A.Y. 2020 - 21
LAB MANUAL
CLASS : T.E
SEMESTER : V
LAB OBJECTIVES:
Students will try:
1. To be able to apply the knowledge of symmetric cryptography to implement simple ciphers.
2. To be able to analyze and implement public key algorithms like RSA and El Gamal.
3. To analyze and evaluate performance of hashing algorithms.
4. To explore the different network reconnaissance tools to gather information about networks.
5. To explore and use tools like sniffers, port scanners and other related tools for analysing packets
in a network.
6. To be able to set up firewalls and intrusion detection systems using open source technologies and
to explore email security.
LAB OUTCOMES:
Students will learn to:
LO | Description | Bloom's Level | PO
LO1 | Apply the knowledge of symmetric cryptography to implement simple ciphers. | 1 (Remembering), 6 (Creating) | 1,3
LO2 | Analyze and implement public key algorithms like RSA and El Gamal. | 4 (Analyzing), 6 (Creating) | 1,2,3
LO3 | Analyze and evaluate performance of hashing algorithms. | 4 (Analyzing), 5 (Evaluate) | 1,2,3,4
LO4 | Explore the different network reconnaissance tools to gather information about networks. | 4 (Analyzing) | 2,3,4,5,6,8,9,12
LO5 | Use tools like sniffers, port scanners and other related tools for analyzing packets in a network. | 4 (Analyzing) | 2,3,4,5,6,8,9,12
LO6 | Apply and set up firewalls and intrusion detection systems using open source technologies and to explore email security. | 2 (Understanding), 3 (Applying) | 2,3,4,5,6,8,9,12
XAVIER INSTITUTE OF ENGINEERING
LIST OF EXPERIMENTS
SR. NO. | NAME OF EXPERIMENT | LO | BLOOM'S LEVEL | PO
1 | (a) Design and Implementation of Substitution Cipher. (b) Design and Implementation of Transposition Cipher. (c) Design and Implementation of Product Cipher using Substitution Cipher and Transposition Cipher. | LO1 | 1,6 | 1,3
2 | (a) Implementation and Analysis of RSA Cryptosystem. (b) Implementation of Diffie Hellman Key Exchange Algorithm. | LO2 | 4,6 | 1,2,3
3 | For varying message sizes, test integrity of message using MD-5, SHA-1, and analyse the performance of the two protocols. Use crypt APIs. | LO3 | 4,5 | 1,2,3,4
4 | Study the use of network reconnaissance tools like WHOIS, dig, traceroute, nslookup to gather information about networks and domain registrars. | LO4 | 4 | 2,3,4,5,6,8,9,12
5 | Study of packet sniffer tools like Wireshark. Use the tool to do the following: 1. Observe performance in promiscuous as well as non-promiscuous mode. 2. Show that packets can be traced based on different filters. | LO5 | 4 | 2,3,4,5,6,8,9,12
6 | Download and install nmap. Use it with different options to scan open ports, perform OS fingerprinting, do a ping scan, tcp port scan, udp port scan, etc. | LO5 | 4 | 2,3,4,5,6,8,9,12
7 | Detect ARP spoofing using open source tool ARPWATCH. | LO5 | 4 | 2,3,4,5,6,8,9,12
8 | Use the Nessus tool to scan the network for vulnerabilities. | LO4 | 4 | 2,3,4,5,6,8,9,12
9 | Set up IPSEC under LINUX. | LO6 | 2,3 | 2,3,4,5,6,8,9,12
10 | Install IDS (e.g. SNORT) and study the logs. | LO6 | 2,3 | 2,3,4,5,6,8,9,12
11 | Use of iptables in linux to create firewalls. | LO6 | 2,3 | 2,3,4,5,6,8,9,12
EXPERIMENT NO : 1
Aim: [ A ] Design and implementation of Substitution Cipher.
Expected Output:
Aim: [ B ] Design and implementation of Rail Fence Cipher.
W...E...C...R...L...T...E
.E.R.D.S.O.E.E.F.E.A.O.C.
..A...I...V...D...E...N..
(The cipherer has broken this ciphertext up into blocks of five to help avoid errors. This is a
common technique used to make the cipher more easily readable. The spacing is not related to
spaces in the plaintext and so does not carry any information about the plaintext.)
The rail fence cipher was used by the ancient Greeks in the scytale, a mechanical system of
producing a transposition cipher. The system consisted of a cylinder and a ribbon that was
wrapped around the cylinder. The message to be encrypted was written on the coiled ribbon. The
letters of the original message would be rearranged when the ribbon was uncoiled from the
cylinder. However, the message was easily decrypted when the ribbon was recoiled on a cylinder
of the same diameter as the encrypting cylinder.
Expected Output:
Aim: [ C ] Design and implementation of Product Cipher.
Output:
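The three parts of this experiment worked through in code, as an added example that is not the manual's own program: a Caesar-style substitution cipher, the rail fence transposition cipher drawn in the grid above, and their composition as a product cipher. The key values (shift of 3, 3 rails) are assumptions.

```python
# Added example, not from the manual: substitution, rail fence transposition and
# their product.  Shift 3 and 3 rails are assumed key values.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def substitution_encrypt(plaintext, shift):
    """Monoalphabetic substitution: replace each letter by the one `shift` places later."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # non-letters are passed through unchanged
    return "".join(out)


def substitution_decrypt(ciphertext, shift):
    """Shifting back by the same amount undoes the substitution."""
    return substitution_encrypt(ciphertext, -shift)


def _rail_rows(length, rails):
    """Row index of each position in the zigzag; the pattern repeats every 2*rails-2 positions."""
    if rails < 2:
        return [0] * length
    period = 2 * rails - 2
    rows = []
    for i in range(length):
        r = i % period
        rows.append(r if r < rails else period - r)
    return rows


def rail_fence_grid(plaintext, rails):
    """Render the fence the way the manual draws it: letters on their rail, dots elsewhere."""
    rows = _rail_rows(len(plaintext), rails)
    return ["".join(ch if r == rail else "." for ch, r in zip(plaintext, rows))
            for rail in range(rails)]


def rail_fence_encrypt(plaintext, rails):
    """Transposition: write the text in a zigzag over `rails` rows, then read row by row."""
    rows = _rail_rows(len(plaintext), rails)
    fence = [[] for _ in range(rails)]
    for ch, r in zip(plaintext, rows):
        fence[r].append(ch)
    return "".join("".join(row) for row in fence)


def rail_fence_decrypt(ciphertext, rails):
    """Undo the transposition: work out how many letters each rail holds, slice the
    ciphertext into rails, then pull the letters back out in zigzag order."""
    rows = _rail_rows(len(ciphertext), rails)
    pieces = []
    pos = 0
    for rail in range(rails):
        count = rows.count(rail)
        pieces.append(list(ciphertext[pos:pos + count]))
        pos += count
    return "".join(pieces[r].pop(0) for r in rows)


def product_encrypt(plaintext, shift, rails):
    """Product cipher: substitution first, then transposition of the result.
    Note that the key space is only 25 shifts times a handful of rail counts, and
    each stage can be undone on its own, so the product is still a classroom cipher."""
    return rail_fence_encrypt(substitution_encrypt(plaintext, shift), rails)


def product_decrypt(ciphertext, shift, rails):
    """Inverse of product_encrypt: undo the transposition first, then the substitution."""
    return substitution_decrypt(rail_fence_decrypt(ciphertext, rails), shift)


if __name__ == "__main__":
    msg = "WEAREDISCOVEREDFLEEATONCE"   # the plaintext behind the manual's grid
    print("\n".join(rail_fence_grid(msg, 3)))
    print("rail fence :", rail_fence_encrypt(msg, 3))
    ct = product_encrypt(msg, 3, 3)
    print("product    :", ct)
    print("recovered  :", product_decrypt(ct, 3, 3))
```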
EXPERIMENT NO : 2
Aim: [ A ] Implementation and Analysis of RSA Cryptosystem.
OUTPUT:
Aim: [ B ] Implementation of Diffie Hellman Key Exchange Algorithm
Theory : Diffie–Hellman key exchange establishes a shared secret between two parties that can
be used for secret communication for exchanging data over a public network. The conceptual
diagram to the right illustrates the general idea of the key exchange by using colors instead of
very large numbers.
The process begins by having the two parties, Alice and Bob, agree on an arbitrary starting color
that does not need to be kept secret (but should be different every time [3]); in this example, the
color is yellow. Each of them selects a secret color that they keep to themselves – in this case,
red and blue-green. The crucial part of the process is that Alice and Bob each mix their own
secret color together with their mutually shared color, resulting in orange-tan and light-blue
mixtures respectively, and then publicly exchange the two mixed colors. Finally, each of the two
mixes the color they received from the partner with their own private color. The result is a final
color mixture (yellow-brown in this case) that is identical to the partner's final color mixture.
If a third party listened to the exchange, it would only know the common color (yellow) and the
first mixed colors (orange-tan and light-blue), but it would be computationally difficult for this
party to determine the final secret color (yellow-brown). In fact, when using large numbers rather
than colors, this action is computationally expensive: It is impossible to do in a reasonable
amount of time even for modern supercomputers.
Cryptographic explanation
The simplest and the original implementation[2] of the protocol uses the multiplicative group of
integers modulo p, where p is prime, and g is a primitive root modulo p. These two values are
chosen in this way to ensure that the resulting shared secret can take on any value from 1 to p–1.
Here is an example of the protocol, with non-secret values in blue, and secret values in red.
1. Alice and Bob publicly agree to use a modulus p = 23 and base g = 5 (which is a
primitive root modulo 23).
2. Alice chooses a secret integer a = 4, then sends Bob A = g^a mod p
A = 5^4 mod 23 = 4
3. Bob chooses a secret integer b = 3, then sends Alice B = g^b mod p
B = 5^3 mod 23 = 10
4. Alice computes s = B^a mod p
s = 10^4 mod 23 = 18
5. Bob computes s = A^b mod p
s = 4^3 mod 23 = 18
6. Alice and Bob now share a secret (the number 18).
Both Alice and Bob have arrived at the same value s, because, under mod p,
Note that only a, b, and (g^ab mod p = g^ba mod p) are kept secret. All the other values –
p, g, g^a mod p, and g^b mod p – are sent in the clear. Once Alice and Bob compute the shared
secret they can use it as an encryption key, known only to them, for sending messages across the
same open communications channel.
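The exchange above carried out in code, as an added example that is not part of the manual's program. The textbook values p = 23, g = 5, a = 4 and b = 3 are the ones from the text; the larger prime 2^61 - 1 used in dh_random_exchange is an assumption chosen for illustration, and the brute-force discrete-log routine only exists to show why such a small p gives no security.

```python
import secrets

# Added example, not from the manual: Diffie-Hellman over the multiplicative group mod p.


def is_primitive_root(g, p):
    """True when g generates every value 1..p-1 modulo the prime p, so the shared secret
    can take any of those values.  Brute force, so only for small textbook primes; real
    deployments take p and g from a published group such as the RFC 3526 MODP groups."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


def dh_public(g, secret, p):
    """The value a party sends in the clear: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public, secret, p):
    """Shared secret from the peer's public value: peer_public^secret mod p."""
    return pow(peer_public, secret, p)


def dh_exchange(p, g, a, b):
    """Run both sides of the protocol and return what an eavesdropper sees (A and B)
    together with the secret each side computed."""
    A = dh_public(g, a, p)          # Alice -> Bob
    B = dh_public(g, b, p)          # Bob -> Alice
    return {
        "A": A,
        "B": B,
        "s_alice": dh_shared(B, a, p),   # B^a = g^(ba) mod p
        "s_bob": dh_shared(A, b, p),     # A^b = g^(ab) mod p
    }


def dh_random_exchange(p, g):
    """Same protocol with fresh random private exponents, as a real implementation does."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    return dh_exchange(p, g, a, b)


def discrete_log_bruteforce(g, h, p):
    """The problem an eavesdropper who knows only p, g and h = g^x mod p must solve.
    Trying every exponent is instant for p = 23 and hopeless for 2048-bit primes;
    that gap is the entire basis of the protocol's security."""
    for x in range(1, p):
        if pow(g, x, p) == h:
            return x
    return None


if __name__ == "__main__":
    result = dh_exchange(23, 5, 4, 3)
    print("g=5 is a primitive root mod 23:", is_primitive_root(5, 23))
    print("sent in the clear: A =", result["A"], "B =", result["B"])
    print("Alice's secret:", result["s_alice"], "Bob's secret:", result["s_bob"])
    print("eavesdropper recovers a =", discrete_log_bruteforce(5, result["A"], 23))
    big = dh_random_exchange(2**61 - 1, 2)    # assumed Mersenne prime, for illustration
    print("large-p secrets agree:", big["s_alice"] == big["s_bob"])
```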
Expected Output:
EXPERIMENT NO : 3
Aim: For varying message sizes, test integrity of message using MD-5, SHA-1, and analyze
the performance of the two protocols. Use crypt APIs.
Program:
import hashlib
import timeit

message = input("Enter message: ").encode()
print("Performance analysis: ")
print("-----MD5-----")
# MD5 DIGEST
md5_digest = hashlib.md5(message)
print("The hexadecimal equivalent of md5 hash is : " + md5_digest.hexdigest())
# MD5 TIME: timeit runs the statement 1,000,000 times, so the total in seconds
# equals the average time per hash in microseconds. The message is passed through
# globals rather than pasted into a setup string, which would hash the repr of the
# bytes object instead of the message itself.
print("Time taken to execute in micro sec: ", end="")
print(timeit.timeit('hashlib.md5(message)', globals={'hashlib': hashlib, 'message': message}))
# MD5 LENGTH
print("Length of message digest in bits:", end="")
print(md5_digest.digest_size * 8)
print("-----SHA1-----")
# SHA1 DIGEST
sha1_digest = hashlib.sha1(message)
print("The hexadecimal equivalent of sha1 hash is : " + sha1_digest.hexdigest())
# SHA1 TIME
print("Time taken to execute in micro sec: ", end="")
print(timeit.timeit('hashlib.sha1(message)', globals={'hashlib': hashlib, 'message': message}))
# SHA1 LENGTH
print("Length of message digest in bits:", end="")
print(sha1_digest.digest_size * 8)
Output:
Conclusion: Thus, we have analyzed the performance of the two protocols: MD5 and SHA-1
and tested the integrity of messages of varying sizes.
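The program above times a single message; the aim asks for varying message sizes. The following added example (not the manual's program) measures MD5 and SHA-1 across several sizes, adds SHA-256 as the current baseline to compare against, and shows the integrity check itself. The sizes and the constructed messages are assumptions.

```python
import hashlib
import os
import time

# Added example, not from the manual.  sha256 is included as the reference the two
# older functions should be measured against; MD5 and SHA-1 both have practical
# collision attacks, so they catch accidental corruption but not deliberate tampering
# by someone who can choose the message.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest(algorithm, message):
    """Hex digest of `message` (bytes) using the named hashlib algorithm."""
    return hashlib.new(algorithm, message).hexdigest()


def verify_integrity(algorithm, message, expected_hex):
    """True when the message still hashes to the digest computed earlier.
    A bare digest only detects modification; if an attacker could replace the
    digest too, an HMAC with a shared key is needed instead."""
    return hashlib.new(algorithm, message).hexdigest() == expected_hex


def time_digest(algorithm, message, repeats=20):
    """Average seconds per digest and throughput in MB/s for one message size."""
    start = time.perf_counter()
    for _ in range(repeats):
        hashlib.new(algorithm, message).digest()
    seconds = (time.perf_counter() - start) / repeats
    mbytes = len(message) / (1024 * 1024)
    return {"seconds": seconds,
            "mb_per_s": mbytes / seconds if seconds > 0 else float("inf")}


def performance_table(sizes=(1024, 64 * 1024, 1024 * 1024)):
    """The comparison the experiment asks for, over varying message sizes.
    Returns {size: {algorithm: {"bits": digest length, "seconds": ..., "mb_per_s": ...}}}."""
    table = {}
    for size in sizes:
        message = os.urandom(size)          # constructed message of the requested size
        table[size] = {}
        for alg in ALGORITHMS:
            row = time_digest(alg, message)
            row["bits"] = hashlib.new(alg).digest_size * 8
            table[size][alg] = row
    return table


if __name__ == "__main__":
    original = b"Transfer 100 to account 42"     # constructed sample message
    tag = digest("sha1", original)
    print("intact  :", verify_integrity("sha1", original, tag))
    print("tampered:", verify_integrity("sha1", b"Transfer 900 to account 42", tag))
    for size, rows in performance_table().items():
        for alg, row in rows.items():
            print(f"{size:>8} bytes  {alg:7}  {row['bits']:3} bits  {row['mb_per_s']:8.1f} MB/s")
```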
EXPERIMENT NO : 4
Aim: Study the use of network reconnaissance tools like whois, dig, traceroute, nslookup to
gather information about networks and domain registrars.
Theory:
1. whois:
whois searches for an object in a WHOIS database. WHOIS is a query and
response protocol that is widely used for querying databases that store the
registered users of an Internet resource.
Syntax:
whois [ -h HOST ] [ -p PORT ] [ -aCFHlLMmrRSVx ] [ -g SOURCE:FIRST-LAST ] [ -i ATTR ] [ -S SOURCE ] [ -T TYPE ] object
whois -t TYPE
whois -v TYPE
whois -q keyword
Options:
-h HOST Connect to WHOIS database host HOST.
-H Suppress the display of legal disclaimers.
-p PORT When connecting, connect to network port PORT.
--verbose Operate verbosely.
--help Display a help message, and exit
2. dig:
dig (domain information groper) is a network administration command-line tool
for querying Domain Name System (DNS) servers. dig is useful for network
troubleshooting and for educational purposes. dig can operate in interactive
command line mode or in batch mode by reading requests from an operating
system file.
Syntax:
dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port#] [-q name] [-t type] [-x addr] [-y [hmac:]name:key] [-4] [-6] [name] [type] [class] [queryopt...]
dig [-h]
dig [global-queryopt...] [query...]
Options:
-b address
The -b option sets the source IP address of the query to address
-c class
The default query class (IN for Internet) is overridden by the -c option. class is
any valid class, such as HS for Hesiod records or CH for CHAOSNET records.
-f filename
The -f option makes dig operate in batch mode by reading a list of lookup
requests to process from the file filename.
-p port#
If a non-standard port number is to be queried, the -p option is used. port# is the
port number that dig will send its queries instead of the standard DNS port
number 53.
-4
The -4 option forces dig to only use IPv4 query transport.
-6
The -6 option forces dig to only use IPv6 query transport.
-t type
The -t option sets the query type to type. It can be any valid query type that is
supported in BIND9.
-x addr
Reverse lookups (mapping addresses to names) are simplified by the -x option.
addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6
address.
-k filename
To sign the DNS queries sent by dig and their responses using transaction
signatures (TSIG), specify a TSIG key file using the -k option.
-y [hmac:]name:key
You can also specify the TSIG key itself on the command line using the -y option.
3. traceroute:
traceroute is a computer network diagnostic tool for displaying the route (path)
and measuring transit delays of packets across an Internet Protocol (IP) network.
The history of the route is recorded as the round-trip times of the packets received
from each successive host (remote node) in the route (path); the sum of the mean
times in each hop is a measure of the total time spent to establish the connection.
traceroute proceeds unless all (three) sent packets are lost more than twice; then the
connection is lost and the route cannot be evaluated.
Syntax:
traceroute [-46dFITUnreAV] [-f first_ttl] [-g gate,...] [-i device]
[-m max_ttl] [-p port] [-s src_addr] [-q nqueries]
[-N squeries] [-t tos] [-l flow_label] [-w waittime]
[-z sendwait] [-UL] [-D] [-P proto] [--sport=port] [-M method]
[-O mod_options] [--mtu] [--back] host [packet_len]
Options:
--help Display a help message, and exit.
-4, -6 Explicitly force IPv4 or IPv6 tracerouting.
-I Use ICMP ECHO for probes.
-T Use TCP SYN for probes.
-d Enable socket level debugging (if the kernel supports it).
-F Do not fragment probe packets. (For IPv4 it also sets DF bit, which tells
intermediate routers not to fragment remotely as well).
-f first_ttl Specifies with what TTL to start. Defaults to 1.
-g gateway Tells traceroute to add an IP source routing option to the outgoing
packet that tells the network to route the packet through the specified gateway.
-i interface Specifies the interface through which traceroute should send
packets.
-m max_ttl Specifies the maximum number of hops (max time-to-live value)
traceroute will probe. The default is 30.
-N squeries Specifies the number of probe packets sent out simultaneously.
-n Do not try to map IP addresses to host names when displaying them.
-p port For UDP tracing, specifies the destination port base traceroute will use
-t tos For IPv4, set the Type of Service (TOS) and Precedence value.
-l flow_label Use specified flow_label for IPv6 packets.
-w waittime Set the time (in seconds) to wait for a response to a probe (default
is 5.0).
-q nqueries Sets the number of probe packets per hop. The default is 3.
-r Bypass the normal routing tables and send directly to a host on an attached
network
-s source_addr Chooses an alternative source address.
-z sendwait Minimal time interval between .
-e Show ICMP extensions.
-A Perform AS path lookups in routing registries and print results directly
after the corresponding addresses.
-V Print version information, and exit.
4. nslookup:
nslookup is a network administration command-line tool available for many
computer operating systems for querying the Domain Name System (DNS) to
obtain domain name or IP address mapping or for any other specific DNS record.
Syntax:
nslookup [option] [name|-] [server]
Options:
host [server] Look up information for host using the current default server, or
server if specified
exit Exits the program.
set keyword[=value] This command is used to change state information that
affects the lookups. Valid keywords are:
all Prints the current values of the frequently used options to set. Information
about the current default server and host is also printed.
class=value Change the query class to one of:
Conclusion: Thus, network reconnaissance tools like whois, dig, traceroute and nslookup, used to
gather information about networks and domain registrars, have been studied and implemented
successfully.
EXPERIMENT NO : 5
Aim: Study of packet sniffer tools like Wireshark. Use the tool to do the following:
1. Observe performance in promiscuous mode as well as non-promiscuous mode.
2. Show that packets can be traced based on different filters.
Theory:
Wireshark:
Wireshark is a network packet analyzer. A network packet analyzer tries to capture network
packets and to display that packet data in as much detail as possible. A network packet analyzer
is a measuring device used to examine what's going on inside a network cable, just like a
voltmeter is used by an electrician to examine what's going on inside an electric cable. Wireshark
is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and
filtering options. Wireshark lets the user put network interface controllers into promiscuous mode
(if supported by the network interface controller), so they can see all the traffic visible on that
interface, including unicast traffic not sent to that network interface controller's MAC address.
The following are some of the many features Wireshark provides:
Available for UNIX and Windows.
Capture live packet data from a network interface.
Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
number of other packet capture programs.
Import packets from text files containing hex dumps of packet data.
Display packets with very detailed protocol information.
Save packet data captured.
Export some or all packets in a number of capture file formats.
Filter packets on many criteria.
Search for packets on many criteria.
Colorize packet display based on filters.
Pre-requisite:
Before starting to capture web packets by Wireshark it is necessary to perform the following:
1. Open a new web browser window or tab.
2. Search the Internet for an http website (e.g. www.google.com).
Conclusion: Thus, we have studied and implemented packet capturing using packet sniffer tool
Wireshark successfully.
EXPERIMENT NO : 6
Aim: Download and install nmap. Use it with different options to scan open ports, perform OS
fingerprinting, do a ping scan, tcp port scan, udp port scan, etc.
Theory:
Nmap is a free and open source network discovery and security auditing utility that is widely
used in the Linux user community as it is simple to use yet very powerful. Nmap works by
sending packets to a specific target (by IP) and interpreting the incoming packets to
determine which ports are open or closed, what services are running on the scanned system,
whether firewalls or filters are set up and enabled, and finally what operating system is running.
Those abilities are used for a wide variety of reasons and howtoforge.com is not encouraging nor
suggesting the use of nmap for malicious purposes. NMAP stands for 'Network Mapper'. NMAP
can be used to scan a network of hosts and services and audit security. Further detailed
information can be gained to produce a complete 'network map'.
NMAP was originally written for Linux but can be operated on Windows, Solaris, HP-UX, BSD,
AmigaOS and IRIX.
Installation:
1. Configure the Yum server on your Red Hat Linux.
Yum server: a yum server is a local repository that provides all the package dependencies, most of
which are on the Red Hat Linux disc.
Let's start with the yum server first.
A] Copy the packages from the Red Hat disc and paste them wherever you want (the desktop, /opt
or root); in my case I copied them to the desktop.
Before you start the installation of the createrepo package you must be in the package directory.
# cd /root/Desktop/Packages
B] Install the package createrepo-0.9.8-4.el6.noarch.rpm. When you install it you will
face a problem of dependencies:
deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm
python-deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm
C] So first install the dependencies:
# rpm -ivh deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm
D] Now install the second dependency:
# rpm -ivh python-deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm
E] Now it is time to install createrepo-0.9.8-4.el6.noarch.rpm.
F] Now create the repository from all the packages:
# createrepo -v /root/Desktop/Packages
G] Now create a local.repo file in /etc/yum.repos.d/:
# vim local.repo (press i for insert mode in the vi editor)
[localrepo]
name = local yum server
baseurl = file:///root/Desktop/Packages (in my case)
gpgcheck = 0
(press Esc, then :wq to save and quit)
Now your server is ready to use. To check that the server is working, try # yum list all
Now it will ask whether to install or not; enter a capital Y and press Enter.
Now your nmap is installed and now use and enjoy open source.
Commands:
1. Ping scan:
nmap -sP (IP address) =>Ping scans the network, listing machines that respond to ping
Output:
2. Version detection :
nmap -sV (IP address) => Probe open ports to determine service/version info
Output:
3. IP protocol scan:
nmap -sO (IP address) => IP protocol scan
Output:
4. Enable OS detection :
nmap -O (IP address) => Enable OS detection
Output:
5. UDP scan:
nmap -sU -p- (IP address) => scans all the UDP ports and displays them with state and services
Output:
6. TCP scan :
nmap -p- (IP address) => scans all the TCP ports and displays them with state and services
Output:
Conclusion:Thus, we successfully studied the installation steps for nmap and used nmap
commands with different options to scan open ports, perform OS fingerprinting, do a ping scan,
tcp port scan, udp port scan, etc.
EXPERIMENT NO : 7
Aim: Detect ARP spoofing using open source tool ARPWATCH or ARPMONITOR.
Theory:
ARP Spoofing:
Address Resolution Protocol spoofing (ARP spoofing) is a form of attack in which an attacker
changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the
target computer's ARP cache with forged ARP request and reply packets. This modifies the
layer-2 Ethernet MAC address mapping into the hacker's known MAC address so the traffic can be
monitored. Because the ARP replies are forged, the target computer unintentionally sends its
frames to the hacker's computer first instead of sending them to the original destination. As a
result, both the user's data and privacy are compromised. An effective ARP spoofing attempt is
undetectable to the user.
ARP Monitor:
ARP Monitor allows you to monitor hosts via the ARP protocol and to monitor MAC address
changes with the help of the ARP monitoring check. It is a free tool like arpwatch but for
Windows. This tool can help with ARP activity monitoring in computer networks. The ARP
monitor checks the links by periodically sending ARP packets to the designated targets. If there
is no reply from a certain device, it considers the device to be down. The ARP monitor generates
regular traffic by issuing ARP probes. The ARP monitor is not supported by all of the bonding
modes. It keeps track of mappings between IP addresses and hardware addresses as reported by
ARP replies. Every time two different hardware addresses are mapped to the same IP address, the
event is reported.
Implementation:
The ARP monitor is used for monitoring network and hardware addresses and network traffic.
All the necessary information about various connections currently available are displayed in the
Events tab as shown below:
This Windows software monitors Ethernet activity like Unix arpwatch and keeps a database of
ethernet/ip address pairings. It reports the following events:
new activity - This ethernet/ip address pair has been used for the first time.
new station - The ethernet address has not been seen before.
flip flop - The ethernet address has changed from the most recently seen address to the
second most recently seen address.
changed ethernet address - The host switched to a new ethernet address.
ARP Monitor generates a log of IP addresses and MAC addresses along with a timestamp when
the pairing appeared on the network. These are displayed in the ARPLog tab as shown below:
The last date and time when the IP addresses and MAC addresses were updated and scanned are
listed in the IP-MAC tab as shown below:
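The pairing database and the four event types described above, as an added example that is neither the manual's code nor ARP Monitor's or arpwatch's own: a minimal monitor fed with constructed ARP-reply log lines (timestamp, IP, MAC), which flags a gateway address whose MAC changes and then flips back. The log format and the addresses are assumptions.

```python
from collections import namedtuple

# Added example, not from the manual.  Constructed ARP replies, not a real capture:
# the gateway 192.168.1.1 is briefly claimed by an unknown MAC and then returns.
SAMPLE_ARP_LOG = """\
2021-01-10 10:00:01 192.168.1.1 aa:bb:cc:00:00:01
2021-01-10 10:00:05 192.168.1.20 aa:bb:cc:00:00:20
2021-01-10 10:00:09 192.168.1.1 aa:bb:cc:00:00:01
2021-01-10 10:01:00 192.168.1.1 DE:AD:BE:EF:00:99
2021-01-10 10:01:30 192.168.1.1 aa:bb:cc:00:00:01
2021-01-10 10:02:00 192.168.1.20 aa:bb:cc:00:00:21
"""

ArpEvent = namedtuple("ArpEvent", "timestamp ip mac event")

# The two events that mean an IP address is now answered by a different station.
SPOOF_EVENTS = ("flip flop", "changed ethernet address")


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) from 'YYYY-MM-DD HH:MM:SS ip mac' lines; others are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield f"{parts[0]} {parts[1]}", parts[2], parts[3].lower()


class ArpMonitor:
    def __init__(self):
        self.stations = set()   # every ethernet address seen so far
        self.history = {}       # ip -> ethernet addresses seen for it, most recent last

    def observe(self, timestamp, ip, mac):
        """Record one ARP reply and return the event it triggers, or None."""
        mac = mac.lower()
        previous = self.history.setdefault(ip, [])
        event = None
        if previous and previous[-1] != mac:
            # The ip already had a station: a change outranks "new station", because
            # a changed mapping is exactly what a spoofed reply produces.
            if len(previous) >= 2 and previous[-2] == mac:
                event = "flip flop"
            else:
                event = "changed ethernet address"
        elif not previous:
            event = "new station" if mac not in self.stations else "new activity"
        self.stations.add(mac)
        if not previous or previous[-1] != mac:
            previous.append(mac)
        return ArpEvent(timestamp, ip, mac, event) if event else None


def run_monitor(text):
    """Feed a whole log through one monitor and return the events it raised, in order."""
    monitor = ArpMonitor()
    events = []
    for timestamp, ip, mac in parse_arp_log(text):
        event = monitor.observe(timestamp, ip, mac)
        if event:
            events.append(event)
    return events


def spoof_alerts(events, watched_ips):
    """Events worth paging on: a watched address (e.g. the default gateway) moved to
    another station.  Plain 'new station' events are normal churn on most LANs."""
    return [e for e in events if e.event in SPOOF_EVENTS and e.ip in watched_ips]


if __name__ == "__main__":
    events = run_monitor(SAMPLE_ARP_LOG)
    for e in events:
        print(f"{e.timestamp}  {e.ip:<14} {e.mac}  {e.event}")
    print("alerts:", len(spoof_alerts(events, {"192.168.1.1"})))
```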
Conclusion:Thus, we have studied and implemented detection of ARP spoofing using open
source tool ARPMONITOR successfully.
EXPERIMENT NO : 8
Acquiring Nessus:
Go to https://www.tenable.com/products/nessus/nessus-professional/evaluate to access the
Nessus website and get the trial code needed to install Nessus.
Fill in the form to get your trial code by email, then click on the "Download and install" link.
After returning to Nessus’ page you can select the proper version for your test. Select your version, accept
the license terms and download.
Installing Nessus:
Installing Nessus is very easy, especially if you have read our tutorial on DPKG packages
manager.
Run:
sudo dpkg -i
Finally we reach the Nessus login screen; log in using "admin" both as user and password.
In the next screen select the use you'll give to Nessus and enter the trial code you got by e-mail.
After filling in everything Nessus will start initializing as shown in the next image; this step may
take about 20 or 30 minutes. After it finishes the next screen will be:
Select the scan, click the "More" drop-down and then launch the scan.
Select the scan to see the vulnerabilities in the target system.
Click the vulnerability to see the description and solution for the vulnerabilities.
Conclusion: Thus, we have installed, configured and used the Nessus tool to scan the network for
vulnerabilities successfully.
EXPERIMENT NO : 9
Aim: Set up IPSEC under LINUX.
Theory:
IPSec:
In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that
authenticates and encrypts the packets of data sent over an internet protocol network. It is used in
virtual private networks (VPNs). IPsec includes protocols for establishing mutual authentication
between agents at the beginning of a session and negotiation of cryptographic keys to use during
the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of
security gateways (network-to-network), or between a security gateway and a host (network-to-
host).[1] Internet Protocol security (IPsec) uses cryptographic security services to protect
communications over Internet Protocol (IP) networks. IPsec supports network-level peer
authentication, data-origin authentication, data integrity, data confidentiality (encryption), and
replay protection.
Modes of operation:
Transport Mode:
In transport mode, only the payload of the IP packet is usually encrypted or authenticated. The
routing is intact, since the IP header is neither modified nor encrypted; however, when the
authentication header is used, the IP addresses cannot be modified by network address
translation, as this always invalidates the hash value. The transport and application layers are
always secured by a hash, so they cannot be modified in any way, for example by translating the
port numbers. A means to encapsulate IPsec messages for NAT traversal has been defined by
RFC documents describing the NAT-T mechanism.
Tunnel Mode:
In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a
new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for
network-to-network communications (e.g. between routers to link sites), host-to-network
communications (e.g. remote user access) and host-to-host communications (e.g. private chat).
Tunnel Mode supports NAT traversal.
After installation on the Ubuntu platform, the configuration files and folders (ipsec.conf,
ipsec.secrets, ipsec.d, strongswan.conf, strongswan.d) are stored in the /etc directory.
2. Strongswan Compilation:
Go to the /usr/src/ folder and download the latest release of strongswan by using the wget
command.
cd /usr/src
wget https://download.strongswan.org/strongswan-5.5.0.tar.gz
Extract the compressed file and go inside the extracted folder to run configure script.
tar -xzf strongswan-5.5.0.tar.gz
cd strongswan-5.5.0
Run the configure script to check the dependencies of strongswan. HSM support is already
enabled in the latest version of strongswan as shown below.
Run the configure script, use prefix /usr/local and enable openssl support.
./configure --prefix=/usr/local --enable-openssl
The following snapshot shows that no error has been generated by the configure script as all
required dependencies were already installed on the system.
Run the following two commands to compile and install strongswan under /usr/local directory.
make
make install
The compilation and installation of strongswan on the Ubuntu platform is complete; several
configuration files (strongswan.conf, ipsec.conf and ipsec.secrets) and folders
(strongswan.d, ipsec.d) are copied under the /usr/local/etc path. The configuration of the VPN
policy is placed in the ipsec.conf file and confidential secrets are stored in the ipsec.secrets file.
Strongswan plugin configuration is stored in the strongswan.d directory.
Both transport and tunnel VPNs are supported by strongswan. In tunnel mode, site-to-site
security of the channel is provided and it interoperates with other vendors' devices, such as Cisco,
Huawei and Juniper.
Site-to-Site VPN:
The following figure shows the placement of a strongswan based VPN gateway device in a
network. A secure communication channel will be established between the 192.168.223.0/24 and
192.168.222.0/24 private networks of the organization.
Before using IPsec between the A and B private networks, make sure routing between the VPN
gateways of the organization is working, so that the VPN gateway at side A can ping the remote
VPN machine (B); this confirms that network connectivity is OK.
As shown below, the default configuration of the strongswan tool is inside
the /usr/local/etc/ directory.
IPsec secrets (shared keys, the password of the private key, the PIN to unlock the HSM) are stored
in the ipsec.secrets file. As shown below, the shared secret between both VPN parties is "test12345".
192.168.1.101 192.168.1.102 : PSK 'test12345'
(B-side)
The configuration in the ipsec.conf and ipsec.secrets files at the remote side will be the reverse of
the local site, as given below.
The content of the ipsec.conf file is given below.
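The manual's own ipsec.conf is not reproduced on this page. As an added example (not the manual's file), the following is a minimal ipsec.conf for the site-to-site tunnel described above, using the gateway addresses and subnets from the text; the explicit IKE and ESP proposal strings are an assumption, pinned so the tunnel never negotiates down to whatever weaker algorithms a peer might offer.

```text
# Added example of /usr/local/etc/ipsec.conf for the A-to-B site-to-site tunnel.
# Addresses and subnets are the ones used in the text; proposals are assumed.
conn site-a-to-site-b
    keyexchange=ikev2
    # authby=secret matches the PSK lines in ipsec.secrets by the peer IP addresses
    authby=secret
    # explicit proposals with a trailing '!' refuse anything else the peer offers
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    # VPN gateway at side A and its private network
    left=192.168.1.101
    leftsubnet=192.168.223.0/24
    # VPN gateway at side B and its private network
    right=192.168.1.102
    rightsubnet=192.168.222.0/24
    auto=start
```

The identical file can be placed on both gateways, because strongSwan determines at startup which of left and right is a local address; bring the tunnel up with ipsec restart and confirm it with ipsec statusall as the text shows.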
The ipsec.secrets file at the remote side contains the shared secret.
192.168.1.102 192.168.1.101 : PSK 'test12345'
Start the strongswan daemon (charon) using the following command after you have set up the
config files on both sides.
ipsec restart
The following command shows the status of the created VPN on the devices.
ipsec statusall
Status of the tunnel on both sides (local and remote) is shown below.
These Linux commands show the policies and states of the IPsec tunnel.
ip xfrm state
ip xfrm policy
As shown in the above command output, sensitive information (the ESP and HMAC keys) is also
shown by the ip xfrm command.
Get inside the /usr/local/etc/ipsec.d path and run the following commands.
cd /usr/local/etc/ipsec.d
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=strongSwan, CN=Root CA" --outform pem > cacerts/strongswanCert.pem
Run ipsec restart command to apply above changes and check the status of tunnel created using
certificates.
ipsec statusall # at side A
ipsec statusall # at side B
Finally, the certificate based VPN has been successfully created by using the strongswan tool.
Conclusion: Thus, we have studied and implemented setup and configuration of IPSec on Linux
successfully.
EXPERIMENT NO : 10
Aim: Installation of SNORT Intrusion Detection System.
Theory:
SNORT:
Snort is a free open source network intrusion detection system (IDS)[4] created by Martin
Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder
and CTO, and which has been owned by Cisco since 2013. In 2009, Snort entered InfoWorld's
Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time".
Snort's open source network-based intrusion detection system (IDS) has the ability to perform
real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs
protocol analysis, content searching and matching.
The program can also be used to detect probes or attacks, including, but not limited to, operating
system fingerprinting attempts, semantic URL attacks, buffer overflows, server message
block probes, and stealth port scans. Snort can be configured in three main modes: sniffer,
packet logger, and network intrusion detection. In sniffer mode, the program will read network
packets and display them on the console. In packet logger mode, the program will log packets to
the disk. In intrusion detection mode, the program will monitor network traffic and analyze it
against a rule set defined by the user. The program will then perform a specific action based on
what has been identified.
5. The next screen allows you to choose the Snort components that you wish to install
(Figure 1-3). You can see the description by dragging your mouse over each component.
By default, all components are selected. Click Next.
6. The next screen allows you to choose an install location for Snort (Figure 1-4). The
default location is C:\Snort. You may select a different location by typing directly into
the Destination Folder area, or by choosing Browse and selecting a location. Click Install.
7. You now see the status of the Snort installation (Figure 1-5). You can click on Show
Details to see more information for each file that is being installed.
8. The installation status informs you when the installation is complete (Figure 1-6). If you
would like to view the details of the installation, you may scroll through them in the
status window or you can right-click on this window and choose Copy Details to
Clipboard. This saves the complete details of the installation to a buffer. You may then
open Notepad, or another text editor, and paste the results by choosing Edit > Paste or by
typing Ctrl-V. Click Close in the Snort installation window to close the dialog box.
9. Last, you see a window that states that Snort was successfully installed (Figure 1-7).
Click OK to close this window.
EXPERIMENT NO : 11
Aim: Use of iptables in Linux to create firewalls.
Theory:
Iptables:
Iptables is a Linux command line firewall that allows system administrators to manage incoming
and outgoing traffic via a set of configurable table rules. Iptables uses a set of tables which have
chains that contain sets of built-in or user-defined rules. With them a system administrator
can properly filter the network traffic of the system. Iptables is a rule-based firewall system and it
is normally pre-installed on a Unix operating system, controlling the incoming and
outgoing packets. By default iptables runs without any rules; we can create, add and edit
rules in it. You can install Iptables by using the following command:
Firewalls:
A firewall is a network security system that monitors and controls incoming and outgoing
network traffic based on predetermined security rules. A firewall typically establishes a barrier
between a trusted internal network and untrusted external network, such as the Internet. Firewalls
are often categorized as either network firewalls or host-based firewalls. Network firewalls filter
traffic between two or more networks and run on network hardware. Host-based firewalls run on
host computers and control network traffic in and out of those machines.
Implementation:
Prior to the implementation, we need to connect a separate client machine to our main machine
and confirm the connection with the ping command. First, find the IP addresses of both
machines. For our case, the IP address of our main machine is 172.20.39.30 and that of our
client machine is 172.20.39.29. Now, run the ping command on the client machine as follows:
Now, to block all the packets coming from the client machine, run the following command on the
main machine:
sudo iptables -I INPUT -s 172.20.39.29 -j DROP
This will block all the packets coming from the client machine as shown below:
To start accepting packets from the client machine again, run the following command:
sudo iptables -I INPUT -s 172.20.39.29 -j ACCEPT
Because -I inserts the rule at the top of the INPUT chain, this ACCEPT rule is evaluated before
the DROP rule added earlier, which remains in the chain below it. This is illustrated as follows:
This will again start accepting all packets from the client machine as shown below: