The document is an internship report that includes:
- Details about the internship organization and the internship period.
- An overview of ethical hacking and the internship project involving identifying vulnerabilities.
- A description of tasks completed including Portswigger labs, detecting vulnerabilities on a banking website, and executing a payload on a vulnerable website.
- Results from ethical hacking quizzes and a generated vulnerability report using OWASP-ZAP.
- Conclusions about gaining technical security knowledge around hacking techniques and prevention.
2. ABOUT INDUSTRY/ORGANIZATION DETAILS
ORGANIZATION NAME : INTERNSHIP STUDIO
• Internship Studio is an online training and internship platform founded on
the principle that students interested in any field should not be required to
have any sort of perspective knowledge in order to start their journey in that
field.
• The Founder and CEO of Internship Studio is Mr. Aniket Bihani.
• I did this internship in virtual mode.
• The Internship Studio is located in MVPM Spark, Lane No 6, Ram Indu
Park, Nr. Balewadi High St, Baner, Pune-411045, Maharashtra, IN.
• Contact details: contact@internshipstudio.com
4. MY INTERNSHIP
ETHICAL HACKING
ETHICAL HACKING is a process of detecting vulnerabilities in an application, system,
or organization's infrastructure.
Ethical hacking involves an authorized attempt to gain unauthorized access to a
computer system, application, or data.
Carrying out an ethical hack involves duplicating strategies and actions of malicious
attackers.
This practice helps to identify security vulnerabilities which can then be resolved
before a malicious attacker has the opportunity to exploit them.
Hence, Ethical hackers use their knowledge to secure and improve the technology of
organizations.
5. INTERNSHIP DESCRIPTION:
• I thoroughly enjoyed my experience as an intern for the ethical hacking team.
• The work was challenging and engaging, and I appreciated the opportunity to
work on such a wide variety of projects.
• I would recommend this internship to anyone interested in ethical hacking or
cybersecurity.
• The purpose of this project is to identify, assess, and document potential
vulnerabilities in an information system.
• The project will also develop recommendations for mitigating or eliminating the
identified vulnerabilities. The goal of this project is to ensure that the information
system is secure and protected from attack.
• By identifying and assessing potential vulnerabilities, the project will help to
ensure that the system is not susceptible to exploitation.
• This project is important because it will help to protect the information system
from being compromised. By identifying and assessing potential vulnerabilities,
the project will help to ensure that the system is not susceptible to exploitation.
6. THINGS I LEARNED IN THIS INTERNSHIP:
Kali Linux
Networking
Wireshark and analysis
Cryptography
Man in the middle attack
Information gathering
Android Hacking With Metasploit
Password Cracking
Proxy chains and TOR
Web Application Security
Cross Site Scripting Practical
Types of CSS: Introduction to Portswigger
Social Engineering attack
Automatic Vulnerability Scanner
Reporting And Communication: Hands On Bug Bounty
7. My Personal Benefit
• I feel this internship has set me up for a better understanding of what legal
studies are.
• I feel empowered to be successful through the tools I have learned throughout
this process.
• This internship has allowed me to create a better understanding of how to find
resources and other information systems to create real-life experience for
comparing law and legal culture for future jobs.
• The skills I have learned through creating this legal comparison has allowed me
to build on my critical thinking skills.
• Learning how to conduct ethical hacking assessments and penetration tests.
• Gaining practical experience in report writing and presenting findings to
clients or senior management.
8. Networking:
The Fundamentals of Hacking
A network is a collection of computers, servers, mainframes, network devices,
peripherals, or other devices connected to one another to allow the sharing of data.
Protocols:
★ TCP(Transmission Control Protocol)
★ IP(Internet Protocol)
★ UDP(User Datagram Protocol)
★ FTP(File Transfer Protocol)
★ HTTP(Hyper Text Transfer Protocol)
★ HTTPS(Hyper Text Transfer Protocol Secure)
★ SMTP(Simple Mail Transfer Protocol)
Internet Protocol addresses (IP addresses) make the world go 'round. Or, at least, they enable us to email, Skype, and
navigate the web. It's almost as important as the world going around! Each digital device (computer, laptop, phone,
tablet, etc.) is assigned an IP address, and this is what enables us to communicate and connect with it. Imagine an IP
address as similar to your house address. Without that address, no one could find you and send you snail mail.
9. Cryptography:
Cryptography is a method of protecting information and communications through the use of codes, so that only those
for whom the information is intended can read and process it.
Objectives of Cryptography
★ Confidentiality : the information cannot be understood by
anyone for whom it was unintended
★ Integrity : the information cannot be altered in storage or transit
between sender and receiver.
★ Non-repudiation : the creator/sender of the information cannot
deny at a later stage his or her intentions in the creation or
transmission of the information
★ Authentication: the sender and receiver can confirm each
other's identity and the origin/destination of the information
Types of Cryptography
1. Single-key or symmetric-key encryption
2. Public-Key or asymmetric-key encryption
10. Man in the Middle Attack:
A man in the middle attack is a type of attack where the attacker intercepts communications between two parties and
impersonates each party to the other. The attacker then has the ability to eavesdrop on the conversations, modify the
messages, or even inject new messages.
11. ARP Spoofing Tool: We can use the arpspoof tool available on Linux to spoof ARP and act as the MITM. Let’s dive into the
real man in the middle attack
Steps to reproduce:
Install arpspoof by typing apt-get install dsniff
Syntax:
arpspoof -i (interface) -t (Client IP) (Your gateway)
arpspoof -i (interface) -t (Your Gateway) (Client IP)
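A defender-side check for the ARP spoofing described above, added here as an example and not part of the original report: it watches ARP replies for an IP address whose MAC binding changes and for a single MAC that claims several IPs. The sample replies, all addresses and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp_s, sender_ip, sender_mac) from observed ARP replies.
# Every address below is made up for this example.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway, genuine
    (1.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # client, genuine
    (5.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    (5.1, "192.168.1.20", "de:ad:be:ef:00:99"),  # client IP claimed by the same MAC
    (7.0, "192.168.1.30", "aa:aa:aa:aa:aa:30"),  # unrelated host, genuine
]

def detect_arp_spoofing(replies, trusted=None):
    """Return alerts for changed IP->MAC bindings and for one MAC claiming many IPs.

    trusted is an optional {ip: mac} map of known-good bindings (for example the
    gateway); without it, the first binding seen for an IP is learned as baseline.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac  # first sighting: learn the binding
        elif known != mac:
            alerts.append((ts, "binding-changed", ip, known, mac))
        mac_to_ips[mac].add(ip)
        # A MITM host answers for both victims, so its MAC maps to several IPs.
        # Multi-homed devices can trigger this too and need an allow-list.
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-many-ips", mac, sorted(mac_to_ips[mac])))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Pinning the gateway binding through `trusted` catches a spoofer that is already active when monitoring starts, which baseline learning alone would miss.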
12. Information Gathering Using Nmap:
• Nmap is short for Network Mapper. It is an open-source Linux command-line tool
that is used to scan IP addresses and ports in a network and to detect installed
applications.
• Ping scan: lists the devices that are up and running.
• > nmap -sn 192.168.1.1/24
• Scan a single host: scans a single host for 1000 well-known ports. These ports are the
ones used by popular services like SQL, SNTP, apache, and others
• This makes your life easier since you can find an existing vulnerability from the Common
Vulnerabilities and Exposures (CVE) database for a particular version of the service.
You can then use it to attack a machine using an exploitation tool like Metasploit.
13. Web Application Security:
• A Web application (Web app) is an application program that is stored on a remote
server and delivered over the Internet through a browser interface
• Web application security is the process of protecting websites and online services
against different security threats that exploit vulnerabilities in an application's code.
... The inherent complexity of their source code, which increases the likelihood of
unattended vulnerabilities and malicious code manipulation.
Different types of security tests:
Dynamic Application Security Test (DAST)
Static Application Security Test (SAST)
Penetration Test
Runtime Application Self Protection (RASP)
14. We had three training weeks in the internship. Each week there was one quiz, so we had three quizzes.
Ethical hacking quiz 1: I scored 100%
17. ASSESSING VULNERABILITIES
It is the process of identifying vulnerabilities in the computer
systems, networks, and the communication channels. It is performed
as a part of auditing and also to defend the systems from further
attacks. The vulnerabilities are identified, classified and reported to
the authorities so that necessary measures can be taken to fix them
and protect the organization.
18. IN THIS PROJECT WE WERE GIVEN THREE TASKS
• TASK 1: COMPLETING 3 PORTSWIGGER LABS
• TASK 2: THEY’VE GIVEN A BANK APPLICATION WEBSITE. IN THIS WEBSITE WE
DETECT VULNERABILITIES
• TASK 3: TO EXECUTE A PAYLOAD IN THE WEBSITE (VULNWEB.COM) AND REPORT
THE EFFECT OF THE VULNERABILITY IN THE WEBSITE.
19. TASK 1: COMPLETING 3 PORTSWIGGER LABS
LAB 1
Reflected XSS into HTML context with nothing encoded
21. LAB 2: Stored XSS into HTML context with nothing encoded
23. LAB 3: DOM XSS in document.write sink using source location.search
25. TASK 2: FIND THE VULNERABILITIES OF A GIVEN WEBSITE/COMPANY AND
GENERATE A REPORT OF THE VULNERABILITIES THAT ARE PRESENT IN THE WEBSITE.
26. THE REPORT WAS GENERATED WITH THE OWASP-ZAP TOOL AND IS SHOWN BELOW.
27. TASK 3: TO EXECUTE A PAYLOAD IN THE WEBSITE (VULNWEB.COM) AND REPORT THE EFFECT
OF THE VULNERABILITY IN THE WEBSITE.
30. • Title : Cross Site Scripting
• Domain : vulnweb.com
• SubDomain: testasp.vulnweb.com
Steps to reproduce:
Step 1: Visit http://testasp.vulnweb.com
Step 2: On the top of the menu you will find a search option
Step 3: Click on it and you will be taken to the search box
Step 4: You can intercept the request in Burp Suite
Step 5: Now you can find different payloads for XSS (cross site scripting)
Step 6: Send the request to the Intruder and paste all the payloads
Step 7: Try to find a successful payload for XSS
31. Effect of this attack: Cross Site Scripting can lead to the theft of
your user data and can be harmful for your website/company.
Mitigation: To prevent XSS on your website, you can enable NoScript
in the browser and modify the vulnerable code that is linked with
the user data.
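What "modifying the vulnerable code" means for a search box that reflects its input, shown as an added example that is not code from the report or from the tested site: the unencoded "before" handler beside a version that encodes the term for its output context, plus a regression check. Function names, the probe string and the CSP value are assumptions made for this example.

```python
import html

# Constructed probe: harmless markup plus both quote characters.
PROBE = '<b>probe</b>"x\'y'

# Assumed policy for this example; a real site tunes it to its own scripts.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'"

def render_results_vulnerable(term):
    """'Before': the search term is reflected into the page unencoded."""
    return "<h2>Results for " + term + "</h2>"

def render_results_safe(term):
    """'After': encode for the HTML body context at the point of output."""
    return "<h2>Results for " + html.escape(term, quote=True) + "</h2>"

def render_search_box_safe(term):
    """Attribute context: quotes are encoded too, so the value cannot close the attribute."""
    return '<input name="q" value="' + html.escape(term, quote=True) + '">'

def response_headers():
    """Defence in depth: restrict script sources in case an encoding step is missed."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }

def reflects_unencoded(page, term):
    """Regression check: does the page contain the raw probe, markup and all?"""
    return any(ch in term for ch in "<>\"'") and term in page

if __name__ == "__main__":
    for render in (render_results_vulnerable, render_results_safe):
        page = render(PROBE)
        print(render.__name__, "reflects raw input:", reflects_unencoded(page, PROBE))
```

Encoding on the server protects every visitor, whereas a browser add-on only protects the user who installed it.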
32. Conclusion
• From this ethical hacking internship, I have gained a better insight into the network
and computer security of an organization.
• I have also gained a lot of technical knowledge. I have learnt the techniques of
hacking and have also learnt how to prevent the network and computers of an
organization from being hacked.
• I have also learnt how to secure the data of an organization. I have also learnt about
the legal aspects of hacking.
• I have also learnt about the various tools used by hackers. I have also learnt about
the various types of attacks that can be launched on an organization.