
THE NATIONAL INSTITUTE OF ENGINEERING

Mananathavadi Road, Mysuru - 570008


Phone : 0821 -2480475,2481220,4004947 Fax : 0821-2485802,
Email: [email protected]

COURSE TITLE: INTRODUCTION TO CYBER SECURITY COURSE CODE: BETCK1051

ASSIGNMENT: EXPLORING PENETRATION TESTING TOOLS, ENVIRONMENT


BY
DHANANJAYA B
EEE DEPARTMENT
“A” SECTION
USN: 2024EE0008

SUBMITTED TO,
Prof. ANAND SRIVATSA
TASK 1
Task 1: Environment Setup

1. Install Oracle VirtualBox:


o Provide a step-by-step installation guide with screenshots.

2. Install Kali Linux on VirtualBox:


o Document the installation process with screenshots from start to completion.
o Confirm successful installation with a screenshot of the running Kali Linux interface.
TASK 1:

BROWSING TO INSTALL ORACLE VIRTUALBOX

ALLOWING TO INSTALL
INSTALLATION INSTRUCTIONS …
ALLOWING TO SET UP THE
SELECTION OF CUSTOM SETUP …
HOME PAGE OF VIRTUALBOX …
SEARCHING FOR KALI LINUX
BROWSING TO GET KALI LINUX IN VIRTUALBOX
ALLOWING TO DOWNLOAD KALI LINUX
LOGIN PAGE OF KALI
HOME PAGE OF KALI LINUX
TASK 2

Task 2: Zphisher Setup and Website Phishing Exploration.

1. Install Zphisher:
o Use appropriate commands to install Zphisher in Kali Linux.
o Include a screenshot of the successful installation.

2. Explore Phishing Attacks:


o Launch at least 2 phishing website attacks (e.g., social media login cloning or email spoofing).
o Provide screenshots of the phishing pages created and describe the functionality.
o Note: Perform this in an isolated and ethical environment.
BROWSING TO FIND ZPHISHER
EXTRACTING THE ZPHISHER LINK FROM GITHUB
LINK IS GENERATED
OPENED THE GITHUB LINK IN THE TERMINAL
SELECTING OPTION NUMBER 13 TO DO PHISHING
SELECTING PORT NUMBER 01
SELECTING WHETHER TO CUSTOMIZE THE PORT BY {Y/N}
OPENING THE LINK
OPEN PAGE OF SNAPCHAT BY ZPHISHER
ANOTHER PHISHING
SELECTING OPTION 25
SELECTING PORT 01
WAITING FOR THE LOGIN INFO …
HOME PAGE OF YAHOO! BY PHISHING
STARTING THE SESSION
TASK 3
Mutillidae Installation and Configuration.
1. Install Mutillidae:

o Document the installation process of Mutillidae in Kali Linux.


o Include screenshots showing the following:
▪ Successful installation.
▪ Access to the Mutillidae dashboard.

2. Explore Mutillidae:
o Briefly describe the purpose of Mutillidae as a web application testing tool.
BROWSING XAMPP TO INSTALL MUTILLIDAE
DOWNLOAD XAMPP FOR THE LINUX OS
ALLOWING TO INSTALL
HOME PAGE OF XAMPP, TO PROVIDE A WEB SERVER FOR MUTILLIDAE
COPY THE MUTILLIDAE LINK FROM THE BROWSER AND PASTE IT INTO THE TERMINAL WITH THE COMMANDS ABOVE
WEB PAGE OF MUTILLIDAE
HOME PAGE OF MUTILLIDAE.
WE CAN USE SOME TOOLS RELATED TO WEB APPLICATION TESTING, AS MENTIONED ABOVE.
I HAVE CREATED MY OWN ACCOUNT
IN THE LAB TOOL WE CAN ATTEMPT A QUIZ AND SOLUTIONS RELATED TO THE WEB APPLICATION.
2. Explore Mutillidae
Mutillidae is a vulnerable web application designed to simulate real-world vulnerabilities, such as SQL
injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and more. Here’s how to
explore it:
Accessing the Mutillidae Dashboard
Once installed, navigate to the Mutillidae dashboard by visiting:
http://localhost/mutillidae
Here, you will be able to view the following:
•Home Page: The landing page of Mutillidae contains various links and security exercises.
•Login Form: The login page is intentionally vulnerable to SQL injection attacks, so you can practice exploiting this vulnerability.
•Admin Panel: The admin panel allows you to test your skills on privilege escalation and other web application vulnerabilities.
•Vulnerable Pages: Mutillidae includes several vulnerable pages where you can practice techniques such as:
•SQL Injection
•Cross-Site Scripting (XSS)
•File Inclusion Attacks
•Command Injection
Example of Vulnerable Features to Explore
1.SQL Injection:
•Try exploiting the login form by using SQL injection techniques. For example, using ' OR '1'='1 as the username and password should bypass the login.
2.Cross-Site Scripting (XSS):
•You can input malicious JavaScript code into form fields to see how the app is vulnerable to XSS attacks.
3.File Inclusion:
•Try exploiting the file inclusion vulnerability by modifying URL parameters to include files from the server.
4.Cross-Site Request Forgery (CSRF):
•Test how well the app is protected from CSRF attacks by submitting forms without proper authentication.
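The login bypass described under SQL Injection above, shown as an added example that is not Mutillidae's own code: a login check built by string concatenation beside a parameterized one, run against an in-memory SQLite table with a constructed account standing in for Mutillidae's MySQL accounts table (an assumption). It shows why the ' OR '1'='1 input succeeds against the first and fails against the second.

```python
import sqlite3


def make_db():
    # Constructed stand-in for Mutillidae's accounts table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Query text is built by concatenating user input, so quotes in the
    # input become part of the SQL. With ' OR '1'='1 for both fields the
    # WHERE clause is true for every row and the first account is returned.
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the SQL text, so the
    # database compares the literal string ' OR '1'='1 and finds no match.
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    # Returns the outcome of the page's payload against both versions,
    # plus a genuine login against the hardened one.
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, payload),
        "parameterized_bypassed": login_parameterized(conn, payload, payload),
        "parameterized_valid_login": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Passwords are stored in clear here only to keep the injection point visible; a real application would compare a password hash.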
Task 4
Demonstrating Applications in Pen Testing

1. Select Two Applications:


o Choose any two tools available in Kali Linux for penetration testing.
Examples include:
▪ Nmap: For network scanning.
▪ Metasploit: For vulnerability exploitation.
▪ Hydra: For password cracking.

o Tool 1: Describe the tool, show how to launch it, and document an example test.
o Tool 2: Repeat the same steps for another tool.
2. Include the Following:
o Commands used.
o Screenshots of results or outcomes.
o Brief explanations of what the tool achieved.
SOCIAL ENGINEERING TOOL IN THE KALI LINUX TOOLS.
USING THE SOCIAL ENGINEERING TOOLKIT (SET)
SELECTING OPTION 01
AFTER SELECTING OPTION 01 WE GET INTO THIS TERMINAL TO SELECT THE PORT, AND I SELECTED 08
THIS TERMINAL IS FOR ENTERING THE URL OF ANY WEBSITE TO GENERATE ITS QR CODE
I ENTERED THE YOUTUBE URL
THE QR CODE IS GENERATED IN A HIDDEN FILE … FINDING THE QR CODE
FOLDER PAGE
THE QR CODE IS HIDDEN IN THE ROOT FOLDER
THE QR CODE IS HIDDEN IN THE .SET FOLDER
IN REPORTS THE QR CODE IS GENERATED
THE GENERATED QR CODE
TOOL 2: USING THE TOOL ZENMAP
THE PAGE OF ZENMAP; I AM ENTERING THE TARGET 203.0.113.0/24 AND GIVING THE PROFILE “PING SCAN”
NMAP OUTPUT
TOPOLOGY OF THE APPLIED TARGET
HOST DETAILS OF THE APPLIED TARGET IN ZENMAP
DETAILS OF THE SCANS OF THE APPLIED TARGET
CONCLUSION:
Environment Setup
•Virtualization: Setting up a proper penetration testing environment is crucial for security testing. Using virtual machines
ensures isolation, allowing the tools to operate without affecting the primary system.
•Kali Linux: Kali Linux is a powerful penetration testing operating system, preloaded with tools required for security
testing. Understanding how to set up a Kali Linux VM and configure essential network settings was essential for a smooth
testing environment.
•Network Configuration: Ensuring that the virtual machines are properly networked together for penetration testing,
allowing you to conduct security tests without interfering with external systems.

Zphisher Setup
•Phishing Automation: Zphisher is a tool for creating phishing pages. Learning to set it up on Kali Linux allowed for the
exploration of phishing attacks in a controlled environment.
•Social Engineering: The use of phishing attacks demonstrated the importance of social engineering in penetration testing.
Zphisher makes it easy to create convincing phishing pages, which highlights how attackers can trick users into divulging
personal information.
•Ethical Use: The importance of using phishing attacks in ethical and legal environments is critical. Understanding how phishing
works, combined with the knowledge gained from using Zphisher, provides an in-depth view of these attacks.
Website Phishing Exploration
•Phishing Techniques: Experimenting with website phishing demonstrated how attackers mimic legitimate websites to steal
sensitive data. Recognizing common phishing tactics such as URL manipulation, credential harvesting, and using fake login
forms is critical for cybersecurity professionals.
•Detection and Prevention: Understanding how phishing works is essential for developing defenses against it. Exploring how
web servers handle phishing attacks also helped in understanding the technical measures to mitigate such threats.

Mutillidae Installation and Configuration


•Vulnerable Web Application: Installing Mutillidae provided hands-on experience with a vulnerable web application that
simulates real-world security issues. This allowed for exploration of common vulnerabilities such as SQL injection, Cross-Site
Scripting (XSS), and Cross-Site Request Forgery (CSRF).
•Database Configuration: The installation process required setting up and configuring a MySQL database. Understanding the
relationship between web applications and databases, as well as configuring them for testing, was crucial in building
penetration testing skills.
•Penetration Testing Practice: Mutillidae was used as a sandbox environment to practice exploiting different vulnerabilities
and assessing web application security. This helped solidify the understanding of how various attacks like SQL injection and
XSS work in a real-world environment.
Penetration Testing Application
•Exploiting Web Vulnerabilities: Using tools like Zphisher and Mutillidae helped practice common penetration testing
techniques, such as exploiting web vulnerabilities, creating exploits, and performing simulated attacks.
•Security Auditing: The process reinforced the importance of auditing web applications for vulnerabilities, using tools to scan
for weaknesses, and applying appropriate patches to secure systems.
•Reporting: Documenting and reporting findings after penetration testing is vital in real-world scenarios. The process of
identifying vulnerabilities and creating a comprehensive report mirrors professional penetration testing assessments.

CHALLENGES FACED
Zphisher Setup Challenges
•Tool Dependencies: Zphisher required additional libraries and dependencies to run smoothly on Kali Linux. Resolving these
dependencies took time and required knowledge of package management in Kali Linux.
•Ethical Considerations: While setting up Zphisher, it was important to ensure that phishing pages were not deployed in
environments that could cause harm or violate laws. Maintaining ethical standards in penetration testing and phishing
exercises is essential.
•Network Configuration: Ensuring that the tool operated correctly in the virtualized network environment sometimes
required network configuration adjustments, which took extra time.
Website Phishing Exploration Challenges
•Realistic Page Design: Designing convincing phishing pages that could bypass detection required attention to detail. Simple
mistakes like incorrect branding or text could make the page easily detectable by trained users or security systems.
•Legal Concerns: Engaging in phishing activities, even in a testing environment, carries legal and ethical considerations.
Ensuring that phishing tests are conducted in a controlled, ethical, and legal manner is crucial.
•Detection and Mitigation: Understanding and identifying countermeasures against phishing, like SSL/TLS encryption and
multi-factor authentication, was a challenge. Building defenses against phishing attacks is just as important as learning to
exploit them.

Mutillidae Installation and Configuration Challenges


•Database Configuration: Setting up the MySQL database correctly required attention to detail. Incorrect configuration led
to issues where Mutillidae could not connect to the database or failed to install properly.
•Permission Issues: Apache required proper file permissions for Mutillidae to function. Misconfiguring these permissions
led to access errors and required troubleshooting.
•Software Compatibility: Ensuring that the correct versions of Apache, MySQL, and PHP were installed to ensure
compatibility with Mutillidae was a challenge, as different versions of these software packages can sometimes cause issues.
General Penetration Testing Challenges
•Time Constraints: Penetration testing, especially in a learning environment, can be time-consuming. It requires attention to
detail, testing each vulnerability, and properly analyzing the results. Balancing this with the need to understand different attack
vectors was challenging.
•Documentation and Reporting: After conducting penetration tests and exploiting vulnerabilities, documenting findings and
making recommendations for securing systems proved to be a time-consuming task. Properly formatting and detailing
vulnerabilities is a critical aspect of penetration testing.
•Tool Familiarity: Mastering the use of various tools like Zphisher and Mutillidae required time and practice to understand the
best ways to leverage these tools for different types of attacks.
Final Thoughts
This exercise helped gain hands-on experience with penetration testing and security assessments using various tools and
techniques. Key takeaways include:
•Understanding the importance of setting up a controlled environment for penetration testing.
•The ethical considerations involved in using tools like Zphisher and performing phishing attacks.
•The significance of knowing how to exploit and mitigate web vulnerabilities using applications like Mutillidae.
•The value of continuous learning and hands-on practice in penetration testing to develop a strong foundation in
cybersecurity.
Despite the challenges faced during installation and exploration, the overall experience enhanced the practical
understanding of penetration testing and web application vulnerabilities. It has emphasized the need for a responsible
approach to security testing and provided insights into the tools and techniques that security professionals use to
safeguard systems from malicious actors.
By
DHANANJAYA.B
