Cryptography and Network Security Lab Manual

Cryptography and Network Security
Lab Manual
LAB MANUAL [CNS] Page 1

Lab Objectives: Students will try:
1. To be able to apply the knowledge of symmetric cryptography to implement simple
ciphers
2. To be able to analyze and implement public key algorithms like RSA and El Gamal
3. To analyze and evaluate performance of hashing algorithms
4. To explore the different network reconnaissance tools to gather information about
networks
5. To explore and use tools like sniffers, port scanners and other related tools for analyzing
1. packets in a network.
6. To be able to set up firewalls and intrusion detection systems using open source
technologies and to explore email security.
Lab Outcome: Students will learn to:

1. Apply the knowledge of symmetric cryptography to implement simple ciphers
2. Analyze and implement public key algorithms like RSA and El Gamal
3. Analyze and evaluate performance of hashing algorithms
4. Explore the different network reconnaissance tools to gather information about networks
5. Use tools like sniffers, port scanners and other related tools for analyzing packets in a
network.
6. Apply and set up firewalls and intrusion detection systems using open source
technologies and to explore email security.
Hardware Requirements
PC With following Configuration
1. Intel Core i3/i5/i7 Processor
2. 4 GB RAM
3. 500 GB Harddisk
Software Requirements
1. Windows or Linux Desktop OS
2. wireshark
3. ARPWATCH
4. Kismet
5. NESSUS

Design and Implementation of a product cipher using Substitution and
Transposition ciphers
Theory:
Source Code:
import java.util.*;
class ProductCipher {
public static void main(String args[]) {
System.out.println("Enter the input to be encrypted:");
String substitutionInput = new Scanner(System.in).nextLine();
System.out.println("Enter a number:");
int n = new Scanner(System.in).nextInt();
// Substitution encryption
StringBuffer substitutionOutput = new StringBuffer();
for(int i=0 ; i<substitutionInput.length() ; i++) {
char c = substitutionInput.charAt(i);
substitutionOutput.append((char) (c+5));
}
System.out.println("\nSubstituted text:");
System.out.println(substitutionOutput);
// Transposition encryption
String transpositionInput = substitutionOutput.toString();
int modulus;
if((modulus = transpositionInput.length()%n) != 0) {
modulus = n-modulus;
// ‘modulus’ is now the number of blanks/padding (X) to be appended
for( ; modulus!=0 ; modulus--) {
transpositionInput += "/";
}
}
StringBuffer transpositionOutput = new StringBuffer();
System.out.println("\nTransposition Matrix:");
for(int i=0 ; i<n ; i++) {
for(int j=0 ; j<transpositionInput.length()/n ; j++) {
char c = transpositionInput.charAt(i+(j*n));
System.out.print(c);

transpositionOutput.append(c);
}
System.out.println();
}
System.out.println("\nFinal encrypted text:");
System.out.println(transpositionOutput);
// Transposition decryption
n = transpositionOutput.length()/n;
StringBuffer transpositionPlaintext = new StringBuffer();
for(int i=0 ; i<n ; i++) {
for(int j=0 ; j<transpositionOutput.length()/n ; j++) {
char c = transpositionOutput.charAt(i+(j*n));
transpositionPlaintext.append(c);
}
}
// Substitution decryption
StringBuffer plaintext = new StringBuffer();
for(int i=0 ; i<transpositionPlaintext.length() ; i++) {
char c = transpositionPlaintext.charAt(i);
plaintext.append((char) (c-5));
}
System.out.println("\nPlaintext:");
System.out.println(plaintext);
}
}
Output:
Enter the input to be encrypted:

sangita
Enter a number:
3
Substituted text:
xfslnyf
Transposition Matrix:
xlf
fn/

sy/
Final encrypted text:

xlffn/sy/
Plaintext:
sangita

Implementation of RSA cryptosystem
Theory:
Substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext
according to a regular system; the "units" may be single letters (the most common), pairs of letters,
triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing
an inverse substitution.
Transposition cipher is a method of encryption by which the positions held by units of plaintext
(which are commonly characters or groups of characters) are shifted according to a regular system,
so that the ciphertext constitutes a permutation of the plaintext. That is, the order of the units is
changed.
Substitution ciphers can be compared with Transposition ciphers. In a transposition cipher, the units
of the plaintext are rearranged in a different and usually quite complex order, but the units themselves
are left unchanged. By contrast, in a substitution cipher, the units of the plaintext are retained in the
same sequence in the ciphertext, but the units themselves are altered.
1. Caesar Cipher: In cryptography, a Caesar cipher, also known as a Caesar's cipher, the shift cipher,
Caesar's code or Caesar shift, is one of the simplest and most widely known encryption techniques.
It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed
number of positions down the alphabet. For example, with a shift of 3, A would be replaced by D, B
would become E, and so on. The method is named after Julius Caesar, who used it to communicate
with his generals.
Example:
The transformation can be represented by aligning two alphabets; the cipher alphabet is the plain
alphabet rotated left or right by some number of positions. For instance, here is a Caesar cipher using
a left rotation of three places (the shift parameter, here 3, is used as the key):
Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC
When encrypting, a person looks up each letter of the message in the "plain" line and writes down the
corresponding letter in the "cipher" line. Deciphering is done in reverse.
Plaintext: the quick brown fox jumps over the lazy dog
Ciphertext: WKH TXLFN EURZQ IRA MXPSV RYHU WKH ODCB GRJ

2. Columnar Transposition: In a columnar transposition, the message is written out in rows of a fixed
length, and then read out again column by column, and the columns are chosen in some scrambled
order. Both the width of the rows and the permutation of the columns are usually defined by a
keyword. For example, the word ZEBRAS is of length 6 (so the rows are of length 6), and the
permutation is defined by the alphabetical order of the letters in the keyword. In this case, the order
would be "6 3 2 4 1 5".
In a regular columnar transposition cipher, any spare spaces are filled with nulls; in an irregular
columnar transposition cipher, the spaces are left blank. Finally, the message is read off in columns,
in the order specified by the keyword. For example, suppose we use the keyword ZEBRAS and the
message WE ARE DISCOVERED. FLEE AT ONCE. In a regular columnar transposition, we write
this into the grid as:
632415WEAREDISCOVEREDFLEEATONCEQKJEU
The ciphertext is then read off as:
EVLNE ACDTK ESEAQ ROFOJ DEECU WIREE
RSA was invented by Ron Rivest, Adi Shamir, and Len Adleman and hence, it is termed as
RSA cryptosystem.We will see two aspects of the RSA cryptosystem, firstly generation of key
pair and secondly encryption-decryption algorithms.
Generation of RSA Key Pair
Each person or a party who desires to participate in communication using encryption needs to
generate a pair of keys, namely public key and private key. The process followed in the generation of
keys is described below −
● Generate the RSA modulus (n)
○ Select two large primes, p and q.
○ Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically
a minimum of 512 bits.
● Find Derived Number (e)
○ Number e must be greater than 1 and less than (p − 1)(q − 1).
○ There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words
two numbers e and (p – 1)(q – 1) are coprime.
● Form the public key
○ The pair of numbers (n, e) form the RSA public key and is made public.

○ Interestingly, though n is part of the public key, difficulty in factorizing a large prime
number ensures that attacker cannot find in finite time the two primes (p & q) used to
obtain n. This is strength of RSA.
● Generate the private key
○ Private Key d is calculated from p, q, and e. For given n and e, there is unique number
d.
○ Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number
less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1 modulo (p - 1)(q
- 1).
○ This relationship is written mathematically as follows −
ed = 1 mod (p − 1)(q − 1)
The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.
Example
An example of generating RSA Key pair is given below. (For ease of understanding, the primes p &
q taken here are small values. Practically, these values are very high).
● Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.
● Select e = 5, which is a valid choice since there is no number that is common factor of 5 and
(p − 1)(q − 1) = 6 × 12 = 72, except for 1.
● The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone
whom we wish to be able to send us encrypted messages.
● Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d =
29.
● Check that the d calculated is correct by computing −
de = 29 × 5 = 145 = 1 mod 72
● Hence, public key is (91, 5) and private keys is (91, 29).
Encryption and Decryption

Once the key pair has been generated, the process of encryption and decryption are relatively
straightforward and computationally easy.
RSA Encryption
● Suppose the sender wish to send some text message to someone whose public key is (n, e).
● The sender then represents the plaintext as a series of numbers less than n.

● To encrypt the first plaintext P, which is a number modulo n. The encryption process is simple
mathematical step as −
C = Pe mod n
● In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times and then
reduced modulo n. This means that C is also a number less than n.
● Returning to our Key Generation example with plaintext P = 10, we get ciphertext C −
C = 105 mod 91
RSA Cryptosystem
This cryptosystem is one the initial system. It remains most employed cryptosystem even today. The
system was invented by three scholars Ron Rivest, Adi Shamir, and Len Adleman and hence, it is
termed as RSA cryptosystem.We will see two aspects of the RSA cryptosystem, firstly generation of
key pair and secondly encryption-decryption algorithms.
Generation of RSA Key Pair
Each person or a party who desires to participate in communication using encryption needs to
generate a pair of keys, namely public key and private key. The process followed in the generation of
keys is described below −
● Generate the RSA modulus (n)
○ Select two large primes, p and q.
○ Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically
a minimum of 512 bits.
● Find Derived Number (e)
○ Number e must be greater than 1 and less than (p − 1)(q − 1).
○ There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words
two numbers e and (p – 1)(q – 1) are coprime.
● Form the public key
○ The pair of numbers (n, e) form the RSA public key and is made public.
○ Interestingly, though n is part of the public key, difficulty in factorizing a large prime
number ensures that attacker cannot find in finite time the two primes (p & q) used to
obtain n. This is strength of RSA.
● Generate the private key
○ Private Key d is calculated from p, q, and e. For given n and e, there is unique number
d.

○ Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number
less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1 modulo (p - 1)(q
- 1).
○ This relationship is written mathematically as follows −
ed = 1 mod (p − 1)(q − 1)
The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.
Example
An example of generating RSA Key pair is given below. (For ease of understanding, the primes p &
q taken here are small values. Practically, these values are very high).
● Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.
● Select e = 5, which is a valid choice since there is no number that is common factor of 5 and
(p − 1)(q − 1) = 6 × 12 = 72, except for 1.
● The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone
whom we wish to be able to send us encrypted messages.
● Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d =
29.
● Check that the d calculated is correct by computing −
de = 29 × 5 = 145 = 1 mod 72
● Hence, public key is (91, 5) and private keys is (91, 29).

Once the key pair has been generated, the process of encryption and decryption are relatively
straightforward and computationally easy.
RSA Encryption
● Suppose the sender wish to send some text message to someone whose public key is (n, e).
● The sender then represents the plaintext as a series of numbers less than n.
● To encrypt the first plaintext P, which is a number modulo n. The encryption process is simple
mathematical step as −
C = Pe mod n
● In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times and then
reduced modulo n. This means that C is also a number less than n.
● Returning to our Key Generation example with plaintext P = 10, we get ciphertext C −
C = 105 mod 91
RSA Decryption
● The decryption process for RSA is also very straightforward. Suppose that the receiver of
public-key pair (n, e) has received a ciphertext C.
● Receiver raises C to the power of his private key d. The result modulo n will be the plaintext
P.
Plaintext = Cd mod n
● Returning again to our numerical example, the ciphertext C = 82 would get decrypted to
number 10 using private key 29 −
Plaintext = 8229 mod 91 = 10
Source Code:
import java.util.*;
class Exp1
{
public static void main(String args[])
{
Scanner sc=new Scanner(System.in);
int d=0;
System.out.println("Enter two prime numbers");
int p=sc.nextInt();
int q=sc.nextInt();
int n=p*q;
System.out.println("n="+n);
int e=0;
int pn=(p-1)*(q-1);
search:
{
for(int i=2;i<=pn;i++)
{
int r;
int j=i;
int k=pn;
while(k != j)
{
if(k > j)
k = k-j;

else
j = j-k;
}
if(k==1)
{
e=i;
break search;
}
}
}
System.out.println("e="+e);
go:{
for(int i=1;i<=pn;i++)
{
int x=(e*i)%pn;
if(x==1)
{
System.out.println("d="+i);
System.out.println("The private key is (d) "+i);
d=i;
break go;
}
}
}
System.out.println("The public key is (n,e) "+n+", "+e);
String t;
int c;
System.out.println("Enter plaintext");
t=sc.next();
int m = 0;
for (int i = 0; i < t.length(); i++){
m += (int)t.charAt(i);
}
c=((m)^e)%n;
System.out.println("The Encryted message is "+m);
m=(c^d)%n;
System.out.println("The decrypted message is "+t);
}
}
Input and Output:

Write a program for RSA Digital signature
Theory:
A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message
or documents. A valid digital signature gives a recipient reason to believe that the message was
created by a known sender, that the sender cannot deny having sent the message (authentication and
non-repudiation), and that the message was not altered in transit.
To sign: use a private signing algorithm
To verify: use a public verification algorithm
Alice wants to sign message m. She computes the signature of m (let’s call it y) and sends the signed
message (m,y) to Bob. Bob gets (m,y), runs the verification algorithm on it. The algorithm returns
“true” iff y is Alice’s signature of m.
The basic protocol:
1. Alice encrypts the document with her private key.
2. Alice sends the signed document to Bob.
3. Bob decrypts the document with Alice’s public key.
RSA Signature Scheme
1. Alice chooses secret odd primes p,q and computes n=pq.
2. Alice chooses eA with gcd(eA,Φ(n))=1.
3. Alice computes dA = eA-1 mod Φ(n).
4. Alice’s signature is y = mdA mod n.
5. The signed message is (m,y).
6. Bob can verify the signature by calculating z = yea mod n. (The signature is valid iff m=z).

Source Code:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import sun.misc.BASE64Encoder;
public class MainClass {

public static void main(String[] args) throws Exception {
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
KeyPair keyPair = kpg.genKeyPair();
byte[] data = "test".getBytes("UTF8");
Signature sig = Signature.getInstance("MD5WithRSA");

sig.initSign(keyPair.getPrivate());
sig.update(data);
byte[] signatureBytes = sig.sign();
System.out.println("Singature:" + new BASE64Encoder().encode(signatureBytes));
sig.initVerify(keyPair.getPublic());
sig.update(data);
System.out.println(sig.verify(signatureBytes));
}
}
Output:
Singature:ecmcCxZyBjI4ueSJF3mULwVM9YnYHq8137X1DOnIq9KRClUpdfQjAn75t9Gm72Uh
jzPp/w r0vSSj
GlNdgACyqrQc0fbAXLCBwibstPO8ojEerLjJzaGfly9VZA+dCOZNpChELBDDEHMJ+RZSf0H3
SUEH 8/48p5EbQGDNutgAk/c

Implementation of Diffie Hellman Key exchange algorithm
Theory:
Diffie-Hellman key exchange is a cryptographic protocol that allows two parties that have no prior
knowledge of each other to jointly establish a shared secret key over an insecure communications
channel. This key can then be used to encrypt subsequent communications using a symmetric key
cipher.
The simplest, and original, implementation of the protocol uses the Multiplicative group of integers
modulo p, where p is prime and g is primitive root mod p. Here is an example of the protocol:
1. Alice and Bob agree to use a prime number p=23 and base g=5.
2. Alice chooses a secret integer Xa=6, then sends Bob (g^XA) mod p.
56 mod 23 = 8.
3. Bob chooses a secret integer Xb=15, then sends Alice (g^XB) mod p.
515 mod 3 = 19.
4. Alice computes YA = (g^XA) mod p.

196 mod 23 = 2.
5. Bob computes YB = (g^XB) mod p.
815 mod 23 = 2.
In the original description, the Diffie-Hellman exchange by itself does not provide authentication of
the communicating parties and is thus vulnerable to a man-in-the-middle attack. A person in the
middle may establish two distinct Diffie-Hellman key exchanges, one with Alice and the other with
Bob, effectively masquerading as Alice to Bob, and vice versa, allowing the attacker to decrypt (and
read or store) then re-encrypt the messages passed between them. A method to authenticate the
communicating parties to each other is generally needed to prevent this type of attack.
Algorithm:
Alice and Bob, two users who wish to establish secure communications. We can assume that Alice
and Bob know nothing about each other but are in contact.
1. Communicating in the clear, Alice and Bob agree on two large positive integers, p and g,
where p is a prime number and g is a primitive root mod p.
2. Alice randomly chooses another large positive integer, XA, which is smaller than p. XA will
serve as Alice's private key.
3. Bob similarly chooses his own private key, XB.
4. Alice computes her public key, YA, using the formula YA = (g^XA) mod p.
5. Bob similarly computes his public key, YB, using the formula YB = (g^XB) mod p.
6. Alice and Bob exchange public keys over the insecure circuit.

7. Alice computes the shared secret key, k, using the formula k = (YB ^XA) mod p.
8. Bob computes the same shared secret key, k, using the formula k = (YA ^XB) mod p.
9. Alice and Bob communicate using the symmetric algorithm of their choice and the shared
secret key, k, which was never transmitted over the insecure circuit.
Source Code:
import java.util.*;
import java.math.BigInteger;
public class DiffieHellman {
final static BigInteger one = new BigInteger("1");
public static void main(String args[]) {
Scanner stdin = new Scanner(System.in);

BigInteger n;
// Get a start spot to pick a prime from the user.

System.out.println("Enter the first prime no:");
String ans = stdin.next();
n = getNextPrime(ans);
System.out.println("First prime is: " + n + ".");
// Get the base for exponentiation from the user.

System.out.println("Enter the second prime no(between 2 and n-1):");
BigInteger g = new BigInteger(stdin.next());
// Get A’s secret number.

System.out.println("Person A: enter your secret number now.i.e any random no(x)");
BigInteger a = new BigInteger(stdin.next());
// Make A’s calculation.

BigInteger resulta = g.modPow(a, n);
// This is the value that will get sent from A to B.

// This value does NOT compromise the value of a easily.
System.out.println("Person A sends" + resulta + "to person B.");
// Get B’s secret number.

System.out.println("Person B: enter your secret number now.i.e any random no(y)");
BigInteger b = new BigInteger(stdin.next());
// Make B’s calculation.

BigInteger resultb = g.modPow(b, n);
// This is the value that will get sent from B to A.

// This value does NOT compromise the value of b easily.
System.out.println("Person B sends" + resultb + "to person A.");
// Once A and B receive their values, they make their new calculations.
// This involved getting their new numbers and raising them to the
// same power as before, their secret number.
BigInteger KeyACalculates = resultb.modPow(a, n);
BigInteger KeyBCalculates = resulta.modPow(b, n);
// Print out the Key A calculates.
System.out.println("A takes" + resultb + "raises it to the power" + a + "mod" + n);

System.out.println("The Key A calculates is" + KeyACalculates + ".");
// Print out the Key B calculates.

System.out.println("B takes" + resulta + "raises it to the power" + b + "mod" + n);
System.out.println("The Key B calculates is" + KeyBCalculates + ".");
public static BigInteger getNextPrime(String ans) {
BigInteger test = new BigInteger(ans);

while (!test.isProbablePrime(99))
test = test.add(one);
return test;
}
Output:
Enter the first prime no:
7
First prime is: 7.

Enter the second prime no(between 2 and n-1):
3
Person A: enter your secret number now.i.e any random no(x)
10
Person A sends4to person B.
Person B: enter your secret number now.i.e any random no(y)
6
Person B sends1to person A.
A takes1raises it to the power10mod7
The Key A calculates is 1.
B takes4raises it to the power6mod7
The Key B calculates is 1.

