Now we will have a question answering session where you can ask any questions regarding the tools that were demoed in the workshop.

Bharatwada Institute. We are facing a lot of difficulties in installation. Is there any alternative way of not installing the tools? I believe Snort is already installed in the virtual machine. For installing it on your own systems, you can follow the online manual, which explains in very easy steps how to install Snort and Barnyard. If you want, we can post the link to that manual on Moodle.

1173. This is from the Agriculture Engineering College. Go ahead. Our doubt is, before attending this workshop, we had downloaded Snort on Windows. So how do we view the rules in the Windows version? On the Windows machine, how did you install Snort? It was available on the web. Okay, so you downloaded the installer. Ah, yes. When you go to the installation directory of Snort, there should be a folder called rules. In that folder, you can see a file local.rules. If not, you can create the file and write the Snort rules there. Thank you.

My question is, what are the different rules that can be written using Snort other than TCP and UDP, etc.? Apart from TCP and UDP, the only three protocols that we can give are TCP, UDP and ICMP. And there are many rule options available. You can see the Snort manual, and you have to use your own creativity in creating new rules. Also, you can subscribe for Snort rules on their website and download the rules from there.

Dronacharya College. Can you explain the various alert modes of Snort, for example full, console, etc., and what are the differences between them? The modes that are available are alert for generating an alert, log for logging the packet, and pass for ignoring the packet. Apart from these three, there is also an option of dropping the packet. But that option is available only in the inline mode of Snort. For inline mode, you have to use a different kind of installation.
In this installation, you can only alert on or log the packet.

1145. Yeah, we have Snort over here as a demo. So what are the other features provided by Snort? Port scanning, detecting synchronous alerts, likewise. What additional features can it provide? As I have already told you, Snort is used to capture packets and analyze them and then generate an alert if anything suspicious is found. So this is the most basic functionality of Snort. You can change it any way you like using the Snort rules. You can write any creative rule and see the results after restarting Snort. The only thing that you can do is change the Snort rules so that they suit your specification.

Can we make use of this tool for all kinds of web servers? Snort is not related to web services in any way. Snort only captures packets and analyzes them. So it can capture any kind of packet which is targeted at any web server. It is not related to the web servers. It can capture any packet.

You have demonstrated using the Linux operating system. So how to make use of the tool in Windows? You can make use of the same tool on all other operating systems also. In the demo, we have installed Snort on Ubuntu. Additionally, you can install it on Windows also. There is no problem installing it on Windows. Thank you.

I have two questions on Snort. First, is it possible to define multiple rules in the local.rules file? Say, for example, one on TCP and another one on UDP. Yes, you can develop any other rules in the local.rules file. Okay. So the second one is, is it possible to have a list of attack vectors predefined in a place and use it? Say, for example, if I am running a web application service on a port and if I am trying to do an SQL injection, is it possible for me to define SQL injection in a place, so that at once, if the attack vector reaches the port, I can write an alert? Is it possible? Actually, when you open the directory Snort rules, it will have different files for different attack vectors.
In each file, there are rules for that attack vector only. So if you want to create rules for different attack vectors separately, you can make a separate file. You have to remember that whenever you make a new rules file, you have to enter the name of that rules file in snort.conf. When you open the snort.conf file, you can see that there are various rule files listed. You have to list your rule file also. And then restart Snort. Thank you. Is it possible?

Good afternoon, sir. Sir, what do blacklist and whitelist rules indicate in Snort? Blacklist and whitelist are not rules. Rules are only those that are defined in the snort/rules directory.

Sir, what are the packages we have to install to execute Snort on Kali Linux? I believe Kali Linux is a version of Ubuntu, or a version of Linux. So there won't be any problem if you follow the same steps that are used to install it on Ubuntu. You can follow the manual for installation, which will be uploaded on Moodle soon. And it will work on Kali Linux also.

Vala Nehru. In OSSEC yesterday, we were not able to connect to the remote machine, or to the nearby machine at least, and analyze using the SSH command. Would the problem be in the network settings or anything other than that? Most probably the problem would be from your network setting, the way you installed VirtualBox. See, during installation, you have to enable VirtualBox networking. So in the instructions, it was given to disable it. So that is why most of the problems come. So you just need to reinstall VirtualBox with default settings. And then you will be able to SSH from the host machine to the virtual machine. So the experiment is designed in such a way that it will ping from any other machine if you give the bridged connection option. I think that answered your question. And if you want more specific doubts or specific details, you can use our forum. And you can post some screenshots so that we can get more idea about the error.

