Shri.

Gopinath Mahadeo Vedak Pratishthan’s

G. M. VEDAK INSTITUTE OF TECHNOLOGY, TALA

Department of Computer Engineering

Academic Year 2022-23 (First Half 2023)

LAB MANUAL

CRYPTOGRAPHY AND SYSTEM SECURITY

SE-VI Semester

Subject Incharge: Asst. Prof. M. K. Nivekar

 List of Experiments

CSL602 Cryptography & System Security Lab

Practical Hours: 2 Hrs/week Marks: Main exam: 80 IA: 20
1. Design and Implementation of a product cipher using Substitution and Transposition ciphers.
2. Implementation and analysis of RSA crypto system.
3. Implementation of Diffie Hellman Key exchange algorithm
4. For varying message sizes, test integrity of message using MD-5, SHA-1, and analyse the
performance of the two protocols. Use crypt APIs.
5. Study the use of network reconnaissance tools like WHOIS, dig, traceroute, ns lookup to gather
information about networks and domain registrars.
6. Study of packet sniffer tools: wireshark,:
a) Download and install wireshark and capture icmp, tcp, and http packets in promiscuous mode.
b) Explore how the packets can be traced based on different filters.
7. Download and install nmap. Use it with different options to scan open ports, perform OS
fingerprinting, do a ping scan, tcp port scan, udp port scan, xmas scan etc.
8. Detect ARP spoofing using nmap and/or open-source tool ARPWATCH and wireshark. Use arping
tool to generate gratuitous arps and monitor using wireshark
9. SQL injection attack, Cross-Cite Scripting attack simulation
10. Case Study /Seminar: Topic beyond syllabus related to topics covered.
 Experiment No.1:
Date of Performance :
Date of Submission :
Aim: Design and Implementation of a product cipher using Substitution and Transposition ciphers.
SOFTWARE REQUIREMENT: C/C++/JAVA, Python
Description:
To encrypt a message with a Caesar cipher, each letter in the message is changed using a simple
rule: shift by three. Each letter is replaced by the letter three letters ahead in the alphabet. A becomes DB
becomes E. and so on. For the last letters, we can think of the alphabet as a circle and "wrap around". W
becomes Z. X becomes A. Y becomes B, and Z becomes C. To change a message back, each letter is
replaced by the one three before it.

Program: (Caesar Cipher)

#include <stdio.h>
#include <string.h>
#include <conio.h>
#include <ctype.h>
void main()
{
PlayFair Cipher:
Output:
Conclusion: Thus, Playfair cipher substitution technique and ceaser cipher transposition technique has
been implemented successfully.

SIGN AND REMARK

DATE
 Experiment No.2:
Date of Performance :
Date of Submission :
Aim: Implementation and analysis of RSA cryptosystem

SOFTWARE REQUIREMENT: C/C++/JAVA, Python

THEORY: RSA was invented by Ron Rivest, Adi Shamir, and Len Adleman and hence, it is termed
as RSA cryptosystem. We will see two aspects of the RSA cryptosystem, firstly generation of key pair
and secondly encryption-decryption algorithms.