Write program to demonstrate integrity management by implementing
message digest using MD5.
Theory:
MD5 (Message Digest algorithm 5) is a widely used cryptographic hash function with a 128bit
hash value. An MD5 hash is typically expressed as a 32 digit hexadecimal number. MD5 processes a
variable length message into a fixed length output of 128 bits. The input message is broken up into
chunks of 512 bit blocks (sixteen 32bit little endian integers) ; The message is padded so that its
length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end
of the message. This is followed by as many zeros as are required to bring the length of the message
up to 64 bits less than a multiple of 512. The remaining bits are filled up with a 64bit integer
representing the length of the original message, in bits.
The main MD5 algorithm operates on a 128bit state, divided into four 32bit words, denoted
A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on
each 512bit message block in turn, each block modifying the state. The processing of a message block
consists of four similar stages, termed rounds; each round is composed of 16 similar operations based
on a nonlinear function F, modular addition, and left rotation.
Figure 1: One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16
operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32bit block of
the message input, and Ki denotes a 32bit constant, different for each operation.
Figure 1 illustrates one operation within a round. There are four possible functions F; a different one
is used in each round:
F ( X , Y , Z ) = ( X  Y )  ( X  Z )
G ( X , Y , Z ) = ( X  Z )  (Y  Z )
I ( X , Y , Z ) = Y  ( X  Z )
 , , ,  denote the XOR, AND, OR and NOToperations respectively.

Algorithm:
Append Padding Bits
The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is,
the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is
always performed, even if the length of the message is already congruent to 448, modulo 512. Padding
is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended
so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at
least one bit and at most 512 bits are appended.
2. Append Length
A 64bit representation of b (the length of the message before the padding bits were added) is appended
to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the
loworder 64 bits of b are used. (These bits are appended as two 32bit words and appended loworder
word first in accordance with the previous conventions.) At this point the resulting message (after
padding with bits and with b) has a length that is an exact multiple of 512 bits. Equivalently, this
message has a length that is an exact multiple of 16 (32 bit) words. Let M[0 ... N1] denote the words
of the resulting message, where N is a multiple of 16.
3. Initialize MD Buffer
A fourword buffer (A,B,C,D) is used to compute the message digest. Here each of A, B, C, D is a
32bit register. These registers are initialized to the following values in hexadecimal, loworder bytes
first):
4. Process Message in 16Word Blocks

We first define four auxiliary functions that each take as input three 32bit words and produce as output
one 32bit word.
5. Output
The message digest produced as output is A, B, C, D. That is, we begin with the low order byte of A,
and end with the highorder byte of D.
Source Code:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
public class SimpleMD5Example
{
public static void main(String[] args)
{
String passwordToHash = "password";
String generatedPassword = null;

try {
// Create MessageDigest instance for MD5
MessageDigest md = MessageDigest.getInstance("MD5");
//Add password bytes to digest
md.update(passwordToHash.getBytes());
//Get the hash's bytes
byte[] bytes = md.digest();
//This bytes[] has bytes in decimal format;
//Convert it to hexadecimal format
StringBuilder sb = new StringBuilder();
for(int i=0; i< bytes.length ;i++)
{
sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
}
//Get complete hashed password in hex format
generatedPassword = sb.toString();
}
catch (NoSuchAlgorithmException e)
{
e.printStackTrace();
}
System.out.println(generatedPassword);
}
}
Output:
5f4dcc3b5aa765d61d8327deb882cf99

Study and use of wireless security tool- Kismet
Theory:
Kismet is an open source wireless network analyzer running under the Linux, Unix and Mac OS.
Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet works
with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a,
802.11g, and 802.11n traffic. Kismet identifies networks by passively collecting packets and
detecting networks.
Installation of Kismet:
1. Download and install Kismet
#sudo apt-get install kismet
2. Set the Kismet configuration(/etc/kismet.kismet.conf) file
3. Set wireless source and wireless network interface in config file
Output:

Study the use of network reconnaissance tools like WHOIS, dig, traceroute,
nslookup to gather information about networks and domain registrars.
WHOIS :
WHOIS is the Linux utility for searching an object in a WHOIS database. The WHOIS database of
a domain is the publicly displayed information about a domains ownership, billing, technical,
administrative, and nameserver information. Running a WHOIS on your domain will look the domain
up at the registrar for the domain information. All domains have WHOIS information. WHOIS
database can be queried to obtain the following information via
WHOIS:
• Administrative contact details, including names, email addresses, and telephone

numbers
• Mailing addresses for office locations relating to the target organization
• Details of authoritative name servers for each given domain
Example: Querying Facebook.com

ssc@ssc-OptiPlex-380:~$ whois facebook.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Server Name: FACEBOOK.COM.BRETLANDTRUSTMERCHANDISINGDEPART.COM
IP Address: 69.63.176.11
Registrar: GOOGLE INC.
Whois Server: whois.rrpproxy.net
Referral URL: http://domains.google.com
Server Name:
FACEBOOK.COM.DISABLE.YOUR.TIMELINE.NOW.WITH.THE.ORIGINAL.TIMELINE-
REMOVE.NET
IP Address: 8.8.8.8
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Server Name: FACEBOOK.COM.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
IP Address: 209.126.190.70
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Server Name: FACEBOOK.COM.LOVED.BY.WWW.SHQIPHOST.COM
IP Address: 46.4.210.254
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Server Name: FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
IP Address: 203.36.226.2
Registrar: INSTRA CORPORATION PTY, LTD.
Whois Server: whois.instra.net
Referral URL: http://www.instra.com
Server Name:
FACEBOOK.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.229
Registrar: TUCOWS DOMAINS INC.
Whois Server: whois.tucows.com
Referral URL: http://www.tucowsdomains.com
Domain Name: FACEBOOK.COM
Registrar: MARKMONITOR INC.
Sponsoring Registrar IANA ID: 292
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: A.NS.FACEBOOK.COM
Name Server: B.NS.FACEBOOK.COM
Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Status:clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Status:clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Status:serverDeleteProhibited
http://www.icann.org/epp#serverDeleteProhibited
Status:serverTransferProhibited http://www.icann.org/epp#serverTransferProhibited
Status:serverUpdateProhibited http://www.icann.org/epp#serverUpdateProhibited
Updated Date: 28-sep-2012
Creation Date: 29-mar-1997
Expiration Date: 30-mar-2020
>>> Last update of whois database: Fri, 17 Jul 2015 04:12:12 GMT <<<
The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.
For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.
Domain Name: facebook.com
Registry Domain ID: 2320948_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2014-10-28T12:38:28-0700
reation Date: 1997-03-28T21:00:00-0800
Registrar Registration Expiration Date: 2020-03-29T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740

Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Facebook, Inc.
Registrant Street: 1601 Willow Road,
Registrant City: Menlo Park
Registrant State/Province: CA
Registrant Postal Code: 94025
Registrant Country: US
Registrant Phone: +1.6505434800
Registrant Phone Ext:
Registrant Fax: +1.6505434800
Registrant Fax Ext:
Registrant Email: domain@fb.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Facebook, Inc.
Admin Street: 1601 Willow Road,
Admin City: Menlo Park
Admin State/Province: CA
Admin Postal Code: 94025
Admin Country: US
Admin Phone: +1.6505434800
Admin Phone Ext:
Admin Fax: +1.6505434800
Admin Fax Ext:
Admin Email: domain@fb.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Facebook, Inc.
Tech Street: 1601 Willow Road,
Tech City: Menlo Park
Tech State/Province: CA
Tech Postal Code: 94025
Tech Country: US
Tech Phone: +1.6505434800
Tech Phone Ext:
Tech Fax: +1.6505434800
Tech Fax Ext:
Tech Email: domain@fb.com
Name Server: b.ns.facebook.com
Name Server: a.ns.facebook.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-07-16T21:08:30-0700 <<<
The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for

information purposes, and to assist persons in obtaining information about or
related to a domain name registration record. MarkMonitor.com does not guarantee
its accuracy. By submitting a WHOIS query, you agree that you will use this Data
only for lawful purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via e-mail (spam); or
(2) enable high volume, automated, electronic processes that apply to
MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
MarkMonitor is the Global Leader in Online Brand Protection.
MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services
Visit MarkMonitor at http://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
ssc@ssc-OptiPlex-380:~$
Dig - Dig is a networking tool that can query DNS servers for information. It can be very helpful for
diagnosing problems with domain pointing and is a good way to verify that your configuration is
working. The most basic way to use dig is to specify the domain we wish to query:
dig example.com
$ dig duckduckgo.com
; <<>> DiG 9.8.1-P1 <<>> duckduckgo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64399
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 99 IN A 107.21.1.61

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 23 14:26:17 2013
;; MSG SIZE rcvd: 96
The lines above act as a header for the query performed. It is possible to run dig in batch mode,
so proper labeling of the output is essential to allow for correct analysis.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64399
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
The next section gives us a technical summary of our query results. We can see that the query
was successful, certain flags were used, and that 4 "answers" were received.
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
The above section of the output contains the actual results we were looking for. It restates the
query and then returns the matching DNS records for that domain name.
Here, we can see that there are four "A" records for "duckduckgo.com". By default, "A" records
are returned. This gives us the IP addresses that the domain name resolves to.
The "99" is the TTL (time to live) before the DNS server rechecks the association between the
domain name and the IP address. The "IN" means the class of the record is a standard internet
class.
;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 23 14:26:17 2013
;; MSG SIZE rcvd: 96
These lines simply provide some statistics about the actual query results. The query time can be
indicative of problems with the DNS servers.
Traceroute - traceroute prints the route that packets take to a network host. Traceroute utility uses
the TTL field in the IP header to achieve its operation. For users who are new to TTL field, this field
describes how much hops a particular packet will take while traveling on network. So, this effectively
outlines the lifetime of the packet on network. This field is usually set to 32 or 64. Each time the
packet is held on an intermediate router, it decreases the TTL value by 1. When a router finds the
TTL value of 1 in a received packet then that packet is not forwarded but instead discarded. After
discarding the packet, router sends an ICMP error message of ―Time exceeded‖ back to the source
from where packet generated. The ICMP packet that is sent back contains the IP address of the router.
So now it can be easily understood that traceroute operates by sending packets with TTL value starting
from 1 and then incrementing by one each time. Each time a router receives the packet, it checks the
TTL field, if TTL field is 1 then it discards the packet and sends the ICMP error packet containing its
IP address and this is what traceroute requires. So traceroute incrementally fetches the IP of all the
routers between the source and the destination.
Example: traceroute example.com
traceroute to example.com (64.13.192.208), 64 hops max, 40 byte packets
1 72.10.62.1 (72.10.62.1) 1.000 ms 0.739 ms 0.702 ms
2 10.101.248.1 (10.101.248.1) 0.683 ms 0.385 ms 0.315 ms
3 10.104.65.161 (10.104.65.161) 0.791 ms 0.703 ms 0.686 ms
4 10.104.65.161 (10.104.65.161) 0.791 ms 0.703 ms 0.686 ms
5 10.0.10.33 (10.0.10.33) 2.652 ms 2.260 ms 5.353 ms
6 acmkokeaig.gs01.gridserver.com (64.13.192.208) 3.384 ms 8.001 ms 2.439 ms
Nslookup - The nslookup command is used to query internet name servers interactively for
information. nslookup, which stands for "name server lookup", is a useful tool for finding out
information about a named domain. By default, nslookup will translate a domain name to an IP
address (or vice versa). For instance, to find out what the IP address of microsoft.com is, you could
run the command:
nslookup microsoft.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name:
microsoft.com
Address: 134.170.185.46
Name:
microsoft.com
Address: 134.170.188.221
Here, 8.8.8.8 is the address of our system's Domain Name Server. This is the server our system is
configured to use to translate domain names into IP addresses. "#53" indicates that we are
communicating with it on port 53, which is the standard port number domain name servers use to
accept queries. Below this, we have our lookup information for microsoft.com. Our name server
returned two entries, 134.170.185.46 and 134.170.188.221. This indicates that microsoft.com uses a
round robin setup to distribute server load. When you accessmicrsoft.com, you may be directed to
either of these servers and your packets will be routed to the correct destination. You can see that we
have received a "Non-authoritative answer" to our query. An answer is "authoritative" only if our
DNS has the complete zone file information for the domain in question. More often, our DNS will
have a cache of information representing the last authoritative answer it received when it made a
similar query, this information is passed on to you, but the server qualifies it as "non-authoritative":
the information was recently received from an authoritative source, but the DNS server is not itself
that authority.

