DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

ACADEMIC YEAR: 2023-2024

LAB MANUAL

CCS354 - NETWORK SECURITY LABORATORY

(VI SEMESTER)
REGULATION 2021

Prepared By
Mrs. C.Kalaiarasi, AP/CSE
 PERI Institute of Technology
Department of Computer Science and Engineering

VISION AND MISSION OF THE INSTITUTION

Vision:

PERI Institute of Technology visualizes growing in future to an internationally recognized seat of

higher learning in engineering, technology & science. It also visualizes being a research incubator for
academicians, industrialists and researchers from across the world, enabling them to work in an
environment with the sophisticated and state of the art equipment and amenities provided at the institute.

Mission:

In the process of realization of its Vision, PERIIT strives to provide quality technical education at
affordable cost in a challenging & stimulating environment with state-of-the-art facilities and a global
team of dedicated and talented academicians, without compromising in its core values of honesty,
transparency and excellence.

VISSION AND MISSION OF THE DEPARTMENT

Vision:
The vision of the department is to prepare industry-ready competent professionals with moral
values by imparting scientific knowledge and skill-based education.

Mission:

• To provide exposure of latest tools and technologies in the broad area of computing.
• To promoter search-based projects/activities in the emerging area soft technology.
• ToenhanceIndustryInstituteInteractionprogramtogetacquaintedwithcorporatecultureand
to develop entrepreneurship skills.
• To induce ethical values and spirit of social commitment.
PROGRAM OUTCOMES (POs)

1Engineering knowledge: Apply the knowledge of mathematics, science, engineering

fundamentals, and an engineering specialization to the solution of complex engineering
problems.

2 Problem analysis: Identify, formulate, review research literature, and analyze complex
engineering problems reaching substantiated conclusions using first principles of
mathematics, natural sciences, and engineering sciences.

3 Design/development of solutions: Design solutions for complex engineering problems and

design system components or processes that meet the specified needs with appropriate
consideration for the public health and safety, and the cultural, societal, and environmental
considerations.

4 Conduct investigations of complex problems: Use research-based knowledge

and research methods including design of experiments, analysis and interpretation of data,
and synthesis of the information to provide valid conclusions.

5 Modern tool usage: Create, select, and apply appropriate techniques, resources, and
modern engineering and IT tools including prediction and modeling to complex engineering
activities with an understanding of the limitations.

6 The engineer and society: Apply reasoning informed by the contextual knowledge to
assess societal, health, safety, legal and cultural issues and the consequent responsibilities
relevant to the professional engineering practice.

7 Environment and sustainability: Understand the impact of the professional engineering

solutions in societal and environmental contexts, and demonstrate the knowledge of, and need
for sustainable development.

8 Ethics: Apply ethical principles and commit to professional ethics and responsibilities and
norms of the engineering practice.

9 Individual and team work: Function effectively as an individual, and as a member or

leader in diverse teams, and in multidisciplinary settings.

10 Communication: Communicate effectively on complex engineering activities with the

engineering community and with society at large, such as, being able to comprehend and write
effective reports and design documentation, make effective presentations, and give and receive clear
instructions.

11 Project management and finance: Demonstrate knowledge and understanding of the

engineering and management principles and apply these to one’s own work, as a member and
leader in a team, to manage projects and in multidisciplinary environments.

12 Life-long learning: Recognize the need for, and have the preparation and ability to
engage in independent and life-long learning in the broadest context of technological change.
 LIST OF EXPERIMENTS

Ex.
Name of the Experiment
No.
1(a).
Implementingsymmetrickeyalgorithms-DES

1(b)
Implementingsymmetrickeyalgorithms -AES

2(a)
Implementingasymmetrickeyalgorithms

2(b)
ImplementingKeyexchange algorithms

3.
Calculate the message digest of a text using the SHA-1 algorithm.

4.
Implement the SIGNATURESCHEME-DigitalSignature Standard.

5.
Installationof Wireshark,tcp dump and observe data transferred in client-
server communication using UDP/TCP and identify the UDP/TCP
datagram.

6.
Check messag integrity andconfidentiality using SSL

7
Experiment Eavesdropping,Dictionaryattacks,MITMattacks

8
ExperimentwithSniffTrafficusingARP Poisoning

9
Demonstrate intrusion detection systemusing any tool.

10
Explore network monitoring tools

11
Studyto configureFirewall, VPN
Ex.No:1(a) DataEncryptionStandard(DES)Algorithm(
UserMessageEncryption)

AIM:
TouseDataEncryptionStandard(DES)AlgorithmforapracticalapplicationlikeUserMessage Encryption.

ALGORITHM:
1. CreateaDESKey.
2. CreateaCipherinstancefromCipherclass,specifythefollowinginformationandseparatedbya slash
(/).
a. Algorithmname
b. Mode(optional)
c. Paddingscheme(optional)
3. ConvertStringintoByte[] array format.
4. MakeCipher inencryptmode,andencryptitwithCipher.doFinal()method.
5. MakeCipher indecryptmode,anddecryptitwithCipher.doFinal()method.

PROGRAM:

DES.java
importjava.security.InvalidKeyException;
importjava.security.NoSuchAlgorithmException;

importjavax.crypto.BadPaddingException;
import javax.crypto.Cipher;
importjavax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
importjavax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;

publicclass DES
{
publicstaticvoidmain(String[]argv){

try{
System.out.println("MessageEncryptionUsingDESAlgorithm\n --------- ");
KeyGeneratorkeygenerator=KeyGenerator.getInstance("DES"); SecretKey
myDesKey = keygenerator.generateKey();
CipherdesCipher;
desCipher=Cipher.getInstance("DES/ECB/PKCS5Padding");
desCipher.init(Cipher.ENCRYPT_MODE,myDesKey); byte[]
text = "Secret Information ".getBytes();
System.out.println("Message [Byte Format] : " + text);
System.out.println("Message : " + new String(text));
byte[] textEncrypted = desCipher.doFinal(text);
System.out.println("EncryptedMessage:"+textEncrypted);
desCipher.init(Cipher.DECRYPT_MODE, myDesKey);
byte[] textDecrypted = desCipher.doFinal(textEncrypted);

System.out.println("DecryptedMessage:"+newString(textDecrypted));
 }catch(NoSuchAlgorithmExceptione){
e.printStackTrace();
}catch(NoSuchPaddingExceptione){
e.printStackTrace();
}catch(InvalidKeyExceptione){
e.printStackTrace();
}catch(IllegalBlockSizeExceptione){
e.printStackTrace();
}catch(BadPaddingExceptione){
e.printStackTrace();
}

}
}

OUTPUT:
MessageEncryptionUsingDES Algorithm

Message[ByteFormat]:[B@4dcbadb4
Message : Secret InformationEncrypted
Message: [B@504bae78
DecryptedMessage:SecretInformation

RESULT:
Thusthejavaprogramfor DESAlgorithmhasbeenimplementedandtheoutputverified successfully.
Ex.No:1(b)Date:AdvancedEncryptionStandard(AES)Algorithm(URLEncryption)

AIM:
TouseAdvanced EncryptionStandard(AES) Algorithmforapractical application like
URL Encryption.

ALGORITHM:
1. AESisbasedonadesignprinciple knownasa substitution–permutation.
2. AESdoesnot useaFeistelnetworklikeDES,itusesvariantofRijndael.
3. It hasafixedblock size of128bits,andakeysize of128, 192,or256bits.
4. AESoperates ona4×4column-major orderarrayofbytes,termedthe state

PROGRAM:
AES.java
importjava.io.UnsupportedEncodingException;
import java.security.MessageDigest;
importjava.security.NoSuchAlgorithmException;
import java.util.Arrays;
importjava.util.Base64;

importjavax.crypto.Cipher;
importjavax.crypto.spec.SecretKeySpec;

public class AES {

privatestaticSecretKeySpecsecretKey;
private static byte[] key;

publicstaticvoidsetKey(StringmyKey){
MessageDigest sha = null;
try{
key=myKey.getBytes("UTF-8");
sha=MessageDigest.getInstance("SHA-1");
key = sha.digest(key);
key=Arrays.copyOf(key,16);
secretKey=newSecretKeySpec(key,"AES");
}catch(NoSuchAlgorithmExceptione){
e.printStackTrace();
}catch(UnsupportedEncodingExceptione){
e.printStackTrace();
}
}

publicstaticStringencrypt(StringstrToEncrypt,Stringsecret){ try
{
setKey(secret);
Ciphercipher=Cipher.getInstance("AES/ECB/PKCS5Padding");
 cipher.init(Cipher.ENCRYPT_MODE,secretKey);
returnBase64.getEncoder().encodeToString(cipher.doFinal(strToEncrypt.getBytes("UTF-8")));
}catch(Exceptione) {
System.out.println("Error whileencrypting:"+e.toString());
}
returnnull;
}

publicstaticStringdecrypt(StringstrToDecrypt,Stringsecret){ try
{
setKey(secret);
Ciphercipher=Cipher.getInstance("AES/ECB/PKCS5PADDING");
cipher.init(Cipher.DECRYPT_MODE, secretKey);
returnnewString(cipher.doFinal(Base64.getDecoder().decode(strToDecrypt)));
}catch(Exceptione) {
System.out.println("Error whiledecrypting:"+e.toString());
}
returnnull;
}

publicstaticvoidmain(String[]args){
finalStringsecretKey ="annaUniversity";

StringoriginalString="www.annauniv.edu";
String encryptedString = AES.encrypt(originalString, secretKey);
StringdecryptedString=AES.decrypt(encryptedString,secretKey);

System.out.println("URLEncryptionUsingAESAlgorithm\n ---------------");
System.out.println("Original URL : " + originalString);
System.out.println("EncryptedURL:"+encryptedString);
System.out.println("DecryptedURL:"+decryptedString);
}
}

OUTPUT:
URLEncryptionUsingAES Algorithm

Original URL:www.annauniv.edu
EncryptedURL:vibpFJW6Cvs5Y+L7t4N6YWWe07+JzS1d3CU2h3mEvEg=
Decrypted URL : www.annauniv.edu

RESULT:
ThusthejavaprogramforAESAlgorithmhasbeenimplementedforURLEncryptionandtheoutput verified
successfully.
 Ex.No:2(a)
RSAAlgorithm

AIM:
ToimplementRSA(Rivest–Shamir–Adleman)algorithmbyusingHTMLand Javascript.

ALGORITHM:
1. Choosetwoprimenumberpand q
2. Computethevalue ofnand p
3. Findthevalue ofe (public key)
4. Computethevalueofd(privatekey)usinggcd()
5. Dotheencryptionand decryption
a. Encryptionisgivenas,
c=temodn
b. Decryptionisgivenas,
t=cdmodn

PROGRAM:
rsa.html
<html>

<head>
<title>RSAEncryption</title>
<metaname="viewport"content="width=device-width,initial-scale=1.0">
</head>

<body>
<center>
<h1>RSA Algorithm</h1>
<h2>ImplementedUsingHTML&Javascript</h2>
<hr>
<table>
<tr>
<td>Enter FirstPrimeNumber:</td>
<td><inputtype="number"value="53"id="p"></td>
</tr>
<tr>
<td>Enter SecondPrime Number:</td>
<td><inputtype="number"value="59"id="q"></p>
</td>
</tr>
<tr>
<td>EntertheMessage(ciphertext):<br>[A=1,B=2,...]</td>
<td><inputtype="number"value="89"id="msg"></p>
</td>
</tr>
<tr>
<td>PublicKey:</td>
<td>
<p id="publickey"></p>
</td>
 </tr>
<tr>
<td>Exponent:</td>
<td>
<p id="exponent"></p>
</td>
</tr>
<tr>
<td>PrivateKey:</td>
<td>
<p id="privatekey"></p>
</td>
</tr>
<tr>
<td>CipherText:</td>
<td>
<p id="ciphertext"></p>
</td>
</tr>
<tr>
<td><buttononclick="RSA();">ApplyRSA</button></td>
</tr>
</table>
</center>
</body>
<scripttype="text/javascript">
function RSA() {
vargcd,p, q,no, n,t, e, i,x;
gcd=function (a,b){return (!b)?a :gcd(b, a%b);};
p = document.getElementById('p').value;
q = document.getElementById('q').value;
no=document.getElementById('msg').value; n
= p * q;
t= (p - 1) * (q- 1);

for(e=2;e<t;e++){ if
(gcd(e, t) == 1) {
break;
}
}

for(i=0;i<10;i++){ x =
1+i*t
if(x%e==0){ d =
x / e; break;
}
}

ctt=Math.pow(no,e).toFixed(0); ct
= ctt % n;
 dtt=Math.pow(ct,d).toFixed(0); dt
= dtt % n;

document.getElementById('publickey').innerHTML = n;
document.getElementById('exponent').innerHTML = e;
document.getElementById('privatekey').innerHTML=d;
document.getElementById('ciphertext').innerHTML=ct;
}
</script>
</html>

OUTPUT:

RESULT:
ThustheRSAalgorithmhasbeenimplementedusingHTML&CSSandtheoutputhasbeenverified successfully.
Ex.No:2(b)Date: Diffie-Hellmankeyexchangealgorithm

AIM:
Toimplement theDiffie-Hellman KeyExchangealgorithm foragivenproblem.

