She has explained how Nmap works and how it is used for host discovery and port scanning. Now I am going to talk about Nessus. Nessus is an open source software vulnerability scanning tool. It is used for finding the vulnerabilities in a specific web application, or it can be used for finding the vulnerabilities in a target host. It can also be used to discover which hosts are alive in the network and then perform a port scan on those hosts. Another feature of Nessus is that it can scan a Windows system to identify or detect which malware is sitting on that system. Now we will have a look at the Nessus tool. I have already installed the Nessus tool on my system. Installation is quite straightforward and the instructions are given on their home page. Here you have to enter your user name and password, and this is the home page of Nessus. Here you can see there are different tabs: scans, schedules, policies. So to start with Nessus, first of all you should understand what the flow of Nessus is. Here you should first create a policy, and then using those policies you can create a scan. You can do a scan on the target system or target web application. So what is a policy? A policy is basically a set of plugins, and these plugins check for vulnerabilities in the target host or target web application. So there are already thousands of plugins in Nessus. You can see those plugins over here. There are many plugins; have a look at this plugin, CGI abuses: XSS. So what is XSS? XSS is cross-site scripting. It is a software vulnerability that is found in web applications. So this plugin will try to find XSS vulnerabilities in the web application. So this is actually a plugin family and it has this many plugins inside this family. It has 554 plugins inside this family. So first of all in Nessus you have to create a policy and then use this policy in creating a scan.
So how to create a policy? Go to the policies, click on the new policy, and as you can see there are many options available here: host discovery, basic network scan, web application test, Windows malware scan, and there are many more. So depending on what type of scan you want to do, you should choose an appropriate policy. Suppose you want to discover which hosts are alive and do a port scan on them. Then you can choose the host discovery policy. You should give a policy name, say host discovery, and a visibility, private or shared. When the visibility is shared, it is shared among the other users on the system. Then click next. Discovery type: host enumeration, it will just check whether the host is alive or not. There is also an option for port scan, all ports or common ports. So depending on them you can perform a scan. Since this was already done in Nmap, I am not going to do it again. Let's have a look at another policy, say basic network scan. This policy is used to find vulnerabilities in the target host. First of all, using host discovery you are finding which hosts are alive and which ports are open on those hosts. Now using basic network scan you are going to find the vulnerabilities in those hosts. So in order to create this policy, select this one, give the policy name, basic network scan, select the visibility, private or shared, next. Here is the scan type, internal or external. Depending on the scan type a specific set of plugins will be enabled. And then just click on next and the policy will be created. Here, if you are going to scan a system which has a Windows operating system, then you are required to give the username and password of that system. And if it is a Linux system then provide the password, username is always root and password of that Linux system. And then click on save. So the policy will be created in this way.
I have already created this policy, internal network scan: policy name internal network scan, scan type internal. And step 3 is actually an optional step, where you can provide credentials or not. Now once you have created the policy, we are going to launch a scan. So let's go into the scan tab, and when you want to launch a scan, click on new scan and give a name. Right now we are going to use the basic internal network scan policy in this scan. So let's go and name it internal network scan, specify the policy that you are going to use, internal network scan, folder MyScan, and specify the target on which you are going to perform this network scan. You can specify the IP address of a single host or you can specify the IP addresses of a range of hosts. Like if you want to scan a single host then you will specify 192 dot something like this 192 dot 162 dot 2 dot 22 dot 1 and if you want to scan a range of hosts then you will specify 192 dot 162 dot 22 dot 0 slash 24. So it is going to scan 255 hosts in that range. And then just click on the launch button. So it will launch a scan. I already have the results of this internal network scan, so I am not going to do it again because this scan takes a little time. So I scanned one system which has this IP address 10.129.154 dot 1. I did a basic network scan, basically an internal network scan, on this host and it shows that there are five critical vulnerabilities, one high vulnerability, two medium level vulnerabilities, one low and the other is informational. So this shows the criticality of the vulnerabilities that are present in the host. When you click on it, it will show all the vulnerabilities that are present in the target host. Here as you can see it also shows what operating system is used on that host. So here Microsoft Windows XP is used with service pack 2 and service pack 3.