Techno India Salt Lake.
I have a question out here. When we are doing penetration testing, we use Nessus and Metasploit to do it. So whenever we are doing it, can you just explain how we can use Nessus and Metasploit in doing penetration testing? So we demoed actually the same thing. I mean, to do any penetration testing, you will first have to scan the open ports, which you can do using Nmap and Nessus both. Once you scan an open port, based on the database of Nessus, it will have many vulnerabilities present in that system. So for example, Windows, when we have port 445 open, it will give the vulnerability MS08-067, which we have demoed today. Based on that exploit, you can actually use Metasploit to exploit that, which has already been told to you. Just a follow-up question on that. So after we get the exploit, what is the next step? Can we usually go for using, when we are doing the port scan, can we use Snort there? Yeah, Snort is not for preventing any sort of thing. It is just to detect. So if you figure out that there is a vulnerability in that, you just use Snort, based on the rules, and then you can figure out whether a port scan or some exploitation is being done on that. Thank you.

Yes, go ahead. What are the different file formats that Snort logs support? Can I repeat? I need to export some analysis. What do you mean by file format? If I need to do some analysis on the logs, I need the log in certain formats. So say XML format is generally used by many people. So does Snort support that? No, Snort doesn't produce logs in XML format. Snort produces logs in .log format or .u2.<number>, and that log can be read using Barnyard. That's why Barnyard is installed. You don't have to worry about how those rules are saved in your system. You only have to run Barnyard. It will read the rules for you and display them on the interface. OK, so suppose say if I'm going to get an alert on an intrusion. So how will that data be stored? That data is stored in Snort format.
It is snort.u2.<some number>. So suppose if I want to do an analysis on the historical data, are there any tools to do the analysis? Say I want to do a correlation with these logs for several months. I will say that I haven't tried that. But one thing that I can suggest is, when Snort logs are stored, Barnyard can read them and update a database. You can write a query on that database and extract all the alerts that have been generated since the beginning. And you can choose any format, text format also. And you can write a program to access that file. That will be easier than reading Snort logs.

OK, Spatil. Yeah, my question is for Nmap. How can we figure out which version of OS is running using Nmap? So in Nmap, there is an option of OS fingerprinting. In the demo, I showed a scan option which is called aggressive scan, which performs all kinds of tests on the target host. It also does OS fingerprinting. But Nmap has a database of OS fingerprints of the well-known operating systems. The fingerprints are there in the database already. But if we find some new fingerprint and it is not there, and Nmap does not predict what operating system is there, then we can contribute that fingerprint to the Nmap database. So this way, the database of Nmap keeps on growing every day. So OS fingerprinting is an option in Nmap which you can use.

ACDM Memorial College. So my question is how to run the SSH command in the OSSEC tool? As I said, mostly this problem is because of the way VirtualBox is installed. You need to reinstall VirtualBox with its default settings. And then you will be able to SSH. You saw the OSSEC video. In that video, this SSH is completely explained. So you stick to the video; that will guide you better. And if you have any more specific question, like any configuration or something which needs to be done for SSH, then you can post that question on Moodle. We will try to answer it as soon as possible.
So we have to reinstall VirtualBox again. Yeah, because in the video, I have shown that you have to select the bridged network. So if you disabled VirtualBox networking during the installation, then you won't be able to see anything which is listed in the drop-down menu. So you need to reinstall to make it enabled. That will fix the problem, I believe. Thank you.

Yeah, BH Gurney College. My question is, is it compulsory for Metasploit that the victim has the XP OS, or can it be performed on any other OS also? Yeah, there are a lot of exploits in Metasploit. There is a list of exploits you can see. So mostly they are on Windows. But you can find many exploits on Ubuntu as well, on Linux systems specifically. And also, you can update your Metasploit. And it will have more and more exploits on Linux systems. Second question is, how can we get a GUI of the victim? GUI of the victim. In my demo, I have two VirtualBox machines. So actually, I am showing the operating system, the victim operating system. In the real scenario, you may not get the GUI. But you can get a command prompt of that system which you are attacking. You say that now, there are two views in VMware, there is victim and attacker. OK? Yeah. In the attacker PC, how can we get the GUI of the particular victim PC? No. See, actually, in my demonstration, I have two virtual boxes. So I have actually two operating systems residing on my one VirtualBox. So that's why I was able to open two operating systems. So I was actually showing you the Windows operating system as a completely different system. So in a real scenario, Windows will be a different operating system. And you need to attack that. In the real scenario, you may not get the GUI of that system. OK, thank you, sir.

