the Ethernet frame containing the HTTP GET message. (Recall that
the HTTP GET message is carried inside of a TCP segment, which is
carried inside of an IP datagram, which is carried inside of an Ethernet
frame; reread section 1.5.2 in the text if you find this encapsulation a bit
confusing). Expand the Ethernet II information in the packet details
window. Note that the contents of the Ethernet frame (header as well as
payload) are displayed in the packet contents window.
Answer the following questions, based on the contents of the Ethernet frame
containing the HTTP GET message. Whenever possible, when answering a
question you should hand in a printout of the packet(s) within the trace that
you used to answer the question asked. Annotate the printout3 to explain
your answer. To print a packet, use File->Print, choose Selected packet
only, choose Packet summary line, and select the minimum amount of
packet detail that you need to answer the question.

1. What is the 48-bit Ethernet address of your computer?

2. What is the 48-bit destination address in the Ethernet frame? Is this the
Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has
this as its Ethernet address? [Note: this is an important question, and one that
students sometimes get wrong. Re-read pages 468-469 in the text and make
sure you understand the answer here.]
3. Give the hexadecimal value for the two-byte Frame type field. What upper
layer protocol does this correspond to?
4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in
“GET” appear in the Ethernet frame?

Next, answer the following questions, based on the contents of the Ethernet
frame containing the first byte of the HTTP response message.
5. What is the value of the Ethernet source address? Is this the address of your
computer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has
this as its Ethernet address?
6. What is the destination address in the Ethernet frame? Is this the Ethernet
address of your computer?
7. Give the hexadecimal value for the two-byte Frame type field. What upper
layer protocol does this correspond to?
8. How many bytes from the very start of the Ethernet frame does the ASCII “O” in
“OK” (i.e., the HTTP response code) appear in the Ethernet frame?

3
What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout
you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what
you ‘ve highlight. If you hand in an electronic copy, it would be great if you could also highlight and
annotate.
2. The Address Resolution Protocol
In this section, we’ll observe the ARP protocol in action. We strongly
recommend that you re-read section 6.4.1 in the text before proceeding.

ARP Caching

Recall that the ARP protocol typically maintains a cache of IP-to-Ethernet

address translation pairs on your comnputer The arp command (in both
MSDOS and Linux/Unix) is used to view and manipulate the contents of
this cache. Since the arp command and the ARP protocol have the same
name, it’s understandably easy to confuse them. But keep in mind that they
are different - the arp command is used to view and manipulate the ARP
cache contents, while the ARP protocol defines the format and meaning of
the messages sent and received, and defines the actions taken on message
transmission and receipt.

Let’s take a look at the contents of the ARP cache on your computer:

 MS-DOS. The arp command is in c:\windows\system32, so type either “arp” or

“c:\windows\system32\arp” in the MS-DOS command line (without quotation
marks).
 Linux/Unix/MacOS. The executable for the arp command can be in various
places. Popular locations are /sbin/arp (for linux) and /usr/etc/arp (for some
Unix variants).

The Windows arp command with no arguments will display the contents of
the ARP cache on your computer. Run the arp command.

9. Write down the contents of your computer’s ARP cache. What is the meaning
of each column value?

In order to observe your computer sending and receiving ARP messages,

we’ll need to clear the ARP cache, since otherwise your computer is likely to
find a needed IP-Ethernet address translation pair in its cache and
consequently not need to send out an ARP message.

 MS-DOS. The MS-DOS arp –d * command will clear your ARP cache. The –d flag
indicates a deletion operation, and the * is the wildcard that says to delete all
table entries.
 Linux/Unix/MacOS. The arp –d * will clear your ARP cache. In order to run this
command you’ll need root privileges. If you don’t have root privileges and can’t
run Wireshark on a Windows machine, you can skip the trace collection part of
this lab and just use the trace discussed in the earlier footnote.
Observing ARP in action

Do the following4:

 Clear your ARP cache, as described above.

