Professional Documents
Culture Documents
Lab Manual
Hardware Requirements
2. 4 GB RAM
3. 500 GB Harddisk
Software Requirements
2. wireshark
3. ARPWATCH
4. Kismet
5. NESSUS
Theory:
Source Code:
import java.util.*;
class ProductCipher {
public static void main(String args[]) {
System.out.println("Enter the input to be encrypted:");
String substitutionInput = new Scanner(System.in).nextLine();
System.out.println("Enter a number:");
int n = new Scanner(System.in).nextInt();
// Substitution encryption
StringBuffer substitutionOutput = new StringBuffer();
for(int i=0 ; i<substitutionInput.length() ; i++) {
char c = substitutionInput.charAt(i);
substitutionOutput.append((char) (c+5));
}
System.out.println("\nSubstituted text:");
System.out.println(substitutionOutput);
// Transposition encryption
String transpositionInput = substitutionOutput.toString();
int modulus;
if((modulus = transpositionInput.length()%n) != 0) {
modulus = n-modulus;
// ‘modulus’ is now the number of blanks/padding (X) to be appended
for( ; modulus!=0 ; modulus--) {
transpositionInput += "/";
}
}
StringBuffer transpositionOutput = new StringBuffer();
System.out.println("\nTransposition Matrix:");
for(int i=0 ; i<n ; i++) {
for(int j=0 ; j<transpositionInput.length()/n ; j++) {
char c = transpositionInput.charAt(i+(j*n));
System.out.print(c);
// Transposition decryption
n = transpositionOutput.length()/n;
StringBuffer transpositionPlaintext = new StringBuffer();
for(int i=0 ; i<n ; i++) {
for(int j=0 ; j<transpositionOutput.length()/n ; j++) {
char c = transpositionOutput.charAt(i+(j*n));
transpositionPlaintext.append(c);
}
}
// Substitution decryption
StringBuffer plaintext = new StringBuffer();
for(int i=0 ; i<transpositionPlaintext.length() ; i++) {
char c = transpositionPlaintext.charAt(i);
plaintext.append((char) (c-5));
}
System.out.println("\nPlaintext:");
System.out.println(plaintext);
}
}
Output:
Substituted text:
xfslnyf
Transposition Matrix:
xlf
fn/
Plaintext:
sangita
Theory:
Substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext
according to a regular system; the "units" may be single letters (the most common), pairs of letters,
triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing
an inverse substitution.
Transposition cipher is a method of encryption by which the positions held by units of plaintext
(which are commonly characters or groups of characters) are shifted according to a regular system,
so that the ciphertext constitutes a permutation of the plaintext. That is, the order of the units is
changed.
Substitution ciphers can be compared with Transposition ciphers. In a transposition cipher, the units
of the plaintext are rearranged in a different and usually quite complex order, but the units themselves
are left unchanged. By contrast, in a substitution cipher, the units of the plaintext are retained in the
same sequence in the ciphertext, but the units themselves are altered.
1. Caesar Cipher: In cryptography, a Caesar cipher, also known as a Caesar's cipher, the shift cipher,
Caesar's code or Caesar shift, is one of the simplest and most widely known encryption techniques.
It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed
number of positions down the alphabet. For example, with a shift of 3, A would be replaced by D, B
would become E, and so on. The method is named after Julius Caesar, who used it to communicate
with his generals.
Example:
The transformation can be represented by aligning two alphabets; the cipher alphabet is the plain
alphabet rotated left or right by some number of positions. For instance, here is a Caesar cipher using
a left rotation of three places (the shift parameter, here 3, is used as the key):
Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC
When encrypting, a person looks up each letter of the message in the "plain" line and writes down the
corresponding letter in the "cipher" line. Deciphering is done in reverse.
Plaintext: the quick brown fox jumps over the lazy dog
Ciphertext: WKH TXLFN EURZQ IRA MXPSV RYHU WKH ODCB GRJ
In a regular columnar transposition cipher, any spare spaces are filled with nulls; in an irregular
columnar transposition cipher, the spaces are left blank. Finally, the message is read off in columns,
in the order specified by the keyword. For example, suppose we use the keyword ZEBRAS and the
message WE ARE DISCOVERED. FLEE AT ONCE. In a regular columnar transposition, we write
this into the grid as:
632415WEAREDISCOVEREDFLEEATONCEQKJEU
RSA was invented by Ron Rivest, Adi Shamir, and Len Adleman and hence, it is termed as
RSA cryptosystem.We will see two aspects of the RSA cryptosystem, firstly generation of key
pair and secondly encryption-decryption algorithms.
Generation of RSA Key Pair
Each person or a party who desires to participate in communication using encryption needs to
generate a pair of keys, namely public key and private key. The process followed in the generation of
keys is described below −
● Generate the RSA modulus (n)
○ Select two large primes, p and q.
○ Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically
a minimum of 512 bits.
● Find Derived Number (e)
○ Number e must be greater than 1 and less than (p − 1)(q − 1).
○ There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words
two numbers e and (p – 1)(q – 1) are coprime.