Study of packet sniffer tools wireshark
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and
display them in human-readable format. Wireshark includes filters, color-coding and other features
that let you dig deep into network traffic and inspect individual packets.
Features of Wireshark :
• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
• number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
Capturing Packets
After downloading and installing wireshark, you can launch it and click the name of an interface
under Interface List to start capturing packets on that interface. For example, if you want to capture
traffic on the wireless network, click your wireless interface. You can configure advanced features
by clicking Capture Options.
Installation of Wireshark:
sudo apt-get install wireshark

After downloading and installing wireshark, you can launch it and click the name of an interface
under Interface List to start capturing packets on that interface. For example, if you want to capture
traffic on the wireless network, click your wireless interface. You can configure advanced features
by clicking Capture Options.
As soon as you click the interface‘s name, you‘ll see the packets start to appear in real time.
Wireshark captures each packet sent to or from your system. If you‘re capturing on a wireless
interface and have promiscuous mode enabled in your capture options, you‘ll also see other the
other packets on the network
Click the stop capture button near the top left corner of the window when you want to stop capturing
traffic.
Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP
traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with
problems — for example, they could have been delivered out-of-order.
Filtering Packets
If you‘re trying to inspect something specific, such as the traffic a program sends when phoning home,
it helps to close down all other applications using the network so you can narrow down the traffic.
Still, you‘ll likely have a large amount of packets to sift through. That‘s where Wireshark‘s filters
come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and
clicking Apply (or pressing Enter). For example, type ―dns‖ and you‘ll see only DNS packets. When
you start typing, Wireshark will help you autocomplete your filter.

Download and install nmap. Use it with different options to scan open ports,
perform OS fingerprinting, do a ping scan, tcp port scan, udp port scan, etc.
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his
pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus
creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the
target host and then analyzes the responses. Unlike many simple port scanners that just send packets
at some predefined constant rate, Nmap accounts for the network conditions (latency fluctuations,
network congestion, the target interference with the scan) during the run. Also, owing to the large and
active user community providing feedback and contributing to its features, Nmap has been able to
extend its discovery capabilities beyond simply figuring out whether a host is up or down and which
ports are open and closed; it can determine the operating system of the target, names and versions of
the listening services, estimated uptime, type of device, and presence of a firewall.
Nmap features include:
• Host Discovery – Identifying hosts on a network. For example, listing the hosts which respond
to pings or have a particular port open.
• Port Scanning – Enumerating the open ports on one or more target hosts.
• Version Detection – Interrogating listening network services listening on remote devices to
determine the application name and version number.
• OS Detection – Remotely determining the operating system and some hardware
characteristics of network devices.
Basic commands working in Nmap:
• For target specifications: nmap <target‘s URL or IP with spaces between them>
• For OS detection: nmap -O <target-host's URL or IP>
• For version detection: nmap -sV <target-host's URL or IP>
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly,
scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is
also relatively unobtrusive and stealthy since it never completes TCP connections
Algorithm\Implementation Steps\Installation Steps:
• Installing Nmap from the link.
sudo apt-get install nmap
• Obtaining Your IP addresses.
Use the ifconfig command in Linux.
• Performing a Scan of the Local Network.
1. For the following steps, please use the nmap command line tool installed on Ubuntu
2. Scan your subnet to determine how many hosts can be found. For example, if you are on the
192.168.1.0 subnet, you would enter the following command: nmap –sP 192.168.1.*
i. What is your subnet? ________________
ii. How many hosts were found? ________________
3. Next perform a stealth scan (Please use the IP for your subnet): nmap –sS –P0 –p 192.169.1.*
4. Now, you’ll perform an OS identification. Use the Linux O/S to scan your Windows machine:
i. nmap –O Windows_IP_ADDRESS
ii. OS Type 1:______________________________
iii. Now we want to use the Windows machine to scan the Linux O/S. Go to a
Windows DOS prompt and enter the following command:
iv. nmap –O Linux_IP_ADDRESS
v. Now we will perform a service selection scan. Let’s scan for all computers
with FTP running. We would do that as follows:
nmap –p21 192.168.1.*
5. List the IP addresses with that has the FTP open: _____________________
Input and Output:
• Installation of nmap:
> sudo apt-get install nmap

• nmap -sP 10.0.0.0/24
Ping scans the network, listing machines that respond to ping.
• FIN scan (-sF)

Sets just the TCP FIN bit.
• -sV (Version detection) .

Enables version detection, as discussed above. Alternatively, can use -A, which enables

version detection among other things.
• -sO (IP protocol scan) .

IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are
supported by target machines. This isn´t technically a port scan, since it cycles through IP
protocol numbers rather than TCP or UDP port numbers.
• -O (Enable OS detection) .
Enables OS detection, as discussed above. Alternatively, you can use -A to enable OS
detection along with other things.

• -p port ranges (Only scan specified ports) .
This option specifies which ports you want to scan and overrides the default. Individual port
numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or
end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively.
• --top-ports <integer of 1 or greater>

Scans the N highest-ratio ports found in nmap-services file.

• nmap –iflist
host interface and route information with nmap by using ―–iflist‖ option.

ARP spoofing using ARPWATCH
Theory:
Arpwatch is an open source computer software program that helps you to monitor Ethernet traffic
activity (like Changing IP and MAC Addresses) on your network and maintains a database of
ethernet/ip address pairings. It produces a log of noticed pairing of IP and MAC addresses information
along with a timestamps, so you can carefully watch when the pairing activity appeared on the
network. It also has the option to send reports via email to an network administrator when a pairing
added or changed.
This tool is especially useful for Network administrators to keep a watch on ARP activity to
detect ARP spoofing or unexpected IP/MAC addresses modifications.
Installing Arpwatch in Linux
To watch a specific interface, type the following command with ‗-i‗ and device name.
# arpwatch -i eth0
So, whenever a new MAC is plugged or a particular IP is changing his MAC address on the
network, you will notice syslog entries at ‗/var/log/syslog‗ or ‗/var/log/message‗ file.

Simulate DOS attack using Hping and Wireshark
Denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to

its intended users, such as to temporarily or indefinitely interrupt or suspend services. A distributed
denial-of-service (DDoS) is where the attack source is more than one, often thousands of, unique IP
addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business,
and not letting legitimate parties enter into the shop or business, disrupting normal operations.
A DoS attack tries to make a web resource unavailable to its users by flooding the target URL with
more requests than the server can handle. That means that during the attack period, regular traffic on
the website will be either slowed down or completely interrupted.
A Distributed Denial of Service (DDoS) attack is a DoS attack that comes from more than one source
at the same time. A DDoS attack is typically generated using thousands (potentially hundreds of
thousands) of unsuspecting zombie machines. The machines used in such attacks are collectively
known as “botnets” and will have previously been infected with malicious software, so they can be
remotely controlled by the attacker. According to research, tens of millions of computers are likely
to be infected with botnet programs worldwide.
Cybercriminals use DoS attacks to extort money from companies that rely on their websites being
accessible. But there have also been examples of legitimate businesses having paid underground
elements of the Internet to help them cripple rival websites. In addition, cybercriminals combine DoS
attacks and phishing to target online bank customers. They use a DoS attack to take down the bank's
website and then send out phishing e-mails to direct customers to a fake emergency site instead.
1. Install Hping3 and wireshark
2. Flood the victim with TCP/ICMP/UDP packet using Hping (-- flood option)
3. Observe the Dos attack and DDos attack using Wireshark

Input/Output

Use the NESSUS to scan the network for vulnerabilities
Nessus is one of the most popular and capable vulnerability scanners, particularly for UNIX systems.
It was initially free and open source, but they closed the source code in 2005 and removed the free
"Registered Feed" version in 2008. It now costs $1,200 per year, which still beats many of its
competitors. A free “Home Feed” is also available, though it is limited and only licensed for home
network use. Nessus is constantly updated with more than 46,000 plug-ins. Key features include
remote and local (authenticated) security checks, client/server architecture with a web-based
interface, and an embedded scripting language for writing your own plug-ins or understanding the
existing ones.
Installation Steps:
1. Download Nessus setup file

- Go to www.tenable.com -> products -> Nessus-> download
- Download Nessus for ubuntu14.4
2. Install Nessus
• Open a Terminal and go to the download directory (cd)
• Run sudo dpkg -i Nessus*.deb. Enter root password.