Generation of RSA Key Pair

Each person or a party who desires to participate in communication using encryption needs to
generate a pair of keys, namely public key and private key. The process followed in the generation of
keys is described below −
● Generate the RSA modulus (n)
○ Select two large primes, p and q.
○ Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically a minimum of
512 bits.
● Find Derived Number (e)
○ Number e must be greater than 1 and less than (p − 1)(q − 1).
○ There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words two numbers e
and (p – 1)(q – 1) are coprime.
● Form the public key
○ The pair of numbers (n, e) form the RSA public key and is made public.
○ Interestingly, though n is part of the public key, difficulty in factorizing a large prime number ensures
that attacker cannot find in finite time the two primes (p & q) used to obtain n. This is strength of RSA.
● Generate the private key
○ Private Key d is calculated from p, q, and e. For given n and e, there is unique number d.
○ Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number less than (p - 1)(q
- 1) such that when multiplied by e, it is equal to 1 modulo (p - 1)(q- 1).
○ This relationship is written mathematically as follows −
ed = 1 mod (p − 1)(q − 1)
The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.
○ The pair of numbers (n, e) form the RSA public key and is made public.
○ Interestingly, though n is part of the public key, difficulty in factorizing a large prime
number ensures that attacker cannot find in finite time the two primes (p & q) used to
obtain n. This is strengthof RSA.
● Generate the private key
○ Private Key d is calculated from p, q, and e. For given n and e, there is unique number d.
○ Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number
less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1 modulo (p -
1)(q- 1).
○ This relationship is written mathematically as follows − ed = 1 mod
(p − 1)(q − 1) The Extended Euclidean Algorithm takes p, q, and e as
input and gives d as output. Example
An example of generating RSA Key pair is given below. (For ease of understanding,
the primes p &q taken here are small values. Practically, these values are very high).
● Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.
● Select e = 5, which is a valid choice since there is no number that is common
factor of 5 and(p − 1)(q − 1) = 6 × 12 = 72, except for 1.
● The pair of numbers (n, e) = (91, 5) forms the public key and can be made
available to anyonewhom we wish to be able to send us encrypted messages.
● Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d
= 29.
● Check that the d calculated is correct by
computing − de = 29 × 5 = 145 = 1 mod
72
● Hence, public key is (91, 5) and private
keys is (91, 29).Encryption and Decryption
Once the key pair has been generated, the process of encryption and decryption are
relativelystraightforward and computationally easy.

RSA Encryption
● Suppose the sender wish to send some text message to someone whose public key is (n, e).
● The sender then represents the plaintext as a series of numbers less than n.
 DBMS Lab Manual|2023

● To encrypt the first plaintext P, which is a number modulo n. The encryption

process is simplemathematical step as − C = Pe mod n
● In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times and
then
educed modulo n. This means that C is also a number less than n.
● Returning to our Key Generation example with plaintext P = 10, we get
ciphertext C −C = 105 mod 91

RSA Decryption
● The decryption process for RSA is also very straightforward. Suppose that the receiver
of public-keypair (n, e) has received a ciphertext C.
● Receiver raises C to the power of his private key d. The result modulo n will be
the plaintext P.Plaintext = Cd mod n
● Returning again to our numerical example, the ciphertext C = 82 would get decrypted
to number 10using private key 29 −
Plaintext = 8229 mod 91 = 10

Program:

1. #include<stdio.h>
2.
3. #include<conio.h>
4.
5. #include<stdlib.h>
6.
7. #include<math.h>
8.
9. #include<string.h>
10. long int p,q,n,t,flag,e[100],d[100],temp[100],j,m[100],en[100],i;
11.
12. char msg[100];
13.
14. int prime(long int);
15.
16. void ce();
17.
18. long int cd(long int);
19.
20. void encrypt();
21.
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 13
 DBMS Lab Manual|2023

22. void decrypt();

23.
24. void main() {
25.
26. clrscr();
27.
28. printf("\nENTER FIRST PRIME NUMBER\n");
29.
30. scanf("%d",&p);
31.
32. flag=prime(p);
33.
34. if(flag==0) {
35.
36. printf("\nWRONG INPUT\n");
37.
38. getch();
39.
40. exit(1);
41.
42. }
43.
44. printf("\nENTER ANOTHER PRIME NUMBER\n");
45.
46. scanf("%d",&q);
47.
48. flag=prime(q);
49.
50. if(flag==0||p==q) {
51.
52. printf("\nWRONG INPUT\n");
53.
54. getch();
55.
56. exit(1);
57.
58. }
59.
60. printf("\nENTER MESSAGE\n");
61.
62. fflush(stdin);
63.
64. scanf("%s",msg);
65.
66. for (i=0;msg[i]!=NULL;i++)
67.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 14

 DBMS Lab Manual|2023

68. m[i]=msg[i];
69.
70. n=p*q;
71.
72. t=(p-1)*(q-1);
73.
74. ce();
75.
76. printf("\nPOSSIBLE VALUES OF e AND d ARE\n");
77.
78. for (i=0;i<j-1;i++)
79.
80. printf("\n%ld\t%ld",e[i],d[i]);
81.
82. encrypt();
83.
84. decrypt();
85.
86. getch();
87.
88. }
89.
90. int prime(long int pr) {
91.
92. int i;
93.
94. j=sqrt(pr);
95.
96. for (i=2;i<=j;i++) {
97.
98. if(pr%i==0)
99.
100. return 0;
101.
102. }
103.
104. return 1;
105.
106. }
107.
108. void ce() {
109.
110. int k;
111.
112. k=0;
113.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 15

 DBMS Lab Manual|2023

114. for (i=2;i<t;i++) {

115.
116. if(t%i==0)
117.
118. continue;
119.
120. flag=prime(i);
121.
122. if(flag==1&&i!=p&&i!=q) {
123.
124. e[k]=i;
125.
126. flag=cd(e[k]);
127.
128. if(flag>0) {
129.
130. d[k]=flag;
131.
132. k++;
133.
134. }
135.
136. if(k==99)
137.
138. break;
139.
140. }
141.
142. }
143.
144. }
145.
146. long int cd(long int x) {
147.
148. long int k=1;
149.
150. while(1) {
151.
152. k=k+t;
153.
154. if(k%x==0)
155.
156. return(k/x);
157.
158. }
159.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 16

 DBMS Lab Manual|2023

160. }
161.
162. void encrypt() {
163.
164. long int pt,ct,key=e[0],k,len;
165.
166. i=0;
167.
168. len=strlen(msg);
169.
170. while(i!=len) {
171.
172. pt=m[i];
173.
174. pt=pt-96;
175.
176. k=1;
177.
178. for (j=0;j<key;j++) {
179.
180. k=k*pt;
181.
182. k=k%n;
183.
184. }
185.
186. temp[i]=k;
187.
188. ct=k+96;
189.
190. en[i]=ct;
191.
192. i++;
193.
194. }
195.
196. en[i]=-1;
197.
198. printf("\nTHE ENCRYPTED MESSAGE IS\n");
199.
200. for (i=0;en[i]!=-1;i++)
201.
202. printf("%c",en[i]);
203.
204. }
205.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 17

 DBMS Lab Manual|2023

206. void decrypt() {

207.
208. long int pt,ct,key=d[0],k;
209.
210. i=0;
211.
212. while(en[i]!=-1) {
213.
214. ct=temp[i];
215.
216. k=1;
217.
218. for (j=0;j<key;j++) {
219.
220. k=k*ct;
221.
222. k=k%n;
223.
224. }
225.
226. pt=k+96;
227.
228. m[i]=pt;
229.
230. i++;
231.
232. }
233.
234. m[i]=-1;
235.
236. printf("\nTHE DECRYPTED MESSAGE IS\n");
237.
238. for (i=0;m[i]!=-1;i++)
239.
240. printf("%c",m[i]);
241.
242. }
243.
244.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 18

 DBMS Lab Manual|2023

Conclusion: RSA is a strong encryption algorithm. RSA implements a public-key

cryptosystem that allows secure communications and digital signatures, and its security rests
in part on the difficulty of factoring large numbers.

SIGN AND REMARK

DATE

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 19

 DBMS Lab Manual|2023

Experiment No.3:
Date of Performance :
Date of Submission :
Aim: Write a program to implement diffie-hellman algorithm.

SOFTWARE REQUIREMENT: c/c++/java, Python

THEORY: Diffie-Hellman key exchange is a cryptographic protocol that allows two parties
that have no prior Knowledge of each other to jointly establish a shared secret key over an
insecure communications Channel. This key can then be used to encrypt subsequent
communications using a symmetric key Cipher. The diffie–hellman key exchange algorithm
solves the following dilemma. Alice and bob want to Share a secret key for use in a
symmetric cipher, but their only means of communication is insecure. Every piece of
information that they exchange is observed by their adversary eve. How is it possible For
alice and bob to share a key without making it available to eve? At first glance it appears that
Alice and bob face an impossible task. It was a brilliant insight of diffie and hellman that the
Difficulty of the discrete logarithm problem for f*p provides a possible solution. The
simplest, and original, implementation of the protocol uses the multiplicative group of
integers Modulo p, where p is prime and g is primitive root mod p. Here is an example of the
protocol: 1. Alice and bob agree to use a prime number p=23 and base g=5. 2. Alice chooses
a secret integer xa=6, then sends bob (g^xa) mod p. 56 mod 23 = 8. 3. Bob chooses a secret
integer xb=15, then sends alice (g^xb) mod p. 515 mod 3 = 19. 4. Alice computes ya = (g^xa)
mod p. 196 mod 23 = 2. 5. Bob computes yb = (g^xb) mod p. 815 mod 23 = 2 2 In the
original description, the diffie-hellman exchange by itself does not provide authentication of
The communicating parties and is thus vulnerable to a man-in-the-middle attack. A person in
the Middle may establish two distinct diffie-hellman key exchanges, one with alice and the
other with Bob, effectively masquerading as alice to bob, and vice versa, allowing the
attacker to decrypt (and Read or store) then re-encrypt the messages passed between them. A
method to authenticate the Communicating parties to each other is generally needed to
prevent this type of attack.
The Diffie-Hellman algorithm is used to establish a shared secret between two parties that
can be used for secret communication to exchange data over a public network.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 20

 DBMS Lab Manual|2023

/* this program calculates the Key for two persons using the Diffie Hellman Key exchange
algorithm */
#include<stdio.h>
long int power(int a,int b,int mod)
{
long long int t;
if(b==1)
return a;
t=power(a,b/2,mod);
if(b%2==0)
return (t*t)%mod;
else
return (((t*t)%mod)*a)%mod;
}
long long int calculateKey(int a,int x,int n)
{
return power(a,x,n);
}
int main()
{
int n,g,x,a,y,b;
// both the persons will be agreed upon the common n and g
printf("Enter the value of n and g : ");

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 21

 DBMS Lab Manual|2023

scanf("%d%d",&n,&g);
// first person will choose the x
printf("Enter the value of x for the first person : ");
scanf("%d",&x); a=power(g,x,n);
// second person will choose the y
printf("Enter the value of y for the second person : ");
scanf("%d",&y); b=power(g,y,n);
printf("key for the first person is : %lld\n",power(b,x,n));
printf("key for the second person is : %lld\n",power(a,y,n));
return 0;
}

Output:

Conclusion: The Diffie-Hellman key exchange algorithm is used to make secure channel to
share secret key between sender and receiver.

SIGN AND REMARK

DATE

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 22

 DBMS Lab Manual|2023

Experiment No 4:
Date of Performance :
Date of Submission :

AIM : For varying message sizes, test integrity of message using MD-5, SHA-1, and analyse
the performance of the two protocols. Use crypt APIs

SOFTWARE REQUIREMENT: Python

THEORY:
MD5 (Message Digest algorithm 5) is a widely used cryptographic hash function with
a 128 bit hash value. An MD5 hash is typically expressed as a 32 digit hexadecimal number.
MD5 processes a variable length message into a fixed length output of 128 bits. The input
message is broken up into chunks of 512 bit blocks (sixteen 32bit little endian integers) ; The
message is padded so that its length is divisible by 512. The padding works as follows: first a
single bit, 1, is appended to the end of the message. This is followed by as many zeros as are
required to bring the length of the message up to 64 bits less than a multiple of 512. The
remaining bits are filled up with a 64bit integer representing the length of the original
message, in bits.

Figure 1: One MD5 operation. MD5 consists of 64 of these operations, grouped in four
rounds of 16 operations. F is a nonlinear function; one function is used in each round. Mi
denotes a 32bit block of the message input, and Ki denotes a 32bit constant, different for each
operation. The main MD5 algorithm operates on a 128bit state, divided into four 32bit words,
denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm
then operates on each 512bit message block in turn, each block modifying the state. The
processing of a message block consists of four similar stages, termed rounds; each round is
composed of 16 similar operations based on a nonlinear function F, modular addition, and left
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 23
 DBMS Lab Manual|2023

rotation. Figure 1 illustrates one operation within a round. There are four possible functions
F; a different one is used in each round:

Algorithm:
1. Append Padding Bits
The message is "padded" (extended) so that its length (in bits) is congruent to 448,
modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple
of 512 bits long. Padding is always performed, even if the length of the message is already
congruent to 448, modulo 512. Padding is performed as follows: a single "1" bit is appended
to the message, and then "0" bits are appended so that the length in bits of the padded
message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits
are appended.
2. Append Length
A 64 bit representation of b (the length of the message before the padding bits were added) is
appended to the result of the previous step. In the unlikely event that b is greater than 2^64,
then only the low order 64 bits of b are used. (These bits are appended as two 32bit words
and appended low order word first in accordance with the previous conventions.) At this
point the resulting message (after padding with bits and with b) has a length that is an exact
multiple of 512 bits. Equivalently, this message has a length that is an exact multiple of 16
(32 bit) words. Let M[0 ... N1] denote the words of the resulting message, where N is a
multiple of 16.

