Cyber Security Lab Manual

Uploaded by parthgupta1026

PRACTICAL FILE OF FUNDAMENTAL OF CYBER SECURITY

(B.Tech: II Year)

Department of Computer Science & Information Technology

Name of the Student : Shivansh Gupta

Branch & section : Cyber Security

Roll No. : 0827CY221059


Year : 2nd

Department of Computer Science & Information Technology


AITR, Indore

ACROPOLIS INSTITUTE OF TECHNOLOGY & RESEARCH, INDORE
Department of Computer Science & Information Technology

Certificate

This is to certify that the experimental work entered in this journal as per the
BTech II year syllabus prescribed by the RGPV was done by Mr. / Ms.
…………………………………….. in …… semester in the Laboratory of this
institute during the academic year 2022 - 2026

Signature of Head Signature of the Faculty

ACROPOLIS INSTITUTE OF TECHNOLOGY & RESEARCH, INDORE
GENERAL INSTRUCTIONS FOR LABORATORY CLASSES
DO'S

- Without prior permission, do not enter the Laboratory.
- While entering the LAB, students should wear their ID cards.
- Students should come in proper uniform.
- Students should maintain silence inside the laboratory.
- After completing the laboratory exercise, make sure to shut down the system properly.

DON'TS

- Students bringing bags inside the laboratory.
- Students using the computers in an improper way.
- Students scribbling on the desk and mishandling the chairs.
- Students using mobile phones inside the laboratory.
- Students making noise inside the laboratory.

SYLLABUS

CY402 Fundamental of Cyber Security

Unit 1
Introduction of Cyber Crime, Challenges of cybercrime, Classifications of Cybercrimes: E-Mail Spoofing,
Spamming, Internet Time Theft, Salami attack/Salami Technique
UNIT 2
Web jacking, Online Frauds, Software Piracy, Computer Network Intrusions, Password Sniffing, Identity
Theft, Cyber Terrorism, Virtual Crime, Perception of cyber criminals: hackers, insurgents and extremist groups
etc. Web server hacking, session hijacking.
UNIT 3
Cyber Crime and Criminal justice: Concept of Cyber Crime and the IT Act, 2000, Hacking, Teenage Web
Vandals, Cyber Fraud and Cheating, Defamation, Harassment and E-mail Abuse, Other IT Act Offences,
Monetary Penalties, jurisdiction and Cyber Crimes, Nature of Criminality, Strategies to tackle Cyber Crime
and Trends.
UNIT 4
The Indian Evidence Act of 1872 v. Information Technology Act, 2000: Status of Electronic Records as
Evidence, Proof and Management of Electronic Records; Relevancy, Admissibility and Probative Value of E-
Evidence, Proving Digital Signatures, Proof of Electronic Agreements, Proving Electronic Messages.
UNIT 5
Tools and Methods in Cybercrime: Proxy Servers and Anonymizers, Password Cracking, Keyloggers and
Spyware, Viruses and Worms, Trojan Horses, Backdoors, DoS and DDoS Attacks, Buffer Overflow, Attacks
on Wireless Networks, Phishing: Methods of Phishing, Phishing Techniques.

Lab Plan
CY402 Fundamental of Cyber Security

S.No   Name of Experiment                                    Page No.
1.     Submit the case study of Equifax data breach          6-7
2.     Submit the case study of WannaCry ransomware attack   10-11
3.     Submit the case study of Cosmos Bank Cyber Attack     12-19
4.     Study of Wireshark                                    20-25
5.     Study of VPN                                          26-31
6.     Submit the Study of Slowloris                         32-37
7.     Study of NMap                                         38-45
8.     Study of Burp Suite                                   46-48

Exp – 1

2017 Equifax data breach


On September 7, 2017, the Big 3 credit agency Equifax disclosed that they had suffered a
catastrophic data breach, with initial estimates saying data was stolen from north of 140 million
American consumers. Immediately, the news sent chills throughout the US economy. After all,
Equifax and competitors such as Experian and TransUnion are custodians of a tremendous
amount of the exact data that keeps online fraudsters in business.

Forecasts of the damage alongside the discomfort of knowing all of one’s data quickly led to
changes at Equifax, garnered investigations by the Federal Bureau of Investigation and other
authorities, and made headlines as never before. All of it was warranted: the Equifax event
came too close to home, with virtually every American adult with an account at a consumer
bank affected. Even today people doubt that a breach could measure the same in scope and
severity.

1. Equifax suffered an initial breach followed by a significant intrusion.

In all, hackers were active for 76 days inside Equifax's systems. However, forensic analysis revealed that the attack was two-stage, and likely carried out by two separate teams of intruders. On March 6, 2017, Chinese security researcher Nike Zheng discovered an exploit in backend software many companies use for open web applications, Apache Struts. Once Zheng posted his discovery, tracked as CVE-2017-5638, for the benefit of Apache and enterprise users, the "patch now" exploit news made its way around message boards where hackers saw it. As they scanned for Apache Struts users, they found Equifax and, perhaps not understanding its value, entered its systems on May 12th. Equifax, having not updated Struts even by the intrusion date, discovered the 76-day breach on July 29, 2017. Once inside, the initial team installed one or more web shells but struggled to navigate the system and surmount firewalls and other elements of the security framework. Forensic data shows that another group of illegitimate users entered the system and, using 30 web shells under different addresses, sought data on consumers by, among other methods, abusing credentials of legitimate Equifax users (see corporate account takeover, or CATO).

2. Equifax’s breached data is among the most valuable to criminals.

Equifax's bread and butter is consumer financial information it collects free from banks as people at all income levels check their creditworthiness, data which it analyzes and repackages for lenders and others throughout the market for loanable funds. At a minimum, this data contains personally identifiable information (PII) — information that people are loath to disclose to strangers even in conversation. A breathtaking amount of, by definition, sensitive financial information and PII was exfiltrated: data on 147.9 million Americans, on 15.2 million UK citizens, and on 19,000 Canadian citizens. A subset of the American data included credit card numbers of 209,000 US consumers and other documents displaying PII. For its holder, the information allows them to carry out account takeover (ATO) and other kinds of fraud, since it comprises an identity profile. According to Equifax's initial analysis, the data typically included first and last names, Social Security numbers, birth dates and addresses, as well as driver's license numbers for some, and the aforementioned bankcard numbers for some.
3. Equifax learned of the breach through poor encryption management.

Equifax is blamed for its poor security posture, especially in the context of its size and the kind of data it handles. However, one shortcoming is glaring: Equifax neglected to renew a public-key certificate from a certificate authority for at least 10 months prior to discovering the breach. This is a routine security task that anyone operating web services needs to perform, and a rather mundane duty for security practitioners. PKI certificates enable data in transit to be encrypted and decrypted between trusted parties, but they expire and require renewal (typically annually). Once Equifax made its tardy renewal, its traffic-inspection tooling regained visibility into the illicit movement of its data, as a valid certificate is what lets the owner decrypt and inspect that traffic.

4. Equifax had a poor security posture, and there are several examples.

In addition to allowing a PKI certificate to lapse, postmortem investigation and analysis confirmed that pre-breach Equifax had other security challenges that may have facilitated or worsened the breach. These run the gamut from failures to properly segment data to failures to prevent its wholesale loss. Equifax was also said to have a practice of giving users broad permissions as opposed to limiting users from viewing or managing data above their "pay grade" (see the principle of least privilege). In addition, as part of a change in corporate leadership that predated the breach, the firm hired a well-known firm to evaluate its security posture, and records show the relationship soured as the external party raised issues of widespread security challenges. Others point to specific weaknesses in intrusion detection, but altogether, deficiencies around privacy abounded, with visible display and audible discussion of consumer PII being the norm. As expected, post-breach Equifax invested considerable resources — $1.4 billion — in fortifying its defense of what should be closely held data.

5. Equifax was attacked by China in a state-sponsored attack on the US.

In February 2020, the US Government indicted members of the Chinese People's Liberation Army for the attack on Equifax (though their involvement was denied by the Chinese Communist Party). Data breach forensic evidence supports the conclusion that China was involved, but so does circumstantial evidence. For one, the data never appeared en masse on the dark web, where it could have been leveraged for millions or even billions of dollars in financial fraud in the breach aftermath. This points to an advanced persistent threat such as a nation-state, as a well-heeled adversary has no need for financial gain through credit card, mortgage, or property theft. Investigators note that the Equifax tactics have the hallmarks of other CCP attacks such as the 2015 ones on the US Office of Personnel Management (OPM) and health insurer Anthem, Inc. Barring financial gain, what then would be the motive? Experts postulate that the attackers could analyze the information on so many American and Western targets for strategic decision-making, that they were targeting a high-net-worth subset of all the Equifax victims, or that they were looking for financially vulnerable persons in authority so they could lean on them to betray US interests.

On July 22, 2019, Equifax settled with the US Federal Trade Commission (FTC) and various states, territories and authorities on penalties, victim compensation and how to avoid future breaches. The total cost of the settlement was around $575 million. The damage to its reputation was incalculable, with a breach of trust in line with the breach in records. Additionally, in the immediate aftermath of the breach, Equifax was mocked and villainized for its incident response, which saw it stumbling out of the gate, and there were even allegations of insider trading by those looking to skirt their financial losses. It will take many years for people to equate the name Equifax with something other than "massive data breach".

That’s five things you now know about the Equifax data breach.

Exp – 2

WannaCry ransomware attack

WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money.

Ransomware does this by either encrypting valuable files, so you are unable to read them, or by
locking you out of your computer, so you are not able to use it.

Ransomware that uses encryption is called crypto ransomware. The type that locks you out of
your computer is called locker ransomware.

Like other types of crypto-ransomware, WannaCry takes your data hostage, promising to return
it if you pay a ransom.

WannaCry targets computers using Microsoft Windows as an operating system. It encrypts data
and demands payment of a ransom in the cryptocurrency Bitcoin for its return.

What was the WannaCry ransomware attack?

The WannaCry ransomware attack was a global epidemic that took place in May 2017.

This ransomware attack spread through computers operating Microsoft Windows. Users' files were held hostage, and a Bitcoin ransom was demanded for their return.

Were it not for the continued use of outdated computer systems and poor education around the
need to update software, the damage caused by this attack could have been avoided.

How does a WannaCry attack work?

The cybercriminals responsible for the attack took advantage of a weakness in the Microsoft
Windows operating system using a hack that was allegedly developed by the United States
National Security Agency.
Known as EternalBlue, this hack was made public by a group of hackers called the Shadow
Brokers before the WannaCry attack.

Microsoft released a security patch which protected users' systems against this exploit almost two months before the WannaCry ransomware attack began. Unfortunately, many individuals and organizations do not regularly update their operating systems and so were left exposed to the attack.

Those that had not run a Microsoft Windows update before the attack did not benefit from the
patch and the vulnerability exploited by EternalBlue left them open to attack.

When it first happened, people assumed that the WannaCry ransomware attack had initially spread through a phishing campaign (a phishing campaign is where spam emails with infected links or attachments lure users to download malware). However, EternalBlue was the exploit that allowed WannaCry to propagate and spread, with DoublePulsar being the 'backdoor' installed on the compromised computers (used to execute WannaCry).

What happened if the WannaCry ransom was not paid?

The attackers demanded $300 worth of bitcoins and then later increased the ransom demand to
$600 worth of bitcoins. If victims did not pay the ransom within three days, victims of the
WannaCry ransomware attack were told that their files would be permanently deleted.

The advice when it comes to ransom payments is not to cave in to the pressure. Always avoid paying a ransom, as there is no guarantee that your data will be returned, and every payment validates the criminals' business model, making future attacks more likely.

This advice proved wise during the WannaCry attack as, reportedly, the coding used in the
attack was faulty. When victims paid their ransom, the attackers had no way of associating the
payment with a specific victim’s computer.

There’s some doubt about whether anyone got their files back. Some researchers claimed that
no one got their data back. However, a company called F-Secure claimed that some did. This is
a stark reminder of why it is never a good idea to pay the ransom if you experience a
ransomware attack.

Exp - 3

Case study: 2018 Pune’s Cosmos Bank Cyber attack

A brazen cyber-attack was carried out in August 2018 on the Pune branch of Cosmos Bank, where almost Rs 94 crore was siphoned off. Hackers drained the money and transferred it to a bank based in Hong Kong by breaching Cosmos Bank's computer systems. Hackers broke into the bank's ATM server and stole information from several Visa and RuPay card owners. The attack was not on Cosmos Bank's centralized banking solution: the balances and overall statistics of the accounts stayed unaffected and there was no impact on the account holders. The switching mechanism, which acts as an interactive interface between the payment gateways and the bank's centralized banking solution, was targeted. The malware assault on the switching device generated several erroneous messages approving various Visa and RuPay debit card payment requests internationally. In two days, hackers withdrew a total of Rs 78 crore from various ATMs in 28 countries, including Hong Kong, Canada, and a few ATMs in India, and another Rs 2.5 crore was taken out within India. The total number of transactions was 14,000, with over 450 cards in 28 countries.

BACKGROUND

In the wake of the recent cyber heist carried out by attackers on Cosmos Cooperative Bank in August 2018, it is necessary to understand the history and anatomy of such attacks, which are no longer few and far between and hence cannot be ignored.

Government infrastructure, banks and other entities are very closely associated with the financial well-being of a nation, and are attractive targets for attackers for the same reason. Another reason, of course, is MONEY.

It has been observed in the recent past that these types of attacks, specifically on banks, have become horrifyingly commonplace, leaving consumers feeling highly insecure. This paper attempts to understand some subtle and some not-so-subtle reasons behind the Cosmos Bank case. Although a lot of the content in this paper is based on the news articles published in this regard to date (sources credited in the end section), some of it is speculation to fill in the gaps where the facts are still unknown or undisclosed.

INTRODUCTION

The Cosmos Cooperative Bank, Pune, India, had to take various change management measures to improve its cyber security architecture and manage its balance sheet in the wake of the cyber attack on the bank's ATM and SWIFT payment gateway.

The bank faced a cyber-attack on its ATM infrastructure on 11th August 2019 and again on its SWIFT infrastructure on 13th August 2018. This attack was the biggest, most damaging and best planned in the history of the banking industry. It focused on the bank's infrastructure, effectively bypassing the main layers of defense. Due to this attack, the entire banking industry and the institutions relating to it (RBI, CERT-In, SWIFT, NPCI, VISA etc.) were shocked to the core. In the cyber-attack, the attackers operated from 29 countries; more than 12,000 transactions worth Rs 81.99 crore were carried out through ATMs using VISA debit cards, and 2,800 transactions worth Rs 2.75 crore were withdrawn from domestic ATMs through RuPay cards, all within just four hours. In addition, a total of Rs 13.92 crore was transferred fraudulently to the account of M/s. ALM Trading Limited, held with Hang Seng Bank, Hong Kong, through a cyber-attack on the SWIFT payment gateway.

As this was a malware attack, the ATM transactions did not reach the bank's switching system. While these transactions were going on, if VISA and NPCI had observed the bank's regular transaction pattern they would have recognised the abnormality of the said transactions and stopped them in time, thus avoiding the loss to the bank.
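As an added example (not from the case study, the bank, or the card networks), the following Python script shows the kind of transaction-pattern check the paragraph above has in mind: it learns an hourly baseline of withdrawal volume and country spread from a constructed two-week history, then flags an hour that looks like the heist (thousands of withdrawals on cloned cards across 29 countries). All timestamps, card ids, countries and amounts are constructed, and the threshold multiplier k is an assumption.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Everything below (timestamps, card ids, countries, amounts) is constructed for the example.
ATTACK_HOUR = datetime(2018, 8, 11, 15, 0)   # a Saturday afternoon slot, chosen for the example


def hourly_profile(transactions):
    """Bucket (timestamp, card_id, country, amount_inr) records by clock hour."""
    buckets = defaultdict(lambda: {"count": 0, "countries": set(), "amount": 0.0})
    for ts, _card, country, amount in transactions:
        b = buckets[ts.replace(minute=0, second=0, microsecond=0)]
        b["count"] += 1
        b["countries"].add(country)
        b["amount"] += amount
    return buckets


def learn_baseline(history):
    """Summarise the bank's regular pattern: hourly count spread and widest country spread seen."""
    prof = hourly_profile(history)
    counts = [b["count"] for b in prof.values()]
    return {
        "count_mean": mean(counts),
        "count_sd": pstdev(counts),
        "max_countries": max(len(b["countries"]) for b in prof.values()),
    }


def detect(baseline, live, k=4.0):
    """Return [(hour, reasons)] for hours that break the baseline.

    Two independent tests, because the heist was abnormal on both axes:
    volume (thousands of withdrawals in a few hours) and geography (29 countries).
    The thresholds do not relax on weekends: the case's alerts went unseen because
    nobody was watching, not because they would not have fired.
    """
    threshold = baseline["count_mean"] + k * baseline["count_sd"]   # k is an assumed multiplier
    alerts = []
    for hour, b in sorted(hourly_profile(live).items()):
        reasons = []
        if b["count"] > threshold:
            reasons.append(f"{b['count']} withdrawals/hour exceeds {threshold:.1f}")
        if len(b["countries"]) > baseline["max_countries"]:
            reasons.append(f"{len(b['countries'])} countries exceeds {baseline['max_countries']}")
        if reasons:
            alerts.append((hour, reasons))
    return alerts


def make_history(rng, days=14, per_hour=30):
    """Constructed two-week history: ~30 withdrawals an hour, almost all domestic."""
    start = datetime(2018, 7, 28)
    txns = []
    for h in range(days * 24):
        hour_start = start + timedelta(hours=h)
        for _ in range(rng.randint(per_hour - 8, per_hour + 8)):
            country = "IN" if rng.random() < 0.97 else rng.choice(["AE", "SG", "US"])
            txns.append((hour_start + timedelta(minutes=rng.randint(0, 59)),
                         f"card{rng.randint(1, 5000)}", country, rng.choice([2000.0, 5000.0, 10000.0])))
    return txns


def make_attack_hour(rng, n=3000):
    """Constructed heist hour: thousands of cash-outs by mules spread over 29 countries."""
    countries = ["HK", "CA", "US", "GB", "AE", "SG", "JP", "KR", "TH", "MY", "ID", "PH", "VN", "AU",
                 "NZ", "DE", "FR", "IT", "ES", "NL", "BE", "CH", "AT", "SE", "NO", "DK", "FI", "PL", "IN"]
    assert len(countries) == 29
    return [(ATTACK_HOUR + timedelta(minutes=rng.randint(0, 59)), f"clone{rng.randint(1, 450)}",
             countries[i % 29], rng.choice([5000.0, 10000.0, 20000.0])) for i in range(n)]


def run_demo():
    """Learn the baseline, then run one quiet hour and the heist hour through the detector."""
    rng = random.Random(2018)
    baseline = learn_baseline(make_history(rng))
    quiet_hour = [(ATTACK_HOUR - timedelta(hours=1) + timedelta(minutes=m), f"card{m}", "IN", 2000.0)
                  for m in range(20)]
    alerts = detect(baseline, quiet_hour + make_attack_hour(rng))
    return baseline, alerts


if __name__ == "__main__":
    base, found = run_demo()
    print("baseline:", base)
    for hour, why in found:
        print(hour, "->", "; ".join(why))
```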

The amount of Rs 13.92 crore transferred through SWIFT was traced in just 15 minutes. Immediate action was taken, and the bank requested Hang Seng Bank in Hong Kong to hold the amount. With the assistance of the Hong Kong Police and judicial support, the bank recovered Rs 8 crore. Due to this cyber-attack, the bank not only lost money, but its day-to-day operating systems and all payment systems were affected, directly impacting the bank's transactions until the entire security system was analysed and restored. This cyber-attack, which took place despite all security systems being in place, shocked not only Cosmos Bank but the entire banking sector. Before reinstating the necessary security systems, a detailed audit and inspection was carried out. Considering the need of the hour, and taking advice from consultants, the bank has introduced more efficient and robust security systems and has made additional capital investments in hardening the new systems. The cyber-attack and the restoration of payment systems back to normalcy had an impact on customers and their transactions. The bank faced premature withdrawal of term deposits of approx. Rs 500 crore and savings deposits amounting to Rs 415 crore, and lost Rs 3.70 crore of card commission due to this incident. Doubts and fears were raised in the minds of customers regarding the position of the bank, which resulted in some customers choosing to withdraw deposits prematurely. The bank stood very strong in this critical situation and streamlined its day-to-day work successfully within a short span. During this phase some members of society started spreading rumours that the bank was facing severe losses and might shut down its business, while various banking organizations from the cooperative sector and members of the cooperative fraternity, living up to their pledge of cooperation, stood in solidarity with the bank. Similarly, all media reported the bank's position on this incident positively.

In the six-monthly review taken at the Board of Directors' meeting held in October 2018, the situation caused by the cyber-attack was analysed and the expected business for the next 6 months was appraised.

HOW IT HAPPENED: ATM WITHDRAWALS

The bank's internal infrastructure, primarily the ATM infrastructure, was most likely compromised by malware delivered through a spear phishing campaign.

Once the malware had successfully travelled through the bank's infrastructure, it is possible that it infected the ATM or POS switch.

The malware severed the connection between the switch and the bank's Core Banking System (CBS). This enabled the attackers to issue instructions and control the responses of the ATM infrastructure. The bank claims that a proxy switch was installed by the attackers.

The attackers also tampered with the balances of some target accounts and allowed unauthorised cash withdrawals from ATMs.

Designated mules across the world aided in immediate cash withdrawals upon receiving the signals.

Since the CBS was completely kept out of the loop, none of these withdrawals were recorded or committed to the accounts.

It is possible that preparation for this activity started months earlier. The attackers stole customer data and cloned cards for the theft.

SWIFT TRANSFER

On August 13, 2018, the malicious threat actor continued the attack against Cosmos Bank, likely by moving laterally.

The Left Security Officer/Right Security Officer (LSO/RSO) authentication of the Cosmos Bank SWIFT SAA (SWIFT Alliance Access) environment was compromised and used to send three malicious MT103 messages to ALM Trading Limited at Hang Seng Bank in Hong Kong, amounting to around US$2 million.

WHO DID IT?

Although nothing can be said with certainty as of now, it is being speculated that the North Korean state-sponsored threat group Lazarus is behind this attack. However, as per our research, there has been no conclusive evidence to indicate this. Additionally, there is no visible chatter about the Cosmos Bank heist on the dark web.

Having said this, it cannot be denied that the Lazarus group could have spawned copycats in the hacker community, leading to a similar M.O. The attack bears the signature of the Lazarus Group, which includes the use of Windows Admin Shares for lateral movement, custom Command and Control (C2) that mimics TLS, adding new services on targets for persistence, Windows Firewall changes and a number of other techniques.

The Bangladesh Bank heist has been attributed to the Lazarus group. Here is a brief history and evolution of Lazarus.

WHAT COULD HAVE PREVENTED IT?

The main objective of this paper is to come up with a comprehensive list of dos and don'ts that will help banks to avoid these types of situations in the future.

Updates of software and operating systems

This measure, although probably the most basic, is also the most overlooked one. The reasons for this range from sheer negligence to the business department's reluctance to allow downtime.

Protection of the testing infrastructure

The amount of attention that the test infrastructure gets is extremely wanting. UAT systems are usually unpatched and at the same time connected to the production systems, leading to a potentially dangerous vulnerability. It is highly recommended that the test systems are patched and protected to avoid opening weaknesses in the system.

Application Whitelisting on Bank's Critical Servers

Application whitelisting should be introduced on critical bank servers. This will prevent attackers from installing their remote control tools, monitoring financial transactions, and escalating privileges. It also helps to identify unauthorized attempts to run such malicious applications.

As an additional defense layer, the network can be configured to allow only certain connections, to ensure that only applications that are supposed to communicate with each other do so.
Network traffic analysis

Continuous monitoring and regular analysis of network traffic goes a long way in preventing nasty outcomes. Where the bank lacks this expertise, it is highly recommended that it seeks external expert assistance. This is no longer a matter of choice on the bank's part.

Having said that, it is important for banks to understand that outsourcing the monitoring and analysis does not absolve them of the responsibility. Banks should constantly be in touch with the monitoring service providers, understand the threats and take the appropriate corrective and/or preventive measures.

Awareness

Almost all bank heists seem to have started with an unaware or careless employee clicking on a malicious link. It is highly evident in all the bank heists that the people-awareness factor played probably the most important part. User training on phishing and other social engineering tactics is a must, no matter how repetitive or boring it is for the employees, along with constant reminders about being wary of genuine-seeming emails asking for sensitive information or asking the reader to click on links.

It should be borne in mind at all times that phishers are getting cleverer and more sophisticated by the day.

The holiday syndrome

It is worth noting here that the attacks were executed over a weekend, and the alerts that would otherwise have been attended to went completely unnoticed. Banks have to start being extra vigilant over holidays.

SWIFT

Banks should keep an eye out for advisories and tips released by SWIFT from time to time in the restricted customer section of its main website.

CONCLUSION

The cybercrime event affected the entire business of the bank and called into question the integrity of its processes. Reputation risk manifested in a run on deposits of approx. Rs 1000 crore. The bank managed the turnaround through various change management measures. The bank management was able to create urgency and a coalition of the entire staff to ward off customers' fears, and the management created a strategy encompassing restoring reputation, technological solutions, investigation and various balance sheet exercises to restore profitability as well as confidence, which helped to garner new business. It was an extremely difficult and challenging task, but the bank has successfully enhanced its image by increasing business, and thus it can be said that the year under review was productive and optimistic. The Prime Minister's Office took cognizance of this cyber attack as it considered this to be an attack on the country's cyber security system and not just on our bank. RBI issued new directive principles with reference to Digital Banking which previously were applicable only to commercial banks. Considering the modus operandi of the cyber-attack, various seminars and workshops were conducted at the national level for strengthening Digital Banking security.

Exp – 4
Case Study of Wireshark

What is Wireshark?
Wireshark is a sniffer, as well as a packet analyzer.

What does that mean?

You can think of a sniffer as a measuring device. We use it to examine what’s going on inside a
network cable, or in the air if we are dealing with a wireless network. A sniffer shows us the
data that passes through our network card.
But Wireshark does more than that. A sniffer could just display a stream of bits - ones and
zeroes - that the network card sees. Wireshark is also a packet analyzer that displays lots of
meaningful data about the frames that it sees.
Wireshark is an open-source and free tool, and is widely used to analyze network traffic.

Wireshark can be helpful in many cases. It might be helpful for debugging problems in your
network, for instance – if you can’t connect from one computer to another, and want to
understand what’s going on.

It can also help programmers. For example, imagine that you were implementing a chat
program between two clients, and something was not working. In order to understand what
exactly is being sent, you may use Wireshark to see the data transmitted over the wire.

So, let’s get to know Wireshark.

How to Download and Install Wireshark


Start by downloading Wireshark from its official website:

https://www.wireshark.org/#download

Follow the instructions on the installer and you should be good to go.

How to Sniff Traffic with Wireshark


Launch Wireshark, and start by sniffing some data. For that, you can hit Ctrl+K (PC)
or Cmd+K (Mac) to get the Capture Options window. Notice that you can reach this window in
other ways. You can go to Capture->Options. Alternatively, you can click the Capture
Options icon.
I encourage you to use keyboard shortcuts and get comfortable with them right from the start, as
they'll allow you to save time and work more efficiently.

So, again, I’ve used Ctrl+K (or Cmd+K) and got this screen:

Figure: The Capture Options window in Wireshark (Source: Brief)
Here we can see a list of interfaces, and I happen to have quite a few. Which one is relevant? If
you’re not sure at this point, you can look at the Traffic column, and see which interfaces
currently have traffic.
Here we can see that Wi-Fi 3 has got traffic going through it, as the line is high. Select the
relevant network interface, and then hit Enter, or click the button Start.
Let Wireshark sniff the network for a bit, and then stop the sniff using Ctrl+E / Cmd+E. Again,
this can be achieved in other ways – such as going to Capture->Stop or clicking the Stop icon.
Consider the different sections:

Figure: Wireshark's sections (Source: Brief)
The section marked in red includes Wireshark’s menu, with all kinds of interesting options.

The main toolbar is marked in blue, providing quick access to some items from the menu.

Next, marked in green, is the display filter. We will get back to it shortly, as this is one of the
most important features of Wireshark.
Then follows:

The Packet List Pane


The packet list pane is marked in orange. It displays a short summary of each packet captured.

(Note: the term Frame belongs to a sequence of bytes in the Data Link layer, while a Packet is a
sequence of bytes from the Network layer. In this post I will use the terms interchangeably,
though to be accurate, every packet is a frame, but not every frame is a packet, as there are
frames that don't hold network layer data.)
As you can see in the image above, we have a few columns here:

• NUMBER (No.) – The number of the packet in the capture file. This number won't change,
even if we use filters. This is just a sequential number – the first frame that you have sniffed
gets the number 1, the second frame gets the number 2, and so on.

• Time – The timestamp of the packet. It shows how much time has passed from the very first
packet we have sniffed until we sniffed the packet in question. Therefore, the time for packet
number 1 is always 0.

• Source – The address where this packet is coming from. Don't worry if you don't understand
the format of the addresses just yet, we will cover different addresses in future tutorials.

• Destination – The address where this packet is going.

• Protocol – The protocol name in a short version. This will be the top protocol – that is, the
protocol of the highest layer.

• Length – The length of each packet, in bytes.

• Info – Additional information about the packet content. This changes according to the protocol.

By clicking on packets in this pane, you control what is displayed in the other two panes which
I will now describe.

The Packet Details Pane

Click on one of the captured packets. In the example below I clicked on packet number 147:

Now, the packet details pane displays the packet selected in the packet list pane in more detail.

You can see the layers here.
In the example above, we have Ethernet II as the second layer, IPv4 as the third layer, UDP as
the fourth layer, and some data as a payload.

When we click on a specific layer, we actually see the header of that layer.
Notice that we don’t see the first layer on its own. As a reminder, the first layer is responsible
for transmitting a single bit – 0 or 1 – over the network (if you need a refresher about the
different layers, check out this post).

Below the packet details pane, we have the packet bytes pane. It displays the data from the
packet selected in the packet list pane. This is the actual data being sent over the wire. We can
see the data in hexadecimal base, as well as ASCII form.
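To make the layer structure concrete, here is an added Python example (not from the original tutorial) that builds a constructed Ethernet II / IPv4 / UDP frame, dissects it into the same layers the packet details pane shows, and produces the packet-list-pane row (protocol, source, destination, length). The IP addresses reuse the tutorial's 192.168.1.3 and 172.217.16.142; the MAC addresses, ports and payload are made up. It also verifies the IPv4 header checksum, so a corrupted or tampered header is reported, and it shows that an ARP frame carries no network-layer header to decode, which is the frame-versus-packet distinction from the note above.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum. Over a header that already carries a
    correct checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame: bytes) -> dict:
    """Decode the layers the packet details pane would list: Ethernet II,
    then IPv4 and UDP when present. Layer 1 (bits on the wire) is not
    represented, exactly as in Wireshark."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": mac_str(dst), "src": mac_str(src),
                      "type": ETHERTYPES.get(ethertype, hex(ethertype))}}
    if ethertype != 0x0800:
        return layers          # e.g. ARP: a frame with no IPv4 packet inside
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, s_addr, d_addr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {
        "version": ver_ihl >> 4, "header_len": ihl, "ttl": ttl,
        "proto": IP_PROTOCOLS.get(proto, str(proto)),
        "src": str(IPv4Address(s_addr)), "dst": str(IPv4Address(d_addr)),
        # a corrupted or tampered header no longer sums to zero
        "checksum_ok": internet_checksum(ip[:ihl]) == 0,
    }
    transport = ip[ihl:total_len]
    if proto == 17 and len(transport) >= 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", transport[:8])
        layers["udp"] = {"sport": sport, "dport": dport, "length": ulen}
        layers["payload"] = transport[8:ulen]
    return layers


def summary(frame: bytes) -> dict:
    """One packet-list-pane row: highest-layer protocol, addresses, length."""
    layers = dissect(frame)
    if "udp" in layers:
        proto, src, dst = "UDP", layers["ip"]["src"], layers["ip"]["dst"]
    elif "ip" in layers:
        proto, src, dst = layers["ip"]["proto"], layers["ip"]["src"], layers["ip"]["dst"]
    else:
        proto, src, dst = layers["eth"]["type"], layers["eth"]["src"], layers["eth"]["dst"]
    return {"protocol": proto, "source": src, "destination": dst, "length": len(frame)}


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed sample frame (not a real capture) with a valid IPv4 checksum.
    The UDP checksum is left as 0, which IPv4 permits ("not computed")."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                         64, 17, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip_hdr + udp


# Constructed samples: MACs, ports and payload are made up; the IP addresses
# are the two used in the tutorial text.
SAMPLE_UDP = build_udp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                             "192.168.1.3", "172.217.16.142", 51234, 443, b"hello")
SAMPLE_ARP = struct.pack("!6s6sH", b"\xff" * 6, bytes.fromhex("001122334455"), 0x0806) + bytes(28)

if __name__ == "__main__":
    for frame in (SAMPLE_UDP, SAMPLE_ARP):
        print(summary(frame))
        print(dissect(frame))
```

The checksum check is the part worth keeping in mind when reading the packet bytes pane: flipping a single header byte (the TTL in the test) is enough for the header to stop summing to zero, which is how a receiver detects in-flight corruption.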
How to Use the Display Filter
Wireshark has many different functions, and today we will focus on one thing – the display
filter.

As you can see, once you start sniffing data, you get a LOT of traffic. But you definitely don't
want to look at everything.

Recall the example from before – using Wireshark in order to debug a chat program that you've
implemented. In that case, you would like to see the traffic related to the chat program only.

Let's say I want to filter only messages sent by the source address of frame number 149
(192.168.1.3). I will cover IP addresses in future posts, but for now you can see that it consists
of four numbers, delimited by dots:

Now, even if you don't know how to filter only packets sent from this IP address, you can use
Wireshark to show you how it's done.
For that, go to the field you want to filter on – in this case, the source IP address. Then
right-click it and choose Apply as Filter.

After applying the filter, you only see packets that have been sent from this address. Also, you
can look at the display filter line and see the expression used. In this way, you can learn the
display filter syntax (in this example, it is ip.src for the IP source address field):

Now, try to filter only packets that have been sent from this address, and to the
address 172.217.16.142 (as in Frame 130 in the image above). How would you do that?
Well, you could go to the relevant field – in this case, the IP destination address. Now, right-
click -> Apply as Filter -> and select ...and Selected:

If you look at the display filter line after applying this filter:

You can also learn that you can use the && operator in order to perform a logical AND. You could
also write the word and instead, and get the same result.
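As an added illustration (not part of the original tutorial), the Python below implements a small interpreter for the subset of display-filter syntax used above: field == value comparisons combined with && / and, || / or, ! / not and parentheses. It runs over constructed packet-list rows (not a real capture) that reuse the tutorial's two addresses; the field names and values are this example's assumptions. The point is that the && expression Wireshark generated for you is a filter that can be evaluated against any packet summary, including one with no IP layer at all.

```python
import re

# Tokens of the supported subset: parentheses, operators, field names such
# as ip.src, keywords (and/or/not/eq) and bare values such as 192.168.1.3.
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||==|!|[A-Za-z_][\w.]*|[\d.]+)")


def tokenize(text: str) -> list:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class DisplayFilter:
    """Parses a filter once and evaluates it against many packet summaries.
    Precedence, lowest to highest: or, and, not; parentheses group."""

    def __init__(self, text: str):
        self.toks = tokenize(text)
        self.pos = 0
        self.ast = self._or_expr()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of filter")
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def _or_expr(self):
        node = self._and_expr()
        while self._peek() in ("||", "or"):
            self._take()
            node = ("or", node, self._and_expr())
        return node

    def _and_expr(self):
        node = self._not_expr()
        while self._peek() in ("&&", "and"):
            self._take()
            node = ("and", node, self._not_expr())
        return node

    def _not_expr(self):
        tok = self._peek()
        if tok in ("!", "not"):
            self._take()
            return ("not", self._not_expr())
        if tok == "(":
            self._take()
            node = self._or_expr()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return node
        field, op, value = self._take(), self._take(), self._take()
        if op not in ("==", "eq"):
            raise ValueError(f"unsupported operator {op!r}")
        return ("eq", field, value)

    def matches(self, packet: dict) -> bool:
        return self._eval(self.ast, packet)

    def _eval(self, node, packet):
        kind = node[0]
        if kind == "eq":
            # A field absent from the packet (ip.src on an ARP frame) never
            # matches; a multi-valued field such as udp.port matches when any
            # of its values is equal, which is also Wireshark's behaviour.
            values = packet.get(node[1])
            if values is None:
                return False
            if not isinstance(values, (list, tuple)):
                values = [values]
            return any(str(v) == node[2] for v in values)
        if kind == "not":
            return not self._eval(node[1], packet)
        if kind == "and":
            return self._eval(node[1], packet) and self._eval(node[2], packet)
        return self._eval(node[1], packet) or self._eval(node[2], packet)


def apply_filter(text: str, packets: list) -> list:
    """Return the 'No.' values of the packets the filter keeps."""
    flt = DisplayFilter(text)
    return [p["no"] for p in packets if flt.matches(p)]


# Constructed packet-list rows (not from a real capture).
PACKETS = [
    {"no": 1, "ip.src": "192.168.1.3", "ip.dst": "172.217.16.142", "udp.port": [51234, 443]},
    {"no": 2, "ip.src": "172.217.16.142", "ip.dst": "192.168.1.3", "udp.port": [443, 51234]},
    {"no": 3, "ip.src": "192.168.1.3", "ip.dst": "192.168.1.1", "udp.port": [53124, 53]},
    {"no": 4, "eth.src": "00:11:22:33:44:55", "eth.type": "ARP"},
]

if __name__ == "__main__":
    print(apply_filter("ip.src == 192.168.1.3 && ip.dst == 172.217.16.142", PACKETS))
```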

How to Use Wireshark to Research the Ping Utility

Ping is a useful utility to check for remote servers' connectivity.

This page explains how to use ping in Windows, and this page explains how to do that in OSX.
Now, we can try to ping <address> using the command line. By default on Windows, ping sends 4
echo requests and waits for the replies. If we want it to send a single request, we could use -n 1
(on Linux and macOS the equivalent option is -c 1):

Exp - 5

What Is a VPN?
Virtual Private Network

A virtual private network, or VPN, is an encrypted connection over the Internet from a device
to a network. The encrypted connection helps ensure that sensitive data is safely transmitted.
It prevents unauthorized people from eavesdropping on the traffic and allows the user to
conduct work remotely. VPN technology is widely used in corporate environments.

History of VPNs

ARPANET introduced the idea of connecting distant computers in the 1960s. The foundation
for today's Internet connectivity was laid by the development of protocols such as TCP/IP in the
1980s. Specific VPN technologies first appeared in the 1990s in response to growing concerns
about online privacy and security.

Let us understand VPNs with an example. Think of a situation where the corporate office of a
bank is situated in Washington, USA. This office has a local network consisting of, say, 100
computers. Suppose other branches of the bank are in Mumbai, India, and Tokyo, Japan. The
traditional method of establishing a secure connection between the head office and a branch
was to have a leased line between the branch and the head office, which was costly as well
as troublesome. A VPN lets us effectively overcome this issue.

The situation is described below:

• All 100 computers of the corporate office in Washington are connected to the VPN server
(which is a well-configured server with a public IP address and a switch connecting all
computers present in the local network, i.e. in the US head office).
• The person sitting in the Mumbai office connects to the VPN server using a dial-up window,
and the VPN server returns an IP address that belongs to the range of IP addresses of the
corporate office's local network.
• Thus the person from the Mumbai branch becomes local to the head office, and information
can be shared securely over the public internet.
• So this is the intuitive way of extending the local network even across the geographical
borders of the country.

VPNs are widely used all across the globe

Let us explain with an example. Suppose we use smartphones regularly. Spotify is a Swedish
music app that is not available in India, but we are making full use of it sitting in India. How?
A VPN can be used to camouflage our geolocation.
• Suppose our IP address is 101.22.23.3, which belongs to India. That's why our device is not
able to access the Spotify music app.
• The magic begins when we use the Psiphon app, an Android app used to change the device's
IP address to an IP address of the location we want (say the US, where Spotify works
seamlessly).
• The IP address is changed using VPN technology. Basically, your device connects to a VPN
server in the country you entered in the location textbox of the Psiphon app, and you now
inherit a new IP address from this server.
Now, if we search "What is my IP address", the IP address shown has changed to 45.79.66.125,
which belongs to the USA. Since Spotify works well in the US, we can use it now from India
(virtually in the USA). Isn't that good? Obviously, it is very useful.

• A VPN also ensures security by providing an encrypted tunnel between the client and the
VPN server.
• A VPN is used to bypass many blocked sites.
• A VPN facilitates anonymous browsing by hiding your IP address.
• Also, the most appropriate search engine optimization (SEO) is done by analyzing data from
VPN providers, which provide country-wise statistics of browsing for a particular product.
• VPNs encrypt your internet traffic, safeguarding your online activities from potential
eavesdropping and cyber threats, thereby enhancing your privacy and data protection.

Types of VPN

There are several types of VPN, which vary according to the specific requirements of the
computer network. Some of the VPN types are as follows:
1. Remote Access VPN
2. Site to Site VPN
3. Cloud VPN
4. Mobile VPN
5. SSL VPN
For more details you can refer to the published article Types of VPN.

VPN Protocols
• OpenVPN is a cryptographic protocol that prioritises security. OpenVPN is a widely
compatible protocol that provides a variety of setup choices.
• PPTP is not used any more, because there are many other secure choices with stronger and
more advanced encryption that protect data.
• WireGuard is a good choice, known for its performance.
• SSTP was developed for Windows users by Microsoft. It is not widely used due to its limited
connectivity.
• Another protocol connects a user to the VPN server but lacks encryption, hence it is
frequently used with IPSec to offer connection, encryption, and security simultaneously.

Why Should You Use a VPN?

• Love streaming your favourite shows and sports games? A VPN is your ultimate companion
for unlocking streaming services.
• Unleash your gaming potential with the added layer of security and convenience provided by
a VPN. Defend yourself against vengeful competitors aiming to disrupt your gameplay while
improving your ping for smoother, lag-free sessions. Additionally, gain access to exclusive
games that may be restricted in your region, opening up a world of endless gaming
possibilities.
• When it comes to downloading copyrighted content through torrenting, it's essential to keep
your IP address hidden. A VPN can mask your identity and avoid potential exposure, ensuring
a safe and private torrenting experience.
• Are you tired of your Internet speed slowing down when downloading large files? Your
Internet Service Provider (ISP) might be intentionally throttling your bandwidth. Thankfully, a
VPN can rescue you by keeping your online activities anonymous, effectively preventing ISP
throttling. Say goodbye to sluggish connections and embrace blazing-fast speeds.
• VPNs are essential for maintaining security when using public Wi-Fi networks, such as those
in coffee shops, airports, or hotels. These networks are often vulnerable to cyberattacks, and
using a VPN encrypts your internet connection, protecting your data from potential hackers
and eavesdroppers when you connect to untrusted Wi-Fi hotspots.
Are VPNs legal or illegal?
Using a VPN is legal in most countries. The legality of using a VPN service depends on the
country and its geopolitical relations with other countries as well. A reliable and secure VPN
is always legal if you do not intend to use it for any illegal activities, like committing fraud
online, cyber theft, or, in some countries, downloading copyrighted content. China has decided
to block all VPNs (Virtual Private Networks) by next year, as per the report of Bloomberg.
Many Chinese Internet users use VPNs to privately access websites that are blocked under
China's so-called "great firewall". This is done to avoid any information leakage to rival
countries and to tighten information security.
What to Look for When Choosing a VPN?
• Be sure the VPN has appropriate speed; a lot of providers have trouble keeping up with
Netflix viewing or downloading.
• Read both user and expert evaluations to gain a good idea of how well the VPN operates.
• Select a VPN provider that provides shared IP addresses.
• More servers translate into faster browsing, because there will be less traffic on each one.

Benefits of VPN
• When you use a VPN it is possible to switch IP.
• The internet connection is safe and encrypted with a VPN.
• Sharing files is confidential and secure.
• Your privacy is protected when using the internet.
• There is no longer a bandwidth restriction.
• It facilitates cost savings for internet shopping.

Limitations of VPN
• A VPN may decrease your internet speed.
• Premium VPNs are not cheap.
• VPN usage may be banned in some nations.

While VPNs enhance privacy, they are not entirely foolproof. In some cases, determined
adversaries, such as government agencies, may employ advanced techniques to trace VPN
usage. However, for typical online privacy needs, a VPN provides a high level of protection.

VPNs can introduce some degree of latency due to the encryption and routing processes. The
extent of the speed reduction depends on various factors, including the VPN provider's
infrastructure, server location, and your internet connection. In many cases, the impact on
speed is minimal, and modern VPN services strive to provide fast connections.

Yes, there are free VPN services available. However, they often come with limitations such
as data caps, slower speeds, and less robust security features. Paid VPN services generally
offer more reliable performance and better security.

Despite being heavily used in major parts of the world, VPNs are strictly prohibited in a few
countries, including:
• Russia
• China
• Belarus
• North Korea
• Iraq, etc.

Exp – 6

CASE STUDY OF SLOW-LORIS ATTACK

What is Slowloris?
Slowloris is basically an HTTP Denial of Service attack that affects threaded servers. It works
like this:

1. We start making lots of HTTP requests.
2. We send headers periodically (every ~15 seconds) to keep the connections open.
3. We never close the connection unless the server does so. If the server closes a
connection, we create a new one and keep doing the same thing.

This exhausts the server's thread pool and the server can't reply to other people.

HOW DOES A SLOWLORIS ATTACK WORK?


Slowloris is an application layer attack which operates by utilizing partial HTTP requests. The
attack functions by opening connections to a targeted Web server and then keeping those
connections open as long as it can.

Slowloris is not a category of attack but is instead a specific attack tool designed to allow a
single machine to take down a server without using a lot of bandwidth. Unlike bandwidth-
consuming reflection-based DDoS attacks such as NTP amplification, this type of attack uses
a low amount of bandwidth, and instead aims to use up server resources with requests that
seem slower than normal but otherwise mimic regular traffic. It falls in the category of attacks
known as "low and slow" attacks. The targeted server will only have so many threads available
to handle concurrent connections. Each server thread will attempt to stay alive while waiting for
the slow request to complete, which never occurs. When the server's maximum possible number
of connections has been exceeded, each additional connection will not be answered and
denial-of-service will occur.

A SLOWLORIS ATTACK OCCURS IN 4 STEPS:

1. The attacker first opens multiple connections to the targeted server by sending
multiple partial HTTP request headers.

2. The target opens a thread for each incoming request, with the intent of closing
the thread once the connection is completed. In order to be efficient, if a
connection takes too long, the server will timeout the exceedingly long
connection, freeing the thread up for the next request.

3. To prevent the target from timing out the connections, the attacker periodically
sends partial request headers to the target in order to keep the request alive. In
essence saying, “I’m still here! I’m just slow, please wait for me.”

4. The targeted server is never able to release any of the open partial connections
while waiting for the termination of the request. Once all available threads are in
use, the server will be unable to respond to additional requests made from
regular traffic, resulting in denial-of-service.

The key behind a Slowloris is its ability to cause a lot of trouble with very little
bandwidth consumption.

HOW IS A SLOWLORIS ATTACK MITIGATED?

For web servers that are vulnerable to Slowloris, there are ways to mitigate some of the impact.
Mitigation options for vulnerable servers can be broken down into 3 general categories:

1. Increase server availability - Increasing the maximum number of clients the server will
allow at any one time will increase the number of connections the attacker must make before
they can overload the server. Realistically, an attacker may scale the number of attacks to
overcome server capacity regardless of increases.

2. Rate limit incoming requests - Restricting access based on certain usage factors will help
mitigate a Slowloris attack. Techniques such as limiting the maximum number of connections a
single IP address is allowed to make, restricting slow transfer speeds, and limiting the
maximum time a client is allowed to stay connected are all approaches for limiting the
effectiveness of low and slow attacks.

3. Cloud-based protection - Use a service that can function as a reverse proxy, protecting the
origin server.

WHAT IS THE BEST WAY TO STOP A SLOWLORIS ATTACK?


Slowloris attacks can be mitigated by:

● Limiting the number of connections a single IP address may request to open.

● Increasing the minimum transfer speed allowed for any connection.

● Limiting the time a client is allowed to stay connected.

● Increasing the maximum number of clients the server will allow.

● Deploying robust cloud mitigation services, configuring robust load balancers, using web
application firewalls (WAFs) or other virtual patching techniques, and rate-limiting the
number of requests per source.

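The mitigations above trade off differently against a client that keeps trickling header bytes. The following Python model, added here and not part of the Slowloris project or of the quoted text, simulates a thread-pool server's admission decisions over a constructed scenario: ten connections from one source that send a header fragment every 15 seconds and never finish, plus one ordinary request that arrives at t = 30 s. Running the same scenario under different policies shows which knobs actually free a worker for the legitimate client. The policy names (max_workers, max_per_ip, idle_timeout, max_lifetime) are this example's own; they correspond to real server settings such as the worker count, a per-IP connection limit, a header read timeout and a request timeout.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Conn:
    """One client connection as the server sees it (times in seconds)."""
    cid: str
    src_ip: str
    opened_at: float
    fragments: List[float]            # times at which header bytes arrive
    completes_at: Optional[float]     # None: the request never completes


@dataclass
class Policy:
    """The knobs from the mitigation list (names are this example's own)."""
    max_workers: int = 10                     # thread pool size
    max_per_ip: Optional[int] = None          # connections one source may hold
    idle_timeout: Optional[float] = None      # max silence between fragments
    max_lifetime: Optional[float] = None      # max time allowed to finish headers


def release_time(conn: Conn, policy: Policy) -> float:
    """Moment at which the worker handling `conn` is freed under `policy`."""
    end = conn.completes_at if conn.completes_at is not None else float("inf")
    if policy.max_lifetime is not None:
        end = min(end, conn.opened_at + policy.max_lifetime)
    if policy.idle_timeout is not None:
        last = conn.opened_at
        for t in conn.fragments:
            if t - last > policy.idle_timeout:
                end = min(end, last + policy.idle_timeout)
                break
            last = t
        else:
            if conn.completes_at is None:     # silence after the last fragment
                end = min(end, last + policy.idle_timeout)
    return end


def served(conns: List[Conn], policy: Policy) -> List[str]:
    """IDs of connections whose request completes before the server drops it.
    Connections are admitted in arrival order; a worker stays busy from
    admission until release_time()."""
    active = []                                # (release_time, src_ip)
    done = []
    for conn in sorted(conns, key=lambda c: c.opened_at):
        active = [a for a in active if a[0] > conn.opened_at]
        if len(active) >= policy.max_workers:
            continue                           # pool exhausted: refused
        if policy.max_per_ip is not None and \
                sum(1 for a in active if a[1] == conn.src_ip) >= policy.max_per_ip:
            continue                           # per-source cap hit: refused
        end = release_time(conn, policy)
        active.append((end, conn.src_ip))
        if conn.completes_at is not None and end >= conn.completes_at:
            done.append(conn.cid)
    return done


# Constructed scenario (documentation-range addresses, not real hosts): ten
# connections from one source trickle a header line every 15 s and never
# finish; one ordinary request arrives at t = 30 s and needs half a second.
SLOW_SRC, NORMAL_SRC = "203.0.113.7", "198.51.100.20"
SCENARIO = [
    Conn(f"slow-{i}", SLOW_SRC, float(i), [i + 15.0 * k for k in range(1, 5)], None)
    for i in range(10)
] + [Conn("normal", NORMAL_SRC, 30.0, [30.1], 30.5)]

if __name__ == "__main__":
    for name, policy in [("no limits", Policy()),
                         ("idle timeout 20 s", Policy(idle_timeout=20)),
                         ("lifetime 20 s", Policy(max_lifetime=20)),
                         ("5 per IP", Policy(max_per_ip=5)),
                         ("20 workers", Policy(max_workers=20))]:
        print(f"{name:18s} served: {served(SCENARIO, policy)}")
```

An idle timeout longer than the fragment interval changes nothing, which is exactly step 3 of the attack description above: the trickle resets it. A bound on the total time allowed to finish the headers, or a per-source connection cap, is what actually returns a worker to the ordinary client; raising the worker count only moves the threshold.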
INSTALLATION OF SLOWLORIS

1. Check whether Python is installed or not.

2. Then install slowloris with the command:

3. Check whether slowloris is installed or not.

4. Now download and install the XAMPP Control Panel server.

5. Now perform the Slowloris attack.

Exp - 7

Study of Nmap
Nmap can be a solution to the problem of identifying activity on a network as it scans the entire
system and makes a map of every part of it. A common issue with internet systems is that they
are too complicated for the ordinary person to understand. Even a small home-based system is
extremely complex. That complexity grows exponentially when it comes to larger companies
and agencies that deal with hundreds or even thousands of computers on the network.

What is Nmap used for?

Nmap, also known as Network Mapper, is a highly effective and adaptable network scanning
tool. Its primary purpose is to explore networks and perform security audits. With Nmap, users
can effortlessly discover hosts and services on a computer network, detect operating systems,
identify open ports, and collect information about different network devices.

Common Use Cases For Nmap

• Network Discovery: Nmap can scan an entire network or a range of IP addresses to
identify active hosts available on the network.
• Port Scanning: Nmap can scan target hosts to determine which ports are open, closed,
or filtered. This information is valuable for assessing the security posture of a network
and identifying potential vulnerabilities.
• Service Version Detection: Nmap can probe open ports to determine the version and
type of services running on those ports. This helps in identifying specific software
versions and potential vulnerabilities associated with them.
• Operating System Detection: Nmap can analyze network responses to identify the
operating systems running on remote hosts. This information is helpful for network
administrators to understand the composition of their network and implement
appropriate security measures.
• Scripting and Automation: Nmap provides a scripting engine (NSE - Nmap Scripting
Engine) that allows users to write custom scripts to automate various network scanning
tasks and perform specialized security checks.

Nmap is a widely used tool by network administrators, security professionals, and ethical
hackers for network mapping, vulnerability assessment, and network security auditing.

If you want to know which ports are open and the corresponding rules, you can use Nmap. This
program scans the network your computer is connected to and provides a list of ports, device
names, operating systems, and other identifiers to help you understand your connection status.

However, hackers can also use Nmap to find uncontrolled ports on a system. They can run
Nmap in a targeted way, identify vulnerabilities, and exploit them. But Nmap is not only
used by hackers - IT security companies also use it to simulate potential attacks that a system
may face.

How Does it Work?

Nmap works by checking a network for hosts and services. Once found, the software platform
sends information to those hosts and services which then respond. Nmap reads and interprets
the response that comes back and uses the information to create a map of the network. The map
that is created includes detailed information on what each port is doing and who (or what) is
using it, how the hosts are connecting, what is and is not making it through the firewall, and
listing any security issues that come up.

How is all of that accomplished? Nmap utilizes a complex system of scripts that communicate
with every part of the network. The scripts act as communication tools between the network
components and their human users. The scripts that Nmap uses are capable of vulnerability
detection, backdoor detection, vulnerability exploitation, and network discovery. Nmap is an
extremely powerful piece of software, but there does tend to be a good deal of background
knowledge required to use it correctly.

Internet security companies can use Nmap to scan a system and understand what weaknesses
exist that a hacker could potentially exploit. As the program is open-source and free, it is one of
the more common tools used for scanning networks for open ports and other weaknesses. At
Holm Security, we use this technology in a very effective way, as we provide an excellent web-
based security service, which ensures that the clients’ ports remain securely closed to those not
granted permission.

Conclusion

Whether you are a private user with important information on your system, a major corporation
or a government agency protecting a wealth of highly sensitive data, Nmap can provide the
level of knowledge and pre-emptive thought required to keep things safe.

Commands
Let's look at some Nmap commands. If you don't have Nmap installed, you can get it from here.

Basic scans
Scanning the list of active devices on a network is the first step in network mapping. There are
two types of scans you can use for that:

• Ping scan — Scans the list of devices up and running on a given subnet (the -sn option;
older Nmap versions spelled it -sP, and options are case-sensitive).
> nmap -sn 192.168.1.1/24

• Scan a single host — Scans a single host for 1000 well-known ports. These ports are
the ones used by popular services like SQL, SNTP, Apache, and others.
> nmap scanme.nmap.org

Stealth scan
Stealth scanning is performed by sending a SYN packet and analyzing the response. If a
SYN/ACK is received, it means the port is open, and you could open a TCP connection.

However, a stealth scan never completes the 3-way handshake, which makes it harder for
applications on the target to notice and log the scanning system.
> nmap -sS scanme.nmap.org
You can use the -sS option to perform a stealth scan; it needs raw-socket privileges, so run it
as root or Administrator. Remember, stealth scanning is slower and not as aggressive as the
other types of scanning, so you might have to wait a while to get a response.

Version scanning
Finding application versions is a crucial part of penetration testing.

It makes your life easier, since you can look up existing vulnerabilities in the Common
Vulnerabilities and Exposures (CVE) database for a particular version of the service. You can
then use it to attack a machine using an exploitation tool like Metasploit.
> nmap -sV scanme.nmap.org
To do a version scan, use the -sV option. Nmap will provide a list of services with their
versions. Do keep in mind that version scans are not always 100% accurate, but they do take you
one step closer to successfully getting into a system.

OS Scanning
In addition to the services and their versions, Nmap can provide information about the
underlying operating system using TCP/IP fingerprinting. Nmap will also try to find the system
uptime during an OS scan.

> nmap -O scanme.nmap.org

You can use additional flags like --osscan-limit to limit the search to a few expected targets.
Nmap will display the confidence percentage for each OS guess.

Again, OS detection is not always accurate, but it goes a long way towards helping a pen tester
get closer to their target.

Aggressive Scanning
Nmap has an aggressive mode that enables OS detection, version detection, script scanning, and
traceroute. You can use the -A argument to perform an aggressive scan.

> nmap -A scanme.nmap.org

Aggressive scans provide far better information than regular scans. However, an aggressive
scan also sends out more probes, and it is more likely to be detected during security audits.

Scanning Multiple Hosts
Nmap has the capability of scanning multiple hosts simultaneously. This feature comes in real
handy when you are managing a vast network infrastructure.

You can scan multiple hosts through numerous approaches:

• Write all the IP addresses in a single row to scan all of the hosts at the same time.

> nmap 192.164.1.1 192.164.0.2 192.164.0.2

• Use the asterisk (*) to scan every host in a subnet at once.

> nmap 192.164.1.*

• Add commas to separate the address endings instead of typing the entire addresses.

> nmap 192.164.0.1,2,3,4

• Use a hyphen to specify a range of IP addresses.

> nmap 192.164.0.0-255

Port Scanning
Port scanning is one of the most fundamental features of Nmap. You can scan for ports in
several ways.

• Using the -p parameter to scan for a single port

> nmap -p 973 192.164.0.1

• If you specify the type of port, you can scan for information about a particular type of
connection, for example for a TCP connection (keep the port list free of spaces, otherwise
Nmap reads whatever follows the space as a target).

> nmap -p T:7777,973 192.164.0.1

• A range of ports can be scanned by separating them with a hyphen.

> nmap -p 76-973 192.164.0.1

• You can also use the --top-ports flag to specify the top n ports to scan.
> nmap --top-ports 10 scanme.nmap.org

Scanning from a File

If you want to scan a large list of IP addresses, you can do it by importing a file with the list of
IP addresses.

> nmap -iL /input_ips.txt

The above command will produce the scan results for all the addresses given in the
"input_ips.txt" file. Other than simply scanning the IP addresses, you can use additional options
and flags as well.

Verbosity and Exporting Scan Results

Penetration testing can last days or even weeks. Exporting Nmap results can be useful to avoid
redundant work and to help with creating final reports. Let’s look at some ways to export Nmap
scan results.

Verbose Output
> nmap -v scanme.nmap.org
The verbose output provides additional information about the scan being performed. It is useful
to monitor step by step actions Nmap performs on a network, especially if you are an outsider
scanning a client’s network.

Normal output
Nmap scans can also be exported to a text file. It will be slightly different from the original
command line output, but it will capture all the essential scan results.
> nmap -oN output.txt scanme.nmap.org

XML output
Nmap scans can also be exported to XML. It is also the preferred file format of most pen-
testing tools, making it easily parsable when importing scan results.

> nmap -oX output.xml scanme.nmap.org

Multiple Formats
You can also export the scan results in all the available formats at once using the -oA
option.

> nmap -oA output scanme.nmap.org

The above command will export the scan result in three files — output.xml, output.nmap and
output.gnmap.
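The XML export is the format to build tooling on. As an added example (not from this page or from the Nmap project), the Python below parses two constructed -oX files that use Nmap's real element names (host, status, address, ports/port, state, service) but an invented host, ports and version strings, and diffs them to report newly opened ports, closed ports and changed service versions. That comparison is what saves redundant work between scan days and turns a rescan into an alert about what changed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

# Constructed -oX style output. Element and attribute names follow Nmap's
# XML schema; the host (a documentation address), ports and versions are
# invented sample values, not a real scan.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.0.2.10" start="1700000000">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web-01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
    </ports>
  </host>
  <runstats><finished time="1700000050" elapsed="12.3"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# The same host rescanned later: 3306 is now reachable and sshd was upgraded.
TODAY_XML = (BASELINE_XML
             .replace('<state state="filtered" reason="no-response"/>',
                      '<state state="open" reason="syn-ack"/>')
             .replace('<service name="mysql"/>',
                      '<service name="mysql" product="MySQL" version="8.0.35"/>')
             .replace('version="8.9p1"', 'version="9.6p1"'))

PortKey = Tuple[str, str, int]   # (host address, protocol, port number)


def parse_nmap_xml(text: str) -> Dict[PortKey, dict]:
    """Flatten <host>/<ports>/<port> into {(addr, proto, port): info}.
    Hosts that are not up are skipped, like Nmap's own output does."""
    root = ET.fromstring(text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            key = (addr, port.get("protocol"), int(port.get("portid")))
            result[key] = {
                "state": state.get("state") if state is not None else "unknown",
                "service": service.get("name", "") if service is not None else "",
                "product": service.get("product", "") if service is not None else "",
                "version": service.get("version", "") if service is not None else "",
            }
    return result


def open_ports(scan: Dict[PortKey, dict]) -> Set[PortKey]:
    return {k for k, v in scan.items() if v["state"] == "open"}


def diff_scans(old: Dict[PortKey, dict], new: Dict[PortKey, dict]) -> dict:
    """What a defender wants from a rescan: newly exposed ports, ports that
    went away, and version strings that changed on ports open in both."""
    before, after = open_ports(old), open_ports(new)
    changed = {}
    for key in before & after:
        if (old[key]["product"], old[key]["version"]) != (new[key]["product"], new[key]["version"]):
            changed[key] = (old[key]["version"], new[key]["version"])
    return {"newly_open": sorted(after - before),
            "closed": sorted(before - after),
            "version_changed": changed}

if __name__ == "__main__":
    print(diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(TODAY_XML)))
```

On real exports the same parser works unchanged on the file produced by the -oX or -oA commands above; only the sample strings here are constructed.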

Nmap Help
Nmap has a built-in help command that lists all the flags and options you can use. It is often
handy given the number of command-line arguments Nmap comes with.

> nmap -h

Nmap Scripting Engine

Nmap output

Port/host detail

Exp – 8
Study of Burp Suite
Burp Suite is a leading commercial cybersecurity tool specifically designed for web
application security testing and vulnerability assessment. It is developed by PortSwigger, a
company specializing in web security solutions. Burp Suite offers a wide range of features and
capabilities to help security professionals, penetration testers, and developers identify and
address security vulnerabilities in web applications.

Top 10 use cases of Burp Suite:

Here are the top 10 use cases for Burp Suite:

1. Vulnerability Scanning: Burp Suite can perform automated scans of web applications
to identify common security issues such as cross-site scripting (XSS), SQL injection,
and more.
2. Proxy Interception: It acts as an intercepting proxy, allowing users to capture and
inspect HTTP and HTTPS traffic between their browser and the target web application.
This is essential for identifying vulnerabilities in real-time.
3. Crawling and Spidering: Burp Suite can crawl web applications to map their structure
and discover new pages, forms, and functionality for testing.
4. Manual Testing: Security professionals can use Burp Suite’s suite of tools for manual
testing, including the Repeater, Intruder, and Sequencer, to conduct in-depth security
assessments.
5. Fuzz Testing: The tool supports fuzzing, allowing testers to send malformed data to
web forms and APIs to discover input validation and security issues.
6. Session Management Testing: Burp Suite helps identify vulnerabilities related to
session management, including session fixation, hijacking, and cookie security issues.
7. Authentication Testing: Testers can assess the security of authentication mechanisms,
including brute force attacks, weak password policies, and authentication bypass
vulnerabilities.
8. API Security Testing: Burp Suite is capable of testing REST and SOAP APIs for
security vulnerabilities, ensuring that API endpoints are secure from attacks.
9. Intruder and Sniper: These tools within Burp Suite are used for automated
vulnerability scanning and testing. Intruder allows for customized attacks on web
applications, while Sniper focuses on single request/response testing.
10. Customization and Integration: Burp Suite offers extensive customization options,
including the ability to create custom extensions and integrations with other tools and
services. This flexibility allows users to tailor their testing workflows to their specific
needs.

Burp Suite’s rich set of features, combined with its user-friendly interface and strong
community support, make it a popular choice among security professionals for web application
security testing and assessment. It provides both automated scanning capabilities and a suite of
manual testing tools to comprehensively evaluate the security of web applications.

What are the features of Burp Suite?

Burp Suite is a comprehensive web application security testing tool known for its wide range
of features and capabilities. Below are the key features of Burp Suite and an overview of how it
works and its architecture:
Features of Burp Suite:

1. Proxy: Acts as an intercepting proxy, allowing users to capture and manipulate HTTP
and HTTPS traffic between their browser and the target web application.
2. Scanner: Provides automated vulnerability scanning for web applications, identifying
common security issues such as SQL injection, cross-site scripting (XSS), and more.
3. Spider: Crawls and maps the structure of web applications to discover new pages,
forms, and functionality for testing.
4. Repeater: Enables manual testing by allowing users to modify and re-send requests to
the target application.
5. Intruder: Automates attacks against web applications, making it easier to identify
vulnerabilities through brute force, fuzzing, and payload manipulation.
6. Sequencer: Analyzes the quality of for detecting issues like parameter manipulation.
7. Extender: Allows users to create custom extensions and integrations with other tools
and services, enhancing Burp Suite’s functionality.
8. Collaborator: Provides a unique domain for each testing engagement, allowing testers
to detect out-of-band vulnerabilities and interactions with external systems.
9. Scanner Checks: Offers a wide range of predefined security checks for identifying
vulnerabilities in web applications.
