Professional Documents
Culture Documents
Lab Manual Cyber Security Workshop (BCS453)
Lab Manual Cyber Security Workshop (BCS453)
List of Experiments:
Module 1: Packet Analysis using Wire shark
1. Basic Packet Inspection: Capture network traffic using Wire shark and analyze basic protocols like HTTP,
DNS, and SMTP to understand how data is transmitted and received.
2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated
connection attempts or unusual communication between hosts.
3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as
command-and-control traffic or data infiltration.
4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to capture
and analyze the packets to demonstrate the vulnerability and the importance of encryption.
5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured packets
to understand how the attack can lead to a Man-in-the-Middle scenario.
3. Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how attackers can
manipulate authenticated users into performing unintended actions.
4. File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA. Show how
attackers can include malicious files on a server and execute arbitrary code.
5. Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-force and
dictionary attacks against weak passwords. Emphasize the importance of strong password policies.
Experiments Beyond Syllabus:
1. Objective:
b. Analyze basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted and
received.
2. Procedure:
a. The Main Window: Please refer Annexure - 1
b. Interfaces
e. Flow Graph:
f. Applying Filters:
Viva Questions:
Objectives: Analyze network traffic to identify suspicious patterns, such as repeated connection
attempts or unusual communication between hosts.
Introduction:
Signs of suspicious activity include unusual logins, abnormal access patterns, atypical network traffic,
multiple failed login attempts, unexpected application usage, lateral movement, changes in user
behavior, unusual outbound connections, suspicious system processes, and altered configurations.
The above images provide the patterns in isolated traffic. However, it is not always easy to spot the given patterns in
big capture files. Therefore analysts need to use a generic filter to view the initial anomaly patterns, and then it will
be easier to focus on a specific traffic point. The given filter shows the TCP Connect scan patterns in a capture file.
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
The filter below shows the UDP scan patterns in a capture file.
icmp.type==3 and icmp.code==3
UDP port in the 55–70 port range is open:
Viva Questions:
How do you detect suspicious network activity?
How does Wireshark detect malicious traffic?
What is detect suspicious networks?
What is a suspicious IP? How do hackers see your IP?
Experiment – 3
Malware Traffic Analysis
Objectives: Analyze captured traffic to identify signs of malware communication, such as command-
and-control traffic or data infiltration.
Introduction:
Malware is a software or computer program that is used to carry out malicious activity. Malware is made
with the aim of harming user’s device because it can change user’s data, use up bandwidth and other
resources without user's permission. Malware traffic is any network activity that is generated by
malicious software such as viruses, worms, ransomeware or botnets. It can pose a serious threat to the
network security, as it can steal, damage, or disrupt data and systems.
Procedure:
Downloaded the pcap file named 2019–09–25 Trickbot Pcap from Malware-Traffic-Analysis.net Filtered
with basic filter and see suspicious get/post requests.
Follow the TCP stream on www.dchristjan.com and there has been a zip file included in this infection.
Exported the zip file from the pcap. Unzipped the file and used the file command to obtain info.
The file type was .lnk. Most of the time attackers use lnk files with msi packages or hidden .bat files.
Used sha256sum to generate the hash of the file and asked Virustotal. The screen went red after that
By the categorizations, I knew that this was only a downloader. Hovering over to the relations there were
the network IOCs I was looking for. We have seen the solar.php earlier when filtering for HTTP traffic.
Click the objects and saved the solar.php after that. When trying to open the file on Vscode it implied
that the file was unsupported. Opened and used the file command on solar.php and discovered that
solar.php is actually a Windows executable.
The C2 server is another IP address that we found earlier with basic filtering;
There is an unusual traffic between 170[.]238.117.187 over 8082 and by following the TCP stream you
may see that a malicious executable sent information about the pc named BACHMANN-BTO-
PC_W617601 with the POST method to C2 server.