Now let's have a look at the vulnerabilities. So select this one, Microsoft Windows XP unsupported installation detection. It says that the remote host is running Microsoft Windows XP. So this means that this is an outdated Windows XP and therefore Microsoft is no longer creating or producing patches for the vulnerabilities that are found in XP. So if there are any new vulnerabilities that are found in XP, then it is going to harm your system and there are no patches for it. So it is also providing a solution: upgrade to a version of Windows that is currently supported. This was just a simple vulnerability. There are also technical vulnerabilities such as, let's take this one, MI067. It says that the remote host is vulnerable to a buffer overrun in the server service that may allow an attacker to execute arbitrary code on the remote host with the system privileges. So what this vulnerability means is, there is a C program in the Windows XP server. The name of that C program is NetAPI32.dll, and in that program there is this buffer overflow vulnerability and the attacker may abuse that vulnerability. There is a C program in Windows XP server which has this vulnerability, buffer overflow vulnerability, and the attacker may abuse that vulnerability. So this was about the basic network scan. Now let's create another policy, say web application test. This policy is used for scanning a website to find different vulnerabilities that exist in the website, such as SQL injection or XSS or something. So if you have got your own website and you want to check whether it is secure or not, then you can use this policy, web application test. So in order to create this policy, select this one, web application test. Give the policy name, visibility, private or shared, next. Here scan type, less complex or more, it will scan accordingly. Web mirroring start pages: here, you have to specify the URL of the website that you are going to scan.
And then next, you have to specify the URL of the website that you are going to scan. So specify the URL of the website, and this is an optional step where, if the website requires user credentials, if the website requires a username and password, then you can provide them over here in this login page. You can provide the username and password in this form. And then just click on the save button and the policy will be created. I have already created this policy for scanning one website called http www.insecurelabs.com.org. So this is the policy that I have created. So policy name, insecurelabs, next. I have specified the URL of the website and it doesn't require any username and password, so I haven't specified anything. Now, once this policy is created, you can launch a scan to scan the target website. Then click on new scan, name, again, web application test, specify the policy that you have created. This one, insecurelabs, specify the policy that you have created. And again, you have to specify the URL of the website in the target. Same URL of the website. And then click on launch. And this scan takes quite a long time. So I have these scan results already stored. So this was the website that I had scanned using that policy. It says that there are six medium-level vulnerabilities and 24 informational vulnerabilities. So when you click on it, you will get a list of the vulnerabilities that exist in that website. So as you can see, let's check this vulnerability. It says that the remote web server hosts a CGI script that failed to adequately sanitize the request strings with malicious JavaScript. It means that this website is vulnerable to XSS, actually. We had checked manually. And we saw that this website is vulnerable to XSS. And now, using the Nessus tool, it was able to find that that website is vulnerable to this. Using this Nessus tool, it was able to find that vulnerability.
These XSS are likely to be non-persistent or reflected. So using such policies, you can scan a website that you want. Now, when you select a particular policy, a set of plugins is automatically enabled. But if you want to create your own policy, where you want to specify which plugins should be enabled, you can go to the Advanced Policy and here give the name and everything, the name of the policy that you are creating. And there are different options: port scanning, performance, the number of hosts it must check in one scan. Different options you can specify. And here are the plugins that you can enable or disable. So by default, all plugins are enabled. So suppose you want to create a policy that is going to scan for malware in the target system. So obviously, you don't want all of the plugins to be enabled because it will take a long time if they all are enabled. So you can filter the plugins. Using this, there is an option for filter plugins. Specify plugin name, contains, say malware. Then it will show all the plugins that have malware in their name, and apply. So it is searching for all the plugins that have malware in their name. It will show 4 to 5 plugins that can be used for this malware scan. It takes, see here, these are the results. Now here, there are five plugins that have malware in their name. So this is the plugin. So you have got a set of plugins that can be used for finding malware in the target host. So this is a great tool for finding the vulnerabilities in the application as well as in the target hosts in your networks.

