CS MANUAL-pages-deleted

The document discusses using OWASP ZAP and Nessus to identify web vulnerabilities. It explains how to install and use ZAP and Nessus, describing their user interfaces and functionality for scanning websites and networks to detect vulnerabilities.

Practical-6

AIM:- Implementation to identify web vulnerabilities, using the OWASP project

Tools: OWASP ZAP Proxy (Windows and Kali)

Description:

Introducing ZAP :

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool maintained
under the umbrella of the Open Web Application Security Project (OWASP). ZAP is
designed specifically for testing web applications and is both flexible and
extensible. At its core, ZAP is what is known as a “man-in-the-middle proxy”: it sits
between the tester’s browser and the web application so that it can intercept and
inspect the messages sent between them, modify their contents if needed, and then
forward them on to their destination. It can be used as a stand-alone application or
as a daemon process. If another network proxy is already in use, as in many corporate
environments, ZAP can be configured to connect through that proxy.
ZAP provides functionality for a range of skill levels, from developers and testers
new to security testing to security testing specialists. ZAP has versions for each
major OS and for Docker, so you are not tied to a single OS. Additional functionality
is freely available from a variety of add-ons in the ZAP Marketplace, accessible from
within the ZAP client. Because ZAP is open source, the source code can be examined to
see exactly how each feature is implemented. Anyone can volunteer to work on ZAP, fix
bugs, add features, create pull requests to bring fixes into the project, and author
add-ons to support specialized situations.

Install and Configure ZAP


ZAP has installers for Windows, Linux, and Mac OS/X. There are also Docker
images available on the download site listed below.

Install ZAP

The first thing to do is install ZAP on the system you intend to perform
penetration testing from.
Download the appropriate installer from ZAP’s download location at
https://www.zaproxy.org/download/ and execute the installer.

Note that ZAP requires Java 8+ in order to run. The Mac OS/X installer
includes an appropriate version of Java, but you must install Java 8+ separately
for the Windows, Linux, and Cross-Platform versions. The Docker versions do not
require you to install Java.

Once the installation is complete, launch ZAP and read the license terms. Click
Agree if you accept the terms; ZAP will finish installing and then start
automatically.

Persisting a Session

When you first start ZAP, you will be asked if you want to persist the ZAP
session. By default, ZAP sessions are always recorded to disk in an HSQLDB
database with a default name and location.

If you do not persist the session, those files are deleted when you exit ZAP.

If you choose to persist the session, the session information is saved in the local
database so you can access it later, and you can provide custom names and
locations for the saved files.
For now, select "No, I do not want to persist this session at this moment in time", then
click Start. The ZAP session will not be persisted for now.

ZAP Desktop UI:

The ZAP Desktop UI is composed of the following elements:

1. Menu Bar – Provides access to many of the automated and manual tools.
2. Toolbar – Includes buttons which provide easy access to the most commonly used
   features.
3. Tree Window – Displays the Sites tree and the Scripts tree.
4. Workspace Window – Displays requests, responses, and scripts and allows you to
   edit them.
5. Information Window – Displays details of the automated and manual tools.
6. Footer – Displays a summary of the alerts found and the status of the main
   automated tools.
[Screenshot: the ZAP dashboard after starting a session]
Click on the Alerts tab to see the vulnerabilities found.
[Screenshot: the Alerts tab listing the detected vulnerabilities]
Select any alert to read the description of that vulnerability.
[Screenshot: the description of a selected vulnerability]
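The following is an added example (not part of the lab manual and not ZAP project code) showing the daemon-mode use of ZAP mentioned above: it drives a running ZAP daemon through its JSON API (the spider, active scanner and core alerts endpoints) and then groups the alerts by risk level, the same view the Alerts tab gives in the desktop UI. The daemon address, the API key, and the target URL (a test application you run yourself) are assumptions to adjust; the SAMPLE_ALERTS records are constructed to show the shape of what the alerts endpoint returns, and they are what the script summarises unless it is run with --live against a real daemon.

```python
"""Drive ZAP in daemon mode through its JSON API and summarise the alerts.

Added example, not lab-manual or ZAP project code. Assumes a ZAP daemon
started roughly as:  zap.sh -daemon -port 8080 -config api.key=changeme
and a test application of your own at TARGET (all three values are assumptions).
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"       # assumption: local ZAP daemon address
API_KEY = "changeme"                # assumption: value passed via -config api.key=
TARGET = "http://localhost:3000/"   # assumption: an application you run yourself

# Risk levels as ZAP names them, most severe first.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed sample of the records core/view/alerts returns (one per finding instance).
SAMPLE_ALERTS = [
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "http://localhost:3000/"},
    {"risk": "High", "alert": "SQL Injection", "url": "http://localhost:3000/search?q=1", "param": "q"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "http://localhost:3000/"},
    {"risk": "Low", "alert": "Cookie Without Secure Flag", "url": "http://localhost:3000/login"},
]


def zap_call(component, kind, name, **params):
    """GET {ZAP}/JSON/<component>/<action|view>/<name>/ and decode the JSON reply."""
    params["apikey"] = API_KEY
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id):
    """Poll the spider or ascan status view until it reports 100 %."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def summarize_alerts(alerts):
    """Collapse alert records into [((risk, name), [distinct urls]), ...] sorted by risk.

    Only the 'risk', 'alert' and 'url' fields are used.
    """
    grouped = {}
    for a in alerts:
        key = (a.get("risk", "Informational"), a.get("alert", "?"))
        urls = grouped.setdefault(key, [])
        if a.get("url") not in urls:
            urls.append(a.get("url"))
    return sorted(grouped.items(), key=lambda kv: (RISK_ORDER.get(kv[0][0], 9), kv[0][1]))


def risk_counts(alerts):
    """Number of alert instances per risk level, e.g. {'High': 1, 'Medium': 2}."""
    counts = {}
    for a in alerts:
        risk = a.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def run_scan(target=TARGET):
    """Spider the target, actively scan it, then return the raw alert list."""
    wait_for("spider", zap_call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", zap_call("ascan", "action", "scan", url=target, recurse="true")["scan"])
    return zap_call("core", "view", "alerts", baseurl=target)["alerts"]


if __name__ == "__main__":
    alerts = run_scan() if "--live" in sys.argv else SAMPLE_ALERTS
    print("instances per risk:", risk_counts(alerts))
    for (risk, name), urls in summarize_alerts(alerts):
        print(f"[{risk}] {name}: {len(urls)} URL(s)")
```

Run it without arguments to see the grouping on the constructed records; run it with --live once a daemon is up to scan the configured target. The grouping by (risk, alert name) with distinct URLs is what turns ZAP's per-instance records into a triage list a developer can work through.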
CONCLUSION:
The number of reported web application vulnerabilities is increasing dramatically. Most of them result from
improper or missing input validation by the web application. Most existing approaches are based on the
Tainted Mode vulnerability model, which cannot handle inter-module vulnerabilities.
Practical-7

Aim: Implementation of IT Audit, malware analysis and Vulnerability assessment and generate the
report.

Objective: To know how to find vulnerabilities by using NESSUS

Requirements: Laptop, Kali Linux, Nessus package in Kali, malware analysis


NESSUS:

Nessus, developed by Tenable Inc, is a widely-used open-source vulnerability scanner. It
offers a paid subscription, Nessus Professional, as well as a free version, Nessus Essentials,
which is limited to 16 IP addresses per scanner.

Nessus provides a range of services, including vulnerability assessments, network scans, web scans,
asset discovery, and more, to aid security professionals, penetration testers, and other cybersecurity
enthusiasts in proactively identifying and mitigating vulnerabilities in their networks.

How to install Nessus in Kali

Unlike many security tools, Nessus does not come preinstalled on Kali Linux, but it is very easy to download
and install.

Follow these steps to install Nessus on your Kali:

1. Download the Nessus package for Debian from the Nessus website, making sure you set the
Platform to Linux-Debian-amd64.
2. When the download has finished, open your Linux terminal and navigate to the directory you
downloaded the Nessus file to.

Install Nessus using this command:


Start the Nessus service with this command:

On your browser, go to https://kali:8834/. It would show a warning page.


You can register with a temporary e-mail address; examples of online temporary e-mail services are shown below.

Allow Nessus to download the necessary plugins.

Click on New Scan to begin scanning for vulnerabilities.

Click on Advanced Scan.

Give a name for the scan (e.g. test, windows scan, etc.).
Enter the IP address of the Windows machine you want to scan for vulnerabilities in the Target box shown
below.

Give the credentials of your Windows machine (username and password) if you
know them (OPTIONAL). NOTE:- Providing credentials lets Nessus scan
deeper into the system.
Scroll down and click Save.

Click on Launch.
Wait for some time to get the output.
On the right side, click on Report to generate the entire vulnerability report of your system.
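What the generated report contains, as an added example that is not from the lab manual or from Tenable: besides the PDF/HTML reports, Nessus can export a scan in its own .nessus format, which is XML with one ReportItem element per finding and a severity attribute running from 0 (Info) to 4 (Critical). The script below parses such an export and summarises it by host and severity, including the zero-issue case the conclusion describes. The embedded documents are constructed, and their plugin IDs and names are placeholders rather than real Nessus plugins.

```python
"""Summarise a Nessus scan export (.nessus XML) by host and severity.

Added example, not lab-manual or Tenable code. Both sample documents below are
constructed; the pluginID / pluginName values are placeholders.
"""
import xml.etree.ElementTree as ET

# Meaning of the severity attribute on <ReportItem>.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="windows scan">
  <ReportHost name="192.0.2.10">
   <HostProperties>
    <tag name="host-ip">192.0.2.10</tag>
    <tag name="operating-system">Microsoft Windows 10</tag>
   </HostProperties>
   <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="2"
               pluginID="100001" pluginName="PLACEHOLDER SMB finding" pluginFamily="Windows">
    <risk_factor>Medium</risk_factor>
    <solution>Placeholder remediation text.</solution>
   </ReportItem>
   <ReportItem port="3389" protocol="tcp" svc_name="msrdp" severity="4"
               pluginID="100002" pluginName="PLACEHOLDER RDP finding" pluginFamily="Windows">
    <risk_factor>Critical</risk_factor>
    <solution>Placeholder remediation text.</solution>
   </ReportItem>
   <ReportItem port="0" protocol="tcp" svc_name="general" severity="0"
               pluginID="100003" pluginName="PLACEHOLDER OS fingerprint" pluginFamily="General">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# A constructed export of a host with no findings at all.
SAMPLE_CLEAN = """<NessusClientData_v2><Report name="clean host">
<ReportHost name="192.0.2.11"><HostProperties/></ReportHost></Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return one finding dict per <ReportItem>, across every <ReportHost>."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "solution": item.findtext("solution", default=""),
            })
    return findings


def severity_counts(findings, include_info=False):
    """Count findings per severity name; informational items are skipped unless asked for."""
    counts = {}
    for f in findings:
        if f["severity"] == 0 and not include_info:
            continue
        label = SEVERITY_NAMES[f["severity"]]
        counts[label] = counts.get(label, 0) + 1
    return counts


def actionable(findings, min_severity=3):
    """Findings at or above min_severity, most severe first: the remediation queue."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    return sorted(keep, key=lambda f: (-f["severity"], f["host"], f["port"]))


def report_lines(findings):
    """One text line per finding of Low or above, or a single line saying there are none."""
    lines = [f"{SEVERITY_NAMES[f['severity']]:8} {f['host']}:{f['port']}/{f['protocol']} {f['name']}"
             for f in actionable(findings, min_severity=1)]
    return lines or ["No issues at Low or above."]


if __name__ == "__main__":
    for doc in (SAMPLE_NESSUS, SAMPLE_CLEAN):
        fs = parse_nessus(doc)
        print(severity_counts(fs, include_info=True))
        print("\n".join(report_lines(fs)))
```

Informational items are counted separately on purpose: a raw total that includes fingerprinting and service-detection entries inflates the number the conclusion talks about, so the summary separates what needs fixing from what is merely observed.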
CONCLUSION:
A vulnerability assessment report shows the raw number of vulnerabilities detected
in your systems at a point in time. Of course, in an ideal scenario, you want your
vulnerability report to contain zero issues.
PRACTICAL-8

Aim: Implementation of OS hardening and RAM dump analysis to collect
the artifacts and other information.

A memory dump is the process of taking all the information content of RAM and
writing it to a storage drive as a memory dump file (*.RAW format).

Volatile memory, or RAM, is used to store data currently in use by a running process,
whether it is a user application or a system service. This type of memory is much
quicker than a regular hard drive, but unlike files permanently stored on a drive (unless
deleted), data in RAM may disappear instantly. At the same time, it may store data
crucial for your case, including passwords in raw form without encryption or encoding,
decrypted data otherwise kept encrypted on a drive, decryption keys for various services,
apps and whole-disk encryption (WDE), remote session data, chats in social networks, malware code,
cryptocurrency transactions, various system information such as loaded registry branches (hives), and
so on. This is why it is undisputed that capturing RAM contents must be one of the first
steps in seizing a running computer or laptop.

There are various tools that can be used to take a memory dump. Some of them
are:
1. Autopsy
2. Dump-IT

Procedure
Creating RAM dump using Dump-IT :

1. Download DumpIT tool from toolwar website


2. Open Dump-IT.exe
Autopsy performs operations onto disk images which can be created using tools like FTK
Imager.
Here an already created image is used. You may download Autopsy from here and the
disk image used in this article from here.
1. Getting Started
Open Autopsy and create a new case.

Click on Finish after completing both the steps.


2. Add a data source.
Select the appropriate data source type.

● Disk Image or VM File: Includes images that are an exact copy of a hard drive or
media card, or a virtual machine image.
● Local Disk: Includes hard disks, pen drives, memory cards, etc.
● Logical Files: Includes local folders or files.
● Unallocated Space Image File: Includes files that do not contain a file system
but need to be run through ingest.
The data source used here is a disk image. Add the data source destination.

Configure ingest modules.


The ingest modules determine the aspects for which the data in the data source is analyzed. Here
is a brief overview of each of them.
● Recent Activity: Discovers the recent operations performed on the disk, for example
the files that were last viewed.
● Hash Lookup: Identifies files using hash values.
● File Type Identification: Identifies files based on their internal signatures rather than just their
file extensions.
● Extension Mismatch Detector: Identifies files whose extensions have been tampered
with or changed, possibly to hide evidence.
● Embedded File Extractor: Extracts embedded files such as .zip, .rar, etc. and uses
the derived files for analysis. Another example could be a PNG image saved inside a
doc to make it appear as a document and thus hide crucial information.
● EXIF (Exchangeable Image File Format) Parser: Retrieves metadata
about image files, for example date of creation, geolocation, etc.
● Keyword Search: Searches for a particular keyword/pattern in the data source.
● Email Parser: If the disk holds any form of email database, for example pst/ost files
of Outlook, the information in these files can be extracted using the email parser.
● Encryption Detection: Detects and identifies encrypted / password-protected files.
● Interesting File Identifier: Lets you set custom rules for filtering the
data. The examiner is notified when results matching these rules are found.
● Correlation Engine: Allows properties to be saved to, and later retrieved from, the central
repository. It helps in displaying correlated properties.
● PhotoRec Carver: Recovers files, photos, etc. from unallocated space.
● Virtual Machine Extractor: Extracts and analyzes any virtual machine found on the data
source.
● Data Source Integrity: Calculates the hash values of the data source and stores them in the database
if they aren’t already present. Otherwise, it verifies the data source against the hash values stored in the
database.
● Plaso: Extracts timestamps from various types of files.
● Android Analyzer: Analyzes SQLite and other files retrieved from an Android device.
Select all that will serve the purpose of your investigation and click Next. Once the data
source is added, click Finish. It will take some time to extract and analyze the data,
depending upon the size of the data source.
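The following is an added example, not Autopsy code, that reproduces in miniature what four of the ingest modules listed above do: File Type Identification by leading-byte signatures, the Extension Mismatch Detector (signature type versus file extension), Hash Lookup against a set of known hashes, and Data Source Integrity (recomputing the image hash and comparing it with the recorded one). The "files" are constructed byte strings standing in for files carved from an image, the signature table is a small subset, and the hash set holds the hash of one of those constructed samples rather than any real indicator.

```python
"""Miniature ingest: file-type identification, extension mismatch, hash lookup,
and data-source integrity, in the spirit of the Autopsy modules of those names.

Added example, not Autopsy code. SAMPLE_FILES and KNOWN_BAD are constructed.
"""
import hashlib

# Leading-byte signatures ("magic") mapped to a canonical type. Constructed subset.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/apk/jar
    (b"MZ", "exe"),           # DOS/PE executable header
]

# Extensions that legitimately belong to each signature type.
ACCEPTED_EXT = {
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "apk", "jar"},
    "exe": {"exe", "dll", "sys", "scr"},
}


def identify(data):
    """File Type Identification: the signature type of data, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name):
    """Last extension of a file name, lower-cased ('' when there is none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def extension_mismatch(name, data):
    """Extension Mismatch Detector: True when the content has a known signature
    and the file's extension is not one that belongs to that signature."""
    kind = identify(data)
    if kind == "unknown":
        return False
    return extension_of(name) not in ACCEPTED_EXT[kind]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def ingest(files, known_bad_hashes):
    """Run the three per-file modules over {name: bytes}; one result dict per file."""
    results = []
    for name, data in files.items():
        digest = sha256(data)
        results.append({
            "name": name,
            "type": identify(data),
            "mismatch": extension_mismatch(name, data),
            "hash_hit": digest in known_bad_hashes,   # Hash Lookup
            "sha256": digest,
        })
    return results


def verify_image(data, expected_sha256):
    """Data Source Integrity: recompute the image hash and compare with the recorded one."""
    return sha256(data) == expected_sha256


# Constructed sample "files" from an imaginary data source.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,            # executable renamed to .pdf
    "notes.txt": b"just some text",
    "photo.png.exe": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,    # image renamed to .exe
}
# Constructed hash set: pretend the disguised executable is a known sample.
KNOWN_BAD = {sha256(SAMPLE_FILES["invoice.pdf"])}

if __name__ == "__main__":
    for r in ingest(SAMPLE_FILES, KNOWN_BAD):
        flags = " ".join(k for k in ("mismatch", "hash_hit") if r[k])
        print(f"{r['name']:14} {r['type']:8} {flags}")
```

Two details carry over to real images: a file with no recognised signature is reported as unknown rather than as a mismatch, so plain text and unusual formats do not flood the examiner with false flags, and the ZIP signature is accepted for several Office and Android extensions because those formats are ZIP containers.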
3. Exploring the data source:
The Data Source information: Here the basic metadata is shown. A detailed analysis is
displayed in the bottom section. These details can be extracted in the form of Hex values,
Results, File Metadata, etc.
The disk image is then broken down based upon its volume partitions.

Each volume can be browsed for its contents, results for which are displayed in the
section at the bottom. For example, the content shown below belongs to Data
Sources -> Mantooth.E01 -> MSOCache-> [Parent Folder].
Views (determine the basis on which files are classified)
● File Type: Here the files are categorized based upon their type. The classification can be
done either on the basis of file extension or MIME type. While both of these provide a
hint about how to deal with a file, file extensions are commonly used by the OS to decide
what program shall be used to open a file, and MIME types are used by the browser to
decide how to present the data (or by the server on how to interpret the data
received). Files displayed here also include deleted files.
● Deleted Files: Here information about the files that were specifically deleted can be
found. These deleted files can be recovered as well: right-click on the file to be
recovered -> click on Extract File(s) -> save the file in an appropriate destination.
● MB Size Files: Here files are classified based upon their size. The range starts
from 50MB. This enables the examiner to pick out exclusively large files.

● Note: It is usually advised not to scan or extract any suspected files/disks, such as payload
files, on the main system, but rather to scan them in a safe environment such as a virtual machine
and then extract the data, as they may be corrupt and may infect the
examiner’s system with viruses.

● Results:

All the extracted data is viewed in Views/Data Source. In Results, we get information
about this data.
● Extracted Content: Each type of Extracted Content displayed below can be further
explored. The following briefly explains each of them.
● EXIF Metadata: Contains all the .jpg images that have EXIF metadata associated
with them; this metadata can be analyzed further.
● Encryption Detection: Detects files that are password-protected/encrypted.
● Extension Mismatch Detection: As explained above, identifies the files whose
extensions do not match their MIME types and which may therefore be suspicious.
● Installed Programs: Gives details about the software used by the user. This
information is extracted from the Software registry hive.
● Operating System Information: Gives information about the OS with the help
of the Windows registry hive and the Software registry hive.
● Operating System User Account: Lists information about all the user accounts; for
example, accounts belonging to the device are extracted from the Software hive, and the
accounts associated with Internet Explorer from index.dat files.
● Recent Documents: Lists all the documents that were accessed around the time the
disk image was captured.
● Recycle Bin: Files that are temporarily stored on the system before being permanently
deleted are visible here.
● Remote Drive: Shows information about all the remote drives accessed using the system.
● Shell Bags: A shell bag is a set of registry keys that stores details about a folder being
viewed, such as its position, icon, and size. All the shell bags from the system can be
viewed here.
● USB Device Attached: All the information about the external devices attached to
the system is displayed here. This data is extracted from the Windows Registry,
which is in effect a maintained database of all the activities taking place on the
system.
● Web Cookies: Cookies save user information from the sites visited and thus provide a lot of
information about the user’s online activities.
● Web History: All the details about the browser history are shown here.
● Web Searches: Details about the web searches made are displayed here.
● Keyword Hits: Here specific keywords can be looked for in the image of the
disk. Multiple data sources can be selected for the lookup. The search can be
restricted to Exact match, Substring match or Regular expression (for example,
emails, IP addresses, etc.).
● HashSet Hits: Here the search can be made using hash values.
● E-mail Messages: Here all the outlook.pst files can be explored.
● Interesting Items: As discussed before, these are the file results based upon the
custom rules set by the examiner.
● Accounts: Here all the details regarding the accounts present on the disk are shown.
This disk has the following EMAIL accounts.
● Reports: Reports about the entire analysis of the data source can be generated and
exported in many formats.

● Communications: All the communications made using the source device are
displayed here. This device had communications only in the form of emails.
● Geolocation: This window displays the artifacts that have longitude and latitude
attributes as waypoints on a map. Here the data source has no waypoints.
● Timeline: Information about when the computer was used, or what events took place
before or after a given event, can be found here; this greatly helps in investigating events
around a particular time.
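The Keyword Hits view above offers Exact match, Substring match and Regular expression searches over the whole image; the same search is what surfaces the text strings a RAM dump holds, which this practical describes at the start. The following is an added example, not Autopsy code, implementing those three modes over a raw buffer (a disk image or a *.RAW memory dump) in both ASCII and UTF-16LE, the encoding Windows keeps most of its in-memory strings in, and reporting the byte offset and encoding of every hit. It goes slightly beyond the text by handling the UTF-16LE case, which a plain ASCII string scan would miss; the sample buffer is constructed and uses documentation-reserved addresses.

```python
"""Keyword Search over raw bytes: exact, substring and regex modes, in ASCII and
UTF-16LE, returning (byte_offset, encoding, match) for every hit.

Added example, not Autopsy code. SAMPLE_DUMP is a constructed buffer.
"""
import re

# Regular-expression searches an examiner typically runs (str patterns, applied to decoded views).
EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"


def utf16le_view(data, parity):
    """Decode data[parity:] as UTF-16LE one code unit at a time, so that text index i
    always sits at byte parity + 2*i (lone surrogates are kept instead of replaced,
    which is what keeps the offset arithmetic exact)."""
    end = parity + ((len(data) - parity) // 2) * 2
    return "".join(data[i:i + 2].decode("utf-16-le", "surrogatepass")
                   for i in range(parity, end, 2))


def views(data):
    """Yield (encoding, base_offset, bytes_per_char, text) for every decoding of the buffer:
    one ASCII/latin-1 view and the two UTF-16LE alignments (strings may start at odd offsets)."""
    yield "ascii", 0, 1, data.decode("latin-1")
    for parity in (0, 1):
        yield "utf16le", parity, 2, utf16le_view(data, parity)


def search(data, term, mode="substring"):
    """Autopsy-style keyword search. mode is 'exact', 'substring' or 'regex'."""
    if mode == "regex":
        rx = re.compile(term)
    elif mode == "exact":          # term must not be glued to other word characters
        rx = re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)")
    elif mode == "substring":
        rx = re.compile(re.escape(term))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    hits = []
    for encoding, base, stride, text in views(data):
        for m in rx.finditer(text):
            hits.append((base + stride * m.start(), encoding, m.group()))
    return sorted(hits)


# Constructed buffer: an ASCII config fragment, a UTF-16LE string at an odd offset
# (as Windows processes keep them), and two ASCII words that share a prefix.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"user=analyst@example.com;"
    + b"\x00" * 4
    + "Server=192.0.2.44".encode("utf-16-le")
    + b"\x00" * 4
    + b"admin administrator "
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    print("emails   :", search(SAMPLE_DUMP, EMAIL, "regex"))
    print("ipv4     :", search(SAMPLE_DUMP, IPV4, "regex"))
    print("exact    :", search(SAMPLE_DUMP, "admin", "exact"))
    print("substring:", search(SAMPLE_DUMP, "admin", "substring"))
```

The offsets returned are what an examiner carries into a hex view to see the surrounding bytes; the IP address in the sample is only found through the UTF-16LE view, and "admin" in exact mode matches once while substring mode also hits "administrator". Decoding one code unit at a time is slow on a multi-gigabyte dump and is used here for exact offsets; a production tool would scan in chunks.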

Almost all the basic features of Autopsy, and how it actually works, have been discussed in this
article. However, it is always recommended to go through different sample data sources to explore even
more.
CONCLUSION :

RAM dump acquisition and analysis are vital components of digital forensics and incident
response investigations. Ultimately, the RAM dump plays a critical role in modern digital
investigations, helping investigators piece together the puzzle and provide essential insights
for resolving cases.
PRACTICAL -9

Aim:
1. Update APT: sudo apt update

2. Install docker: sudo apt install docker.io

3. Search for the MobSF GitHub repository in your web browser.

Next, download the MobSF Docker image from
https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/
with the following command:

docker pull opensecurity/mobile-security-framework-mobsf:latest


Once you issue the command, you will notice the following output on your
console:

This signifies that the Docker image for MobSF is being downloaded. Once
completed, the following message will appear:

Now that the Docker image is downloaded, it can be run with the following
command:

docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf

Once done, you will see the message “Listening at: http://0.0.0.0:8000”. This
is the URL from which MobSF can be accessed.
Our MobSF framework is now ready for us to conduct static analysis of APK files.

For our testing, we take Facebook Lite’s APK file.


Once you upload the APK file, you will notice the following output
being printed on the terminal:
CONCLUSION:
You can also see a brief overview of the application you have reviewed,
and you can view the report for the same.
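Before an APK is uploaded for static analysis, it is worth confirming that the file is what MobSF expects: an APK is a ZIP container that must hold AndroidManifest.xml and at least one classes.dex, and MobSF identifies each scan by the file's MD5 checksum. The following is an added example, not MobSF code, that performs that pre-upload triage and computes the identifying hashes. The APK it inspects is constructed in memory with placeholder contents rather than a real application such as the one used above.

```python
"""Pre-upload triage of an APK: valid ZIP container, mandatory entries present,
v1 (JAR) signature present, CRCs intact, and the MD5/SHA-256 of the file.

Added example, not MobSF code. build_sample_apk() constructs a placeholder APK.
"""
import hashlib
import io
import zipfile

REQUIRED_ENTRIES = ("AndroidManifest.xml", "classes.dex")
V1_SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_sample_apk(signed=True, with_dex=True):
    """Construct a minimal APK-shaped ZIP with placeholder contents (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"PLACEHOLDER binary manifest")
        if with_dex:
            z.writestr("classes.dex", b"dex\n035\x00PLACEHOLDER")
        if signed:
            z.writestr("META-INF/CERT.RSA", b"PLACEHOLDER signature block")
        z.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Describe container validity, required entries, signing and hashes of an APK."""
    info = {"valid_zip": zipfile.is_zipfile(io.BytesIO(apk_bytes))}
    if not info["valid_zip"]:
        return info
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        info["bad_crc"] = z.testzip()   # None when every entry's CRC checks out
    info["missing"] = [n for n in REQUIRED_ENTRIES if n not in names]
    info["v1_signed"] = any(n.startswith("META-INF/") and n.upper().endswith(V1_SIGNATURE_SUFFIXES)
                            for n in names)
    # Multidex apps ship classes.dex, classes2.dex, ... at the root of the archive.
    info["dex_count"] = sum(1 for n in names if n.endswith(".dex") and "/" not in n)
    info["md5"] = hashlib.md5(apk_bytes).hexdigest()        # the checksum MobSF keys a scan on
    info["sha256"] = hashlib.sha256(apk_bytes).hexdigest()  # for your own evidence record
    return info


def ready_for_upload(info):
    """True when the archive is intact and has the entries a static analyzer needs."""
    return bool(info.get("valid_zip") and not info.get("missing") and info.get("bad_crc") is None)


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for key, value in report.items():
        print(f"{key:10} {value}")
    print("ready:", ready_for_upload(report))
```

The v1 check only looks for JAR-signing files under META-INF/; APKs signed with the newer v2/v3 schemes carry their signature in an APK Signing Block outside the ZIP entries, so a missing META-INF/*.RSA does not by itself mean the package is unsigned.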