ALGORITHM:

1. AliceandBobpubliclyagreetouseamodulusp=23andbaseg=5 (which is

a primitive root modulo 23).

2. Alicechoosesasecretintegera=4,thensendsBob A=gamodp
o A=54mod 23=4
3. Bobchoosesasecretintegerb=3,thensends AliceB=gbmodp
o B=53mod 23=10
4. Alicecomputess=Bamodp
o s=104mod 23=18
5. Bobcomputes s=Abmodp
o s=43mod 23=18
6. AliceandBob nowshareasecret(thenumber18).

PROGRAM:
DiffieHellman.java
classDiffieHellman{
publicstaticvoidmain(Stringargs[]){
intp=23;/*publiclyknown(primenumber)*/ int g
= 5; /* publicly known (primitive root) */ int x =
4; /* only Alice knows this secret */
int y = 3; /* only Bob knows this secret */
doublealiceSends=(Math.pow(g,x))%p;
doublebobComputes=(Math.pow(aliceSends,y))%p; double
bobSends = (Math.pow(g, y)) % p;
doublealiceComputes=(Math.pow(bobSends,x))%p; double
sharedSecret = (Math.pow(g, (x * y))) % p;
System.out.println("simulationofDiffie-Hellmankeyexchangealgorithm\n-------------------------
");
System.out.println("Alice Sends : " + aliceSends);
System.out.println("Bob Computes : " + bobComputes);
System.out.println("Bob Sends : " + bobSends);
System.out.println("AliceComputes:"+aliceComputes);
System.out.pri ntln("SharedSecret :"+sharedSecret);
 /*sharedsecretsshouldmatchandequality istransitive*/
if((aliceComputes==sharedSecret)&&(aliceComputes==bobComputes))
System.out.println("Success: Shared Secrets Matches! " + sharedSecret);
else
System.out.println("Error:SharedSecretsdoesnot Match");
}
}

OUTPUT:
simulationofDiffie-Hellman keyexchange algorithm

Alice Sends : 4.0

BobComputes:18.0
Bob Sends : 10.0
AliceComputes:18.0 Shared
Secret : 18.0
Success:SharedSecretsMatches!18.0

RESULT:
ThustheDiffie-HellmankeyexchangealgorithmhasbeenimplementedusingJavaProgramandthe output
has been verified successfully.
Ex.No:3
Date: SHA-1Algorithm

AIM:
ToCalculate themessagedigestofatextusing theSHA-1algorithm.

ALGORITHM:
1. AppendPaddingBits
2. AppendLength -64bitsareappendedtothe end
3. PrepareProcessingFunctions
4. PrepareProcessingConstants
5. InitializeBuffers
6. ProcessingMessagein512-bitblocks(Lblocksin totalmessage)

PROGRAM:
sha1.java
importjava.security.*;

publicclasssha1 {
publicstaticvoidmain(String[]a){ try
{
MessageDigest md = MessageDigest.getInstance("SHA1");
System.out.println("Message digest object info:\n ---------------- ");
System.out.println("Algorithm="+md.getAlgorithm());
System.out.println("Provider=" + md.getProvider());
System.out.println("ToString=" + md.toString());
String input = "";
md.update(input.getBytes());
byte[] output = md.digest();
System.out.println();
System.out.println("SHA1(\""+input+"\")="+bytesToHex(output)); input =
"abc";
md.update(input.getBytes());
output = md.digest();
System.out.println();
System.out.println("SHA1(\""+input+"\")="+bytesToHex(output)); input =
"abcdefghijklmnopqrstuvwxyz";
 md.update(input.getBytes());

output=md.digest();
System.out.println();
System.out.println("SHA1(\""+input+"\")="+bytesToHex(output));
System.out.println();
} catch (Exception e) {
System.out.println("Exception:"+e);
}
}

privatestaticStringbytesToHex(byte[]b){
charhexDigit[]={'0','1','2','3','4','5','6','7','8','9', 'A','B','C','D','E','F'};
StringBufferbuf=newStringBuffer();

for(byteaB:b) {
buf.append(hexDigit[(aB>>4)&0x0f]);
buf.append(hexDigit[aB & 0x0f]);
}

returnbuf.toString();
}
}

OUTPUT:
Messagedigestobject info:

Algorithm=SHA1
Provider=SUNversion12
ToString=SHA1 Message Digest from SUN,

<initialized>SHA1("")=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709

SHA1("abc")=A9993E364706816ABA3E25717850C26C9CD0D89D

SHA1("abcdefghijklmnopqrstuvwxyz")=32D10C7B8CF96570CA04CE37F2A19D84240D3A89

RESULT:
ThustheSecureHashAlgorithm(SHA-1)hasbeenimplemented andtheoutputhasbeenverified successfully.
Ex.No:4 DigitalSignatureStandard
Date:

AIM:
To implement the SIGNATURESCHEME-DigitalSignatureStandard.

ALGORITHM:
1. CreateaKeyPairGenerator object.
2. InitializetheKeyPairGeneratorobject.
3. GeneratetheKeyPairGenerator....
4. Getthe private keyfrom thepair.
5. Createasignatureobject.
6. InitializetheSignature object.
7. Adddatato theSignature object
8. CalculatetheSignature

PROGRAM:

importjava.security.KeyPair;
importjava.security.KeyPairGenerator;
importjava.security.PrivateKey; import
java.security.Signature;
importjava.util.Scanner;

publicclassCreatingDigitalSignature{
publicstaticvoidmain(Stringargs[])throwsException{

Scannersc=newScanner(System.in);
System.out.println("Entersometext");
String msg = sc.nextLine();

KeyPairGeneratorkeyPairGen=KeyPairGenerator.getInstance("DSA");

keyPairGen.initialize(2048);

KeyPairpair=keyPairGen.generateKeyPair();

PrivateKey privKey = pair.getPrivate();

Signaturesign=Signature.getInstance("SHA256withDSA");
sign.initSign(privKey);
byte[]bytes="msg".getBytes();

sign.update(bytes);

byte[]signature=sign.sign();

System.out.println("Digitalsignatureforgiventext:"+newString(signature,"UTF8"));
}
}
OUTPUT:
Entersometext
Hihoware you
Digitalsignatureforgiventext:0=@gRD???-?.???? /yGL?i??a!?

RESULT:
ThustheDigitalSignatureStandardSignatureSchemehasbeenimplementedandtheoutputhas been
verified successfully.
 InstallationofWireshark,tcpdumpandobservedatatransferredinclient-server
comm
Ex.No:5
Date:

Aim:
ToinstallationofWireshark,tcpdumpandobservedatatransferredinclient-servercommunicationusing
UDP/TCP and identify the UDP/TCP datagram.

Introduction:
The first part of the lab introduces packet sniffer, Wireshark. Wiresharkis a freeopen-
source network protocol analyzer. It is used for network troubleshooting and
communication protocol analysis. Wireshark captures network packets in real time
and display them in human-readable format. It provides many advanced features
including live captureand offline analysis, three-pane packet browser, coloring rules
for analysis. This document uses Wireshark for the experiments, and it covers
Wireshark installation, packet capturing, and protocol analysis.
Figure1:Wireshark in KaliLinux
Background

TCP/IPNetworkStack

Figure2:Encapsulation ofDatain theTCP/IPNetwork Stack

In the CSC 4190 Introduction to Computer Networking (one of the perquisite courses), TCP/IP
network stack is introduced and studied. This background section briefly explains the concept of
TCP/IP network stack to help you better understand the experiments. TCP/IP is the most
commonly used network model for Internet services. Because its most important protocols, the
Transmission Control Protocol (TCP) and the Internet Protocol (IP) were the first networking
protocols defined in this standard, it is named as TCP/IP. However, it contains multiple layers
including application layer, transport layer, network layer, and data link layer.

- ApplicationLayer:Theapplication layer includestheprotocolsusedbymostapplications for

providing user services. Examples of application layer protocols are Hypertext

Transfer Protocol (HTTP), Secure Shell (SSH), File Transfer Protocol (FTP), and Simple
 Mail Transfer Protocol (SMTP).
- TransportLayer: The transport layer establishes process-to-process connectivity, and it
provides end-to-end services that are independent of underlying user data. To implement
the process-to-process communication, the protocol introduces a concept of port. The
examples of transport layer protocols are Transport Control Protocol (TCP) and User
Datagram Protocol (UDP). The TCP provides flow- control, connection establishment,
and reliable transmission of data, while the UDP is a connectionless transmission model.
- InternetLayer:TheInternetlayer isresponsibleforsendingpackets toacrossnetworks.It has
two functions: 1) Host identification by using IP addressing system (IPv4 and IPv6); and
2) packets routing from source to destination. The examples of Internet layer protocols
are Internet Protocol (IP), Internet Control Message Protocol (ICMP), and Address
Resolution Protocol (ARP).
- LinkLayer: The link layer defines the networking methods within the scope of the local
network link. It is used to move the packets between two hosts on the same link. An
common example of link layer protocols is Ethernet.

PacketSniffer

Packet sniffer is a basic tool for observing network packet exchangesin a computer.As the name
suggests, a packet sniffer captures (“sniffs”) packets being sent/received from/by your computer;
it will also typically store and/or display the contents of the various protocol fields in these
captured packets. A packet sniffer itself is passive. It observes messages being sent and received
by applications and protocolsrunning on your computer, but never sends packets itself.

Figure 3 shows the structure of a packet sniffer. At the right of Figure 3 are the protocols(inthis
case, Internet protocols) and applications (such as a web browser or ftp client) that normally run
on your computer. The packet sniffer, shown within the dashed rectangle in Figure 3 is an
addition to the usual software in your computer, and consists of two parts. The packet capture
library receives a copy of every link-layer frame that is sent from or received by your computer.
Messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all
are eventually encapsulated in link-layer framesthat are transmitted over physical media such as
an Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all upper-layer
protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames

thusgivesyouaccesstoallmessagessent/received from/byallprotocolsand applications

executingin your computer.

The second component of a packet sniffer is the packet analyzer, which displays the contents of
all fields within a protocol message. In order to do so, the packet analyzer

PacketSniffer Structure

must “understand” the structure of all messages exchanged by protocols. For example, suppose
weareinterested indisplayingthevariousfieldsinmessagesexchangedbytheHTTPprotocolin Figure
3. Thepacket analyzer understands the formatof Ethernet frames, and so can identify the IP
datagram within an Ethernet frame. It also understands the IP datagram format, so that it can
extract the TCP segment within the IP datagram. Finally, it understands the TCP segment
structure, so it can extract the HTTP message contained in the TCP segment. Finally, it
understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP
message willcontain the string “GET,” “POST,” or “HEAD”.

We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for these labs,
allowing us to display the contents of messages being sent/received from/by protocolsat different
levels of the protocol stack. (Technically speaking, Wireshark is a packet analyzer that uses a
packet capture library in your computer). Wireshark is a free network protocol analyzer that runs
on Windows, Linux/Unix, and Mac computers.

Getting Wireshark

TheKaiLinuxhasWiresharkinstalled.YoucanjustlaunchtheKaliLinuxVMandopen Wireshark
there.Wireshark can also be downloaded from here:

https://www.wireshark.org/download.html
(DownloadPageofWireshark)

StartingWireshark:
WhenyouruntheWiresharkprogram,theWiresharkgraphicuserinterfacewillbeshownas
Figure5.Currently,theprogramisnotcapturingthe packets.

InitialGraphicUserInterfaceofWireshark
Then, you need to choose an interface. If you are running the Wireshark on your laptop, youneed
to select WiFi interface. If you are at a desktop, you need to select the Ethernet interface being
used. Note that there could be multiple interfaces. In general, you can select any interface but
that does not mean that traffic will flow through that interface. The network interfaces (i.e., the
physical connections) that your computer has to the network are shown. The attached Figure 6
was taken from my computer.

Afteryouselecttheinterface,youcanclickstartto capturethepacketsasshowninFigure7.

