Name :-

Subject :- Cyber Security Lab

Class :- B.tech
Year :- 4th
Branch :- Computer Science

Submitted To: Submitted By:

Manish Munjal
 INDEX

S. No. Experiments

1. Implement the following Substitution & Transposition Techniques

concepts: a) Caesar Cipherb) Rail fence row & Column
Transformation.
2. Implement the Diffie-Hellman Key Exchange mechanism using
HTML and JavaScript. Consider the end user as one of the parties
(Alice) and the JavaScript application as other party (bob).
3. Implement the following Attack: a) Dictionary Attack
b) Brute Force Attack
4. Installation of Wire shark, tcpdump, etc and observe data
transferred in client server communication using UDP/TCP and
identify the UDP/TCP datagram.
5. Installation of rootkits and study about the variety of
options.

6. Perform an Experiment to Sniff Traffic using ARP Poisoning.

7. Demonstrate intrusion detection system using any

tool (snort or any other s/w).
 Experiment-1

Implement the following Substitution & Transposition Techniques concepts:

a) Caesar Cipherb) Rail fence row & Column Transformation.

AIM: To implement a program for encrypting a plain text and decrypting a

cipher text using Caesar Cipher (shift cipher) substitution technique.

ALGORITHUM DESCRIPTION:

It is a type of substitution cipher in which each letter in the plaintext is replaced

by a letter some fixed number of positions down the alphabet. For example, with
a left shift of 3, D would be replaced by A, E would become B, and so on.

The method is named after Julius Caesar, who used it in his private
correspondence. The transformation can be represented by aligning two
alphabets; the cipher alphabet is the plain alphabet rotated left or right by some
number of positions.

The encryption can also be represented using modular arithmetic by first

transforming the letters into numbers, according to the scheme, A = 0, B = 1, Z
= 25.

Encryption of a letter x by a shift n can be described mathematically as, En(x) =

(x + n) mod26

Decryption is performed similarly, Dn (x)=(x - n) mod26

RESULTS:

Thus the program was executed and verified successfully.

 Experiment-2

Implement the Diffie-Hellman Key Exchange mechanism using HTML and

JavaScript. Consider the end user as one of the parties (Alice) and the
JavaScript application as other party (bob).

DESCRIPTION:
Diffie–Hellman Key Exchange establishes a shared secret between two parties
that can be used for secret communication for exchanging data over a public
network. It is primarily used as a method of exchanging cryptography keys for
use in symmetric encryption algorithms like AES. The algorithm in itself is very
simple. The process begins by having the two parties, Alice and Bob. Let's
assume that Alice wants to establish a shared secret with Bob.

EXAMPLE:

ALGORITHM:

STEP-1: Both Alice and Bob shares the same public keys g and p.
STEP-2: Alice selects a random public key a.
STEP-3: Alice computes his secret key A as ga mod p.
STEP-4: Then Alice sends A to Bob.
STEP-5: Similarly Bob also selects a public key b and computes his secret key as
B and sends the same back to Alice.
STEP-6: Now both of them compute their common secret key as the other
one’s secret key power of a
mod p.
PROGRAM:
(Diffie Hellman Key Exchange)
#include<stdio.h> #include<conio.h>
long long int power(int a, int b, int mod)
{
long long int t; if(b==1)
return a; t=power(a,b/2,mod); if(b%2==0) return (t*t)%mod; else
return (((t*t)%mod)*a)%mod;
}
long int calculateKey(int a, int x, int n)
{
return power(a,x,n);
}
void main()
{
int n,g,x,a,y,b; clrscr();
printf("Enter the value of n and g : ");
scanf("%d%d",&n,&g); printf("Enter the value of x for the first person : ");
scanf("%d",&x); a=power(g,x,n);
printf("Enter the value of y for the second person : ");
scanf("%d",&y); b=power(g,y,n);
printf("key for the first person is :
%lld\n",power(b,x,n));
printf("key for the second person is :
%lld\n",power(a,y,n)); getch();
}

OUTPUT:

Enter the value of n and g : ?

9
Enter the value of x for the first person : 6
Enter the value of y for the second person : 15
key for the first person is : 1
key for the second person is : 1
 Experiment-3

Implement the following Attack: a) Dictionary Attack b) Brute Force Attack

The bruteforce attack is simple enough to understand. It is performed by

entering in every possible password that can be accepted by a system until the
correct password is entered. However, actually writing one is a bit more
complex. There's a complex underlying logic involved simply entering in every
password. This post will cover the logic of programming a sequential bruteforcer
and cap off with writing a sequential ascending bruteforcer in C/C++. Lastly, I
will show a quick trick to turn the sequential ascending bruteforcer into a
sequential descending bruteforcer.

A bruteforcer has three main logical components: A selection where the user
inputs specific location of the attack; Generating the passwords to test; Testing
the password. Having the user input the specific location to attack is arguably
the easiest part of writing a bruteforcer. This part can actually be "hard-coded"
(specified by the programmer so no input is required) so I was thinking of not
even mentioning it. But, I decided to bring it up as any bruteforcer meant to be
used by more then one person will include this. Let's say we've written a
bruteforcer that attacks Yahoo accounts. In this case, the bruteforcer will be
programmed to attack Yahoo accounts, but the user must input the Yahoo
account to specifically attack. This first component of the bruteforcer will handle
thus handles obtaining this information.

Once the bruteforcer knows what it is going to attack, it must generate the
password to try. In a sequential bruteforcer, the password tried each time will
be sequentially one step away from the last password tried. So, in a sequential
ascending bruteforcer, the bruteforcer will try the password 000001 followed
by 000002. This works in reverse in a sequential descending bruteforcer. The
programming of this is generally handled by writing a continuous loop which
breaks only when the password generated is successful. Meanwhile, a handful
of variables constantly increment with each run through the loop. When all of
the possible passwords are tried, the variables are all reset as low as possible,
the number of characters in the password is incremented or decremented, and
the process begins again with checking all of the passwords one character longer
or shorter then the last number of characters in a password. In practice,
this is simpler then it sounds. The last main component of a bruteforcer is
the part in which a bruteforcer checks to see if it's generated the correct
password. In some cases, this can surprisingly be the hardest part of the
bruteforcer to write. Using our Yahoo example again, writing this part of the
bruteforcer requires a knowledge of the Yahoo API. It's really hard for me to
write how to perform the password check as each check will be written
differently. While all checks are simple from a broad perspective, this is liable to
get quite complex depending on what you're trying to bruteforce. My
recommendation is to look for a library to do the check for you so you can do
the least amount of work possible to perform what is really be a trivial step
overall.

Here is the code I wrote to an ascending bruteforcer in C/C++. It's really rather
small code and thus pretty self- explanatory. (The comments should help
explain things too):
 Experiment-4

Installation of Wire shark, tcpdump, etc and observe data transferred in

client server communication using UDP/TCP and identify the UDP/TCP
datagram.

Introduction

The first part of the lab introduces packet sniffer, Wireshark. Wireshark is a free
open- source network protocol analyzer. It is used for network troubleshooting
and communication protocol analysis. Wireshark captures network packets in
real time and display them in human-readable format. It provides many
advanced features including live capture and offline analysis, three-pane packet
browser, coloring rules for analysis. This document uses Wireshark for the
experiments, and it covers Wireshark installation, packet capturing, and
protocol analysis.

TCP/IP Network Stack

Figure 1: Encapsulation of Data in the TCP/IP Network Stack

In the CSC 4190 Introduction to Computer Networking (one of the perquisite

courses), TCP/IP network stack is introduced and studied. This background
section briefly explains the concept of TCP/IP network stack to help you better
understand the experiments. TCP/IP is the most commonly used network model
for Internet services. Because its most important protocols, the Transmission
Control Protocol (TCP) and the Internet Protocol (IP) were the first networking
protocols defined in this standard, it is named as TCP/IP. However, it contains
multiple layers including application layer, transport layer, network layer, and
data link layer.
Application Layer: The application layer includes the protocols used by most
applications for providing user services. Examples of application layer protocols
are Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), File Transfer Protocol
(FTP), and Simple Mail Transfer Protocol (SMTP).
Transport Layer: The transport layer establishes process-to-process
connectivity, and it provides end-to-end services that are independent of
underlying user data. To implement the process-to-process communication, the
protocol introduces a concept of port. The examples of transport layer protocols
are Transport Control Protocol (TCP) and User Datagram Protocol (UDP).
Internet Layer: The Internet layer is responsible for sending packets to across
networks. It has two functions: 1) Host identification by using IP addressing
system (IPv4 and IPv6); and 2) packets routing from source to destination. The
examples of Internet layer protocols are Internet Protocol (IP), Internet Control
Message Protocol (ICMP), and Address Resolution Protocol (ARP).
Link Layer: The link layer defines the networking methods within the scope of
the local network link. It is used to move the packets between two hosts on the
same link. A common example of link layer protocols is Ethernet.