 Next, make sure your browser’s cache is empty. To do this under Mozilla Firefox
V3, select Tools->Clear Recent History and check the box for Cache. For Internet
Explorer, select Tools->Internet Options->Delete Files.
 Start up the Wireshark packet sniffer
 Enter the following URL into your browser
http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-lab-file3.html
Your browser should again display the rather lengthy US Bill of Rights.
 Stop Wireshark packet capture. Again, we’re not interested in IP or higher-
layer protocols, so change Wireshark’s “listing of captured packets” window so
that it shows information only about protocols below IP. To have Wireshark do
this, select Analyze->Enabled Protocols. Then uncheck the IP box and select
OK. You should now see an Wireshark window that looks like:

4
The ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip
was created using the steps below (in particular after the ARP cache had been flushed).
In the example above, the first two frames in the trace contain ARP messages
(as does the 6th message). The screen shot above corresponds to the trace
referenced in footnote 1.

Answer the following questions:

10. What are the hexadecimal values for the source and destination addresses in
the Ethernet frame containing the ARP request message?
11. Give the hexadecimal value for the two-byte Ethernet Frame type field.
What upper layer protocol does this correspond to?
12. Download the ARP specification from
ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed
discussion of ARP is also at
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.
a) How many bytes from the very beginning of the Ethernet frame does
the ARP opcode field begin?
b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP request is made?
c) Does the ARP message contain the IP address of the sender?
 d) Where in the ARP request does the “question” appear – the Ethernet
address of the machine whose corresponding IP address is being queried?
13. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the
ARP opcode field begin?
b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP response is made?
c) Where in the ARP message does the “answer” to the earlier ARP request
appear – the IP address of the machine having the Ethernet address whose
corresponding IP address is being queried?
14. What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP reply message?
15. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-
labs/wireshark-traces.zip. The first and second ARP packets in this trace correspond
to an ARP request sent by the computer
running Wireshark, and the ARP reply sent to the computer running
Wireshark by the computer with the ARP-requested Ethernet address. But
there is yet another computer on this network, as indicated by packet 6 –
another ARP request. Why is there no ARP reply (sent in response to the
ARP request in packet 6) in the packet trace?

Extra Credit

EX-1. The arp command:

arp -s InetAddr EtherAddr

allows you to manually add an entry to the ARP cache that resolves the IP
address InetAddr to the physical address EtherAddr. What would happen
if, when you manually added an entry, you entered the correct IP address,
but the wrong Ethernet address for that remote interface?

EX-2. What is the default amount of time that an entry remains in your ARP
cache before being removed. You can determine this empirically (by
monitoring the cache contents) or by looking this up in your operation
system documentation. Indicate how/where you determined this value.
 Module 2:
Web Application Security
using
DVWA
Introduction: Damn Vulnerable Web App (DVWA)

This package contains a PHP/MySQL web application that is damn vulnerable. Its main goal is
to be an aid for security professionals to test their skills and tools in a legal environment, help
web developers better understand the processes of securing web applications and to aid both
students & teachers to learn about web application security in a controlled class room
environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various
levels of difficulty, with a simple straightforward interface. Please note, there are both
documented and undocumented vulnerabilities with this software. This is intentional. You are
encouraged to try and discover as many issues as possible.
WARNING: Do not upload it to your hosting provider’s public html folder or any Internet facing
servers, as they will be compromised.

Pre-Requisites to install DVWA

Already have a Kali Linux Server Up and Running.

Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a class room environment.

Attacks Covered in DVWA

● Brute Force
● Command Execution
● CSRF
● File Inclusion
● SQL Injection
● SQL Injection (Blind)
● Shell Uploading
● XSS ( Reflected )
● XSS ( Stored)

