LORD JEGANNATH COLLEGE OF

ENGINEERING AND TECHNOLOGY

PSN Nagar, Ramanathichanputhur, Kanyakumari District

RECORD NOTE
NETWORK SECURITY LABORATORY

Reg No:

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

 LORD JEGANNATH COLLEGE OF ENGINEERING
AND TECHNOLOGY
PSN Nagar, Ramanathichanputhur, Kanyakumari District

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Certified that this is the bonafied record of work done by

Mr/Ms …………………………………………… of the 6th
semester in NETWORK SECURITY LABORATORY (CCS354)
during the academic year 2023-2024 in partial fulfillment of the
requirements of the B.E degree course of the ANNA
UNIVERSITY, Chennai.

Staff in charge Head of the Department

Reg. No: ………………………………..

University Examination held on: ………………………………

Internal Examiner External Examiner

 INDEX
EX DATE NAME OF THE PROGRAM PAGE SIGN
No: NO
Ex.no: 1
Implement Symmetric Key Algorithms.
Date :

Aim:

To implement Symmetric key algorithms using java code.

Algorithm:

Step 1: Create a class to create symmetric key.

Step 2: In the secret key function, Create a new instance of secure random class.
Step 3: Pass the String to key generator and initialize with 256 bits.
Step 4: After running the program, encoded symmetric key will be displayed.

Program:
import java.security.SecureRandom;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.bind.DatatypeConverter;
public class symmetric
{
public static final String AES= “AES”;
public static SecretKey createAESKey()
throws Exception
{
SecureRandom securerandom= new SecureRandom();
KeyGenerator keygenerator= KeyGenerator.getInstance(AES);
keygenerator.init(256, securerandom);
SecretKey key = keygenerator.generateKey();
return key;
}
public static void main(String args[])
throws Exception
{
SecretKey Symmetrickey= createAESKey();
System.out.println(“Output”);
System.out.print(“The Symmetric Key is:”+
DatatypeConverter.printHexBinary(Symmetrickey.getEncoded()));
}
}

1
Output:

Result:
Thus, the java program for symmetric key algorithms have been executed successfully.

2
Ex.no: 2(a)
Implement Asymmetric Key Algorithms.
Date :

Aim:
To implement Asymmetric key algorithms using java code.
Algorithm:

Step 1: Create a class to create asymmetric key.

Step 2: Generate private and public keys using RSA algorithm.
Step 3: Pass the String to key generator and initialize with 2408 bits.
Step 4: After running the program, encoded asymmetric key will be displayed.

Program:

package java_cryptography;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.xml.bind.DatatypeConverter;
public class Asymmetric
{
private static final String RSA= “RSA”;
public static KeyPair generateRSAKkeyPair()
throws Exception
{
SecureRandom secureRandom = new SecureRandom();
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA);
keyPairGenerator.initialize(2048, secureRandom);
return keyPairGenerator.generateKeyPair();
}
public static void main(String args[])
throws Exception
{ KeyPair keypair = generateRSAKkeyPair();
System.out.println(“Public Key is: “ + DatatypeConverter.printHexBinary(
keypair.getPublic().getEncoded()));
System.out.println(“Private Key is: “ + DatatypeConverter.printHexBinary(
keypair.getPrivate().getEncoded()));
}
}

3
Output:

Result:
Thus, the java program for asymmetric key algorithms have been executed successfully.
4
Ex.no: 2(b)
Implement Key Exchange Algorithms.
Date :

Aim:
To implement key exchange algorithms using java code.

Algorithm:

Step 1: Create a class to implement key exchange and a power function to return value of a,b,p.
Step 2: Use Alice and Bob method for key generation.
Step 3: Both the persons will be agreed upon public keys G,P.
Step 4: Consider a prime number P and primitive root for P, G.
Step 5: Alice will choose private key ‘a’ and ‘b’ for Bob.
Step 6: The secret keys are generated after the exchange of keys.

Program:

class DiffieHellman
{
private static long power(long a, long b, long p)
{
if (b == 1)
return a;
else
return (((long)Math.pow(a, b)) % p);
}
public static void main(String[] args)
{
long P, G, x, a, y, b, ka, kb;
P = 23;
System.out.println(“The value of P:” + P);
G = 9;
System.out.println(“The value of G:” + G);
a = 4;
System.out.println(“The private key a for Alice:” + a);
x = power(G, a, P);
b = 3;
System.out.println(“The private key b for Bob:” + b);
y = power(G, b, P);

5
 ka = power(y, a, P);
kb = power(x, b, P);
System.out.println(“Secret key for the Alice is:” + ka);
System.out.println(“Secret key for the Bob is:” + kb);
}
}

6
Output:

Result:
Thus, the java program for key exchange algorithms have been executed successfully.

7
Ex.no: 3
Implement Digital Signature Schemes.
Date :

Aim:
To implement Digital Signature Schemes using java code.
Algorithm:

Step 1: Create a class, Accept text from the user.

Step 2: Create an object for keypair generator and initialize it.
Step 3: Generate the pair of keys, get the private key from key pair.
Step 4: Create signature objects and initialize.
Step 5: Add data into the signature and calculate.
Step 6: Print the value.

Program:

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Scanner;
public class CreatingDigitalSignature
{ public static void main(String args[])throws Exception
{
Scanner sc = new Scanner(System.in);
System.out.println("Enter some text");
String msg = sc.nextLine();
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("DSA");
keyPairGen.initialize(2048);
KeyPair pair = keyPairGen.generateKeyPair();
PrivateKey privKey = pair.getPrivate();
Signature sign = Signature.getInstance("SHA256withDSA");
sign.initSign(privKey);
byte[] bytes = "msg".getBytes();
sign.update(bytes);
byte[] signature = sign.sign();
System.out.println("Digital signature for given text: "+new String(signature, "UTF8"));
}
}

8
Output:

Result:
Thus, the java program for Digital Signature Schemes have been executed successfully.
9
Ex.no: 4
Installation of Wireshark, TCPdump and observe the data transferred in
Date : client-server communication using UDP/TCP and Identify the UDP/TCP
datagram.

