CSS - Lab Manual 2023-24 Even Sem

This document outlines the lab manual for the Cryptography & System Security Lab course. The course aims to apply various encryption techniques, study security mechanisms, and explore network security concepts and tools. The lab manual describes 9 programming assignments related to password cracking, Caesar cipher, Playfair cipher, RSA algorithm, Diffie-Hellman key exchange, digital signatures, and MD5 hashing. The assignments involve implementing these cryptographic algorithms and analyzing network security tools.

Uploaded by

pokemonruse

Cryptography & System Security Lab Manual (CSL602) SEM VI (Computer Engineering)

Lab Manual

Lab Code    Lab Name                                  Credit
CSL602      Cryptography & System Security Lab        1

Prerequisite: Computer Network

Lab Objectives:
1 To apply various encryption techniques
2 To study and implement various security mechanisms
3 To explore the network security concept and tools

Lab Outcomes: At the end of the course, the students will be able to
1 Apply the knowledge of symmetric and asymmetric cryptography to implement simple ciphers.
2 Explore the different network reconnaissance tools to gather information about networks.
3 Explore and use tools like sniffers, port scanners and other related tools for analysing packets in a network.
4 Set up firewalls and intrusion detection systems using open-source technologies and explore email security.
5 Explore various attacks like buffer overflow and web application attacks.


Programming Assignments:

Exp-1

Aim: To implement a program in Java for password cracking using Brute Force.

A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt
any encrypted data (except for data encrypted in an information-theoretically
secure manner). Such an attack might be used when it is not possible to take advantage of
other weaknesses in an encryption system (if any exist) that would make the task easier.
We assume the input to be a password of length 4 containing only lowercase letters.
We try all possible combinations of lowercase letters to recover the password.

Input:

1. Enter password of length 4
2. Convert it into string
3. Find length of the string
4. Starting at each iteration: Guess the string
5. If it matches then print the string and no. of iterations

Output:

1. Print the password
2. Print the iteration number in which the password was cracked successfully

Exp-2

Aim: Implementation of Caesar cipher

Example:

It is a type of substitution cipher in which each letter in the plaintext is shifted by a certain
number of places. The key is the number of characters to shift the cipher alphabet.

First we translate all of our characters to numbers, 'a'=0, 'b'=1, 'c'=2, ... , 'z'=25.

We can now represent the Caesar cipher encryption function, e(x), where x is the character we
are encrypting, as:

Where k is the key (the shift) applied to each letter.


After applying this function the result is a number which must then be translated back into a
letter.

The decryption function is:

Exp-3

Aim: Implementation of Playfair cipher

1. It is a polyalphabetic cipher
2. The secret key is arranged in a 5x5 matrix
3. Any sequence of 25 letters can be used as a key, as long as no letter is repeated
4. Combine "i" and "j"

Encryption Rules:

1. Remove any punctuation or characters that are not present in the key square (this may
mean spelling out numbers, punctuation etc.).
2. Identify any double letters in the plaintext and replace the second occurrence with an
'x' e.g. 'hammer' -> 'hamxer'.
3. If the plaintext has an odd number of characters, append an 'x' to the end to make it
even. e.g: ‘today’ -> ‘todayx’
4. Break the plaintext into pairs of letters, e.g. 'hamxer' ->'ha mx er'
5. The algorithm now works on each of the letter pairs.
6. Locate the letters in the key square,
7. If the letters are in different rows and columns, replace the pair with the letters on the
same row respectively but at the other pair of corners of the rectangle defined by the
original pair. The order is important – the first encrypted letter of the pair is the one
that lies on the same row as the first plaintext letter. 'ha' -> 'bo', 'es' -> 'il'
8. If the letters appear on the same row of the table, replace them with the letters to their
immediate right respectively (wrapping around to the left side of the row if a letter in
the original pair was on the right side of the row). 'ma' -> 'or', 'lp' -> 'pq'
9. If the letters appear on the same column of the table, replace them with the letters
immediately below respectively (wrapping around to the top side of the column if a
letter in the original pair was on the bottom side of the column). 'rk' -> 'dt', 'pv' -> 'vo'
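
The encryption rules above, implemented as an added example (not part of the lab manual). The keyword "monarchy" is an assumption: the manual does not name its key, but the key square built from this keyword reproduces every pair quoted in rules 7 to 9. Function names are chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build the 5x5 key square: keyword letters first (no repeats, 'j' folded
   into 'i'), then the remaining letters of the alphabet. */
static void build_square(const char *key, char sq[25])
{
    int used[26] = {0}, n = 0;
    used['j' - 'a'] = 1;                        /* 'j' shares a cell with 'i' */
    for (int pass = 0; pass < 2; pass++) {
        const char *src = pass == 0 ? key : "abcdefghijklmnopqrstuvwxyz";
        for (; *src; src++) {
            if (!isalpha((unsigned char)*src)) continue;
            int c = tolower((unsigned char)*src);
            if (c == 'j') c = 'i';
            if (!used[c - 'a']) { used[c - 'a'] = 1; sq[n++] = (char)c; }
        }
    }
}

/* Rules 1-3: keep letters only, replace the second of a doubled letter with
   'x', pad an odd length with 'x'. out needs strlen(plain) + 2 bytes.
   Returns the prepared length (always even). */
size_t playfair_prepare(const char *plain, char *out)
{
    size_t n = 0;
    for (; *plain; plain++) {
        if (!isalpha((unsigned char)*plain)) continue;
        char c = (char)tolower((unsigned char)*plain);
        if (c == 'j') c = 'i';
        if (n > 0 && out[n - 1] == c) c = 'x';  /* 'hammer' -> 'hamxer' */
        out[n++] = c;
    }
    if (n % 2) out[n++] = 'x';                  /* 'today' -> 'todayx' */
    out[n] = '\0';
    return n;
}

/* Rules 4-9: encrypt the prepared text pair by pair, in place in out. */
void playfair_encrypt(const char *key, const char *plain, char *out)
{
    char sq[25];
    int pos[26];
    build_square(key, sq);
    for (int i = 0; i < 25; i++) pos[sq[i] - 'a'] = i;
    pos['j' - 'a'] = pos['i' - 'a'];

    size_t n = playfair_prepare(plain, out);
    for (size_t i = 0; i < n; i += 2) {
        int a = pos[out[i] - 'a'], b = pos[out[i + 1] - 'a'];
        int ra = a / 5, ca = a % 5, rb = b / 5, cb = b % 5;
        if (ra == rb) {             /* rule 8: same row, letter to the right */
            ca = (ca + 1) % 5; cb = (cb + 1) % 5;
        } else if (ca == cb) {      /* rule 9: same column, letter below */
            ra = (ra + 1) % 5; rb = (rb + 1) % 5;
        } else {                    /* rule 7: rectangle, keep row, swap columns */
            int t = ca; ca = cb; cb = t;
        }
        out[i] = sq[ra * 5 + ca];
        out[i + 1] = sq[rb * 5 + cb];
    }
}

/* Convenience wrapper for short demo strings (static buffer, not re-entrant). */
const char *playfair(const char *key, const char *plain)
{
    static char buf[256];
    if (strlen(plain) + 2 > sizeof buf) return NULL;
    playfair_encrypt(key, plain, buf);
    return buf;
}

int main(void)
{
    /* Pairs and words quoted in the rules above. */
    const char *samples[] = { "ha", "es", "ma", "lp", "rk", "pv", "hammer", "today" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s -> %s\n", samples[i], playfair("monarchy", samples[i]));
    return 0;
}
```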


EXP-4

Aim: Find the multiplicative inverse of any number in Zn using the Extended Euclidean
algorithm. Also find the gcd, s and t values. Show the output of each step.

Example: Find the multiplicative inverse of 23 in Z100

Initial values of r1 = 100 and r2 = 23

The gcd(100, 23) is 1. The inverse of 23 is -13 or 87 (-13 mod 100 = 87)

Exp-5

Aim: Implementation of Euler’s Totient Function

The totient φ(n) of a positive integer n greater than 1 is defined to be the number of positive
integers less than n that are coprime to n.

• φ(1) is defined to be 1.

• When n is a prime number (e.g. 2, 3, 5, 7, 11, 13), φ(n) = n-1.

• But for composite numbers:

for example, 15 = 3*5 and φ(15) = φ(3)*φ(5) = 2*4 = 8.

But this multiplicative relationship is conditional. It is true only when m and n are coprime: φ(m*n) = φ(m)*φ(n).

It does not hold for 4, 8, 9. For example, 9 = 3*3, but φ(9) = 6 ≠ φ(3)*φ(3) = 2*2 = 4


Exp-6

Aim: Implement RSA algorithm.

• Take input as p, q and encryption key e
• Find values for decryption key d
• Input the message
• Display the encrypted text and again decrypted text

Steps:
• Randomly choose two LARGE distinct primes p and q.
• Let n = pq
• Calculate ϕ(n) = (p−1)(q−1)
• Choose an integer e such that gcd(e, ϕ(n)) = 1
• Find an integer d which satisfies ed ≡ 1 (mod ϕ(n))
Your public key will be the ordered pair (e, n), while your private key is the ordered pair (d, n).

Exp-7

Aim: Implement Diffie Hellman Algorithm

• Take input as p, q, x and y
• Calculate values of R1 and R2 and print them
• Calculate value of K using R2, x and p
• Calculate value of K using R1, y and p

Diffie Hellman is a Symmetric Key Agreement Algorithm

Alice and Bob will agree upon a symmetric key K = q^(xy) mod p

Steps:
• Alice and Bob select two numbers, p (large) and q, where p is prime and q is a
generator of the group <Zp*, ×> of order p-1
• Alice selects a large random number x such that 0 ≤ x ≤ p-1
• Alice calculates R1 = q^x mod p
• Bob selects a large random number y such that 0 ≤ y ≤ p-1
• Bob calculates R2 = q^y mod p
• Alice sends R1 to Bob. (Print the value of R1)
• Bob sends R2 to Alice. (Print the value of R2)
• Alice calculates K = R2^x mod p
• Bob calculates K = R1^y mod p

Exp-8

Aim: Implement RSA Digital Signature

• Take input as p, q
• Find values of e and d
• Input the message, M
• Calculate the signature, S
• Calculate the verified message, M’
• Check M’ ≡ M (mod n)
• Print whether the message is Accepted or Rejected
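
Exp-4, Exp-6, Exp-7 and Exp-8 all rest on the same two routines, the extended Euclidean algorithm and modular exponentiation, so the following added example (not part of the lab manual) covers them in one program. The values p = 61, q = 53, e = 17, M = 65 and the Diffie-Hellman inputs p = 23, q = 5, x = 6, y = 15 are constructed toy values, and all function names are chosen here; this is textbook RSA without hashing or padding, as the experiments describe it.

```c
#include <stdio.h>

typedef long long i64;
typedef unsigned long long u64;

struct egcd { i64 gcd, s, t; };            /* gcd = s*r1 + t*r2 */

/* Exp-4: extended Euclidean algorithm. Prints one row per step when trace != 0. */
struct egcd ext_gcd(i64 r1, i64 r2, int trace)
{
    i64 s1 = 1, s2 = 0, t1 = 0, t2 = 1;
    while (r2 > 0) {
        i64 q = r1 / r2, r = r1 - q * r2;
        i64 s = s1 - q * s2, t = t1 - q * t2;
        if (trace)
            printf("q=%-4lld r1=%-5lld r2=%-5lld r=%-5lld s=%-5lld t=%lld\n",
                   q, r1, r2, r, s, t);
        r1 = r2; r2 = r;
        s1 = s2; s2 = s;
        t1 = t2; t2 = t;
    }
    struct egcd out = { r1, s1, t1 };
    return out;
}

/* Inverse of a in Zn, or -1 when gcd(n, a) != 1 and no inverse exists. */
i64 mod_inverse(i64 a, i64 n)
{
    struct egcd e = ext_gcd(n, ((a % n) + n) % n, 0);
    if (e.gcd != 1) return -1;
    return ((e.t % n) + n) % n;            /* e.g. -13 becomes 87 in Z100 */
}

/* Square-and-multiply. Moduli must stay below 2^32 so products fit in 64 bits. */
u64 mod_pow(u64 base, u64 exp, u64 mod)
{
    u64 result = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1) result = result * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return result;
}

/* Exp-6: d with e*d = 1 (mod phi(n)), or -1 if e is not coprime to phi(n). */
i64 rsa_private_exponent(i64 p, i64 q, i64 e)
{
    return mod_inverse(e, (p - 1) * (q - 1));
}

/* Exp-8: signature S = M^d mod n; verification recomputes M' = S^e mod n. */
u64 rsa_sign(u64 M, u64 d, u64 n) { return mod_pow(M, d, n); }
int rsa_verify(u64 S, u64 M, u64 e, u64 n) { return mod_pow(S, e, n) == M % n; }

/* Exp-7: both sides derive K. Returns K, or 0 if the two values differ. */
u64 dh_shared_key(u64 p, u64 q, u64 x, u64 y)
{
    u64 R1 = mod_pow(q, x, p);             /* Alice sends R1 to Bob */
    u64 R2 = mod_pow(q, y, p);             /* Bob sends R2 to Alice */
    u64 k_alice = mod_pow(R2, x, p);
    u64 k_bob = mod_pow(R1, y, p);
    printf("R1=%llu R2=%llu\n", R1, R2);
    return k_alice == k_bob ? k_alice : 0;
}

int main(void)
{
    struct egcd r = ext_gcd(100, 23, 1);   /* the Exp-4 example: 23 in Z100 */
    printf("gcd=%lld s=%lld t=%lld inverse=%lld\n",
           r.gcd, r.s, r.t, mod_inverse(23, 100));

    i64 p = 61, q = 53, e = 17;            /* constructed toy primes */
    u64 n = (u64)(p * q);
    i64 d = rsa_private_exponent(p, q, e);
    u64 c = mod_pow(65, (u64)e, n);
    printf("n=%llu d=%lld cipher=%llu decrypted=%llu\n",
           n, d, c, mod_pow(c, (u64)d, n));

    u64 S = rsa_sign(65, (u64)d, n);
    printf("S=%llu original: %s, tampered: %s\n", S,
           rsa_verify(S, 65, (u64)e, n) ? "Accepted" : "Rejected",
           rsa_verify(S, 66, (u64)e, n) ? "Accepted" : "Rejected");

    printf("K=%llu\n", dh_shared_key(23, 5, 6, 15));
    return 0;
}
```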

Exp-9

Aim: Implementation of MD5 algorithm

Theory:-

MD5 (Message Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit
hash value. An MD5 hash is typically expressed as a 32-digit hexadecimal number. MD5
processes a variable-length message into a fixed-length output of 128 bits. The input message
is broken up into chunks of 512-bit blocks (sixteen 32-bit little-endian integers); the message
is padded so that its length is divisible by 512. The padding works as follows: first a single
bit, 1, is appended to the end of the message. This is followed by as many zeros as are
required to bring the length of the message up to 64 bits less than a multiple of 512. The
remaining bits are filled up with a 64-bit integer representing the length of the original
message, in bits.


Figure 1: One MD5 operation. MD5 consists of 64 of these operations, grouped in four
rounds of 16 operations. F is a nonlinear function; one function is used in each round. M_i
denotes a 32-bit block of the message input, and K_i denotes a 32-bit constant, different for each
operation.

The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted
A, B, C and D. These are initialized to certain fixed constants. The main algorithm then
operates on each 512-bit message block in turn, each block modifying the state. The
processing of a message block consists of four similar stages, termed rounds; each round is
composed of 16 similar operations based on a nonlinear function F, modular addition, and left
rotation.

Figure 1 illustrates one operation within a round. There are four possible functions F; a
different one is used in each round:

Algorithm:

1. Append Padding Bits: The message is "padded" (extended) so that its length (in bits) is
congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of
being a multiple of 512 bits long. Padding is always performed, even if the length of the
message is already congruent to 448, modulo 512. Padding is performed as follows: a single
"1" bit is appended to the message, and then "0" bits are appended so that the length in bits of
the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at
most 512 bits are appended.

2. Append Length: A 64-bit representation of b (the length of the message before the padding
bits were added) is appended to the result of the previous step. In the unlikely event that b is
greater than 2^64, then only the low-order 64 bits of b are used. (These bits are appended as
two 32-bit words and appended low-order word first in accordance with the previous
conventions.) At this point the resulting message (after padding with bits and with b) has a
length that is an exact multiple of 512 bits. Equivalently, this message has a length that is an
exact multiple of 16 (32-bit) words. Let M[0 ... N-1] denote the words of the resulting
message, where N is a multiple of 16.

3. Initialize MD Buffer: A four-word buffer (A, B, C, D) is used to compute the message
digest. Here each of A, B, C, D is a 32-bit register. These registers are initialized to the
following values in hexadecimal, low-order bytes first:

4. Process Message in 16-Word Blocks: We first define four auxiliary functions that each take
as input three 32-bit words and produce as output one 32-bit word.

5. Output: The message digest produced as output is A, B, C, D. That is, we begin with the
low-order byte of A, and end with the high-order byte of D.
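
Steps 1 and 2 of the algorithm (padding and length), as an added example that is not part of the lab manual. It works on whole bytes, so the "1" bit plus seven "0" bits is the byte 0x80; the function names and the sample messages are chosen here, and the round functions of step 4 are not implemented.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length in bytes after steps 1 and 2: message + 0x80 + zero bytes + 8-byte
   length field, rounded up to a multiple of 64 bytes (512 bits). */
size_t md5_padded_len(size_t len) { return ((len + 8) / 64 + 1) * 64; }

/* Number of padding bits added by step 1 (the "1" bit plus the "0" bits). */
size_t md5_pad_bits(size_t len) { return (md5_padded_len(len) - 8 - len) * 8; }

/* Writes the padded message to out, which must hold md5_padded_len(len)
   bytes, and returns the padded length. */
size_t md5_pad(const unsigned char *msg, size_t len, unsigned char *out)
{
    size_t total = md5_padded_len(len);
    uint64_t bits = (uint64_t)len * 8;           /* b: original length in bits */
    memcpy(out, msg, len);
    out[len] = 0x80;                             /* "1" bit, then seven "0" bits */
    memset(out + len + 1, 0, total - len - 1);   /* remaining "0" bits */
    for (int i = 0; i < 8; i++)                  /* step 2: low-order byte first */
        out[total - 8 + i] = (unsigned char)(bits >> (8 * i));
    return total;
}

/* Word M[i] of the padded message: four bytes, low-order byte first. */
uint32_t md5_word(const unsigned char *padded, size_t i)
{
    const unsigned char *p = padded + 4 * i;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static unsigned char demo_buf[256];              /* shared by the demo wrappers */

/* Demo wrapper: pads a short C string (static buffer, not re-entrant). */
const unsigned char *md5_pad_text(const char *text)
{
    size_t len = strlen(text);
    if (md5_padded_len(len) > sizeof demo_buf) return NULL;
    md5_pad((const unsigned char *)text, len, demo_buf);
    return demo_buf;
}

/* Demo wrapper: pads a constructed message of len copies of the byte ch. */
const unsigned char *md5_pad_fill(int ch, size_t len)
{
    unsigned char msg[128];
    if (len > sizeof msg) return NULL;
    memset(msg, ch, len);
    md5_pad(msg, len, demo_buf);
    return demo_buf;
}

int main(void)
{
    /* 55 bytes still fit in one block; 56 bytes (448 bits) force a second
       block, because padding is always performed. */
    size_t lens[] = { 0, 3, 55, 56, 64 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("message %2zu bytes: %3zu padding bits, %3zu bytes after padding\n",
               lens[i], md5_pad_bits(lens[i]), md5_padded_len(lens[i]));

    const unsigned char *p = md5_pad_text("abc");
    for (size_t i = 0; i < 16; i++)
        printf("M[%2zu] = 0x%08x\n", i, (unsigned)md5_word(p, i));
    return 0;
}
```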

Exp-10
Aim: To create a virus using Java

Write a program in JAVA which shows some unintended activities in the system

Exp-11

Aim: Simulation of SQL Injection Attack

Create a database and run SQL queries to show the attack

Exp-12

Aim: Simulate Buffer overflow attack using Splint


Theory:
Buffer overflow is a mistake that exists in some C implementations. These classes of bugs are
dangerous as they write past the end of a buffer or array and hence corrupt the process
stack. They often change the return address of a process after a function call to a secret
memory location where malicious code is planted.
There are two main types:
• Stack based attacks
• Heap based attacks
Heap-based attacks flood the memory space reserved for a program, but the difficulty
involved with performing such an attack makes them rare. Stack-based buffer overflows are
by far the most common.
Splint is a tool for statically checking C programs for security vulnerabilities and
programming mistakes. Splint does many of the traditional lint checks including unused
declarations, type inconsistencies, use before definition, unreachable code, ignored return
values, execution paths with no return, likely infinite loops, and fall through cases. More
powerful checks are made possible by additional information given in source code
annotations. Annotations are stylized comments that document assumptions about functions,
variables, parameters and types. In addition to the checks specifically enabled by annotations,
many of the traditional lint checks are improved by exploiting this additional information.
Splint is designed to be flexible and allow programmers to select appropriate points on the
effort benefit curve for particular projects. As different checks are turned on and more
information is given in code annotations the number of bugs that can be detected increases
dramatically.

Problems detected by Splint include:

• Dereferencing a possibly null pointer

• Using possibly undefined storage or returning storage that is not properly defined

• Type mismatches, with greater precision and flexibility than provided by C compilers

• Violations of information hiding

• Memory management errors including uses of dangling references and memory leaks

• Dangerous aliasing

• Modifications and global variable uses that are inconsistent with specified interfaces

• Problematic control flow such as likely infinite loops, fall through cases or incomplete
switches and suspicious statements

• Buffer overflow vulnerabilities

• Dangerous macro implementations or invocations

• Violations of customized naming conventions

Steps :

1. Installation

$ sudo apt-get install splint

2. Checking Vulnerability

$ splint program1.c

program1.c is the program whose vulnerability is to be checked.

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    int pass = 0;

    printf("\n Enter the password : \n");
    gets(buff);

    if(strcmp(buff, "thegeekstuff"))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
    {
        /* Now Give root or admin rights to user*/
        printf ("\n Root privileges given to the user \n");
    }

    return 0;
}

/* Output
splint program1.c
Splint 3.1.2 --- 03 May 2009

program1.c: (in function main)
program1.c:10:5: Use of gets leads to a buffer overflow vulnerability. Use fgets
    instead: gets
  Use of function that may lead to buffer overflow. (Use -bufferoverflowhigh to
  inhibit warning)
buffer.c:10:5: Return value (type char *) ignored: gets(buff)
  Result returned by function call is not used. If this is intended, can cast
  result to (void) to eliminate message. (Use -retvalother to inhibit warning)
program1.c:12:8: Test expression for if not boolean, type int:
    strcmp(buff, "thegeekstuff")
  Test expression type is not boolean or int. (Use -predboolint to inhibit
  warning)
program1.c:22:8: Test expression for if not boolean, type int: pass

Finished checking --- 4 code warnings

*/
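
program1.c rewritten with the bounded fgets call that Splint's first warning recommends, as an added example that is not part of the lab manual. The names read_line, check_password and check_typed are chosen here; check_typed exists only to feed constructed input through a temporary file.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 15                      /* same buffer size as program1.c */

/* Reads one line into buf, storing at most size-1 characters.
   Returns 0 on success, 1 if the line was longer than the buffer (the rest
   of the line is discarded), -1 on end of file or read error. */
int read_line(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') {               /* whole line fitted */
        buf[n] = '\0';
        return 0;
    }
    /* No newline stored: either the input ended here or the line is too
       long. Drain the remainder so it is not read as the next line. */
    int c, extra = 0;
    while ((c = getc(in)) != EOF && c != '\n')
        extra = 1;
    return extra ? 1 : 0;
}

/* Returns 1 only for an exact match that fitted in the buffer. Overlong
   input is rejected outright instead of being truncated and compared. */
int check_password(FILE *in)
{
    char buff[BUF_LEN];
    int pass = 0;

    if (read_line(in, buff, sizeof buff) == 0 &&
        strcmp(buff, "thegeekstuff") == 0)
        pass = 1;
    return pass;
}

/* Demo helper: runs check_password() on a constructed input string.
   Returns -1 if the temporary file cannot be created. */
int check_typed(const char *typed)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(typed, f);
    rewind(f);
    int ok = check_password(f);
    fclose(f);
    return ok;
}

int main(void)
{
    printf("\n Enter the password : \n");
    if (check_password(stdin)) {
        printf("\n Correct Password \n");
        printf("\n Root privileges given to the user \n");
    } else {
        printf("\n Wrong Password \n");
    }
    return 0;
}
```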

A second program, bufferoverflow.c:

#include<stdio.h>
main()
{
    char buff[5];
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n");
    buff[5]='abcdefghijklmnophsgkgfks';  /* writes past the end of buff: valid indices are 0..4 */
    printf("%c\n",buff[5]);
    printf("My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n");
}

/*Output:

splint bufferoverflow.c
Splint 3.1.2 --- 03 May 2009

bufferoverflow.c: (in function main)
bufferoverflow.c:5:2: No argument corresponding to printf format code 1 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
  Types are incompatible. (Use -type to inhibit warning)
   bufferoverflow.c:5:33: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 2 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:37: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 3 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:41: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 4 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:45: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 5 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:49: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 6 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:53: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 7 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:57: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 8 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:61: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 9 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:65: Corresponding format code
bufferoverflow.c:5:2: No argument corresponding to printf format code 10 (%p):
    "My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:5:69: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 1 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:37: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 2 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:41: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 3 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:45: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 4 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:49: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 5 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:53: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 6 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:57: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 7 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:61: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 8 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:65: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 9 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:69: Corresponding format code
bufferoverflow.c:8:2: No argument corresponding to printf format code 10 (%p):
    "My new stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
   bufferoverflow.c:8:73: Corresponding format code
bufferoverflow.c:9:2: Path with no return in function declared to return int
  There is a path through a function declared to return a value on which there
  is no return statement. This means the execution may fall through without
  returning a meaningful result to the caller. (Use -noret to inhibit warning)

Finished checking --- 21 code warnings

*/

Network Security Assignments:

Exp-13

Aim: Use of network reconnaissance tools like WHOIS, dig, nslookup to gather information
about networks and domain registrars

Theory:-

Steps:

1. Open ubuntu terminal.

2. Get root access by typing “sudo su root”. Enter the PC password.

3. Install the tools using the following commands

# apt-get install whois

# apt-get install dnsutils    (this package provides dig and nslookup)

# apt-get install traceroute


whois
Example: Querying tsec.edu
student@lab:~# whois tsec.edu

dig
1. Simple dig Command Usage

student@lab:~# dig www.google.com

The dig command output has the following sections:

Header: This displays the dig command version number, the global options used by the dig
command, and some additional header information.

QUESTION SECTION: This displays the question it asked the DNS, i.e. your input. Since we
said ‘dig google.com’, it indicates in this section that we asked for the record of the
google.com website.

ANSWER SECTION: This displays the answer it receives from the DNS, i.e. your
output. This displays the record of google.com.

AUTHORITY SECTION: This displays the DNS name server that has the authority to
respond to this query. Basically this displays the available name servers of google.com.

ADDITIONAL SECTION: This displays the IP addresses of the name servers listed in the
AUTHORITY SECTION.

The stats section at the bottom displays a few dig command statistics, including how much time it
took to execute this query.

2. Display Only the ANSWER SECTION of the Dig command Output

All you need to look at is the “ANSWER SECTION” of the dig command. So, we can turn
off all other sections as shown below.

i) student@lab:~# dig google.com +noquestion
ii) student@lab:~# dig google.com +nocomments – Turn off the comment lines
iii) student@lab:~# dig google.com +noauthority – Turn off the authority section
iv) student@lab:~# dig google.com +noadditional – Turn off the additional section
v) student@lab:~# dig google.com +nostats – Turn off the stats section
vi) student@lab:~# dig google.com +noanswer – Turn off the answer section

3. Query MX Records Using dig MX

To query MX records, pass MX as an argument to the dig command as shown below.

student@lab:~# dig google.com MX +noall +answer

4. Query NS Records Using dig NS

To query the NS record use the type NS as shown below.

student@lab:~# dig google.com NS +noall +answer

5. View ALL DNS Records Types Using dig -t ANY

To view all the record types (A, MX, NS, etc.), use ANY as the record type as shown below.

student@lab:~# dig -t ANY google.com +noall +answer

6. View Short Output Using dig +short

To view just the IP address of a web site (i.e. the A record), use the short form option as
shown below.

student@lab:~# dig google.com +short

7. DNS Reverse Look-up Using dig -x

To perform a DNS reverse look-up from an IP address, use dig -x as shown below.

student@lab:~# dig -x 209.132.183.81

traceroute

Command:

student@lab:~# traceroute google.com


nslookup

1. Simple nslookup command

student@lab:~# nslookup google.com

2. Query the MX Record using -query=mx

student@lab:~# nslookup -query=mx google.com

MX (Mail Exchange) record maps a domain name to a list of mail exchange servers for that
domain.

3. Query the NS Record using -type=ns

student@lab:~# nslookup -type=ns google.com

NS (Name Server) record maps a domain name to a list of DNS servers authoritative for that
domain.

4. Query the SOA Record using -type=soa

student@lab:~# nslookup -type=soa google.com

SOA record (start of authority) provides the authoritative information about the
domain, the e-mail address of the domain admin, the domain serial number,
etc.

5. View available DNS records using -query=any

student@lab:~# nslookup -type=any google.

Exp-14

Aim: Examine the use of packet sniffer tool: Wireshark

a) Download and install wireshark and capture different packets like icmp, tcp and http
packets in promiscuous mode
b) Explore how the packets can be traced based on different filters
c) Capture packets of FTP and retrieve login ID and Password

Theory:-


Wireshark is a network packet analyzer. A network packet analyzer captures
network packets and displays the packet data in as much detail as possible.

Wireshark is used for:

• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time
and displays them in human-readable format. Wireshark includes filters, color-coding and
other features that let you dig deep into network traffic and inspect individual packets.

Features of Wireshark:
• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and
a
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.

Steps:
1. Open ubuntu terminal
2. Install wireshark
#apt-get install wireshark
3. To know the name of your Ethernet interface (mostly it is “eth0”):
# ifconfig
4. Start wireshark
# sudo wireshark


5. Once wireshark window opens, select the interface and click on start

a) Capturing Packets
After downloading and installing wireshark, you can launch it and click the name of an
interface under Interface List to start capturing packets on that interface.
For example, if you want to capture traffic on the wireless network, click your wireless
interface. You can configure advanced features by clicking Capture Options.
As soon as you click the interface's name, you'll see the packets start to appear in real time.
Wireshark captures each packet sent to or from your system.
Click the stop capture button near the top left corner of the window when you want to stop
capturing traffic.
Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is
TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP
packets with problems — for example, they could have been delivered out-of-order.

Wireshark can record the capturing information in the file with extension .pcap (packet
capture).

This file can be again reopened for analysis in offline mode.

There is no need to remember filtering commands. Filters can be applied by putting
predefined strings in Wireshark.

Commands:-

1. Capturing packets of a particular host

ip.addr == 192.168.42.3
Sets a filter for any packet with 192.168.42.3, as either the source or destination.

2. To capture a conversation between specified hosts

ip.addr == 10.0.5.119 && ip.addr == 91.189.94.25
Sets a conversation filter between the two defined IP addresses.

b) Filtering Packets

The most basic way to apply a filter is by typing it into the filter box at the top of the window
and clicking Apply (or pressing Enter). For example, type “dns” and you'll see only DNS
packets. When you start typing, Wireshark will help you autocomplete your filter.

Commands:-

1. To filter packets for a specific protocol

http or dns
Sets a filter to display all http and dns requests.

2. To filter packets for specific port

tcp.port == 4000
Sets a filter for any TCP packet with 4000 as a source or destination port.

3. Filter specific packets

tcp.flags.reset == 1
Displays all TCP resets.

4. Filter for http request packets

http.request
Displays all HTTP GET requests.

5. To filter traffic except given protocol packets

!(arp or icmp or dns)
Masks out arp, icmp, dns, or whatever other protocols may be background noise, allowing
you to focus on the traffic of interest.

6. Capturing packets after applying multiple filters

not (tcp.port == 80) and not (tcp.port == 25)
Get all packets which are not HTTP (port 80) or SMTP (port 25).

To stop capturing click on the “red square”

c) To capture packets of FTP server. (Login ID and Password)


What is FTP?
FTP stands for File Transfer Protocol. As the name suggests, this network protocol allows you
to transfer files or directories from one host to another over the network, whether it is your
LAN or the Internet.
The package required to install FTP is known as VSFTPD (Very Secure File Transfer
Protocol Daemon).
Steps:-
1. Get root access: $ sudo su root
2. Find your ip address: # ifconfig

Installation of FTP server in Ubuntu

Name of Packages required: VSFTPD, XINETD

1. # sudo apt-get install vsftpd

2. # sudo apt-get install xinetd

The above command will install and start the xinetd superserver on your system. The chances
are that you already have xinetd installed on your system. In that case you can omit the above
installation command.
In the next step we need to edit the FTP server's configuration file, which is present in
/etc/vsftpd.conf
3. # cd /etc
4. # ls
5. # gedit vsftpd.conf
Change the following line:
anonymous_enable=NO

To
anonymous_enable=YES

This will instruct the FTP server to allow connecting with an anonymous client.
6. Save and close the gedit file

Now that we are ready, we can start the FTP server in the normal mode with:
7. # service xinetd restart
8. # service vsftpd restart
OR
# /etc/init.d/vsftpd restart

Start WIRESHARK. In the FILTER field put FTP. This will filter all FTP packets

Connectimg to a client present in other machine

$ ftp ip address of the FTP server


Name: anonymous
Please specify the password.
Password:
Login successful.
ftp>
ftp> quit
Goodbye.

While the client is establishing a connection with the FTP server, Wireshark running in the
background on the FTP server is able to capture all FTP packets. So, the Name and Password
entered by the client are visible in plain text in Wireshark. Apart from that, the source and
destination addresses are also visible. If many clients are trying to connect with the server, then
the source address, name and password are visible for all of them.
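The observation above can be turned into an audit check. The following is an added example, not part of the original manual: it walks FTP control-channel lines and reports every login whose USER and PASS commands crossed the network unencrypted, recording only the password length. The sample lines, addresses and function name are constructed for illustration.

```python
import re

# Constructed FTP control-channel lines as (client_ip, direction, text).
# "C" is client-to-server, "S" is server-to-client. Not from a real capture.
SAMPLE_CONTROL_LINES = [
    ("192.168.23.21", "C", "USER anonymous"),
    ("192.168.23.21", "S", "331 Please specify the password."),
    ("192.168.23.21", "C", "PASS guest@example.com"),
    ("192.168.23.21", "S", "230 Login successful."),
    ("192.168.23.22", "C", "AUTH TLS"),        # the rest of this session is encrypted
    ("192.168.23.22", "S", "234 Proceed with negotiation."),
    ("192.168.23.23", "C", "USER alice"),
    ("192.168.23.23", "S", "331 Please specify the password."),
    ("192.168.23.23", "C", "pass s3cret"),     # FTP verbs are case-insensitive
    ("192.168.23.23", "S", "530 Login incorrect."),
]


def find_cleartext_logins(lines):
    """Return one finding per PASS command that was readable on the wire."""
    pending_user = {}     # client -> username from the most recent USER command
    awaiting_reply = {}   # client -> finding still waiting for the server's verdict
    findings = []
    for client, direction, text in lines:
        text = text.strip()
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                pending_user[client] = arg
            elif verb == "PASS":
                finding = {
                    "client": client,
                    "user": pending_user.get(client, "<unknown>"),
                    "password_length": len(arg),  # never keep the secret itself
                    "accepted": None,
                }
                findings.append(finding)
                awaiting_reply[client] = finding
        elif client in awaiting_reply and re.match(r"(230|530)\b", text):
            # 230 = login accepted, 530 = login rejected
            awaiting_reply.pop(client)["accepted"] = text.startswith("230")
    return findings


if __name__ == "__main__":
    for item in find_cleartext_logins(SAMPLE_CONTROL_LINES):
        print(item)
```

A session that switches to TLS before authenticating (the second client in the sample) produces no finding, because its USER and PASS commands never appear in the capture.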

Exp-15

Aim: Simulate port scanning attack using Nmap


Nmap features include:
• Host Discovery – Identifying hosts on a network. For example, listing the hosts
which respond to pings or have a particular port open.
• Port Scanning – Enumerating the open ports on one or more target hosts.
• Version Detection – Interrogating network services listening on remote
devices to determine the application name and version number.
• OS Detection – Remotely determining the operating system and some
hardware characteristics of network devices.

Basic commands working in Nmap:
• For target specifications: nmap <target's URL or IP with spaces between them>
• For OS detection: nmap -O <target-host's URL or IP>
• For version detection: nmap -sV <target-host's URL or IP>


SYN scan is the default and most popular scan option for good reasons. It can be performed
quickly, scanning thousands of ports per second on a fast network not hampered by restrictive
firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP
connections.
Steps:-
1. Get root access: $ sudo su root
2. # ifconfig
3. # apt-get install nmap

Commands:-
1. # nmap -V

It gives the version of Nmap

2. # nmap 192.168.23.20

It gives information about a single host. It gives the output in column form where first
column is the PORT, second column is the STATE and third column is the SERVICE

3. # nmap -v 192.168.23.20

It gives the detailed information about remote host.

4. # nmap -O 192.168.23.20

It finds the remote host operating system and version (OS detection)

5. # nmap -sP 192.168.23.0/24

It scans a network and discovers which servers and devices are up and running (ping
scan)


6. # nmap -sA 192.168.23.20

To discover if a host/network is protected by a firewall. The output has the word
FILTERED, which shows presence of a firewall. UNFILTERED means no firewall.

7. # nmap -p T:23 192.168.23.20

It scans TCP port 23

8. # nmap -p 80,443 192.168.23.20

It scans multiple ports at one time

9. # nmap -sV 192.168.23.20

It detects remote services (server / daemon) version numbers. Version numbers are
displayed only if the Port is open

10. # nmap -sS 192.168.23.20

It performs SYN scan or Stealth scan.

Open wireshark.

Set the Filter to TCP.

See the grey and red color packets

Double click any grey color TCP packet where destination address is the neighbour’s
address

See the Flag field of TCP: SYN bit should be set to 1


11. # nmap -sN 192.168.23.20

It performs TCP Null Scan. It does not set any bits (TCP flag header is 0)

Open wireshark.
Set the Filter to TCP.
Double click any grey color TCP packet where destination address is the neighbour’s
address
See the Flag field of TCP: No flag bits should be set

12. # nmap -sF 192.168.23.20

It performs FIN scan. It sets just the TCP FIN bit.

Open wireshark.
Set the Filter to TCP.
Double click any grey color TCP packet where destination address is the neighbour’s
address
See the Flag field of TCP: FIN flag should be set to 1

13. # nmap -sX 192.168.23.20

It performs TCP Xmas scan. It sets the FIN, PSH, and URG flags.

Open wireshark.
Set the Filter to TCP.
Double click any grey color TCP packet where destination address is the neighbour’s
address
See the Flag field of TCP: FIN, PSH, and URG flags should be set to 1

14. # nmap -sO 192.168.23.20

It performs IP protocol scan and allows us to determine which IP protocols are
supported by target machines.

15. # nmap -sU 192.168.23.20


It performs UDP port scan.
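The flag patterns inspected by hand in Wireshark above are also what a detector keys on. The following is an added example, not part of the original manual: it classifies each TCP packet by its flag byte and reports which sources look like the SYN, ACK, NULL, FIN or Xmas scans from this experiment. The packet records, the port threshold and the function names are constructed assumptions.

```python
from collections import defaultdict

# TCP flag bits as they appear in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed packet records (src, dst, dst_port, tcp_flags); not a real capture.
SAMPLE_PACKETS = (
    [("192.168.23.21", "192.168.23.20", p, SYN) for p in (21, 22, 23, 25, 80, 443)]
    + [("192.168.23.22", "192.168.23.20", 80, SYN),          # ordinary web client
       ("192.168.23.22", "192.168.23.20", 80, ACK),
       ("192.168.23.23", "192.168.23.20", 22, 0),            # no flags at all
       ("192.168.23.23", "192.168.23.20", 22, FIN),          # bare FIN
       ("192.168.23.23", "192.168.23.20", 22, FIN | PSH | URG)]
)


def classify_flags(flags):
    """Name the probe type that a single flag byte corresponds to."""
    flags &= 0x3F                      # keep only the six classic flag bits
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == (FIN | PSH | URG):
        return "XMAS"
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    return "OTHER"


def detect_scans(packets, port_threshold=5):
    """Map each suspicious source to the scan types it appears to be running."""
    ports = defaultdict(set)           # (src, dst, kind) -> distinct destination ports
    for src, dst, dport, flags in packets:
        ports[(src, dst, classify_flags(flags))].add(dport)

    alerts = defaultdict(set)
    for (src, _dst, kind), seen in ports.items():
        if kind in ("NULL", "FIN", "XMAS"):
            # A normal TCP stack never opens with these, so one packet is enough.
            alerts[src].add(kind + " scan")
        elif kind in ("SYN", "ACK") and len(seen) >= port_threshold:
            # SYN and ACK are normal traffic; only a spread over many ports is
            # suspicious. This check is stateless and ignores connection tracking.
            alerts[src].add(kind + " scan")
    return {src: sorted(kinds) for src, kinds in alerts.items()}


if __name__ == "__main__":
    print(detect_scans(SAMPLE_PACKETS))
```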

Exp-16

Aim: Set up, configuration and use of SNORT for Intrusion Detection
Theory:
Snort is an open source network intrusion prevention and detection system (IDS/IPS)
developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based
inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions
of downloads and nearly 400,000 registered users, Snort has become the de facto standard for
IPS.
Snort can be configured to run in three modes:
1. Sniffer mode : It simply reads the packets off of the network and displays them for you in a
continuous stream on the console (screen)
2. Packet Logger mode : logs the packets to disk
3. Network Intrusion Detection System (NIDS) mode: it performs detection and analysis on
network traffic. This is the most complex and configurable mode

Steps:
1. Get root access
$ sudo su root
2. Update the package lists
# apt-get update
3. Installation
# apt-get install snort
During installation:

• Put the name of network interface (by default it is eth0, change it to the interface
name of your machine)

• Put the IP address of the machine followed by /24 (by default it is the network
address. Replace it with your IP addr/24)
4. Configuration
# cd /etc
# ls
# cd snort
# ls
# gedit snort.conf
Go to line no. 51
ipvar HOME_NET any
Replace "any" with your ip address i.e. ipvar HOME_NET 192.168._._
Save and close the file


5. Monitoring
# snort -q -A console -i enp2s0
enp2s0 is the name of the interface
6. Perform the following nmap command on the neighbour’s machine and observe the output on
your machine
$ nmap <IP address of your machine> (This command is to be performed on the neighbour’s machine)
Output to be observed in SNORT terminal: IP address of the neighbour who is performing
Intrusion i.e. Port Scanning

Exp-17

Aim: Design personal Firewall using Iptables


Theory:
All packets inspected by iptables pass through a sequence of built-in tables (queues) for
processing. Each of these queues is dedicated to a particular type of packet activity and is
controlled by an associated packet transformation/filtering chain.

1. Filter Table

Filter is the default table for iptables.

Iptables’s filter table has the following built-in chains.

• INPUT chain – Incoming to firewall. For packets coming to the local server.
• OUTPUT chain – Outgoing from firewall. For packets generated locally and going out
of the local server.
• FORWARD chain – Packet for another NIC on the local server. For packets routed
through the local server.

2. NAT Table

This table is consulted when a packet that creates a new connection is encountered.

Iptables’s NAT table has the following built-in chains.

• PREROUTING chain – Alters packets before routing, i.e. packet translation happens
immediately after the packet comes to the system (and before routing). This helps to
translate the destination ip address of the packets to something that matches the
routing on the local server. This is used for DNAT (destination NAT).
• POSTROUTING chain – Alters packets after routing. i.e Packet translation happens
when the packets are leaving the system. This helps to translate the source ip address
of the packets to something that might match the routing on the destination server.
This is used for SNAT (source NAT).
• OUTPUT chain – NAT for locally generated packets on the firewall.

3. Mangle Table

Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP
header. Mangle table has the following built-in chains.

• PREROUTING chain
• OUTPUT chain
• FORWARD chain
• INPUT chain
• POSTROUTING chain

4. Raw Table

Iptables’s Raw table is for configuration exemptions. Raw table has the following built-in
chains.

• PREROUTING chain
• OUTPUT chain

5. Security Table
This table is used for Mandatory Access Control (MAC) networking rules, such as those
enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is
implemented by Linux Security Modules such as SELinux. The security table is called after
the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to
take effect before MAC rules. This table provides the following built-in chains: INPUT (for
packets coming into the box itself), OUTPUT (for altering locally-generated packets before
routing), and FORWARD (for altering packets being routed through the box).

Chains

Tables consist of chains, and rules are combined into different chains. The kernel uses chains to
manage packets it receives and sends out. A chain is simply a checklist of rules which are
followed in order. The rules operate with an if-then-else structure.

Input – This chain is used to control the behaviour for incoming connections. For example, if
a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and
port to a rule in the input chain.

Forward – This chain is used for incoming connections that aren’t actually being delivered
locally. Think of a router – data is always being sent to it but rarely actually destined for the
router itself; the data is just forwarded to its target.

Output – This chain is used for outgoing connections. For example, if you try to ping
howtogeek.com, iptables will check its output chain to see what the rules are regarding ping
and howtogeek.com before making a decision to allow or deny the connection attempt.

Targets:

ACCEPT: Allow packet to pass through the firewall.

DROP: Deny access by the packet.

REJECT: Deny access and notify the server.

QUEUE: Send packets to user space.

RETURN: jump to the end of the chain and let the default target process it

Steps:-
1. Get root access: $ sudo su root
2. # apt-get install iptables

Commands:-
1. To see the list of iptables rules

# iptables -L

Initially it is empty.

2. To block outgoing traffic to a particular destination for a specific protocol from a
machine

Syntax: iptables -I OUTPUT -s <your ip> -d <neighbour ip> -p <protocol> -j <action>

Open one terminal and Ping the neighbour. Let the ping run.

# ping 192.168.208.6

Open another terminal and run the iptables command

# iptables -I OUTPUT -s 192.168.208.18 -d 192.168.208.6 -p icmp -j DROP

2. To allow outgoing traffic to a particular destination for a specific protocol from a
machine

# iptables -I OUTPUT -s 192.168.208.18 -d 192.168.208.6 -p icmp -j ACCEPT

3. To block outgoing traffic to a particular destination for a specific protocol from a
machine for some time

# iptables -I OUTPUT -s 192.168.208.18 -d 192.168.208.6 -p icmp -j REJECT

Allow the traffic again by using ACCEPT instead of REJECT

4. To block incoming traffic from a particular source for a specific protocol to the
machine

Syntax: iptables -I INPUT -s <neighbour ip> -d <firewall ip> -p <protocol> -j <action>

Open one terminal and Ping the neighbour. Let the ping run.

# ping 192.168.208.6

Open another terminal and run the iptables command

# iptables -I INPUT -s 192.168.208.6 -d 192.168.208.18 -p icmp -j DROP

5. To allow incoming traffic from a particular source for a specific protocol to the
machine

Syntax: iptables -I INPUT -s <neighbour ip> -d <firewall ip> -p <protocol> -j <action>

Open another terminal and run the iptables command

# iptables -I INPUT -s 192.168.208.6 -d 192.168.208.18 -p icmp -j ACCEPT

Check the ping status on the other terminal

6. To clear the rules in iptables

# iptables -F

7. To block specific URL from machine

# iptables -t filter -I INPUT -m string --string facebook.com -j REJECT --algo kmp


It will block facebook.com by performing string matching. The algorithm used for string
matching is KMP.

If we change target from REJECT to ACCEPT, the site can be visited again.

Observations:

1. In case of the OUTPUT chain, for the DROP and REJECT targets, at the source machine we get
two different messages.

For DROP – ‘Operation Not Permitted’. Here No acknowledgement is provided.

For REJECT – ‘Destination Port Unreachable’. Here acknowledgement is given.

2. In case of the INPUT chain, for the DROP and REJECT targets, at the source machine we get two
different responses as follows:

For DROP – No message. Here No acknowledgement is provided.

For REJECT – ‘Destination Port Unreachable’. Here acknowledgement is given.
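The commands in this experiment rely on two properties of a chain: rules are checked top to bottom with the first match deciding, and `-I` puts the new rule at the top. The following is an added example, not part of the original manual: a small Python model of one chain that replays the lab's ICMP rules to show why a later `-I ... -j ACCEPT` re-enables the ping while an appended one would not. The class, helper names and step labels are hypothetical; the addresses are the ones used in the commands above.

```python
import ipaddress


def matches(rule, packet):
    """A rule matches when every criterion it specifies agrees with the packet."""
    for field in ("src", "dst"):
        if field in rule:
            network = ipaddress.ip_network(rule[field])
            if ipaddress.ip_address(packet[field]) not in network:
                return False
    return rule.get("proto") in (None, packet["proto"])


class Chain:
    """Model of one built-in chain with a default policy."""

    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []

    def insert(self, rule):      # iptables -I CHAIN ...  (goes to position 1)
        self.rules.insert(0, rule)

    def append(self, rule):      # iptables -A CHAIN ...  (goes to the end)
        self.rules.append(rule)

    def flush(self):             # iptables -F
        self.rules.clear()

    def verdict(self, packet):
        for rule in self.rules:  # first matching rule decides
            if matches(rule, packet):
                return rule["target"]
        return self.policy       # nothing matched: the chain policy applies


ME, NEIGHBOUR = "192.168.208.18", "192.168.208.6"
PING = {"src": ME, "dst": NEIGHBOUR, "proto": "icmp"}


def icmp_rule(target):
    return {"src": ME, "dst": NEIGHBOUR, "proto": "icmp", "target": target}


def replay_lab():
    """Return (step, verdict for the outgoing ping) after each lab step."""
    out = Chain()
    steps = [("empty chain", out.verdict(PING))]
    out.insert(icmp_rule("DROP"))
    steps.append(("-I DROP", out.verdict(PING)))
    out.insert(icmp_rule("ACCEPT"))                 # ACCEPT now sits above DROP
    steps.append(("-I ACCEPT", out.verdict(PING)))
    out.flush()
    out.insert(icmp_rule("DROP"))
    out.append(icmp_rule("ACCEPT"))                 # DROP is still checked first
    steps.append(("-I DROP then -A ACCEPT", out.verdict(PING)))
    steps.append(("tcp between same hosts", out.verdict(dict(PING, proto="tcp"))))
    out.flush()
    steps.append(("-F", out.verdict(PING)))
    return steps


if __name__ == "__main__":
    for step, result in replay_lab():
        print(f"{step:28} {result}")
```

After the `-I ACCEPT` step the DROP rule is still in the chain underneath, which `iptables -L` would show; only `iptables -F` removes it.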

Exp-18

Aim: Simulate DOS attack using Hping, hping3.

Theory:

hping – a Network Scanning Tool is a free packet generator and analyzer for the
TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez).

It is one type of a tester for network security. It is one of the de facto tools for
security auditing and testing of firewalls and networks and was used to exploit the
idle scan scanning technique (also invented by the hping author), and now
implemented in the Nmap Security Scanner.

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface
is inspired by the ping(8) unix command, but hping isn’t only able to send ICMP
echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a
traceroute mode, the ability to send files over a covert channel, and many
other features.


While hping was mainly used as a security tool in the past, it can be used in many
ways by people that don’t care about security to test networks and hosts. A subset
of the stuff you can do using hping:

• Firewall testing
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Manual path MTU discovery
• Advanced traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing
• hping can also be useful to students that are learning TCP/IP.

Methodology:

In order to perform this project, we will need to set up two systems, the attacker
and the victim. For the attacker, we will use Kali Linux and for the victim, we will
use Windows. In order to isolate these environments, we will use virtual machines
(VirtualBox).
To set up the environment, we need to:
Download and install VirtualBox. Download Kali Linux ISO (1GB).
a. Create a new virtual machine called Kali Linux and give it 1GB
RAM and set the network adapter to Host Only. Install Kali Linux iso
file in the virtual machine and boot it up.

b. Create another virtual machine and repeat the above step again.

1. Simple SYN flood – DoS:

On attacker’s side, type the command given below:

Syntax Explanation:

1. hping3 = Name of Binary Application
2. -S = SYN packets only.
3. --flood = Sending packets as fast as possible, without taking
care to show incoming replies.
4. 192.168.56.101 = Destination IP address or target machine's IP address.

At the victim's side, we can observe that a huge number of TCP SYN packets come
in a very short time interval. This could be traced by using the Wireshark tool.

2. Simple SYN flood with spoofed IP – DoS :

On attacker’s side, type the command given below:

Syntax Explanation:

1. hping3 = Name of Binary Application
2. -S = SYN packets only.
3. --flood = Sending packets as fast as possible, without taking
care to show incoming replies.
4. --rand-source = Using Random Source IP Addresses. You can
also use -a or --spoof to hide hostnames.
5. 192.168.56.1 = Destination IP address or target machine's IP address.

At the victim's side, we can observe that a huge number of TCP SYN packets come
from random IP addresses in a very short time interval. This could be traced by using
the Wireshark tool.

3. Simple ICMP Flood with Spoofed IP – DoS:

On attacker’s side, type the command given below:

Syntax Explanation:

1. hping3 = Name of Binary Application
2. --icmp = ICMP Mode.
3. --flood = Sending packets as fast as possible, without taking
care to show incoming replies.
4. --rand-source = Using Random Source IP Addresses. You can
also use -a or --spoof to hide hostnames.
5. -p = Destination Port
6. 192.168.56.101 = Destination IP address or target machine's IP address.

At the victim's side, we can observe that a huge number of ICMP packets come in
a very short time interval. This could be traced by using the Wireshark tool.

4. Simple UDP Flood with Spoofed IP – DoS:

On attacker’s side, type the command given below:

Syntax Explanation:

1. hping3 = Name of Binary Application
2. -2 = UDP Mode.
3. --flood = Sending packets as fast as possible, without taking
care to show incoming replies.
4. -a = Spoof Source IP Addresses.
5. 192.168.56.101 = Destination IP address or target machine's IP address.
6. 192.168.56.102 = Source IP address
7. -p = Destination Port

At the victim's side, we can observe that a huge number of UDP packets come in
a very short time interval. This could be traced by using the Wireshark tool.

5. Checking port:

On attacker’s side, type the command given below:

Here hping3 will send a SYN packet to a specified port (80 in our example). We
can also control from which local port the scan will start (5050).

Syntax Explanation:

1. hping3 = Name of Binary Application
2. -p = Destination Port
3. -s = Base Source Port
4. -V = Verbose Mode

6. Traceroute to a determined port:

On attacker’s side, type the command given below:

A nice feature of Hping3 is that you can do a traceroute to a specified port,
watching where your packet is blocked.

Syntax Explanation:

1. hping3 = Name of Binary Application
2. -p = Destination Port
3. -s = Base Source Port
4. -V = Verbose Mode
5. --traceroute = Traceroute Mode

Conclusion:

DoS attacks affect availability of resources. DoS attack is simulated using Hping3
and resources are monitored using Wireshark.
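The victim-side observations in this experiment (a huge number of SYN packets in a very short interval, from one address or from random addresses) can be checked automatically instead of by eye. The following is an added example, not part of the original manual: it counts SYN-only packets per destination in one-second windows and notes whether the sources look randomised. The packet records, window, threshold and the spoofing heuristic are constructed assumptions.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10   # TCP flag bits


def build_sample():
    """Constructed packet records (timestamp, src, dst, tcp_flags); not a real capture."""
    packets = []
    for i in range(200):    # many SYNs from a single source
        packets.append((10.0 + i * 0.001, "192.168.56.102", "192.168.56.101", SYN))
    for i in range(200):    # many SYNs, every one from a different source
        src = f"10.{i}.{(i * 7) % 250}.{1 + i}"
        packets.append((20.0 + i * 0.001, src, "192.168.56.1", SYN))
    for i in range(3):      # ordinary clients: one SYN, then an ACK
        packets.append((30.0 + i, "192.168.56.20", "192.168.56.50", SYN))
        packets.append((30.1 + i, "192.168.56.20", "192.168.56.50", ACK))
    return packets


def detect_syn_floods(packets, window=1.0, threshold=100):
    """Return one alert per (destination, time window) that saw too many bare SYNs."""
    buckets = defaultdict(lambda: {"syn": 0, "sources": set()})
    for ts, src, dst, flags in packets:
        if (flags & 0x3F) == SYN:                   # SYN set and nothing else
            bucket = buckets[(dst, int(ts // window))]
            bucket["syn"] += 1
            bucket["sources"].add(src)

    alerts = []
    for (dst, slot), bucket in sorted(buckets.items()):
        if bucket["syn"] >= threshold:
            alerts.append({
                "dst": dst,
                "window_start": slot * window,
                "syn_count": bucket["syn"],
                "distinct_sources": len(bucket["sources"]),
                # Heuristic: roughly one packet per source suggests random source IPs,
                # so blocking a single address will not help.
                "likely_spoofed": len(bucket["sources"]) > bucket["syn"] // 2,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_floods(build_sample()):
        print(alert)
```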

Exp-19

Aim: SQL injection attack, Cross-Site Scripting attack simulation.

Theory:

Sqlmap for sql injection attack:

Sqlmap is written in python, so the first thing you need is the python interpreter.
Download the python interpreter from python.org. There are two series of
python, 2.7.x and 3.3.x. Sqlmap should run fine with either. So download and install.
Next download the sqlmap zip file from sqlmap.org. Extract the zip files
in any directory. Launch the dos prompt and navigate to the directory of
sqlmap.
Now run the sqlmap.py script with the python interpreter. Start with a simple
command:

sqlmap.py -u <URL to inject>

sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1
Use --time-sec to speed up the process in case of slow server responses:
sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15

It will show the Mysql version along with useful information about the database.

Database
Obtain the names of available databases by adding --dbs to
the previous command:
sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

Tables
Specify the desired database using -D and tell SQLmap to list the
tables using the --tables command.
sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

Columns
Specify the database using -D, table using -T and columns using --columns:
sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists --columns

Data
As usual, use -D for database, -T for table, -C for column and --dump for data.
The final command to fetch data will appear as shown below:
sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T artists -C aname --dump

Conclusion: The Sqlmap tool is useful for identifying SQL injection vulnerabilities and the
need for input validation.