On the screenshot, there is a GET request to 185[.98.87.185 requesting a .png file. Since there is no
HTML request it is a bit suspicious. I followed the TCP stream and it turned into a Windows executable
too.
So in our analysis, we have found that malware downloads more malware in a Quickbot infection.
Wireshark is a tool that allows security analysts to capture and inspect network traffic in real-time. By
analyzing the traffic captured with Wireshark, experts can gain insights into the activities of malware,
such as command and control (C&C) communications, data exfiltration, or exploit attempts.
Viva Questions:
1. What is malware traffic?
2. How to do malware analysis in Wireshark?
3. What is API in malware analysis?
4. What is the first step in malware analysis?
5. Is malware analysis hard?
Module 2:
Web Application Security using
DVWA
Introduction: Damn Vulnerable Web App (DVWA)
This package contains a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an
aid for security professionals to test their skills and tools in a legal environment, help web developers
better understand the processes of securing web applications and to aid both students & teachers to learn
about web application security in a controlled class room environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of
difficulty, with a simple straightforward interface. Please note, there are both documented and
undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and
discover as many issues as possible.
WARNING: Do not upload it to your hosting provider’s public html folder or any Internet facing
servers, as they will be compromised.
Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications and aid
teachers/students to teach/learn web application security in a class room environment.
● Brute Force
● Command Execution
● CSRF
● File Inclusion
● SQL Injection
● SQL Injection (Blind)
● Shell Uploading
● XSS ( Reflected )
● XSS ( Stored)
Benefits of DVWA –
Experiment:5
Wireshark Lab: Ethernet and
ARP v8.0
Supplement to Computer Networking: A Top-Down Approach,
8th ed., J.F. Kurose and K.W. Ross
In this lab, we’ll investigate the Ethernet protocol and the ARP protocol. Before
beginning this lab, you’ll probably want to review sections 6.4.1 (Link-layer
addressing and ARP) and 6.4.2 (Ethernet) in the text1. RFC 826 (ftp://ftp.rfc-
editor.org/in- notes/std/std37.txt) contains the gory details of the ARP protocol, which
is used by an IP device to determine the IP address of a remote interface whose
Ethernet address is known.
First, make sure your browser’s cache is empty. To do this under Mozilla Firefox V3, select
Tools->Clear Recent History and check the box for Cache. For Internet Explorer, select Tools-
>Internet Options->Delete Files. Start up the Wireshark packet sniffer
Enter the following URL into your browser http://gaia.cs.umass.edu/wireshark-
labs/HTTP-ethereal-lab-file3.html Your browser should display the rather lengthy
US Bill of Rights.
1
References to figures and sections are for the 8th edition of our text, Computer Networks, A Top-down Approach, 8th ed.,
J.F. Kurose and K.W. Ross, Addison-Wesley/Pearson, 2020.
2
If you are unable to run Wireshark live on a computer, you can download the zip file
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ethernet--ethereal-trace-1. The traces in
this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated
in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the
File pull down menu, choosing Open, and then selecting the ethernet-ethereal-trace-1 trace file. You can then use this
trace file to answer the questions below.
Stop Wireshark packet capture. First, find the packet numbers (the leftmost
column in the upper Wireshark window) of the HTTP GET message that was sent
from your computer to gaia.cs.umass.edu, as well as the beginning of the HTTP
response message sent to your computer by gaia.cs.umass.edu. You should see
a screen that looks something like this (where packet 4 in the screen shot below
contains the HTTP GET message)
Since this lab is about Ethernet and ARP, we’re not interested in IP or higher-
layer protocols. So let’s change Wireshark’s “listing of captured packets” window
so that it shows information only about protocols below IP. To have Wireshark
do this, select Analyze->Enabled Protocols. Then uncheck the IP box and select
OK. You should now see a Wireshark window that looks like:
In order to answer the following questions, you’ll need to look into the packet
details and packet contents windows (the middle and lower display windows
in Wireshark).
