Professional Documents
Culture Documents
Lab Manual
2. Analyze and implement public key algorithms like RSA and El Gamal.
4. Explore the different network reconnaissance tools to gather information about networks.
5. Explore and use tools like sniffers, port scanners and other related tools for analyzing packets
in a network.
6. Set up firewalls and intrusion detection systems using open source technologies and to explore
email security.
Hardware Requirements
2. 4 GB RAM
3. 500 GB Harddisk
Software Requirements
2. wireshark
3. ARPWATCH
1 Design and Implementation of a product cipher using Substitution and Transposition ciphers
2 Implementation and analysis of RSA cryptosystem and Digital signature scheme using
RSA/El Gamal
3 Implementation of Diffie Hellman Key exchange algorithm
4 For varying message sizes, test integrity of message using MD-5, SHA-1, and analyse
the performance of the two protocols. Use crypt APIs
5 Study the use of network reconnaissance tools like WHOIS, dig, traceroute, nslookup
to gather information about networks and domain registrars.
6 Study of packet sniffer tools : wireshark, :
1. Download and install wireshark and capture icmp, tcp, and http packets in
promiscuous mode.
2. Explore how the packets can be traced based on different filters.
7 Download and install nmap. Use it with different options to scan open ports, perform
OS fingerprinting, do a ping scan, tcp port scan, udp port scan, xmas scan etc.
8 Detect ARP spoofing using nmap and/or open source tool ARPWATCH and
wireshark. Use arping tool to generate gratuitous arps and monitor using wireshark
9 Simulate DOS attack using Hping, hping3 and other tools.
10 Simulate buffer overflow attack using Ollydbg, Splint, Cppcheck etc.
11 a. Set up IPSEC under LINUX.
b. Set up Snort and study the logs.
12 Setting up personal Firewall using iptables
13 Explore the GPG tool of linux to implement email security
14 SQL injection attack, Cross-Cite Scripting attack simulation
Objectives:
• To understand the encryption and decryption fundamentals.
• To understand the concepts of the product cipher.
Theory:
Substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext
according to a regular system; the "units" may be single letters (the most common), pairs of letters,
triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing
an inverse substitution.
Transposition cipher is a method of encryption by which the positions held by units of plaintext
(which are commonly characters or groups of characters) are shifted according to a regular system,
so that the ciphertext constitutes a permutation of the plaintext. That is, the order of the units is
changed.
Substitution ciphers can be compared with Transposition ciphers. In a transposition cipher, the units
of the plaintext are rearranged in a different and usually quite complex order, but the units themselves
are left unchanged. By contrast, in a substitution cipher, the units of the plaintext are retained in the
same sequence in the ciphertext, but the units themselves are altered.
1. Caesar Cipher: In cryptography, a Caesar cipher, also known as a Caesar's cipher, the shift cipher,
Caesar's code or Caesar shift, is one of the simplest and most widely known encryption techniques.
It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed
number of positions down the alphabet. For example, with a shift of 3, A would be replaced by D, B
would become E, and so on. The method is named after Julius Caesar, who used it to communicate
with his generals.
The transformation can be represented by aligning two alphabets; the cipher alphabet is the plain
alphabet rotated left or right by some number of positions. For instance, here is a Caesar cipher using
a left rotation of three places (the shift parameter, here 3, is used as the key):
Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC
2. Columnar Transposition: In a columnar transposition, the message is written out in rows of a fixed
length, and then read out again column by column, and the columns are chosen in some scrambled
order. Both the width of the rows and the permutation of the columns are usually defined by a
keyword.
In a regular columnar transposition cipher, any spare spaces are filled with nulls; in an irregular
columnar transposition cipher, the spaces are left blank. Finally, the message is read off in columns,
in the order specified by the keyword.
Algorithm/Procedure:
• Substitution
• Transposition
1. Count how many letters are in your ciphertext (for example, 75) and factor that number (75
=5*5*3).
2. Create all of the possible matrices to fit this ciphertext (in our case, 3x25, 5x15, 15x5, 25x3).
3. Write the ciphertext into these matrices down the columns.
4. For each of your matrices, consider all of the possible permutations of the columns (for n
columns, there are n! possible rearrangements). In our case, we hope that the message was
enciphered using one of the last two matrices (the 15x5 and the 25x3), since in those cases,
we have only 6 and 120 possibilities to check (3! = 6, 5! = 120, 15! ~ 1.31x10^12, 25! ~
1.55x10^25).
5. Rearrange each matrix to see if you get anything intelligible. Read the message off row-by-
row. Note that this is much more easily done by a computer than by hand, but it is doable (for
small matrices).
Source Code:
import java.util.*;
class ProductCipher {
public static void main(String args[]) {
System.out.println("Enter the input to be encrypted:");
String substitutionInput = new Scanner(System.in).nextLine();
System.out.println("Enter a number:");
int n = new Scanner(System.in).nextInt();
// Transposition encryption
String transpositionInput = substitutionOutput.toString();
int modulus;
if((modulus = transpositionInput.length()%n) != 0) {
modulus = n-modulus;
// ‘modulus’ is now the number of blanks/padding (X) to be appended
for( ; modulus!=0 ; modulus--) {
transpositionInput += "/";
}
}
StringBuffer transpositionOutput = new StringBuffer();
System.out.println("\nTransposition Matrix:");
for(int i=0 ; i<n ; i++) {
for(int j=0 ; j<transpositionInput.length()/n ; j++) {
char c = transpositionInput.charAt(i+(j*n));
System.out.print(c);
transpositionOutput.append(c);
}
System.out.println();
}
System.out.println("\nFinal encrypted text:");
System.out.println(transpositionOutput);
// Transposition decryption
n = transpositionOutput.length()/n;
StringBuffer transpositionPlaintext = new StringBuffer();
for(int i=0 ; i<n ; i++) {
for(int j=0 ; j<transpositionOutput.length()/n ; j++) {
char c = transpositionOutput.charAt(i+(j*n));
transpositionPlaintext.append(c);
}
}
// Substitution decryption
LAB MANUAL [SSL] Page 7
StringBuffer plaintext = new StringBuffer();
for(int i=0 ; i<transpositionPlaintext.length() ; i++) {
char c = transpositionPlaintext.charAt(i);
plaintext.append((char) (c-5));
}
System.out.println("\nPlaintext:");
System.out.println(plaintext);
}
}
Output:
Substituted text:
xfslnyf
Transposition Matrix:
xlf
fn/
sy/
Plaintext:
sangita
Conclusion :
A product cipher is a composite of two or more elementary ciphers with the goal of producing a cipher
which is more secure that any of the individual components. In product cipher substitution and
transposition are applied to create confusion and diffusion in the text message.
Objectives:
• To understand the concept of public key cryptosystem.
• To understand the RSA cryptosystem.
• To understand RSA Digital signature scheme.
• To understand the possible attacks on RSA cryptosystem.