See, Shankar is going to call you. Sir, my question is regarding intrusion detection systems. First one is the placement of the IDS in the network.
And second is, when it gets a false negative, what is the type of, what is the level of risk in the network, in the whole system? You can see in this diagram, I have already explained the placement of the IDS. The topmost part is the internet, which connects to a router of our network, which leads to a switch. In that switch, there is a mirrored port. On that port, the IDS is connected. It is connected to a mirrored port so that the IDS receives a copy of every packet that is passing through the network. And then the internal network part consists of a firewall followed by the hosts that are present in the network. This is the simplest kind of installation that we can have.

Yeah, 1173. My question is regarding the Metasploit tool. So we set RHOST and LHOST. We gave the command exploit, but it says that it failed. So what's the reason behind it? Maybe the situation is that your firewall in Windows XP might be on. So you try to close the firewall, switch off the firewall. I mean, we are doing penetration testing. So this is justifiable that we are closing the firewall. So you should try that and then attempt. OK, is there any case study for Metasploit? Can you tell any problem where we can apply these tools? There are a lot of exploits on Windows. I mean, you can easily see them online. So I mean, maybe if you want, we can just provide you the link on Moodle. And you can look at it and then we'll tell you. You just post this query on Moodle. So we'll respond to that.

Sir, Ram Krishnan Institute. Sir, my doubt is, can Snort be used for personal computers? In case if we are doing research and I install Snort on my PC, is it possible to work with it? Yes, it is absolutely fine. In the virtual machine that we have given, it is installed on a personal computer only. So that is working fine. You can install it on your personal computer also. That will totally be fine. Thank you, sir.

VN College.
Sir, my question is, whenever we run a command with sudo, it didn't give results. But if we delete the sudo, then it gives results. Why is it so? I think this question is more relevant to OSSEC. So I have used sudo in the OSSEC experiments. Basically, sudo is to give a user the privilege of root so that some system-level changes can be made. So I think that answers your question. Basically, it's for doing some changes in the basic software components of Ubuntu or Linux. So a normal user won't be able to do any changes. But a root user can change the configuration. So to get the root user privilege, we are using sudo. There will be a separate file which says who the sudoers are. So I think you can explore on the internet what sudo is, what sudo permission is; that will give you a broader idea. So did I answer your question? Yes, sir. Thank you.

Gnanamani College of Engineering. Why can DVWA run only in a virtual machine? Actually, DVWA can be run on any machine. There is no requirement of a virtual machine. And you should have a web server running on your system where you can host DVWA.

St. Gates College. Can we use Snort to protect a network from denial of service with the default settings? By using the default rules, yes, it can stop DoS and DDoS. But there can be many varieties of DoS and DDoS. Snort rules cover only a few of them. If there is some new kind of attack, new kind of DoS attack or DDoS attack, then you will have to write a new rule to cater to that attack.

After Malingham College. Sir, are there any GUI-based Snort tools? For Ubuntu, no, there is no GUI. There's only one command. You can simply run it from there. For Windows also, there is no GUI. For Windows also, you have to run it using CMD. However, for seeing the results, for seeing the alerts, there is a GUI that we have mentioned in the demo. For running the Snort tool, you only have to run one command. That's why you don't have any GUI. One more question.
How can we create an IDS data set using Snort? If you want to analyze the data, Snort only captures packets and generates alerts based on rules. Those alerts are logged in Snort logs, and they can be read using Barnyard, and they are updated to a database. If you want to analyze that database, then you can simply log into MySQL and export all the data that has been generated by Snort. Then you can use any other process. You can write any other program to analyze that data set. If you want the details of how to extract data from the database, you simply have to log into MySQL; in Snort, the password is MySQL in the virtual machine that has been given to you. I will upload the steps on Moodle later.

Rajalakshmi Engineering College. I just want to know about the Nmap tool; we actually use the Nmap tool within the intranet only. You ask whether the Nmap tool can be used in the intranet only or whether it can be used on the internet also. See, the Nmap tool; by intranet, we mean the network of a particular institution which uses private addresses. It can be used there. It can also be used on the internet. But the only thing is that the internet may contain many security devices which can skew the results of Nmap. You can definitely use Nmap on the internet also. But there are some things, like the ARP discovery protocol which we demonstrated in Nmap, that cannot be used on the internet. Whenever there is a router between us and the target host, we cannot use the ARP discovery protocol. That's it. There is no other change.