Aim:
To install wireshark, TCPdump and observe the data transferred in client-server
communication using UDP/TCP and Identify the UDP/TCP datagram.
Wireshark:
Wireshark is an open-source tool for profiling network traffic and analyzing packets.
Such tool is often referred as a network analyzer, network protocol analyzer or sniffer.
It is used to understand how communication takes place across a network and to analyze
what went wrong when an issue in communication arises.
It captures network traffic from ethernet, Bluetooth, wireless (IEEE.802.11), token ring,
and frame relay connections, among others, and stores that data for offline analysis.
Wireshark allows you to filter the log before the capture starts or during analysis, For
example, you can set a filter to see TCP traffic between two IP addresses, or you can set it only to
show you the packets sent from one computer. The filters in Wireshark are one of the primary
reasons it has become the standard tool for packet analysis.
Installation of Wireshark:
Step 1: Your first step is to head to the Wireshark download page
https://www.wireshark.org/download.html and locate the Windows installer.

Step 2: You will be presented with the Wireshark wizard to guide you through the
installation. Click “Next.”
Step 3: Next, you can review, agree to the license agreement, and click “Noted” to continue.
Step 4: You will be asked what components you want to install. You can make your choice
and then click “Next.”

10
 Step 5: Choose a directory to install Wireshark in, showing you the space required to install it.
Step 6: Install Ncap.
Ncap is an open-source library for packet capture and network analysis which
allows Wireshark to capture and analyze network traffic effectively. It enhances Wireshark’s
capabilities by providing optimized packet capture.

Step 7: The next screen will ask if you want to install USBPcap, an open-source USB packet
capture utility that lets you capture raw USB traffic, helping analyze and troubleshoot USB
devices, this is not mandatory.
Click “Install” to begin the installation.
Step 8: Wireshark will now begin the installation process. A window will pop up during
installation to install cap.
Step 9: Ncap will begin the Installation; click “Next” once complete.
Step 10: Wireshark will now complete its installation. Once complete, you can click “Next.”
Step 11: On the last window, click “Finish” to complete the setup.
Step 12: Wireshark will now be installed, and you can begin packet capturing.

11
 When you install the wireshark program, the wireshark GUI with no data will be displayed.
Select one of the wireshark interface, eth0, eth1 will be displayed. Click “Start”for interface
eth0 to begin the Packet capture.
All packets being sent/received from/by the computer are now being captured by wireshark.
Click ”Start”.
Wireshark User Interface:
The wireshark interface has 5 major components;
▪ The Command menus are the standard pulldown menus located at top.
▪ The Packet listing window displays a one-line summary for each packet captured, it
includes Packet number, Packet captured time, Packet’s source & destination address,
Protocol type, Protocol specific information.
▪ The Packet header details window provides about packet selected in the packet listing
window. It includes details about Ethernet frame and IP datagram of the packet. If the
packet has been carried over by TCP/UDP, that details will also be displayed.
▪ Packet contents window display entire contents of the captured frame in both ASCII
and hexadecimal format.
▪ In the Packet display filter field, the protocol name or other information can be entered
to filter the information displayed in packet listing window.
Capturing Packets:
After installing and downloading wireshark, Launch it and click the name of an interface
under Inyerface List to start capturing packets.
Test Run:
Start any browser→ Start the wireshark software → Select an interface → Stop wireshark
packet capture once the browser has been displayed.

12
Colour coding:
Packets will be highlighted in blue, green, black which helps to identify the types of
traffic.
Green→ TCP traffic, Dark Blue → DNS traffic, Light Blue → UDP traffic, Black →
TCP packets with problems.
Inspecting Packets:
Click on any packet and go to the bottom pane.
Inspecting Packet flow:
We have a live packet data that contains all protocol message exchanged
between your computer and other network entities.
To filter the connection and to get a clear data type “http” in the filtering field.
Note that directly typing the destination will not work as wireshark doesn’t have ability to
discern the protocols field.
To get more precise data set http.host==www.netwoksecurity.edu
Right click on any packet → Select “Follow UDP Stream”.
Close the window, change filter back to “http.host==www.networksecurity.edu”
follow a packet from the list that matches the filter.Use “Contains with other protocols.”
TCPdump:
TCP (Transmission Control Protocol) facilitates the transmission of packets from source
to destination.
Tcpdump is a command line utility that allows you to capture and analyze network
traffic going through your system. It is often used to help troubleshoot network issues, as well as
a security tool.
It is a network monitoring and management utility that captures and records TCP/IP data
on the run time. Tcpdump is designed to provide statistics about the number of packets received
and captured at the operating node for network performance analysis, debugging and diagnosing
network bottlenecks and other network-oriented tasks.
Identifying UDP/TCP datagram:
IP packets have 8-bit header (Protocol for v4 and Next Header in v6) which determines
which transport-layer protocol is used in the payload. For example, if it’s 6, the payload is a TCP
segment, and if it’s 17 then that is an UDP.
TCP is connection-oriented while UDP is connectionless.
TCP sends data in a particular sequence, whereas there is no fixed order for UDP
protocol.

Result:
Thus, the installation of Wireshark, TCPdump and observing the data transferred in
client-server communication using UDP/TCP and Identifying the UDP/TCP datagram has been
executed successfully.

13
Ex.no: 5
Check message Integrity and Confidentiality using SSL.
Date :

Aim:
To check message Integrity and Confidentiality using SSL with java code.

Algorithm:

Step 1: Create a class and Load the keystore.