Let's open the floor to questions. Can we check the application which is in the LAN or we can check the application in the LAN also? Yeah, in the LAN also. It's on private IP. Yeah, you have to specify the IP then followed by that. Private IP. Shall we add plugins? You said define plugins. No, you can't add plugins actually.
There is already a list of plugins that are downloaded when you're installing this Nessus. And you can just enable or disable. No, we are creating policies like we can add plugins. You can't add plugins. You can choose plugins but you can't add plugins. Plugins are downloaded from the server side actually. Here you can just enable or disable them. There isn't any option to add a plugin or create a plugin. How to install and configure this? Sorry? How to install and configure this Nessus? It is very straightforward actually. Just download the exe file and click on it. It will go on. So what about 1.2? Sorry? What about 1.2? Same process as we applied in the previous virus. Yeah. So for installation of all this software we are using, we will be giving you a VM which you can run on your VirtualBox. So this VM has already installed all the software we are using. So you can just load that VM inside VirtualBox and you can use those tools directly, if you want to use these tools in your colleges. So you do not need any installation separately. Yes, all the tools we are using, we will bundle them in a VM. You have scanned for a buffer overrun and said that some particular DLL has the. So actually how it is done? Actually the information about that vulnerability is provided in that itself. When you see that vulnerability, it has given the description about it, the solution. Microsoft has released a set of patches, and See Also. Then it has given one link where you can find the information about that vulnerability. Let me see, just provide the information. Yeah, it will provide an information. It did not penetrate into the victim. Yes. Which is inside and analyze the DLL file. That is what. No, no, no. It only checks for the suppose it knows that this vulnerability is present in XP system of this version. So it sees that version and says, OK, there is a file which is not patched and this has a buffer overflow. Sir.
Do you have to specify the IP address of that remote system? Is it legal? Yeah, it is legal. If you are doing it in your private network, then you can do it. So if you are not attacking and you are causing any harm, I think there is no harm in it. This is just for finding the vulnerability. So why do you want? OK, so the tool is basically for your convenience only, for checking your application. Like you have hosted an application, you want to check if there is any vulnerability or not. There can be a negative thing also. So you want to attack Google.com, say Gmail. Then you will be using this scanner. So this means that you want to do some harm. So I think you should not do that. This tool is basically for your use, for your applications, to check if there are any vulnerabilities or not. So by using it, I can find out what will be happening. Yes, you can check. But that is for you. It means you want to attack, right? Because you want to find the vulnerability or you want to inform them. Sir, suppose my machine is in the network and I don't want my machine to get scanned. What shall I do? OK, yeah. So suppose, OK, you are asking that if there are hosts inside your network and somebody else is using this scanner. You want to prevent that, right? So you can use some firewall or some rules. Any specifiers or rules inside your firewall so that another host cannot scan your system. There is definitely an ethical aspect to this whole thing. That is one of the reasons over the years, even though I've been teaching security again and again, I'm generally reluctant to start telling students in a huge class of 80 or 100 and so on to use all these, you know, Ettercap to do ARP spoofing or DNS spoofing and so on because it can really create much havoc. So one of the question, that is why I always keep only three or four students who I absolutely trust who will not do anything wrong.
There was a time when one of my small groups actually, two or three of my students, they were working with me, they set up a honeypot and that honeypot was just sending messages in a crazy fashion. And then there were, you know, complaints from so many different people in the department that the network has slowed down, the system administrators and others, that I simply abandoned this entire project completely. So there are many aspects of creating a security lab. In fact, I've got a very good book on this which I should share with you. It's not right now here with me, to create a security lab. The question is who can use it? What are they doing with it? And so on and so forth. These are very, very, very critical issues because as a faculty member, you set up this lab and your students do something wrong, the blame ultimately goes to you. Why did you set this lab up? Why did you tell them to do this? This is one of the problems that I've been facing personally. So what we do, we do it in a very incremental way, just having two or three students do this thing. In fact, you will see that even in this lab that you are attending, we don't have you touch Nessus and Nmap and Snort and so on and so forth. For one thing, many of these vulnerability scanners, they generate a great deal of traffic. So we thought about it and we agonized over it. We would like you to have hands-on experience with these tools, but then it generates so much traffic, 250 participants or 220 participants, that something is going to happen, the network is going to crash or something. So we said, okay, we'll just have demos and we will encourage you to install it in your colleges and interact with us about how things are going and so on and so forth. And regarding that other question about, can you scan remote hosts?