J.L. Bajaj. My question is regarding OSSEC. When I was installing OSSEC yesterday in the lab, there were four options, namely server, agent, hybrid and local. And at the last, it worked for local only. So had I made some mistake, or does that work for local only? In OSSEC. In OSSEC local, we have made it so that it will work only in that system, that particular system, for experimentation.
But for practical usage, it is usually done in a network where the OSSEC server will be separately installed on a server with high capability, and the agents will be separately installed on the other nodes, so that the alerts will be sent to the server. So the server will do the processing. So the simple answer is, no, you can also install it in a network; it is meant to be installed in networked systems. So did I answer your question, or? Thank you.

Srinivore Institute. My question is from Nmap. What is aggressive scanning in the case of Nmap? The aggressive scanning option in Nmap performs a lot of tests on the target machine. First it does a discovery, whether the host is up or not. After that, it tries to scan all the ports, whichever ports are open. Mostly it scans the well-known ports, the first 1000 ports which are there. After that, it tries to send some malformed packets to the target machine, and by looking at the response which the machine gives, it tries to guess the version of the software running. Like, for example, if there is an FTP server running and you are sending a malformed packet with some bad flags to that particular port, by seeing the response of that machine, you can guess what version of FTP it is running. And similarly, for all other ports which are open, we can guess the version of the services which are running, and we can also similarly guess the version of the operating system which is running. And that feature is called OS fingerprinting. My second question is, how can we know which ports are currently open? Like, which well-known or registered port is currently open in my system, by using Nmap? You want to know what ports are open on your own system, am I correct? Yeah, yeah. See, you can do this by Nmap only. You can use nmap -sP (Nmap, space, minus, small s, capital P). This will not do the discovery check, but even if it does, there is no problem. After that, you give the range of ports for it to check.
You can do a TCP SYN check or a TCP connect check, whichever options I have shown in the demo, and it will give the list of all ports to you. Another command in Linux is ss -at (small ss, space, minus a and t). This command in Linux will show you what ports are open and listening on your own machine. So you can find this out without Nmap also. I have another question. Traditionally, the IP format, the frame format, has lots of fields; can you modify the frame by using some commands, like the TTL or any other fields of the IP datagram frame format, manually? You want to create custom packets. That's what you were asking, right? So there is a tool for it. It's called hping, H-P-I-N-G. You can use that tool, and it creates whatever kinds of packets we want. And there is another tool called a network packet generator, and to this network packet generator, you can provide exactly the packet which you want to transmit in a file, and it takes the input from the file and simply transmits it on the wire.

Central University. Is it possible to develop some applications that directly communicate with the data that is provided as output by Snort? No, I haven't worked on any application which directly reads the data. The only application we have used is Barnyard, and as I've already told you, if you want to read the data using some program, then you can extract the data from the MySQL database which Barnyard updates. You can use the database and export the data from there and then run any program on that. If I come across some application that can directly read the Snort logs, then I will certainly inform you. Thank you.

VMS College. Sir, how to try out a new detection algorithm among these tools? Like in BVM, BVR, Wireshark, and in this. If I am correct, you are actually asking how to try out your own algorithms. Like, say, if you want to try your own algorithm which you designed and you want to try it out using some of these tools, am I correct? Yes, sir.
It depends on the algorithm you are using. Like, if you create some algorithm for network intrusion detection, see, most of these tools are open source tools. So these tools are mostly available online on GitHub, and you can go to the websites and you can find where the source files are present. So you can download the source files. You can find out where exactly those things are, like where those functions were written. So you can write a file which adapts to that particular software and you can plug it in, or you can modify the software so that you can try out your own algorithms. So these tools are open source tools. So you are free to work with them and you are free to modify them at your own risk. If you want to add a new plugin into Nessus which will perform your new detection algorithm, then you can write it using the NASL language which is provided by Nessus. So Nessus community users do write their own plugins and add them to the Nessus database so that they can be used through Nessus to perform that particular intended activity. So Nessus is a tool you can use.

SASTRA University. How do we protect Snort, because in the morning session we saw that we can tell it to even lock from a machine. Is there any possibility that the intruder can disable Snort, or if they identify that the IDS is running on a machine and go ahead and disable Snort, what are the procedures we need to follow to prevent that kind of action? Yes, it is very possible that the attacker can attack Snort. It depends on the skill level of the attacker. So I think it is possible to attack Snort also. And if you want to know, there can be multiple levels of IDS. Like, we have installed only one IDS on our system. You can install two or three IDS also. So if the attacker attacks one of them, the next IDS can detect that attack. You can install Snort in that way also.

