EXPERIMENT NO. 1 PDF

Preview

Summary

Batch No : B2 Roll No : 78 EXPERIMENT NO. 1 Aim : To study how to gather information about the networks by using different n/w reconnaissance tools. Tools required : Ubuntu 14.10, WHOIS, traceroute, nslookup Theory : traceroute: The traceroute, tracert, or tracepath command is similar to ping, but p...

Description

Batch No : B2

Roll No : 78

EXPERIMENT NO. 1 Aim : To study how to gather information about the networks by using different n/w reconnaissance tools.

Tools required : Ubuntu 14.10, WHOIS, traceroute, nslookup Theory : traceroute: The traceroute, tracert, or tracepath command is similar to ping, but provides information about the path a packet takes. traceroute sends packets to a destination, asking each Internet router along the way to reply when it passes on the packet. This will show you the path packets take when you send them between your location and a destination. In computing, traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network. The history of the route is recorded as the round-trip times of the packets received from each successive host (remote node) in the route (path); the sum of the mean times in each hop indicates the total time spent to establish the connection. Traceroute proceeds unless all (three) sent packets are lost more than twice, then the connection is lost and the route cannot be evaluated. Installation: sudo apt-get install traceroute Commands: traceroute google.com whois: The whois command looks up the registration record associated with a domain name. This can show you more information about who registered and owns a domain name, including their contact information. Installation: :sudo apt-get install whois Commands: whois google.com The WHOIS protocol had its origin in the ARPANET NICNAME protocol and was based on the NAME/FINGER Protocol, described in RFC 742 (1977). The NICNAME/WHOIS protocol was first described in RFC 812 in 1982 by Ken Harrenstien and Vic White of the Network Information Centre at SRI International. WHOIS was originally implemented on the Network Control Program (NCP) but found its major use when the TCP/IP suite was standardized across the ARPANET and later the Internet.

Batch No : B2

Roll No : 78

nslookup The nslookup command will look up the IP addresses associated with a domain name. For example, you can run nslookup howtogeek.com to see the IP address of How-To Geek’s server Installation: :sudo apt-get install nslookup Commands: nslookup google.com

Batch No : B2

Roll No : 78

dig Dig is a networking tool that can query DNS servers for information. It can be very helpful for diagnosing problems with domain pointing and is a good way to verify that your configuration is working. Installation: :sudo apt-get install dig Commands: dig google.com

The dig command output has the following sections:  

Header: This displays the dig command version number, the global options used by the dig command, and few additional header information. QUESTION SECTION: This displays the question it asked the DNS. i.e This is your input. Since we said ‘dig redhat.com’, and the default type dig command uses is A record, it indicates in this section that we asked for the A record of the redhat.com

   

website ANSWER SECTION: This displays the answer it receives from the DNS. i.e This is your output. This displays the A record of redhat.com AUTHORITY SECTION: This displays the DNS name server that has the authority to respond to this query. Basically this displays available name servers of redhat.com ADDITIONAL SECTION: This displays the ip address of the name servers listed in the AUTHORITY SECTION. Stats section at the bottom displays few dig command statistics including how much time it took to execute this query.

Batch No : B2

Roll No : 78

To view all the record types (A, MX, NS, etc.), use ANY as the record type as shown below.

Conclusion: Hence we have studied network reconnaissance tools.

Batch No : B2

Roll No : 78

EXPERIMENT NO : 2 Aim : To study packet sniffer tools like wireshark, tcpdump, etc. and observe the performance in promiscuous as well as non-promiscuous mode and to find packets based on different filters.

Tools Required : Ubuntu 14.10, wireshark, tcpdump Theory : Wireshark :Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues. Wireshark is cross-platform, using the GTK+ widget toolkit in current releases, and Qt in the development version, to implement its user interface, and using pcap to capture packets; it runs on Linux, OS X, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License. Functionality of wireshark:Wireshark lets the user put network interface controllers that support promiscuous mode into that mode, so they can see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are extremely resistant to tampering If a remote machine captures packets and sends the captured packets to a machine running Wireshark using the TZSP protocol or the protocol used by OmniPeek, Wireshark dissects those packets, so it can analyze packets captured on a remote machine at the time that they are captured Features of wireshark:Wireshark is software that "understands" the structure (encapsulation) of different networking protocols. It can parse and display the fields, along with their meanings as specified by different networking protocols.