Packet Sniffer
Packet sniffer is a basic tool for observing network packet exchanges in a
computer. As the name suggests, a packet sniffer captures (“sniffs”) packets
being sent/received from/by your computer; it will also typically store and/or
display the contents of the various protocol fields in these captured packets. A
packet sniffer itself is passive.

Figure 2: Packet Sniffer Structure

Test Run

Do the following steps:

1. Start up the Wireshark program (select an interface and press start to capture
packets).
2. Start up your favorite browser (ceweasel in Kali Linux).
3. In your browser, go to Wayne State homepage by typing www.wayne.edu.
4. After your browser has displayed the http://www.wayne.edu page, stop
Wireshark packet capture by selecting stop in the Wireshark capture window.
5. Color Coding: You’ll probably see packets highlighted in green, blue, and
black. Wireshark uses colors to help you identify the types of traffic at a glance.
6. You now have live packet data that contains all protocol messages exchanged
between your computer and other network entities.
7. To further filter packets in Wireshark, we need to use a more precise filter. By
setting the http.host==www.wayne.edu, we are restricting the view to packets
that have as an http host the www.wayne.edu website.
8. Now, we can try another protocol. Let’s use Domain Name System (DNS)
protocol as an example here.
9. Let’s try now to find out what are those packets contain by following one of
the conversations (also called network flows).
10. If we close this window and change the filter back to
“http.host==www.wayne.edu” and then follow a packet from the list of packets
that match that filter.
 Experiment-5
Installation of rootkits and study about the variety of options.
AIM:
Rootkit is a stealth type of malicious software designed to hide the existence of
certain process from normal methods of detection and enables continued
privileged access to a computer.

INTRODUCTION:
Breaking the term rootkit into the two component words, root and kit, is a useful
way to define it. Root is a UNIX/Linux term that's the equivalent of Administrator
in Windows. The word kit denotes programs that allow someone to obtain
root/admin-level access to the computer by executing the programs in the kit-
all of which is done without end-user consent or knowledge.
A rootkit is a type of malicious software that is activated each time your system
boots up. Rootkits are difficult to detect because they are activated before your
system's Operating System has completely booted up. A rootkit often allows the
installation of hidden files, processes, hidden user accounts, and more in the
systems OS. Rootkits are able to intercept data from terminals network
connections, and the keyboard.

Rootkits have two primary functions: remote command/control (back door) and
software eavesdropping. Rootkits allow someone, legitimate or otherwise, to
administratively control a computer. This means executing files, accessing logs,
monitoring user activity, and even changing the computer's configuration.

The presence of a rootkit on a network was first documented in the early 1990s.
At that time, Sun and Linux operating systems were the primary targets for a
hacker looking to install a rootkit.
PROCEDURE:

STEP-1: Download Rootkit Tool from GMER website www.gmer.net.

STEP-2: This displays the Processes, Modules, Services, Files, Registry, RootKit /
Malwares, Autostart, CMD of local host.
STEP-3: Select Processes menu and kill any unwanted process if any.
STEP-4: Modules menu displays the various system files like .sys, .dll
STEP-5: Services menu displays the complete services running with Autostart,
Enable, Disable, System, Boot.
STEP-6: Files menu displays full files on Hard-Disk volumes.
STEP-7: Registry displays Hkey_Current_user and Hkey_Local_Machine.
STEP-8: Rootkits / Malwares scans the local drives selected.
STEP-9: Autostart displays the registry base Autostart applications.
STEP-10: CMD allows the user to interact with command line utilities or Registry
 Experiment-6
Perform an Experiment to Sniff Traffic using ARP Poisoning.
AIM:

ARP is the acronym for Address Resolution Protocol. It is used to convert IP

address to physical addresses [MAC address] on a switch. The host sends an ARP
broadcast on the network, and the recipient computer responds with its physical
address [MAC Address]. The resolved IP/MAC address is then used to
communicate. ARP poisoning is sending fake MAC addresses to the switch so
that it can associate the fake MAC addresses with the IP address of a genuine
computer on a network and hijack the traffic.

