Updated CS Lab Manual

Uploaded by

Srijan Kumar

GLOBAL INSTITUTE OF TECHNOLOGY

(Approved by AICTE and Affiliated to RTU, Kota)

LABORATORY MANUAL
(2022-2023)

7CS4-22: Cyber Security Lab

IV YEAR & VII SEMESTER

COMPUTER SCIENCE & ENGINEERING


DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

INDEX

S.NO. CONTENTS

1 SYLLABUS
2 BOOKS

3 INSTRUCTIONAL METHODS

4 LEARNING MATERIALS

5 ASSESSMENT OF OUTCOMES

6 LIST OF EXPERIMENTS (RTU SYLLABUS)

1. COURSE OUTCOMES (COs)


Graduates will be able to:
CO1: Understand the implementation of various techniques and security algorithms.

CO2: Apply different tools used for secure data transmission and for creating digital signature.

2. MAPPING OF COs & POs

Sem  Subject             Code     L/T/P  CO                                                PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 PO12

VII  Cyber Security Lab  7CS4-22  P      1. Understand the implementation of various       3   3   2   2   3   3   2   2   3   2    2    3
                                         techniques and security algorithms.

VII  Cyber Security Lab  7CS4-22  P      2. Apply different tools used for secure data     3   2   3   3   3   3   3   3   3   3    3    3
                                         transmission and for creating digital signature.
Cyber Security Lab (7CS4-22)    Year: IV    Sem: VII

Global Institute of Technology, Jaipur, Computer Science & Engineering (Approved by AICTE and Affiliated to RTU, Kota)

SYLLABUS
7CS4-22: Cyber Security Lab

Credit: 2    Max. Marks: 100 (IA: 60, ETE: 40)
0L+0T+4P    End Term Exam: 2 Hours
SN List of Experiments

1 Implement the following Substitution & Transposition Techniques concepts:
  a) Caesar Cipher  b) Rail fence row & Column Transformation
2 Implement the Diffie-Hellman Key Exchange mechanism using HTML and JavaScript. Consider the end user as one of the parties (Alice) and the JavaScript application as the other party (Bob).
3 Implement the following attacks: a) Dictionary Attack  b) Brute Force Attack
4 Installation of Wireshark, tcpdump, etc. and observe data transferred in client-server communication using UDP/TCP and identify the UDP/TCP datagram.
5 Installation of rootkits and study of the variety of options.
6 Perform an experiment to sniff traffic using ARP poisoning.
7 Demonstrate an intrusion detection system using any tool (Snort or any other software).
8 Demonstrate how to provide secure data storage and secure data transmission, and how to create digital signatures.
PROJECT: In a small area such as a house, office or classroom there is a small network called a Local Area Network (LAN). The project aims to transfer a file peer-to-peer from one computer to another in the same LAN, with the authentication needed for file transfer on the network. Using the client-server model, a File Transfer Protocol style mechanism and socket programming, the end user is able to send and receive encrypted files and decrypt them on the LAN. A further aim of the project is to transfer files between computers securely in LANs. Security elements are needed because anyone on the same network can capture or alter files in transit; whenever files are transmitted over a network there is a real chance they will be intercepted, so the file is protected by an encryption technique.
An algorithm such as AES is used to encrypt the file that needs to be transferred to another computer. The encrypted file is then sent to the receiving computer, where it must be decrypted before the user can open it. Note that encryption alone protects only confidentiality; if the project must also guarantee that files are not altered, an authenticated mode such as AES-GCM, or a separate MAC over the ciphertext, is required.


Outcomes:

At the end of the semester, the students should have clearly understood and implemented the
following:
• Implement the cipher techniques
• Develop the various security Algorithms
• Use different open source tools for network security and analysis

List of Hardware & Software Requirements

Software Requirements

 C
 C++
 Java or equivalent compiler
 GnuPG
 Snort

Hardware Requirements

 Standalone desktops (or) a server supporting 30 terminals or more

INSTRUCTIONAL METHODS

Direct Instructions:

• White board presentation

Interactive Instruction:

• coding

Indirect Instructions:

• Problem solving

LEARNING MATERIALS

Text/Lab Manual
ASSESSMENT OF OUTCOMES:-

1. End term Practical exam (Conducted by RTU, KOTA)


2. Daily Lab interaction.
OUTCOMES WILL BE ACHIEVED THROUGH FOLLOWING:-
1. Lab Teaching (through chalk and board).
2. Discussion on website.
INSTRUCTIONS OF LAB

DO’s

• Please switch off the Mobile/Cell phone before entering Lab.


• Enter the lab with complete source code and data.
• Check that all peripherals are available at your desktop before proceeding with the program.
• Inform the lab in-charge whenever you have difficulty using the system or in case software gets corrupted or infected by a virus.
• Arrange all peripherals and seats before leaving the lab.
• Properly shut down the system before leaving the lab.
• Keep bags outside in the racks.
• Enter the lab on time and leave at the proper time.
• Maintain the decorum of the lab.
• Utilize lab hours on the corresponding experiment.
• Get your CD / pen drive checked by the lab in-charge before using it in the lab.

DON’TS
• Don't mishandle the system.
• Don't leave the system running unattended for long.
• Don't bring any external material into the lab.
• Don't make noise in the lab.
• Don't bring mobiles into the lab; if absolutely necessary, keep ringers off.
• Don't enter the lab without permission of the lab in-charge.
• Don't litter in the lab.
• Don't delete or modify any system files.
• Don't carry any lab equipment outside the lab.

We need your full support and cooperation for smooth functioning of the lab.
INSTRUCTIONS FOR STUDENTS

BEFORE ENTERING IN THE LAB

• All the students are supposed to prepare the theory regarding the next program.
• Students are supposed to bring the practical file and the lab copy.
• Previous programs should be written in the practical file.
• Any student not following these instructions will be denied entry in the lab.

WHILE WORKING IN THE LAB


• Adhere to the experimental schedule as instructed by the lab in-charge.
• Get the previously executed program signed by the instructor.
• Get the output of the current program checked by the instructor in the lab copy.
• Each student should work on his/her assigned computer at each turn of the lab.
• Take responsibility for valuable accessories.
• Concentrate on the assigned practical and do not play games.
• Anyone caught red-handed carrying lab equipment out will face serious consequences.
LIST OF EXPERIMENTS

Experiment No.-1

1(a) Implement the following Substitution & Transposition Techniques concepts:

a) Caesar Cipher
b) Rail fence row & Column Transformation

AIM: To implement a program for encrypting a plain text and decrypting a cipher text using Caesar
Cipher (shift cipher) substitution technique

ALGORITHM DESCRIPTION:
The Caesar cipher is a substitution cipher in which each letter in the plaintext is replaced by the letter a fixed number of positions down the alphabet. For example, with a left shift of 3, D would be replaced by A, E would become B, and so on.
The method is named after Julius Caesar, who used it in his private correspondence. The transformation can be represented by aligning two alphabets; the cipher alphabet is the plain alphabet rotated left or right by some number of positions.
The encryption can also be represented using modular arithmetic by first transforming the letters into numbers according to the scheme A = 0, B = 1, ..., Z = 25.
Encryption of a letter x by a shift n is then En(x) = (x + n) mod 26, and decryption is performed similarly as Dn(x) = (x - n) mod 26.
Because there are only 25 useful shifts, the cipher offers no real security: an attacker can simply try every key and pick the candidate that reads as language.

PROGRAM:
class caesarCipher
{
    // Shift every letter by offset, wrapping within the alphabet; non-letters pass through unchanged.
    public static String encode(String enc, int offset)
    {
        offset = offset % 26 + 26;          // normalise so the offset is never negative
        StringBuilder encoded = new StringBuilder();
        for (char i : enc.toCharArray())
        {
            if (Character.isLetter(i))
            {
                if (Character.isUpperCase(i))
                    encoded.append((char) ('A' + (i - 'A' + offset) % 26));
                else
                    encoded.append((char) ('a' + (i - 'a' + offset) % 26));
            }
            else
                encoded.append(i);
        }
        return encoded.toString();
    }

    // Decryption is encryption with the complementary shift: (x - n) mod 26 == (x + (26 - n)) mod 26
    public static String decode(String enc, int offset)
    {
        return encode(enc, 26 - offset);
    }

    public static void main(String[] args)
    {
        String msg = "Hello welcome to Security Laboratory";
        System.out.println("simulation of Caesar Cipher");
        System.out.println("input message : " + msg);
        System.out.println("encoded message : " + caesarCipher.encode(msg, 12));
        System.out.println("decoded message : " + caesarCipher.decode(caesarCipher.encode(msg, 12), 12));
    }
}

stdin:
Standard input is empty

stdout:
simulation of Caesar Cipher
input message : Hello welcome to Security Laboratory
encoded message : Tqxxa iqxoayq fa Eqogdufk Xmnadmfadk
decoded message : Hello welcome to Security Laboratory

RESULT:
Thus the program was executed and verified successfully.
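A worked example of why the shift cipher gives no security, added here as editorial material and not part of the lab's program: it re-implements En(x) = (x + n) mod 26 in Python and then recovers the key of the sample ciphertext above by trying all 26 shifts and scoring each candidate with a chi-squared test against English letter frequencies. The frequency table is the commonly published one and is an assumption of the example.

```python
"""Recover the key of a Caesar ciphertext by trying all 26 shifts and scoring each
candidate plaintext against English letter frequencies (chi-squared statistic)."""
from string import ascii_lowercase

# Relative frequency (%) of a..z in English text; assumed values from the usual published tables.
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
                0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
                2.758, 0.978, 2.360, 0.150, 1.974, 0.074]


def caesar_shift(text: str, n: int) -> str:
    """E_n(x) = (x + n) mod 26 applied letter by letter; case and non-letters are preserved."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + n) % 26))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """How far the letter distribution of `text` is from English (lower is closer)."""
    letters = [c for c in text.lower() if c in ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = [0] * 26
    for c in letters:
        counts[ord(c) - ord("a")] += 1
    return sum((counts[i] - n * ENGLISH_FREQ[i] / 100) ** 2 / (n * ENGLISH_FREQ[i] / 100)
               for i in range(26))


def crack_caesar(ciphertext: str) -> tuple[int, str]:
    """Try every shift and return (shift, plaintext) for the most English-looking candidate.
    The returned shift is the encryption key n, i.e. ciphertext == caesar_shift(plaintext, n)."""
    best_key, best_plain, best_score = 0, ciphertext, float("inf")
    for key in range(26):
        candidate = caesar_shift(ciphertext, -key)   # undo a shift of `key`
        score = chi_squared(candidate)
        if score < best_score:
            best_key, best_plain, best_score = key, candidate, score
    return best_key, best_plain


if __name__ == "__main__":
    # Ciphertext from the lab's sample run above (shift 12).
    ct = "Tqxxa iqxoayq fa Eqogdufk Xmnadmfadk"
    key, pt = crack_caesar(ct)
    print(f"key = {key}, plaintext = {pt!r}")
```

On the 32 letters of the sample message the correct shift scores far below every other candidate, because any wrong shift maps the frequent letters e, o, l and t onto rare ones such as j, q, x or z.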

Experiment-1

1. What is cryptography?

Cryptography is a specialized area of cybersecurity, but it has a broad array of applications that we will examine later.
Kaspersky Lab has defined it as follows: “Cryptography is the study of secure communications techniques that allow only the
sender and intended recipient of a message to view its contents. In addition, cryptography also covers the obfuscation of
information in images using techniques such as microdots or merging.”

2. What exactly are encryption and decryption?

In everyday terms these are "scrambling" and "descrambling"; in cryptography they are called "encryption" and "decryption."

For example, when the written message "I LOVE YOU" is scrambled by the sending party, it becomes what is known as the "encrypted message": the message has been disguised so that it is meaningless to anyone else, or in the terms of cryptography, undecipherable.

Encryption can also be described as conversion of information from a readable state to apparent nonsense. When the receiving party receives this encrypted message, it must be unscrambled back into an understandable and comprehensible form. This process of unscrambling is known as decryption.


3. What is plaintext or cleartext?

The decrypted message, when it is returned back into its plain or original state of context which is comprehensible and
decipherable, is also known as cleartext or plaintext.

4. What is ciphertext?

When the message is encrypted into a state which is totally incomprehensible and undecipherable, this is known as the
ciphertext. So, to illustrate all of this, with the previous example, when the sending party creates the written message of “I
LOVE YOU”, this is the plaintext or the cleartext. Once this message is encrypted into the format of “UYO I VEOL” and while
it is in transit, it becomes known as the ciphertext. Then, once the receiving party gets this ciphertext and then decrypts it into a
comprehensible and understandable form of “I LOVE YOU,” this message then becomes the plaintext or the cleartext again.

5. How does the encryption process actually take place?

Later experiments give more specific answers. Generally speaking, in its simplest form, the text or written message is transformed by a mathematical procedure known as the "encryption algorithm," under the control of a key. Provided the algorithm is sound and the key stays secret, the resulting ciphertext is useless to a third party with malicious intent, because nothing about the plaintext can be recovered from its garbled form.

1(b) To implement a program for encryption and decryption using the rail fence transposition technique.

ALGORITHM DESCRIPTION:

In the rail fence cipher, the plaintext is written downwards and diagonally on successive "rails" of an imaginary fence, moving up again when the bottom rail is reached. When the top rail is reached, the message is written downwards again until the whole plaintext is written out. The ciphertext is then read off rail by rail.
The program below implements the row-and-column form of this transposition: the message is written into a grid of depth rows column by column and read out row by row. For depth 2 this produces exactly the same ciphertext as the zig-zag rail fence (the even-position letters followed by the odd-position letters); for depth 3 or more the two differ, because the zig-zag visits the middle rails twice per cycle while the grid fills every row equally.

PROGRAM :
class railfenceCipherHelper
{
    // Write the message into a depth x cols grid column by column, then read it out row by row.
    // The last column is padded with 'X' so every cell is filled; the original truncated any
    // message whose length was not a multiple of depth, so the padding branch never ran.
    String encode(String msg, int depth)
    {
        int r = depth;
        int l = msg.length();
        int c = (l + depth - 1) / depth;     // ceiling, so no characters are dropped
        int k = 0;
        char mat[][] = new char[r][c];
        String enc = "";
        for (int i = 0; i < c; i++)
            for (int j = 0; j < r; j++)
            {
                if (k != l)
                    mat[j][i] = msg.charAt(k++);
                else
                    mat[j][i] = 'X';
            }
        for (int i = 0; i < r; i++)
            for (int j = 0; j < c; j++)
                enc += mat[i][j];
        return enc;
    }

    // Reverse the process: fill the grid row by row, read it column by column.
    // Any 'X' padding added by encode comes back at the end of the result.
    String decode(String encmsg, int depth)
    {
        int r = depth;
        int l = encmsg.length();
        int c = l / depth;                   // exact, because encode padded to r*c characters
        int k = 0;
        char mat[][] = new char[r][c];
        String dec = "";
        for (int i = 0; i < r; i++)
            for (int j = 0; j < c; j++)
                mat[i][j] = encmsg.charAt(k++);
        for (int i = 0; i < c; i++)
            for (int j = 0; j < r; j++)
                dec += mat[j][i];
        return dec;
    }
}

class railfenceCipher
{
    public static void main(String[] args)
    {
        railfenceCipherHelper rf = new railfenceCipherHelper();
        String msg, enc, dec;
        msg = "hellorailfencecipher";
        int depth = 2;
        enc = rf.encode(msg, depth);
        dec = rf.decode(enc, depth);
        System.out.println("simulation of Railfence Cipher");
        System.out.println("input message : " + msg);
        System.out.println("encoded message : " + enc);
        System.out.println("decoded message : " + dec);
    }
}

stdin:
Standard input is empty

stdout:
simulation of Railfence Cipher
input message : hellorailfencecipher
encoded message : hloaleccpeelrifneihr
decoded message : hellorailfencecipher

RESULT:
Thus the program was executed and verified successfully.
Experiment-2

1. What is the Rail Fence Row & Column Transformation?

The Rail Fence Row & Column Transformation is a transposition cipher technique used to encrypt and decrypt messages. It rearranges the characters of a message in a specific pattern before transmission; decryption reverses the pattern. Unlike a substitution cipher, the letters themselves are unchanged, only their positions move.

2. How does the Rail Fence Row Transformation work?

In the Rail Fence Row Transformation, the characters of the message are written in a zig-zag pattern across a fixed number of "rails" (rows). The characters are then read off rail by rail to form the encrypted message.

3. What is the Rail Fence Column Transformation?

The Column Transformation (columnar transposition) writes the message into a grid with a fixed number of columns, row by row, and then reads it out column by column. With a keyword, the columns are read in the order given by the key rather than left to right, which enlarges the key space.

4. Is the Rail Fence Cipher secure for encrypting sensitive information?

No, the Rail Fence Cipher is not secure for sensitive information. The number of rails is tiny, so every possible key can be tried in an instant, and because the letters are only rearranged, the ciphertext keeps the plaintext's letter frequencies, which immediately identifies it as a transposition. It is suitable only for educational purposes and simple puzzles.

5. Can you explain the decryption process for the Rail Fence Row & Column Transformation?

To decrypt a message encrypted with the Row Transformation, rebuild the zig-zag pattern for the known number of rails, fill the rails with the encrypted message rail by rail (each rail takes as many characters as the pattern assigns to it), then read the characters back in zig-zag order. For the Column Transformation, rebuild the grid with the known number of columns, fill it column by column (in key order, if a keyword was used), then read it row by row.
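The zig-zag rail fence described in 1(b) and the row/column grid transposition that the Java program actually implements, compared side by side in an added Python example (editor's code, not the lab's; the pad character 'X' and the sample message are taken from the program above). It also implements decryption for both variants, as asked in question 5.

```python
"""Two transposition ciphers that the lab lumps together under "rail fence":
the true zig-zag rail fence, and the row/column grid transposition that the Java
program above actually implements. They agree for depth 2 and diverge for depth >= 3."""


def _rail_pattern(length: int, rails: int) -> list[int]:
    """Rail index visited by each plaintext position: 0,1,..,rails-1,rails-2,..,1,0,1,..."""
    if rails < 2:
        return [0] * length
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(length)]


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Write the text in a zig-zag across `rails` rails, then read rail by rail."""
    pattern = _rail_pattern(len(plaintext), rails)
    rows = [[] for _ in range(rails)]
    for ch, r in zip(plaintext, pattern):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Rebuild the zig-zag: count how many letters each rail holds, slice the
    ciphertext accordingly, then hand the letters back out in zig-zag order."""
    pattern = _rail_pattern(len(ciphertext), rails)
    counts = [pattern.count(r) for r in range(rails)]
    rows, pos = [], 0
    for c in counts:
        rows.append(list(ciphertext[pos:pos + c]))
        pos += c
    return "".join(rows[r].pop(0) for r in pattern)


def grid_encrypt(plaintext: str, depth: int, pad: str = "X") -> str:
    """The lab program's variant: fill a depth-row grid column by column, read row by row.
    The last column is padded so that nothing is silently dropped."""
    cols = -(-len(plaintext) // depth)           # ceiling division
    padded = plaintext.ljust(depth * cols, pad)
    # Row r holds positions r, r+depth, r+2*depth, ...
    return "".join(padded[r::depth] for r in range(depth))


def grid_decrypt(ciphertext: str, depth: int) -> str:
    """Inverse of grid_encrypt: split into rows, read column by column (padding stays)."""
    cols = len(ciphertext) // depth
    rows = [ciphertext[r * cols:(r + 1) * cols] for r in range(depth)]
    return "".join(rows[r][c] for c in range(cols) for r in range(depth))


if __name__ == "__main__":
    msg = "hellorailfencecipher"
    for d in (2, 3):
        print(d, rail_fence_encrypt(msg, d), grid_encrypt(msg, d))
```

With depth 2 both functions reproduce the lab's ciphertext hloaleccpeelrifneihr; with depth 3 the zig-zag gives holcpelrifneihrlaece while the grid gives hlafcieeoieeprlrlnchX, so the two are different ciphers despite sharing a name.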

Experiment-3

Implementation of Diffie-Hellman Key Exchange Algorithm

DESCRIPTION:

Diffie-Hellman key exchange establishes a shared secret between two parties over a public network; the secret is then used as, or to derive, a key for a symmetric cipher such as AES. The algorithm itself is very simple. Assume Alice wants to establish a shared secret with Bob.

ALGORITHM:

STEP-1: Alice and Bob agree on public parameters: a large prime p and a generator g.
STEP-2: Alice picks a random private value a, which she keeps secret.
STEP-3: Alice computes her public value A = g^a mod p.
STEP-4: Alice sends A to Bob.
STEP-5: Bob likewise picks a private value b, computes his public value B = g^b mod p and sends it to Alice.
STEP-6: Both compute the shared secret: Alice computes B^a mod p and Bob computes A^b mod p; both equal g^(ab) mod p.
Plain Diffie-Hellman does not authenticate either party: an active attacker who can replace A and B with values of their own agrees a separate key with each side. In practice the public values are signed or otherwise bound to identities.

PROGRAM: (Diffie Hellman Key Exchange)

#include <stdio.h>

/* Modular exponentiation by repeated squaring: a^b mod m.
   Handles b == 0 (the original recursed forever) and reduces the base first. */
long long int power(long long int a, long long int b, long long int mod)
{
    long long int t;
    a = a % mod;
    if (b == 0)
        return 1 % mod;
    if (b == 1)
        return a;
    t = power(a, b / 2, mod);
    if (b % 2 == 0)
        return (t * t) % mod;
    else
        return (((t * t) % mod) * a) % mod;
}

/* g^x mod n: the public value each party sends, and also the shared key B^x mod n. */
long long int calculateKey(long long int a, long long int x, long long int n)
{
    return power(a, x, n);
}

int main(void)
{
    long long int n, g, x, a, y, b;
    printf("Enter the value of n (a prime) and g (a generator mod n) : ");
    scanf("%lld %lld", &n, &g);
    printf("Enter the value of x for the first person : ");
    scanf("%lld", &x);
    a = calculateKey(g, x, n);            /* first person's public value */
    printf("Enter the value of y for the second person : ");
    scanf("%lld", &y);
    b = calculateKey(g, y, n);            /* second person's public value */
    printf("key for the first person is : %lld\n", calculateKey(b, x, n));
    printf("key for the second person is : %lld\n", calculateKey(a, y, n));
    return 0;
}

OUTPUT:

1. What is the Diffie-Hellman key exchange algorithm?

The Diffie-Hellman key exchange algorithm is a method for two parties to securely agree upon a shared secret key over an
insecure communication channel. It allows two parties to establish a common secret key without sharing any secret information
beforehand.

2. Who are the inventors of the Diffie-Hellman key exchange algorithm?

The algorithm was published by Whitfield Diffie and Martin Hellman in 1976, building on Ralph Merkle's work on public key distribution.
3. What is the fundamental problem that the Diffie-Hellman key exchange algorithm addresses?

The Diffie-Hellman key exchange addresses the problem of secure key distribution over an untrusted network. It allows two
parties to exchange information in such a way that an eavesdropper cannot easily compute the shared secret key.

4. Can you explain the basic steps involved in the Diffie-Hellman key exchange?

1. The parties agree on two public values: a prime number p and a generator (primitive root) g modulo p.
2. Each party selects a private key (a and b respectively).
3. Both parties calculate and exchange public keys: A = g^a mod p and B = g^b mod p.
4. Finally, each computes the shared secret from the other's public key: Alice computes B^a mod p, Bob computes A^b mod p, and both obtain g^(a*b) mod p.

5. Why is it difficult for an eavesdropper to compute the shared secret key in the Diffie-Hellman key exchange?

The difficulty rests on the Discrete Logarithm Problem: recovering a from A = g^a mod p is computationally infeasible when p is a large prime (2048 bits or more in practice). An eavesdropper who intercepts p, g, A and B therefore cannot compute the shared secret without one of the private keys. With a small modulus such as the textbook p = 23 the logarithm is found by simply trying every exponent, which is why the size of p matters.
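The exchange in STEP-1 to STEP-6 and the questions above, carried through in an added Python example (editor's code, not the lab's). It generates a small safe-prime group at run time (64-bit, for speed; real deployments use 2048-bit or larger standard groups), validates the peer's public value, derives an AES-sized key from the shared secret, shows that the discrete log of the toy parameters p = 23, g = 5 accepted by the C program above is recovered instantly, and shows the man-in-the-middle that unauthenticated DH permits. The fixed random seed is there only to make the run reproducible.

```python
"""Diffie-Hellman over a safe prime: parameter generation, public-value validation,
key derivation, a brute-force discrete log on toy parameters, and the
man-in-the-middle that unauthenticated DH does not prevent."""
import hashlib
import random

rng = random.Random(2023)   # fixed seed so the demo is reproducible; use `secrets` for real keys


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int) -> tuple[int, int, int]:
    """Return (p, q, g): p = 2q + 1 is a safe prime and g generates the subgroup of order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4   # 4 = 2^2 is a quadratic residue mod p, so its order is exactly q


def keypair(p: int, q: int, g: int) -> tuple[int, int]:
    """(private a, public A = g^a mod p); the private value is drawn from [2, q-1]."""
    a = rng.randrange(2, q)
    return a, pow(g, a, p)


def shared_key(peer_public: int, private: int, p: int, q: int) -> bytes:
    """B^a mod p hashed down to a 32-byte AES key. The peer's value is first checked to lie in
    the order-q subgroup, which rejects 0, 1, p-1 and small-subgroup values."""
    if not 1 < peer_public < p - 1 or pow(peer_public, q, p) != 1:
        raise ValueError("invalid public value")
    secret = pow(peer_public, private, p)
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def brute_force_dlog(g: int, A: int, p: int) -> int:
    """Recover a from A = g^a mod p by trying every exponent; feasible only for toy p."""
    x = 1
    for a in range(p):
        if x == A:
            return a
        x = x * g % p
    raise ValueError("no logarithm found")


def mitm(p: int, q: int, g: int) -> tuple[bytes, bytes, bytes, bytes]:
    """Mallory replaces A and B with her own value M and ends up with one key per victim."""
    a, A = keypair(p, q, g)
    b, B = keypair(p, q, g)
    m, M = keypair(p, q, g)                      # Mallory's single key pair, used towards both
    alice_key = shared_key(M, a, p, q)           # Alice believes M came from Bob
    bob_key = shared_key(M, b, p, q)             # Bob believes M came from Alice
    return alice_key, shared_key(A, m, p, q), bob_key, shared_key(B, m, p, q)


if __name__ == "__main__":
    p, q, g = make_group(64)
    a, A = keypair(p, q, g)
    b, B = keypair(p, q, g)
    print("keys agree:", shared_key(B, a, p, q) == shared_key(A, b, p, q))
    # The lab's C program with n = 23, g = 5, x = 6: the discrete log falls out instantly.
    print("recovered x:", brute_force_dlog(5, pow(5, 6, 23), 23))
```

The subgroup check in shared_key is the detail most student implementations omit: without it a peer can send a value of small order and force the shared secret into a handful of possibilities.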

Experiment No.- 4 & 5

Implement the following Attack:

(a) Dictionary Attack

(b) Brute Force Attack

The brute-force attack is simple to understand: every password the system could accept is entered in turn until the correct one is found. Actually writing one is a bit more complex, because there is real logic behind "simply entering every password". This section covers the logic of programming a sequential brute-forcer and ends with a sequential ascending brute-forcer in C/C++, plus a quick trick to turn it into a sequential descending brute-forcer.

A brute-forcer has three main logical components: a selection step where the user specifies the target of the attack; generating the passwords to test; and testing each password. Having the user specify the target is arguably the easiest part. It can be "hard-coded" (fixed by the programmer so no input is required), but any brute-forcer meant to be used by more than one person will include it. Say we have written a brute-forcer that attacks Yahoo accounts: it is programmed to attack Yahoo accounts in general, but the user must specify which account. The first component handles obtaining this information.

Once the brute-forcer knows what it is going to attack, it must generate the password to try. In a sequential brute-forcer, each password tried is one step away from the last one, so a sequential ascending brute-forcer tries 000001 followed by 000002; a sequential descending brute-forcer works in reverse. This is generally written as a loop that breaks only when the generated password succeeds, while a handful of variables increment with each pass. When all passwords of the current length have been tried, the variables are reset to their lowest values, the password length is incremented (or decremented) and the process starts again on passwords one character longer (or shorter). In practice this is simpler than it sounds.

The last component checks whether the generated password is correct. Surprisingly, this can be the hardest part to write. In the Yahoo example it requires knowledge of the Yahoo API, and every target needs a different check. All checks are simple from a broad perspective, but they can get quite complex depending on what is being brute-forced, so look for a library to do the check for you and keep this step as trivial as it should be. Against a live service the check is also the slow, visible part: every attempt is a login request that rate limiting and lockout policies are designed to stop.

Here is the code for an ascending brute-forcer in C/C++. It is small and fairly self-explanatory (the comments should help too):

#include <iostream>
#include <string>
#include <cstdlib>

using namespace std;

/*Prototypes*/
void checkPassword(string password);
void recurse(int width, int position, string baseString);

/*Global Variables*/
char chars[] = {'z','y','x','w','v','u','t','s','r','q','p','o','n','m','l','k','j','i','h','g','f','e','d','c','b','a','9','8','7','6','5','4','3','2','1','0'};
const int NCHARS = sizeof(chars) / sizeof(chars[0]);   /* 36; the original loop stopped at 35 and never tried '0' */
string t;

/*This function generates the password: it appends one character per recursion level
  until the string is `width` characters long, then hands it to checkPassword*/
void recurse(int width, int position, string baseString)
{
    for (int i = 0; i < NCHARS; i++)
    {
        if (position < width - 1)
            recurse(width, position + 1, baseString + chars[i]);
        else
            checkPassword(baseString + chars[i]);
    }
}

/*This function checks to see if the generated password is correct*/
void checkPassword(string password)
{
    cout << "Trying this password: " << password << endl;
    if (password == t)
    {
        cout << "match [" << password << "]" << endl;
        exit(0);
    }
}

int main()
{
    cout << "Enter a string (No more than 10 characters for demonstration purposes): " << endl;
    cin >> t;

    int maxChars = 10;
    /* Ascending: shortest width first. (The original started at maxChars and used i++, which
       never terminates.) For a descending brute-forcer, run the loop from maxChars down to 1. */
    for (int i = 1; i <= maxChars; i++)
    {
        cout << "Checking passwords width [" << i << "]..." << endl;
        recurse(i, 0, "");
    }
    return 0;
}

(a) Dictionary Attack

1. Can you explain the basic process of a dictionary attack?

The basic process involves the following steps: a. Obtain or create a password dictionary. b. Select a target account or
system to attack. c. Iteratively try each word or phrase from the dictionary as the password. d. If a match is found, the
attacker gains access to the account or system.

2. What are the motivations behind using a dictionary attack for password cracking?
Attackers use dictionary attacks because they are faster and more efficient than brute force methods. They are often used to
crack passwords for unauthorized access, data theft, or malicious purposes.

3. How can organizations defend against dictionary attacks?

Organizations can defend against dictionary attacks with strong password policies (including screening new passwords against lists of known-breached ones), multi-factor authentication, rate limiting and lockout of login attempts, and, for stored passwords, a salted slow hash such as bcrypt, scrypt or Argon2. Salting adds a unique random value to each password before hashing, so precomputed tables are useless and every hash must be attacked separately; the slow hash is what actually makes each guess expensive.

4. Are dictionary attacks limited to online systems, or can they be used offline as well? Explain.

Dictionary attacks can be used both online and offline. Online attacks target live systems, such as websites, where an
attacker can try a dictionary of passwords through login pages. Offline attacks often involve cracking hashed password
databases, such as those obtained from a data breach.

5. What is a rainbow table, and how is it related to dictionary attacks?

A rainbow table is a precomputed table of hash chains used to reverse password hashes quickly. It is not a dictionary attack, but it targets the same thing, hashes obtained from a breached database, and trades a large one-time precomputation for very fast lookups. Rainbow tables are effective only against unsalted hashes; a per-password salt forces the attacker back to a dictionary or brute-force attack on each hash individually.

(b) Brute Force Attack

1. What are the different types of Brute Force Attacks?

There are two main types:

 Simple Brute Force: Trying every possible combination, starting with the shortest passwords.

 Reverse Brute Force: Trying one password against multiple usernames or accounts.

2. Explain the basic process of a Brute Force Attack.

The process involves systematically trying every possible character combination until the correct password is found. It
usually begins with shorter and simpler passwords and gradually moves on to longer, more complex ones.

3. What are the motivations behind using a Brute Force Attack for password cracking?

Attackers use Brute Force Attacks when they have no information about the password and need to try all possibilities. It's
often used when other methods like dictionary attacks or social engineering fail.

4. How can organizations defend against Brute Force Attacks?

Organizations can defend against Brute Force Attacks with account lockouts after a certain number of failed attempts, rate limiting of login requests, long and complex passwords (length grows the search space far faster than complexity does), multi-factor authentication, and hashing stored passwords with a slow, salted algorithm so that offline attacks are expensive.

5. Are Brute Force Attacks limited to online systems, or can they be used offline as well? Explain.

Brute Force Attacks can be used both online and offline. Online attacks target live systems, while offline attacks often
involve cracking hashed password databases, such as those obtained from data breaches.
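The sequential brute-forcer above and the dictionary-attack questions, as an added Python example (editor's code, not from the page): both attacks run offline against constructed SHA-256 hashes, then against a salted PBKDF2 hash, so the effect of salting and slow hashing from question 3 can be seen rather than asserted. The wordlist, salt and target passwords are all constructed for the example.

```python
"""Offline password cracking against a leaked hash table: a dictionary attack and an
ascending brute force, run against a fast unsalted hash, then the same attacks against a
salted slow hash to show what the defences in the questions above actually change."""
import hashlib
import itertools
import string
from typing import Callable, Iterable, Optional

# Constructed sample wordlist standing in for rockyou.txt or similar.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou", "admin"]
CHARSET = string.ascii_lowercase + string.digits


def fast_hash(password: str, salt: bytes = b"") -> bytes:
    """What a naive application stores: one SHA-256 over salt||password. Cheap to guess against."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` hashes instead of one.
    (bcrypt/scrypt/Argon2 are the better choices; PBKDF2 is used because it is in the stdlib.)"""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(target: bytes, salt: bytes, words: Iterable[str],
                      hasher: Callable[[str, bytes], bytes]) -> Optional[str]:
    """Try each candidate word; return the password whose hash matches, else None."""
    for word in words:
        if hasher(word, salt) == target:
            return word
    return None


def brute_force(target: bytes, salt: bytes, charset: str, max_len: int,
                hasher: Callable[[str, bytes], bytes]) -> tuple[Optional[str], int]:
    """Sequential ascending brute force: every string of length 1, then 2, ... up to max_len.
    Returns (password or None, number of guesses made)."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            guess = "".join(combo)
            if hasher(guess, salt) == target:
                return guess, tried
    return None, tried


def precomputation_reuse(password: str) -> bool:
    """True if one precomputed hash (rainbow-table style) would match the password under two
    different salts; with per-user salts this is always False."""
    return fast_hash(password, b"salt-for-user-1") == fast_hash(password, b"salt-for-user-2")


if __name__ == "__main__":
    leaked = fast_hash("letmein")                          # unsalted, from a constructed "breach"
    print("dictionary:", dictionary_attack(leaked, b"", WORDLIST, fast_hash))
    pw, n = brute_force(fast_hash("p4s"), b"", CHARSET, 3, fast_hash)
    print("brute force:", pw, "after", n, "guesses")
    salt = b"\x9a\x1f\x00\x55"                             # constructed per-user salt
    print("salted+slow:", dictionary_attack(slow_hash("letmein", salt), salt, WORDLIST, slow_hash))
    print("one table fits all salts?", precomputation_reuse("letmein"))
```

The salted, slow variant still falls to the dictionary attack, because "letmein" is in the list; what changed is that each guess now costs 100,000 hash iterations and that the work cannot be shared across users or precomputed. Salting defeats reuse, the slow hash defeats speed, and only a password that is not in any list defeats the dictionary.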
Experiment No. -6

Installation of Wireshark, tcpdump, etc. and observe data transferred in client-server communication using UDP/TCP and identify the UDP/TCP datagram.

Introduction
The first part of the lab introduces the packet sniffer Wireshark. Wireshark is a free, open-source network protocol analyzer used for network troubleshooting and communication protocol analysis. It captures network packets in real time and displays them in human-readable form. It provides many advanced features including live capture and offline analysis, a three-pane packet browser and coloring rules for analysis. This document uses Wireshark for the experiments and covers installation, packet capturing and protocol analysis.

Figure 1: Wireshark in Kali Linux


Background

TCP/IP Network Stack

Figure 2: Encapsulation of Data in the TCP/IP Network Stack

In CSC 4190 Introduction to Computer Networking (one of the prerequisite courses), the TCP/IP network stack is introduced and studied. This background section briefly recaps the TCP/IP stack to help you understand the experiments. TCP/IP is the most commonly used network model for Internet services. It is named after its two most important protocols, the Transmission Control Protocol (TCP) and the Internet Protocol (IP), which were the first networking protocols defined in the standard, but it contains multiple layers: the application layer, transport layer, Internet layer and link layer.

- Application Layer: The application layer includes the protocols used by most applications to provide user services. Examples are Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP).
- Transport Layer: The transport layer establishes process-to-process connectivity and provides end-to-end services that are independent of the underlying user data. To implement process-to-process communication it introduces the concept of a port. Examples are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP provides flow control, connection establishment and reliable transmission of data, while UDP is a connectionless transmission model: a single 8-byte header with ports and a length, no sequence numbers and no acknowledgements.
- Internet Layer: The Internet layer is responsible for sending packets across networks. It has two functions: 1) host identification using the IP addressing system (IPv4 and IPv6); and 2) routing packets from source to destination. Examples are the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The Address Resolution Protocol (ARP), which maps IP addresses to link addresses, is often listed here although it is carried directly in link-layer frames.
- Link Layer: The link layer defines the networking methods within the scope of the local network link. It moves frames between two hosts on the same link. A common example of a link-layer protocol is Ethernet.

Packet Sniffer

Packet sniffer is a basic tool for observing network packet exchanges in a computer. As the name
suggests, a packet sniffer captures (“sniffs”) packets being sent/received from/by your computer; it will
also typically store and/or display the contents of the various protocol fields in these captured packets. A
packet sniffer itself is passive. It observes messages being sent and received by applications and protocols
running on your computer, but never sends packets itself.

Figure 3 shows the structure of a packet sniffer. At the right of Figure 3 are the protocols (in this case,
Internet protocols) and applications (such as a web browser or ftp client) that normally run on your
computer. The packet sniffer, shown within the dashed rectangle in Figure 3 is an addition to the usual
software in your computer, and consists of two parts. The packet capture library receives a copy of every
link-layer frame that is sent from or received by your computer. Messages exchanged by higher layer
protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are eventually encapsulated in link-layer frames
that are transmitted over physical media such as an Ethernet cable. In Figure 3, the assumed physical
media is an Ethernet, and so all upper-layer protocols are eventually encapsulated within an Ethernet
frame. Capturing all link-layer frames thus gives you access to all messages sent/received from/by all
protocols and applications executing in your computer.

Figure 3: Packet Sniffer Structure

The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields
within a protocol message. In order to do so, the packet analyzer must “understand” the structure of all
messages exchanged by protocols. For example, suppose we are
interested in displaying the various fields in messages exchanged by the HTTP protocol in Figure 3. The
packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an
Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment within
the IP datagram. Finally, it understands the TCP segment structure, so it can extract the HTTP message
contained in the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that
the first bytes of an HTTP message will contain the string “GET,” “POST,” or “HEAD”.

We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for these labs, allowing us to
display the contents of messages being sent/received from/by protocols at different levels of the protocol
stack. (Technically speaking, Wireshark is a packet analyzer that uses a packet capture library in your
computer). Wireshark is a free network protocol analyzer that runs on Windows, Linux/Unix, and Mac
computers.

Getting Wireshark
Kali Linux has Wireshark installed. You can just launch the Kali Linux VM and open Wireshark there.
Wireshark can also be downloaded from here:

https://www.wireshark.org/download.html

Figure 4: Download Page of Wireshark

Starting Wireshark
When you run the Wireshark program, the Wireshark graphical user interface is shown as in Figure 5.
At this point the program is not yet capturing packets.
Figure 5: Initial Graphic User Interface of Wireshark

Then, you need to choose an interface. If you are running Wireshark on a laptop, select the WiFi
interface; on a desktop, select the Ethernet interface being used. Note that there may be multiple
interfaces. In general, you can select any interface, but that does not mean that traffic will flow through
that interface. The network interfaces (i.e., the physical connections) that your computer has to the
network are listed. The attached Figure 6 was taken from my computer.

After you select the interface, you can click start to capture the packets as shown in Figure 7.

Figure 6: Capture Interfaces in Wireshark


Figure 7: Capturing Packets in Wireshark

Figure 8: Wireshark Graphical User Interface on Microsoft Windows


The Wireshark interface has five major components:

The command menus are standard pulldown menus located at the top of the window. Of interest to us
now are the File and Capture menus. The File menu allows you to save captured packet data or open a file
containing previously captured packet data, and to exit the Wireshark application. The Capture menu allows
you to begin packet capture.

The packet-listing window displays a one-line summary for each packet captured, including the packet
number (assigned by Wireshark; this is not a packet number contained in any protocol’s header), the time
at which the packet was captured, the packet’s source and destination addresses, the protocol type, and
protocol-specific information contained in the packet. The packet listing can be sorted according to any of
these categories by clicking on a column name. The protocol type field lists the highest-level protocol
that sent or received this packet, i.e., the protocol that is the source or ultimate sink for this packet.

The packet-header details window provides details about the packet selected (highlighted) in the
packet-listing window. (To select a packet in the packet-listing window, place the cursor over the packet’s
one-line summary in the packet-listing window and click with the left mouse button.) These details include
information about the Ethernet frame and IP datagram that contains this packet. The amount of Ethernet
and IP-layer detail displayed can be expanded or minimized by clicking on the right-pointing or
down-pointing arrowhead to the left of the Ethernet frame or IP datagram line in the packet details window.
If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed, which can
similarly be expanded or minimized. Finally, details about the highest-level protocol that sent or received
this packet are also provided.

The packet-contents window displays the entire contents of the captured frame, in both ASCII and
hexadecimal format.

Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a
protocol name or other information can be entered in order to filter the information displayed in the
packet-listing window (and hence the packet-header and packet-contents windows). In the example
below, we’ll use the packet-display filter field to have Wireshark hide (not display) all packets except those
that correspond to HTTP messages.

Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name of an interface under
Interface List to start capturing packets on that interface. For example, if you want to capture traffic on
the wireless network, click your wireless interface.

Test Run
Do the following steps:

1. Start up the Wireshark program (select an interface and press start to capture packets).
2. Start up your favorite browser (Iceweasel in Kali Linux).
3. In your browser, go to the Wayne State homepage by typing www.wayne.edu.
4. After your browser has displayed the http://www.wayne.edu page, stop Wireshark packet
capture by selecting stop in the Wireshark capture window. This will cause the Wireshark
capture window to disappear and the main Wireshark window to display all
packets captured since you began packet capture, as in the image below:

5. Color Coding: You’ll probably see packets highlighted in green, blue, and black.
Wireshark uses colors to help you identify the types of traffic at a glance. By default,
green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black
identifies TCP packets with problems — for example, they could have been delivered
out-of-order.
6. You now have live packet data that contains all protocol messages exchanged between
your computer and other network entities! However, as you will notice, the HTTP
messages are not clearly visible because there are many other packets included in the
packet capture. Even though the only action you took was to open your browser, there are
many other programs in your computer that communicate via the network in the
background. To narrow the capture down to the connections we want to focus on, we use the
filtering functionality of Wireshark by typing “http” in the filtering field as shown below:
Notice that we now see only HTTP packets. However, we still do not have
the exact communication we want to focus on, because using HTTP as a filter is not descriptive enough to
let us find our connection to http://www.wayne.edu. We need to be more precise if we want to
capture the correct set of packets.

7. To further filter packets in Wireshark, we need a more precise filter. By setting the filter
http.host==www.wayne.edu, we restrict the view to packets whose HTTP host is
the www.wayne.edu website. Notice that we need two equal signs to perform the
match (“==”), not just one. See the screenshot below:

8. Now, we can try another protocol. Let’s use the Domain Name System (DNS) protocol as an
example here.
9. Let’s now try to find out what those packets contain by following one of the
conversations (also called network flows): select one of the packets and press the right
mouse button (if you are on a Mac, use the command button and click). You should see
something similar to the screen below:

Click on Follow UDP Stream, and you will then see the following screen.
10. If we close this window, change the filter back to “http.host==www.wayne.edu” and
then follow a packet from the list of packets that match that filter, we should get
something similar to the following screens. Note that we click on Follow TCP Stream
this time.
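As an added illustration (not code from the lab or from Wireshark) of what the packet analyzer in Figure 3 does when it peels Ethernet, IP, TCP and HTTP apart, and of what the display filter http.host==www.wayne.edu in step 7 matches on, the following Python script dissects a small capture of constructed frames; every MAC, IP address, port and the 203.0.113.0/24 server address is made up for the demo, and checksums are not verified.

```python
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET", b"POST", b"HEAD")   # the request starts the analyzer looks for


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def dissect(frame: bytes) -> Optional[dict]:
    """Walk Ethernet -> IPv4 -> TCP -> HTTP exactly as the analyzer in Figure 3 does.

    Returns Wireshark-style field names (eth.src, ip.dst, http.host, ...) for an
    HTTP request, or None for anything else (ARP, a bare SYN, truncated data)."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None                                  # e.g. ARP: no IP datagram inside
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]                          # total_len drops any Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    payload = tcp[(off_flags >> 12) * 4:]
    if not payload.startswith(HTTP_METHODS):
        return None                                  # TCP, but not the start of an HTTP request
    head = payload.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return {
        "eth.src": _mac(src), "eth.dst": _mac(dst),
        "ip.src": _ip(sip), "ip.dst": _ip(dip),
        "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": off_flags & 0x1FF,
        "http.request.method": parts[0].decode("ascii", "replace"),
        "http.request.uri": parts[1].decode("ascii", "replace"),
        "http.host": headers.get("host"),
    }


def filter_capture(frames, field: str, value) -> list:
    """Equivalent of typing `field == value` in the display-filter box: returns the
    1-based packet numbers (as in the packet-listing window) that match."""
    hits = []
    for number, frame in enumerate(frames, 1):
        fields = dissect(frame)
        if fields is not None and fields.get(field) == value:
            hits.append(number)
    return hits


# --- constructed capture (all addresses are made-up test values) -------------
def _tcp_frame(payload: bytes, flags: int) -> bytes:
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 2000, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])) + tcp
    return struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                       bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4) + ip


def _http_get(host: bytes, path: bytes = b"/") -> bytes:
    return _tcp_frame(b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n", 0x018)  # PSH|ACK


CAPTURE = [
    _http_get(b"www.wayne.edu"),                                             # 1: the request step 7 looks for
    _tcp_frame(b"", 0x002),                                                  # 2: bare SYN, no HTTP yet
    struct.pack("!6s6sH", b"\xff" * 6, bytes(6), ETHERTYPE_ARP) + bytes(28),  # 3: ARP, not IP at all
    _http_get(b"example.com", b"/index.html"),                               # 4: HTTP to another host
]

if __name__ == "__main__":
    for number, frame in enumerate(CAPTURE, 1):
        print(number, dissect(frame))
    print("http.host == www.wayne.edu ->", filter_capture(CAPTURE, "http.host", "www.wayne.edu"))
```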

1. What is the purpose of Wireshark?

Wireshark is a network protocol analyzer that allows users to capture, analyze, and inspect network traffic, making it a
valuable tool for network troubleshooting and security analysis.

2. What is the difference between TCP and UDP?


TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are both transport layer protocols, but TCP
provides reliable, connection-oriented communication with error checking and flow control, while UDP offers
connectionless, unreliable communication with no error recovery or flow control.

3. How can you filter and view only TCP packets in Wireshark?

You can use the display filter tcp to view only TCP packets in Wireshark.

4. What kind of information can you find in a TCP packet captured by Wireshark?

In a TCP packet, you can find information such as source and destination ports, sequence numbers, acknowledgment
numbers, flags (e.g., SYN, ACK, FIN), and the actual data payload.

5. How can you distinguish between UDP and TCP packets in Wireshark?

You can distinguish UDP and TCP packets by examining the protocol field in the packet details. Wireshark will indicate
whether it's a UDP or TCP packet in this field.

Experiment No.-7

Installation of rootkits and study about the variety of options.


AIM:
A rootkit is a stealthy type of malicious software designed to hide the existence of certain processes from normal
methods of detection and to enable continued privileged access to a computer.

INTRODUCTION:

Breaking the term rootkit into the two component words, root and kit, is a useful way to define it. Root is a
UNIX/Linux term that's the equivalent of Administrator in Windows. The word kit denotes programs that
allow someone to obtain root/admin-level access to the computer by executing the programs in the kit — all
of which is done without end-user consent or knowledge.

A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are
difficult to detect because they are activated before your system's Operating System has completely booted
up. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the
system's OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.

Rootkits have two primary functions: remote command/control (back door) and software eavesdropping.
Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means
executing files, accessing logs, monitoring user activity, and even changing the computer's configuration.
Therefore, in the strictest sense, even versions of VNC are rootkits. This surprises most people, as they
consider rootkits to be solely malware, but in and of themselves they aren't malicious at all.

The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux
operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits are
available for a number of operating systems, including Windows, and are increasingly difficult to detect on
any network.

PROCEDURE:

STEP-1: Download Rootkit Tool from GMER website www.gmer.net.


STEP-2: The tool displays the Processes, Modules, Services, Files, Registry, Rootkit/Malware,
Autostart and CMD tabs for the local host.
STEP-3: Select the Processes menu and kill any unwanted process, if any.
STEP-4: The Modules menu displays the loaded system files (.sys, .dll).
STEP-5: The Services menu displays the complete list of services with their start type: Autostart, Enable,
Disable, System, Boot.
STEP-6: The Files menu displays all files on the hard-disk volumes.
STEP-7: The Registry tab displays HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.
STEP-8: The Rootkit/Malware tab scans the selected local drives.
STEP-9: The Autostart tab displays the registry-based Autostart applications.
STEP-10: CMD allows the user to interact with command-line utilities or the Registry.
SCREENSHOTS:
1. What is a Rootkit?

A rootkit is software, usually malicious, that permits unauthorized users to gain access to a computer or to software that is
otherwise off-limits, while hiding itself from other software. A rootkit hides in the computer system and gains unauthorized
access to the system without anyone knowing. The word rootkit is a compound of ‘root’ and ‘kit’: ‘root’ is the
traditional name of the administrator account on UNIX and similar operating systems, and ‘kit’ refers to the malware
and programs that allow unauthorized access to the computer and its restricted areas.

2. How does a rootkit work?

A rootkit can be used for several purposes. One of the most common is improving stealth: the rootkit stays hidden
while it performs its functions, such as destroying data on the network. Most often, unauthorized users
(hackers) gain backdoor access to the systems. The compromised computer is then used as a bot for distributed
denial-of-service attacks (DDoS attacks), and the attack is traced not to the attacker’s system but to the compromised computer.

3. What is a Rootkit Scan?

A rootkit scan, as the name suggests, is a tool for detecting and identifying a rootkit infection. If there is any suspicion
of a rootkit, it is better to switch off the computer and run the scan from a trusted system. Behavioral analysis is one
of the best ways to spot an infection: unusual patterns of behavior should be examined carefully. Targeted scanning
can be used where there is suspicion, and may catch the infection before a human realizes an attack has occurred.

4. How to remove a Rootkit?

Some rootkits operate at a higher level than the rest, which makes them difficult to detect. To detect such rootkits, a highly
advanced anti-malware tool with multiple features is required. As the information technology sector has grown,
highly advanced rootkit scanners and removers allow such threats to be detected and eliminated more easily. Indications of a
suspected rootkit include slower system performance and memory use, and wrong time and date display.

A rootkit can also disable the installed anti-virus or anti-malware software. Rootkits start by affecting software installation and
later move on to the hardware. Hence, the best advice is to use the best antivirus software available. Such protection works in real
time against rootkits, malware, and viruses. Regular updating of the software and regular scanning also help with early
detection.

5. Probable Rootkit Symptoms?

Identifying a rootkit is challenging without the aid of specialized tools since various malware exhibit similar destructive
behavior. However, certain situations may indicate the presence of a rootkit in the system. Here are some examples:

• Difficulty in Detection.
• Unclear Network Activity.
• Unusual System Behavior.
• Slow Performance.
• Disabled Security Software.
• Unexpected System Modifications.

Experiment No.- 8

Perform an Experiment to Sniff Traffic using ARP Poisoning.


AIM

Description:

ARP is the acronym for Address Resolution Protocol. It is used to convert an IP address to a physical address
[MAC address] on a switched network. The host sends an ARP broadcast on the network, and the recipient computer
responds with its physical address [MAC address]. The resolved IP/MAC address pair is then used to
communicate. ARP poisoning is sending forged ARP replies carrying fake MAC addresses, so that the switch and the hosts
associate the attacker's MAC address with the IP address of a genuine computer on the network and the traffic can be hijacked.

ARP Poisoning Countermeasures

Static ARP entries: these can be defined in the local ARP cache, and the switch configured to ignore all automatic
ARP reply packets. The disadvantage of this method is that it is difficult to maintain on large networks: the IP/MAC
address mapping has to be distributed to all the computers on the network.

ARP poisoning detection software: these systems can be used to cross check the IP/MAC address resolution
and certify them if they are authenticated. Uncertified IP/MAC address resolutions can then be blocked.

Operating System Security: this measure depends on the operating system being used. The following are
the basic techniques used by various operating systems.

• Linux based: these work by ignoring unsolicited ARP reply packets.

• Microsoft Windows: the ARP cache behavior can be configured via the registry.

The following list includes some of the software that can be used to protect networks against sniffing:

• AntiARP: provides protection against both passive and active sniffing
• Agnitum Outpost Firewall: provides protection against passive sniffing
• XArp: provides protection against both passive and active sniffing
• Mac OS: ArpGuard can be used to provide protection. It protects against both active and passive
sniffing.

Computers communicate using networks. These networks could be on a local area network (LAN) or
exposed to the internet. Network sniffers are programs that capture low-level packet data that is
transmitted over a network. An attacker can analyze this information to discover valuable
information such as user IDs and passwords.

In this experiment, we will introduce you to common network sniffing techniques and tools used to sniff
networks.

What is network sniffing?

Computers communicate by broadcasting messages on a network using IP addresses. Once a message has
been sent on a network, the recipient computer with the matching IP address responds with its MAC
address.
Network sniffing is the process of intercepting data packets sent over a network. This can be done by a
specialized software program or by hardware equipment. Sniffing can be used to:

• Capture sensitive data such as login credentials
• Eavesdrop on chat messages
• Capture files that have been transmitted over a network

The following are protocols that are vulnerable to sniffing:

• Telnet
• Rlogin
• HTTP
• SMTP
• NNTP
• POP
• FTP
• IMAP

The above protocols are vulnerable if login details are sent in plain text.

Passive and Active Sniffing

Before we look at passive and active sniffing, let’s look at two major devices used to network
computers; hubs and switches.

A hub works by sending broadcast messages to all output ports on it except the one that has sent the
broadcast. The recipient computer responds to the broadcast message if the IP address matches. This
means when using a hub, all the computers on a network can see the broadcast message. It operates
at the physical layer (layer 1) of the OSI Model.
The diagram below illustrates how the hub works.

A switch works differently; it maps IP/MAC addresses to physical ports on it. Broadcast
messages are sent to the physical ports that match the IP/MAC address configurations for the
recipient computer. This means broadcast messages are only seen by the recipient computer.
Switches operate at the data link layer (layer 2) and network layer (layer 3).

The diagram below illustrates how the switch works.

Passive sniffing is intercepting packets transmitted over a network that uses a hub. It is called
passive sniffing because the sniffer only listens, which makes it difficult to detect. It is also easy to perform,
as the hub sends broadcast messages to all the computers on the network.

Active sniffing is intercepting packets transmitted over a network that uses a switch. There
are two main methods used to sniff switch-linked networks: ARP poisoning and MAC flooding.

Sniffing the network using Wireshark

The illustration below shows the steps that you will carry out to complete this exercise
without confusion.

Download Wireshark from this link http://www.wireshark.org/download.html

• Open Wireshark
• You will get the following screen

• Select the network interface you want to sniff. Note that for this demonstration, we are using a
wireless network connection. If you are on a local area network, then you should select
the local area network interface.
• Click on the Start button as shown above

• Open your web browser and type in http://www.techpanda.org/

• The login email is [email protected] and the password is Password2010
• Click on the Submit button
• A successful logon should give you the following dashboard

• Go back to Wireshark and stop the live capture

• Filter for HTTP protocol results only using the filter textbox
• Locate the Info column, look for entries with the HTTP verb POST and click on one

• Just below the log entries, there is a panel with a summary of captured data. Look for
the summary that says Line-based text data: application/x-www-form-urlencoded

• You should be able to view the plaintext values of all the POST variables submitted to the
server via the HTTP protocol.

Q1: How does ARP poisoning work?

ARP poisoning exploits the weakness in the ARP protocol, which lacks authentication. The attacker sends false ARP messages
to the target devices, falsely associating their own MAC address with the IP addresses of other devices on the network. As a
result, network traffic destined for those devices is diverted to the attacker’s machine.

Q2: What are the motivations behind ARP poisoning attacks?

The motives behind ARP poisoning attacks can vary. Some common motivations include eavesdropping on network traffic to
collect sensitive information, performing man-in-the-middle attacks for interception or modification of data, or causing network
disruptions and denial of service.

Q3: How can ARP poisoning attacks be detected?

Detection of ARP poisoning attacks can be challenging since the ARP protocol itself does not provide a built-in mechanism for
detecting spoofed or manipulated ARP messages. However, there are some techniques to detect ARP poisoning, such as
monitoring ARP caches, using network intrusion detection systems (IDS), or employing tools specifically designed for ARP
poisoning detection.
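As an added, defender-side example (not from the lab manual or any of the tools it names) of the ARP-cache monitoring this answer and the countermeasures section describe, the following Python script decodes raw ARP packets and flags the three signs an ARP poisoning detector looks for: a reply nobody asked for (what the Linux countermeasure above ignores), an IP whose MAC suddenly changes, and one MAC answering for the gateway as well as for another host. The gateway, victim and attacker addresses and the six-packet scenario are constructed test data.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp(pkt: bytes) -> dict:
    """Decode the 28-byte Ethernet/IPv4 ARP packet that follows the Ethernet header."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa))}


def arp_packet(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a raw ARP packet (used here only to construct the test scenario)."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(map(int, s.split(".")))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


class ArpMonitor:
    """Learns IP -> MAC bindings from observed ARP traffic and reports conflicts.

    Alerts are (kind, ip, mac) tuples; the first binding seen for an IP is kept,
    which is what a static ARP entry would pin.  A real deployment would key
    pending requests by requester and age them out; this demo keeps a plain set."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.bindings = {}      # ip  -> MAC first seen for it
        self.claims = {}        # mac -> set of IPs that MAC has claimed to own
        self.pending = set()    # IPs for which a request is outstanding
        self.alerts = []

    def observe(self, pkt: bytes) -> list:
        """Feed one raw ARP packet; returns the alerts it produced (possibly none)."""
        a = parse_arp(pkt)
        ip, mac, op = a["sender_ip"], a["sender_mac"], a["op"]
        found = []
        if op == ARP_REQUEST:
            self.pending.add(a["target_ip"])
        elif op == ARP_REPLY:
            if ip in self.pending:
                self.pending.discard(ip)
            else:
                # Poisoning is usually done with replies nobody requested; note that
                # gratuitous ARP on boot also looks like this, so review rather than block.
                found.append(("unsolicited_reply", ip, mac))
        else:
            return found
        if self.bindings.setdefault(ip, mac) != mac:
            found.append(("binding_conflict", ip, mac))
        claimed = self.claims.setdefault(mac, set())
        claimed.add(ip)
        # One MAC owning the gateway IP *and* another host's IP is the man-in-the-middle shape.
        if self.gateway_ip in claimed and len(claimed) > 1:
            found.append(("gateway_impersonation", ip, mac))
        self.alerts.extend(found)
        return found


# --- constructed scenario: addresses and MACs are made up -------------------
GW, VICTIM, ATTACKER = "192.168.1.1", "192.168.1.10", "192.168.1.66"
GW_MAC, VICTIM_MAC, ATTACKER_MAC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
ZERO = "00:00:00:00:00:00"
SCENARIO = [
    arp_packet(ARP_REQUEST, VICTIM_MAC, VICTIM, ZERO, GW),            # victim: who has the gateway?
    arp_packet(ARP_REPLY, GW_MAC, GW, VICTIM_MAC, VICTIM),             # gateway answers (solicited)
    arp_packet(ARP_REQUEST, ATTACKER_MAC, ATTACKER, ZERO, VICTIM),     # ordinary request from the attacker's host
    arp_packet(ARP_REPLY, VICTIM_MAC, VICTIM, ATTACKER_MAC, ATTACKER), # victim answers (solicited)
    arp_packet(ARP_REPLY, ATTACKER_MAC, GW, VICTIM_MAC, VICTIM),       # forged: "gateway is at attacker MAC"
    arp_packet(ARP_REPLY, ATTACKER_MAC, VICTIM, GW_MAC, GW),           # forged: "victim is at attacker MAC"
]


def run_demo() -> ArpMonitor:
    monitor = ArpMonitor(GW)
    for pkt in SCENARIO:
        monitor.observe(pkt)
    return monitor


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print("ALERT", *alert)
```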

Q4: What are the preventive measures against ARP poisoning attacks?

Several strategies can help prevent ARP poisoning attacks, including:

• Implementing network segmentation to isolate critical devices.


• Configuring static ARP entries to bind IP addresses with MAC addresses.
• Employing cryptographic protocols (e.g., IPsec) for secure communication.
• Monitoring network traffic and analyzing ARP activity for anomalies.
• Implementing network access control mechanisms, such as 802.1X authentication.
Q5: Can ARP poisoning attacks be executed over wireless networks?

Yes, ARP poisoning attacks can be performed on wireless networks. In a Wi-Fi network, the attacker must be within range and
connected to the same network as the target devices to execute ARP poisoning.
Experiment No.- 9

Demonstrate intrusion detection system using any tool (snort or any other s/w).
AIM:

Snort is an open source network intrusion detection system (NIDS) and a packet sniffer that
monitors network traffic in real time.

INTRODUCTION:

INTRUSION DETECTION SYSTEM: Intrusion detection is a set of techniques and methods that are used
to detect suspicious activity both at the network and host level. Intrusion detection systems fall into two
basic categories:

Signature-based intrusion detection systems

Anomaly detection systems.

Intruders have signatures, like computer viruses, that can be detected using software. You try to find data
packets that contain any known intrusion-related signatures or anomalies related to Internet protocols. Based
upon a set of signatures and rules, the detection system is able to find and log suspicious activity and generate
alerts.

Anomaly-based intrusion detection usually depends on packet anomalies present in protocol header parts. In
some cases these methods produce better results compared to signature-based IDS. Usually an intrusion
detection system captures data from the network and applies its rules to that data or detects anomalies in it.
Snort is primarily a rule-based IDS, however input plug-ins are present to detect anomalies in protocol
headers.

SNORT TOOL:

Snort is based on libpcap (the library for packet capture), a tool that is widely used in TCP/IP traffic sniffers and
analyzers. Through protocol analysis and content searching and matching, Snort detects attack methods,
including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes. When
suspicious behavior is detected, Snort sends a real-time alert to syslog, a separate 'alerts' file, or to a pop-up
window.

Snort is currently the most popular free network intrusion detection software. The advantages of Snort are
numerous. According to the snort web site, “It can perform protocol analysis, content searching/matching, and
can be used to detect a variety of attacks and probes, such as buffer overflow, stealth port scans, CGI attacks,
SMB probes, OS fingerprinting attempts, and much more” (Caswell).
One of the advantages of Snort is its ease of configuration. Rules are very flexible, easily written, and
easily inserted into the rule base. If a new exploit or attack is found a rule for the attack can be added to the
rule base in a matter of seconds. Another advantage of snort is that it allows for raw packet data analysis.
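To show what "rules are easily written" and the content matching above amount to in practice, here is an added Python matcher for a subset of Snort's rule language (the header fields plus msg, content with |hex| escapes, nocase, sid and rev); it is not Snort's own code, and the two rules (local sids 1000001 and 1000002) and four packets are constructed for the demo.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Packet:                      # what the sniffer hands to the detection engine
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    rev: int = 1
    contents: list = field(default_factory=list)   # [[bytes, nocase], ...]


_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
_OPTION = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
_HEXBLOCK = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def _content_bytes(text: str) -> bytes:
    """Snort content strings are literal text with |xx xx| hex escapes."""
    out, pos = b"", 0
    for m in _HEXBLOCK.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + text[pos:].encode("latin-1")


def parse_rule(line: str) -> Rule:
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, sport, dst, dport, body = m.groups()
    rule = Rule(action, proto.lower(), src, sport, dst, dport)
    for name, value in _OPTION.findall(body):
        value = value.strip().strip('"')
        if name == "msg":
            rule.msg = value
        elif name == "sid":
            rule.sid = int(value)
        elif name == "rev":
            rule.rev = int(value)
        elif name == "content":
            rule.contents.append([_content_bytes(value), False])
        elif name == "nocase" and rule.contents:
            rule.contents[-1][1] = True           # nocase modifies the preceding content
    return rule


def _ip_ok(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")        # "!10.0.0.0/8" negates the match


def _port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                                # "1024:65535", "1024:" or ":1023"
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_ip_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _ip_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    for needle, nocase in rule.contents:          # every content must be found in the payload
        hay = pkt.payload.lower() if nocase else pkt.payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def run_rules(rules, packets) -> list:
    """Apply every rule to every packet and return Snort-style alert lines."""
    return [f"[**] [1:{r.sid}:{r.rev}] {r.msg} [**] {p.src}:{p.sport} -> {p.dst}:{p.dport}"
            for p in packets for r in rules if r.action == "alert" and matches(r, p)]


RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB-ATTACKS /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> 192.168.1.0/24 445 (msg:"NETBIOS SMB probe"; content:"|FF|SMB"; sid:1000002; rev:1;)',
)]

PACKETS = [   # constructed traffic; addresses are made up
    Packet("tcp", "10.0.0.9", 40001, "10.0.0.5", 80, b"GET /../../ETC/PASSWD HTTP/1.0\r\n\r\n"),
    Packet("tcp", "10.0.0.9", 40002, "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("tcp", "10.0.0.9", 40003, "192.168.1.20", 445, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),
    Packet("tcp", "10.0.0.9", 40004, "10.0.0.5", 445, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for line in run_rules(RULES, PACKETS):
        print(line)
```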

SNORT can be configured to run in three modes:

Sniffer mode
Packet Logger mode
Network Intrusion Detection System mode

Sniffer mode
snort -v : Print out the TCP/IP packet headers on the screen.
snort -vd : Show the TCP/IP/ICMP headers together with the application data in transit.

Packet Logger mode
snort -dev -l c:\log : [create this directory in the C drive] Snort will automatically know to go into packet
logger mode; it collects every packet it sees and places it in the log directory.

snort -dev -l c:\log -h ipaddress/24 : This tells Snort that you want to print out the data link and TCP/IP
headers as well as application data into the log directory.
snort -l c:\log -b : This is binary mode; it logs everything into a single file.

Network Intrusion Detection System mode

snort -d -l c:\log -h ipaddress/24 -c snort.conf : Here snort.conf is the configuration file; its rules are applied
to each packet to decide on an action based on the rule type in the file.

snort -d -h ipaddress/24 -l c:\log -c snort.conf : This will configure Snort to run in its most basic NIDS
form, logging packets that trigger the rules specified in snort.conf.

PROCEDURE:

STEP-1: Sniffer mode: snort -v : Print out the TCP/IP packet headers on the screen.
STEP-2: snort -vd : Show the TCP/IP/ICMP headers with application data in transit.
STEP-3: Packet Logger mode: snort -dev -l c:\log [create this directory in the C drive]; Snort will
automatically know to go into packet logger mode, collecting every packet it sees and placing it in the log
directory.
STEP-4: snort -dev -l c:\log -h ipaddress/24 : This tells Snort that you want to print out the data link
and TCP/IP headers as well as application data into the log directory.
STEP-5: snort -l c:\log -b : This binary mode logs everything into a single file.
STEP-6: Network Intrusion Detection System mode: snort -d -l c:\log -h ipaddress/24 -c snort.conf : snort.conf is the
configuration file whose rules are applied to each packet to decide on an action based on the rule type in the file.
STEP-7: snort -d -h ipaddress/24 -l c:\log -c snort.conf : This will configure Snort to run in its most
basic NIDS form, logging packets that trigger the rules specified in snort.conf.
STEP-8: Download SNORT from snort.org. Install Snort with or without database support.
STEP-9: Select all the components and click Next. Install and Close.
STEP-10: Skip the WinPcap driver installation.
STEP-11: Add the path variable in the Windows environment variables by selecting New.
STEP-12: Create a path variable and point it at snort.exe: variable name = path, variable value = c:\snort\bin.
STEP-13: Click the OK button and then close all dialog boxes. Open a command prompt and type the
following commands:

INSTALLATION PROCESS :
RESULT: Thus the demonstration of intrusion detection using the Snort tool was done
successfully.
Q1: What Is an Intrusion Detection System?

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for
malicious activity or policy violations. The most common classifications are network intrusion detection systems
(NIDS) and host-based intrusion detection systems (HIDS).

Q2. What Is IPS and IDS?

If an IPS is a control tool, then an IDS is a visibility tool. Intrusion detection systems sit off to the side of the
network, monitoring traffic at many different points, and provide visibility into the security posture of the network.

Q3. What Are the Functions of Intrusion Detection?

Intrusion detection functions include:

• Monitoring and analyzing both user and system activities.
• Analyzing system configurations and vulnerabilities.
• Assessing system and file integrity.
• Ability to recognize patterns typical of attacks.
• Analysis of abnormal activity patterns.
• Tracking user policy violations.
Q4. What Do IDS Detect?

Anomaly detection: activity that deviates from normal behavior.

Misuse detection: execution of code that results in break-ins.
Specification-based detection: activity involving privileged software that is inconsistent with respect to a
policy/specification.

Q5. Why Intrusion Detection Systems Are Important?

Modern networked business environments require a high level of security to ensure safe and trusted communication of
information between various organizations. An intrusion detection system acts as an adaptable safeguard technology for system
security after traditional technologies fail. Cyber-attacks will only become more sophisticated, so it is important that protection
technologies adapt along with their threats.
Experiment No.- 10

Demonstrate how to provide secure data storage, secure data transmission and
for creating digital signatures.
AIM:
Demonstrate how to provide secure data storage, secure data transmission and for creating digital
signatures (GnuPG).

INTRODUCTION:
Here’s the final guide in my PGP basics series, this time focusing on Windows. The OS in question will be
Windows 7, but it should work for Win8 and Win8.1 as well. Obviously it’s not recommended to be using
Windows to access the DNM, but I won’t go into the reasons here. The tool we’ll be using is GPG4Win.

INSTALLING THE SOFTWARE:


Visit www.gpg4win.org. Click on the “Gpg4win 2.3.0” button. On the
following screen, click the “Download Gpg4win” button. When the
“Welcome” screen is displayed, click the “Next” button.
When the “License Agreement” page is displayed, click the “Next” button.

Set the check box values as specified below, then click the “Next” button

Set the location where you want the software to be installed. The default location is fine. Then, click
the “Next” button.
Specify where you want shortcuts to the software placed, then click the “Next” button.

If you selected to have a GPG shortcut in your Start Menu, specify the folder in which it will be placed.
The default “Gpg4win” is OK. Click the “Install” button to continue.
A warning will be displayed if you have Outlook or Explorer open. If this occurs, click the “OK” button.

The installation process will tell you when it is complete. Click the “Next” button.

Once the Gpg4win setup wizard is complete, the following screen will be displayed. Click the
“Finish” button.
If you do not uncheck the “Show the README file” check box, the README file will be
displayed. The window can be closed after you’ve reviewed it.
CREATING YOUR PUBLIC AND PRIVATE KEYS
GPG encryption and decryption is based upon the keys of the person who will be receiving the encrypted file
or message. Any individual who wants to send the person an encrypted file or message must possess the
recipient’s public key certificate to encrypt the message. The recipient must have the associated private key,
which is different from the public key, to be able to decrypt the file. The public and private key pair for an
individual is usually generated by the individual on his or her computer using the installed GPG program,
called “Kleopatra”, and the following procedure:

From your start bar, select the “Kleopatra” icon to start the Kleopatra certificate management
software.

The following screen will be displayed. From the “File” dropdown, click on the “New Certificate”
option.
The following screen will be displayed. Click on “Create a personal OpenPGP key pair” and the
“Next” button.
The Certificate Creation Wizard will start and display the following:

Enter your name and e-mail address. You may also enter an optional comment. Then, click the
“Next” button.
Review your entered values. If OK, click the “Create Key” button.

You will be asked to enter a passphrase.


The passphrase should follow strong password standards. After you’ve entered your passphrase, click the
“OK” button.

You will be asked to re-enter the passphrase. Re-enter the passphrase value. Then click the “OK” button. If the
passphrases match, the certificate will be created.
Once the certificate is created, the following screen will be displayed. You can save a backup of your public and
private keys by clicking the “Make a backup Of Your Key Pair” button. This backup can be used to copy
certificates onto other authorized computers.
If you choose to backup your key pair, you will be presented with the following screen:
Specify the folder and name the file. Then click the “OK” button.
After the key is exported, the following will be displayed. Click the “OK” button.
You will be returned to the “Key Pair Successfully Created” screen. Click the “Finish” button.

Before the program closes, you will need to confirm that you want to close the program by clicking on the
“Quit Kleopatra” button.
DECRYPTING AN ENCRYPTED E-MAIL THAT HAS BEEN SENT TO YOU:

Open the e-mail message.


Select the GpgOL tab.
Click the “Decrypt” button.
A command window will open along with a window that asks for the passphrase to your private key that will
be used to decrypt the incoming message.
Enter your passphrase and click the “OK” button.
The results window will tell you if the decryption succeeded. Click the “Finish” button to close the window.
Your unencrypted e-mail message body will be displayed.

When you close the e-mail you will be asked if you want to save the e-mail message in its unencrypted form. For
maximum security, click the “No” button. This will keep the message encrypted within the e-mail system and will
require you to enter your passphrase each time you reopen the e-mail message.
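The key creation, backup, encryption and decryption procedure above, run as a GnuPG command-line session instead of through Kleopatra and GpgOL; this is an added example, not part of the lab manual. It assumes gpg (GnuPG 2.1 or later) is installed; the user ID, passphrase and message text are constructed stand-ins, and the whole session lives in a throwaway keyring.

```shell
#!/bin/sh
# Added example, not the lab manual's own code: the Kleopatra/GpgOL steps above,
# driven from the gpg command line in a throwaway keyring. Assumes GnuPG 2.1+ is
# installed; user ID, passphrase and message text are constructed stand-ins.
gpg_roundtrip() {
    home="$(mktemp -d)"
    export GNUPGHOME="$home"              # isolated keyring, ~/.gnupg is untouched
    pass="constructed-lab-passphrase"     # the passphrase Kleopatra asks for twice
    msg="$home/lab.txt"
    printf 'Experiment 10: secure storage and transmission\n' > "$msg"

    # 1. Key pair generation (the "New Certificate" wizard)
    gpg --batch --pinentry-mode loopback --passphrase "$pass" --quick-gen-key \
        "Lab User <lab@example.invalid>" default default never 2>/dev/null || return 1
    fpr="$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr/{print $10; exit}')"

    # 2. Backup of the key pair (the "Make a backup" button): ASCII-armored exports
    gpg --batch --armor --export "$fpr" > "$home/pub.asc" 2>/dev/null || return 1
    gpg --batch --pinentry-mode loopback --passphrase "$pass" --armor \
        --export-secret-keys "$fpr" > "$home/sec.asc" 2>/dev/null || return 1
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$home/pub.asc" || return 1

    # 3. Secure transmission: encrypt to the recipient's public key and sign with the
    #    sender's private key (the same key pair here, as a self-test)
    gpg --batch --pinentry-mode loopback --passphrase "$pass" --trust-model always \
        --recipient "$fpr" --sign --encrypt --output "$msg.gpg" "$msg" 2>/dev/null || return 1

    # 4. Decrypt and verify (the GpgOL "Decrypt" button); the machine-readable
    #    status lines are checked rather than the human-language messages
    gpg --batch --pinentry-mode loopback --passphrase "$pass" --status-file "$home/status" \
        --output "$msg.dec" --decrypt "$msg.gpg" 2>/dev/null || return 1
    [ "$(cat "$msg")" = "$(cat "$msg.dec")" ] || return 1
    grep -q '^\[GNUPG:\] GOODSIG' "$home/status" || return 1

    # 5. Integrity: overwrite two ciphertext bytes; decryption must now be rejected
    { head -c 20 "$msg.gpg"; printf '\377\377'; tail -c +23 "$msg.gpg"; } > "$msg.bad"
    if gpg --batch --pinentry-mode loopback --passphrase "$pass" \
           --output "$msg.bad.dec" --decrypt "$msg.bad" 2>/dev/null; then
        return 1                          # a tampered message was accepted
    fi

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"
    return 0
}
```

Step 4 mirrors the manual's "results window": GOODSIG in the status output is the machine equivalent of the "decryption succeeded" message, and step 5 shows that a modified ciphertext is rejected rather than silently decrypted.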
RESULT:
Thus secure data storage, secure data transmission and the creation of digital
signatures (GnuPG) were demonstrated successfully.

Q1: How can you ensure secure data storage in a database?

To ensure secure data storage in a database, several measures can be implemented. First, encryption of
sensitive data at rest is crucial. This involves using strong encryption algorithms to protect data stored on
disk. Additionally, access controls and authentication mechanisms should be in place to restrict
unauthorized access. Regular database audits, monitoring, and logging are also essential to detect and
respond to any suspicious activities promptly.

Q2: What protocols can be used for secure data transmission over the internet?

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are commonly used
protocols for securing data transmission over the internet. These protocols provide encryption and
authentication to ensure that data is transmitted securely between a client and a server. HTTPS (HTTP
Secure) is an example of a protocol that uses TLS to secure the communication between a web browser
and a web server.

Q3: How does end-to-end encryption contribute to secure data transmission?

End-to-end encryption ensures that data is encrypted on the sender's device and decrypted only on the
recipient's device. This means that even if the data is intercepted during transmission, it remains
encrypted and unreadable without the appropriate decryption keys. This method provides a high level of
security, as even service providers facilitating the communication cannot access the content in a readable
form.

Q4: What is the purpose of digital signatures in ensuring data integrity and authenticity?

Digital signatures play a crucial role in ensuring data integrity and authenticity. When a sender signs a
message or document with a digital signature, it provides a unique identifier that verifies the sender's
identity and ensures that the content has not been tampered with during transmission. Digital signatures
use asymmetric cryptography, where a private key is used to sign the data, and a corresponding public
key is used for verification.

Q5: How can a digital signature be revoked if a private key is compromised?

In the event of a compromised private key, it is necessary to revoke the digital signature associated with
that key. This is typically done through a process called key revocation. The entity that issued the digital
signature (such as a Certificate Authority) maintains a Certificate Revocation List (CRL) or uses Online
Certificate Status Protocol (OCSP) to inform users and systems that the associated private key should no
longer be trusted. This ensures that even if the private key is compromised, the digital signature cannot be
used for malicious purposes.
