List of Experiments

Sr.No. Experiments Name

1 Study the use of network reconnaissance tools like WHOIS, dig, traceroute, nslookup
to gather information about networks and domain registrars.

2 Study of packet sniffer tools like wireshark, ethereal, tcpdump etc. Use the tools to do
the following
1. Observer performance in promiscuous as well as non-promiscous mode.
2. Show that packets can be traced based on different filters.

3 Download and install nmap. Use it with different options to scan open ports, perform
OS fingerprinting, do a ping scan, tcp port scan, udp port scan, etc.
4 Detect ARP spoofing using open source tool ARPWATCH.

5 Use the Nessus tool to scan the network for vulnerabilities.

6 Implement a code to simulate buffer over flow attack.

7 Setup IPSEC under LINUX

8 Install IDS (e.g. SNORT) and study the logs.

9 Use of ip tables in linux to create firewalls.

10 Mini project

1
 Experiment No.1
Aim: Study the use of network reconnaissance tools like WHOIS, dig, traceroute, nslookup to
gather information about networks and domain registers

1. Objectives:To know how to gather information about the networks by using different n/w
reconnaissance tools.

2. Outcomes:The learner will be able to:-

• Understand, identify, analyze and design the problem, implement the same
using current techniques, skills, and tools and validate the solution
including both hardware and software.
• Use network-based tools for network analysis.

3. Hardware/Software Required: WHOIS client

4.Theory:

1.Whois – whois searches for an object in a WHOIS database. WHOIS is a query and
response protocol that is widely used for querying databases that store the registered usersof
an Internet resource, such as a domain name or an IP address block, but is also used for a
wider range of other information. Most modern versions of whois try to guess theright server
to ask for the specified object. If no guess can be made, whois will connect to
whois.networksolutions.com for NIC handles or whois.arin.net for IPv4 addresses and
network names.

Examples:

• Obtaining the domain WHOIS record for computer solutions.com

• WHOIS record by IP querying

• Querying WHOIS in google search engine

2. Dig-Dig is a networking tool that can query DNS servers for information.It can be very
helpful for diagnosing problems with domain pointing and is a good way to verify that your
configuration is working.The most basic way to use dig is to specify the domain we wish toquery:
dig example.com

2
3. Traceroute- Traceroute prints the route that packets take to a network host. Traceroute
utility uses the TTL field in the IP header to achieve its operation. For users who are new
to TTL field, this field describes how much hops a particular packet will take while traveling
on network. So, this effectively outlines the life time of the packet on net work.This field is
usually set to 32 or 64. Each time the packet is held on an intermediate router, it decreases
the TTL value by 1. When a router finds the TTL value of 1 in a received packet then that
packet is not forwarded but instead discarded. After discarding the packet, router send san
ICMP error message of―Time exceeded‖ back to the source from where packet generated.
The ICMP packet that is sent back contains the IP address of the router. So now it can be
easily understood that trace route operates by sending packets with TTL value starting
from1and then incrementing by one each time. Each time a router receives the packet, it
checks the TTL field, if TTL field is 1 then itdiscards the packet and sends the ICMP error
packet containing its IP address and this is what traceroute requires. So traceroute
incrementally fetches the IP of all the routers between the source andthe destination.

Example: traceroute example.com

Traceroute to example.com(64.13.192.208),64 hopsmax,40 byte

Packets 172.10.62.1(72.10.62.1)1.000 ms 0.739 ms 0.702ms

210.101.248.1(10.101.248.1)0.683ms 0.385ms 0.315ms

310.104.65.161(10.104.65.161)0.791ms 0.703ms 0.686ms

410.104.65.161(10.104.65.161)0.791ms 0.703ms 0.686ms

510.0.10.33(10.0.10.33)2.652ms 2.260ms 5.353ms

6 acmkokeaig.gs 01.gridserver.com(64.13.192.208)3.384ms 8.001ms 2.439ms

4. Nslookup- The nslookup command is used to query internet name servers interactively
for information. nslookup,which stands for "name server lookup",Is a useful tool for finding
out information about a named domain. By default, nslookup will translate a domain name
to an IP address(or viceversa).For instance, to find out what the IP address of
microsoft.comis,you could run the command:

nslookupmicrosoft.com
Server: 8.8.8.8
Address:8.8.8.8#53
Non-authoritative
answer: Name:
microsoft.com
Address:134.170.185.46

3
Here, 8.8.8.8 is the address of our system's Domain Name Server. This is the server our system
Is configured to use to translate domain names into IP addresses. "#53" indicates that weare
communicating with it on port 53, which is the standard port number domain name servers
use to accept queries. Below this, we have our lookup information formicrosoft.com. Our
nameserver returned two entries, 134.170.185.46 and 134.170.188.221. This indicates that
microsoft.com uses a round robin setup to distribute server load. When you access
micrsoft.com,youmaybe directed to either of these servers and your packets will be routed to
the correct destination.You can see that we have received a "Non- authoritative answer" to
our query. An answer is "authoritative" only if our DNS has the complete zone file information
for the domain in question.More often,our DNS will have acache of information representing
the last authoritative answer it received when it made a similar query, this information is
passed on to you, but the server qualifies it as "non- authoritative": the information was
recently received from an authoritative source, but the DNS server is not itself that authority.
Using nslook upto enumerate basic mx records

4. Conclusion:
In this experiment you learned how to take the first steps toward ethical hacking. Information
gathering, in the form of reconnaissance, foot printing, and social engineering, is necessary to
learn as much about the target as possible. By following the information-gathering
methodology, ethical hackers can ensure they are not missing any steps and valuable
information.Time spent in the information- gathering phase is well worth it to speed up and
produce successful hacking exploits

4
 Experiment No.2
1. Aim:Study of packets niffer tools like wireshark, ethereal, tcp dump etc

2. Objectives: To observe the performance in promiscuous & non-promiscuous mode &

to find the packets based on different filters.

3. Outcomes:The learnerwill be ableto:-

• Identify different packets moving in/out of network using packet sniffer for network
analysis.
• Understand professional, ethical, legal, security and social issues and
responsibilities. Also will be able to analyze the local and global impact of
computing on individuals, organizations, and society.
• Match the industry requirements in the domains of Database management,
Programming and Networking with the required management skills.

4. Hardware/SoftwareRequired:Wireshark,Etherealandtcpdump.

5. Theory:
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real
time and display them in human-readable format. Wireshark includes filters, color-coding
andother features that let you dig deep into network traffic and inspect individualpackets.

Applications:
• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• Peopleuseittolearnnetworkprotocolinternalsbesidetheseexamplescanbe helpful in
many other situations too.

Features:

The following are some of the many features wire shark provides:
• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark,
and a number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
5
 • Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.

CapturingPackets

After downloading and installing wireshark, you can launch it and click the name of an
interface under Interface List to start capturing packets on that interface. For example, if you
want to capture traffic on the wireless network, click your wireless interface. You can configure
advanced features by clicking Capture Options.

As soon as you click the interface‘s name, you‘ll see the packets start to appear in realtime.
Wireshark captures each packet sent to or from your system. If you‘re capturing on awireless
interface and have promiscuous mode enabled in your capture options, you‘ll also see other the
other packets on the network.

6
Click the stop capture button near the top left corner of the window when you want to stop capturing
traffic.

Wireshark uses colors to help you identify the types of traffic at a glance. By default, green
is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP
packets with problems — for example, they could have been delivered out-of-order.

7
Filtering Packets

If you‘re trying to inspect something specific, such as the traffic a program sends when
phoning home, it helps to close down all other applications using the network so you can
narrow down the traffic. Still, you‘ll likely have a large amount of packets to sift through.
That‘s where Wireshark‘s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window
and clicking Apply (or pressing Enter). For example, type ―dns‖ and you‘ll see only DNS
packets. When you start typing, Wireshark will help you autocomplete your filter.

Anotherr interesting thing you can do is right-click a packet and select Follow TCP Stream.

8
 You‘ll see the full conversation between the client and the server.

Close the window and you‘ll find a filter has been applied automatically — Wire shark is
showing you the packets that make up the conversation.

9
Inspecting Packets
Click a packet to select it and you can dig down to view its details.

10
You can also create filters from here—just right-click one of the details and use the Apply as
Filter sub menu to create a filter based on it.

Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of
what you can do with it. Professionals use it to debug network protocol implementations,
examine security problems and inspect network protocol internals.

1. Conclusion:
In this experiment we analyze various packet sniffing tools that monitor network traffic
transmitted between legitimate users or in the network. The packet sniffer is network
monitoring tool. It is opted for network monitoring, traffic analysis, troubleshooting,
Packet grapping, message, protocol analysis, penetration testing and many other
purposes.

11
 Experiment No.3
1. Aim: Download and install n map. Use it with different options to scan open ports,
perform OS fingerprinting, do a ping scan, tcp port scan, udp port scan, etc.

2. Objectives:objectiveofthismoduletolearnnmapinstallation&usethistoscan different
ports.

3. Outcomes:The learner will be ableto:-

• Scan the network using scanning techniques available in NMAP.
• Use current techniques, skills, and tools necessary for computing practice

4. Hardware/Software Required: NMAP Tool

5. Theory:
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known
by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer
network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially
crafted packets to the target host and then analyzes the responses. Unlike many simple port
scanners that just send packets at some predefined constant rate, Nmap accounts for the
network
conditions (latency fluctuations, network congestion, the target interference with the scan)
during the run. Also, owing to the large and active user community providing feedback and
contributing to its features, Nmap has been able to extend its discovery capabilities beyond
simply figuring out whether a host is up or down and which ports are open and closed; it can
determine the operating system of the target, names and versions of the listening services,
estimated uptime, type of device, and presence of a firewall.

Nmap features include:

Host Discovery – Identifying hosts on a network. For example, listing the hosts which
respond to pings or have a particular port open.

Port Scanning –Enumerating the open ports on one or more target hosts.

Version Detection – Interrogating listening network services listening on remote devices

to determine the application name and version number.

OS Detection–Remotely determining the operating system and some hardware characteristics o f

network devices.

Basic commands working in Nmap

12
 For targetspecifications:
nmap<target‘s URL or IP with spaces between them>
For OS detection:
nmap-O<target-host's URL or IP>
For version detection:
nmap-s V<target-host's URL or IP>

After the installation of nmap:>sudoapt-getinstallnmap

SYN scan is the default and most popular scan option for good reasons.It can be performed
quickly,scanning thousands of ports per second on a fast net work not hampered by restrictive
firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP
connections.

FIN scan(-sF)

Sets just the TCP FIN bit.

13
-sV (Version detection) :Enables version detection, as discussed above. Alternatively, we can
use -A, which enables version detection among other things.

14
-PO protocol list(IP Protocol Ping) :
The newest host discovery option is the IP protocol ping, which sends IP packets with the
specified protocol number set in their IP header. The protocol list takes the same format as do
port lists in the previously discussed TCP, UDP and SCTP host discovery options.

-p port ranges (Only scan specified ports) .

This option specifies which ports you want to scan and overrides the default. Individual port
numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/orend
values of a range may be omitted, causing Nmap to use 1 and 65535, respectively.

15
-sO(IPprotocolscan).
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are
supported by target machines. This isn´t technically a port scan, since it cycles through IP
protocol numbers rather than TCP or UDP port numbers.

--open(Show only open (orpossiblyopen) ports).

Sometimes you only care about ports you can actually connect to(openones),and don´t want
results cluttered with closed, filtered, and closed| filtered ports.
16
-pportranges (Only scan specified ports) :
This option specifies which ports you want to scan and overrides the default. Individual port
numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/orend
values of a range may be omitted, causing Nmap to use 1 and 65535, respectively.

17
-sT (TCP connect scan) .
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the
case when a user does not have raw packet privileges or is scanning IPv6 networks. Insteadof
writing raw packets as most other scan types do, Nmap asks the underlying operating system
to establish a connection with the target machine and port by issuing the connect system call.
Along with spoofing.

Null scan (-sN):

Does not set any bits (TCP flagheader is 0)

18
--top-ports<integer of1 or greater>
Scans the N highest-ratioports found in nmap-services file.

19
-PSport list(TCP SYN Ping) .

This option sends an empty TCP packet with the SYN flag set.The default destination port is
80(configurableeat compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC in
nmap.h).Alter nate port scanbespecifiedasaparameter.Thesyntaxisthesameasforthe
-p except that port type specifiers like T:are not allowed.

nmap –iflist

host interface and routein formation with nmap by using―–if list ‖ option.

20
Conclusion:

Networkscanningprovidesawealthofinformationaboutthetargetnetwork,whichis
valuable regardless of whether you're trying to attack the network or protect it from
attack. While performing a basic scan is a simple matter, the network scanners covered
in this experiment provide a wide array of options to tweak your scan to achieve the
best results. Nmap is used to detect IP spoofing and port scanning.

21
 Experiment No.4
Aim:Detect ARP spoofing using open source tool ARPWATCH.

1. Objectives:Objective of the module to find ARP spoofing using open source.

2. Outcomes: The learner will be able to:-

• Identify network vulnerability with tool usage.

• Also recognize the need of such tool to identify ARP spoofing, and an
ability to engage in life-long learning to exploit gained skills and
knowledge of contemporary issues.

3. Hardware/SoftwareRequired:ARP WATCH Tool

4. Theory:

Arpwatch Commands and Usage

To watch a specific interface,type the following command with‗-i‗and device name.

So, whenever a new MAC is plugged or a particular IP is changing his MAC address on the
network,you will notice syslog entries at‗/var/log/syslog‗or‗/var/log/message‗file.

Sample Output

The above output displays new workstation. If any changes are made, you will get following
output.

You can also check current ARP table, by using following command.
22
Sample Output:

If you want to send alerts to your custom email id,then open the main configuration
file‗/etc/sysconfig/arpwatch‗ and add the email as shown below.

Here is an example of an email report, when a new MAC is connected on.

23
 Conclusion:

Arp watch is a software or program tool for monitoring Address Resolution Protocol traffic on a
computer network. Its main goal is to detect arp poisoning attacks like (e.g. ARP Poisoning, Ettercap,
and Net cut) also detect intruders in your network by sending an email to an administrator when new
Ethernet MAC addresses seen on the network.

24
 ExperimentNo.5
1. Aim: Use the Nessus tool to scan the network for vulnerabilities.

2. Objectives: Objective of the module is scan system and network analysis.

3. Outcomes: The learner will be able to:-usage.

• Identify network vulnerability with tool

• Use current techniques, skills, and tools to find out different vulnerabilities
and the counter measures for identified vulnerabilities.

4. Hardware / Software Required : Nessus Vulnerability Scanner | Tenable Network

Security tool

5. Theory:
Nessus is aproprietary comprehensive vulnerability scanner which is developed by Tenable
Network Security. It is free of charge for personal use in a non-enterprise environment.
Operation

• Nessus allows scans for the following types of vulnerabilities:

• Vulnerabilities that allow a remote hacker to control or access sensitive data
on a system.
• Misconfiguration(e.g. open mail relay, missing patches, etc.).

Default passwords, a few common passwords, and blank/absent passwords on some system
accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.Denials of
service against the TCP/IP stack by using malformed packets

Preparation for PCI DSS audits

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the
scanning, and nessus, the client, which controls scans and presents the vulnerability results to
theuser.In typical operation,Nessus begins by doing a port scan with one of its four internal
Security

25
port scanners (or it can optionally use AmapM[4] or Nmap[5]) to determine which ports are
open on the target and then tries various exploits on the open ports. The vulnerability tests,
available as subscriptions, are written in NASL(Nessus Attack Scripting Language), a scripting
language optimized for custom network interaction. Tenable Network Security produces
several dozen new vulnerability checks (called plugins) each week, usually on a daily basis.
These checks are available for free to the general public; commercial customers are not allowed
to use this Home Feed any more. The Professional Feed (which is not free) also give access to
support and additional scripts (e.g. audit files, compliance tests, additional vulnerability
detection plugins). Optionally, the results of the scan can be reported in various formats, such
as plain text, XML, HTML and LaTeX. The results can also be saved in a knowledge base for
debugging. On UNIX, scanning can be automated through the use of a command-line client.
There exist many different commercial, free and open source tools for both UNIX and
Windows to manage individual or distributed Nessus scanners. If the user chooses to do so (by
disabling the option 'safe checks'), some of Nessus' vulnerability test may try to cause
vulnerable services or operating systems to crash. This lets a user test the
resistanceofadevicebeforeputtingitinproduction.Nessusprovidesadditionalfunctionality
beyond testing for known network vulnerabilities. For instance, it can use Windows
credentialstoexaminepatchlevelsoncomputersrunningtheWindowsoperatingsystem,and can
perform password auditing using dictionary and brute force methods. Nessus 3 and later can
also audit systems to make sure they have been configured per a specific policy, such as the
NSA's guide for hardening Windows servers.

