CSS EXPERIMENT 1

AIM: Design and implementation of a product cipher using substitution and

transposition ciphers.

THEORY:
Product ciphers are a cryptographic technique that combines multiple
encryption methods to strengthen security. By integrating both substitution and
transposition ciphers, a more secure encryption can be achieved. Substitution
ciphers replace plaintext characters with ciphertext characters based on a
predefined key, while transposition ciphers rearrange the order of characters in
the plaintext.
In this experiment, the product cipher will first apply a substitution cipher to the
plaintext, where each character is substituted according to a specific rule or key.
Following this, a transposition cipher will be employed to shuffle the resulting
ciphertext's characters based on another key. By combining these two
techniques, we introduce complexity and confusion into the encryption process,
making it more challenging for adversaries to decipher the original message.
Product ciphers were widely used in manual cryptography, with double
transposition or product ciphers on key word-based rectangular matrices being
particularly popular[1]. Fractionation systems, such as the ADFGVX cipher
used by the German army during World War I, combined substitution and
transposition ciphers to create more secure encryption[1].
The strength of the product cipher lies in the synergistic effect of both
substitution and transposition, offering a higher level of security compared to
using either cipher in isolation. The experiment involves implementing a
product cipher using substitution and transposition ciphers, as demonstrated in
the Java code provided in[4]. The code encrypts the input text by first applying
a substitution cipher, then a transposition cipher, and finally decrypting the text
by reversing the process[4]. This experiment aims to design and implement a
product cipher using substitution and transposition ciphers, demonstrating the
enhanced security provided by combining these encryption methods.
CODE:
import time

def monoalphabetic_cipher_encrypt(plaintext, key):

ciphertext = ""
for char in plaintext:
if char.isalpha():
if char.islower():
index = ord(char) - ord('a')
ciphertext += key[index].lower()
elif char.isupper():
index = ord(char) - ord('A')
ciphertext += key[index]
else:
ciphertext += char
return ciphertext

# Example usage
plaintext = input("Enter the plain-text (Plain-text should contain only alphabets
and spaces): ").replace(" ", "").upper()
key = input("Enter the key (key must be in capital alphabets with all unique
letters and length should be 26): ")

start_time = time.time()
cipher_text = monoalphabetic_cipher_encrypt(plaintext, key)
end_time = time.time()

print("Cipher-text is:", cipher_text)

print("Time required for encryption =", end_time - start_time)

OUTPUT:

CONCLUSION:
The integration of substitution and transposition ciphers in a product cipher
enhances encryption security by introducing complexity and confusion. This
experiment demonstrates the effectiveness of combining these techniques to
create a more robust encryption scheme.
 EXPERIMENT-02

Aim: Implementation and analysis of RSA cryptosystem and Digital signature scheme using
RSA/El Gamal.

Theory:
RSA algorithm is an asymmetric cryptography algorithm. Asymmetric actually means that it
works on two different keys i.e. Public Key and Private Key. As the name describes, the
Public Key is given to everyone and the Private key is kept private.

An example of asymmetric cryptography:

● A client (for example browser) sends its public key to the server and requests
some data.
● The server encrypts the data using the client’s public key and sends the
encrypted data.
● The client receives this data and decrypts it.

Why is the RSA algorithm used?

RSA derives its security from the difficulty of factoring large integers that are the product of
two large prime numbers. Multiplying these two numbers is easy, but determining the
original prime numbers from the total -- or factoring -- is considered infeasible due to the
time it would take using even today's supercomputers.

The public and private key generation algorithm is the most complex part of RSA
cryptography. Two large prime numbers, p and q, are generated using the Rabin-Miller
primality test algorithm. A modulus, n, is calculated by multiplying p and q. This number is
used by both the public and private keys and provides the link between them. Its length,
usually expressed in bits, is called the key length.

The public key consists of the modulus n and a public exponent, e, which is normally set at
65537, as it's a prime number that is not too large. The e figure doesn't have to be a
secretly selected prime number, as the public key is shared with everyone.

The private key consists of the modulus n and the private exponent d, which is calculated
using the Extended Euclidean algorithm to find the multiplicative inverse with respect to the
totient of n.
Algorithms
Begin
1. Choose two prime numbers p and q.
2. Compute n = p*q.
3. Calculate phi = (p-1) * (q-1).
4. Choose an integer e such that 1 < e < phi(n) and gcd(e, phi(n)) = 1; i.e., e and phi(n)
are coprime.
5. Calculate d as d ≡ e−1 (mod phi(n)); here, d is the modular multiplicative inverse of
e modulo phi(n).
 6. For encryption, c = me mod n, where m = original message.
7. For decryption, m = c d mod
n. End
How does the RSA algorithm work?

