VAPT LAB MANUAL

The document is a lab manual for vulnerability assessment and penetration testing, detailing various labs that teach students how to gather information and identify vulnerabilities using tools like The Harvester, OSRFramework, Maltego, Proxy Workbench, Wireshark, HTTrack, and Curl. Each lab includes objectives, requirements, and step-by-step procedures for executing tasks related to information gathering, footprinting, and proxy chaining. The manual emphasizes practical skills in cybersecurity and ethical hacking techniques.

Uploaded by

bettyreddy.507

LAB MANUAL FOR VULNERABILITY ASSESSMENT AND PENETRATION TESTING LAB


1. Information gathering using theHarvester
theHarvester gathers emails, subdomains, hosts, employee names, open ports and banners from public sources
such as search engines, PGP key servers and the SHODAN computer database.

Lab Objectives
The objective of this lab is to demonstrate how to identify vulnerabilities and information disclosures in search
engines using The Harvester.

Students will learn how to:

Extract email addresses, subdomain names, virtual hosts, etc. from web pages

Lab Requirements
Kali Linux running as a virtual machine

Procedure
Step 1: Log into Kali Linux machine and open a Terminal Window

Step 2: Type theharvester -d certifiedhacker.com -l 300 -b all and hit Enter to launch the Harvester

Step 3: TheHarvester starts extracting the details and displays them on the screen. Since there is so much
information to go through, we will write the output to an HTML file for better readability.
Step 4: Press Ctrl+C to terminate the current session

Step 5: Type theharvester -d certifiedhacker.com -l 300 -b all -f test and hit Enter to export the results as a
file named test

Step 6: Navigate to the home folder on the Kali machine and you will find two files named test, one in HTML
format and one in XML format. Open the HTML file to view the results.

Step 7: Here you can also see a graph of all the different information extracted by the Harvester displayed for better
analysis. Collect and note the information disclosed about the target.
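The `-f test` run in Step 5 leaves a `test.xml` beside the HTML report, and the XML is the file to parse when you want to count or deduplicate what the target discloses rather than read it by eye. The script below is an added example, not part of the lab manual or of theHarvester itself: it parses a constructed report into case-folded, deduplicated emails and hostnames grouped by IP. The element layout it assumes (a `<theHarvester>` root with `<email>`, `<host>`/`<hostname>`/`<ip>` and `<vhost>` children) matches older theHarvester releases; check it against the `test.xml` your own run produces before relying on it.

```python
"""Parse a theHarvester XML report into a deduplicated exposure summary.

Added example, not the lab manual's or theHarvester's code. The element layout
is an assumption based on older theHarvester releases; the sample report
below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample standing in for the test.xml written by "-f test".
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<theHarvester>
<email>admin@example.com</email>
<email>ADMIN@example.com</email>
<email>hr@example.com</email>
<host><ip>203.0.113.10</ip><hostname>www.example.com</hostname></host>
<host><ip>203.0.113.10</ip><hostname>mail.example.com</hostname></host>
<host><ip>203.0.113.25</ip><hostname>vpn.example.com</hostname></host>
<vhost><ip>203.0.113.10</ip><hostname>blog.example.com</hostname></vhost>
</theHarvester>
"""


def parse_report(xml_text):
    """Return (emails, hosts_by_ip, vhosts_by_ip); values are lower-cased and deduplicated."""
    root = ET.fromstring(xml_text)
    emails = sorted({e.text.strip().lower() for e in root.iter("email") if e.text})
    hosts_by_ip = defaultdict(set)
    vhosts_by_ip = defaultdict(set)
    for tag, bucket in (("host", hosts_by_ip), ("vhost", vhosts_by_ip)):
        for node in root.iter(tag):
            ip = node.findtext("ip", default="").strip()
            name = node.findtext("hostname", default="").strip().lower()
            if ip and name:
                bucket[ip].add(name)
    return emails, dict(hosts_by_ip), dict(vhosts_by_ip)


def exposure_summary(xml_text):
    """Count what the target discloses: distinct addresses, hostnames and IPs."""
    emails, hosts, vhosts = parse_report(xml_text)
    ips = set(hosts) | set(vhosts)
    names = {n for s in hosts.values() for n in s} | {n for s in vhosts.values() for n in s}
    return {"emails": len(emails), "hostnames": len(names), "ips": len(ips)}


if __name__ == "__main__":
    emails, hosts, vhosts = parse_report(SAMPLE_XML)
    print("Emails:", ", ".join(emails))
    for ip in sorted(set(hosts) | set(vhosts)):
        names = hosts.get(ip, set()) | vhosts.get(ip, set())
        print(ip, "->", ", ".join(sorted(names)))
    print(exposure_summary(SAMPLE_XML))
```

Grouping by IP is the useful view for a defender: several hostnames resolving to one address is one exposed server, and the duplicate email (differing only in case) is counted once.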
2. Open Source Intelligence Gathering Using OSRFramework
OSRFramework is a set of libraries to perform Open Source Intelligence tasks. They include references to a
bunch of different applications related to username checking, DNS lookups, information leaks research, deep web
search, regular expressions extraction and many others.

Lab Objectives
The objective of this lab is to demonstrate how to identify usernames of the target on different social media
platforms.

Lab Requirements
To carry out the lab you need:

Kali Linux running as a virtual machine

Web Browser with internet access

Procedure
Step 1: Log into Kali Linux machine

Step 2: Launch a command line terminal by clicking on the Terminal icon from the Taskbar

Step 3: usufy.py checks for the existence of a profile for the given user details on the different platforms. Type
usufy.py -n <Target username or profile name> -p twitter facebook youtube and press Enter

Note: -n takes the list of nicknames to process, -p the platforms to search

Step 4: usufy.py will search for the user details on the specified platforms and report whether the user
exists on each.
Step 5: searchfy.py checks the existing users of a page/handle for the given details across all the supported social
networking platforms. Type searchfy.py -q <Page Name or Handler Name> and press Enter.

Step 6: It will output the details of all the accounts subscribed to the target social networking pages that were provided.

Collect and note the information disclosed about the target.

3. Footprinting a Target using Maltego


Maltego is an open source intelligence and forensics application. It gathers information about a target and
represents this information in an easily understandable format.
Lab Objectives
The objective of this lab is to help students gather as much information as possible about the target. With this
lab, the student can

Identify the Server-Side Technology

Identify the Domain

Identify the Domain Name Schema

Identify the Start of Authority (SOA) Information

Identify the Mail Exchanger

Identify the Name Server

Identify the IP Address

Identify the Geographical Location

Identify the Entities

Find out the Email Addresses

Lab Requirements
To carry out the lab you need:

Kali Linux running as a virtual machine

A Web Browser with an Internet connection

Administrative privileges to run the tools

A valid email account (Hotmail, Gmail, Yahoo, etc.).We suggest you sign up with any of the services to obtain a
new email account for this lab. Do not use your real email accounts and passwords in these exercises.

Run this lab on Kali machine

Procedure
Step 1: Launch Maltego from the taskbar from the left-hand side.

Step 2: A product selection wizard appears in the Maltego GUI. Click Run under the Maltego CE (Free) option

Step 3: You will be redirected to the Login section. Click register here.
Step 4: Register your account by filling in the required details and activate it

Step 5: Log in to Maltego

Step 6: The Install Transforms section appears. Leave the settings to default and click Next

Step 7: The Help Improve Maltego section appears, Leave the options set to default and click Next

Step 8: The Ready section appears. Select the radio button Open a blank graph and let me play around and click
Finish in order to perform footprinting manually.

Step 9: Click the + icon located at the top-left corner of the GUI (in the toolbar) to start a new graph
Step 10: The New Graph (1) window appears along with a palette in the left pane. It contains a list of default
built-in transforms.

Step 11: Expand the Infrastructure node under Entity Palette

Step 12: Drag the website entity into the New Graph (1) section

Step 13: The entity appears on the new graph, with the www.paterva.com URL selected by default

Step 14: Double-click paterva.com and rename the domain name to www.certifiedhacker.com. Press Enter

Step 15: Right-click the entity and select All Transforms

Step 16: The Run Transform(s) list appears. Click To Server Technologies [using BuiltWith]

Step 17: Maltego starts running the To Server Technologies [using BuiltWith] transform on the entity.
Step 18: Observe the status in the progress bar

Step 19: Once Maltego completes the Transforming Server Side Technologies, it displays the technology
implemented on the server that hosts the website.

Step 20: After obtaining the built-in technologies of the server, attackers might search for vulnerabilities related
to any of them and simulate exploitation techniques to hack them

Step 21: To start a new transform, select all entities by pressing Ctrl+A on the keyboard and press Delete.

Step 22: A Delete pop-up appears. Click Yes

Step 23: Right-click the entity and select All Transforms -> To Domains [DNS]

Step 24: The domain corresponding to the website displays


Note: Some of the screenshots may differ in your lab environment

Step 25: Right-click the entity and select All Transforms -> To DNS Name [using Name Schema diction...]

Step 26: Observe the status in the progress bar

Step 27: This transform tests various name schemas against the domain and tries to identify the specific name
schema the domain uses
Step 28: Right-click the entity and select All transforms ->To DNS Name -SOA (Start of Authority).

Step 29: This returns the primary name server and the email of the domain administrator

Step 30: By extracting the SOA related information, attackers attempt to find vulnerabilities in their services
and architectures, and exploit them

Step 31: Select both the name server and the email entities by dragging across them, and delete them

Step 32: Right-click the entity and select ALL Transforms -> To DNS Name -MX (mail server)
Step 33: This transform returns the mail server associated with the certifiedhacker.com domain

Step 34: By identifying the mail exchanger server, attackers attempt to exploit vulnerabilities in the server and
thereby use it to perform malicious activities such as sending spam e-mails

Step 35: Select only the mail server by dragging and deleting it.

Step 36: Right-click the entity and select All Transforms -> To DNS Name - NS (name server)

Step 37: This returns the name servers associated with the domain.

Step 38: By identifying the primary name server, an attacker can implement various techniques to exploit the
server and thereby perform malicious activities such as DNS hijacking and URL redirection.
Step 39: Right-click the entity and select All Transforms -> To IP Address [DNS]

Step 40: This displays the IP address of the website

Step 41: By obtaining the IP address of the website, an attacker can simulate various scanning techniques to find
open ports and vulnerabilities and thereby attempt to intrude in the network and exploit them.

Step 42: Right-click the entity and select All Transforms -> To Location [city, country]. This transform
identifies the geographical location where the IP address is located

Step 43: By obtaining the information related to geographical location, attackers can perform social engineering
attacks by making voice calls (vishing) to an individual in an attempt to leverage sensitive information.
Step 44: Right-click the domain entity (certifiedhacker.com) and select Run Transform -> To Entities from
whois

Step 45: This transform returns the entities pertaining to the owner of the domain.

Step 46: By obtaining this information, an attacker can exploit the servers displayed in the result, or simulate a brute
force attack or any other technique to hack into the admin mail account.

Step 47: The attacker may then send phishing emails to the contacts in that account.

Step 48: Perform footprinting on a target person to obtain the email address and phone number

Step 49: Click the + icon located at the top-left corner of the GUI to start a new graph

Step 50: A new graph (New Graph (2)) appears in Maltego. Expand the Personal tab in the left pane and
drag the person entity to the New Graph (2) section.

Step 51: The name of the entity is set as John Doe by default
Step 52: To assign a target person name, double-click John Doe and type the name of the person (here, Rini
Mathews)

Step 53: Right-click the entity and select All Transforms -> To Email Address [verify common]

Step 54: Maltego displays all the valid email addresses corresponding to the given name.

By extracting all of this information, an attacker can simulate actions such as enumeration, web application hacking,
social engineering, etc., which may allow access to a system or network, gaining credentials, and so on.
4. Daisy Chaining using Proxy Workbench
Proxy Workbench is a unique proxy server, ideal for developers, security experts and trainers, that displays data in real
time

Lab Objectives

This lab will show you how to create a daisy-chained proxy using the Proxy Workbench tool.

Lab Requirements

Windows 7 running as a virtual machine (attacker machine)

Another Windows machine running as a virtual machine (victim machine)

A web browser with internet access

Administrative privileges to run tools

Procedure
Step 1: After the installation is complete, switch back to the attacker machine and launch the Firefox web
browser

Step 2: Click the open menu button at the top-right corner of the browser window and click options

Step 3: The Options window opens. Scroll down to the Network Proxy heading and click Settings...

Step 4: Select the Manual proxy configuration radio button in the Connection Settings wizard

Step 5: Type 127.0.0.1 as the HTTP Proxy, enter 8080 as the port value and check Use this proxy server for
all protocols. Then click OK.
Step 6: If you encounter a port error during configuration, simply ignore it

Step 7: Launch Proxy Workbench and click OK on the welcome pop-up

Step 8: The configure Proxy Workbench window opens. Select HTTP Proxy-web in the left pane and check
the HTTP protocol in the right pane.

Step 9: Click configure HTTP for Port 8080


Step 10: The HTTP Properties window opens. Click Connect via another proxy

Step 11: Enter the IP address of the Windows 7 virtual machine in the Proxy server field, and port number
8080 in the port field.

Note: In this lab, the IP address may vary in your lab environment.

Step 12: Click close to Configure Proxy Workbench window


Step 13: Login to another machine and launch Proxy workbench. Repeat the configuration steps.

Step 14: Switch Back to the Host machine (attacker machine), launch the Firefox web browser, and browse
websites such as http://www.cnet.com

Step 15: Open the Proxy Workbench GUI for more detailed information. Observe that the request comes
from 127.0.0.1 (localhost) and goes to the other machine's IP. In other words, you are browsing with the IP address of the
other Windows machine, with the Windows 7 proxy already running in the background, thereby giving you
greater anonymity.

Document all the IP addresses, open ports and running applications, and protocols you discovered during this lab.

5. Identify Target System’s OS with Time-to-Live (TTL) and TCP Window Sizes using Wireshark
Identifying the OS used on the target host allows an attacker to work out which vulnerabilities the system may have
and which exploits might work against it, in order to carry out further attacks.

Lab Objectives

Sniff/capture the response generated by the target machine using a packet-sniffing tool such as Wireshark and
observe the TTL and TCP window size fields.

Lab Requirements

To carry out this lab, you need the following:


Windows 7 running as a virtual machine

Windows 8 running as a virtual machine

Kali Linux running as a virtual machine

Procedure

Step 1: Launch Wireshark on the Windows 7 virtual machine. The Wireshark main window appears; select the
available Ethernet interface to start the packet capture.

Step 2: Launch windows 8 virtual machine and from the command prompt ping the windows 7 machine.

Step 3: Switch to the windows 7 machine and observe the packets captured by Wireshark

Step 4: Choose any ICMP request packet from the Windows 8 machine to the Windows 7 machine, and expand the Internet
Protocol Version node in the Packet Details pane

Note: The IP address may vary in your lab environment

Step 5: The TTL value is recorded as 128, which means the ICMP request came from the Windows-based machine.

Step 6: Now start the new packet capturing and switch to Kali Linux machine

Step 7: In a terminal window on Kali Linux, type ping <windows 7 machine IP> and press Enter. After a few
packets have been sent from Kali Linux, press Ctrl+C to terminate the ping.

Step 8: Switch to the Windows 7 machine, choose any ICMP request packet from Kali Linux to the Windows 7
machine and expand the Internet Protocol Version node in the Packet Details pane.

Note: The IP address may vary in your lab environment

Step 9: The TTL value recorded as 64 means that the ICMP request came from a Linux-based machine.
Stop the running capture in the Wireshark window, and close all the windows that were opened in the three
virtual machines.
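The two readings above (128 in Step 5, 64 in Step 9) are clean because both senders sit on the same LAN as the capturing host. Across routers each hop decrements the TTL by one, so the value you see is the initial TTL minus the hop count, and the right rule is to round the observed value up to the next common initial TTL (64, 128 or 255) and treat the difference as the distance. The script below is an added example, not part of the lab manual or Wireshark: it applies that rule to constructed packets, including two senders several hops away, and uses the TCP window size only as a secondary hint. The window-size table holds assumed typical values and both tables are heuristics (stacks can be tuned, and middleboxes rewrite TTLs), so treat the result as a hint rather than proof.

```python
"""Infer a sender's probable OS family from IP TTL and TCP window size.

Added example, not from the lab manual or Wireshark. Common operating systems
start TTL at 64 (Linux/Unix/macOS), 128 (Windows) or 255 (many network devices,
Solaris); each router hop decrements it by one, so the observed value is rounded
up to the next initial value and the difference estimates the hop count.
The window-size table holds assumed typical values and is only a refinement.
"""

INITIAL_TTLS = (64, 128, 255)

# Heuristic mapping; real stacks can be tuned, so treat results as hints.
TTL_FAMILY = {64: "Linux/Unix", 128: "Windows", 255: "Network device/Solaris"}

# Window sizes commonly seen in initial SYN segments (assumed typical values).
WINDOW_HINTS = {
    64: {5840: "older Linux 2.6", 29200: "Linux 3.x/4.x", 65535: "FreeBSD/macOS"},
    128: {8192: "Windows 7/8", 65535: "Windows 2000/XP"},
}


def infer_initial_ttl(observed_ttl):
    """Round an observed TTL up to the next common initial TTL; None if out of range."""
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None


def fingerprint(observed_ttl, window_size=None):
    """Return initial TTL, estimated hop count, OS family and an optional window-size detail."""
    initial = infer_initial_ttl(observed_ttl)
    if initial is None:
        return {"initial_ttl": None, "hops": None, "family": "unknown", "detail": None}
    detail = WINDOW_HINTS.get(initial, {}).get(window_size)
    return {
        "initial_ttl": initial,
        "hops": initial - observed_ttl,
        "family": TTL_FAMILY[initial],
        "detail": detail,
    }


# Constructed packets: (description, source IP, observed TTL, TCP window or None for ICMP).
SAMPLE_PACKETS = [
    ("Windows 8 ping to Windows 7, same LAN", "192.0.2.20", 128, None),
    ("Kali Linux ping to Windows 7, same LAN", "192.0.2.30", 64, None),
    ("Linux web server SYN, four hops away", "198.51.100.8", 60, 29200),
    ("Windows host SYN, two hops away", "198.51.100.9", 126, 8192),
    ("Router-originated ICMP", "198.51.100.1", 255, None),
]


def classify_all(packets=SAMPLE_PACKETS):
    """Fingerprint each sample packet and return the results keyed by source IP."""
    return {src: fingerprint(ttl, win) for _, src, ttl, win in packets}


if __name__ == "__main__":
    for desc, src, ttl, win in SAMPLE_PACKETS:
        r = fingerprint(ttl, win)
        extra = f" ({r['detail']})" if r["detail"] else ""
        print(f"{src:14} TTL={ttl:3} -> {r['family']}{extra}, ~{r['hops']} hop(s)  [{desc}]")
```

A TTL of 60 is therefore read as "Linux, about four hops away", not as an unknown value, and a TTL of 126 as "Windows, two hops away"; the window size then narrows the Linux guess to a kernel generation only when it matches a known default.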

6. HTTrack
HTTrack is a free (GPL, libre/free software) and easy-to-use offline browser utility. It allows
you to download a World Wide Web site from the Internet to a local directory, building
recursively all directories, getting HTML, images, and other files from the server to your
computer.

Link to download the tool for Windows:

https://www.httrack.com/

How to Download HTTrack

Step 1: Search for HTTrack download in Google.

Step 2: Screenshot of the official HTTrack website.

Step 3: Platform and version details of HTTrack.

Step 4: Choose the file to download according to your system configuration.

Step 5: After the download, a file named HTTrack appears in the system's Downloads folder.

Step 6: Click NEXT to install the software.

Step 7: Accept the agreement and click NEXT.

Step 8: Choose the path to install the file.

Step 9: Click NEXT to continue.

Step 10: Select additional tasks and click NEXT.

Step 11: Click INSTALL.

Step 12: Click FINISH to complete the setup.

Step 13: Run the program and click Next.

Step 14: Enter the project name and category.

Step 15: Select the action "Download web site" and click NEXT.

Step 16: Open the website whose clone you want to create.

Step 17: Paste the URL of the website to clone and click NEXT.

Step 18: Click FINISH.

Step 19: Cloning and transferring the data will take some time; after that, click NEXT.

Step 20: Finally, click Finish to complete the task.

Step 21: The following folders are created by HTTrack in the end.
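What HTTrack does between Step 17 and Step 21 is a scoped recursive crawl: fetch the start URL, extract its links, follow only those that stay on the same host, and write each response under a directory tree that mirrors the URL path. The script below is an added example, not HTTrack's code or the lab manual's, that implements that loop against a constructed in-memory site so it runs offline; `fetch_sample`, `SAMPLE_SITE` and the `mirror`/`local_path` helpers are all assumptions of this example. The same-host check and the page budget are the two controls worth noticing: they are what keep a mirror from wandering onto third-party sites or running without bound, and from the server side a mirror shows up as one client fetching every linked resource in quick succession.

```python
"""Minimal offline mirror: follow same-site links recursively and save pages locally.

Added example, not HTTrack's code or the lab manual's. Fetching is abstracted
behind a callable so the example runs against a constructed in-memory site.
"""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

# Constructed site: URL -> body. One link leaves the host and must be skipped.
SAMPLE_SITE = {
    "http://example.test/": '<a href="/about.html">About</a> <a href="docs/">Docs</a>'
                            ' <a href="http://other.test/x">Off-site</a>',
    "http://example.test/about.html": '<a href="/">Home</a> <img src="/logo.png">',
    "http://example.test/docs/": '<a href="../about.html#team">About</a> <a href="guide.html">Guide</a>',
    "http://example.test/docs/guide.html": "<p>No links here</p>",
    "http://example.test/logo.png": "PNGDATA",
}


def fetch_sample(url):
    """Stand-in for an HTTP GET: returns the body or None for a missing page."""
    return SAMPLE_SITE.get(url)


class LinkExtractor(HTMLParser):
    """Collect the link-bearing attribute of <a>, <link>, <img> and <script> tags."""
    WANTED = {"a": "href", "link": "href", "img": "src", "script": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WANTED.get(tag)
        for key, value in attrs:
            if key == wanted and value:
                self.links.append(value)


def local_path(root, url):
    """Map a URL to a file path under root, mirroring the host and URL path as directories."""
    parsed = urlparse(url)
    path = parsed.path or "/"
    if path.endswith("/"):
        path += "index.html"
    return os.path.join(root, parsed.netloc, path.lstrip("/"))


def mirror(start_url, root, fetch=fetch_sample, max_pages=100):
    """Breadth-first crawl restricted to start_url's host; returns the URLs saved, in order."""
    host = urlparse(start_url).netloc
    queue, seen, saved = [start_url], {start_url}, []
    while queue and len(saved) < max_pages:
        url = queue.pop(0)
        body = fetch(url)
        if body is None:
            continue
        dest = local_path(root, url)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "w", encoding="utf-8") as fh:
            fh.write(body)
        saved.append(url)
        extractor = LinkExtractor()
        extractor.feed(body)
        for link in extractor.links:
            absolute, _ = urldefrag(urljoin(url, link))  # resolve relative links, drop #fragments
            if urlparse(absolute).netloc == host and absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return saved


def run_demo():
    """Mirror the constructed site into a fresh temporary directory."""
    out = tempfile.mkdtemp(prefix="mirror_")
    return mirror("http://example.test/", out), out


if __name__ == "__main__":
    saved, out = run_demo()
    for u in saved:
        print("saved", u, "->", local_path(out, u))
```

The off-site link to `other.test` is never followed, the `#team` fragment is stripped so the About page is fetched once, and `docs/` lands in `docs/index.html`, which is the layout HTTrack produces for directory URLs.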
7. Introduction to curl
curl is a small command-line utility used for transferring data over various protocols. libcurl is a free
client-side URL transfer library. It supports cookies, HTTP, HTTP/2, FTP, Gopher, etc. It also performs SSL
certificate verification.

Steps to Run curl

Step 1: To connect and fetch the data, just type this command in a Kali terminal.

Step 2: Here it shows the result of the command, i.e. curl modernindianbabynames.com

Step 3: The result continues.

Step 4: The command to use if the user wants to send a particular request using a different HTTP method.

Step 5: Here it shows the result of the command, i.e. curl -v -X HEAD modernindianbabynames.com

Step 6: To check for redirection we use the command curl google.com

Step 7: Here the result of the command is 301, and 301 Moved means the site is redirected.

Step 8: To get the details of the redirected website we use the command curl -L google.com

Step 9: Here it shows the result of the command.

Step 10: We use this command to save the website's HTML content.

Step 11: The result of the command shows a total of 29859 files saved.

Step 12: To view the details of the downloaded files use the command vim curl.txt
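Steps 6 to 8 show the difference between a plain request, which stops at the `301 Moved` response, and `-L`, which follows the `Location` header to the final page. The script below is an added example, not curl's code or the lab manual's: it reproduces that behaviour offline against a constructed response table (`SAMPLE_RESPONSES` and `fetch_sample` are assumptions of this example), resolving relative `Location` values against the redirecting URL, capping the number of hops the way curl's `--max-redirs` does, and refusing a redirect loop instead of spinning. One practical note on Step 5: curl's own `-I` option sends a HEAD request and stops after the headers, whereas `-X HEAD` only changes the method name and curl may then wait for a body the server never sends.

```python
"""Follow HTTP redirects the way curl -L does, with a hop limit and loop detection.

Added example; not curl's code or the lab manual's. A callable standing in for
the network returns (status, headers, body) from a constructed table so the
example runs offline.
"""
from urllib.parse import urljoin

# Constructed responses: URL -> (status, headers, body).
SAMPLE_RESPONSES = {
    "http://google.com/": (301, {"Location": "http://www.google.com/"}, "301 Moved"),
    "http://www.google.com/": (200, {"Content-Type": "text/html"}, "<html>landing</html>"),
    "http://loop.test/a": (302, {"Location": "/b"}, ""),
    "http://loop.test/b": (302, {"Location": "/a"}, ""),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch_sample(url):
    """Stand-in for one HTTP request; unknown URLs get a 404."""
    return SAMPLE_RESPONSES.get(url, (404, {}, "not found"))


class TooManyRedirects(Exception):
    """Raised when the hop limit is exceeded or the chain revisits a URL."""


def resolve(url, follow=True, max_redirs=5, fetch=fetch_sample):
    """Return (final_url, status, body, chain). follow=False mimics curl without -L."""
    chain = [url]
    status, headers, body = fetch(url)
    while follow and status in REDIRECT_STATUSES and "Location" in headers:
        if len(chain) > max_redirs:
            raise TooManyRedirects(f"exceeded {max_redirs} redirects: {' -> '.join(chain)}")
        # Location may be relative; resolve it against the URL that sent it.
        url = urljoin(url, headers["Location"])
        if url in chain:
            raise TooManyRedirects(f"redirect loop: {' -> '.join(chain + [url])}")
        chain.append(url)
        status, headers, body = fetch(url)
    return url, status, body, chain


if __name__ == "__main__":
    final, status, body, chain = resolve("http://google.com/", follow=False)
    print("without -L:", status, body)
    final, status, body, chain = resolve("http://google.com/")
    print("with -L:   ", status, " -> ".join(chain))
    try:
        resolve("http://loop.test/a")
    except TooManyRedirects as exc:
        print("refused:", exc)
```

Without `follow`, the call returns the 301 and its one-line body exactly as Step 7 shows; with it, the chain ends at the 200 response that Step 9 displays.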