Batch No : B2

Roll No : 78

Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports. 1. Data can be captured "from the wire" from a live network connection or read from a file of already-captured packets. 2. Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback. 3. Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark. 4. Captured files can be programmatically edited or converted via command-line switches to the "editcap" program. 5. Data display can be refined using a display filter. 6. Plug-ins can be created for dissecting new protocols. 7. VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played. 8. Raw USB traffic can be captured. 9. Wireless connections can also be filtered as long as they transverse the monitored Ethernet. 10. Various settings, timers, and filters can be set that ensure only triggered traffic appear. Packets captured in promiscuous mode.(Packets are captured in promiscuous mode by default.)

Batch No : B2

Settings for applying filter and to set the mode:

Packets captured in non-promiscuous mode and with http filter :

Tcpdump :

Roll No : 78

Batch No : B2

Roll No : 78

tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. Tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, OS X, HPUX, Android and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows port of libpcap. Command : tcpdump

Tcpdump done on a port range : Command : tcpdump port range 50-500

Batch No : B2

Tcpdump using filters : Command :

Tcpdump in non-promiscuous mode : Command : tcpdump -p

Roll No : 78

Batch No : B2

Roll No : 78

Conclusion : Hence, we have studied packet sniffer tools like wireshark and tcpdump and learned to implement them.

Batch No : B2

Roll No : 78

EXPERIMENT NO 3 Aim: To study and implement various scanning techniques using Nmap. Materials required: Ubuntu 14.10, Nmap, Internet. Theory: Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses. The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap is also capable of adapting to network conditions including latency and congestion during a scan. Nmap is under development and refinement by its user community. Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping). Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum. Features: Nmap features include:  

Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open. Port scanning – Enumerating the open ports on target hosts.

Batch No : B2

  

Roll No : 78

Version detection – Interrogating network services on remote devices to determine application name and version number. OS detection – Determining the operating system and hardware characteristics of network devices. Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua programming language.

Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses. Uses of Nmap:      

Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it. Identifying open ports on a target host in preparation for auditing. Network inventory, network mapping, and maintenance and asset management. Auditing the security of a network by identifying new servers. Generating traffic to hosts on a network. Find and exploit vulnerabilities in a network.

Port scanning: A port scan or port scanning can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service, however the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.

Fig.: PORT SCANNING.

Os fingerprinting: TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint.

Batch No : B2

Roll No : 78

Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP. The TCP/IP fields that may vary include the following:        

Initial packet size (16 bits) Initial TTL (8 bits) Window size (16 bits) Max segment size (16 bits) Window scaling value (8 bits) "don't fragment" flag (1 bit) "sackOK" flag (1 bit) "nop" flag (1 bit)

These values may be combined to form a 67-bit signature, or fingerprint, for the target machine. Just inspecting the Initial TTL and window size fields is often enough in order to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.

Fig.: OS Fingerprinting. Actual text of OS Fingerprinting: root@kali:~# nmap -v -O scanme.nmap.org

Batch No : B2

Roll No : 78

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-08 08:03 IST Initiating Ping Scan at 08:03 Scanning scanme.nmap.org (45.33.32.156) [4 ports] Completed Ping Scan at 08:03, 0.01s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 08:03 Completed Parallel DNS resolution of 1 host. at 08:03, 0.28s elapsed Initiating SYN Stealth Scan at 08:03 Scanning scanme.nmap.org (45.33.32.156) [1000 ports] Discovered open port 22/tcp on 45.33.32.156 Discovered open port 80/tcp on 45.33.32.156 Discovered open port 31337/tcp on 45.33.32.156 Increasing send delay for 45.33.32.156 from 0 to 5 due to 30 out of 98 dropped probes since last increase. Increasing send delay for 45.33.32.156 from 5 to 10 due to 78 out of 258 dropped probes since last increase. Increasing send delay for 45.33.32.156 from 10 to 20 due to max_successful_tryno increase to 4 Increasing send delay for 45.33.32.156 from 20 to 40 due to 17 out of 56 dropped probes since last increase. Increasing send delay for 45.33.32.156 from 40 to 80 due to max_successful_tryno increase to 5 Increasing send delay for 45.33.32.156 from 80 to 160 due to max_successful_tryno increase to 6 Increasing send delay for 45.33.32.156 from 160 to 320 due to 11 out of 32 dropped probes since last increase. Increasing send delay for 45.33.32.156 from 320 to 640 due to max_successful_tryno increase to 7 SYN Stealth Scan Timing: About 21.28% done; ETC: 08:05 (0:01:55 remaining) Increasing send delay for 45.33.32.156 from 640 to 1000 due to max_successful_tryno increase to 8 SYN Stealth Scan Timing: About 21.18% done; ETC: 08:07 (0:03:47 remaining) Discovered open port 9929/tcp on 45.33.32.156 adjust_timeouts2: packet supposedly had rtt of 8188816 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8188816 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8188899 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8188899 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8185364 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8185364 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8185422 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8185422 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8190982 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8190982 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of 8185374 microseconds. Ignoring time.

Batch No : B2

adjust_timeouts2: packet supposedly had rtt of 8185374 microseconds. adjust_timeouts2: packet supposedly had rtt of 8193759 microseconds. adjust_timeouts2: packet supposedly had rtt of 8193759 microseconds. adjust_timeouts2: packet supposedly had rtt of 8201747 microseconds. adjust_timeouts2: packet supposedly had rtt of 8201747 microseconds. adjust_timeouts2: packet supposedly had rtt of 8201055 microseconds. adjust_timeouts2: packet supposedly had rtt of 8201055 microseconds. adjust_timeouts2: packet supposedly had rtt of 8196226 microseconds. adjust_timeouts2: packet supposedly had rtt of 8196226 microseconds. adjust_timeouts2: packet supposedly had rtt of 8195860 microseconds. adjust_timeouts2: packet supposedly had rtt of 8195860 microseconds. adjust_timeouts2: packet supposedly had rtt of 8200530 microseconds. adjust_timeouts2: packet supposedly had rtt of 8200530 microseconds. adjust_timeouts2: packet supposedly had rtt of 8195913 microseconds. adjust_timeouts2: packet supposedly had rtt of 8195913 microseconds. adjust_timeouts2: packet supposedly had rtt of 8198251 microseconds. adjust_timeouts2: packet supposedly had rtt of 8198251 microseconds. adjust_timeouts2: packet supposedly had rtt of 8198263 microseconds. adjust_timeouts2: packet supposedly had rtt of 8198263 microseconds. adjust_timeouts2: packet supposedly had rtt of 8198237 microseconds. adjust_timeouts2: packet supposedly had rtt of 8198237 microseconds. adjust_timeouts2: packet supposedly had rtt of 8200544 microseconds. adjust_timeouts2: packet supposedly had rtt of 8200544 microseconds. adjust_timeouts2: packet supposedly had rtt of 9270472 microseconds. adjust_timeouts2: packet supposedly had rtt of 9270472 microseconds. adjust_timeouts2: packet supposedly had rtt of 9270873 microseconds. adjust_timeouts2: packet supposedly had rtt of 9270873 microseconds. adjust_timeouts2: packet supposedly had rtt of 9270866 microseconds. adjust_timeouts2: packet supposedly had rtt of 9270866 microseconds. adjust_timeouts2: packet supposedly had rtt of 9271003 microseconds. adjust_timeouts2: packet supposedly had rtt of 9271003 microseconds. adjust_timeouts2: packet supposedly had rtt of 9271484 microseconds. adjust_timeouts2: packet supposedly had rtt of 9271484 microseconds. adjust_timeouts2: packet supposedly had rtt of 9274522 microseconds. adjust_timeouts2: packet supposedly had rtt of 9274522 microseconds. adjust_timeouts2: packet supposedly had rtt of 9275293 microseconds. adjust_timeouts2: packet supposedly had rtt of 9275293 microseconds. adjust_timeouts2: packet supposedly had rtt of 9275665 microseconds. adjust_timeouts2: packet supposedly had rtt of 9275665 microseconds. adjust_timeouts2: packet supposedly had rtt of 9276091 microseconds. adjust_timeouts2: packet supposedly had rtt of 9276091 microseconds. adjust_timeouts2: packet supposedly had rtt of 9276356 microseconds. adjust_timeouts2: packet supposedly had rtt of 9276356 microseconds. adjust_timeouts2: packet supposedly had rtt of 9276170 microseconds.

Roll No : 78

Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring time. Ignoring t...