Most of these attacks, the starting point, the onset of these attacks is the first step, if I want to attack a machine, is scanning that particular subnet or that particular network, that remote network. So that is the best way to catch a hacker. You see who is trying to scan your internal network, whether it's a port scan or a network scan or any kind of vulnerability scan, see where it is coming from, try and trace that. And the best way to do that is something called an IDS device called a honeypot, which traps all these things and the honeypot induces you to attack the network. See, I've got a honeypot that I've installed over here in our network. It induces hackers around whoever wants to hack to come into my network and start scanning and so on, to send certain worms and so on. And I trap those worms and then I can do a study and see what are these possibly new mutants of worms that are being unleashed around the place, et cetera. So yes, about the remote scanning, is it legal? That was the question, is it ethical? Is it legal, et cetera? Frankly, I don't know which rules exist today that say it is illegal and it's illegal. I believe you can do it. I think we have done it on Google and so on, right? We have scanned Google to see what are the services that are exposed, et cetera, et cetera. So you can do it provided you don't take it any step further because otherwise the blame will come to you. So be very, very careful. We are treading on water actually over here. There was one gentleman in the audience from Amrita. Where is he? Oh, yes, yes. So he had a very nice discussion with me over lunch about the ethical issues about this and whether we can address that. And I really think this is food for thought. We really have to have a session on ethics. Maybe we can't do it by the time this workshop closes but by the time we have the next workshop, we will put together ethics. 
I hope some of you will help me to put this together because it's a common problem for all of us. How to make our students do ethical hacking without doing anything bad, without doing anything wrong, without spreading wrong information and teaching others to do something wrong, et cetera. So that's a very, very serious issue in this course. You don't have this problem in other courses. You teach operating systems or architecture or databases. All these things don't exist but in security you have to be very careful about who is doing what. There's a great opportunity to abuse things. Yes, any other questions? Anything on Nmap that Ritu Bala showed you? Yes. Sir, once if he's scanning some remote host and if he found who is a hacker, then whom should we report? Well, you can't just say somebody is a hacker just because he's scanning your network. I mean, you know, there could be spoofed scanning, for example. Somebody else pretending to be this guy who's scanning. You have to be able to trace the footprints very, very carefully. First, something has to be, some harm had to be done, has to be done to you. It's scanning is not exactly a, you know, anything that's terribly bad. I mean, as I said, we have been scanning Google and so on, right? I mean, are we going to go to jail because of that? So you have to, that other party has to prove that you are guilty of something, of stealing information, of stealing credit cards, et cetera, et cetera. That becomes a big issue. That's the whole subject called forensics. Maybe Professor Shiva talked a little bit about it today. How do you catch, you know, how do they leave fingerprints? How do you, I've got books on this, by the way. I've got a collection of about 70 books on security. One of them is actually forensics. How do you catch, after the act, how do you catch this person? What fingerprints has he left all over the place so that you can actually nail it down to him and say, you were the guy responsible for this thing?