3. Initialize MD Buffer
A fourword buffer (A,B,C,D) is used to compute the message digest. Here each of A, B, C, D
is a 32bit register. These registers are initialized to the following values in hexadecimal,
loworder bytes first).

4. Process Message in 16Word Blocks

We first define four auxiliary functions that each take as input three 32bit words and produce
as output one 32bit word.

5. Output
The message digest produced as output is A, B, C, D. That is, we begin with the low order
byte of A, and end with the highorder byte of D.

Output:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
public class SimpleMD5Example
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 24
 DBMS Lab Manual|2023

{
public static void main(String[] args)
{
String passwordToHash = "password";
String generatedPassword = null;
try {
// Create MessageDigest instance for MD5
// for hashing using MD5 can be replaced by SHA1 in following line
MessageDigest md = MessageDigest.getInstance("MD5");
//Add password bytes to digest
md.update(passwordToHash.getBytes());
//Get the hash's bytes
byte[] bytes = md.digest();
//This bytes[] has bytes in decimal format;
//Convert it to hexadecimal format
StringBuilder sb = new StringBuilder();
for(int i=0; i< bytes.length ;i++)
{
sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
}
//Get complete hashed password in hex format
generatedPassword = sb.toString();
}
catch (NoSuchAlgorithmException e)
{
e.printStackTrace();
}
System.out.println(generatedPassword);
}
}

Output:

5f4dcc3b5aa765d61d8327deb882cf99

CONCLUSION: The main aim of message digest algorithm is to ensure integrity of

message. The strength of MD5 and SHA 1 algorithm lies in the chaining function, because of
which integrity of message cannot be compromised.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 25

 DBMS Lab Manual|2023

SIGN AND REMARK

DATE

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 26

 DBMS Lab Manual|2023

EXPERIMENT NO: 5
Date of Performance :
Date of Submission :

AIM : Study the use of network reconnaissance tools like WHOIS, dig, traceroute, NSlookup
to gather information about networks and domain registrars.

SOFTWARE REQUIREMENT: Unix/Linux

THEORY:

1. WHOIS : WHOIS is the Linux utility for searching an object in a WHOIS database. The
WHOIS database of a domain is the publicly displayed information about a domains
ownership, billing, technical, administrative, and nameserver information. Running a WHOIS
on your domain will look the domain up at the registrar for the domain information. All
domains have WHOIS information.
WHOIS database can be queried to obtain the following information via WHOIS:
• Administrative contact details, including names, email addresses, and telephone numbers
• Mailing addresses for office locations relating to the target organization
• Details of authoritative name servers for each given domain
Example
Querying Facebook.com
ssc@ssc-OptiPlex-380:~$ whois facebook.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered with many different
competing registrars.
Go to http://www.internic.net
for detailed information.
Server Name: FACEBOOK.COM.BRETLANDTRUSTMERCHANDISINGDEPART.COM
IP Address: 69.63.176.11
Registrar: GOOGLE INC.

LAB MANUAL [SSL]

Whois Server: whois.rrpproxy.net
Referral URL: http://domains.google.com
Server Name:

FACEBOOK.COM.DISABLE.YOUR.TIMELINE.NOW.WITH.THE.ORIGINAL.TIMELIN
E REMOVE.NET
IP Address: 8.8.8.8
Registrar: ENOM, INC.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 27

 DBMS Lab Manual|2023

Whois Server: whois.enom.com

Referral URL: http://www.enom.com
Server Name:
FACEBOOK.COM.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
IP Address: 209.126.190.70
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Server Name: FACEBOOK.COM.LOVED.BY.WWW.SHQIPHOST.COM
IP Address: 46.4.210.254
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Server Name: FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
IP Address: 203.36.226.2
Registrar: INSTRA CORPORATION PTY, LTD.
Whois Server: whois.instra.net
Referral URL: http://www.instra.com
Server Name:
FACEBOOK.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.229
Registrar: TUCOWS DOMAINS INC.
Whois Server: whois.tucows.com
Referral URL: http://www.tucowsdomains.com
Domain Name: FACEBOOK.COM
Registrar: MARKMONITOR INC.
Sponsoring Registrar IANA ID: 292
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: A.NS.FACEBOOK.COM
Name Server: B.NS.FACEBOOK.COM
Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Status:clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Status:clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Status:serverDeleteProhibited
http://www.icann.org/epp#serverDeleteProhibited
Status:serverTransferProhibited http://www.icann.org/epp#serverTransferProhibited
Status:serverUpdateProhibited http://www.icann.org/epp#serverUpdateProhibited
Updated Date: 28-sep-2012
Creation Date: 29-mar-1997
Expiration Date: 30-mar-2020
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 28
 DBMS Lab Manual|2023

>>> Last update of whois database: Fri, 17 Jul 2015 04:12:12 GMT <<<
The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.
LAB MANUAL [SSL]
For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.
Domain Name: facebook.com
Registry Domain ID: 2320948_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2014-10-28T12:38:28-0700
reation Date: 1997-03-28T21:00:00-0800
Registrar Registration Expiration Date: 2020-03-29T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited
(https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Facebook, Inc.
Registrant Street: 1601 Willow Road,
Registrant City: Menlo Park
Registrant State/Province: CA
Registrant Postal Code: 94025
Registrant Country: US
Registrant Phone: +1.6505434800
Registrant Phone Ext:
Registrant Fax: +1.6505434800
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Facebook, Inc.
Admin Street: 1601 Willow Road,
Admin City: Menlo Park
Admin State/Province: CA
Admin Postal Code: 94025
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 29
 DBMS Lab Manual|2023

Admin Country: US
Admin Phone: +1.6505434800
Admin Phone Ext:
Admin Fax: +1.6505434800
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Facebook, Inc.
Tech Street: 1601 Willow Road,
Tech City: Menlo Park
Tech State/Province: CA

LAB MANUAL [SSL] Page 27

Tech Postal Code: 94025
Tech Country: US
Tech Phone: +1.6505434800
Tech Phone Ext:
Tech Fax: +1.6505434800
Tech Fax Ext:
Tech Email: [email protected]
Name Server: b.ns.facebook.com
Name Server: a.ns.facebook.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-07-16T21:08:30-0700 <<<
The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
information purposes, and to assist persons in obtaining information about or
related to a domain name registration record. MarkMonitor.com does not guarantee
its accuracy. By submitting a WHOIS query, you agree that you will use this Data
only for lawful purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via e-mail (spam); or
(2) enable high volume, automated, electronic processes that apply to
MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
MarkMonitor is the Global Leader in Online Brand Protection.
MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiPiracy(TM)
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 30
 DBMS Lab Manual|2023

MarkMonitor AntiFraud(TM)
Professional and Managed Services
Visit MarkMonitor at http://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
ssc@ssc-OptiPlex-380:~$

2. Dig - Dig is a networking tool that can query DNS servers for information. It can be very
helpful for diagnosing problems with domain pointing and is a good way to verify that your
configuration is working. The most basic way to use dig is to specify the domain we wish to
query:
Example
$ dig duckduckgo.com
; <<>> DiG 9.8.1-P1 <<>> duckduckgo.com
;; global options: +cmd
;; Got answer:
LAB MANUAL [SSL]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64399
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 99 IN A 107.21.1.61
duckduckgo.com. 99 IN A 184.72.106.253
duckduckgo.com. 99 IN A 184.72.106.52
duckduckgo.com. 99 IN A 184.72.115.86
;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 23 14:26:17 2013
;; MSG SIZE rcvd: 96
The lines above act as a header for the query performed. It is possible to run dig in batch
mode,
so proper labeling of the output is essential to allow for correct analysis.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64399
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
The next section gives us a technical summary of our query results. We can see that the query
was successful, certain flags were used, and that 4 "answers" were received.