● Form the public key
○ The pair of numbers (n, e) form the RSA public key and is made public.
if(k==1)
{
e=i;
break search;
}
}
}
System.out.println("e="+e);
go:{
for(int i=1;i<=pn;i++)
{
int x=(e*i)%pn;
if(x==1)
{
System.out.println("d="+i);
System.out.println("The private key is (d) "+i);
d=i;
break go;
}
}
}
System.out.println("The public key is (n,e) "+n+", "+e);
String t;
int c;
System.out.println("Enter plaintext");
t=sc.next();
int m = 0;
for (int i = 0; i < t.length(); i++){
m += (int)t.charAt(i);
}
c=((m)^e)%n;
System.out.println("The Encryted message is "+m);
m=(c^d)%n;
LAB MANUAL [CNS] Page 12
System.out.println("The decrypted message is "+t);
}
}
Input and Output:
Theory:
A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message
or documents. A valid digital signature gives a recipient reason to believe that the message was
created by a known sender, that the sender cannot deny having sent the message (authentication and
non-repudiation), and that the message was not altered in transit.
Alice wants to sign message m. She computes the signature of m (let’s call it y) and sends the signed
message (m,y) to Bob. Bob gets (m,y), runs the verification algorithm on it. The algorithm returns
“true” iff y is Alice’s signature of m.
6. Bob can verify the signature by calculating z = yea mod n. (The signature is valid iff m=z).
import sun.misc.BASE64Encoder;
sig.initVerify(keyPair.getPublic());
sig.update(data);
System.out.println(sig.verify(signatureBytes));
}
}
Output:
Singature:ecmcCxZyBjI4ueSJF3mULwVM9YnYHq8137X1DOnIq9KRClUpdfQjAn75t9Gm72Uh
jzPp/w r0vSSj
GlNdgACyqrQc0fbAXLCBwibstPO8ojEerLjJzaGfly9VZA+dCOZNpChELBDDEHMJ+RZSf0H3
SUEH 8/48p5EbQGDNutgAk/c
Theory:
Diffie-Hellman key exchange is a cryptographic protocol that allows two parties that have no prior
knowledge of each other to jointly establish a shared secret key over an insecure communications
channel. This key can then be used to encrypt subsequent communications using a symmetric key
cipher.
The simplest, and original, implementation of the protocol uses the Multiplicative group of integers
modulo p, where p is prime and g is primitive root mod p. Here is an example of the protocol:
1. Alice and Bob agree to use a prime number p=23 and base g=5.
2. Alice chooses a secret integer Xa=6, then sends Bob (g^XA) mod p.
56 mod 23 = 8.
3. Bob chooses a secret integer Xb=15, then sends Alice (g^XB) mod p.
515 mod 3 = 19.
In the original description, the Diffie-Hellman exchange by itself does not provide authentication of
the communicating parties and is thus vulnerable to a man-in-the-middle attack. A person in the
middle may establish two distinct Diffie-Hellman key exchanges, one with Alice and the other with
Bob, effectively masquerading as Alice to Bob, and vice versa, allowing the attacker to decrypt (and
read or store) then re-encrypt the messages passed between them. A method to authenticate the
communicating parties to each other is generally needed to prevent this type of attack.
Algorithm:
Alice and Bob, two users who wish to establish secure communications. We can assume that Alice
and Bob know nothing about each other but are in contact.
1. Communicating in the clear, Alice and Bob agree on two large positive integers, p and g,
where p is a prime number and g is a primitive root mod p.
2. Alice randomly chooses another large positive integer, XA, which is smaller than p. XA will
serve as Alice's private key.
3. Bob similarly chooses his own private key, XB.
4. Alice computes her public key, YA, using the formula YA = (g^XA) mod p.
5. Bob similarly computes his public key, YB, using the formula YB = (g^XB) mod p.
6. Alice and Bob exchange public keys over the insecure circuit.
Source Code:
import java.util.*;
import java.math.BigInteger;
// Once A and B receive their values, they make their new calculations.
// This involved getting their new numbers and raising them to the
// same power as before, their secret number.
BigInteger KeyACalculates = resultb.modPow(a, n);
BigInteger KeyBCalculates = resulta.modPow(b, n);
Output:
Enter the first prime no:
7
First prime is: 7.
Theory:
MD5 (Message Digest algorithm 5) is a widely used cryptographic hash function with a 128bit
hash value. An MD5 hash is typically expressed as a 32 digit hexadecimal number. MD5 processes a
variable length message into a fixed length output of 128 bits. The input message is broken up into
chunks of 512 bit blocks (sixteen 32bit little endian integers) ; The message is padded so that its
length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end
of the message. This is followed by as many zeros as are required to bring the length of the message
up to 64 bits less than a multiple of 512. The remaining bits are filled up with a 64bit integer
representing the length of the original message, in bits.
The main MD5 algorithm operates on a 128bit state, divided into four 32bit words, denoted
A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on
each 512bit message block in turn, each block modifying the state. The processing of a message block
consists of four similar stages, termed rounds; each round is composed of 16 similar operations based
on a nonlinear function F, modular addition, and left rotation.
Figure 1: One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16
operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32bit block of
the message input, and Ki denotes a 32bit constant, different for each operation.