Yes. Sir, is any case study for botnets? Case study for botnets? Not one, but 10 or 20. How to detect it and how to detect botnets? There are lots and lots of research papers right now. That's a very good area of research, actually. Not only the, both of them, to create a botnet, ethical hacking, and to detect botnets. It's very likely, I always ask myself the question, how many of the laptops on this campus are bot infested? And it's probably a very large number. Monitoring everything you do, et cetera, et cetera. How do you figure all these things out? That's a very active area of research. Sir, regarding the software you are going to, you are saying that you will give the bundles of the software? Yes. So is it a virtual OS image that we have to load in the VirtualBox? Yes, yes. I think that images will be machine-specific. So will it run on our machines also? We have to version it on the virtual machine. But it will be configuration, it is specific to the machine and the configuration where that image is created. So will it work on our machine and our configuration also? Yes, it will work on your configuration because you will be using VirtualBox. So this is a software which runs the operating system. So this does not depend on your hardware. So if you can run VirtualBox on your machine, then you can run this virtual machine also. Otherwise, for all this software, I think Nessus, Wireshark, Nmap, for all those, I mean, they are also available for Windows. Yeah, they are also available for Windows. All the software, no? Yes, yes. BackTrack. BackTrack does not have the DVWA and all and some of... BackTrack is available. Yes, yes. BackTrack has all the things but some of them are not there. Like DVWA is not there and some more. So we are using those, so we should include that also. Yes, it is also available on Windows. You can also install. If you want, we can give you instructions for installing the DVWA inside Windows.
Is it possible to have attacks even on systems that have antivirus? That depends on the antivirus; if it is outdated and some new attacks are there, then it can, obviously. Instead of DVWA, can we use WebGoat? Yes, you can also use WebGoat. WebGoat also has, I think, all the... Yeah, it has all the top 10 vulnerabilities, web... Yes, yes, you can also use that. But we were using the DVWA application more so we shot that. WebGoat is also another option. So I think with Kali Linux, we could customize that. And all the software that you are mentioning could be fitted into a Kali Linux. Yes, Kali Linux is a new version of BackTrack, actually. Now, BackTrack is outdated, it is another BackTrack. So they renamed it to Kali Linux. So if we create and customize a Kali Linux ISO, then it would be light and it could include only this software. Yeah, it could. So I think you all were working on Ubuntu. So we thought that we will create the Ubuntu image. So this will have all the installation. So that was for your convenience. If you want, we can bundle all this software inside Kali Linux. It has many more software which we haven't shown you. No, we have to create the lab session at our end. Yes. Can we install all systems with Ubuntu? Yeah, sure, why not? Instead of going with two operating systems, can we practice only with one? It's not necessary that only one operating system is available. Okay. You suggest to have two Windows as well as open. You can practice on either Windows or Linux. Let it not create confusion so that we'll follow only one thing. Okay, so you just install Ubuntu. Because many tools are available for Ubuntu. Like, your Wireshark is pre-installed in your Ubuntu. Yes. And all these things, the BackTrack. Yes. So shall we go for that Ubuntu? Yeah, if you want, you can go for Ubuntu. But like you said, Windows doesn't have Wireshark and Nmap pre-installed. So you have to reinstall them.
Because most of the Windows operating systems have been outdated. They are coming with Windows 7 and so on. Yes, yes. I think you should use Ubuntu then. Because it is. Go for Ubuntu, I think so. Yes, yes. Why can't final-year students attend the workshop? They're interested. We take final-year students. It's clearly mentioned that only teachers can attend the workshop at remote centers. So the question about whether students can attend, whether company people ask me can they attend, and so on and so forth, the answer is really speaking, the mandate from the ministry to us was to basically teach the teachers and to raise the standard of our colleges around the country. So you know very well that the standard overall, maybe there are of course exceptions, but the overall standard is not that great. I mean, you just go around, at least here in the city of Bombay, so many people are thinking of sending their children abroad for further studies, for a bachelor's. Why? Why can't we give them quality education here in itself? Why do they have to spend so many lakhs, tens of lakhs to send their kids abroad for education? At a fraction of the cost, we can educate them, right? So the onus, the responsibility is on us to develop very good courses, and I would really like to see security pick up and not only security, so many other courses and have not just a few universities that are very great in India, we would like to have many, many, many universities that are good in India, because we have such a large population, 1.2 billion. If you compare it with the United States, for example, just look at the number of universities, look at the top 100 or look at the top 50. Even the top 50, almost all of them have got good quality. Of course, the top five or the top 10 are absolutely terrific, but then the next 20 are very good and so on and so forth. While people complain over here, we don't, where do we send our child?
