Network Security Lab Manual Draft

Uploaded by Shraddha Patil

Network Security Lab

Expt No:1 Date:

Aim: Learn to install Virtual Box Software and install any guest OS onto it.

Theory:
Oracle VM VirtualBox (formerly Sun VirtualBox, Sun xVM VirtualBox and Innotek
VirtualBox) is a free and open-source hypervisor for x86 computers from Oracle Corporation.
Developed initially by Innotek GmbH, it was acquired by Sun Microsystems in 2008 which was
in turn acquired by Oracle in 2010.
VirtualBox may be installed on a number of host operating systems, including: Linux, OS X,
Windows, Solaris, and OpenSolaris. VirtualBox is being actively developed with frequent
releases and has an ever growing list of features, supported guest operating systems and
platforms it runs on.
There are also ports to FreeBSD and Genode.
It supports the creation and management of guest virtual machines running versions and
derivations of Windows, Linux, BSD, OS/2, Solaris, Haiku, OSx86 and others, and limited
virtualization of OS X guests on Apple hardware.
For some guest operating systems, a "Guest Additions" package of device drivers and system
applications is available, which typically improves performance, especially of graphics.

Emulated environment

(Figure: an Ubuntu Live CD running as a guest under VirtualBox on an Ubuntu host.)

Dept. of Computer Science & Engg,


KLSVPP, Belagavi. Page 1

Users of VirtualBox can load multiple guest OSs under a single host operating system (host OS).
Each guest can be started, paused and stopped independently within its own virtual machine
(VM). The user can independently configure each VM and run it under a choice of software-
based virtualization or hardware assisted virtualization if the underlying host hardware supports
this. The host OS and guest OSs and applications can communicate with each other through a
number of mechanisms including a common clipboard and a virtualized network facility. Guest
VMs can also directly communicate with each other if configured to do so.

Limitations:
- VirtualBox has a very low transfer rate to and from USB 2.0 devices.
- Although VirtualBox is an open-source product, some of its features (the USB 2.0/3.0 controllers,
  remote desktop (VRDP) and PXE boot) are supplied only in binary form under a commercial licence,
  as the VirtualBox Extension Pack.
- USB 3.0 device pass-through is not supported by older guest OSes such as Windows Vista and
  Windows XP, which lack the drivers.
- Windows 9x guests do not support the Guest Additions.

Steps:
1. Install the VirtualBox software.
2. Open VirtualBox, click "New", enter a name for the new virtual machine and the guest OS type,
   and click "Next".
3. Select the base memory (RAM) in MB (minimum 512 MB) to be allocated to the virtual machine.
4. In the next window select "Create a virtual hard disk now" and click "Next".
5. In the hard disk storage type window, choose "Dynamically allocated" storage and click "Next".
6. Select the virtual disk location and size and click "Create".
7. Click "Start"; when prompted for a start-up disk, select the guest OS installation ".iso"
   image and click "Start". The guest installer then runs inside the VM exactly as it would on
   physical hardware.

Conclusion: VirtualBox is installed and Linux (Ubuntu) is installed in it as a guest OS.

Expt No:2 Date:

Aim: Perform an experiment to grab a banner using telnet/nmap.

Theory:
Banner grabbing is a technique used to glean information about a computer system on a
network and the services running on its open ports. Administrators can use this to take inventory
of the systems and services on their network. However, an intruder can use banner grabbing in
order to find network hosts that are running versions of applications and operating systems with
known exploits.
Some examples of service ports used for banner grabbing are those used by Hyper Text
Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol
(SMTP); ports 80, 21, and 25 respectively. Tools commonly used to perform banner grabbing are
Telnet, which is included with most operating systems, and Netcat.
This information may be used by an administrator to catalogue the system, or by an
intruder to narrow down the list of applicable exploits.
To limit this exposure, network administrators should restrict access to services on their
networks, shut down unused or unnecessary services on network hosts and, where the software
allows it, suppress version details in banners (for example Apache's ServerTokens Prod directive).

Steps:
1. Open a command prompt (on Windows the Telnet client must first be enabled under "Turn
   Windows features on or off").
2. Type telnet, the target hostname and the port number, e.g. telnet www.example.com 80, and
   press Enter.
3. Services such as FTP (21), SMTP (25) and SSH (22) print their banner as soon as the connection
   opens; for HTTP (80) type a request such as HEAD / HTTP/1.0 and press Enter twice to make the
   server answer with its Server header.
4. The same information is collected automatically by nmap -sV <target>, which matches probe
   responses against its service-fingerprint database.
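The grab-and-probe sequence that telnet is used for above, written out as a Python script. This is an added example, not part of the lab manual: it spins up a constructed local service on 127.0.0.1 (a fake SMTP greeting and a fake HTTP Server header) so that it runs offline; point grab_banner at a real host and port to use it for the experiment.

```python
"""Banner grabbing over a plain TCP socket, the way telnet or netcat does it."""
import socket
import threading


def grab_banner(host, port, timeout=3.0):
    """Connect to host:port and return the text the service volunteers.

    FTP, SMTP and SSH speak first, so the greeting arrives on its own. HTTP
    stays silent until it sees a request, so if nothing arrives within the
    timeout a minimal HEAD request is sent and the response headers (which
    carry the Server: line) are returned instead.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = sock.recv(4096)
            except socket.timeout:
                data = b""
    return data.decode("utf-8", "replace").strip()


def version_hint(banner):
    """Pull the product string out of a banner: the Server header for HTTP,
    the line itself for SSH, the greeting text after the code for FTP/SMTP."""
    lines = banner.splitlines()
    if not lines:
        return ""
    first = lines[0]
    if first.startswith("HTTP/"):
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "server":
                return value.strip()
        return ""
    if first.startswith("SSH-"):
        return first
    parts = first.split(maxsplit=2)        # "220 host ESMTP Postfix" -> "ESMTP Postfix"
    return parts[2] if len(parts) == 3 else first


def serve_once(response, speak_first=True):
    """Constructed stand-in for a real service, so the example runs offline.

    speak_first=True imitates FTP/SMTP/SSH (banner sent on connect);
    speak_first=False imitates HTTP (answer only after a request arrives).
    Listens on an ephemeral loopback port, serves one client, returns the port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with srv, conn:
            if not speak_first:
                conn.recv(1024)            # wait for the client's request line(s)
            conn.sendall(response)

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    smtp_port = serve_once(b"220 mail.example.test ESMTP Postfix\r\n")
    http_port = serve_once(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
                           speak_first=False)
    for port in (smtp_port, http_port):
        banner = grab_banner("127.0.0.1", port, timeout=1.0)
        print(f"port {port}: {banner!r} -> version hint: {version_hint(banner)!r}")
```

The timeout is what makes the HTTP case work: a silent listener is not "no banner", it is a protocol that expects the client to speak first, which is also why nmap -sV sends a series of protocol-specific probes rather than just reading.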

Conclusion: Banner grabbing is done using telnet and nmap.

Expt No:3 Date:

Aim: To perform Port Scanning with Nmap.

Theory:
Network ports are the entry points to a machine that is connected to the Internet. A
service that listens on a port is able to receive data from a client application, process it and send a
response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they
gain access to sensitive data or execute malicious code on the machine remotely. That is why
testing for all ports is necessary in order to achieve a thorough security verification.
Port scanning is usually done in the initial phase of a penetration test in order to discover
all network entry points into the target system. TCP and UDP ports are scanned differently:
a TCP port answers a SYN with SYN/ACK (open) or RST (closed), whereas a UDP service normally
stays silent and only a closed UDP port reveals itself, through an ICMP port-unreachable reply.
Nmap therefore offers separate scan types (-sS/-sT for TCP, -sU for UDP), and UDP scans are
much slower.

Parameters:

- Target: the hostname or IP address(es) to scan.
- Ports to scan - Common: scan only the 100 most common TCP ports (nmap -F).
- Ports to scan - Range: a range of ports, e.g. -p 1-1024. Valid ports are between 1 and 65535.
- Ports to scan - List: a comma-separated list of ports, e.g. -p 22,80,443.
- Detect service version (-sV): Nmap tries to detect the version of the service running on each
  open port, using banner grabbing, reading server headers and sending protocol-specific probes.
- Detect operating system (-O): Nmap tries to determine the type and version of the operating
  system on the target host. The result is not always accurate; it depends on how the target
  responds to the probe packets, and it works best when at least one open and one closed TCP
  port are found.
- Do traceroute (--traceroute): Nmap also records the path packets take from the scanner to the
  target, including the IP addresses of the intermediate routers.
- Don't ping host (-Pn): Nmap skips the host-discovery step (by default it checks that the host
  is up before port scanning). This is useful when the target does not answer ICMP echo requests
  but is actually up and has open ports.

The disadvantage of the TCP connect scan (-sT, which Nmap uses when it runs without raw-socket
privileges) is that it completes the three-way handshake, so it is easily detected and
filtered: the target's logs show a burst of connections that are closed immediately after
being accepted. A SYN scan (-sS) never completes the handshake and leaves fewer application-level
traces, although a firewall or IDS still sees the SYN packets.

Steps:
1. Install Nmap (the Windows installer also provides the Zenmap GUI).
2. Enter the target hostname or IP address in Zenmap's Target field and click "Scan", or run
   nmap <target> from a terminal.
3. The open ports are displayed, each with the service name usually associated with that port
   number (the actual software is only identified when -sV is used).

Conclusion: Open ports are scanned and displayed.

Expt No:4 Date:

Aim: Using Nmap,

1. Find open ports on a system.
2. Find machines which are active.
3. Find the version of the remote OS on another system.
4. Find the version of software installed on another system.

Theory:
Nmap is also a useful debugging tool. There are many occasions when you need to know whether a
port is open, whether a server is blocked by a firewall, or how a service reacts to unexpected
input.

Introduction:
Nmap (Network Mapper) is an open-source tool for network exploration and security
auditing. It is designed to rapidly scan large networks, although it works fine against a single
host. Nmap uses raw IP packets in novel ways to determine what hosts are available on the
network, what services those hosts are offering, what operating systems they are running, what
type of packet filters or firewalls are in use, and other characteristics.
While Nmap is commonly used for security audits, many system and network
administrators find it useful for routine tasks such as network inventory, managing service
upgrade schedules, and monitoring host or service uptime.

Syntax:
nmap <options> <IP address or target hostname>

Commonly used options are:

-sS  TCP SYN scan (half-open; needs raw-socket/administrator privileges)
-sT  TCP connect scan (completes the handshake; works without privileges)
-sU  UDP scan
-F   Fast scan (the 100 most common ports)
-O   Detect the operating system the target is running
-sV  Detect the version of the software listening on each open port
-sn  Host discovery only ("ping scan"): find which machines are active without port scanning
Steps:
1. Install the Nmap software.
2. Run nmap against the target with the options above, e.g. nmap -sn 192.168.1.0/24 to list
   active hosts, nmap -sS <target> for open ports, nmap -O <target> for the OS and
   nmap -sV <target> for software versions.
3. The output is displayed according to the options given.
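A minimal TCP connect scanner covering experiments 3 and 4 (open/closed/filtered states and nmap-style port specifications). This is an added example, not from the manual or from the Nmap project; the target is a constructed pair of loopback ports (one listening, one just released) so the script runs offline. Scanning other people's hosts needs written authorisation.

```python
"""TCP connect scan (the equivalent of nmap -sT) in plain Python."""
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """Expand an nmap-style port spec ("22,80,8000-8010") into a sorted list."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def probe(host, port, timeout=1.0):
    """Classify one TCP port the way nmap's connect scan does.

    open      the three-way handshake completed (a service accepted us)
    closed    the host answered with RST (ConnectionRefusedError)
    filtered  no answer within the timeout: something dropped the SYN, so the
              port is neither confirmed open nor confirmed closed
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def connect_scan(host, spec, timeout=1.0, workers=64):
    """Scan every port in spec concurrently; returns {port: state}."""
    ports = parse_ports(spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def local_target():
    """Constructed target for an offline run: one listening socket (an open
    port) and one port number that was just released, hence closed.
    Returns (listening_socket, open_port, closed_port); keep the socket alive
    while scanning or the open port disappears."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed = tmp.getsockname()[1]
    tmp.close()
    return srv, srv.getsockname()[1], closed


if __name__ == "__main__":
    srv, open_port, closed_port = local_target()
    results = connect_scan("127.0.0.1", f"{open_port},{closed_port}")
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    srv.close()
```

Because every probe completes a handshake, each open port shows up as an accepted-then-closed connection in the target's logs, which is the detectability drawback described in experiment 3; a SYN scan avoids that but needs raw sockets, which is why nmap -sS requires root or administrator rights.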

Conclusion: Port scanning is done using nmap.

Expt No-5 Date:

Aim: To perform an experiment on active and passive fingerprinting using XProbe2/nmap/Nettools.

Theory:
OS fingerprinting is the process of determining the operating system used by a host on a
network.

Active fingerprinting: Active fingerprinting is the process of transmitting packets to a remote
host and analysing the corresponding replies.

Passive fingerprinting: Passive fingerprinting is the process of analysing packets from a host on a
network. In this case, fingerprinter acts as a sniffer and doesn't put any traffic on a network.

Fingerprinting techniques: Almost all fingerprinting techniques are based on detecting difference
in packets generated by different operating systems.

Common techniques are based on analysing:

- IP TTL values;
- IP ID values;
- TCP window size;
- TCP options (generally, in TCP SYN and SYN+ACK packets);
- DHCP requests;
- ICMP requests;
- HTTP packets (generally, the User-Agent field).

Other techniques are based on analysing:

- running services;
- open port patterns.

Steps:
1. Install the Nettools software.
2. Go to "new interface" and select the option "finger-XPinger".
3. Type the IP address and click "ping".

Conclusion: An experiment on active and passive fingerprinting is done using Nettools.

Expt No:6 Date:


Aim: Perform an experiment to demonstrate how to sniff for router traffic using wireshark.
Theory:
A packet sniffer is a utility, in use since the original release of Ethernet, that plugs into a
computer network and eavesdrops on the network traffic. Packet sniffing allows
individuals to capture data as it is transmitted over a network and is used by network
professionals to diagnose network issues, and by malicious users to capture unencrypted data,
such as user names and passwords. If this information is captured in transit, an attacker can
gain access to a system or network.
A sniffer is a program and/or device that monitors data travelling over a network. Sniffers can
be used both for legitimate network management functions and for stealing information off a
network. Unauthorised sniffers are a serious threat to a network's security because a purely
passive sniffer sends nothing and is therefore very hard to detect, and one can be inserted
almost anywhere. This makes them a favorite weapon in the attacker's arsenal. On TCP/IP
networks, where they sniff packets, they are often called packet sniffers.
Sniffing also has an advantage over a telephone wiretap: many networks use shared
media, so you do not need to break into a wiring closet to install your tap; you can
do it from almost any network connection and eavesdrop on your neighbours. This is called a
promiscuous-mode sniffer. However, shared media have largely given way to switched
networks, where the switch forwards each frame only to the port of its destination, so this
passive approach no longer works unless the switch itself is attacked (see the ARP poisoning
experiment) or the traffic is deliberately mirrored to the sniffer's port.
What it is used for:
- Automatic sifting of clear-text passwords and user names out of network traffic.
- Conversion of data into a human-readable format so that people can read the traffic.
- Fault analysis, to discover problems in the network such as why computer A cannot talk
  to computer B.
- Network intrusion detection, to discover attackers.
- Network traffic logging, to create logs that an intruder cannot break into and erase.
How does sniffing work?
Ethernet was built around a shared principle: all machines on a local network share the
same wire. This implies that all machines are able to see all traffic on that wire, so
Ethernet hardware is built with a filter that ignores every frame whose destination MAC
address does not match its own (or a broadcast/multicast address). A sniffing program turns
off this filter by putting the Ethernet interface into "promiscuous mode", after which every
frame on the segment is passed up to the software.
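What "promiscuous mode" does, in code: an added Python example (not part of the manual) that requests promiscuous mode on a Linux interface through the AF_PACKET socket API and classifies each frame by why it was visible. The live capture needs root and a Linux interface name (eth0 is an assumption in the usage comment); the decoding and the ip.addr-style filter are exercised offline on frames constructed in the script.

```python
"""Promiscuous-mode capture on Linux with AF_PACKET, plus the Ethernet decode
that shows which frames a NIC would normally have filtered out."""
import socket
import struct

ETH_P_ALL = 0x0003
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
# Linux values for setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, struct packet_mreq)
SOL_PACKET, PACKET_ADD_MEMBERSHIP, PACKET_MR_PROMISC = 263, 1, 1


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_ethernet(frame, our_mac):
    """Return (dst, src, ethertype, audience) for one Ethernet frame.

    'audience' says why the frame reached us: unicast-to-us and broadcast
    frames are delivered by every NIC, multicast usually is; other-host
    frames are only visible because the interface is in promiscuous mode,
    so they are the ones a sniffer gains."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if dst == b"\xff" * 6:
        audience = "broadcast"
    elif dst[0] & 0x01:
        audience = "multicast"
    elif mac_str(dst) == our_mac.lower():
        audience = "unicast-to-us"
    else:
        audience = "other-host"
    return mac_str(dst), mac_str(src), ethertype, audience


def ipv4_endpoints(frame):
    """(src_ip, dst_ip) of an IPv4 frame, or None: the data behind a
    Wireshark 'ip.addr == x.x.x.x' display filter."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def open_promiscuous(ifname):
    """Raw socket bound to ifname with promiscuous mode requested for the
    socket's lifetime (needs CAP_NET_RAW, i.e. root)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname), PACKET_MR_PROMISC, 0, bytes(8))
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return sock


def sniff(ifname, our_mac, ip_filter=None, count=20):
    """Print `count` frames; with ip_filter set, only IPv4 frames to/from that address."""
    sock = open_promiscuous(ifname)
    seen = 0
    while seen < count:
        frame = sock.recv(65535)
        ends = ipv4_endpoints(frame)
        if ip_filter and (ends is None or ip_filter not in ends):
            continue
        dst, src, etype, audience = decode_ethernet(frame, our_mac)
        print(f"{src} -> {dst} type=0x{etype:04x} {audience} ip={ends}")
        seen += 1


# Constructed frames for an offline check; 'our' NIC is 02:00:00:00:00:01.
OUR_MAC = "02:00:00:00:00:01"

def make_frame(dst, src, ethertype=ETH_P_IP, src_ip="10.0.0.5", dst_ip="10.0.0.9"):
    """Ethernet header plus a bare IPv4 header (no payload) for the sample set."""
    eth = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
           + struct.pack("!H", ethertype))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

SAMPLES = {
    "to_us":  make_frame(OUR_MAC, "02:00:00:00:00:02", dst_ip="10.0.0.1"),
    "other":  make_frame("02:00:00:00:00:03", "02:00:00:00:00:02"),
    "arp_bc": make_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02", ethertype=ETH_P_ARP),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, decode_ethernet(frame, OUR_MAC), ipv4_endpoints(frame))
    # Live capture (root, Linux; interface name is an assumption):
    # sniff("eth0", OUR_MAC, ip_filter="192.168.1.1")
```

On a switched network the "other-host" class will be almost empty even in promiscuous mode, because the switch never delivers those frames to the port; that is the limitation the ARP poisoning experiment works around.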

Packet analyzer
A packet analyzer is a computer program or a piece of computer hardware that can
intercept and log traffic passing over a digital network or part of a network. As data streams
flow across the network, the analyzer captures each packet and, if needed, decodes the packet's
raw data, showing the values of the various fields in the packet and analysing its contents
according to the appropriate RFC or other specification.
How to sniff network traffic using Wireshark
The Internet is inherently insecure: whenever you send data across it there is a chance
that the data could be sniffed and someone could end up with your personal data. With the right
tools you can sniff this data yourself, along with any other data passing through your network
segment. Normally your computer ignores anything that is not addressed to it; a sniffer in
promiscuous mode removes that filter.
Steps:
1. Install the Wireshark software.
2. Go to "Capture", select the interface connected to the router's network and click "Start".
3. In the display filter bar, type a filter for the router's address, e.g. ip.addr == <router IP>
   (or arp to see only address-resolution traffic), and press Enter.
4. All packets matching the filter are displayed; selecting one shows each protocol layer decoded.

Conclusion: Sniffing of traffic is done using Wireshark.

Expt No:7 Date:


Aim: Perform an experiment on how to use Dumpsec.
Theory:
DumpSec is a security auditing program for Microsoft Windows NT/XP/200x. It dumps
the permissions and audit settings for the file system, registry, printers and shares in a concise,
readable format, so that holes in system security are readily apparent. DumpSec also dumps user,
group and replication information. Periodically verifying the security of a system can
cover a variety of aspects, and among them permissions are of the utmost importance,
because they decide which user can access one resource or another.
This kind of auditing can be quite tedious and time-consuming unless specialised
tools are used. One simple application dedicated to such tasks is
Somarsoft DumpSec. Through a very plain interface, this utility enables
system administrators to quickly get a detailed report of the access rights on any computer
they manage. The program is able to dump permissions for the file system, registry, printers
and shares. With the help of Somarsoft DumpSec it is also possible to view the details
of a specific shared directory or of all the shared folders. This is
important because write permission on such a directory for everyone is a common
misconfiguration that lets any user plant or replace files.

Other types of reports that can be generated by this software relate to users and
groups. More precisely, there are several ways in which this information can be presented: as
columns, as a table, or as a table with names only. Somarsoft DumpSec is also capable of dumping
policies, user rights and services. For the latter category there are several options that can be
set, so the report will include data about Win32 services or kernel drivers. As a tool for
performing a security audit on a computer, Somarsoft DumpSec is fairly well equipped
thanks to the many types of reports it is able to provide. Otherwise, the feature set is quite
limited and the application is only suited to basic jobs.

Installing and configuring DumpSec:

- The DumpSec installation is simple and the program is easy to run.
- Run the DumpSec executable (".exe") to get the DumpSec window.
- It can be used to dump the security settings of the local system or of a remote system. In
  order for DumpSec to access a remote system, you must first log in to the remote system with
  an account that has administrative privileges.
- The remote system will prompt you for a user name and password; use an administrative
  account, and the dumped settings for that system can then be saved as a report.

Conclusion: An experiment is performed using DumpSec.

Expt No:8 Date:

Aim: Perform a wireless audit of an access point/router and decrypt WEP and WPA.

Theory:

The audit checklist covers the controls around a wireless deployment: whether an assessment of
the technology was made, who in the institution is responsible for the wireless LAN, whether the
risks are understood, and what precautions are being taken to mitigate the risk of the wireless
LAN deployment.

Objective measures: Objective measures are those that can be checked by determining whether a
particular option is enabled, and can be verified by direct observation using a wireless sniffer
or some other tool. The auditor need not exercise judgement here: for a secure WLAN all security
options should be enabled, which also helps to deter casual drive-by scanning. In the
audit list, objective measures are denoted by "Objective: ...".

Subjective measures: Subjective measures are those where the auditor needs to use judgement in
determining whether they are adequate; these measures mostly concern procedure and policy
issues. The auditor needs to subjectively evaluate whether policy and/or procedures are in place.

Conventions used:

i. Seek permission to perform the audit: the auditor will not proceed with the audit
unless written authorisation has been granted by the organisation whose system is to be
audited.
ii. Identify the organisational policy and procedures: the aim of this step is to
review the organisation's information security policy and procedures and identify those
items related to the WLAN.
iii. Is there a focal point for the organisation's wireless initiatives? Yes/No. Who
is it?
iv. The auditor assigns a score of PASS if there is an identifiable person in the organisation
responsible for the WLAN, and FAIL if the organisation uses a WLAN but there is no
identifiable owner of such WLAN initiatives. Does the organisation have a
hardware/software accreditation process? Yes/No.
v. Detecting/finding access points: usually there is no score for this step. The intention is to
identify the access points in use. If rogue access points are found, the auditor has to determine
exactly where each rogue access point is.

Using NetStumbler:

NetStumbler lists every access point it detects; if the access point has WEP enabled, the
result shows YES in the WEP field, otherwise the field is blank. A blank field (an open
network) is an immediate finding. Note that WEP itself has been broken since 2001 and its key
can be recovered from a modest amount of captured traffic, so for audit purposes a WEP-only
access point should be treated as unencrypted; WPA2 (or WPA3) with a strong passphrase is the
minimum acceptable setting.

Conclusion: Wireless audit of an AP is done.

Expt No:9 Date:

Aim: Perform an experiment to sniff traffic using ARP poisoning.

Theory:

Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol
address (IP address) to a physical machine address that is recognised in the local network. For
example, in IP version 4, the most widely deployed version of IP, an address is 32 bits long.
In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The
physical machine address is also known as a Media Access Control or MAC address.) A table,
usually called the ARP cache, is used to maintain a correlation between each MAC address and
its corresponding IP address. ARP provides the protocol rules for making this correlation and
providing address conversion in both directions.

Because ARP does not provide methods for authenticating ARP replies on a network,
ARP replies can come from systems other than the one with the required Layer 2 address. An
ARP proxy is a system which answers the ARP request on behalf of another system for which it
will forward traffic, normally as a part of the network's design, such as for a dialup internet
service. By contrast, in ARP spoofing the answering system, or spoofer, replies to a request for
another system's address with the aim of intercepting data bound for that system. A malicious
user may use ARP spoofing to perform a man-in-the-middle or denial-of-service attack on other
users on the network. Various software exists to both detect and perform ARP spoofing attacks,
though ARP itself does not provide any methods of protection from such attacks.
A peculiarity of ARP is that, to limit the amount of network traffic spent on address resolution,
a host typically uses the sender addresses in any ARP packet it receives to update an existing
entry in its ARP table, whether or not it sent a request. Thus a host sometimes sends ARP packets
not in order to discover a mapping but to exploit this side effect and preload the ARP table of a
different host with an entry. Such packets, in which the sender and target protocol addresses are
the same, are referred to as gratuitous ARPs, and Wireshark detects and flags the most common
forms in the packet summary pane. ARP is defined mainly by RFC 826. Within Ethernet ARP, there
are four types of messages:
ARP request: a request for the destination hardware address, typically broadcast to all hosts.
ARP reply: in response, this gives the requester the hardware address of the destination host.
RARP request: a Reverse ARP request, which asks for the IP address belonging to a known MAC
address.
RARP reply: the response gives the IP address for the requested hardware address.
ARP's role in Ethernet switching and sniffing: Since Ethernet is a broadcast medium,
everyone on an Ethernet segment receives everyone else's frames. On a network connected with
a hub, sniffing packets to gather information is easy since hubs do nothing to limit the natural
broadcast nature of Ethernet. Sniffing data is as easy as plugging into any open port and
listening. Systems connected with switches present a different problem. Traffic is no longer
broadcast to every host, because the switch attempts to be more efficient. Instead the switch
keeps track of which MAC address is seen on which port (its MAC address or CAM table, learned
from the source addresses of frames) and forwards each unicast frame only to the port where its
destination MAC lives. This is a performance feature, not a security feature. Separately, to keep
down the ARP traffic on a network segment, hosts keep an ARP cache, a list of IP-to-MAC mappings,
and consult it when initiating a conversation with another system; only if the address is not in
the cache does the system use ARP to determine the MAC address of the destination. In switched
environments there are still ways to sniff packets. The first is to use a monitoring (mirror or
SPAN) port on the switch, configured to receive a copy of all traffic; some switches allow this
to be chosen in a software setup, while others restrict it to one particular physical port. The
second method is to take advantage of the fact that many switches favour performance over
security and stop relying on the MAC address table when it overflows: the switch "fails open" and
reverts to hub-like behaviour, sending all frames to every port. An attacker can trigger this by
flooding the switch with frames carrying a large number of forged source MAC addresses (MAC
flooding); the behaviour varies with the manufacturer and switch configuration. The final method
is to craft ARP packets to fool a system into thinking it knows the MAC address of a particular
destination IP address. Most commonly an attacker impersonates a router by telling a victim that
the attacker's machine is the default gateway for the subnet. The victim's system then sends all
its outbound packets to the attacker, who sniffs them and forwards them to the real default
gateway, either through kernel-level IP forwarding or a user-space program. Without forwarding
the attack degrades into a denial of service, and to intercept the replies as well the attacker
must also poison the gateway's cache with the victim's IP address.
Arpoison: Arpoison is a simple command line tool by Steve Buer that creates a custom ARP
Reply packet. The attacker simply creates a packet, sends it to the victim and hopes the victim
system inserts the information into its local ARP table and acts on it when sending future
packets.
NAME
    arpoison -- ARP cache update utility

SYNOPSIS
    arpoison -i <device> -d <destination IP> -s <source IP> -t <target MAC> -r <source MAC>
             [-a] [-n number of packets] [-w time between packets]

DESCRIPTION
    Arpoison constructs an ARP REQUEST or REPLY packet using the specified hardware and
    protocol addresses and sends it out the specified interface.

    -i  Device, e.g. eth0
    -d  Destination IP address in dotted decimal notation
    -s  Source IP address in dotted decimal notation
    -t  Target MAC address, e.g. 00:f3:b2:23:17:f5
    -r  Source MAC address
    -a  Send ARP REQUEST (otherwise a REPLY is sent)
    -n  Number of packets to send
    -w  Time in seconds between packets
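The arpoison-style reply and its detection, as an added example (not the manual's or arpoison's code): build_arp assembles the same fields arpoison takes on its command line, parse_arp decodes them the way Wireshark does, and ArpWatch flags an IP address whose MAC changes, which is how a sniffer or IDS spots the attack. The addresses and the gateway/victim/attacker roles are constructed for the example; nothing is put on the wire.

```python
"""Build the ARP reply an arpoison-style tool sends, and detect the poisoning
from the other side by watching IP-to-MAC claims on the wire."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text): return bytes.fromhex(text.replace(":", ""))
def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_bytes(text): return bytes(int(o) for o in text.split("."))
def ip_str(raw): return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet + ARP frame with the same fields arpoison exposes
    (-r/-s sender MAC/IP, -t/-d target MAC/IP, -a for a REQUEST).

    Poisoning = an unsolicited REPLY whose sender_ip is the gateway's address
    but whose sender_mac is the attacker's, addressed to the victim so that
    the victim overwrites its cache entry for the gateway."""
    eth = mac_bytes(eth_dst or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen 6, plen 4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
        # gratuitous ARP: a host announcing its own address (sender IP == target IP)
        "gratuitous": frame[28:32] == frame[38:42],
    }


class ArpWatch:
    """Learn IP->MAC bindings from every ARP packet, as hosts do, and raise an
    alert when an IP already bound to one MAC is claimed by another. This is
    the signal behind Wireshark's "duplicate use of <ip> detected" warning and
    tools such as arpwatch; seeding the table from a known-good inventory makes
    even the first forged reply detectable."""

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            kind = "gratuitous " if arp["gratuitous"] else ""
            self.alerts.append(f"{ip}: was {known}, now claimed by {mac} ({kind}op={arp['op']})")
            return "conflict"
        self.table[ip] = mac
        return "learned" if known is None else "seen"


# Constructed scenario: gateway 10.0.0.1, victim 10.0.0.10, attacker de:ad:be:ef:00:01
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:10", "de:ad:be:ef:00:01"
LEGIT_REPLY = build_arp(ARP_REPLY, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.10")
POISON_REPLY = build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.10")
GRATUITOUS = build_arp(ARP_REQUEST, ATTACKER_MAC, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.1",
                       eth_dst="ff:ff:ff:ff:ff:ff")

if __name__ == "__main__":
    watch = ArpWatch()
    for frame in (LEGIT_REPLY, POISON_REPLY, GRATUITOUS):
        print(watch.observe(frame), parse_arp(frame))
    print("\n".join(watch.alerts))
```

POISON_REPLY is the frame arpoison -d 10.0.0.10 -s 10.0.0.1 -t <victim MAC> -r <attacker MAC> would emit; on the defensive side the only durable fix is to stop trusting ARP at all (static entries for the gateway, or Dynamic ARP Inspection on the switch), since the protocol carries no authentication.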

Conclusion: Sniffing traffic using ARP poisoning is performed.

Expt No:10 Date:

Aim: Install IPCop (a Linux-based firewall distribution) and learn all the functions available in the software.

Theory:

IPCop is a Linux distribution which aims to provide a simple-to-manage firewall
appliance based on PC hardware. IPCop is a stateful firewall built on the
Linux netfilter framework.
Originally a fork of the SmoothWall Linux firewall, the two projects are developed independently
and have now diverged significantly. IPCop includes a simple, user-managed update mechanism
to install security updates when required. The IPCop project is a GPL-licensed project that offers
a feature-packed stand-alone firewall to the Internet community. Its comprehensive
web interface, well-documented administration guides, and its involved and helpful
user/administrator mailing lists make users of any technical capacity feel at home.
Firewalls have had to undergo a tremendous metamorphosis as a result of evolving
threats. IPCop is exemplary in offering a wide range of default features and, further, a large
set of optional plug-ins which provide additional functionality.
Some of IPCop's base-install features include: a secure HTTPS web administration GUI,
DHCP server, web proxy (Squid), DNS proxy, dynamic DNS, time server, traffic shaping,
traffic/system/firewall/IDS graphing, intrusion detection (Snort), ISDN/ADSL device support
and VPN (IPsec/PPTP) functionality. Beyond these base features
there are dozens of add-ons which can further expand the functionality of your IPCop, from web
filtering to anti-virus scanning.
Pre-requisites of IPCop:
IPCop installation generally takes about 25 minutes, and you can complete it with relatively
modest hardware such as a 386 processor with 32 MB RAM and more than 300 MB of disk,
and 3 network cards (2 if there is no need for a DMZ). If you plan to use the caching proxy, IDS
or other add-ons, consider additional horsepower in terms of RAM/processor.

Building Your IPCop: What you need

- 386 processor with 32 MB RAM, 300 MB hard disk and 3 network cards
- 2 x 5-port 10/100/1000 switches or a Layer 3 switch
- Network cables
- Burned ISO CD

Installing IPCop:
1. Verify hardware compatibility at the IPCop website.
2. Download the ISO and burn it to CD.
3. Boot from the CD.
4. Run through the simple prompt-based installation.

Installation Process:
1. Select the language

2. Select the installation medium (a CD in this case).
3. Configure the network cards.

Password setup:
IPCop has two users for which you will be asked to set passwords: root (console login) and
admin (web interface). Set both to strong passwords longer than 8 characters.
At the end of the IPCop installation you will be asked to reboot. After the reboot, go to another
machine on your LAN and renew its DHCP lease (ipconfig /renew on Windows) so that it picks up an
address from IPCop. Verify that it is live on the network you have set up, with an address of
192.168.1.X, then connect to IPCop's HTTPS web interface.

Architectural Decisions: Segmentation

One essential consideration you have to make before installing is network architecture
(segmentation/address space). IPCop uses a colour-coding system of Red, Green, Blue and Orange
to describe the roles or security levels which an interface/network segment will have in
protecting your network. The colour coding is logical in that it represents a continuum of
network access from restricted to permissive. The RED interface is your untrusted
interface/segment, i.e. the Internet, whereas GREEN is the trusted interface/segment of your
internal network. Additionally, BLUE is a separate segment for wireless devices, while ORANGE is
the DMZ, where any publicly accessible servers you want available to the Internet are placed. By
default IPCop allows connections from the more trusted zone towards the less trusted one (GREEN
to ORANGE or RED) and blocks the reverse unless a DMZ pinhole or port forward is configured. In
this case we are only configuring a GREEN/RED/ORANGE installation with three network interfaces,
one of which (RED) is connected to your cable broadband provider's cable modem (Ethernet).

Conclusion: IPCop is installed and its functions are explored.

Expt No: 11 Date:

Aim: Install JCrypt tool and demonstrate Asymmetric, Symmetric crypto algorithms, Hash and
digital/PKI signatures.

Theory:

JCrypt is a framework for experimenting with cryptological and cryptographic algorithms; the
asymmetric algorithm demonstrated here is RSA. RSA is a block cipher in which the plaintext and
the ciphertext are integers between 0 and n-1. Encryption and decryption take the following form,
for some plaintext block M and ciphertext block C:

C = pow(M, e) mod n

M = pow(C, d) mod n

Both sender and receiver know the values of n and e, and only the receiver knows the value of d.
This is a public-key encryption algorithm with a public key KU = {e, n} and a private key
KR = {d, n}. For the algorithm to be usable, the following requirements must be met:

1. It is possible to find values of e, d and n such that pow(M, e*d) mod n = M for all M < n.
2. It is relatively easy to calculate pow(M, e) mod n and pow(C, d) mod n for all values M < n.
3. It is infeasible to determine d given only e and n (this would require factoring n = p*q).

In practice RSA is never used as a bare block cipher as written here: the message is padded
(OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) to defeat malleability and
chosen-ciphertext attacks.

One-way hash function: A hash function expects a variable-size message M as input and
produces a fixed-size message digest h(M) as output.

Asymmetric algorithm: Asymmetric algorithms (public key algorithms) use different keys for
encryption and decryption, and the decryption key cannot (practically) be derived from the
encryption key. Asymmetric algorithms are important because they can be used for transmitting
encryption keys or other data securely even when the parties have no opportunity to agree on a
secret key in private.

Symmetric algorithm: Symmetric-key algorithms are algorithms for cryptography that use the
same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys
may be identical or there may be a simple transformation to go between the two keys. The keys,
in practice, represent a shared secret between two or more parties that can be used to maintain a
private information link. This requirement that both parties have access to the secret key is one of
the main drawbacks of symmetric-key encryption, in comparison to public-key encryption (also
known as asymmetric-key encryption).

Digital Signatures: A digital signature is a mathematical scheme for demonstrating the
authenticity of a digital message or document. A valid digital signature gives a recipient reason
to believe that the message was created by a known sender (authentication), that the sender
cannot deny having sent the message (non-repudiation), and that the message was not altered in
transit (integrity).


Digital signatures are a standard element of most cryptographic protocol suites, and are
commonly used for software distribution, financial transactions, contract management software,
and in other cases where it is important to detect forgery or tampering.
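The RSA relations, the one-way hash and the signature scheme described above, carried through in working code as an added example (not code from the lab manual or from JCrypt); the primes 61 and 53 and the exponent 17 are constructed for illustration only.

```python
# Added example, not from the lab manual or JCrypt: a toy RSA key pair that
# checks the three requirements above, then signs a SHA-256 digest with it.
# The primes 61 and 53 and the exponent 17 are constructed for illustration;
# real keys use primes of 1024 bits or more.
import hashlib
from math import gcd


def mod_inverse(a: int, m: int) -> int:
    """Return d with (a * d) % m == 1, via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no modular inverse")
    return old_s % m


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return KU = (e, n) and KR = (d, n) from two primes (requirement 1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (mod_inverse(e, phi), n)


def rsa_encrypt(m: int, ku) -> int:
    e, n = ku
    return pow(m, e, n)          # C = M^e mod n; cheap (requirement 2)


def rsa_decrypt(c: int, kr) -> int:
    d, n = kr
    return pow(c, d, n)          # M = C^d mod n


def roundtrip_holds_for_all(ku, kr) -> bool:
    """Requirement 1 checked exhaustively: M^(ed) mod n == M for every M < n."""
    n = ku[1]
    return all(rsa_decrypt(rsa_encrypt(m, ku), kr) == m for m in range(n))


def digest_int(message: bytes, n: int) -> int:
    """One-way hash h(M): a fixed-size SHA-256 digest, reduced to fit below n
    (with a toy n this reduction loses collision resistance; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, kr) -> int:
    """Digital signature: the private-key operation applied to h(M)."""
    d, n = kr
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, ku) -> bool:
    """Anyone holding KU can check origin and integrity of the message."""
    e, n = ku
    return pow(signature, e, n) == digest_int(message, n)


if __name__ == "__main__":
    ku, kr = rsa_keygen(61, 53, e=17)            # n = 3233, d = 2753
    c = rsa_encrypt(65, ku)
    print("C =", c, "M =", rsa_decrypt(c, kr))   # C = 2790, M = 65
    print("every M < n round-trips:", roundtrip_holds_for_all(ku, kr))
    sig = sign(b"transfer 100", kr)
    print("valid:", verify(b"transfer 100", sig, ku))
    print("tampered:", verify(b"transfer 900", sig, ku))
```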

Conclusion: JCrypt tool is installed and demonstrated.


Expt No:12 Date:

Aim: Demonstrate an Intrusion Detection System using any tool (Snort or any other software).

Theory:

An intrusion detection system (IDS) is a device or software application that monitors a
network or systems for malicious activity or policy violations. Any detected activity or violation
is typically reported either to an administrator or collected centrally using a security information
and event management (SIEM) system. A SIEM system combines outputs from multiple sources,
and uses alarm filtering techniques to distinguish malicious activity from false alarms. Common
types of intrusion detection:

Network Based (Network IDS): Network-based intrusion detection attempts to identify
unauthorized, illicit, and anomalous behavior based solely on network traffic. A network IDS,
using either a network tap, SPAN port, or hub, collects packets that traverse a given network. Using
the captured data, the IDS processes and flags any suspicious traffic. Unlike an intrusion
prevention system, an intrusion detection system does not actively block network traffic. The
role of a network IDS is passive, only gathering, identifying, logging and alerting. Examples of
Network IDS:

• SNORT

Host Based (HIDS): Often referred to as HIDS, host-based intrusion detection attempts to
identify unauthorized, illicit, and anomalous behavior on a specific device. HIDS generally
involves an agent installed on each system, monitoring and alerting on local OS and application
activity. The installed agent uses a combination of signatures, rules, and heuristics to identify
unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging, and
alerting. Examples of HIDS:

• OSSEC - Open Source Host-based Intrusion Detection System
• Tripwire
• AIDE - Advanced Intrusion Detection Environment
• Prelude Hybrid IDS

Physical (Physical IDS): Physical intrusion detection is the act of identifying threats to physical
systems. Physical intrusion detection is most often seen as physical controls put in place to
ensure CIA. In many cases physical intrusion detection systems act as prevention systems as
well. Examples of physical intrusion detection are:

• Security Guards
• Security Cameras
• Access Control Systems (Card, Biometric)
• Firewalls
• Man Traps
• Motion Sensors

Classifications:
IDS can be classified by where detection takes place (network or host) and the detection
method that is employed.
Analyzed activity:
Network intrusion detection systems: Network intrusion detection systems (NIDS) are placed
at a strategic point or points within the network to monitor traffic to and from all devices on the
network. A NIDS performs an analysis of passing traffic on the entire subnet, and matches the traffic
that is passed on the subnets to the library of known attacks. Once an attack is identified, or
abnormal behavior is sensed, an alert can be sent to the administrator. An example of a NIDS
would be installing it on the subnet where firewalls are located in order to see if someone is
trying to break into the firewall. Ideally one would scan all inbound and outbound traffic;
however, doing so might create a bottleneck that would impair the overall speed of the
network. OPNET and NetSim are commonly used for simulating network intrusion detection
systems. NID systems are also capable of comparing signatures for similar packets to link and
drop detected harmful packets whose signature matches the records in the NIDS. When
we classify the design of a NIDS according to the system interactivity property, there are
two types: on-line and off-line NIDS. An on-line NIDS deals with the network in real time: it
analyses the Ethernet packets and applies some rules to decide whether it is an attack or not. An off-line
NIDS deals with stored data and passes it through some processes to decide whether it is an attack or
not.
Host intrusion detection systems: Host intrusion detection systems (HIDS) run on individual
hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the
device only and will alert the user or administrator if suspicious activity is detected. It takes a
snapshot of existing system files and matches it to the previous snapshot. If the critical system
files were modified or deleted, an alert is sent to the administrator to investigate. An example of
HIDS usage can be seen on mission-critical machines, which are not expected to change their
configurations.


Detection method:
Signature-based: Signature-based IDS refers to the detection of attacks by looking for specific
patterns, such as byte sequences in network traffic, or known malicious instruction sequences
used by malware. This terminology originates from anti-virus software, which refers to these
detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it
is impossible to detect new attacks, for which no pattern is available.
Anomaly-based: Anomaly-based intrusion detection systems were primarily introduced to
detect unknown attacks, in part due to the rapid development of malware. The basic approach is
to use machine learning to create a model of trustworthy activity, and then compare new
behavior against this model. Although this approach enables the detection of previously
unknown attacks, it may suffer from false positives: previously unknown legitimate activity may
also be classified as malicious.
New types of what could be called anomaly-based intrusion detection systems are being viewed
by Gartner as User and Entity Behavior Analytics (UEBA) (an evolution of the User Behavior
Analytics category) and Network Traffic Analysis (NTA). In particular, NTA deals with
malicious insiders as well as targeted external attacks that have compromised a user machine or
account. Gartner has noted that some organizations have opted for NTA over more traditional
IDS.

Intrusion Prevention: Intrusion prevention follows the same process of gathering and
identifying data and behavior, with the added ability to block (prevent) the activity. This can be
done with Network, Host, and Physical intrusion detection systems.
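To make the signature-based and anomaly-based methods described above concrete, here is an added example (not from the lab manual or from Snort) that runs both over a constructed set of flow records; every address, port and payload in it is made up.

```python
# Added example, not from the lab manual or from Snort: the two detection
# methods above, run over constructed flow records (src_ip, dst_port, payload).
# Every address, port and payload below is made up for the demonstration.
import re
from collections import defaultdict

BASELINE_FLOWS = [                     # "trustworthy activity" used for training
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, b"GET /about HTTP/1.1"),
    ("10.0.0.7", 22, b"SSH-2.0-OpenSSH_8.9"),
]
TEST_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),            # 0: benign, known
    ("10.0.0.5", 80, b"GET /item?id=1' OR '1'='1 HTTP/1.1"),   # 1: known pattern
    ("10.0.0.5", 443, b"\x16\x03\x01"),                         # 2: benign but new
    ("10.0.0.7", 445, b""),                                     # 3-5: one host
    ("10.0.0.7", 3389, b""),                                    #      touching ports
    ("10.0.0.7", 8080, b""),                                    #      never seen
]

# Signatures: byte patterns of known attacks, as the text describes.
SIGNATURES = {
    "sqli-tautology": re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "dir-traversal": re.compile(rb"\.\./\.\./"),
}


def signature_alerts(flows):
    """Signature-based: a flow is flagged only if its payload matches a rule."""
    return [(i, src, name)
            for i, (src, _port, payload) in enumerate(flows)
            for name, pattern in SIGNATURES.items()
            if pattern.search(payload)]


def build_baseline(flows):
    """Anomaly-based, learning phase: which ports each source normally uses."""
    model = defaultdict(set)
    for src, port, _payload in flows:
        model[src].add(port)
    return model


def anomaly_alerts(flows, model):
    """Flag any (src, port) pair absent from the model of trusted activity."""
    return [(i, src, f"new-port:{port}")
            for i, (src, port, _payload) in enumerate(flows)
            if port not in model.get(src, set())]


def compare(flows, model):
    """Which flow indexes each method flags; the gaps are the point."""
    return {"signature": sorted({i for i, _, _ in signature_alerts(flows)}),
            "anomaly": sorted({i for i, _, _ in anomaly_alerts(flows, model)})}


if __name__ == "__main__":
    model = build_baseline(BASELINE_FLOWS)
    # expected: signature flags only flow 1 (the known pattern) and misses the
    # port sweep 3-5; anomaly flags 2-5, where flow 2 (first TLS use) is the
    # false positive the text warns about
    print(compare(TEST_FLOWS, model))
```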
Steps:
1. Open the Linux operating system.
2. Open a terminal.
3. In the terminal, type the following commands:
   • openssl genrsa
   • openssl genrsa 12
   • openssl passwd
   • openssl passwd 12
4. Passwords will be generated.
Conclusion: Intrusion Detection System is demonstrated.


Expt No: 13 Date:

Aim: Install rootkits and study a variety of options.

Theory:

A rootkit is a collection of computer software, typically malicious, designed to enable
access to a computer or areas of its software that would not otherwise be allowed (for example,
to an unauthorized user) and often masks its existence or the existence of other software. The
term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix-
like operating systems) and the word "kit" (which refers to the software components that
implement the tool). The term "rootkit" has negative connotations through its association
with malware.

Rootkit installation can be automated, or an attacker can install it once they've obtained root or
Administrator access. Obtaining this access is a result of a direct attack on a system, i.e.
exploiting a known vulnerability (such as privilege escalation) or a password (obtained
by cracking or social engineering tactics like "phishing"). Once installed, it becomes possible to
hide the intrusion as well as to maintain privileged access. The key is the root or administrator
access. Full control over a system means that existing software can be modified, including
software that might otherwise be used to detect or circumvent it.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is
intended to find it. Detection methods include using an alternative and trusted operating system,
behavioral-based methods, signature scanning, difference scanning, and memory dump analysis.
Removal can be complicated or practically impossible, especially in cases where the rootkit
resides in the kernel; reinstallation of the operating system may be the only available solution to
the problem.[2] When dealing with firmware rootkits, removal may require hardware
replacement, or specialized equipment.
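The difference-scanning method listed above (and the file snapshot comparison a HIDS performs, described under Expt 12), as an added example that is not part of the manual; the directory tree, file names and contents are constructed inside a temporary directory.

```python
# Added example, not from the lab manual: difference scanning. A baseline of
# file digests is taken while the system is trusted, then compared with a
# fresh scan. The directory tree below is constructed in a temporary folder.
# Caveat the text already states: a kernel-level rootkit can lie to the scanner,
# so the baseline belongs off-host and the rescan is best run from a trusted
# alternative OS.
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def difference_scan(baseline: dict, current: dict) -> dict:
    """Report what changed between two snapshots (sorted, so deterministic)."""
    return {
        "modified": sorted(p for p in baseline if p in current
                           and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        Path(root, "bin", "ls").write_bytes(b"original ls binary")
        Path(root, "bin", "ps").write_bytes(b"original ps binary")
        Path(root, "sshd.conf").write_text("PermitRootLogin no\n")
        baseline = snapshot(root)
        # the kind of change a user-land rootkit leaves behind: a replaced
        # system binary, a removed config and an unexpected new file
        Path(root, "bin", "ps").write_bytes(b"replaced ps binary")
        Path(root, "sshd.conf").unlink()
        Path(root, "bin", "extra").write_bytes(b"unexpected file")
        return difference_scan(baseline, snapshot(root))


if __name__ == "__main__":
    # prints {'modified': ['bin/ps'], 'deleted': ['sshd.conf'], 'added': ['bin/extra']}
    print(demo())
```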
A rootkit is a type of software designed to hide the fact that an operating system has been
compromised, sometimes by replacing vital executables. Rootkits allow viruses and malware to
"hide in plain sight" by disguising themselves as necessary files that your antivirus software will overlook.
Rootkits themselves are not harmful; they are simply used to hide malware, bots and worms.
Rootkits get their name from the Unix term for the primary administrator account, called "root",
and "kits", which refer to the software pieces that implement the tool. To install a rootkit, an
attacker must first gain access to the root account by using an exploit or obtaining the password
by cracking it or social engineering. Rootkits were originally used in the early 1990s and
targeted UNIX operating systems. Today, rootkits are available for many other operating
systems, including Windows. Because rootkits are activated before your operating system
even boots up, they are very difficult to detect and therefore provide a powerful way for attackers
to access and use the targeted computer without the owner's notice. Due to the way rootkits are
used and installed, they are notoriously difficult to remove. Rootkits today usually are not used
to gain elevated access, but instead are used to mask malware payloads more effectively.
What Can a Rootkit Do?: A rootkit allows someone to maintain command and control over a
computer without the computer user/owner knowing about it. Once a rootkit has been installed,
the controller of the rootkit has the ability to remotely execute files and change system
configurations on the host machine. A rootkit on an infected computer can also access log files
and spy on the legitimate computer owner’s usage.

Rootkit Protection: Many rootkits penetrate computer systems by piggybacking with software
you trust or with a virus. You can safeguard your system from rootkits by ensuring it is kept
patched against known vulnerabilities. This includes patches of your OS, applications and up-to-
date virus definitions. Don't accept files or open email file attachments from unknown sources.
Be careful when installing software and carefully read the end-user license agreements.

Well-Known Rootkit Examples

• Lane Davis and Steven Dake wrote the earliest known rootkit in the early 1990s.
• NTRootkit: one of the first malicious rootkits targeted at the Windows OS.
• HackerDefender: this early Trojan altered/augmented the OS at a very low level of function
calls.
• Machiavelli: the first rootkit targeting Mac OS X appeared in 2009. This rootkit creates
hidden system calls and kernel threads.
• Greek wiretapping: in 2004/05, intruders installed a rootkit that targeted Ericsson's AXE
PBX.
• Zeus, first identified in July 2007, is a Trojan horse that steals banking information by man-in-
the-browser keystroke logging and form grabbing.

Conclusion: Rootkits are installed and studied.


Expt No: 14 Date:


Aim: Generate 10 passwords of length 12 characters using openssl command.
Theory:
In computer networking, OpenSSL is a software library to be used in applications that
need to secure communications against eavesdropping or need to ascertain the identity of the
party at the other end. It has found wide use in internet web servers, serving a majority of all web
sites.
OpenSSL contains an open-source implementation of the SSL and TLS protocols. The
core library, written in the C programming language, implements basic cryptographic functions
and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a
variety of computer languages are available.
Versions are available for most Unix and Unix-like operating systems
(including Solaris, Linux, Mac OS X and the various open-source BSD operating
systems), OpenVMS and Microsoft Windows. IBM provides a port for the System
i (OS/400). OpenSSL is a general purpose cryptography library that provides an open source
implementation of the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols.
The library includes tools for generating RSA private keys and Certificate Signing Requests
(CSRs), checksums, managing certificates and performing encryption/decryption. OpenSSL is
written in C, but wrappers are available for a wide variety of computer languages.

The genrsa command generates an RSA private key.

Options:
-out filename: specifies the output file name. If this argument is not specified then standard
output is used.
-passout arg: specifies the output file password source. For more information about the format
of arg see the PASS PHRASE ARGUMENTS section in the openssl reference page.
-des|-des3|-idea: These options encrypt the private key with the DES, triple DES, or the IDEA
ciphers respectively before outputting it. If none of these options is specified no encryption is
used. If encryption is used, a pass phrase is prompted for if it is not supplied via the
-passout argument.
-F4|-3: the public exponent to use, either 65537 or 3. The default is 65537.
-rand file(s): a file or files containing random data used to seed the random number generator, or
an EGD socket. Multiple files can be specified separated by an OS-dependent character. The
separator is ; for MS-Windows, , for OpenVMS, and : for all others.

numbits: the size of the private key to generate in bits. This must be the last option specified.
The default is 512.
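How the openssl command line can satisfy this experiment's aim, as an added example not taken from the manual: `openssl rand` supplies the random material for the passwords and `openssl passwd` hashes a password you pass to it. It assumes an `openssl` binary on PATH whose `passwd` subcommand supports `-6`.

```python
# Added example, not from the lab manual: the openssl command line driven from
# Python. `openssl rand -base64` supplies random bytes for the passwords and
# `openssl passwd -6` hashes a password you give it (it does not generate one).
# Assumes an `openssl` binary on PATH with a `passwd` subcommand supporting -6
# (OpenSSL 1.1.1 or later).
import string
import subprocess

ALLOWED = set(string.ascii_letters + string.digits)


def openssl_random_password(length: int = 12) -> str:
    """One password built from `openssl rand -base64`: '+', '/' and '=' are
    dropped (awkward in many input fields) and the rest cut to `length`."""
    # 3 random bytes give 4 base64 characters, so 3*length bytes leave
    # plenty after the symbols are removed
    out = subprocess.run(["openssl", "rand", "-base64", str(3 * length)],
                         check=True, capture_output=True, text=True).stdout
    chars = "".join(c for c in out if c in ALLOWED)
    if len(chars) < length:            # practically never; retry, do not pad
        return openssl_random_password(length)
    return chars[:length]


def generate_passwords(count: int = 10, length: int = 12) -> list:
    """The experiment's aim: `count` passwords of `length` characters."""
    return [openssl_random_password(length) for _ in range(count)]


def openssl_hash(password: str, salt: str) -> str:
    """SHA-512 crypt hash of `password` via `openssl passwd -6 -stdin`; the
    password goes over stdin so it never appears in the process list.
    A caller-supplied salt keeps the demo reproducible; normally omit -salt."""
    out = subprocess.run(["openssl", "passwd", "-6", "-salt", salt, "-stdin"],
                         input=password + "\n", check=True,
                         capture_output=True, text=True).stdout
    return out.strip()


def check(passwords: list, count: int = 10, length: int = 12) -> bool:
    """What a lab record should verify: count, length, charset, uniqueness."""
    return (len(passwords) == count
            and all(len(p) == length and set(p) <= ALLOWED for p in passwords)
            and len(set(passwords)) == count)


if __name__ == "__main__":
    pws = generate_passwords()
    print("\n".join(pws), "\nall checks pass:", check(pws))
    print(openssl_hash(pws[0], "constructedsalt"))   # store this, not pws[0]
```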
Conclusion: Passwords of length 12 characters are generated using openssl command.


Expt No: 15 Date:


Aim: Set up a honeypot and monitor the honeypot on the network.
Theory:
In computer terminology, a honeypot is a computer security mechanism set to detect,
deflect, or, in some manner, counteract attempts at unauthorized use of information systems.
Generally, a honeypot consists of data (for example, in a network site) that appears to be a
legitimate part of the site but is actually isolated and monitored, and that seems to contain
information or a resource of value to attackers, which are then blocked. This is similar to the
police baiting a criminal and then conducting undercover surveillance, and finally punishing the
criminal.[1]

Types:
Honeypots can be classified based on their deployment (use/action) and based on their
level of involvement. Based on deployment, honeypots may be classified as

1. Production honeypots
2. Research honeypots
Production honeypots are easy to use, capture only limited information, and are used
primarily by companies or corporations. Production honeypots are placed inside the production
network with other production servers by an organization to improve their overall state of
security. Normally, production honeypots are low-interaction honeypots, which are easier to
deploy. They give less information about the attacks or attackers than research
honeypots. Research honeypots are run to gather information about the motives and tactics of
the Black hat community targeting different networks. These honeypots do not add direct value
to a specific organization; instead, they are used to research the threats that organizations face
and to learn how to better protect against those threats.[2] Research honeypots are complex to
deploy and maintain, capture extensive information, and are used primarily by research, military,
or government organizations.
Based on design criteria, honeypots can be classified as:

1. Pure Honeypots
2. High-Interaction Honeypots
3. Low-Interaction Honeypots
Pure honeypots are full-fledged production systems. The activities of the attacker are
monitored by using a casual tap that has been installed on the honeypot's link to the network. No
other software needs to be installed. Even though a pure honeypot is useful, stealthiness of the
defense mechanisms can be ensured by a more controlled mechanism.
High-interaction honeypots imitate the activities of the production systems that host a
variety of services and, therefore, an attacker may be allowed a lot of services to waste his time.
By employing virtual machines, multiple honeypots can be hosted on a single physical machine.
Therefore, even if the honeypot is compromised, it can be restored more quickly. In general,
high-interaction honeypots provide more security by being difficult to detect, but they are
expensive to maintain. If virtual machines are not available, one physical computer must be
maintained for each honeypot, which can be exorbitantly expensive. Example: Honeynet.
Low-interaction honeypots simulate only the services frequently requested by attackers.
Since they consume relatively few resources, multiple virtual machines can easily be hosted on
one physical system, the virtual systems have a short response time, and less code is required,
reducing the complexity of the virtual system's security. Example: Honeyd.
Deception Technology: Recently, a new market segment called Deception Technology has
emerged using basic honeypot technology with the addition of advanced automation for scale.
Deception Technology addresses the automated deployment of honeypot resources over a large
commercial enterprise or government institution.
Malware honeypots: Malware honeypots are used to detect malware by exploiting the known
replication and attack vectors of malware. Replication vectors such as USB flash drives can
easily be verified for evidence of modifications, either through manual means or utilizing
special-purpose honeypots that emulate drives. Malware increasingly is used to search for and
steal cryptocurrencies, which provides opportunities for services such as Bitcoin Vigil to create
and monitor honeypots by using small amount of money to provide early warning alerts of
malware infection.
Spam versions: Spammers abuse vulnerable resources such as open mail relays and open
proxies. Some system administrators have created honeypot programs that masquerade as these
abusable resources to discover spammer activity. There are several capabilities such honeypots
provide to these administrators and the existence of such fake abusable systems makes abuse
more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who
rely on very high volume abuse (e.g., spammers).
These honeypots can reveal the apparent IP address of the abuse and provide bulk spam capture
(which enables operators to determine spammers' URLs and response mechanisms). For open
relay honeypots, it is possible to determine the e-mail addresses ("dropboxes") spammers use as
targets for their test messages, which are the tool they use to detect open relays. It is then simple
to deceive the spammer: transmit any illicit relay e-mail received addressed to that dropbox e-
mail address. That tells the spammer the honeypot is a genuine abusable open relay, and they
often respond by sending large quantities of relay spam to that honeypot, which stops it. The
apparent source may be another abused system: spammers and other abusers may use a chain of
abused systems to make detection of the original starting point of the abuse traffic difficult.
This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-
spam honeypots, spammers, with little concern for hiding their location, felt safe testing for
vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse
riskier and more difficult.
Spam still flows through open relays, but the volume is much smaller than in 2001 to 2002.
While most spam originates in the U.S., spammers hop through open relays across political
boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize
and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay
spam but decline to deliver it." Honeypot operators may discover other details concerning the
spam and the spammer by examining the captured spam messages.
Open relay honeypots include Jackpot, written in Java by Jack Cleaver; smtpot.py, written
in Python by Karl A. Krueger; and spamhole, written in C. The Bubblegum
Proxypot is an open source honeypot (or "proxypot").
Email trap: An email address that is not used for any other purpose than to receive spam can also
be considered a spam honeypot. Compared with the term "spamtrap", the term "honeypot" might
be more suitable for systems and techniques that are used to detect or counter attacks and probes.
With a spamtrap, spam arrives at its destination "legitimately", exactly as non-spam email
would arrive.
An amalgam of these techniques is Project Honey Pot, a distributed, open source project that
uses honeypot pages installed on websites around the world. These honeypot pages disseminate
uniquely tagged spamtrap email addresses and spammers can then be tracked—the
corresponding spam mail is subsequently sent to these spamtrap e-mail addresses.
Database honeypot:
Databases often get attacked by intruders using SQL Injection. As such activities are not
recognized by basic firewalls, companies often use database firewalls for protection. Some of the
available SQL database firewalls provide/support honeypot architectures so that the intruder runs
against a trap database while the web application remains functional.

Detection:
Just as honeypots are weapons against spammers, honeypot detection systems are
spammer-employed counter-weapons. As detection systems would likely use unique
characteristics of specific honeypots to identify them, a great deal of honeypots in use makes the
set of unique characteristics larger and more daunting to those seeking to detect and thereby
identify them. This is an unusual circumstance in software: a situation in which "versionitis" (a
large number of versions of the same software, all differing slightly from each other) can be
beneficial. There's also an advantage in having some easy-to-detect honeypots deployed. Fred
Cohen, the inventor of the Deception Toolkit, even argues that every system running his
honeypot should have a deception port that adversaries can use to detect the honeypot. Cohen
believes that this might deter adversaries.
How to install and set up a honeypot:
A honeypot is a system designed in such a way that an unauthorized hacker will want to
crack it immediately, like fake diamonds displayed in a glass case in a jewellery shop.
A honeypot emulates a server with serious security holes. Its intent is to attract
network intruders so that they will spend time on useless jobs. Honeypots are closely monitored
network decoys that serve several purposes.
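A minimal low-interaction honeypot of the kind described under "Low-interaction honeypots" above, written here as an added example (not from the manual, Honeyd or any other project): it listens on a TCP port, offers a fake banner, logs every connection, and is exercised by a constructed local probe; the banner text and hostname are made up.

```python
# Added example, not from the lab manual, Honeyd or any other project: a
# minimal low-interaction honeypot. It listens on one TCP port, greets with a
# fake service banner, records who connected and the first bytes they sent,
# then closes; it never provides the real service. Bound to 127.0.0.1 with an
# ephemeral port so the constructed probe below can exercise it offline.
import socket
import threading
import time

FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"   # constructed banner


class LowInteractionHoneypot:
    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # so the loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.events = []                    # the monitoring record
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(self.banner)
                try:
                    data = conn.recv(256)   # keep only the first bytes
                except socket.timeout:
                    data = b""
                # nothing legitimate talks to a decoy, so every hit is an alert
                self.events.append({"time": time.time(), "src": ip,
                                    "src_port": sport, "data": data})

    def stop(self):
        """Stop accepting; join() guarantees in-flight handlers have logged."""
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port: int, payload: bytes) -> bytes:
    """Constructed client standing in for a scanner; returns the banner seen."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def run_demo() -> dict:
    """Start the decoy, hit it once, return what it saw and what it logged."""
    hp = LowInteractionHoneypot()
    hp.start()
    try:
        banner = probe(hp.port, b"EHLO scanner.test\r\n")
    finally:
        hp.stop()
    return {"banner": banner, "events": hp.events}


if __name__ == "__main__":
    print(run_demo())
```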
Conclusion: A honeypot is set up in the network.