Figure 1 illustrates one operation within a round. There are four possible functions F; a different one
is used in each round:
F ( X , Y , Z ) = ( X Y ) ( X Z )
G ( X , Y , Z ) = ( X Z ) (Y Z )
I ( X , Y , Z ) = Y ( X Z )
2. Append Length
A 64bit representation of b (the length of the message before the padding bits were added) is appended
to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the
loworder 64 bits of b are used. (These bits are appended as two 32bit words and appended loworder
word first in accordance with the previous conventions.) At this point the resulting message (after
padding with bits and with b) has a length that is an exact multiple of 512 bits. Equivalently, this
message has a length that is an exact multiple of 16 (32 bit) words. Let M[0 ... N1] denote the words
of the resulting message, where N is a multiple of 16.
3. Initialize MD Buffer
A fourword buffer (A,B,C,D) is used to compute the message digest. Here each of A, B, C, D is a
32bit register. These registers are initialized to the following values in hexadecimal, loworder bytes
first):
5. Output
The message digest produced as output is A, B, C, D. That is, we begin with the low order byte of A,
and end with the highorder byte of D.
Source Code:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
public class SimpleMD5Example
{
public static void main(String[] args)
{
String passwordToHash = "password";
String generatedPassword = null;
Output:
5f4dcc3b5aa765d61d8327deb882cf99
Theory:
Kismet is an open source wireless network analyzer running under the Linux, Unix and Mac OS.
Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet works
with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a,
802.11g, and 802.11n traffic. Kismet identifies networks by passively collecting packets and
detecting networks.
Installation of Kismet:
Output:
WHOIS :
WHOIS is the Linux utility for searching an object in a WHOIS database. The WHOIS database of
a domain is the publicly displayed information about a domains ownership, billing, technical,
administrative, and nameserver information. Running a WHOIS on your domain will look the domain
up at the registrar for the domain information. All domains have WHOIS information. WHOIS
database can be queried to obtain the following information via
WHOIS:
Dig - Dig is a networking tool that can query DNS servers for information. It can be very helpful for
diagnosing problems with domain pointing and is a good way to verify that your configuration is
working. The most basic way to use dig is to specify the domain we wish to query:
dig example.com
$ dig duckduckgo.com
;; Got answer:
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 99 IN A 107.21.1.61
duckduckgo.com. 99 IN A 184.72.106.253
duckduckgo.com. 99 IN A 184.72.115.86
;; SERVER: 8.8.8.8#53(8.8.8.8)
The lines above act as a header for the query performed. It is possible to run dig in batch mode,
;; Got answer:
The next section gives us a technical summary of our query results. We can see that the query
was successful, certain flags were used, and that 4 "answers" were received.
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 99 IN A 107.21.1.61
duckduckgo.com. 99 IN A 184.72.106.253
duckduckgo.com. 99 IN A 184.72.106.52
duckduckgo.com. 99 IN A 184.72.115.86
The above section of the output contains the actual results we were looking for. It restates the
query and then returns the matching DNS records for that domain name.
Here, we can see that there are four "A" records for "duckduckgo.com". By default, "A" records
are returned. This gives us the IP addresses that the domain name resolves to.
The "99" is the TTL (time to live) before the DNS server rechecks the association between the
domain name and the IP address. The "IN" means the class of the record is a standard internet
class.
LAB MANUAL [CNS] Page 32
;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
These lines simply provide some statistics about the actual query results. The query time can be
Traceroute - traceroute prints the route that packets take to a network host. Traceroute utility uses
the TTL field in the IP header to achieve its operation. For users who are new to TTL field, this field
describes how much hops a particular packet will take while traveling on network. So, this effectively
outlines the lifetime of the packet on network. This field is usually set to 32 or 64. Each time the
packet is held on an intermediate router, it decreases the TTL value by 1. When a router finds the
TTL value of 1 in a received packet then that packet is not forwarded but instead discarded. After
discarding the packet, router sends an ICMP error message of ―Time exceeded‖ back to the source
from where packet generated. The ICMP packet that is sent back contains the IP address of the router.
So now it can be easily understood that traceroute operates by sending packets with TTL value starting
from 1 and then incrementing by one each time. Each time a router receives the packet, it checks the
TTL field, if TTL field is 1 then it discards the packet and sends the ICMP error packet containing its
IP address and this is what traceroute requires. So traceroute incrementally fetches the IP of all the
routers between the source and the destination.
Nslookup - The nslookup command is used to query internet name servers interactively for
information. nslookup, which stands for "name server lookup", is a useful tool for finding out
information about a named domain. By default, nslookup will translate a domain name to an IP
address (or vice versa). For instance, to find out what the IP address of microsoft.com is, you could
run the command:
LAB MANUAL [CNS] Page 33
nslookup microsoft.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name:
microsoft.com
Address: 134.170.185.46
Name:
microsoft.com
Address: 134.170.188.221
Here, 8.8.8.8 is the address of our system's Domain Name Server. This is the server our system is
configured to use to translate domain names into IP addresses. "#53" indicates that we are
communicating with it on port 53, which is the standard port number domain name servers use to
accept queries. Below this, we have our lookup information for microsoft.com. Our name server
returned two entries, 134.170.185.46 and 134.170.188.221. This indicates that microsoft.com uses a
round robin setup to distribute server load. When you accessmicrsoft.com, you may be directed to
either of these servers and your packets will be routed to the correct destination. You can see that we
have received a "Non-authoritative answer" to our query. An answer is "authoritative" only if our
DNS has the complete zone file information for the domain in question. More often, our DNS will
have a cache of information representing the last authoritative answer it received when it made a
similar query, this information is passed on to you, but the server qualifies it as "non-authoritative":
the information was recently received from an authoritative source, but the DNS server is not itself
that authority.
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and
display them in human-readable format. Wireshark includes filters, color-coding and other features
that let you dig deep into network traffic and inspect individual packets.
Features of Wireshark :
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
• Import packets from text files containing hex dumps of packet data.
Capturing Packets
After downloading and installing wireshark, you can launch it and click the name of an interface
under Interface List to start capturing packets on that interface. For example, if you want to capture
traffic on the wireless network, click your wireless interface. You can configure advanced features
by clicking Capture Options.
Installation of Wireshark:
sudo apt-get install wireshark
As soon as you click the interface‘s name, you‘ll see the packets start to appear in real time.
Wireshark captures each packet sent to or from your system. If you‘re capturing on a wireless
LAB MANUAL [CNS] Page 36
interface and have promiscuous mode enabled in your capture options, you‘ll also see other the
other packets on the network
Click the stop capture button near the top left corner of the window when you want to stop capturing
traffic.
Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP
traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with
LAB MANUAL [CNS] Page 37
problems — for example, they could have been delivered out-of-order.
Filtering Packets
If you‘re trying to inspect something specific, such as the traffic a program sends when phoning home,
it helps to close down all other applications using the network so you can narrow down the traffic.
Still, you‘ll likely have a large amount of packets to sift through. That‘s where Wireshark‘s filters
come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and
clicking Apply (or pressing Enter). For example, type ―dns‖ and you‘ll see only DNS packets. When
you start typing, Wireshark will help you autocomplete your filter.
perform OS fingerprinting, do a ping scan, tcp port scan, udp port scan, etc.
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his
pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus
creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the
target host and then analyzes the responses. Unlike many simple port scanners that just send packets
at some predefined constant rate, Nmap accounts for the network conditions (latency fluctuations,
network congestion, the target interference with the scan) during the run. Also, owing to the large and
active user community providing feedback and contributing to its features, Nmap has been able to
extend its discovery capabilities beyond simply figuring out whether a host is up or down and which
ports are open and closed; it can determine the operating system of the target, names and versions of
the listening services, estimated uptime, type of device, and presence of a firewall.
Nmap features include:
• Host Discovery – Identifying hosts on a network. For example, listing the hosts which respond
to pings or have a particular port open.
• Port Scanning – Enumerating the open ports on one or more target hosts.
• Version Detection – Interrogating listening network services listening on remote devices to
determine the application name and version number.
• OS Detection – Remotely determining the operating system and some hardware
characteristics of network devices.
Basic commands working in Nmap:
• For target specifications: nmap <target‘s URL or IP with spaces between them>
• For OS detection: nmap -O <target-host's URL or IP>
• For version detection: nmap -sV <target-host's URL or IP>
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly,
scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is
also relatively unobtrusive and stealthy since it never completes TCP connections
Algorithm\Implementation Steps\Installation Steps:
• Installing Nmap from the link.
sudo apt-get install nmap
• Obtaining Your IP addresses.
LAB MANUAL [CNS] Page 40
Use the ifconfig command in Linux.
• Performing a Scan of the Local Network.
1. For the following steps, please use the nmap command line tool installed on Ubuntu
2. Scan your subnet to determine how many hosts can be found. For example, if you are on the
192.168.1.0 subnet, you would enter the following command: nmap –sP 192.168.1.*
i. What is your subnet? ________________
ii. How many hosts were found? ________________
3. Next perform a stealth scan (Please use the IP for your subnet): nmap –sS –P0 –p 192.169.1.*
4. Now, you’ll perform an OS identification. Use the Linux O/S to scan your Windows machine:
i. nmap –O Windows_IP_ADDRESS
ii. OS Type 1:______________________________
iii. Now we want to use the Windows machine to scan the Linux O/S. Go to a
Windows DOS prompt and enter the following command:
iv. nmap –O Linux_IP_ADDRESS
v. Now we will perform a service selection scan. Let’s scan for all computers
with FTP running. We would do that as follows:
nmap –p21 192.168.1.*
5. List the IP addresses with that has the FTP open: _____________________
Input and Output:
• Installation of nmap:
> sudo apt-get install nmap
• -O (Enable OS detection) .
Enables OS detection, as discussed above. Alternatively, you can use -A to enable OS
detection along with other things.
This tool is especially useful for Network administrators to keep a watch on ARP activity to
detect ARP spoofing or unexpected IP/MAC addresses modifications.
Installing Arpwatch in Linux
To watch a specific interface, type the following command with ‗-i‗ and device name.
# arpwatch -i eth0
So, whenever a new MAC is plugged or a particular IP is changing his MAC address on the
network, you will notice syslog entries at ‗/var/log/syslog‗ or ‗/var/log/message‗ file.
A Distributed Denial of Service (DDoS) attack is a DoS attack that comes from more than one source
at the same time. A DDoS attack is typically generated using thousands (potentially hundreds of
thousands) of unsuspecting zombie machines. The machines used in such attacks are collectively
known as “botnets” and will have previously been infected with malicious software, so they can be
remotely controlled by the attacker. According to research, tens of millions of computers are likely
to be infected with botnet programs worldwide.
Cybercriminals use DoS attacks to extort money from companies that rely on their websites being
accessible. But there have also been examples of legitimate businesses having paid underground
elements of the Internet to help them cripple rival websites. In addition, cybercriminals combine DoS
attacks and phishing to target online bank customers. They use a DoS attack to take down the bank's
website and then send out phishing e-mails to direct customers to a fake emergency site instead.
Algorithm\Implementation Steps\Installation Steps:
1. Install Hping3 and wireshark
2. Flood the victim with TCP/ICMP/UDP packet using Hping (-- flood option)
3. Observe the Dos attack and DDos attack using Wireshark
Nessus is one of the most popular and capable vulnerability scanners, particularly for UNIX systems.
It was initially free and open source, but they closed the source code in 2005 and removed the free
"Registered Feed" version in 2008. It now costs $1,200 per year, which still beats many of its
competitors. A free “Home Feed” is also available, though it is limited and only licensed for home
network use. Nessus is constantly updated with more than 46,000 plug-ins. Key features include
remote and local (authenticated) security checks, client/server architecture with a web-based
interface, and an embedded scripting language for writing your own plug-ins or understanding the
existing ones.
Installation Steps:
- Sign in for Nessus vulnerability scanner using login name and password
4. Create scan by clicking scan-> add scan -> provide scan details(scan name, type of scan, target
addr etc)
5. Check vulnerability report in Results
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session. IPsec
includes protocols for establishing mutual authentication between agents at the beginning of the
session and negotiation of cryptographic keys to be used during the session. IPsec can be used in
protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a host (network-to-host)
Internet Protocol security (IPsec) uses cryptographic security services to protect communications
over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin
authentication, data integrity, data confidentiality (encryption), and replay protection.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite,
while some other Internet security systems in widespread use, such as Transport Layer Security (TLS)
and Secure Shell (SSH), operate in the upper layers at Application layer. Hence, only IPsec protects
any application traffic over an IP network. Applications can be automatically secured by IPsec at the
IP layer.
Here ipsec is implemented using strongSwan tool. strongSwan is a IPsec implementation. It uses
openSSL pluugin (Eliptic Curve Cryptography).
Let two servers be red server (192.168.4.144) and blue server (192.168.4.145)
The following packages were automatically installed and are no longer required:
linux-headers-4.10.0-38 linux-headers-4.10.0-38-generic
linux-headers-4.13.0-32 linux-headers-4.13.0-32-generic
linux-headers-4.13.0-33 linux-headers-4.13.0-33-generic
linux-headers-4.13.0-37 linux-headers-4.13.0-37-generic
linux-image-4.10.0-38-generic linux-image-4.13.0-32-generic
linux-image-4.13.0-33-generic linux-image-4.13.0-37-generic
linux-image-extra-4.10.0-38-generic linux-image-extra-4.13.0-32-generic
linux-image-extra-4.13.0-33-generic linux-image-extra-4.13.0-37-generic
strongswan-libcharon
Suggested packages:
libstrongswan-extra-plugins libcharon-extra-plugins
racoon
strongswan-libcharon strongswan-starter
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent
xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
LAB MANUAL [CNS] Page 67
192.168.4.144
Connections:
Routed Connections:
None
The following packages were automatically installed and are no longer required:
linux-headers-4.13.0-32-generic linux-headers-4.13.0-36
linux-headers-4.13.0-36-generic linux-headers-4.13.0-37
linux-headers-4.13.0-37-generic linux-image-4.13.0-32-generic
linux-image-4.13.0-36-generic linux-image-4.13.0-37-generic
linux-image-extra-4.13.0-32-generic linux-image-extra-4.13.0-36-generic
linux-image-extra-4.13.0-37-generic
strongswan-libcharon
Suggested packages:
libstrongswan-extra-plugins libcharon-extra-plugins
racoon
strongswan-libcharon strongswan-starter
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by
Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the
most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly
400,000 registered users, Snort has become the de facto standard for IPS.
1. Sniffer mode : It simply reads the packets off of the network and displays them for you in a
continuous stream on the console (screen)
2. Packet Logger mode : logs the packets to disk
3. Network Intrusion Detection System (NIDS) mode: it performs detection and analysis on
network traffic. This is the most complex and configurable mode.
Input/Output
1. Sniffer Mode
• Printing out the TCP/IP packet headers to the screen (i.e. sniffer mode)
C:\snort\bin> snort -v
This command will run Snort and just show the IP and TCP/UDP/ICMP headers
This instructs Snort to display the packet data as well as the headers.
LAB MANUAL [CNS] Page 77
• For more descriptive display, showing the data link layer headers
C:\snort\bin>snort -vde
As an aside, notice that the command line switches can be listed separately or in a combined
form. Same result can be obtained using
C:\snort\bin>snort -d -v –e
• Other commands
If you want to record the packets to the disk, you need to specify a logging directory and Snort will
automatically know to go into packet logger mode:
Of course, this assumes you have a directory named log in the current directory. If you don't, Snort
will exit with an error message. When Snort runs in this mode, it collects every packet it sees and
places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram.
If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the
remote computer as the directory in which it places packets and sometimes it uses the local host
address. In order to log relative to the home network, you need to tell Snort which network is the
home network:
This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application
data into the directory ./log, and you want to log the packets relative to the 192.168.1.0 class C
network. All incoming packets will be recorded into subdirectories of the log directory, with the
directory names being based on the address of the remote (non-192.168.1) host.
c:\snort\bin>snort -l c:\snort\log -b
Note the command line changes here. We don't need to specify a home network any longer because
binary mode logs everything into a single file, which eliminates the need to tell it how to format the
output directory structure. Additionally, you don't need to run in verbose mode or specify the -d or -
e switches because in binary mode the entire packet is logged, not just sections of it. All you really
need to do to place Snort into logger mode is to specify a logging directory at the command line using
the -l switch--the -b binary logging switch merely provides a modifier that tells Snort to log the
packets in something other than the default output format of plain ASCII text.
Once the packets have been logged to the binary file, you can read the packets back out of the file
with any sniffer that supports the tcpdump binary format (such as tcpdump or Ethereal). Snort can
also read the packets back by using the -r switch, which puts it into playback mode. Packets from any
tcpdump formatted file can be processed through Snort in any of its run modes. For example, if you
wanted to run a binary log file through Snort in sniffer mode to dump the packets to the screen, you
can try something like this:
You can manipulate the data in the file in a number of ways through Snort's packet logging and
intrusion detection modes, as well as with the BPF interface that's available from the command line.
For example, if you only wanted to see the ICMP packets from the log file, simply specify a BPF
filter at the command line and Snort will only see the ICMP packets in the file:
Note here created a simple rule which will display corresponding message
When ping command is used i.e ICMP
cg16@cg16:/etc/snort/rules$ sudogeditlocald.rules
cg16@cg16:/etc/snort/rules$ cat locald.rules
alerticmp any any -> $HOME_NET any (msg:"ICMP test pooja"; sid:10000002;)
cg16@cg16:/etc/snort/rules$ ls
attack-responses.rules community-web-iis.rules
community-misc.rulesimap.rulestftp.rules
community-nntp.rulesinfo.rulesvirus.rules
community-oracle.ruleslocald.rules web-attacks.rules
community-policy.ruleslocal.rules web-cgi.rules
community-sip.rulesmisc.rules
include $RULE_PATH/locald.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
LAB MANUAL [CNS] Page 81
## include $RULE_PATH/blacklist.rules
## include $RULE_PATH/botnet-cnc.rules
##include $RULE_PATH/chat.rules
## include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/community-dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/community-exploit.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/community-ftp.rules
##include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/community-imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/community-nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/community-oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
## include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
## include $RULE_PATH/community-policy.rules
## include $RULE_PATH/community-inappropriate.rules
## include $RULE_PATH/community-game.rules
## include $RULE_PATH/community-misc.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
## include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
## Note: this rule is extremely chatty, enable with care
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/community-smtp.rules
#include $RULE_PATH/snmp.rules
## include $RULE_PATH/specific-threats.rules
# #include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
LAB MANUAL [CNS] Page 82
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
##include $RULE_PATH/community-virus.rules
#include $RULE_PATH/community-bot.rules
## include $RULE_PATH/voip.rules
#include $RULE_PATH/community-sip.rules
## Specific web server rules:
## include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/community-sql-injection.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/community-web-dos.rules
#include $RULE_PATH/community-web-iis.rules
#include $RULE_PATH/community-web-misc.rules
#include $RULE_PATH/community-web-php.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/community-sql-injection.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/community-web-dos.rules
#include $RULE_PATH/community-web-iis.rules
#include $RULE_PATH/community-web-misc.rules
#include $RULE_PATH/community-web-php.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/test.rules
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides
cryptographic privacy and authentication for data communication. PGP is often used for signing,
encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase
the security of e-mail communications.
PGP encryption uses a serial combination of hashing, data compression, symmetric-key
cryptography, and finally public-key cryptography; each step uses one of several supported
algorithms. Each public key is bound to a user name and/or an e-mail address. The first version of
this system was generally known as a web of trust to contrast with the X.509 system, which uses a
hierarchical approach based on certificate authority and which was added to PGP implementations
later. Current versions of PGP encryption include both options through an automated key
management server.
GNU Privacy Guard (GnuPG or GPG) is a free software replacement for Symantec's PGP
cryptographic software suite. GnuPG is a hybrid-encryption software program because it uses a
combination of conventional symmetric-key cryptography for speed, and public-key cryptography
for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key
which is only used once. This mode of operation is part of the OpenPGP standard and has been part
of PGP from its first version.
Procedure:
Installation of gpg
Generation of Key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 200 more bytes)
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 256 more bytes)
........+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 246 more bytes)
+++++
gpg: /home/it/.gnupg/trustdb.gpg: trustdb created
gpg: key A0FBAFBC marked as ultimately trusted
public and secret key created and signed.