Select the Ethernet frame containing the HTTP GET message. (Recall that
the HTTP GET message is carried inside of a TCP segment, which is
carried inside of an IP datagram, which is carried inside of an Ethernet
frame; reread section 1.5.2 in the text if you find this encapsulation a bit
confusing). Expand the Ethernet II information in the packet details
window. Note that the contents of the Ethernet frame (header as well as
payload) are displayed in the packet contents window.
Answer the following questions, based on the contents of the Ethernet frame
containing the HTTP GET message. Whenever possible, when answering a
question you should hand in a printout of the packet(s) within the trace that
you used to answer the question asked. Annotate the printout3 to explain
your answer. To print a packet, use File->Print, choose Selected packet
only, choose Packet summary line, and select the minimum amount of
packet detail that you need to answer the question.
Next, answer the following questions, based on the contents of the Ethernet
frame containing the first byte of the HTTP response message.
5. What is the value of the Ethernet source address? Is this the address of your
computer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has
this as its Ethernet address?
6. What is the destination address in the Ethernet frame? Is this the Ethernet
address of your computer?
7. Give the hexadecimal value for the two-byte Frame type field. What upper
layer protocol does this correspond to?
8. How many bytes from the very start of the Ethernet frame does the ASCII “O” in
“OK” (i.e., the HTTP response code) appear in the Ethernet frame?
3
What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout
you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what
you ‘ve highlight. If you hand in an electronic copy, it would be great if you could also highlight and
annotate.
2. The Address Resolution Protocol
In this section, we’ll observe the ARP protocol in action. We strongly
recommend that you re-read section 6.4.1 in the text before proceeding.
ARP Caching
Let’s take a look at the contents of the ARP cache on your computer:
The Windows arp command with no arguments will display the contents of
the ARP cache on your computer. Run the arp command.
9. Write down the contents of your computer’s ARP cache. What is the meaning
of each column value?
MS-DOS. The MS-DOS arp –d * command will clear your ARP cache. The –d flag
indicates a deletion operation, and the * is the wildcard that says to delete all
table entries.
Linux/Unix/MacOS. The arp –d * will clear your ARP cache. In order to run this
command you’ll need root privileges. If you don’t have root privileges and can’t
run Wireshark on a Windows machine, you can skip the trace collection part of
this lab and just use the trace discussed in the earlier footnote.
Observing ARP in action
Do the following4:
4
The ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip
was created using the steps below (in particular after the ARP cache had been flushed).
In the example above, the first two frames in the trace contain ARP messages
(as does the 6th message). The screen shot above corresponds to the trace
referenced in footnote 1.
10. What are the hexadecimal values for the source and destination addresses in
the Ethernet frame containing the ARP request message?
11. Give the hexadecimal value for the two-byte Ethernet Frame type field.
What upper layer protocol does this correspond to?
12. Download the ARP specification from
ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed
discussion of ARP is also at
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.
a) How many bytes from the very beginning of the Ethernet frame does
the ARP opcode field begin?
b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP request is made?
c) Does the ARP message contain the IP address of the sender?
d) Where in the ARP request does the “question” appear – the Ethernet
address of the machine whose corresponding IP address is being queried?
13. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the
ARP opcode field begin?
b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP response is made?
c) Where in the ARP message does the “answer” to the earlier ARP request
appear – the IP address of the machine having the Ethernet address whose
corresponding IP address is being queried?
14. What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP reply message?
15. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-
labs/wireshark-traces.zip. The first and second ARP packets in this trace correspond
to an ARP request sent by the computer
running Wireshark, and the ARP reply sent to the computer running
Wireshark by the computer with the ARP-requested Ethernet address. But
there is yet another computer on this network, as indicated by packet 6 –
another ARP request. Why is there no ARP reply (sent in response to the
ARP request in packet 6) in the packet trace?
