
B.E-CSE Chandigarh University

Practical File

Introduction to Information Security Lab

CSC-425/CCC-425

4TH YEAR / 7TH SEMESTER

Submitted by : Shubham Jaswal

Submitted to : Er. Sugandhi

Shubham Jaswal(16BCS2626)
B.E-CSE Chandigarh University

EXPERIMENT NO-1
PROBLEM DEFINITION: Familiarization with Information Security, and writing specifications of the latest
information-security threats.

OBJECTIVE: The objective of this experiment is to learn about Information Security and the various security
threats.

INFORMATION SECURITY:
Information security (IS) is designed to protect the confidentiality, integrity and availability of computer
system data from those with malicious intentions. Confidentiality, integrity and availability are sometimes
referred to as the CIA Triad of information security. Information security handles risk management.
Anything can act as a risk or a threat to the CIA triad or the Parkerian hexad. Sensitive information must be
kept intact: it cannot be changed, altered or transferred without permission. For example, a message could
be modified during transmission by someone intercepting it before it reaches the intended recipient. Good
cryptography tools can help mitigate this security threat. Digital signatures can improve information
security by enhancing authenticity processes and prompting individuals to prove their identity before they
can gain access to computer data.

SECURITY THREATS:

Threats can originate from two primary sources: humans and nature. Human threats subsequently can be
broken into two categories: malicious and non-malicious. The non-malicious "attacks" usually come from
users and employees who are not trained on computers or are not aware of various computer security threats.
Malicious attacks usually come from non-employees or disgruntled employees who have a specific goal or
objective to achieve.

Natural Disasters

Nobody can stop nature from taking its course. Earthquakes, hurricanes, floods, lightning, and fire can cause
severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur,
hardware can be damaged and other essential services can be disrupted. Riots, wars, and terrorist attacks,
although the result of human activity, fall into this category because they are disasters and are difficult to
protect against with computer security policies and controls.

Insiders or Malicious and Disgruntled Employees

Insiders are likely to have specific goals and objectives, and have legitimate access to the system.
Employees are the group most familiar with their employer's computers and applications, including knowing
what actions might cause the most damage. Insiders can plant viruses, Trojan horses, or worms, or browse
through the file system. This type of attack can be extremely difficult to detect or protect against.

Outside Attackers or 'Crackers'

People often refer to "crackers" as "hackers." The definition of "hacker" has changed over the years. A
hacker was once thought of as any individual who enjoyed getting the most out of the system he or she was
using. A hacker would use a system extensively and study the system until he or she became proficient in all
its nuances. This individual was respected as a source of information for local computer users, someone
referred to as a "guru" or "wizard."

Non-Malicious Employees

Attackers are not the only ones who can harm an organization. The primary threat to data integrity comes
from authorized users who are not aware of the actions they are performing. Errors and omissions can lose,
damage, or alter valuable data.

Motives, Goals, and Objectives of Malicious Attackers

There is a strong overlap between physical security and data privacy and integrity. Indeed, the goal of some
attacks is not the physical destruction of the computer system but the penetration and removal or copying of
sensitive information. Attackers want to achieve these goals either for personal satisfaction or for a reward.

Here are some methods that attackers use:

• Deleting and altering information. Malicious attackers who delete or alter information normally do
this to prove a point or take revenge for something that has happened to them. Inside attackers
normally do this to spite the organization because they are disgruntled about something. Outside
attackers might want to do this to prove that they can get into the system or for the fun of it.
• Committing information theft and fraud. Information technology is increasingly used to commit
fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional
methods of fraud and by using new methods. Financial systems are not the only ones subject to
fraud. Other targets are systems that control access to any resources, such as time and attendance
systems, inventory systems, school grading systems, or long-distance telephone systems.
• Disrupting normal business operations. Attackers may want to disrupt normal business operations. In
any circumstance like this, the attacker has a specific goal to achieve. Attackers use various methods
for denial-of-service attacks; the section on methods, tools, and techniques will discuss these.

Methods, Tools, and Techniques for Attacks

The attack method exploits a vulnerability in the organization in order to launch an attack. Malicious
attackers can gain access or deny services in numerous ways. Here are some of them:

• Viruses. Attackers can develop harmful code known as viruses. Using hacking techniques, they can
break into systems and plant viruses. Viruses in general are a threat to any environment. They come
in different forms and, although not always malicious, they always take up time. Viruses can also be
spread via e-mail and disks.
• Trojan horses. These are malicious programs or software code hidden inside what looks like a
normal program. When a user runs the normal program, the hidden code runs as well. It can then
start deleting files and causing other damage to the computer. Trojan horses are normally spread by
e-mail attachments. The Melissa virus that caused denial-of-service attacks throughout the world in
1999 was a type of Trojan horse.
• Worms. These are programs that run independently and travel from computer to computer across
network connections. Worms may have portions of themselves running on many different computers.
Worms do not change other programs, although they may carry other code that does.
• Password cracking. This is a technique attackers use to surreptitiously gain system access through
another user's account. This is possible because users often select weak passwords. The two major
problems with passwords are that they can be easy to guess based on knowledge of the user (for
example, a wife's maiden name) and that they can be susceptible to dictionary attacks (that is, using
a dictionary as the source of guesses).
• Denial-of-service attacks. This attack exploits the need to have a service available. It is a growing
trend on the Internet because Web sites in general are open doors ready for abuse. People can easily
flood a Web server with traffic in order to keep it busy. Therefore, companies connected to the
Internet should prepare for denial-of-service (DoS) attacks. They are also difficult to trace and can be
used to mask other types of attacks.
• E-mail hacking. Electronic mail is one of the most popular features of the Internet. With access to
Internet e-mail, someone can potentially correspond with any one of millions of people worldwide.
Some of the threats associated with e-mail are:
  ◦ Impersonation. The sender address on Internet e-mail cannot be trusted because the sender can
  create a false return address. Someone could have modified the header in transit, or the sender could
  have connected directly to the Simple Mail Transfer Protocol (SMTP) port on the target computer to
  enter the e-mail.
  ◦ Eavesdropping. E-mail headers and contents are transmitted in clear text if no encryption is used.
  As a result, the contents of a message can be read or altered in transit. The header can be modified to
  hide or change the sender, or to redirect the message.
• Packet replay. This refers to the recording and retransmission of message packets in the network.
Packet replay is a significant threat for programs that require authentication sequences, because an
intruder could replay legitimate authentication sequence messages to gain access to a system. Packet
replay is frequently undetectable, but can be prevented by using packet time stamping and packet
sequence counting.
• Packet modification. This involves one system intercepting and modifying a packet destined for
another system. Packet information may not only be modified, it could also be destroyed.
• Eavesdropping. This allows a cracker (hacker) to make a complete copy of network activity. As a
result, a cracker can obtain sensitive information such as passwords, data, and procedures for
performing functions. It is possible for a cracker to eavesdrop by wiretapping, using radio, or using
auxiliary ports on terminals. It is also possible to eavesdrop using software that monitors packets sent
over the network. In most cases, it is difficult to detect eavesdropping.
• Social engineering. This is a common form of cracking. It can be used by outsiders and by people
within an organization. Social engineering is a hacker term for tricking people into revealing their
password or some form of security information.
• Intrusion attacks. In these attacks, a hacker uses various hacking tools to gain access to systems.
These can range from password-cracking tools to protocol hacking and manipulation tools. Intrusion
detection tools often can help to detect changes and variants that take place within systems and
networks.
• Network spoofing. In network spoofing, a system presents itself to the network as though it were a
different system (computer A impersonates computer B by sending B's address instead of its own).
Network spoofing occurs in the following manner: if computer A trusts computer B and computer C
spoofs (impersonates) computer B, then computer C can gain otherwise-denied access to computer
A.
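The packet replay and packet modification entries above say a receiver can defend itself with packet time stamping and sequence counting. As an added example that is not part of the original lab file, the Python below is a small receiver-side check that combines both, with an HMAC over each message (an addition beyond what the text names, so that a retransmitted copy cannot simply rewrite its own counter or time stamp); the shared key, the 30-second freshness window, the message format and the sample exchange are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values, not from the lab file: a key shared by both
# endpoints and the freshness window the receiver is willing to accept.
SHARED_KEY = b"constructed-demo-key"
WINDOW_SECONDS = 30


def make_message(key: bytes, seq: int, timestamp: int, payload: str):
    """Sender side: serialise seq, time stamp and payload, then tag with an HMAC."""
    body = {"seq": seq, "ts": timestamp, "payload": payload}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return raw, tag


class ReplayGuard:
    """Receiver side: accept a message only if its tag verifies, its time stamp
    is fresh, and its sequence number is higher than anything already accepted."""

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.highest_seq = -1  # highest sequence number accepted so far

    def accept(self, raw: bytes, tag: str, now: int) -> str:
        # 1. Integrity first: a modified packet (or a rewritten counter) fails here.
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad tag"
        body = json.loads(raw)
        # 2. Time stamp: a packet recorded long ago and retransmitted now is stale.
        if abs(now - body["ts"]) > self.window:
            return "reject: stale timestamp"
        # 3. Sequence counter: an exact copy of an accepted packet reuses a number
        #    already seen. (Strictly increasing numbers also reject legitimately
        #    reordered packets; a sliding window would relax that.)
        if body["seq"] <= self.highest_seq:
            return "reject: replayed sequence number"
        self.highest_seq = body["seq"]
        return "accept"


def simulate() -> list:
    """Constructed exchange: one legitimate message, a replay of it, a stale
    capture, a tampered message, and a fresh legitimate message."""
    guard = ReplayGuard(SHARED_KEY)
    now = 1_700_000_000  # constructed clock value (seconds)
    verdicts = []

    raw1, tag1 = make_message(SHARED_KEY, 1, now, "login alice")
    verdicts.append(guard.accept(raw1, tag1, now))          # accept

    # The same bytes retransmitted five seconds later: fresh, but seq 1 is reused.
    verdicts.append(guard.accept(raw1, tag1, now + 5))      # replayed seq

    # A message captured two minutes ago and replayed now: outside the window.
    raw2, tag2 = make_message(SHARED_KEY, 2, now - 120, "login alice")
    verdicts.append(guard.accept(raw2, tag2, now + 5))      # stale

    # A message whose payload was altered in transit: the tag no longer matches.
    raw3, tag3 = make_message(SHARED_KEY, 3, now + 6, "transfer 10")
    tampered = raw3.replace(b"transfer 10", b"transfer 99")
    verdicts.append(guard.accept(tampered, tag3, now + 6))  # bad tag

    # The untouched original of that message is still accepted.
    verdicts.append(guard.accept(raw3, tag3, now + 6))      # accept
    return verdicts


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```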


EXPERIMENT NO-2
PROBLEM DEFINITION: Installation Process of various operating systems.

OBJECTIVE: The objective of this experiment is to know about Installation of different operating systems
like Windows, Linux and MacOS.

WINDOWS OPERATING SYSTEM:


Windows is a metafamily of graphical operating systems developed, marketed, and sold by Microsoft. It
consists of several families of operating systems, each of which caters to a certain sector of the computing
industry, with the OS typically associated with the IBM PC compatible architecture. Microsoft introduced an
operating environment named Windows on November 20, 1985, as a graphical operating system shell for
MS-DOS in response to the growing interest in graphical user interfaces (GUIs). Microsoft Windows came
to dominate the world's personal computer (PC) market with over 90% market share, overtaking Mac OS,
which had been introduced in 1984.

Installation Process of Windows Operating System

1. Enter your computer's BIOS. Turn off the computer that you want to install Windows on then
turn it back on. When the BIOS screen appears or you are prompted to do so, press Del , Esc ,
F2 , F10 , or F9 (depending on your computer’s motherboard) to enter the system BIOS. The
key to enter the BIOS is usually shown on the screen.
2. Find your BIOS's boot options menu. The boot options menu of your BIOS may vary in location
or name from the illustration, but you may eventually find it if you search around.

o If you can't find the boot options menu, search the name of your BIOS (most likely located in
the BIOS menu) online for help.

3. Select the CD-ROM drive as the first boot device of your computer.
a. Although this method may vary among computers, the boot options menu is typically a
menu of movable device names where you should set your CD-ROM drive as the first
boot device. It can also be a list of devices that you can set the order of their boot on.
Consult a manual or the internet for help if you're stuck.


4. Save the changes of the settings. Press the button indicated on the screen or select the save option
from the BIOS menu to save your configuration.
5. Shut off your computer. Either turn off the computer by choosing the shut-down option in your
current operating system, or hold the power button until the computer powers off.
6. Power on the PC and insert the Windows 7 disc into your CD/DVD drive.

7. Start your computer from the disc. After you have placed the disc into the disc drive, start your
computer. When the computer starts, press any key if you are asked whether you would like to boot
from the disc. After you choose to start from the disc, Windows Setup will begin loading.
a. If you are not asked to boot from the disc, you may have done something wrong. Retry
the previous steps to solve the problem.

8. Choose your Windows Setup options. Once Windows Setup loads, you'll be presented with a
window. Select your preferred language, keyboard type, and time/currency format, then click
Next.
9. Click the Install Now button.


10. Accept the License Terms. Read over the Microsoft Software License Terms, check I accept the
license terms, and click Next.
11. Select the Custom installation.

12. Decide on which hard drive and partition you want to install Windows on. A hard drive is a
physical part of your computer that stores data, and partitions "divide" hard drives into separate
parts.
a. If the hard drive has data on it, delete the data off of it, or format it.
i. Select the hard drive from the list of hard drives.
ii. Click Drive options (advanced).
iii. Click Format from Drive options.
b. If your computer doesn't have any partitions yet, create one to install Windows on it.
i. Select the hard drive from the list of hard drives.
ii. Click Drive options (advanced).
iii. Select New from Drive options.
iv. Select the size, and click OK.
13. Install Windows on your preferred hard drive and partition. Once you've decided on where to
install Windows, select it and click Next. Windows will begin installing.

LINUX OPERATING SYSTEM:

Linux is a Unix-like computer operating system assembled under the model of free and open-source
software development and distribution. The defining component of Linux is the Linux kernel, an operating
system kernel first released on September 17, 1991 by Linus Torvalds. The Free Software Foundation uses
the name GNU/Linux to describe the operating system, which has led to some controversy.

Linux was originally developed for personal computers based on the Intel x86 architecture, but has since
been ported to more platforms than any other operating system. Because of the dominance of the Linux
kernel-based Android OS on smartphones, Linux has the largest installed base of all general-purpose
operating systems. Linux is also the leading operating system on servers and other big iron systems such
as mainframe computers, and is used on 99.6% of the TOP500 supercomputers.

Installation Process of Linux Operating System


1. Download the Ubuntu ISO file. You can get the ISO file from the Ubuntu website. An ISO file is a
CD image file that will need to be burned before you can use it. There are two options available from
the Ubuntu website (you can also buy official Ubuntu CDs, which come in packs of 10):

• 16.04 LTS has continuous updates and provides technical support. It is scheduled to be supported
until April 2021. This option will give you the most compatibility with your existing hardware.
• Ubuntu builds (not yet released) 16.10, 17.04, and 17.10 will come with limited support. They will
have the newest features, though they may not work with all hardware. These releases are geared
more towards experienced Linux users.
• If you have a Windows 8 or 10 PC or a PC with UEFI firmware, download the 64-bit version of
Ubuntu. Most older machines should download the 32-bit version.

2. Burn the ISO file. Open up your burning program of choice. There are free and paid programs
available that can burn an ISO to a CD or DVD.

• Windows 7, 8, 10, and Mac OS X can all burn ISO files to a disc without having to download a
separate program.

3. Boot from the disc. Once you have finished burning the disc, restart your computer and choose to
boot from the disc. You may have to change your boot preferences by hitting the Setup key while
your computer is restarting. This is typically F12, F2, or Del.
4. Try Ubuntu before installing. Once you boot from the disc, you will be given the option to try
Ubuntu without installing it. The operating system will run from the disc, and you will have a chance
to explore the layout of the operating system.

• Open the Examples folder to see how Ubuntu handles files and exploring the operating system.
• Once you are done exploring, open the Install file on the desktop.

5. Install Ubuntu. Your computer will need at least 4.5 GB of free space. You will want more than this
if you want to install programs and create files. If you are installing on a laptop, make sure that it is
connected to a power source, as installing can drain the battery faster than normal.

• Check the “Download updates automatically” box, as well as the “Install this third-party software”
box. The third-party software will allow you to play MP3 files as well as watch Flash video (such as
YouTube).

6. Set up the wireless connection. If your computer is not connected to the internet via Ethernet, you
can configure your wireless connection in the next step.

• If you didn’t have an internet connection in the previous step, hit the Back button after setting up the
wireless connection so that you can enable automatic updates.

7. Choose what to do with your existing operating system. If you have Windows installed on your
system, you will be given a couple options on how you’d like to install Ubuntu. You can either
install it alongside your previous Windows installation, or you can replace your Windows installation
with Ubuntu.

• If you install it alongside your old version of Windows, you will be given the option to choose your
operating system each time you reboot your computer. Your Windows files and programs will
remain untouched.
• If you replace your installation of Windows with Ubuntu, all of your Windows files, documents, and
programs will be deleted.


8. Set your partition size. If you are installing Ubuntu alongside Windows, you can use the slider to
adjust how much space you would like to designate for Ubuntu. Remember that Ubuntu will take up
about 4.5 GB when it is installed, so be sure to leave some extra space for programs and files. Once
you are satisfied with your settings, click Install Now.
9. Choose your location. If you are connected to the internet, this should be done automatically. Verify
that the timezone displayed is correct, and then click the Continue button.
10. Set your keyboard layout. You can choose from a list of options, or click the Detect Keyboard
Layout button to have Ubuntu automatically pick the correct option.
11. Enter your login information. Enter your name, the name of the computer (which will be displayed
on the network), choose a username, and come up with a password. You can choose to have Ubuntu
automatically log you in, or require your username and password when it starts.
12. Wait for the installation process to complete. Once you choose your login info, the installation will
begin. During setup, various tips for using Ubuntu will be displayed on the screen. Once it is
finished, you will be prompted to restart the computer and Ubuntu will load.


EXPERIMENT NO-3
PROBLEM DEFINITION: Study of host-based firewall vs. network-based firewall and deploying a
firewall.
OBJECTIVE:
Introduction to Firewall:
A firewall is a network security device that monitors incoming and outgoing network traffic and decides
whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first
line of defence in network security for over 25 years. They establish a barrier between secured and
controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.

A firewall can be hardware, software, or both.

Firewall Implementation
A host-based firewall is a firewall installed on each individual server that controls incoming and outgoing
network traffic and determines whether to allow it into a particular device (i.e. the Microsoft firewall that
comes with a Windows-based computer).
Host-based firewalls do offer some advantages over network-based firewalls, including:
• Flexibility – applications and VMs (virtual machines) can be moved between cloud environments, taking
their host-based firewalls along with them.
• Customisation – a single device can be configured for individual circumstances using custom firewall
rules.
• Mobility – a laptop or mobile device with a firewall provides security for the device in different physical
locations.
• Internal protection – a customised host-based firewall can prevent attack from within an organisation by
only allowing authorised employee access to particular devices.

A network-based firewall is a firewall that is built into the infrastructure of the cloud (i.e. Amazon’s
firewall in AWS environments) or a virtual firewall service such as those offered by Cisco, VMware and
Check Point.
However, network-based firewalls offer a number of significant advantages over host-based firewalls, which
include:
• Greater security – if an attacker circumvents a host-based firewall, they can gain direct access to the host
(i.e. via a Trojan) and could then use administrator privileges to turn off the firewall or install malicious
code undetected by the IT department. However, the detection and prevention systems operating on a
network-based firewall would be more likely to notice suspicious traffic generated by a Trojan as it
crosses the network barrier.
• Scalability – unlike host-based firewalls that must be replaced when bandwidth exceeds firewall
throughput, network-based firewalls can be scaled up as client bandwidth demands increase.
• Availability – network-based firewall providers offer high availability (uptime) through fully redundant
power, HVAC, and network services, while host-based firewalls are only as reliable as your existing IT
infrastructure.
• Reach – thanks to interconnection agreements between network-based firewall providers, protection can
extend well beyond the boundaries of a single service provider network.
• Affordability – network-based firewalls offer much better value for money as they do not require the
labour-intensive IT involvement of host-based firewalls, such as individual installation and maintenance
on every server.

Installation of Comodo Firewall


Download the installer from the download pages of Comodo Firewall. Once we have begun the installation,
we are asked to choose one of three install types: Firewall Only, Firewall with Optimum Proactive Defense
and Firewall with Maximum Proactive Defense. Each offers an additional level of protection for your
computer. If you have never worked with a firewall before, choosing the Firewall Only installation method
is the best way to go. The Optimum and Maximum Proactive Defenses offer more protection against threats,
such as malware, spyware and more. If you have found yourself the victim of malicious attacks, spyware,
viruses and more, using a higher level of protection with Comodo is the way to go.

During installation we will first see a screen which asks whether we want two options to be enabled. It is
strongly recommended to leave the box "enable 'Cloud Based Behavior Analysis'..." checked. This will
upload all active unrecognized programs to Comodo for analysis. These files will then either be added to
the whitelist or added to the definitions for the antivirus. This will make Comodo Internet Security both
easier to use and more powerful against threats. The other box, "Send anonymous program usage...", we
can uncheck if we desire, or we can leave it checked. It's entirely up to us.
Before going to the next screen, select the option in the lower-left corner called "Customize Installation". In
addition we should select the small option near the bottom of the window that says "Customize Installer".
This will give us the option to choose which components, and additional programs, we would like to install.
We may wish to consider leaving the option to install Comodo GeekBuddy checked. This is a free trial
program through which Comodo technicians can remotely diagnose, but not fix, problems with our
computer. This trial period will only start once we first use it. If at a later date we decide to purchase the
product then the technicians can also remotely fix any problems with our computer.
Comodo Firewall also offers the opportunity to take advantage of DNS routing for optimal protection.

We can choose to opt into Comodo SecureDNS or opt out.

Comodo Secure DNS Servers will automatically block any websites that Comodo knows to be dangerous.
However, we have noticed that Comodo DNS sometimes tends to block legitimate sites.


EXPERIMENT NO-4
PROBLEM DEFINITION: Explain steps for sniffing network traffic.
OBJECTIVE: This experiment aims to illustrate different steps to sniff network traffic using pictures.

Why Sniffing?
As a security professional, there are two important reasons to sniff network traffic. First, peering into the
details of packets can prove invaluable when dissecting a network attack and designing countermeasures.
For example, if a denial of service occurs, Wireshark can be used to identify the specific type of attack. The
tool can then craft upstream firewall rules that block the unwanted traffic. The second major use of
Wireshark is to troubleshoot security devices. Specifically, I regularly use it to troubleshoot firewall rules. If
systems running Wireshark are connected to either side of a firewall, it's easy to see which packets
successfully traverse the device and identify whether the firewall is the cause of connectivity problems.

Steps for sniffing network traffic:

1. Choose Packet Sniffing Software:

1.1. Determine what your operating system and network structure are to narrow down choices of what
kind of packet sniffer to use. Some packet sniffers work across various platforms, but most are
written for a specific operating system.

1.2. Decide whether you can capture the traffic that you want to, based on your network structure. On
wired networks, you can sniff packets across the network, depending on the hub or switch that’s
being used. Check your switch and network setup, since some switches may prevent sniffing from
another network subnet. On wireless LANs, you can only monitor traffic on a specified channel.

1.3. Find out whether the sniffer supports promiscuous mode. It is necessary to set the network adapter
on the computer that will be doing the sniffing to promiscuous mode. This will capture all types of
network traffic, not just traffic being sent to the machine or a group that the machine belongs to.


1.4. Decide how much you want to spend on a packet sniffer. There are several choices in packet
sniffing software. They include free shareware versions like Ethereal; sniffers that are bundled with
other software, like Microsoft Network Monitor, and fee-based systems like LAN watch.

1.5. Check out screenshots, product literature, and user reviews before choosing a product. Make sure
they have documentation, manuals, FAQs and other types of support to meet your needs.

2. Install Packet Sniffing Software:

2.1. Download the packet sniffing software and install it according to the manufacturer’s instructions.

2.2. Configure the software. This varies by application. Generally, you’ll need to set up addresses to
capture and choose an interface from the menu. For wireless networks, you’ll have to set the channel
to be monitored.


2.3. Hit the “start” button or command to start monitoring. Choose advanced options to filter incoming
results.

2.4. Select “stop” to stop the session and “save” to save the results.

2.5. View the results. You’ll see each packet’s time, source, destination, protocol used and general
information.

2.6. Filter the display or select individual entries. This varies by the type of software, but usually shows
the results on part of the screen while the entry is highlighted, or in full screen by double-clicking the
entry. Most systems will allow you to filter results based on values in fields, comparisons between
fields and other options.

2.7. Get help from books, online resources, or user forums to learn more about how to sniff packets and
interpret the results. The results you see on screen may not be immediately clear until you have some
experience in deciphering them.


EXPERIMENT NO-5
PROBLEM DEFINITION: Implement and simulate password cracking methods.

OBJECTIVE: This experiment aims to illustrate the implementation, experimentation and simulation of
various password cracking methods and their applications in practical life.

Introduction:

Password cracking is the process of either guessing or recovering a password from stored locations or from a
data transmission system. Since the introduction of the computer password, hackers have tried to crack
passwords, but it has only become popular and practical within the last ten years. The typical way password
cracking works is to get a file containing users' hashed passwords and then run a cracker against the file to
try to get matches for all the hashes, thus revealing all the passwords in the file. While the latter part is
typically uncomfortably fast, the first can be very difficult, and many approaches may need to be taken to
penetrate a system’s security to obtain a password file. However, using simple, targeted Google searches it
has become easier to gather unprotected hashes of users.

Password Cracking Applications:

The way password cracking usually works is either to pull passwords out of dictionary files or generate
them, then run them through a hash algorithm, or to look up the hashes in a rainbow table and compare them.
This section aims to cover some of the more popular password cracking tools that are used today both by
attackers and system administrators to test the security of their systems.

1. JohnTheRipper
2. RainbowCrack
3. Cain and Abel
4. L0phtCrack
5. Aircrack-NG
6. Hashcat

Program Implementation Details:

The program written for this project demonstrates password cracking. It performs two different types of
attacks and supports two different hashes. The application is written in C# and has a GUI which lets a user
enter a password, choose an attack, hashing algorithm, and a character set. Then the user clicks the crack
button to initiate the attack on the single password. Results are displayed on how many attempts were made
to crack the password successfully and how long the attack took.

In the application there is a checkbox section which allows the user to choose which characters are in the
character set that they want to use to try to crack the password. The options are lowercase alphabet
characters (a-z), upper case alphabet characters (A-Z) and numeric characters (0-9). Any combination of
them may be chosen for consideration.
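As an added example (not the C# application described above, whose source is not reproduced in this file), the following Python script performs the same two attacks the experiment describes, a brute-force search over a selectable character set and a dictionary attack, against a single hashed password, and reports how many attempts were needed. The target hashes and the word list are constructed inline. The search_space figures and the PBKDF2 option show the defender's side of the same arithmetic: every extra character class and every extra character multiplies the attacker's work, and a slow, salted hash multiplies the cost of each individual guess.

```python
import hashlib
import itertools
import string

# Character-set options mirroring the checkboxes of the experiment's GUI.
CHARSET_OPTIONS = {
    "lower": string.ascii_lowercase,   # a-z
    "upper": string.ascii_uppercase,   # A-Z
    "digits": string.digits,           # 0-9
}


def build_charset(lower=True, upper=False, digits=False):
    """Concatenate the selected character classes into one alphabet."""
    parts = []
    if lower:
        parts.append(CHARSET_OPTIONS["lower"])
    if upper:
        parts.append(CHARSET_OPTIONS["upper"])
    if digits:
        parts.append(CHARSET_OPTIONS["digits"])
    return "".join(parts)


def hash_password(password, algo="sha256", salt=b"", iterations=1):
    """Hash a candidate; iterations > 1 switches to PBKDF2 to model a slow password hash."""
    if iterations == 1:
        return hashlib.new(algo, salt + password.encode()).hexdigest()
    return hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations).hex()


def search_space(charset, max_len):
    """Number of candidate strings of length 1..max_len over the alphabet."""
    return sum(len(charset) ** k for k in range(1, max_len + 1))


def brute_force(target_hash, charset, max_len, algo="sha256", salt=b"", iterations=1):
    """Try every string up to max_len in order; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hash_password(candidate, algo, salt, iterations) == target_hash:
                return candidate, attempts
    return None, attempts


def dictionary_attack(target_hash, wordlist, algo="sha256", salt=b"", iterations=1):
    """Try each word of a list in order; return (password, attempts) or (None, attempts)."""
    for attempts, word in enumerate(wordlist, start=1):
        if hash_password(word, algo, salt, iterations) == target_hash:
            return word, attempts
    return None, len(wordlist)


# Constructed inputs: a two-character password and a four-word list, for illustration only.
DEMO_WORDLIST = ["password", "letmein", "qwerty", "secret"]


def demo():
    """Run both attacks on constructed targets and compare search-space sizes."""
    charset = build_charset(lower=True, digits=True)
    target = hash_password("a1")                       # unsalted SHA-256, as in the experiment
    found, attempts = brute_force(target, charset, 3)
    word, tries = dictionary_attack(hash_password("qwerty"), DEMO_WORDLIST)
    return {
        "brute_force": (found, attempts),
        "dictionary": (word, tries),
        "space_lower_6": search_space(build_charset(), 6),
        "space_mixed_8": search_space(build_charset(True, True, True), 8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each guess in the PBKDF2 variant costs the attacker the same number of hash computations as the iteration count, and a per-user salt prevents one pass over a rainbow table or word list from covering every account at once; that is why the file-wide cracking described in the introduction works so well against unsalted hashes and so poorly against properly stored ones.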

Experimentation:

EXPERIMENT NO-6
PROBLEM DEFINITION: Creation and explanation of Denial of Service.

OBJECTIVE: This experiment aims to illustrate the creation and explanation of Denial of Service attack.

Introduction:

A denial-of-service attack is a security event that occurs when an attacker takes action that prevents
legitimate users from accessing targeted computer systems, devices or other network resources. Denial-of-
service (DoS) attacks typically flood servers, systems or networks with traffic in order to overwhelm the
victim resources and make it difficult or impossible for legitimate users to use them. While an attack that
crashes a server can often be dealt with successfully by simply rebooting the system, flooding attacks can be
more difficult to recover from.

The United States Computer Emergency Readiness Team (US-CERT) provides some guidelines for
determining when a DoS attack may be underway. US-CERT suggests the following may indicate such an
attack:

• Degradation in network performance, especially when attempting to open files stored on the network
or accessing websites;
• Inability to reach a particular website;
• Difficulty in accessing any website; and
• A higher than usual volume of spam email.

Creation and Explanation:

• Experts recommend a number of strategies for enterprises to defend against a denial-of-service
attack, starting with preparing an incident response plan well in advance of any attack. Once there is
suspicion that a DoS attack is underway, enterprises should contact their internet service provider
(ISP) to determine whether the incident is an actual DoS attack or degradation of performance
caused by some other factor. The ISP can help mitigate the attack by rerouting or throttling malicious
traffic and using load balancers to reduce the effect of the attack.
• Enterprises may also want to explore the possibility of using denial-of-service attack detection
products; some intrusion detection systems, intrusion prevention systems and firewalls offer DoS
detection functions. Other strategies include contracting with a backup ISP and using cloud-based
anti-DoS services.

Types of DoS attacks

In addition to differentiating between a single-source denial-of-service attack and a distributed denial-of-
service (DDoS) attack, DoS attacks can also be categorized by the methods the attack uses.

In an amplified DNS denial-of-service attack, the attacker generates crafted domain name system (DNS)
requests that appear to have originated at the victim's network and sends them to misconfigured DNS servers
managed by third parties. The amplification occurs as the intermediate DNS servers respond to the faked
DNS requests. The responses from intermediate DNS servers to the crafted attack requests may contain far
greater volume of data than ordinary DNS responses, requiring more resources to process, with the result
being to deny legitimate users access to the service.

Application layer attacks generate fake traffic to internet application servers, especially DNS servers or
HTTP servers. While some application-layer denial-of-service attacks rely simply on flooding the
application servers with network data, others depend on exploiting weaknesses or vulnerabilities in the
victim's application server or in the application protocol itself.

A buffer overflow attack is a catchall description most commonly applied to DoS attacks that send more
traffic to a network resource than was ever anticipated by the developers who designed the resource. One
example of such an attack sent, as email attachments, files that have 256-character file names to recipients
using Netscape or Microsoft email clients; the longer-than-anticipated file names were sufficient to crash
those applications.

In a DDoS attack, the attacker may use computers or other network-connected devices that have been
infected by malware and made part of a botnet. Distributed denial-of-service attacks, especially those using
botnets, use command-and-control (C&C) servers to direct the actions of the botnet members. The C&C
servers dictate what kind of attack to launch, what types of data to transmit and what systems or network
resources are to be targeted in the attack.

The ping-of-death attack abuses the Packet Inter-Network Groper (ping) protocol by sending request
messages with oversized payloads, causing targeted systems to become overwhelmed, stop responding to
legitimate requests for service and possibly crashing the victim systems.

A SYN flooding attack abuses TCP's handshake protocol by which a client establishes a TCP connection
with a server. In a SYN flooding attack, the attacker directs a high-volume stream of requests to open TCP
connections with the victim server, with no intention of actually completing the circuits. The cost of
generating the stream of SYN requests is relatively low, but responding to such requests is resource-
intensive for the victim. The result is a successful attacker is able to deny legitimate users access to the
targeted server.

TCP state exhaustion attacks occur when an attacker targets the state tables held in firewalls, routers
and other network devices by filling them with attack data. When these devices incorporate stateful
inspection of network circuits, attackers may be able to fill state tables by opening more TCP circuits
than the victim system can handle at once, preventing legitimate users from accessing the network
resource.

The teardrop attack exploits flaws in the way older operating systems handled fragmented Internet
Protocol (IP) packets. The IP specification allows packet fragmentation when the packets are too large to be
handled by intermediary routers, and it requires packet fragments specify fragment offsets; in teardrop
attacks, the fragment offsets are set to overlap each other. Hosts running affected OSes are unable to
reassemble the fragments and the attack may also crash the system.

Volumetric DoS attacks aim to interfere with legitimate access to network resources by using up all the
bandwidth available to reach those resources. In order to do this, attackers must direct a high volume of
network traffic against the victim's systems. Volumetric DoS attacks flood victim devices with network
packets using the User Datagram Protocol or the Internet Control Message Protocol, in large part because
those protocols require relatively little overhead to generate large volumes of traffic, while, at the same time,
requiring nontrivial computation on the part of the victim's network devices to process the incoming
malicious datagrams.
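As an added illustration of the state-exhaustion problem behind SYN flooding (this is not part of the original write-up), the following Python model shows the SYN cookie defence in the form proposed by D. J. Bernstein: instead of keeping a connection-table entry for every half-open connection, the server encodes a minute counter, an MSS index and a keyed hash of the connection 4-tuple in the initial sequence number of its SYN-ACK, and only allocates state when a client returns a final ACK whose number proves it received that SYN-ACK. The secret key, MSS table, lifetime and the Listener class are constructed for this demonstration and simplify what a real TCP stack does.

```python
import hashlib
import hmac

# Constructed demo values: a real stack uses a random per-boot secret and its own MSS table.
SECRET = b"constructed-demo-secret"
MSS_TABLE = [536, 1220, 1440, 1460]   # index fits in the 3 bits reserved for it
COOKIE_LIFETIME = 4                   # cookies older than this many minutes are rejected


def _mac24(saddr, sport, daddr, dport, t, mss_idx):
    """24-bit keyed hash over the 4-tuple, the minute counter and the MSS index."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{t}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, mss, minute):
    """Server ISN for the SYN-ACK: 5 bits of time, 3 bits of MSS index, 24 bits of MAC."""
    t = minute & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    return (t << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, t, mss_idx)


def check_syn_cookie(saddr, sport, daddr, dport, ack_number, minute):
    """Validate the final ACK; return the negotiated MSS, or None if the cookie is bad or stale."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges server ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if (minute - t) % 32 > COOKIE_LIFETIME:
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, sport, daddr, dport, t, mss_idx):
        return None
    return MSS_TABLE[mss_idx]


class Listener:
    """Toy listening socket: with cookies enabled, half-open SYNs consume no table entries."""

    def __init__(self, addr, port, use_cookies):
        self.addr, self.port, self.use_cookies = addr, port, use_cookies
        self.half_open = {}    # (client, port) -> pending MSS, only used without cookies
        self.established = {}  # (client, port) -> MSS

    def on_syn(self, client, cport, mss, minute):
        """Return the ISN placed in the SYN-ACK."""
        if self.use_cookies:
            return make_syn_cookie(client, cport, self.addr, self.port, mss, minute)
        self.half_open[(client, cport)] = mss
        return len(self.half_open)   # stand-in ISN; real stacks pick a random one

    def on_ack(self, client, cport, ack_number, minute):
        """Complete the handshake if the ACK is valid; return True on success."""
        if self.use_cookies:
            mss = check_syn_cookie(client, cport, self.addr, self.port, ack_number, minute)
        else:
            mss = self.half_open.pop((client, cport), None)
        if mss is None:
            return False
        self.established[(client, cport)] = mss
        return True


def simulate_flood(use_cookies, n_syns=1000):
    """Send n spoofed SYNs that are never completed; return how many table entries the server holds."""
    srv = Listener("192.0.2.10", 80, use_cookies)
    for i in range(n_syns):
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, 1460, minute=10)
    return len(srv.half_open)


if __name__ == "__main__":
    print("entries held without cookies:", simulate_flood(False))
    print("entries held with cookies:", simulate_flood(True))
```

The price of the cookie is that the server can only remember what fits in 32 bits, so TCP options beyond the MSS are lost for connections completed this way, which is why production stacks (Linux net.ipv4.tcp_syncookies) switch cookies on only once the SYN backlog is full.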

EXPERIMENT NO-7
PROBLEM DEFINITION: List various steps to identify a website’s identity.

OBJECTIVE: The objective of this experiment is to know how to identify the identity of a website.

Identifying Website’s Identity:

Have you ever noticed that your browser sometimes displays a website’s organization name on an encrypted
website? This is a sign that the website has an extended validation certificate, indicating that the website’s
identity has been verified.

How Browsers Display Extended Validation Certificates

On an encrypted website that doesn’t use an extended validation certificate, Firefox says that the website is
“run by (unknown).”

Chrome doesn’t display anything differently and says that the website’s identity was verified by the
certificate authority that issued the website’s certificate.

When you’re connected to a website that uses an extended validation certificate, Firefox tells you it’s run by
a specific organization. According to this dialog, VeriSign has verified that we’re connected to the real
PayPal website, which is run by PayPal, Inc.

When you’re connected to a site that uses an EV certificate in Chrome, the organization’s name appears in
your address bar. The information dialog tells us that PayPal’s identity has been verified by VeriSign using
an extended validation certificate.

The Problem with SSL Certificates

Years ago, certificate authorities used to verify a website’s identity before issuing a certificate. The
certificate authority would check that the business requesting the certificate was registered, call the phone
number, and verify that the business was a legitimate operation that matched the website.

Eventually, certificate authorities began offering “domain-only” certificates. These were cheaper, as it was
less work for the certificate authority to quickly check that the requester owned a specific domain (website).

Phishers eventually began taking advantage of this. A phisher could register the domain paypall.com and
purchase a domain-only certificate. When a user connected to paypall.com, the user’s browser would display
the standard lock icon, providing a false sense of security. Browsers didn’t display the difference between a
domain-only certificate and a certificate that involved more extensive verification of the website’s identity.

Public trust in certificate authorities to verify websites has fallen – this is just one example of certificate
authorities failing to do their due diligence. In 2011, the Electronic Frontier Foundation found that certificate
authorities had issued over 2000 certificates for “localhost” – a name that always refers to your current
computer. In the wrong hands, such a certificate could make man-in-the-middle attacks easier.

How Extended Validation Certificates Are Different

An EV certificate indicates that a certificate authority has verified that the website is run by a specific
organization. For example, if a phisher tried to get an EV certificate for paypall.com, the request would be
turned down.

Unlike standard SSL certificates, only certificate authorities that pass an independent audit are allowed to
issue EV certificates. The Certification Authority/Browser Forum (CA/Browser Forum), a voluntary
organization of certification authorities and browser vendors such as Mozilla, Google, Apple, and Microsoft
issues strict guidelines that all certificate authorities issuing extended validation certificates must follow.
This ideally prevents the certificate authorities from engaging in another “race to the bottom,” where they
use lax verification practices to offer cheaper certificates.

In short, the guidelines demand that certificate authorities verify the organization requesting the certificate is
officially registered, that it owns the domain in question, and that the person requesting the certificate is
acting on behalf of the organization. This involves checking government records, contacting the domain’s
owner, and contacting the organization to verify that the person requesting the certificate works for the
organization.

In contrast, a domain-only certificate verification might only involve a glance at the domain’s whois records
to verify that the registrant is using the same information. The issuing of certificates for domains like
“localhost” implies that some certificate authorities aren’t even doing that much verification. EV certificates
are, fundamentally, an attempt to restore public trust in certificate authorities and restore their role as
gatekeepers against imposters.
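As an added example of the checks a browser's site-identity dialog performs (this code is not part of the original file), the following Python script takes a certificate in the dictionary layout that Python's ssl module returns from getpeercert() and reports the validation level, the organisation that would be shown as running the site, whether the hostname is covered, and whether the certificate has expired. The two sample certificates are constructed: an EV-style certificate for www.example.com and a domain-only certificate for the lookalike name exarnple.com, in the spirit of the paypall.com example above. The attribute names are assumed to be OpenSSL's long names as exposed by getpeercert() (for example jurisdictionCountryName); fetch_peer_cert is an optional helper that needs network access and is not exercised here.

```python
import socket
import ssl

# Subject attributes the CA/Browser Forum EV guidelines require in an EV certificate's subject.
EV_SUBJECT_FIELDS = {"organizationName", "businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten getpeercert()'s subject (a tuple of RDNs, each a tuple of (name, value) pairs)."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def validation_level(cert):
    """Classify as EV, OV (organisation present) or DV (domain only) from the subject alone."""
    fields = subject_fields(cert)
    if EV_SUBJECT_FIELDS.issubset(fields):
        return "EV"
    if "organizationName" in fields:
        return "OV"
    return "DV"


def hostname_matches(cert, hostname):
    """Match the hostname against DNS subjectAltName entries; wildcards cover one label only."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def identity_report(cert, hostname, now):
    """Summarise what the site-identity dialog would show; `now` is a Unix timestamp."""
    fields = subject_fields(cert)
    return {
        "level": validation_level(cert),
        "run_by": fields.get("organizationName", "(unknown)"),
        "hostname_ok": hostname_matches(cert, hostname),
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
    }


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Live helper (needs network): return the server's certificate in getpeercert() form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the layout returned by ssl.SSLSocket.getpeercert().
EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),), (("businessCategory", "Private Organization"),),
                (("serialNumber", "0000000"),), (("countryName", "US"),),
                (("organizationName", "Example Corp"),), (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
}
DV_CERT = {
    "subject": ((("commonName", "exarnple.com"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
    "subjectAltName": (("DNS", "exarnple.com"), ("DNS", "*.exarnple.com")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    import time
    print(identity_report(EV_CERT, "www.example.com", time.time()))
    print(identity_report(DV_CERT, "login.exarnple.com", time.time()))
```

Two caveats on the classification: browsers recognise EV by the certificate-policy OID in the certificatePolicies extension matching the OID the CA registered for EV, which getpeercert() does not expose, so the subject-field test here is an approximation of that check; and since late 2019 the major browsers no longer print the organisation name in the address bar, so the "run by" information now has to be read from the site-information dialog rather than from the lock indicator.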

EXPERIMENT NO-8
PROBLEM DEFINITION: Understand phishing using NMAP, Netcat, tcpdump and Wireshark.

OBJECTIVE: The objective of this experiment is to understand phishing using NMAP, Netcat, tcpdump
and Wireshark.

Introduction to phishing:

Phishing is a form of identity theft. Individuals attempt to steal your identity and personal information to
gain access to your accounts or commit other crimes using your credentials. Some of the basic types of KEY
information that Phishers are looking for include:

Information Theft: Phishers want items like your Employee ID number and bank account numbers. In
addition, they especially want credit card numbers and social security numbers. These are the pieces of gold
that allow for:

Identity Theft: Once your ID has been stolen, it may be used for these activities.

• Financial Theft
• Medical Theft
• Character identity theft

Unlike spam, phishing attacks can be targeted. These are referred to as Spear-Phishing. Example: If you
were a past 4-H member and somehow a list of 4-H members was available on the Internet, they could craft
an E-mail targeted to you.

Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or
account information by masquerading as a reputable entity or person in email, IM or other communication
channels.

Typically, a victim receives a message that appears to have been sent by a known contact or organization.
An attachment or links in the message may install malware on the user’s device or direct them to a malicious
website set up to trick them into divulging personal and financial information, such as passwords, account
IDs or credit card details. Phishing is a homophone of fishing, which involves using lures to catch fish.

NMAP:

NMAP has been around since September 1997 - and is STILL in very active development. In fact, NMAP
has been used in quite a few Hollywood movies such as Diehard 4, The Bourne Ultimatum and The Matrix
Reloaded. NMAP is a "network-mapper", hence the name, and in my opinion, is the KING of mapping
networks. The most recent version 5.00, sports many features such as the ability to map out each device on a target
network with uncanny accuracy, identify the OS, other devices and more. Scanning a target server or device
will tell you a wealth of other information such as which ports are open, closed or filtered. It can provide in
many cases a very good topology of your network. NMAP can provide you the information about services
running on a server or network.

NMAP is a diagnostic and administrative tool. It however can be used for ill gain as easily as it can be used
for good. The reason I like NMAP is it gives me a good picture of my servers, from the inside and from the
outside. I can see if a port has been left open or should be open and is not open. I can determine quickly if a
nasty root kit or RAT (Trojan) has been placed on a server by the opening of certain ports and much more.

This tool can help quickly determine if you have MALWARE on your server; it can help you sort out DNS
issues and look for HTTP-OPEN-PROXY issues. I love the fact that it will read back to you in many cases, the
equipment sitting behind the firewall - such as temperature sensors, various routers, Printers, Wi-Fi gear and
on and on.

Wireshark:

Wireshark is a tool that anyone running a dedicated server should have. This is essentially a wire sniffer. It
"Sniffs" packets on the wire and will tell you everything from where a browser is going or coming from all
the way to showing you all clear-text passwords. If it is running on the inside (behind the firewall) of a
server, it can report on every single packet on the network that it sees. This quickly becomes information
overload and thus it offers many methods to filter. One use of this for security is to determine if there is
unauthorized activity on your server. Working a few months ago with a client, I used Wireshark to
determine there was unauthorized activity (FTP) in progress, which of course allowed us to shut down the
perpetrators quickly. Wireshark is powerful and in the wrong hands - dangerous. Other uses for Wireshark
include finding weak or bad cables or physical ports in your network, bad drivers, etc. Anything that is ON
the wire. Again - sniffing without permission is illegal in many places and should not be done.

Netcat:

By far one of the best tools out there - and one of the ones used to open 'back doors' by hackers. This tool
can open backdoor shells, conduct file transfers (the infamous "Captain Crunch" team from Russia uses a
similar function in their C99 Shell), offers port scanning, creates a variety of relays, can grab the TCP
banner and more. Overall this is a strong and powerful tool that you should know all about if you run a
dedicated server.

TCP dump:

Tcpdump is a command-line network analyzer tool or, more technically, a packet sniffer. It can be thought of
as the command-line version of Wireshark (only to a certain extent, since Wireshark is much more powerful
and capable). As a command-line tool tcpdump is quite powerful for network analysis, as filter expressions
can be passed in and tcpdump will pick up only the matching packets and dump them.

Tcpdump's output is rather raw compared to other network analyzer tools, which leaves the analysis to the
human rather than to the tool. Someone who can use tcpdump properly will therefore find it much more
powerful than a tool that does the analysis for them.

Installing tcpdump:

tcpdump can be easily installed on a system.

For example, on Ubuntu, one can install tcpdump using:

$ sudo apt-get install tcpdump

Some basic tcpdump commands:

tcpdump outputs contents of selected network packets. The output is typically preceded by a timestamp
which is printed by default as:

<hours>:<minutes>:<seconds>.<fractions of a second>

By default, tcpdump keeps printing outputs until a SIGINT signal is received. On terminating, it prints:

• Number of packets captured
• Number of packets received by the filter used in the tcpdump command
• Number of packets dropped by the kernel, i.e. the number of packets dropped mainly because of lack of
buffer space.
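As an added example (not from the original file), here is a small Python reader for tcpdump's default TCP output lines in the timestamped format described above. It follows each client-to-server three-way handshake and counts, per source address, the connections that never received the client's final ACK, which is the trace a SYN flood (Experiment 6) leaves in a capture. The sample capture is constructed to look like the output of `tcpdump -n 'tcp port 80'` on the server (one normal client, one source leaving five half-open connections, one ARP line to show that non-TCP lines are skipped); the flag letters follow tcpdump's convention (S = SYN, . = ACK, P = PSH, F = FIN, R = RST), and the threshold is an assumed value.

```python
import re
from collections import defaultdict

# Matches the start of a tcpdump TCP line: timestamp, addresses with port suffix, flag letters.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict of fields for a TCP line, or None for lines that are not TCP (e.g. ARP)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    hours, minutes, seconds = fields["ts"].split(":")
    fields["time"] = int(hours) * 3600 + int(minutes) * 60 + float(seconds)  # seconds since midnight
    for key in ("sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def handshake_states(lines):
    """Follow each client->server handshake: 'syn' -> 'synack' -> 'open' (or 'reset')."""
    states = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        flags = p["flags"]
        client_key = (p["src"], p["sport"], p["dst"], p["dport"])   # if this packet is from the client
        server_key = (p["dst"], p["dport"], p["src"], p["sport"])   # if this packet is from the server
        if flags == "S":                                 # client SYN opens a half-open entry
            states[client_key] = "syn"
        elif flags == "S.":                              # server SYN-ACK answers it
            if states.get(server_key) == "syn":
                states[server_key] = "synack"
        elif "R" in flags:                               # either side tore it down
            for key in (client_key, server_key):
                if key in states:
                    states[key] = "reset"
        elif states.get(client_key) == "synack":         # client's ACK completes the handshake
            states[client_key] = "open"
    return states


def half_open_by_source(lines):
    """Count handshakes that were never completed by the client, per client address."""
    counts = defaultdict(int)
    for (client, _, _, _), state in handshake_states(lines).items():
        if state in ("syn", "synack"):
            counts[client] += 1
    return dict(counts)


def suspect_sources(lines, threshold=3):
    """Addresses with at least `threshold` half-open connections (assumed flood indicator)."""
    return sorted(src for src, n in half_open_by_source(lines).items() if n >= threshold)


# Constructed capture: one client completing a handshake, one source leaving five half-open.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [S], seq 10, win 64240, length 0
12:00:01.000200 IP 192.0.2.10.80 > 198.51.100.4.51000: Flags [S.], seq 500, ack 11, win 65535, length 0
12:00:01.000300 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [.], ack 501, win 64240, length 0
12:00:01.000400 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [P.], seq 11:90, ack 501, win 64240, length 79
12:00:02.000100 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000200 IP 192.0.2.10.80 > 203.0.113.7.40001: Flags [S.], seq 600, ack 2, win 65535, length 0
12:00:02.000300 IP 203.0.113.7.40002 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000400 IP 192.0.2.10.80 > 203.0.113.7.40002: Flags [S.], seq 601, ack 2, win 65535, length 0
12:00:02.000500 IP 203.0.113.7.40003 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000600 IP 203.0.113.7.40004 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000700 IP 203.0.113.7.40005 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000800 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
""".splitlines()

if __name__ == "__main__":
    print("half-open connections per source:", half_open_by_source(SAMPLE_CAPTURE))
    print("suspect sources:", suspect_sources(SAMPLE_CAPTURE))
```

To run it on a real capture, pipe `tcpdump -n -l 'tcp port 80'` (the -l flag line-buffers the output) into the script and feed sys.stdin to suspect_sources; a flood from spoofed addresses shows up as many sources each with a few half-open connections rather than one source with many, so the per-source threshold should be complemented by a total count.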

EXPERIMENT NO-9
PROBLEM DEFINITION: Generating digital certificates and understanding CAs.

OBJECTIVE: The objective of this experiment is to understand digital certificates and CAs.

Introduction to Digital Certificates:


A digital certificate is a digital form of identification, much like a passport or driver's license. A digital
certificate is a digital credential that provides information about the identity of an entity as well as other
supporting information. A digital certificate is issued by an authority, referred to as a certification authority
(CA). Because a digital certificate is issued by a certification authority, that authority guarantees the validity
of the information in the certificate. Also, a digital certificate is valid for only a specific period of time.
Digital certificates provide support for public key cryptography because digital certificates contain the
public key of the entity identified in the certificate. Because the certificate matches a public key to a
particular individual, and that certificate's authenticity is guaranteed by the issuer, the digital certificate
provides a solution to the problem of how to find a user's public key and know that it is valid. These
problems are solved by a user obtaining another user's public key from the digital certificate. The user
knows it is valid because a trusted certification authority has issued the certificate.

Understanding How Digital Certificates Are Structured:

• Version number: The version of the X.509 standard to which the certificate conforms.
• Serial number: A number that uniquely identifies the certificate and is issued by the certification
authority.
• Certificate algorithm identifier: The names of the specific public key algorithms that the certification
authority has used to sign the digital certificate.
• Issuer name: The identity of the certification authority who actually issued the certificate.
• Validity period: The period of time for which a digital certificate is valid; contains both a start
date and an expiration date.
• Subject name: The name of the owner of the digital certificate.
• Subject public key information: The public key that is associated with the owner of the digital
certificate and the specific public key algorithms associated with the public key.
• Issuer unique identifier: Information that can be used to uniquely identify the issuer of the digital
certificate.
• Subject unique identifier: Information that can be used to uniquely identify the owner of the digital
certificate.
• Extensions: Additional information that is related to the use and handling of the certificate.
• Certification authority's digital signature: The actual digital signature made with the certification
authority's private key using the algorithm specified in the certificate algorithm identifier field.

How Digital Certificates Are Used for Digital Signatures:

As discussed in "Public Key Cryptography and Digital Signatures" in Understanding Public Key
Cryptography, the relationship of a public key to a user's private key allows a recipient to authenticate and
validate a sender's message. Digital certificates provide support to public key cryptography by providing a
reliable means to distribute and access public keys. When a sender is signing a message, the sender provides
the private key that is associated with the public key available on the digital certificate. In turn, when the
recipient is validating a digital signature on a message, the recipient is obtaining the public key to perform
that operation from the sender's digital certificate. The following figure shows the sequence of signing with
the addition of the supporting elements of digital certificates.

Digital certificates and digital signing of an e-mail message

1. Message is captured.
2. Hash value of the message is calculated.
3. Sender's private key is retrieved from the sender's digital certificate.
4. Hash value is encrypted with the sender's private key.
5. Encrypted hash value is appended to the message as a digital signature.
6. Message is sent.
The following figure shows the sequence of verifying with the addition of the supporting elements of digital
certificates.

Digital certificates and verifying a digital signature of an e-mail message

1. Message is received.
2. Digital signature containing encrypted hash value is retrieved from the message.
3. Message is retrieved.
4. Hash value of the message is calculated.
5. Sender's public key is retrieved from the sender's digital certificate.
6. Encrypted hash value is decrypted with the sender's public key.
7. Decrypted hash value is compared against the hash value produced on receipt.
8. If the values match, the message is valid.

Certification Authorities:

A certificate authority (CA) is a trusted third-party organization or company that issues digital certificates
used to create digital signatures and encryption keys. The role of the CA in this process is to guarantee the
identity of the party granted the certificate. Usually, this means that the CA has an arrangement with a
financial institution that provides information to validate the grantee's identity.

To install digital certificates for secure messaging, you must select a CA from whom to obtain the
certificates. There are many CAs to choose from, and most of them do business on the World Wide Web.
Some of the best known are:

• Verisign, Inc.
• Entrust Technologies.
• Baltimore Technologies.
• Thawte.

There are also numerous lesser known CAs, which might be appropriate if they are well known in a
particular geographical region or industry. One of the systems participating in a secure integration might
even serve as CA for the other participants. Each CA provides a unique set of security services and has its
own way of handling digital certificates.

Before you implement secure messaging with PeopleSoft Integration Broker, investigate the available
CAs, select one or more from whom you will obtain digital certificates, and familiarize yourself with their
policies and procedures.

An SSL Certificate is a popular type of Digital Certificate that binds the ownership details of a web server
(and website) to cryptographic keys. These keys are used in the SSL/TLS protocol to activate a secure
session between a browser and the web server hosting the SSL Certificate. In order for a browser to trust an
SSL Certificate, and establish an SSL/TLS session without security warnings, the SSL Certificate must
contain the domain name of the website using it, be issued by a trusted CA, and not have expired.
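As an added worked example, not code from the original file or from any CA or PeopleSoft product, the following Python script mirrors the certificate fields listed under "Understanding How Digital Certificates Are Structured" and the signing and verification sequences above: a toy CA issues a certificate binding a subject name to a public key, the sender signs a message with its private key, and the recipient checks the CA's signature on the certificate before taking the sender's public key from it. One caveat on step 3 of the signing sequence: the private key is never inside the certificate; the certificate carries only the public key, and the sender keeps the private key separately, which is what the code does. The RSA keys are built from fixed Mersenne primes and the SHA-256 digest is reduced modulo the toy modulus, so the key material is constructed for illustration and is not secure; real certificates use X.509 DER encoding and padded RSA or ECDSA signatures.

```python
import hashlib
import json

E = 65537

# Toy key material: the Mersenne primes 2^61-1, 2^89-1, 2^107-1 and 2^127-1. Constructed for
# illustration only; real keys use random primes of 1024 bits or more each.
M61, M89, M107, M127 = (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1


def make_keypair(p, q):
    """Textbook RSA: public (n, e), private (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest_int(data, n):
    """Hash the data (SHA-256) and reduce into the modulus (toy stand-in for PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, priv):
    """Signing steps 2-4: hash the message, then 'encrypt' the hash with the private key."""
    return pow(digest_int(data, priv["n"]), priv["d"], priv["n"])


def verify(data, signature, pub):
    """Verifying steps 4-8: recover the hash with the public key and compare with a fresh hash."""
    return pow(signature, pub["e"], pub["n"]) == digest_int(data, pub["n"])


def to_be_signed(cert):
    """Canonical bytes of every certificate field except the CA's own signature."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_priv, issuer, subject, subject_pub, not_before, not_after, serial):
    """The CA binds a subject name to a public key and signs the whole record."""
    cert = {
        "version": 3,                          # X.509 v3
        "serial": serial,
        "algorithm": "sha256-with-toy-rsa",    # certificate algorithm identifier
        "issuer": issuer,
        "validity": [not_before, not_after],   # ISO dates, compared as strings
        "subject": subject,
        "public_key": subject_pub,             # subject public key information
    }
    cert["signature"] = sign(to_be_signed(cert), ca_priv)
    return cert


def verify_certificate(cert, ca_pub, today):
    """Trust the certificate only if it is within its validity period and the CA's signature checks."""
    not_before, not_after = cert["validity"]
    if not (not_before <= today <= not_after):
        return False
    return verify(to_be_signed(cert), cert["signature"], ca_pub)


def verify_signed_message(message, signature, sender_cert, ca_pub, today):
    """Recipient: validate the sender's certificate, then take the public key from it (step 5)."""
    if not verify_certificate(sender_cert, ca_pub, today):
        return False
    return verify(message, signature, sender_cert["public_key"])


# A toy CA and one subscriber. The CA signs ALICE_PUB; it never sees ALICE_PRIV.
CA_PUB, CA_PRIV = make_keypair(M107, M127)
ALICE_PUB, ALICE_PRIV = make_keypair(M61, M89)
ALICE_CERT = issue_certificate(CA_PRIV, "Example Root CA", "alice@example.com",
                               ALICE_PUB, "2024-01-01", "2025-12-31", 1001)


def demo():
    """Sign one message with Alice's private key and run the checks a recipient performs."""
    message = b"Transfer approved: invoice 42"
    sig = sign(message, ALICE_PRIV)
    forged_cert = dict(ALICE_CERT, subject="mallory@example.com")   # edited subject, stale signature
    return {
        "genuine": verify_signed_message(message, sig, ALICE_CERT, CA_PUB, "2024-06-01"),
        "tampered_message": verify_signed_message(message + b"0", sig, ALICE_CERT, CA_PUB, "2024-06-01"),
        "forged_cert": verify_signed_message(message, sig, forged_cert, CA_PUB, "2024-06-01"),
        "expired_cert": verify_signed_message(message, sig, ALICE_CERT, CA_PUB, "2026-03-01"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The order of checks in verify_signed_message is the important part: the recipient's trust in Alice's public key comes entirely from the CA's signature over the certificate and from the CA's public key already being trusted (the trust anchor), so a message signature is meaningless until the certificate has been validated against that anchor and its validity period.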

What goes into running a CA?

As a trust anchor for the Internet, CAs have significant responsibility. As such running a CA within the
auditable requirements is a complex task. A CA’s infrastructure consists of considerable operational
elements, hardware, software, policy frameworks and practice statements, auditing, security infrastructure
and personnel. Collectively the elements are referred to as a trusted PKI (Public Key Infrastructure).

Certificates come in many different formats to support not just SSL, but also authenticate people and
devices, and add legitimacy to code and documents. Visit the GlobalSign Products section for more
information.