• Start it sudo /etc/init.d/nessusd start
3. After installation, go to https://localhost:8834

- Click on Get started for registration
- Initial account setup: provide login details
- Plug-in feed registration

a) Go to http://www.nessus.org/register/ for registration and activation code. Register
by entering user details and valid mail id. Activation code will be sent to given
mail id.

b) Activate using supplied activation code
c) Click on download plug-in
d) It will show following fetching plug-ins window
- Sign in for Nessus vulnerability scanner using login name and password
4. Create scan by clicking scan-> add scan -> provide scan details(scan name, type of scan, target
addr etc)
5. Check vulnerability report in Results
Basic Network scanning

Advanced Scanning in General Search

Ntstat port scanning

Vulnerability Mapping

Policies

Plugins

General Scanning

Port scanning

Set up IPSEC under LINUX
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session. IPsec
includes protocols for establishing mutual authentication between agents at the beginning of the
session and negotiation of cryptographic keys to be used during the session. IPsec can be used in
protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a host (network-to-host)
Internet Protocol security (IPsec) uses cryptographic security services to protect communications
over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin
authentication, data integrity, data confidentiality (encryption), and replay protection.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite,
while some other Internet security systems in widespread use, such as Transport Layer Security (TLS)
and Secure Shell (SSH), operate in the upper layers at Application layer. Hence, only IPsec protects
any application traffic over an IP network. Applications can be automatically secured by IPsec at the
IP layer.
Here ipsec is implemented using strongSwan tool. strongSwan is a IPsec implementation. It uses
openSSL pluugin (Eliptic Curve Cryptography).
Let two servers be red server (192.168.4.144) and blue server (192.168.4.145)
Installation and configuration on red server
Step 1: Installation of strongswan

project@project-OptiPlex-360:~$ sudo apt-get install ipsec-tools strongswan-starter
[sudo] password for project:
Reading package lists... Done
Building dependency tree
Reading state information... Done
ipsec-tools is already the newest version (1:0.8.2+20140711-5).
The following packages were automatically installed and are no longer required:

geoip-database-extra libjs-openlayers libllvm5.0 libqcustomplot1.3
libqt5scintilla2-12v5 libqt5scintilla2-l10n libwireshark10 libwireshark8
libwiretap6 libwiretap7 libwscodecs1 libwsutil7 libwsutil8
linux-headers-4.10.0-38 linux-headers-4.10.0-38-generic
linux-image-4.10.0-38-generic linux-image-4.13.0-32-generic
linux-image-extra-4.10.0-38-generic linux-image-extra-4.13.0-32-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
libstrongswan libstrongswan-standard-plugins strongswan-charon
strongswan-libcharon
Suggested packages:
libstrongswan-extra-plugins libcharon-extra-plugins
The following packages will be REMOVED:
racoon
The following NEW packages will be installed:
strongswan-libcharon strongswan-starter
0 upgraded, 5 newly installed, 1 to remove and 51 not upgraded.
Need to get 3,563 kB of archives.
After this operation, 13.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Get:1 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 libstrongswan i386 5.3.5-
1ubuntu3.5 [1,337 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 strongswan-libcharon i386

5.3.5-1ubuntu3.5 [1,191 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 strongswan-starter i386 5.3.5-

1ubuntu3.5 [720 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 strongswan-charon i386 5.3.5-

1ubuntu3.5 [54.5 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 libstrongswan-standard-plugins

i386 5.3.5-1ubuntu3.5 [260 kB]
Fetched 3,563 kB in 34s (104 kB/s)
Preconfiguring packages ...
(Reading database ... 406558 files and directories currently installed.)
Removing racoon (1:0.8.2+20140711-5) ...
Processing triggers for man-db (2.7.5-1) ...
Selecting previously unselected package libstrongswan.
Preparing to unpack .../libstrongswan_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking libstrongswan (5.3.5-1ubuntu3.5) ...
Selecting previously unselected package strongswan-libcharon.
Preparing to unpack .../strongswan-libcharon_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking strongswan-libcharon (5.3.5-1ubuntu3.5) ...
Selecting previously unselected package strongswan-starter.
Preparing to unpack .../strongswan-starter_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking strongswan-starter (5.3.5-1ubuntu3.5) ...
Selecting previously unselected package strongswan-charon.
Preparing to unpack .../strongswan-charon_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking strongswan-charon (5.3.5-1ubuntu3.5) ...

Selecting previously unselected package libstrongswan-standard-plugins.
Preparing to unpack .../libstrongswan-standard-plugins_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking libstrongswan-standard-plugins (5.3.5-1ubuntu3.5) ...
Setting up libstrongswan (5.3.5-1ubuntu3.5) ...
Setting up strongswan-libcharon (5.3.5-1ubuntu3.5) ...
Setting up strongswan-starter (5.3.5-1ubuntu3.5) ...
Configuration file '/etc/ipsec.conf'
==> File on system created by you or by a script.
==> File also in package provided by package maintainer.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** ipsec.conf (Y/I/N/O/D/Z) [default=N] ? y
Installing new version of config file /etc/ipsec.conf ...
Setting up strongswan-charon (5.3.5-1ubuntu3.5) ...
Setting up libstrongswan-standard-plugins (5.3.5-1ubuntu3.5) ...
Step 2: Configuration of ipsec.conf

project@project-OptiPlex-360:~$ sudo gedit /etc/ipsec.conf

Step 3: Configuration of ipsec.secrets
project@project-OptiPlex-360:~$ sudo gedit /etc/ipsec.secrets

Step 4: Start ipsec
project@project-OptiPlex-360:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
Step 5: Checking status information of ipsec

project@project-OptiPlex-360:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.15.0-24-generic, i686):
uptime: 29 seconds, since Jul 12 16:04:50 2018
malloc: sbrk 1212416, mmap 0, used 178752, free 1033664
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent
xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
192.168.4.144
Connections:
red-to-blue: 192.168.4.144...192.168.4.145 IKEv1/2
red-to-blue: local: [192.168.4.144] uses pre-shared key authentication
red-to-blue: remote: [192.168.4.145] uses pre-shared key authentication
red-to-blue: child: dynamic === dynamic TRANSPORT
Routed Connections:
red-to-blue{1}: ROUTED, TRANSPORT, reqid 1
red-to-blue{1}: 192.168.4.144/32 === 192.168.4.145/32
Security Associations (0 up, 0 connecting):
None

Installation and configuration on blue server
Step 1: Installation of strongswan

project@project-OptiPlex-360:~$ sudo apt-get install ipsec-tools strongswan-starter
[sudo] password for project:
ipsec-tools is already the newest version (1:0.8.2+20140711-5).
The following packages were automatically installed and are no longer required:
geoip-database-extra libjs-openlayers libwireshark8 libwiretap6 libwscodecs1
libwsutil7 libwsutil8 linux-headers-4.13.0-32
linux-headers-4.13.0-32-generic linux-headers-4.13.0-36
linux-headers-4.13.0-36-generic linux-headers-4.13.0-37
linux-headers-4.13.0-37-generic linux-image-4.13.0-32-generic
linux-image-extra-4.13.0-37-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
strongswan-libcharon
Suggested packages:
libstrongswan-extra-plugins libcharon-extra-plugins
The following packages will be REMOVED:
racoon

The following NEW packages will be installed:
strongswan-libcharon strongswan-starter
Need to get 3,563 kB of archives.
After this operation, 13.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 libstrongswan i386 5.3.5-

1ubuntu3.5 [1,337 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 strongswan-libcharon i386

5.3.5-1ubuntu3.5 [1,191 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 strongswan-starter i386 5.3.5-

1ubuntu3.5 [720 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 strongswan-charon i386 5.3.5-

1ubuntu3.5 [54.5 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 libstrongswan-standard-plugins

i386 5.3.5-1ubuntu3.5 [260 kB]
Fetched 3,563 kB in 12s (278 kB/s)
Preconfiguring packages ...
Removing racoon (1:0.8.2+20140711-5) ...
Selecting previously unselected package libstrongswan.
Preparing to unpack .../libstrongswan_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking libstrongswan (5.3.5-1ubuntu3.5) ...
Selecting previously unselected package strongswan-libcharon.
Preparing to unpack .../strongswan-libcharon_5.3.5-1ubuntu3.5_i386.deb ...

Unpacking strongswan-libcharon (5.3.5-1ubuntu3.5) ...
Selecting previously unselected package strongswan-starter.
Preparing to unpack .../strongswan-starter_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking strongswan-starter (5.3.5-1ubuntu3.5) ...
Selecting previously unselected package strongswan-charon.
Preparing to unpack .../strongswan-charon_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking strongswan-charon (5.3.5-1ubuntu3.5) ...
Selecting previously unselected package libstrongswan-standard-plugins.
Preparing to unpack .../libstrongswan-standard-plugins_5.3.5-1ubuntu3.5_i386.deb ...
Unpacking libstrongswan-standard-plugins (5.3.5-1ubuntu3.5) ...
Setting up libstrongswan (5.3.5-1ubuntu3.5) ...
Setting up strongswan-libcharon (5.3.5-1ubuntu3.5) ...
Setting up strongswan-starter (5.3.5-1ubuntu3.5) ...
Configuration file '/etc/ipsec.conf'
==> File on system created by you or by a script.
==> File also in package provided by package maintainer.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** ipsec.conf (Y/I/N/O/D/Z) [default=N] ? y
Installing new version of config file /etc/ipsec.conf ...
Setting up strongswan-charon (5.3.5-1ubuntu3.5) ...

Setting up libstrongswan-standard-plugins (5.3.5-1ubuntu3.5) ...
Step 2: Configuration of ipsec.conf
project@project-OptiPlex-360:~$ sudo gedit /etc/ipsec.conf
Step 3: Configuration of ipsec.secrets

project@project-OptiPlex-360:~$ sudo gedit /etc/ipsec.secrets

Step 4: Start ipsec
project@project-OptiPlex-360:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...

