5 Lab
INDEX

Sl. No. and Experiment Name

1. Creating user accounts with security on Windows
2. Password setup and updating your Windows system
3. Encrypting files using normal and WinRAR methods
4. Verifying a digital certificate of a website
5. Install and demonstrate a JCrypt tool
6. Create a repository on GitHub using the command line
7. Demonstrate a firewall on Windows
8. Install and demonstrate Process Hacker and the default Windows method (Task Manager)
9. Demonstrate NTFS file permissions
10. Install and demonstrate the Microsoft Threat Modelling Tool
11. Install and demonstrate the Nmap tool
12. Install and demonstrate FlawFinder
13. Install and demonstrate dynamic and static file analysis using SonarQube
14. Install and demonstrate OWASP ZAP
15. Install and demonstrate OWASP Dependency-Check
16. Install and demonstrate the Burp Suite tool
17. Install and demonstrate the WebGoat application and complete one practical exercise on an OWASP known vulnerability. DAST analysis using GitLab
18. Install and demonstrate reverse engineering using APK tool
19. Install and demonstrate the Nessus tool to monitor vulnerabilities of the network digital assets
20. Demonstration of the Wireshark application
21. Install and demonstrate Mobile Application Security Framework (MobSF)
22. Install and demonstrate Android Studio, enable the Android virtual machine, and create a simple Android application
23. Create an AWS Cloud account and enable multifactor authentication. Create user accounts on the cloud platform and add security policies for each user
24. Create an S3 bucket and upload files in it

EXPERIMENT-1
Creating User Accounts With Security on Windows

Create a Microsoft account
Step 1: Swipe in from the right edge of the screen and tap Settings. Tap or click Accounts, and then tap or click Other accounts.
Step 2: Tap or click Add an account.
Step 3: Enter the account info for this person to sign in to Windows.
There are four ways to do this:
Step 4: If the person you're adding already has a Microsoft account, enter it now.
Step 5: If the person you're adding doesn't have a Microsoft account, you can use their email address to create one. Enter the email address that person uses most frequently.
Step 6: If the person you're adding doesn't have an email address, tap or click Sign up for a new email address. It's free.
Step 7: Tap or click Accounts, and then tap or click Other accounts.
Step 8: Tap or click Add an account, and then tap or click Sign in without a Microsoft account (not recommended).
Step 9: Tap or click Local account.
Step 10: Enter a user name for the new account.
Step 11: If you want this person to sign in with a password, enter and verify the password, add a password hint, and then tap or click Next.
Step 12: If your PC is on a domain, depending on the domain's security settings, you might be able to skip this step and tap or click Next, if you prefer.
Step 13: Tap or click Finish.

EXPERIMENT-2
Password setup or change PIN
Step 1: Press the Windows 11 keyboard shortcut "Windows + I" to open the Settings app. Now, move to Accounts -> Sign-in option.
Step 2: Here, click to expand the "Password" section and then click the "Change PIN" button.
Step 3: After that, enter the current password of your Windows 11 PC and click on "Next".
Step 4: On the next page, you can change the password easily. You can also add a hint to help you recover your account in case you forget the password.
Step 5: Finally, click on "Finish", and you are done. You have successfully changed your Windows 11 password.

Check Windows update and update them
Step 1: First press the Windows 11 keyboard shortcut "Windows + I" to open the Settings app. Next, navigate to the "Windows Update" section from the left sidebar.
Step 2: Once here, click on "Check for updates".
If there is an update available, it will show up here and will be downloaded automatically.
Step 3: After that the update will be installed, and you will be asked to restart your PC. Simply reboot your Windows PC.

EXPERIMENT-3
Encrypting the file using Normal and WinRAR methods
Step 1: Open MS Word.
Step 2: Click on New document.
Step 3: Write the information and click on the Save option.
Step 4: At the Save option, click on Tools and then click on General Options.
Step 5: There, set a password for your file.

EXPERIMENT-4
Check the browser and website certificates and analyze the certificates

Browser certificates view
Step 1: Open Chrome and click on the settings icon.
Step 2: Click the manage more settings option and search for certificates.
Step 3: Click on Manage certificates.
Step 4: Select any one certificate and click View.
Step 5: Open the certificate.
Step 6: Now you can see the certificate.

Website certificate check
Step 1: Go to Chrome and search for any website.
Step 2: Click the lock icon at the top left corner.
Step 3: Click Connection is secure.
Step 4: Click More information.
Step 5: Now click View certificate.
Step 6: Now you can see the certificate details.

EXPERIMENT-5
Design A Simple Crypto System [Encryption, Decryption, Digital Signature] Using Any Crypto Tool

Steps for Encryption
Step 1: Go to File and click on New in the crypto tool.
Step 2: Then type the message.
Step 3: Go to the Encryption/Decryption option and select Asymmetric. Then click on RSA encryption.
Step 4: Choose the recipient and double-click on the recipient. Then click on Encrypt.
Step 5: Then your message will be encrypted.

Steps for Decryption
Step 1: Go to Encryption/Decryption and select Asymmetric. Then click on RSA decryption.
Step 2: Select your secret key from the PSE list. Then double-click on the PSE.
Step 3:
- Enter the PIN code, then click on Decrypt.
Step 4: Then your message will be decrypted.

Steps for Digital Signature
Go to File, then click on New.
Step 1: Type the message and go to Digital Signature. Then click on Signature Demonstration.
Step 2: Click on Select hash function.
Step 3: Click on MD5. Then click on the OK option.
Step 4: Then click on Generate key.
Step 5: Click on Generate prime numbers.
Step 6: Select Generate prime numbers. Then click on Apply primes.
Step 7: Click on Provide certificate.
Step 8: Create your PSE certificate. Then click on Create certificate PSE.
Step 9: Click on Encrypt hash value.
Step 10: Click on Store signature.
Step 11: It shows the results. Then click on the OK option.
Step 12: The digital signature will be displayed on the screen.

EXPERIMENT-6
Install Git app and perform the basic Git operations in command prompt

Basic Git operations:
1. Install Git: Download and install it from the official Git website https://git-scm.com
2. Create a GitHub account: If you don't have a GitHub account, create it; otherwise sign in to your account at https://github.com/
3. Set Git configuration: Open Git CMD and configure your name and email using the following commands.
    git config --global user.name "taj"
    git config --global user.email "[email protected]"
4. Initialize a local repository: Navigate to the folder where you want to create your project repository and use the following command.
    git init
5. Create files and make changes: Add your project files to the repository folder and make changes.
6. Add files to the staging area: Use the following command to stage the changes for commit.
    git add .
7. Commit changes:
    git commit -m "initial commit"
8. Create a repository on GitHub: Go to https://github.com/, log in and click the '+' icon at the top right to select "New Repository".
9. Enter the repository name, details and other settings.
10. Push local repository: In your Git CMD, use the following command to connect your local repository to the remote repository.
    git remote add origin https://github.com/taj/security.git
11. Push commits to GitHub:
    git push -u origin master
12. Authentication and enter credentials: You might be prompted to enter your GitHub username and password to authenticate the push. Once these steps are completed, your local repository will be connected to a repository on GitHub, and you can manage and collaborate on your projects using Git and GitHub.

EXPERIMENT-7
Demonstrate Turn on & off Windows OS Firewall
Step 1: Go to the search bar and type settings (or press Windows+I).
Step 2: Search for Windows Security and then click on the navigation button.
Step 3: Click on Firewall and protection.
Step 4: If you have installed any antivirus software, the firewall will open in the app. Now you can turn the firewall on and off.

- Observe the effect of terminating the process. Some processes may restart automatically.
5. View Process Details:
- Double-click on a process to view detailed information about it. You can see information such as CPU and memory usage, threads, handles, and loaded modules.
6. Search for Processes:
- Use the search feature within Process Hacker to quickly find specific processes by name or other criteria.
7. Manipulate Process Priority:
- Right-click on a process and go to "Change Priority" to adjust the priority of a process. Be cautious when changing priorities, as it can affect system performance.
8. Gather Information:
- Explore the various tabs and options within Process Hacker to gather information about CPU usage, memory usage, network activity, and more.
9. Monitor System Performance:
- Use Process Hacker to monitor system performance in real time. You can view CPU and memory usage graphs, among other metrics.
10. Advanced Features:
- Explore advanced features such as creating process snapshots, viewing process trees, and analyzing process memory.
11. Exit Process Hacker:
- When you're done with the exercise, close Process Hacker.

EXPERIMENT-9
Practical exercise of NTFS File Permission with Aim, Procedure and Result

Aim:
The aim of the NTFS (New Technology File System) file permission practical exercise is to demonstrate and understand how to configure and manage file and folder permissions on a Windows system using NTFS permissions. This exercise helps users gain hands-on experience in controlling access to files and folders to ensure data security and privacy.

Procedure:
1. Accessing the File System:
- Log in to a Windows computer with administrative privileges.
2. Creating Test Files and Folders:
- Create a folder named "Permissions_Test" on your desktop.
- Inside this folder, create several test files and subfolders.
3. Setting Permissions:
- Right-click on the "Permissions_Test" folder and select "Properties."
- Go to the "Security" tab to view and modify permissions.
- Click the "Edit" button to change permissions for specific users or groups.
- Description: Attempts to identify the operating system running on the target.
5. Service Version Detection:
- Command: nmap -sV [target]
- Example: nmap -sV 192.168.1.1
- Description: Detects and displays the versions of services running on open ports.
6. Aggressive Scan:
- Command: nmap -A [target]
- Example: nmap -A 192.168.1.1
- Description: Performs an aggressive scan, including OS detection, service version detection, and script scanning.
7. Script Scanning:
- Command: nmap -sC [target]
- Example: nmap -sC 192.168.1.1

- Start by adding elements to the DFD to represent the components:
+ HTML5 local storage
+ Cache, renamed as My web app
+ Configuration file
+ SQL database
+ JBC
+ Boundary, renamed as browser boundary
+ HTTPS
+ Extra naming pipelines
Step 9: Connect the Elements:
- Take Browser client and HTML5 local storage and add these two components in the boundary named browser boundary.
- Take Cache and Configuration file and add them to another boundary named App boundary.
- Link HTTPS to Browser client and My web app.
- Divide the browser boundary and the App boundary by an Internet boundary.
- Connect My web app to SQL database.
- Take a new pipeline named File system and use it to connect My web app to Configuration file.
Step 10: Add Threats:
- Click on the "Threats" tab to add threats to your model. You can specify potential threats related to the User Login process, such as "Brute Force Attack" or "Credential Theft."
Step 11: Document Assumptions and Mitigations: Use the tool to document assumptions and mitigations related to the identified threats.
Describe how the system will protect against these threats.
Step 12: Save and Export:
- Save your threat model within the Microsoft Threat Modelling Tool.
- You can also export the threat model in various formats for sharing and documentation purposes.
Step 13: Review and Refine:
- Review the User Login DFD and the associated threats.
Step 14: Click on Generate report, which will show all the threats and risks on each issue.

RESULT: This User Login DFD created using Microsoft Threat Modelling Tool will help you visualize the flow of data during the login process, identify potential threats, and document security measures to protect user credentials and data. It's a valuable tool for enhancing the security of the website.

- Add users or groups, such as "Administrators," "Users," or specific user accounts.
- Set different permissions, such as "Full Control," "Modify," "Read & Execute," "Read," or "Write," for each user or group.
- Observe how changing permissions affects access to the test files and folders within the "Permissions_Test" folder.
4. Testing Access:
- Log in with different user accounts to test access to the "Permissions_Test" folder and its contents.
- Note the differences in access based on the permissions assigned.
5. Inheritance and Advanced Permissions:
- Explore the concepts of inheritance, where permissions set on parent folders propagate to subfolders and files.
- Experiment with advanced permissions, including "Deny" permissions and custom permission settings.
6. Auditing and Monitoring:
- Enable auditing on the folder or files to track access and changes.
- Review the security logs to see audit trail entries.

Results and Observations:
1. After performing this practical exercise, you should have a clear understanding of how NTFS file permissions work in a Windows environment.
2. You will observe that different user accounts or groups have different levels of access to files and folders based on the permissions you assigned.
3. You will understand the concept of inheritance, which allows permissions set on parent folders to affect subfolders and files.
4. If you enable auditing, you can monitor and track access to the files and folders, providing additional security and accountability.

EXPERIMENT-10
Using a Microsoft threat modelling software, create a threat model for any application architecture

Creating a User Login Data Flow Diagram (DFD) using Microsoft Threat Model involves using the Microsoft Threat Modelling Tool.
Step 1: Go to any web browser and search for Microsoft Threat Modelling Tool 2016.
Step 2: Click on the first provided link and click on download, click on threat modelling tool 2016.msi 4.0 and then click Next.
Step 3: Finish the installation setup by clicking the Next option.
Step 4: After installation is completed, open the threat modelling tool. In the interface click on New model.
Step 5: Create a New Threat Model:
- Click on "File" and select "New."
Step 6: Define the Data Flow Diagram (DFD):
- In the new threat model, go to the "Diagram" tab.
- Click on "Data Flow Diagram (DFD)" to create a new DFD diagram (SQL DATABASE).
Step 7: Go to View and click on Stencils, which will display all the tools.
Step 8: Add Elements to the DFD:

Other DFD diagrams: Ceph Monitor (controller)

EXPERIMENT-11
Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. To use Nmap on Windows, you need to install it first. Here are some commonly used Nmap commands in Windows:
1. Basic Scan:
- Command: nmap [target]
- Example: nmap 192.168.1.1
- Description: Performs a basic scan of the specified target, showing open ports and their services.
2. Scan Specific Ports:
- Command: nmap -p [port(s)] [target]
- Example: nmap -p 80,443 192.168.1.1
- Description: Scans specific ports on the target system.
3. Scan All Ports:
- Command: nmap -p- [target]
- Example: nmap -p- 192.168.1.1
- Description: Scans all 65,535 ports on the target system.
4. OS Detection:
- Command: nmap -O [target]
- Example: nmap -O 192.168.1.1

EXPERIMENT-8
Practical exercise of Process Hacker with Aim and Procedure

Process Hacker is a powerful open-source tool for monitoring and manipulating system processes on Windows. When performing a practical exercise using Process Hacker, the aim and procedure can vary depending on your specific goals. Below is a general example of an exercise using Process Hacker, but please adapt it to your specific needs:

Aim:
The aim of this practical exercise is to use Process Hacker to monitor and manipulate system processes on a Windows computer. This exercise will help you understand how to view running processes, terminate processes, and gather information about system resource usage.

Procedure:
1. Download and install Process Hacker:
- If you haven't already, download and install Process Hacker from the official website (https://processhacker.sourceforge.io/).
2. Launch Process Hacker:
- Start Process Hacker by running the executable.
3. View Running Processes:
- Upon launching Process Hacker, you'll see a list of running processes in a tabular format. These processes represent running applications and system services.
- Explore the list to identify various processes, including system processes and user applications.
4. Terminate a Process:
- Be cautious when terminating processes, as this can affect system stability. Ensure you understand the purpose of the process you're terminating.
- Right-click on a process you want to terminate and select "Terminate." Confirm the action if prompted.

- Description: Runs default Nmap scripts against the target.
8. Scan Multiple Targets:
- Command: nmap [target1] [target2] ...
- Example: nmap 192.168.1.1 192.168.1.2
- Description: Scans multiple targets in a single command.
9. Save Output to a File:
- Command: nmap -oN [output_file] [target]
- Example: nmap -oN scan_results.txt 192.168.1.1
- Description: Saves scan results to a specified file.
10. Disable DNS Resolution:
- Command: nmap -n [target]
- Example: nmap -n 192.168.1.1
- Description: Disables DNS resolution for faster scanning.

EXPERIMENT-12
FlawFinder

Flawfinder is a command-line tool for analyzing C/C++ source code for potential security vulnerabilities. Here's a procedure for using Flawfinder on Windows along with an example:
Step 1: Download Flawfinder
You can download the Flawfinder tool for Windows from its official website: http://www.dwheeler.com/flawfinder/. Look for the Windows version and download the ZIP archive.
Step 2: Extract the Flawfinder Archive
- After downloading the ZIP archive, extract its contents to a directory of your choice, e.g., C:\Flawfinder.
Step 3: Prepare Your C/C++ Source Code
Ensure you have the C/C++ source code you want to analyze in a directory. For this example, let's assume you have a file named mycode.c in C:\MyProject.
Step 4: Open Command Prompt
Press Windows + R, type cmd, and press Enter to open the Command Prompt.
Step 5: Navigate to the Flawfinder Directory
- Run the command: pip install flawfinder
- Use the cd command to navigate to the directory where you extracted Flawfinder. For example:
    cd C:\Flawfinder
Step 6: Run Flawfinder
- Run Flawfinder with the following command, specifying the directory of your C/C++ source code:
    flawfinder C:\MyProject
Replace C:\MyProject with the path to your source code directory.
Step 7: Review the Results

RESULT: Flawfinder will analyze your source code and display a list of potential security vulnerabilities it finds, along with a severity rating and line numbers.
Review the results to identify and address security issues in your code.

EXPERIMENT-13
Static Analysis - SonarQube:
Step 1: To install SonarQube, go to the official SonarQube website (sonarqube.org). There you will find the SonarQube editions; select 9.6, the Community Edition, from historical downloads (https://www.sonarsource.com/products/sonarqube/downloads/historical-downloads/) > choose Community Edition and click on download for free. SonarQube will start downloading.
Step 2: After downloading the file > go to the download folder, right-click on the downloaded file, click on the Extract all option, select the destination folder and click on Next > after extraction click on Finish. The extracted files will be saved in the selected destination path.
Step 3: To install the Sonar scanner > search for sonar scanner in the browser > then click on JRE binary Microsoft 64 bit to download the Sonar scanner. Create a new folder and add SonarQube and the Sonar scanner to it.

Steps To Run Static Code Analysis In SonarQube
Step 1: To start SonarQube, click on the extracted SonarQube folder > click on bin > click on windows 64 bit > copy the directory path > then open the command prompt and change the directory path to the SonarQube file path > type the "StartSonar.bat" command to start SonarQube.
Step 2: After starting up SonarQube in the command prompt > search "localhost:9000" in your browser > SonarQube will start in your browser > by default your login ID and password is admin; give a new password or update your new password.
Step 3: Create a project manually and click on Setup > analyse your project by clicking Manually.
Step 4: Analyse your project by clicking Generate token (or use an existing token); then you will get a token, and click on the Continue option.
Step 5: Choose which type of code you want to analyse (Other) > then select the type of OS (Windows) and copy the code given below to execute.
Step 6: Open the extracted folder, click on SonarQube 4.7.0.2747 windows > click on bin and copy the directory path.
Step 7: Open the command prompt, change the existing directory path to the copied directory path > then paste the code which we copied from SonarQube to execute and press Enter to scan the code.
Step 8: Paste the code which we copied from SonarQube and edit the code near source:
- Create a Java program and add it to the SonarQube folder.
- Copy the bin path.
- Near source (in the copied code), add the path and hit Enter.
- After adding the Java program near source, finally add a command at the end of the code: -D"sonar.projectBaseDir=<path of the Java program>"
Step 9: Open SonarQube in the web browser > refresh the page and click on your project, click on Overview; then you will get the report of your scanned code.

RESULT: To analyze the program code with executing to known vulnerabilities.

2. Click on "Active Scan" to perform vulnerability scanning on the web application.
3. Select the site you want to scan, and click "Attack."
4. ZAP will actively scan the web application for common vulnerabilities like SQL injection, cross-site scripting (XSS), and more.
Step 7: Review Scan Results
1. Once the scanning is complete, you can review the scan results in the "Alerts" tab.
ZAP will list any vulnerabilities it has discovered.
2. Click on each alert to get more details about the vulnerability, including its location and severity.
Step 8: Generate Reports
1. If needed, you can generate reports of the scan results for documentation or reporting purposes.
2. Go to the "Report" tab, choose the report format (e.g., HTML, PDF), and configure the report settings.
3. Click "Generate Report" to create the report.
Step 9: Save Session
1. You can save your ZAP session for later use or analysis.
2. Go to the "File" menu and choose "Save Session."
3. Provide a name and location for the session file.
Step 10: Close OWASP ZAP
When you're finished, you can close OWASP ZAP.

EXPERIMENT-14
OWASP ZAP (Zed Attack Proxy) is an open-source security testing tool used for finding vulnerabilities in web applications. Below is a step-by-step procedure for using OWASP ZAP on a Windows system along with an example:
Step 1: Download and Install OWASP ZAP
1. Visit the OWASP ZAP official website to download the latest version: https://www.zaproxy.org/download/
2. Choose the Windows version suitable for your system (32-bit or 64-bit) and download the installer.
3. Run the installer and follow the on-screen instructions to install OWASP ZAP on your Windows system.
Step 2: Launch OWASP ZAP
1. After the installation is complete, launch OWASP ZAP by searching for "OWASP ZAP" in the Windows Start menu and opening the application.
Step 3: Configure OWASP ZAP
1. When you first launch OWASP ZAP, it will ask you to choose a "Quick Start" option. You can select the one that best matches your needs. For example, you can choose "For those who are new to security testing."
Step 4: Set Up Browser Proxy
1. Before you can start scanning a web application, you need to configure your web browser to use ZAP as a proxy.
2. Open your web browser's settings and find the proxy configuration.
3. Set the HTTP and HTTPS proxy to localhost and port 8080 (the default ZAP proxy port).
Step 5: Start Spidering
1. In the OWASP ZAP application, go to the "Quick Start" tab.
2. Click on "Spider a Site" to start scanning a web application.
3. Enter the URL of the web application you want to scan (e.g., http://example.com) (e.g., http://itsecgames.com) and click "Attack."
4. ZAP will crawl the website, mapping its structure and identifying pages and resources.
Step 6: Perform Active Scanning
1. After spidering is complete, go to the "Quick Start" tab again.

Keep in mind that this is a simplified example of using OWASP ZAP.

RESULT: The tool provides extensive features for advanced security testing and scanning. Make sure to use it responsibly and with the appropriate permissions on websites you own or have explicit authorization to test.

EXPERIMENT-21
MOBILE SECURITY FRAMEWORK

AIM: Demonstration of Mobile Security Framework
MobSF: Mobile Application Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) security assessment framework capable of performing static and dynamic analysis.

PROCEDURE:
Step 1: Go to the browser, search for the mobile application security framework tool and click on the link.
Step 2: Open the GitHub link and click on the download option.
Step 3: Once downloaded, extract the files into a folder.
Step 4: Meet all the requirements for MobSF:
- Install Git
- Install Python 3.8-3.9
- Install JDK 8+
- Install Microsoft Visual C++ Build Tools
- Install OpenSSL (Non-Light)
- Download and install wkhtmltopdf
- Add the folder that contains the wkhtmltopdf binary to the environment variable Path
Install and complete the installation setup for all the requirements (Git, Python, Java, C++ Build Tools and OpenSSL).
Step 5: After meeting all the requirements, open the bin path of the MobSF tool and open it in the command prompt.
NOTE: Meet all the requirements (Step 4) before executing it.
Step 6: Open the file location of the MobSF extracted files in the command prompt and execute the following commands:
- Type setup.bat. If all the requirements are satisfied, it will load the program.
- Then type run.bat. After running this command it will show the localhost port, which is "localhost:8000".
Step 7: Open the browser and type "localhost:8000"; the interface of MobSF will get loaded.

Step 4: Reviewing the Report
Once the scan is complete, you'll find the generated reports in the C:\dependency-check\data directory (or wherever you configured it). There will be an HTML report (dependency-check-report.html) and other formats available for review. Open the HTML report in a web browser to view the details of identified vulnerabilities and recommended actions.

RESULT: OWASP Dependency-Check on Windows is used to scan your project's dependencies for vulnerabilities.

EXPERIMENT-16
BURP SUITE

Burp Suite is a powerful web vulnerability scanner and testing tool used by security professionals for web application security assessments. Here's a step-by-step procedure to get you started with Burp Suite on Windows, along with an example of how to use it to perform a simple scan:
Step 1: Download and Install Burp Suite
1. Go to the PortSwigger website (https://portswigger.net/burp/community/download) and download the free community edition of Burp Suite for Windows.
2. Run the installer and follow the on-screen instructions to install Burp Suite on your Windows machine.
Step 2: Launch Burp Suite
1. After installation, launch Burp Suite from your Start menu or desktop shortcut.
2. Upon first launch, you'll be prompted to configure some settings. For most users, the default settings are sufficient for initial use. Click "Next" and "Start Burp" to proceed.
Step 3: Configure Your Browser
1. Open your web browser (e.g., Google Chrome or Firefox).
2. In the browser settings, configure the proxy to use Burp Suite as a proxy server.
Burp Suite listens on 127.0.0.1 {(locathost) at port 8080 by default. You can adjust these settings in Burp Suite if needed. Step 4: Intercept and Analyze Requests Let's use Burp Suite to intercept and analyze HTTP requests and responses. 1. In Burp Suite, go to the "Proxy" tab. 2. Ensure that the "Intercept is on" button is pressed. This allows Burp Suite to intercept and modify HTTP traffic between your browser and the web server. 3. In your browser, visit a website you want to test (e.g., http://example.com). 334. You'll notice that Burp Suite intercepts the request. It will appear in the "Proxy" tab under the "Intercept" sub-tab. 5. Right-click on the intercepted request and select "Send to Intruder.” This sends the request to the Intruder tool for further analysis. Step 5: Use Intruder for Basic Testing In this step, we'll use the Intruder tool to perform a simple attack. 1. Inthe Intruder tab, select the "Positions" sub-tab. 2. Click the "Clear" button to remove any existing placeholders. 3. In your intercepted request, place the cursor where you want to test for vulnerabilities (e.g,, in a URL parameter). 4, Click the "Add §" button to mark the position as an insertion point. 5.Go to the "Payloads” sub-tab and enter a list of payloads to test (e.g,, 2 list of common SQL injection payloads). 6. Goto the "Options" sub-tab and configure any attack options, such as payload processing or delays. 7..Go back to the "intruder" tab and click the "Start attack" button. 8. Burp Suite will send multiple requests with different payloads to the specified insertion point and display the responses. Step 6: Analyze Result 1 Review the responses to the attack. Look for anomalies, error messages, or unexpected behavior. 2. 
Burp Suite provides various tools for analyzing results, including the "Target" tab for site mapping and the "Scanner" tab for automated vulnerability scanning.

Step 7: Save and Export Data
After completing your assessment, you can save your project and export your findings in various formats.

RESULT: This procedure provides a basic introduction to using Burp Suite for web application security testing.

EXPERIMENT-17
DEMONSTRATION OF WEBGOAT APPLICATION:

Step 1: Go to a web browser and download WebGoat.
Step 2: Go to (releases.github), open the first link, click on the 8.1.0 version, then scroll down and download the exe file of that version.
Step 3: Open the file location of WebGoat in Command Prompt and type the command:
  java -jar webgoat-server-8.1.0.jar
Step 4: It will load files until the message shows JVM 2.0 seconds or JVM is up.
Step 5: If the JVM is not up (or) it shows database closed, follow the steps below:
- In Command Prompt, type: netstat -a -o -n
  which lists the PIDs of all the processes.
- Open another Command Prompt as administrator and type: taskkill /F /PID XXXX
  which will kill the task.
- Then run the server again (or) follow Step 3.
Step 5: Open the web browser and type: localhost:8080/WebGoat/

SQL Injection (intro) Try It!
String SQL injection

Step 6: The WebGoat application is used to learn to predict upcoming and existing vulnerabilities in order to prevent attacks from hackers. It helps us gain knowledge of prevention methods against cyber attacks.

DAST ANALYSIS USING GITLAB:

Step 1: Open a browser and search for GitLab. If you don't have an account, create one in GitLab; if you have an account, continue with the following steps.
Step 2: After the interface is loaded, create an account using GitLab (or) sign in to GitLab using a GitHub account.
Step 3: Give the verification code to enter GitLab.
Step 4: After the GitLab account is created:
- Fork a project named "web goat" from security to your account by giving a space name of yours.
- Wait until the project has been forked.
Step 5: Go to Secure and then to Security configuration.
- In Security configuration, click on Configure DAST. In Configure DAST, set a scanner profile and a site profile.
- Click on create scanner profile, give the scan mode as passive, leave the remaining settings the same, and click on create.
- Click on create site profile, give the target URL or any unsecured website to scan, leave the remaining settings the same, and click on create.
- Click on generate snippet code. The code will be generated; copy the code, click on "copy code and open .gitlab-ci.yml file", paste the code, and commit.
- The pipelines will get loaded.
Step 6: After it gets loaded (or) completed, click on DAST.

EXPERIMENT-18
APK TOOL

APKTool is a powerful tool for reverse engineering Android applications. It allows you to decompile, modify, and recompile APK files. Here's a step-by-step procedure for using APKTool in Windows, along with an example:

Prerequisites
- Download and install the Java Development Kit (JDK) on your Windows machine.
- Download APKTool
  from the official website: https://ibotpeaches.github.io/Apktool/
- Make sure you have an APK file you want to work with.

Procedure:
1. Install the Java Development Kit (JDK). Download and install the latest version of the JDK for Windows from the official Oracle website. Set up the JAVA_HOME environment variable by following these steps:
   - Right-click on "This PC" or "My Computer" and select "Properties."
   - Click on "Advanced system settings" on the left.
   - Click the "Environment Variables" button.
   - Under "System variables," click "New" and set the Variable Name to "JAVA_HOME" and the Variable Value to the JDK installation directory (e.g., C:\Program Files\Java\jdk1.8.0_281).
   - Click "OK" to save the environment variable.
2. Install APKTool: search for apktool in any web browser, open the first link, and follow the instructions for your operating system (e.g., Windows).
3. Download the Windows wrapper script (which is provided on the website), copy the script, and save it as apktool.bat.
4. Download the latest version of apktool, rename it, and save it as apktool.jar.
5. Move the files apktool.jar and apktool.bat to your Windows directory (usually c://windows).
6. Add the file to your environment variables (system Path variable).
7. Open Command Prompt at the apktool file path and type "apktool -version"; it will show the version.
8. Then type "apktool"; it will show the output.
9. Now execute some more commands:
   - Download the Apna APK from a web browser.
   - Open Command Prompt and type the command: apktool d <apna.apk file path>
   - After executing, a file will be added to the apktool file location; copy that file path and execute it in the next command.

RESULT: DAST will let you know the vulnerabilities by interacting with a running application. This enables it to identify both compile-time and runtime vulnerabilities that are only detectable with a running application.
RESULT: APK Tool is used for reverse engineering; it makes it possible to debug smali code step by step.

EXPERIMENT-19
NESSUS TOOL:

Step 1: Go to any web browser and search for the Nessus tool. Open the link "tenable.com/downloads/nessus".
- Download the latest version of it.
Step 2: Then register for Tenable Nessus Essentials: open the link "tenable.com/products/Nessus/Nessus essentials" and register for a new account in Nessus Essentials.
Step 3: Give your first name, last name and work email and hit Get Started.
Step 4: After registering, open the localhost port:
- Localhost: https://localhost:8834/#/
Step 5: It will ask for advanced settings; hit Advanced and continue with localhost.
Step 6: Connect to SSL.
- If you have an account, give the username and password and sign in.
- If you are new, create (or) register a new account with a new username and password, give the Activation Code, and then Register.
Step 7: The interface of Nessus Essentials will open.
Step 8: There, click on New Scan and scan using your device IP address.
Step 9: In the vulnerability section, click on Basic Network, give a name for the scan, then enter your device IP address and click on scan.
Step 9: It will scan and list the vulnerabilities with their priorities and risk levels: high, medium, low, critical, etc.
EXPERIMENT-20
WIRESHARK

Wireshark is software that is widely used for analysing data packets in a network. It is completely free and open source. This packet analysis is used for a variety of purposes, such as troubleshooting networks and developing new protocols.

Installation
Step 1: Open any web browser and type (or) search for Wireshark for Windows (or) go to Wireshark.org/downloads.
Step 2: Click on Windows installer.
Step 3: It will be installed on your device; complete the installation.
Step 4: Open the Wireshark app, then in the interface click on Ethernet.
Step 5: It will load all the packets. Then press Ctrl+R and type ping 192.168.1.1 -t; it will load all the packets.

[Screenshot: packet list showing the device IP, Frame 1, Ethernet]

RESULT: Wireshark is used to analyse the data packets in the network.

EXPERIMENT-15
OWASP DEPENDENCY CHECK:

OWASP Dependency-Check is a tool that identifies project dependencies and checks if there are any known, publicly disclosed, or exploitable vulnerabilities in those dependencies. Here's a procedure for using OWASP Dependency-Check on Windows.

Step 1: Prerequisites
Ensure you have the following prerequisites installed:
Java Development Kit (JDK): Dependency-Check requires Java to run. You can download and install the JDK from the Oracle or OpenJDK website.

Step 2: Download OWASP Dependency-Check
1. Visit the OWASP Dependency-Check GitHub releases page: https://github.com/jeremylong/DependencyCheck/releases
2. Download the latest release's ZIP file for Windows.
3. Extract the ZIP archive to a directory of your choice. Let's assume you've extracted it to C:\dependency-check.

Step 3: Running OWASP Dependency-Check
You can run Dependency-Check either through the command prompt or by using the provided batch script.

Using Command Prompt:
1. Open the Windows Command Prompt (cmd).
2. Navigate to the directory where you've extracted Dependency-Check. In our example, it's C:\dependency-check.
3.
Run the following command to perform a scan on your project:
   dependency-check.bat --project "my app name" --scan <path to your project>
   Replace <path to your project> with the actual path to your project's root directory.
4. Dependency-Check will analyze your project's dependencies and check for vulnerabilities. Once the scan is complete, it will generate a report.

Using the Provided Batch Script:
1. Navigate to the directory where you've extracted Dependency-Check, e.g., C:\dependency-check.
2. Run the dependency-check.bat script directly from Windows File Explorer by double-clicking it.
3. The script will prompt you to enter the path to your project. Enter the path and press Enter.
4. Dependency-Check will perform the scan and generate a report once it's done.

Step 8: Click on Upload and Analyze and upload a file. After it has loaded, it will give all the vulnerabilities, risks and threats.
Step 9: Upload the diva.android file for execution. The file has to meet all the requirements, e.g. it has to be a ZIP file (or) an APK file.

RESULT: MobSF, which is a security assessment framework, is helpful for dynamic and static analysis with a proper report.

EXPERIMENT-22
INSTALL AND DEMONSTRATION OF ANDROID STUDIO AND APPLICATION:

AIM: Demonstration of the Android Studio app

ANDROID STUDIO: Android Studio, a new IDE with improved Live Edit, will help you debug and improve the performance of your code, and includes performance analysis tools.

Procedure
Step 1: Go to Google and type Android Studio software.
Step 2: Once the web page has opened, check the first established website, choose the download option and complete the installation process.
Step 3: After installing, click on New Project, then click on Empty Activity.
Step 4: Configure your project with a name, package name, etc.
Step 5: Click on res and click on Main activity.
Step 6: Click on Design and then click on TextView.
- Write the text as you want, e.g. font style, etc.
Step 7: Now run the AVD simulator.
Step 8: Click on Device Manager.
Step 9: Click on Create Device.
Step 10: Run the emulator. The emulator loads and shows the text which you have altered in the Main.activity.
RESULT: Android Studio is the official integrated development environment (IDE) for Android application development. It supports development, debugging, testing and performance analysis, which makes it easier to develop apps.

EXPERIMENT-23
CREATING AWS ACCOUNT:

Step 1: Open the Chrome browser and search for AWS, then click on Amazon Web Services (or) the AWS official site.
Step 2: Then click on create free account (or) AWS free tier account.
Step 3: Enter your email address and AWS account name, then click on verify email address.
Step 4: Enter the verification code, then click on verify.
Step 6: Enter the root user password and confirm the password, then click on continue.
Step 7: Fill in all the billing information, then click on Verify and continue.
Step 8: Enter the one-time password (OTP), then click on make payment.
Step 9: Enter your phone number and captcha, then click on send SMS.
Step 10: Then enter the verification code.
Step 11: Then click on complete sign up.
Step 12: Click on (or) go to the AWS Management Console and sign in to the console.
Step 13: Select the IAM user (or) Root user address to sign in to the console by entering the captcha.

MFA:

Step 1: Sign in to your AWS console.
Step 2: Search for users from the search bar.
Step 3: Then click on IAM and click on user.
Step 4: Then click on Add user.
Step 5: Enter the user name. If you want to add multiple users, choose Add another user for each additional user and type their usernames. Select the password - AWS, then select the custom password and enter the password.
Then click on Next: permission.
Step 6: Next click on permissions and give permissions (or) you can give specific pol
Step 7: Click on create group.
Step 8: Enter the group name and give it policies, then click on create group.
Step 9: Then the group will be created.
Step 10: Search for users, then click on users.
Step 11: Then click on Add MFA.
Step 12: Then click on Activate MFA.
Step 13: Enter the user name, then click on continue.
Step 14: Then download the Google Authenticator app on your phone.
Step 15: Then scan the QR code to add your AWS account to the Authenticator app.
- Go to the Play Store on your mobile phone.
- Search for GOOGLE AUTHENTICATOR.
- Download the authenticator.
- After downloading, click on scan and scan the code which is in the AWS account.
- It will generate a 6-digit code.
Step 16: Enter the numeric code from the authenticator into the AWS console, then wait for a new code to appear in the authenticator.
- Enter the second code, then click on "Assign MFA".
Step 17: Sign out from your AWS console and sign in again. It will ask for the root user email, password and then the MFA code; enter the MFA code from the authenticator.

EXPERIMENT-24
Demonstrate the creation of the S3 bucket service in AWS and store some files in an S3 bucket.

Step 1: After login, go to products in AWS and select the storage option, then click on Amazon Simple Storage Service (S3) (or) search for S3 Bucket in the search bar and open it.
Step 2: Click on Get started with Amazon S3.
Step 3: Then click on create bucket.
Step 4: Enter the bucket name, then scroll down.
Step 5: Click on create bucket.
Step 6: Then the bucket will be created.
Step 7: Select the bucket, then click on the upload option.
Step 8: Click on Add files, then click on upload.
Step 9: Then the file will be uploaded to the S3 bucket.
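
Added example for Experiment 23, Steps 15 to 17 (not part of the original lab manual and not AWS code): the authenticator app derives each 6-digit code from the seed in the QR code and the current 30-second time window (TOTP, RFC 6238), which is why enrolment asks for two codes in a row. The function `verify_enrollment` is a hypothetical model of such a check, and the seed is the constructed RFC 6238 test key.

```python
"""TOTP (RFC 6238) model of the authenticator enrolment in Experiment 23."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # length of one code window (RFC 6238 default)
DIGITS = 6          # the "6 digit code" shown by the authenticator app


def decode_secret(b32_secret: str) -> bytes:
    """The QR code carries the shared seed as Base32 text; decode it to bytes."""
    cleaned = b32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second windows since epoch."""
    return hotp(key, unix_time // STEP_SECONDS)


def verify_enrollment(key: bytes, code1: str, code2: str,
                      server_time: int, drift: int = 1) -> bool:
    """Hypothetical enrolment check (an assumption, not AWS's implementation).

    Accept only when code1 and code2 belong to two consecutive windows and
    the second window lies within +/- `drift` windows of the server clock.
    This proves the device holds the seed and that its clock is in sync.
    """
    now = server_time // STEP_SECONDS
    for second in range(now - drift, now + drift + 1):
        first_ok = hmac.compare_digest(hotp(key, second - 1), code1)
        second_ok = hmac.compare_digest(hotp(key, second), code2)
        if first_ok and second_ok:
            return True
    return False


# Constructed sample seed: the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET)
    t = 1111111109                                # RFC 6238 test timestamp
    first, second = totp(key, t), totp(key, t + STEP_SECONDS)
    print("first code :", first)
    print("second code:", second)
    print("accepted   :", verify_enrollment(key, first, second, t + 31))
    print("replayed   :", verify_enrollment(key, first, first, t + 31))
    print("an hour old:", verify_enrollment(key, first, second, t + 3600))
```

Anyone who obtains the QR code or its Base32 seed can generate the same codes, so the enrolment screen should be treated like a password.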