CaptureInterfacesin Wireshark

CapturingPacketsinWireshark
 (WiresharkGraphicalUserInterfaceonMicrosoftWindows)

TheWireshark interface hasfivemajor components:

Thecommandmenus arestandardpulldownmenuslocated atthetopofthewindow.Ofinterest to us

now is the File and Capture menus. The File menu allows you to save captured packet data or
open a file containing previously captured packet data, and exit the Wireshark application.The
Capture menu allows you to begin packet capture.

The packet-listingwindow displays a one-line summary for each packet captured, including the
packet number (assigned by Wireshark; this is not a packet number contained in any protocol’s
header), thetime atwhich thepacketwascaptured, thepacket’s sourceand destination addresses, the
protocol type, and protocol-specific information contained in the packet. The packet listing can be
sorted according to any of these categories by clicking on a column name. The protocol type field
lists the highest- level protocol that sent or received this packet, i.e., the protocol that is the source
or ultimate sink for this packet.

The packet-headerdetailswindow provides details about the packet selected (highlighted) in

thepacket-listing window.(Toselect apacketinthepacket-listing window,placethecursorover the
packet’s one- line summary in the packet-listing window and click with the left mouse button.).
These details include information about the Ethernet frame and IP datagram that
 contains this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or
minimized by clicking on the right- pointing or down- pointing arrowhead to the left of the
Ethernet frame or IP datagram line in the packet details window. If the packet has been carried
over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be expanded
or minimized. Finally,details about the highest-level protocol that sent or received this packet are
also provided.

The packet-contentswindow displays the entire contents of the captured frame, in both ASCII
and hexadecimal format.

Towards the top of the Wireshark graphical user interface, is the packetdisplayfilterfield, into
which a protocol name or other information can be entered in order to filter the information
displayed in the packet-listing window (and hence the packet-header and packet-contents
windows). In the examplebelow, we’ll use the packet-display filter field to have Wireshark hide
(not display) packets except those that correspond to HTTP messages.

CapturingPackets
After downloading andinstalling Wireshark, youcan launch itandclick thename ofan interface
under Interface List to start capturing packets on that interface. For example, if you want to
capture traffic on the wireless network, click your wireless interface.

Test Run

Dothefollowing steps:

1. StartuptheWiresharkprogram(selectaninterfaceandpressstarttocapturepackets).
2. Startupyourfavoritebrowser (ceweaselinKaliLinux).
3. Inyourbrowser,goto Wayne Statehomepage bytypingwww.wayne.edu.
4. Afteryourbrowserhasdisplayedthehttp://www.wayne.edupage,stopWiresharkpacket
capturebyselectingstopintheWiresharkcapturewindow.ThiswillcausetheWireshark capture
window to disappear and the main Wireshark window to display all

packetscapturedsinceyoubeganpacketcaptureseeimagebelow:
5. ColorCoding:You’llprobablyseepacketshighlightedingreen,blue,andblack.
Wireshark uses colors to help you identify the types of traffic at a glance. By default,
green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black
identifies TCP packets with problems — for example, they could have been deliveredout-
of-order.
6. Younowhavelivepacketdatathatcontainsallprotocolmessagesexchangedbetween
your computer and other network entities! However, as you will notice the HTTP
messages are not clearly shown because there are many other packets included in the
packetcapture. Even thoughtheonly action youtookwastoopenyourbrowser,thereare many
other programs in your computer that communicate via the network in the
 background. To filter theconnections to theoneswewanttofocus on,wehaveto usethe
filtering functionality ofWiresharkbytyping“http” in thefilteringfield asshown below:
Notice that we now view only the packets that are of protocol HTTP. However, we also still do
not have the exact communication we want to focus on because using HTTP as a filter is not
descriptive enough to allow us to find our connection to http://www.wayne.edu. We need to be
more precise if we want to capture the correct set of packets.

7. TofurtherfilterpacketsinWireshark,weneedtouseamoreprecisefilter.Bysettingthe
http.host www.wayne.edu, we are restricting the view to packets that have as an http host the
www.wayne.edu website. Notice that we need two equal signs to perform the match not just
one. See the screenshot below:

8. Now, wecan try another protocol. Let’suse Domain Name System (DNS) protocol as an
example here.
9. ofthe
Let’strynowtofindoutwhatarethosepacketscontainbyfollowing
conversations (also called network flows), select one of the packets and press the right
mouse button (if you are on a Mac use the command button and click), you should see
something similar to the screen below:

ClickonFollowUDPStream,andthenyouwillseefollowing screen.
10. If we close this window and change the filter back to “http.hos ww.wayne.edu” and then follow a
packetfromthelistofpacketsthatmatchthatfilter,weshouldgetthesomethingsimilartothefollowing screens.
Note that we click on FollowTCPStream this time.
Result:

InstallationofWireshark,tcpdumpandobservedatatransferredinclient-servercommunicationusing
UDP/TCP and identify the UDP/TCP datagram.
 Ex.No:6 CheckmessageintegrityandconfidentialityusingSSL
Date:

Aim

SSLSessioninDetails

Handshaking-CiphersuitNegotiation

Client sends a plaintext Client_Hello message and suggests some cryptographic parameters
(collectively called ciphersuit) to be used for their communication session. The Client_Hello
message also contains a 32-byte random number denoted as client_random. For example,

Client_Hello:
Protocol Version: TLSv1 if you can, else SSLv3.
KeyExchange:RSAifyoucan,elseDiffe-Hellman.
SecretKeyCipherMethod:3DESifyoucan,elseDES.
Message Digest: SHA-1 if you can, else MD5.
DataCompressionMethod:PKZipifyoucan,elsegzip. Client
Random Number: 32 bytes.

The stronger method (in terms of security) shall precede the weaker one, e.g. RSA (1024-bit)
precedes DH, 3DES precedes DES, SHA-1 (160-bit) precedes MD5 (128-bit).

Server responds with a plaintext Server_Helllo to state the ciphersuit of choice (server decides on
the ciphersuit). The message also contains a 32-byte random number denoted as server_random.For
example,

Server_Hello:
ProtocolVersion:TLSv1.
KeyExchange:RSA.
SecretKeyCipherMethod:DES.
Message Digest: SHA-1.
DataCompressionMethod:PKZip.
Server Random Number: 32 bytes.

Handshaking-KeyExchange

The server sends its digital certificate to the client, which is supposedly signed by a root CA. The
client uses the root CA'spublic key to verify the server's certificate (trusted root-CAs' public key are
pre-installed inside the browser). It then retrieves the server's public key from the server's
certificate. (If the server's certificate is signed by a sub-CA, the client has to build a digital
certificate chain, leading to a trusted root CA, to verify the server's certificate.)

The server can optionally request for the client's certificate to authenticate the client. In
practice,server usually does not authenticate the client. This is because:
 • Serverauthenticatesclient bycheckingthecreditcardinane-commercetransaction.
• Mostclients donothaveadigital certificate.
• Authenticationviadigitalcertificate takestimeandtheservermayloseanimpatient client.

Thenextstepisto establish theSession Key:

1. The client generates a 48-byte (384-bit) random number called pre_master_secret, encrypts
it using the verified server's public key and sends it to the server.
2. Server decrypts the pre_master_secret using its own private key. Eavesdroppers cannot
decrypt the pre_master_secret, as they do not possess the server's private key.
3. Client and serverthen independently and simultaneously create the session key, based on the
pre_master_secret, client_random and server_random. Notice that both the server and client
contribute to the session key,through the inclusion of the random number exchange in the
hello messages. Eavesdroppers can intercept client_random and server_random as they are
sent in plaintext, but cannot decrypt the pre_master_secret.
4. In a SSL/TLSsession, the session key consists of 6 secret keys (to thwart crypto-analysis).3
secret keys are used for client-to-server messages, and the other 3 secret keys are used for
server-to-client messages. Among the 3 secret keys, one is used for encryption (e.g., DES
secret key), one is used for message integrity (e.g., HMAC) and one is used for cipher
initialization. (Cipher initialization uses a random plaintext called Initial Vector (IV) to
prime the cipher pump.)
5. Client and server use the pre_master_secret (48-byte random number created by the client
and exchange securely), client_random, server_random, and a pseudo-random function
(PRF) to generate a master_secret. They can use the master_secret, client_random,
server_random, and the pseudo-random function (PRF) to generate all the 6 shared secret
keys. Once the secret keys are generated, the pre_master_secret is no longer needed and
should be deleted.
6. Fromthispointonwards,alltheexchanges areencryptedusingthesessionkey.
7. The client sends Finished handshake message using their newly created session key. Server
responds with a Finished handshake message.

MessageExchange

Clientandservercanusetheagreed-uponsessionkey(consistsof6secretkeys)forsecure exchange of messages.

Sending messages:

1. Thesendercompresses themessage using theagreed-upon compressionmethod(e.g.,

PKZip, gzip).
2. The senderhashes the compresseddataand the secret HMAC keyto make an HMAC,
toassure message integrity.
3. ThesenderencryptsthecompresseddataandHMACusingencryption/decryptionsecret key, to
assure message confidentiality.

Retrievemessages:

1. The receiver decrypts the ciphertext using the encryption/decryption secret key to retrieve
the compressed data and HMAC.
 2. The receiver hashes the compressed data to independently produce the HMAC. It then
verifies the generated HMAC with the HMAC contained in the message to assure message
integrity.
3. The receiver un-compresses the data using the agreed-upon compression method to recover
the plaintext.

Thefollowing diagramshowsthesequenceoftheSSLmessagesforatypical client/serversession.

ASSLSessionTrace

WecoulduseOpenSSL'ss_client(with debugoption)toproduceaSSLsession trace.

> openssls_client?
(Displaytheavailableoptions)

Thefollowing commandturnsonthedebugoptionandforcestheprotocoltobe TLSv1:

> openssls_client-connectlocalhost:443-CAfileca.crt-debug-tls1

Loading'screen'intorandomstate-done
CONNECTED(00000760)

writeto 00988EB0[009952C8](102bytes=>102(0x66))
0000- 16 03 01 00 61 01 00 00-5d 03 01 40 44 35 27 5c....a...]..@D5'\
0010- 5ae8 74 26 e9 49 37 e2-063b1c6d 77 37d1 aeZ.t&.I7..;.mw7..
0020- 44 07 86 47 98 fa84 1a-8d f472 00 00 36 00 39D..G ........... r..6.9
0030 - 00 38 00 35 00 16 00 13-00 0a00 33 00 32 00 2f.8.5.......3.2./
0040 - 00 07 00 66 00 05 00 04-00 63 00 62 00 61 00 15...f.....c.b.a..
0050 - 00 12 00 09 00 65 00 64-00 60 00 14 00 11 00 08.....e.d.`......
0060 - 00 06 00 03 01 .....
0066 - <SPACES/NULS>

readfrom00988EB0[00990AB8](5bytes=>5(0x5))
0000 - 16 03 01 00 2a .......................................*

readfrom00988EB0[00990ABD](42bytes =>42 (0x2A))

0000- 02 00 0026 03 01 40 44-3527 ccef2b51 e1b0...&..@D5'..+Q..
0010- 44 1f ef c48372 df 37-4f 9b 2b dd11 50 13 87D....r.7O.+..P..
0020- 91 0aa2d2 28b9 00 00-16 ....(....
002a- <SPACES/NULS>

readfrom00988EB0[00990AB8](5bytes=>5(0x5))
0000 - 16 03 01 02 05 .....

read from 00988EB0 [00990ABD] (517 bytes => 517 (0x205))