Extra Credit
allows you to manually add an entry to the ARP cache that resolves the IP
address InetAddr to the physical address EtherAddr. What would happen
if, when you manually added an entry, you entered the correct IP address,
but the wrong Ethernet address for that remote interface?
EX-2. What is the default amount of time that an entry remains in your ARP
cache before being removed. You can determine this empirically (by
monitoring the cache contents) or by looking this up in your operation
system documentation. Indicate how/where you determined this value.
Module 2:
Web Application Security
using
DVWA
Introduction: Damn Vulnerable Web App (DVWA)
This package contains a PHP/MySQL web application that is damn vulnerable. Its main goal is
to be an aid for security professionals to test their skills and tools in a legal environment, help
web developers better understand the processes of securing web applications and to aid both
students & teachers to learn about web application security in a controlled class room
environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various
levels of difficulty, with a simple straightforward interface. Please note, there are both
documented and undocumented vulnerabilities with this software. This is intentional. You are
encouraged to try and discover as many issues as possible.
WARNING: Do not upload it to your hosting provider’s public html folder or any Internet facing
servers, as they will be compromised.
Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a class room environment.
● Brute Force
● Command Execution
● CSRF
● File Inclusion
● SQL Injection
● SQL Injection (Blind)
● Shell Uploading
● XSS ( Reflected )
● XSS ( Stored)
Benefits of DVWA –
Here we clone DVWA from it’s Github repository. To clone it we run following command:
After the cloning complete, we rename the DVWA to dvwa (it is not necessary but it will save
our effort).
Now we have to setup this web application to run properly for that we have to go into
/dvwa/config directory.
In the above screenshot we can see the config.inc.php.dist file. This file contains default
configuration. We need to make a copy of this file with .php extension name, we are coping this
file because in future if anything goes wrong then we have the default values. So we copy this
file with .php extension name using following command:-
We will make changes in this part the p@ssw0rd to pass and the user from root. see the
following screenshot:-
Here we have opened a new terminal window closing the previous one. We start the mysql at
first using following command:-
If there are no errors that means the service is started.
Now to setup a database, we start with creating a new user by applying following command.
create user 'user'@'127.0.0.1' identified by 'pass';
Here using this command we are creating a user called ‘user’ running server on
127.0.0.1(localhost) and the password is ‘pass’. Remember that this username and password
should exactly same as the password and username we have entered in the configuration file of
dvwa web application.
In the screenshot we can see the query is OK. That means the user is created.
Then we grant this user all the privileges over the database. For that we type following
command:-
grant all privileges on dvwa.* to 'user'@'127.0.0.1' identified by 'pass';
Yes, we have finished the work of database, now we configure the server. For this we need to
configure our apache2 server. Let’s change our directory to /etc/php/7.4/apache2
Here we are using version 7.4, if we use another version then the path might be change.
cd /etc/php/7.4/apache2
Here we configure the php.ini file.
We need to change the allow_url_fopen and allow_url_include values. We set both of them
‘On’. In some cases when we are first time configuring it, we might find that one of this or both
of this configuration is set to ‘Off’. We have turned both of these configuration to ‘On’, as the
following screenshot:-
Then we save and close the file.
Then it will create and configure the database and we redirected to DVWA login page.
The default login is
● Username:- admin
● Password:- password
After login we are in Damn Vulnerable Web Applications main page. Here is some general
information and warnings.
On the left side we can see lots of vulnerable pages are available we can practice here.
DVWA have different security levels to change those we navigate to DVWA security. There are
some security levels low, medium, high, impossible. We can choose difficulty as we need.
Now we can run penetration testing tools and techniques in our localhost.
This is how we can setup DVWA, Damn Vulnerable Web Application in our Kali Linux
system.
Experiment – 1
SQL Injection
Objectives:
Introduction:
SQL injection is a technique used to extract user data by injecting web page inputs as
statements through SQL commands. Basically, malicious users can use these instructions to
manipulate the application’s web server.