ARP Poisoning Countermeasures:

Static ARP entries: these can be defined in the local ARP cache and the switch
configured to ignore all auto ARP reply packets. The disadvantage of this method
is, it’s difficult to maintain on large networks. IP/MAC address mapping has to
be distributed to all the computers on the network.

ARP poisoning detection software: these systems can be used to cross check
the IP/MAC address resolution and certify them if they are authenticated.
Uncertified IP/MAC address resolutions can then be blocked.

Operating System Security: this measure is dependent on the operating system

been used. The following are the basic techniques used by various operating
systems.

• Linux based: these work by ignoring unsolicited ARP reply packets.

• Microsoft Windows: the ARP cache behavior can be configured via the
registry.
• AntiARP: provides protection against both passive and active sniffing.
• Agnitum: Outpost Firewall–provides protection against passive sniffing.
• XArp: provides protection against both passive and active sniffing.
• Mac OS: ArpGuard can be used to provide protection. It protects against
both active and passive sniffing.
• Computers communicate using networks. These networks could be on a local
area network LAN or exposed to the internet. Network Sniffers are programs
that capture low-level package data that is transmitted over a network. An
attacker can analyze this information to discover valuable information such as
user ids and passwords.
• In this article, we will introduce you to common network sniffing techniques
and tools used to sniff networks.

What is network sniffing?

Computers communicate by broadcasting messages on a network using IP

addresses. Once a message has been sent on a network, the recipient computer
with the matching IP address responds with its MAC address.

• Capture sensitive data such as login credentials

• Eavesdrop on chat messages
• Capture files have been transmitted over a network

The following are protocols that are vulnerable to sniffing

• Telnet
• Rlogin
• HTTP
• SMTP
• NNTP
• POP
• FTP
• IMAP

The above protocols are vulnerable if login details are sent in plain text
Passive and Active Sniffing

Before we look at passive and active sniffing, let’s look at two major devices used
to network computers; hubs and switches.

A hub works by sending broadcast messages to all output ports on it except

the one that has sent the broadcast. The recipient computer responds to the
broadcast message if the IP address matches. This means when using a hub, all
the computers on a network can see the broadcast message. It operates at the
physical layer (layer 1) of the OSI Model.

The diagram below illustrates how the hub works.

A switch works differently; it maps IP/MAC addresses to physical ports on it.

Broadcast messages are sent to the physical ports that match the IP/MAC
address configurations for the recipient computer. This means broadcast
messages are only seen by the recipient computer. Switches operate at the data
link layer (layer 2) and network layer (layer 3).

The diagram below illustrates how the switch works.

Passive sniffing is intercepting packages transmitted over a network that uses

a hub. It is called passive sniffing because it is difficult to detect. It is also easy
to perform as the hub sends broadcast messages to all the computers on the
network.
Active sniffing is intercepting packages transmitted over a network that uses
a switch. There are two main methods used to sniff switch linked networks,
ARP Poisoning, and MAC flooding.

Sniffing the network using Wireshark

The illustration below shows you the steps that you will carry out to complete
this exercise without confusion

Download Wireshark from this link http://www.wireshark.org/download.html

• Open Wireshark
• You will get the following screen
• Select the network interface you want to sniff. Note for this demonstration,
we are using a wireless network connection. If you are on a local area network,
then you should select the local area network interface.
• Click on start button as shown above.
• Open your web browser and type in http://www.techpanda.org/
• The login email is [email protected] and the password is Password2010
• Click on submit button
• A successful logon should give you the following dashboard
• Go back to Wireshark and stop the live capture
• Filter for HTTP protocol results only using the filter textbox
• Locate the Info column and look for entries with the HTTP verb POST and
click on it
• Just below the log entries, there is a panel with a summary of captured data.
Look for the summary that says Line-based text data: application/x-www-form-
urlencoded
• You should be able to view the plaintext values of all the POST variables
submitted to the server via HTTP protocol.
 Experiment-7
Demonstrate intrusion detection system using any tool (snort or any other
s/w).
AIM:

Snort is an open source network intrusion detection system (NIDS) and it is a

packet sniffer that monitors network traffic in real time.