Listing Keys
/home/it/.gnupg/pubring.gpg
---------------------------
pub 4096R/A0FBAFBC 2018-07-09 [expires: 2019-07-09]
LAB MANUAL [CNS] Page 87
uid sangita (this is gpg) <sangita.sc@gmail.com>
sub 4096R/3E147825 2018-07-09 [expires: 2019-07-09]
mQINBFtDlhgBEADq+sCM1e9vaHwaLP5HhMU84lLmAMBrdPCVlSUfXeU6yez3jYI+
T6d27D3f8EWIP69mkyN6qf82OTIDrWF2fsUV52ob4v6ftPWV1jPNBs0GQ2ZgHa9v
HqI8yhPEfbVY8BMZ0nwdnUzejcthhdfdaM/Ez9VRbIfMERV3+GJwyXX/Gep4I89J
CwiPLzvcO5/dPTv956YMle9uApUwYMU7bzDdaU1YBWHZ5h31LXe5R/8MwdUUKDwo
OC1TeEgTR1JN3filASVVCIQ67bSysQofTOpoeLfTFCv9rv5MKgGHf/Ejxa27p71h
izjBR+fE8O9jkvWOvU+AkDwn75ESXTFFuZ792ofINRyKXBl/Z+Au4L54veI8wGHV
br8IBeSIluHkqZl3vP/J77NB7k3utxM86BcTm25y7z6FK2fLnllsQUNd3mDyLEtv
TdrW2SF1K/CAe3B26LxUJXsCt52RVwa6Sze0QjvuCRpcMtACyuDa6Vd7ljFwlzOP
feRXMrjDAlAah/26mcetpTc3ri81njjQXvf1P/DaOpT2rHsHdn3zvulTt0VH6hrV
+DG2oKwW50ps9NjM4NbqNd2D0aHbrQr1djnexItBrqkOrucQt+XLevM8LAApT/KB
7Ru7ng+uzOAygAQUTZXrCXAGqPDh/7atX6c5whNpcaF+LfwSZ6yLC1XppQARAQAB
tCxzYW5naXRhICh0aGlzIGlzIGdwZykgPHNhbmdpdGEuc2NAZ21haWwuY29tPokC
PgQTAQIAKAUCW0OWGAIbAwUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4
AA
CgkQYuH3Y6D7r7zhYg//ZlwkGZxQRT4UUWSTg2+oZhWaOVqm0dG9f2fQKYSpEGzk
KKkb315siYsevEKS3kjDApAFKjFls6mqMS07+X2YEKlKdFRpjl00fb7SJ/XMosAb
WxCtyANhSsjwlU2HLnVI8Utm1PGxr5iz19z5++83dZulhigY51yESbk+1Ed7b8tM
3Kf/Wa5qrung8YPDWXab/FGxDbPOLs67cJ5twRRO/GjrvrsQ/gX6Btpb/ns8Y8Lg
Awa9+2Gruk1LTIUntX8caW8PWrllUeIA650+dh3mXUHruCX89F+SnloAO0V51Na8
yxaLDSA8ZyhQs1M8J/f8O13WhC7otlhzlzjf0pImXHQqT29pLCH0BEi3prdkLEzb
Jd9ZHM50iHU7O07HTDJ2iv525d6wWnoNMXk1UJMHK6oIUcyRpJs2PebHP0QlZx2W
vE/4WuQeDakjO2+EYU3Ba49UVg3cnH7x4yj3aR3/GJd9GNQs0X7aA+T/YzPsiSPv
HyM2XOHseVL3JU0cO3WKaR1dKiVdBZKlnwL29d7MLf7vLik1QGclMRpVLLISBTXk
sqT28glcMhRX/v2snZNXAB3SXtzoHjjIwT+VzR591tmftyyYluhvkbWl7yZHVc40
GUB6g4ULFaiLvHPr+tl8xeQFppbP/59BH9Tn8Qpq7rPHH6WvKTkCH6mm7FiokpC5
Ag0EW0OWGAEQAMjQzpOwi/CF6qLpqP2riH2zhBqg4dxghEsJsen1ldEACaHJRFzG
kYaxQVS271om2BljpE4ZmniwOsAy0IpeceHWIjvgNNEIrsGg+7yA1s+2ydhJXCjp
xCLyUzlvihfjRRSnnYCkdTB4Saj+fpO+iTckHTKs0Ajbo93nrISpX0rOrn+rwKah
xbgxX9ViQ9Of9CodMyHyBe7Yedoh2W1ChxZ7Sro3sopOlHRcpj3wqHy4PA5cqkCy
iiD/exUWMI98J2Sh1y562kLYVWBwZYOJFM0RHAD//9of72QMGSno0BQlZj62ow66
eueMzm9Wgswo2fi9CKL/+yRAconPU1fZBRsg2AcLc3S6xIz68CDN9eTJ4g+RLF1A
tfMVPaJvZe2FhUJ+i6GTr7C8MQ67wOxrgPYDcNNaUIGGWxE/jut3/rOPFkWBymVU
9leH7tqa+5T7t8Fe2+lmHoRL+gRZ101JaCzb/ilMempZfXrrQo5UZhLPIre4yazI
FuE/tcRlgFXDQDrUn+jFjCKBNp0WQ+FA8DhXqT3QKzhUf/ZZXO8vbf+DnfycebKk
s2jvdI2nklOWyzSpnRJzaIbqi1mYpT1Xkv4Ml+htsZJj46SVSobnvRPTFVLFrxJF
LAB MANUAL [CNS] Page 88
XPHqCfsZZiV2UYuascQ/vl/7eLRgaVcMRUL9U0Qswfpeqri/7kvbcKNZABEBAAGJ
AiUEGAECAA8FAltDlhgCGwwFCQHhM4AACgkQYuH3Y6D7r7zYFRAAzIsNhjYtDL9/
XFTdTi2tju0qqtAyE98vqcp2s0tBqEop9vbyHjtGvXUD2SxChVCpO5r2NSm63OaO
krDMCFHDhhvMtuFZ7JhdI7js8HesBofqbuBj83NhOKutFdC4e2cG5CiIA/LU9tPa
JguCw4UeNe7adNkjJJcY7Y0VjGJWetIgeH99tMwq7L936Lst9ig9TgMwTUEtWHFr
aHIbz3g6fwdOmzMx71yUQokoVTepu3bjmt+QAksH8eNiluYzD52MpRZPSEkfmmIF