Benefits of DVWA –

● Hacking anything without the permission is a Crime. So as a student or beginners from

where you got this permission so you can use this. For advanced users to sharpen their skill
DVWA is the best platform.
● In DVWA you do not have to take permission from others, you can simply install this in
a virtual environment and start using it.
● It is very simple to install.
● This is the best place to do hacking.
● In fact, this is running in your local environment and it is totally legal.
As well as being vulnerable, DVWA has some other features which aid in the teaching or
learning of web application security. DVWAs Security features can be divided into two parts,
one is the security levels and the other is PHP-IDS.
The security levels are named low, medium, high and impossible. Each level changes the
vulnerability state of DVWA throughout the application. By default when DVWA is loaded the
security level is set to Impossible.
PHP-IDS is a popular PHP Intrusion Detection System (IDS) also known as a Web Application
Firewall (WAF). PHP-IDS works by filtering any user supplied input against a blacklist of
potentially malicious code. PHP-IDS is used in DVWA to serve as a live example of how WAFs
can help improve security in web applications and in some cases how WAFs can be
circumvented.
The first step is to download the source code of DVWA application from one of the best open
source repository database i.e. Github by typing the following command in your terminal:
Command: git clone https://github.com/ethicalhack3r/DVWA
Note: Make sure that, you must download the above package of DVWA inside /var/www/html
directory.

Setup a Vulnerable Web Server DVWA in Kali Linux local host.

How to Setup
Setting up vulnerable server is very easy. Now we set up DVWA in our kali Linux machine.
DVWA is designed for practice some most common web vulnerability. It is made with PHP and
MySQL.
Lets’s Start
In Linux environment localhost files are stored in /var/www/html directory, so we open a
terminal and change our directory to that directory using following command:

Here we clone DVWA from it’s Github repository. To clone it we run following command:

After the cloning complete, we rename the DVWA to dvwa (it is not necessary but it will save
our effort).

Then we change the permission on dvwa directory by using following command:-

Now we have to setup this web application to run properly for that we have to go into
/dvwa/config directory.
In the above screenshot we can see the config.inc.php.dist file. This file contains default
configuration. We need to make a copy of this file with .php extension name, we are coping this
file because in future if anything goes wrong then we have the default values. So we copy this
file with .php extension name using following command:-

Edit this config.php file

The Screenshot is following :-

We will make changes in this part the p@ssw0rd to pass and the user from root. see the
following screenshot:-

Then we save and exit.

The next is configuring the database.

Here we have opened a new terminal window closing the previous one. We start the mysql at
first using following command:-
If there are no errors that means the service is started.

Now let’s login to mysql using following command:-

Now to setup a database, we start with creating a new user by applying following command.
create user 'user'@'127.0.0.1' identified by 'pass';
Here using this command we are creating a user called ‘user’ running server on
127.0.0.1(localhost) and the password is ‘pass’. Remember that this username and password
should exactly same as the password and username we have entered in the configuration file of
dvwa web application.

In the screenshot we can see the query is OK. That means the user is created.

Then we grant this user all the privileges over the database. For that we type following
command:-
grant all privileges on dvwa.* to 'user'@'127.0.0.1' identified by 'pass';

Yes, we have finished the work of database, now we configure the server. For this we need to
configure our apache2 server. Let’s change our directory to /etc/php/7.4/apache2

Here we are using version 7.4, if we use another version then the path might be change.
cd /etc/php/7.4/apache2
Here we configure the php.ini file.
We need to change the allow_url_fopen and allow_url_include values. We set both of them
‘On’. In some cases when we are first time configuring it, we might find that one of this or both
of this configuration is set to ‘Off’. We have turned both of these configuration to ‘On’, as the
following screenshot:-
Then we save and close the file.

Then we start the apache2 server using following command:-

service apache2 start
Let’s open the browser and navigate to 127.0.0.1/dvwa/ first open will open the setup.php as
shown in the screenshot.

Here we scroll down and click on “Create/Reset Database”.

Then it will create and configure the database and we redirected to DVWA login page.
The default login is
● Username:- admin
● Password:- password
After login we are in Damn Vulnerable Web Applications main page. Here is some general
information and warnings.
On the left side we can see lots of vulnerable pages are available we can practice here.

DVWA have different security levels to change those we navigate to DVWA security. There are
some security levels low, medium, high, impossible. We can choose difficulty as we need.
Now we can run penetration testing tools and techniques in our localhost.
This is how we can setup DVWA, Damn Vulnerable Web Application in our Kali Linux
system.
 Experiment – 1

SQL Injection

Objectives:

a. To practice SQL injection attacks using DVWA.

b. Demonstrate how an attacker can manipulate input fields to extract, modify or delete
database information

Introduction:
SQL injection is a technique used to extract user data by injecting web page inputs as
statements through SQL commands. Basically, malicious users can use these instructions to
manipulate the application’s web server.