INTRUSION DETECTION SYSTEM : Intrusion detection is a set of techniques and

methods that are used to detect suspicious activity both at the network and host
level. Intrusion detection systems fall into two basic categories:
Signature-based intrusion detection systems Anomaly detection systems.
Intruders have signatures, like computer viruses, that can be detected using
software. You try to find data packets that contain any known intrusion-related
signatures or anomalies related to Internet protocols.
Anomaly-based intrusion detection usually depends on packet anomalies
present in protocol header parts. In some cases these methods produce better
results compared to signature-based IDS.

SNORT TOOL:

Snort is based on libpcap (for library packet capture), a tool that is widely used
in TCP/IP traffic sniffers and analyzers. Through protocol analysis and content
searching and matching, Snort detects attack methods, including denial of
service, buffer overflow, CGI attacks, stealth port scans, and SMB probes.
Snort is currently the most popular free network intrusion detection software.
The advantages of Snort are numerous. According to the snort web site, “It can
perform protocol analysis, content searching/matching, and can be used to
detect a variety of attacks and probes, such as buffer overflow, stealth port
scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more”
(Caswell).

SNORT can be configured to run in three modes:

Sniffer mode
Packet Logger mode
Network Intrusion Detection System mode Sniffer mode
Snort-v Print out the TCP/IP packets header on the screen
Snort-vd show the TCP/IP ICMP header with application data in transmit Packet
Logger mode
snort-dev-l c:\log [create this directory in the C drive] and snort will
automatically know to go into packet logger mode, it collects every packet it
sees and places it in log directory.
snort-dev-l c: \log –h ipaddress/24: This rule tells snort that you want to print
out the data link and TCP/IP headers as well as application data into the log
directory. snort –l c:\log –b This is binary mode logs everything into a single file.
Network Intrusion Detection System mode

snort-d c:\log –h ipaddress/24 –c snort.conf This is a configuration file applies

rule to each packet to decide it an action based upon the rule type in the file.
Snort-d-h ipaddress/24 –l c: \log –c snort.conf This will cnfigure snort to run in
its most basic NIDS form, logging packets that trigger rules specifies in the
snort.conf.

PROCEDURE:

STEP-1: Sniffer mode€ snort –v € Print out the TCP/IP packets header on the
screen.

STEP-2: Snort –vd € Show the TCP/IP ICMP header with application data in
transit.

STEP-3: Packet Logger mode € snort –dev –l c:\log [create this directory in the C
drive] and snort will automatically know to go into packet logger mode, it
collects every packet it sees and places it in log directory.

STEP-4: snort –dev –l c:\log –h ipaddress/24 € This rule tells snort that you want
to print out the data link and TCP/IP headers as well as application data into the
log directory.

STEP-5: snort –l c:\log –b € this binary mode logs everything into a single file.
STEP-6: Network Intrusion Detection System mode € snort –d c:\log –h
ipaddress/24 –c snort.conf € This is a configuration file that applies rule to each
packet to decide it an action based upon the rule type in the file.

STEP-7: snort –d –h ip address/24 –l c:\log –c snort.conf € This will configure

snort to run in its most basic NIDS form, logging packets that trigger rules
specifies in the snort.conf.

STEP-8: Download SNORT from snort.org. Install snort with or without database
support.

STEP-9: Select all the components and Click Next. Install and Close.

STEP-10: Skip the Win cap driver installation.

STEP-11: Add the path variable in windows environment variable by selecting

new class path.

STEP-12: Create a path variable and point it at snort.exe variable name € path
and variable value € c:\snort\bin.

STEP-13: Click OK button and then close all dialog boxes. Open command
prompt and type the following commands: