
XAVIER INSTITUTE OF ENGINEERING

DEPARTMENT OF INFORMATION TECHNOLOGY

A.Y. 2020 - 21

LAB MANUAL

COURSE NAME: SECURITY LAB

CLASS : T.E

SEMESTER : V

COURSE CODE: ITL502

SUBJECT / PRACTICAL INCHARGE : Prof. Suvarna Aranjo



CLASS: T.E. SEM: V


COURSE CODE: ITL502 COURSE NAME: SECURITY LAB

LAB OBJECTIVES:
Students will try:
1. To be able to apply the knowledge of symmetric cryptography to implement simple ciphers.
2. To be able to analyze and implement public key algorithms like RSA and El Gamal.
3. To analyze and evaluate performance of hashing algorithms.
4. To explore the different network reconnaissance tools to gather information about networks.
5. To explore and use tools like sniffers, port scanners and other related tools for analysing packets
in a network.
6. To be able to set up firewalls and intrusion detection systems using open source technologies and
to explore email security.

Bloom's Taxonomy Levels:
1 = Remembering, 2 = Understanding, 3 = Applying, 4 = Analyzing, 5 = Evaluating, 6 = Creating

LAB OUTCOMES:
Students will learn to:

LO    Description                                                         Bloom's Level                     PO
LO1   Apply the knowledge of symmetric cryptography to implement simple   1 (Remembering), 6 (Creating)     1,3
      ciphers.
LO2   Analyze and implement public key algorithms like RSA and El Gamal.  4 (Analyzing), 6 (Creating)       1,2,3
LO3   Analyze and evaluate performance of hashing algorithms.             4 (Analyzing), 5 (Evaluating)     1,2,3,4
LO4   Explore the different network reconnaissance tools to gather        4 (Analyzing)                     2,3,4,5,6,8,9,12
      information about networks.
LO5   Use tools like sniffers, port scanners and other related tools for  4 (Analyzing)                     2,3,4,5,6,8,9,12
      analyzing packets in a network.
LO6   Apply and set up firewalls and intrusion detection systems using    2 (Understanding), 3 (Applying)   2,3,4,5,6,8,9,12
      open source technologies and explore email security.
LIST OF EXPERIMENTS

SR. NO.  NAME OF EXPERIMENT                                                       LO    BLOOM'S LEVEL  PO
1        (a) Design and Implementation of Substitution Cipher.                   LO1   1,6            1,3
         (b) Design and Implementation of Transposition Cipher.
         (c) Design and Implementation of Product Cipher using Substitution
             Cipher and Transposition Cipher.
2        (a) Implementation and Analysis of RSA Cryptosystem.                    LO2   4,6            1,2,3
         (b) Implementation of Diffie Hellman Key Exchange Algorithm.
3        For varying message sizes, test integrity of message using MD-5,        LO3   4,5            1,2,3,4
         SHA-1, and analyse the performance of the two protocols. Use crypt APIs.
4        Study the use of network reconnaissance tools like WHOIS, dig,          LO4   4              2,3,4,5,6,8,9,12
         traceroute, nslookup to gather information about networks and
         domain registrars.
5        Study of packet sniffer tools like Wireshark. Use the tool to do the     LO5   4              2,3,4,5,6,8,9,12
         following:
         1. Observe performance in promiscuous as well as non-promiscuous mode.
         2. Show that packets can be traced based on different filters.
6        Download and install nmap. Use it with different options to scan        LO5   4              2,3,4,5,6,8,9,12
         open ports, perform OS fingerprinting, do a ping scan, tcp port scan,
         udp port scan, etc.
7        Detect ARP spoofing using open source tool ARPWATCH.                    LO5   4              2,3,4,5,6,8,9,12
8        Use the Nessus tool to scan the network for vulnerabilities.            LO4   4              2,3,4,5,6,8,9,12
9        Set up IPSEC under LINUX.                                               LO6   2,3            2,3,4,5,6,8,9,12
10       Install IDS (e.g. SNORT) and study the logs.                            LO6   2,3            2,3,4,5,6,8,9,12
11       Use of iptables in linux to create firewalls.                           LO6   2,3            2,3,4,5,6,8,9,12

EXPERIMENT NO : 1
Aim: [ A ] Design and implementation of Substitution Cipher.

Theory: In cryptography, a substitution cipher is a method of encrypting by which units of
plaintext are replaced with ciphertext, according to a fixed system; the "units" may be single
letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth.
The receiver deciphers the text by performing the inverse substitution.
Substitution ciphers can be compared with transposition ciphers. In a transposition cipher, the
units of the plaintext are rearranged in a different and usually quite complex order, but the units
themselves are left unchanged. By contrast, in a substitution cipher, the units of the plaintext are
retained in the same sequence in the ciphertext, but the units themselves are altered.
There are a number of different types of substitution cipher. If the cipher operates on single
letters, it is termed a simple substitution cipher; a cipher that operates on larger groups of
letters is termed polygraphic. A monoalphabetic cipher uses fixed substitution over the entire
message, whereas a polyalphabetic cipher uses a number of substitutions at different positions
in the message, where a unit from the plaintext is mapped to one of several possibilities in the
ciphertext and vice versa.

Expected Output:

Aim: [ B ] Design and implementation of rail fence cipher.

Theory: In cryptography, a transposition cipher is a method of encryption by which the
positions held by units of plaintext (which are commonly characters or groups of characters) are
shifted according to a regular system, so that the ciphertext constitutes a permutation of the
plaintext. That is, the order of the units is changed (the plaintext is reordered). Mathematically
a bijective function is used on the characters' positions to encrypt and an inverse function to
decrypt.

Rail Fence cipher

The Rail Fence cipher is a form of transposition cipher that gets its name from the way in which
it is encoded. In the rail fence cipher, the plaintext is written downwards on successive "rails" of
an imaginary fence, then moving up when we get to the bottom. The message is then read off in
rows. For example, using three "rails" and a message of 'WE ARE DISCOVERED. FLEE AT
ONCE', the cipherer writes out:

W...E...C...R...L...T...E
.E.R.D.S.O.E.E.F.E.A.O.C.
..A...I...V...D...E...N..

Then reads off:

WECRL TEERD SOEEF EAOCA IVDEN

(The cipherer has broken this ciphertext up into blocks of five to help avoid errors. This is a
common technique used to make the cipher more easily readable. The spacing is not related to
spaces in the plaintext and so does not carry any information about the plaintext.)
The rail fence cipher was used by the ancient Greeks in the scytale, a mechanical system of
producing a transposition cipher. The system consisted of a cylinder and a ribbon that was
wrapped around the cylinder. The message to be encrypted was written on the coiled ribbon. The
letters of the original message would be rearranged when the ribbon was uncoiled from the
cylinder. However, the message was easily decrypted when the ribbon was recoiled on a cylinder
of the same diameter as the encrypting cylinder.
Expected Output:

Aim: [ C ] Design and implementation of Product Cipher.

Theory: In cryptography, a product cipher combines two or more transformations in a manner
intended to make the resulting cipher more secure than its individual components and more
resistant to cryptanalysis.[1] The product cipher combines a sequence of simple transformations
such as substitution (S-box), permutation (P-box), and modular arithmetic. The concept of
product ciphers is due to Claude Shannon, who presented the idea in his foundational
paper, Communication Theory of Secrecy Systems.
For transformations involving a reasonable number n of message symbols, both of the foregoing
cipher systems (the S-box and P-box) are by themselves wanting. Shannon suggested using a
combination of S-box and P-box transformations, a product cipher. The combination could yield
a cipher system more powerful than either one alone. This approach of alternately applying
substitution and permutation transformations has been used by IBM in the Lucifer cipher system,
and has become the standard for national data encryption standards such as the Data Encryption
Standard and the Advanced Encryption Standard. A product cipher that uses only substitutions
and permutations is called an SP-network. Feistel ciphers are an important class of product
ciphers.
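One added Python example covering the three parts of Experiment 1: the substitution cipher of [A] (assumed here to use a keyword-derived cipher alphabet), the rail fence cipher of [B] with the manual's three-rail example, and the product cipher described above, taken as substitution followed by rail fence transposition. This is not code from the manual; the function names are my own.

```python
import string

ALPHABET = string.ascii_uppercase


def make_cipher_alphabet(keyword):
    """Derive a 26-letter cipher alphabet from a keyword (an assumed construction):
    the keyword's distinct letters first, then the unused letters in order."""
    ordered = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in ordered:
            ordered.append(ch)
    return "".join(ordered)


def substitution_encrypt(plaintext, cipher_alphabet):
    """Monoalphabetic substitution: every plaintext letter is replaced by the letter
    at the same index of cipher_alphabet; characters other than letters are kept."""
    return plaintext.upper().translate(str.maketrans(ALPHABET, cipher_alphabet))


def substitution_decrypt(ciphertext, cipher_alphabet):
    """Inverse substitution: map each cipher letter back to the plain alphabet."""
    return ciphertext.upper().translate(str.maketrans(cipher_alphabet, ALPHABET))


def rail_pattern(length, rails):
    """Rail index visited at each position of the zig-zag: 0,1,..,rails-1,..,1,0,..."""
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rails > 1:
            if rail == 0:
                step = 1
            elif rail == rails - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext, rails):
    """Write the letters down and up across the rails, then read off row by row.
    Spaces and punctuation are dropped, as in the WE ARE DISCOVERED example."""
    letters = [ch for ch in plaintext.upper() if ch.isalpha()]
    rows = [[] for _ in range(rails)]
    for ch, rail in zip(letters, rail_pattern(len(letters), rails)):
        rows[rail].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(ciphertext, rails):
    """Invert the read-off: the ciphertext is the rows concatenated, so cut it into
    rows of the right lengths and replay the zig-zag to restore the original order."""
    pattern = rail_pattern(len(ciphertext), rails)
    rows, pos = [], 0
    for rail in range(rails):
        count = pattern.count(rail)
        rows.append(list(ciphertext[pos:pos + count]))
        pos += count
    return "".join(rows[rail].pop(0) for rail in pattern)


def product_encrypt(plaintext, cipher_alphabet, rails):
    """Product cipher: substitution (S-box stage) followed by rail fence transposition
    (P-box stage), so the ciphertext has both changed letters and a scrambled order."""
    return rail_fence_encrypt(substitution_encrypt(plaintext, cipher_alphabet), rails)


def product_decrypt(ciphertext, cipher_alphabet, rails):
    """Undo the stages in reverse order: transposition first, then substitution."""
    return substitution_decrypt(rail_fence_decrypt(ciphertext, rails), cipher_alphabet)


if __name__ == "__main__":
    key = make_cipher_alphabet("ZEBRAS")           # constructed keyword
    print("cipher alphabet:", key)
    print("substitution   :", substitution_encrypt("HELLO WORLD", key))
    print("rail fence     :", rail_fence_encrypt("WE ARE DISCOVERED. FLEE AT ONCE", 3))
    ct = product_encrypt("HELLO WORLD", key, 2)
    print("product cipher :", ct, "->", product_decrypt(ct, key, 2))
```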

Output:
EXPERIMENT NO : 2
Aim: [ A ] Implementation and Analysis of RSA Cryptosystem.

Theory: RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is
widely used for secure data transmission. In such a cryptosystem, the encryption key is public
and it is different from the decryption key which is kept secret (private). In RSA, this asymmetry
is based on the practical difficulty of the factorization of the product of two large prime numbers,
the "factoring problem". The acronym RSA is made of the initial letters of the surnames of Ron
Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in
1978. Clifford Cocks, an English mathematician working for the British intelligence
agency Government Communications Headquarters (GCHQ), had developed an equivalent
system in 1973, but this was not declassified until 1997.[1]
A user of RSA creates and then publishes a public key based on two large prime numbers, along
with an auxiliary value. The prime numbers must be kept secret. Anyone can use the public key
to encrypt a message, but with currently published methods, and if the public key is large
enough, only someone with knowledge of the prime numbers can decode the message
feasibly.[2] Breaking RSA encryption is known as the RSA problem. Whether it is as difficult as
the factoring problem remains an open question.
RSA is a relatively slow algorithm, and because of this, it is less commonly used to directly
encrypt user data. More often, RSA passes encrypted shared keys for symmetric
key cryptography which in turn can perform bulk encryption-decryption operations at much
higher speed.
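An added Python implementation of the RSA steps described above (key generation, encryption, decryption), not code from the manual; it uses the toy primes p = 61, q = 53 with e = 17 and includes a trial-division factoring of that small modulus to show why the secrecy of the primes, and hence the size of n, is what the scheme rests on. The function names are my own.

```python
import math


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, m):
    """Multiplicative inverse of e modulo m, i.e. d with e*d == 1 (mod m)."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("no inverse: e and m are not coprime")
    return x % m


def generate_keypair(p, q, e=65537):
    """Textbook RSA key generation from two distinct primes p and q.
    Returns ((n, e), (n, d)): the public key and the private key."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient phi(n): needs p and q, which stay secret
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent e must be coprime to phi(n)")
    d = modinv(e, phi)                 # private exponent
    return (n, e), (n, d)


def encrypt_int(m, public_key):
    """c = m^e mod n; the message must be an integer smaller than the modulus."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must lie in [0, n)")
    return pow(m, e, n)


def decrypt_int(c, private_key):
    """m = c^d mod n, which recovers m because e*d == 1 (mod phi(n))."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_text(text, public_key):
    """Encrypt a string one character code at a time (a lab convenience, not a
    secure padding scheme: identical characters give identical ciphertext blocks)."""
    return [encrypt_int(ord(ch), public_key) for ch in text]


def decrypt_text(blocks, private_key):
    return "".join(chr(decrypt_int(c, private_key)) for c in blocks)


def factor_small_modulus(n):
    """Trial division: recovers (p, q) from a toy modulus. This is the 'factoring
    problem' of the text; RSA is secure only when n is far too large for this."""
    for candidate in range(2, math.isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None


if __name__ == "__main__":
    public, private = generate_keypair(61, 53, e=17)   # constructed toy primes
    print("public key :", public)
    print("private key:", private)
    c = encrypt_int(65, public)
    print("65 ->", c, "->", decrypt_int(c, private))
    blocks = encrypt_text("RSA", public)
    print("'RSA' ->", blocks, "->", decrypt_text(blocks, private))
    p, q = factor_small_modulus(public[0])
    print("n factored as", p, "*", q, "-> phi(n) and d can be recomputed from the public key")
```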

OUTPUT:
Aim: [ B ] Implementation of Diffie Hellman Key Exchange Algorithm

Theory : Diffie–Hellman key exchange establishes a shared secret between two parties that can
be used for secret communication for exchanging data over a public network. The conceptual
diagram to the right illustrates the general idea of the key exchange by using colors instead of
very large numbers.
The process begins by having the two parties, Alice and Bob, agree on an arbitrary starting color
that does not need to be kept secret (but should be different every time [3]); in this example, the
color is yellow. Each of them selects a secret color that they keep to themselves – in this case,
red and blue-green. The crucial part of the process is that Alice and Bob each mix their own
secret color together with their mutually shared color, resulting in orange-tan and light-blue
mixtures respectively, and then publicly exchange the two mixed colors. Finally, each of the two
mixes the color they received from the partner with their own private color. The result is a final
color mixture (yellow-brown in this case) that is identical to the partner's final color mixture.
If a third party listened to the exchange, it would only know the common color (yellow) and the
first mixed colors (orange-tan and light-blue), but it would be computationally difficult for this
party to determine the final secret color (yellow-brown). In fact, when using large numbers rather
than colors, this action is computationally expensive: It is impossible to do in a reasonable
amount of time even for modern supercomputers.
Cryptographic explanation
The simplest and the original implementation[2] of the protocol uses the multiplicative group of
integers modulo p, where p is prime, and g is a primitive root modulo p. These two values are
chosen in this way to ensure that the resulting shared secret can take on any value from 1 to p–1.
Here is an example of the protocol, with non-secret values in blue, and secret values in red.

1. Alice and Bob publicly agree to use a modulus p = 23 and base g = 5 (which is a
primitive root modulo 23).
2. Alice chooses a secret integer a = 4, then sends Bob A = g^a mod p
   A = 5^4 mod 23 = 4
3. Bob chooses a secret integer b = 3, then sends Alice B = g^b mod p
   B = 5^3 mod 23 = 10
4. Alice computes s = B^a mod p
   s = 10^4 mod 23 = 18
5. Bob computes s = A^b mod p
   s = 4^3 mod 23 = 18
6. Alice and Bob now share a secret (the number 18).
Both Alice and Bob have arrived at the same value s, because, under mod p,

Note that only a, b, and (g^(ab) mod p = g^(ba) mod p) are kept secret. All the other values,
p, g, g^a mod p, and g^b mod p, are sent in the clear. Once Alice and Bob compute the shared
secret they can use it as an encryption key, known only to them, for sending messages across the
same open communications channel.
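The exchange above (p = 23, g = 5, a = 4, b = 3) as an added Python example, not code from the manual; it also checks that g is a primitive root and shows, for this toy prime, what the third party would have to compute to recover a secret exponent. The names Party, run_exchange and eavesdropper_recovers_exponent are my own.

```python
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for lab-sized numbers)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g generates the whole multiplicative group mod the prime p iff
    g^((p-1)/q) != 1 (mod p) for every prime factor q of p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


class Party:
    """One participant. `secret` never leaves the object; `public` is sent in the clear."""

    def __init__(self, p, g, secret=None):
        if not is_primitive_root(g, p):
            raise ValueError("g must be a primitive root modulo p")
        self.p, self.g = p, g
        # secret exponent in [1, p-2]: a random one unless the caller fixes it
        self.secret = secret if secret is not None else 1 + secrets.randbelow(p - 2)
        self.public = pow(g, self.secret, p)           # g^secret mod p

    def shared_secret(self, other_public):
        """(other's public)^secret mod p, which is g^(ab) mod p on both sides."""
        return pow(other_public, self.secret, self.p)


def run_exchange(p, g, a, b):
    """Returns (A, B, s_alice, s_bob) for the protocol steps in the manual."""
    alice, bob = Party(p, g, a), Party(p, g, b)
    return (alice.public, bob.public,
            alice.shared_secret(bob.public), bob.shared_secret(alice.public))


def eavesdropper_recovers_exponent(p, g, public):
    """What the third party must do: solve g^x = public (mod p) for x by trying every x.
    Feasible for p = 23, infeasible for the 2048-bit primes used in practice."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    A, B, s_alice, s_bob = run_exchange(23, 5, 4, 3)
    print("A =", A, "B =", B, "shared secret:", s_alice, s_bob)
    a = eavesdropper_recovers_exponent(23, 5, A)
    print("from p, g and A alone the listener finds a =", a, "and s =", pow(B, a, 23))
    alice, bob = Party(23, 5), Party(23, 5)            # random secrets this time
    print("random run agrees:", alice.shared_secret(bob.public) == bob.shared_secret(alice.public))
```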

Expected Output:
EXPERIMENT NO : 3

Aim: For varying message sizes, test integrity of message using MD-5, SHA-1, and analyze
the performance of the two protocols. Use crypt APIs.

Program:

import hashlib
import timeit

message = input("Enter message: ")
message = message.encode()
print("Performance analysis: ")
print("-----MD5-----")
# MD5 DIGEST
md5_digest = hashlib.md5(message)
print("The hexadecimal equivalent of md5 hash is : " + md5_digest.hexdigest())
# MD5 TIME: timeit runs the call 1,000,000 times and returns the total in seconds,
# so the printed value equals the average time per call in microseconds.
# A lambda is used so the bytes object itself is hashed; formatting it into a
# setup string with %s would hash the text "b'...'" instead of the message.
print("Time taken to execute in micro sec: ", end="")
print(timeit.timeit(lambda: hashlib.md5(message)))
# MD5 LENGTH
print("Length of message digest in bits:", end="")
print(md5_digest.digest_size * 8)
print("-----SHA1-----")
# SHA1 DIGEST
sha1_digest = hashlib.sha1(message)
print("The hexadecimal equivalent of sha1 hash is : " + sha1_digest.hexdigest())
# SHA1 TIME
print("Time taken to execute in micro sec: ", end="")
print(timeit.timeit(lambda: hashlib.sha1(message)))
# SHA1 LENGTH
print("Length of message digest in bits:", end="")
print(sha1_digest.digest_size * 8)
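As an added example extending the program above to the "varying message sizes" part of the aim (not code from the manual): it times MD5 and SHA-1 over several message sizes with timeit and checks integrity by recomputing the digest of a tampered copy. All sample messages are constructed here, and the function names are my own.

```python
import hashlib
import timeit


def digest_hex(algorithm, data):
    """Hex digest of data under the named hashlib algorithm ("md5" or "sha1" here)."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm):
    """Output length of the algorithm in bits (128 for MD5, 160 for SHA-1)."""
    return hashlib.new(algorithm).digest_size * 8


def integrity_check(algorithm, received, expected_hex):
    """Recompute the digest of what arrived and compare it with the digest that was
    sent along with the message; any changed bit in `received` gives a new digest."""
    return digest_hex(algorithm, received) == expected_hex


def seconds_per_hash(algorithm, data, number=100):
    """Average wall-clock seconds for one hash of `data`, measured with timeit."""
    return timeit.timeit(lambda: hashlib.new(algorithm, data).digest(), number=number) / number


def benchmark(sizes=(1 << 10, 1 << 14, 1 << 18), algorithms=("md5", "sha1")):
    """Time both algorithms over messages of increasing size; returns one record
    per (size, algorithm) with the per-hash time and the resulting throughput."""
    records = []
    for size in sizes:
        data = bytes(range(256)) * (size // 256) + bytes(size % 256)   # constructed input
        for alg in algorithms:
            secs = seconds_per_hash(alg, data)
            records.append({"size_bytes": size, "algorithm": alg,
                            "digest_bits": digest_bits(alg),
                            "us_per_hash": secs * 1e6,
                            "mb_per_s": size / secs / 1e6})
    return records


def tamper_demo(algorithm="sha1"):
    """Returns (verdict for the original message, verdict for a one-character change)."""
    original = b"Transfer 100 INR to account 1234"   # constructed sample message
    tampered = b"Transfer 900 INR to account 1234"   # one character altered in transit
    expected = digest_hex(algorithm, original)
    return (integrity_check(algorithm, original, expected),
            integrity_check(algorithm, tampered, expected))


if __name__ == "__main__":
    for rec in benchmark():
        print("{size_bytes:>8} B  {algorithm:<5} {digest_bits:>3} bits  "
              "{us_per_hash:9.2f} us/hash  {mb_per_s:8.1f} MB/s".format(**rec))
    print("integrity (original, tampered):", tamper_demo("md5"), tamper_demo("sha1"))
```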

Output:

Conclusion: Thus, we have analyzed the performance of the two protocols: MD5 and SHA-1
and tested the integrity of messages of varying sizes.
EXPERIMENT NO : 4

Aim: Study the use of network reconnaissance tools like whois, dig, traceroute, nslookup to
gather information about networks and domain registrars.
Theory:
1. whois:
whois searches for an object in a WHOIS database. WHOIS is a query and
response protocol that is widely used for querying databases that store the
registered users of an Internet resource.

Syntax:
whois [ -h HOST ] [ -p PORT ] [ -aCFHlLMmrRSVx ] [ -g SOURCE:FIRST-LAST ]
      [ -i ATTR ] [ -S SOURCE ] [ -T TYPE ] object
whois -t TYPE
whois -v TYPE
whois -q keyword

Options:
-h HOST Connect to WHOIS database host HOST.
-H Suppress the display of legal disclaimers.
-p PORT When connecting, connect to network port PORT.
--verbose Operate verbosely.
--help Display a help message, and exit

2. dig:
dig (domain information groper) is a network administration command-line tool
for querying Domain Name System (DNS) servers. dig is useful for network
troubleshooting and for educational purposes. dig can operate in interactive
command line mode or in batch mode by reading requests from an operating
system file.

Syntax:
dig [@server] [-b address] [-c class] [-f filename] [-k filename]
    [-m] [-p port#] [-q name] [-t type] [-x addr] [-y [hmac:]name:key]
    [-4] [-6] [name] [type] [class] [queryopt...]
dig [-h]
dig [global-queryopt...] [query...]

Options:
-b address
The -b option sets the source IP address of the query to address
-c class
The default query class (IN for Internet) is overridden by the -c option. class is
any valid class, such as HS for Hesiod records or CH for CHAOSNET records.
-f filename
The -f option makes dig operate in batch mode by reading a list of lookup
requests to process from the file filename.
-p port#
If a non-standard port number is to be queried, the -p option is used. port# is the
port number that dig will send its queries instead of the standard DNS port
number 53.
-4
The -4 option forces dig to only use IPv4 query transport.
-6
The -6 option forces dig to only use IPv6 query transport.
-t type
The -t option sets the query type to type. It can be any valid query type that is
supported in BIND9.
-x addr
Reverse lookups (mapping addresses to names) are simplified by the -x option.
addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6
address.
-k filename
To sign the DNS queries sent by dig and their responses using transaction
signatures (TSIG), specify a TSIG key file using the -k option.
-y [hmac:]name:key
You can also specify the TSIG key itself on the command line using the -y option.

3. traceroute:
traceroute is a computer network diagnostic tool for displaying the route (path)
and measuring transit delays of packets across an Internet Protocol (IP) network.
The history of the route is recorded as the round-trip times of the packets received
from each successive host (remote node) in the route (path); the sum of the mean
times in each hop is a measure of the total time spent to establish the connection.
traceroute proceeds unless all (three) sent packets are lost more than twice, then
the connection is lost and the route cannot be evaluated.

Syntax:
traceroute [-46dFITUnreAV] [-f first_ttl] [-g gate,...] [-i device]
[-m max_ttl] [-p port] [-s src_addr] [-q nqueries]
[-N squeries] [-t tos] [-l flow_label] [-w waittime]
[-z sendwait] [-UL] [-D] [-P proto] [--sport=port] [-M method]
[-O mod_options] [--mtu] [--back] host [packet_len]

Options:
--help Display a help message, and exit.
-4, -6 Explicitly force IPv4 or IPv6 tracerouting.
-I Use ICMP ECHO for probes.
-T Use TCP SYN for probes.
-d Enable socket level debugging (if the kernel supports it).
-F Do not fragment probe packets. (For IPv4 it also sets DF bit, which tells
intermediate routers not to fragment remotely as well).
-f first_ttl Specifies with what TTL to start. Defaults to 1.
-g gateway Tells traceroute to add an IP source routing option to the outgoing
packet that tells the network to route the packet through the specified gateway.
-i interface Specifies the interface through which traceroute should send
packets.
-m max_ttl Specifies the maximum number of hops (max time-to-live value)
traceroute will probe. The default is 30.
-N squeries Specifies the number of probe packets sent out simultaneously.
-n Do not try to map IP addresses to host names when displaying them.
-p port For UDP tracing, specifies the destination port base traceroute will use
-t tos For IPv4, set the Type of Service (TOS) and Precedence value.
-l flow_label Use specified flow_label for IPv6 packets.
-w waittime Set the time (in seconds) to wait for a response to a probe (default
is 5.0).
-q nqueries Sets the number of probe packets per hop. The default is 3.
-r Bypass the normal routing tables and send directly to a host on an attached
network
-s source_addr Chooses an alternative source address.
-z sendwait Minimal time interval between .
-e Show ICMP extensions.
-A Perform AS path lookups in routing registries and print results directly
after the corresponding addresses.
-V Print version information, and exit.

4. nslookup:
nslookup is a network administration command-line tool available for many
computer operating systems for querying the Domain Name System (DNS) to
obtain domain name or IP address mapping or for any other specific DNS record.

Syntax:
nslookup [option] [name|-] [server]

Options:
host [server]         Look up information for host using the current default server, or
                      server if specified.
exit                  Exits the program.
set keyword[=value]   This command is used to change state information that affects the
                      lookups. Valid keywords are:
    all           Prints the current values of the frequently used options to set. Information
                  about the current default server and host is also printed.
    class=value   Change the query class to one of:
                  IN   the Internet class
                  CH   the Chaos class
                  HS   the Hesiod class
                  ANY  wildcard

Conclusion: Thus, network reconnaissance tools like whois, dig, traceroute and nslookup, used to gather
information about networks and domain registrars, have been studied and used
successfully.
EXPERIMENT NO : 5

Aim: Study of packet sniffer tools like Wireshark. Use the tool to do the following:
1. Observe performance in promiscuous mode as well as non-promiscuous mode.
2. Show that packets can be traced based on different filters.

Theory:

Wireshark:
Wireshark is a network packet analyzer. A network packet analyzer captures network packets
and displays the captured packet data in as much detail as possible. A network packet analyzer is
a measuring device used to examine what's going on inside a network cable, just like a voltmeter
is used by an electrician to examine what's going on inside an electric cable. Wireshark is very
similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering
options. Wireshark lets the user put network interface controllers into promiscuous mode (if
supported by the network interface controller), so they can see all the traffic visible on that
interface, including unicast traffic not sent to that network interface controller's MAC address.
The following are some of the many features Wireshark provides:
- Available for UNIX and Windows.
- Capture live packet data from a network interface.
- Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
  number of other packet capture programs.
- Import packets from text files containing hex dumps of packet data.
- Display packets with very detailed protocol information.
- Save packet data captured.
- Export some or all packets in a number of capture file formats.
- Filter packets on many criteria.
- Search for packets on many criteria.
- Colorize packet display based on filters.

Pre-requisite:
Before starting to capture web packets with Wireshark it is necessary to perform the following:
1. Open a new web browser window or tab.
2. Search the Internet for an http website (e.g. www.google.com).

Capturing HTTP packets using Wireshark:

Step 1: Start Wireshark and capture traffic:
Open Wireshark by typing "wireshark" in the terminal. Click on "Capture > Interfaces". A pop-up
window will show up. You probably want to capture traffic that goes through your ethernet
driver. So, choose the eth0 checkbox. Click on the Start button to start capturing traffic via this
interface as shown in Fig 1.

Fig 1: The “Capture Interfaces” dialog box on Linux/Unix

Step 2: Filter captured traffic for HTTP data:
At this point Wireshark is listening to all network traffic and capturing it. When the
authentication process is complete and you are logged in, go back and stop the capture in
Wireshark. Now, our main aim is to tell Wireshark to filter all the HTTP data. This can be done
using the "filter" section present at the top left corner of Wireshark. To filter all traffic and locate
HTTP data, type "http" in the filter section as shown in Fig 2.

Fig 2: Filtering captured traffic for HTTP data



Step 3: Analyze HTTP data for the required information:
Left click on each and every line and check the bottom screen for the required information as
shown in Fig 3.

Fig 3: Analyzing HTTP data for required information

Conclusion: Thus, we have studied and implemented packet capturing using packet sniffer tool
Wireshark successfully.
EXPERIMENT NO : 6

Aim: Download and install nmap. Use it with different options to scan open ports, perform OS
fingerprinting, do a ping scan, tcp port scan, udp port scan, etc.
Theory:
Nmap is a free and open source network discovery and security auditing utility that is widely
used in the Linux user community as it is simple to use yet very powerful. Nmap works by
sending data packets to a specific target (by IP) and interpreting the incoming packets to
determine what ports are open/closed, what services are running on the scanned system, whether
firewalls or filters are set up and enabled, and finally what operating system is running. Those
abilities are used for a wide variety of reasons and howtoforge.com is not encouraging nor
suggesting the use of nmap for malicious purposes. NMAP stands for 'Network Mapper'. NMAP
can be used to scan a network of hosts and services and audit security. Further detailed
information can be gained to produce a complete 'network map'.
NMAP was originally written for Linux but can be operated on Windows, Solaris, HP-UX, BSD,
AmigaOS and IRIX.
Installation:
1. Configure the Yum server on your Red Hat Linux.
Yum Server: A yum server is a server which installs all the dependencies of packages, most of which
are on the Red Hat Linux disc.
Let's start with the yum server first.
A] Copy the Packages directory from the Red Hat disc and paste it wherever you want (the desktop, /opt
or root); in this case it is copied to the desktop.
Before you start the installation of the createrepo package you must be in the package directory.
# cd /Desktop/Packages
B] Install the package createrepo-0.9.8.-4.el6.noarch.rpm. When you install it you will
face a problem of dependencies:
deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm
python-deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm
C] So first install the dependencies:
# rpm -ivh deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm
D] Now install the second dependency:
# rpm -ivh python-deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm
E] Now it is time to install createrepo-0.9.8.-4.el6.noarch.rpm.
F] Now create the repository of all dependencies:
# createrepo -v /root/Desktop/Packages
G] Now create a local.repo file in /etc/yum.repos.d/:
# vim local.repo (press i for insert mode in the vi editor)
[localrepo]
name = local yum server
baseurl = file:///root/Desktop/Packages (in this case)
gpgcheck = 0
(press Esc, then :wq to save and quit)
Now your server is ready to use. To check that the server works, try # yum list all

2. Now run this command.

Syntax: yum install nmap

It will ask whether to install or not; enter a capital Y and press Enter.

Now nmap is installed; use it and enjoy open source.
Commands:

1. Ping scan:
nmap -sP (IP address) => Ping scans the network, listing machines that respond to ping
Output:

2. Version detection:
nmap -sV (IP address) => Probe open ports to determine service/version info
Output:

3. IP protocol scan:
nmap -sO (IP address) => IP protocol scan
Output:

4. Enable OS detection:
nmap -O (IP address) => Enable OS detection
Output:

5. UDP scan:
nmap -sU -p- (IP address) => scans all the UDP ports and displays them with state and services
Output:

6. TCP scan:
nmap -p- (IP address) => scans all the TCP ports and displays them with state and services
Output:

Conclusion: Thus, we successfully studied the installation steps for nmap and used nmap
commands with different options to scan open ports, perform OS fingerprinting, do a ping scan,
tcp port scan, udp port scan, etc.
EXPERIMENT NO : 7
Aim: Detect ARP spoofing using open source tool ARPWATCH or ARPMONITOR.

Theory:

ARP Spoofing:
Address Resolution Protocol spoofing (ARP spoofing) is a form of attack in which an attacker
changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the
target computer's ARP cache with forged ARP request and reply packets. This replaces the
layer-2 Ethernet MAC address stored in the cache with the hacker's own MAC address so that the
traffic can be monitored. Because the ARP replies are forged, the target computer unintentionally
sends the frames to the hacker's computer first instead of sending them to the original destination.
As a result, both the user's data and privacy are compromised. An effective ARP spoofing attempt
is undetectable to the user.

ARP Monitor:
ARP Monitor allows you to monitor hosts via the ARP protocol and to monitor MAC address
changes with the help of the ARP monitoring check. It is a free tool like arpwatch but for
Windows OS. This tool can help with ARP activity monitoring in computer networks. The ARP
monitor checks the links by periodically sending ARP packets to the designated targets. If there
is no reply from a certain device, it considers the device to be down. The ARP monitor generates
regular traffic by issuing ARP probes. The ARP monitor is not supported by all of the bonding
modes. It keeps track of mappings between IP addresses and hardware addresses as reported by
ARP replies. Every time two different hardware addresses are mapped to the same IP address, the
event is reported.

Implementation:
The ARP monitor is used for monitoring network and hardware addresses and network traffic.
All the necessary information about the various connections currently available is displayed in the
Events tab as shown below:

This Windows software monitors ethernet activity like the Unix arpwatch and keeps a database of
ethernet/ip address pairings.
- new activity - This ethernet/ip address pair has been used for the first time.
- new station - The ethernet address has not been seen before.
- flip flop - The ethernet address has changed from the most recently seen address to the
  second most recently seen address.
- changed ethernet address - The host switched to a new ethernet address.
ARP Monitor generates a log of IP addresses and MAC addresses along with a timestamp when
the pairing appeared on the network. These are displayed in the ARPLog tab as shown below:

The last date and time when the IP addresses and MAC addresses were updated and scanned are
listed in the IP-MAC tab as shown below:
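An added Python example (not the ARP Monitor tool's code) that keeps the same ethernet/ip pairing database and reproduces the four event types listed above over a constructed sequence of ARP replies, then flags an IP whose MAC keeps flip-flopping, which is the symptom arpwatch-style detectors alert on. The class and function names are my own.

```python
from collections import Counter


class ArpWatcher:
    """Keeps the ethernet/ip pairing database that arpwatch-style tools maintain and
    classifies each observed ARP reply into the event types listed above."""

    def __init__(self):
        self.known_macs = set()      # every hardware address seen so far
        self.history = {}            # ip -> MACs that have claimed it, most recent last

    def observe(self, timestamp, ip, mac):
        """Feed one (sender IP, sender MAC) pair taken from an ARP reply.
        Returns a list of (timestamp, ip, mac, event) tuples, possibly empty."""
        mac = mac.lower()
        events = []
        if mac not in self.known_macs:
            self.known_macs.add(mac)
            events.append("new station")            # hardware address never seen before
        macs = self.history.setdefault(ip, [])
        if not macs:
            if "new station" not in events:
                events.append("new activity")       # ethernet/ip pair used for the first time
        elif macs[-1] != mac:
            if len(macs) >= 2 and macs[-2] == mac:
                events.append("flip flop")          # back to the second most recent address
            else:
                events.append("changed ethernet address")
        if not macs or macs[-1] != mac:
            macs.append(mac)
        return [(timestamp, ip, mac, ev) for ev in events]


def suspicious_ips(events, min_flip_flops=2):
    """An IP whose hardware address keeps flipping between two MACs is the classic
    sign of forged ARP replies competing with the real host: the victim's cache is
    being rewritten each time. Returns the IPs that flip-flopped at least `min` times."""
    flips = Counter(ip for _, ip, _, ev in events if ev == "flip flop")
    return {ip for ip, n in flips.items() if n >= min_flip_flops}


# Constructed sample of ARP replies as (time, sender IP, sender MAC); not a real capture.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway first seen
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation first seen
    ("10:00:05", "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway again: no event
    ("10:00:09", "192.168.1.1", "aa:bb:cc:00:00:20"),    # gateway IP now claimed by another MAC
    ("10:00:10", "192.168.1.1", "aa:bb:cc:00:00:01"),    # the real gateway answers again
    ("10:00:11", "192.168.1.1", "aa:bb:cc:00:00:20"),    # and is overridden once more
    ("10:00:12", "192.168.1.30", "aa:bb:cc:00:00:01"),   # known MAC, new IP: new activity
]


def run_sample(replies=SAMPLE_REPLIES):
    """Run the watcher over a reply sequence and return every event it raised."""
    watcher = ArpWatcher()
    return [event for reply in replies for event in watcher.observe(*reply)]


if __name__ == "__main__":
    events = run_sample()
    for ts, ip, mac, ev in events:
        print(f"{ts}  {ip:<14} {mac}  {ev}")
    print("possible ARP spoofing against:", suspicious_ips(events) or "none")
```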

Conclusion: Thus, we have studied and implemented detection of ARP spoofing using the open
source tool ARPMONITOR successfully.
EXPERIMENT NO : 8

Aim:Use the Nessus tool to scan the network for vulnerabilities.


Theory:

Acquiring Nessus:
Go to https://www.tenable.com/products/nessus/nessus-professional/evaluate to access the
Nessus website and get the trial code to install Nessus.

Fill in the form to get your trial code by email, then click on the "Download and install" link.
After returning to the Nessus page you can select the proper version for your test. Select your version, accept
the license terms and download.

Installing Nessus:
Installing Nessus is very easy, especially if you have read our tutorial on the DPKG package
manager.
Run:
sudo dpkg -i

And after the installation is done follow the instructions by running:

sudo /etc/init.d/nessusd start
Your terminal should show very similar results to the following:

Following the Nessus installation instructions, go to https://YOURPCNAME:8443 (replace
YOURPCNAME with your computer's name; it works with localhost too).

When opening the web interface, an SSL error may appear.

Just add an exception and continue accessing:

Finally we reach the Nessus login screen; log in using "admin" both as user and password.
In the next screen select the use you'll give to Nessus and enter the trial code you got by e-mail.

After filling in everything, Nessus will start initializing as shown in the next image. This step may take about
20 or 30 minutes; after it finishes the next screen will be:

Scanning using Nessus:
To create a new scan, click the New Scan icon.

Select the type of scan.

Enter the details of the system where the scan is to be performed.

Select the scan, click the "More" drop-down and then launch the scan.
Select the scan to see the vulnerabilities in the target system.

Click the vulnerability to see the description and solution for the vulnerabilities.

Conclusion: Thus, we have installed, configured and used the Nessus tool to scan the network for
vulnerabilities successfully.
EXPERIMENT NO : 9
Aim: Set up IPSEC under LINUX.

Theory:

IPSec:
In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that
authenticates and encrypts the packets of data sent over an internet protocol network. It is used in
virtual private networks (VPNs). IPsec includes protocols for establishing mutual authentication
between agents at the beginning of a session and negotiation of cryptographic keys to use during
the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of
security gateways (network-to-network), or between a security gateway and a host (network-to-
host).[1] Internet Protocol security (IPsec) uses cryptographic security services to protect
communications over Internet Protocol (IP) networks. IPsec supports network-level peer
authentication, data-origin authentication, data integrity, data confidentiality (encryption), and
replay protection.

Modes of operation:
Transport Mode:
In transport mode, only the payload of the IP packet is usually encrypted or authenticated. The
routing is intact, since the IP header is neither modified nor encrypted; however, when the
authentication header is used, the IP addresses cannot be modified by network address
translation, as this always invalidates the hash value. The transport and application layers are
always secured by a hash, so they cannot be modified in any way, for example by translating the
port numbers. A means to encapsulate IPsec messages for NAT traversal has been defined by
RFC documents describing the NAT-T mechanism.

Tunnel Mode:
In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a
new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for
network-to-network communications (e.g. between routers to link sites), host-to-network
communications (e.g. remote user access) and host-to-host communications (e.g. private chat).
Tunnel Mode supports NAT traversal.

IPSec Setup on Linux Ubuntu:

1. Strongswan installation (binary and source code):


Binary packages (deb/rpm) of strongswan are available in almost all widely used Linux
distributions. The installation of strongswan from both the binary package and the source code (with the desired
features) is explained in this experiment.
The binary package of strongswan can be installed by using the following command on Ubuntu:

aptitude install strongswan



After installation on the Ubuntu platform, the configuration files and folders (ipsec.conf, ipsec.secrets,
ipsec.d, strongswan.conf, strongswan.d) are stored in the /etc directory.

2. Strongswan Compilation:
Go to the /usr/src/ folder and download the latest release of strongswan by using the wget
command.
cd /usr/src
wget https://download.strongswan.org/strongswan-5.5.0.tar.gz

Extract the compressed file and change into the extracted folder to run the configure script.
tar -xzf strongswan-5.5.0.tar.gz
cd strongswan-5.5.0

Run the configure script to check the dependencies of strongswan. HSM support is already
enabled in the latest version of strongswan, as shown below.

Run the configure script, use prefix /usr/local and enable openssl support.
./configure --prefix=/usr/local --enable-openssl
The following snapshot shows that no error has been generated by the configure script as all
required dependencies were already installed on the system.
Run the following two commands to compile and install strongswan under /usr/local directory.
make

make install

The compilation and installation of strongswan on the Ubuntu platform is now complete. Several
configuration files (strongswan.conf, ipsec.conf and ipsec.secrets) and folders
(strongswan.d, ipsec.d) are copied under the /usr/local/etc path. The configuration of the VPN
policy is placed in the ipsec.conf file and confidential secrets are stored in the ipsec.secrets file.
Strongswan plugin configuration is stored in the strongswan.d directory.
Both transport and tunnel mode VPNs are supported by strongswan. In tunnel mode, site-to-site
security of the channel is provided, and it interoperates with devices from other vendors such as Cisco,
Huawei and Juniper.
Site-to-Site VPN:
The following figure shows the placement of a strongswan based VPN gateway device in a
network. A secure communication channel will be established between the 192.168.223.0/24 and
192.168.222.0/24 private networks of the organization.

Before using IPsec between the A and B private networks, make sure that routing between the VPN
gateways of the organization is working, so that the VPN gateway at side A can ping the remote VPN
machine (B); this confirms that network connectivity is OK.
As shown below, the default configuration of the strongswan tool is inside
the /usr/local/etc/ directory.

Pre-shared key based tunnel:


In the first case, a shared-secret based VPN will be created between the gateway devices. The well-
known Diffie-Hellman key agreement algorithm is used by strongswan as part of the mutual authentication.
Details on how the IPsec protocol works are available at the following link.
http://www.unixwiz.net/techtips/iguide-ipsec.html
Configuration of the VPN:
(A-side)
The main configuration of a strongswan VPN policy is in the ipsec.conf file. The following
information is found in this configuration file:
Version of IKE
Type of tunnel
Source and destination gateways
Private networks of the VPN
The ipsec.conf of the A side is given below.

IPsec secrets (shared keys, the password of the private key, the PIN to unlock an HSM) are stored in
the ipsec.secrets file. As shown below, the shared secret between both VPN parties is "test12345".
192.168.1.101 192.168.1.102 : PSK 'test12345'

(B-side)
The configuration in the ipsec.conf and ipsec.secrets files at the remote side is the reverse of
the local side, as given below.
The content of the ipsec.conf file is given below.
The ipsec.secrets file contains the shared secret at remote side.
192.168.1.102 192.168.1.101 : PSK 'test12345'
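The A-side and B-side files described above appear in the manual only as screenshots. The following script is an added example, not the manual's own files: it generates the mirrored ipsec.conf and ipsec.secrets for both gateways of the pre-shared-key tunnel. The assignment of 192.168.223.0/24 to side A and 192.168.222.0/24 to side B, and the cipher proposals, are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab manual): emit the mirrored strongSwan
# ipsec.conf / ipsec.secrets for side A and side B of the PSK tunnel.
# Assumed layout (gateway addresses from the manual, subnet sides assumed):
#   A gateway 192.168.1.101 in front of 192.168.223.0/24
#   B gateway 192.168.1.102 in front of 192.168.222.0/24

# gen_ipsec_conf LOCAL_GW LOCAL_NET REMOTE_GW REMOTE_NET
# Cipher proposals below are an assumption, not taken from the manual.
gen_ipsec_conf() {
    cat <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn site-to-site
    keyexchange=ikev2
    type=tunnel
    authby=secret
    auto=start
    left=$1
    leftsubnet=$2
    right=$3
    rightsubnet=$4
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
EOF
}

# gen_ipsec_secrets LOCAL_GW REMOTE_GW PSK
# Both gateways must hold the same PSK. The lab value 'test12345' is far
# too short for real use; generate one with: openssl rand -base64 32
gen_ipsec_secrets() {
    printf "%s %s : PSK '%s'\n" "$1" "$2" "$3"
}

# Side B is the mirror image of side A: local and remote are swapped.
side_a_conf()    { gen_ipsec_conf 192.168.1.101 192.168.223.0/24 192.168.1.102 192.168.222.0/24; }
side_b_conf()    { gen_ipsec_conf 192.168.1.102 192.168.222.0/24 192.168.1.101 192.168.223.0/24; }
side_a_secrets() { gen_ipsec_secrets 192.168.1.101 192.168.1.102 test12345; }
side_b_secrets() { gen_ipsec_secrets 192.168.1.102 192.168.1.101 test12345; }

# write_side a|b [DIR]: write both files for one side. DIR defaults to
# /usr/local/etc, where the manual's source build puts them.
write_side() {
    dir="${2:-/usr/local/etc}"
    mkdir -p "$dir"
    "side_${1}_conf"    > "$dir/ipsec.conf"
    "side_${1}_secrets" > "$dir/ipsec.secrets"
    chmod 600 "$dir/ipsec.secrets"   # the PSK must not be world-readable
}
```

After writing the files on each gateway, `ipsec restart` followed by `ipsec statusall` shows whether the tunnel came up, exactly as in the steps that follow.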

Start the strongswan daemon (charon) using the following command after you have set up the config
files on both sides.
ipsec restart

The following command shows the status of the created VPN on the devices.
ipsec statusall
Status of the tunnel on both sides (local and remote) is shown below.

These Linux commands show the policies and states of the IPsec tunnel.
ip xfrm state
ip xfrm policy

As shown in the above command output, sensitive information such as the ESP/HMAC keys is also
displayed by the ip xfrm command.

X.509 certificate based tunnel:


In the X.509 certificate (public key authentication) based tunnel, certificates must be generated
for the certification authority (CA) and for clients A and B.
Generating a self-signed CA certificate using the pki utility of strongswan is shown in the following
screenshots.

Change into the /usr/local/etc/ipsec.d path and run the following commands.
cd /usr/local/etc/ipsec.d
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH,
O=strongSwan, CN=Root CA" --outform pem > cacerts/strongswanCert.pem

The content of ipsec.conf and ipsec.secrets for the A side is given below.

The configuration of the B side is also given below.

Run the ipsec restart command to apply the above changes and check the status of the tunnel created using
certificates.
ipsec statusall # at side A

ipsec statusall # at side B

Finally, the certificate based VPN has been successfully created by using the strongswan tool.

Conclusion: Thus, we have studied and implemented setup and configuration of IPSec on Linux
successfully.

EXPERIMENT NO : 10
Aim: Installation of SNORT Intrusion Detection System.

Theory:

Intrusion Detection System(IDS):


An intrusion detection system (IDS) is a device or software application that monitors
a network or systems for malicious activity or policy violations. Any malicious activity or
violation is typically reported either to an administrator or collected centrally using a security
information and event management (SIEM) system. A SIEM system combines outputs from
multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false
alarms. While there are several types of IDS, ranging in scope from single computers to large
networks, the most common classifications are network intrusion detection systems (NIDS)
and host-based intrusion detection systems (HIDS). A system that monitors important operating
system files is an example of a HIDS, while a system that analyzes incoming network traffic is
an example of a NIDS. It is also possible to classify IDS by detection approach: the most well-
known variants are signature-based detection (recognizing bad patterns, such as malware)
and anomaly-based detection (detecting deviations from a model of "good" traffic, which often
relies on machine learning). Some IDS have the ability to respond to detected intrusions.
Systems with response capabilities are typically referred to as an intrusion prevention system.

Different types of intrusion detection systems:


Intrusion detection systems come in different flavors and detect suspicious activities using
different methods, including the following:
• A network intrusion detection system (NIDS) is deployed at a strategic point or points
within the network, where it can monitor inbound and outbound traffic to and from all the
devices on the network.
• Host intrusion detection systems (HIDS) run on all computers or devices in the network
with direct access to both the internet and the enterprise internal network. HIDS have an
advantage over NIDS in that they may be able to detect anomalous network packets that
originate from inside the organization or malicious traffic that a NIDS has failed to
detect. HIDS may also be able to identify malicious traffic that originates from the host
itself, as when the host has been infected with malware and is attempting to spread to
other systems.
• Signature-based intrusion detection systems monitor all the packets traversing the
network and compare them against a database of signatures or attributes of known
malicious threats, much like antivirus software.
• Anomaly-based intrusion detection systems monitor network traffic and compare it
against an established baseline, to determine what is considered normal for the network
with respect to bandwidth, protocols, ports and other devices. This type of IDS alerts
administrators to potentially malicious activity.

SNORT:
Snort is a free open source network intrusion detection system (IDS)[4] created by Martin
Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder
and CTO, and which has been owned by Cisco since 2013. In 2009, Snort entered InfoWorld's
Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time".
Snort's open source network-based intrusion detection system (IDS) has the ability to perform
real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs
protocol analysis, content searching and matching.
The program can also be used to detect probes or attacks, including, but not limited to, operating
system fingerprinting attempts, semantic URL attacks, buffer overflows, server message
block probes, and stealth port scans. Snort can be configured in three main modes: sniffer,
packet logger, and network intrusion detection. In sniffer mode, the program will read network
packets and display them on the console. In packet logger mode, the program will log packets to
the disk. In intrusion detection mode, the program will monitor network traffic and analyze it
against a rule set defined by the user. The program will then perform a specific action based on
what has been identified.

Installation of SNORT on Windows:


Before you install Snort, you must download and install the WinPcap driver:
1. Download the WinPcap driver from http://WinPcap.polito.it/install/default.htm. The
latest stable version of WinPcap at the time of this writing is Version 3.0.
2. Double-click on the install file—WinPcap_3_0.exe, in this case—to launch the
installation.
3. The Welcome to the Installation Wizard window appears. Click Next to continue.
4. You are presented with the license agreement. Click on the box labeled "Yes, I agree with
all the terms of this license agreement," and then click Next to continue.
5. The WinPcap installation status appears on the screen, and you are presented with the
Readme Information window. Click Next to continue.
6. Last, you'll see the Installation Complete window stating that WinPcap 3.0 has been
successfully installed. Click OK to exit the installation.
7. Next, it is a good practice to reboot after installing the WinPcap drivers.

Now that WinPcap is installed, continue with the Snort installation:


1. Download the Snort executable file from http://www.snort.org/dl/binaries/win32. The
latest stable version of Snort at the time of this writing is Version 2.2.0.
2. Double-click on the install file—snort-2_2_0.exe, in this case—to launch the installation.
3. You are presented with the GNU General Public License agreement (Figure 1-1). Once
you have read and accepted the terms of the agreement, click I Agree.

Figure 1-1. License Agreement window


4. Next you must determine what type of database support you need (Figure 1-2). If you
require support for Microsoft SQL Server or Oracle, you must have the necessary client
software already installed on your computer. For basic installation in this example, accept
the default and install Snort without SQL Server or Oracle database support. Click Next.

5. The next screen allows you to choose the Snort components that you wish to install
(Figure 1-3). You can see the description of each component by hovering your mouse over it.
By default, all components are selected. Click Next.

6. The next screen allows you to choose an install location for Snort (Figure 1-4). The
default location is C:\Snort. You may select a different location by typing directly into
the Destination Folder area, or by choosing Browse and selecting a location. Click Install.

7. You now see the status of the Snort installation (Figure 1-5). You can click on Show
Details to see more information for each file that is being installed.

8. The installation status informs you when the installation is complete (Figure 1-6). If you
would like to view the details of the installation, you may scroll through them in the
status window or you can right-click on this window and choose Copy Details to
Clipboard. This saves the complete details of the installation to a buffer. You may then
open Notepad, or another text editor, and paste the results by choosing Edit > Paste or by
typing Ctrl-V. Click Close in the Snort installation window to close the dialog box.

9. Last, you see a window that states that Snort was successfully installed (Figure 1-7).
Click OK to close this window.
EXPERIMENT NO : 11
Aim: Use of iptables in Linux to create firewalls.

Theory:

Iptables:
Iptables is a Linux command line firewall that allows system administrators to manage incoming
and outgoing traffic via a set of configurable table rules. Iptables uses a set of tables which have
chains that contain a set of built-in or user-defined rules. Using them, a system administrator
can properly filter the network traffic of the system. Iptables is a rule-based firewall system and it
is normally pre-installed on the operating system, where it controls the incoming and
outgoing packets. By default iptables runs without any rules; we can create, add and edit
rules in it. You can install iptables by using the following command:

sudo apt-get install iptables-persistent

Firewalls:
A firewall is a network security system that monitors and controls incoming and outgoing
network traffic based on predetermined security rules. A firewall typically establishes a barrier
between a trusted internal network and untrusted external network, such as the Internet. Firewalls
are often categorized as either network firewalls or host-based firewalls. Network firewalls filter
traffic between two or more networks and run on network hardware. Host-based firewalls run on
host computers and control network traffic in and out of those machines.

Implementation:
Prior to the implementation, we need a separate client machine connected to our main machine;
the ping command is used to verify the connection. First, determine the IP addresses of both
machines. In our case, the IP address of the main machine is 172.20.39.30 and that of the
client machine is 172.20.39.29. Now, run the ping command on the client machine as follows:

Now, to block all the packets coming from the client machine, run the following command on the
main machine:
sudo iptables -I INPUT -s 172.20.39.29 -j DROP

This will give the following screen:

This will block all the packets coming from the client machine as shown below:

To start accepting packets from the client machine again, run the following command:
sudo iptables -I INPUT -s 172.20.39.29 -j ACCEPT
This is illustrated as follows:
This will again start accepting all packets from the client machine as shown below:
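The block and unblock steps above, wrapped as an added example (not part of the lab manual) in small shell functions. Inserting an ACCEPT rule with -I works because the first matching rule in the chain wins, but it leaves the DROP rule in place; the unblock function below instead deletes the DROP rule with -D. The IPT variable is a hypothetical convenience for printing the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the lab manual): wrappers around the iptables
# commands of Experiment 11. Set IPT=echo to print the commands instead
# of running them (useful for checking the rule before applying it).
IPT="${IPT:-sudo iptables}"

# Accept only a dotted-quad IPv4 address, so a typo cannot turn into an
# unintended rule (e.g. a rule with an empty or malformed source).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Block all packets from one host: the manual's command, inserted at the
# top of INPUT (-I) so it is evaluated before any existing ACCEPT rule.
block_host() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 2; }
    $IPT -I INPUT -s "$1" -j DROP
}

# Re-allow the host by deleting the DROP rule (-D) rather than stacking
# an ACCEPT rule above it, so the chain does not accumulate dead rules.
unblock_host() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 2; }
    $IPT -D INPUT -s "$1" -j DROP
}

# Return 0 when a DROP rule for the host exists (-C checks, changes nothing).
is_blocked() {
    $IPT -C INPUT -s "$1" -j DROP 2>/dev/null
}

# Show the INPUT chain with rule numbers so the evaluation order is visible.
show_input_chain() {
    $IPT -L INPUT -n --line-numbers
}
```

Running show_input_chain after the manual's ACCEPT step shows both rules present, with ACCEPT at position 1; after unblock_host only the rules that were there before remain.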

Conclusion: Thus, we have studied and implemented iptables in Linux to create firewalls
successfully.