Step 2: Initialize the SSL context.
Step 3: Create SSL server socket and Accept the client connection.
Step 4: Create I/O streams to receive and send messages → Close the connection.
Step 5: In the client side, load the truststore.
Step 6: Create and initialize SSL socket, SSL factory
Step 7: Create I/O streams to receive and send messages → Close the connection.

Program:

Server:
import javax.net.ssl.*;
import java.io.*;
import java.security.*;
public class SSLServer
{
public static void main(String[] args) throws Exception
{
int port = 12345;
char[] passphrase = “password”.toCharArray();
KeyStore keyStore = KeyStore.getInstance(“JKS”);
keyStore.load(new FileInputStream(“server_keystore.jks”), passphrase);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(“SunX509”);
keyManagerFactory.init(keyStore, passphrase);

SSLContext context = SSLContext.getInstance(“TLS”);

KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
context.init(keyManagers, null, null);
SSLServerSocketFactory sslServerSocketFactory = context.getServerSocketFactory();
SSLServerSocket serverSocket = (SSLServerSocket)
sslServerSocketFactory.createServerSocket(port);

14
 System.out.println(“Server started. Waiting for clients…”);
SSLSocket clientSocket = (SSLSocket) serverSocket.accept();
System.out.println(“Client connected.”);
BufferedReader reader = new BufferedReader(new
InputStreamReader(clientSocket.getInputStream()));
PrintWriter writer = new PrintWriter(clientSocket.getOutputStream(), true);
String message;
while ((message = reader.readLine()) != null)
{
System.out.println(“Received: “ + message);
writer.println(“Server acknowledges: “ + message);
}
reader.close();
writer.close();
clientSocket.close();
serverSocket.close();
}
}

Client:
import javax.net.ssl.*;
import java.io.*;
import java.security.*;
public class SSLClient
{
public static void main(String[] args) throws Exception
{
String serverHost = “localhost”;
int serverPort = 12345;
char[] passphrase = “password”.toCharArray();
KeyStore trustStore = KeyStore.getInstance(“JKS”);
trustStore.load(new FileInputStream(“client_truststore.jks”), passphrase);
TrustManagerFactory trustManagerFactory =TrustManagerFactory.getInstance(“SunX509”);
trustManagerFactory.init(trustStore);
SSLContext context = SSLContext.getInstance(“TLS”);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

context.init(null, trustManagers, null);

SSLSocketFactory sslSocketFactory = context.getSocketFactory();
SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(serverHost, serverPort);

15
 BufferedReader reader = new BufferedReader(new
InputStreamReader(socket.getInputStream()));
PrintWriter writer = new PrintWriter(socket.getOutputStream(), true);
writer.println(“Hello, server!”);
String response = reader.readLine();
System.out.println(“Server response: “ + response);
reader.close();
writer.close();
socket.close();
}
}
Output:

Result:
Thus, the java program to check message Integrity and Confidentiality using SSL have
been executed successfully.

16
Ex.no: 6
Experiment Eavesdropping, Dictionary Attack, MITM Attacks.
Date :

Aim:
To experiment Eavesdropping, Dictionary Attack, MITM Attacks.
EAVESDROPPING:
Eavesdropping refers to the unauthorised and unseen intervention of a private, live
conversation.
Sniffing or Eavesdropping pertains to the act of acquiring or intercepting data by capturing the
communication flow within a network using a packet sniffer tool.
This technique involves monitoring the packets of information passing through the network,
allowing unauthorized access to sensitive data, akin to theft or unauthorized interception of
information.
During the transmission of data across networks, if the data packets lack encryption, they
become vulnerable to interception, enabling unauthorized parties to read the contents of these
network packets with the use of a sniffer.

Categories of Network Sniffing:

Active and Passive Sniffing attacks are two distinct categories of network sniffing
techniques used by attackers to intercept and analyze data traffic.
1. Active Sniffing:
Active Sniffing is performed through a Switch and it is easy to detect.
It involves more direct interaction with the network traffic. Instead of just observing and
capturing data, the attacker actively injects or modifies packets within the communication flow.
2.Passive Sniffing:
Passive Sniffing is performed through a Hub which is difficult to detect.
It involves silently capturing and monitoring network traffic without altering or
modifying the data being transmitted. The attacker’s presence is relatively discreet, as they do
not actively participate in the communication process.

17
 They just observe the data that flows through the network, looking for sensitive/crucial
information that is not encrypted.
Experimenting Eavesdropping:
Step 1: Launch the Wireshark software on your computer and choose the ‘eth0’ option, In your
web browser, input the URL we want to capture login credentials from.

Step 2: Input the login credentials, which are ‘test’, and then click on the login button.
Step 3: Then by entering ‘http’ in the filter section, the captured packets using the HTTP
protocol will be shown. Choose ‘Follow’ to access additional options, then select ‘http stream’
from the available choices.

Step 4: Explore the provided information, and you will uncover the login credentials.

18
Output:

DICTIONARY ATTACK:
A Dictionary Attack is an attack vector used by the attacker to break in a system, which is
password protected, by putting technically every word in a dictionary as a form of password for
that system. This attack vector is a form of Brute Force Attack.
Like the brute force attack, the dictionary attack aims to break in by logging in using
username and password combinations. It is only inefficient as far as its overall success rate:
automated scripts can do this in a matter of seconds.
A hacker will look for applications and websites that don’t lock a user out quickly for
incorrect username and password combinations and don’t require other forms of authentication
when signing in. Sites that allow simple passwords are especially vulnerable.
Suppose the target website or application does not adequately monitor suspicious
behavior like this or has lax password rules. In that case, the website runs a high risk of data
disclosure resulting from a dictionary attack.
Leaked password databases have become a common feature of modern dictionary attacks.
Attempting to log in with username and password combinations used multiple times elsewhere
makes these dictionary attacks much more successful and potentially harder to detect on the
application or website’s end.

19
Working of Dictionary attack:
Like the brute force attack, the dictionary attack aims to break in by logging in using
username and password combinations. It is only inefficient as far as its overall success rate:
automated scripts can do this in a matter of seconds.
A hacker will look for applications and websites that don’t lock a user out quickly for
incorrect username and password combinations and don’t require other forms of authentication
when signing in. Sites that allow simple passwords are especially vulnerable.
Leaked password databases have become a common feature of modern dictionary attacks.
MITM ATTACKS:
A man-in-the-middle attack (MitM) is a form of data eavesdropping and theft where an
attacker intercepts data from a sender to the recipient, and then from the recipient back to the
sender.
It’s called a “man in the middle” because the attacker’s device sits between the sender
and recipient and relays messages silently without making either party aware of the
eavesdropping.
The attacker is typically situated on the same network as the targeted user, but
eavesdropping can be done on a remote network if data crosses the path where an attacker is
located.
The goal of an attack is to steal personal information, such as login credentials, account
details and credit card numbers. Targets are typically the users of financial applications, SaaS
businesses, e-commerce sites and other websites where logging in is required.

20
Types of Man-in-the-Middle Attacks:

● Email Hijacking → attackers gain access to a user’s email account and watch
transactions to and from the account.
● Wi-Fi Eavesdropping→ a passive way to deploy MITM attacks, Wi-Fi eavesdropping
involves cyber hackers setting up public Wi-Fi connections, typically with an unsuspecting
name.
● Session Hijacking → session hijacking is when an attacker gains access to an online
session via a stolen session key or stolen browser cookies.
● DNS Spoofing →an attacker engages in DNS spoofing by altering a website’s address
record within a DNS (domain name server) server.
● IP Spoofing → similar to DNS spoofing, IP Spoofing sees an attacker attempt to divert
traffic to a fraudulent website with malicious intent.

Defence and Detection of MITM attack:

MITM attacks can be prevented or detected by two means:
Authentication and Tamper Detection.
→Authentication provides some degree of certainty that a given message has come
from a legitimate source.
→Tamper detection merely shows evidence that a message may have been altered.

Working of MITM attack:

The man-in-the-middle attack process has a two-stage approach: interception and decryption.

(i)Interception:
During the interception step, the cybercriminal attempts to put themselves between the
client and server, typically a user and web application. Depending on the type of man-in-the-
middle attack, there are a few ways the attacker could approach this:
● Creating a non-secure Wi-Fi network or hotspot in a crowded area for people to
connect and view their information.
● Accessing a Wi-Fi network, typically by taking advantage of a weak password or by
installing a packet sniffer to analyze traffic and scan for vulnerabilities, points of entry, and ideal
targets.
● Creating a fake website with spoofed DNS and routing the user through phishing or
redirecting them from the intended HTTPS site.
● Manipulating IP protocols to persuade users to change passwords or log in to an app.

21
(ii)Decryption:
After targets are determined and fall for the bait, cybercriminals use data capture tools to
transmit any login information and web activity back to them and decrypt it into readable text.
During the decryption phase, the intercepted data becomes usable to the criminal.
For example, the cybercriminal will take login credentials captured from the fake
website and use them on the actual one. From there, they could change the user’s password, steal
vital financial information, or use the credentials for longer-term initiatives such as a company
network or a more severe attack.
Man in the middle attack prevention:
Blocking MITM attacks requires several practical steps on the part of users, as well as a
combination of encryption and verification methods for applications.
✦ Avoiding WiFi connections that aren’t password protected.
✦ Paying attention to browser notifications reporting a website as being unsecured.
✦ Immediately logging out of a secure application when it’s not in use.
✦ Not using public networks (e.g., coffee shops, hotels) when conducting sensitive
transactions.

Result:
Thus, Eavesdropping, Dictionary Attack, MITM Attacks have been implemented
successfully.
22
Ex.no: 7
Experiment with Sniff Traffic using ARP Poisoning.
Date :

Aim:
To Experiment Sniff Traffic using ARP Poisoning.
ARP Poisoning:
Address Resolution Protocol (ARP) poisoning is an attack that involves sending spoofed
ARP messages over a local area network. It’s also known as ARP spoofing, ARP poison routing
and ARP cache poisoning.
ARP poisoning is a type of man-in-the-middle attack that can be used to stop network
traffic, change it, or intercept it. The technique is often used to initiate further offensives, such as
session hijacking or denial-of-service.
The relationship between a given MAC address and its IP address is kept in a table
known as the ARP cache. When a packet heading towards a host on a LAN gets to the gateway,
the gateway uses ARP to associate the MAC or physical host address with its correlating IP
address.
The host then searches through its ARP cache. If it locates the corresponding address, it is
used to convert the format and packet length. Otherwise, ARP will send out a request packet that
asks other machines on the local network if they know the correct address. When a machine
replies with the address, the ARP cache is updated.

ARP Poisoning Countermeasures:

We can use several methods to prevent ARP poisoning, each with its own positives and
negatives. These include static ARP entries, encryption, VPNs, packet sniffing, Poisoning
detection software, OS security,etc.

Static ARP entries: This solution involves a lot of administrative overhead and is only
recommended for smaller networks. It involves adding an ARP entry for every machine on a
network into each individual computer.
Mapping the machines with sets of static IP and MAC addresses helps to prevent
spoofing attacks, because the machines can ignore ARP replies.

Encryption: Protocols such as HTTPS and SSH can also help to reduce the chances
of a successful ARP poisoning attack. When traffic is encrypted, the attacker would have to go to
the additional step of tricking the target’s browser into accepting an illegitimate certificate.