1. SQL injection is a code injection technique that can compromise your database.
2. SQL injection is one of the most common web hacking techniques.
3. SQL injection is the injection of malicious code into SQL statements via web page
input.

Requirements:
● Xampp/Wamp Server
● DVWA Lab
● Kali Linux: Burp suite, SQLmap tool

Now open the DVWA in your pc and log in with following credentials:
Username – admin
Password – password
Click on DVWA Security and set Website Security Level low
From the list of vulnerability select SQL Injection for your attack.
Type user ID: 1 in the text box. Don’t click on submit button without setting browser proxy. Set
your browser proxy to make burp suite work properly.
The flaw in the code you provided is that it is vulnerable to SQL injection
attacks. The vulnerability arises from directly concatenating user input into
the SQL query without proper sanitization or parameterization.

Here’s an explanation of the flaw and the recommended solution:

In the code, the variable $id is retrieved from the user input without any
validation or sanitization. It is then directly concatenated into the SQL query
string:

$id = $_REQUEST['id'];
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

This allows an attacker to manipulate the value of $id and inject

malicious SQL code, potentially leading to unauthorized access, data
leakage, or even complete loss of data.
This means that the query that was executed back in the database was
the following:

1' OR '1'='1'#

'UNION SELECT table_name, NULL FROM information_schema.tables --

'UNION SELECT column_name, NULL FROM information_schema.columns WHERE
table_name= 'users' --

Now we can see we got both username and encrypted password.

'UNION SELECT user, password FROM users --

Medium
We will intercept the request and send it to the repeater.
Edit id=1 to this code then send it and we can see the results in response.

1 UNION SELECT user, password FROM users --

High

For high level, after clicking the “here to change your ID”, we can see a window where we can

insert our malicious code.

' UNION SELECT user, password FROM users --

After submitting the code, we can get usernames and passwords.

Viva Questions:
1 What is SQL injection in DVWA?
2. Why is it called SQL injection?
3. What is SQL command?
4. Which tool is used for SQL injection attack?
5. What is the weakness of SQL injection?
 Experiment – 2

Cross – Site Scripting (XSS)

Objectives:

a. Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web pages.
b. Show the potential impact of XSS attacks, such as stealing cookies or defacing
websites

Introduction: Cross Site Scripting (XSS):

Cross Site Scripting or XSS is the most critical vulnerabilities in web applications. XSS allows
the attacker to send malicious scripts or code to the victim's computer system. With that code
injection can come numerous malicious activities.
If an application is vulnerable to XSS, the hacker can develop a URL that includes malicious
code and pass the code to the app as a legitimate user. When the user clicks on the link sent by
the hacker, the request is sent to the app. The code or script is generated on the server, sent to the
user's browser and is executed.

The classic Proof of Concept (POC) for XSS is to use JavaScript to trigger an alert box when the
script is run in the user's browser. This in itself is not malicious, but only indicates that the
application is vulnerable to injecting code.

XSS Payloads:

XSS can deliver multiple types of payloads. Javascript is powerful and flexible and therefore is
capable of delivering a wide range of malicious payloads. Some of the payloads include;
1. Pop up alerts
2. Hijacking session identifiers
3. Downloading and installing software
4. Redirecting to a different URL
5. Installing a keylogger
4. Invoking a reverse shell such as the Metasploit meterpreter
5. Launching client side attacks

Types of XSS

XSS is often divided into at least two types;

1. Reflective or Non Persistent
2. Persistent or Stored
Reflective XSS usually involves code that is "reflected" back to the web page and does not
persist after one use. Persistent or Stored XSS, as the name implies, is stored within the
application and can be run multiple times by multiple users.
In the following section, we will be using the DVWA to demonstrate such attacks and
vulnerabilities.

Step 1: Connect to the DVWA

To start, boot up a system running DVWA. Then, connect to the DVWA with your browser from
your Kali system.

Step 2: Set Security to Low

Using some simple XSS that is usually sanitized by modern secure web applications. For
demonstration purposes we are disabling that sanitizing process. For that reason, we need to set
the security level on our DVWA to "low".

Step 3: Reflected XSS Attacks

To perform a Reflected XSS, the victim must perform some action such as clicking on a link,
doing a search or some other functionality. The victim must also be logged into the application
when they click on the link.
To start, navigate to the Reflected XSS page in DVWA as seen below.

Now, go ahead and enter your name. I entered my name in the form "Occupy the web".

As one can see above, the application comes back and greets me "Hello Occupy the web" after
hitting Submit.

This time we will enter some script and see whether we can get the application to execute it. The
script to enter is;

<script>alert("Hello Hackers-Arise ") </script)

A cursory examination of this script reveals that we are triggering an alert box and having the
alert box say "Hello Hackers Arise"

So, instead of entering our name into the form, let's enter this script.
Now, hit Submit.

As you can see, the script was executed and an alert box was triggered with the message "Hello
Hackers-Arise". Clearly, this application is vulnerable to a Reflected XSS attack!
Reflected XSS is a one-time attack. Whoever clicks on the link will have the script executed in
their browser.

Step 4: URL Address Bar Attack

When we ran the Reflected XSS, you can see that the URL created by the attack changed. We
could use this URL that was created to execute the attack. The attacker could send this link to
the victim to execute the attack. To demonstrate, simply copy and paste the URL and enter it into
another tab in your browser.

As you can see, it works equally well to trigger the Reflected XSS attack.
Step 5: Attacking Session Cookies

Although generating a pop-up alert box is interesting and proves the concept, it really does not
provide the attacker anything of value. What if we could have the alert box grab the session
cookie of the victim? In this way, the attacker could then use the cookie to authenticate against
the app as the legitimate user.
In this case, we will create a script that generates an alert, grabs the session cookie and displays
it.
The following script should do just that.
<script>alert(document.cookie)</script>
As you can see, when we run this script, the application grabs and displays the users session ID
that then could be used to authenticate the attacker to the application!

Step 6: Persistent or Stored XSS Attacks

The persistent or stored XSS is very different from the Reflected XSS attack. Most importantly,
the attacker does not need to social engineer the victim to click on a URL, but rather stores the
malicious code into the application. In this way, every one who visits the malicious web page
will fall victim to this attack.

Persistent XSS attacks are far more malicious and damaging than reflected attacks. They are
capable of attacking numerous victims and implanting malware or other payloads into the target
system.
Let's start by clicking on the DVWA Stored Cross Site Scripting app.
This app represents a "Guest Book" of a web app where each user can enter their name and
comments. Obviously, a Guest Book will store the information entered into a back-end database
(MySQL in this case). If we can send a script to that back-end database, our script will be stored
there and run time and time again as people visit and use the Guest book.

Let's begin by entering our name, OTW. Then let's enter a bit of Javascript.

<script>alert("Hackers-Arise is BEST")</script>

If this script runs, it will open an alert box stating the obvious "Hackers-Arise is BEST".

When we click "Sign Guestbook", an alert box opens stating what we all know to be true.

As the application stores this information into the back-end database, we may be able to get that
script to run whenever anyone logs into the Guestbook.

Let's test that by entering as a different Guest and enter a different message. In this case, I will
enter as "John Doe" and leave a message "I'm so happy to be here".
When John Doe clicks to "Sign Guestbook" they get the same message that "Hackers-Arise is
BEST". Our XSS has persisted in the database and every guest will now be greeted with our
message!

Cross Site Scripting (XSS) is one of the most important and malicious vulnerabilities in web
applications. These attacks are capable of injecting any number of malicious payloads into the
victim's browser and ultimately into their computer system.

