BCS453 - Cyber Security Workshop Lab Manual


Cyber Security Workshop (BCS453)

List of Experiments

Module 1: Packet Analysis using Wireshark

1. Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP (Hyper Text Transfer Protocol), DNS (Domain Name System), and SMTP (Simple Mail Transfer Protocol) to understand how data is transmitted and received.
2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated connection attempts or unusual communication between hosts.
3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as command-and-control traffic or data infiltration.
4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to capture and analyze the packets to demonstrate the vulnerability and the importance of encryption.
5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

Module 2: Web Application Security using DVWA

1. SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can manipulate input fields to extract, modify, or delete database information.
2. Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing websites.
3. Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how attackers can manipulate authenticated users into performing unintended actions.
4. File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA. Show how attackers can include malicious files on a server and execute arbitrary code.
5. Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-force and dictionary attacks against weak passwords. Emphasize the importance of strong password policies.
Module 1: Packet Analysis using Wireshark

Introduction to Wireshark
Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining what's happening inside a network cable, just like an electrician uses a voltmeter for examining what's happening inside an electric cable (but at a higher level, of course).

Downloading Steps:

1. Your first step is to head to the Wireshark download page and locate the Windows installer. Once the file is downloaded, open it from your Downloads folder.
2. You will be presented with the Wireshark wizard to guide you through the installation. Click "Next."
3. Next, review and agree to the license agreement, and click "Noted" to continue.
4. The next screen will ask if you want to donate to the Wireshark Foundation to help support Wireshark and Sharkfest at https://wiresharkfoundation.org/. Click "Next" when finished.
5. Next, you will be asked which components you want to install. Make your choice and then click "Next."
6. The following screen will ask if you want to create any shortcuts and whether to associate trace file extensions with Wireshark (recommended).
7. Now you must install Npcap (an open-source library for packet capture and network analysis). It is the library that allows Wireshark to capture and analyze network traffic effectively; it enhances Wireshark's capabilities by providing optimized packet capture.
8. Wireshark will now begin the installation process.
Experiment 1

Objective:
Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted and received.
Tool Used: Wireshark

Protocols used in different OSI layers (table: Sender/Browser vs Receiver/Server)

Commands used for making the reference table:

- ipconfig /all (for getting information about the local host)
- arp -a (for getting the MAC address of the gateway)
- ping httpforever.com (for capturing HTTP packets)

1. Steps to analyse the HTTP protocol
Step 1: Open the Ethernet/Wi-Fi adapter in Wireshark.
Step 2: Apply the http filter as given below.
Step 3: Start capturing.
Step 4: Open httpforever.com in the browser.
Step 5: Analyse the TCP data (source port, destination port), source MAC, destination MAC, source IP etc. and compare it with the reference table.
Step 6: Check the 3-way handshake before the HTTP connection is established by using the filter tcp.port==56368 (56368 is the client's source port recorded in Step 5; substitute the port from your own capture).
Step 7: Finally, record the data for the HTTP header in the table given below.
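As an added example (not part of this manual), the following Python script reproduces the Step 6 and Step 7 checks offline: it selects packets the way the tcp.port==56368 filter does, verifies that the stream opens with SYN, SYN-ACK, ACK before the first HTTP request, and pulls out the request-line and Host fields you are asked to record. The addresses, the packets and the port assignments are constructed sample data, not values from a real capture.

```python
# Added example, not from the lab manual: offline check of the TCP three-way handshake
# that precedes an HTTP request, plus extraction of the HTTP header fields to record.
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str            # source IP
    sport: int          # source port
    dst: str            # destination IP
    dport: int          # destination port
    flags: str          # "S" = [SYN], "SA" = [SYN, ACK], "A" = [ACK], "PA" = [PSH, ACK]
    payload: bytes = b""

# Constructed capture (hypothetical addresses from the documentation ranges);
# 56368 is the client's ephemeral port, as in the filter used in Step 6.
CLIENT, SERVER = "192.168.1.5", "203.0.113.10"
CAPTURE = [
    Pkt(CLIENT, 56368, SERVER, 80, "S"),
    Pkt(SERVER, 80, CLIENT, 56368, "SA"),
    Pkt(CLIENT, 56368, SERVER, 80, "A"),
    Pkt(CLIENT, 56368, SERVER, 80, "PA",
        b"GET / HTTP/1.1\r\nHost: httpforever.com\r\nUser-Agent: demo\r\n\r\n"),
    Pkt(SERVER, 80, CLIENT, 56368, "PA",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"),
    Pkt(CLIENT, 51000, "203.0.113.20", 443, "S"),   # unrelated stream, filtered out below
]

def tcp_port_filter(capture, port):
    """Same selection as the Wireshark display filter tcp.port==<port>."""
    return [p for p in capture if port in (p.sport, p.dport)]

def handshake_before_http(stream):
    """True when the stream opens with SYN, SYN-ACK, ACK in the right directions
    and the first payload is an HTTP request line."""
    if len(stream) < 4:
        return False
    syn, synack, ack, first = stream[:4]
    directions_ok = ((synack.src, synack.dst) == (syn.dst, syn.src)
                     and (ack.src, ack.dst) == (syn.src, syn.dst))
    flags_ok = (syn.flags, synack.flags, ack.flags) == ("S", "SA", "A")
    method = first.payload.split(b" ", 1)[0]
    return directions_ok and flags_ok and method in (b"GET", b"POST", b"HEAD")

def http_request_fields(stream):
    """Fields for the Step 7 table: method, URI, version, Host header and the two ports."""
    for p in stream:
        if p.payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            head, _, _ = p.payload.partition(b"\r\n\r\n")
            lines = head.decode("ascii").split("\r\n")
            method, uri, version = lines[0].split(" ")
            headers = dict(line.split(": ", 1) for line in lines[1:])
            return {"method": method, "uri": uri, "version": version,
                    "host": headers.get("Host"), "src_port": p.sport, "dst_port": p.dport}
    return None

if __name__ == "__main__":
    stream = tcp_port_filter(CAPTURE, 56368)
    print("handshake ok:", handshake_before_http(stream))
    print(http_request_fields(stream))
```

The handshake check fails as soon as the SYN is missing from the start of the stream, which is exactly what you should see if you apply the filter after the connection was already open: only the later segments are in the capture.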

2. Steps to analyse the DNS protocol

DNS commands for cmd:
ipconfig /displaydns
ipconfig /flushdns

DNS observation
Step 1: Start capturing via Wireshark.
Step 2: ping nptel.ac.in (command prompt).
Step 3: Apply the dns protocol filter in Wireshark.
Step 4: Observe the data in the given table.

3. Steps to analyse the SMTP protocol
Step 1: Start capturing via Wireshark.
Step 2: Enable the Telnet client using Windows Features.
Step 3: telnet gmail-smtp-in.l.google.com 25 (command prompt)
Commands to use:
HELO sahil
QUIT
Step 4: Apply the smtp protocol filter in Wireshark.
Step 5: Observe the data in SMTP.


Experiment 2

Objective: Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated connection attempts or unusual communication between hosts.

Tools and Packages Required:

sec-sickclient.pcapng

Aurora.pcap

arp_poison.pcap

Step 1: Check the normal activity of different protocols on the network by checking the protocol hierarchy, and find the normal information being transferred under different protocols such as TCP and UDP.

Protocol hierarchy:
Step 2: Open sec-sickclient.pcapng and observe the suspicious data being transferred in the TCP protocol, and observe the path of the same.

Sec sick client:

Step 3: Load the other package "Aurora.pcap" (a spear phishing attack) and observe line no. 6 for the iframe attack.

Line 6, iframe attack:

Step 4: Observe line 21: some GIF data is being transferred in an unreadable form.

Line 21:
Step 5: Check the TCP data by following the TCP stream of the same, and observe that the attacker is trying to access the admin control by getting the password and other credentials.

Line 25, TCP stream:

Step 6: Observe the suspicious activity by loading the package "arp_poison.pcap" and check that a man-in-the-middle attack is happening in lines no. 54, 55, 56 and 57.
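The two patterns named in the objective, repeated connection attempts and unusual communication between hosts, can be turned into simple detectors. The following Python script is an added example (not part of the manual) that runs them over constructed connection records; the hosts, ports and counts are invented for the demonstration, and the "expected ports" baseline stands in for what you would read off the protocol hierarchy in Step 1.

```python
# Added example, not from the lab manual: two detectors for the patterns this experiment
# looks for, run over constructed records of the form (src_ip, dst_ip, service_port, flags).
# service_port is the server-side port in both directions; "S" = SYN, "SA" = SYN-ACK.
from collections import Counter

RECORDS = [
    ("10.0.0.8", "10.0.0.20", 80, "S"), ("10.0.0.20", "10.0.0.8", 80, "SA"),        # normal web request
    ("10.0.0.9", "10.0.0.21", 4444, "S"), ("10.0.0.21", "10.0.0.9", 4444, "SA"),    # odd port between hosts
] + [("10.0.0.7", "10.0.0.20", 22, "S")] * 6 + [("10.0.0.20", "10.0.0.7", 22, "SA")]  # 6 tries, 1 answered

def repeated_attempts(records, threshold=5):
    """Client/server pairs with at least `threshold` SYNs where fewer than half were answered:
    the signature of a host hammering a service (failed logins, scanning, a dead C2)."""
    syns, answered = Counter(), Counter()
    for src, dst, port, flags in records:
        if flags == "S":
            syns[(src, dst)] += 1
        elif flags == "SA":
            answered[(dst, src)] += 1       # reply travels server -> client; key by (client, server)
    return sorted(pair for pair, n in syns.items() if n >= threshold and answered[pair] * 2 < n)

def unusual_ports(records, expected=frozenset({22, 53, 80, 443})):
    """Connections opened to ports outside the baseline seen in the protocol hierarchy."""
    return sorted({(src, dst, port) for src, dst, port, flags in records
                   if flags == "S" and port not in expected})

if __name__ == "__main__":
    print("repeated attempts:", repeated_attempts(RECORDS))
    print("unusual ports:", unusual_ports(RECORDS))
```

In Wireshark the same two views are Statistics > Conversations (sort by packets to find the noisy pair) and the Protocol Hierarchy you checked in Step 1; a port that never appears in the baseline capture is the one to follow with Follow TCP Stream.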
Experiment 3
Objective: Malware Traffic Analysis: Analyze captured traffic to identify signs of malware
communication, such as command-and-control traffic or data infiltration.

Package: 2014-11-16-traffic-analysis-exercise.pcap

What are we looking for:

1. What are the infected file(s) downloaded and their hashes?
2. What is the URL/domain of the infected site?
3. What is the IP address of the infected website?
4. What is the IP address of the infected machine?
5. What is the hostname of the infected machine?
6. What is the MAC address of the infected machine?

To see only GET and POST requests: Filter: http.request

To get a better understanding of the destination: right-click the Host field under HTTP and apply it as a column.

Now check the Host column.

Sort the column by Content type.

We can save all suspicious files (File > Export Objects > HTTP).

We could upload the files directly to VirusTotal, but we avoid that for confidentiality; instead we find the hash of the file and then check it for malicious activity.
Now, we checked the hash in VirusTotal and found it infected.
2. What is URL/ Domain of the infected site?
Answer: see the host name of infected file.
stand.trustandprobaterealty.com

3. What is the IP address of the infected website?


37.200.69.143

4. What is the IP address of the infected machine ?

172.16.165.165

5. What is the hostname of the infected machine?

K34EN6W3N-PC

6. What is the mac address of the infected machine ?

f0:19:af:02:9b:f1

Host name using DHCP:
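The workflow above (list HTTP objects, pick the ones with an executable-like content type, hash them instead of uploading them) can be scripted. The following Python code is an added example, not part of the manual or of the exercise's pcap: the HTTP exchanges, hosts, addresses and file bodies are constructed, and the content-type list is an assumption about which downloads deserve a closer look.

```python
# Added example, not from the lab manual: pick out downloads whose content type is
# executable-like, record host / URL / IPs for questions 2-4, and hash the body for
# question 1 so the hash (not the file) can be looked up in VirusTotal.
import hashlib

# Constructed HTTP exchanges: (client_ip, server_ip, host, path, content_type, body).
# Addresses are from the documentation ranges; bodies are toy byte strings.
EXCHANGES = [
    ("172.16.1.10", "203.0.113.20", "www.example.com", "/index.html",
     "text/html", b"<html>hello</html>"),
    ("172.16.1.10", "203.0.113.21", "files.example.net", "/update.exe",
     "application/x-msdownload", b"MZ\x90\x00" + b"\x00" * 60),
    ("172.16.1.10", "203.0.113.22", "cdn.example.org", "/applet.jar",
     "application/java-archive", b"PK\x03\x04" + b"\x00" * 26),
    ("172.16.1.10", "203.0.113.20", "www.example.com", "/logo.png",
     "image/png", b"\x89PNG\r\n\x1a\n"),
]

# Assumed watch-list of content types; extend it from what the capture's Content type column shows.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/java-archive",
                    "application/octet-stream", "application/x-shockwave-flash"}

def file_hashes(body: bytes) -> dict:
    """MD5 and SHA-256 of a saved object; either can be searched on VirusTotal without uploading the file."""
    return {"md5": hashlib.md5(body).hexdigest(), "sha256": hashlib.sha256(body).hexdigest()}

def suspicious_downloads(exchanges, types=EXECUTABLE_TYPES):
    """Answers for questions 1-4: each executable-like download with its URL, server IP, client IP and hashes."""
    found = []
    for client, server, host, path, ctype, body in exchanges:
        if ctype in types:
            found.append({"url": f"http://{host}{path}", "host": host, "server_ip": server,
                          "client_ip": client, "content_type": ctype, **file_hashes(body)})
    return found

if __name__ == "__main__":
    for hit in suspicious_downloads(EXCHANGES):
        print(hit["url"], hit["server_ip"], hit["sha256"])
```

Searching VirusTotal by hash reveals nothing about the file's contents, which is why the manual prefers it over uploading; for the same reason, record the SHA-256 as well as the MD5, since MD5 collisions are cheap to manufacture.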



EXPERIMENT 4
Objective: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to capture and analyze the packets to demonstrate the vulnerability and the importance of encryption.

Tool Used: Wireshark

Password Capturing/Sniffing
Wireshark can capture not only passwords but any type of information transmitted over the network: usernames, email addresses, personal information, etc. As long as we can capture network traffic, Wireshark can sniff passing passwords.
Sniffing can include passwords for various protocols such as HTTP, FTP, Telnet, etc. The captured data can be used to troubleshoot network problems, but can also be used maliciously to gain unauthorized access to sensitive information.
So, here we will see how we can capture the password using the Wireshark network capture analyzer, and see the outputs of the following steps.

Step 1: First of all, open the Wireshark tool on your Windows or Linux virtual machine and start capturing on the network interface. Suppose I am capturing on my Wi-Fi interface.

Step 2: After starting the packet capture, go to the website and log in with the credentials on that website, as you can see in the image.

Step 3: Now, after completing the login, we will go and capture the password in Wireshark. For that we have to use some filters that help find the login credentials in the packet capture.

Step 4: Wireshark has captured some packets, but we are specifically looking for HTTP packets. So in the display filter bar we use a filter to find all the captured HTTP packets; as you can see in the image below, the green bar is where we apply the filter.

http

Step 5: So some HTTP packets were captured, but we are specifically looking for the form data that the user submitted to the website. For that, we have a separate filter.
As we know, there are two main methods used for submitting form data from web pages such as login forms to the server. The methods are:
- GET
- POST
Step 6: So, firstly, to find the credentials we use the first method and apply the filter for GET requests, as you can see below.
http.request.method == "GET"

GET method
As you can see in the image, there are two packets where the login page was requested with a GET request, but there is no form data submitted with a GET request.

Step 7: Now, after checking the GET method, if we did not find the form data, we try the POST method. For that we apply the following filter in Wireshark, as you can see.

http.request.method == "POST"

As you can see, we have a packet with form data. Click on the packet with the user info and expand the "HTML Form URL Encoded: application/x-www-form-urlencoded" section, where the login credentials are found. The login credentials are the same as the ones we filled in on the website in Step 2.
Form item: "uname" = "Tonystark_44"
Form item: "pass" = "tony@1234"
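What Wireshark does when it shows the "HTML Form URL Encoded" tree is a small amount of parsing that can be reproduced by hand. The Python script below is an added example (not part of the manual): it splits a raw HTTP request into request line, headers and body, decodes the form body the same way, and flags credential-looking fields. The two requests are constructed to mirror Steps 6 and 7 (the form values are the ones shown above); the field-name list and the host name are assumptions.

```python
# Added example, not from the lab manual: parse a captured HTTP request the way the
# "HTML Form URL Encoded" tree does, and flag credential-looking fields sent in the clear.
from urllib.parse import parse_qs

# Constructed requests mirroring Steps 6 and 7: a GET for the login page (no form data)
# and the POST that submits the form. The body length of 35 matches the body shown.
GET_REQUEST = "GET /login.php HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST_REQUEST = ("POST /login.php HTTP/1.1\r\nHost: example.test\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
                "uname=Tonystark_44&pass=tony%401234")

# Assumed list of field names that usually carry credentials.
CREDENTIAL_FIELDS = ("pass", "pwd", "password", "passwd", "uname", "user", "username", "login")

def split_request(raw: str):
    """Return (method, headers, body) from a raw HTTP/1.1 request string."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {k.lower(): v for k, v in (h.split(": ", 1) for h in header_lines)}
    return method, headers, body

def form_fields(raw: str) -> dict:
    """Decoded form items, e.g. {'uname': 'Tonystark_44', 'pass': 'tony@1234'};
    empty for a GET or for any request whose body is not a URL-encoded form."""
    method, headers, body = split_request(raw)
    if method != "POST" or headers.get("content-type") != "application/x-www-form-urlencoded":
        return {}
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def plaintext_credentials(raw: str) -> list:
    """Credential-looking fields readable in the clear. Over HTTPS the capture holds only
    TLS records, so this function would see no body at all."""
    return [(k, v) for k, v in form_fields(raw).items() if k.lower() in CREDENTIAL_FIELDS]

if __name__ == "__main__":
    print("GET  ->", plaintext_credentials(GET_REQUEST))
    print("POST ->", plaintext_credentials(POST_REQUEST))
```

Note that `%40` in the body decodes to `@`, which is why Wireshark displays `tony@1234` rather than the bytes on the wire; the point of the experiment is that the decoding step is all that stands between a passive observer and the password, and only TLS (HTTPS) removes the readable body from the capture.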
Experiment 5

Objective: ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

Install VirtualBox Manager on Windows

Install Kali Linux through VirtualBox

Choose the installer image

Start Kali Linux:
Open a terminal and run the command: ip add

Copy the MAC address from above and start a capture in Wireshark on Kali.

We observe: no traffic is being captured.

The aim is to capture the traffic between the target and the default gateway on the same link.

So we go to the target device (Windows) and find its IP address and default gateway:

IPv4 Address. . . . . . . . . . . : 192.168.1.5

Default Gateway . . . . . . . . . : 192.168.1.1

We are going to sniff the traffic once we enable ARP poisoning using the tool Ettercap.

OR

Click on the three dots and scan for hosts.

Select the IP address and add it to Target 1.
Select the default gateway and add it to Target 2.

Still nothing is being captured.

Select Current Targets.

Click ARP Poisoning and start sniffing.

Now we can see that packets are being captured.

Open Wireshark on the target machine and check for ARP poisoning.
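What the final step asks you to look for on the target (Wireshark flagging a duplicate IP address once the gateway's IP is answered by a second MAC) is easy to state as a rule. The Python script below is an added example, not part of the manual: it keeps the IP-to-MAC table a host would build from ARP replies and reports any reply that changes an existing binding, plus any MAC answering for more than one IP. The ARP replies and MAC addresses are constructed; the IPs are the ones used in the experiment.

```python
# Added example, not from the lab manual: detect ARP poisoning from the target side by
# tracking which MAC claims each IP. A change of the gateway's MAC, or one MAC answering
# for both gateway and target, is the man-in-the-middle signature.
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac). The gateway 192.168.1.1 is first
# announced by its real (hypothetical) MAC and later by the attacking VM's (hypothetical) MAC.
ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.5", "aa:bb:cc:00:00:05"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "08:00:27:12:34:56"),   # same IP, new MAC: poisoned entry
    ("192.168.1.5", "08:00:27:12:34:56"),   # attacker also claims the target's IP
]

def detect_arp_spoofing(replies):
    """Return (ip, known_mac, new_mac) for every reply that contradicts an existing binding.
    The first binding seen is kept, which is what a host's ARP cache should do as well."""
    table, alerts = {}, []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in table and table[ip] != mac:
            alerts.append((ip, table[ip], mac))
        table.setdefault(ip, mac)
    return alerts

def macs_claiming_multiple_ips(replies):
    """A single MAC answering for several IPs (gateway and target) is the classic MITM pattern."""
    ips = defaultdict(set)
    for ip, mac in replies:
        ips[mac.lower()].add(ip)
    return {mac: sorted(addrs) for mac, addrs in ips.items() if len(addrs) > 1}

if __name__ == "__main__":
    print("binding changes:", detect_arp_spoofing(ARP_REPLIES))
    print("multi-IP MACs:", macs_claiming_multiple_ips(ARP_REPLIES))
```

On a managed switch the equivalent defence is Dynamic ARP Inspection, which drops replies that disagree with the DHCP snooping table; on a single host, a static ARP entry for the gateway stops the poisoned reply from being accepted, at the cost of manual maintenance.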


Experiment No. 6

SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can
manipulate input fields to extract, modify, or delete database information.

Setting Up DVWA

1. Install DVWA:

- You can set up DVWA on your local machine using XAMPP or Docker.
- After installation, open DVWA in your web browser (usually accessible at http://localhost/dvwa).
- Log in with the default credentials (username: admin, password: password).

2. Set Security Level:

- Go to the DVWA Security tab and set the security level to "Low" for simplicity in this demonstration.

Basic SQL Injection Attack

1. Navigate to the SQL Injection Page:

- In the DVWA menu, click on "SQL Injection".

2. Understanding the Input Field:

- You will see an input field where you are asked to enter a user ID to fetch information from the database.

3. Testing for SQL Injection Vulnerability:

- In the input field, enter a simple SQL injection payload, such as 1' OR '1'='1. This input attempts to manipulate the SQL query behind the scenes.
- Click "Submit".

4. Analyzing the Result:

- If the application is vulnerable, it should return all user information from the database, because the injected condition '1'='1' is always true.

Extracting Database Information

1. Extracting All Users:

- Try a more sophisticated injection: ' OR 1=1--.
- This payload comments out the rest of the SQL query, causing the database to return all records.

2. Retrieving Specific Information:

- To extract specific information, you can tailor your query. For example: 1' UNION SELECT user, password FROM users--.
- This payload combines the results from the user ID query with a UNION statement that fetches all usernames and passwords from the users table.

Modifying Database Information

1. Altering Data:

- SQL injection can also be used to modify database entries. For example: 1'; UPDATE users SET password='hacked' WHERE user_id=1--.
- This payload attempts to change the password of the user with user_id=1 to 'hacked'.

Deleting Database Information

1. Deleting Data:

- An attacker can delete records with a similar approach. For example: 1'; DELETE FROM users WHERE user_id=1--.
- This payload deletes the user with user_id=1 from the database.

Protecting Against SQL Injection

To prevent SQL injection attacks:

1. Use Prepared Statements: Prepared statements with parameterized queries ensure that SQL code is passed separately from data.
2. Validate and Sanitize Input: Always validate and sanitize user inputs.
3. Use ORM Libraries: Object-Relational Mapping (ORM) libraries abstract away the SQL queries.
4. Least Privilege Principle: Grant the minimum necessary database privileges to your application.
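The difference between the vulnerable page and the first mitigation above (prepared statements) is easiest to see side by side. The Python script below is an added example, not DVWA's own code: it builds a small in-memory SQLite table (constructed rows, not DVWA's users), runs the user-ID lookup once by string concatenation and once with a bound parameter, and feeds both the payloads from the steps above.

```python
# Added example, not DVWA's source: the "low" pattern of building the query from the
# user ID string, next to the prepared-statement fix, on an in-memory SQLite table.
import sqlite3

def make_db():
    """Tiny stand-in for a users table (constructed rows, not DVWA's data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "hash1"), (2, "bob", "hash2"), (3, "carol", "hash3")])
    return con

def lookup_vulnerable(con, user_id: str):
    """String concatenation: the input becomes part of the SQL text, so a quote in the
    input closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT user_id, user FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()

def lookup_safe(con, user_id: str):
    """Prepared statement: the input is bound as a value and can never change the query.
    The same payload is compared against user_id as a string and matches nothing."""
    return con.execute("SELECT user_id, user FROM users WHERE user_id = ?", (user_id,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    for payload in ("1", "1' OR '1'='1", "' OR 1=1--"):
        print(f"{payload!r:20} vulnerable -> {len(lookup_vulnerable(con, payload))} rows, "
              f"safe -> {len(lookup_safe(con, payload))} rows")
```

Two caveats when you compare this with DVWA: SQLite accepts `--` as a comment with nothing after it, whereas MySQL needs a space (`-- `) or `#`; and Python's sqlite3 refuses stacked statements (`execute()` raises "You can only execute one statement at a time"), so the UPDATE and DELETE payloads from the steps above do not run here even though the concatenation flaw is the same.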

Conclusion

Practicing SQL injection on DVWA provides hands-on experience on how attackers exploit
vulnerabilities in web applications. By understanding these attacks, developers can better secure
their applications against such threats. Always ensure you have permission to test and attack
systems and never use these skills maliciously.
Experiment No. 7

Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts
into web pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing
websites.

Steps to Exploit XSS Vulnerabilities in DVWA

1. Setup DVWA

- Install DVWA: Install DVWA on your local machine or in a virtual environment. Ensure you have a web server (e.g., Apache) and a database server (e.g., MySQL) set up.
- Configure DVWA: Modify the config/config.inc.php file with your database credentials and other necessary configuration.
- Access DVWA: Navigate to http://localhost/dvwa or the appropriate URL to access the DVWA interface.

2. Log in to DVWA

- Use the default credentials (admin / password).
- Set the DVWA security level to Low for easier exploitation.

Injecting Malicious Scripts

Example 1: Stealing Cookies

1. Navigate to the XSS (Stored) section: This section allows you to inject scripts that will be stored and executed whenever the affected page is loaded.

2. Inject a Malicious Script:

- In the message or input field, enter the following script:
- This script sends the user's cookies to an external server controlled by the attacker. Replace http://attacker.com/steal.php with the attacker's actual server address.

3. Submit the Form: Submit the input containing the script.

4. Verify Cookie Theft: On the attacker's server, verify that the cookies have been received. This can be done by checking the logs or the steal.php script designed to log cookies.

Example 2: Defacing Websites

1. Navigate to the XSS (Reflected) section: This section reflects input back to the user, providing an opportunity to inject and execute scripts.

2. Inject a Defacement Script:

- In the input field, enter:

3. Submit the Form: Submit the input containing the script.

4. Verify Defacement: The web page should now display "Hacked by Attacker" instead of its original content.

Potential Impact of XSS Attacks

1. Stealing Cookies:

- Attackers can hijack user sessions by stealing cookies, gaining unauthorized access to user accounts.
- Example: If an attacker steals a session cookie from a logged-in user, they can impersonate that user on the website.

2. Website Defacement:

- Attackers can alter the appearance of web pages, causing reputational damage to the website.
- Example: Changing the content of a homepage to display offensive messages or propaganda.

3. Phishing Attacks:

- XSS can be used to create realistic-looking login forms to steal credentials.
- Example: Injecting a fake login form that sends user credentials to the attacker.

4. Malware Distribution:

- Attackers can inject scripts that redirect users to malicious sites or download malware.
- Example: Redirecting users to a site that automatically downloads ransomware.

Mitigating XSS Vulnerabilities

1. Input Validation: Sanitize and validate all user inputs to ensure they do not contain malicious scripts.
2. Output Encoding: Encode outputs so that any potentially malicious code is rendered harmless.
3. Content Security Policy (CSP): Implement CSP to restrict the sources from which scripts can be loaded.
4. Use Security Libraries: Utilize libraries and frameworks that offer built-in protection against XSS.
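The stored-XSS page is vulnerable because the saved message is written into the HTML unchanged; the mitigations listed above change either that one line (output encoding) or the browser's rules for the page (CSP, cookie flags). The Python script below is an added example, not DVWA's code: it renders a constructed guestbook entry both ways and builds the response headers a hardened page would send. The message, cookie name and policy are assumptions for the demonstration.

```python
# Added example, not DVWA's source: the stored-XSS page pattern (message echoed raw into
# HTML) beside the mitigations listed above: output encoding, a CSP header and an
# HttpOnly session cookie, so an injected script is neither executed nor able to read the cookie.
import html

# Constructed guestbook entry: a harmless probe payload of the kind a tester submits first.
STORED_MESSAGE = '<script>alert(1)</script> hello "world"'

def render_unsafe(message: str) -> str:
    """DVWA-low behaviour: the stored message is placed in the page as-is."""
    return f"<div class='message'>{message}</div>"

def render_safe(message: str) -> str:
    """Output encoding: every HTML-significant character becomes an entity,
    so the browser displays the text instead of parsing it as markup."""
    return f"<div class='message'>{html.escape(message, quote=True)}</div>"

def security_headers(session_id: str) -> dict:
    """Defence in depth: scripts only from our own origin and no inline scripts (CSP),
    and a session cookie that document.cookie cannot read (HttpOnly)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": f"PHPSESSID={session_id}; HttpOnly; Secure; SameSite=Lax",
    }

def contains_active_content(rendered: str) -> bool:
    """Rough check: does the rendered HTML still carry a script tag?"""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED_MESSAGE))
    print("safe:  ", render_safe(STORED_MESSAGE))
    print(security_headers("constructed-session-id"))
```

Encoding must happen at output time and match the context (HTML body here; attribute, URL and JavaScript contexts each need their own encoder), which is why the "use security libraries" point matters: template engines that auto-escape do this per context so no single echo is forgotten.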