0000 - 0b 00 02 01 00 01 fe 00-01 fb 30 82 01 f7 30 82..........0 ..... 0.
0010 - 01 60 02 01 01 30 0d 06-09 2a86 48 86 f7 0d 01.`...0...*.H....
0020- 01 04 05 00 30 4d 31 0b-30 09 06 03 55 04 06 13....0M1.0...U...
0030-02 5553 3110 300e06-0355 040b 1307 7465.US1.0...U...te
0040- 73 74 31 30 31 31 0c30-0a06 03 55 04 03 13 03st1011.0...U....
0050 - 63 68 63 31 1e30 1c06-09 2a86 48 86 f7 0d 01chc1.0...*.H....
0060 - 09 01 16 0f 63 68 63 40-7465 73 74 31 30 31 2e ....... chc@test101.
0070 - 63 6f 6d 30 1e17 0d 30-34 30 32 32 36 30 36 35com0 ...... 040226065
0080 - 36 35 34 5a17 0d 30 35-3032 32 35 30 36 35 36654Z0502250656
0090- 35 34 5a30 3b 31 0b 30-0906 03 55 04 06 13 0254Z0;1.0...U....
00a0- 55 53 31 0c30 0a06 03-5504 03 13 03 63 68 63US1.0...U ...........chc
00b0- 31 1e30 1c06 09 2a86-4886 f7 0d 01 09 01 161.0...*.H.......
00c0- 0f 63 68 63 40 74 65 73-74 31 30 31 2e63 6f 6d.chc@test101.com
00d0- 30 81 9f 30 0d 06 09 2a-8648 86 f7 0d 01 01 010..0...*.H......
00e0- 05 00 03 81 8d00 30 81-8902 81 8100 cd e49e......0.........
00f0- 7cb6 d2 34 4ed3 53 46-25c753 88 25 60 e6 46|..4N.SF%.S.%`.F
0100- db 643a73 61 92ac23-92cd 2c94 a98fc6 7f.d:sa..#..,.....
0110-4773c0d98d34b72c-ddc986bd826fceacGs...4.,.....o.. 0120 - d8
e2 ba 0f e5 f5 3a 67-2c 89 1a 1b 03 eb 21 85......:g,. ...................... !.
0130-28 e32998 84ed 46 75-82fa 0f 30a3a9a571(.)...Fu...0..q
0140- 46 4cd6 0d 17 c4 19 fd-44 fbe218 46 a69d abFL......D...F...
0150- 91 de6b a17ffe30 06-28 5d d8 d329 00 c3 1d..k...0.(]..)...
0160 - 4c13 00 61 8ff3 85 51-f568 d8 69 25 02 03 01L..a...Q.h.i%...
0170 - 00 01 30 0d 06 09 2a86-4886 f7 0d 01 01 04 05..0...*.H.......
0180- 00 03 81 81 0029 fdbf-5aed70 8f53 a4e914.....)..Z.p.S...
0190- 4c5eba 84 c654 1b f2-c03cc4 300f7f 12 80L^...T...<.0....
01a0- 4e01b7fd 39 50 f1 41-0dd8 aa77 d9 87 25 1aN...9P.A...w..%.
01b0- 1ee297 884f 53 75 c8-70226a01 61 0f 51 3e ............. OSu.p"j.a.Q>
01c0- 13 19 9c 64 f2 76 14 e8-8525 23 a211c48cf8...d.v...%#.....
01d0- 23 2cd1 c3d371 3ae6-7154 10 07dc72 ff ee#,...q:.qT...r..
01e0- e83ecf 8e7773 e9 9f-f59a90 604d a0aa03.>..ws.....`M...
01f0- 32 1f 11 6f 2e9a5f 3c-770522 0c81bf 29 962..o.._ 5 (0x5))
0000 - 16 03 01 01 8d .....

read from 00988EB0 [00990ABD] (397 bytes => 397 (0x18D))

0000 - 0c 00 01 89 00 80 e6 96-9d 3d 49 5b e3 2c 7c f1 ........... =I[.,|.
0010- 80 c3bd d4 79 8e91b7-81 82 51bb 05 5e2a20....y.....Q..^*
0020- 64 904a79 a770 fa15-a259 cbd523 a6 a6 efd.Jy.p...Y..#...
0030- 09 c43048 d5a22f 97-1f 3c 20 12 9b48 00 0e..0H../..<..H..
0040 - 6edd 06 1cbc05 3e37-1d 79 4e53 27 df61 1en ............. >7.yNS'.a.
0050 - bb be 1b ac 9b 5c 60 44-cf 02 3d 76 e0 5e ea 9b .....\`D..=v.^..
0060 - ad 99 1b 13 a6 3c 97 4e-9e f1 83 9e b5 db 12 51.....<.N ......... Q
0070- 36 f7 26 2e56 a8 8715-38dfd8 23 c6 5050 856.&.V...8..#.PP.
0080- e2 1f0dd5 c8 6b 00 01-0200 80 11 3f5f fae4.....k......?_..
0090- 79 9a0bd9 e067 37 c4-2a 88 22b0 95b7 a7bey....g7.*.".....
00a0- 93 79 9d 51 ae31 47 99-df47 dd 80 5e3d 2a4a.y.Q.1G..G..^=*J
00b0- 298b fd c163 5e48e8-e3fdac95 1b3a5f 75)...c^H ................. .:_u
00c0- 98 2d 3c9cba 68 18 7b-be38 2c693d 41b7 c3.-<..h.{.8,i=A..
00d0- 08 a1 da b0 a8 a4fe9a-d61e56 ff4c8c6e6b ..................... V.L.nk
00e0- 18 f1ec9d 22a99027-c1c62c0ebd 0e13 d4...."..'..,.....
00f0- fdb2 c9 8f 6fbb 8e06-e0b5 1f f787 03 5f a8....o.................._.
0100- 12 4fbb cebaf1 76 fb-8008 37 0080 30 99 ad.O....v...7..0..
0110 - 9b fc 3a 14 6b a8 2c c5-fe 7b bd 1c 92 ec 19 a6..:.k.,..{......
0120- 75 2d 69 4ef49f 74 60-5dd4 3e06 97 38bcb5u-iN..t`].>..8..
0130- 0e3c1ff2 99e655 4a-36 42 a8f2b7 32 2a1e.< ............... UJ6B..2*.
0140- a387b3 f379 43 28 d1-7a0d db 7c11 26 f3 68....yC(.z..|.&.h
0150-b173b678 4b f322 20-e4f7 2708 ab7492 92.s.xK."..'..t..
0160- 79 26 6140 1ee990 11-e8 b1 cf99 d9 9fc768y&a@ .................... h
0170- 48 e8f2a5 d5 d70ee1-889abd 0f 40 85af2dH ...................... @..-
0180- da76 3a10 6eb9 38 4d-379c41 c89f .v:.n.8M7.A..

readfrom00988EB0[00990AB8](5bytes=>5(0x5))
0000 - 16 03 01 00 04 .....

readfrom00988EB0[00990ABD](4bytes=>4(0x4))
0000 - 0e .
0004 - <SPACES/NULS>

writeto00988EB0[00999BE0](139bytes=>139(0x8B))
0000- 16 03 01 00 86 10 00 00-82 00 80 63 c23c69 26...........c...dU.....]n..
0030- 05f1 db 44f313 a824-3a76 0e3e1a6e55 0c...D..$:v.>.nU.
0040- 31 9b 04 99 30ff 8f d2-8d 8e0db167 ac43 ee1...0 ............... g.C.
0050-b2 3f d3c7c5 3381 e1-3fd2 47 6f5d 8afb 4c.?...3..?.Go]..L
0060- 62 c723b3 f7ad3ca9-0c87 4a0807 55ba06b.#...<...J..U..
0070- 3418 0c5fd9 35 f02b-90 9a9d6b 87 6241 0f4.._.5.+. .k.bA.
0080-b3 4774 5f 5b b859 5a-b221 dd .Gt_[.YZ.!.

writeto00988EB0[00999BE0](6bytes=>6(0x6))
0000 - 14 03 01 00 01 01 ......

writeto 00988EB0[00999BE0](45bytes=> 45(0x2D))

0000- 16 03 01 00 28 0f 31 83-e0f8 91 fa33 98 68 46....(.1 .......... 3.hF
0010- c060 83 66 28 fed3 a5-00f0 98 d5 df 22 72 2d.`.f( .............. "r-
0020- e4 409b 96 3b4cf9 02-13a7e7 7774 .@..;L .... wt

readfrom00988EB0[00990AB8](5bytes=>5(0x5))
0000 - 14 03 01 00 01 .....

readfrom00988EB0[00990ABD](1bytes=>1(0x1))
0000 - 01 .

readfrom00988EB0[00990AB8](5bytes=>5(0x5))
0000 - 16 03 01 00 28 ....................................... (

readfrom00988EB0[00990ABD](40bytes =>40 (0x28))

0000- d40b a6b7e89109 1e-e41e fc445f 80 cca1...........D_...
0010- 5d 5155 3e62e80f 78-07f62f cdf9bc49 8d]QU>b..x../..I.
0020- 56 5b e8b2 09 2c18 52- V[.,.R
---

Certificatechain
0 s:/C=US/CN=chc/emailAddress=chc@test101.com
 i:/C=US/OU=test101/CN=chc/emailAddress=chc@test101.com
---

Server certificate
-----BEGIN CERTIFICATE-----
MIIB9zCCAWACAQEwDQYJKoZIhvcNAQEEBQAwTTELMAkGA1UEBhMCVVMxEDAOB
gNV
BAsTB3Rlc3QxMDExDDAKBgNVBAMTA2NoYzEeMBwGCSqGSIb3DQEJARYPY2hjQHRl
c3QxMDEuY29tMB4XDTA0MDIyNjA2NTY1NFoXDTA1MDIyNTA2NTY1NFowOzELMAkG
A1UEBhMCVVMxDDAKBgNVBAMTA2NoYzEeMBwGCSqGSIb3DQEJARYPY2hjQHRlc3Q
x
MDEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN5J58ttI0TtNTRiXH
U4glYOZG22Q6c2GSrCOSzSyUqY/Gf0dzwNmNNLcs3cmGvYJvzqzY4roP5fU6ZyyJ
GhsD6yGFKOMpmITtRnWC+g8wo6mlcUZM1g0XxBn9RPviGEamnauR3muhf/4wBihd
2NMpAMMdTBMAYY/zhVH1aNhpJQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBACn9v1rt
cI9TpOkUTF66hMZUG/LAPMQwD38SgE4Bt/05UPFBDdiqd9mHJRoe4peIT1N1yHAi
agFhD1E+ExmcZPJ2FOiFJSOiEcSM+CMs0cPTcTrmcVQQB9xy/+7oPs+Od3Ppn/Wa
kGBNoKoDMh8Rby6aXzx3BSIMgb8plq3LOxiu
-----ENDCERTIFICATE-----

subject=/C=US/CN=chc/emailAddress=chc@test101.comissuer=/C=US/OU=test101/CN=chc/emailAddress=chc
@test101.com
---

Noclient certificateCAnamessent
---

SSLhandshakehasread1031bytesandwritten 292 bytes

---

New,TLSv1/SSLv3,CipherisEDH-RSA-DES-CBC3-SHA
Serverpublickeyis1024bit
SSL-Session:
Protocol:TLSv1
Cipher :EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key:57FDDAF85C7D287F9F9A070E8784A29C75E788DA2757699B
20F3CA50E7EE01A66182A71753B78DA218916136D50861AE
Key-Arg: None
Start Time: 1078211879
Timeout : 7200 (sec)
Verifyreturncode:0(ok)
---

GET/test.htmlHTTP/1.0

writeto 00988EB0[009952C8](82bytes=>82(0x52))
0000- 17 0301 00 1874 fa45-352db1 2459 cf ad96.....t.E5-.$Y...
0010 - 34 30 01 7dbe8e70 f9-41 62 11 f136 17 03 0140.}..p.Ab..6...
0020- 00 30 56 61ba2d d3 58-5de6 6a8378 07 87 7a.0Va.-.X].j.x..z
0030-db b2a740c76dc14a-203b 827daa15e865...@.m.J ;.}...e
0040- 3b 92bd c8 20e99d 41-f177 51 d9ae31 c4 2c;.....A.wQ..1.,
0050 - 32 5a 2Z

writeto 00988EB0[009952C8](58bytes=>58(0x3A))
0000- 17 03 01 00 18 39 2f df-4375 91 13 34 1b 12 04.....9/.Cu..4...
0010- 7d ef8d e186 544f 67-c81dcd 07a41703 01}....TOg........
0020- 00 1853 d9 22 9deb 6e-8b79f8 e482 2fbaea..S."..n.y.../..
0030- 03 a5 3f 12 85 2e9f 64-ffdc ..?.... d..

readfrom00988EB0[00990AB8](5bytes=>5(0x5))
0000 - 17 03 01 01 48 ....................................... H

readfrom00988EB0[00990ABD](328bytes =>328 (0x148))

0000 - bd eb 8b 9c 01 ac 73 30-8f ca a4 8b 2a 6f bd 02 ......s0....*o..
0010- d7 fc71 18 61 47 f2 1d-708b 10 7d 98 28 a450..q.aG..p..}.(.P
0020- f3 0f42 e8 c5e1 3e53-34bd c7 62 34 1b 5e 8c..B...>S4..b4.^.
0030- 99 2d 89 c6b3f019 96-22 97 43b8 8f9d 76 42.-......".C..vB
0040- 95 a5 7cdb 3b22dd 57-29 8d e8d428 3e89 d8..|.;".W)...(>..
0050- 46 e5 dc35 5156 f8 44-d182 44 a065b0 93 22F..5QV.D..D.e.."
0060- 4b 0aeb07 26 c92ae2-45 4cde 07 0cbb 3ec6K...&.*.EL............... >.
0070-bc37 94 cdec94 2f35-7637 13 4d 0f 88 9cb1.7..../5v7.M....
0080- d7 1c58 8a35 5b32 bc-122b 9ce65b d4 86bd..X.5[2..+..[...
0090- 39 fc99 18 79 ecf7 53-db59 74 49 da07 69 549...y..S.YtI..iT
00a0-f466aa363439f9 0b-87509e 76 db9fd044.f.649...P.v. .D
00b0-0c0de765809bb851-563dd0dbaa55ffca...e...QV=...U.. 00c0 - 74
38 24 c1 8c d7 32 cf-ab 03 b3 59 29 0f 80 18t8$...2....Y)...
00d0- 6ad4 e07efd41 8cf7-1d81 12 a700b3 71 39j..~.A ................... q9
00e0- 78 1e3c17 42d4 99 22-69 7b 2d 09efd8 6ef4x.<.B.."i{ ..............n.
00f0- 64 f661 34 72 8c89 f5-a8ea1cb1 0d 08 ff 17d.a4r...........
0100- 51 3e46 2b 38 75 61 6a-1e34 f4 14 14 38 0d 5eQ>F+8uaj.4 ........ 8.^
0110- 6eba db ef83 88eea5-2c185a0c27 e3 d9 19n.......,.Z.'...
0120- 6ca312 c0 a1 3d e114-96d3 1af9c9 f2aa d6l....=..........
0130- 12 d5 36ae36 f2 18 f5-dfc6ef34 d7 7d2b 70..6.6................4.}+p
0140 - 99 88 47 93 91 09 56b1- ..G .. V.