vXvo7Gs2mPkYItaq/wRLYn/UXQPwGX5R7TyFLF61le23QEmM4gYlG/q6ACayqu19
j7A9/anQiogyOss/DYsMKpjcwm1jqN7jvWfwr5GYQdlfbCpAiGOTvpDWY+nmabQ2
1bOfteEIvJOgcQTBvrZFFS72H/krHzH0UikdfmvQpiF2QZ0GGUBR2VQab/2hCIq8
+ZaFx5cA5MG1gy01FT2kjYt++5y5Ekdq1+9xYwF00aM4+ufVHpFYnY85WE46x00c
mveztzPiMMRw84OnEqhh5ebfR2LJGKbd+iyT5IlJMXqJfmR1bkBzp7wSvfGPXUyj
iAyZE2RbzByaT+2Hn26nPzkEl841WkhohwAwKWDs1MuiNaGeyIvnZOCKNBxXY9mt
6jkIjjL1hdBA3U04K7MmHo+6GrcQYGs=
=jpFF
-----END PGP PUBLIC KEY BLOCK-----
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
LAB MANUAL [CNS] Page 89
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 175 more bytes)
....+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++
.+++++
gpg: key 4C8FAA8A marked as ultimately trusted
public and secret key created and signed.
Signing process:
gpg> sign
"sangita (this is gpg) <sangita.sc@gmail.com>" was already signed by key A0FBAFBC
Nothing to sign with key A0FBAFBC
gpg> quit
it@it-Vostro-1014:~$ gpg --out secrets_to_sangita_ --encrypt secrets
You did not specify a user ID. (you may use "-r")
Current recipients:
Current recipients:
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Current recipients:
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Current recipients:
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Current recipients:
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Current recipients:
1024R/5D9D9E6A 2018-07-09 "sschaudhari (gpg) <sschaudhari@acpce.ac.in>"
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
LAB MANUAL [CNS] Page 92
Enter the user ID. End with an empty line: e
gpg: skipped: public key already set
Current recipients:
1024R/5D9D9E6A 2018-07-09 "sschaudhari (gpg) <sschaudhari@acpce.ac.in>"
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Current recipients:
1024R/5D9D9E6A 2018-07-09 "sschaudhari (gpg) <sschaudhari@acpce.ac.in>"
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Current recipients:
1024R/5D9D9E6A 2018-07-09 "sschaudhari (gpg) <sschaudhari@acpce.ac.in>"
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Current recipients:
1024R/5D9D9E6A 2018-07-09 "sschaudhari (gpg) <sschaudhari@acpce.ac.in>"
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Current recipients:
Current recipients:
1024R/5D9D9E6A 2018-07-09 "sschaudhari (gpg) <sschaudhari@acpce.ac.in>"
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
Encryption
Current recipients:
Current recipients:
4096R/3E147825 2018-07-09 "sangita (this is gpg) <sangita.sc@gmail.com>"
#����h#�#��F�#ϼz���#��R���#U~^Lnߐ2Fν��zM֝���
��#m+��#�K_##�@7�5Q��mI�M#H�X��0#@�T��NQ-�#���#�臁
�Q�wt��m@�u#t^�R���JU�#�t�q�-�r�K����iʼ���#�}��!a
�B�?���Wu#�#L���p0'/V�2�NKM!IY���}��kg����Fr#�7�$#��#"�
eU���PTC�##Eq#Ž �>5P�D�"�U�w�x�����i�Sѣ��
��>�#��#}t
�3�e#���ނ#�r��A�W.�o#t
"�wU#YZ#��V������9��#(m�&v�l&��`�#>)���©
�1(&6���H�E���Fa�`ls&�{m4E���Q#�
mn��1��
��i�,�fO$�;�d#��S#<�
@)����W�?�#yfB�W�l}
,�����;`�&it@it-Vostro-1014:~$
Decryption: