INT302 Week _1 Assignment_2

This document outlines a series of labs focused on network security using Kali Linux tools, including nmap and Wireshark. Participants will learn techniques for port scanning, vulnerability assessment, and packet analysis to identify potential security threats. Each lab includes objectives, tools, prerequisites, and step-by-step instructions for conducting various security assessments.

Uploaded by

BKY BKY

Week 1: Reconnaissance, Information Gathering, and Scanning

INT302: Kali Linux Tools and System Security – Lab 4: Basic Port Scanning
Lab Overview

In this lab, you will perform basic and advanced port scanning techniques using nmap and nikto. You will
gather the IP addresses of your OWASP Broken Web Applications Project VM and utilize these IPs for
scanning to identify open ports, services running on those ports, potential vulnerabilities, and the
operating system of the target.

Lab Objectives

By the end of this lab, you will:

1. Conduct a basic port scan using nmap.

2. Perform an aggressive scan to determine service versions and the operating system.

3. Utilize nmap for vulnerability scanning.

4. Use nikto to perform web server vulnerability scans.

Tools Used

• Kali Linux: A Linux distribution tailored for penetration testing.

• nmap: A versatile network scanning tool for discovering hosts and services on a computer
network.

• nikto: A web server scanner that tests for dangerous files/programs, outdated server software,
and other vulnerabilities.

Prerequisites

• Basic knowledge of Kali Linux and command-line operations.

• Access to the OWASP Broken Web Applications Project VM.

• nmap and nikto installed in your Kali Linux environment (they usually come pre-installed).

Lab Steps

Step 1: Gather the IP Address of Your OWASP VM


Instructions:

1. Start your OWASP Broken Web Applications Project VM.

2. Open a terminal and run the following command to find the IP address:

Command Syntax:

ifconfig

3. Look for the inet address under your active network interface (usually eth0 or ens33).

Record the IP Address:

• OWASP VM IP Address: __________

Step 2: Basic Port Scanning with nmap

Now that you have the IP address of your OWASP VM, use nmap to discover open ports.

Instructions:

1. Open your Terminal in Kali Linux.

2. Use the following command to scan for open ports on your OWASP VM.

Command Syntax:

nmap <IP address>

Example:

nmap 192.168.56.101 # Replace with the actual IP of your OWASP VM

Expected Output:
The output will display a list of open ports on the specified IP address.

Exercise 1:

Perform a basic port scan on your OWASP VM IP address and record your findings:

• Open Ports:

Step 3: Aggressive Scanning with nmap

An aggressive scan with nmap can reveal the versions of the services behind the open ports and the
operating system of the target.

Instructions:
1. Use the following command to perform an aggressive scan.

Command Syntax:

nmap -sV -O <IP address>

Example:

nmap -sV -O 192.168.56.101 # Replace with the actual IP of your OWASP VM

Expected Output:
The output will display open ports, service versions, and operating system details.

Exercise 2:

Perform an aggressive scan on your OWASP VM IP address and record your findings:

• Service Versions:

• Operating System:

Step 4: Vulnerability Scanning with nmap

nmap allows you to run vulnerability scans against the target system.

Instructions:

1. Use the following command to perform a vulnerability scan.

Command Syntax:

nmap --script vuln <IP address>

Example:

nmap --script vuln 192.168.56.101 # Replace with the actual IP of your OWASP VM

Expected Output:
The output will display any vulnerabilities found on the target system.

Exercise 3:

Conduct a vulnerability scan on your OWASP VM IP address and record your findings:

• Vulnerabilities:
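As an added example (not part of the lab handout), the following Python script runs the nmap scans from Steps 2 to 4 with XML output and parses the result into the open ports, service versions, OS guess and NSE script findings that the exercises ask you to record. It assumes nmap is on the PATH, and it includes a constructed sample of nmap XML output so the parser can be tried without a target.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV -O --script vuln -oX output (not a real scan;
# trimmed to the elements the parser reads). The IP is the handout's example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O --script vuln -oX - 192.168.56.101">
 <host><status state="up"/><address addr="192.168.56.101" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="5.3p1"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http" product="Apache httpd" version="2.2.14"/>
    <script id="http-trace" output="TRACE is enabled"/></port>
   <port protocol="tcp" portid="143"><state state="closed"/></port>
  </ports>
  <os><osmatch name="Linux 2.6.17 - 2.6.36" accuracy="95"/></os>
 </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """One dict per host: address, best OS guess, and each open port with its
    service, version and any NSE script findings (e.g. from --script vuln)."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        osmatch = host.find("os/osmatch")  # first osmatch = highest accuracy
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # the exercises only ask for open ports
            svc = port.find("service")
            version = " ".join(v for v in (svc.get("product"), svc.get("version"))
                               if v) if svc is not None else ""
            open_ports.append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "version": version,
                "scripts": {s.get("id"): s.get("output", "").strip()
                            for s in port.iter("script")},
            })
        hosts.append({"host": addr.get("addr") if addr is not None else "?",
                      "os": osmatch.get("name", "") if osmatch is not None else "",
                      "open_ports": open_ports})
    return hosts


def scan(target, *nmap_args):
    """Run nmap with XML on stdout, e.g. scan(ip, "-sV", "-O") or
    scan(ip, "--script", "vuln"), and parse it. -O needs root: run with sudo."""
    out = subprocess.run(["nmap", "-oX", "-", *nmap_args, target],
                         check=True, capture_output=True, text=True).stdout
    return parse_nmap_xml(out)
```

Call scan() with the OWASP VM IP for a live run, or parse_nmap_xml(SAMPLE_XML) to see the structure of the findings without scanning.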

Step 5: Web Vulnerability Scanning with nikto

nikto is a comprehensive web server scanner that checks for various vulnerabilities.

Instructions:

1. Use the following command to perform a web server vulnerability scan.

Command Syntax:

nikto -h <target URL>

Example:

nikto -h http://192.168.56.101 # Replace with the actual URL of your OWASP VM

Expected Output:
The output will display any vulnerabilities found on the web server.

Exercise 4:

Perform a vulnerability scan on your OWASP VM and record your findings:

• Vulnerabilities Found:

Submission Instructions

Submit your results from all exercises, including:

• Detected open ports from the basic scan.

• Service versions and operating system from the aggressive scan.

• Any vulnerabilities discovered using nmap.

• Vulnerabilities found using nikto.

Conclusion

In this lab, you explored techniques for basic port scanning and vulnerability assessment
using nmap and nikto. These skills are essential for identifying potential attack vectors and securing
network infrastructures.

INT302: Kali Linux Tools and System Security – Lab 5: Wireshark
Lab Overview

Wireshark is a powerful, open-source network protocol analyzer used for network troubleshooting,
analysis, and software development. In this lab, you will learn to capture and analyze network traffic
using Wireshark and its command-line tool, tshark. Understanding network packets and their structure is
crucial for identifying vulnerabilities and securing networks.

Lab Objectives

By the end of this lab, you will be able to:

1. Launch and navigate the Wireshark GUI effectively.

2. Capture live network traffic using both Wireshark and tshark.

3. Apply filters to isolate and analyze specific packets.

4. Understand packet details, including protocols and their flags.

5. Utilize advanced features such as statistics and graphing.

6. Recognize potential security issues in captured traffic.

Tools Used

• Wireshark: A graphical network protocol analyzer.

• tshark: The terminal-based version of Wireshark.

Prerequisites

• Basic knowledge of networking concepts.

• Installed Wireshark on your Kali Linux environment.

Lab Steps

Step 1: Launching Wireshark

1. Open a terminal in Kali Linux.

2. Launch Wireshark by typing the following command:

Command:
wireshark

3. Familiarize yourself with the interface, noting the main components:

o Capture Interfaces: Where you can select which network interface to capture from.

o Packet List Pane: Displays a list of captured packets.

o Packet Details Pane: Shows detailed information about the selected packet.

o Packet Bytes Pane: Displays the raw data of the selected packet.

o Statistics: Provides information about protocols, conversations, and endpoints.

Exercise 1:

• Explore the Wireshark GUI. Identify and list the main components you see, including where to
find the Statistics menu.

Step 2: Capturing Network Traffic

Using the Wireshark GUI:

1. Select an interface to capture traffic (e.g., wlan0 for wireless or eth0 for wired).

2. Click the Start Capturing Packets button (the shark fin icon).

3. Allow the capture to run for a few minutes while you browse the internet or perform other
network activities.

Using tshark:

1. Open a new terminal window.

2. Use the following command to capture packets on a specific interface:

Command Syntax:

tshark -i <interface>

Example:

tshark -i wlan0 # Replace with your actual interface

Exercise 2:

• Capture network traffic using both Wireshark and tshark. Compare the two methods and note
any differences in the user experience.

Step 3: Analyzing Captured Packets


1. Stop the packet capture in Wireshark by clicking the Stop Capturing Packets button (the red
square icon).

2. Analyze the captured packets in the Packet List Pane.

3. Apply display filters to isolate specific types of traffic. Common filters include:

o Filter for HTTP traffic: http

o Filter for DNS traffic: dns

o Filter for specific IP addresses: ip.addr == <target IP>

o Filter for TCP packets: tcp

Exercise 3:

• Use filters to analyze different types of traffic. Record the following:

o Number of HTTP packets captured: __________

o Number of DNS packets captured: __________

o Specific IP addresses you identified in the traffic: __________

Step 4: Understanding Packet Details

1. Click on a packet in the Packet List Pane to view its details in the Packet Details Pane.

2. Expand different protocol layers to understand the encapsulation and the data contained within
each packet.

Key Areas to Focus On:

• Source and Destination IP Addresses

• Protocol Types (TCP, UDP, ICMP, etc.)

• TCP Flags (SYN, ACK, FIN, etc.)

• Application Layer Protocols (HTTP, DNS, etc.)

Exercise 4:

• Select a packet and list the following information:

o Source IP: __________

o Destination IP: __________

o Protocol: __________

o Any TCP Flags observed: __________


Step 5: Advanced Packet Analysis Techniques

1. Follow TCP Stream:

o Right-click on any TCP packet and select Follow > TCP Stream to see the entire
conversation.

o This feature is useful for understanding the context of the traffic.

Exercise 5:

• Follow a TCP stream for a specific session and summarize the data exchanged between the client
and server.

2. Protocol Hierarchy:

o Navigate to Statistics > Protocol Hierarchy to see a breakdown of captured protocols.

o This will help you identify which protocols are most common in your capture.

Exercise 6:

• Take a screenshot of the Protocol Hierarchy and analyze the data. Which protocol is most
prevalent in your capture? __________

3. IO Graphs:

o Access Statistics > IO Graphs to visualize traffic over time.

o This can help identify spikes in traffic, indicating potential issues or security events.

Exercise 7:

• Create an IO Graph showing TCP traffic. Describe any noticeable patterns you observe:
__________

Step 6: Exporting Captured Data

1. Save your captured packets for further analysis or reporting.

o Go to File > Save As and choose a file format (e.g., .pcap).

Exercise 8:

• Save your capture file and describe a scenario where you would need to review this data later.
What specific findings do you hope to extract?

Step 7: Practical Applications of Wireshark


1. Detecting Network Issues:

o Use Wireshark to analyze a failing network connection or slow performance.

o Look for excessive retransmissions or packet loss indicators.

Exercise 9:

• Describe a real-world scenario where you would use Wireshark to troubleshoot a network issue.
What specific symptoms would you investigate? __________

2. Security Analysis:

o Use Wireshark to identify potential security threats, such as unauthorized access
attempts, malware communications, or data exfiltration.

o Investigate any suspicious packets and document your findings.

Exercise 10:

• Identify at least two potential security threats in your captured traffic. What indicators led you to
suspect these activities? __________

Conclusion

In this lab, you have gained hands-on experience with Wireshark, capturing and analyzing network
traffic. Understanding how to use this tool effectively is essential for network security assessments and
troubleshooting network issues. The exercises provided in this lab aim to enhance your skills and prepare
you for real-world cybersecurity challenges.

INT302: Kali Linux Tools and System Security – Lab 6: Advanced Packet Analysis Techniques
Lab Overview

In this lab, participants will delve deeper into packet analysis using Wireshark. You will learn how to
dissect various protocols, create custom filters for targeted analysis, and identify vulnerabilities within
network traffic. This hands-on lab will enhance your understanding of network security and equip you
with the skills to perform thorough traffic analysis.

Lab Objectives

By the end of this lab, you will be able to:

1. Dissect various network protocols and understand their structure.

2. Create custom display filters to isolate specific packets of interest.

3. Analyze traffic for signs of vulnerabilities and malicious activities.

4. Use advanced features in Wireshark for effective network troubleshooting and security
assessment.

Tools Used

• Wireshark: A graphical network protocol analyzer.

• tshark: The terminal-based version of Wireshark.

Prerequisites

• Completion of Lab 5: Wireshark.

• Basic understanding of networking concepts and protocols.

Lab Steps

Step 1: Dissecting Protocols

1. TCP Analysis:

o Capture some TCP traffic (e.g., browsing a website) using Wireshark.

o Select a TCP packet and expand the details in the Packet Details Pane.

o Identify key components such as TCP flags (SYN, ACK, FIN) and sequence numbers.

Exercise 1:

• Describe the purpose of the SYN and ACK flags in the TCP handshake. How do these flags
indicate the status of a connection? __________

2. HTTP Analysis:

o Filter the captured traffic to show only HTTP packets using the filter: http.

o Examine the headers of an HTTP request and response.

Key Headers to Focus On:

• Request Method (GET, POST, etc.)


• Status Code (200, 404, etc.)

• User-Agent

Exercise 2:

• Choose an HTTP packet and summarize its request method, status code, and any notable
headers. What can you infer about the transaction? __________

3. DNS Analysis:

o Capture DNS queries by using the filter: dns.

o Examine the DNS response packets to see the resolved IP addresses for the queried
domains.

Exercise 3:

• Identify a DNS query and its corresponding response. What information does the response
provide, and how is it structured? __________

Step 2: Creating Custom Filters

1. Filter Basics:

o Learn about basic filtering syntax in Wireshark.

o Combine multiple filters using logical operators (and, or, not).

Examples:

• Filter for HTTP traffic from a specific IP: http and ip.src == <source IP>

• Filter for DNS queries excluding specific domains: dns and !(dns.qry.name == "<excluded domain>")

Exercise 4:

• Create a custom filter that captures only TCP traffic from your machine to a specific target IP.
Document the filter syntax and the packets captured. __________

2. Using Filter Expressions:

o Utilize the Wireshark display filter expression dialog to construct complex filters.

o Practice filtering packets based on multiple criteria, such as source/destination IP,
protocol type, and port numbers.

Exercise 5:

• Write a filter that captures traffic on a specific port (e.g., HTTP port 80) and analyze the results.
What packets were captured? __________

Step 3: Identifying Vulnerabilities

1. Recognizing Anomalies:

o Look for signs of potential vulnerabilities, such as unusual traffic patterns, unencrypted
sensitive information, or malicious payloads.

Common Indicators:

• Repeated SYN packets (possible SYN flood attack).

• HTTP packets containing sensitive information (e.g., passwords, credit card numbers).

Exercise 6:

• Analyze your capture for any anomalies or indicators of potential vulnerabilities. Document your
findings and suggest possible remediation steps. __________
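Added example (Python, not part of the lab handout) that turns the first indicator above, repeated SYN packets, into a check over tshark field output: it counts SYN-only segments per source and reports sources that never completed a handshake. It assumes a capture saved as capture.pcap and includes a constructed sample of tshark's output so it runs without one.

```python
from collections import defaultdict

# tshark command (the CLI tool from Lab 5) that produces the lines parsed below:
# one comma-separated line per TCP segment with source, destination and SYN/ACK bits.
TSHARK_CMD = ("tshark -r capture.pcap -Y tcp -T fields -E separator=, "
              "-e ip.src -e ip.dst -e tcp.flags.syn -e tcp.flags.ack")

# Constructed sample of that output (not from a real capture): 10.0.0.5 completes
# one normal handshake with the OWASP VM, while 10.0.0.9 keeps sending SYNs and
# never answers the VM's SYN/ACKs, leaving half-open connections behind.
SAMPLE_LINES = """\
10.0.0.5,192.168.56.101,1,0
192.168.56.101,10.0.0.5,1,1
10.0.0.5,192.168.56.101,0,1
10.0.0.9,192.168.56.101,1,0
192.168.56.101,10.0.0.9,1,1
10.0.0.9,192.168.56.101,1,0
192.168.56.101,10.0.0.9,1,1
10.0.0.9,192.168.56.101,1,0
192.168.56.101,10.0.0.9,1,1
10.0.0.9,192.168.56.101,1,0
10.0.0.9,192.168.56.101,1,0
10.0.0.9,192.168.56.101,1,0
"""


def flag_set(value):
    """tshark prints boolean fields as 1/0 in older releases and True/False in
    newer ones; accept both so the parser works with either."""
    return value.strip().lower() in ("1", "true")


def syn_stats(lines):
    """Per source address: SYN-only segments sent (connection attempts) versus
    segments with ACK set (the rest of a handshake or an established session)."""
    stats = defaultdict(lambda: {"syn_only": 0, "acked": 0})
    for line in lines.splitlines():
        if not line.strip():
            continue  # skip blank lines in the tshark output
        src, _dst, syn, ack = line.split(",")
        if flag_set(ack):
            stats[src]["acked"] += 1
        elif flag_set(syn):
            stats[src]["syn_only"] += 1
    return stats


def suspected_syn_flooders(lines, min_syns=5):
    """Sources that sent at least min_syns SYN-only segments and never sent an
    ACK: the 'repeated SYN packets' indicator from Step 3, with a threshold so
    a single retransmitted SYN is not reported."""
    return sorted(src for src, s in syn_stats(lines).items()
                  if s["syn_only"] >= min_syns and s["acked"] == 0)
```

Pipe the output of TSHARK_CMD into suspected_syn_flooders() to run the check on your own capture; the server's SYN/ACK replies count as acknowledged segments, so the VM itself is not reported.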

2. Security Protocols:

o Examine traffic from secure protocols (HTTPS) and identify how encryption affects
packet analysis.

o Use the ssl display filter (named tls in Wireshark 3.0 and later) to analyze SSL/TLS handshake packets.

Exercise 7:

• Capture HTTPS traffic and identify the initial handshake packets. What information is exchanged
during this handshake, and how does it contribute to security? __________

Step 4: Practical Applications and Reporting

1. Conduct a Security Assessment:

o Using the knowledge gained from this lab, conduct a mini security assessment on your
network traffic.

o Look for signs of compromised traffic, open ports, or unauthorized access attempts.

Exercise 8:

• Prepare a brief report summarizing your findings during the assessment. Include potential risks
and recommended actions. __________

2. Creating a Capture Report:

o Document your analysis steps, findings, and any relevant screenshots or packet details.

o Prepare a presentation summarizing your lab experience and learnings.

Exercise 9:

• Create a capture report that includes your objectives, methods, key findings, and any
recommendations for improving network security. __________

Conclusion

In this lab, you have explored advanced packet analysis techniques using Wireshark. You learned to
dissect protocols, create custom filters, and identify vulnerabilities in network traffic. These skills are
essential for performing thorough traffic analysis and enhancing your capabilities as a cybersecurity
professional.