1. SQL injection is a code injection technique that can compromise your database.
2. SQL injection is one of the most common web hacking techniques.
3. SQL injection is the injection of malicious code into SQL statements via web page
input.
Requirements:
● Xampp/Wamp Server
● DVWA Lab
● Kali Linux: Burp suite, SQLmap tool
Now open the DVWA in your pc and log in with following credentials:
Username – admin
Password – password
Click on DVWA Security and set Website Security Level low
From the list of vulnerability select SQL Injection for your attack.
Type user ID: 1 in the text box. Don’t click on submit button without setting browser proxy. Set
your browser proxy to make burp suite work properly.
The flaw in the code you provided is that it is vulnerable to SQL injection
attacks. The vulnerability arises from directly concatenating user input into
the SQL query without proper sanitization or parameterization.
$id = $_REQUEST['id'];
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
1' OR '1'='1'#
For high level, after clicking the “here to change your ID”, we can see a window where we can
Viva Questions:
1 What is SQL injection in DVWA?
2. Why is it called SQL injection?
3. What is SQL command?
4. Which tool is used for SQL injection attack?
5. What is the weakness of SQL injection?
Experiment – 2
a. Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web pages.
b. Show the potential impact of XSS attacks, such as stealing cookies or defacing
websites
Cross Site Scripting or XSS is the most critical vulnerabilities in web applications. XSS allows
the attacker to send malicious scripts or code to the victim's computer system. With that code
injection can come numerous malicious activities.
If an application is vulnerable to XSS, the hacker can develop a URL that includes malicious
code and pass the code to the app as a legitimate user. When the user clicks on the link sent by
the hacker, the request is sent to the app. The code or script is generated on the server, sent to the
user's browser and is executed.
The classic Proof of Concept (POC) for XSS is to use JavaScript to trigger an alert box when the
script is run in the user's browser. This in itself is not malicious, but only indicates that the
application is vulnerable to injecting code.
XSS Payloads:
XSS can deliver multiple types of payloads. Javascript is powerful and flexible and therefore is
capable of delivering a wide range of malicious payloads. Some of the payloads include;
1. Pop up alerts
2. Hijacking session identifiers
3. Downloading and installing software
4. Redirecting to a different URL
5. Installing a keylogger
4. Invoking a reverse shell such as the Metasploit meterpreter
5. Launching client side attacks
Types of XSS
To start, boot up a system running DVWA. Then, connect to the DVWA with your browser from
your Kali system.
Using some simple XSS that is usually sanitized by modern secure web applications. For
demonstration purposes we are disabling that sanitizing process. For that reason, we need to set
the security level on our DVWA to "low".
To perform a Reflected XSS, the victim must perform some action such as clicking on a link,
doing a search or some other functionality. The victim must also be logged into the application
when they click on the link.
To start, navigate to the Reflected XSS page in DVWA as seen below.
Now, go ahead and enter your name. I entered my name in the form "Occupy the web".
As one can see above, the application comes back and greets me "Hello Occupy the web" after
hitting Submit.
This time we will enter some script and see whether we can get the application to execute it. The
script to enter is;
So, instead of entering our name into the form, let's enter this script.
Now, hit Submit.
As you can see, the script was executed and an alert box was triggered with the message "Hello
Hackers-Arise". Clearly, this application is vulnerable to a Reflected XSS attack!
Reflected XSS is a one-time attack. Whoever clicks on the link will have the script executed in
their browser.
When we ran the Reflected XSS, you can see that the URL created by the attack changed. We
could use this URL that was created to execute the attack. The attacker could send this link to
the victim to execute the attack. To demonstrate, simply copy and paste the URL and enter it into
another tab in your browser.
As you can see, it works equally well to trigger the Reflected XSS attack.
Step 5: Attacking Session Cookies
Although generating a pop-up alert box is interesting and proves the concept, it really does not
provide the attacker anything of value. What if we could have the alert box grab the session
cookie of the victim? In this way, the attacker could then use the cookie to authenticate against
the app as the legitimate user.