Theory:
RSA was invented by Ron Rivest, Adi Shamir, and Len Adleman and hence, it is termed as RSA
cryptosystem. We will see two aspects of the RSA cryptosystem, firstly generation of key pair and
secondly encryption-decryption algorithms.
Generation of RSA Key Pair
Each person or a party who desires to participate in communication using encryption needs to
generate a pair of keys, namely public key and private key. The process followed in the generation of
keys is described below −
● Generate the RSA modulus (n)
○ Select two large primes, p and q.
○ Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically
a minimum of 512 bits.
● Find Derived Number (e)
○ Number e must be greater than 1 and less than (p − 1)(q − 1).
○ There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words
two numbers e and (p – 1)(q – 1) are coprime.
● Form the public key
LAB MANUAL [SSL] Page 9
○ The pair of numbers (n, e) form the RSA public key and is made public.
○ Interestingly, though n is part of the public key, difficulty in factorizing a large prime
number ensures that attacker cannot find in finite time the two primes (p & q) used to
obtain n. This is strength of RSA.
● Generate the private key
○ Private Key d is calculated from p, q, and e. For given n and e, there is unique number
d.
○ Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number
less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1 modulo (p - 1)(q
- 1).
○ This relationship is written mathematically as follows −
ed = 1 mod (p − 1)(q − 1)
The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.
Example
An example of generating RSA Key pair is given below. (For ease of understanding, the primes p &
q taken here are small values. Practically, these values are very high).
● Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.
● Select e = 5, which is a valid choice since there is no number that is common factor of 5 and
(p − 1)(q − 1) = 6 × 12 = 72, except for 1.
● The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone
whom we wish to be able to send us encrypted messages.
● Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d =
29.
● Check that the d calculated is correct by computing −
de = 29 × 5 = 145 = 1 mod 72
● Hence, public key is (91, 5) and private keys is (91, 29).
Source Code:
import java.util.*;
class Exp1
{
public static void main(String args[])
{
Scanner sc=new Scanner(System.in);
int d=0;
System.out.println("Enter two prime numbers");
int p=sc.nextInt();
int q=sc.nextInt();
int n=p*q;
System.out.println("n="+n);
int e=0;
int pn=(p-1)*(q-1);
LAB MANUAL [SSL] Page 11
search:
{
for(int i=2;i<=pn;i++)
{
int r;
int j=i;
int k=pn;
while(k != j)
{
if(k > j)
k = k-j;
else
j = j-k;
}
if(k==1)
{
e=i;
break search;
}
}
}
System.out.println("e="+e);
go:{
for(int i=1;i<=pn;i++)
{
int x=(e*i)%pn;
if(x==1)
{
System.out.println("d="+i);
System.out.println("The private key is (d) "+i);
d=i;
break go;
}
LAB MANUAL [SSL] Page 12
}
}
System.out.println("The public key is (n,e) "+n+", "+e);
String t;
int c;
System.out.println("Enter plaintext");
t=sc.next();
int m = 0;
for (int i = 0; i < t.length(); i++){
m += (int)t.charAt(i);
}
c=((m)^e)%n;
System.out.println("The Encryted message is "+m);
m=(c^d)%n;
System.out.println("The decrypted message is "+t);
}
}
Output:
Enter two prime numbers
7
11
n=77
e=7
d=43
The private key is (d) 43
The public key is (n,e) 77, 7
Enter plaintext
hello123
The Encrypted message is 682
The decrypted message is hello123
A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message
or documents. A valid digital signature gives a recipient reason to believe that the message was
created by a known sender, that the sender cannot deny having sent the message (authentication and
non-repudiation), and that the message was not altered in transit.
Alice wants to sign message m. She computes the signature of m (let’s call it y) and sends the signed
message (m,y) to Bob. Bob gets (m,y), runs the verification algorithm on it. The algorithm returns
“true” iff y is Alice’s signature of m.
6. Bob can verify the signature by calculating z = yea mod n. (The signature is valid iff m=z).
Source Code:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import sun.misc.BASE64Encoder;
sig.initVerify(keyPair.getPublic());
sig.update(data);
System.out.println(sig.verify(signatureBytes));
}
}
Output:
Singature:ecmcCxZyBjI4ueSJF3mULwVM9YnYHq8137X1DOnIq9KRClUpdfQjAn75t9Gm72Uh
jzPp/w r0vSSj
GlNdgACyqrQc0fbAXLCBwibstPO8ojEerLjJzaGfly9VZA+dCOZNpChELBDDEHMJ+RZSf0H3
SUEH 8/48p5EbQGDNutgAk/c
Conclusion:
RSA is a strong encryption algorithm. RSA implements a public-key cryptosystem that allows secure
communications and digital signatures, and its security rests in part on the difficulty of factoring large
numbers.
Objectives:
• To understand the principles of symmetric key cryptography.
• To understand the Diffie-Hellman Key exchange algorithm.
• To understand the possible attacks on Diffie-Hellman.
Theory:
Diffie-Hellman key exchange is a cryptographic protocol that allows two parties that have no prior
knowledge of each other to jointly establish a shared secret key over an insecure communications
channel. This key can then be used to encrypt subsequent communications using a symmetric key
cipher.
The Diffie–Hellman key exchange algorithm solves the following dilemma. Alice and Bob want to
share a secret key for use in a symmetric cipher, but their only means of communication is insecure.
Every piece of information that they exchange is observed by their adversary Eve. How is it possible
for Alice and Bob to share a key without making it available to Eve? At first glance it appears that
Alice and Bob face an impossible task. It was a brilliant insight of Diffie and Hellman that the
difficulty of the discrete logarithm problem for F*p provides a possible solution.
The simplest, and original, implementation of the protocol uses the Multiplicative group of integers
modulo p, where p is prime and g is primitive root mod p. Here is an example of the protocol:
1. Alice and Bob agree to use a prime number p=23 and base g=5.
2. Alice chooses a secret integer Xa=6, then sends Bob (g^XA) mod p.
56 mod 23 = 8.
3. Bob chooses a secret integer Xb=15, then sends Alice (g^XB) mod p.
515 mod 3 = 19.
Algorithm:
Alice and Bob, two users who wish to establish secure communications. We can assume that Alice
and Bob know nothing about each other but are in contact.
1. Communicating in the clear, Alice and Bob agree on two large positive integers, p and g,
where p is a prime number and g is a primitive root mod p.
2. Alice randomly chooses another large positive integer, XA, which is smaller than p. XA will
serve as Alice's private key.
3. Bob similarly chooses his own private key, XB.
4. Alice computes her public key, YA, using the formula YA = (g^XA) mod p.
5. Bob similarly computes his public key, YB, using the formula YB = (g^XB) mod p.
6. Alice and Bob exchange public keys over the insecure circuit.
7. Alice computes the shared secret key, k, using the formula k = (YB ^XA) mod p.
8. Bob computes the same shared secret key, k, using the formula k = (YA ^XB) mod p.
9. Alice and Bob communicate using the symmetric algorithm of their choice and the shared
secret key, k, which was never transmitted over the insecure circuit.
