Cyber Security Lab Manual
(B.Tech: II Year)
ACROPOLIS INSTITUTE OF TECHNOLOGY & RESEARCH, INDORE
Department of Computer Science & Information Technology
Certificate
This is to certify that the experimental work entered in this journal as per the
BTech II year syllabus prescribed by the RGPV was done by Mr. / Ms.
…………………………………….. in …… semester in the Laboratory of this
institute during the academic year 2022 - 2026
GENERAL INSTRUCTIONS FOR LABORATORY CLASSES
DO’S
DON'TS
SYLLABUS
UNIT 1
Introduction to Cyber Crime, Challenges of Cybercrime, Classifications of Cybercrimes: E-Mail Spoofing,
Spamming, Internet Time Theft, Salami Attack/Salami Technique
UNIT 2
Web Jacking, Online Frauds, Software Piracy, Computer Network Intrusions, Password Sniffing, Identity
Theft, Cyber Terrorism, Virtual Crime, Perception of Cyber Criminals: Hackers, Insurgents and Extremist Groups
etc., Web Server Hacking, Session Hijacking.
UNIT 3
Cyber Crime and Criminal justice: Concept of Cyber Crime and the IT Act, 2000, Hacking, Teenage Web
Vandals, Cyber Fraud and Cheating, Defamation, Harassment and E-mail Abuse, Other IT Act Offences,
Monetary Penalties, jurisdiction and Cyber Crimes, Nature of Criminality, Strategies to tackle Cyber Crime
and Trends.
UNIT 4
The Indian Evidence Act of 1872 v. Information Technology Act, 2000: Status of Electronic Records as
Evidence, Proof and Management of Electronic Records; Relevancy, Admissibility and Probative Value of E-
Evidence, Proving Digital Signatures, Proof of Electronic Agreements, Proving Electronic Messages.
UNIT 5
Tools and Methods in Cybercrime: Proxy Servers and Anonymizers, Password Cracking, Keyloggers and
Spyware, Viruses and Worms, Trojan Horses, Backdoors, DoS and DDoS Attacks, Buffer Overflow, Attacks
on Wireless Networks, Phishing: Methods of Phishing, Phishing Techniques.
Lab Plan
CY402 Fundamental of Cyber Security
Exp – 1
Forecasts of the damage, alongside the discomfort of knowing that so much of one's personal data had
been exposed, quickly led to changes at Equifax, drew investigations by the Federal Bureau of
Investigation and other authorities, and made headlines as never before. All of it was warranted: the
Equifax event came close to home, with roughly 148 million Americans affected. Even today people
doubt that another breach could match it in scope and severity.
In all, the attackers were active inside Equifax's systems for 76 days. Forensic analysis showed that
the attack had two stages and was probably carried out by two separate teams of intruders.
On March 6, 2017, Chinese security researcher Nike Zheng publicly disclosed a remote code execution
vulnerability in Apache Struts, a back-end framework many companies use to build web applications.
Once the advisory for CVE-2017-5638 was published so that Apache and enterprise users could patch,
the "patch now" news made its way around message boards where attackers saw it too. Scanning the
Internet for exposed Struts applications, they found Equifax and, perhaps without yet understanding
its value, entered its systems on May 12th. Equifax had still not updated Struts by the intrusion
date and discovered the 76-day breach only on July 29, 2017. Once inside, the initial team installed
one or more web shells but struggled to navigate the network and get past firewalls and other parts
of the security architecture. Forensic data shows that a second group then entered the system and,
operating about 30 web shells from different addresses, hunted for consumer data by, among other
methods, abusing the credentials of legitimate Equifax users (see corporate account takeover, or
CATO).
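The operational lesson of the paragraph above is patching, but a practitioner also wants a compensating control while a patch is pending. The following is an added example, not code from Equifax or Apache: a reverse-proxy or WAF check that rejects HTTP requests whose Content-Type header is not a syntactically valid media type. CVE-2017-5638 was exploited by putting an OGNL expression where a media type belongs, so a request whose Content-Type contains expression markers such as `%{` or fails the RFC 7231 media-type grammar is blocked before it reaches the application. The request records and their paths are constructed for the demo.

```python
"""Block requests whose Content-Type is not a well-formed media type.
Added example (not Equifax's or Apache's code). Assumed deployment: a reverse
proxy in front of a Struts application awaiting the CVE-2017-5638 patch."""
import re

# RFC 7231 media type, simplified: type "/" subtype *( ";" parameter )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")

# Expression-language markers that never belong in a media type.
_EL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl")


def classify_content_type(value):
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    if value is None:
        return "allow", "no Content-Type header"
    lowered = value.lower()
    for marker in _EL_MARKERS:
        if marker.lower() in lowered:
            return "block", f"expression marker {marker!r} in Content-Type"
    if not _MEDIA_TYPE.match(value):
        return "block", "Content-Type is not a valid media type"
    return "allow", "well-formed media type"


def filter_requests(requests):
    """requests: iterable of dicts with 'method', 'path' and 'content_type' keys."""
    return [(r["path"], *classify_content_type(r.get("content_type"))) for r in requests]


# Constructed sample traffic, not real logs.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/", "content_type": None},
    {"method": "POST", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"},
    {"method": "POST", "path": "/api/login", "content_type": "application/json; charset=utf-8"},
    # Shape of an exploitation attempt: an expression where a media type belongs.
    {"method": "POST", "path": "/upload.action", "content_type": "%{(#probe='multipart/form-data')}"},
    # Malformed but not an expression: still rejected, the parser never sees it.
    {"method": "POST", "path": "/upload.action", "content_type": "multipart/form-data boundary=x"},
]

if __name__ == "__main__":
    for path, verdict, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{verdict:5} {path:16} {reason}")
```

The grammar check is the durable part: it needs no signature of the specific payload, and any future Content-Type trick has to pass the same parser. The marker list is a fast path that also gives a clearer log message.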
Equifax's bread and butter is consumer financial information, which it collects from banks at no cost
as people at all income levels are checked for creditworthiness; it analyzes and repackages this data
for lenders and others throughout the market for loanable funds. At a minimum the data contains
personally identifiable information (PII), which people are loath to disclose to strangers even in
conversation. A breathtaking amount of sensitive financial information and PII was exfiltrated: data on
147.9 million Americans, 15.2 million UK residents and 19,000 Canadians. A subset of the American data
included credit card numbers for 209,000 US consumers, as well as other documents containing PII. For
whoever holds it, such an identity profile is enough to carry out account takeover (ATO) and other
kinds of fraud. According to Equifax's initial analysis, the data typically included first and last
names, Social Security numbers, birth dates and addresses, plus driver's license numbers for some
people and the aforementioned bank card numbers for some.
3. Equifax learned of the breach through poor certificate management.
Equifax is blamed for its poor security posture, especially given its size and the kind of data it
handles. One shortcoming is glaring: Equifax had neglected to renew a certificate for at least 10
months before discovering the breach. Certificate renewal is a routine task for anyone operating web
services and a rather mundane duty for security practitioners; certificates let data in transit be
encrypted between trusted parties, and they expire and must be renewed periodically. What matters here
is where the expired certificate sat: on the network appliance that decrypts and inspects outbound
encrypted traffic. While that certificate was expired the appliance could not inspect the traffic, so
the encrypted exfiltration passed through unexamined. Only once Equifax made its tardy renewal did the
device regain visibility into the illicit movement of its data, and the breach was discovered. A
certificate does not by itself give its owner any inspection capability; the lesson is that an expired
certificate on a security appliance silently disables the control, so expiry must be monitored.
In February 2020, the US Government indicted members of the Chinese People's Liberation Army for the
attack on Equifax (the Chinese government denied involvement). Forensic evidence from the breach
supports the conclusion that China was involved, and so does circumstantial evidence. For one, the
data never appeared en masse on the dark web, where it could have been leveraged for millions or even
billions of dollars of financial fraud in the aftermath of the breach. That points to an advanced
persistent threat such as a nation state: a well-resourced adversary has no need for financial gain
through credit card, mortgage or property fraud. Investigators note that the tactics used against
Equifax have the hallmarks of other attacks attributed to China, such as the 2015 intrusions at the US
Office of Personnel Management (OPM) and the health insurer Anthem, Inc. If not financial gain, what
was the motive? Experts postulate that a state could analyze information on so many American and
Western targets for strategic decision-making, that the attackers were after a high-net-worth subset
of the Equifax victims, or that they were looking for financially vulnerable people in positions of
authority who could be pressured into betraying US interests.
On July 22, 2019, Equifax settled with the US Federal Trade Commission (FTC) and various states,
territories and authorities over penalties, victim compensation and measures to avoid future breaches.
The total cost of the settlement was around $575 million. The damage to its reputation was
incalculable, a breach of trust in proportion to the breach of records. In the immediate aftermath,
Equifax was also mocked and vilified for its incident response, which saw it stumbling out of the
gate, and it faced allegations of insider trading by executives looking to avoid financial losses. It
will take many years for people to associate the name Equifax with something other than "massive data
breach".
Exp – 2
Ransomware does this by either encrypting valuable files, so you are unable to read them, or by
locking you out of your computer, so you are not able to use it.
Ransomware that uses encryption is called crypto ransomware. The type that locks you out of
your computer is called locker ransomware.
Like other types of crypto-ransomware, WannaCry takes your data hostage, promising to return
it if you pay a ransom.
WannaCry targets computers using Microsoft Windows as an operating system. It encrypts data
and demands payment of a ransom in the cryptocurrency Bitcoin for its return.
The WannaCry ransomware attack was a global epidemic that took place in May 2017.
This ransomware attack spread through computers running Microsoft Windows. Users' files were held
hostage, and a Bitcoin ransom was demanded for their return.
Were it not for the continued use of outdated systems and poor awareness of the need to update
software, the damage caused by this attack could have been avoided.
The criminals responsible took advantage of a weakness in the Windows implementation of the SMB
file-sharing protocol, using an exploit allegedly developed by the United States National Security
Agency. Known as EternalBlue, the exploit was made public by a group calling itself the Shadow
Brokers before the WannaCry attack.
Microsoft had released a security patch (MS17-010) that protected systems against this exploit almost
two months before the WannaCry outbreak began. Unfortunately, many individuals and organizations do
not regularly update their operating systems; those that had not applied the update did not benefit
from the patch, and the vulnerability exploited by EternalBlue left them open to attack.
When it first happened, people assumed that WannaCry had initially spread through a phishing campaign
(a phishing campaign is where spam emails with infected links or attachments lure users into
downloading malware). In fact, EternalBlue was the exploit that allowed WannaCry to propagate from
machine to machine without any user action, and DoublePulsar was the backdoor it installed on
compromised computers and then used to execute the ransomware.
The attackers demanded $300 worth of Bitcoin and later increased the demand to $600. Victims were told
that if they did not pay within three days their files would be permanently deleted.
The advice on ransom payments is not to cave in to the pressure. Always avoid paying a ransom: there
is no guarantee that your data will be returned, and every payment validates the criminals' business
model, making future attacks more likely.
This advice proved wise during the WannaCry attack, as the payment handling in the malware was
reportedly faulty: when victims paid, the attackers had no way of associating a payment with a
specific victim's computer, so they could not tell whom to send a decryption key to.
There is some doubt about whether anyone got their files back. Some researchers claimed that no one
did; however, the security company F-Secure claimed that some victims did. Either way, this is a stark
reminder of why paying the ransom is never a good idea.
Exp - 3
A brazen cyber-attack was carried out in August 2018 on Pune-based Cosmos Bank, in which almost Rs 94
crore was siphoned off. The attackers moved the money out by breaching Cosmos Bank's systems, part of
it by transfer to a bank in Hong Kong. They broke into the bank's ATM switch server and stole data on
several Visa and RuPay card holders. The attack was not on Cosmos Bank's core banking solution:
account balances and overall statistics stayed unaffected, and customers' account holdings were
untouched. What was targeted was the switching system, which acts as the interface between the payment
gateways and the bank's core banking solution. The malware implanted in the switch answered Visa and
RuPay debit card withdrawal requests from around the world with forged approval messages. In two days
the attackers withdrew a total of Rs 78 crore from ATMs in 28 countries, including Hong Kong and
Canada as well as a few ATMs in India, and another Rs 2.5 crore was withdrawn within India. The total
number of transactions was
BACKGROUND
In the wake of the recent cyber heist carried out on Cosmos Cooperative Bank in August 2018, it is
necessary to understand the history and anatomy of such attacks, which are no
Government infrastructure, banks and other entities are very closely associated with the financial
well-being of a nation, and are attractive targets for attackers for the same reason. Another
It has been observed in the recent past that these types of attacks, specifically on banks, have
become horrifyingly commonplace, leaving consumers feeling highly insecure. This paper attempts to
understand some subtle and some not-so-subtle reasons behind the Cosmos Bank case. Although a lot of
the content in this paper is based on the news articles published on the subject to date (sources
credited in the end section), some of it is speculation to fill in the gaps where the
INTRODUCTION
Cosmos Cooperative Bank, Pune, India, had to take various change management measures to improve its
cyber security architecture and manage its balance sheet in the wake of the cyber-attack on the
bank's ATM and SWIFT payment infrastructure.
The bank faced a cyber-attack on its ATM infrastructure on 11th August 2018 and again on its SWIFT
infrastructure on 13th August 2018. It was described as the biggest, most damaging and best-planned
attack in the history of the Indian banking industry. The attack focused on the bank's
infrastructure, effectively bypassing the main layers of defence, and shook the entire banking
industry and the institutions around it, including RBI, CERT-In, SWIFT, NPCI and Visa. The attackers
operated from 29 countries: more than 12,000 transactions worth Rs 81.99 crore were carried out at
ATMs abroad using Visa debit cards, and 2,800 transactions worth Rs 2.75 crore were withdrawn from
domestic ATMs using RuPay cards, all within just four hours. A further Rs 13.92 crore was transferred
fraudulently over SWIFT to the account of M/s ALM Trading Limited at Hang Seng Bank, Hong Kong.
Because this was a malware attack on the switch, the ATM transactions never reached the bank's core
banking system and were never checked against customer balances. While these transactions were going
on, had Visa and NPCI compared them with the bank's regular transaction pattern (thousands of
withdrawals in 28 countries within hours, from a cooperative bank with a largely domestic customer
base), the abnormality would have been obvious and the transactions could have been stopped in time,
avoiding the loss to the bank.
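What such a comparison against the bank's normal pattern could look like, as an added example on constructed data (it is not Cosmos Bank's, Visa's or NPCI's real logs or rules): a quiet baseline week is used to set an hourly rate of foreign ATM withdrawals, and the live feed is checked for a burst far above that rate, for one card appearing in several countries within an hour (the cloned-card signature), and for a burst that starts on a weekend, which the text notes is when these attacks were run and when alerts went unattended.

```python
"""Baseline comparison of card-switch traffic. Added example on constructed
data; the log format, thresholds and the attack burst are all made up here."""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "IN"


def parse_log(lines):
    """Each line is 'ISO-timestamp,card_id,country,amount_inr' (constructed format)."""
    rows = []
    for line in lines:
        ts, card, country, amount = line.strip().split(",")
        rows.append((datetime.fromisoformat(ts), card, country, float(amount)))
    return rows


def hourly_foreign_rate(rows):
    """Mean number of foreign-ATM withdrawals per hour across the rows' time span."""
    if not rows:
        return 0.0
    foreign = sum(1 for r in rows if r[2] != HOME_COUNTRY)
    span = (max(r[0] for r in rows) - min(r[0] for r in rows)).total_seconds() / 3600
    return foreign / max(span, 1.0)


def detect_anomalies(baseline_rows, live_rows, window=timedelta(hours=1),
                     rate_multiplier=10.0, max_countries_per_card=2):
    """Alerts for live_rows judged against baseline_rows.
    Rule 1: foreign withdrawals in any one-hour window exceed rate_multiplier x baseline rate.
    Rule 2: one card is used in more than max_countries_per_card countries within a window.
    Rule 3: a burst that begins on a weekend is flagged so it is not left until Monday."""
    alerts = []
    threshold = rate_multiplier * max(hourly_foreign_rate(baseline_rows), 1.0)
    live = sorted(live_rows)
    # Rules 1 and 3: sliding one-hour window over foreign withdrawals only.
    foreign = [r for r in live if r[2] != HOME_COUNTRY]
    start = 0
    for end in range(len(foreign)):
        while foreign[end][0] - foreign[start][0] > window:
            start += 1
        count = end - start + 1
        if count > threshold:
            t0 = foreign[start][0]
            alerts.append(f"VELOCITY {t0:%Y-%m-%d %H:%M}: {count} foreign withdrawals within 1h "
                          f"(threshold {threshold:.0f})")
            if t0.weekday() >= 5:
                alerts.append(f"WEEKEND {t0:%Y-%m-%d}: burst began on a weekend, escalate now")
            break  # one alert per burst is enough for the demo
    # Rule 2: distinct countries per card within one window.
    by_card = defaultdict(list)
    for ts, card, country, _ in live:
        by_card[card].append((ts, country))
    for card, events in by_card.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - ts <= window}
            if len(countries) > max_countries_per_card:
                alerts.append(f"IMPOSSIBLE-TRAVEL {card}: {len(countries)} countries within 1h "
                              f"({', '.join(sorted(countries))})")
                break
    return alerts


# Constructed baseline: a handful of withdrawals over a week, one of them abroad.
BASELINE_LOG = [
    "2018-08-01T10:15:00,card-0001,IN,2000",
    "2018-08-02T09:05:00,card-0002,IN,5000",
    "2018-08-03T18:30:00,card-0003,AE,7000",
    "2018-08-05T12:00:00,card-0004,IN,1500",
    "2018-08-07T08:45:00,card-0005,IN,3000",
]


def _burst():
    """Constructed attack traffic: 40 withdrawals in under 30 minutes on Saturday
    11 August 2018 across eight countries, with one cloned card reused everywhere."""
    countries = ["HK", "CA", "US", "AE", "GB", "SG", "RU", "IN"]
    t0 = datetime(2018, 8, 11, 15, 0)
    lines = []
    for i in range(40):
        card = "card-1001" if i % 3 == 0 else f"card-2{i:03d}"
        ts = (t0 + timedelta(seconds=42 * i)).isoformat()
        lines.append(f"{ts},{card},{countries[i % len(countries)]},9000")
    return lines


ATTACK_LOG = _burst()

if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(BASELINE_LOG), parse_log(ATTACK_LOG)):
        print(alert)
```

The point of the baseline is that the thresholds come from the bank's own history rather than from a fixed number: a bank whose customers rarely travel should alarm at a much lower foreign-withdrawal rate than a large commercial bank would.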
The Rs 13.92 crore transferred over SWIFT was traced within just 15 minutes. Immediate action was
taken, and the bank asked Hang Seng Bank in Hong Kong to hold the amount; with the assistance of the
Hong Kong Police and the courts, the bank recovered Rs 8 crore. The bank did not only lose money:
day-to-day operations and all payment systems were affected, with a direct impact on the bank's
transactions, until the entire security system had been analysed and restored. That the attack
succeeded despite all the security systems in place shocked not only Cosmos Bank but the entire
banking sector. Before reinstating the necessary systems a detailed audit and inspection was carried
out. Taking the advice of consultants, the bank introduced more efficient and robust security systems
and made additional capital investments to harden the new systems. The attack and the restoration of
the payment systems affected customers and their transactions. The bank faced premature withdrawal of
term deposits of approx. Rs 500 crore and savings deposits of Rs 415 crore, and lost Rs 3.70 crore in
card commission because of the incident. Doubts and fear were raised in customers' minds about the
bank's position, which resulted in some customers choosing to withdraw
situation and streamlined day-to-day work successfully within a short span. During this phase some
members of society started spreading rumours that the bank was facing severe losses and might shut
down. While various banking organisations from the cooperative sector
solidarity with the bank. Similarly, all media reported the bank's account of the incident positively.
In the six-monthly review at the Board of Directors' meeting held in October 2018, the situation
caused by the cyber-attack was analysed and the expected business for the next six months was
appraised.
The bank's internal infrastructure, primarily the ATM infrastructure, was most likely
Once the malware had successfully travelled through the bank's infrastructure it is possible that it
The malware severed the connection between the switch and the bank's Core Banking System (CBS). This
let the attackers issue instructions and control the responses of the ATM infrastructure; the bank
states that the attackers installed a proxy switch, which answered authorisation requests in place of
the genuine one, so withdrawals were approved without the CBS ever being consulted.
The attackers also tampered with the balances of some target accounts and allowed unauthorised cash
Designated money mules across the world carried out the cash withdrawals immediately upon receiving
the signal.
Since the CBS was completely kept out of the loop, none of these withdrawals were recorded or
It is possible that preparation for this activity started months earlier. The attackers stole customer
SWIFT TRANSFER
On August 13, 2018, the threat actor continued the attack against Cosmos Bank, likely by moving
laterally.
The Cosmos Bank SWIFT SAA environment Left security officer/Right security officer
Trading Limited at Hang Seng Bank in Hong Kong, amounting to around US$2 million.
Although nothing can be said with certainty as of now, it is speculated that the North Korean
state-sponsored threat group Lazarus is behind this attack. As per our research, however, there has
been no conclusive evidence of this. Additionally, there is no visible chatter
Having said this, it cannot be denied that the Lazarus Group could have spawned copycats in the hacker
community, leading to a similar M.O. The attack bears signatures associated with the Lazarus Group:
the use of Windows admin shares for lateral movement, custom command and control (C2) that mimics
TLS, adding new services on targets for persistence, Windows Firewall
The Bangladesh Bank heist has been attributed to the Lazarus Group. Here is a brief history and
evolution of Lazarus.
The main objective of this paper is to come up with a comprehensive list of dos and don'ts that
Patching, although probably the most basic measure, is also the most overlooked. The reasons range
from sheer negligence to the business department's reluctance to allow downtime.
The amount of attention that test infrastructure gets is sorely lacking. UAT systems are usually
unpatched and at the same time connected to production systems, which is a potentially dangerous
weakness: an attacker who lands on an unpatched test box has a path into production. It is highly
recommended that test systems are patched
Application whitelisting should be introduced on critical bank servers. It prevents attackers from
installing their remote-control tools, monitoring financial transactions and escalating privileges,
and it helps identify unauthorised attempts to run such malicious applications.
As an additional defence layer, the network can be configured to allow only specific connections, so
that only the applications that are supposed to communicate with each other can do so.
Network traffic analysis
Continuous monitoring and regular analysis of network traffic go a long way towards preventing nasty
outcomes. Where the bank lacks this expertise it is highly recommended that it seeks external expert
assistance; this is no longer a matter of choice on the bank's part. Having said that, banks must
understand that outsourcing monitoring and analysis does not absolve them of responsibility. Banks
should stay in constant touch with the monitoring service provider, understand the threats and take
the appropriate corrective
Awareness
Almost all bank heists seem to have started with an unaware or careless employee clicking on a
malicious link. It is evident in all the bank heists that the people-awareness factor played probably
the most important part. User training on phishing and other social engineering tactics is a must, no
matter how repetitive or boring it is for employees, along with constant reminders to be wary of
genuine-seeming emails that ask for sensitive information or ask the reader to click on links.
It should be borne in mind at all times that phishers are getting cleverer and more and more
It is worth noting here that the attacks were executed over a weekend, and the alerts that would
otherwise have been attended to went completely unnoticed. Banks have to start being
SWIFT
Banks should keep an eye out for advisories and tips released by SWIFT from time to time, in
CONCLUSION
The cybercrime event affected the bank's entire business and called the integrity of its processes
into question. Reputation risk manifested as a run on deposits of approx. Rs 1,000 crore. The bank
managed the turnaround through various change management measures: management was able to create
urgency and a coalition of the entire staff to ward off customers' fears, and the investigation and
various balance-sheet exercises restored profitability as well as confidence, which helped garner new
business. It was an extremely difficult and challenging task, but the bank successfully enhanced its
image by increasing business, and so the year under review can be called productive and optimistic.
The Prime Minister's Office took cognizance of this cyber-attack, considering it an attack on the
country's cyber security system and not just on one bank. RBI issued new directive principles for
digital banking which previously applied only to commercial banks. Considering the modus operandi of
the cyber-attack, various seminars and workshops were conducted at the national level for
Exp – 4
Case Study of Wireshark
What is Wireshark?
Wireshark is a sniffer as well as a packet analyzer.
You can think of a sniffer as a measuring device. We use it to examine what is going on inside a
network cable, or in the air if we are dealing with a wireless network. A sniffer shows us the data
that passes through our network card.
But Wireshark does more than that. A plain sniffer could just display the stream of bits, ones and
zeroes, that the network card sees. Wireshark is also a packet analyzer: it decodes the frames it sees
and displays meaningful, protocol-aware information about them.
Wireshark is a free, open-source tool and is widely used to analyze network traffic.
Wireshark is helpful in many situations. It can help debug problems in your network, for instance if
you cannot connect from one computer to another and want to understand what is going on.
It can also help programmers. For example, imagine that you were implementing a chat program between
two clients and something was not working. To understand exactly what is being sent, you can use
Wireshark to see the data transmitted over the wire.
Download it from https://www.wireshark.org/#download
Follow the instructions in the installer and you should be good to go.
To start a capture, press Ctrl+K (Cmd+K on macOS), or go to Capture -> Options, and you get this
screen:
[Figure: the Capture Options window in Wireshark (Source: Brief)]
Here we can see a list of interfaces, and I happen to have quite a few. Which one is relevant? If you
are not sure at this point, look at the Traffic column and see which interfaces currently have
traffic.
Here we can see that Wi-Fi 3 has traffic going through it, as the sparkline is high. Select the
relevant network interface and then hit Enter, or click the Start button.
Let Wireshark sniff the network for a bit, then stop the capture with Ctrl+E / Cmd+E. Again, this can
be done in other ways, such as going to Capture -> Stop or clicking the Stop icon.
Consider the different sections:
[Figure: Wireshark's sections (Source: Brief)]
The section marked in red is Wireshark's menu, with all kinds of interesting options.
The main toolbar is marked in blue, providing quick access to some items from the menu.
Next, marked in green, is the display filter. We will get back to it shortly, as this is one of the
most important features of Wireshark.
Then follows:
(Note: the term frame refers to a sequence of bytes at the data link layer, while a packet is a
sequence of bytes at the network layer. In this post the terms are used interchangeably, though to be
accurate every captured packet arrives inside a frame, while not every frame carries a packet, as some
frames hold no network-layer data.)
As you can see in the image above, we have a few columns here:
Number (No.) – The number of the packet in the capture file. This number does not change even when we
apply filters; it is just a sequential number: the first frame you captured gets number 1, the second
gets number 2, and so on.
Time – The timestamp of the packet. It shows how much time has passed between the very first packet
captured and the packet in question, so the time for packet number 1 is always 0.
Source – The address this packet is coming from. Do not worry if you do not yet understand the format
of the addresses; we will cover the different address types in future tutorials.
Protocol – The protocol name in short form. This is the top protocol, that is, the protocol of the
highest layer that Wireshark could decode.
Info – Additional information about the packet content; what is shown depends on the protocol.
By clicking on packets in this pane, you control what is displayed in the other two panes, which I
will now describe.
The packet details pane displays the packet selected in the packet list pane in more detail.
You can see the layers here.
In the example above we have Ethernet II as the second layer, IPv4 as the third layer, UDP as the
fourth layer, and some data as the payload.
When we click on a specific layer, we actually see the header of that layer.
Notice that we do not see the first (physical) layer on its own. As a reminder, the first layer is
responsible for transmitting single bits, 0 or 1, over the medium (if you need a refresher on the
different layers, check out this post).
Below the packet details pane is the packet bytes pane. It displays the raw bytes of the packet
selected in the packet list pane, that is, the actual data sent over the wire, shown in hexadecimal
alongside its ASCII rendering.
How to Use the Display Filter
Wireshark has many different functions, and today we will focus on one thing – the display
filter.
As you can see, once you start sniffing data, you get a LOT of traffic. But you definitely don’t
want to look at everything.
Recall the example from before – using Wireshark in order to debug a chat program that you’ve
implemented. In that case, you would like to see the traffic related to the chat program only.
Let's say I want to filter only messages sent by the source address of frame number 149
(192.168.1.3). I will cover IP addresses in future posts, but for now you can see that it consists of
four numbers delimited by dots:
Now, even if you don’t know how to filter only packets sent from this IP address, you can use
Wireshark to show you how it’s done.
For that, go to the field we want to filter on, in this case the source IP address, then right-click
-> Apply as Filter -> Selected.
After applying the filter you only see packets sent from this address. Look at the display filter
line and you can see the expression used; this is a good way to learn the display filter syntax (in
this example the field is ip.src, the IP source address):
Now, try to filter only packets sent from this address and to the address 172.217.16.142 (as in
Frame 130 in the image above). How would you do that?
You could go to the relevant field, in this case the IP destination address, and right-click -> Apply
as Filter -> ...and Selected:
Look at the display filter line after applying this filter:
You will see that the && operator performs a logical AND. You can also write the word and instead and
get the same result.
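To make the filter syntax concrete, here is an added example (not part of Wireshark, and not code from the original tutorial): a small evaluator for the subset of the display-filter language used above, covering field comparisons with == and !=, bare field or protocol names, && and and, || and or, ! and not, and parentheses, with the same precedence as Wireshark. It runs the filters from the walkthrough over constructed packet records whose frames 130 and 149 carry the addresses used above.

```python
"""Evaluator for a subset of Wireshark's display-filter syntax. Added example;
the packets are constructed records with the field names Wireshark would show."""
import re

# Constructed packets; frames 130 and 149 mirror the addresses in the walkthrough.
PACKETS = [
    {"frame.number": 1,   "ip.src": "192.168.1.3",    "ip.dst": "192.168.1.1",    "udp.dstport": 53},
    {"frame.number": 130, "ip.src": "192.168.1.3",    "ip.dst": "172.217.16.142", "tcp.dstport": 443},
    {"frame.number": 131, "ip.src": "172.217.16.142", "ip.dst": "192.168.1.3",    "tcp.srcport": 443},
    {"frame.number": 149, "ip.src": "192.168.1.3",    "ip.dst": "224.0.0.251",    "udp.dstport": 5353},
    {"frame.number": 150, "ip.src": "192.168.1.7",    "ip.dst": "172.217.16.142", "tcp.dstport": 80},
]

_TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|!|[A-Za-z_][\w.]*|[\d.]+|"[^"]*")')


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent with precedence ! > && > ||, as in Wireshark.
    Every rule returns a predicate: packet dict -> bool."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() in ("||", "or"):
            self.take()
            lhs, rhs = node, self.and_expr()
            node = lambda p, l=lhs, r=rhs: l(p) or r(p)
        return node
    def and_expr(self):
        node = self.not_expr()
        while self.peek() in ("&&", "and"):
            self.take()
            lhs, rhs = node, self.not_expr()
            node = lambda p, l=lhs, r=rhs: l(p) and r(p)
        return node
    def not_expr(self):
        if self.peek() in ("!", "not"):
            self.take()
            inner = self.not_expr()
            return lambda p, f=inner: not f(p)
        return self.atom()
    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or not re.match(r"[A-Za-z_]", tok):
            raise ValueError(f"expected a field name, got {tok!r}")
        field = tok
        if self.peek() in ("==", "!="):
            op, value = self.take(), self.take()
            if value is None:
                raise ValueError(f"missing value after {op}")
            value = value.strip('"')
            if op == "==":
                return lambda p, f=field, v=value: f in p and str(p[f]) == v
            return lambda p, f=field, v=value: f in p and str(p[f]) != v
        # A bare name such as "tcp" or "ip.src" matches packets where that protocol/field is present.
        return lambda p, f=field: any(k == f or k.startswith(f + ".") for k in p)


def compile_filter(expr):
    return _Parser(tokenize(expr)).parse()


def apply_filter(expr, packets=PACKETS):
    """Frame numbers that pass the filter, like Wireshark's filtered packet list."""
    pred = compile_filter(expr)
    return [p["frame.number"] for p in packets if pred(p)]


if __name__ == "__main__":
    for expr in ("ip.src == 192.168.1.3",
                 "ip.src == 192.168.1.3 && ip.dst == 172.217.16.142",
                 "ip.src == 192.168.1.3 and ip.dst == 172.217.16.142",
                 "tcp && !(ip.dst == 172.217.16.142)"):
        print(f"{expr:55} -> frames {apply_filter(expr)}")
```

The comparison semantics here match Wireshark for fields that occur once per packet, as in these examples; Wireshark's handling of != on fields that can appear several times in one packet (ip.addr, for instance) is a well-known gotcha and is not modelled.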
Exp - 5
What Is a VPN?
Virtual Private Network
A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a
network. The encrypted connection helps ensure that sensitive data is transmitted safely: it prevents
unauthorized people from eavesdropping on the traffic and allows the user to work remotely. VPN
technology is widely used in corporate environments.
History of VPNs
ARPANET introduced the idea of connecting distant computers in the 1960s. The foundation for current
Internet connectivity was laid with protocols like TCP/IP in the 1980s. Dedicated VPN technologies
first appeared in the 1990s in response to growing concerns about online privacy and security.
Let us understand VPNs with an example. Think of a bank whose corporate office is in Washington, USA.
This office has a local network of, say, 100 computers, and the bank has other branches in Mumbai,
India, and Tokyo, Japan. The traditional way to establish a secure connection between the head office
and a branch was a leased line between them, which was both costly and troublesome. A VPN lets us
overcome this effectively.
address that belongs to the range of IP addresses used on the local network of the corporate office.
Thus a person at the Mumbai branch becomes local to the head office, and information can be shared
securely over the public Internet.
This is the intuitive way of extending the local network even across geographical borders.
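To show what "becoming local to the head office over the public Internet" means on the wire, here is an added example (illustrative code, not a real VPN protocol and not from the original page): a packet addressed between private corporate addresses is encrypted and authenticated, then carried inside an outer packet between the two gateways' public addresses. An observer on the Internet path sees only the gateways' public addresses and opaque bytes. The cipher is a counter-mode keystream derived from HMAC-SHA256 with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; a real tunnel would use an authenticated cipher and a key exchange. The public and private addresses, the pre-shared keys and the toy inner header are all assumptions.

```python
"""Illustrative site-to-site tunnel. Added example: toy inner header, pre-shared
keys, HMAC-based stream cipher, encrypt-then-MAC. Not a real VPN protocol."""
import hashlib
import hmac
import ipaddress
import os
import struct


def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def build_inner_packet(src, dst, payload):
    """Toy inner header: 4-byte src, 4-byte dst, 2-byte payload length, payload."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack(">H", len(payload)) + payload)


def parse_inner_packet(pkt):
    length = struct.unpack(">H", pkt[8:10])[0]
    return (str(ipaddress.IPv4Address(pkt[:4])), str(ipaddress.IPv4Address(pkt[4:8])),
            pkt[10:10 + length])


class Gateway:
    """One end of the tunnel. Both ends hold the same pre-shared keys (assumption)."""
    TAG_LEN, NONCE_LEN = 32, 12

    def __init__(self, public_ip, lan, enc_key, mac_key):
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan)
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seen_nonces = set()   # replay protection, kept simple for the demo

    def encapsulate(self, inner, peer):
        nonce = os.urandom(self.NONCE_LEN)
        ciphertext = bytes(a ^ b for a, b in zip(inner, _keystream(self.enc_key, nonce, len(inner))))
        outer_header = (ipaddress.IPv4Address(self.public_ip).packed
                        + ipaddress.IPv4Address(peer.public_ip).packed)
        body = outer_header + nonce + ciphertext
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()   # covers the outer header too
        return body + tag

    def decapsulate(self, outer):
        body, tag = outer[:-self.TAG_LEN], outer[-self.TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed, packet dropped")   # verified before decrypting
        nonce, ciphertext = body[8:8 + self.NONCE_LEN], body[8 + self.NONCE_LEN:]
        if nonce in self.seen_nonces:
            raise ValueError("replayed packet dropped")
        self.seen_nonces.add(nonce)
        inner = bytes(a ^ b for a, b in zip(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext))))
        src, dst, payload = parse_inner_packet(inner)
        if ipaddress.IPv4Address(dst) not in self.lan:
            raise ValueError(f"inner destination {dst} is not on this gateway's LAN")
        return src, dst, payload


def observer_view(outer):
    """What someone on the Internet path sees: the gateways' public addresses and opaque bytes."""
    return {"outer_src": str(ipaddress.IPv4Address(outer[:4])),
            "outer_dst": str(ipaddress.IPv4Address(outer[4:8])),
            "opaque_bytes": len(outer) - 8}


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # would come from a key exchange in practice
    head_office = Gateway("203.0.113.10", "10.1.0.0/16", enc_key, mac_key)   # Washington office
    mumbai = Gateway("198.51.100.20", "10.2.0.0/16", enc_key, mac_key)      # Mumbai branch
    inner = build_inner_packet("10.2.0.55", "10.1.0.7", b"GET /ledger HTTP/1.1")
    outer = mumbai.encapsulate(inner, head_office)
    return head_office.decapsulate(outer), observer_view(outer)


if __name__ == "__main__":
    delivered, seen = demo()
    print("delivered on the head-office LAN:", delivered)
    print("visible on the public path:", seen)
```

Two design points carry over to real tunnels: the tag is checked before anything is decrypted, so a tampered packet is dropped without being parsed, and the receiving gateway refuses inner packets whose destination is not on its own LAN, so the tunnel cannot be used to reach arbitrary addresses.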
Types of VPN
There are several types of VPN, each suited to a particular requirement in a computer network. Some
of them are as follows:
1. Remote Access VPN
2. Site-to-Site VPN
3. Cloud VPN
4. Mobile VPN
5. SSL VPN
For more details you can refer to the published article on types of VPN.
VPN Protocols
OpenVPN is a cryptographic protocol that prioritises security. It is a widely compatible protocol
that provides a variety of setup choices.
PPTP is no longer used, because there are many other choices with stronger and more modern encryption
that protect data; its authentication and encryption are considered broken.
WireGuard is a good choice, noted for its performance.
SSTP was developed by Microsoft for Windows users. It is not widely used because of its limited
support outside Windows.
It connects a user to the VPN server but lacks encryption, hence it is frequently used with IPsec to
provide the connection, encryption and security together.
games that may be restricted in your region, opening up a world of endless gaming possibilities.
: When it comes to downloading
copyrighted content through torrenting, it’s essential to keep your IP address hidden. A VPN
can mask your identity and avoid potential exposure, ensuring a safe and private torrenting
experience.
Are you tired of your
Internet speed slowing down when downloading large files? Your Internet Service Provider
(ISP) might be intentionally throttling your bandwidth. Thankfully, a VPN can rescue you
by keeping your online activities anonymous, effectively preventing ISP throttling. Say
goodbye to sluggish connections and embrace blazing-fast speeds.
VPNs are essential for maintaining security
when using public Wi-Fi networks, such as those in coffee shops, airports, or hotels. These
networks are often vulnerable to cyberattacks, and using a VPN encrypts your internet
connection, protecting your data from potential hackers and eavesdroppers when you connect
to untrusted Wi-Fi hotspots.
Are VPNs legal or illegal?
Using a VPN is legal in most countries. The legality of using a VPN service depends on the
country and its geopolitical relations with other countries as well. A reliable and secure VPN
is always legal if you do not intend to use it for any illegal activities like committing fraud
online, cyber theft, or in some countries downloading copyrighted content. China has decided
to block all VPNs (Virtual Private Networks) by next year, as per the report of Bloomberg.
Many Chinese Internet users use VPNs to privately access websites that are blocked under
China’s so-called “great firewall”. This is done to avoid any information leakage to rival
countries and to tighten information security.
What to Look for When Choosing a VPN?
1. Be sure the VPN has appropriate speed; a lot of providers have trouble keeping up with
Netflix viewing or downloading.
2. Read both user and expert evaluations to gain a good idea of how well the VPN operates.
3. Select a VPN provider that provides shared IP addresses.
4. More servers translate into faster browsing because there will be less traffic on each one.
Benefits of VPN
1. When you use a VPN it is possible to switch your IP address.
2. The internet connection is safe and encrypted with a VPN.
3. Sharing files is confidential and secure.
4. Your privacy is protected when using the internet.
5. There is no longer a bandwidth restriction.
6. It facilitates cost savings for internet shopping.
Limitations of VPN
1. A VPN may decrease your internet speed.
2. Premium VPNs are not cheap.
3. VPN usage may be banned in some nations.
While VPNs enhance privacy, they are not entirely foolproof. In some cases, determined
adversaries, such as government agencies, may employ advanced techniques to trace VPN
usage. However, for typical online privacy needs, a VPN provides a high level of protection.
VPNs can introduce some degree of latency due to the encryption and routing processes. The
extent of the speed reduction depends on various factors, including the VPN provider’s
infrastructure, server location, and your internet connection. In many cases, the impact on
speed is minimal, and modern VPN services strive to provide fast connections.
Yes, there are free VPN services available. However, they often come with limitations such
as data caps, slower speeds, and less robust security features. Paid VPN services generally
offer more reliable performance and better security.
Despite being heavily used in major parts of the world, VPNs are strictly prohibited in a few
countries, which include:
Russia
China
Belarus
North Korea
Iraq, etc.
Exp – 6
What is Slowloris?
Slowloris is basically an HTTP Denial of Service attack that affects threaded servers. It works
by holding many connections open with partial HTTP requests (the steps are detailed below).
This exhausts the server's thread pool, and the server can't reply to other clients.
Slowloris is not a category of attack but is instead a specific attack tool designed to allow a
single machine to take down a server without using a lot of bandwidth. Unlike
bandwidth-consuming reflection-based DDoS attacks such as NTP amplification, this type of
attack uses a low amount of bandwidth, and instead aims to use up server resources with
requests that seem slower than normal but otherwise mimic regular traffic. It falls in the
category of attacks known as “low and slow” attacks. The targeted server will only have so
many threads available to handle concurrent connections.
Each server thread will attempt to stay alive while waiting for the slow request to complete,
which never occurs. When the server’s maximum possible number of connections has been
exceeded, each additional connection will not be answered and denial-of-service will occur.
1. The attacker first opens multiple connections to the targeted server by sending
multiple partial HTTP request headers.
2. The target opens a thread for each incoming request, with the intent of closing
the thread once the connection is completed. In order to be efficient, if a
connection takes too long, the server will timeout the exceedingly long
connection, freeing the thread up for the next request.
3. To prevent the target from timing out the connections, the attacker periodically
sends partial request headers to the target in order to keep the request alive. In
essence saying, “I’m still here! I’m just slow, please wait for me.”
4. The targeted server is never able to release any of the open partial connections
while waiting for the termination of the request. Once all available threads are in
use, the server will be unable to respond to additional requests made from
regular traffic, resulting in denial-of-service.
The key behind a Slowloris is its ability to cause a lot of trouble with very little
bandwidth consumption.
For web servers that are vulnerable to Slowloris, there are ways to mitigate some of the impact.
Mitigation options for vulnerable servers can be broken down into 3 general categories:
2. Rate limit incoming requests - Restricting access based on certain usage factors
will help mitigate a Slowloris attack. Techniques such as limiting the maximum number of
connections a single IP address is allowed to make, restricting slow transfer speeds,
and limiting the maximum time a client is allowed to stay connected are all
approaches for limiting the effectiveness of low and slow attacks.
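The three rate-limiting checks just listed (connections per IP, slow header transfer, maximum time to finish a request) can be expressed as a small detector over a server's connection table. The code below is an added example for this manual, not part of any server or tool; the thresholds and the connection records are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds an operator might pick; assumed values, not from the lab manual.
MAX_CONNS_PER_IP = 20        # limit on concurrent connections from one address
MAX_HEADER_SECONDS = 20.0    # request headers must be complete within this time
MIN_HEADER_RATE_BPS = 10.0   # minimum header bytes/second while headers are pending


@dataclass
class Conn:
    ip: str
    age_s: float        # seconds since the TCP connection was accepted
    header_bytes: int   # request-header bytes received so far
    header_done: bool   # True once the blank line ending the headers has arrived


def classify(conns):
    """Return {ip: [reasons]} for every client that trips at least one limit."""
    per_ip = defaultdict(list)
    for c in conns:
        per_ip[c.ip].append(c)
    flagged = {}
    for ip, lst in per_ip.items():
        reasons = []
        if len(lst) > MAX_CONNS_PER_IP:
            reasons.append(f"{len(lst)} concurrent connections")
        # Only connections still waiting for complete headers are "slow" candidates.
        pending = [c for c in lst if not c.header_done]
        if any(c.age_s > MAX_HEADER_SECONDS for c in pending):
            reasons.append(f"headers still incomplete after {MAX_HEADER_SECONDS:.0f}s")
        if any(c.age_s > 0 and c.header_bytes / c.age_s < MIN_HEADER_RATE_BPS
               for c in pending):
            reasons.append(f"header transfer slower than {MIN_HEADER_RATE_BPS:.0f} B/s")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed connection table: one Slowloris-style client holding 25 half-sent
# requests, one normal browser, and one slow but legitimate client that must
# not be flagged (its headers are still arriving at a reasonable rate).
SAMPLE = (
    [Conn("203.0.113.7", 60.0, 200, False) for _ in range(25)]
    + [Conn("192.0.2.5", 0.3, 640, True) for _ in range(3)]
    + [Conn("198.51.100.2", 5.0, 100, False)]
)

if __name__ == "__main__":
    for ip, why in classify(SAMPLE).items():
        print(ip, "->", "; ".join(why))
```

In a real deployment the same limits are usually set in the web server itself (for example a header read timeout and a per-IP connection cap) rather than in a separate script.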
INSTALLATION OF SLOWLORIS
4. Now Perform Slowloris attack
Exp - 7
Study of Nmap
Nmap can be a solution to the problem of identifying activity on a network as it scans the entire
system and makes a map of every part of it. A common issue with internet systems is that they
are too complicated for the ordinary person to understand. Even a small home-based system is
extremely complex. That complexity grows exponentially when it comes to larger companies
and agencies that deal with hundreds or even thousands of computers on the network.
Nmap is a widely used tool by network administrators, security professionals, and ethical
hackers for network mapping, vulnerability assessment, and network security auditing.
If you want to know which ports are open and the corresponding rules, you can use Nmap. This
program scans the network your computer is connected to and provides a list of ports, device
names, operating systems, and other identifiers to help you understand your connection status.
However, hackers can also use Nmap to access uncontrolled ports on a system. They can run
Nmap on a targeted approach, identify vulnerabilities, and exploit them. But Nmap is not only
used by hackers - IT security companies also use it to simulate potential attacks that a system
may face.
How is all of that accomplished? Nmap utilizes a complex system of scripts that communicate
with every part of the network. The scripts act as communication tools between the network
components and their human users. The scripts that Nmap uses are capable of vulnerability
detection, backdoor detection, vulnerability exploitation, and network discovery. Nmap is an
extremely powerful piece of software, but there does tend to be a good deal of background
knowledge required to use it correctly.
Internet security companies can use Nmap to scan a system and understand what weaknesses
exist that a hacker could potentially exploit. As the program is open-source and free, it is one of
the more common tools used for scanning networks for open ports and other weaknesses. At
Holm Security, we use this technology in a very effective way, as we provide an excellent web-
based security service, which ensures that the clients’ ports remain securely closed to those not
granted permission.
Conclusion
Whether you are a private user with important information on your system, a major corporation
or a government agency protecting a wealth of highly sensitive data, Nmap can provide the
level of knowledge and pre-emptive thought required to keep things safe.
Commands
Let's look at some Nmap commands. If you don't have Nmap installed, you can get it from here.
Basic scans
Scanning the list of active devices on a network is the first step in network mapping. There are
two types of scans you can use for that:
Ping scan — Scans the list of devices up and running on a given subnet (the option is -sn;
the older -sP spelling is a deprecated alias, and option letters are case-sensitive).
> nmap -sn 192.168.1.1/24
Scan a single host — Scans a single host for the 1000 most common ports. These ports are
the ones used by popular services like SQL, SNTP, Apache, and others.
> nmap scanme.nmap.org
Stealth scan
Stealth scanning is performed by sending a SYN packet and analyzing the response. If a
SYN/ACK is received, it means the port is open, and you could open a TCP connection.
However, a stealth scan never completes the 3-way handshake, which makes it harder for the
target to identify the scanning system.
> nmap -sS scanme.nmap.org
You can use the ‘-sS’ option to perform a stealth scan. Remember, stealth scanning is slower
and not as aggressive as the other types of scanning, so you might have to wait a while to get a
response.
Version scanning
Finding application versions is a crucial part of penetration testing.
It makes your life easier since you can find an existing vulnerability from the Common
Vulnerabilities and Exposures (CVE) database for a particular version of the service. You can
then use it to attack a machine using an exploitation tool like Metasploit.
> nmap -sV scanme.nmap.org
To do a version scan, use the ‘-sV’ option. Nmap will provide a list of services with their
versions. Do keep in mind that version scans are not always 100% accurate, but they do take you
one step closer to successfully getting into a system.
OS Scanning
In addition to the services and their versions, Nmap can provide information about the
underlying operating system using TCP/IP fingerprinting. Nmap will also try to find the system
uptime during an OS scan.
Again, OS detection is not always accurate, but it goes a long way towards helping a pen tester
get closer to their target.
Aggressive Scanning
Nmap has an aggressive mode that enables OS detection, version detection, script scanning, and
traceroute. You can use the -A argument to perform an aggressive scan.
Scanning Multiple Hosts
Nmap has the capability of scanning multiple hosts simultaneously. This feature comes in really
handy when you are managing a vast network infrastructure.
Write all the IP addresses in a single row to scan all of the hosts at the same time.
Port Scanning
Port scanning is one of the most fundamental features of Nmap. You can scan for ports in
several ways.
> nmap -p T:7777,973 192.164.0.1
(Port lists must not contain spaces: with a space after the comma, Nmap would treat 973 as a
second target rather than a port.)
A range of ports can be scanned by separating them with a hyphen.
Verbose Output
> nmap -v scanme.nmap.org
The verbose output provides additional information about the scan being performed. It is useful
to monitor step by step actions Nmap performs on a network, especially if you are an outsider
scanning a client’s network.
Normal output
Nmap scans can also be exported to a text file. It will be slightly different from the original
command line output, but it will capture all the essential scan results.
> nmap -oN output.txt scanme.nmap.org
XML output
Nmap scans can also be exported to XML. It is also the preferred file format of most pen-
testing tools, making it easily parsable when importing scan results.
Multiple Formats
You can also export the scan results in all the available formats at once using the -oA
command.
Nmap Help
Nmap has a built-in help command that lists all the flags and options you can use. It is often
handy given the number of command-line arguments Nmap comes with.
> nmap -h
Nmap Scripting Engine
Nmap output
Port/host detail
Exp – 8
Study of Burp Suite
Burp Suite is a leading commercial cybersecurity tool specifically designed for web
application security testing and vulnerability assessment. It is developed by PortSwigger, a
company specializing in web security solutions. Burp Suite offers a wide range of features and
capabilities to help security professionals, penetration testers, and developers identify and
address security vulnerabilities in web applications.
1. Vulnerability Scanning: Burp Suite can perform automated scans of web applications
to identify common security issues such as cross-site scripting (XSS), SQL injection,
and more.
2. Proxy Interception: It acts as an intercepting proxy, allowing users to capture and
inspect HTTP and HTTPS traffic between their browser and the target web application.
This is essential for identifying vulnerabilities in real-time.
3. Crawling and Spidering: Burp Suite can crawl web applications to map their structure
and discover new pages, forms, and functionality for testing.
4. Manual Testing: Security professionals can use Burp Suite’s suite of tools for manual
testing, including the Repeater, Intruder, and Sequencer, to conduct in-depth security
assessments.
5. Fuzz Testing: The tool supports fuzzing, allowing testers to send malformed data to
web forms and APIs to discover input validation and security issues.
6. Session Management Testing: Burp Suite helps identify vulnerabilities related to
session management, including session fixation, hijacking, and cookie security issues.
7. Authentication Testing: Testers can assess the security of authentication mechanisms,
including brute force attacks, weak password policies, and authentication bypass
vulnerabilities.
8. API Security Testing: Burp Suite is capable of testing REST and SOAP APIs for
security vulnerabilities, ensuring that API endpoints are secure from attacks.
9. Intruder and Sniper: These tools within Burp Suite are used for automated
vulnerability scanning and testing. Intruder allows for customized attacks on web
applications, while Sniper focuses on single request/response testing.
10. Customization and Integration: Burp Suite offers extensive customization options,
including the ability to create custom extensions and integrations with other tools and
services. This flexibility allows users to tailor their testing workflows to their specific
needs.
Burp Suite’s rich set of features, combined with its user-friendly interface and strong
community support, make it a popular choice among security professionals for web application
security testing and assessment. It provides both automated scanning capabilities and a suite of
manual testing tools to comprehensively evaluate the security of web applications.
Burp Suite is a comprehensive web application security testing tool known for its wide range
of features and capabilities. Below are the key features of Burp Suite and an overview of how it
works and its architecture:
Features of Burp Suite:
1. Proxy: Acts as an intercepting proxy, allowing users to capture and manipulate HTTP
and HTTPS traffic between their browser and the target web application.
2. Scanner: Provides automated vulnerability scanning for web applications, identifying
common security issues such as SQL injection, cross-site scripting (XSS), and more.
3. Spider: Crawls and maps the structure of web applications to discover new pages,
forms, and functionality for testing.
4. Repeater: Enables manual testing by allowing users to modify and re-send requests to
the target application.
5. Intruder: Automates attacks against web applications, making it easier to identify
vulnerabilities through brute force, fuzzing, and payload manipulation.
6. Sequencer: Analyzes the quality of for detecting issues like parameter manipulation.
7. Extender: Allows users to create custom extensions and integrations with other tools
and services, enhancing Burp Suite’s functionality.
8. Collaborator: Provides a unique domain for each testing engagement, allowing testers
to detect out-of-band vulnerabilities and interactions with external systems.
9. Scanner Checks: Offers a wide range of predefined security checks for identifying
vulnerabilities in web applications.