In this case, we will create a script that generates an alert, grabs the session cookie and displays
it.
The following script should do just that.
<script>alert(document.cookie)</script>
As you can see, when we run this script, the application grabs and displays the users session ID
that then could be used to authenticate the attacker to the application!
The persistent or stored XSS is very different from the Reflected XSS attack. Most importantly,
the attacker does not need to social engineer the victim to click on a URL, but rather stores the
malicious code into the application. In this way, every one who visits the malicious web page
will fall victim to this attack.
Persistent XSS attacks are far more malicious and damaging than reflected attacks. They are
capable of attacking numerous victims and implanting malware or other payloads into the target
system.
Let's start by clicking on the DVWA Stored Cross Site Scripting app.
This app represents a "Guest Book" of a web app where each user can enter their name and
comments. Obviously, a Guest Book will store the information entered into a back-end database
(MySQL in this case). If we can send a script to that back-end database, our script will be stored
there and run time and time again as people visit and use the Guest book.
Let's begin by entering our name, OTW. Then let's enter a bit of Javascript.
<script>alert("Hackers-Arise is BEST")</script>
If this script runs, it will open an alert box stating the obvious "Hackers-Arise is BEST".
When we click "Sign Guestbook", an alert box opens stating what we all know to be true.
As the application stores this information into the back-end database, we may be able to get that
script to run whenever anyone logs into the Guestbook.
Let's test that by entering as a different Guest and enter a different message. In this case, I will
enter as "John Doe" and leave a message "I'm so happy to be here".
When John Doe clicks to "Sign Guestbook" they get the same message that "Hackers-Arise is
BEST". Our XSS has persisted in the database and every guest will now be greeted with our
message!
Cross Site Scripting (XSS) is one of the most important and malicious vulnerabilities in web
applications. These attacks are capable of injecting any number of malicious payloads into the
victim's browser and ultimately into their computer system.
Viva Questions:
Objectives:
Set up a CSRF attack in DVWA to demonstrate how attackers can manipulate authenticated
users into performing unintended actions
Introduction:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted
actions on a web application in which they’re currently authenticated. With a little help of social
engineering (such as sending a link via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker’s choosing. If the victim is a normal user, a
successful CSRF attack can force the user to perform state changing requests like transferring
funds, changing their email address, and so forth. If the victim is an administrative account,
CSRF can compromise the entire web application.
Before going into implementation, it would be nicer to understand why and how the attacks
work. To elaborate, first, we need to know what HTTP protocol is. HTTP protocol (a.k.a Hyper
Text Transfer Protocol) is a network protocol for the web applications.
It works as following:
Clients ask for HTTP request to server, and server responds to the client by giving status code.
However, it is very important to notice that HTTP is stateless. That is, there is no record of
previous interactions and thus, users have to go through the authentication/verification process
whenever they make a new request. Think of checking email. Though you have definitely logged
into google to check your email, you have to log in again when you check your mailbox. What a
big inconvenience! And this is where the session and cookie come in.
Two things to know. The first cookie, and second session. cookie contains data in form of
dictionary for purpose of transferring data between client and server. And session is to have a
state, allowing to maintain a particular state until closing the browser. The basic idea is
following:
Once accessing to web application, cookie is stored at local hard disk and session ID is
generated, and session ID is also stored in cookie. if clients try to access again, cookie with
session ID is transferred to web server to give false impression that clients have been
maintaining the state.
First, we need to know how the process normally works. Please select CSRF from the menu bar,
and try to change the password. Accordingly, you can find the HTTP request on Burp-suite as
following.
Get method to transfer new password being used
User can notice that Get method is used to transfer passwords without any encryption. What we
are going to do is that by exploiting data from HTTP request, we aim to change the password of
the victim as we have previously set.