Viva Questions:

1. What is Cross Site Scripting?

2. What are the types of XSS attacks?
3. What do mean by reflective XSS?
4. Define Persistent XSS. Why is it called Stored XSS?
5. Are all web applications vulnerable to XSS attacks? Why or why not?
6. Is it possible to prevent XSS in most cases without any user interaction?
 Experiment – 3

Cross – Site Request Forgery (CSRF)

Objectives:

Set up a CSRF attack in DVWA to demonstrate how attackers can manipulate authenticated
users into performing unintended actions

Introduction:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted
actions on a web application in which they’re currently authenticated. With a little help of social
engineering (such as sending a link via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker’s choosing. If the victim is a normal user, a
successful CSRF attack can force the user to perform state changing requests like transferring
funds, changing their email address, and so forth. If the victim is an administrative account,
CSRF can compromise the entire web application.

Before going into implementation, it would be nicer to understand why and how the attacks
work. To elaborate, first, we need to know what HTTP protocol is. HTTP protocol (a.k.a Hyper
Text Transfer Protocol) is a network protocol for the web applications.

It works as following:

Clients ask for HTTP request to server, and server responds to the client by giving status code.
However, it is very important to notice that HTTP is stateless. That is, there is no record of
previous interactions and thus, users have to go through the authentication/verification process
whenever they make a new request. Think of checking email. Though you have definitely logged
into google to check your email, you have to log in again when you check your mailbox. What a
big inconvenience! And this is where the session and cookie come in.

Two things to know. The first cookie, and second session. cookie contains data in form of
dictionary for purpose of transferring data between client and server. And session is to have a
state, allowing to maintain a particular state until closing the browser. The basic idea is
following:

Once accessing to web application, cookie is stored at local hard disk and session ID is
generated, and session ID is also stored in cookie. if clients try to access again, cookie with
session ID is transferred to web server to give false impression that clients have been
maintaining the state.

Changing Password with CSRF using DVWA

As the default setting is set to be impossible, please change its security to be low.

First, we need to know how the process normally works. Please select CSRF from the menu bar,
and try to change the password. Accordingly, you can find the HTTP request on Burp-suite as
following.
Get method to transfer new password being used

User can notice that Get method is used to transfer passwords without any encryption. What we
are going to do is that by exploiting data from HTTP request, we aim to change the password of
the victim as we have previously set.

To make it a bit realistic, I sent an e-mail claiming that I won a lottery to myself (victim) with
HTML containing a malicious request. Like this. (you can find sample HTML file(csrf.html)

below is the part of the code to make request to server.

As seen in the figure attached above, the code is written in JavaScript and the very same
parameters that we obtained from Burp-Suite is used.

Once the receiver (me) found the e-mail and clicked the provided link, you can find that Get
request is transferred to web server and the password of the innocent receiver has been
simultaneously changed. The thing is unless specifically notified of changing password, the
victim is very unlikely to notice the change. While I have made a button to make change visible,
You may try to use on load function.
On left, you can find request has successfully transferred / On right is the screen of csrf.html

In order to launch an attack successfully, it is necessary that the victim should be logged in.

Try to distinguish between normal request (left) and malicious request(right)

The grounds for a successful attack lie on the cookie. As seen above, the same cookie has been
used, meaning that web server has no choice but to treat the malicious requests as equally as
normal requests. Also, you can notice that the parameter for changing password and referer,
origin indicating where the request came from have been changed.
Next, we will try to hack medium level. In medium level, web server tries to protect itself from
being attacked by checking ‘referer’.
Changing security level to medium — it checks ‘referer’

You can see that an identical attack used for low security does not work as intended. You can
check this on Burp-suite (click the response tab for the request and go to render.

Checking the response — it fails to change password

However, checking the referer cannot be an ultimate solution because attack can be implemented
on the very particular web server, thus avoiding the protection scheme. Moreover, if you look
into the code, it can be shown that protection will become useless if the attacker include web
server address.

Changing file name makes attack successful!

DVWA provides one of ideal solution to protect password from CSRF attack. That is, to require
users to provide current password. It can be seen if you change security level to impossible.

If the attacker implements CSRF only attack, there is no way for him to get current password. As
he cannot extract current password, the attack is never going to happen.