Source Code:
import java.util.*;
import java.math.BigInteger;
// Once A and B receive their values, they make their new calculations.
// This involved getting their new numbers and raising them to the
// same power as before, their secret number.
BigInteger KeyACalculates = resultb.modPow(a, n);
BigInteger KeyBCalculates = resulta.modPow(b, n);
Output:
Enter the first prime no:
7
First prime is: 7.
Enter the second prime no(between 2 and n-1):
3
Person A: enter your secret number now.i.e any random no(x)
10
Person A sends4to person B.
Person B: enter your secret number now.i.e any random no(y)
6
Person B sends1to person A.
A takes1raises it to the power10mod7
The Key A calculates is 1.
B takes4raises it to the power6mod7
The Key B calculates is 1.
Conclusion:
The Diffie-Hellman key exchange algorithm is used to make secure channel to share secret key
between sender and receiver.
Objectives:
• To understand the applications of cryptographic hash functions.
• To distinguish between MD5 & SHA-1.
• To differentiate between hashing and encryption.
Theory:
MD5 (Message Digest algorithm 5) is a widely used cryptographic hash function with a 128 bit hash
value. An MD5 hash is typically expressed as a 32 digit hexadecimal number. MD5 processes a
variable length message into a fixed length output of 128 bits. The input message is broken up into
chunks of 512 bit blocks (sixteen 32bit little endian integers) ; The message is padded so that its
length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end
of the message. This is followed by as many zeros as are required to bring the length of the message
up to 64 bits less than a multiple of 512. The remaining bits are filled up with a 64bit integer
representing the length of the original message, in bits.
Figure 1: One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16
operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32bit block of
the message input, and Ki denotes a 32bit constant, different for each operation.
Figure 1 illustrates one operation within a round. There are four possible functions F; a different one
is used in each round:
F ( X , Y , Z ) = ( X Y ) (X Z )
G( X , Y , Z ) = ( X Z ) (Y Z )
I ( X , Y , Z ) = Y ( X Z )
Algorithm:
2. Append Length
A 64 bit representation of b (the length of the message before the padding bits were added) is
appended to the result of the previous step. In the unlikely event that b is greater than 2^64, then only
the low order 64 bits of b are used. (These bits are appended as two 32bit words and appended low-
order word first in accordance with the previous conventions.) At this point the resulting message
(after padding with bits and with b) has a length that is an exact multiple of 512 bits. Equivalently,
this message has a length that is an exact multiple of 16 (32 bit) words. Let M[0 ... N1] denote the
words of the resulting message, where N is a multiple of 16.
3. Initialize MD Buffer
A fourword buffer (A,B,C,D) is used to compute the message digest. Here each of A, B, C, D is a
32bit register. These registers are initialized to the following values in hexadecimal, loworder bytes
first):
Source Code:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
public class SimpleMD5Example
{
public static void main(String[] args)
{
String passwordToHash = "password";
String generatedPassword = null;
try {
// Create MessageDigest instance for MD5
// for hashing using MD5 can be replaced by SHA1 in following line
MessageDigest md = MessageDigest.getInstance("MD5");
//Add password bytes to digest
md.update(passwordToHash.getBytes());
//Get the hash's bytes
byte[] bytes = md.digest();
//This bytes[] has bytes in decimal format;
//Convert it to hexadecimal format
StringBuilder sb = new StringBuilder();
for(int i=0; i< bytes.length ;i++)
{
sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
}
//Get complete hashed password in hex format
generatedPassword = sb.toString();
}
catch (NoSuchAlgorithmException e)
{
e.printStackTrace();
}
System.out.println(generatedPassword);
}
}
5f4dcc3b5aa765d61d8327deb882cf99
Conclusion:
The main aim of message digest algorithm is to ensure integrity of message. The strength of MD5
and SHA 1 algorithm lies in the chaining function, because of which integrity of message cannot be
compromised.
Objectives:
• To understand network information discovery.
• To study various basic network commands to gather network information.
• To understand passive attack technique.
Theory:
1. WHOIS : WHOIS is the Linux utility for searching an object in a WHOIS database. The WHOIS
database of a domain is the publicly displayed information about a domains ownership, billing,
technical, administrative, and nameserver information. Running a WHOIS on your domain will
look the domain up at the registrar for the domain information. All domains have WHOIS
information. WHOIS database can be queried to obtain the following information via
WHOIS:
2. Dig - Dig is a networking tool that can query DNS servers for information. It can be very helpful
for diagnosing problems with domain pointing and is a good way to verify that your configuration
is working. The most basic way to use dig is to specify the domain we wish to query:
Example:
$ dig duckduckgo.com
;; Got answer:
LAB MANUAL [SSL] Page 27
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64399
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 99 IN A 107.21.1.61
duckduckgo.com. 99 IN A 184.72.106.253
duckduckgo.com. 99 IN A 184.72.106.52
duckduckgo.com. 99 IN A 184.72.115.86
;; SERVER: 8.8.8.8#53(8.8.8.8)
The lines above act as a header for the query performed. It is possible to run dig in batch mode,
;; Got answer:
The next section gives us a technical summary of our query results. We can see that the query
was successful, certain flags were used, and that 4 "answers" were received.
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 99 IN A 107.21.1.61
duckduckgo.com. 99 IN A 184.72.106.253
duckduckgo.com. 99 IN A 184.72.106.52
duckduckgo.com. 99 IN A 184.72.115.86
LAB MANUAL [SSL] Page 28
The above section of the output contains the actual results we were looking for. It restates the
query and then returns the matching DNS records for that domain name.
Here, we can see that there are four "A" records for "duckduckgo.com". By default, "A" records
are returned. This gives us the IP addresses that the domain name resolves to.
The "99" is the TTL (time to live) before the DNS server rechecks the association between the
domain name and the IP address. The "IN" means the class of the record is a standard internet
class.
;; SERVER: 8.8.8.8#53(8.8.8.8)
These lines simply provide some statistics about the actual query results. The query time can be
3. Traceroute - traceroute prints the route that packets take to a network host. Traceroute utility
uses the TTL field in the IP header to achieve its operation. For users who are new to TTL field,
this field describes how much hops a particular packet will take while traveling on network. So,
this effectively outlines the lifetime of the packet on network. This field is usually set to 32 or 64.
Each time the packet is held on an intermediate router, it decreases the TTL value by 1. When a
router finds the TTL value of 1 in a received packet then that packet is not forwarded but instead
discarded. After discarding the packet, router sends an ICMP error message of ―Time exceeded‖
back to the source from where packet generated. The ICMP packet that is sent back contains the
IP address of the router. So now it can be easily understood that traceroute operates by sending
packets with TTL value starting from 1 and then incrementing by one each time. Each time a
router receives the packet, it checks the TTL field, if TTL field is 1 then it discards the packet and
sends the ICMP error packet containing its IP address and this is what traceroute requires. So
traceroute incrementally fetches the IP of all the routers between the source and the destination.