He wants to go for medicine, but medicine is so expensive. We think of engineering, which college to send him to and so on and so forth, if he doesn't get into IIT or this thing or that thing. And we really need to improve the quality of education in our colleges. I mean, we should have hundreds of colleges that are top quality, not just 10 or 15 or something like that, for a population like this, 1.2 billion. So the goal was to actually spread high level of education around. So we've got many such courses that we've organized. I think recently Professor Fartuck had the programming course, C-Language Programming. Professor Kameshwari had the networks course. Professor Sudarshan had the database course. So that we have quality in many, many colleges around. Now, of course, one of the issues is one of the things that people say is, why don't you bring them all to IIT, Bombay and teach and so on. But of course, we can bring 200, but we can bring 10,000 over here. It becomes very difficult to scale up. So this great idea came about where we will try to improve the quality in say 200 colleges. And each of you has the mandate when you go back to your hometown, to your college, to bring 50 other people from 50 other colleges and train them and improve their standard greatly. That is why I'm so interested in it. I desire so much that this software be installed, you'll start using it, you'll start working on it. Unfortunately, we can't have you have hands-on experience over here for reasons I mentioned. But try to install it as soon as you can. Try to get familiar with it. Try to become a hero in this thing and sort of train a few students of yours, maybe a few colleagues of yours and eventually those 50 or whatever people from around your area. When they come to you in July, they should also become experts. Gradually we should build more and more expertise. I would like to see a day when people say India is one of the greatest in education. 
When people from around the world come to India to study. Here we have an exodus, people leaving and going here and there and there to study. We have very few people coming here. We've got few, we used to have few students from Ethiopia or some students from Cambodia or this or that. Few students coming. India is not the mecca of education, especially higher education. We need to become that because we have huge amount of talented manpower. Why not harness this manpower? You see, you see so many, you go to the US for example, I was there for 16 years. You go there and you see in every single university, research lab, Indians doing very, very well. If there is so much talent, why don't we do that here itself? Only when we go there, we do well. When we are here, we don't. And education is not something so difficult that we can't do, right? If everyone puts in the hard work, we can be centers of excellence over here. So the thing is that we have very few for this population. How can we increase it? So that parents don't have to regularly complain and get worried, where am I gonna send my child to? I mean, I've heard this at least 30 times. What do you think I should do? Where do you think he or she should go? Now, what do I answer, tell me? It's so difficult to get into IIT. So then the person says, it's impossible for my child to get into IIT. The competition is so much. But at least if I had 20 names to say, you could try this or this or this, and there's a fair chance of you getting the qualities very good, it would be much more gratifying to me, right? I would feel less embarrassed to answer that question. So let us do this. Let's all get together over here and say within one year, our college is terrific in a whole bunch of different courses. Let us start the education thing and then let's move on to research, where India is then known as a research superpower. Because we have all this human talent, right? 
People yearning to study, people yearning to work, et cetera. Let's build them up as a formidable force. I mean, I make a simple statement. If Indians can do well when they are abroad, why not over here? Can anybody, does anybody have the answer, satisfactory answer to that question? Why can't we create the conditions where our people flourish and thrive? Are very productive. Are you doing great research in your colleges? How many people are doing great research amongst your colleagues, et cetera? Are you publishing some great new ideas? Does the world know about those ideas? So that's the thing, right? We should start by this education thing. I know some of you have done very good PhDs. I've been talking to some of you in the last three days and I'm extremely impressed on the different things that you're doing. But we should have a larger number of those people for the population. So to answer your question, the mandate is not to bring students and everything because that sort of, you know, is not really the mission. I mean, we would like to have as many students. We'll have no end to this. But at least the multiplicative effect if we, you know, have 200 participants and then each of those 200 trains another 50, then straight away we've got 10,000 people trained through this two phase thing. That is very good. Even if out of those 10,000, 2,000 are trained very well and they train their students, I think we, you know, we are successful. And do this in many, many courses. So challenge yourself to be a hero in this, in this subject and in other subjects and also to make your college shine. Say we will go all out for excellence and we'll compete with international universities. Why, why, you know, shy away from that? Let's see where we are 10 years if all of us resolve to do this. But it requires a huge, huge amount of work and huge amount of sweat. Now there is a team, right?