To make it a bit realistic, I sent an e-mail claiming that I won a lottery to myself (victim) with
HTML containing a malicious request. Like this. (you can find sample HTML file(csrf.html)
Once the receiver (me) found the e-mail and clicked the provided link, you can find that Get
request is transferred to web server and the password of the innocent receiver has been
simultaneously changed. The thing is unless specifically notified of changing password, the
victim is very unlikely to notice the change. While I have made a button to make change visible,
You may try to use on load function.
On left, you can find request has successfully transferred / On right is the screen of csrf.html
In order to launch an attack successfully, it is necessary that the victim should be logged in.
The grounds for a successful attack lie on the cookie. As seen above, the same cookie has been
used, meaning that web server has no choice but to treat the malicious requests as equally as
normal requests. Also, you can notice that the parameter for changing password and referer,
origin indicating where the request came from have been changed.
Next, we will try to hack medium level. In medium level, web server tries to protect itself from
being attacked by checking ‘referer’.
Changing security level to medium — it checks ‘referer’
You can see that an identical attack used for low security does not work as intended. You can
check this on Burp-suite (click the response tab for the request and go to render.
DVWA provides one of ideal solution to protect password from CSRF attack. That is, to require
users to provide current password. It can be seen if you change security level to impossible.
If the attacker implements CSRF only attack, there is no way for him to get current password. As
he cannot extract current password, the attack is never going to happen.
Viva Questions:
1. What is CSRF?
2. How do you check if your application is vulnerable to CSRF attacks?
3. What’s the difference between XSS and CSRF?
4. In what ways can you mitigate CSRF risks?
5. Mentioned some examples of how a CSRF attack might occur?
Experiment 4:
Objectives:
It is an attack that allows an attacker to include a file on the web server through a php script. This
vulnerability arises when a web application lets the client submit input into files or upload files
to the server. A file include vulnerability is distinct from a generic Directory Traversal Attack, in
that directory traversal is a way of gaining unauthorized file system access, and a file inclusion
vulnerability subverts how an application loads code for execution. Successful exploitation of a
file include vulnerability will result in remote code execution on the web server that runs the
affected web application.
Types:
LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim
machine. This can be very dangerous because if the web server is misconfigured and running
with high privileges, the attacker may gain access to sensitive information. If the attacker is able
to place code on the web server through other means, then they may be able to execute arbitrary
commands.
RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local
machine, the attacker is able to execute code hosted on their own machine.
Remote File inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often
found in poorly-written web applications. These vulnerabilities occur when a web application
allows the user to submit input into files or upload files to the server.
a. Local File Inclusion in Action
Difficulty: LOW
Now start your machine and login to DVWA, then go to DVWA security tab and change the
difficulty level to low.
Go to file inclusion tab and change the URL from incude.php to ?page=../../../../../../etc/passwd.
change the URL from?page=../../../../../../etc/passwd to ?page=../../../../../../proc/version.
Difficulty: MEDIUM
Now, go on and try the exploits we used in low difficulty. You will notice that you can’t read
files like before using the directory traversal method. So, as you can see in the below snapshot of
source page, the server is more secure and is filtering the ‘../’ or ‘..\’pattern. Let’s try to access
the file without ‘../’ or ‘..\’.
Difficulty: HIGH
Change the difficulty to HIGH and try all exploits from medium difficulty, and you’ll notice
none of them will works because the target is more secure, as it is only accepting “include.php”
or inputs starting with the word “file”. If you try anything else, it will show “File not
Found”.
In this level of security, we can still gather sensitive info using the “File” URI scheme. (because
it starts with the word “file”)
Change the URL from include.php to ?page=file:///etc/passwd
Now, let’s try to exploit this vulnerability using remote files hosted on the attacker machine.
Difficulty: LOW
Now, Let’s start with the Low difficulty.
Change the difficulty to low and go to file inclusion tab.