PVP. Can we capture MANET connections using any tool? So I am not sure about this answer.
But let's say you connected your mobile with your system and your system is running Wireshark. And the MANET network is on in your system and you can access it from your system. Then Wireshark can capture all the packets which are sent through or sent to your mobile, and it can be done, I believe. I am not sure about this. So you can post a more detailed question on this on Moodle if you want a detailed answer. Also, in Snort, if you are connected to a mobile ad hoc network, that network interface will be visible in your system. So when you run Snort, there is the last option where we have given eth0. That is for the Ethernet interface. You can replace it with your mobile network's interface also. Then it will capture and monitor the packets of the mobile network. Hello sir, I have one more question for you. Sir, the tools we are using, Nessus and Snort, are they used for connection-oriented networks? Can we have all the monitoring tools for any wireless networks, or can these be used for the same purpose? As I just explained Snort, I can tell about Snort. Snort can be used for wireless networks also. Instead of the Ethernet interface, you have to mention the wireless interface, which is usually wlan0 in most Ubuntu systems. So you can use that interface to capture the wireless packets. With Wireshark also it's possible. The only thing is, during selecting the interface, you have to select the wireless network.

Dronacharya College? My question is, suppose we are getting some threatening emails from a no-reply server. So can you suggest any tool to find out the sender's location? It's sent from a no-reply email ID. So basically Google, Yahoo and whatever the mail servers are, they have a no-reply email ID specifically for sending no-reply emails. So that is the sender. So apart from that, if you want to know more details about the email, where it was sent from, where it came from and all those things, they can be got from the email header. And there are online tools which are available.
You just search on Google, like "analyzing email headers". So you can find the tool. You just need to copy the header and then paste it there. And that will give you the entire details of, I mean, when it was sent and who sent it, what server it used and all those details. So you can get it from email headers. So search for email header analysis on Google. You can get those tools.

Group. How will you use this Nmap tool for ethical hacking? Nmap tool for ethical hacking. See, the tool doesn't mean, like, the tool is for that purpose. Using Nmap, what you do is up to you. Whether you're going to use it for ethical hacking or something else, it's up to you. Basically you can use the tool for its purpose. I think my colleague will give you more details. In any kind of hacking there are various phases. Like, if someone is trying to rob a bank, for the first few days he will try to observe the schedule: when the security guard comes in and out, which doors are vulnerable, and when the vehicles come and go, and such things. So like, when you are trying to attack a network or a remote host, here also you have to do some intelligence gathering. So Nmap helps us in this. It's used in the reconnaissance phase of the attack, and it is not intended to cause any harm to the remote machine. It's just for gathering information which can be used later to cause harm. So in the ethical hacking sense, you can use Nmap to scan your own precious machines and to see which ports are open; which ports you want to be closed, you can close them, or you can put a firewall and filter the ports. Nmap is used for gathering intelligence, that's all.

Anna University. In DVWA, we executed some of the SQL injection attacks. We executed the attack for three different categories: low-level security, medium-level security, high-level security.
Low-level security allows it: when a user enters the user name as 1 or 1=1 and the password as 1 or 1=1, in that case, it displays the surname as well as the last name on the website. But when we go for a higher level, high-level security, it prevents single quotes as well as double quotes if they are entered in the user name and password fields. But my question is, are there any other methods, other than removing the single quotes and double quotes from the user name and password, for preventing the SQL injection attack in the DVWA software? Are there any other methods for preventing the SQL injection attack? Actually, you want to ask, is there any method apart from removing quotes from the string to prevent SQL injection, right? Yes. Yeah. There are hackers who can craft creative attacks in SQL. So therefore, instead of blacklisting, you should whitelist your input. Like, while sanitizing input, you should check whether the input is intended to be a digit value or a string; that should be done at the client side while checking the input. So that will be one solution. And another solution is you should detect queries in your input. Like, SQL has syntaxes: select, from, these keywords you can detect, and you can code your web page to detect these inputs and block these inputs while they are written into the input field. This can be one solution.

So, St. Xavier's, please ask your question. I wanted to know, if a firewall is installed in the network, whether we can work with Nessus too, or we have to configure the Nessus tool regarding that. I wanted to know whether, if a firewall is installed in the network, we can work with the Nessus tool or not, or whether we have to do any configuration in the Nessus tool for working with a network which has a firewall. Actually, what the firewall does is, the firewall screens the packets coming in greater number from any other machine. So what does Nessus do?
Nessus, in trying to ping that machine, sends more than five to six packets to that machine. So if the firewall is there, then obviously those packets will be silently dropped by the firewall. So it will be good to turn off the firewall. And the main purpose of using Nessus is to do penetration testing. So that's why we should turn off the firewall and do scanning using Nessus. And no other configuration needs to be done inside Nessus to get past the firewall. Did that answer your question? Yes, sir. Thank you.