Viva Questions:

1. What is CSRF?
2. How do you check if your application is vulnerable to CSRF attacks?
3. What’s the difference between XSS and CSRF?
4. In what ways can you mitigate CSRF risks?
5. Mentioned some examples of how a CSRF attack might occur?
 Experiment 4:

File Inclusion Vulnerabilities

Objectives:

a. To Explore remote and local file inclusion vulnerabilities in DVWA.

b. To show how attackers can include malicious files on a server and execute arbitrary code

Definition: File Inclusion Attack

It is an attack that allows an attacker to include a file on the web server through a php script. This
vulnerability arises when a web application lets the client submit input into files or upload files
to the server. A file include vulnerability is distinct from a generic Directory Traversal Attack, in
that directory traversal is a way of gaining unauthorized file system access, and a file inclusion
vulnerability subverts how an application loads code for execution. Successful exploitation of a
file include vulnerability will result in remote code execution on the web server that runs the
affected web application.

This can lead to the following attacks:

1. Code execution on the web server

2. Cross Site Scripting Attacks (XSS)
3. Denial of Service (DOS)
4. Data Manipulation Attacks

Types:

a) Local File Inclusion

b) Remote File Inclusion

LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim
machine. This can be very dangerous because if the web server is misconfigured and running
with high privileges, the attacker may gain access to sensitive information. If the attacker is able
to place code on the web server through other means, then they may be able to execute arbitrary
commands.

RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local
machine, the attacker is able to execute code hosted on their own machine.
Remote File inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often
found in poorly-written web applications. These vulnerabilities occur when a web application
allows the user to submit input into files or upload files to the server.
a. Local File Inclusion in Action

Difficulty: LOW
Now start your machine and login to DVWA, then go to DVWA security tab and change the
difficulty level to low.

Go to file inclusion tab and change the URL from incude.php to ?page=../../../../../../etc/passwd.
change the URL from?page=../../../../../../etc/passwd to ?page=../../../../../../proc/version.

Difficulty: MEDIUM
Now, go on and try the exploits we used in low difficulty. You will notice that you can’t read
files like before using the directory traversal method. So, as you can see in the below snapshot of
source page, the server is more secure and is filtering the ‘../’ or ‘..\’pattern. Let’s try to access
the file without ‘../’ or ‘..\’.

Change include.php to /etc/passwd

Now,change the URL from?page=/etc/passwd to ?page=/proc/version.

As you can see, it worked by directly entering the name of the file. Let’s level up the difficulty to
HIGH.

Difficulty: HIGH
Change the difficulty to HIGH and try all exploits from medium difficulty, and you’ll notice
none of them will works because the target is more secure, as it is only accepting “include.php”
or inputs starting with the word “file”. If you try anything else, it will show “File not
Found”.

In this level of security, we can still gather sensitive info using the “File” URI scheme. (because
it starts with the word “file”)
Change the URL from include.php to ?page=file:///etc/passwd

You will get the data of /etc/passwd file.

This is how you can exploit file inclusion vulnerability using local files on the web server.
Remote File Inclusion in Action

Now, let’s try to exploit this vulnerability using remote files hosted on the attacker machine.
Difficulty: LOW
Now, Let’s start with the Low difficulty.
Change the difficulty to low and go to file inclusion tab.
Let’s change include.php to http://www.google.com so the final URL will look something like
this,
?page=http://www.google.com

Difficulty: MEDIUM
Change the difficulty to medium and check as we did it in the low difficulty. You’ll notice, it’s
not working anymore. The target is now filtering “http” and “https” as shown in source page.
So try the attack with “HTTP” (in CAPS) or any one word in caps like I used as shown in
snapshot (httP)and it’ll work.

?page=httP://imdb.com

Difficulty: HIGH
We can’t exploit the high difficulty using RFI as we can see in source page, we know that the
target web-server is only accepting “include.php” or anything that’s starting with the word “file”
that’s why we can’t include anything from an outside server.

Points to Secure against File Inclusion Vulnerability:

a) Strong Input Validation.

b) A white list of acceptable inputs.
c) Reject any inputs that do not strictly conform to specifications.
d) For filenames, use stringent whitelist that limits the character set to be used.
e) Exclude directory separators such as “/”.
f) Use a white list of allowable file extensions.
g) Environment Hardening.
h) Develop and run your code in the most recent versions of PHP available.
i) Configure your PHP applications so that it does not use register globals.
j) Run your code using the lowest privileges.