Let’s change include.php to http://www.google.com so the final URL will look something like
this,
?page=http://www.google.com
Difficulty: MEDIUM
Change the difficulty to medium and check as we did it in the low difficulty. You’ll notice, it’s
not working anymore. The target is now filtering “http” and “https” as shown in source page.
So try the attack with “HTTP” (in CAPS) or any one word in caps like I used as shown in
snapshot (httP)and it’ll work.
?page=httP://imdb.com
Difficulty: HIGH
We can’t exploit the high difficulty using RFI as we can see in source page, we know that the
target web-server is only accepting “include.php” or anything that’s starting with the word “file”
that’s why we can’t include anything from an outside server.
Viva Questions:
7. What are the different types of file inclusion?
8. What is remote file inclusion?
9. Why is file inclusion possible?
10. Differentiate between local file inclusion and remote file inclusion?
11. What is the impact of file inclusion vulnerability?
Experiment – 5
Objectives: Use DVWA to simulate login pages and demonstrate Brute Force and
Dictionary Attacks against weak passwords. Emphasize the importance of strong password
policies.
A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden
web page. Hackers work through all possible combinations hoping to guess correctly. These
attacks are done by ‘brute force’ meaning they use excessive forceful attempts to try and ‘force’
their way into your private account(s). This is an old attack method, but it's still effective and
popular with hackers. Because depending on the length and complexity of the password,
cracking it can take anywhere from a few seconds to many years.
Burp Suite is one of the most helpful website hacking tools for conducting security testing of
web applications. It has various ethical hacking tools that work seamlessly together to support
the entire penetration testing process. It ranges from initial mapping to analysis of an
application’s weakness.
Step 1: Inside DVWA, select the Brute Force option, which takes user to a Login page.
Step 2: Enter admin for the username and admin for the password, which is the wrong
username and password.
Step 3: In the Burp Suite tool, follow the path: Target → Site map → http://localhost → URL
Containing the following:
/DVWA/vulnerabilities/brute/?username=admin&password=admin&Login=Login
HTTP/1.1
The Raw Request data is the HTTP request sent to the server during a brute-force attack. It
contains all the details required to send a request, such as the HTTP method, target URL, request
headers, and request body.
As one can see, the username and password, admin & admin, user initially tried to log in with
appears in line 1.
The Repeater in Burp Suite is a tool that allows security testers to manually modify and re-send
HTTP requests and view the responses from a web application. It is a handy tool for testing the
functionality and security of web applications, as it allows testers to quickly and easily modify
the parameters and other data in a request to see how the application responds.
In addition to modifying requests, the Repeater displays the responses received from the
application, allowing testers to analyze and assess the security of the application’s response
handling. Testers can also use the Repeater to compare responses to identify differences and
inconsistencies that could indicate a vulnerability or other security issue.
Step 5: Right-click inside the Raw data area → Send to Intruder.
The Intruder in Burp Suite performs automated attacks on web applications and is designed to
automate sending a large number of requests with various payloads to a target application to test
for vulnerabilities. For example, the Intruder can try multiple input validation vulnerabilities,
such as SQL injection, cross-site scripting (XSS), buffer overflows, and directory traversal
attacks.
Clicked on the Payloads tab to configure and add a list of strings used as payloads.
For the first Payload set, Type a list of 17 words for the username.
Click the drop-down arrow in Payload set and select 2 for the second Payload set.
b. Start the Attacking with Kali Linux using dictionary attack for authentication login.
Step 2: The website victim we will try to attack using password attack , it’s called dictionary
attack.
Step 3: We will open Burp on Kali and interrupt the request and send it to the intruder to use the
dictionary attack.
Burp Proxy
Burp Intruder
We will use the most common password list in the payload to do the attack.
Viva Questions:
1. How do dictionary attacks relate to brute force attacks?
2. Which type of attack allow an attacker to use a brute-force approach?
3. How long does a dictionary attack take?
4. What are the techniques used in preventing a brute force attack?
5. What are the targets of brute force attacks?