Basic Network scanning:

26
Advanced scanning in general search:

Ntstat portscanning:

27
Vulnerability Mapping:

Policies:

28
Plugins:

General Scanning:

29
30
Port Scanning:

Conclusion:

Running a security scanner against your systems is a very important part of the job. It is a
system administrator or security officer‘s job to keep their systems secure and the data
contained in them safe. Hackers have access to all the same information and tools that the rest
of us do. Hackers run the very same tools and it is advantageous to know what the results are
that they see if they scan your system. They find time to do the research, so we must also.
Nessus provides a lot of functionality in one tool. It utilizes Nmap, easy to update plug-ins, and
nice reporting tools for upper management. It is has repeatedly scored high on comparisons
between scanners including commercial scanners that come with a hefty price tag. And of
course as budgets tighten, remember Nessus is a free tool. The only cost is the users time in
learning it and using it, but that is a cost associated with all tools. And luckily Nessus is an
easy to learn tool. Using this tool and seeing the vulnerabilities will help you gain knowledge
of your systems and help teach you how to protect them.

31
 Experiment No.6
1. Aim: Implement a code to simulate buffer overflow attack.

2. Objectives: Objective of the module Is to check buffer overflow in an NS2

environment

3. Outcomes: The learner will be able to:-

• Identify different type of types of buffer overflow vulnerabilities and

attacks, and survey the various defensive measures that mitigate buffer
overflow vulnerabilities.
• Identify the use higher-level programming languages that are stronglytype,
does not allow direct memory access and are effective countermeasure to
avoid buffer overflow attack.
• Engage in life-long learning to exploit gained skills and knowledge of
contemporary issues.

4. Hardware/Software Required : Stack Guard compiler.

5. Theory:
A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a
buffer, overruns the buffer's boundary and overwrites adjacent memory locations. This is a
special case of the violation of memory safety.

A buffer overflow occurs when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold.

Buffer overflow:

Code:
#include <stdio.h>
#include<string.h>

int main(void)
{
char
buff[15];
int pass = 0;
printf("\n Enter the password:\n");

32
 gets(buff);
if(strcmp(buff,"the correct paswd"))
{
printf("\nWrong Password\n");
}
else
{

printf("\nCorrect Password\n"); pass

= 1;
}
if(pass)
{
/* Now Give root or admin rights to user*/
printf("\nRoot privileges given to the user\n");
}
return0;
}

Output :

>>administrator@PIIT-05:~/Desktop/me CS pracs$ gcc -Wall -fno-stack-protector

bufferoverflow.c -o

>>bufferoverflow

The above command deactivates the default GC Compiler's flag which detects Stack
Smashing
>>administrator@PIIT-05:~/Desktop/meCSpracs$./bufferoverflow

>>Enterthepassword :

thewrong

Wrong Password

>>administrator@PIIT-05:~/Desktop/meCSpracs$ ./bufferoverflow

>>Enterthepassword :

Thecorrectpas
Wd CorrectPassword
Root privileges given to the user
33
administrator@PIIT-05:~/Desktop/meCSpracs$./bufferoverflow
Enter the password :
thewrongpasswordenteredWron
g Password
Root privileges given to the user

Here, the entered password length is above the permissible length with wrong contents
stillthe user is given the ROOT PRIVILEDGES. This demonstrates the Buffer Overflow.

Conclusion:

Buffer overflow has been the most exploited vulnerability for more than a decade. Buffer overflow
vulnerabilities are the most common way to gain control of a remote host. Attacker can insert and
execute attack code. Error is made at program creation,is invisible to user. StackGuard is a systematic
compiler tool that prevents a broad class of buffer overflow security attacks from succeeding.

