
CN Exp 13 To 16 PDF

Computer networks laboratory

Uploaded by

Meghana
SIR C R REDDY COLLEGE OF ENGINEERING
CNLAB

EXPERIMENT No: 13

AIM: Introduction to Wireshark

Introduction
- What is a network trace?
- What is Wireshark?
- Some of the most useful parts of the UI
Packet Capture
- How do we capture packets?
Trace Analysis
- Individual Packet Analysis
- Filters

Introduction

Network Traffic Trace
- A recording of the network packets both received by and transmitted from a network interface.

What is a pcap file?
- pcap = Packet Capture
- File format originally designed for tcpdump/libpcap.
- Most widely used packet file format.

What is Wireshark?
- A graphical network packet analyzer.
- Found at http://www.wireshark.org
- The complete manual is located here.

What are some of its uses?
- Troubleshoot network problems.
- Learn network protocol internals.
- Debug protocol/program implementation.
- Examine network-related security issues.

[Figure: Wireshark main window showing the packet list, packet details and packet bytes panes]

Basic UI

File -> Open
- Opens a packet capture file.
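What File -> Open has to read, as an added example that is not part of the original lab sheet: a reader for the classic libpcap layout (a 24-byte file header, then a 16-byte header in front of every packet) that rejects records whose lengths disagree with the snapshot length or the file size. The sample capture is constructed in memory and the function names are this example's own.

```python
import struct

MAGIC_LE, MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # the same magic, seen in either byte order

def read_pcap(data):
    """Parse classic pcap bytes; return (file header dict, list of record dicts)."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (MAGIC_LE, MAGIC_BE):
        raise ValueError("not a classic pcap file")
    e = "<" if magic == MAGIC_LE else ">"          # byte order of the writing machine
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(e + "HHiIII", data[4:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        # The lengths come from the file itself, so validate them before use.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("record length inconsistent with snaplen or file size")
        records.append({"time": ts_sec + ts_usec / 1e6, "captured": incl_len,
                        "on_wire": orig_len, "bytes": data[off:off + incl_len]})
        off += incl_len
    return header, records

def build_sample(snaplen=96):
    """Constructed capture: a 62-byte frame kept whole and a 1514-byte frame cut to snaplen."""
    out = struct.pack("<IHHiIII", MAGIC_LE, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts_usec, frame in ((0, bytes(62)), (293139, bytes(1514))):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000, ts_usec, len(kept), len(frame)) + kept
    return out

if __name__ == "__main__":
    hdr, recs = read_pcap(build_sample())
    print(hdr)
    for r in recs:
        print(f"{r['time']:.6f}  {r['on_wire']} bytes on wire, {r['captured']} bytes captured")
```

The two lengths per record are what Wireshark reports as "bytes on wire" and "bytes captured" in the packet details pane.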
View -> Time Display Format
- Change the format of the packet timestamps in the packet list pane.
- Switch between absolute and relative timestamps.
- Change level of precision.

View -> Name Resolution
- Allow Wireshark to resolve names from addresses at different protocol layers.

Capture -> Interfaces
- Available network interfaces for capture.
- Total packets per interface.
- Packet rate per interface.

Capture -> Options
- Set various capture parameters.
- Promiscuous mode
  - On: record all packets reaching the interface.
  - Off: record only those packets directed to the host.

Analyze -> Follow TCP Stream
- Applies a filter to follow a single TCP conversation within the trace.
- Displays the reassembled data section of each packet in the conversation.
- Useful for debugging or analyzing any TCP based application layer protocol: HTTP, FTP, SSH, LDAP, SMTP, etc.

Statistics -> Protocol Hierarchy
- Presents descriptive statistics per protocol.
- Useful for determining the types, amounts, and relative proportions of protocols within a trace.

Statistics -> Conversations
- Generates descriptive statistics about each conversation for each protocol in the trace.

Statistics -> Flow Graph
- Generates a sequence graph for the selected traffic.
- Useful for understanding seq. and ack. calculations.

Packet Capture

Interface selection
- Select the interface from which to capture packets.
  - any: captures from all interfaces
  - lo: captures from the loopback interface (i.e. from localhost)
- Set the desired capture parameters under the options menu.

Start Capture
- Click the start button next to the desired interface.
- Captured traffic will be displayed in the packet list pane.

Stop Capture
- Select Capture -> Stop

Saving Capture
- Once the capture has been stopped select File -> Save As.
- From the save dialog you can specify file type and which packets to save via the packet range menu.

[Figure: Wireshark main window with the menu, packet list, packet details and packet bytes panes labelled]

Trace Analysis

Packet list
- Displays all of the packets in the trace in the order they were recorded.
- Columns
  - Time: the timestamp at which the packet crossed the interface.
  - Source: the originating host of the packet.
  - Destination: the host to which the packet was sent.
  - Protocol: the highest level protocol that Wireshark can detect.
  - Length: the length in bytes of the packet on the wire.
  - Info: an informational message pertaining to the protocol in the protocol column.

Packet list: Default Coloring
- Gray: TCP packets
- Black with red letters: TCP packets with errors
- Green: HTTP packets
- Light Blue: UDP packets
- Pale Blue: ARP packets
- Lavender: ICMP packets
- Black with green letters: ICMP packets with errors
- Colorings can be changed under View -> Coloring Rules

Individual Packet Analysis

[Figure: Wireshark window with the filter expression dialog listing protocols and fields such as HTTP request and response]

Filters

Compound Filters
- Filters can be composed of multiple tests joined with boolean connectives.
  - && : logical conjunction (i.e. AND)
  - || : logical disjunction (i.e. OR)
  - ! : logical negation (i.e. NOT)
- Supports the order of operations.

Regular Expressions
- Fields can be evaluated against a regular expression using the "matches" test.
- Uses Perl regex syntax.

Filter Text Box
- Green: valid filter
- Red: invalid filter
- Yellow: may produce unexpected results

Packet based filters
- Filters can be constructed on the basis of individual packets by right clicking on a packet and selecting either:
  - Prepare as filter: creates a filter.
  - Apply as filter: creates a filter and applies it to the trace.
  - Follow TCP Stream: creates a filter from a TCP packet's stream number and applies it to the trace.
Filter examples
- http.request - Display all HTTP requests.
- http.request || http.response - Display all HTTP requests and responses.
- ip.addr == 127.0.0.1 - Display all IP packets whose source or destination is 127.0.0.1.
- tcp.len < 100 - Display all TCP packets whose data length is less than 100 bytes.
- http.request.uri matches "(gif)$" - Display all HTTP requests in which the URI ends with "gif".
- dns.qry.name == "www.google.com" - Display all DNS queries for www.google.com.

EXPERIMENT No: 14

AIM: Run the Nmap scan

How to start Nmap and run a simple scan?

Nmap is a free and open-source utility used for network scanning and security auditing. Nmap can discover hosts and services on a computer network by sending packets and analyzing the responses. The utility is available on almost every OS: it is available for Windows, Linux and Mac.

Download Nmap

Download Nmap from the official website. In the case of Kali Linux and Parrot OS, it is already available, so you will not need to download the utility.

How to launch Nmap?

On Windows hosts you can simply install Nmap and run it from the desktop icon using administrator privileges. On Linux hosts there are 2 ways of doing it. In the case of Kali Linux and Parrot OS you can find the icon, click it to start, and later give it root privileges by entering your password. The other way is to simply run

    nmap --help

You can use it as a manual for the commands: just scroll down and head towards the examples.

How to do simple scans and be legal?

As already mentioned, scanning networks and websites using Nmap can be illegal; you need written permission to do so. So, to do scans that are legal you can use scanme.org. They allow you to perform scans on their website without any issues, but please read their conditions so that you do not harm their website.

Now let's see a simple example of a scan.
To do so, simply use the nslookup command followed by the website URL or address. If you do not know the IP address of the website, the command

    nslookup scanme.nmap.org

will give you its address. Once you have the address you can use it for scanning the network with nslookup "address"; the address should be written as the IP address which you found in the previous scan, without the quotes.

[Figure: terminal output of the nslookup command]

This is how you can do a simple network scan. You can also save your scans in a text file for simplicity by using the command

    nslookup 45.33.32.156 >> result.txt

[Figure: contents of result.txt, where 156.32.33.45.in-addr.arpa resolves to the name scanme.nmap.org]

Please note that Nmap is a very noisy scanning utility and you need to be anonymous and legal in some cases to do so. Please ensure that you use it for legal and educational purposes.

EXPERIMENT No: 15

AIM: Operating System Detection using Nmap

How to run Nmap scan? OS Detection in Nmap in Kali Linux

NMAP stands for Network Mapper, which is an open-source tool used for network exploration and security auditing. In comparison to this, a tool named Nessus is used by industry professionals. These tools are mainly used by cybersecurity experts and hackers. Its main purpose is:
- Provide the list of the live hosts.
- Find the open ports.
- The real-time information of a network.
- OS and port scanning.

The hackers and the cybersecurity experts need to know the Operating System of the machine. It becomes very easy to access a system if we know the specific open ports or the security holes of the system.

Network Mapper (NMAP)

NMAP has a database that helps in Operating System (OS) detection, but it is not automatically updated. The database used to detect an OS is located at "/usr/share/nmap/nmap-os-db".

Operating System (OS) detection is a very long and hectic process.
So, before we get our hands dirty we should know about the five separate probes that are performed to determine the OS. Each probe may consist of one or more packets. The response of the target system to each packet sent by the probe helps to determine the OS type.

The five different probes are:
- Sequence Generation
- ICMP Echo
- TCP Explicit Congestion Notification
- TCP
- UDP

1. Sequence Generation: The Sequence Generation probe consists of six packets that are sent 100 ms apart and are all TCP SYN packets. The result of all these packets will help in Operating System (OS) detection.

2. ICMP Echo: Two ICMP request packets are sent to the target system with different settings in the packet. The result of all these will help NMAP verify the OS type.

3. TCP Explicit Congestion Notification: Congestion is a slowdown that occurs when a lot of packets are generated and passed by a single router. The packets which are sent are mainly used to get back the responses from the target system. This helps to detect the OS because a specific OS returns a specific value and each OS handles a packet differently.

4. TCP: Six packets are sent during this probe. Some packets are sent to open or closed ports with specific packet settings, and by using the corresponding results we can determine the type of Operating System (OS). The TCP packets, which are sent with varying flags, are as follows:
- no flags
- SYN, FIN, URG, and PSH
- ACK
- SYN
- ACK
- FIN, PSH, and URG

5. UDP: The UDP probe consists of a single packet that is sent to a closed port. If the port used on the target system is closed and an ICMP Port Unreachable message is returned, it specifies that there is no firewall.
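How the Sequence Generation and TCP probes look from the monitored side, as an added example that is not part of the original lab sheet: a check over packet records for six pure SYNs spaced about 100 ms apart and for the unusual flag sets in the TCP probe list. The record layout, tolerance and function name are assumptions of this example, and the sample records are constructed.

```python
from collections import defaultdict

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20   # TCP flag bits

# Flag sets from the TCP probe list that ordinary clients do not send.
ODD_FLAGS = {0: "no flags", SYN | FIN | URG | PSH: "SYN+FIN+URG+PSH",
             FIN | PSH | URG: "FIN+PSH+URG"}

def find_os_probes(packets, gap=0.100, tol=0.030, burst=6):
    """packets: (time_s, src, dst, dport, tcp_flags) tuples sorted by time.
    Returns {(src, dst): [reason, ...]} for traffic shaped like the probes."""
    findings = defaultdict(list)
    syn_times = defaultdict(list)
    for t, src, dst, dport, flags in packets:
        if flags in ODD_FLAGS:
            findings[(src, dst)].append(f"{ODD_FLAGS[flags]} segment to port {dport}")
        elif flags == SYN:
            syn_times[(src, dst, dport)].append(t)
    for (src, dst, dport), times in syn_times.items():
        run = 1                                   # consecutive SYNs at the probe spacing
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if abs((cur - prev) - gap) <= tol else 1
            if run == burst:
                findings[(src, dst)].append(
                    f"{burst} SYNs about {round(gap * 1000)} ms apart to port {dport}")
    return dict(findings)

# Constructed records. 192.168.232.128 and 192.168.232.2 are the lab addresses used in
# this experiment (taken here as scanner and target); 192.168.232.50 is a made-up client
# retrying a connection at ordinary back-off intervals.
SCANNER, TARGET, CLIENT = "192.168.232.128", "192.168.232.2", "192.168.232.50"
SAMPLE = sorted(
    [(10.0 + 0.1 * i, SCANNER, TARGET, 80, SYN) for i in range(6)]
    + [(10.7, SCANNER, TARGET, 80, 0), (10.8, SCANNER, TARGET, 80, SYN | FIN | URG | PSH)]
    + [(10.9, SCANNER, TARGET, 1, FIN | PSH | URG)]
    + [(t, CLIENT, TARGET, 443, SYN) for t in (9.0, 10.0, 12.0, 16.0)]
)

if __name__ == "__main__":
    for pair, reasons in find_os_probes(SAMPLE).items():
        print(pair, reasons)
```

The retrying client is not reported because its SYNs are seconds apart, not 100 ms apart.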
OS detection using NMAP

Now we need to run the actual commands to perform OS detection using NMAP. First we will get the IP address of the host system, and then we will perform a scan to get all active devices on the network.

Step 1: Getting the IP of the System

    ifconfig

Step 2: List of active devices in the Network

    nmap -sn 192.168.232.128/24

Let's do a SYN scan with OS detection on one of the active IPs. Let's select IP: 192.168.232.2

    nmap -sS 192.168.232.2 -O

[Figure: scan output with OS details, reporting Running: VMware Player and OS details: VMware Player virtual NAT device]

Let's now perform an Aggressive scan to guess the OS.
- -sV stands for Service version.
- -A stands for Aggressive.

It will only display the likely Operating System (OS) of the host computer, expressed as a probability (percentage).

    nmap -sV 192.168.232.2 -A

[Figure: scan output showing the probability of the running OS]

EXPERIMENT No: 16

AIM: Introduction to NS2 Simulator

Network Simulator 2 (NS2): Features & Basic Architecture of NS2

1. What is NS2

NS2 stands for Network Simulator Version 2. It is an open-source event-driven simulator designed specifically for research in computer communication networks.

2. Features of NS2

1. It is a discrete event simulator for networking research.
2. It provides substantial support to simulate a bunch of protocols like TCP, FTP, UDP, https and DSR.
3. It simulates wired and wireless networks.
4. It is primarily Unix based.
5. Uses TCL as its scripting language.
6. OTcl: Object oriented support
7. TclCL: C++ and OTcl linkage
8. Discrete event scheduler

3. Basic Architecture

NS2 consists of two key languages: C++ and Object-oriented Tool Command Language (OTcl). While the C++ defines the internal mechanism (i.e., a backend) of the simulation objects, the OTcl sets up simulation by assembling and configuring the objects as well as scheduling discrete events.
The C++ and the OTcl are linked together using TclCL.

ii)

After the following lines in the declaration of the routing agent class

    /* The Routing Agent */
    class AODV: public Agent {
    ...
    /*
     * History management
     */
    double PerHopTime(aodv_rt_entry *rt);

add the following line

    bool malicious;

With this variable we are trying to define whether the node is malicious or not. In aodv.cc after

    AODV::AODV(nsaddr_t id) : Agent(PT_AODV), btimer(this), htimer(this), ntimer(this), rtimer(this), lrtimer(this), rqueue() {
    index = id;
    seqno = 2;
    bid =

add the following line

    malicious = false;

The above code is needed to initialize, and all nodes are initially not malicious. Then we will write code to catch which node is set as malicious. In aodv.cc after

    if(argc == 2) {
      Tcl& tcl = Tcl::instance();

      if(strncasecmp(argv[1], "id", 2) == 0) {
        tcl.resultf("%d", index);
        return TCL_OK;
      }

add the following lines

    if(strcmp(argv[1], "hacker") == 0) {
      malicious = true;
      return TCL_OK;
    }

Now we will do some work in TCL to set a malicious node. Using the script in my post, we add the following line to set node 5 as the malicious node.

    $ns at 0.0 "[$mnode_(5) set ragent_] hacker"

You may add this line after

    for {set i 0} {$i < $val(nn)} { incr i } {
      $ns initial_node_pos $mnode_($i) 10
    }

Alright, we have set the malicious node but we did not tell the malicious node what to do. As is known, the rt_resolve(Packet *p) function is used to select the next hop node when routing data packets. So, we tell the malicious node to just drop any packet it receives. To do that, after

    /*
     * Route Handling Functions
     */
    void
    AODV::rt_resolve(Packet *p) {
    struct hdr_cmn *ch = HDR_CMN(p);
    struct hdr_ip *ih = HDR_IP(p);
    aodv_rt_entry *rt;

we add a few lines

    // if I am malicious node
    if (malicious == true) {
      drop(p, DROP_RTR_ROUTE_LOOP);
      // DROP_RTR_ROUTE_LOOP is added for no reason.
      return;  // the packet has been dropped, so do not route it further
    }
ii) Simulate to Find the Number of Packets Dropped by TCP/UDP

We can simulate a TCP/UDP client using a useful tool called Netcat, so you can establish a connection using your computer's own terminal.

So, how does the client-server model work within the Internet of Things? The client is the device that initiates communication. The server is Ubidots (or any other server connection), which will accept connections and manage data transfers over a simple protocol like TCP or UDP.

To learn more about managing your data with Ubidots, find out how to send data to Ubidots over TCP or UDP.
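Counting dropped packets after a run with the malicious AODV node from the previous part, as an added example that is not part of the original lab sheet: a tally of sends, receives and drops per node from an NS2 trace. It assumes the old wireless trace format and that DROP_RTR_ROUTE_LOOP is written as the reason string "LOOP"; the trace lines are constructed and the function names are this example's own.

```python
from collections import Counter

# Constructed lines in the layout of NS2's old wireless trace format:
#   event time _node_ layer reason packet_id type size [mac] ------- [ip] ...
# Assumption: the trace writes DROP_RTR_ROUTE_LOOP as the reason string "LOOP".
SAMPLE_TRACE = """\
s 1.000000000 _0_ AGT  --- 0 cbr 512 [0 0 0 0] ------- [0:0 9:0 32 0] [0] 0 0
r 1.004512000 _5_ RTR  --- 0 cbr 532 [13a 5 0 800] ------- [0:0 9:0 30 5] [0] 1 0
D 1.004512000 _5_ RTR  LOOP 0 cbr 532 [13a 5 0 800] ------- [0:0 9:0 30 5] [0] 1 0
s 1.100000000 _0_ AGT  --- 1 cbr 512 [0 0 0 0] ------- [0:0 9:0 32 0] [0] 1 0
D 1.104498000 _5_ RTR  LOOP 1 cbr 532 [13a 5 0 800] ------- [0:0 9:0 30 5] [0] 1 0
s 1.200000000 _0_ AGT  --- 2 cbr 512 [0 0 0 0] ------- [0:0 9:0 32 0] [0] 2 0
r 1.213377000 _9_ AGT  --- 2 cbr 532 [13a 9 3 800] ------- [0:0 9:0 29 9] [0] 2 0
s 1.300000000 _0_ AGT  --- 3 cbr 512 [0 0 0 0] ------- [0:0 9:0 32 0] [0] 3 0
D 1.302210000 _3_ IFQ  ARP 3 cbr 532 [0 0 3 800] ------- [0:0 9:0 30 9] [0] 3 0
M 1.500000000 2 (10.00, 20.00, 0.00), (30.00, 40.00), 5.00
"""

def drop_report(trace_text, pkt_type="cbr"):
    """Tally data packets sent/received at the agent layer and drops per (node, layer, reason)."""
    sent = received = 0
    drops = Counter()
    for line in trace_text.splitlines():
        f = line.split()
        # Skip movement lines, other packet types and anything too short to be a packet event.
        if len(f) < 8 or f[0] not in ("s", "r", "D") or f[6] != pkt_type:
            continue
        event, node, layer, reason = f[0], int(f[2].strip("_")), f[3], f[4]
        if event == "s" and layer == "AGT":
            sent += 1
        elif event == "r" and layer == "AGT":
            received += 1
        elif event == "D":
            drops[(node, layer, reason)] += 1
    ratio = received / sent if sent else 0.0
    return {"sent": sent, "received": received, "delivery_ratio": ratio, "drops": drops}

def suspect_nodes(report, reason="LOOP", share=0.25):
    """Nodes whose routing-layer drops with `reason` reach `share` of all packets sent."""
    per_node = Counter()
    for (node, layer, why), n in report["drops"].items():
        if layer == "RTR" and why == reason:
            per_node[node] += n
    sent = report["sent"]
    return sorted(node for node, n in per_node.items() if sent and n / sent >= share)

if __name__ == "__main__":
    rep = drop_report(SAMPLE_TRACE)
    print(rep)
    print("suspect nodes:", suspect_nodes(rep))
```

Comparing the delivery ratio with and without the malicious node set shows how much traffic node 5 absorbs.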