Testing the Tunnel
Step 1: On red server (192.168.4.144), run following command

project@project-OptiPlex-360:~$ ping -s 4048 192.168.4.145
PING 192.168.4.145 (192.168.4.145) 4048(4076) bytes of data.
4056 bytes from 192.168.4.145: icmp_seq=2 ttl=64 time=1.63 ms
Step 2: Checking working of ipsec

project@project-OptiPlex-360:~$ sudo tcpdump esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:13:18.288011 IP 192.168.4.144 > 192.168.4.145: ESP(spi=0xc6c1b87d,seq=0x80), length 1440
16:13:18.288037 IP 192.168.4.144 > 192.168.4.145: esp
16:13:18.288042 IP 192.168.4.144 > 192.168.4.145: esp
16:13:18.288304 IP 192.168.4.145 > 192.168.4.144: ESP(spi=0xca32160f,seq=0x80), length 1440
16:13:18.288309 IP 192.168.4.145 > 192.168.4.144: esp
16:13:18.288312 IP 192.168.4.145 > 192.168.4.144: esp
16:13:19.289732 IP 192.168.4.144 > 192.168.4.145: esp
16:13:19.289736 IP 192.168.4.144 > 192.168.4.145: esp
16:13:19.290035 IP 192.168.4.145 > 192.168.4.144: esp
16:13:19.290038 IP 192.168.4.145 > 192.168.4.144: esp
16:13:20.291386 IP 192.168.4.144 > 192.168.4.145: esp
16:13:20.291471 IP 192.168.4.144 > 192.168.4.145: esp
16:13:20.291812 IP 192.168.4.145 > 192.168.4.144: esp
16:13:20.291815 IP 192.168.4.145 > 192.168.4.144: esp
16:13:21.293379 IP 192.168.4.144 > 192.168.4.145: esp
16:13:21.293384 IP 192.168.4.144 > 192.168.4.145: esp
16:13:21.293832 IP 192.168.4.145 > 192.168.4.144: esp
16:13:21.293834 IP 192.168.4.145 > 192.168.4.144: esp
16:13:22.295444 IP 192.168.4.144 > 192.168.4.145: esp

16:13:22.295452 IP 192.168.4.144 > 192.168.4.145: esp
16:13:22.295750 IP 192.168.4.145 > 192.168.4.144: esp
16:13:22.295753 IP 192.168.4.145 > 192.168.4.144: esp
16:13:23.297343 IP 192.168.4.144 > 192.168.4.145: esp
16:13:23.297348 IP 192.168.4.144 > 192.168.4.145: esp
16:13:23.297772 IP 192.168.4.145 > 192.168.4.144: esp
16:13:23.297775 IP 192.168.4.145 > 192.168.4.144: esp
16:13:24.299281 IP 192.168.4.144 > 192.168.4.145: esp
16:13:24.299286 IP 192.168.4.144 > 192.168.4.145: esp
16:13:24.299696 IP 192.168.4.145 > 192.168.4.144: esp
16:13:24.299699 IP 192.168.4.145 > 192.168.4.144: esp
16:13:25.301050 IP 192.168.4.144 > 192.168.4.145: esp
16:13:25.301204 IP 192.168.4.144 > 192.168.4.145: esp
16:13:25.301560 IP 192.168.4.145 > 192.168.4.144: esp
16:13:25.301562 IP 192.168.4.145 > 192.168.4.144: esp

Set up Snort and study the logs
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by
Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the
most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly
400,000 registered users, Snort has become the de facto standard for IPS.
Snort can be configured to run in three modes:
1. Sniffer mode : It simply reads the packets off of the network and displays them for you in a
continuous stream on the console (screen)
2. Packet Logger mode : logs the packets to disk
3. Network Intrusion Detection System (NIDS) mode: it performs detection and analysis on
network traffic. This is the most complex and configurable mode.
1. Download snort from snort.org

2. Install installer file
3. Signup on snort.org
4. Download ruleset
5. Unzip it into c:\snort directory.
Input/Output
1. Sniffer Mode
• Printing out the TCP/IP packet headers to the screen (i.e. sniffer mode)
C:\snort\bin> snort -v
This command will run Snort and just show the IP and TCP/UDP/ICMP headers
• If you want to see the application data in transit
C:\snort\bin> snort -vd
This instructs Snort to display the packet data as well as the headers.
• For more descriptive display, showing the data link layer headers
C:\snort\bin>snort -vde
As an aside, notice that the command line switches can be listed separately or in a combined
form. Same result can be obtained using
C:\snort\bin>snort -d -v –e
• Other commands
C:\snort\bin> snort –W : show the interface number
• Packet dump mode
C:\snort\bin> snort –v –i1
Packet Logger Mode
If you want to record the packets to the disk, you need to specify a logging directory and Snort will
automatically know to go into packet logger mode:
c:\snort\bin> snort -dev -l c:\snort\log
Of course, this assumes you have a directory named log in the current directory. If you don't, Snort
will exit with an error message. When Snort runs in this mode, it collects every packet it sees and
places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram.
If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the
remote computer as the directory in which it places packets and sometimes it uses the local host
address. In order to log relative to the home network, you need to tell Snort which network is the
home network:
c:\snort\bin>snort -dev -l c:\snort\bin\log -h 192.168.1.0/24
This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application
data into the directory ./log, and you want to log the packets relative to the 192.168.1.0 class C
network. All incoming packets will be recorded into subdirectories of the log directory, with the
directory names being based on the address of the remote (non-192.168.1) host.

If you're on a high speed network or you want to log the packets into a more compact form for later
analysis, you should consider logging in binary mode. Binary mode logs the packets in tcpdump
format to a single binary file in the logging directory:
c:\snort\bin>snort -l c:\snort\log -b
Note the command line changes here. We don't need to specify a home network any longer because
binary mode logs everything into a single file, which eliminates the need to tell it how to format the
output directory structure. Additionally, you don't need to run in verbose mode or specify the -d or -
e switches because in binary mode the entire packet is logged, not just sections of it. All you really
need to do to place Snort into logger mode is to specify a logging directory at the command line using
the -l switch--the -b binary logging switch merely provides a modifier that tells Snort to log the
packets in something other than the default output format of plain ASCII text.
Once the packets have been logged to the binary file, you can read the packets back out of the file
with any sniffer that supports the tcpdump binary format (such as tcpdump or Ethereal). Snort can
also read the packets back by using the -r switch, which puts it into playback mode. Packets from any
tcpdump formatted file can be processed through Snort in any of its run modes. For example, if you
wanted to run a binary log file through Snort in sniffer mode to dump the packets to the screen, you
can try something like this:
C:\snort\bin>snort -dv -r packet.log
You can manipulate the data in the file in a number of ways through Snort's packet logging and
intrusion detection modes, as well as with the BPF interface that's available from the command line.
For example, if you only wanted to see the ICMP packets from the log file, simply specify a BPF
filter at the command line and Snort will only see the ICMP packets in the file:
C:\snort/bin>snort -dvr packet.log icmp

Network Intrusion Detection System (NIDS) mode
Predefined snort rules

cg16@cg16:/etc/snort/rules$ ls
attack-responses.rules community-web-dos.rules p2p.rules
backdoor.rules community-web-iis.rulespolicy.rules
bad-traffic.rules community-web-misc.rules pop2.rules
chat.rules community-web-php.rules pop3.rules
community-bot.rulesddos.rulesporn.rules
community-deleted.rulesdeleted.rulesrpc.rules
community-dos.rulesdns.rulesrservices.rules
community-exploit.rulesdos.rulesscan.rules
community-ftp.rulesexperimental.rulesshellcode.rules
community-game.rulesexploit.rulessmtp.rules
community-icmp.rulesfinger.rulessnmp.rules
community-imap.rulesftp.rulessql.rules
community-inappropriate.rulesicmp-info.rulestelnet.rules
community-mail-client.rulesicmp.rulestftp.rules
community-misc.rulesicmp.rules~ virus.rules
community-nntp.rulesimap.rules web-attacks.rules
community-oracle.rulesinfo.rules web-cgi.rules
community-policy.ruleslocal.rules web-client.rules
community-sip.rulesmisc.rules web-coldfusion.rules
community-smtp.rulesmultimedia.rules web-frontpage.rules
community-sql-injection.rulesmysql.rules web-iis.rules
community-virus.rulesnetbios.rules web-misc.rules
community-web-attacks.rulesnntp.rules web-php.rules
community-web-cgi.rulesoracle.rules x11.rules
community-web-client.rules other-ids.rules
Creating our new rule
Note here created a simple rule which will display corresponding message
When ping command is used i.e ICMP
cg16@cg16:/etc/snort/rules$ sudogeditlocald.rules
cg16@cg16:/etc/snort/rules$ cat locald.rules
alerticmp any any -> $HOME_NET any (msg:"ICMP test pooja"; sid:10000002;)
New rule(locald.rules) is added in snort-> rules folder
cg16@cg16:/etc/snort/rules$ ls
attack-responses.rules community-web-iis.rules
community-misc.rulesimap.rulestftp.rules
community-nntp.rulesinfo.rulesvirus.rules
community-oracle.ruleslocald.rules web-attacks.rules
community-policy.ruleslocal.rules web-cgi.rules
community-sip.rulesmisc.rules
Including our Rules in snort.conf file

# NOTE: All categories are enabled in this conf file
###################################################
#this is my rule mecomp d ;)
include $RULE_PATH/locald.rules
#commenting all other rules for time

# site specific rules
include $RULE_PATH/local.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
## include $RULE_PATH/blacklist.rules
## include $RULE_PATH/botnet-cnc.rules
##include $RULE_PATH/chat.rules
## include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/community-dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/community-exploit.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/community-ftp.rules
##include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/community-imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/community-nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/community-oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
## include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
## include $RULE_PATH/community-policy.rules
## include $RULE_PATH/community-inappropriate.rules
## include $RULE_PATH/community-game.rules
## include $RULE_PATH/community-misc.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
## include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
## Note: this rule is extremely chatty, enable with care
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/community-smtp.rules
#include $RULE_PATH/snmp.rules
## include $RULE_PATH/specific-threats.rules
# #include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
##include $RULE_PATH/community-virus.rules
#include $RULE_PATH/community-bot.rules
## include $RULE_PATH/voip.rules
#include $RULE_PATH/community-sip.rules
## Specific web server rules:
## include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/community-sql-injection.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/community-web-dos.rules
#include $RULE_PATH/community-web-iis.rules
#include $RULE_PATH/community-web-misc.rules
#include $RULE_PATH/community-web-php.rules
#include $RULE_PATH/community-sql-injection.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/community-web-dos.rules
#include $RULE_PATH/community-web-iis.rules
#include $RULE_PATH/community-web-misc.rules
#include $RULE_PATH/community-web-php.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/test.rules
Testing our new rule

cg16@cg16:~$ ping 192.168.3.145
PING 192.168.3.145 (192.168.3.145) 56(84) bytes of data.
64 bytes from 192.168.3.145: icmp_req=1 ttl=64 time=0.133 ms