34
 Experiment No.7
1. Aim: Set up IPSEC under LINUX.

2. Objectives: Objective of the module for implementing security vulnerabilities

3. Outcomes: The learner will be able to:-

• Recognition of the need for end-to-end security.

• Install and understand different security mechanisms for network security
like firewall, IPSEC.
• Engage in continuing professional development and higher studies.

4. Hardware/Software Required: L2TP/IPsec VPN client setup

5. Theory:
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session.
IPsec includes protocols for establishing mutual authentication between agents at the beginning
of the session and negotiation of cryptographic keys to be used during the session. IPsec can
be used in protecting data flows between a pair of hosts (host-to-host), between a pair of
security gateways (network-to-network), or between a security gateway and a host (network-
to-host).
Internet Protocol security (IPsec) uses cryptographic security services to protect
communications over Internet Protocol (IP) networks. IPsec supports network-level peer
authentication, data origin authentication, data integrity, data confidentiality(encryption),and
replay protection.
IP sec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol
Suite, while some other Internet security systems in widespread use, such as Transport Layer
Security (TLS) and Secure Shell (SSH), operate in the upper layers at Application layer. Hence,
only IPsec protects any application traffic over an IP network. Applications can be
automatically secured by IPsec at the IP layer.

The following commands will add the werner-jaeger PPA into your repo's,and then install
the 'l2tp-ip sec-vpn' package:
>>sudoapt-add-repositoryppa:werner-jaeger/ppa-werner-vpn
>>sudo apt-get update
>>sudoapt-getinstalll2tp-ipsec-vpn
35
· Now, we will white list our system tray which will allow our newly installed package to
show up on our system tray:

>>gsettingssetcom.canonical.Unity.Panelsystray-whitelist"['all']"
• After whitelisting our system tray, it's imperative that you reboot/restart your
machine.
• Once your machine has rebooted, click on the new icon, and click 'Edit
Connections ...' from the menu.

• This will show the "VPN Connections" window. Click the "Add ..." button and set
the connection name to anything you'd like, e.g. "HostVPN-L2TP",and click
"OK".

• Now select your newly added connection, and click "Edit ...".
• On the IP Sec tab, set there mote server to the server name from your Host VPN
e-mail. Select the "Use pre-shared key for authentication" and enter your PSK from
the Host VPN e-mail.

36
· On the PPP tab, select "Allow these protocols", and ensure all are selected except "Microsoft
CHAP Version 2 (MS-CHAPv2)". Fill in the "User name:" and "Password:" fields with your
HostVPN username and password, and then click "OK". Now click "Close" on the "VPN
Connections" window.

37
 • Click on the L2TP/IPSec VPN icon in the systray again and click on the
connection name that we just created.

Conclusion:
IP sec is an end-to-end security scheme operating in the Internet Layer of the Internet
Protocol Suite.IP sec protects all application traffic over an IP network.Also IP sec
supports network-level peer authentication, data origin authentication, data integrity,
data confidentiality (encryption), and replay protection.

38
 Experiment No.8
1. Aim: Install IDS(e.g. SNORT)and study the logs.

2. Objectives: From this experiment, the student will be able to

3. Outcomes: The learner will be able to:-

• Simulate intrusion detection system using snort tool.

• To use current techniques, skills, and IDS tools necessary for computing
practice.
• Understand professional, ethical, legal, security and social issues and
responsibilities.

4. Hardware/Software Required:Snort tool.

5. Theory:
Snort is an intrusion detection system written by Martin Roesch. Snort is a lightweight network
intrusion detection system, capable of performing real-time traffic analysis and packet logging
on IP networks. It can perform protocol analysis, content searching/matching and can be used
to detect a variety of attacks and probes, such as buffer overflows, stealthport scans, CGI
attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules
language to describe traffic that it should collector pass,as well as a detection engine that
utilizes a modular plugin architecture.

Snort can be configured to run in three modes:

• Sniffer mode, which simply reads the packets off of the network and displays themfor
you in a continuous stream on the console (screen).

• PacketLogger mode,which logs the packets to disk.

• Network Intrusion Detection System (NIDS) mode, the most complex and
configurable configuration, which allows Snort to analyze network traffic for matches
against a user-defined rule set and performs several actions based upon what it sees.

• Inline mode, which obtains packets from iptables instead of from libpcap and then causes ip
tables to drop or pass packets based on Snort rules that use inline-specific ruletypes.

39
Sniffer Mode:

If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try
following, this command will run Snort and just show the IP and TCP/UDP/ICMP headers,
nothing else.

./snort–v

If you want to see the application data in transit, try the following, this instructs Snort to display
the packet data as well as the headers.

./snort–vd

If you want an even more descriptive display, showing the data link layer headers, do this:
./snort-vde

PacketLoggerMode:
If you want to record the packets to the disk, you need to specify a logging directory and Snort
will automatically know to go into packet logger mode:

./snort-dev-l ./log

Of course, this assumes you have a directory named log in the current directory. If you don't,
Snort will exit with an error message. When Snort runs in this mode, it collects every packetit
sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the
datagram.

If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of
the remote computer as the directory in which it places packets and sometimes it uses the local
host address. In order to log relative to the home network, you need to tell Snort which network
is the home network:

40
./snort-dev-l ./log -h 192.168.1.0/24

This rule tells Snort that you want to print out the data link and TCP/IP headers as well as
application data into the directory ./log, and you want to log the packets relative to the
192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the
log directory, with the directory names being based on the address of the remote (non-
192.168.1) host.

Note: Note that if both the source and destination hosts are on the home network, they are
logged to a directory with a name based on the higher of the two port numbers or, in the case
of a tie, the source address.

Oncethepacketshavebeenloggedtothebinaryfile,youcanreadthepacketsbackoutofthe file with

any sniffer that supports the tcpdump binary format (such as tcpdump or Ethereal). Snort
canalsoreadthepacketsbackby usingthe -rswitch,which puts itinto playbackmode. Packets from
any tcpdump formatted file can be processed through Snort in any of its run modes. For
example, if you wanted to run a binary log file through Snort in sniffer mode to dump the
packets to the screen, you can try something like this:

./snort -dv-r packet.log

You can manipulate the data in the file in a number of ways through Snort's packet logging and
intrusion detection modes, as well as with the BPF interface that's available from the command
line. For example, if you only wanted to see the ICMP packets from the log file, simply specify
a BPF filter at the command line and Snort will only see the ICMP packets in the file:

./snort -dvrpacket.log icmp

Network Intrusion Detection System(NIDS) mode:

To enable Network Intrusion Detection System (NIDS) mode so that you don't record every
single packet sent down the wire, try this:

41
./snort -dev-l ./log-h 192.168.1.0/24 -c snort.conf

Where snort.conf is the name of your rules file. This will apply the rules configured in the
snort.conf file to each packet to decide if an action based upon the rule type in the file should
be taken. If you don't specify an output directory for the program, it will default to
/var/log/snort.

One thing to note about the last command line is that if Snort is going to be used in a long term
way as an IDS, the -v switch should be left off the command line for the sake of speed. The
screen is a slow place to write data to, and packets can be dropped while writing to the display.

It's also not necessary to record the data link headers for most applications, so you can usually
omit the -e switch, too.

./snort-d-h 192.168.1.0/24-l ./log-c snort. conf

This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules
specified in the snort.conf in plain ASCII to disk using a hierarchical directory structure (just
like packet logger mode).

Inline Mode:

Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of Snort Inline into
the official Snort project. Snort Inline obtains packets from iptables instead of libpcap and then
uses new rule types to help iptables pass or drop packets based on Snort rules.

There are three rule types you can use when running Snort with Snort Inline:

• drop- The drop rule type will tell ip tables to drop the packet and log it via usual Snort
means.
• reject- The reject rule type will tell iptables to drop the packet, log it via usual Snort
means, and send a TCP reset if the protocol is TCP or an icmp port unreachable if the
protocol is UDP.
• sdrop- The sdrop rule type will tell iptables to drop the packet. Nothing is logged.

42
When using are ject rule, there are two options you can use to send TCP resets:

- You can use a RAW socket (the default behavior for Snort Inline), in which case you
must have an interface that has an IP address assigned to it. If there is not an interface with
an IP address assigned with access to the source of the packet, the packet will be logged
and the reset packet will never make it onto the network.

