
Network Security Manual_ccs354 (Edited)

The document outlines the curriculum for the CCS354 Network Security Laboratory course at Sri Rangapoopath College of Engineering, detailing various experiments related to network security, including symmetric and asymmetric key algorithms, digital signature schemes, and the use of tools like Wireshark and TCPDump. Each experiment includes an aim, algorithm, program code, and results demonstrating successful implementation. The document serves as a practical guide for students to learn and apply network security concepts through hands-on experience.

Uploaded by

dkarthibala

DEPARTMENT OF COMPUTER SCIENCE

AND ENGINEERING

CCS354- NETWORK SECURITY LABORATORY

REG.NO…………………………………..…
NAME……………………………………….
SRI RANGAPOOPATHI COLLEGE OF ENGINEERING
Alampoondi-604 151, Gingee - TK

BONAFIDE CERTIFICATE
NAME :

YEAR/SEM : Third / Sixth

BRANCH : Computer Science and Engineering

SUBJECT CODE : CCS354

SUBJECT NAME : NETWORK SECURITY LAB

REGISTER NO. :

Certified that this is a bonafide record of work done by the above student in the

CCS354 – NETWORK SECURITY LABORATORY during the Academic year

Signature of Staff in charge Head of the Department

Submitted for the Practical Examination Held On

Internal Examiner External Examiner


TABLE OF CONTENTS

S.NO.   DATE   EXPERIMENT TITLE   MARKS/10   SIGN.

1.     IMPLEMENT SYMMETRIC KEY ALGORITHMS
2(A).  IMPLEMENT ASYMMETRIC KEY ALGORITHMS AND KEY EXCHANGE ALGORITHMS – RSA ALGORITHM
2(B).  IMPLEMENT ASYMMETRIC KEY ALGORITHMS AND KEY EXCHANGE ALGORITHMS – DIFFIE-HELLMAN
       KEY EXCHANGE ALGORITHM
3.     IMPLEMENT DIGITAL SIGNATURE SCHEMES
4.     INSTALLATION OF WIRESHARK, TCPDUMP AND OBSERVE DATA TRANSFERRED IN CLIENT-SERVER
       COMMUNICATION USING UDP/TCP AND IDENTIFY THE UDP/TCP DATAGRAM
5.     CHECK MESSAGE INTEGRITY AND CONFIDENTIALITY USING SSL
6.     EXPERIMENT EAVESDROPPING, DICTIONARY ATTACKS, MITM ATTACKS
7.     EXPERIMENT WITH SNIFF TRAFFIC USING ARP POISONING
8.     DEMONSTRATE INTRUSION DETECTION SYSTEM USING SNORT SOFTWARE TOOL
9.     EXPLORE NETWORK MONITORING TOOLS
10.    STUDY TO CONFIGURE FIREWALL, VPN

EX.No:1 - IMPLEMENT SYMMETRIC KEY ALGORITHMS

AIM:
To use the Data Encryption Standard (DES) algorithm for a practical application such as
user message encryption.

ALGORITHM:
1. Create a DES key.
2. Create a Cipher instance from the Cipher class, specifying the following
information separated by a slash (/):
a. Algorithm name
b. Mode (optional)
c. Padding scheme (optional)
3. Convert the String into byte[] array format.
4. Put the Cipher in encrypt mode and encrypt the data with the Cipher.doFinal() method.
5. Put the Cipher in decrypt mode and decrypt the data with the Cipher.doFinal() method.

PROGRAM:

DES.java

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;

public class DES
{
    public static void main(String[] argv)
    {
        try {
            System.out.println("Message Encryption Using DES Algorithm\n ---------- ");
            // Step 1: generate a random DES key.
            KeyGenerator keygenerator = KeyGenerator.getInstance("DES");
            SecretKey myDesKey = keygenerator.generateKey();
            // Step 2: transformation string is algorithm/mode/padding.
            // DES and ECB are used because the exercise specifies them; both are
            // obsolete for protecting real data.
            Cipher desCipher;
            desCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
            desCipher.init(Cipher.ENCRYPT_MODE, myDesKey);
            // Step 3: convert the message to a byte array.
            byte[] text = "Secret Information ".getBytes();
            // Concatenating a byte[] prints its object reference (e.g. [B@4dcbadb4),
            // not the bytes themselves.
            System.out.println("Message [Byte Format] : " + text);
            System.out.println("Message :" + new String(text));
            // Step 4: encrypt.
            byte[] textEncrypted = desCipher.doFinal(text);
            System.out.println("Encrypted Message:" + textEncrypted);
            // Step 5: re-initialize the same Cipher in decrypt mode and decrypt.
            desCipher.init(Cipher.DECRYPT_MODE, myDesKey);
            byte[] textDecrypted = desCipher.doFinal(textEncrypted);
            System.out.println("Decrypted Message:" + new String(textDecrypted));
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (NoSuchPaddingException e) {
            e.printStackTrace();
        } catch (InvalidKeyException e) {
            e.printStackTrace();
        } catch (IllegalBlockSizeException e) {
            e.printStackTrace();
        } catch (BadPaddingException e) {
            e.printStackTrace();
        }
    }
}

OUTPUT:

Message Encryption Using DES Algorithm

Message [Byte Format] : [B@4dcbadb4
Message :Secret Information
Encrypted Message:[B@504bae78
Decrypted Message:Secret Information

RESULT:
Thus the Java program for the DES algorithm has been implemented and the output
verified successfully.

EX.No:2a IMPLEMENT ASYMMETRIC KEY ALGORITHMS AND KEY
EXCHANGE ALGORITHMS – RSA ALGORITHM

AIM:
To implement the RSA (Rivest–Shamir–Adleman) algorithm by using HTML and
JavaScript.

ALGORITHM:
1. Choose two prime numbers p and q
2. Compute the value of n and p
3. Find the value of e (public key)
4. Compute the value of d (private key) using gcd()
5. Do the encryption and decryption
a. Encryption is given as,
c = t^e mod n
b. Decryption is given as,
t = c^d mod n

PROGRAM: rsa.html

<html>
<head>
<title>RSA Encryption</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<center>
<h1>RSA Algorithm</h1>
<h2>Implemented Using HTML &amp; Javascript</h2>
<hr>
<table>
<tr>
<td>Enter First Prime Number:</td>
<td><input type="number" value="53" id="p"></td>
</tr>
<tr>
<td>Enter Second Prime Number:</td>
<td><input type="number" value="59" id="q"></td>
</tr>
<tr>
<td>Enter the Message (cipher text):<br>[A=1, B=2,...]</td>
<td><input type="number" value="89" id="msg"></td>
</tr>
<tr>
<td>Public Key:</td>
<td><p id="publickey"></p></td>
</tr>
<tr>
<td>Exponent:</td>
<td><p id="exponent"></p></td>
</tr>
<tr>
<td>Private Key:</td>
<td><p id="privatekey"></p></td>
</tr>
<tr>
<td>Cipher Text:</td>
<td><p id="ciphertext"></p></td>
</tr>
<tr>
<td><button onclick="RSA();">Apply RSA</button></td>
</tr>
</table>
</center>
<script type="text/javascript">
function RSA() {
    var gcd, p, q, no, n, t, e, i, x, d, ctt, ct, dtt, dt;
    gcd = function (a, b) { return (!b) ? a : gcd(b, a % b); };
    // Input values are strings; convert them to numbers before doing arithmetic.
    p = Number(document.getElementById('p').value);
    q = Number(document.getElementById('q').value);
    no = Number(document.getElementById('msg').value);
    n = p * q;
    t = (p - 1) * (q - 1);
    // Public exponent: smallest e >= 2 that is coprime to t.
    for (e = 2; e < t; e++) {
        if (gcd(e, t) == 1) {
            break;
        }
    }
    // Private exponent: d such that e * d = 1 + i * t for some small i.
    for (i = 0; i < 10; i++) {
        x = 1 + i * t;
        if (x % e == 0) {
            d = x / e;
            break;
        }
    }
    // Encryption: c = no^e mod n.
    ctt = Math.pow(no, e).toFixed(0);
    ct = ctt % n;
    // Decryption: Math.pow(ct, d) exceeds the range of a double for these values,
    // so dt is not a usable result and is not displayed.
    dtt = Math.pow(ct, d).toFixed(0);
    dt = dtt % n;
    document.getElementById('publickey').innerHTML = n;
    document.getElementById('exponent').innerHTML = e;
    document.getElementById('privatekey').innerHTML = d;
    document.getElementById('ciphertext').innerHTML = ct;
}
</script>
</body>
</html>

OUTPUT:

RESULT:
Thus the RSA algorithm has been implemented using HTML & CSS and the
output has been verified successfully.
EX.No:2b IMPLEMENT ASYMMETRIC KEY ALGORITHMS AND KEY
EXCHANGE ALGORITHMS –
DIFFIE-HELLMAN KEY EXCHANGE ALGORITHM

AIM:
To implement the Diffie-Hellman Key Exchange algorithm for a given problem.

ALGORITHM:
1. Alice and Bob publicly agree to use a modulus p = 23 and base g = 5 (which
is a primitive root modulo 23).
2. Alice chooses a secret integer a = 4, then sends Bob A = g^a mod p
o A = 5^4 mod 23 = 4
3. Bob chooses a secret integer b = 3, then sends Alice B = g^b mod p
o B = 5^3 mod 23 = 10
4. Alice computes s = B^a mod p
o s = 10^4 mod 23 = 18
5. Bob computes s = A^b mod p
o s = 4^3 mod 23 = 18
6. Alice and Bob now share a secret (the number 18).

PROGRAM:
DiffieHellman.java

class DiffieHellman {
    public static void main(String args[]) {
        int p = 23; /* publicly known (prime number) */
        int g = 5;  /* publicly known (primitive root) */
        int x = 4;  /* only Alice knows this secret */
        int y = 3;  /* only Bob knows this secret */
        /* Math.pow on doubles is exact only for toy values like these;
           realistic parameters need BigInteger.modPow */
        double aliceSends = (Math.pow(g, x)) % p;
        double bobComputes = (Math.pow(aliceSends, y)) % p;
        double bobSends = (Math.pow(g, y)) % p;
        double aliceComputes = (Math.pow(bobSends, x)) % p;
        double sharedSecret = (Math.pow(g, (x * y))) % p;
        System.out.println("simulation of Diffie-Hellman key exchange algorithm\n----");
        System.out.println("Alice Sends : " + aliceSends);
        System.out.println("Bob Computes : " + bobComputes);
        System.out.println("Bob Sends : " + bobSends);
        System.out.println("Alice Computes : " + aliceComputes);
        System.out.println("Shared Secret : " + sharedSecret);
        /* shared secrets should match and equality is transitive */
        if ((aliceComputes == sharedSecret) && (aliceComputes == bobComputes))
            System.out.println("Success: Shared Secrets Matches! " + sharedSecret);
        else
            System.out.println("Error: Shared Secrets does not Match");
    }
}

OUTPUT:
simulation of Diffie-Hellman key exchange algorithm

Alice Sends : 4.0
Bob Computes : 18.0
Bob Sends : 10.0
Alice Computes : 18.0
Shared Secret : 18.0
Success: Shared Secrets Matches! 18.0

RESULT:
Thus the Diffie-Hellman key exchange algorithm has been implemented using Java
Program and the output has been verified successfully.
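
An added example, not part of the original manual, that serves both rsa.html above and this Diffie-Hellman exercise: the same values computed with exact BigInt square-and-multiply exponentiation instead of Math.pow, which is what makes RSA decryption work. The function names (modPow, egcd, rsaKeys and so on) are illustrative assumptions; the parameters are the manual's own toy values.

```javascript
// Square-and-multiply modular exponentiation: never forms base^exp in full.
function modPow(base, exp, mod) {
  if (mod === 1n) return 0n;
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Extended Euclid: returns [g, x, y] with a*x + b*y = g = gcd(a, b).
function egcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldX, x] = [1n, 0n];
  let [oldY, y] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldX, x] = [x, oldX - q * x];
    [oldY, y] = [y, oldY - q * y];
  }
  return [oldR, oldX, oldY];
}

// Modular inverse of a modulo m, normalised into [0, m).
function modInverse(a, m) {
  const [g, x] = egcd(a, m);
  if (g !== 1n) throw new RangeError('no inverse: gcd(a, m) != 1');
  return ((x % m) + m) % m;
}

// Key setup as in rsa.html: smallest e >= 2 coprime to t = (p-1)(q-1).
function rsaKeys(p, q) {
  const n = p * q;
  const t = (p - 1n) * (q - 1n);
  let e = 2n;
  while (egcd(e, t)[0] !== 1n) e++;
  return { n, t, e, d: modInverse(e, t) };
}

// Encrypt and decrypt one message so the round trip can be checked.
function rsaRoundTrip(p, q, msg) {
  const { n, e, d } = rsaKeys(p, q);
  if (msg < 0n || msg >= n) throw new RangeError('message must be in [0, n)');
  const cipher = modPow(msg, e, n);
  return { n, e, d, cipher, plain: modPow(cipher, d, n) };
}

// The floating-point decryption used in rsa.html: ct^d overflows a double.
function floatDecrypt(ct, d, n) {
  return Number(Math.pow(ct, d).toFixed(0)) % n;
}

// Diffie-Hellman with the manual's names: p, g public; a, b private.
function diffieHellman(p, g, a, b) {
  const A = modPow(g, a, p); // Alice -> Bob
  const B = modPow(g, b, p); // Bob -> Alice
  return { A, B, aliceSecret: modPow(B, a, p), bobSecret: modPow(A, b, p) };
}

const rsa = rsaRoundTrip(53n, 59n, 89n);
console.log(`RSA: n=${rsa.n} e=${rsa.e} d=${rsa.d} cipher=${rsa.cipher} plain=${rsa.plain}`);
console.log('float decryption result:', floatDecrypt(1394, 2011, 3127));
const dh = diffieHellman(23n, 5n, 4n, 3n);
console.log(`DH: A=${dh.A} B=${dh.B} secrets=${dh.aliceSecret}/${dh.bobSecret}`);
```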
EX.No:3 IMPLEMENT DIGITAL SIGNATURE SCHEMES

AIM:
To implement the SIGNATURE SCHEME –Digital Signature Standard.

ALGORITHM:
1. Create a Key Pair Generator object.
2. Initialize the Key Pair Generator object.
3. Generate the Key Pair Generator.
4. Get the private key from the pair.
5. Create a signature object.
6. Initialize the Signature object.
7. Add data to the Signature object.
8. Calculate the Signature

PROGRAM:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Scanner;

public class CreatingDigitalSignature {
    public static void main(String args[]) throws Exception {
        Scanner sc = new Scanner(System.in);
        System.out.println("Enter some text");
        String msg = sc.nextLine();
        // Steps 1-3: create and initialize the generator, then generate the key pair.
        KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("DSA");
        keyPairGen.initialize(2048);
        KeyPair pair = keyPairGen.generateKeyPair();
        // Step 4: get the private key from the pair.
        PrivateKey privKey = pair.getPrivate();
        // Steps 5-6: create the Signature object and initialize it for signing.
        Signature sign = Signature.getInstance("SHA256withDSA");
        sign.initSign(privKey);
        // Step 7: add the text that was entered (not the literal string "msg").
        byte[] bytes = msg.getBytes();
        sign.update(bytes);
        // Step 8: calculate the signature.
        byte[] signature = sign.sign();
        // The signature is binary data, so printing it as text shows unreadable characters.
        System.out.println("Digital signature for given text: " + new String(signature,
                "UTF8"));
    }
}

OUTPUT:
Enter some text
Hi how are you
Digital signature for given text: 0=@gRD???-?.????/yGL?i??a!?

RESULT:
Thus the Digital Signature Standard Signature Scheme has been implemented and
the output has been verified successfully.

CCS354 NETWORK SECURITY LAB 11


Downloaded by Seran M ([email protected])
EX.No:4 INSTALLATION OF WIRESHARK, TCPDUMP AND OBSERVE
DATA TRANSFERRED IN CLIENT-SERVER COMMUNICATION
USING UDP/TCP AND IDENTIFY THE UDP/TCP DATAGRAM

AIM:

To install Wireshark and tcpdump, observe data transferred in client-server
communication using UDP/TCP, and identify the UDP/TCP datagram.

PROCEDURE:

The first part of the lab introduces the packet sniffer Wireshark. Wireshark is a
free open-source network protocol analyzer. It is used for network troubleshooting and
communication protocol analysis. Wireshark captures network packets in real time and
displays them in human-readable format. It provides many advanced features, including live
capture and offline analysis, a three-pane packet browser, and coloring rules for analysis.
This document uses Wireshark for the experiments, and it covers Wireshark installation,
packet capturing, and protocol analysis.

Figure 1: Wireshark in Kali Linux

Background
TCP/IP Network Stack

Figure 2: Encapsulation of Data in the TCP/IP Network Stack

Packet Sniffer

Packet sniffer is a basic tool for observing network packet exchanges in a
computer. As the name suggests, a packet sniffer captures ("sniffs") packets being
sent/received from/by your computer; it will also typically store and/or display the contents
of the various protocol fields in these captured packets. A packet sniffer itself is passive. It
observes messages being sent and received by applications and protocols running on your
computer, but never sends packets itself.

Getting Wireshark
Kali Linux has Wireshark installed. You can just launch the Kali Linux VM and open
Wireshark there.
Wireshark can also be downloaded from here: https://www.wireshark.org/download.html

Starting Wireshark:
When you run the Wireshark program, the Wireshark graphic user interface

Figure: Currently, the program is not capturing the packets

Then, you need to choose an interface. If you are running Wireshark on your laptop,
you need to select the WiFi interface. If you are at a desktop, you need to select the
Ethernet interface being used. Note that there could be multiple interfaces. In general,
you can select any interface, but that does not mean that traffic will flow through that
interface. The network interfaces (i.e., the physical connections) that your computer has
to the network are shown.
After you select the interface, you can click start to capture the packets as below.

Capturing Packets

After downloading and installing Wireshark, you can launch it and click the name of an
interface under Interface List to start capturing packets on that interface. For example, if
you want to capture traffic on the wireless network, click your wireless interface.

Test Run
Do the following steps:
1. Start up the Wireshark program (select an interface and press start to capture packets).
2. Start up your favourite browser (Iceweasel in Kali Linux).
3. In your browser, go to the Wayne State home page by typing www.wayne.edu.
4. After your browser has displayed the http://www.wayne.edu page, stop Wireshark
packet capture by selecting stop in the Wireshark capture window. This will cause the
Wireshark capture window to disappear and the main Wireshark window to display all
packets captured since you began packet capture; see image below:

RESULT:
Thus Wireshark and tcpdump were installed, the data transferred in client-server
communication using UDP/TCP was observed, and the UDP/TCP datagram was identified.

EX.No:5 CHECK MESSAGE INTEGRITY AND
CONFIDENTIALITY USING SSL

AIM:
To check the Message Integrity and Confidentiality using SSL.

PROCEDURE:

SSL Session in Details

Handshaking - Cipher Suite Negotiation
Client sends a plaintext Client_Hello message and suggests some cryptographic
parameters (collectively called cipher suite) to be used for their communication session.
The Client_Hello message also contains a 32-byte random number denoted as client_random.
For example,
Client_Hello:
Protocol Version: TLSv1 if you can, else SSLv3.
Key Exchange: RSA if you can, else Diffie-Hellman.
Secret Key Cipher Method: 3DES if you can, else DES.
Message Digest: SHA-1 if you can, else MD5.
Data Compression Method: PKZip if you can, else gzip.
Client Random Number: 32 bytes
The stronger method (in terms of security) shall precede the weaker one, e.g. RSA (1024-
bit) precedes DH, 3DES precedes DES, SHA-1 (160-bit) precedes MD5 (128-bit).
Server responds with a plaintext Server_Hello to state the cipher suite of choice (server
decides on the cipher suite). The message also contains a 32-byte random number denoted as
server_random.

For example,
Server_Hello:
Protocol Version: TLSv1
Key Exchange: RSA.
Secret Key Cipher Method: DES.
Message Digest: SHA-1
Data Compression Method: PKZip.
Server Random Number: 32 bytes
Handshaking - Key Exchange

The server sends its digital certificate to the client, which is supposedly signed by a
root CA. The client uses the root CA's public key to verify the server's certificate (trusted
root-CAs' public keys are pre-installed inside the browser). It then retrieves the server's
public key from the server's certificate. (If the server's certificate is signed by a sub-CA,
the client has to build a digital certificate chain, leading to a trusted root CA, to verify the
server's certificate.)
The next step is to establish the Session Key:
1. The client generates a 48-byte (384-bit) random number called pre_master_secret,
encrypts it using the verified server's public key and sends it to the server.
2. Server decrypts the pre_master_secret using its own private key. Eavesdroppers
cannot decrypt the pre_master_secret, as they do not possess the server's private key.
3. Client and server then independently and simultaneously create the session key,
based on the pre_master_secret, client_random and server_random. Notice that both the
server and client contribute to the session key, through the inclusion of the random number
exchanged in the hello messages. Eavesdroppers can intercept client_random and
server_random as they are sent in plaintext, but cannot decrypt the pre_master_secret.
4. In an SSL/TLS session, the session key consists of 6 secret keys (to thwart crypto-
analysis). 3 secret keys are used for client-to-server messages, and the other 3 secret keys
are used for server-to-client messages. Among the 3 secret keys, one is used for encryption
(e.g., DES secret key), one is used for message integrity (e.g., HMAC) and one is used for
cipher initialization. (Cipher initialization uses a random plaintext called Initial Vector (IV)
to prime the cipher pump.)
5. Client and server use the pre_master_secret (48-byte random number created by the
client and exchanged securely), client_random, server_random, and a pseudo-random
function (PRF) to generate a master_secret. They can use the master_secret, client_random,
server_random, and the pseudo-random function (PRF) to generate all the 6 shared
secret keys. Once the secret keys are generated, the pre_master_secret is no longer needed
and should be deleted.
6. From this point onwards, all the exchanges are encrypted using the session key.
7. The client sends a Finished handshake message using their newly created session key.
Server responds with a Finished handshake message.
Message Exchange
Client and server can use the agreed-upon session key (consists of 6 secret keys) for secure
exchange of messages.

Sending messages:
1. The sender compresses the message using the agreed-upon compression
method (e.g., PKZip, gzip).
2. The sender hashes the compressed data and the secret HMAC key to make an HMAC, to
assure message integrity.
3. The sender encrypts the compressed data and HMAC using the encryption/decryption
secret key, to assure message confidentiality.
A SSL Session Trace
We could use OpenSSL's s_client (with debug option) to produce an SSL session trace.
> openssl s_client ?
(Display the available options)
The following command turns on the debug option and forces the protocol to be TLSv1:
> openssl s_client -connect localhost:443 -CAfile ca.crt -debug -tls1

Loading 'screen' into random state - done
CONNECTED(00000760)
write to 00988EB0 [009952C8] (102 bytes => 102 (0x66))
0000 - 16 03 01 00 61 01 00 00-5d 03 01 40 44 35 27 5c   ....a...]..@D5'\
0010 - 5a e8 74 26 e9 49 37 e2-06 3b 1c 6d 77 37 d1 ae   Z.t&.I7..;.mw7..
0020 - 44 07 86 47 98 fa 84 1a-8d f4 72 00 00 36 00 39   D..G......r..6.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 07 00 66 00 05 00 04-00 63 00 62 00 61 00 15   ...f.....c.b.a..
0050 - 00 12 00 09 00 65 00 64-00 60 00 14 00 11 00 08   .....e.d.`......
0060 - 00 06 00 03 01                                    .....
0066 - <SPACES/NULS>
read from 00988EB0 [00990AB8] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 2a                                    ....*

Trace Analysis
The data to be transmitted is broken up into a series of fragments. Each fragment is
protected for integrity using HMAC.
Each SSL record begins with a 5-byte header:
Byte 0: Record Content Type.
Four Content Types are defined, as follows:

Content Type          Hex Code   Description
Handshake             0x16       The record carries a handshaking message
Application_Data      0x17       Encrypted Application Data
Change_Cipher_Spec    0x14       To indicate a change in encryption methods.
Alert                 0x15       To signal various types of errors

Byte 1 & 2: SSL version (0x0301 for TLSv1, 0x0300 for SSLv3).
Byte 3 & 4: The record length, excluding the 5-byte header.

Client_Hello
The first handshake message is always sent by the client, called the client_hello message. In
this message, the client tells the server its preferences in terms of protocol version, cipher
suite, and compression method. The client also includes a 32-byte random number
(client_random) in the message, which is made up of a 4-byte GMT Unix time (seconds
since 1970), plus another 28 random bytes.
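
An added example, not part of the original manual: a parser that applies the 5-byte record header layout and the client_hello layout described above to the bytes of the trace. The function names are illustrative assumptions, and the final 00 byte of the 102-byte write, which the dump elides as <SPACES/NULS>, is restored here as an assumption.

```javascript
// The 102-byte write from the trace (last byte restored, see lead-in).
const CLIENT_HELLO_HEX = `
16 03 01 00 61 01 00 00 5d 03 01 40 44 35 27 5c
5a e8 74 26 e9 49 37 e2 06 3b 1c 6d 77 37 d1 ae
44 07 86 47 98 fa 84 1a 8d f4 72 00 00 36 00 39
00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f
00 07 00 66 00 05 00 04 00 63 00 62 00 61 00 15
00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08
00 06 00 03 01 00`;
const SERVER_READ_HEX = '16 03 01 00 2a'; // the 5-byte read from the trace

const CONTENT_TYPES = {
  0x14: 'Change_Cipher_Spec', 0x15: 'Alert', 0x16: 'Handshake', 0x17: 'Application_Data',
};
const VERSIONS = { 0x0300: 'SSLv3', 0x0301: 'TLSv1' };

function hexToBytes(hex) {
  return Uint8Array.from(hex.trim().split(/\s+/), (tok) => {
    if (!/^[0-9a-fA-F]{2}$/.test(tok)) throw new SyntaxError(`bad hex byte: ${tok}`);
    return parseInt(tok, 16);
  });
}

// Bounds-checked big-endian cursor: a short buffer or an oversized length
// field throws instead of reading past the end.
function reader(buf) {
  let pos = 0;
  const need = (n) => {
    if (pos + n > buf.length) throw new RangeError(`truncated at offset ${pos}`);
  };
  return {
    uint(n) {
      need(n);
      let v = 0;
      for (let i = 0; i < n; i++) v = v * 256 + buf[pos++];
      return v;
    },
    bytes(n) {
      need(n);
      const slice = buf.subarray(pos, pos + n);
      pos += n;
      return slice;
    },
    remaining: () => buf.length - pos,
  };
}

// Byte 0: content type; bytes 1-2: version; bytes 3-4: length without the header.
function parseRecord(bytes) {
  const r = reader(bytes);
  const type = r.uint(1);
  const version = r.uint(2);
  const length = r.uint(2);
  return {
    contentType: CONTENT_TYPES[type] || `unknown(0x${type.toString(16)})`,
    version: VERSIONS[version] || `unknown(0x${version.toString(16)})`,
    length,
    // May be shorter than `length` when only part of the record was captured.
    fragment: r.bytes(Math.min(length, r.remaining())),
  };
}

// Handshake header (type 0x01, 3-byte length) followed by the client_hello fields.
function parseClientHello(fragment) {
  const r = reader(fragment);
  const msgType = r.uint(1);
  if (msgType !== 0x01) throw new TypeError(`not a client_hello (type ${msgType})`);
  const body = reader(r.bytes(r.uint(3)));
  const clientVersion = body.uint(2);
  const gmtUnixTime = body.uint(4);          // first 4 bytes of client_random
  const randomBytes = body.bytes(28);        // remaining 28 bytes of client_random
  const sessionId = body.bytes(body.uint(1));
  const suites = reader(body.bytes(body.uint(2)));
  const cipherSuites = [];
  while (suites.remaining() >= 2) cipherSuites.push(suites.uint(2));
  const compressionMethods = Array.from(body.bytes(body.uint(1)));
  return {
    clientVersion: VERSIONS[clientVersion] || clientVersion,
    gmtUnixTime, randomBytes, sessionId, cipherSuites, compressionMethods,
  };
}

const record = parseRecord(hexToBytes(CLIENT_HELLO_HEX));
const hello = parseClientHello(record.fragment);
const reply = parseRecord(hexToBytes(SERVER_READ_HEX));
console.log(record.contentType, record.version, 'length', record.length);
console.log('client time:', new Date(hello.gmtUnixTime * 1000).toISOString());
console.log('cipher suites offered:', hello.cipherSuites.length);
console.log('next record:', reply.contentType, 'length', reply.length);
```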
Server_Hello
In response to the client_hello message, the server returns a server_hello message to tell
the client its choice of protocol version, cipher suite and compression method. The server
also includes a 32-byte random number (server_random) in the message.
Certificate
The certificate message consists of a chain of X.509 certificates in the correct order. The
first certificate belongs to the server, and the next certificate contains the key that certifies
the first certificate (i.e., the server's certificate), and so on. The client uses the server's
public key (contained inside the server's certificate) to either encrypt the pre_master_secret
or verify the server_key_exchange, depending on which cipher suite is used.
Server_Key_Exchange
Server_Hello_Done
This is an empty message indicating that the server has sent all the handshaking messages.
This is needed because the server can send some optional messages after the certificate
message.
Client_Key_Exchange
The client_key_exchange message contains the pre_master_secret when RSA key
exchange is used. The pre_master_secret is 48-byte, consists of protocol version (2 bytes)
and 46 random bytes.

Certificate_Verify
Change_Cipher_Spec
Unknown Handshaking Message (D4) - to check
Application_Data
Client-to-Server - the HTTP request message: GET /test.html HTTP/1.0
Server-to-Client - the HTTP response message
Alert

RESULT:
Thus the confidentiality and Integrity using SSL was verified.

EX.No:6 EXPERIMENT EAVESDROPPING, DICTIONARY
ATTACKS, MITM ATTACKS

AIM:
To experiment with eavesdropping, dictionary attacks and MITM attacks.

PROCEDURE:
Password cracking is a term used to describe the penetration of a network, system,
or resource with or without the use of tools to unlock a resource that has been secured with
a password. Password cracking tools may seem like powerful decryptors, but in reality are
little more than fast, sophisticated guessing machines.

Types of password breaking

Dictionary attack
A simple dictionary attack is usually the fastest way to break into a machine. A dictionary
file (a text file full of dictionary words) is loaded into a cracking application, which is run
against user accounts located by the application.
Brute force attack
A brute force attack is a very powerful form of attack, though it may often take a long time
to work depending on the complexity of the password. The program will begin trying any
and every combination of numbers and letters and running them against the hashed passwords.
Hybrid attack
Another well-known form of attack is the hybrid attack. A hybrid attack will add numbers
or symbols to the search words to successfully crack a password. Many people change
their passwords by simply adding a number to the end of their current password. Therefore,
this type of attack is the most versatile; while it takes longer than a standard dictionary
attack, it does not take as long as a brute force attack.

Task 1 – Microsoft Office Password Recovery
Many applications require you to establish an ID and password that may be saved and
automatically substituted for future authentication. The password will usually appear on
the screen as a series of asterisks. This is fine as long as your system remembers the
password for you, but what if it "forgets" or you need it for use on another system?
Fortunately, many utilities have been written to recover such passwords. In this task, you
will use OfficeKey to recover the password for an MS Word document.
Step 1: Find the folder “Lab1” on your desktop, and open it.
You will find OfficeKey and an MS document in the folder.
Step 2: Open the OfficeKey – Password Recovery tool.
Step 3: Press the “Recover” button in the upper left corner, or select File Recover.
Step 4: Choose the password protected MS Office file you have saved to the Desktop.

Step 5: After running the first password auditing session, check to see if OfficeKey has
cracked the password. If the password has not been cracked, press the Settings button on
the upper toolbar.

Step 6: Once in the Settings menu you will be able to modify the search parameters and
customize a more targeted search.

Step 7: Repeat steps 3 and 4 until the password has been cracked and opens the MS Office file.

Step 8: Write down the contents of the MS Word document and the password into your lab
report and submit it to your TA.

RESULT:
Thus the experiment for Eavesdropping, Dictionary attacks, MITM attacks was
done successfully.

EX.No:7 EXPERIMENT WITH SNIFF TRAFFIC USING ARP
POISONING

AIM:
To perform an experiment to Sniff Traffic using ARP Poisoning.

PROCEDURE:
ARP is the acronym for Address Resolution Protocol. It is used to convert IP
address to physical addresses [MAC address] on a switch. The host sends an ARP
broadcast on the network, and the recipient computer responds with its physical address
[MAC Address]. The resolved IP/MAC address is then used to communicate. ARP
poisoning is sending fake MAC addresses to the switch so that it can associate the fake
MAC addresses with the IP address of a genuine computer on a network and hijack the
traffic.
ARP Poisoning Countermeasures:
Static ARP entries: these can be defined in the local ARP cache and the switch
configured to ignore all auto ARP reply packets. The disadvantage of this method is, it’s
difficult to maintain on large networks. IP/MAC address mapping has to be distributed to
all the computers on the network.
ARP poisoning detection software: These systems can be used to cross check the
IP/MAC address resolution and certify them if they are authenticated. Uncertified IP/MAC
address resolutions can then be blocked.
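
An added example, not part of the original manual, of the cross-check that the two countermeasures above describe: observed ARP replies are compared against a static table of trusted IP/MAC bindings, and a MAC address that answers for several IP addresses is flagged. The input format ("<seconds> <ip> <mac>"), the function names and every address are constructed for illustration.

```javascript
// Static, trusted IP -> MAC bindings (constructed values).
const TRUSTED = new Map([
  ['192.168.1.1', '00:11:22:33:44:55'],  // gateway
  ['192.168.1.10', '00:11:22:33:44:66'], // file server
]);

// Constructed sample of observed ARP replies, one per line.
const SAMPLE_ARP_REPLIES = `
10.0 192.168.1.1 00:11:22:33:44:55
11.2 192.168.1.10 00:11:22:33:44:66
12.5 192.168.1.23 00:11:22:aa:bb:01
40.1 192.168.1.1 00:11:22:AA:BB:01
40.9 192.168.1.10 00-11-22-aa-bb-01
41.0 192.168.1.23 00:11:22:aa:bb:01
garbage line
`;

// Accept colon, dash or dot separated MACs in any case; return aa:bb:cc:dd:ee:ff or null.
function normalizeMac(mac) {
  const hex = mac.toLowerCase().replace(/[:.\-]/g, '');
  return /^[0-9a-f]{12}$/.test(hex) ? hex.match(/../g).join(':') : null;
}

function isIPv4(ip) {
  const parts = ip.split('.');
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Parse the text into events; malformed lines are counted, not silently dropped.
function parseReplies(text) {
  const events = [];
  let skipped = 0;
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const [ts, ip, rawMac, ...rest] = line.trim().split(/\s+/);
    const mac = rawMac ? normalizeMac(rawMac) : null;
    if (rest.length || !Number.isFinite(Number(ts)) || !ip || !isIPv4(ip) || !mac) {
      skipped++;
      continue;
    }
    events.push({ ts: Number(ts), ip, mac });
  }
  return { events, skipped };
}

function checkBindings(events, trusted) {
  const learned = new Map();  // ip -> first MAC seen, for hosts without a static entry
  const ipsByMac = new Map(); // mac -> set of IPs it has answered for
  const alerts = [];
  for (const ev of events) {
    const expected = trusted.has(ev.ip) ? normalizeMac(trusted.get(ev.ip)) : undefined;
    if (expected !== undefined) {
      if (expected !== ev.mac) {
        alerts.push({ type: 'TRUSTED_MISMATCH', ts: ev.ts, ip: ev.ip, expected, seen: ev.mac });
      }
    } else if (learned.has(ev.ip) && learned.get(ev.ip) !== ev.mac) {
      alerts.push({ type: 'BINDING_CHANGED', ts: ev.ts, ip: ev.ip,
        expected: learned.get(ev.ip), seen: ev.mac });
    } else {
      learned.set(ev.ip, ev.mac);
    }
    const ips = ipsByMac.get(ev.mac) || new Set();
    if (!ips.has(ev.ip)) {
      ips.add(ev.ip);
      ipsByMac.set(ev.mac, ips);
      if (ips.size > 1) {
        alerts.push({ type: 'MAC_CLAIMS_MULTIPLE_IPS', ts: ev.ts, mac: ev.mac, ips: [...ips] });
      }
    }
  }
  return alerts;
}

const parsed = parseReplies(SAMPLE_ARP_REPLIES);
const alerts = checkBindings(parsed.events, TRUSTED);
for (const a of alerts) console.log(JSON.stringify(a));
console.log(`${parsed.events.length} replies checked, ${parsed.skipped} malformed line(s) skipped`);
```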
What is network sniffing?
Computers communicate by broadcasting messages on a network using IP addresses. Once
a message has been sent on a network, the recipient computer with the matching IP
address responds with its MAC address.
Network sniffing is the process of intercepting data packets sent over a
network.

Passive and Active Sniffing
Before we look at passive and active sniffing, let’s look at two major devices used to
network computers: hubs and switches.

A hub works by sending broadcast messages to all output ports on it except the one that has
sent the broadcast.

A switch works differently; it maps IP/MAC addresses to physical ports on it.

Passive sniffing is intercepting packages transmitted over a network that uses a hub.
It is called passive sniffing because it is difficult to detect. It is also easy to perform as the
hub sends broadcast messages to all the computers on the network.
Active sniffing is intercepting packages transmitted over a network that uses a switch.
There are two main methods used to sniff switch linked networks, ARP Poisoning and
MAC flooding.
Sniffing the network using Wireshark
Download Wireshark from this link: http://www.wireshark.org/download.html
• Open Wireshark
• You will get the following screen

Select the network interface you want to sniff. Note for this demonstration, we are using a
wireless network connection. If you are on a local area network, then you should select the
local area network interface.
• Click on start button as shown above

• Open your web browser and type in http://www.techpanda.org/

• The login email is [email protected] and the password is Password2010

• Click on submit button
• A successful logon should give you the following dashboard

• Go back to Wireshark and stop the live capture

• Filter for HTTP protocol results only using the filter textbox

• Locate the Info column and look for entries with the HTTP verb POST and click on it

• Just below the log entries, there is a panel with a summary of captured data. Look for
the summary that says Line-based text data: application/x-www-form-urlencoded
• You should be able to view the plaintext values of all the POST variables submitted
to the server via HTTP protocol.

Result:
Thus the experiment to Sniff Traffic using ARP Poisoning was performed
successfully.

EX.No:8 DEMONSTRATE INTRUSION DETECTION SYSTEM
USING SNORT SOFTWARE TOOL

AIM:
To demonstrate Intrusion Detection System (IDS) using Snort software tool.

STEPS ON CONFIGURING AND INTRUSION DETECTION:


1. Download Snort from the Snort.org website.(http://www.snort.org/snort-downloads)
2. Download Rules (https://www.snort.org/snort-rules). You must register to get the
rules. (You should download these often)
3. Double click on the .exe to install snort. This will install snort in the “C:\Snort” folder.
It is important to have Win Pcap(https://www.winpcap.org/install/)installed
4. Extract the Rules file. You will need WinRAR for the .gz file.
5. Copy all files from the “rules” folder of the extracted folder. Now paste the rules into
“C:\Snort\rules”folder.
6. Copy “snort.conf” file from the “etc” folder of the extracted folder. You must paste it
into “C:\Snort\etc”folder.Overwrite anyexisting file. Remember if you modify your
snort.conf file and download a new file, you must modify it for Snort to work.
7. Openacommandprompt(cmd.exe)andnavigatetofolder“C:\Snort\bin”folder.
8. Tostart(execute)snortinsniffer modeusefollowingcommand:
snort -dev-i 3 -i indicates the interface number. You must pick the correct interface
number.
In my case,itis3. –dev is used to run snort to capture packets on your network.

CCS354 NETWORK SECURITY LAB 33


Downloaded by Seran M ([email protected])
To check the interface list, use following command:
snort-W

Finding an interface
You can tell which interface to use by looking at the Index number and finding Microsoft.
As you can see in the above example, the other interfaces are for VMWare.
To run snort in IDS mode, you will need to configure the file “snort.conf” according to
your networkenvironment.
To specify the network address that you want to protect in snort.conf file, look for the
following line.varHOME_NET192.168.1.0/24(You willnormallysee anyhere)
Youmay alsowantto settheaddressesofDNS_SERVERS, ifyouhavesomeonyournetwork.

Example snort
Change the RULE_PATH variable to the path of the rules folder.
var RULE_PATH c:\snort\rules
path to rules
Change the path of all library files with the name and path on your system. And you must
change the path of the snort_dynamicpreprocessor variable.
C:\Snort\lib\snort_dynamicpreprocessor

You need to do this to all library files in the “C:\Snort\lib” folder. The old path might
be: “/usr/local/lib/…”. You will need to replace that path with your system path, using
C:\Snort\lib
Change the path of the “dynamicengine” variable value in the “snort.conf” file.
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
Add the paths for the “include classification.config” and “include reference.config” files.
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
Remove the comment (#) on the line to allow ICMP rules, if it is commented with a #.
include $RULE_PATH/icmp.rules
You can also remove the comment on the ICMP-info rules line, if it is commented.
include $RULE_PATH/icmp-info.rules
To add log files to store alerts generated by snort, search for the “output log” text in
snort.conf and add the following line:
output alert_fast: snort-alerts.ids
Comment (add a #) the whitelist $WHITE_LIST_PATH/white_list.rules and the blacklist
Change the nested_ip inner, \ to nested_ip inner #, \
Comment out (#) the following lines:
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6
Save the “snort.conf” file.
To start snort in IDS mode, run the following command:
snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 3
(Note: 3 is used for my interface card)
If a log is created, select the appropriate program to open it. You can use WordPad or
Notepad++ to read the file.
To generate log files in ASCII mode, you can use the following command while running snort
in IDS mode:
snort -A console -i 3 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii
Scan the computer that is running snort from another computer by using PING or NMap

(ZenMap). After scanning or during the scan you can check the snort-alerts.ids file in the
log folder to ensure it is logging properly. You will see IP address folders appear.
Snort monitoring traffic
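
Added example (not part of the original manual): a Python script that parses the alert_fast lines Snort writes to snort-alerts.ids and summarizes, per source address, the alerts aimed at HOME_NET, which is a quick way to confirm that the PING or Nmap test was logged. The sample alert lines, the SIDs in the local range and the three-port threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # the var HOME_NET value from the lab
# alert_fast: time [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<time>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample lines with made-up local SIDs (not captured traffic, not real rule IDs).
SAMPLE_ALERTS = """\
08/28-10:15:01.120001  [**] [1:1000001:1] LAB ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
08/28-10:16:10.500000  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40112 -> 192.168.1.10:22
08/28-10:16:10.500410  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40113 -> 192.168.1.10:80
08/28-10:16:10.500820  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40114 -> 192.168.1.10:445
08/28-10:17:00.000000  [**] [1:1000001:1] LAB ICMP echo request [**] [Priority: 3] {ICMP} 192.168.1.50 -> 10.0.0.5
this line is not an alert and is skipped
"""

def split_endpoint(endpoint):
    """Split 'ip:port' (TCP/UDP) or a bare 'ip' (ICMP) into (ip, port or None); IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (endpoint, None)

def parse_alerts(text):
    """Return one dict per well-formed alert_fast line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["src_ip"], a["src_port"] = split_endpoint(a.pop("src"))
            a["dst_ip"], a["dst_port"] = split_endpoint(a.pop("dst"))
            alerts.append(a)
    return alerts

def summarize(alerts, port_threshold=3):
    """Group alerts aimed at HOME_NET by source; flag sources that probe many ports."""
    by_src = defaultdict(lambda: {"count": 0, "sids": set(), "ports": set()})
    for a in alerts:
        if ipaddress.ip_address(a["dst_ip"]) in HOME_NET:
            s = by_src[a["src_ip"]]
            s["count"] += 1
            s["sids"].add(int(a["sid"]))
            if a["dst_port"] is not None:
                s["ports"].add(a["dst_port"])
    return {ip: dict(s, scan_suspected=len(s["ports"]) >= port_threshold)
            for ip, s in by_src.items()}

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE_ALERTS)))
```

To run it against the lab's own log, read c:\snort\log\snort-alerts.ids and pass its text to parse_alerts in place of SAMPLE_ALERTS.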

RESULT:
Thus the Intrusion Detection System (IDS) has been demonstrated by using the
Open Source Snort Intrusion Detection Tool.

EX.No:9 EXPLORE NETWORK MONITORING TOOLS

AIM:
To explore network monitoring tools.
Network monitoring is an essential part of network management. It involves using
various tools to monitor a system network and determine slowness and weak connections,
among other issues. Knowing more about these tools can help you understand them better
and use the right ones that suit your requirements.

PROCEDURE:
What Are Network Monitoring Tools?
Network monitoring tools are software that you can use to evaluate network
connections. These software programs can help you monitor a network connection and
identify network issues, which may include failing network components, slow connection
speed, network outage or unidentifiable connections. Network management and
monitoring tools can also help you resolve these issues or establish solutions that prevent
specific issues from occurring in the future.

Network Monitoring Tools


Here are eight monitoring tools along with their descriptions and features:
1. SolarWinds Network Performance Monitor
SolarWinds Network Performance Monitor is a multi-vendor monitoring tool. It
allows users to monitor multiple vendors' networks at the same time. It also provides
network insights for thorough visibility into the health of the networks. Some prominent
features include network availability monitoring, intelligent network mapping, critical path
visualization, performance analysis and advanced alerting. SolarWinds also allows users to
track VPN tunnel status. It prompts when a VPN tunnel is available to help users ensure a
stable connection between sites. SolarWinds provides a seven-day free trial, after which
users can choose a preferred subscription plan.

2. Auvik
Auvik is a network monitoring and management tool. It offers a quick
implementation process that helps users to set up the tool easily. It also has a clean user
interface that makes it easy to navigate and use. The tool provides in-depth network
visibility that enables faster troubleshooting for network issues. Users can automate
network visibility using Auvik. It provides real-time updates on
network issues and configuration changes.
3. Datadog Network Monitoring
Datadog Network Monitoring offers services for on-premises devices and cloud
networks. A highlighting feature of this tool is the visualizations. It offers various
graphical representations of all the network connections on a system. It also allows users to
track key metrics like network latency, connection churn and transmission control protocol
(TCP) retransmits. Users can monitor the health of a network connection at different
endpoints at the application, IP address, port or process ID
layers. Other prominent features include automated log collection and user interface monitoring.
4. Paessler PRTG Network Monitor
Paessler's network connection monitoring tool provides a clean user interface and
network visibility on multiple devices. Users can track the health of different connection
types like local area networks (LAN), wide area networks (WAN), servers, websites,
applications and services. The tool also integrates with various technologies, which makes
it easier to use it for different types of applications. It provides distributed monitoring,
allowing users to track network connections on devices in different locations. The tool also
provides apps for mobile platforms that can help users to track network
health on mobile phones.
5. ManageEngine OpManager
ManageEngine OpManager is a good network monitoring and managing tool for
users that prefer an in-depth view of network health and issues. This tool provides over 2000
network performance monitors that allow users to track and monitor their connections and
perform detailed analyses on issues. It also provides over 200 dashboard widgets that can

help users customise their dashboard to their own suitability. Other features include CPU,
memory and disk utilisation monitoring on local and virtual machines. It also allows setting
a network performance threshold and notifies the user in case of a violation.
6. Domotz
Domotz is an expansive tool that provides a list of features for monitoring network
connections. It allows users to customise their network monitoring preferences. Users can
write scripts that retrieve the data they wish to evaluate. It also allows connection to open
ports on remote devices while ensuring network security. Users can also scan and monitor
network connections globally. Domotz also allows users to back up and restore network
configuration for switches, firewalls and access points and alerts when there is a change in
the configuration.
7. Checkmk
Checkmk is a tool that allows users to automate it completely. You can customise
its operations and enable it to perform tasks automatically. It also identifies network and
security components without the user requiring manual set up. For example, the tool can
identify a firewall even if the user has not set it up. Its Agent Bakery feature enables users
to manage agents and automate agent updating. This reduces manual effort to monitor
network connections. The tool also includes over 2000 plug-ins for enhancing network
monitoring.
8. Progress WhatsUp Gold
Progress WhatsUp Gold is a basic network monitoring software. It provides a minimal user
interface with essential features like device monitoring, application monitoring, analysing
network traffic and managing configurations. The tool allows users to monitor cloud
devices, inspect suspicious connections, automate configuration backups and identify and
resolve bandwidth issues.

Other Tools For Network Monitoring
Here are three additional tools for network monitoring:
Fortra Intermapper: This tool enables users to monitor network connections using
network maps, allowing them to get a holistic view of all the connections. It also provides
various colour codes for different network status, along with real-time notifications through
text, email and sound.

Nagios Core: Nagios Core is a monitoring engine that works as the primary
application for all Nagios projects, including the Nagios Network Analyser. It integrates
with other Nagios applications and provides users with features like a visual dashboard,
custom application monitoring, automated alert system, advanced user management and
network security monitoring.

Zabbix: Zabbix provides a thorough network monitoring solution with features like
server monitoring, cloud monitoring, application monitoring and service monitoring. The
tool also includes features like metric collection, business monitoring and root cause
analyses of network issues, and allows users to establish a threshold for connection
anomalies.

To Choose a Network Monitoring And Management Tool:

Understand the requirements


Understanding why you require network monitoring software is important in the
process. Define what feature you want and for what purpose. This can help you identify the
right tool for your use. It may also help you choose the correct subscription plan on paid tools.

Browse multiple tools
Once you identify the requirements, consider browsing multiple tools. Visit the
websites of the tools and look for the features you require. Spend time studying the features
and understand how they can be useful to your requirements. You can also identify a few
tools and compare their features to each other.

Consider the budget


Some tools may be free to use, while some may require you to purchase a
subscription plan. Paid tools typically offer a free trial period of up to 30 days. Once you
identify which tool you may like to use, see if it is free or requires payment. If it is a paid
tool, try exploring its features and efficiency during the trial period. Consider keeping a
backup tool in case the tool that you choose does not fit your usage.

RESULT:
Thus the network monitoring tools were explored.
EX.No:10 STUDY TO CONFIGURE FIREWALL, VPN

AIM:
To study the features of firewall in providing network security and to set Firewall
Security in Windows.

PROCEDURE:
Firewall in Windows 7
Windows 7 comes with two firewalls that work together. One is the Windows
Firewall, and the other is Windows Firewall with Advanced Security (WFAS). The main
difference between them is the complexity of the rules configuration. Windows Firewall
uses simple rules that directly relate to a program or a service. The rules in WFAS can be
configured based on protocols, ports, addresses and authentication. By default, both
firewalls come with a predefined set of rules that allow us to utilize network resources. This
includes things like browsing the web, receiving e-mails, etc. Other standard firewall
exceptions are File and Printer Sharing, Network Discovery, Performance Logs and Alerts,
Remote Administration, Windows Remote Management, Remote Assistance, Remote
Desktop, Windows Media Player, Windows Media Player Network Sharing Service. With the
firewall in Windows 7 we can configure inbound and outbound rules. By default, all
outbound traffic is allowed, and inbound responses to that traffic are also allowed. Inbound
traffic initiated from external sources is automatically blocked.
When we first connect to some network, we are prompted to select a network location.
This feature is known as Network Location Awareness (NLA). This feature enables us to
assign a network profile to the connection based on the location. Different network profiles
contain different collections of firewall rules. In Windows 7, different network profiles can
be configured on different interfaces. For example, our wired interface can have a different
profile than our wireless interface.
There are three different network profiles available:
• Public
• Home/Work - private network
• Domain - used within a domain
Configuring Windows Firewall
To open Windows Firewall we can go to Start > Control Panel > Windows

By default, Windows Firewall is enabled for both private (home or work) and public
networks. It is also configured to block all connections to programs that are not on the list of
allowed programs. To configure exceptions we can go to the menu on the left and select the
"Allow a program or feature through Windows Firewall" option.
Firewall Customization
Note that we can modify settings for each type of network location (private or
public). The interesting thing here is that we can block all incoming connections, including
those in the list of allowed programs.
Windows Firewall is actually a Windows service. As you know, services can be
stopped and started. If the Windows Firewall service is stopped, the Windows Firewall will
not work.

Firewall Service
In our case the service is running. If we stop it, we will get a warning that we should turn on
our Windows Firewall.
How to Start & Use the Windows Firewall with Advanced Security
The Windows Firewall with Advanced Security is a tool which gives you detailed
control over the rules that are applied by the Windows Firewall. You can view all the rules that are
used by the Windows Firewall, change their properties, create new rules or
disable existing ones.
You have several alternatives to opening the Windows Firewall with Advanced Security:
One is to open the standard Windows Firewall window, by going to "Control Panel ->
System and Security -> Windows Firewall". Then, click or tap Advanced settings.

In Windows 7, another method is to search for the word firewall in the Start Menu search box
and click the "Windows Firewall with Advanced Security" result.
What Are The Inbound & Outbound Rules?
In order to provide the security you need, the Windows Firewall has a standard set
of inbound and outbound rules, which are enabled depending on the location of the network
you are connected to.

Inbound rules are applied to the traffic that is coming from the network and the
Internet to your computer or device. Outbound rules apply to the traffic from your computer
to the network or the Internet.

These rules can be configured so that they are specific to: computers, users,
programs, services, ports or protocols. You can also specify to which type of network
adapter (e.g. wireless, cable, virtual private network) or user profile it is applied to.
In the Windows Firewall with Advanced Security, you can access all rules and edit their
properties. All you have to do is click or tap the appropriate unit in the left-side panel.
What are the Connection Security Rules?
Connection security rules are used to secure traffic between two computers while
it crosses the network. One example would be a rule which defines that
connections between two specific computers must be encrypted.

If you want to see if there are any such rules on your computer, click or tap
"Connection Security Rules" on the panel on the left. By default, there are no such rules
defined on Windows computers and devices. They are generally used in business
environments and such rules are set by the network administrator.
What does the Windows Firewall with Advanced Security Monitor?

The Windows Firewall with Advanced Security includes some monitoring features
as well. In the Monitoring section you can find the following information: the
firewall rules that are active (both inbound and outbound), the connection security rules that
are active and whether there are any active security associations.
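
Added example (not part of the original manual): the network profiles and inbound rules described above can be checked from a text listing of the rules. This Python script parses text in the layout printed by netsh advfirewall firewall show rule name=all and lists enabled inbound Allow rules that apply to the Public profile from any remote address; the sample listing is constructed and abridged, and English-language output is assumed.

```python
# Constructed, abridged sample in the layout of: netsh advfirewall firewall show rule name=all
SAMPLE_RULES = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
LocalPort:                            3389
Action:                               Allow

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
RemoteIP:                             LocalSubnet
LocalPort:                            445
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
LocalPort:                            Any
Action:                               Allow
"""

def parse_rules(text):
    """Split netsh-style output into one dict per rule, keyed by the printed field names."""
    rules, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue  # blank lines and the dashed separator carry no field
        if key.strip() == "Rule Name":
            current = {}
            rules.append(current)
        if current is not None:
            current[key.strip()] = value.strip()
    return rules

def exposed_on_public(rules):
    """Enabled inbound Allow rules open to any remote address on the Public profile."""
    def exposed(r):
        profiles = {p.strip() for p in r.get("Profiles", "").split(",")}
        return ("Public" in profiles and r.get("RemoteIP") == "Any" and
                (r.get("Enabled"), r.get("Direction"), r.get("Action")) == ("Yes", "In", "Allow"))
    return [(r["Rule Name"], r.get("LocalPort")) for r in rules if exposed(r)]

if __name__ == "__main__":
    print(exposed_on_public(parse_rules(SAMPLE_RULES)))
```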

RESULT:
Thus the features of firewall in providing network security were studied and
Firewall Security was set in Windows.