HTTP/1.1200OK
Date:Tue,02Mar200407:18:08GMT
Server:Apache/1.3.29(Win32)mod_ssl/2.8.16OpenSSL/0.9.7c
Last-Modified: Sat, 07 Feb 2004 10:53:25 GMT
ETag:"0-23-4024c3a5"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type:text/html

<h1>Homepageonmain server</h1>

readfrom00988EB0[00990AB8](5bytes=>5(0x5))
0000 - 15 03 01 00 18 .....

readfrom00988EB0[00990ABD](24bytes =>24 (0x18))

0000-a54751bdaa0f9be4-ac d428f2d0a0c8fa.GQ.......(..... 0010 - 2c
d4 e5 e4 be c5 01 85- ,.......

closed

writeto 00988EB0[009952C8](29bytes=>29(0x1D))
0000- 15 03 01 00 18d4 19b9-59 88 88 c0 c9 38 ab5c........Y .......... 8.\
0010 - 98 8c43 fdb8 9e14 3d-77 5e4c68 03 ..C ... =w^Lh.

TraceAnalysis

Thedatatobetransmitted isbrokenupintoseriesoffragments.Eachfragmentisprotectedfor integrity

using HMAC. (more)

EachSSLrecordbeginswith a5-byte header:

• Byte0:RecordContent Type.FourContentTypesaredefined,asfollows:

ContentType HexCode Description

Handshake 0x16 The record carries a handshaking message
Application_Data 0x17 Encrypted Application Data
Change_Cipher_Spec 0x14 Toindicateachangeinencryptionmethods.
Alert 0x15 To signal various types of errors

• Byte 1&2: SSL version (0x0301forTLSv1,0x0300for SSLv3).

• Byte3&4: Therecordlength,excludingthe5-byte header.

Letusbeginlookinginto thehandshakemessagecontainedwithinaSSLrecord (ofContentType

0x16).Thehandshakemessagehasa4-byteheader:

• Byte0:Handshake Type,asfollows:

HandshakeType HexCode
hello_request 0x00
client_hello 0x01
server_hello 0x02
certificate 0x0b
server_key_exchange 0x0c
certificate_request 0x0d
server_hello_done 0x0e
certificate_verify 0x0f
client_key_exchange 0x10
finished 0x14

• Byte1 -3:The messagelength, excluding the3-byte header.

Hence,aclient_hellorecordwillbeginwitha5-byterecordheader,followedbya4-byte handshake
message header. For example,

Client_Hello

The first handshake message is always sent by the client, called client_hellomessage. In this
message, the client tells the server its preferences in terms of protocol version, ciphersuit, and
compression method. The client also includes a 32-byte random number (client_random) in the
message, which is made up of a 4-byte GMT Unix time (seconds since 1970), plus another 28
random bytes.

YoumustrefertoRFC2246forthestructureoftheClient_Hellomessage.

Bytes Len Value Description

00 1 16 RecordContentType-HandshakeMessage
01-02 2 03 01 SSLversion-TLSv1
03-04 2 00 61 RecordLength
05 1 01 HandshakeType- Client_Hello
06-08 3 00 00 5d MessageLength (0x61-4=0x5d)
09-0A 2 03 01 Clientpreferredversion(client_version) -TLSv1

0B-0E4 4044 3527 GMTTime

0C-2A28 5c... 72 28randombytes Client_Random

2B 1 00 SessionIDLength0 (forresumingthe session)

2C-2D 2 00 36 CiphersuitLength -27choices (2-byteeach)
2E-63 54 .... The27Ciphersuits (SeeTable)
64 1 01 CompressionMethod Length -1
65 1 00 CompressionMethod:NULL.

CiphersuitCodeusedinClient_HelloandServer_Hellomessagesistabulatedasfollows:

Aut Has
CipherSuite KeyExchange Encryption Cod
h h e
MD
RSA_WITH_NULL_MD5 RSARSA NULL
5 0001
RSA_WITH_NULL_SHA RSA RSA NULL SHA0002
MD
RSA_EXPORT_WITH_RC4_40_MD5 RSA RSA_EXPORT RC4_40
5 0003
MD
RSA_WITH_RC4_128_MD5 RSARSA RC4_128
5 0004
RSA_WITH_RC4_128_SHA RSA RSA RC4_128 SHA0005
MD
RSA_EXPORT_WITH_RC2_CBC_40_MD5 RSA RSA_EXPORT RC2_40_CBC
5 0006
RSA_WITH_IDEA_CBC_SHA RSARSA IDEA_CBC SHA0007
RSA_EXPORT_WITH_DES40_CBC_SHA RSARSA_EXPORT DES40_CBC SHA0008
RSA_WITH_DES_CBC_SHA RSARSA DES_CBC SHA0009

3DES_EDE_CB
RSA_WITH_3DES_EDE_CBC_SHA RSARSA 000
C SHAA
000
DH_DSS_EXPORT_WITH_DES40_CBC_SH DH_DSS_EXP DES_40_CBC SHA
A RSA T B
000
DH_DSS_WITH_DES_CBC_SHA DSSDH DES_CBC SHA
C
3DES_EDE_CB
DH_DSS_WITH_3DES_EDE_CBC_SHA DSSDH 000
C SHAD
DH_RSA_EXPORT_WITH_DES40_CBC_SH 000
RSADH_EXPORTDES_40_CBC SHA E
A
DH_RSA_WITH_DES_CBC_SHA RSA DH DES_CBC SHA000F
3DES_EDE_CB
DH_RSA_WITH_3DES_EDE_CBC_SHA DSSDH
C SHA0010
DHE_DSS_EXPORT_WITH_DES40_CBC_S
HA DSS DH_EXPORT RC4_40 SHA0011
DHE_DSS_WITH_DES_CBC_SHA DSS DHE RC4_128 SHA0012
DHE_DSS_WITH_3DES_EDE_CBC_SHA DSS DHE DES_40_CBC SHA0013

DHE_RSA_EXPORT_WITH_DES40_CBC_S DHE_EXPOR
RSA T DES_CBC SHA0014
HA
DHE_RSA_WITH_DES_CBC_SHA RSA DH DES_CBC SHA0015
3DES_EDE_CB
DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA DHE
C SHA0016
MD
DH_anon_EXPORT_WITH_RC4_40_MD5 - DH_EXPORTRC4_40
5 0017
MD
DH_anon_WITH_RC4_128_MD5 - DH RC4_128
5 0018
DH_anon_EXPORT_WITH_DES40_CBC_SH
A - DH_EXPORTDES_40_CBC SHA0019
001
DH_anon_WITH_DES_CBC_SHA - DH DES_CBC SHA
A
3DES_EDE_CB
DH_anon_WITH_3DES_EDE_CBC_SHA - DH 001
C SHAB

Server_Hello

Inresponsetothe client_hellomessage, theserver returns a server_hellomessageto tell the

clientitschoiceofprotocolversion,ciphersuitandcompressionmethod.Theserveralsoincludesa 32-byte
random number (server_random) in the message.
Bytes Len Value Description
00 1 16 RecordContentType-HandshakeMessage
01-02 2 03 01 SSLversion -TLSv1
03-04 2 00 2a RecordLength
05 1 02 HandshakeType-Server_Hello
06-08 3 00 00 26 MessageLength
09-0A 2 03 01 ProtocolVersionChosen- TLSv1

0B-0E 4 40443527GMTTime(secsince1970) 0C-

2A 28 cc ... b9 28 random bytes Server_Random
2B 1 00 SessionIDLength0(forresumingthe session)
Ciphersuit Chosen:
2C-2D2 00 16
DHE_RSA_WITH_3DES_EDE_CBC_SHA
2E 1 00 CompressionMethodChosen: NULL.

Certificate

The certificate message consists of a chain of X.509 certificates in the correct order. The first
certificate belongs to the server, and the next certificate contains the key that certifies the first
certificate (i.e., theserver'scertificate), andsoon.The client usestheserver'spublic key(contained
inside the server's certificate) to either encrypt the pre_master_secret or verify the
server_key_exchange, depending on which ciphersuit is used.

BytesLenValue Description

00 1 16 RecordContentType-HandshakeMessage
01-02 2 03 01 SSLversion -TLSv1
03-04 2 02 05 RecordLength
05 1 0b HandshakeType-certificate
06-08 3 00 02 01 MessageLength
09-0B 3 00 01 fe CertificateLength
Certificates(tobetraced)

TheX.509certificatestructurecanbefoundfromtheITUrecommendationX.509"Thedirectory- Authentication
Framework".

Server_Key_ExchangeServer_Hello_D

one

This is an empty message indicating that the server has sent all the handshaking messages. This is
needed because the server can send some optional messages after the certificate message.
BytesLen Value Description
00 1 16 RecordContentType-HandshakeMessage
01-02 2 03 01 SSLversion -TLSv1
03-04 2 00 04 RecordLength
05 1 0e HandshakeType-Server_Hello_Done
(checkthelast3 bytes)

Client_Key_Exchange

The client_key_exchangemessage contains the pre_master_secretwhen RSA key exchange is used.

The pre_master_secretis 48-byte, consists of protocol version (2 bytes) and 46 random bytes.

BytesLen Value Description

00 1 16 RecordContentType-HandshakeMessage
01-02 2 03 01 SSLversion -TLSv1
03-04 2 00 86 RecordLength
05 1 10 HandshakeType-Client_Key_Exchange
06-08 3 00 00 82 MessageLength
pre_master_secret(130bytes):encryptedusingserver'spublickey extracted
from the server's certificate

Change_Cipher_Spec

BytesLen Value Description

00 1 14 RecordContentType-Change_Cipher_Spec
01-02 2 03 01 SSLversion -TLSv1
03-04 2 00 01 RecordLength
05 1 01 ??

Certificate_VerifyChange_Cipher_Sp

ec
UnknownHandshakingMessage(D4)-tocheck
Application_Data

Client-to-Server-theHTTPrequestmessage:GET/test.htmlHTTP/1.0

Server-to-Client -theHTTPresponsemessage

Alert

ComparisonofTLSv1,SSLv3andSSLv2
TheTLSv1specification stated,"TLS v1andSSLv3areverysimilar".Someofminordifferences include
minor changes in HMAC calculation, ciphersuit support, and pseudo-random number generation.
TLS v1 can be regarded as SSL v3.1.

SSL v2 has a big security hole in the negotiation of the ciphersuit (and should not be used). The
attackercanconvincetheclientandservertouseaweakerencryption thanwhattheyarecapableof. This is
called "ciphersuit rollback" attack.

Result:

ThustheconfidentialityandIntegrity usingSSLwas verified.

 Ex.No:7 ExperimentEavesdropping,Dictionaryattacks,MITMattacks
Date:

Aim:
Toexperimenteavesdropping,Dictionaryattacks,MIMTattacks

VisualObjective:

Introduction

Password cracking is a term used to describe the penetration of a network, system, or resource
with or without the use of tools to unlock a resource that has been secured with a password.
Password cracking tools may seem like powerful decryptors, but in reality are little more than
fast, sophisticated guessing machines.

TypesofpasswordbreakingD
ictionaryattack
A simple dictionary attack is usually the fastest way to break into a machine. A dictionaryfile
(a text file full of dictionary words) is loaded into a cracking application, which is run against
user accounts located by the application.