VPN: If it is just a single person making a potentially dangerous connection, such as

using public wifi at an airport, then a VPN will encrypt all of the data that travels between the
client and the exit server

23
Operating System Security:

This measure is dependent on the OS been used. The following are the basic
techniques used by various operating systems.
❖ Linux: These work by ignoring unsolicited ARP reply packets.
❖ Microsoft Windows: The ARP cache behavior can be configured via the registry. The
following list includes some of the software that can be used to protect networks against sniffing;
AntiARP- provides protection against both passive and active sniffing
Agnitum Outpost Firewall-provides protection against passive sniffing
XArp- provides protection against both passive and active sniffing
❖ Mac OS: ArpGuard can be used to provide protection. It protects against both active
and passive sniffing.

Sniff Traffic:
Network sniffing is the process of intercepting data packets sent over a network. This
can be done by the specialized software program or hardware equipment. Sniffing can be used
to;
• Capture sensitive data such as login credentials
• Eavesdrop on chat messages
• Capture files have been transmitted over a network.

Types of Sniffing:

Passive sniffing is intercepting packages transmitted over a network that uses a hub. It is
called passive sniffing because it is difficult to detect. It is also easy to perform as the hub sends
broadcast messages to all the computers on the network.
Active sniffing is intercepting packages transmitted over a network that uses a switch.
There are two main methods used to sniff switch linked networks, ARP Poisoning, and MAC
flooding.

Sniff Traffic using ARP Poisoning:

Step 1: Open the command prompt and Enter the command.

Ipconfig /all
Detailed information about all the network connections available on your computer will
be displayed. The results shown below are for a broadband modem to show the MAC address
and IPv4 format and wireless network to show IPv6 format.

24
Step 2: apr command calls the ARP configure program located in Windows/System32 directory
-a is the parameter to display to contents of the ARP cache.

Arp –a

Step 3: Static entries are added manually and are deleted when the computer is restarted.

Step 4: After getting the IP/MAC address, enter the following command.
Arp –s 192.168.1.38 60-36-DD-A6-C5-43

25
Step 5: To view the ARP cache

arp –a

The IP address has been resolved to the MAC address we provided and it is of a static type.

Step 6: Command to remove an entry.

Arp –d 192.168.1.38

ARP poisoning works by sending fake MAC addresses to the switch.

Result:
Thus, the Sniff Traffic using ARP Poisoning have been executed successfully.

26
Ex.no: 8
Demonstrate Intrusion Detection system using any tool.
Date :

Aim:
To implement Intrusion Detection System using Snort tool.

Intrusion Detection System:

An intrusion detection system (IDS) is a network security tool that monitors network
traffic and devices for known malicious activity, suspicious activity or security policy violations.
It observes network traffic for malicious transactions and sends immediate alerts when it
is observed.
Each illegal activity or violation is often recorded either centrally using a SIEM system or
notified to an administration.

Working of an IDS:
➢ An IDS (Intrusion Detection System) monitors the traffic on a computer network
to detect any suspicious activity.
➢ It analyzes the data flowing through the network to look for patterns and signs of
abnormal behavior.
➢ The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
➢ If the IDS detects something that matches one of these rules or patterns, it sends
an alert to the system administrator.
➢ The system administrator can then investigate the alert and take action to prevent
any damage or further intrusion.
IDS Detection Methods:

• Signature-based detection system: A signature-based IDS monitors inbound network

traffic, looking for specific patterns and sequences that match known attack signatures. While it
is effective for this purpose, it is incapable of detecting unidentified attacks with no known
patterns.
• Anomaly-based detection system: The anomaly-based IDS is a relatively newer
technology designed to detect unknown attacks, going beyond the identification of attack
signatures. This type of detection instead uses machine learning to analyze large amounts of
network data and traffic. Anomaly-based IDS creates a defined model of normal activity and uses
it to identify anomalous behavior. However, it is prone to false positives.
Types of IDS:
1)Network-based intrusion detection system (NIDS):

27
 A network IDS monitors a complete protected network. It is deployed across the
infrastructure at strategic points, such as the most vulnerable subnets. The NIDS monitors all
traffic flowing to and from devices on the network, making determinations based on packet
contents and metadata.
2)Host-based intrusion detection system (HIDS):
A host-based IDS monitors the computer infrastructure on which it is installed. It
is deployed on a specific endpoint to protect it against internal and external threats. The
IDS accomplishes this by analyzing traffic, logging malicious activity and notifying
designated authorities.
3) Protocol-based (PIDS):
A protocol-based intrusion detection system is usually installed on a web server. It
monitors and analyzes the protocol between a user/device and the server.
4)Application protocol-based (APIDS)
An APIDS is a system or agent that usually sits inside the server party. It tracks
and interprets correspondence on application-specific protocols.
5)Hybrid intrusion detection system
A hybrid intrusion detection system combines two or more intrusion detection
approaches. This detection system is more powerful compared to other systems.
Snort:
Snort is based on libpcap(library packet capture), a tool widely used in TCP/IPtraffic
sniffers and analyzers. Through protocol analysis, content searching and matching, Snort detects
attack methods, including denial of service, buffer overflow, CGI attacks, stealthport scans, and
SMB probes.
When suspicious behavior is detected, Snort sends a real-time alert to syslog, a separate
‘alerts’ file, or to a pop-up window.
Snort is currently the most popular free network intrusion detection software.
It is ease of configuration. Rules are very flexible, easily written, and easily inserted into
the rule base. Another advantage of snort is that it allows for raw packet data analysis.
Installation of Snort:
Step 1: Visit the website https://www.snort.org/downloads and download Snort tool.
Step 2: Select “I agree” → Select Snort, Dynamic modules, Documentation → Next.
Step 3: Choose a destination folder by clicking on Browse button, the default path is
“C:/Snort”
Step 4: In command prompt, type the snort path. “cd \snort”

28
 Step 5: Type “snort –V” in command prompt to check the version of Snort tool.
Step 6: Download the Snort rules from https://www.snort.org/downloads ,Click sign in.
A compressed folder “snortrules-snapshot- 29161.tar.gz” will be downloaded.
Step 7: Open the “snortrules-snapshot-29161.tar” folder and find “rules” folder. Open the
“rules” folder and copy all the rules present inside it.
Step 8: Go to “C:\Snort\rules” and paste all the rules files.
Step 9: To edit the snort.conf file, Go to “C:\Snort\etc” to open the snort.conf file
Step 10: Open the command prompt and type “ipconfig”.

Step 11: Set the network variables of snort.conf file by typing the IP address (10.0.0.2).
Set up the external network address as home network ($HOME_NET).
Step 12: Set up the network address to be protected.
Ipvar HOME_NET 10.0.0.2
Step 13: Set up the External Network Address as HOME_NET.
Ipvar EXTERNAL_NET $HOME_NET
Step 14: Set the path of the rules files as “C:\Snort\rules” and “C:\Snort\preproc_rules”.
Set the white list and black list path as to “C:\Snort\rules”.

29
 Step 15: Configure the decoder of snort.conf file by setting the path of the log directory
as “C:\Snort\log”
Configure dynamic loaded libraries by setting the path of the dynamic
preprocessor libraries as “C:\Snort\lib\snort_dynamicpreprocessor”,base preprocessor engine as
“C:\Snort\lib\snort_dynamicengine\sf_engine.dll”.
Step 16: Configure preprocessors by removing the “\” and putting decompress_swf and
decompress_pdf in comments. Also, edit the preprocessor bo in comments. Delete comment
from preprocessor sfportscan.

Step 17: Set path to white list and black list, Create new, Save files in directory.
Step 18: Customize the forward slash “/” with backslash “\”.

30
 Step 19: Customize preprocessor and decoder alerts by replacing the forward slash “/”
with backslash “\”.

Step 20: Open the command prompt and go to “C:\Snort\bin” and type “snort –W” to
check the available interface.

Step 21: Execute the Snort tool in the command prompt by typing “snort –I 2 –c
C:\Snort\etc\snort.conf” .
I – interface ; c – configuration file.

31
 Step 22: Rules to detect scanning attacks. After running Snort in IDS mode, the next step
is to write rules in “local.rules” file, the following rules can be added to detect SYN attack, UDP
scan, PINK scan, FIN scan, NULL scan, XMAS scan, and TCP scan.
❖ alert tcp any any -> any any (msg: “SYN attack”; flags: S,12; sid: 10000005;)
❖ alert udp any any -> 192.168.43.160 any (msg: “UDP Scan”; sid: 10001;rev: 1;)
❖ alert icmp any any -> 192.168.43.160 any (msg: “PING Scan”; dsize:0;sid:10002; rev:
1;)
❖ alert tcp any any -> $HOME_NET any (msg: “FIN Scan”; flags: F; sid: 10003;rev: 1;)
❖ alert tcp any any -> $HOME_NET any (msg: “NULL Scan”; flags: 0; sid: 10004;rev: 1;)
❖ alert tcp 192.168.43.160 any -> $HOME_NET 22 (msg: “XMAS Scan”; flags: FPU; sid:
10005;rev: 1;)
❖ alert tcp 192.168.43.160 any -> 192.168.43.160 any (msg: “TCP Scan”; flags: S,12; sid:
10006;rev: 1;)

Step 23: Execute Snort in IDS mode by typing “snort –I 1 –c C:\Snort\etc\snort.conf –A

console” in the command prompt and press Enter.
Step 24: Perform network scanning attacks with nmap by typing “nmap –p 1-65535 –v
10.0.0.2” in the command prompt where p is the port number and v is the verbose mode. The
network scanning attacks can be performed with Zenmap tool.

32
Step 25: The network scanning attacks are detected by Snort IDS as shown.

33
Result:
Thus, the Intrusion Detection System using Snort tool has been implemented
successfully.

34
Ex.no: 9
Explore Network Monitoring tools.
Date :

Aim:
To explore the network monitoring tools.

Network Monitoring:
Network monitoring tools gather and analyze network data to provide network
administrators with information related to the status of network appliances, link saturation, the
most active devices, the structure of network traffic or the sources of network problems and
traffic anomalies. Working of Network monitoring tools: Network monitoring tools collect data
in some form from active network devices, such as routers, switches, load balancers, servers,
firewalls, or dedicated probes, which they analyze to paint a picture of the network’s condition.
Both collection and analysis are equally important functions of network monitoring tools
– network admins need data that is detailed enough for their purposes, and they need
comprehensible output.
With this information in hand, network administrators can act with certainty and resolve
network problems hindering business operations due to degraded service or outages.
When using a network monitoring tool, the first step is to determine which network
devices should be monitored and establish performance metrics. Then, decide on a monitoring
interval that makes sense for your situation.
Once in place, network monitoring tools scan for network issues. Methods can be as
simple as a ping to ensure a host Is available. They can also be more extensive, such as
monitoring firewall access, bandwidth usage, resource consumption, uptime, and unexpected
changes in network traffic; making sure switches, routers, servers, firewalls and other endpoints
have an acceptable level of throughput; performing load balancing; and monitoring for high error
rates.
These tools offer visualization of the entire network infrastructure with customizable
dashboards that provide real-time performance graphs and other reports showing how the
components look and whether there are unusual parameters that require further investigation.
Network monitoring solutions send email or SMS notifications to network administrators
when they find problems needing attention. They also share alert notifications with various IT
operational tools, such as AIOps systems.