Alice generates her RSA keys by selecting two primes: p=11 and q=13. The modulus is
n=p×q=143. The totient is n ϕ(n)=(p−1)x(q−1)=120. She chooses 7 for her RSA public key e
and calculates her RSA private key using the Extended Euclidean algorithm, which gives her
103.

Bob wants to send Alice an encrypted message, M, so he obtains her RSA public key (n, e)
which, in this example, is (143, 7). His plaintext message is just the number 9 and is
encrypted into ciphertext, C, as follows:

Me mod n = 97 mod 143 = 48 = C

When Alice receives Bob's message, she decrypts it by using her RSA private key (d, n) as
follows:

Cd mod n = 48103 mod 143 = 9 = M

To use RSA keys to digitally sign a message, Alice would need to create a hash -- a
message digest of her message to Bob -- encrypt the hash value with her RSA private key,
and add the key to the message. Bob can then verify that the message has been sent by
Alice and has not been altered by decrypting the hash value with her public key. If this value
matches the hash of the original message, then only Alice could have sent it --
authentication and non-repudiation -- and the message is exactly as she wrote it -- integrity.

CODE:
#include<iostream>
#include<math.h>
using namespace std;
int gcd(int a, int b) {
int t;
while(1)
{
t= a%b;
if(t==0)
return
b; a = b;
b= t;
}
}
int main()
{ double p =
13; double q
= 11;
 double
n=p*q;
double track;
double phi= (p-1)*(q-1);
double e=7;
while(e<phi) {
track = gcd(e,phi);
if(track==1)
break;
else
e++;
}
double d1=1/e;
double d=fmod(d1,phi);
double message = 9;
double c =
pow(message,e); double m
= pow(c,d); c=fmod(c,n);
m=fmod(m,n);
cout<<"Original Message = "<<message;
cout<<"\n"<<"p = "<<p;
cout<<"\n"<<"q = "<<q;
cout<<"\n"<<"n = pq = "<<n;
cout<<"\n"<<"phi = "<<phi;
cout<<"\n"<<"e = "<<e;
cout<<"\n"<<"d = "<<d;
cout<<"\n"<<"Encrypted message = "<<c;
cout<<"\n"<<"Decrypted message = "<<m;
return 0;
}

OUTPUT:
Conclusion:
We have successfully implemented and analysis of RSA cryptosystem
and Digital signature scheme using RSA/El Gamal.
Aim:
Experiment No :3

Study packet Sniffing using wireshark tool and also analyse ARP Packets and TCP/IP
Layer.

Theory:

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real
time and display them in human-readable format. Wireshark includes filters, color
coding, and other features that let you dig deep into network traffic and inspect
individual packets.

Capturing Packets

After downloading and installing Wireshark, you can launch it and double-click the
name of a network interface under Capture to start capturing packets on that interface.
For example, if you want to capture traffic on your wireless network, click your wireless
interface. You can configure advanced features by clicking Capture > Options, but this
isn’t necessary for now.
STOP
As soon as you click the interface’s name, you’ll see the packets start to appear in real time.
Wireshark captures each packet sent to or from your system.
If you have promiscuous mode enabled—it’s enabled by default—you’ll also see all the other
packets on the network instead of only packets addressed to your network adapter. To check if
promiscuous mode is enabled, click Capture > Options and verify the “Enable promiscuous
mode on all interfaces” checkbox is activated at the bottom of this window.
Click the red “Stop” button near the top left corner of the window when you want to stop
capturing traffic.

Colouring rules
As soon as you click the interface’s name, you’ll see the packets start to appear in real
time. Wireshark captures each packet sent to or from your system.

If you have promiscuous mode enabled—it’s enabled by default—you’ll also see all the
other packets on the network instead of only packets addressed to your network
adapter. To check if promiscuous mode is enabled, click Capture > Options and verify
the “Enable promiscuous mode on all interfaces” checkbox is activated at the bottom of
this window.

Click the red “Stop” button near the top left corner of the window when you want to stop
capturing traffic.

Searching specific network

If you’re trying to inspect something specific, such as the traffic a program sends when
phoning home, it helps to close down all other applications using the network so you
can narrow down the traffic.
Still, you’ll likely have a large amount of packets to sift through. That’s where
Wireshark’s filters come in.

The most basic way to apply a filter is by typing it into the filter box at the top of the
window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll
see only DNS packets. When you start typing, Wireshark will help you autocomplete
your filter.
Displaying Filter
You can also click Analyze > Display Filters to choose a filter from among the default
filters included in Wireshark. From here, you can add your own custom filters and save
them to easily access them in the future.
For more information on Wireshark’s display filtering language, read the Building
display filter expressions page in the official Wireshark documentation.