Bruteforceattack
Abruteforce attackisaverypowerfulformofattack, thoughitmayoftentakealongtime to work
depending on the complexity of the password. The program will begin trying any and every
combination of numbers and letters and running them against the hashed passwords.
Passwords that are composed of random letters numbers and characters are most vulnerableto this
type of attack.

Hybridattack
Another well-known form of attack is the hybrid attack. A hybrid attack will add numbers or
symbols to the search words to successfully crack a password. Many people change their
passwords by simply adding a number to the end of their current password. Therefore, this
type of attack is the most versatile, while it takes longer then a standard dictionary attack it
does not take as long as a brute force attack.

CrackingProcess
Since a brute force attack is the most time consuming and is not likely to break any passwords
that are not composed of random characters, the best plan is to use techniques that are
computationally efficient compared to untargeted and unspecific techniques.By applying what is
known about how users select passwords, an intruder can tremendously increase the odds in their
favor of finding passwords. With the right techniques, some poorpasswordscanbe cracked in
under a second.

The real power of dictionary attacks come from understanding the ways in which most people
vary names and dictionary words when attempting to create a password. By applying all the
common transformations to every word in the electronic list and encrypting each result the
number tested passwords multiplies rapidly. Cracking tools can often detect “clever” ways of
manipulating words to hide their origin. For example, such cracking programs often subject each
word to a list of rules. A rule could be anything, any manner in which a word might appear.
Typical rules might include

Alternateupper-andlowercase lettering.
Spell the word forward and then backward, and then fuse the two results (for
example:cannac).
Addthe number1to thebeginningand/orendofeachword.

Naturally, the more rules one applies to the words, the longer the cracking process takes.
However, more rules also guarantee a higher likelihood of success.
Task1–MicrosoftOfficePasswordRecovery
Many applications require you to establish an ID and password that may be saved and
automatically substituted for future authentication. The password will usually appear on the
screen as a series of asterisks. This is fine as long as your system remembers the password for
you but what if it "forgets" or you need it for use on another system. Fortunately, many utilities
have been written to recover such passwords. In this task, you will use OfficeKey to recover the
password for a MS word document.

Step1:Findthefolder“Lab1” onyourdesktop,andopen it.

YouwillfindOfficeKeyandaMS documentin the folder.

Step2:OpentheOfficeKey–PasswordRecoverytool

Step3:Pressthe “Recover”buttoninthe upperleft corner, orselectFileRecover

Step4:Choosethepassword protectedMS Office Fileyouhavesavedto the Desktop.

Step5: After running the first password auditing session, check to see if Office key has cracked
the password.If the password has not been cracked press the Settings button on the upper
tool bar.
Step6:OnceintheSettingsmenuyouwillbeabletomodifythesearchparametersand customize a
more targeted search

Step7:Repeat steps3and4untilthepassword hasbeencrackedand openstheMS Office File.

Step8:Writedown the contents oftheMS word document and the password intoyour lab report and
submit it to your TA.
Task2–PasswordAuditing(Windowsplatform):
The purpose of this task is to familiarize you with act of password cracking/recovery. Password
cracking software uses a variety of approaches, including intelligent guessing, dictionary attacks
and automation that tries every possible combination of characters. Given enough time the
automated method can crack anypassword,butmoreeffective passwords willlastmonths before
breaking.

When a password is entered and saved on a computer it is encrypted, the encrypted password
becomes a string of characters called a “hash” and is saved to a password file.A password cannot
be reverse-decrypted. So a cracking program encrypts words and characters given to it (wordlist
or randomly generated strings of characters) and compares the results with hashed passwords. If
the hashes match then the password has successfully been guessed or “cracked”. This process is
usually performed offline against a captured password file so that being locked out of the account
is not an issue, and guessing can go on continuously. Thus, revealing the passwords is simply a
mater of CPU time and dictionary size

1. You obtain a dictionaryfile, which is no more than a flat file (plain text) list of words
(commonly referred to as wordlists).
2. These words are fed through any number of programs that encrypt each word.Such
encryption conforms to the DES standard.
3. Eachresultingencryptedwordiscomparedwiththetargetpassword. If amatch
occurs, there is better than a 90 percent chance that the password was cracked.

Step1:Goto Lab1folder, andopen LC4toaudit thepasswordsonyourWindowssystem.

SelectFile New Session

Select Import ImportfromPWDUMPFile(inthesamefolder)

Select the “Passwords” file that has been provided to you.
Objectives
This password file has been retrieved from a system that we must gain access to. To do this you
must crack as many passwords as possible as quickly as possible. We have captured the user
names and encrypted passwords for ten users. The user names follow a standard pattern of first
initial and last name, but the passwords have no set standards. We do know that users of this
system are encouraged to add numbers and other characters to the words they chose for
passwords.

To aid you in cracking these passwordswe have managed to collect some basic information about
the users.This personal information may help you target your searches as to what the user’s
password may be.

Kmiller KenMillerisanavidflyfisherandhisrecordnumberofcatchesis
justunder30
Smacman StevenMacManhasafiancéwho’snameis4letterslongandstarts
witha“K”
Gkoch GinaKochgrewupwithherGermangrandmother,whousedtocall
 her‘LittlePrecious’*

Mjones MattJoneswasbornin1979. Hecompareshimselftoa

ShakespeareancharacterwhowasbornviaCsection
Tgriffin TimGriffinlovesfunky‘70’sand‘80smusic. Andsongsabout
‘Love’
Rklatt RyanKlattisabigStarTrekfanandhasmostlikelychosenan
obscurereferenceforhispassword *
Nboyle NancyBoyleisanafanofthebooksofBritish writer DouglasAdams
Esmith EdwardSmithwasveryclosetohisgrandfatherwhodiedin1968.
We knowhis grandfather’s name wasa less common namestarting with
‘L’
Jcollins JimCollins keepsa copyofthe book“ThePrince” *
Hharris AlanHarrishasa wifenamedSueandadaughter named Megan
AlanwasmarriedonMay3rd.Hisdaughterwasborn onAugust6th

Step2:Select Session SessionOptions

Use this menu to customize your password search. Here you can add different word list
for Dictionary attacks, change Hybrid attack features.Keep in mind you are working with
a short dead line and more in depth searches will take longer then you have. You must
use the information given to you to target your search most specifically at more likely
passwords.
Step3:Select SessionBegin “Audit” or Press the blue play button on the upper toolbar to start the
password search.

Step4:Afterthefirstsearchhasruncheckyourprogress.Havesomeofthepasswordsbeencracked all the

way though or have some only been partially cracked. Use what you’ve learned from this
first search to target your next few searches.You will need to search the internet and use the
information you have been given about each user to find words they may have used as their
password.

Note: The question marks in the partially cracked passwords do not necessarily representthe number
of remaining undiscovered characters.

Step5: Add words to your wordlist

SessionSession Options

Press the ‘Dictionary List’ button in the Dictionary crack section. Here you can edit your
currentwordlistandaddwordsbyselectingthe‘EDIT’buttonandenteringeachwordon a new
line.You can also add multiple dictionaries and wordlist.
 Step6: Youmaychosetoconductdictionaryattackswithotherwordlists. You canfind
additional wordlist to use here: ftp://ftp.cerias.purdue.edu/pub/dict

Step7:Continuesearchingforpossiblepasswordsduringtheremainderofthelab.Repeatingsteps3 and 4
each time you modify your search.

Step8:Onceyouhavecrackedallthepasswordsinthefile,writethemdowninyourlabreportor once the lab

time has ended, submit the passwords you were able to crack.

Result:
Thustheexperiment forEavesdropping,Dictionaryattacks,MITMattackswasdone succefully.
 Ex.No:8 PerformanExperimenttoSniffTrafficusingARPPoisoning.ExperimenttoS
Date:

AIM
PerformanExperimenttoSniffTrafficusingARPPoisoning.

Description:

ARPistheacronymforAddressResolutionProtocol. It is used to convert IP address to physical

addresses [MAC address] on a switch. The host sends an ARP broadcast on the network, and the

recipient computer responds with its physical address [MAC Address]. The resolved IP/MACaddress

is then used to communicate.

ARPpoisoningissendingfakeMACaddressestotheswitchsothatitcanassociatethefakeMACaddress

eswiththeIPaddressofagenuinecomputeronanetworkandhijackthetraffic.

ARPPoisoningCountermeasures

StaticARPentries: these can be defined in the local ARP cache and the switch configured to

ignoreall auto ARP reply packets. The disadvantage of this method is, it’s difficult to maintain on

large networks. IP/MAC address mapping has to be distributed to all the computers on thenetwork.

ARPpoisoningdetectionsoftware: these systems can be used to cross check the IP/MACaddress

resolution andcertify them ifthey areauthenticated. Uncertified IP/MACaddress resolutions can

then be blocked.

OperatingSystemSecurity: this measure is dependent on the operating system been used. The

following are the basic techniques used by various operating systems.

• Linuxbased:theseworkbyignoringunsolicitedARPreplypackets.

• MicrosoftWindows: the ARP cache behavior can be configured via the registry. The

followinglistincludessomeofthesoftwarethatcanbeusedtoprotectnetworks against
 sniffing;

• AntiARP–providesprotection againstbothpassiveandactivesniffing

• AgnitumOutpostFirewall–providesprotectionagainstpassivesniffing

• XArp–providesprotection againstbothpassiveandactivesniffing

• MacOS: ArpGuard can be used toprovide protection. It protects against

both active andpassive sniffing.

• Computers communicate using networks. These networks could be on a local areanetwork

LAN or exposed to the internet. NetworkSniffersareprogramsthatcapturelow-

levelpackagedatathatistransmittedoveranetwork. Anattackercananalyzethis

informationto discover valuable information such as user ids and passwords.

• Inthisarticle,wewillintroduceyoutocommonnetworksniffingtechniquesandtools used to

sniff networks.

Whatisnetworksniffing?

ComputerscommunicatebybroadcastingmessagesonanetworkusingIPaddresses.Oncea message

has been sent on a network, the recipient computer with the matching IP address responds

with its MAC address.

Networksniffingistheprocessofinterceptingdatapacketssentoveranetwork. Thiscanbe done by

the specialized software program or hardware equipment. Sniffing can be used to;

• Capturesensitive datasuchaslogin credentials

• Eavesdroponchatmessages

• CapturefileshavebeentransmittedoveranetworkThefollowingareprotocolsthat are

vulnerable to sniffing

• Telnet
 • Rlogin

• HTTP

• SMTP

• NNTP

• POP

• FTP

• IMAP

Theaboveprotocolsarevulnerableif login detailsaresentinplaintext

PassiveandActiveSniffing

Beforewelookatpassiveandactivesniffing, let’slookattwomajordevicesusedtonetwork computers;

hubs and switches.

Ahubworksbysendingbroadcastmessagestoalloutputportsonitexcepttheonethathassentthebroad

cast.TherecipientcomputerrespondstothebroadcastmessageiftheIPaddress
matches.Thismeanswhenusingahub,allthecomputersonanetworkcanseethebroadcast message. It operates

at the physical layer (layer 1) of the OSI Model.

Thediagrambelowillustrates howthehub works.

Aswitchworksdifferently;itmapsIP/MACaddressestophysicalportsonit.Broadcast

messagesaresenttothephysicalportsthatmatchtheIP/MACaddressconfigurationsforthe recipient

computer. This means broadcast messages are only seen by the recipient computer. Switches

operate at the data link layer (layer 2) and network layer (layer 3).

Thediagrambelowillustrateshowtheswitchworks.

Passivesniffingisinterceptingpackagestransmittedoveranetworkthatusesahub. It is

calledpassivesniffing becauseitisdifficulttodetect.Itisalsoeasytoperformasthehubsends
 broadcastmessagestoallthecomputers onthenetwork.

Activesniffingisinterceptingpackagestransmittedoveranetworkthatusesaswitch.There are two

main methods used to sniff switch linked networks, ARP Poisoning, and MAC flooding.

Sniffingthenetworkusing Wireshark

Theillustration belowshowsyouthestepsthatyouwillcarryouttocompletethis exercise

withoutconfusion

DownloadWiresharkfromthislinkhttp://www.wireshark.org/download.html

• Open Wireshark

• Youwillgetthefollowing screen

• Select the network interface you want to sniff. Note for this demonstration, we are using

awireless network connection.Ifyouare on a localarea network, thenyou should select the

 localareanetwork interface.

• Clickonstartbuttonas shown above

• Openyourwebbrowser andtypeinhttp://www.techpanda.org/

• Theloginemail isadmin@google.comandthepassword isPassword2010

• Clickonsubmit button

• Asuccessfullogonshould giveyouthefollowingdashboard
• GobacktoWiresharkandstopthelive capture

• FilterforHTTPprotocolresultsonly using thefiltertextbox

 • LocatetheInfocolumnand lookforentries withtheHTTPverbPOSTandclickonit

• Justbelowthelogentries, thereisapanelwithasummary ofcaptureddata. Lookfor the

summary that says Line-based text data: application/x-www-form-url encoded

• YoushouldbeabletoviewtheplaintextvaluesofallthePOSTvariables submittedto the

server via HTTP protocol.

Result:

ThustheexperimenttoSniffTrafficusingARPPoisoningwas performed.
Ex.No:9 Demonstration of Intrusion Detection System(IDS)

Date:

AIM:
TodemonstrateIntrusionDetectionSystem(IDS)usingSnortsoftware tool.

STEPSONCONFIGURINGANDINTRUSIONDETECTION:

1. DownloadSnortfromtheSnort.orgwebsite.(http://www.snort.org/snort-downloads)
2. DownloadRules(https://www.snort.org/snort-rules).Youmustregistertogettherules.(Youshould
download these often)
3. Doubleclickonthe.exetoinstallsnort.Thiswillinstallsnortinthe“C:\Snort”folder.Itis
important to have WinPcap (https://www.winpcap.org/install/) installed
4. ExtracttheRulesfile.You willneedWinRARforthe.gz file.
5. Copyallfiles fromthe“rules”folderofthe extractedfolder.Nowpastetherulesinto
“C:\Snort\rules”folder.
6. Copy “snort.conf” file from the “etc” folder of the extracted folder. You must paste it into “C:\
Snort\etc” folder. Overwrite any existingfile.Rememberifyoumodifyyoursnort.conffile and
download a new file, you must modify it for Snort to work.
7. Openacommandprompt(cmd.exe)andnavigatetofolder“C:\Snort\bin”folder.(atthePrompt, type
cd\snort\bin)
8. Tostart(execute)snortinsniffer modeusefollowing command:
snort -dev-i 3
-iindicatestheinterfacenumber.Youmustpickthecorrectinterface number.Inmycase,itis3.
-devisused torunsnort tocapture packets onyournetwork.

Tochecktheinterfacelist,usefollowingcommand: snort-W
Findingan interface

Youcantell whichinterface tousebylookingattheIndexnumberandfindingMicrosoft.Asyoucan see in the

above example, the other interfaces are for VMWare.
TorunsnortinIDSmode,youwillneedtoconfigurethefile“snort.conf”accordingtoyournetwork environment.
Tospecifythenetworkaddressthatyouwanttoprotectinsnort.conffile,lookforthefollowingline. var
HOME_NET 192.168.1.0/24(You will normally see any here)
Youmayalsowanttosetthe addressesofDNS_SERVERS,ifyouhavesomeonyournetwork.

Example:

examplesnort
ChangetheRULE_PATHvariabletothepathofrulesfolder. var
RULE_PATH c:\snort\rules

pathtorules
Changethepathofalllibraryfileswiththenameandpathonyoursystem.andyoumustchangethe path
of snort_dynamicpreprocessorvariable.
C:\Snort\lib\snort_dynamiccpreprocessor
You need to do this to all library files in the “C:\Snort\lib” folder. The old path might be:
“/usr/local/lib/…”. you will need to replacethatpathwithyoursystempath.UsingC:\Snort\lib
Change the path of the “dynamicengine” variable value in the “snort.conf” file..
Example:
dynamicengineC:\Snort\lib\snort_dynamicengine\sf_engine.dll

Addthepathsfor“includeclassification.config”and“includereference.config”files. include
c:\snort\etc\classification.config
include c:\snort\etc\reference.config
Removethecomment (#)onthelinetoallowICMPrules,ifitiscommented witha#. include
$RULE_PATH/icmp.rules
YoucanalsoremovethecommentofICMP-inforulescomment,ifitis commented.
include $RULE_PATH/icmp-info.rules
Toaddlogfilestostorealertsgenerated bysnort,searchforthe“outputlog”testinsnort.confand add the
following line:
outputalert_fast:snort-alerts.ids
Comment(adda#)thewhitelist $WHITE_LIST_PATH/white_list.rulesandtheblacklist

Changethenested_ipinner,\tonested_ipinner#,\ Comment out

(#) following lines:
#preprocessornormalize_ip4
#preprocessornormalize_tcp:ipsecnstream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessornormalize_icmp6

Savethe“snort.conf” file.
TostartsnortinIDS mode,runthefollowingcommand:

snort-cc:\snort\etc\snort.conf-lc:\snort\log-i3
(Note: 3 is used for my interface card)

Ifalogiscreated, selecttheappropriateprogramtoopenit.YoucanuseWordPardorNotePad++to read the

file.

TogenerateLogfilesinASCII mode,youcanusefollowingcommandwhilerunningsnortinIDS mode:

snort-Aconsole-i3-cc:\Snort\etc\snort.conf-lc:\Snort\log-Kascii

Scanthecomputerthatisrunning snortfromanothercomputer byusing PINGorNMap(ZenMap).

Afterscanningorduringthescanyoucancheckthesnort-alerts.idsfileinthelogfoldertoinsureitis logging
properly. You will see IP address folders appear.

Snortmonitoring traffic–
RESULT:
ThustheIntrusionDetectionSystem(IDS)hasbeendemonstratedbyusingtheOpenSource Snort
Intrusion Detection Tool.
 Ex.No:10 NetworkMonitoringTools
Date:

Aim:

ToexploreaboutNetworkmonitoringtools

Network monitoring is an essential part of network management. It involves using various tools to
monitor a system network and determine slowness and weak connections, among other issues.
Knowing more about these tools can help you understand them better and use the right ones that suit
your requirements. In this article, we define what network monitoring tools are, provide details about
varioustools anddiscuss aboutsome tipsthatcanhelpyouchoosetherighttoolforyourrequirements.

WhatAreNetworkMonitoringTools?

Network monitoring tools are software that you can use to evaluate network connections. These
softwareprogramscan helpyoumonitor anetworkconnection andidentify networkissues,which may
include failing network components, slow connection speed, network outage or unidentifiable
connections. Network management and monitoring tools can also help you resolve these issues or
establish solutions that prevent specific issues from occurring in the future.

NetworkMonitoringTools

Hereareeightmonitoringtoolsalongwiththeir descriptionsand features:

1. SolarWindsNetworkPerformanceMonitor

SolarWinds Network Performance Monitor is a multi-vendor monitoring tool. It allows users to

monitor multiple vendors' networks at the same time. It also provides network insights for thorough
visibility into the health of the networks. Some prominent features include network availability
monitoring, intelligent network mapping, critical path visualisation, performance analysisand
advancedalerting.SolarWindsalsoallowsuserstotrackVPNtunnelstatus.ItpromptswhenaVPN
tunnel is available to help users ensure a stable connection between sites. SolarWinds provides aseven-
day free trial, after which users can choose a preferred subscription plan.

2. Auvik

Auvik is a network monitoring and management tool. It offers a quick implementation process that
helps users to set up the tool easily. It also has a clean user interface that makes it easy to navigate and
use. The tool provides in-depth network visibility that enables faster troubleshooting for network
issues. Users can automate network visibility using Auvik. It provides real-time updates on network
issues and configuration changes.

3. DatadogNetworkMonitoring

Datadog Network Monitoring offers services for on-premises devices and cloud networks. A
highlighting feature of this tool is the visualisations. It offers various graphical representationsof all the
network connections on a system. It also allows users to track key metrics like network latency,
connection churn and transmission control protocol (TCP) retransmits. Users can monitor the health of
a network connection at different endpoints at the application, IP address, port or process ID layers.
Other prominent features include automated log collection and user interface monitoring.

4. PaesslerPRTGNetworkMonitor

Paessler's networkconnection monitoring toolprovides acleanuserinterface andnetworkvisibility on

multiple devices. Users can track the health of different connection types like local area networks
(LAN), wide area network (WAN), servers, websites, applications and services. The toolsalso
integratewithvarioustechnologies,whichmakesiteasiertouseitfordifferenttypesofapplications.It provides
distribute monitoring, allowing users to track network connections on devices in different locations.
The tool also provides apps for mobile platforms that can help users to track network health on mobile
phones.

5. ManageEngineOpManager

ManageEngine OpManager is a good network monitoring and managing tool for users that prefer in-
depth view of network health and issues. This tool provides over 2000 network performance monitors
that allow users to track and monitor their connections and perform detailed analyses on issues. It also
provides over 200 dashboard widgets that can help users customise their dashboard to their own
suitability. Other features include CPU, memory and disk utilisation monitoring on local and virtual
machines. It also allows setting network performance threshold and notifies the user in case of a
violation.

6. Domotz

Domotz is an expansive tool that provides a list of features for monitoring network connections. It
allows users tocustomise their network monitoring preferences. Users can writescripts theretrieve the
data they wish to evaluate. It also allows connection to open ports on remote devices while ensuring
network security. Users can also scan and monitor network connections globally. Domotz also allows
to backup and restore network configuration for switches, firewalls and access points and alerts when
there is a change in the configuration.

7. Checkmk

Checkmk is a tool that allows users to automate it completely. You can customise its operations and
enableittoperformtasksautomatically. Italsoidentifies networkandsecuritycomponentswithoutthe user
requiring manual setup.Forexample, the toolcan identify afirewall evenifthe userhas notsetit up. Its
Agent Bakery feature enables users to manage agents and automate agentupdating. This reduces
manual effort to monitor network connections. The tool also includes over 2000 plug-ins for enhancing
network monitoring.

8. ProgressWhatsupGold

Progress Whatsup Gold is a basic network monitoring software. It provides a minimal user interface
with essential features like device monitoring, application monitoring, analysing network traffic and
managing configurations. The tool allows users to monitor cloud devices, inspect suspicious
connections, automate configuration backups and identify, and resolve bandwidth issues.

OtherToolsForNetworkMonitoring

Herearethreeadditionaltools fornetworkmonitoring:
 • Fortra Intermapper: This tool enables users to monitor network connections using network
maps, allowing them to get a holistic view of all the connections. Italso provides various colour
codes for different network status, along with real-time notifications through text, email and
sound.
• Nagios Core: Nagios Core is a monitoring engine that works as the primary application for all
Nagios projects, including the Nagios Network Analyser. It integrates with other Nagios
applications and provides users with features like a visual dashboard, custom application
monitoring, automated alert system, advanced user management and network security
monitoring.
• Zabbix: Zabbix provides a thorough network monitoring solution with features like server
monitoring, cloud monitoring, application monitoring and service monitoring. The tool also
includesfeatureslikemetriccollection,businessmonitoringandrootcauseanalysesofnetwork issues,
and allows users to establish a threshold for connection anomalies.

TipsToChooseANetworkMonitoringAndManagementTool

Herearesomeusefultipsthatyoucanconsiderwhile selectingatoolfornetwork monitoring:

Understandtherequirements

Understanding why you require network monitoring software is important in the process. Define what
feature you want and for what purpose. This can help you identify the right tool for your use. It may
also help you choose the correct subscription plan on paid tools.

Browsemultipletools

Once you identify the requirements, consider browsing multiple tools. Visit the websites of the tools
andlookforthefeaturesyourequire.Spendtimestudyingthefeaturesandunderstandhowtheycanbe
usefultoyourrequirements.Youcanalsoidentify afewtoolsandcomparetheir featurestoeachother.

Considerthebudget

Sometools may be free to use, while some may require you to purchaseasubscription plan. Paid tools
typicallyofferafreetrialperiodofupto30days.Onceyouidentifywhichtoolyoumayliketouse,
see if it is free or requires payment. If it is a paid tool, try exploring its features and efficiency during
thetrial period.Considerkeepingabackuptoolincasethetoolthatyouchoosedoesnotfityourusage.

Result:

Thusthenetwork monitoring tools was explored

 Ex.No:11 StudytoconfigureFirewall,VPN
Date:

AIM:

Tostudythefeaturesoffirewallinprovidingnetworksecurityandtoset Firewall Security

in windows.

FirewallinWindows7

Windows 7 comes with two firewalls that work together. One istheWindowsFirewall, andtheother is
WindowsFirewallwithAdvancedSecurity(WFAS).Themaindifferencebetweenthem
isthecomplexityoftherules configuration. Windows Firewall uses simplerules thatdirectlyrelate to a
program or a service. The rules in WFAS can be configured based on protocols, ports, addresses and
authentication. By default, both firewalls come with predefined set of rules that allow us to utilize
network resources. This includes things like browsing the web, receiving e-mails, etc. Other standard
firewallexceptionsareFileandPrinterSharing,NetworkDiscovery,PerformanceLogsand Alerts, Remote
Administration, Windows Remote Management, RemoteAssistance,RemoteDesktop, Windows Media
Player, Windows Media Player Network Sharing Service

With firewall in Windows 7 we can configure inbound and outbound rules. By default, all outbound
traffic is allowed, and inbound responses to that traffic are also allowed. Inbound trafficinitiated from
external sources is automatically blocked.

When we first connect to some network, we are prompted toselecta network location. This feature is
known as Network Location Awareness(NLA). This feature enables us to assign a network profile to
the connection based on the location. Different network profiles contain different collections of
firewallrules. In Windows7, differentnetwork profiles can be configured on differentinterfaces. For
example, our wired interface can have different profile than our wireless interface. There are three
different network profiles available:

• Public
• Home/Work-privatenetwork
• Domain-usedwithinadomain

ConfiguringWindowsFirewall
 ToopenWindowsFirewallwecangotoStart>ControlPanel>Windows

Firewall.

Bydefault,Windows Firewallisenabledfor bothprivate(home or work)and public networks. It is also

configured to block all connectionsto programs that are not on the list of allowed programs. To
configure exceptions we can go to the menu on the left and select "Allow a program or feature trough
Windows Firewall" option.

Exceptions
 To change settings in this window we have to click the "Change settings" button. As you cansee, here
we have a list of predefined programs and features that can be allowed to communicate on private or
public networks. For example, notice that the Core Networking feature is allowed on both private and
public networks, while the File and Printer Sharing is only allowed on private networks. We can also
see the details of the items in the list by selecting it and then clicking the Details button.

Details

If we have a program on our computer that is not in this list, we canmanually add it by clicking on
the "Allow another program" button.

AddaProgram
Here we have to browse to the executable of our program and then click the Add button. Notice that
we can also choose location types on which this program will be allowed to communicate byclicking
on the"Network location types" button.
NetworkLocations
Many applications will automatically configure properexceptionsin Windows Firewall when we run
them. For example, if we enable streaming from Media Player, it will automatically configure
firewallsettings toallowstreaming. ThesamethingisifweenableRemoteDesktopfeaturefromthe system
properties window. By enabling Remote Desktop feature we actually create an exception in
Windows Firewall.

Windows Firewall can be turned off completely. To do that we can select the "Turn Windows
Firewall on or off" option from the menu on the left.

FirewallCustomization

Note that we can modify settings for each type of network location (private or public). Interesting
thing here is that we can block all incoming connections, including those in the list of allowed
programs.

WindowsFirewallisactually aWindowsservice.Asyouknow,servicescanbestoppedandstarted. If the

Windows Firewall service is stopped, the Windows Firewall will not work.

FirewallService

Inourcasetheserviceisrunning.Ifwestopit,wewillgetawarningthatwe should turn on our

Windows Firewall.
Warning

Remember that with Windows Firewall we can only configure basic firewall settings, and this is
enough for most day-to-day users. However, we can't configure exceptions based on portsin Windows
Firewall any more. For that we have to use Windows Firewall with Advanced Security.

HowtoStart&UsetheWindowsFirewallwithAdvancedSecurity
The WindowsFirewallwithAdvancedSecurity is a tool which gives you detailed control over the rules
that are applied by the WindowsFirewall. You can view all the rules that are used by the
WindowsFirewall, change their properties, create new rules or disable existing ones. In this tutorial
we will share how to open the WindowsFirewallwithAdvancedSecurity, how to find your way around
it and talk about the types of rules that are available and what kind of traffic they filter.

HowtoAccesstheWindowsFirewallwithAdvancedSecurity

YouhaveseveralalternativestoopeningtheWindowsFirewallwithAdvancedSecurity:

One is to open the standard Windows Firewall window, by going to "ControlPanel-

>SystemandSecurity->WindowsFirewall".Then,click or tap Advancedsettings.

In Windows 7, another method is to search for the word firewall in the StartMenu search box and
click the "WindowsFirewallwithAdvancedSecurity" result.
 In Windows 8.1, WindowsFirewallwithAdvancedSecurityis not returned in search results
and you need to use the first method shared aboveforopening it.

The WindowsFirewallwithAdvancedSecurity looks and works the samebothin Windows 7

and Windows 8.1. To continue our tutorial, we will use screenshots that were made in
Windows 8.1.

WhatAreTheInbound&OutboundRules?

In order to provide the security you need, the WindowsFirewall has a standard set of
inbound and outbound rules, which are enabled depending on the location of the network
you are connected to.

Inbound rules are applied to the traffic that is coming fromthe network andthe Internet to
your computer or device. Outbound rules apply to the traffic from your computer to the
network or the Internet.

These rules can be configured so that they are specific to: computers, users, programs,
services, ports or protocols. You can also specify to which type of network adapter (e.g.
wireless, cable, virtual private network) or user profileit is applied to.
In the WindowsFirewallwithAdvancedSecurity, you can access all rulesandedit their
properties. All youhaveto do is clickor tap the appropriate unit in the left-side panel.

The rules used by the WindowsFirewall can be enabled or disabled. The ones which are
enabled or active are marked with a green check-box in the Name column. The onesthat are
disabled are marked with a gray check-box.

Ifyou want toknow more about aspecific rule and learn its properties, right click on it and
select Properties or select it and press Properties in thecolumn on right, which lists the
actions that are available for your selection.
WhatAreTheConnectionSecurityRules?

Connection security rules are used to secure traffic between two computers whileit crosses
the network. One example would be a rulewhich defines thatconnections between two
specific computers must be encrypted.

Unlike the inbound or outbound rules, which are applied only toonecomputer, connection
security rules require that both computers have the same rules defined and enabled.

If you want to see if there are any such rules on your computer, click or tap
"ConnectionSecurityRules" on the panel on the left. By default, there are no such rules
defined on Windows computers and devices. They are generally used in business
environments and such rules aresetbythe network administrator.
 WhatDoestheWindowsFirewallwithAdvancedSecurityMonitor
?

The WindowsFirewallwithAdvancedSecurity includes some monitoringfeatures as well. In

the Monitoring section you can find the following information: the firewall rulesthat are
active (both inbound and outbound),the connection security rules that are active and
whether there are any active security associations.

Youshouldnote that the Monitoring section shows onlythe active rules forthe current
network location.
used to determine the operating system running on the host machine. Another feature is
"boot-time filtering". This feature ensures that the firewall is working at the same time
when the network interface becomes active, which was not the case in previous versions of
Windows.

When we first connect to some network, we are prompted toselecta network location. This
feature is known as Network Location Awareness (NLA). This feature enables us to assign
a network profile to the connection based on the location.Differentnetworkprofiles contain
different collections of firewall rules. In Windows 7, different network profiles can be
configured on different interfaces. For example, our wired interface can have different
profile than our wireless interface. There are three different network profiles available:

• Public
• Home/Work-privatenetwork
• Domain-usedwithinadomain
We choose those locations when we connect to a network. We can always change the
location intheNetworkandSharing Center,inControl Panel. The Domain profile canbe
automatically assigned by the NLA service when we log on to an Active Directory domain.
Note that we must have administrative rights in order to configure firewall in Windows 7.

ConfiguringWindowsFirewall

Toopen WindowsFirewall wecangotoStart>ControlPanel>

 WindowsFirewall.

By default, Windows Firewall is enabled for both private (home or work) and public
networks. It is also configured to block all connections to programs that are not on the list
of allowed programs. Toconfigureexceptions we can goto the menu on the left andselect
"Allow a program or feature trough Windows Firewall" option.

Exceptions

To change settings in this window we have to click the "Change settings" button. As you
can see, here we have a list of predefined programs and features that can be allowed to
communicate on private or public networks. For example, notice thattheCore Networking
feature is allowed on both private and public networks, while the File and Printer Sharing
is only allowed on private networks. We can also see the details of the items in the list by
selecting it and then clicking the Details button.
Details
Ifwehaveaprogramonourcomputerthatisnotinthislist,wecan

manually additbyclickingonthe"Allowanotherprogram"button.
AddaProgram
Here we have to browse to the executable of our program and then click the Add button.
Notice that we can also choose location types on which this program will be allowed to
communicate by clicking on the"Network location types" button.
NetworkLocations
Many applications will automatically configure proper exceptions in Windows Firewall
when we run them. For example, if we enable streaming from Media Player, it will
automatically configure firewall settings to allow streaming. The same thing is if we
enable Remote Desktop feature from the system properties window. By enabling Remote
Desktop feature we actually create an exception in Windows Firewall.

Windows Firewall can be turned off completely. To do that we can select the "Turn
Windows Firewall on or off" option from the menu on the left.

FirewallCustomization

Note that we can modify settings for each type of network location (private or public).
Interesting thing here is that we can block all incoming connections, including those in the
list of allowed programs.

Windows Firewall is actually a Windows service. As you know, services can be stopped
and started. If the Windows Firewall service is stopped, the Windows Firewall will not
work.
FirewallService

In our case the service is running.Ifwestop it, wewillgeta warningthatwe should turn on our
Windows Firewall.

Warning

Remember that with Windows Firewall we can only configure basic firewall settings, and
this is enough for most day-to-day users. However, we can't configure exceptions based on
ports in Windows Firewall any more. For that we have to use Windows Firewall with
Advanced Security.

HowtoStart&UsetheWindowsFirewallwithAdvancedSecurity
The WindowsFirewallwithAdvancedSecurity is a tool which gives you detailed control
overtherulesthatareappliedbythe WindowsFirewall.You can view all therulesthat are used
by the WindowsFirewall, change their properties, create new rules or disable existing ones.
In this tutorial we will share how to open the WindowsFirewallwithAdvancedSecurity,
howto find your way around it and talk about the types of rules that are available and what
kind of traffic they filter. How to Access the Windows Firewall with Advanced Security

YouhaveseveralalternativestoopeningtheWindowsFirewallwithAdvancedSecurity:
One is to open the standard Windows Firewall window, by going to "ControlPanel-
>SystemandSecurity->WindowsFirewall".Then,click or tap Advancedsettings.

In Windows 7, another method is to search for the word firewall in the StartMenu search
box and click the "WindowsFirewallwithAdvancedSecurity" result.
In Windows 8.1, WindowsFirewallwithAdvancedSecurity is not returned in search results
and you need to use the first method shared aboveforopening it.

The WindowsFirewallwithAdvancedSecurity looks and works the samebothin Windows 7

and Windows 8.1. To continue our tutorial, we will use screenshots that were made in
Windows 8.1.

WhatAreTheInbound&OutboundRules?

In order to provide the security you need, the WindowsFirewall has a standard set of
inbound and outbound rules, which are enabled depending on the location of the network
you are connected to.
Inbound rules are applied to the traffic that is coming from the network and the Internet to
your computer or device. Outbound rules apply to the traffic from your computer to the
network or the Internet.
These rules can be configured so that they are specific to: computers, users, programs,
services, ports or protocols. You can also specify to which type of network adapter (e.g.
wireless, cable, virtual private network) or user profileit is applied to.
In the WindowsFirewallwithAdvancedSecurity,youcanaccessallrules and edittheir
properties. All you have to do is clickor tap the appropriate unit in the left-side panel.
The rules used by the WindowsFirewall can be enabledor disabled.The ones which are
enabled or active are marked with a green check-box in the Name column. The onesthatare
disabled are marked with a gray check-box.If you want to know more about a specific
ruleandlearnitsproperties,rightclickonitandselectPropertiesorselectitandpress
Propertiesinthecolumnonright,whichliststheactionsthatareavailableforyourselection.
 WhatAreTheConnectionSecurityRules?

Connection security rules are used to secure traffic between two computers while it
crosses the network. One example would be a rule which defines that connections
between two specific computers must be encrypted.
Unlike the inbound or outbound rules, which are applied only to one computer,
connection security rules require that both computers have thesame rules defined and
enabled.
If you want to see if there are any such rules on your computer, click ortap
"ConnectionSecurityRules"on the panel on the left.By default,there are no such rules
definedon Windows computersanddevices.Theyaregenerallyusedin business
environments and such rules aresetbythe network administrator.
WhatDoestheWindowsFirewallwithAdvancedSecurityMonitor?

The WindowsFirewallwithAdvancedSecurity includes some monitoring features aswell. In the

Monitoring section you can find the following information: the firewallrulesthatareactive (both
inbound and outbound), the connection security rules that are active and whether there are any
active security associations.

You should note that the Monitoring section shows only the activerules for the current network
location.

Result:
studyofthefeaturesoffirewallinprovidingnetworksecurity and toset
Firewall Security in windows .