Example:
$traceroute example.com
4. Nslookup - The nslookup command is used to query internet name servers interactively for
information. nslookup, which stands for "name server lookup", is a useful tool for finding out
information about a named domain. By default, nslookup will translate a domain name to an IP
address (or vice versa). For instance, to find out what the IP address of microsoft.com is, you
could run the command:
Example:
$nslookup microsoft.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name:
microsoft.com
Address: 134.170.185.46
Name:
microsoft.com
Address: 134.170.188.221
Here, 8.8.8.8 is the address of our system's Domain Name Server. This is the server our system is
configured to use to translate domain names into IP addresses. "#53" indicates that we are
communicating with it on port 53, which is the standard port number domain name servers use to
accept queries. Below this, we have our lookup information for microsoft.com. Our name server
returned two entries, 134.170.185.46 and 134.170.188.221. This indicates that microsoft.com uses a
round robin setup to distribute server load. When you accessmicrsoft.com, you may be directed to
either of these servers and your packets will be routed to the correct destination. You can see that we
have received a "Non-authoritative answer" to our query. An answer is "authoritative" only if our
DNS has the complete zone file information for the domain in question. More often, our DNS will
have a cache of information representing the last authoritative answer it received when it made a
similar query, this information is passed on to you, but the server qualifies it as "non-authoritative":
Conclusion:
Various reconnaissance tools are studies and used to gather primary network information.
Objectives:
• Understand the need for traffic analysis.
• Understand the how packet sniffing is done using wireshark.
• Trace and understand various packets from dynamic traffic.
Theory:
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and
display them in human-readable format. Wireshark includes filters, color-coding and other features
that let you dig deep into network traffic and inspect individual packets.
Features of Wireshark :
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
• Import packets from text files containing hex dumps of packet data.
Capturing Packets
After downloading and installing wireshark, you can launch it and click the name of an interface
under Interface List to start capturing packets on that interface. For example, if you want to capture
traffic on the wireless network, click your wireless interface. You can configure advanced features
by clicking Capture Options.
Installation of Wireshark:
sudo apt-get install wireshark
After downloading and installing wireshark, you can launch it and click the name of an interface
under Interface List to start capturing packets on that interface. For example, if you want to capture
traffic on the wireless network, click your wireless interface. You can configure advanced features
by clicking Capture Options.
Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP
traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with
problems — for example, they could have been delivered out-of-order.
Objectives:
• Understand port scanning.
• Understand the how nmap helps to scan various ports.
• Explore various nmap options for OS fingerprinting and gathering detailed network
an d remote hosts information.
Outcomes: The learner will be able to
• Install and use nmap and use it for gathering detailed network and remote host
information.
Theory:
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his
pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus
creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the
target host and then analyzes the responses. Unlike many simple port scanners that just send packets
at some predefined constant rate, Nmap accounts for the network conditions (latency fluctuations,
network congestion, the target interference with the scan) during the run. Also, owing to the large and
active user community providing feedback and contributing to its features, Nmap has been able to
extend its discovery capabilities beyond simply figuring out whether a host is up or down and which
ports are open and closed; it can determine the operating system of the target, names and versions of
the listening services, estimated uptime, type of device, and presence of a firewall.
Nmap features include:
• Host Discovery – Identifying hosts on a network. For example, listing the hosts which respond
to pings or have a particular port open.
• Port Scanning – Enumerating the open ports on one or more target hosts.
• Version Detection – Interrogating listening network services listening on remote devices to
determine the application name and version number.
Installation of Nmap:
• -O (Enable OS detection) .
Enables OS detection, as discussed above. Alternatively, you can use -A to enable OS
detection along with other things.
Conclusion :
Namp is studied and different types of nmap scans are used to gather host and network related
information.
Objectives:
• Understand ARP spoofing.
• Understand ARPWATCH and use it to detect ARP spoofing.
Theory:
Arpwatch is an open source computer software program that helps you to monitor Ethernet traffic
activity (like Changing IP and MAC Addresses) on your network and maintains a database of
ethernet/ip address pairings. It produces a log of noticed pairing of IP and MAC addresses information
along with a timestamps, so you can carefully watch when the pairing activity appeared on the
network. It also has the option to send reports via email to an network administrator when a pairing
added or changed.
This tool is especially useful for Network administrators to keep a watch on ARP activity to
detect ARP spoofing or unexpected IP/MAC addresses modifications.
Installing Arpwatch in Linux
To watch a specific interface, type the following command with -i and device name.
# arpwatch -i eth0
So, whenever a new MAC is plugged or a particular IP is changing corresponding to MAC address
on the network, you will notice syslog entries at /var/log/syslog or /var/log/message file.
ARP spoofing is common attack launched in the network. It can be detected using ARPWATCH
and some other network monitoring tools.
Objectives:
• Understand the concept of DOS attacks.
• Launch DOS attack using Hping3 and observe it using wireshark.
Analyze DOS attack and its effect on the network using Hping3 and wireshark.
Theory:
A Distributed Denial of Service (DDoS) attack is a DoS attack that comes from more than one source
at the same time. A DDoS attack is typically generated using thousands (potentially hundreds of
thousands) of unsuspecting zombie machines. The machines used in such attacks are collectively
known as “botnets” and will have previously been infected with malicious software, so they can be
remotely controlled by the attacker. According to research, tens of millions of computers are likely
to be infected with botnet programs worldwide.
Cybercriminals use DoS attacks to extort money from companies that rely on their websites being
accessible. But there have also been examples of legitimate businesses having paid underground
elements of the Internet to help them cripple rival websites. In addition, cybercriminals combine DoS
attacks and phishing to target online bank customers. They use a DoS attack to take down the bank's
website and then send out phishing e-mails to direct customers to a fake emergency site instead.
Installation Steps:
Output
Objectives:
• Understand the concept of buffer overflow.
• Understand and use Ollydbg, Splint and cppcheck to detect buffer overflow.
Theory:
1. Cppcheck : Cppcheck is a tool for static C/C++ code analysis (CLI). Cppcheck is a command-
line tool that tries to detect bugs that your C/C++ compiler doesn't see. It is versatile, and can
check non-standard code including various compiler extensions, inline assembly code, etc. Its
internal preprocessor can handle includes, macros, and several pre-processor commands. While
Cppcheck is highly configurable, you can start using it just by giving it a path to the source code.
* redundant if;
* incomplete statements;
Sample2.c
2. Splint : Splint is a tool for statically checking C programs for security vulnerabilities and
programming mistakes. Splint does many of the traditional lint checks including unused
declarations, type inconsistencies, use before definition, unreachable code, ignored return
values, execution paths with no return, likely infinite loops, and fall through cases. More
powerful checks are made possible by additional information given in source code annotations.
Annotations are stylized comments that document assumptions about functions, variables,
parameters and types. In addition to the checks specifically enabled by annotations, many of
the traditional lint checks are improved by exploiting this additional information.
Splint is designed to be flexible and allow programmers to select appropriate points on the effort-
benefit curve for particular projects. As different checks are turned on and more information is
given in code annotations the number of bugs that can be detected increases dramatically.
Problems detected by Splint include:
• Using possibly undefined storage or returning storage that is not properly defined
• Type mismatches, with greater precision and flexibility than provided by C compilers
• Dangerous aliasing
• Modifications and global variable uses that are inconsistent with specified interfaces
• Problematic control flow such as likely infinite loops, fall through cases or incomplete
switches and suspicious statements
Examples1 :
$ splint sample2.c
int main(void)
{
char buff[15];
int pass = 0;
if(strcmp(buff, "thegeekstuff"))
{
printf ("\n Wrong Password \n");
}
else
{
printf ("\n Correct Password \n");
pass = 1;
}
if(pass)
{
/* Now Give root or admin rights to user*/
printf ("\n Root privileges given to the user \n");
}
return 0;
}
$splint sample3.c
Sample4.c
#include <stdio.h>
#include <string.h>
char password[] = "password";
int get_password() {
int auth_ok = 0;
char buff[16];
printf("Enter password: ");
scanf("%s", buff);
if(strncmp(buff, password, sizeof(password)) == 0)
auth_ok = 1;
return auth_ok;
}
void success() {
printf("Success!\n");
}
int main(int argc, char** argv) {
int res = get_password();
if (res == 0) {
printf("Failure\n");
return 0;
}
success();
return 0;
}
LAB MANUAL [SSL] Page 56
$splint sample4.c
3. Ollydbg: OllyDbg is a 32-bit assembler level analysing debugger for Windows. It emphasizes
binary code analysis, which is useful when source code is not available. It traces registers,
recognizes procedures, API calls, switches, tables, constants and strings, as well as locates
routines from object files and libraries. It has a user friendly interface, and its functionality can
be extended by third-party plugins.
Installation: Download Ollydbg from ollydbg.org and install it on windows. Make executable
of following C program rtrace.c and open it in ollydbg for debugging.
rtrace.c
#include <stdio.h>
void f1(void) { printf("a"); }
void f2(void) { printf("b"); }
void f3(void) { printf("c"); }
void (*f[3])() = { f1,f2,f3 }
void main(void) {
int i,j,k;
for (i=0; i<100; i++) {
for (j=0; j<1000000; j++) ; // Long code
k=i/33;
if (k>3) continue;
f[k](); // Here error (when i==99)!
}
printf("\n");
}
Theory:
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session. IPsec
includes protocols for establishing mutual authentication between agents at the beginning of the
session and negotiation of cryptographic keys to be used during the session. IPsec can be used in
protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a host (network-to-host)
Internet Protocol security (IPsec) uses cryptographic security services to protect communications
over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin
authentication, data integrity, data confidentiality (encryption), and replay protection.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite,
while some other Internet security systems in widespread use, such as Transport Layer Security (TLS)
and Secure Shell (SSH), operate in the upper layers at Application layer. Hence, only IPsec protects
any application traffic over an IP network. Applications can be automatically secured by IPsec at the
IP layer.
Here ipsec is implemented using strongSwan tool. strongSwan is a IPsec implementation. It uses
openSSL pluugin (Eliptic Curve Cryptography).
Let two servers be red server (192.168.4.144) and blue server (192.168.4.145)
The following packages were automatically installed and are no longer required:
linux-headers-4.10.0-38 linux-headers-4.10.0-38-generic
linux-headers-4.13.0-32 linux-headers-4.13.0-32-generic
linux-headers-4.13.0-33 linux-headers-4.13.0-33-generic
linux-headers-4.13.0-37 linux-headers-4.13.0-37-generic
linux-image-4.10.0-38-generic linux-image-4.13.0-32-generic
linux-image-4.13.0-33-generic linux-image-4.13.0-37-generic
linux-image-extra-4.10.0-38-generic linux-image-extra-4.13.0-32-generic
linux-image-extra-4.13.0-33-generic linux-image-extra-4.13.0-37-generic
strongswan-libcharon
Suggested packages:
racoon
strongswan-libcharon strongswan-starter
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent
xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
LAB MANUAL [SSL] Page 65
192.168.4.144
Connections:
Routed Connections:
None
The following packages were automatically installed and are no longer required:
linux-headers-4.13.0-32-generic linux-headers-4.13.0-36
linux-headers-4.13.0-36-generic linux-headers-4.13.0-37
linux-headers-4.13.0-37-generic linux-image-4.13.0-32-generic
linux-image-4.13.0-36-generic linux-image-4.13.0-37-generic
linux-image-extra-4.13.0-32-generic linux-image-extra-4.13.0-36-generic
linux-image-extra-4.13.0-37-generic
strongswan-libcharon
Suggested packages:
libstrongswan-extra-plugins libcharon-extra-plugins
racoon
strongswan-libcharon strongswan-starter
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
1. Sniffer mode : It simply reads the packets off of the network and displays them for you in a
continuous stream on the console (screen)
2. Packet Logger mode : logs the packets to disk
3. Network Intrusion Detection System (NIDS) mode: it performs detection and analysis on
network traffic. This is the most complex and configurable mode.
Installation Steps:
1. Sniffer Mode
• Printing out the TCP/IP packet headers to the screen (i.e. sniffer mode)
C:\snort\bin> snort -v
This command will run Snort and just show the IP and TCP/UDP/ICMP headers
This instructs Snort to display the packet data as well as the headers.
• For more descriptive display, showing the data link layer headers
C:\snort\bin>snort -vde
As an aside, notice that the command line switches can be listed separately or in a combined
form. Same result can be obtained using
C:\snort\bin>snort -d -v –e
• Other commands
If you want to record the packets to the disk, you need to specify a logging directory and Snort will
automatically know to go into packet logger mode:
Of course, this assumes you have a directory named log in the current directory. If you don't, Snort
will exit with an error message. When Snort runs in this mode, it collects every packet it sees and
places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram.
If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the
remote computer as the directory in which it places packets and sometimes it uses the local host
address. In order to log relative to the home network, you need to tell Snort which network is the
home network:
If you're on a high speed network or you want to log the packets into a more compact form for later
analysis, you should consider logging in binary mode. Binary mode logs the packets in tcpdump
format to a single binary file in the logging directory:
c:\snort\bin>snort -l c:\snort\log -b
Note the command line changes here. We don't need to specify a home network any longer because
binary mode logs everything into a single file, which eliminates the need to tell it how to format the
output directory structure. Additionally, you don't need to run in verbose mode or specify the -d or -
e switches because in binary mode the entire packet is logged, not just sections of it. All you really
need to do to place Snort into logger mode is to specify a logging directory at the command line using
the -l switch--the -b binary logging switch merely provides a modifier that tells Snort to log the
packets in something other than the default output format of plain ASCII text.
Once the packets have been logged to the binary file, you can read the packets back out of the file
with any sniffer that supports the tcpdump binary format (such as tcpdump or Ethereal). Snort can
also read the packets back by using the -r switch, which puts it into playback mode. Packets from any
tcpdump formatted file can be processed through Snort in any of its run modes. For example, if you
wanted to run a binary log file through Snort in sniffer mode to dump the packets to the screen, you
can try something like this:
You can manipulate the data in the file in a number of ways through Snort's packet logging and
intrusion detection modes, as well as with the BPF interface that's available from the command line.
For example, if you only wanted to see the ICMP packets from the log file, simply specify a BPF
filter at the command line and Snort will only see the ICMP packets in the file:
Note here created a simple rule which will display corresponding message
When ping command is used i.e ICMP
cg16@cg16:/etc/snort/rules$ sudogeditlocald.rules
cg16@cg16:/etc/snort/rules$ cat locald.rules
alerticmp any any -> $HOME_NET any (msg:"ICMP test pooja"; sid:10000002;)
cg16@cg16:/etc/snort/rules$ ls
attack-responses.rules community-web-iis.rules
community-misc.rulesimap.rulestftp.rules
community-nntp.rulesinfo.rulesvirus.rules
community-oracle.ruleslocald.rules web-attacks.rules
community-policy.ruleslocal.rules web-cgi.rules
community-sip.rulesmisc.rules
include $RULE_PATH/locald.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
LAB MANUAL [SSL] Page 79
#include $RULE_PATH/bad-traffic.rules
## include $RULE_PATH/blacklist.rules
## include $RULE_PATH/botnet-cnc.rules
##include $RULE_PATH/chat.rules
## include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/community-dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/community-exploit.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/community-ftp.rules
##include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/community-imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/community-nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/community-oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
## include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
## include $RULE_PATH/community-policy.rules
## include $RULE_PATH/community-inappropriate.rules
## include $RULE_PATH/community-game.rules
## include $RULE_PATH/community-misc.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
## include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
## Note: this rule is extremely chatty, enable with care
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/community-smtp.rules
#include $RULE_PATH/snmp.rules
## include $RULE_PATH/specific-threats.rules
# #include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
LAB MANUAL [SSL] Page 80
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
##include $RULE_PATH/community-virus.rules
#include $RULE_PATH/community-bot.rules
## include $RULE_PATH/voip.rules
#include $RULE_PATH/community-sip.rules
## Specific web server rules:
## include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/community-sql-injection.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/community-web-dos.rules
#include $RULE_PATH/community-web-iis.rules
#include $RULE_PATH/community-web-misc.rules
#include $RULE_PATH/community-web-php.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/community-sql-injection.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/community-web-dos.rules
#include $RULE_PATH/community-web-iis.rules
#include $RULE_PATH/community-web-misc.rules
#include $RULE_PATH/community-web-php.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/test.rules
Conclusion:
IPSec tool provides security layer to facilitate secure communication between hosts. Packet sniffing,
logging and intrusion detection is studied using Snort.
Objectives:
• Understand the need for personal firewall.
• Learn how to use iptables to set firewall rules.
Theory:
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing.
Each of these queues is dedicated to a particular type of packet activity and is controlled by an
associated packet transformation/filtering chain.
There are three tables in total. The first is the mangle table which is responsible for the alteration of
quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
The second table is the filter queue which is responsible for packet filtering. It has three built-in
chains in which you can place your firewall policy rules. These are the:
• Forward chain: Filters packets to servers protected by the firewall.
• Input chain: Filters packets destined for the firewall.
• Output chain: Filters packets originating from the firewall.
ACCEPT : iptables stops further processing.
The packet is handed over to the end application or the operating system for
processing.
DROP : iptables stops further processing.
The packet is blocked
REJECT : Works like the DROP target, but will also return an error message to the host sending
the packet that the packet was blocked
You can determine whether iptables is running or not via the service iptables status command.
Fedora Core will give a simple status message. For example
Firewall is stopped.
Iptables commands
iptables command
Description
Switch
-L Listing of rules present in the chain
-n Numeric output of addresses and ports
-v Displays the rules in verbose mode
-t <-table-> If you don't specify a table, then the filter table is assumed. As
discussed before, the possible built-in tables include: filter, nat,
mangle
-j <target> Jump to the specified target chain when the packet matches the
current rule.
-A Append rule to end of a chain
-F Flush. Deletes all the rules in the selected table
-p <protocol-type> Match protocol. Types include, icmp, tcp, udp, and all
-s <ip-address> Match source IP address
-d <ip-address> Match destination IP address
-i <interface-name> Match "input" interface on which the packet enters.
-o <interface- Match "output" interface on which the packet exits
name>
Conclusion:
Firewall plays an important role on security architecture of a medium size or large organizations.
Personal firewall is implemented using ruleset in iptables.
Objectives:
• Understand the need for email security.
• Understand the how GPG ensures email security.
Theory:
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides
cryptographic privacy and authentication for data communication. PGP is often used for signing,
encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase
the security of e-mail communications.
PGP encryption uses a serial combination of hashing, data compression, symmetric-key
cryptography, and finally public-key cryptography; each step uses one of several supported
algorithms. Each public key is bound to a user name and/or an e-mail address. The first version of
this system was generally known as a web of trust to contrast with the X.509 system, which uses a
hierarchical approach based on certificate authority and which was added to PGP implementations
later. Current versions of PGP encryption include both options through an automated key
management server.
GNU Privacy Guard (GnuPG or GPG) is a free software replacement for Symantec's PGP
cryptographic software suite. GnuPG is a hybrid-encryption software program because it uses a
combination of conventional symmetric-key cryptography for speed, and public-key cryptography
for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key
which is only used once. This mode of operation is part of the OpenPGP standard and has been part
of PGP from its first version.
Procedure:
$ gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 200 more bytes)
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 256 more bytes)
........+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 246 more bytes)
+++++
gpg: /home/it/.gnupg/trustdb.gpg: trustdb created
gpg: key A0FBAFBC marked as ultimately trusted
public and secret key created and signed.
$ gpg --list-keys
/home/it/.gnupg/pubring.gpg
---------------------------
pub 4096R/A0FBAFBC 2018-07-09 [expires: 2019-07-09]
uid sangita (this is gpg) <sangita.sc@gmail.com>
sub 4096R/3E147825 2018-07-09 [expires: 2019-07-09]
mQINBFtDlhgBEADq+sCM1e9vaHwaLP5HhMU84lLmAMBrdPCVlSUfXeU6yez3jYI+
T6d27D3f8EWIP69mkyN6qf82OTIDrWF2fsUV52ob4v6ftPWV1jPNBs0GQ2ZgHa9v
HqI8yhPEfbVY8BMZ0nwdnUzejcthhdfdaM/Ez9VRbIfMERV3+GJwyXX/Gep4I89J
CwiPLzvcO5/dPTv956YMle9uApUwYMU7bzDdaU1YBWHZ5h31LXe5R/8MwdUUKDwo
OC1TeEgTR1JN3filASVVCIQ67bSysQofTOpoeLfTFCv9rv5MKgGHf/Ejxa27p71h
izjBR+fE8O9jkvWOvU+AkDwn75ESXTFFuZ792ofINRyKXBl/Z+Au4L54veI8wGHV
br8IBeSIluHkqZl3vP/J77NB7k3utxM86BcTm25y7z6FK2fLnllsQUNd3mDyLEtv
TdrW2SF1K/CAe3B26LxUJXsCt52RVwa6Sze0QjvuCRpcMtACyuDa6Vd7ljFwlzOP
feRXMrjDAlAah/26mcetpTc3ri81njjQXvf1P/DaOpT2rHsHdn3zvulTt0VH6hrV
+DG2oKwW50ps9NjM4NbqNd2D0aHbrQr1djnexItBrqkOrucQt+XLevM8LAApT/KB
7Ru7ng+uzOAygAQUTZXrCXAGqPDh/7atX6c5whNpcaF+LfwSZ6yLC1XppQARAQAB
tCxzYW5naXRhICh0aGlzIGlzIGdwZykgPHNhbmdpdGEuc2NAZ21haWwuY29tPokC
PgQTAQIAKAUCW0OWGAIbAwUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4
AA
CgkQYuH3Y6D7r7zhYg//ZlwkGZxQRT4UUWSTg2+oZhWaOVqm0dG9f2fQKYSpEGzk
KKkb315siYsevEKS3kjDApAFKjFls6mqMS07+X2YEKlKdFRpjl00fb7SJ/XMosAb
WxCtyANhSsjwlU2HLnVI8Utm1PGxr5iz19z5++83dZulhigY51yESbk+1Ed7b8tM
3Kf/Wa5qrung8YPDWXab/FGxDbPOLs67cJ5twRRO/GjrvrsQ/gX6Btpb/ns8Y8Lg
Awa9+2Gruk1LTIUntX8caW8PWrllUeIA650+dh3mXUHruCX89F+SnloAO0V51Na8
yxaLDSA8ZyhQs1M8J/f8O13WhC7otlhzlzjf0pImXHQqT29pLCH0BEi3prdkLEzb
Jd9ZHM50iHU7O07HTDJ2iv525d6wWnoNMXk1UJMHK6oIUcyRpJs2PebHP0QlZx2W
LAB MANUAL [SSL] Page 89
vE/4WuQeDakjO2+EYU3Ba49UVg3cnH7x4yj3aR3/GJd9GNQs0X7aA+T/YzPsiSPv
HyM2XOHseVL3JU0cO3WKaR1dKiVdBZKlnwL29d7MLf7vLik1QGclMRpVLLISBTXk
sqT28glcMhRX/v2snZNXAB3SXtzoHjjIwT+VzR591tmftyyYluhvkbWl7yZHVc40
GUB6g4ULFaiLvHPr+tl8xeQFppbP/59BH9Tn8Qpq7rPHH6WvKTkCH6mm7FiokpC5
Ag0EW0OWGAEQAMjQzpOwi/CF6qLpqP2riH2zhBqg4dxghEsJsen1ldEACaHJRFzG
kYaxQVS271om2BljpE4ZmniwOsAy0IpeceHWIjvgNNEIrsGg+7yA1s+2ydhJXCjp
xCLyUzlvihfjRRSnnYCkdTB4Saj+fpO+iTckHTKs0Ajbo93nrISpX0rOrn+rwKah
xbgxX9ViQ9Of9CodMyHyBe7Yedoh2W1ChxZ7Sro3sopOlHRcpj3wqHy4PA5cqkCy
iiD/exUWMI98J2Sh1y562kLYVWBwZYOJFM0RHAD//9of72QMGSno0BQlZj62ow66
eueMzm9Wgswo2fi9CKL/+yRAconPU1fZBRsg2AcLc3S6xIz68CDN9eTJ4g+RLF1A
tfMVPaJvZe2FhUJ+i6GTr7C8MQ67wOxrgPYDcNNaUIGGWxE/jut3/rOPFkWBymVU
9leH7tqa+5T7t8Fe2+lmHoRL+gRZ101JaCzb/ilMempZfXrrQo5UZhLPIre4yazI
FuE/tcRlgFXDQDrUn+jFjCKBNp0WQ+FA8DhXqT3QKzhUf/ZZXO8vbf+DnfycebKk
s2jvdI2nklOWyzSpnRJzaIbqi1mYpT1Xkv4Ml+htsZJj46SVSobnvRPTFVLFrxJF
XPHqCfsZZiV2UYuascQ/vl/7eLRgaVcMRUL9U0Qswfpeqri/7kvbcKNZABEBAAGJ
AiUEGAECAA8FAltDlhgCGwwFCQHhM4AACgkQYuH3Y6D7r7zYFRAAzIsNhjYtDL9/
XFTdTi2tju0qqtAyE98vqcp2s0tBqEop9vbyHjtGvXUD2SxChVCpO5r2NSm63OaO
krDMCFHDhhvMtuFZ7JhdI7js8HesBofqbuBj83NhOKutFdC4e2cG5CiIA/LU9tPa
JguCw4UeNe7adNkjJJcY7Y0VjGJWetIgeH99tMwq7L936Lst9ig9TgMwTUEtWHFr
aHIbz3g6fwdOmzMx71yUQokoVTepu3bjmt+QAksH8eNiluYzD52MpRZPSEkfmmIF
vXvo7Gs2mPkYItaq/wRLYn/UXQPwGX5R7TyFLF61le23QEmM4gYlG/q6ACayqu19
j7A9/anQiogyOss/DYsMKpjcwm1jqN7jvWfwr5GYQdlfbCpAiGOTvpDWY+nmabQ2
1bOfteEIvJOgcQTBvrZFFS72H/krHzH0UikdfmvQpiF2QZ0GGUBR2VQab/2hCIq8
+ZaFx5cA5MG1gy01FT2kjYt++5y5Ekdq1+9xYwF00aM4+ufVHpFYnY85WE46x00c
mveztzPiMMRw84OnEqhh5ebfR2LJGKbd+iyT5IlJMXqJfmR1bkBzp7wSvfGPXUyj
iAyZE2RbzByaT+2Hn26nPzkEl841WkhohwAwKWDs1MuiNaGeyIvnZOCKNBxXY9mt
6jkIjjL1hdBA3U04K7MmHo+6GrcQYGs=
=jpFF
-----END PGP PUBLIC KEY BLOCK-----
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 175 more bytes)
....+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++
.+++++
gpg: key 4C8FAA8A marked as ultimately trusted
LAB MANUAL [SSL] Page 91
public and secret key created and signed.
Signing process:
gpg> fpr
pub 4096R/A0FBAFBC 2018-07-09 sangita (this is gpg) <sangita.sc@gmail.com>
Primary key fingerprint: 2B3A 3324 89F9 13A1 9BEA 2BCB 62E1 F763 A0FB AFBC
gpg> sign
"sangita (this is gpg) <sangita.sc@gmail.com>" was already signed by key A0FBAFBC
Nothing to sign with key A0FBAFBC
gpg> quit
$ cat secrets
hello
how r u?
Encryption
Current recipients:
Current recipients:
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
it@it-Vostro-1014:~$ ls
a.out Desktop examples.desktop Pictures secrets_san TURBOC3
demo1.nam Documents Music Public Templates Videos
demo1.ns Downloads mypk secrets test.c
LAB MANUAL [SSL] Page 93
it@it-Vostro-1014:~$ cat secrets_san
�#
�k�F��ӥ#�D=7�P��#�%#0@��#��C�-bQYz�
؆�|�#!�E�h��
k6\#h��#g�$�������i���YBSxeZ����
v�#M�m<,h:6.��5��#�O,r
#����h#�#��F�#ϼz���#��R���#U~^Lnߐ2Fν��zM֝���
��#m+��#�K_##�@7�5Q��mI�M#H�X��0#@�T��NQ-�#���#�臁
�Q�wt��m@�u#t^�R���JU�#�t�q�-�r�K����iʼ���#�}��!a
�B�?���Wu#�#L���p0'/V�2�NKM!IY���}��kg����Fr#�7�$#��#"�
eU���PTC�##Eq#Ž �>5P�D�"�U�w�x�����i�Sѣ��
��>�#��#}t
�3�e#���ނ#�r��A�W.�o#t
"�wU#YZ#��V������9��#(m�&v�l&��`�#>)���©
�1(&6���H�E���Fa�`ls&�{m4E���Q#�
mn��1��
��i�,�fO$�;�d#��S#<�
@)����W�?�#yfB�W�l}
,�����;`�&it@it-Vostro-1014:~$
Decryption:
Conclusion:
GPG is used for authentication and privacy to messages over the internet. GPG was originated to
address the security concerns of plain e-mail or text messages. Gnupg is used to demonstrate usage
of GPG.
Objectives:
• Understand SQL injection and cross-site scripting attacks.
• Explore sqlmap tool to detect sql injection.
• Explore cross-site scripting attack.
Theory:
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL
statements (also commonly referred to as a malicious payload) that control a web application’s
database server (also commonly referred to as a Relational Database Management System –
RDBMS). Since an SQL injection vulnerability could possibly affect any website or web application
that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and
most dangerous of web application vulnerabilities.
By leveraging an SQL injection vulnerability, given the right circumstances, an attacker can use it to
bypass a web application’s authentication and authorization mechanisms and retrieve the contents of
an entire database. SQL injection can also be used to add, modify and delete records in a database,
affecting data integrity.
To such an extent, SQL injection can provide an attacker with unauthorized access to sensitive data
including, customer data, personally identifiable information (PII), trade secrets, intellectual property
and other sensitive information.
In order to run malicious SQL queries against a database server, an attacker must first find an input
within the web application that is included inside of an SQL query.
The following server-side pseudo-code is used to authenticate users to the web application.
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
The above script is a simple example of authenticating a user with a username and a password against
a database with a table named users, and a username and password column.
The above script is vulnerable to SQL injection because an attacker could submit malicious input in
such a way that would alter the SQL statement being executed by the database server.
A simple example of an SQL injection payload could be something as simple as setting the password
field to password’ OR 1=1.
This would result in the following SQL query being run against the database server.
An attacker can also comment out the rest of the SQL statement to control the execution of the SQL
query further.
Once the query executes, the result is returned to the application to be processed, resulting in an
authentication bypass. In the event of authentication bypass being possible, the application will most
LAB MANUAL [SSL] Page 97
likely log the attacker in with the first account from the query result — the first account in a database
is usually of an administrative user.
To check whether website is vulnerable, replace the value in the get request parameter with an
asterisk (*)
http://testphp.vulnweb.com/listproducts.php?cat=*
If this results in an error such as the error given below, then we can say that the website is vulnerable.
SQLMAP: sqlmap is an open source penetration testing tool that automates the process of detecting
and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful
detection engine, many niche features for the ultimate penetration tester and a broad range of switches
lasting from database fingerprinting, over data fetching from the database, to accessing the underlying
file system and executing commands on the operating system via out-of-band connections.
To check access to a database, - - dbs option can be used. - - dbs lists all the available databases.
It notifies vulnerability in parameter cat, various payloads executed, name of backend database, its
Each of the database can further explored to get tables information from them. Option -D can be used
to specify the name of the database we need to explore. If access to the database is allowed, we can
access the tables using --tables option along with name of database. Here, acuart database is accessed
and all available tables in that database are listed as an output of the following command.
Columns of a particular table can be viewed by specifying -T option before table name and --columns
option to query the column names. Access to table and its column for table "products" is displayed
by following command.
Information from specific column can be retrieved and displayed using -C. Multiple column can also
be listed separated by a comma and the –dump query retrieves the data. Flowing command shows all
Domain values of column name from product table from acuart database.
Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute
malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web
application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a
web application makes use of unvalidated or unencoded user input within the output it generates.
By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a
vulnerability within a website or web application that the victim would visit, essentially using the
vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.
While XSS can be taken advantage of within VBScript, ActiveX and Flash (although now considered
legacy or even obsolete), unquestionably, the most widely abused is JavaScript – primarily because
JavaScript is fundamental to most browsing experiences.
In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to
inject a payload into a web page that the victim visits. Of course, an attacker could use social
engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript
payload.
In order for an XSS attack to take place the vulnerable website needs to directly include user input in
its pages. An attacker can then insert a string that will be used within the web page and treated as
code by the victim’s browser.
print "<html>"
print database.latestComment
print "</html>"
The above script is simply printing out the latest comment from a comments database and printing
the contents out to an HTML page, assuming that the comment printed out only consists of text.
The above page is vulnerable to XSS because an attacker could submit a comment that contains a
malicious payload such as <script>doSomethingEvil();</script>.
Users visiting the web page will get served the following HTML page.
<html>
<script>doSomethingEvil();</script>
</html>
When the page loads in the victim’s browser, the attacker’s malicious script will execute, most often
without the user realizing or being able to prevent such an attack.
Acunetix is a web based XSS vulnerability scanner similar to NESSUS. Following images shows few
screenshots of the same for scanning XSS vulnerable websites.