CCS340 Cyber Security Lab


CCS340 - CYBER SECURITY LAB, V Semester AI&DS

Ex.No: 1 Installation of Kali Linux in Virtual Box


Date :

AIM:
To learn and experience different ways of installing Kali Linux in VirtualBox

Kali Linux
Kali Linux (formerly known as BackTrack Linux) is an open-source, Debian-based Linux
distribution aimed at advanced Penetration Testing and Security Auditing.

Virtual Box
Oracle VM VirtualBox (formerly Sun VirtualBox, Sun xVM VirtualBox and InnoTek
VirtualBox) is a type-2 hypervisor for x86 virtualization developed by Oracle.

Installation of Kali Linux in Virtual Box

Download Kali Linux:


After downloading that zip file, extract it and click the blue VDI image file. The machine
will then be imported into VirtualBox. Next, run that Kali machine.

The bash commands and scripts shown alongside the screenshots belong to the bash
scripting exercise (Ex.No: 2):

which bash
touch hello_world.sh
chmod u+x hello_world.sh

#!/bin/bash
# A simple variable example
greeting=Hello
name=Tux
echo $greeting $name

#! /usr/bin/bash
echo "Hello World"

The default Username: kali and the Password: kali

RESULT:
Thus the procedure for installing Kali Linux in VirtualBox was carried out and tested.
Ex.No: 2 Explore Kali Linux and bash scripting
Date :

Aim
To understand Kali Linux and bash scripting

Explore Kali Linux

Kali Linux is a popular Linux distribution designed for digital forensics, penetration testing,
and network security assessments.
1. Purpose and Features:

Kali Linux is specifically built for security auditing and testing purposes.
It includes numerous pre-installed tools for vulnerability assessment, penetration testing, and
digital forensics.
The distribution focuses on providing a robust environment for security professionals to
assess and strengthen the security of systems and networks.
2. Penetration Testing:

Kali Linux offers a vast array of tools for penetration testing, including network scanning,
vulnerability assessment, wireless attacks, web application testing, and more.
3. Digital Forensics:

Kali Linux provides a rich set of tools and utilities for digital forensics and incident
response.
Tools like Autopsy, Foremost, Sleuth Kit, and Volatility help in analyzing and recovering
data from digital devices, investigating security incidents, and conducting forensic
examinations.
4. Customization and Package Management:

Kali Linux is built on Debian and uses the APT (Advanced Package Tool) package manager,
making it easy to install and manage additional software packages.
The distribution allows customization of the environment, including the desktop
environment, themes, and configurations, to suit individual preferences.
5. Documentation and Community Support:

Kali Linux has extensive documentation available on their official website, including
tutorials, guides, and a user forum.

The Kali Linux community is active and supportive, providing assistance and sharing
knowledge through forums, blogs, and social media channels.

Commands shown in the screenshots (theHarvester installation and runs, used in Ex.No: 3):

sudo apt update
sudo apt upgrade
sudo apt install git python3-venv
python3 -m venv harvest
cd harvest/
source bin/activate
git clone https://github.com/laramies/theHarvester
cd theHarvester/
pip install wheel
pip install -r requirements/base.txt
python theHarvester.py -d moslempress.com -l 50 -b all -f moslempress.html
python theHarvester.py -d rpfront.com -l 50 -b urlscan
python theHarvester.py -d moslempress.com -l 10 -b hunter

Netcraft site report query strings (used in Ex.No: 3):

https://sitereport.netcraft.com/?url=[WEBSITE_URL]
https://sitereport.netcraft.com/?url=[WEBSITE_URL]&tbl=server
https://sitereport.netcraft.com/?url=tesla.com&tbl=server
https://sitereport.netcraft.com/?url=[WEBSITE_URL]&tab=phishing
https://sitereport.netcraft.com/?url=tesla.com&tab=phishing

Bash scripting

A bash script is a series of commands written in a file. These are read and executed by the
bash program, line by line. By naming convention, bash scripts end with .sh.
Scripts start with a shebang (sometimes called a "bash bang").

The shebang is the combination of # and ! followed by the path of the bash shell. It is the
first line of the script and tells the shell to execute the file via bash. The shebang is
simply the absolute path to the bash interpreter.

Below is an example of the shebang statement.

The path of the bash program can vary. We will see later how to identify it.
Execution rights
Scripts have execution rights for the user executing them.An execution right is represented
by x. In the example below, my user has the rwx (read, write, execute) rights for the file
test_script.sh

File colour
Executable scripts appear in a different colour from the rest of the files and folders. In my
case, the scripts with execution rights appear as green.

Nmap commands shown in the screenshots (used in Ex.No: 4):

nmap -h
nmap -d
nmap -sC -sV 192.168.1.0

How to Create Your First Bash Script
Let's create a simple script in bash that outputs Hello world

Create a file named hello_world.sh

Find the path to your bash shell.


In my case, the path is /usr/bin/bash and I will include this in the shebang.

Write the command.


We will echo "hello world" to the console.
Our script will look something like this:

Edit the file using a text editor of your choice and add the above lines in it.

Provide execution rights to your user.


Modify the file permissions and allow execution of the script by using the command below:

chmod modifies the existing rights of a file for a particular user. We are adding execution
rights for the user (u+x).
Run the script.
You can run the script in the following ways:
./hello_world.sh
bash hello_world.sh

Two ways to run scripts

The Basic Syntax of Bash Scripting

Just like any other programming language, bash scripting follows a set of rules to create
programs understandable by the computer. In this section, we will study the syntax of bash
scripting.

How to define variables
We can define a variable by using the syntax variable=value. To get the value of
the variable, add $ before the variable.

Nmap commands shown in the screenshots (used in Ex.No: 4):

nmap -A scanme.nmap.org
nmap -F scanme.nmap.org www.google.com >> scaned.txt
nmap --open www.google.com >> scanned.txt
nmap -F scanme.nmap.org 192.168.0.1 >> scaned.txt
nmap -sT --min-host 30 10.10.250.1/24
nmap -sT --min-host 30 --max-host 2 10.10.250.1/24
nmap -sT scanme.nmap.org --host-timeout 1m
nmap -sT scanme.nmap.org --scan-delay 12s
nmap -sT scanme.nmap.org --min-rate 100


Fractions are not correctly calculated using the above methods; the result is truncated.
For decimal calculations, we can use the bc command to get the output to a particular number of
decimal places. bc (Bash Calculator) is a command line calculator that supports calculation
up to a chosen number of decimal places.
echo "scale=2;22/7" | bc
where scale defines the number of decimal places required in the output.
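As an added example (not part of the original lab sheet), a short bash script that ties together the points above: reading the shebang line, checking execution rights, and the difference between integer division with $(( )) and bc with a scale. The hello_world.sh file and the temporary directory are constructed for the demo; the awk fallback is only used when bc is not installed.

```shell
#!/usr/bin/env bash
# Added example (not from the lab sheet): shebang, execution rights and bc arithmetic.

# Print the interpreter named on a script's shebang line ("#! /usr/bin/bash" -> /usr/bin/bash).
# Fails if the file does not start with "#!".
script_interpreter() {
    first=""
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '#!'*) printf '%s\n' "${first#"#!"}" | sed 's/^[[:space:]]*//' ;;
        *)     return 1 ;;
    esac
}

# True when the current user may execute the file (the "x" shown by ls -l).
is_executable() { [ -x "$1" ]; }

# Integer division as bash does it: the fractional part is simply dropped.
int_div() { echo $(( $1 / $2 )); }

# Division to $3 decimal places using bc's scale. bc truncates rather than rounds,
# so 22/7 with scale=2 gives 3.14. If bc is missing, awk reproduces the truncation.
scaled_div() {
    if command -v bc >/dev/null 2>&1; then
        echo "scale=$3; $1/$2" | bc
    else
        awk -v a="$1" -v b="$2" -v s="$3" \
            'BEGIN { f = 10 ^ s; fmt = "%." s "f\n"; printf fmt, int(a / b * f) / f }'
    fi
}

# Demo: build hello_world.sh the way the exercise does and inspect it.
demo_dir=$(mktemp -d)
printf '#! /usr/bin/bash\necho "Hello World"\n' > "$demo_dir/hello_world.sh"
chmod u+x "$demo_dir/hello_world.sh"
echo "interpreter: $(script_interpreter "$demo_dir/hello_world.sh")"
is_executable "$demo_dir/hello_world.sh" && echo "hello_world.sh has execution rights"
echo "22/7 with \$(( )): $(int_div 22 7)"
echo "22/7 with bc scale=2: $(scaled_div 22 7 2)"
rm -rf "$demo_dir"
```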

RESULT:
Thus the procedure for exploring Kali Linux and bash scripting was carried out and tested.

Ex.No: 3 Perform open source intelligence gathering using Netcraft, Whois Lookups, DNS
Reconnaissance, Harvester and Maltego
Date :

Aim:
To perform open source intelligence gathering using Netcraft, Whois Lookups,
DNS Reconnaissance, Harvester and Maltego.

Identify the hosting provider and IP address


The first thing a bug hunter can do is to use Netcraft to identify the hosting provider and IP
address of a website. This can be done by following these steps:
Step 1) Go to the Netcraft website and select "Site Report" from the top navigation menu.
Refer to the exhibit.
Step 2) In the "URL or IP address" field, enter the website's URL. Let's use tesla.com for
this example.
Step 3) Click on the "Search" button to generate the site report.

On the site report page, scroll down to the "Hosting History" section. This section will
show the hosting provider and IP address of the website.

Metasploit commands shown in the screenshots (used in Ex.No: 5 and 6 against the
Metasploitable 2 machine):

nmap -sC -sV 192.168.0.0
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOST 192.168.0.0
set LPORT 21
exploit

You can do the above steps by searching a single query on your web browser. Below you can
see the query
To use a query string for this task, bug hunters can use the following URL:

SSH commands shown in the screenshots (used in Ex.No: 7):

sudo apt install openssh-server
systemctl status ssh
sudo systemctl enable --now ssh
sudo ufw status verbose
sudo ufw allow ssh
sudo -i
passwd
sudo apt install openssh-client
sudo lsof -i -P -n | grep LISTEN
ip a
ssh -p 2222 virtualbox-user-name@localhost

As you can see in the above snapshot, it provides a list of subdomains associated with the
website, along with additional information about their IP addresses and web server
technologies.

Identify the web server technology

The third thing a bug hunter can do is to use Netcraft to identify the web server technology
used by a website.
To use a query string for this task, bug hunters can use the following URL:

https://sitereport.netcraft.com/?url=[WEBSITE_URL]&tbl=server

For example, to search for the web server technology used by Tesla, the query string would
be:

https://sitereport.netcraft.com/?url=tesla.com&tbl=server

Fail2Ban commands and configuration shown in the screenshots (used in Ex.No: 8):

Grouping ban events by IP address:
awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n

Grouping by subnet (first two bytes of the address):
awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | awk -F. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail

Counting matches for one subnet in each logfile, and listing the addresses involved:
zgrep -c "210.213." /var/log/fail2ban.log*
zgrep -h "210.213." /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq
awk '($(NF-1) == "Ban" && $NF ~ /^210\.213\./){print $NF}' /var/log/fail2ban.log | sort | uniq -c

Grouping by IP address and hostname:
awk '($(NF-1) == "Ban"){print $NF,"("$NF")"}' /var/log/fail2ban.log | logresolve | sort | uniq -c | sort -n

Grouping by IP address and Fail2Ban section:
awk '($(NF-1) == "Ban"){print $NF,$6}' /var/log/fail2ban.log | sort | uniq -c | sort -n

Today's activity:
today=$(date +%Y-%m-%d)
grep "Ban " /var/log/fail2ban.log | grep "$today" | awk '{print $NF}' | sort | uniq -c | sort -n

Grouping by date and Fail2Ban section across all logfiles:
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $1,$6}' | sort | uniq -c

Blocking a subnet or address with iptables:
iptables -I INPUT -s XXX.XXX.XXX.XXX/XX -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -s XXX.XXX.XXX.XXX/XX -p tcp --dport smtp -j REJECT --reject-with tcp-reset
iptables -I INPUT -s XXX.XXX.XXX.XXX -p tcp --dport http -j REJECT --reject-with tcp-reset
iptables -I INPUT -s XXX.XXX.XXX.XXX -p tcp --dport ftp -j DROP
iptables -vnL INPUT --line-numbers

Jail that re-bans repeat SMTP offenders from Fail2Ban's own log:
[fail2ban-smtp]
enabled = true
port = smtp
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 6h
bantime = 1d

Testing the matching filter against the log:
fail2ban-regex --print-all-matched /var/log/fail2ban.log /etc/fail2ban/filter.d/fail2ban-smtp.conf

Check for phishing sites

To check for phishing sites, bug hunters can use the following query string:

https://sitereport.netcraft.com/?url=[WEBSITE_URL]&tab=phishing

For example, to search for phishing sites associated with Tesla, the query string would be:

https://sitereport.netcraft.com/?url=tesla.com&tab=phishing

Whois Lookup
Whois is a query and response protocol that’s used for querying databases that store the
registered users or assignees of an internet resource, like a domain name, an IP address block
or an autonomous system, etc.
About Whois
Whois is an Internet service and protocol that searches and displays information about a
domain name from repositories of domain name registrars worldwide.

Features:

Identifies and searches for a specific domain name.

Provides administrative information such as the registrar and contact information for the
individual or organization that controls the domain.

Supports searching IP addresses and proprietary intranet systems.

Whois is an essential resource for maintaining the integrity of the domain name registration
and website ownership process.

WHOIS Lookups
https://whois.domaintools.com/
https://www.name.com/whois-lookup

Some insights:

Whois Record
It is a record that contains all the basic information associated with the person, group, or
company that registers a particular domain name.

Whois client output

Provides name(s) and phone number(s), physical address and DNS servers, which can be
interrogated.

Hydra usage cheat-sheet shown in the screenshots:

$ hydra -h
$ hydra -l <username> -p <password> <ip> <service>
$ hydra -L <users.txt> -p <password> <ip> <service>
$ hydra -C <combinations.txt> <ip> <service>
$ hydra -M <host_file.txt> <service>
$ hydra -s <port>
$ hydra -o <file.txt>
$ hydra -R
$ hydra -l root -p butterfly 10.10.137.76 ssh
$ hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.10.137.76 ssh

where users.txt lists root, admin, user, molly, steve and richard, and combinations.txt holds
username1:password1, username2:password2, username3:password3.

DNS reconnaissance
richard

DNS reconnaissance is part of the information gathering stage of a penetration test
engagement. When performing DNS reconnaissance, the penetration tester tries to obtain as
much information as possible about the DNS servers and their records.

Standard Record Enumeration

Zone Transfer
The security problem with a DNS zone transfer is that it can be used to decipher the topology
of a company's network. Specifically, when a user performs a zone transfer it sends a DNS
query to list all DNS information, such as name servers, host names, MX and CNAME
records, the zone serial number, Time to Live records, etc.
./dnsrecon.py -d <domain> -t axfr

Reverse Lookup
According to Wikipedia, reverse DNS lookup is the determination of the domain name
associated with an IP address. DNSRecon can perform a reverse lookup for PTR (Pointer)
records against IPv4 and IPv6 address ranges. To run reverse lookup enumeration the command

./dnsrecon.py -r <startIP-endIP>

must be used. A reverse lookup can also be performed against all ranges in SPF records with
the command ./dnsrecon.py -d <domain> -s. In the next image you can see the output
produced by a reverse lookup over a range of IP addresses.
Reverse Lookup

Domain Brute-Force
For this technique all we have to do is give a name list, and it will try to resolve the
A, AAAA and CNAME records against the domain by trying each entry one by one. To run the
Domain Name Brute-Force we need to type:
./dnsrecon.py -d <domain> -D <namelist> -t brt
Domain Brute-Force
As we can see, we obtained A and CNAME records of the domain cnn.com and their IP
addresses.
Cache Snooping
DNS cache snooping checks whether the DNS server has a specific DNS record cached.
./dnsrecon.py -t snoop -n <server> -D <Dict>

Zone Walking
This technique may unveil internal records if the zone is not configured properly. The
information obtained can help us map network hosts by enumerating the contents of a
zone. To perform zone walking we need to type the command:
./dnsrecon.py -d <host> -t zonewalk

theHarvester

What is theHarvester?
theHarvester is a command-line tool made by the team at Edge-Security. It is a
Python-based tool meant to be used in the initial stages of an investigation, leveraging
open source intelligence (OSINT) to help determine a company's external threat landscape on
the internet.
Passive sources (examples): Baidu, Bing, dnsdumpster, DuckDuckGo
Active: DNS brute force (dictionary brute force enumeration)
Installing
There are 4 different installation methods for theHarvester, among them:
From Source (without using Pipenv)
From Source (with Pipenv)
We can now proceed with installing the software by using the third option. As always,
it's important to use some type of sandboxing environment when installing new software.
First, we should update our sandbox and install the software we will need:
Now we can make a Python virtual environment to install the necessary Python packages:
We found a minor bug during the installation and had to install the pip package 'wheel'
before installing the other packages from 'base.txt'.

1. Securitycode
Run the following:

There is a lot more data here. We found 3 related IPs and 2 hosts.

2. ThreatCrowd
We found no results when using ThreatCrowd as the source.

3. UrlScan
Running:

We were able to find 5 IPs and 1 host.

Primary OSINT data sources are great for finding IPs and hosts. The good thing is that this
tool offers a big set of sources to choose from, we will now attempt to run more tests using
other third party services.
With the lack of results, it was a bit concerning that we might be doing something wrong.
So we decided to test out the Hunter API to see if we found any data regarding
'moslempress' there. Unfortunately, we found nothing there either:

The 2 data sources corroborate what is the current IP address for www[.]moslempress[.]com.
The number of data points here showcases the value of theHarvester.

Maltego

Maltego is software used for open-source intelligence and forensics, developed by Paterva
from Pretoria, South Africa. Maltego focuses on providing a library of transforms for
discovery of data from open sources, and visualizing that information in a graph format.

Maltego is pre-installed in Kali Linux.

You can always download Maltego for Windows, Linux or Mac from the official site.
Maltego has 3 different packs:
1. Community
2. Professional
3. Enterprise

The community version is free to use; the others are paid and have more features.

The Application button opens an application menu.


Maltego uses graphs to show the data and information it collects. Now, let's see how to
create a new graph.

Graphs in Maltego

To create a new graph, go to the application tab and click on new graph, or select the
new graph option from the top left corner.

This is how a graph in Maltego looks. Once you have created a new graph you will get
a fresh page within a new tab, surrounded by a range of control windows.
Now just select the entity you want to perform OSINT on, such as a domain name or a DNS
system. Other entity types include:
People

Groups of people (social networks)

Basically, you can gather information about all the things mentioned above. Just select an
entity.
Here we have selected domain name. Now, just put in any domain you want and click on the
entity.
This will expand all the available information on the domain and show it as a tree like
below:

Here you can see all the possible DNS records of the domain.

Transform Hub
Now if you right-click after selecting an entity it will open up a context menu or transform
hub where you can search all sorts of things about the domain and fetch the available
information.

src-> maltego.com

This is how a transform hub looks, and this is just a short part; it has many more options.
This is what you can find from just a domain with this tool.

Result:
Thus open source intelligence gathering using Netcraft, Whois Lookups, DNS
Reconnaissance, Harvester and Maltego was tested and learned.

Ex.No: 4 Understand the nmap command and scan a target using nmap
Date :

Aim
To read, understand and practise the nmap command and scan a target using nmap.

About Nmap
Nmap is a free and open source network exploration and security auditing tool that is widely
used for discovering hosts and services on a computer network.
The nmap -h command displays the help menu for Nmap. It provides a list of
available options and commands that can be used with the nmap command.

The -d option is used to enable debug mode in Nmap.

scan a target using nmap

In nmap, there are various scans available, and one of the most basic and commonly used
scans is the version detection scan.

When you use the -sC option, Nmap runs a set of default scripts that are deemed safe and
non-intrusive.
In -sV, s means scan and V is version, so it is called version scanning.

This command will perform a UDP scan of the target host at IP address 192.168.0.1. Nmap
will send UDP packets to each port on the target and analyze the responses to determine
which ports are open, closed, or filtered.

Aggressive scan

The -A option in Nmap enables aggressive scanning, which can provide more
information about the target host or network than a regular scan.
In nmap, we can also scan more than one host or IP address at once.

If you want to view only open ports and their services, use the --open option.

Parallelism:
Host Group:
If you want to scan multiple hosts at the same time, you can use the minimum and
maximum host group options (--min-hostgroup and --max-hostgroup, abbreviated to
--min-host and --max-host in the screenshots) to make the scan time-efficient.
The above command scans a minimum of 30 hosts at the same time.

We can also give a specific maximum host group.

Host Timeout:

If you want to scan a host for only a particular period of time, you can do this with the
--host-timeout option.
Scan Delay:

A scan delay pauses Nmap for the specified time between each probe or request that it
sends. This is useful when dealing with a time-based firewall, rate limiting or an IDS.
The options are --scan-delay and --max-scan-delay.

In the image below you can notice that the first SYN packet arrived at
01:54:53

The second SYN packet arrived at 01:55:05 (here you can confirm that the packets have a
12-second delay).

Packet Rate:

With the packet rate options we can specify how many packets we want to send per
second. There are two options: --min-rate and --max-rate.
Minimum Rate:

Now it will send three packets at the same time, and never fewer.

The First SYN Scan at time of 02:20:21

The Second SYN Scan at time of 02:20:21


Result :
Thus understanding the nmap command and scanning a target using nmap was practised.
Ex.No: 5 Install metasploitable2 on the virtual box and search for unpatched
vulnerabilities
Date :

Aim:

To learn and experience how to install metasploitable2 on VirtualBox and search for
unpatched vulnerabilities

Metasploitable 2
A test environment provides a secure place to perform penetration testing and security
research.
Downloading and Setting Up Metasploitable 2
The easiest way to get a target machine is to use Metasploitable 2, which is an
intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common
vulnerabilities.
Install metasploitable2 on the virtual box

Metasploitable 2 is available at: https://www.vulnhub.com/entry/metasploitable-2,29/

After that extract that zip file and you will get the blue color VDI image file

Next, open your virtual box and click the new


Now you will get the virtual machine and operating system

Just name that machine metasploitable2 and change the type to Linux (Debian 64-bit)

Now you will get the hardware section and set the base memory as 512 MB and processors
as 1
Now you will get the virtual hard disk section. Here you want to click "Use an existing
virtual hard disk file".
Now click Add, add the VMDK file (the Metasploitable virtual disk image file) and click
Choose.
Finally, you get the summary. Just click that finish and start that metasploitable2 machine

Now you will get the metasploitable2 login; the default username is msfadmin and the password
is msfadmin.
Now metasploitable2 is successfully installed.
Search for unpatched vulnerabilities
First, scan the metasploitable2 machine using Nmap

Now you will get the version and service details, and in these I have found the FTP service
vulnerable to a backdoor.

So finally we have installed metasploitable2 and found the unpatched vulnerability.
RESULT:
Thus the procedure for installing metasploitable2 on VirtualBox and searching for unpatched
vulnerabilities was carried out and tested.

Ex.No: 6 Use Metasploit to exploit an unpatched vulnerability


Date :

Aim:
By using Metasploit to exploit an unpatched vulnerability inside the system

Procedure
Metasploit is a popular penetration testing tool that can be used to identify and exploit
vulnerabilities in computer systems and networks.

First open your kali linux terminal


Next, open Metasploit using the msfconsole command.

And fire up the metasploitable2 machine, because we are going to exploit Metasploitable 2
using our Metasploit tool.

Next scan the metasploitable2 machine using Nmap

Now you will get the version and service details, and using these details I have found the FTP
service vulnerable to a backdoor.
Now you will get the exploit, so just use that exploit.
Next, view and modify the options using the show options command.
Here set the RHOST (remote host address) and LPORT (local port number).

Next execute the exploit command

Now you will successfully exploit that machine and you will get the Meterpreter shell.
So finally we used Metasploit to exploit an unpatched vulnerability.

Result:
Thus using Metasploit to exploit an unpatched vulnerability was understood and practised.

Ex.No: 7 Install Linux server on the virtual box and install ssh
Date :

Aim :
To learn and experience installing a Linux server on VirtualBox and installing SSH

Procedure

1. Download Ubuntu 22.04 Server LTS ISO


First, we must have a bootable ISO file of Ubuntu 22.04 Server jammy jellyfish Linux
2. Do you have VirtualBox?
Of course, to install Ubuntu 22.04 server Virtual machine on VBox, we also need to have
VirtualBox installed on our existing host operating system.
3. Create Virtual Machine
Once you have installed the VirtualBox or if you already have then simply run it.

Create New VM
After that click on the “New” button to create a fresh Virtual machine.

Name Virtual Machine


Give some name to your virtual machine such as "Ubuntu 22.04", select Type: Linux
and Version: Ubuntu.

Set RAM for VM


If you are planning to install Ubuntu 22.04 Server with a desktop interface, then for good
performance, and if your host system allows, set the RAM to 4GB or less as per your
system configuration.

Create a Virtual Hard disk


Let the “Create a virtual hard disk now” option be selected and move to the next step.

If you have any plan to use the Virtual hard disk later in VMware then go for VMDK
otherwise let the default option VDI be selected.
Also, let the default “Dynamic Allocated” option be selected as it is. Allocate around 30GB
of virtual space.

4. Start Ubuntu 22.04 server Virtual Machine


Finally, once all the above steps are done, you will see a newly created virtual machine on
your VirtualBox. Select that from the left side panel and hit
the Start button.
5. Add Ubuntu 22.04 server ISO to VirtualBox
Now, we need to select the downloaded Ubuntu 22.04 ISO file as a Start-up disk to boot our

As you have done this, the same ISO image will show in the “ISO Image selection ” area.
Scroll to your added Ubuntu 22.04 LTS image and hit the Choose button.Finally, click on
the Start button.

6. Grub Menu to select and boot the OS


Once the virtual machine is started, you will see the Grub menu as the first screen; select
"Try or Install Ubuntu Server" to boot with it.

7. Install Ubuntu 22.04 on VirtualBox


Finally, from the installation wizard, select the language, by default it will be English.
In the next step, let the default keyboard layout be selected, and just press the Enter key to
move further.

8. Ubuntu Server standard or minimized


In the next step, the installation wizard will ask you what type of server installation do you
want? It is recommended to let the default option be selected and simply hit
the Enter key.

9. Network Connections VirtualBox


Ubuntu server will automatically identify the connected network and select the same to use.
If you want to customize that then use the arrow key and manually select the Adapter you
want to use.
Skip the Proxy in the next step and hit the Enter key again.

After that again press the Enter key to let the system select the default Ubuntu Mirror to
fetch packages.

10. Erase disk and Install Ubuntu 22.04 server


Now, the system will show the entire attached virtual hard disk where it is planning to install
the Ubuntu server. Use the TAB key to select the DONE option and hit
the Enter key.

11. Set Username and password


Soon, you will have the Profile Setup area from where we can create a user for our Server.
After that, if you want to access the server remotely using the SSH then you can select the
“Install OpenSSH Server” using arrow keys and spacebar otherwise simply select the
“DONE” and move forward because we can install it later.

12. Select the Ubuntu Server package to install (optional)


Do you want to install some popular and common server software packages such as Docker?
Then you can select them here otherwise, leave them unselected and select the Done option.
Move next and the system will start the installation process of the Ubuntu 22.04 server on
VirtualBox as a Virtual Machine.

13. Switch to root user and set a password


As you reboot the Ubuntu server virtual machine, a login interface will appear. Enter the
details of the user you have created while installing it.

Set Ubuntu root user password


Enter the new password for your root user.

In Ubuntu, you need to install the OpenSSH server package:

After the installation, check the SSH status:

If it is not, enable and start it manually:


Open SSH port in Firewall

If you have a firewall enabled in your VirtualBox, it may block your SSH connection. You
can find what ports are open with this command:

If you do not find the port 22 among open ports, open it in your firewall:

You can also do it using the graphical interface of the UFW firewall.

VirtualBox network settings


To open VirtualBox for SSH connections, we need to change the VirtualBox network
settings to allow the SSH connection.

Then go to Advanced -> Port Forwarding and add these settings:
Name: ssh (or whatever you like)
Protocol: TCP
Host Port: 2222 (or any other port you like)
Guest Port: 22
The IP fields can be left empty.
Similarly, you can also set port forwarding for other interfaces.

Install SSH client


To be able to SSH into the VirtualBox OS, you must have an OpenSSH client installed on the
computer you are going to connect from.

Connect to VirtualBox from the guest OS


Now, connect to the VirtualBox OS using the port 2222 that we set earlier and the
username of your VirtualBox OS:

Connect to VirtualBox from another computer


Connecting to VirtualBox from another computer is a little more complicated.

Switch to the Bridge Adapter in VirtualBox


The Bridge Adapter creates a routing that makes your VirtualBox network interface look like
your host network interface.
You need to go to VirtualBox network settings and switch from NAT to Bridge Adapter.
Find out your VirtualBox IP
You can find your VirtualBox IP address, if you run this command:

Result:

Thus the procedure for installing a Linux server on VirtualBox and installing SSH was
carried out and tested.
Ex.No: 8 Use Fail2ban to scan log files and ban IPs that show malicious signs
Date :

Aim
To understand the usage of Fail2ban to scan log files and ban IPs that show
malicious signs

Procedure
Format of the Logfile
At the simplest logging level, entries will appear in /var/log/fail2ban.log as follows
(fail2ban version 1.0.2):
...
2023-02-17 23:44:17,037 fail2ban.actions [992]: NOTICE [apache-auth] Ban XXX.91.244.228
2023-02-17 23:44:26,259 fail2ban.actions [992]: NOTICE [apache-auth] Unban XXX.122.233.27
2023-02-17 23:54:15,034 fail2ban.actions [992]: NOTICE [apache-auth] Unban XXX.91.244.228
2023-02-18 00:58:41,938 fail2ban.actions [992]: NOTICE [apache-noscript] Ban XXX.239.163.126
This is all very interesting, but what if you want to see a summary report so that you can try
to identify IP addresses that regularly trigger Fail2Ban - so that you can send a report to their
ISP or block them using a firewall script for example?

1. Generating Simple Reports


All of the following commands can be run at the command line or via a script. They are
written for Linux/UNIX systems but may work on other platforms.

Grouping by IP address:

Note: the variable NF equals the number of fields in each row of the logfile. So $NF is the
value of the last field.
Sample output:

Remember that each time an IP address gets banned it's because they've been caught at least
max failure times, so a total of 8 represents maybe 30 matches in the relevant logfile.

This is the best report for identifying problem subnets. The output will be the first two octets
of the most frequently caught subnets:

Let's take the last one on the list (highlighted) and see what it's been up to:

The output shows how many times those numbers appear in each logfile:

and which specific IP addresses are involved:

The output of this will be a list of the IP addresses starting with 210.213.
Grouping by IP address and Hostname:
The command for including hostnames in the list is a bit more complicated.

Note that the logresolve command can take some time to execute, especially if there are a
lot of IP addresses to be processed.

You can of course just run host, dig, nslookup or logresolve manually on the addresses that
you want to identify.

Group by IP address and Fail2Ban section:

This shows us which services each IP address has been trying to access/exploit:

Now you know which logfiles to look in to see what they were doing to get banned.

Reporting on today's activity:


Here's a report I find useful to run before midnight each day to generate a summary of the
day's activity:
The output will be the same as the second report above, but limited to just today's activity
rather than the whole logfile.

Grouping by Date and Fail2Ban section


This report scans all fail2ban logfiles and gives you a summary of how many ban events
there were for each section on each day:

This can give you an idea of longer-term trends and the effectiveness of your firewall rules.
This method of examining all logfiles rather than just the current one can also be applied to
most of the reports above.
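The report pipelines described in this section, as an added example (not from the lab manual) run over a constructed log in the fail2ban 1.0.2 format shown above rather than /var/log/fail2ban.log; the addresses are RFC 5737 documentation ranges, not real hosts:

```shell
#!/bin/sh
# Added example (not from the lab manual): the report pipelines from section 1 run
# over a constructed log in the fail2ban 1.0.2 format shown above, held in a
# variable instead of /var/log/fail2ban.log. Addresses are RFC 5737 documentation
# ranges, not real hosts.
SAMPLE_LOG='2023-02-17 23:44:17,037 fail2ban.actions [992]: NOTICE [apache-auth] Ban 203.0.113.10
2023-02-17 23:50:02,100 fail2ban.actions [992]: NOTICE [sshd] Ban 203.0.113.10
2023-02-17 23:54:15,034 fail2ban.actions [992]: NOTICE [apache-auth] Unban 203.0.113.10
2023-02-18 00:58:41,938 fail2ban.actions [992]: NOTICE [apache-noscript] Ban 198.51.100.7
2023-02-18 01:02:11,000 fail2ban.actions [992]: NOTICE [sshd] Ban 203.0.113.44
2023-02-18 01:09:30,512 fail2ban.actions [992]: NOTICE [sshd] Ban 203.0.113.10'

# Every report reads the log on stdin. Keep only Ban events; the leading space
# keeps "Unban" lines out.
ban_events() { grep ' Ban '; }

# Group by IP address: $NF is the last field of each line, i.e. the banned address.
bans_by_ip() { ban_events | awk '{print $NF}' | sort | uniq -c | sort -rn; }

# Group by the first two octets to spot problem subnets (e.g. "203.0").
bans_by_subnet() { ban_events | awk '{print $NF}' | cut -d. -f1,2 | sort | uniq -c | sort -rn; }

# Group by IP address and jail: the jail name sits two fields before the address.
bans_by_ip_and_jail() { ban_events | awk '{print $NF, $(NF-2)}' | sort | uniq -c | sort -rn; }

# Group by date and jail for longer-term trends; $1 is the date column.
bans_by_date_and_jail() { ban_events | awk '{print $1, $(NF-2)}' | sort | uniq -c; }

# Restrict the per-IP report to one day; pass "$(date +%Y-%m-%d)" for today's activity.
bans_on_day() { grep "^$1 " | bans_by_ip; }

# On a real host feed the log files in instead of the sample, e.g.
#   zcat -f /var/log/fail2ban.log* | bans_by_date_and_jail   (rotated logs included)
printf '%s\n' "$SAMPLE_LOG" | bans_by_ip
printf '%s\n' "$SAMPLE_LOG" | bans_by_subnet
printf '%s\n' "$SAMPLE_LOG" | bans_by_ip_and_jail
printf '%s\n' "$SAMPLE_LOG" | bans_by_date_and_jail
```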

2. Banning an IP block or subnet


If it turns out that a significant portion of 'unwanted' traffic comes from a single ISP then
you should try sending an email to their abuse address, but don't be too hopeful of getting a
response. If the abuse continues then it's time to get strict.

Block a subnet from accessing SSH:

Block a subnet from accessing SMTP (mail):

Block an IP address from HTTP:


Block an IP address from FTP (using DROP):

and so on for other services.

In the FTP example we've used the DROP target instead of REJECT, as DROP leaves the
connection hanging until it times out rather than giving the client an instant notification that
it has been rejected.

At some point (hopefully) the source computer will be 'fixed' or in any case stop abusing
your server. You should then remove the firewall rules.
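The SSH, SMTP, HTTP and FTP blocking rules described in this section, as an added example that is not from the lab manual. The source addresses are constructed RFC 5737 documentation ranges (substitute the subnet or IP from your own report); rules are only printed unless APPLY=1 is set, so the script can be dry-run safely:

```shell
#!/bin/sh
# Added example (not from the lab manual): builds the iptables rules described in
# section 2. Source addresses are constructed RFC 5737 ranges; replace them with the
# subnet/IP from your own report. Rules are only printed unless APPLY=1 is set.

# block_rule PORT SOURCE TARGET [ACTION]: prints the iptables command as a string.
# ACTION is -I (insert, default) or -D (delete the same rule again later).
block_rule() {
  port=$1; src=$2; target=$3; action=${4:--I}
  case "$target" in REJECT|DROP) ;; *) echo "target must be REJECT or DROP" >&2; return 1 ;; esac
  # Accept a bare IPv4 address or a CIDR block; anything else is refused.
  echo "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || { echo "bad source: $src" >&2; return 1; }
  echo "iptables $action INPUT -s $src -p tcp --dport $port -j $target"
}

# run_rule: print the command, and execute it only when APPLY=1 (needs root).
run_rule() {
  cmd=$(block_rule "$@") || return 1
  echo "$cmd"
  [ "${APPLY:-0}" = "1" ] && $cmd
  return 0
}

run_rule 22 203.0.113.0/24 REJECT    # block a subnet from SSH
run_rule 25 203.0.113.0/24 REJECT    # block a subnet from SMTP
run_rule 80 198.51.100.7   REJECT    # block a single address from HTTP
run_rule 21 198.51.100.7   DROP      # FTP: DROP leaves the connection hanging instead of failing fast
# Once the source stops abusing the server, remove a rule with -D:
run_rule 21 198.51.100.7   DROP -D
```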

3. Monitoring the fail2ban log with fail2ban 1.0.2


This is something I've been meaning to investigate for some time now, and there have been a
number of requests for this ability. Can we use fail2ban to block for a longer time (even
permanently)?

And then create a file /etc/fail2ban/filter.d/fail2ban-smtp.conf with the following:

Finally start the new jail:

With these settings, fail2ban will monitor its own logfile, and if a HOST is banned three
times (maxretry) in six hours (findtime) it will incur a new ban lasting a full 24 hours
(bantime).

4. Test new filters using fail2ban-regex


Whenever you add or change a filter you will want to test that the regular expressions are
correct by running it over an existing logfile.

The first argument is the logfile to be scanned and the second argument is the filter
configuration file containing the failregex.

If nothing is being matched, or everything is being matched, that may suggest a problem with
the regexp. Otherwise, if everything looks OK, you can start the new jail as described above.
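The jail from section 3 (fail2ban watching its own log) together with the fail2ban-regex check from section 4, as an added example that is not from the lab manual. It assumes the fail2ban 1.0.x configuration layout and that SMTP bans come from jails named postfix* or smtp*; by default it writes to a scratch directory and a constructed sample log so it can be tried without touching the live configuration:

```shell
#!/bin/sh
# Added example (not from the lab manual): the jail from section 3 (fail2ban watching
# its own log) and the fail2ban-regex check from section 4. Assumes the fail2ban 1.0.x
# config layout and that SMTP bans come from jails named postfix* or smtp*.
CONF_ROOT=${CONF_ROOT:-$(mktemp -d)}   # use CONF_ROOT=/etc/fail2ban on the real host
LOG=${LOG:-$CONF_ROOT/sample.log}      # use LOG=/var/log/fail2ban.log on the real host
# Constructed stand-in for fail2ban's own log (RFC 5737 addresses), written if LOG is absent.
[ -f "$LOG" ] || cat > "$LOG" <<'EOF'
2023-02-17 23:44:17,037 fail2ban.actions [992]: NOTICE [postfix-sasl] Ban 203.0.113.10
2023-02-17 23:50:02,100 fail2ban.actions [992]: NOTICE [sshd] Ban 203.0.113.10
2023-02-18 00:58:41,938 fail2ban.actions [992]: NOTICE [postfix-sasl] Unban 203.0.113.10
2023-02-18 01:09:30,512 fail2ban.actions [992]: NOTICE [postfix] Ban 198.51.100.7
EOF
# filter.d/fail2ban-smtp.conf: <HOST> is fail2ban's placeholder for the banned address.
write_filter() {
  mkdir -p "$1/filter.d"
  cat > "$1/filter.d/fail2ban-smtp.conf" <<'EOF'
[Definition]
failregex = NOTICE\s+\[(?:postfix|smtp)[-a-z0-9]*\]\s+Ban\s+<HOST>$
ignoreregex =
EOF
}

# jail.d/fail2ban-smtp.conf: 3 bans (maxretry) within 6 h (findtime) -> 24 h ban (bantime).
write_jail() {
  mkdir -p "$1/jail.d"
  cat > "$1/jail.d/fail2ban-smtp.conf" <<EOF
[fail2ban-smtp]
enabled   = true
logpath   = $LOG
filter    = fail2ban-smtp
banaction = iptables-allports
maxretry  = 3
findtime  = 21600
bantime   = 86400
EOF
}
# Offline sanity check with grep -E before fail2ban-regex: swap <HOST> for an IPv4
# pattern and Python's \s and (?: for their POSIX ERE forms; prints the match count.
preview_matches() {
  pat=$(sed -n 's/^failregex *= *//p' "$1/filter.d/fail2ban-smtp.conf" |
        sed 's/<HOST>/([0-9]{1,3}\\.){3}[0-9]{1,3}/; s/(?:/(/g; s/\\s/[[:space:]]/g')
  grep -Ec "$pat" "$2"
}
write_filter "$CONF_ROOT"; write_jail "$CONF_ROOT"
if command -v fail2ban-regex >/dev/null; then   # the real test (section 4), then activate the jail
  fail2ban-regex "$LOG" "$CONF_ROOT/filter.d/fail2ban-smtp.conf"
  fail2ban-client reload && fail2ban-client status fail2ban-smtp
fi
```

On the sample log the grep preview reports 2 matching lines (the two postfix bans); the sshd ban and the Unban line are correctly ignored.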

Result:
Thus the use of Fail2ban to scan log files and ban IPs that show malicious signs was
demonstrated and learned.
Ex.No: 9 Launch brute-force attacks on the Linux server using Hydra
Date :

Aim
To learn how to Launch brute-force attacks on the Linux server using Hydra.

Procedure

Hydra is a brute-forcing tool that helps penetration testers and ethical hackers crack the
passwords of network services.
How to Install Hydra
Hydra comes pre-installed with Kali Linux and Parrot OS. So if you are using one of them,
you can start working with Hydra right away.
How to Work with Hydra
Let’s look at how to work with Hydra. We will go through the common formats and options
that Hydra provides for brute-forcing usernames and passwords.

This will give you the list of flags and options that you can use as a reference when working
with Hydra.
How to Perform a Single Username/Password Attack with Hydra
Let’s start with a simple attack. If we have the username and password that we expect a
system to have, we can use Hydra to test it.
Here is the syntax:

Let’s assume we have a user named “molly” with a password of “butterfly” hosted at
10.10.137.76. Here is how we can use Hydra to test the credentials for SSH:

If it works, here is what the result will look like:

Hydra single username and password

How to Perform a Password Spraying Attack with Hydra


What if we know a password that someone is using, but we are not sure who it is? We can
use a password spray attack to determine the username.

Now we are going to test who has the password “butterfly”. Here is how we can run a
password spray attack using Hydra.

We will get a similar result to the following output if any of the users match with the given
password. You should also notice that we have used the flag -L instead of -l. -l is for a single
username and -L is for a list of usernames.

Hydra password spraying

How to Perform a Dictionary Attack with Hydra


A dictionary attack is where we have single/multiple usernames and we provide a password
wordlist to Hydra. Hydra then tests all these passwords against every user in the list.
I am going to use the Rockyou wordlist for this example along with the users.txt file we
created in the previous attack. If you are using Kali Linux, you can find the
RockYou wordlist under /usr/share/wordlists/rockyou.txt. Here is the command for a
dictionary attack:

If this attack is successful, we will see a similar result to the other two commands.
Hydra will highlight the successful username/password combinations in green for all the
matches.

How to Use the Verbosity and Debugging Flags in Hydra


Hydra can be awfully quiet when running large brute-force attacks. If we have to make sure
Hydra is doing what it is expected to do, there are two flags we can use.

Hydra verbose mode

We can also use the debug (-d) flag to gather even more information. Here is the same result
when using the debug flag:

How to Save Your Results in Hydra


Let's look at how to save results. There is no point in spending hours cracking a password
and losing it due to a system crash.

More flags and formats


Hydra also offers a few additional flags and formats that will be useful for us as pen testers.
Here are a few:

Service specification
Instead of specifying the service separately, we can use it with the IP address. For example,
to brute force SSH, we can use the following command:

How to resume attacks


If Hydra’s session exits when an attack is in progress, we can resume the attack using the -R
flag instead of starting from scratch.

How to use custom ports


Sometimes system administrators will change the default port for a service. For example,
FTP can run on port 3000 instead of its default port 21. In those cases, we can specify ports
using the -s flag.

How to attack multiple hosts


What if we have multiple hosts to attack? Easy, we can use the -M flag. The files.txt will
contain a list of IP addresses or hosts instead of a single IP address.

Targeted combinations
If we have a list of usernames and passwords, we can implement a dictionary attack. But if
we have more information on which usernames are likely to have a set of passwords, we can
prepare a custom list for Hydra.

We can then use the -C flag to tell Hydra to run these specific combinations instead of
looping through all the users and passwords.
Here is the syntax.

We have seen how to work with Hydra in detail. Now you should be ready to perform real-world
audits of network services like FTP, SSH, and Telnet.

Result:
Thus the procedure for launching brute-force attacks on the Linux server using Hydra was
launched and tested.

Ex.No: 10 Perform real-time network traffic analysis and data packet logging using Snort
Date :

Aim
To learn how to perform real-time network traffic analysis and data packet logging using
Snort.

About Snort

Snort is a widely used open-source intrusion detection and prevention system (IDS/IPS). It is
capable of performing real-time network traffic analysis, detecting various types of network
attacks, and logging data packets for further analysis.

1. Installation and Configuration:

Start by installing Snort on a system of your choice. Snort is available for various operating
systems, including Linux, Windows, and macOS.
2. Rule Configuration:

Snort uses rules to detect and identify various types of network traffic and attacks.
3. Real-time Traffic Analysis:

Snort continuously monitors network traffic on the specified interfaces in real time.
4. Alert Generation:

Snort can generate alerts when suspicious or malicious network traffic is detected.
5. Packet Logging:

Snort can log data packets for further analysis and investigation.
Packet logging allows for in-depth analysis of network traffic, identifying attack vectors, and
understanding the nature of network-based threats.
6. Analysis and Response:

The generated alerts and logged packets can be further analyzed using various tools and
techniques.
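The rule configuration, real-time analysis and packet logging steps above carried out end to end, as an added example that is not from the lab manual. It assumes Snort 2.9 with the default /etc/snort/snort.conf layout; the interface name, rules path and the rule itself are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the lab manual): one local Snort 2 rule that alerts when a
# source opens many SSH connections, plus the commands to test the config, run Snort
# in IDS mode with packet logging, and read a capture back. Assumes Snort 2.9 with
# /etc/snort/snort.conf; IFACE and the rules path are placeholders.
IFACE=${IFACE:-eth0}
RULES=${RULES:-$(mktemp)}   # use RULES=/etc/snort/rules/local.rules on the real host
LOGDIR=${LOGDIR:-/var/log/snort}

# make_rule SID PORT MSG: prints one alert rule. Local rules must use SIDs >= 1000000.
# detection_filter makes the rule fire only once a source has sent 20 SYNs to the
# port within 60 s, so a single legitimate login never alerts.
make_rule() {
  sid=$1; port=$2; msg=$3
  [ "$sid" -ge 1000000 ] 2>/dev/null || { echo "local rule SID must be >= 1000000" >&2; return 1; }
  printf 'alert tcp any any -> $HOME_NET %s (msg:"%s"; flags:S; detection_filter:track by_src, count 20, seconds 60; classtype:attempted-recon; sid:%s; rev:1;)\n' \
    "$port" "$msg" "$sid"
}

# local.rules is included by the stock snort.conf, so an appended rule is picked up.
make_rule 1000001 22 "Possible SSH brute force: many connections from one source" >> "$RULES"
echo "rule appended to $RULES"

if command -v snort >/dev/null; then
  # Parse the full configuration and exit (-T): catches rule syntax errors before going live.
  snort -T -c /etc/snort/snort.conf
  # IDS mode on one interface: alerts to the console (-A console) and full packets
  # logged in pcap form under LOGDIR (-l) for later analysis.
  snort -c /etc/snort/snort.conf -i "$IFACE" -A console -l "$LOGDIR"
  # Replay a logged capture (-r) through the same rules to review what triggered.
  snort -r "$LOGDIR"/snort.log.* -c /etc/snort/snort.conf -A console
fi
```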

Result:
Thus real-time network traffic analysis and data packet logging were performed using the
Snort IDS.