Viva Questions:
7. What are the different types of file inclusion?
8. What is remote file inclusion?
9. Why is file inclusion possible?
10. Differentiate between local file inclusion and remote file inclusion?
11. What is the impact of file inclusion vulnerability?
 Experiment – 5

Brute Force and Dictionary Attacks

Objectives: Use DVWA to simulate login pages and demonstrate Brute Force and
Dictionary Attacks against weak passwords. Emphasize the importance of strong password
policies.

Introduction: Brute Force Attack

A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden
web page. Hackers work through all possible combinations hoping to guess correctly. These
attacks are done by ‘brute force’ meaning they use excessive forceful attempts to try and ‘force’
their way into your private account(s). This is an old attack method, but it's still effective and
popular with hackers. Because depending on the length and complexity of the password,
cracking it can take anywhere from a few seconds to many years.

Burp Suite is one of the most helpful website hacking tools for conducting security testing of
web applications. It has various ethical hacking tools that work seamlessly together to support
the entire penetration testing process. It ranges from initial mapping to analysis of an
application’s weakness.

a. Brute Force attack on DVWA with Burp Suite

Step 1: Inside DVWA, select the Brute Force option, which takes user to a Login page.

Step 2: Enter admin for the username and admin for the password, which is the wrong
username and password.
Step 3: In the Burp Suite tool, follow the path: Target → Site map → http://localhost → URL
Containing the following:
/DVWA/vulnerabilities/brute/?username=admin&password=admin&Login=Login
HTTP/1.1
The Raw Request data is the HTTP request sent to the server during a brute-force attack. It
contains all the details required to send a request, such as the HTTP method, target URL, request
headers, and request body.
As one can see, the username and password, admin & admin, user initially tried to log in with
appears in line 1.

Navigated to Request → Raw tab → Right-click inside → Send to Repeater.

Step 4: Select the Repeater tab.

The Repeater in Burp Suite is a tool that allows security testers to manually modify and re-send
HTTP requests and view the responses from a web application. It is a handy tool for testing the
functionality and security of web applications, as it allows testers to quickly and easily modify
the parameters and other data in a request to see how the application responds.
In addition to modifying requests, the Repeater displays the responses received from the
application, allowing testers to analyze and assess the security of the application’s response
handling. Testers can also use the Repeater to compare responses to identify differences and
inconsistencies that could indicate a vulnerability or other security issue.
Step 5: Right-click inside the Raw data area → Send to Intruder.

The Intruder in Burp Suite performs automated attacks on web applications and is designed to
automate sending a large number of requests with various payloads to a target application to test
for vulnerabilities. For example, the Intruder can try multiple input validation vulnerabilities,
such as SQL injection, cross-site scripting (XSS), buffer overflows, and directory traversal
attacks.

Step 6: Select the Intruder tab → Positions.

Here we can Choose an attack type, Add or Clear payload markers, and Start
attack.

Clear all the payload markers, which are highlighted in green.

All payload markers cleared.

Step 7: Insert new payload markers.

Highlighted admin after username → Selected Add.

Highlighted admin after password → Selected Add.

Both username=admin and password=admin are marked as payloads.

Step 8: Selected Choose an attack type → Cluster bomb.

Clicked on the Payloads tab to configure and add a list of strings used as payloads.
For the first Payload set, Type a list of 17 words for the username.
Click the drop-down arrow in Payload set and select 2 for the second Payload set.

b. Start the Attacking with Kali Linux using dictionary attack for authentication login.

Step 1: The DVWA website from victim machine

Step 2: The website victim we will try to attack using password attack , it’s called dictionary
attack.

Step 3: We will open Burp on Kali and interrupt the request and send it to the intruder to use the
dictionary attack.
Burp Proxy

Burp Intruder

We will use the most common password list in the payload to do the attack.

Viva Questions:
1. How do dictionary attacks relate to brute force attacks?
2. Which type of attack allow an attacker to use a brute-force approach?
3. How long does a dictionary attack take?
4. What are the techniques used in preventing a brute force attack?
5. What are the targets of brute force attacks?