Cyber Security Lab Course Guide


Galgotias College of Engineering and Technology

Plot no. 1, Knowledge Park -II, Greater Noida, G.B. Nagar, U.P. 201310

Department of Computer Science & Engineering

B.Tech (Session 2018-19)

Even-Semester

Cyber Security Workshop

LAB(BCS-453)

L T P
0 0 2



Course Outcomes

Subject Name: Cyber Security Workshop Lab Subject code: BCS-453

After completing this course, students are expected to be able to:

1. Explain the basic concepts of network devices and connectivity.

2. Analyze network traffic using the Wireshark tool.

3. Design and configure a network using Cisco Packet Tracer.


List Of Experiments

S.No  Name of the practical
1     Introduction to Packet Tracer / Packet Sniffer / Wireshark
2     To study network connecting devices
3     Verify the connectivity of your workstation to the internet
4     To analyze TCP using Wireshark
5     To analyze UDP using Wireshark
6     To analyze IP using Wireshark
7     To analyze NAT using Wireshark
8     To analyze DHCP using Wireshark
9     To analyze ICMP using Wireshark
10    To analyze Ethernet and ARP using Wireshark
11    To study HTTP using Wireshark
12    To analyze DNS using Wireshark


Program No. 1
Objective: Introduction to Packet Tracer/Packet Sniffer/Wireshark.

PROGRAM DEFINITION: A packet sniffer captures the messages exchanged between a sender and a
receiver and decodes them layer by layer (link, network, transport, application) according to
the Open Systems Interconnection model.

PROGRAM DESCRIPTION:
In this first lab, you’ll get acquainted with Packet Tracer/Packet Sniffer/Wireshark and make some
simple packet captures and observations.
The basic tool for observing the messages exchanged between executing protocol entities is called a packet
sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received from/by
your computer; it will also typically store and/or display the contents of the various protocol fields in these
captured messages. A packet sniffer itself is passive. It observes messages being sent and received by
applications and protocols running on your computer, but never sends packets itself. Similarly, received
packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of
packets that are sent/received from/by application and protocols executing on your machine.
Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case,
Internet protocols) and applications (such as a web browser or ftp client) that normally run on your
computer. The packet sniffer, shown within the dashed rectangle in Figure 1 is an addition to the usual
software in your computer, and consists of two parts. The packet capture library receives a copy of every
link-layer frame that is sent from or received by your computer. Recall from the discussion from section
1.5 in the text (Figure 1.24) that messages exchanged by higher layer protocols such as HTTP, FTP, TCP,
UDP, DNS, or IP all are eventually encapsulated in link-layer frames that are transmitted over physical
media such as an Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all upper-
layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus
gives you all messages sent/received from/by all protocols and applications executing in your computer.

Figure 1: Packet sniffer structure

The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields
within a protocol message. In order to do so, the packet analyzer must “understand” the structure of all
messages exchanged by protocols. For example, suppose we are interested in displaying the various
fields in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the
format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also
understands the IP datagram format, so that it can extract the TCP segment within the IP datagram.
It then understands the TCP segment structure, so it can extract the HTTP message contained in the
TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes
of an HTTP request will contain the string “GET,” “POST,” or “HEAD,” as shown in Figure 2.8 in the
text.
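As an added example (not part of the original lab text), the following Python dissector does in a few dozen lines what the paragraph above describes: it peels a constructed Ethernet frame down to the HTTP request line by reading each layer's "next protocol" and length fields. The frame, its MAC and IP addresses and its ports are made up for the example; real captures also contain VLAN tags, IP options, IPv6 and fragments, which this code does not handle. Because a dissector parses untrusted bytes, every slice is length-checked first.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_sample_frame() -> bytes:
    """Constructed sample: an Ethernet frame carrying IPv4 / TCP / HTTP GET.

    MAC addresses, IP addresses and ports are made up for the example;
    checksums are left at zero because nothing here verifies them.
    """
    http = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, protocol, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes([192, 168, 1, 102]), bytes([128, 119, 245, 12])) + tcp
    # Ethernet: dst MAC, src MAC, EtherType
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip


def dissect(frame: bytes) -> dict:
    """Peel the frame layer by layer, as the analyzer in Figure 1 does.

    Each header says how to find the next: EtherType -> IPv4, IP protocol -> TCP,
    TCP data offset -> payload, first token of the payload -> HTTP method.
    """
    out = {}
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out["eth"] = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out                              # ARP, IPv6, ...: not handled here

    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("bad IPv4 length fields")
    out["ip"] = {"src": ".".join(map(str, ip[12:16])),
                 "dst": ".".join(map(str, ip[16:20])), "proto": ip[9]}
    if ip[9] != PROTO_TCP:
        return out

    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    payload = tcp[data_off:]
    out["tcp"] = {"sport": sport, "dport": dport, "payload_len": len(payload)}

    # HTTP: a request is recognised by its first token, exactly as the text says.
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD"):
        out["http"] = {"method": method.decode("ascii"),
                       "request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace")}
    return out


if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```

Wireshark does the same job with hundreds of dissectors chained together; the point of the toy is that each layer is found only through the header of the layer below it, which is why a capture at the link layer yields every protocol above it.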
We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for these labs, allowing us to
display the contents of messages being sent/received from/by protocols at different levels of the protocol
stack. (Technically speaking, Wireshark is a packet analyzer that uses a packet capture library in your
computer). Wireshark is a free network protocol analyzer that runs on Windows, Linux/Unix, and Mac
computers. It’s an ideal packet analyzer for our labs – it is stable, has a large user base and well-
documented support that includes a user-guide (http://www.wireshark.org/docs/wsug_html_chunked/),
Practical no. 2

Objective: To study network connecting devices.

Passive Hubs
A passive hub is just a connector. It connects the wires coming from different
branches. In a star-topology Ethernet LAN, a passive hub is just a point where the
signals coming from different stations collide; the hub is the collision point. This
type of a hub is part of the media; its location in the Internet model is below the
physical layer.
Repeaters
A repeater is a device that operates only in the physical layer. Signals that carry
information within a network can travel a fixed distance before attenuation
endangers the integrity of the data. A repeater receives a signal and, before it
becomes too weak or corrupted, regenerates the original bit pattern. The repeater
then sends the refreshed signal.

Figure : A repeater connecting two segments of a LAN

A repeater does not actually connect two LANs; it connects two segments of the same LAN.
The segments connected are still part of one single LAN. A repeater is not a device that can
connect two LANs of different protocols.

A repeater connects segments of a LAN.


A repeater forwards every frame; it has no filtering capability.
A repeater is a regenerator, not an amplifier.

Active Hubs
An active hub is actually a multiport repeater. It is normally used to create connections
between stations in a physical star topology. We have seen examples of hubs in some
Ethernet implementations (10Base-T, for example). However, hubs can also be used to
create multiple levels of hierarchy, as shown in the figure. The hierarchical use of hubs
removes the length limitation of 10Base-T (100 m).
Bridges
A bridge operates in both the physical and the data link layer. As a physical layer device, it
regenerates the signal it receives. As a data link layer device, the bridge can check the
physical (MAC) addresses (source and destination) contained in the frame.

Transparent Bridges
A transparent bridge is a bridge in which the stations are completely unaware of the
bridge's existence. If a bridge is added or deleted from the system, reconfiguration of the
stations is unnecessary. According to the IEEE 802.1D specification, a system equipped
with transparent bridges must meet three criteria:

1. Frames must be forwarded from one station to another.

2. The forwarding table is automatically made by learning frame movements in the network.

3. Loops in the system must be prevented.

Two-Layer Switches
When we use the term switch, we must be careful because a switch can mean two different
things. We must clarify the term by adding the level at which the device operates. We can
have a two-layer switch or a three-layer switch. A three-layer switch is used at the
network layer; it is a kind of router. The two-layer switch performs at the physical and
data link layers.

A two-layer switch is a bridge, a bridge with many ports and a design that allows better
(faster) performance. A bridge with a few ports can connect a few LANs together. A bridge
with many ports may be able to allocate a unique port to each station, so that each station
is on its own independent segment (collision domain). This means no competing traffic (no
collisions, as we saw in Ethernet).
A two-layer switch, as a bridge does, makes a filtering decision based on the MAC address
of the frame it received. However, a two-layer switch can be more sophisticated. It can have
a buffer to hold the frames for processing (store-and-forward) and a switching fabric that
forwards the frames faster. Some two-layer switches, called cut-through switches, have been
designed to forward a frame as soon as they have read the destination MAC address in its
header, before the rest of the frame (and its CRC) has arrived.
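To make the difference between a hub, which repeats everything, and a transparent bridge or two-layer switch, which learns and filters, concrete, here is an added Python simulation that is not part of the original text. Ports, MAC addresses and the frame sequence are constructed for the example; loop prevention (spanning tree, the third 802.1D criterion) is left out. The sniffer-port count at the end shows why a packet sniffer plugged into a switch port sees only flooded and broadcast frames, a point Program 6 returns to.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Active hub (multiport repeater): every frame is regenerated out of every other port.

    It never looks at addresses, so every attached station receives every frame.
    """

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        return self.ports - {in_port}


class LearningSwitch:
    """Transparent bridge / two-layer switch: forwards, learns, and filters.

    The table is built only from source addresses seen on each port (criterion 2);
    a destination not yet learned, or a broadcast, is flooded like a hub would.
    """

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}   # MAC address -> port, learned from source addresses

    def forward(self, in_port, src, dst):
        self.table[src] = in_port                      # learning: remember where src lives
        if dst == BROADCAST or dst not in self.table:  # unknown or broadcast: flood
            return self.ports - {in_port}
        out = self.table[dst]
        return set() if out == in_port else {out}     # filtering: same port, drop


def replay(device, frames):
    """Run (in_port, src, dst) frames through a device; return the output ports for each."""
    return [device.forward(*f) for f in frames]


def frames_seen_by_sniffer(device, frames, sniffer_port):
    """Count how many of the frames a sniffer attached to sniffer_port would capture."""
    return sum(1 for out in replay(device, frames) if sniffer_port in out)


# Constructed traffic: PC1 on port 1, PC2 on port 2, PC3 on port 3; port 4 holds the sniffer.
PC1, PC2, PC3 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
FRAMES = [
    (1, PC1, PC2),        # PC2 not yet learned: flooded
    (2, PC2, PC1),        # PC1 already learned: port 1 only
    (1, PC1, PC2),        # PC2 now learned: port 2 only
    (3, PC3, BROADCAST),  # e.g. an ARP request: always flooded
]

if __name__ == "__main__":
    print("hub   :", replay(Hub([1, 2, 3, 4]), FRAMES))
    print("switch:", replay(LearningSwitch([1, 2, 3, 4]), FRAMES))
    for dev in (Hub, LearningSwitch):
        print(dev.__name__, "sniffer on port 4 sees",
              frames_seen_by_sniffer(dev([1, 2, 3, 4]), FRAMES, 4), "of", len(FRAMES))
```

With the hub the sniffer on port 4 receives all four frames; with the switch it receives only the two that were flooded (the first frame, whose destination was unknown, and the broadcast). Everything else is delivered to exactly one port.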
Routers
A router is a three-layer device that routes packets based on their logical addresses (host-
to-host addressing). A router normally connects LANs and WANs in the Internet and has a
routing table that is used for making decisions about the route. The routing tables are
normally dynamic and are updated using routing protocols.

Three-Layer Switches
A three-layer switch is a router, but a faster and more sophisticated one. The switching fabric in
a three-layer switch allows faster table lookup and forwarding. Here we use the terms router
and three-layer switch interchangeably.

Gateway
A gateway is normally a computer that operates in all five layers of the Internet or seven
layers of OSI model. A gateway takes an application message, reads it, and interprets it.
This means that it can be used as a connecting device between two internetworks that use
different models. For example, a network designed to use the OSI model can be connected
to another network using the Internet model. The gateway connecting the two systems can
take a frame as it arrives from the first system, move it up to the OSI application layer, and
remove the message.
Practical no. 3
Objective: Verify the connectivity of your workstation to the internet.

Experiment
1. Verify the connectivity of your workstation to the internet.
2. Open the Command Prompt of the operating system using either of the following
methods:
Click on Start > All Programs > Accessories > Command Prompt or
Click on Start > Run, enter cmd (short for command) and click on ok.
A Command Prompt screen should open.
3. Gather TCP/IP configuration information: Type ipconfig (short for IP configuration)
and press Enter. The screen will show the IP address, subnet mask, and default
gateway for your computer’s connection.
Notice the values in the Command Prompt. The IP address and the default gateway must be
in the same network or subnet, otherwise this host cannot communicate outside its network.
In general the two are in the same subnet when (IP address AND subnet mask) equals
(default gateway AND subnet mask). In Fig. 3 the subnet mask is 255.255.255.0, so the first
three octets of the IP address and of the default gateway must be the same.

Figure 3. The TCP/IP configuration information of a workstation

4. Check more detailed TCP/IP configuration information: Type ipconfig /all and
press Enter. What are the DNS and DHCP server addresses? What are their
functions? What is the MAC of the network interface card?
5. Ping the IP address of another computer. Note that ping only succeeds if the other PC's
host firewall allows inbound ICMP Echo Request, and tracert depends on the routers along
the path answering too. Why do you think this is so? Rather than disabling the firewall
altogether, add a rule that permits ICMP Echo Request. Ask the IP address of the
workstation that is being used by another group of students. Then type ping, a space, and
the IP address that you received, then press Enter. Notice the output. Fig. 4 shows a
successful result of a ping to a given IP address.

Figure 4. A successful result of a ping to a certain IP address

6. Ping the IP address of the gateway router from the details observed in the output of
step 4 above. If the ping is successful, there is IP connectivity to the router on the local
network and probably to the rest of the world.
7. Ping the loopback IP address of your computer. Type the following command: ping
127.0.0.1. The IP address 127.0.0.1 is reserved for loopback testing. If the ping is
successful, then TCP/IP is properly installed and functioning on this computer. Note that
this packet never leaves the host, so it tests only the local stack, not the network card or
the cable.
8. You can also ping by name, for example a website. Type ping, a space and www.cisco.com,
then press Enter. Notice the output. A DNS server resolves the name to an IP address, so
the ping succeeds only if a DNS server is reachable.
9. Ping www.ee.uct.ac.za and observe the results. Is there a difference in time between
the results shown by pinging www.cisco.com and www.ee.uct.ac.za? If so, why, and if
not, why not?
10. Trace the route to the Cisco website. Type tracert www.cisco.com and press Enter.
In a successful output you will see a list of the routers the tracert probes passed through
on the way to the destination. A hop shown as * did not answer within the timeout (often
because it rate-limits or filters ICMP); the listing is therefore not always complete.
11. Trace the route to the website of the Department of Electrical Engineering. Type
tracert www.ee.uct.ac.za and press Enter. The output should show fewer hops and take
less time than that of step 10.

Figure 5. A traceroute output
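The subnet check in step 3 is stated for a 255.255.255.0 mask only. As an added example that is not part of the original lab, the following Python parses a constructed ipconfig listing (adapter names and addresses made up) and applies the general rule, (IP AND mask) equal to (gateway AND mask), which also catches the case where the first three octets match but the mask is longer than /24. It also flags an APIPA address (169.254.x.x), the usual sign in step 4 that the DHCP server never answered.

```python
import ipaddress
import re

# Constructed sample of `ipconfig` output; adapter names and addresses are made up.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lab.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.102
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Label as printed by ipconfig -> key used here ("IP Address" is the older XP label)
FIELDS = {"IPv4 Address": "ip", "IP Address": "ip",
          "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text):
    """Return {adapter name: {'ip', 'mask', 'gateway'}} from plain ipconfig output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\S.*?adapter (.+):\s*$", line)      # "Ethernet adapter X:"
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = re.match(r"^\s+(IPv4 Address|IP Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)",
                     line)
        if m and current is not None:
            adapters[current][FIELDS[m.group(1)]] = m.group(2)
    return adapters


def same_subnet(ip, mask, gateway):
    """The general rule behind 'first three octets must match': compare under the mask."""
    network = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(gateway) in network


def check_adapter(cfg):
    """Explain why an adapter cannot reach beyond its own LAN, or report 'ok'."""
    missing = [k for k in ("ip", "mask", "gateway") if not cfg.get(k)]
    if missing:
        return "incomplete configuration: missing " + ", ".join(missing)
    if ipaddress.IPv4Address(cfg["ip"]).is_link_local:   # 169.254.x.x: DHCP never answered
        return "APIPA address: no DHCP lease obtained"
    if not same_subnet(cfg["ip"], cfg["mask"], cfg["gateway"]):
        return "default gateway is outside the host's subnet"
    return "ok"


if __name__ == "__main__":
    for name, cfg in parse_ipconfig(SAMPLE_IPCONFIG).items():
        print(f"{name}: {check_adapter(cfg)}")
```

Run it against real output with `ipconfig | python check_ipconfig.py` after replacing the constant with `sys.stdin.read()`; the parser only looks at the four labelled lines, so the extra lines printed by `ipconfig /all` do not disturb it.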


Program No.4
Objective: Implementation of the IPCONFIG network command

IPCONFIG (Internet Protocol configuration) displays and manages the TCP/IP configuration of
the adapters on a Windows host.

Syntax:
IPCONFIG /all: Display full configuration information.
IPCONFIG /release [adapter]: Release the IP address for the specified adapter.
IPCONFIG /renew [adapter]: Renew the IP address for the specified adapter.
IPCONFIG /flushdns: Purge the DNS Resolver cache.
IPCONFIG /registerdns: Refresh all DHCP leases and re-register DNS names.
IPCONFIG /displaydns: Display the contents of the DNS Resolver Cache.
IPCONFIG /showclassid adapter: Display all the DHCP class IDs allowed for the adapter.
IPCONFIG /setclassid adapter [classid]: Modify the DHCP class ID.

If the adapter name contains spaces, use quotes: "Adapter Name". The wildcard characters *
and ? are allowed; see the examples below. The default (no option) is to display only the IP
address, subnet mask and default gateway for each adapter bound to TCP/IP.
For Release and Renew, if no adapter name is specified, then the IP address leases for all
For Setclassid, if no ClassId is specified, then the ClassId is removed.
Note that /displaydns is also useful when investigating a host: it lists the names this machine
has recently resolved, until someone runs /flushdns.

Examples:

ipconfig ... Show information.
ipconfig /all ... Show detailed information.
ipconfig /renew ... Renew all adapters.
ipconfig /renew EL* ... Renew any connection whose name starts with EL.
ipconfig /release *Con* ... Release all matching connections, e.g. "Local Area
Connection 1" or "Local Area Connection 2".
ipconfig /setclassid "Local Area Connection" TEST ... Set the DHCP class ID for
the named adapter to TEST.
Program No.5

OBJECTIVE: To implement a network using Cisco Packet Tracer.

THEORY: Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team
at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the
various protocols used in networking, in either Real Time or Simulation mode. This
includes layer 2 protocols such as Ethernet and PPP, layer 3 protocols such as IP, ICMP, and
ARP, and layer 4 protocols such as TCP and UDP. Routing protocols can also be traced.

Steps to simulate a network:

Step 1: Start Packet Tracer You will see the start screen as shown below.

Step 2: Choose “Hub” and then select “Generic”.

Step 3: After selecting “Generic”, click on the main area. You will see a Hub.

Step 4: Select “End Devices” and then click on “Generic”.

Choosing Devices and Connections
We will begin building our network topology by selecting devices and the media with which
to connect them. Several types of devices and network connections can be used.

Step 6: Select “Connections” (beside the Power Cycle Devices button) and click on
“Automatically Choose Connection Type”.

Step 7: Draw connections from the Hub to the PCs.

Step 8: Double-click on a PC; a box will appear. Click on the “Desktop” tab.

Step 9: Then select “IP Configuration”.

Step 10: Write the IP address of your network and click in the Subnet Mask field. The Subnet
Mask will appear automatically.

Step 11: Repeat Step 10 to set the IPs for all the PCs.

Step 12: Select “Add simple message” (the Add Simple PDU envelope icon).

Step 13: Drag and drop the message onto the source device and then onto the destination device.
In this case my source device is PC1 and destination device is PC4.

Step 14: Select Simulation Mode at the bottom right corner.

Step 15: Click on “Auto Capture / Play”.

Step 16: Observe the path of the message: from the source to the Hub, then to all devices (the
hub is a repeater and copies every frame out of every port; only the destination accepts it and the
other PCs discard it), and then from the destination back to the Hub and back to the source.
This is also why a sniffer attached to a hub sees every station's traffic.

Step 17: Finally observe the marks. If the source PC is marked correct it means you have
successfully established the connection.

Conclusion: Connection established successfully between Source and Destination.

Screenshots: Figures 1 to 17 show the result of Steps 1 to 17 respectively (there is no
figure for Steps 11 and 13).
Program No.6

OBJECTIVE: To study packet information with the Wireshark packet analyzer.

THEORY
Wireshark is a tool that allows packet traces to be sniffed, captured and analysed. Before
Wireshark (or in general, any packet capture tool) is used, careful consideration should be
given to where in the network packets are to be captured. Refer to the capture setup pages
in the wireshark.org wiki for technical details on various deployment scenarios. If it is
unclear which deployment scenario should be used to capture traces for a particular
problem, consider opening a service request with Novell Technical Services for assistance.

Obtain appropriate Wireshark package


Obtain a Wireshark package or installer for the operating system running on the system
which is to be used for packet capture.

Wireshark is included in Novell's SUSE Linux products (for some products, under its old
name, Ethereal). For other platforms, download a binary or installer from
http://www.wireshark.org. With installers, ensure all product components are selected for
installation.

Start Wireshark
Start Wireshark. On a Linux or Unix environment, select the Wireshark or Ethereal entry in
the desktop environment's menu, or run "wireshark" (or "ethereal") from a terminal emulator.
Capturing needs raw access to the interface, but running the whole GUI, with all its
dissectors parsing untrusted packets, as root is unwise: current Linux packages let you add
your user to the "wireshark" group so that only the small dumpcap capture helper runs with
privileges. In a Microsoft Windows environment, launch wireshark.exe from
C:\Program Files\Wireshark.
Note that on Un*x systems, a non-GUI version of Wireshark called "tshark" (or "tethereal")
may be available as well, but its use is beyond the scope of this document.
Configure Wireshark
After starting Wireshark, do the following:
1. Select Capture | Interfaces.
2. Select the interface on which packets need to be captured.
3. If capture options need to be configured, click the Options button for the chosen
interface. Note the following recommendations for traces that are to be analysed by
Novell Technical Services:
• Capture packets in promiscuous mode: This option makes the adapter accept all
traffic it sees, not just traffic addressed to this workstation. It should be enabled. (On a
switched network the adapter still only sees the frames the switch sends to its port; see
the note under step 6.)
• Limit each packet to: Leave this option unset. Novell Support will always want to see
full frames.
• Filters: Generally, Novell Support prefers an unfiltered trace. For documentation on
filters, please refer to TID 10084702 - How to configure a capture filter for Ethereal
(formerly NOVL90720).
• Capture file(s): This allows a file to be specified for the packet capture. By default
Wireshark uses temporary files and memory to capture traffic. Specify a file for
reliability.
• Use multiple files, Ring buffer with: Use these options when Wireshark needs to be
left running and capturing data for a long period of time. The number of files is
configurable; when a file fills up, the capture wraps to the next file. A file name must be
specified if the ring buffer is to be used.
• Stop capture after xxx packet(s) captured: Novell Technical Support would most
likely never use this option. Leave disabled.
• Stop capture after xxx kilobyte(s) captured: Likewise, leave disabled.
• Stop capture after xxx second(s): Likewise, leave disabled.
• Update list of packets in real time: Disable this option if the problem being
investigated is occurring on the same workstation where Wireshark is running.
• Automatic scrolling in live capture: Wireshark will scroll the window so that the
most recent packet is displayed.
• Hide capture info dialog: Disable this option so that you can view the count of
packets being captured for each protocol.
• Enable MAC name resolution: Wireshark contains a table that resolves MAC address
prefixes to vendors. Leave enabled.
• Enable network name resolution: Wireshark will issue DNS queries to resolve IP
addresses to host names, and will also attempt to resolve network names for other
protocols. Leave disabled: the lookups slow the display, add traffic of their own to the
capture, and send every address in your trace to your DNS server, which discloses what
you are analysing.
• Enable transport name resolution: Wireshark will attempt to resolve port numbers
to service names. Leave disabled.
4. Now click the Start button to start the capture.
5. Recreate the problem. The capture dialog should show the number of packets
increasing. If not, stop the capture. Examine the interface list and pick the one that is
not associated with the WAN IP; on Windows it will probably be shown as a long
alphanumeric string (the interface GUID). If packets are still not being captured, try
removing any filters that have been defined.
6. Once the problem which is to be analyzed has been reproduced, click on Stop. It
might take a few seconds for Wireshark to display the packets captured.

If the destination address is always displayed as FFFFFFFF (IPX) or is always the IP
subnet's broadcast address (for a /24 network, an address ending in .255) then all that has
been captured is broadcast traffic. This is a useless trace. This usually occurs when another
machine is being traced (for example, starting the trace while the target machine is
powered off in order to capture the bootup process). A switch only sends a port the frames
addressed to that port plus broadcasts and floods, so the capture setup needs to be
reconsidered: port mirroring (a SPAN port) on the switch may need to be set up, or a dumb
hub may need to be used to make the traffic reach the sniffing system. (Some devices
advertised as "hubs" are in fact switches that may have the intelligence to prevent the
workstations from seeing each other's packets; with these, getting a good trace may not be
possible.)
The Wireshark website has a good FAQ on this subject. Please refer to
http://www.wireshark.org/faq.html#q7.1
7. Save the packet trace in any supported format: click on the File menu and select
Save As. Older Wireshark versions save in libpcap format by default, giving a file with a
.pcap extension; current versions default to pcapng, so pick the pcap format explicitly if
the recipient's tools need it. Use libpcap format for files sent to Novell.
8. Create a trace_info.txt file with the IP and MAC addresses of the machines that are
being traced, as well as any pertinent information, such as:
• What is the problem? (When did it start? Steps to reproduce? Any other pertinent
information.)
• What steps were traced?
• The names of the servers and files being accessed.
• If analysis of the trace has already been attempted, provide Novell Support with the
analysis notes. For example: packets 1-30 are boot, packets 31-500 are login, packets 501
to 1,000 are my application loading, packets 1,001 to 1,500 are me saving my file, and the
error occurred at approximately packet 1,480.
• The MAC addresses of the hardware involved (workstation, servers, printers, ...).
• What is the workstation OS and configuration?
• What version of client software is running?
• If it works with one version of the client (or a particular server patch), then get a trace
of it working and a trace of it not working.
• For Novell Client issues: are there any client patches loaded?
• For Novell servers: what version of NetWare/OES (and other relevant products, e.g.
ZEN or NDPS) is running on the server?
• What patches have been applied?
• What is the configuration of the network? Are there routers involved? If so, what kind
of routers?
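Steps 6 and 7 describe recognising a broadcast-only trace and saving in libpcap format. The following Python, added here and not part of the original document, writes and reads the classic pcap container by hand and runs the broadcast-only check over a constructed three-frame capture (all addresses made up). It generalises the ".255" rule to any subnet mask (host bits all ones); it does not read pcapng, which is what current Wireshark writes by default.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
BROADCAST_MAC = b"\xff" * 6


def write_pcap(path, frames, linktype=LINKTYPE_ETHERNET):
    """Write (timestamp, frame) pairs as a classic libpcap file (the .pcap format)."""
    with open(path, "wb") as f:
        # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for ts, frame in frames:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            # record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (timestamp, frame) from a classic pcap file of either byte order."""
    with open(path, "rb") as f:
        header = f.read(24)
        if len(header) < 24:
            raise ValueError("file too short for a pcap global header")
        magic = struct.unpack("<I", header[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == 0xD4C3B2A1:
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng is a different format)")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            sec, usec, caplen, _origlen = struct.unpack(endian + "IIII", rec)
            yield sec + usec / 1_000_000, f.read(caplen)


def is_broadcast(frame, subnet_mask="255.255.255.0"):
    """Ethernet broadcast, or an IPv4 destination whose host bits are all ones under the mask.

    This is the general form of the page's "ends in .255" rule, which only holds for a /24.
    """
    if frame[:6] == BROADCAST_MAC:
        return True
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # IPv4, 20-byte header assumed
        dst = int.from_bytes(frame[30:34], "big")
        mask = int.from_bytes(bytes(int(o) for o in subnet_mask.split(".")), "big")
        return (dst | mask) == 0xFFFFFFFF
    return False


def broadcast_only(frames, subnet_mask="255.255.255.0"):
    """The step-6 sanity check: True when every captured frame is broadcast (a useless trace)."""
    frames = list(frames)
    return bool(frames) and all(is_broadcast(fr, subnet_mask) for _, fr in frames)


def make_frame(dst_mac, dst_ip):
    """Constructed minimal Ethernet + IPv4 frame (header only, UDP protocol number, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 102]), bytes(int(o) for o in dst_ip.split(".")))
    return dst_mac + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip


# Constructed capture: two broadcasts and one unicast frame, with made-up addresses.
SAMPLE = [
    (1.0, make_frame(BROADCAST_MAC, "255.255.255.255")),               # DHCP-style discover
    (1.5, make_frame(b"\x00\xaa\xbb\xcc\xdd\xee", "192.168.1.255")),   # directed broadcast
    (2.0, make_frame(b"\x00\xaa\xbb\xcc\xdd\xee", "192.168.1.1")),     # unicast: a real conversation
]


def roundtrip(frames):
    """Save frames to a temporary .pcap, read them back, and run the broadcast-only check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "trace.pcap")
        write_pcap(path, frames)
        back = list(read_pcap(path))
    return back, broadcast_only(back)


if __name__ == "__main__":
    _, useless = roundtrip(SAMPLE[:2])
    print("broadcast-only trace:", useless)
```

A file written by `write_pcap` opens in Wireshark as an Ethernet capture. When `broadcast_only` reports True on a real trace, the sniffer is on a switched port and sees only what the switch floods, which is the situation the note under step 6 describes.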
Assignment Questions:
Part 1
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server
running?
2. What languages (if any) does your browser indicate that it can accept to the server?
3. What is the IP address of your computer?
4. What is the status code returned from the server to your browser?
5. When was the HTML file that you are retrieving last modified at the server?
6. How many bytes of content are being returned to your browser?
7. By inspecting the raw data in the packet content window, do you see any headers within
the data that are not displayed in the packet-listing window? If so, name one.

Part 2
8. Inspect the contents of the first HTTP GET request from your browser to the server.
Do you see an “IF-MODIFIED-SINCE” line in the HTTP GET?
9. Inspect the contents of the server response. Did the server explicitly return the Contents
of the file? How can you tell?
10. Now inspect the contents of the second HTTP GET request from your browser to the
server. Do you see an “IF-MODIFIED-SINCE:” line in the HTTP GET? If so, what information
follows the “IF-MODIFIED-SINCE:” header?
11. What is the HTTP status code and phrase returned from the server in response to this
second HTTP GET? Did the server explicitly return the contents of the file? Explain.

Part 3
12. How many HTTP GET request messages did your browser send? Which packet number
in the trace contains the GET message for the Bill of Rights?
13. Which packet number in the trace contains the status code and phrase associated with
the response to the HTTP GET request?
14. What is the status code and Phrase in the response?
15. How many data-containing TCP segments were needed to carry the single HTTP
response and the text of the Bill of Rights?
Part 4
16. How many HTTP GET request messages did your browser send? To which
Internet addresses were these GET requests sent?
17. Can you tell whether your browser downloaded the two images serially, or whether
they were downloaded from the two web sites in parallel? Explain.
Part 5
Let’s try visiting a web site that is password-protected and examine the sequence of HTTP
messages exchanged for such a site. The URL
http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wireshark-file5.html is
password protected. The username is “wireshark-students” (without the quotes), and the
password is “network” (again, without the quotes). So let’s access this “secure”
password-protected site. Do the following:
• Make sure your browser’s cache is cleared, as discussed above, and close down
your browser. Then, start up your browser.
• Start up the Wireshark packet sniffer.
• Enter the following URL into your browser:
http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wireshark-file5.html
Type the requested user name and password into the pop-up box.
• Stop Wireshark packet capture, and enter “http” in the display-filter-specification
window, so that only captured HTTP messages will be displayed later in the
packet-listing window.
• (Note: If you are unable to run Wireshark on a live network connection, you can
use the http-ethereal-trace-5 packet trace to answer the questions below; see
footnote 2. This trace file was gathered while performing the steps above on one
of the author’s computers.)
Now let’s examine the Wireshark output. You might want to first read up on HTTP
authentication by reviewing the easy-to-read material on “HTTP Access Authentication
Framework” at http://frontier.userland.com/stories/storyReader$2159
18. What is the server’s response (status code and phrase) in response to the initial HTTP
GET message from your browser?
19. When your browser’s sends the HTTP GET message for the second time, what new field
is included in the HTTP GET message?
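Parts 2 and 5 turn on three things that are visible in the trace: the If-Modified-Since header and the 304 reply, the 401 challenge, and the Authorization header the browser adds on its retry. As an added example that is not from the original lab, the following Python parses constructed copies of those messages; the date, byte count and status lines follow the answers given below, while the realm string and the HTML body are invented. The last function makes the point the lab's quoted “secure” hints at: Basic credentials are only Base64-encoded, so anyone holding the capture reads the password back.

```python
import base64

# Constructed messages standing in for what Wireshark's "http" display filter shows.
REQ_FIRST = (b"GET /wireshark-labs/HTTP-wireshark-file2.html HTTP/1.1\r\n"
             b"Host: gaia.cs.umass.edu\r\nAccept-Language: en-us,en\r\n\r\n")
RESP_FULL = (b"HTTP/1.1 200 OK\r\nLast-Modified: Tue, 23 Sep 2003 05:29:00 GMT\r\n"
             b"Content-Type: text/html\r\nContent-Length: 73\r\n\r\n"
             + b"<html>" + b"x" * 60 + b"</html>")                     # 73-byte body
REQ_CONDITIONAL = REQ_FIRST[:-2] + b"If-Modified-Since: Tue, 23 Sep 2003 05:29:00 GMT\r\n\r\n"
RESP_NOT_MODIFIED = b"HTTP/1.1 304 Not Modified\r\n\r\n"
REQ_PROTECTED = (b"GET /wireshark-labs/protected_pages/HTTP-wireshark-file5.html HTTP/1.1\r\n"
                 b"Host: gaia.cs.umass.edu\r\n\r\n")
RESP_CHALLENGE = (b"HTTP/1.1 401 Authorization Required\r\n"
                  b'WWW-Authenticate: Basic realm="lab"\r\n\r\n')     # realm is made up
REQ_WITH_AUTH = (REQ_PROTECTED[:-2] + b"Authorization: Basic "
                 + base64.b64encode(b"wireshark-students:network") + b"\r\n\r\n")


def parse_message(raw):
    """Split an HTTP/1.x message into (start line, {lowercase name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def response_status(raw):
    """(status code, reason phrase) from a response, e.g. (304, 'Not Modified')."""
    start, _, _ = parse_message(raw)
    parts = start.split(" ", 2)
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def conditional_get_summary(request, response):
    """Answers Part 2: was the GET conditional, and did the server send the file again?"""
    _, req_headers, _ = parse_message(request)
    code, phrase = response_status(response)
    _, _, body = parse_message(response)
    return {"if_modified_since": req_headers.get("if-modified-since"),
            "status": code, "phrase": phrase, "body_returned": len(body) > 0}


def new_request_headers(first, second):
    """Answers question 19: header names present in the retried request but not the first."""
    return set(parse_message(second)[1]) - set(parse_message(first)[1])


def recover_basic_credentials(request):
    """Basic auth is only Base64: anyone holding the trace gets the password back."""
    _, headers, _ = parse_message(request)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    print(conditional_get_summary(REQ_FIRST, RESP_FULL))
    print(conditional_get_summary(REQ_CONDITIONAL, RESP_NOT_MODIFIED))
    print(response_status(RESP_CHALLENGE), new_request_headers(REQ_PROTECTED, REQ_WITH_AUTH))
    print(recover_basic_credentials(REQ_WITH_AUTH))
```

Wireshark's HTTP dissector already decodes the Authorization header for you in the packet-details pane; the function here just shows that no secret is involved in doing so, which is why Basic authentication is only acceptable over TLS.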

OUTPUT
Answers:

1. Version 1.1 (both the browser and the server)

2. Languages accepted: en-us and en

3. 192.168.1.102

4. 200 OK

5. Last-Modified: Tue, 23 Sep 2003 05:29:00 GMT

6. 73 bytes

7. No

8. No

9. Yes: the response carries a text/html body, which Wireshark shows as line-based text data.

10. Yes; the IF-MODIFIED-SINCE header carries the Last-Modified date and time received in the
first response.

11. Status code 304, phrase Not Modified. No, the server does not return the file: the response
has no body, so no line-based text data appears in the packet.

12. One; packet no. 8

13. Packet no. 14

14. Status code 200, phrase OK

15. 4 TCP segments

16. 3 HTTP GET requests, sent to 128.119.245.12, 165.193.1.102 and 134.241.6.82

17. The browser downloaded the images serially: the two image GETs have different arrival
times and are carried in separate TCP segments.

18. Status code 401, phrase Authorization Required

19. The Authorization header field. It carries the username and password Base64-encoded,
not encrypted, so they are readable by anyone who captured the trace.


Figure 1: Snapshot for questions 1 and 2

Figure 2: Snapshot for questions 3, 4 and 16

Figure 3: Snapshot for questions 5, 6, 7, 8, 12, 13 and 14

Figure 4: Snapshot for questions 9, 10 and 11

Figure 5: Snapshot for question 15

Figure 6: Snapshot for question 17

Figure 7: Snapshot for question 18

Figure 8: Snapshot for question 19
