Internship report: TJ Institute of Technology
Submitted by
NAME: VINOTH.A REG NO: 312521104042
TJ INSTITUTE OF TECHNOLOGY
KARAPAKKAM
CHENNAI-600097
ANNA UNIVERSITY
CHENNAI-600025
TJ INSTITUTE OF TECHNOLOGY
RAJIV GANDHI SALAI, OMR THORAIPAKKAM, CHENNAI-600097
ANNA UNIVERSITY, CHENNAI-600025
BONAFIDE CERTIFICATE
Certified that this internship Cyber Security by VEBBOX SOFTWARE SOLUTION is the bonafide work of Vinoth A who carried out the internship under my supervision.
SIGNATURE SIGNATURE
MS. D. EVANGELINE NESA PRIYA MR. MOHAMAD ARSATH
HEAD OF THE DEPARTMENT CLASS IN CHARGE
ACKNOWLEDGEMENT
This work is just not an individual contribution till its completion, I take this opportunity to express a deep gratitude towards my teacher for providing excellent guidance, encouragement and inspiration throughout the training work. Without their invaluable guidance this work would never have been a successful one.
At last we must express our sincere heartfelt gratitude to all the staff members of Computer Science and Engineering Department who helped me directly or indirectly during this course of work.
Vinoth A
(SIGNATURE OF STUDENT)
Reg No: 312521104042
Date:
Table of Contents
Acknowledgment
1 Introduction
1.1 Objectives
1.2 Definitions
1.3 Scope of Internship
2 Basic Networking Concepts
2.1 Introduction
2.1.1 Components of Computer Networks
2.2 Types of Networks
2.3 IP Address
2.3.1 IPV4
2.3.2 IPV6
3 Linux Administration and Commands
3.1 Introduction
3.1.1 History of Linux
3.1.2 Directory Structure
3.2 Basic Commands
3.3 Hard Link and Soft Link
4 Evading IDS, Firewalls and Honeypots
4.1 Introduction
4.2 Working Mechanisms
4.2.1 Working of IDS
4.2.2 Working of Firewalls
4.2.3 Working of Honeypots
4.3 Countermeasures
5 Case Study
5.1 Project Definition
5.1.1 Project Objectives
5.1.2 Project Requirements
5.2 Methodologies
5.3 Vulnerability Assessment Process
5.4 Attack Narrative
5.4.1 Information Gathering
5.4.2 Service Enumeration
5.4.3 Penetration Testing
5.4.4 Maintaining Access
5.4.5 Clearing Tracks
6 Conclusion
6.1 Knowledge and Skills Acquired
6.2 Limitations
1. INTRODUCTION
Cybercrime is a global problem that's been dominating the news cycle. It poses a threat to individual security and an even bigger threat to large international companies, banks, and governments. Cyber Security involves protecting key information and devices from cyber threats. It is a critical part of companies that collect and maintain huge databases of customer information, social platforms where personal information is submitted and government organizations where secret, political and defense information is involved. It describes how personal and key government data is protected against attacks that pose a threat to important information, whether it is on the cloud or across various applications, networks and devices.
A lot of money is invested in protecting all this information on online platforms. With the number of people accessing information online increasing each day, threats to the information are also increasing, with the cost of online crimes estimated in billions. Historically, organizations and governments have taken a reactive, "point product" approach to combating cyber threats, producing individual security technologies, one on top of another, to save their networks and the valuable data within them. The use of cyber security can help prevent cyber-attacks, data breaches and identity theft and can aid in risk management.
When an organization has a strong sense of network security and an effective incident response plan, it is better able to prevent these attacks and reduce their seriousness. For example, end user protection defends information and guards against loss or theft while also scanning computers for malicious code. Cyber-attacks will cause financial and reputational damage even to the most resistant organisation. An organisation that suffers a cyber-attack has to face the loss of assets and business reputation, and potentially regulatory fines, legal action and the costs of remediation. A scalable and customized cyber security-driven business model includes disaster-recovery capabilities and secures data and the underlying infrastructure of the organization, thus building a safe barrier for the information even before it is attacked and saving the organization from a loss of billions of dollars that could result from the security threat.
1.1 Objectives
The objectives of a program of Industrial Training are:
● Applying acquired knowledge in problem based exercises in real life Industrial projects.
● Ensuring the relevant degree coursework and training programs are conducted according to the expectations of the industry, to ensure the subject contents are relevant and up to date.
● Providing an opportunity for students to acquire interpersonal skills and ability for teamwork through interaction with professionals in their field of study.
● Learning about ethics in the industry.
● Learning accepted safety practices in the industry.
● Providing an opportunity for students to learn about the industry of their discipline and related environment.
● Providing an opportunity for the industry to identify potential employees and to feed back comments on the degree program at large.
● Providing opportunity to obtain knowledge of how to make optimal decisions to resolve work challenges.
1.2 Definitions
● Information System - An electronic information system that processes data electronically through the use of information technology, including but not limited to computer systems, servers, workstations, terminals, storage media, communication devices, network resources, and any other input/output devices.
● Integrity - Only authorized persons are allowed to make changes to the information stored or processed by Information Systems in any aspects.
● Information Technology (IT) - The term "information technology" means computers, software and firmware (Hardware) and similar procedures, services (including support services) and related resources. This also includes any equipment or interconnected system or subsystem of equipment, which is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
● Threat - Any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
● Trojan horse - A piece of malware that often allows a hacker to gain remote access to a computer through a "back door".
● Botnet - A type of software application or script that performs tasks on command, allowing an attacker to take complete control remotely of an affected computer. A collection of these infected computers is known as a "botnet" and is controlled by the hacker.
● Spyware - A type of malware that functions by spying on user activity without their knowledge. The capabilities include activity monitoring, collecting keystrokes and data harvesting.
● DDoS - An acronym that stands for distributed denial of service, a form of cyber attack. This attack aims to make a service such as a website unusable by "flooding" it with malicious traffic or data from multiple sources (often botnets).
● Pen-testing - This practice is a means of evaluating security using hacker tools and techniques with the aim of discovering vulnerabilities and evaluating security flaws.
● Social Engineering - A technique used to manipulate and deceive people to gain sensitive and private information.
1.3 Scope of Internship
● Background of the host organization before testing for vulnerabilities.
● Deep knowledge of Linux operating systems and administration.
● Profound understanding of various cyber security tools to perform attacks and mitigate them.
● Performing Incident Management after attacking the organization's machines.
● Understanding and reproducing attacks on wireless networks.
● Enumeration of networks and websites before performing the attacks on a large scale.
● Developing zero day exploits for Windows operating systems and mitigating them.
2. BASIC NETWORKING CONCEPTS
2.1 INTRODUCTION:
An interconnection of multiple devices, also known as hosts, that are connected using multiple paths for the purpose of sending/receiving data or media is called a computer network. Computer networks can also include multiple devices which help in the communication between two different devices; these are known as Network devices and include things such as routers, switches, hubs, and bridges.
2.1.1 Components of Computer Network:
The main components of a computer network include routers, hubs, bridges, switches, wireless routers, wireless bridges, modems, cables and connectors, etc.
Routers: Routers connect multiple networks together. They also connect computers on those networks to the Internet. Routers enable all networked computers to share a single Internet connection, which saves money. A router acts as a dispatcher. It analyzes data being sent across a network, chooses the best route for data to travel, and sends it on its way.
Hub: Hub is a central device that splits the network connection into multiple devices. When a computer requests information from a computer, it sends the request to the Hub. Hub distributes this request to all the interconnected computers.
Switch: Switch is a networking device that groups all the devices over the network to transfer the data to another device. A switch is better than a Hub as it does not broadcast the message over the network, i.e., it sends the message to the device to which it belongs. Therefore, we can say that a switch sends the message directly from source to the destination.
Modem: Modem connects the computer to the internet over the existing telephone line. A modem is not integrated with the computer motherboard. A modem is a separate part on the PC slot found on the motherboard.
Bridge: A bridge is a network device that connects multiple LANs (local area networks) together to form a larger LAN. The process of aggregating networks is called network bridging. A bridge connects the different components so that they appear as parts of a single network. Bridges operate at the data link layer of the OSI model and hence are also referred to as Layer 2 switches.
Repeater: A repeater operates at the physical layer. Its job is to regenerate the signal over the same network before the signal becomes too weak or corrupted so as to extend the length to which the signal can be transmitted over the same network. An important point to be noted about repeaters is that they do not amplify the signal. When the signal becomes weak, they copy the signal bit by bit and regenerate it at the original strength. It is a 2 port device.
2.2 TYPES OF NETWORK:
There are various types of computer networks available. We can categorize them according to their size as well as their purpose. The size of a network should be expressed by the geographic area and number of computers which are a part of the network. It ranges from devices housed in a single room to millions of devices spread across the world.
A computer network is mainly of four types:
● LAN (Local Area Network)
● PAN (Personal Area Network)
● MAN (Metropolitan Area Network)
● WAN (Wide Area Network)
1. LAN (Local Area Network):
Local Area Network is a group of computers connected to each other in a small area such as a building or office.
● LAN is used for connecting two or more personal computers through a communication medium such as twisted pair, coaxial cable, etc.
● It is less costly as it is built with inexpensive hardware such as hubs, network adapters, and ethernet cables.
● The data is transferred at an extremely fast rate in Local Area Network.
● Local Area Network provides higher security.
Disadvantages of LAN:
Here are the important cons/drawbacks of LAN:
● LAN will indeed save cost because of shared computer resources, but the initial cost of installing Local Area Networks is quite high.
● The LAN admin can check personal data files of every LAN user, so it does not offer good privacy.
● Unauthorized users can access critical data of an organization in case the LAN admin is not able to secure the centralized data repository.
● Local Area Network requires constant LAN administration as there are issues related to software setup and hardware failures.
2. PAN (Personal Area Network):
● Personal Area Network is used for connecting the computer devices of personal use.
● Thomas Zimmerman was the first research scientist to bring the idea of the Personal Area Network.
● Personal Area Network covers an area of 30 feet.
● Personal computer devices that are used to develop the personal area network are the laptop, mobile phones, media player and play stations.
Disadvantages of PAN:
The drawbacks of using PAN network:
● It may establish a bad connection to other networks at the same radio bands.
● It has distance limits, i.e. it covers only short distances.
3. MAN (Metropolitan Area Network):
A metropolitan area network is a network that covers a larger geographic area by interconnecting different LANs to form a larger network.
● Government agencies use MAN to connect to the citizens and private industries.
● In MAN, various LANs are connected to each other through a telephone exchange line.
● The most widely used protocols in MAN are RS-232, Frame Relay, ATM, ISDN, OC-3, ADSL, etc.
● It has a higher range than Local Area Network (LAN).
Disadvantages of MAN:
The drawbacks of using the MAN network:
● You need more cable to establish a MAN connection from one place to another.
● In the MAN network it is tough to make the system secure from hackers.
4. WAN (Wide Area Network):
● A Wide Area Network is a network that extends over a large geographical area such as states or countries.
● A Wide Area Network is quite a bigger network than the LAN.
● A Wide Area Network is not limited to a single location, but it spans over a large geographical area through a telephone line, fibre optic cable or satellite links.
● The internet is one of the biggest WANs in the world.
● A Wide Area Network is widely used in the field of business, government, and education.
Disadvantages of WAN:
The drawbacks of using WAN:
● The initial setup cost of investment is very high.
● It is difficult to maintain the WAN network. You need skilled technicians and network administrators.
● There are more errors and issues because of the wide coverage and the use of different technologies.
● It requires more time to resolve issues because of the involvement of multiple wired and wireless technologies.
● It offers lower security compared to other types of networks.
2.3 IP ADDRESS:
There are four different types of IP addresses: public, private, static, and dynamic. While public and private are indicative of the location of the network (private being used inside a network while public is used outside of a network), static and dynamic indicate permanency.
A static IP address is one that was manually created, as opposed to having been assigned. A static address also does not change, whereas a dynamic IP address has been assigned by a Dynamic Host Configuration Protocol (DHCP) server and is subject to change. Dynamic IP addresses are the most common type of internet protocol addresses. Dynamic IP addresses are only active for a certain amount of time, after which they expire. The computer will either automatically request a new lease, or the computer may receive a new IP address.
An IP address can be compared to a Social Security Number (SSN) since each one is completely unique to the computer or user it is assigned to. The creation of these numbers allows routers to identify where they are sending information on the internet. They also make sure that the correct devices are receiving what is being sent.
There are two IP versions: IPv4 and IPv6. IPv4 is the older version which has a space of over 4 billion IP addresses. However, the new IPv6 version can provide up to trillions of IP addresses to fulfill the needs of all internet users and devices.
2.3.1 Internet Protocol Version 4 (IPV4):
Internet Protocol, being a layer-3 protocol (OSI), takes data Segments from layer-4 (Transport) and divides them into packets. The IP packet encapsulates data units received from the above layer and adds its own header information.
The encapsulated data is referred to as IP Payload. The IP header contains all the necessary information to deliver the packet at the other end.
The IP header includes much relevant information, including the Version Number, which, in this context, is 4. Other details are as follows:
● Version − Version no. of Internet Protocol used (e.g. IPv4).
● IHL − Internet Header Length; Length of entire IP header.
● DSCP − Differentiated Services Code Point; this is Type of Service.
● ECN − Explicit Congestion Notification; It carries information about the congestion seen in the route.
● Total Length − Length of entire IP Packet (including IP header and IP Payload).
● Identification − If an IP packet is fragmented during the transmission, all the fragments contain the same identification number, to identify the original IP packet they belong to.
● Flags − As required by the network resources, if the IP Packet is too large to handle, these 'flags' tell if they can be fragmented or not. In this 3-bit flag, the MSB is always set to '0'.
● Fragment Offset − This offset tells the exact position of the fragment in the original IP Packet.
● Time to Live − To avoid looping in the network, every packet is sent with some TTL value set, which tells the network how many routers (hops) this packet can cross. At each hop, its value is decremented by one and when the value reaches zero, the packet is discarded.
● Protocol − Tells the Network layer at the destination host to which Protocol this packet belongs, i.e. the next level Protocol. For example, the protocol number of ICMP is 1, TCP is 6 and UDP is 17.
● Header Checksum − This field is used to keep the checksum value of the entire header, which is then used to check if the packet is received error-free.
● Source Address − 32-bit address of the Sender (or source) of the packet.
● Destination Address − 32-bit address of the Receiver (or destination) of the packet.
● Options − This is an optional field, which is used if the value of IHL is greater than 5. These options may contain values for options such as Security, Record Route, Time Stamp, etc.
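The field list above maps directly onto the first bytes of a packet. The following Python code is an added example, not part of the original report: it decodes each listed field and validates the Version, IHL, reserved flag bit and Header Checksum. The function names and the sample header bytes are chosen here for illustration.

```python
import ipaddress
import struct

# Protocol numbers named in the text above.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: a 20-byte IPv4 header (no options) carrying UDP
# from 192.168.0.1 to 192.168.0.199.
SAMPLE_HEADER = bytes.fromhex(
    "4500007300004000" "4011b861c0a80001" "c0a800c7")


def internet_checksum(data: bytes) -> int:
    """Ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header fields and list anything that fails validation."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])

    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"Version field is {version}, not 4")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the minimum of 5 words")
    header_len = ihl * 4  # IHL counts 32-bit words
    if len(packet) < header_len:
        raise ValueError("IHL points past the end of the captured bytes")

    flags = flags_frag >> 13  # top 3 bits: reserved, DF, MF
    problems = []
    if flags & 0b100:
        problems.append("reserved flag bit is set")
    if total_length < header_len:
        problems.append("Total Length is smaller than the header")
    # Summing a header that includes a correct checksum yields zero.
    if internet_checksum(packet[:header_len]) != 0:
        problems.append("header checksum mismatch")

    return {
        "version": version,
        "ihl": ihl,
        "dscp": tos >> 2,
        "ecn": tos & 0b11,
        "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, "other"),
        "header_checksum": checksum,
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:header_len],  # non-empty only when IHL > 5
        "problems": problems,
    }


if __name__ == "__main__":
    for name, value in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{name:16} {value}")
```

Structural errors (wrong version, impossible IHL, truncated bytes) raise an exception, while recoverable anomalies are collected in the `problems` list so a capture can still be inspected.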
2.3.2 Internet Protocol Version 6 (IPV6):
Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion.
IPv6 is redesigned entirely. It offers the following features:
● Larger Address Space: In contrast to IPv4, IPv6 uses 4 times more bits to address a device on the Internet. This many extra bits can provide approximately 3.4×10^38 different combinations of addresses. This address space can accommodate the aggressive requirement of address allotment for almost everything in this world. According to an estimate, 1564 addresses can be allocated to every square meter of this earth.
● Simplified Header: IPv6's header has been simplified by moving all unnecessary information and options (which are present in the IPv4 header) to the end of the IPv6 header. The IPv6 header is only twice as big as IPv4's, even though an IPv6 address is four times longer.
● End-to-End Connectivity: Every system now has a unique IP address and can traverse through the Internet without using NAT or other translating components. After IPv6 is fully implemented, every host can directly reach other hosts on the Internet, with some limitations involved like Firewall, organization policies, etc.
● IPSec: Initially it was decided that IPv6 must have IPSec security, making it more secure than IPv4. This feature has now been made optional.
● No Broadcast: Though Ethernet/Token Ring are considered as broadcast networks because they support Broadcasting, IPv6 does not have any broadcast support any more. It uses multicast to communicate with multiple hosts.
● Anycast Support: This is another characteristic of IPv6. IPv6 has introduced Anycast mode of packet routing. In this mode, multiple interfaces over the Internet are assigned the same Anycast IP address. Routers, while routing, send the packet to the nearest destination.
● Mobility: IPv6 was designed keeping mobility in mind. This feature enables hosts (such as mobile phones) to roam around in different geographical areas and remain connected with the same IP address. The mobility feature of IPv6 takes advantage of auto IP configuration and Extension headers.
● Enhanced Priority Support: IPv4 used 6 bits DSCP (Differential Service Code Point) and 2 bits ECN (Explicit Congestion Notification) to provide Quality of Service, but it could only be used if the end-to-end devices support it, that is, the source and destination device and underlying network must support it. In IPv6, Traffic class and Flow labels are used to tell the underlying routers how to efficiently process the packet and route it.
● Smooth Transition: The large IP address scheme in IPv6 enables the allocation of devices with globally unique IP addresses. This mechanism saves IP addresses and NAT is not required. So devices can send/receive data among each other; for example, VoIP and/or any streaming media can be used much more efficiently. Another fact is, the header is less loaded, so routers can take forwarding decisions and forward packets as quickly as they arrive.
● Extensibility: One of the major advantages of the IPv6 header is that it is extensible to add more information in the option part. IPv4 provides only 40 bytes for options, whereas options in IPv6 can be as much as the size of the IPv6 packet itself.
An IPv6 address is 4 times larger than an IPv4 address, but surprisingly, the header of an IPv6 packet is only 2 times larger than that of IPv4. IPv6 headers have one Fixed Header and zero or more Optional (Extension) Headers. All the necessary information that is essential for a router is kept in the Fixed Header. The Extension Header contains optional information that helps routers to understand how to handle a packet flow.
Fixed Header:
● Version (4-bits): It represents the version of Internet Protocol, i.e. 0110.
● Traffic Class (8-bits): These 8 bits are divided into two parts. The most significant 6 bits are used for Type of Service to let the router know what services should be provided to this packet. The least significant 2 bits are used for Explicit Congestion Notification (ECN).
● Flow Label (20-bits): This label is used to maintain the sequential flow of the packets belonging to a communication. The source labels the sequence to help the router identify that a particular packet belongs to a specific flow of information. This field helps avoid reordering of data packets. It is designed for streaming/real-time media.
● Payload Length (16-bits): This field is used to tell the routers how much information a particular packet contains in its payload. Payload is composed of Extension Headers and Upper Layer data. With 16 bits, up to 65535 bytes can be indicated; but if the Extension Headers contain a Hop-by-Hop Extension Header, then the payload may exceed 65535 bytes and this field is set to 0.
● Next Header (8-bits): This field is used to indicate either the type of Extension Header, or if the Extension Header is not present then it indicates the Upper Layer PDU. The values for the type of Upper Layer PDU are the same as IPv4's.
● Hop Limit (8-bits): This field is used to stop packets from looping in the network infinitely. This is the same as TTL in IPv4. The value of the Hop Limit field is decremented by 1 as it passes a link (router/hop). When the field reaches 0 the packet is discarded.
● Source Address (128-bits): This field indicates the address of the originator of the packet.
● Destination Address (128-bits): This field provides the address of the intended recipient of the packet.
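The bit widths listed for the Fixed Header add up to exactly 40 bytes. The following Python code is an added example, not part of the original report: it packs and unpacks those eight fields and applies the Hop Limit rule the way a forwarding router would. The function names, the documentation-range addresses and the sample field values are assumptions made for illustration.

```python
import ipaddress
import struct

FIXED_HEADER_LEN = 40   # 4+8+20+16+8+8 bits plus two 128-bit addresses
HOP_BY_HOP = 0          # Next Header value of the Hop-by-Hop extension header
UPPER_LAYER = {6: "TCP", 17: "UDP"}  # same numbers as the IPv4 Protocol field


def build_fixed_header(traffic_class, flow_label, payload_length,
                       next_header, hop_limit, src, dst) -> bytes:
    """Pack the eight Fixed Header fields in wire order."""
    if not 0 <= traffic_class <= 0xFF:
        raise ValueError("Traffic Class is an 8-bit field")
    if not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("Flow Label is a 20-bit field")
    # Version (0110), Traffic Class and Flow Label share the first 32 bits.
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(
        "!IHBB16s16s", first_word, payload_length, next_header, hop_limit,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_fixed_header(packet: bytes) -> dict:
    """Decode the 40-byte IPv6 Fixed Header."""
    if len(packet) < FIXED_HEADER_LEN:
        raise ValueError("shorter than the 40-byte IPv6 Fixed Header")
    first_word, payload_length, next_header, hop_limit, src, dst = (
        struct.unpack("!IHBB16s16s", packet[:FIXED_HEADER_LEN]))
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"Version field is {version}, not 6")
    traffic_class = (first_word >> 20) & 0xFF
    return {
        "version": version,
        "dscp": traffic_class >> 2,      # most significant 6 bits
        "ecn": traffic_class & 0b11,     # least significant 2 bits
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "next_header_name": UPPER_LAYER.get(
            next_header, "extension header or other"),
        "hop_limit": hop_limit,
        "source": str(ipaddress.IPv6Address(src)),
        "destination": str(ipaddress.IPv6Address(dst)),
        # Payload Length 0 together with a Hop-by-Hop header signals a
        # payload larger than 65535 bytes.
        "possible_jumbogram": payload_length == 0 and next_header == HOP_BY_HOP,
    }


def forward_one_hop(packet: bytes):
    """Return the packet with Hop Limit decremented, or None if discarded."""
    hop_limit = packet[7]  # Hop Limit is the eighth byte of the header
    if hop_limit <= 1:     # would reach 0 at this hop: discard
        return None
    return packet[:7] + bytes([hop_limit - 1]) + packet[8:]


# Constructed sample: DSCP 46 with ECN 2, flow label 0x12345, 20-byte TCP payload.
SAMPLE_PACKET = build_fixed_header(
    0xBA, 0x12345, 20, 6, 2, "2001:db8::1", "2001:db8::2")

if __name__ == "__main__":
    print(parse_fixed_header(SAMPLE_PACKET))
    once = forward_one_hop(SAMPLE_PACKET)
    print("after one hop:", parse_fixed_header(once)["hop_limit"])
    print("after two hops:", forward_one_hop(once))
```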
3. LINUX ADMINISTRATION AND COMMANDS
3.1 INTRODUCTION:
Linux is one of the popular versions of the UNIX operating System. It is open source as its source code is freely available. It is free to use. Linux was designed considering UNIX compatibility. Its functionality list is quite similar to that of UNIX.
Components of Linux System:
Linux Operating System has primarily three components:
● Kernel − Kernel is the core part of Linux. It is responsible for all major activities of this operating system. It consists of various modules and it interacts directly with the underlying hardware. Kernel provides the required abstraction to hide low level hardware details from system or application programs.
● System Library − System libraries are special functions or programs using which application programs or system utilities access the Kernel's features. These libraries implement most of the functionalities of the operating system and do not require kernel module's code access rights.
● System Utility − System Utility programs are responsible for doing specialized, individual level tasks.
Kernel Mode vs User Mode:
Kernel component code executes in a special privileged mode called kernel mode with full access to all resources of the computer. This code represents a single process, executes in a single address space and does not require any context switch and hence is very efficient and fast. Kernel runs each process and provides system services to processes, providing protected access to hardware to processes. Support code which is not required to run in kernel mode is in the System Library. User programs and other system programs work in User Mode, which has no access to system hardware and kernel code. User programs/utilities use System libraries to access Kernel functions to get the system's low level tasks done.
Basic Features:
Following are some of the important features of Linux Operating System.
● Portable − Portability means software can work on different types of hardware in the same way. Linux kernel and application programs support their installation on any kind of hardware platform.
● Open Source − Linux source code is freely available and it is a community based development project. Multiple teams work in collaboration to enhance the capability of the Linux operating system and it is continuously evolving.
● Multi-User − Linux is a multiuser system, meaning multiple users can access system resources like memory/RAM/application programs at the same time.
● Multiprogramming − Linux is a multiprogramming system, meaning multiple applications can run at the same time.
● Hierarchical File System − Linux provides a standard file structure in which system files/user files are arranged.
● Shell − Linux provides a special interpreter program which can be used to execute commands of the operating system. It can be used to do various types of operations, call application programs, etc.
● Security − Linux provides user security using authentication features like password protection/controlled access to specific files/encryption of data.
Architecture:
The following illustration shows the architecture of a Linux system:
The architecture of a Linux System consists of the following layers −
● Hardware layer − Hardware consists of all peripheral devices (RAM/HDD/CPU etc).
● Kernel − It is the core component of the Operating System, interacts directly with hardware, and provides low level services to upper layer components.
● Shell − An interface to the kernel, hiding the complexity of the kernel's functions from users. The shell takes commands from the user and executes the kernel's functions.
● Utilities − Utility programs that provide the user most of the functionalities of an operating system.
3.1.1 HISTORY OF LINUX:
In 1969, a team of developers at Bell Labs started a project to make a common software for all the computers and named it 'Unix'. It was simple and elegant, used the 'C' language instead of assembly language and its code was recyclable. As it was recyclable, a part of its code now commonly called the 'kernel' was used to develop the operating system and other functions and could be used on different systems. Also its source code was open source.
In the eighties, many organizations like IBM, HP and dozens of other companies started creating their own Unix. It resulted in a mess of Unix dialects. Then in 1983, Richard Stallman developed the GNU project with the goal of making a freely available Unix-like operating system to be used by everyone. But his project failed in gaining popularity. Many other Unix-like operating systems came into existence but none of them was able to gain popularity.
In April 1991, Linus Torvalds, a 21-year-old student in computer science at the University of Helsinki, Finland, began his personal project to create a new operating system kernel. Linus took an early interest in computers mainly through the influence of his maternal grandfather, Leo Toerngvist, a professor of statistics at the University of Helsinki. In the mid-1970s, Toerngvist bought one of the first personal computers, a Commodore Vic 20. Linus soon became bored with the few programs that were available for it, and by the time he was 10, he began to create new ones, first using the BASIC programming language and then using the much more difficult but also more powerful assembly language. He published the Linux kernel under his own license, which restricted commercial use. Linux uses most of its tools from GNU software, which are under GNU copyright. In 1992, he released the kernel under the GNU General Public License.
3.1.2 DIRECTORY STRUCTURE:
The Linux File Hierarchy Structure or the Filesystem Hierarchy Standard (FHS) defines the directory structure and directory contents in Unix-like operating systems. It is maintained by the Linux Foundation.
● In the FHS, all files and directories appear under the root directory /, even if they are stored on different physical or virtual devices.
● Some of these directories only exist on a particular system if certain subsystems, such as the X Window System, are installed.
● Most of these directories exist in all UNIX operating systems and are generally used in much the same way; however, the descriptions here are those used specifically for the FHS, and are not considered authoritative for platforms other than Linux.
1. / – Root:
● Every single file and directory starts from the root directory.
● Only the root user has write privilege under this directory.
● Note that /root is the root user's home directory, which is not the same as /.
2. /bin – User Binaries:
● It contains binary executables.
● Common Linux commands you need to use in single-user modes are located under this directory.
● Commands used by all the users of the system are located here.
● For example: ps, ls, ping, grep, cp.
3. /sbin – System Binaries:
● Just like /bin, /sbin also contains binary executables.
● But the Linux commands located under this directory are typically used by system admins for
maintenance purposes.
● For example: iptables, reboot, fdisk, ifconfig, swapon
4. /etc – Configuration Files:
● It contains configuration files required by all programs.
● This also contains startup and shutdown shell scripts used to start/stop individual programs.
● For example: /etc/resolv.conf, /etc/logrotate.conf
5. /dev – Device Files:
● It contains device files.
● These include terminal devices, usb, or any device attached to the system.
● For example: /dev/tty1, /dev/usbmon0
6. /proc – Process Information:
● It contains information about the system processes.
● This is a pseudo filesystem containing information about the running processes. For example, the
/proc/{pid} directory contains information about the process with that particular pid.
● This is a virtual filesystem with text information about system resources.
For example: /proc/uptime
7. /var – Variable Files:
● var stands for variable files.
● Content of the files that are expected to grow can be found under this directory.
● This includes system log files (/var/log); packages and database files (/var/lib); emails (/var/mail);
print queues (/var/spool); lock files (/var/lock); temp files needed across reboots (/var/tmp).
8. /tmp – Temporary Files:
● Directory that contains temporary files created by the system and users.
● Files under this directory are deleted when the system is rebooted.
9. /usr – User Programs:
● It contains binaries, libraries, documentation, and source code for second-level programs.
● /usr/bin contains binary files for user programs. If you can't find a user binary under /bin,
look under /usr/bin.
For example: at, awk, cc, less, scp
● /usr/sbin contains binary files for system administrators. If you can't find a system binary under
/sbin, look under /usr/sbin.
For example: atd, cron, sshd, useradd, userdel
● /usr/lib contains libraries for /usr/bin and /usr/sbin
● /usr/local contains user programs that you install from source.
For example, when you install apache from source, it goes under /usr/local/apache2
10. /home – Home Directories:
● Home directories for all users to store their personal files.
● For example: /home/vivek, /home/aaryan
11. /boot – Boot Loader Files:
● It contains boot loader related files.
● Kernel initrd, vmlinux, grub files are located under /boot.
● For example: initrd.img-2.6.32-24-generic, vmlinuz-2.6.32-24-generic, etc.
12. /lib – System Libraries:
● Contains library files that support the binaries located under /bin and /sbin.
● Library filenames are either ld* or lib*.so.*
● For example: ld-2.11.1.so, libncurses.so.5.7, etc.
13. /opt – Optional add-on Applications:
● opt stands for optional.
● It contains add-on applications from individual vendors.
● The add-on applications should be installed under either /opt/ or /opt/ sub-directory.
14. /mnt – Mount Directory:
● Temporary mount directory where sysadmins can mount filesystems.
15. /media – Removable Media Devices:
● Temporary mount directory for removable devices.
● For example: /media/cdrom for CD-ROM; /media/floppy for floppy drives; /media/cdrecorder for CD
writer.
16. /srv – Service Data:
● srv stands for service.
● It contains server specific services related data.
● For example: /srv/cvs contains CVS related data.
3.2 BASIC COMMANDS:
Linux is a Unix-like operating system. All the Linux/Unix commands are run in the terminal
provided by the Linux system. This terminal is just like the command prompt of Windows OS.
Linux/Unix commands are case-sensitive. The terminal can be used to accomplish all administrative
tasks. This includes package installation, file manipulation, and user management. The Linux terminal
is user interactive. The terminal outputs the results of the commands specified by the user.
1. pwd: The pwd command is used to display the location of the current working directory.
2. mkdir: The mkdir command is used to create a new directory under any directory.
3. rmdir: The rmdir command is used to delete a directory.
4. ls: The ls command is used to display a list of the contents of a directory.
5. cd: The cd command is used to change the current directory.
6. touch: The touch command is used to create empty files. We can create multiple empty files by
executing it once.
8. rm: The rm command is used to remove a file.
9. cp: The cp command is used to copy a file or directory.
10. mv: The mv command is used to move a file or a directory from one location to another location.
11. rename: The rename command is used to rename files. It is useful for renaming a large group of files.
15. more: The more command is quite similar to the cat command, as it is used to display the
file content in the same way that the cat command does. The only difference between both commands is
that, in case of larger files, the more command displays a screenful of output at a time.
16. less: The less command is similar to the more command. It also includes some extra features such
as 'adjustment in width and height of the terminal.' Comparatively, the more command cuts the output
in the width of the terminal.
17. su: The su command provides administrative access to another user. In other words, it allows
access of the Linux shell to another user.
19. useradd: The useradd command is used to add or remove a user on a Linux server.
20. passwd: The passwd command is used to create and change the password for a user.
21. groupadd: The groupadd command is used to create a user group.
22. grep: grep is the most powerful and most used filter in a Linux system. 'grep' stands for
"global regular expression print." It is useful for searching the content of a file. Generally, it is used
with the pipe.
23. find: The find command is used to find a particular file within a directory. It also supports
various options to find a file, such as by name, by type, by date, and more.
24. date: The date command is used to display date, time, timezone, and more.
25. cal: The cal command is used to display the current month's calendar with the current date highlighted.
26. exit: The exit command is used to exit from the current shell. It takes a number as a parameter and
exits the shell with that number as the return status.
27. clear: The clear command is used to clear the terminal screen.
30. ssh: The ssh command is used to create a remote connection through the ssh protocol.
3.3 HARD LINK AND SOFT LINK:
A link in UNIX is a pointer to a file. Like pointers in any programming language, links in UNIX
are pointers pointing to a file or a directory. Creating links is a kind of shortcut to access files. Links
allow more than one filename to refer to the same file, elsewhere.
There are two types of links:
1. Hard Links
2. Soft Links or Symbolic links
1. Hard Links:
● Each hard linked file is assigned the same Inode value as the original, therefore they reference the
same physical file location. Hard links are more flexible and remain linked even if the original or
linked files are moved throughout the file system, although hard links are unable to cross different
file systems.
● The ls -l command shows all the links, with the link column showing the number of links.
● Links have actual file contents.
● Removing any link just reduces the link count, but doesn't affect other links.
● We cannot create a hard link for a directory, to avoid recursive loops.
● If the original file is removed then the link will still show the content of the file.
Command to create a hard link is: ln [original filename] [link name]
2. Soft Links:
● A soft link is similar to the file shortcut feature which is used in Windows operating
systems. Each soft linked file contains a separate Inode value that points to the original file. As
with hard links, any changes to the data in either file are reflected in the other. Soft links can
be linked across different file systems, although if the original file is deleted or moved, the soft
linked file will not work correctly (called a hanging link).
● The ls -l command shows all links with first column value l, and the link points to the original file.
● A soft link contains the path for the original file and not the contents.
● Removing the soft link doesn't affect anything, but on removing the original file the link becomes a
"dangling" link which points to a nonexistent file.
● A soft link can link to a directory.
● If you want to link files across the file systems, you can only use symlinks/soft links.
Command to create a soft link is: ln -s [original filename] [link name]
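The inode, link-count and dangling-link behaviour listed above can be checked directly. The script below is an added example, not part of the original report; the file names are constructed and everything happens in a temporary directory.

```shell
#!/bin/sh
# Added example: hard link vs. soft link behaviour on a scratch directory.
# File names below are constructed for the demonstration.

# Inode number of a path; ls -d does not follow a symlink given as argument.
inode_of()   { ls -di "$1" | awk '{print $1}'; }

# Link count: second column of "ls -l" (the "link column").
link_count() { ls -ld "$1" | awk '{print $2}'; }

# Classify a name: file, symlink (target exists), dangling, or missing.
link_state() {
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then echo symlink; else echo dangling; fi
    elif [ -e "$1" ]; then
        echo file
    else
        echo missing
    fi
}

# Create original.txt plus one hard link and one soft link inside $1.
make_links() {
    printf 'quarterly numbers\n' > "$1/original.txt"
    ln    "$1/original.txt" "$1/hard.txt"   # ln [original filename] [link name]
    ln -s "$1/original.txt" "$1/soft.txt"   # ln -s [original filename] [link name]
}

# Walk through the cases from the text and print what each name looks like.
demo_links() {
    dir=$(mktemp -d) || return 1
    make_links "$dir"
    echo "inode original=$(inode_of "$dir/original.txt")" \
         "hard=$(inode_of "$dir/hard.txt") soft=$(inode_of "$dir/soft.txt")"
    echo "link count before rm: $(link_count "$dir/hard.txt")"
    rm "$dir/original.txt"
    echo "link count after rm:  $(link_count "$dir/hard.txt")"
    echo "hard.txt still reads: $(cat "$dir/hard.txt")"
    echo "soft.txt is now:      $(link_state "$dir/soft.txt")"
    rm -rf "$dir"
}

demo_links
```

Removing one name does not destroy the data while another hard link exists, which matters when a sensitive file is supposed to be gone after rm.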
4. EVADING IDS, FIREWALLS AND HONEYPOTS
4.1 INTRODUCTION:
Attackers have a method that they work by. They follow phases to ensure success when attempting
to breach a network. There are many other aspects of these phases that don't fit conveniently into any
rigid categories. The five phases of an attack are:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
To thwart these attacks, Intrusion Detection Systems (IDS), firewalls, and honeypots are used in industries.
TERMINOLOGIES:
Intrusion Detection System (IDS): An IDS inspects all of the inbound and outbound network
activity, and identifies suspicious patterns that indicate an attack that might compromise a system.
Firewall: A firewall is a program or hardware device that protects the resources of a private
network from users of other networks.
Honeypot: A honeypot is a device intended to be compromised. The goal of a honeypot is to have
the system probed, attacked, and potentially exploited.
4.2 WORKING MECHANISMS:
4.2.1 WORKING OF IDS:
The main purposes of IDSes are that they not only prevent intrusions but also alert the
administrator immediately when the attack is still going on. The administrator could identify methods
and techniques being used by the intruder and also the source of the attack.
An IDS works in the following way:
● IDSes have sensors to detect signatures, and some advanced IDSes have behavioral activity detection
to determine malicious behavior. Even if signatures don't match, this activity detection system can
alert administrators about possible attacks.
● Once the signature is matched, the sensors pass on to anomaly detection, whether the received packet
or request matches or not.
● If the packet passes the anomaly stage, then stateful protocol analysis is done. After that, the
packets are passed on to the network through the switch. If anything mismatches again, the connections
are cut down from that IP source, the packet is dropped, and the alarm notifies the admin.
4.2.2 WORKING OF FIREWALLS:
● A firewall is a set of related programs located at the network gateway server that protects
the resources of a private network from users on other networks. Firewalls are a set of tools
that monitor the flow of traffic between networks. A firewall, placed at the network level and working
closely with a router, filters all network packets to determine whether or not to
forward them toward their destinations.
● A firewall is an intrusion detection mechanism. Firewalls are specific to an organization's security
policy. The settings of the firewalls can be changed to make appropriate changes to
the firewall functionality.
● Firewalls can be configured to restrict incoming traffic to POP and SNMP and to enable
email access. Certain firewalls block the email services to secure against spam.
A firewall works in the following way:
● Firewalls can be configured to check inbound traffic at a point called the "choke point,"
where a security audit is performed. The firewall can also act as an active "phone tap" tool in
identifying the intruder's attempt to dial into the modems within the network that is secured by
the firewall. The firewall logs consist of logging information that reports to the administrator on
all the attempts of various incoming services.
● The firewall verifies the incoming and outgoing traffic against firewall rules. It acts as a router
to move data between networks. Firewalls manage access of private networks to host applications.
● All the attempts to log in to the network are identified for auditing. Unauthorized attempts can be
identified by embedding an alarm that is triggered when an unauthorized user attempts
to log in. Firewalls can filter packets based on address and types of traffic.
4.2.3 WORKING OF HONEYPOTS:
● A honeypot is a system that is intended to attract and trap people who try unauthorized or
illicit utilization of the host system. Whenever there is any interaction with a honeypot, it is most
likely to be a malicious activity. Honeypots are unique; they do not solve specific problems.
● Some honeypots can be used to help prevent attacks; others can be used to detect attacks; while a
few honeypots can be used for information gathering and research.
● The Situational Awareness and Forensics (SAF) platform was specifically designed to allow forensic
investigation while still maintaining, but not compromising, functionality. The strategy
to use actual automation hardware overcame the inherent fidelity weaknesses of a virtualized ICS
platform, whereby the potential for hardware interaction is largely absent at the level of detail
supported by actual equipment, which is a key feature of physical ICS platforms.
● The OT honeypot consists of four major components:
1. Control systems and process simulation
2. Situational Awareness and Forensics (SAF) platform
3. The attacker's infrastructure
4. Remote monitoring infrastructure for the Honeypot.
● This was implemented in a standalone environment, the aim being to explore the feasibility
of different implementations, whilst making the system attractive (efficient) and maintaining
separation from actual operational systems.
4.3 COUNTERMEASURES:
Evading Firewall:
● Using Fragmented Packets.
● Using Firewalking to scan beyond the firewall for open ports.
● Using Source routing, avoiding the route of the Firewall.
Evading IDS:
● Deploying Insertion attacks against the target system.
● Launching DDoS attacks against the target server.
● Using session splicing and fragmentation.
● Sending invalid TCP packets.
● Modifying the attack payloads (Polymorphic Shellcodes).
Evading Honeypots:
● Attackers can determine the presence of honeypots by probing the services running on the system.
● Attackers craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP
over SSL (SMTPS), and IMAP over SSL (IMAPS).
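The signature and anomaly stages from 4.2.1, applied to the "invalid TCP packets" item above, can be sketched as a detection check over capture text. This is an added example, not part of the original report; the capture lines, addresses, alert labels and the SYN limit are constructed assumptions, and stateful protocol analysis is left out.

```shell
#!/bin/sh
# Added example: two IDS stages over tcpdump-style text lines.
# Stage 1 (signature): TCP flag combinations no valid connection produces.
# Stage 2 (anomaly):   more bare SYNs from one source than a set limit.
# The capture lines and addresses below are constructed sample data.

sample_tcp_capture() {
cat <<'EOF'
09:15:01.000100 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [S], seq 100, win 64240, length 0
09:15:01.000900 IP 198.51.100.5.80 > 192.0.2.10.40001: Flags [S.], seq 900, ack 101, win 65160, length 0
09:15:01.001500 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [.], ack 901, win 502, length 0
09:15:02.100000 IP 192.0.2.66.50000 > 198.51.100.5.22: Flags [FS], seq 1, win 1024, length 0
09:15:02.200000 IP 192.0.2.66.50001 > 198.51.100.5.23: Flags [none], seq 1, win 1024, length 0
09:15:02.300000 IP 192.0.2.66.50002 > 198.51.100.5.25: Flags [FPU], seq 1, win 1024, urg 0, length 0
09:15:03.000000 IP 192.0.2.77.41000 > 198.51.100.5.21: Flags [S], seq 5, win 1024, length 0
09:15:03.000100 IP 192.0.2.77.41001 > 198.51.100.5.22: Flags [S], seq 6, win 1024, length 0
09:15:03.000200 IP 192.0.2.77.41002 > 198.51.100.5.23: Flags [S], seq 7, win 1024, length 0
09:15:03.000300 IP 192.0.2.77.41003 > 198.51.100.5.25: Flags [S], seq 8, win 1024, length 0
EOF
}

# $1 = capture text file, $2 = bare-SYN limit per source (default 20).
# Prints one sorted line per alert: "<source> <stage> <reason> count=<n>".
ids_alerts() {
    awk -v limit="${2:-20}" '
    match($0, /Flags \[[a-zA-Z.]*\]/) {
        flags = substr($0, RSTART + 7, RLENGTH - 8)   # text inside [ ]
        src = $3
        sub(/\.[0-9]+$/, "", src)                     # drop the source port
        reason = ""
        if (flags == "none")                                reason = "null-flags"
        else if (flags ~ /S/ && flags ~ /F/)                reason = "syn+fin"
        else if (flags ~ /S/ && flags ~ /R/)                reason = "syn+rst"
        else if (flags ~ /F/ && flags ~ /P/ && flags ~ /U/) reason = "xmas"
        if (reason != "") sig[src SUBSEP reason]++
        if (flags == "S") syn[src]++                  # SYN with no other flag
    }
    END {
        for (k in sig) {
            split(k, part, SUBSEP)
            print part[1] " signature " part[2] " count=" sig[k]
        }
        for (s in syn)
            if (syn[s] > limit + 0)
                print s " anomaly syn-rate count=" syn[s]
    }' "$1" | LC_ALL=C sort
}

# Demo run on the constructed capture with a low limit of 3 bare SYNs.
tmp=$(mktemp)
sample_tcp_capture > "$tmp"
ids_alerts "$tmp" 3
rm -f "$tmp"
```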
5. CASE STUDY
5.1 Project Definition - Penetration Testing:
As part of the internship program, I was assigned to perform Penetration Testing on the Windows
10 Operating System by developing a zero-day exploit code and running it inside the system in order
to exploit the machine, gain shells and maintain persistence. Furthermore, I provided
remediation methods for the exploit. Due to confidentiality agreements, the details pertaining to the
exploit can't be made public. But the report will cover Requirements, Objective Scope and the VAPT process.
5.1.1 Objectives:
Project objectives are as follows:
● Identify the target machine and perform reconnaissance.
● Checking for firewalls and bypassing it for Intense NMAP Scans.
● Developing an exploit and creating backdoors for windows 10 systems.
● Binding the exploit code with legitimate software for payloads.
● Sending the payload to the victim's computer and accessing the system.
● Getting the administrator access of the target machine and creating persistence.
● Sniffing the system to get passwords and info about the target machine.
● Creating a user account and turning off the firewall to edit registry settings.
● Switching on the Virtual Network Computing (VNC) to take screenshots of the target machine.
● Extracting and breaking hashes from the compromised machine.
5.1.2 Project Requirements:
● Requirement of Kali linux machine for penetration testing.
● Windows 10 machine with updated antivirus engines and firewalls.
● Laptop/Desktop with at least 8 gigabytes of ram and 1 TB of hard disk capacity.
● At least 10 Mbps speed is required for downloading pentest tools.
● Nessus Vulnerability Tester.
● Acunetix Vulnerability Scanner.
5.2 Methodologies:
As for the penetration testing methodologies, we adopt from several well-known standards such as:
NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment
ISSAF - Information Systems Security Assessment Framework
ISECOM OSSTMM - Open Source Security Testing Methodology Manual
5.3 The Vulnerability Assessment Process:
Examples of threats that can be prevented by vulnerability assessment include:
1. SQL injection, XSS and other code injection attacks.
2. Escalation of privileges due to faulty authentication mechanisms.
3. Insecure defaults – software that ships with insecure settings, such as guessable admin passwords.
There are several types of vulnerability assessments. These include:
2. Network and wireless assessment – The assessment of policies and practices to prevent
unauthorized access to private or public networks and network-accessible resources.
3. Database assessment – The assessment of databases or big data systems for vulnerabilities
and misconfigurations, identifying rogue databases or insecure dev/test environments, and
classifying sensitive data across an organization's infrastructure.
The vulnerability assessment takes place in three steps:
● First, VAs are performed on the target system and the tester tries to understand how the operating
system or application actually works in real-time scenarios.
● Lastly, the individuals are assigned to resolve the issues in a limited period of time. They are
required to report to the management about the vulnerabilities and the steps they took to remedy them.
5.4 Attack Narrative:
For the purposes of this assessment of Windows 10 operating systems, we first use built-in tools
like burpsuite for scanning and enumerating networks whilst considering the firewall is turned on in
windows machines. Considering the results we can go either for aggressive scanning or developing an
exploit specially intended to penetrate the system. The possibility of doing aggressive scanning at
this point is extremely rare because of active firewalls, which do not give effective results as they
block all the ports. At this point, we turn to exploit development. It usually is based on the machine
you're attacking and can change with varying operating systems. It is generally targeted at a particular
operating system which has many attack vectors for successful deployment.
The steps performed after developing the exploit are:
● Information gathering or Footprinting of target machines.
● Service Enumeration of target machines.
● Penetration testing using exploits as middle-men.
● Maintaining Access and Creating Persistence.
● Clearing tracks on the target machine.
5.4.1 Information Gathering:
The information gathering portion focuses on identifying the scope of the penetration test. Footprinting
is a part of the reconnaissance process which is used for gathering possible information about a target
computer system or network. Footprinting could be both passive and active. Reviewing a company's website
is an example of passive footprinting, whereas attempting to gain access to sensitive information through
social engineering is an example of active information gathering. It helps in reducing
attack areas, identifying vulnerabilities, and drawing network maps of the target system.
It can also be done using kali linux tools such as:
1. Nmap
2. Hping3
3. UnicornScan
4. Armitage
5. ZenMap
1. Using Nmap for checking open ports:
● Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables
OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute.
● The point is to enable a comprehensive set of scan options without people having to remember a large
set of flags. However, because script scanning with the default set is considered intrusive, you
should not use -A against target networks without permission.
● Sometimes you may need to scan more aggressively or want to run a quick scan. You
can control this using the timing mechanisms. In NMAP, timing controls both the speed and
the depth of the scan.
● There are other options such as T1, T2, T3, and T4 scans. For most scans, T3 and T4
timings will be sufficient.
2. Using Hping3 for Enumerating target system:
● Hping3 is a command-oriented TCP/IP packet assembler/analyzer.
● It has a traceroute mode, the ability to send files between a covered channel and even
perform DDoS attacks.
● Hping3 is also used for:
1. Advanced Port Scanning.
2. Firewall testing.
3. Remote OS fingerprinting.
4. Advanced traceroute under all the supported protocols.
By performing these scans, we noticed that there are open ports on the windows machine but they can't
be accessed due to an active firewall. In such cases we develop an exploit or use automated tools for
further scanning of these networks.
5.4.2 Service Enumeration:
Enumeration is a process that allows us to gather information from a network. It allows attackers
to conduct dictionary attacks against systems and reveals information about who has access to
them. Against Windows systems, there are two known techniques to enumerate the users in the system:
SAMR enumeration and LSA bruteforcing. Both user enumeration techniques are implemented in the
Nmap Scripting Engine. While this attack requires a valid account on most systems, some systems
(Windows 2000 by default) allow user enumeration anonymously.
It can also be done using kali linux tools such as:
1. UnicornScan
2. Armitage
1. UnicornScan:
It is an asynchronous network stimulus delivery/response recording tool, meaning it sends out
broken/unorganized/fragmented packets (without a regular pattern, unlike other port scanning tools) to a
host and waits for the target's response.
● After getting the response, the TTL value is calculated for each port, thereby identifying
the operating system.
● One of the key features of unicornscan that sets it apart from nmap and other port scanners is
that it has its own TCP/IP stack. The other port scanners all use the underlying host operating
system's TCP/IP stack. This enables unicornscan to scan much more quickly than the others.
ms-wbt-server is a common name for a protocol that is used by Windows Remote Desktop and uses
the well-known TCP port 3389. It is a Microsoft protocol which provides a user with a graphical user
interface (GUI) while connecting to another computer over a network connection.
5.4.3 Penetration Testing:
The penetration testing portions of the assessment focus heavily on gaining access to windows
10 systems. A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure
by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, services
and application flaws, improper configurations or risky end-user behavior. Such assessments are also
useful in validating the efficacy of defensive mechanisms, as well as end-user adherence to security policies.
Penetration testing is typically performed using manual or automated technologies to
systematically compromise servers, endpoints, web applications, wireless networks, network devices,
mobile devices and other potential points of exposure. Once vulnerabilities have been successfully
exploited on a particular system, testers may attempt to use the compromised system to launch
subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher
levels of security clearance and deeper access to electronic assets and information via privilege escalation.
In this case, we use automated exploiting tools like armitage to exploit the windows 10 machines but it
is highly unlikely that the exploit will work due to an active firewall and updated antivirus engines.
We first develop an exploit code and run it in simulation. If the exploit works we bind it to
regular applications and hide its signature. Then, we deliver the payload to the target machine either
remotely or through social engineering. Due to confidentiality the details about the exploit cannot be
made public. But we will get a shell after successful exploitation of the target machine as shown below.
The exploitation mechanism used above is metasploit. It helps deliver our payload to the target
machine remotely. As shown above, the exploit we developed is bound to another legitimate program
and placed in a var/www/html folder for the server to recognize in the kali linux machine. This exploit is
then converted into a payload and delivered through metasploit as an intermediary. Netcat can also be
used as a delivery mechanism if metasploit is not available.
As shown in the above image, the exploit worked and a shell was launched from the target machine.
We performed a command called "sysinfo" which describes the internal characteristics of the target
machine, and similar commands will be available for other uses.
5.4.4 Creating persistence and Maintaining Access:
Maintaining access to a system is important to attackers; ensuring that we can get back into a
system after it has been exploited is invaluable. The maintaining access phase of the penetration test
focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have
administrative access over the system again. Many exploits may only be exploitable once and we may never
be able to get back into a system after we have already performed the exploit.
Persistence consists of techniques that adversaries use to keep access to systems across restarts,
changed credentials, and other interruptions that could cut off their access.
Methods for Generating persistence using Metasploit:
● Persistence_service
● Mitigation method for persistence_service exploit.
● Persistence_exe
● Mitigation method for persistence_exe exploit.
● Registry_persistence
● Mitigation method for Registry_persistence exploit.
● Persistence through Netcat.
● Persistence through Remote Desktop Protocol.
In this case, we use metasploit inbuilt persistence tools to create persistence in the target machine
as shown in the above image. After creating the persistence we switch to other sessions or we can exit
the current shell. As we mentioned above, there are different ways to create persistence; in this case we
used a persistent service method and switched between the sessions.
5.4.5 Clearing Tracks:
The clearing tracks portion of the project ensures that remnants of the penetration test are removed.
Often fragments of tools or user accounts are left on an organization's computer, which can cause
security issues down the road. Ensuring that we are meticulous and no remnants of our penetration
test are left over is important. It is the final stage of a penetration test as a process – all the rest
is paperwork. In a nutshell, its goal is to erase the digital signs left by the pen tester during the
earlier stages of the test. These digital signs, in essence, prove the pen tester's presence in the
targeted computer system.
It can be done in four ways:
1. Using reverse HTTP shells
2. Using ICMP tunnels
3. Clearing event logs
4. Shredding command history
1. Using Reverse HTTP Shells:
A shell is a code or program that executes user commands in a device like a server or mobile device.
We first install reverse HTTP shells on the victim computer and use it to send communications to the
target systems. The reverse shell is designed in a way that the target device will always return
commands. This is possible since port 80 is always open, and therefore, these commands are not flagged
by the network's perimeter security devices like firewalls. Firewalls will read these as benign HTTP
traffic in the network and, therefore, will allow communication between the devices. We can now gain
any information from the server undetected, leaving no footprint behind since all we did was send HTTP
commands.
2. Using ICMP Tunnels:
The Internet Control Message Protocol (ICMP) is used by a network device to test connectivity.
Unlike TCP or UDP protocols, which are used to transfer data, ICMP only transfers echo requests. We
first encapsulate these echo requests with TCP payloads and forward them to the proxy server. This request
is then de-encapsulated by the proxy server or system, which extracts the payload and sends it to the
attacker's system. The network's security devices read this communication as simple ICMP
packet transfer, hence facilitating the attacker in covering his tracks.
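Echo traffic that carries encapsulated data stops looking like ping, which gives a monitoring team something to measure. The check below is an added example, not part of the original report; the capture lines are constructed, and the size limit of 128 bytes and the limit of three distinct sizes per source are assumptions to tune for a given network.

```shell
#!/bin/sh
# Added example: flag hosts whose ICMP echo traffic does not look like ping.
# Heuristics (assumptions, tune per network): a normal ping keeps one small,
# fixed size; tunnelled data produces large and/or constantly changing sizes.
# The capture lines below are constructed sample data in tcpdump text format.

sample_icmp_capture() {
cat <<'EOF'
10:00:01.000000 IP 192.0.2.5 > 192.0.2.1: ICMP echo request, id 7, seq 1, length 64
10:00:01.000400 IP 192.0.2.1 > 192.0.2.5: ICMP echo reply, id 7, seq 1, length 64
10:00:02.000000 IP 192.0.2.5 > 192.0.2.1: ICMP echo request, id 7, seq 2, length 64
10:00:05.100000 IP 192.0.2.23 > 203.0.113.9: ICMP echo request, id 911, seq 1, length 1032
10:00:05.140000 IP 203.0.113.9 > 192.0.2.23: ICMP echo reply, id 911, seq 1, length 412
10:00:05.300000 IP 192.0.2.23 > 203.0.113.9: ICMP echo request, id 911, seq 2, length 97
10:00:05.900000 IP 192.0.2.23 > 203.0.113.9: ICMP echo request, id 911, seq 3, length 640
10:00:07.000000 IP 192.0.2.40 > 198.51.100.7: ICMP echo request, id 30, seq 1, length 70
10:00:07.200000 IP 192.0.2.40 > 198.51.100.7: ICMP echo request, id 30, seq 2, length 81
10:00:07.400000 IP 192.0.2.40 > 198.51.100.7: ICMP echo request, id 30, seq 3, length 95
10:00:07.600000 IP 192.0.2.40 > 198.51.100.7: ICMP echo request, id 30, seq 4, length 110
10:00:08.000000 IP 192.0.2.8.51000 > 192.0.2.1.443: Flags [S], seq 1, win 64240, length 0
EOF
}

# $1 = capture text file
# $2 = largest ICMP length still treated as normal (default 128)
# $3 = most distinct sizes one source may use (default 3)
# Prints one sorted line per suspicious source address.
icmp_tunnel_suspects() {
    awk -v max="${2:-128}" -v kinds="${3:-3}" '
    / ICMP echo (request|reply),/ {
        src = $3
        size = $NF + 0                    # last field is the ICMP length
        total[src]++
        if (size > max + 0) big[src]++
        if (!((src, size) in seen)) { seen[src, size] = 1; sizes[src]++ }
    }
    END {
        for (s in total)
            if (big[s] > 0 || sizes[s] > kinds + 0)
                printf "%s packets=%d oversized=%d distinct_sizes=%d\n", s, total[s], big[s], sizes[s]
    }' "$1" | LC_ALL=C sort
}

# Demo run on the constructed capture with the default limits.
cap=$(mktemp)
sample_icmp_capture > "$cap"
icmp_tunnel_suspects "$cap"
rm -f "$cap"
```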
3. Clearing Event Logs:
Another way to hide our tracks is by clearing event logs in a windows machine. Event logs can
be cleared in different ways; one of them is by using Metasploit's Meterpreter. First, we must exploit
a network or system using Metasploit. After a successful exploit, we then use the Meterpreter
command prompt and use the script "clearev" which clears all the event logs in the windows machine.
Event logs can also be cleared using the clearlog.exe file. We first install the program file into the
system or upload it using TFTP and use it to delete logs. After deleting the event logs, we then remove
the clearlog.exe file from the system since its mere presence could raise suspicion. Event logs in Linux
systems can also be deleted using text editors such as "kWrite". Logs in Linux systems are stored in the
"/var/log" directory. By opening "kwrite /var/log/messages", we can view and delete event logs to cover
our tracks.
4. Erasing or Shredding Command History:
If we do not have time to go through all the event logs, we can cover our tracks by erasing and
shredding the command history. Since a bash shell could save up to five hundred commands, we first delete
their bash history by resetting its size to zero. This is done using the command "export HISTSIZE=0".
The history file could also be shredded using the command "shred-root/bash_history".
There is an inbuilt command called "clearev" in the meterpreter shell, i.e. metasploit. Using this
command we can automatically delete all the logs stored by the target computer, or we can manually delete
them using the above mentioned methods.
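Disabling or shredding shell history leaves its own traces on a Linux host, and a responder can sweep home directories for them. The script below is an added example, not part of the original report; the user names and files are constructed, and the finding labels and the list of rc files checked are this example's own choices.

```shell
#!/bin/sh
# Added example: look for signs that bash history was disabled or destroyed.
# Users, files and finding labels are constructed for this demonstration.

# Settings in an rc file that stop history from being kept.
HIST_OFF_RE='^[[:space:]]*(export[[:space:]]+)?(HISTSIZE|HISTFILESIZE)=0([[:space:]]|$)|^[[:space:]]*unset[[:space:]]+HISTFILE|HISTFILE=/dev/null'

# Build five constructed home directories under $1, one per case.
build_sample_homes() {
    root=$1
    mkdir -p "$root/alice" "$root/bob" "$root/carol" "$root/dave" "$root/erin"
    printf 'ls -la\ncd /var/log\n' > "$root/alice/.bash_history"   # normal
    printf 'HISTSIZE=1000\n'       > "$root/alice/.bashrc"
    ln -s /dev/null                  "$root/bob/.bash_history"     # redirected
    printf 'whoami\n'              > "$root/carol/.bash_history"
    printf 'export HISTSIZE=0\n'   > "$root/carol/.bashrc"         # size zero
    printf '\001\002\377\200\003'  > "$root/dave/.bash_history"    # overwritten
    : > "$root/erin/.bash_history"                                 # truncated
}

# Print "<user> <finding>" for every home directory under $1, sorted.
history_findings() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        hist="${home}.bash_history"
        if [ -L "$hist" ]; then
            echo "$user history-is-symlink:$(readlink "$hist")"
        elif [ ! -e "$hist" ]; then
            echo "$user history-missing"
        elif [ ! -s "$hist" ]; then
            echo "$user history-empty"
        elif [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$hist" | wc -c | tr -d ' ')" -gt 0 ]; then
            # Bytes that are neither printable nor whitespace: not a text log.
            echo "$user history-not-text"
        fi
        for rc in .bashrc .bash_profile .profile; do
            [ -f "${home}${rc}" ] || continue
            if grep -Eq "$HIST_OFF_RE" "${home}${rc}"; then
                echo "$user ${rc}-disables-history"
            fi
        done
    done | LC_ALL=C sort
}

# Demo run on the constructed homes.
demo_root=$(mktemp -d)
build_sample_homes "$demo_root"
history_findings "$demo_root"
rm -rf "$demo_root"
```

History files are writable by the account that owns them, so these findings are triage leads; logs shipped off the host as they are written are the stronger record.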
Offer letter:
Certificate:
CONCLUSION
In today's business world, vital company information is accessed, stored and transferred
electronically. The security of this information and the systems storing this information are critical to
the reputation and prosperity of companies. Therefore, vulnerability assessments and penetration testing
of computer systems are routinely employed by businesses to obtain a complete evaluation of the security
risks of the systems. However, the methods for performing vulnerability assessments and penetration
testing are varied and cost prohibitive. The purpose of this internship was to investigate and develop an
exploit in a convenient, efficient and cost effective method for conducting penetration tests. The results
show that the exploit can be delivered through various payloads which resulted in successful exploitation
of the target machine.
5.5 Knowledge and Skills Acquired:
● To understand and deploy secure web communications and technologies.
● Ability to Script or Write Code using Python, Perl, Powershell and bash.
● Acquired Soft Skills (Public Speaking, Report Writing, Team Player).
● Knowledge of Vulnerabilities and Exploits Outside of Tool Suites.
● Understanding of web vulnerabilities: code execution, file upload, SQL, XSS.
● Signal jamming and DDoS: attacks and defenses.
5.6 Limitations of Internship:
The penetration testing is conducted with an objective to make a thorough study of various
exploit mechanisms, and whether it is possible to tweak the exploits in order to obfuscate them from
firewalls and antivirus engines. The limitations are as follows:
● Scheduled time span was not sufficient to write advanced script codes.