Types of network monitoring tools:

There are three primary types of network monitoring tools.
1. SNMP-based tools use Simple Network Management Protocol (SNMP) to interact
with network hardware and track the real-time status and use of resources, such as CPU stats,
memory

35
 Consumption, bytes transmitted and received, and other metrics. SNMP is one of the
most widely used monitoring protocols, along with Microsoft Windows Management
Instrumentation (WMI) for Windows servers and Secure Shell (SSH) for Unix and Linux servers.
2. Flow-based tools monitors traffic flow to provide statistics about protocols and users.
Some also inspect packet sequences to identify performance issues between two IP addresses.
These flow tools capture traffic flow data and send them to a central collector for processing and
storage.
3. Active network monitoring solutions inject packets into the network and measure end-
to-end reachability, round-trip time, bandwidth, packet loss, link utilization and more. By
conducting and measuring real-time transactions from a user’s perspective, these solutions
enable faster and more reliable detection of outages and performance degradation. There are also
both agent and agentless network monitoring methods.
• Agent-based monitoring involves installing an agent, a small application or piece of
software, onto the monitored device.
• Agent-less monitoring (using SNMP and SSH protocols) requires no installation;
instead, network monitoring software logs directly into the monitored device.

Purpose of Network monitoring tools:

Network failures can lead to business disruptions, which can mean a loss of customers,
employee productivity and money.
Investing in network monitoring software, whether commercial or open-source, means
taking a proactive approach to keeping your network infrastructure healthy and maximizing
uptime instead of waiting until an end user reports network problems. Because infrastructure
monitoring lets you know precisely where a network problem occurs, there’s time for
troubleshooting before the situation leads to an outage.

Benefits of network monitoring software:

The primary benefit of network monitoring tools is straightforward and easy-to-
understand visibility into an entire network’s connected devices and how data moves between
them.
Modern network performance monitoring systems provide baseline information that lets
you automatically compare data and identify any network performance degradation.
An NPM solution requires less time to fix network performance problems. By detecting
an issue earlier we can troubleshoot and fix it much faster, saving time and money.
Network performance monitoring also provides historical data and allows the
troubleshooting of past network problems so you can avoid similar issues in the future. Network
monitoring solutions give you reliable and flexible management tools and capabilities, including
pre-configured templates for specific vendors—such as Cisco, Juniper, Arista and Aruba, among
others to ensure working. They help you comply with industry standards and government
regulations.

36
 Monitoring tools can also help you track and benchmark your network’s performance
metrics.
Network performance monitoring also lets you keep track of networks that are changing,
growing and becoming more complex over time.

Parameters of a network monitoring tool:

1) Map Generation:

Network Maps are utilized by the monitoring tools for the ease of visualization of the
entire network of an organization either as a centralized network system or as a distributed
network where the maps are divided according to the logical separations of the network.
Network device discovery further aids the process of map generation by identifying the devices
present in the network.
There are various approaches used for network mapping: route analysis, SNMP based
approaches and active probing.
2) Network Configuration:
Network configuration is a very important function for precise functioning of the network

infrastructure of any organization.

Administrators ought to be capable of configuring IP addresses of various types of
devices along with other types of configurations like setting up routing protocols for layer 3
devices, updating existing configuration, adding dynamic manual routes on the fly, etc.
3) Fault Detection And Alerting:
Fault detection include finding, pinpointing and notifying the fault that can occur
anywhere in the network. The fault can be in the device itself which may again be device specific
such as a memory segmentation fault in a router or it can be a common occurrence such as a link
failure/node failure.
Alerting encompasses smart alerts that reduces unnecessary network alerts.
4) Device Discovery:
Device discovery is done using the SNMP protocol. The devices are scanned, added to
the database and imported into the monitoring tool.
Device discovery identifies the type of device along with other details such as the layer in
which it works, average response time, packet loss, operating-system, memory processing
power, etc.
5) Network Traffic Trend Prediction:
It is a proactive approach to ensure the security is not compromised within the network.
Trend prediction is beneficial as it can be used for dynamic bandwidth allocation
and network planning.
It also avoids congestion, identify the core links of the network and notify the user
so that a high alert can be placed over that link.

37
Top 5 network monitoring tools:
1) SuperOps.ai :
With SuperOps.ai, you get an AI-powered RMM and PSA solution in one tool.
Once deployed, the tool will grant you complete visibility over your clients’ entire asset
network. You can use this to view, track, and manage all of these assets from a single,
intuitive dashboard.

2) Atera:
Atera is a cloud-based, Remote IT Management platform that provides a powerful
and integrated solution, for MSPs, IT consultants, and IT departments. With Atera you
can monitor unlimited devices and Networks for a flat low rate.

38
3) NinjaOne (Formerly NinjaRMM):
With Ninja, you get a complete set of tools to monitor, manage, secure, and
improve all of your network devices, Windows, Mac workstations, laptops, and servers
regardless of their location.

4) Auvik:
Auvik is a cloud-based solution for network management and monitoring. It is
easy to use and helps you with preventing, detecting, and resolving issues faster. The
traffic analysis tools detect anomalies faster. It provides automated security and
performance updates and encrypts network data with AES-256.

39
 5)SolarWinds Network Performance Monitor:
SolarWinds provides the Network Performance monitor that can reduce network
outages and improve performance. It is a scalable solution with smarter scalability for
large environments.

Result:
Thus, the network monitoring tools have been explored successfully.

40
Ex.no: 10
Study to Configure Firewall, VPN.
Date :

Aim:
To study the role of firewalls and virtual private networks (VPNs) in providing security to
shared public networks such as the Internet.
Firewall:
A network security device that observes and filters incoming and outgoing network
traffic, adhering to the security policies defined by an organization. Essentially, it acts as a
protective wall between a private internal network and the public Internet.
Firewalls are network security systems that prevent unauthorized access to a network. It
can be a hardware or software unit that filters the incoming and outgoing traffic within a private
network, according to a set of rules to spot and prevent cyberattacks.
A firewall router is a specially programmed router that sits between a site and the rest of
the network. It is a router in the sense that it is connected to two or more physical networks, and
it forwards packets from one network to another, but it also filters the packets that flow through
it.
Types of Firewalls:
There are multiple types of firewalls based on their traffic filtering methods, structure,
and functionality. A few of the types of firewalls are:
➢ Software Firewall
➢ Hardware Firewall
➢ Packet Filters
➢ Stateful Inspection Firewall
➢ Application Layer Firewall
➢ Next-generation Firewall
➢ Circuit-level gateways
➢ Cloud Firewall
Functions of Firewall:
The most important function of a firewall is that it creates a border between an external
network and the guarded network where the firewall inspects all packets (pieces of data for
internet transfer) entering and leaving the guarded network.
Once the inspection is completed, a firewall can differentiate between benign and
malicious packets with the help of a set of pre-configured rules.
This packet form information includes the information source, its destination, and the
content.