TCP conversation btw client and server

Another interesting thing you can do is right-click a packet and select Follow > TCP
Stream. You’ll see the full TCP conversation between the client and the server. You can
also click other protocols in the Follow menu to see the full conversations for other
protocols, if applicable.
Showing packets that made the conversation

Close the window and you’ll find a filter has been applied automatically.
Wireshark is showing you the packets that make up the conversation.
Applying filters
Click a packet to select it and you can dig down to view its details.

You can also create filters from here — just right-click one of the details and use the
Apply as Filter submenu to create a filter based on it.

Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of
what you can do with it. Professionals use it to debug network protocol
implementations, examine security problems and inspect network protocol internals.
Capture file properties

Properties:

File: Displays the general information about the capture file like its full path, size in
bytes, cryptographic hash values, file format, and encapsulation.
Time: Displays the timestamps of the first and the last packet in the file along with the
time duration during which the capture is ongoing.
Capture: Displays information about the capture environment including the hardware,
OS, and application. Only the “.pcapng” format has this information, while the “.pcap”
doesn’t.
Interfaces: Displays information about the capture interface or interfaces.
Statistics: It displays the statistical summary of the saved capture file. We will see
values in the Captured column only if the filter primitive is already set. We will see
values in the Marked column if any packets are marked.
Capture file comments: We can write a text comment for the entire file and can also
view and edit this comment here.

I/OGraph

● Now go into the Wireshark and click on Statistics→ I/O Graph menu or toolbar item.
● This will then bring up Wireshark’s “I/O Graph” window
● The screenshot above of the I/O Graph window displays the graph of the
captured network packets that are highly configurable.

TCP Stream Graph

Show different visual representations of the TCP streams in a capture.

Time Sequence (Stevens)

This is a simple graph of the TCP sequence number over time, similar to the ones used in
Richard Stevens’ “TCP/IP Illustrated” series of books.

Conclusion:
In conclusion, Wireshark is a powerful tool for packet sniffing, enabling real-time
capture and analysis of network traffic. The use of filters allows for focused inspection,
and features like TCP Stream analysis provide valuable insights into communication
between clients and servers. Wireshark's extensive capabilities make it an essential tool
for professionals in network debugging, security analysis, and protocol examination.
 Experiment No.:4
Aim: To implement digital signature scheme using Elgamal theory
Theory:
What is Elgamal?

Elgamal is a public key cryptosystem developed by Taher Elgamal in 1985. It is based on the Diffie-
Hellman key exchange method and operates in a similar mathematical framework, primarily within
the context of modular arithmetic and discrete logarithms. Elgamal consists of three major
components: key generation, encryption, and decryption. It can also be adapted for use as a digital
signature algorithm, which is its application in the context of your query.

Why is Elgamal Used?

Elgamal is used primarily because it provides a robust method of ensuring the confidentiality,
authenticity, and integrity of transmitted data. In the realm of digital signatures, Elgamal is
particularly valued for its capability to provide non-repudiation, ensuring that a signer cannot
successfully deny signing something if they indeed signed it. This feature is crucial in many legal,
financial, and transactional environments.

Where is Elgamal Used?

Elgamal encryption and signature schemes are used in various applications where secure data
transmission and authentication are required. This includes:Secure email communication, such as
PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard).Software signing to verify the integrity
and origin of software packages.Electronic voting systems to secure the voting process while
preserving voter privacy.Financial transactions where secure and authenticated message exchange is
necessary.

Advantages of Elgamal

Security: Based on the difficulty of the discrete logarithm problem, making it computationally
infeasible to break with current technology when appropriately implemented.

Confidentiality and Authenticity: Ensures that messages are both secure and verifiable.

Flexibility: Can be implemented for both encryption and digital signatures, offering versatility in its
application.

Forward Secrecy: Can provide forward secrecy in an encryption setting if keys are handled
appropriately.

Disadvantages of Elgamal

Speed: Generally slower than some other cryptosystems, such as RSA, due to more computationally
intensive operations.

Key Size and Bandwidth: Requires larger key sizes compared to RSA for equivalent security
levels, leading to larger ciphertexts.

Implementation Complexity: Proper implementation requires careful handling to avoid

vulnerabilities, particularly in generating random numbers and managing key exchanges.
Code:
# Import libraries

import random

from math import

pow # Get rand int

a = random.randint(2, 10)

# GCD

def gcd(a,

b): if a <

b:

return gcd(b, a)

elif a % b == 0:

return b;

else:

return gcd(b, a % b)

# Generating large random numbers

def gen_key(q):

key = random.randint(pow(10, 20), q)

while gcd(q, key) != 1:

key = random.randint(pow(10, 20), q)

return key

# Modular exponentiation

def power(a, b, c):

x=1

y=a

while b > 0:

if b % 2 != 0:
 x = (x * y) % c;

y = (y * y) % c

b = int(b / 2)

return x % c

# Asymmetric encryption

def encrypt(msg, q, h, g):

en_msg = []

k = gen_key(q) # Private key for

sender s = power(h, k, q)

p = power(g, k, q)

for i in range(0, len(msg)):

en_msg.append(msg[i])

print("g^k used : ", p)

print("g^ak used : ", s)

for i in range(0, len(en_msg)):

en_msg[i] = s *

ord(en_msg[i])

return en_msg, p

# Decryption

def decrypt(en_msg, p, key, q):

dr_msg = []

h = power(p, key, q)

for i in range(0, len(en_msg)):

 dr_msg.append(chr(int(en_msg[i]/h)))

return dr_msg

# Driver code

msg =

'encryption'

print("Original Message :", msg)

q = random.randint(pow(10, 20), pow(10,

50)) g = random.randint(2, q)

key = gen_key(q) # Private key for

receiver h = power(g, key, q)

print("g used : ", g)

print("g^a used : ", h)

en_msg, p = encrypt(msg, q, h, g)

dr_msg = decrypt(en_msg, p, key, q)

dmsg = ''.join(dr_msg)

print("Decrypted Message :", dmsg)

Output:

Conclusion:
In this experiment, we explored the Elgamal cryptographic system, particularly its application in digital
signature schemes. Elgamal provides a secure method for ensuring the integrity and authenticity of
digital communications, leveraging the complexity of the discrete logarithm problem for robust security.
Despite its computational demands and larger key sizes, the practical implementation demonstrated
Elgamal's effectiveness in providing non-repudiation in digital transactions. This makes it a valuable
tool for secure communications and other applications where privacy and verification are paramount.
 Experiment 5
Aim: To implement MD5 and SHA algorithms using Python libraries
Theory:
Introduction to MD5 and SHA Hash Functions

The MD5 (Message-Digest Algorithm 5) and SHA (Secure Hash Algorithm) are cryptographic hash
functions designed to provide a way of encoding data into a fixed-size hash value. These functions
are widely used to ensure data integrity in various applications, such as password storage, file
checksums, and digital signatures.

MD5 Algorithm

MD5, developed by Ronald Rivest in 1991, produces a 128-bit (16-byte) hash value. It is commonly
used to verify data integrity but has been found vulnerable to hash collisions and is generally considered
deprecated in security-sensitive applications. However, it remains in use for less critical applications
due to its speed and simplicity.

Steps in MD5 Algorithm:

Padding: The input message is padded so its length is congruent to 448, modulo 512. The padding
includes the original message length (as a 64-bit value).

Initialization: A 128-bit buffer (four 32-bit words) is used to store the state of the hash.

Processing: The main loop processes each 512-bit block of the message through a series of non-
linear functions; each block updates the hash buffer.

Output: The final output is the 128-bit digest of the input message.

SHA Family

The SHA family includes several algorithms: SHA-0, SHA-1, SHA-2 (with its variants like SHA-
256 and SHA-512), and SHA-3. Each version aims to improve security or performance. SHA-1
produces a 160-bit hash and has also been compromised in terms of security. SHA-2 is more secure
and provides options for different output hash sizes (e.g., 256 bits, 512 bits), making it suitable for
current security applications. SHA-3, the latest standard, provides a different cryptographic
foundation from SHA-2, offering higher security levels.

Steps in SHA Algorithms:

Padding: Similar to MD5, the message is padded to ensure its length is right for processing.

Initialization: Each variant uses a unique set of constants for initialization.

Processing: SHA employs more complex functions and message schedules for processing blocks, which
helps enhance its resistance to attacks.

Output: The output size depends on the SHA variant used (e.g., 256 bits for SHA-256).

Python Libraries for Hashing

Python's hashlib library supports multiple hashing algorithms, including MD5, SHA-1, SHA-256,
and SHA-512. This library provides a straightforward interface to hash data efficiently and is part of
Python's standard library, ensuring accessibility and ease of implementation.

Code:
import hashlib # Import

hashlib import sys # To call

exit

data = input("Enter data: ").encode() # Take input and encode it in UTF-8 (required by hashing
functions)

# Menu

while (True):

# Valid choice

try:

choice = int(input("\nEnter algorithm:\n1. SHA-256\n2. SHA-384\n3. SHA-224\n4. SHA-512\n5.

SHA-1\n6. MD5\n\nYour choice: ")) # Menu options and choice entry

# Invalid choice

(exit) except

ValueError:

sys.exit()

# SHA-256

if choice == 1:

result = hashlib.sha256(data)

# SHA-384

elif choice == 2:

result = hashlib.sha384(data)

# SHA-224

elif choice == 3:

result = hashlib.sha224(data)

# SHA-512
 elif choice == 4:

result = hashlib.sha512(data)

# SHA-1

elif choice == 5:

result = hashlib.sha1(data)

# MD5

elif choice == 6:

result = hashlib.md5(data)

# Print the hashes

print(f"The byte equivalent of the hash is: {result.digest()}") # Print the byte equivalent of the hash

print(f"The hexadecimal equivalent of the hash is: {result.hexdigest()}") # Print the hexadecimal
equivalent of the hash

Output:
Conclusion: Thus, we have successfully implemented MD5 and SHA algorithms using Python
libraries.
 Experiment No.6
Aim: Study the use of network reconnaissance and tools like WHOIS, dig,
tranceroute, nslookup to gather information about the networks in the
domain registrars.

1. ipconfig - The ipconfig command is used to display information about your

network configuration and refresh DHCP and DNS Settings. By default, the
ipconfig command displays your IP Address, Subnet Mask, and default
gateway.
2. ping - ing is the primary TCP/IP command used to troubleshoot
connectivity, reachability, and name resolution. You can also use this
command to test both the computer name and the IP address of the
computer.

3. netstat - The netstat command is used to show network status.

Traditionally, it is used more for problem determination than for performance
measurement. However, the netstat command can be used to determine the
amount of traffic on the network to ascertain whether performance problems
are due to network congestion.The netstat command displays information
regarding traffic on the configured network interfaces, such as the following:
• The address of any protocol control blocks associated with the
sockets and the state of all sockets
• The number of packets received, transmitted, and dropped in
the communications subsystem
 • Cumulative statistics per interface
• Routes and their status

4. nslookup- Nslookup is the name of a program that lets users enter a host
name and find out the corresponding IP address or domain name system
(DNS) record. Users can also enter a command in nslookup to do a reverse
DNS lookup and find the host name for a specified IP address.
5. arp- ARP is necessary because the software address (IP address) of the
host or computer connected to the network needs to be translated to a
hardware address (MAC address). Without ARP, a host would not be able to
figure out the hardware address of another host.

6. hostname- The HOSTNAME command displays the hostname of the

system. The hostname command is much easier to use than going into the
system settings to search for it.

7. tracert- The TRACERT command is used to trace the route during the
transmission of the data packet over to the destination host and also provides
us with the “hop” count during transmission.Using the number of hops and
the hop IP address, we can troubleshoot network issues and identify the point
of the problem during the transmission of the data packet.
8. systeminfo- Using the SYSTEMINFO command, we can access the system’s
hardware and software details, such as processor data, booting data,
Windows version, etc.
9. getmac- Every network capable device on the internet has a unique
identifying number called its MAC address. The number is assigned during
manufacture and is established in the hardware of the device. Using the
Getmac command, a user can determine the MAC address of their various
network devices. Some administrators will use the unique MAC addresses
of devices to limit what can and cannot connect to a network.
10. pathping- Generally speaking, the Windows 10 network command
PathPing combines the ping command with the tracert command, providing
information about network latency and network loss at intermediate hops
between a source and destination. The PathPing command provides more
detail than either ping or tracert can provide, such as latency reports and
statistics on packet loss.
 CSS EXPERIMENT 7

Aim: To Download & install npm use it with different op6ons to scan open ports
perform os fingerprin6ng do a ping scan ,tcp scan, udp port scan etc.

THEORY:

1. OS Fingerprin6ng:

Opera6ng System (OS) Fingerprin6ng is the process of analysing data

packets which originate from a network in an aDempt to glean intelligence to
be used in later aDacks. By detec6ng which opera6ng system a network
operates on, hackers have an easier 6me targe6ng known vulnerabili6es.
OS Fingerprin6ng can also collect configura6on aDributes from remote
devices. This type of recon aDack is usually the first step in a larger,
persistent effort. Networks running old, outdated, or unpatched
Opera6ng Systems became big targets when aDackers spot their
weakness.
How to Recognise This Threat: To detect OS Fingerprin6ng, it is important to
understand how it occurs. There are two types of OS Fingerprin6ng: Ac6ve
&
Passive.
In an ac6ve OS Fingerprin6ng aDempt, aDackers send a packet to a vic6m and
then wait on a response to analyse TCP packet contents. In a passive
aDempt aDackers act more as a “sniffer” that makes no deliberate changes
or ac6ons against the network. Passive OS Fingerprin6ng is a more stealth,
but far slower process. NMAP is perhaps the most popular and commonly-
used tool for OS Fingerprin6ng.
How to Prevent This Threat: The best way to prevent fingerprin6ng is to limit
the types of traffic that your network accepts and responds to, as well as
6ghtly control what informa6on your network returns. By blocking
6mestamps, echo replies, and address masks, admins can greatly reduce
the usefulness of informa6on that aDackers can exfiltrate. Our team of
cer6fied engineers can help you reduce aDack surfaces on your network and
ensure that your firewall and opera6ng system are as stealth as possible.
COMMAND:
AKSHAT S MEHTA T21-2101069
2. PING-SCAN
Ping works
took to by asending
receive reply oran
theInternet Control Message Protocol (ICMP) Echo
Request to
a specified interface on the network and wai 6ng for a reply. When a ping
command is issued, a ping signal is sent to a speci fied address. When the
target host receives the echo request, it responds by sending an echo
reply packet.
and determining round-trip 6me (RTT) or latency.
RTT is a measure of how long it took to receive a response. Measured in
milliseconds (ms), the process starts when a browser sends a request
to a server and is completed when a response from the server is
received.
metric RTTapplica6ons.
of web is a key performance
By default, ping commands send mul 6ple
requests -- usually four or five -- and display the results. The echo
ping results show whether a par6cular request received a successful
response. It also includes the number of bytes received and the 6me it
6me-to-live.

COMMAND:

AKSHAT S MEHTA T21-2101069

3. UDP PORT SCAN :
n computer networking, the User Datagram Protocol (UDP) is one of the
core communica6on protocols of the Internet protocol suite used to send
messages (transported as datagrams in packets) to other hosts on an
Internet Protocol (IP) network. Within an IP network, UDP does not require prior
communica 6on to set up communica6on channels or data paths.
UDP uses a simple connec 6onless communica 6on model with a
minimum of protocol mechanisms. UDP provides checksums for data
integrity, and port numbers for addressing di fferent func 6ons at the
source and des 6na6on of the datagram. It has no handshaking dialogues
and thus exposes the user's program to any unreliability of the
underlying network; there is no guarantee of delivery, ordering, or
duplicate protec 6on. If error-correc 6on facili 6es are needed at the
network interface level, an applica 6on may instead use Transmission
Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP)
which are designed for this purpose.
UDP is suitable for purposes where error checking and correc
6on are either not necessary or
are performed in the applica 6on; UDP avoids the overhead of
such processing in the protocol stack. Time-sensi 6ve applica6ons o^en
use UDP because dropping packets is preferable to wai 6ng for packets
delayed due to retransmission, which may not be an op6on in a real-
6me system.

COMMAND:
AKSHAT S MEHTA T21-2101069
4. TCP SCAN :
TCP Connect Scan (-sT): TCP Connect scan uses the concept of a full three-
way handshake to discover whether a given port is open, filtered, or closed
according to the response it receives. Namp sends a TCP request
packet to each and every port specified and determines the status of the
port by the response it receives. RFC 793 says,
If the connec 6on does not exist (CLOSED) then a reset is sent in
response to any incoming segment except another reset. In par
6cular, SYNs addressed to a
non- existent connec6on are rejected by this means.
What it essen 6ally means is that if Namp sends a TCP request to a
closed port with its SYN flag set, then it receives a TCP packet with its RESET
FLAG set from the target server. This tells Namp that the specified port is
“closed”.
The third possibility is that if a port is filtered, most of the server’s
firewalls are configured to just drop
incoming packets. Namp doesn’t receive any response back. This essen6ally
means that the given port is running behind a firewall (i.e “filtered”). TCP
SYN Scan (-sS): SYN scans are o ^en called “Half-open” or “Stealth”
scans. SYN scan works the same way as TCP Connect scan with closed and
filtered ports i.e
receives a RST packet for closed port and no response for filtered
ports. The only difference is in the way they handle the open ports. SYN
scan sends a response packet to the server with its RESET FLAG set(but
not ACK which is usually the default in the actual three-way handshake) a
^er receiving SYN/ACK from the target server. This is to avoid the server
from con 6nuously making requests to
establish a connec6on and thereby reduce the scan 6me.
COMMAND -
AKSHAT S MEHTA T21-2101069
TOPOLOGY:
Topology studies proper6es of spaces that are invariant under any
con6nuous deforma6on. It is some6mes called "rubber-sheet
geometry" because the objects can be stretched and contracted
like rubber, but cannot be broken.

CONCLUSION - We have successfully performed OS

fingerprin6ng, ping scan, tcp scan, udp port scan successfully.

AKSHAT S MEHTA T21-2101069

 Exp No.8 Wireshark

AIM: Study packet sniffing using Wireshark tool also analyse ARP
packets and TCP/IP layer .

THEORY:
Wireshark, a network analysis tool formerly known as Ethereal, captures
packets in real time and display them in human-readable format.
Wireshark includes filters, colour coding, and other features that let you
dig deep into network traffic and inspect individual packets.

Capturing Packets
After downloading and installing Wireshark, you can launch it and
double-click the name of a network interface under Capture to
start
capturing packets on that interface. For example, if you want to capture
traffic on your wireless network, click your wireless interface. You can
configure advanced features by clicking Capture > Options, but this isn’t
necessary for now
As soon as you click the interface’s name, you’ll see the packets start to
appear in real time. Wireshark captures each packet sent to or from your
system. If you have promiscuous mode enabled—it’s enabled by
default—you’ll also see all the other packets on the network instead of
only packets addressed to your network adapter. To check if
promiscuous mode is enabled, click Capture > Options and verify the
“Enable promiscuous mode on all interfaces” checkbox is activated at
the bottom of this window.
Click the red “Stop” button near the top left corner of the window when
you want to stop capturing traffic.
Colour Coding
You’ll probably see packets highlighted in a variety of different colours.
Wireshark uses colours to help you identify the types of traffic at a
glance. By default, light purple is TCP traffic, light blue is UDP traffic,
and black identifies packets with errors—for example, they could have
been delivered out of order.
To view exactly what the colour codes mean, click View > Colouring
Rules. You can also customize and modify the colouring rules from
here, if you like
Sample Captures
If there’s nothing interesting on your own network to inspect,
Wireshark’s wiki has you covered. The wiki contains a page of sample
capture files that you can load and inspect.
Click File > Open in Wireshark and browse for your downloaded file to
open one. You can also save your own captures in Wireshark and open
them later. Click File > Save to save your captured packets
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a
program sends when phoning home, it helps to close down all other
applications using the network so you can narrow down the traffic.
Still, you’ll likely have a large number of packets to sift through. That’s
where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the
top of the window and clicking Apply (or pressing Enter). For example,
type “dns” and you’ll see only DNS packets. When you start typing,
Wireshark will help you autocomplete your filter You can also click
Analyse > Display Filters to choose a filter from among the default filters
included in Wireshark. From here, you can add your own custom filters
and save them to easily access them in the future

Another interesting thing you can do is right-click a packet and select

Follow > TCP Stream. You’ll see the full TCP conversation between the
client and the server. You can also click other protocols in the Follow
menu to see the full conversations for other protocols, if applicable.
Close the window and you’ll find a filter has been applied automatically.
Wireshark is
showing you the packets that make up the conversation

Inspecting Packets Click a packet to select it and you can dig down to
view its details. You can also create filters from here — just right-click
one of the details and use the Apply as Filter submenu to create a filter
based on it.
Wireshark is an extremely powerful tool, and this tutorial is just
scratching the surface of what you can do with it. Professionals use it to
debug network protocol implementations, examine security problems
and inspect network protocol internals.
One of the really handy parts of the Wireshark is being able to see all
the data that we have captured in really useful ways such as a
graph. This can be very useful if we want to see how much traffic is
flowing
across our network and is very useful if we have a huge amount of data
to sift through. The Wireshark’s I/O graph is one of the basic graphs
that are created using the packets present in the capture file. It helps us
to
plot packet and protocol data in many ways.
I/O Graph for a Trace File:
To open the “I/O Graph” in Wireshark for a trace file follow the below
steps:
Start the Wireshark by selecting the network we want to analyse.
Now go into the Wireshark and click on Statistics→ I/O Graph menu or
toolbar item.
CONCLUSION:
In summary, the exploration of packet sniffing through Wireshark,
alongside the analysis of ARP packets and the TCP/IP layer, yielded
valuable insights into network traffic and protocol behaviours. Wireshark,
as a powerful tool, facilitated the examination of packet data, enabling
the observation of network communication patterns and identifying
potential security vulnerabilities. Moreover, the analysis of ARP packets
provided visibility into address resolution processes, while delving into
the TCP/IP layer enhanced comprehension of data transmission across
networks. Through this study, the combination of Wireshark and
ARP/TCP/IP analysis emerged as an effective approach for
understanding network protocols, diagnosing issues, and bolstering
network security.
 Experiment 9
Aim: To study Nessus vulnerability scanning tool

Theory:

Introduction to Nessus
Nessus is a widely recognized vulnerability scanning tool developed by Tenable Network
Security. It is one of the most comprehensive and widely deployed vulnerability assessment
tools that scans computing systems for vulnerabilities, misconfigurations, and potential
security threats. Nessus is used by thousands of organizations worldwide, ranging from large
enterprises to small businesses, across various industries.

Key Features of Nessus

1. Extensive Vulnerability Coverage: Nessus maintains a constantly updated database of
vulnerabilities that can detect security weaknesses in various software and operating
systems.
2. Policy Customization: Users can create custom scan policies to target specific areas of their
network or system based on their security needs.
3. Compliance Checking: It provides comprehensive checks against compliance standards such
as PCI DSS, HIPAA, SOX, and more, helping organizations comply with legal and security
standards.
4. High-Speed Discovery: Nessus efficiently scans large networks quickly, identifying live hosts,
open ports, and running services along with their associated vulnerabilities.
5. Plugin Architecture: Nessus uses plugins to extend its functionality, allowing for new
vulnerabilities to be easily added and detected in the scanning process.
How Nessus Works
Nessus performs scans through a client-server architecture. The Nessus server is installed on
one of the machines in the network, and it performs the scans directed by user commands
from a client, which could be a web-based interface or a command-line interface. Here's a
general overview of its operation:

1. Preparation: The user configures a scan by setting the target IP addresses, choosing a scan
type, and optionally customizing the scanning rules.
2. Scanning: Nessus scans the specified targets using its plugins to identify vulnerabilities,
misconfigurations, and other security-related issues.
3. Analysis: After the scan, Nessus compiles the results, categorizing vulnerabilities based on
their severity—critical, high, medium, and low.
4. Reporting: It generates detailed reports that outline the vulnerabilities found, their potential
impacts, and often provides remediation steps or links to more information for resolving the
issues.
Applications of Nessus
 Network Security : Identifying and fixing vulnerabilities in network services, configurations,
and devices.
 Compliance Auditing : Ensuring systems comply with industry standards and regulations.
 Web Application Scanning : Detecting vulnerabilities in web applications.
 Organizational Security Assessments : Regularly assessing the security posture of an
organization to identify and mitigate risks.
Advantages of Nessus
 Comprehensive Detection : Ability to detect a wide range of vulnerabilities.
 Flexibility : Customizable scans and extensible through plugins.

User-Friendly : Accessible via an intuitive web interface.

Community Support : Strong community and professional support from Tenable.
Disadvantages of Nessus
 Cost: While there is a free version available, it is limited in features, and the professional
version can be costly for some organizations.
 Resource Intensity: Scans can be resource-intensive and may slow down network or system
performance during a scan.
 Complexity: Although user-friendly, the sheer number of features and options can
overwhelm new users.

Implementation:

Installing and running the software:

Running a basic network scan:

Running an advanced network scan:
Conclusion: Thus, we have successfully studied Nessus vulnerability scanning tool.
 EXPERIMENT 10

Aim: Case Study on SNORT IDS tool.

Theory:
1. Detection Engine: Snort's detection engine is the core component responsible for
analyzing network traffic. It utilizes a variety of detection methods, including
signature-based detection, anomaly-based detection, and protocol analysis, to identify
potential security threats.

2. Rule-Based Detection: Snort uses a rule-based approach for intrusion detection, where
administrators define rules that specify patterns or characteristics of network traffic
indicative of malicious activity. These rules can be customized and tailored to match
the specific security requirements of the network environment.

3. Flexible Deployment: Snort can be deployed in different network configurations,

including inline mode for intrusion prevention and passive mode for intrusion
detection. It can also operate as a network-based IDS, inspecting traffic at the network
level, or as a host-based IDS, monitoring activity on individual hosts.

4. Alerting and Logging: When Snort detects suspicious activity that matches a defined
rule, it generates an alert and logs relevant information about the detected event.
Administrators can configure alerting mechanisms to notify them of potential security
incidents in real time, enabling timely response and mitigation.

5. Community Support: Snort benefits from a large and active user community,
contributing to the continuous development, improvement, and refinement of the tool.
The availability of community-contributed rules and plugins enhances Snort's
effectiveness and adaptability to evolving threats.

Conclusion:
Snort is a powerful and versatile intrusion detection and prevention tool that plays a crucial
role in safeguarding network security. Its rule-based detection engine, flexible deployment
options, and alerting capabilities make it well-suited for detecting and mitigating a wide
range of security threats. With its open-source nature and strong community support, Snort
continues to be a valuable asset for organizations seeking to enhance their network security
posture and protect against cyber threats.