- You can also now perform resets via a physical device when using iptables. We take the
indev name from ip_queue and use this as the interface on which to send resets. We no
longer need an IP loaded on the bridge, and can remain pretty stealthy as the config
layer2_resets in snort_inline.conf takes a source MAC address which we substitue for the
MAC of the bridge.

For example:

configlayer2resets

tells Snort Inline to use layer2 resets and uses the MAC address of the bridge as thesource
MAC in the packet, and:

configlayer2resets:00:06:76:DD:5F:E3

will tell Snort Inline to use layer2 resets and uses the source MAC of 00:06:76:DD:5F:E3
in the reset packet.

- The command-line option -disable-inline-initialization can be used to not initialize IP

Tables when in inline mode. To be used with command-line option -T to test for a valid
configuration without requiring opening inline devices and adversely affecting traffic
flow.

Conclusion:
SNORT is an open source network intrusion prevention and detection system utilizing
a rule-driven language, which combines the benefits of signature, protocol and anomaly
based inspection methods.

43
 Experiment No.9
1. Aim: Use of iptables in linux to create firewalls

2. Objectives: To study how to create and destroy firewall security parameters.

3. Outcomes: The learner will be able to:-

• Recognize the need for having a security on host side by controlling

incoming / outgoing traffic using the acquired skills and knowledge.
• Design rules for the INPUT/OUTPUT/FORWARD chain.

4. Hardware/Software Required:

5. Theory:
IP tables are the tables provided by the Linux kernel firewall (implemented as different Netfilter
modules) and the chains and rules it stores. Different kernel modules and programs
arecurrentlyusedfordifferentprotocols;iptablesappliestoIPv4,ip6tablestoIPv6,arptables to ARP,
and ebtables to Ethernet frames.

iptables requires elevated privileges to operate and must be executed by user root, otherwiseit
failstofunction.OnmostLinuxsystems,iptablesisinstalledas/usr/sbin/iptables and documented in
its man pages which can be opened using man iptables when installed. It may also be found in
/sbin/iptables, but since iptables is more like a service rather than an "essential binary", the
preferred location remains /usr/sbin.

1. To drop all traffic:

#sudoiptables-PINPUT DROP

#sudoiptables -POUTPUTDROP

#sudoiptables-PFORWARDDROP #
sudoiptables -L -v –n

44
2. Only Block IncomingTraffic

To drop all incoming/forwarded packets, but allow outgoing traffic,

# sudoiptables -P INPUT DROP

#sudoiptables-PFORWARDDROP

#sudoiptables -POUTPUTACCEPT

#sudoiptables-AINPUT-mstate—state NEW,ESTABLISHED-jACCEPT #

sudoiptables -L -v –n

3. BlockOutgoingIPaddress

host -t a hostname

sudoiptables-AOUTPUT-doutgoingipaddress -j DROP

4. Blockor Allow ICMP ping request

sudoiptables-AINPUT-picmp--icmp-typeecho-request-j DROP/ACCEPT

Conclusion:

There are many other firewall utilities and some that may be easier, but iptables is a
good learning tool, if only because it exposes some of the underlying netfilterstructure
and because it is present in so many systems.

45
 Experiment No.10
1. Aim: Mini Project

2. Objectives: To implement Networking concepts.

3. Outcomes: The learner will be able to:-

• Understand, identify, analyze and design the engineering problems,

implement the same using current techniques, skills, and tools and validate
the solution including both hardware and software.
• Understand, identify vulnerabilities related to network security and also
present and communicate the countermeasures for the same.
• Able to recognize the need of studied tools to exploit/ cover network threats
and attacks with the gained skills and knowledge that is useful for life-long
learning.

4. Hardware/Software Required: Tools required for performing network analysis

based on the mini- project.

5. Theory:

1. For mini-project group of 3 students is formed.

2. The students are required to make use of utilities and tools available for
network analysis.
3. The student also needs to provide the counter measures available for security
threats encountered during scanning of host and network.

Conclusion:

The implementation of mini project will provide the student opportunity to explore even
other available tools for performing network analysis and finding vulnerability, threats
and attack on the host and network.

46