41
VPN:
A virtual private network (VPN) adds security and anonymity to users when they connect
to web-based services and sites, it hides the user’s actual public IP address and “tunnels” traffic
between the user’s device and the remote server.
This makes it more difficult for third parties to track the activities online and steal data.
The encryption takes place in real time.

Working of VPN:
A VPN hides your IP address by letting the network redirect it through a specially
configured remote server run by a VPN host.
This means that if you surf online with a VPN, the VPN server becomes the source of
your data. This means your Internet Service Provider (ISP) and other third parties cannot see
which websites you visit or what data you send and receive online.
VPNs utilize a concept called an IP tunnel, a virtual point-to-point link between a pair of
nodes that are actually separated by an arbitrary number of networks.
The virtual link is created within the router at the entrance of the tunnel by providing it
with the IP address of the router at the far end of the tunnel.
Whenever the router at the entrance of the tunnel wants to send a packet over this virtual
link, it encapsulates the packet inside an IP datagram. The destination address in the IP header is
the address of the router at the far end of the tunnel, whereas the source address is that of the
encapsulating router.
Procedure:
1) Create a New Project:
• Start OPNET IT → File → New → Select Project → Name the project <name >_VPN, then
NoFirewall.
• Click Quit on the Startup Wizard.
2) Create and Configure the Network:
Initialize the network:
➢ Open the Object Palette dialog box. Make sure that the internet_toolbox item is
selected from the pull-down menu on the object palette.
➢ Add the following objects from the palette to the project workspace. Application
Config, Profile Config, an ip32_cloud, one ppp_ server, three
thernet4_slip8_gtwy routers, and two ppp_wkstn hosts.
➢ Rename the objects you added and connect them using PPP_DS1 links.
Configure the nodes:
1.Right-click on the Applications node → Edit Attributes → Assign Default to
Application Definitions attribute.
2.Right-click on the Profiles node → Assign Sample Profiles to Profile Configuration
attribute.

42
 3.Right-click on the Server node → Assign All to the Application: Supported Services
attribute.
4.Right-click on the Sales A node → Select Similar Nodes.
a.Right-click on the Sales A node →Check the Apply Changes to Selected Objects
check-box.
b.Expand the Application: Supported Profiles attribute → Set rows to 1 →
Expand the row 0 hierarchy → Profile Name = Sales Person .

Choose the Statistics:

1.Right-click anywhere in the project workspace and select Choose Individual Statistics.
2.In the Choose Results dialog box, check the following statistics:
a.Global Statistics → DB Query → Response Time (sec).
b.Global Statistics→HTTP → Page Response Time (seconds).
3.Right-click on Sales A, B nodes, and select Choose Individual Statistics. In the Choose
Results dialog box, check the following statistics:
a.Client DB → Traffic Received (bytes/sec).
b.Client Http → Traffic Received (bytes/sec).
The Firewall scenario:
In the network we created, the Sales Person profile allows access to apps like db access,
email, web browsing from server.
Select Duplicate scenarios → name it as Firewall → Edit the attributes in Router C.
Assign ethernet_2_slip8_firewall to model attribute.
Expand the hierarchy of proxy server information → Assign No to Deployed.

43
44
The Firewall scenario:
In the Firewall scenario, we protected the databases in the server from “any” external
access using a firewall router. Assume that we want to allow the people in the Sales A site to
have access to the databases in the server. Since the firewall filters all database-related traffic
regardless of the source of the traffic, we need to consider the VPN solution.
A virtual tunnel can be used by Sales A to send database requests to the server. The
firewall will not filter the traffic created by Sales A because the IP packets in the tunnel will be
encapsulated inside an IP datagram.
1. In the Firewall scenario, select Duplicate Scenario, name it as Firewall_VPN → Click
OK.
2. Remove the link between Router C and the Server.
3. Open the Object Palette dialog box, check the internet_toolbox.
a.Add to the project workspace one ethernet4_slip8_gtwy and one IP VPN
Config.

b.From the Object palette, use two PPP_DS1 links to connect the new router to
the Router C (the firewall) and to the Server.
4. Rename the IP VPN Config object to VPN.

Configure the VPN:

Right-click on the VPN node →Edit Attributes.
i.Expand the VPN Configuration hierarchy →Set rows to 1 →Expand
row 0 hierarchy →Edit the value of Tunnel Source Name and write down Router
A →Edit the value of Tunnel Destination Name and write down Router D.
ii. Expand the Remote Client List hierarchy →Set rows to 1 →Expand row
hierarchy →Edit the value of Client Node Name and write down Sales A.
iii. Click OK and then save your project.

45
Run the Simulation:
To run the simulation for the three scenarios simultaneously:
1. Go to the Scenarios menu → Select Manage Scenarios.
2. Change the values under the Results column to <collect> (or <recollect>) for the three
scenarios.
Configured Firewall VPN:
To view and analyze the results:
1. Select Compare Results from the Results menu.
2. Expand the Sales A hierarchy → Expand the Client DB hierarchy → Select the Traffic
Received statistic.
3. Change the drop-down menu in the middle-lower part of the Compare Results dialog
box from As Is to time_average.
4. Press Show and the resulting graph displays.

46
Result:
Thus, the role of firewalls and virtual private networks (VPNs) in providing security to
shared public networks such as the Internet have been configured successfully.

47