64 bytes from 192.168.3.145: icmp_req=7 ttl=64 time=0.140
Checking snort log

cg16@cg16:/etc/snort$ sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
04/03-11:53:32.285790 [**] [1:10000001:0] ICMP test pooja[**] [Priority: 0] {IPV6-ICMP}
fe80::1cbd:1fbc:6196:df0b -> ff02::1:ffb0:1437
04/03-11:53:33.286465 [**] [1:10000001:0] ICMP test pooja [**] [Priority: 0] {IPV6-ICMP}
fe80::906:ad47:9ab4:dcfd -> ff02::1:ffb0:1437

Explore the GPG tool of Linux to implement email security
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides
cryptographic privacy and authentication for data communication. PGP is often used for signing,
encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase
the security of e-mail communications.
PGP encryption uses a serial combination of hashing, data compression, symmetric-key
cryptography, and finally public-key cryptography; each step uses one of several supported
algorithms. Each public key is bound to a user name and/or an e-mail address. The first version of
this system was generally known as a web of trust to contrast with the X.509 system, which uses a
hierarchical approach based on certificate authority and which was added to PGP implementations
later. Current versions of PGP encryption include both options through an automated key
management server.
GNU Privacy Guard (GnuPG or GPG) is a free software replacement for Symantec's PGP
cryptographic software suite. GnuPG is a hybrid-encryption software program because it uses a
combination of conventional symmetric-key cryptography for speed, and public-key cryptography
for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key
which is only used once. This mode of operation is part of the OpenPGP standard and has been part
of PGP from its first version.
Procedure:
Installation of gpg
it@it-Vostro-1014:~$ sudo apt-get install gnupg

Suggested packages:
gnupg-curl gnupg-doc parcimonie
The following packages will be upgraded:
gnupg
Need to get 646 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://in.archive.ubuntu.com/ubuntu xenial-updates/main i386 gnupg i386 1.4.20-1ubuntu3.2
[646 kB]
Fetched 646 kB in 2s (246 kB/s)
Preparing to unpack .../gnupg_1.4.20-1ubuntu3.2_i386.deb ...
Unpacking gnupg (1.4.20-1ubuntu3.2) over (1.4.20-1ubuntu3.1) ...
Processing triggers for install-info (6.1.0.dfsg.1-5) ...
Setting up gnupg (1.4.20-1ubuntu3.2) ...
Generation of Key
it@it-Vostro-1014:~$ gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:

(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Tuesday 09 July 2019 10:35:16 PM IST
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: sangita

Email address: sangita.sc@gmail.com
Comment: this is gpg
You selected this USER-ID:
"sangita (this is gpg) <sangita.sc@gmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...........+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 200 more bytes)
...+++++
........+++++
+++++
gpg: /home/it/.gnupg/trustdb.gpg: trustdb created
gpg: key A0FBAFBC marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2019-07-09
pub 4096R/A0FBAFBC 2018-07-09 [expires: 2019-07-09]
Key fingerprint = 2B3A 3324 89F9 13A1 9BEA 2BCB 62E1 F763 A0FB AFBC
uid sangita (this is gpg) <sangita.sc@gmail.com>
sub 4096R/3E147825 2018-07-09 [expires: 2019-07-09]
Listing Keys
it@it-Vostro-1014:~$ gpg --list-keys
/home/it/.gnupg/pubring.gpg
---------------------------
sub 4096R/3E147825 2018-07-09 [expires: 2019-07-09]
it@it-Vostro-1014:~$ gpg --armor --export sangita.sc@gmail.com>mypk

it@it-Vostro-1014:~$ cat mypk
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFtDlhgBEADq+sCM1e9vaHwaLP5HhMU84lLmAMBrdPCVlSUfXeU6yez3jYI+
T6d27D3f8EWIP69mkyN6qf82OTIDrWF2fsUV52ob4v6ftPWV1jPNBs0GQ2ZgHa9v
HqI8yhPEfbVY8BMZ0nwdnUzejcthhdfdaM/Ez9VRbIfMERV3+GJwyXX/Gep4I89J
CwiPLzvcO5/dPTv956YMle9uApUwYMU7bzDdaU1YBWHZ5h31LXe5R/8MwdUUKDwo
OC1TeEgTR1JN3filASVVCIQ67bSysQofTOpoeLfTFCv9rv5MKgGHf/Ejxa27p71h
izjBR+fE8O9jkvWOvU+AkDwn75ESXTFFuZ792ofINRyKXBl/Z+Au4L54veI8wGHV
br8IBeSIluHkqZl3vP/J77NB7k3utxM86BcTm25y7z6FK2fLnllsQUNd3mDyLEtv
TdrW2SF1K/CAe3B26LxUJXsCt52RVwa6Sze0QjvuCRpcMtACyuDa6Vd7ljFwlzOP
feRXMrjDAlAah/26mcetpTc3ri81njjQXvf1P/DaOpT2rHsHdn3zvulTt0VH6hrV
+DG2oKwW50ps9NjM4NbqNd2D0aHbrQr1djnexItBrqkOrucQt+XLevM8LAApT/KB
7Ru7ng+uzOAygAQUTZXrCXAGqPDh/7atX6c5whNpcaF+LfwSZ6yLC1XppQARAQAB
tCxzYW5naXRhICh0aGlzIGlzIGdwZykgPHNhbmdpdGEuc2NAZ21haWwuY29tPokC
PgQTAQIAKAUCW0OWGAIbAwUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4
AA
CgkQYuH3Y6D7r7zhYg//ZlwkGZxQRT4UUWSTg2+oZhWaOVqm0dG9f2fQKYSpEGzk
KKkb315siYsevEKS3kjDApAFKjFls6mqMS07+X2YEKlKdFRpjl00fb7SJ/XMosAb
WxCtyANhSsjwlU2HLnVI8Utm1PGxr5iz19z5++83dZulhigY51yESbk+1Ed7b8tM
3Kf/Wa5qrung8YPDWXab/FGxDbPOLs67cJ5twRRO/GjrvrsQ/gX6Btpb/ns8Y8Lg
Awa9+2Gruk1LTIUntX8caW8PWrllUeIA650+dh3mXUHruCX89F+SnloAO0V51Na8
yxaLDSA8ZyhQs1M8J/f8O13WhC7otlhzlzjf0pImXHQqT29pLCH0BEi3prdkLEzb
Jd9ZHM50iHU7O07HTDJ2iv525d6wWnoNMXk1UJMHK6oIUcyRpJs2PebHP0QlZx2W
vE/4WuQeDakjO2+EYU3Ba49UVg3cnH7x4yj3aR3/GJd9GNQs0X7aA+T/YzPsiSPv
HyM2XOHseVL3JU0cO3WKaR1dKiVdBZKlnwL29d7MLf7vLik1QGclMRpVLLISBTXk
sqT28glcMhRX/v2snZNXAB3SXtzoHjjIwT+VzR591tmftyyYluhvkbWl7yZHVc40
GUB6g4ULFaiLvHPr+tl8xeQFppbP/59BH9Tn8Qpq7rPHH6WvKTkCH6mm7FiokpC5
Ag0EW0OWGAEQAMjQzpOwi/CF6qLpqP2riH2zhBqg4dxghEsJsen1ldEACaHJRFzG
kYaxQVS271om2BljpE4ZmniwOsAy0IpeceHWIjvgNNEIrsGg+7yA1s+2ydhJXCjp
xCLyUzlvihfjRRSnnYCkdTB4Saj+fpO+iTckHTKs0Ajbo93nrISpX0rOrn+rwKah
xbgxX9ViQ9Of9CodMyHyBe7Yedoh2W1ChxZ7Sro3sopOlHRcpj3wqHy4PA5cqkCy
iiD/exUWMI98J2Sh1y562kLYVWBwZYOJFM0RHAD//9of72QMGSno0BQlZj62ow66
eueMzm9Wgswo2fi9CKL/+yRAconPU1fZBRsg2AcLc3S6xIz68CDN9eTJ4g+RLF1A
tfMVPaJvZe2FhUJ+i6GTr7C8MQ67wOxrgPYDcNNaUIGGWxE/jut3/rOPFkWBymVU
9leH7tqa+5T7t8Fe2+lmHoRL+gRZ101JaCzb/ilMempZfXrrQo5UZhLPIre4yazI
FuE/tcRlgFXDQDrUn+jFjCKBNp0WQ+FA8DhXqT3QKzhUf/ZZXO8vbf+DnfycebKk
s2jvdI2nklOWyzSpnRJzaIbqi1mYpT1Xkv4Ml+htsZJj46SVSobnvRPTFVLFrxJF
XPHqCfsZZiV2UYuascQ/vl/7eLRgaVcMRUL9U0Qswfpeqri/7kvbcKNZABEBAAGJ
AiUEGAECAA8FAltDlhgCGwwFCQHhM4AACgkQYuH3Y6D7r7zYFRAAzIsNhjYtDL9/
XFTdTi2tju0qqtAyE98vqcp2s0tBqEop9vbyHjtGvXUD2SxChVCpO5r2NSm63OaO
krDMCFHDhhvMtuFZ7JhdI7js8HesBofqbuBj83NhOKutFdC4e2cG5CiIA/LU9tPa
JguCw4UeNe7adNkjJJcY7Y0VjGJWetIgeH99tMwq7L936Lst9ig9TgMwTUEtWHFr
aHIbz3g6fwdOmzMx71yUQokoVTepu3bjmt+QAksH8eNiluYzD52MpRZPSEkfmmIF
vXvo7Gs2mPkYItaq/wRLYn/UXQPwGX5R7TyFLF61le23QEmM4gYlG/q6ACayqu19
j7A9/anQiogyOss/DYsMKpjcwm1jqN7jvWfwr5GYQdlfbCpAiGOTvpDWY+nmabQ2
1bOfteEIvJOgcQTBvrZFFS72H/krHzH0UikdfmvQpiF2QZ0GGUBR2VQab/2hCIq8
+ZaFx5cA5MG1gy01FT2kjYt++5y5Ekdq1+9xYwF00aM4+ufVHpFYnY85WE46x00c
mveztzPiMMRw84OnEqhh5ebfR2LJGKbd+iyT5IlJMXqJfmR1bkBzp7wSvfGPXUyj
iAyZE2RbzByaT+2Hn26nPzkEl841WkhohwAwKWDs1MuiNaGeyIvnZOCKNBxXY9mt
6jkIjjL1hdBA3U04K7MmHo+6GrcQYGs=
=jpFF
-----END PGP PUBLIC KEY BLOCK-----
it@it-Vostro-1014:~$ gpg --gen-key

Please select what kind of key you want:

(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Tuesday 09 July 2019 11:01:08 PM IST
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: ssc

Name must be at least 5 characters long
Real name: sschaudhari
Email address: sschaudhari@acpce.ac.in
Comment: gpg
You selected this USER-ID:
"sschaudhari (gpg) <sschaudhari@acpce.ac.in>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.

....+++++
...+++++
.+++++
.+++++
gpg: key 4C8FAA8A marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2019-07-09
pub 1024R/4C8FAA8A 2018-07-09 [expires: 2019-07-09]
Key fingerprint = 72CE 9B82 48A2 47A2 5E58 4650 BDA7 5ED2 4C8F AA8A
uid sschaudhari (gpg) <sschaudhari@acpce.ac.in>
sub 1024R/5D9D9E6A 2018-07-09 [expires: 2019-07-09]

---------------------------
sub 4096R/3E147825 2018-07-09 [expires: 2019-07-09]

it@it-Vostro-1014:~$ gpg --import mypk

gpg: key A0FBAFBC: "sangita (this is gpg) <sangita.sc@gmail.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

---------------------------
sub 4096R/3E147825 2018-07-09 [expires: 2019-07-09]

Signing process:
it@it-Vostro-1014:~$ gpg --edit-key sangita@sangita.sc@gmail.com

gpg: key "sangita@sangita.sc@gmail.com" not found: public key not found

it@it-Vostro-1014:~$ gpg --edit-key sangita.sc@gmail.com
Secret key is available.
pub 4096R/A0FBAFBC created: 2018-07-09 expires: 2019-07-09 usage: SC

trust: ultimate validity: ultimate
sub 4096R/3E147825 created: 2018-07-09 expires: 2019-07-09 usage: E
[ultimate] (1). sangita (this is gpg) <sangita.sc@gmail.com>
gpg> fpr
pub 4096R/A0FBAFBC 2018-07-09 sangita (this is gpg) <sangita.sc@gmail.com>
Primary key fingerprint: 2B3A 3324 89F9 13A1 9BEA 2BCB 62E1 F763 A0FB AFBC
gpg> sign
"sangita (this is gpg) <sangita.sc@gmail.com>" was already signed by key A0FBAFBC
Nothing to sign with key A0FBAFBC
gpg> quit
it@it-Vostro-1014:~$ gpg --out secrets_to_sangita_ --encrypt secrets
You did not specify a user ID. (you may use "-r")
Current recipients:
Enter the user ID. End with an empty line: sangita.sc@gmail.com
Current recipients:
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Enter the user ID. End with an empty line: uu

No such user ID.
Current recipients:
Enter the user ID. End with an empty line: uu

No such user ID.
Current recipients:

gpg: skipped: public key already set
Current recipients:
Enter the user ID. End with an empty line: e
Current recipients:
1024R/5D9D9E6A 2018-07-09 "sschaudhari (gpg) <sschaudhari@acpce.ac.in>"
Current recipients:
Enter the user ID. End with an empty line: r

Current recipients:

Current recipients:

Current recipients:
Enter the user ID. End with an empty line:

gpg: can't open `secrets': No such file or directory
gpg: secrets: encryption failed: file open error
it@it-Vostro-1014:~$ gpg --output secrets_from_sangita_ --decrypt secrets_to chaudhari
usage: gpg [options] --decrypt [filename]
it@it-Vostro-1014:~$ gpg --output secrets_from_chaudhari --decrypt secrets_to_sangita_
gpg: can't open `secrets_to_sangita_'
gpg: decrypt_message failed: file open error
it@it-Vostro-1014:~$ gpg --out secrets_san --encrypt secrets
Current recipients:

Current recipients:
Current recipients:

gpg: can't open `secrets': No such file or directory
gpg: secrets: encryption failed: file open error
it@it-Vostro-1014:~$ cat > secrets

hello
how r u?
it@it-Vostro-1014:~$ cat secrets
hello
how r u?
Encryption
it@it-Vostro-1014:~$ gpg --out secrets_san --encrypt secrets

Current recipients:
Current recipients:

it@it-Vostro-1014:~$ ls
a.out Desktop examples.desktop Pictures secrets_san TURBOC3
demo1.nam Documents Music Public Templates Videos
demo1.ns Downloads mypk secrets test.c
it@it-Vostro-1014:~$ cat sectrets_san
cat: sectrets_san: No such file or directory
it@it-Vostro-1014:~$ cat secrets_san
�#
�k�F��ӥ#�D=7�P��#�%#0@��#��C�-bQYz�
؆�|�#!�E�h��
k6\#h��#g�$��i��YBSxeZ��
v�#M�m<,h:6.��5��#�O,r
#��h#�#��F�#ϼz��#��R��#U~^Lnߐ2Fν��zM֝��
��#m+��#�K_##�@7�5Q��mI�M#H�X��0#@�T��NQ-�#��#�臁
�Q�wt��m@�u#t^�R��JU�#�t�q�-�r�K��iʼ��#�}��!a
�B�?��Wu#�#L��p0'/V�2�NKM!IY��}��kg��Fr#�7�$#��#"�
eU��PTC�##Eq#Ž �>5P�D�"�U�w�x��i�Sѣ��
��>�#��#}t
�3�e#��‫ނ‬#�r��A�W.�o#t
"�wU#YZ#��V��9��#(m�&v�l&��`�#>)��©
�1(&6��H�E��Fa�`ls&�{m4E��Q#�
mn��1��
��i�,�fO$�;�d#��S#<�
@)��W�?�#yfB�W�l}
,��;`�&it@it-Vostro-1014:~$
Decryption:
it@it-Vostro-1014:~$ gpg --output secrets_fron_san --decrypt secrets_san
You need a passphrase to unlock the secret key for

user: "sangita (this is gpg) <sangita.sc@gmail.com>"
4096-bit RSA key, ID 3E147825, created 2018-07-09 (main key ID A0FBAFBC)
gpg: encrypted with 4096-bit RSA key, ID 3E147825, created 2018-07-09

"sangita (this is gpg) <sangita.sc@gmail.com>"
it@it-Vostro-1014:~$ ls
a.out Desktop examples.desktop Pictures secrets_fron_san test.c
demo1.nam Documents Music Public secrets_san TURBOC3
demo1.ns Downloads mypk secrets Templates Videos
it@it-Vostro-1014:~$ cat secrets_fron_san
hello
how r u?

it@it-Vostro-1014:~$ ^C
it@it-Vostro-1014:~$

Cryptography and Network Security Lab Manual

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cryptography and Network Security Lab Manual

Uploaded by

Copyright:

Available Formats

Cryptography and Network Security

LAB MANUAL [CNS] Page 1

Lab Outcome: Students will learn to:

PC With following Configuration

1. Intel Core i3/i5/i7 Processor

1. Windows or Linux Desktop OS

LAB MANUAL [CNS] Page 2

LAB MANUAL [CNS] Page 3

Enter the input to be encrypted:

LAB MANUAL [CNS] Page 4

Final encrypted text:

LAB MANUAL [CNS] Page 5

LAB MANUAL [CNS] Page 6

The ciphertext is then read off as:

EVLNE ACDTK ESEAQ ROFOJ DEECU WIREE

LAB MANUAL [CNS] Page 7

Encryption and Decryption

LAB MANUAL [CNS] Page 8

LAB MANUAL [CNS] Page 9

Encryption and Decryption

LAB MANUAL [CNS] Page 11

LAB MANUAL [CNS] Page 13

To sign: use a private signing algorithm

To verify: use a public verification algorithm

The basic protocol:

1. Alice encrypts the document with her private key.

2. Alice sends the signed document to Bob.

3. Bob decrypts the document with Alice’s public key.

RSA Signature Scheme

1. Alice chooses secret odd primes p,q and computes n=pq.

2. Alice chooses eA with gcd(eA,Φ(n))=1.

3. Alice computes dA = eA-1 mod Φ(n).

4. Alice’s signature is y = mdA mod n.

5. The signed message is (m,y).

LAB MANUAL [CNS] Page 14

public class MainClass {

byte[] data = "test".getBytes("UTF8");

Signature sig = Signature.getInstance("MD5WithRSA");

LAB MANUAL [CNS] Page 15

4. Alice computes YA = (g^XA) mod p.

LAB MANUAL [CNS] Page 16

public class DiffieHellman {

final static BigInteger one = new BigInteger("1");

public static void main(String args[]) {

Scanner stdin = new Scanner(System.in);

// Get a start spot to pick a prime from the user.

// Get the base for exponentiation from the user.

// Get A’s secret number.

// Make A’s calculation.

// This is the value that will get sent from A to B.

// Get B’s secret number.

// Make B’s calculation.

// This is the value that will get sent from B to A.

// Print out the Key A calculates.

System.out.println("A takes" + resultb + "raises it to the power" + a + "mod" + n);

// Print out the Key B calculates.

public static BigInteger getNextPrime(String ans) {

BigInteger test = new BigInteger(ans);

LAB MANUAL [CNS] Page 18

LAB MANUAL [CNS] Page 19

 , , ,  denote the XOR, AND, OR and NOToperations respectively.

LAB MANUAL [CNS] Page 20

4. Process Message in 16Word Blocks