;; QUESTION SECTION:
;duckduckgo.com. IN A
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 31
 DBMS Lab Manual|2023

;; ANSWER SECTION:
duckduckgo.com. 99 IN A 107.21.1.61
duckduckgo.com. 99 IN A 184.72.106.253
duckduckgo.com. 99 IN A 184.72.106.52
duckduckgo.com. 99 IN A 184.72.115.86

LAB MANUAL [SSL]

The above section of the output contains the actual results we were looking for. It restates the
query and then returns the matching DNS records for that domain name.
Here, we can see that there are four "A" records for "duckduckgo.com". By default, "A"
records are returned. This gives us the IP addresses that the domain name resolves to.
The "99" is the TTL (time to live) before the DNS server rechecks the association between
the domain name and the IP address. The "IN" means the class of the record is a standard
internet class.
;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 23 14:26:17 2013
;; MSG SIZE rcvd: 96

These lines simply provide some statistics about the actual query results. The query time can
be indicative of problems with the DNS servers.

3. Traceroute - traceroute prints the route that packets take to a network host. Traceroute
utility uses the TTL field in the IP header to achieve its operation. For users who are new to
TTL field, this field describes how much hops a particular packet will take while traveling on
network. So, this effectively outlines the lifetime of the packet on network. This field is
usually set to 32 or 64. Each time the packet is held on an intermediate router, it decreases the
TTL value by 1. When a router finds the TTL value of 1 in a received packet then that packet
is not forwarded but instead discarded. After discarding the packet, router sends an ICMP
error message of ―Time exceeded‖ back to the source from where packet generated. The
ICMP packet that is sent back contains the IP address of the router.

So now it can be easily understood that traceroute operates by sending packets with TTL
value starting from 1 and then incrementing by one each time. Each time a router receives the
packet, it checks the TTL field, if TTL field is 1 then it discards the packet and sends the
ICMP error packet containing its IP address and this is what traceroute requires. So traceroute
incrementally fetches the IP of all the routers between the source and the destination.
Example:
$traceroute example.com
traceroute to example.com (64.13.192.208), 64 hops max, 40 byte packets
1 72.10.62.1 (72.10.62.1) 1.000 ms 0.739 ms 0.702 ms
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 32
 DBMS Lab Manual|2023

2 10.101.248.1 (10.101.248.1) 0.683 ms 0.385 ms 0.315 ms

LAB MANUAL [SSL] Page 30
3 10.104.65.161 (10.104.65.161) 0.791 ms 0.703 ms 0.686 ms
4 10.104.65.161 (10.104.65.161) 0.791 ms 0.703 ms 0.686 ms
5 10.0.10.33 (10.0.10.33) 2.652 ms 2.260 ms 5.353 ms
6 acmkokeaig.gs01.gridserver.com (64.13.192.208) 3.384 ms 8.001 ms 2.439 ms

4. Nslookup - The nslookup command is used to query internet name servers interactively for
information. nslookup, which stands for "name server lookup", is a useful tool for finding out
information about a named domain. By default, nslookup will translate a domain name to an
IP address (or vice versa). For instance, to find out what the IP address of microsoft.com is,
you could run the command:
Example:
$nslookup microsoft.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name:
microsoft.com
Address: 134.170.185.46
Name:
microsoft.com
Address: 134.170.188.221

Here, 8.8.8.8 is the address of our system's Domain Name Server. This is the server our
system is configured to use to translate domain names into IP addresses. "#53" indicates that
we are communicating with it on port 53, which is the standard port number domain name
servers use to accept queries. Below this, we have our lookup information for microsoft.com.
Our name server returned two entries, 134.170.185.46and 134.170.188.221. This indicates
that microsoft.com uses a round robin setup to distribute server load. When you
accessmicrsoft.com, you may be directed to either of these servers and your packets will be
routed to the correct destination. You can see that we have received a "Non-authoritative
answer" to our query. An answer is "authoritative" only if our DNS has the complete zone
file information for the domain in question. More often, our DNS will have a cache of
information representing the last authoritative answer it received when it made a similar
query, this information is passed on to you, but the server qualifies it as "non- authoritative":
he information was recently received from an authoritative source, but the DNS server is not
itself that authority.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 33

 DBMS Lab Manual|2023

CONCLUSION: Various reconnaissance tools are studied and used to gather primary
network information.

SIGN AND REMARK

DATE

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 34

 DBMS Lab Manual|2023

EXPERIMENT NO: 6
Date of Performance :
Date of Submission :
AIM : Study of packet sniffer tools : Wireshark

SOFTWARE REQUIREMENT: Wireshark

THEORY:
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time
and display them in human-readable format. Wireshark includes filters, color-coding and
other features that let you dig deep into network traffic and inspect individual packets.

Features of Wireshark :

• Available for UNIX and Windows.

• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
•Create various statistics.

Capturing Packets
After downloading and installing wireshark, you can launch it and click the name of an
interface under Interface List to start capturing packets on that interface. For example, if you
want to capture traffic on the wireless network, click your wireless interface. You can
configure advanced features by clicking Capture Options.

Filtering Packets
If you‘re trying to inspect something specific, such as the traffic a program sends when
phoning home, it helps to close down all other applications using the network so you can
narrow down the traffic. Still, you‘ll likely have a large amount of packets to sift through.
That‘s where Wireshark‘s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window
and clicking Apply (or pressing Enter). For example, type ―dns‖ and you‘ll see only DNS
packets. When you start typing, Wireshark will help you autocomplete your filter.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 35

 DBMS Lab Manual|2023

Outputs:

1)Home screen:

2) Main screen:

3) Packets and filter:

http:

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 36

 DBMS Lab Manual|2023

http.request:

tcp.port==443:

!(arp or icmp or dns):

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 37

 DBMS Lab Manual|2023

CONCLUSION: Wireshark installation and network traffic analysis using Packet sniffing is
done. Detailed information about packets are explored by applying filters.

SIGN AND REMARK DATE

DATE:

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 38

 DBMS Lab Manual|2023

EXPERIMENT NO: 7
Date of Performance :
Date of Submission :

AIM : Download and install NMAP. Use it with different options to scan open ports, perform
OS fingerprinting, do a ping scan, TCP port scan, UDP port scan.

SOFTWARE REQUIREMENT: NMAP

THEORY:
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also
known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a
computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends
specially crafted packets to the target host and then analyzes the responses. Unlike many
simple port scanners that just send packets at some predefined constant rate, Nmap accounts
for the network conditions (latency fluctuations, network congestion, the target interference
with the scan) during the run. Also, owing to the large and active user community providing
feedback and contributing to its features, Nmap has been able to extend its discovery
capabilities beyond simply figuring out whether a host is up or down and which ports are
open and closed; it can determine the operating system of the target, names and versions of
the listening services, estimated uptime, type of device, and presence of a firewall.

Nmap features include:

• Host Discovery – Identifying hosts on a network. For example, listing the hosts which
respond to pings or have a particular port open.
• Port Scanning – Enumerating the open ports on one or more target hosts.
• Version Detection – Interrogating listening network services listening on remote devices to
determine the application name and version number.
• OS Detection – Remotely determining the operating system and some hardware
characteristics of network devices.

Basic commands working in Nmap:

• For target specifications: nmap <target‘s URL or IP with spaces between them>
• For OS detection: nmap -O <target-host's URL or IP>
• For version detection: nmap -sV <target-host's URL or IP>
SYN scan is the default and most popular scan option for good reasons. It can be performed
quickly, scanning thousands of ports per second on a fast network not hampered by restrictive

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 39

 DBMS Lab Manual|2023

firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP
connections
OUTPUT:
Intense Scan : nmap -T4 -A 192.168.21.141

Host Details :

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 40

 DBMS Lab Manual|2023

Ping Scan : nmap -sn 192.168.21.1/24

Port scan : nmap -F -n -Pn 192.168.21.1/24

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 41

 DBMS Lab Manual|2023

Quick Traceroute : nmap -sn --traceroute www.youtube.com

Quick Traceroute : TOPOLOGY

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 42

 DBMS Lab Manual|2023

CONCLUSION: NMAP is studied and different types of nmap scans are used to gather host
and network related information.

SIGN AND REMARK

DATE

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 43

 DBMS Lab Manual|2023

EXPERIMENT NO: 8
Date of Performance :
Date of Submission :

AIM : To implement a program in Java for password cracking using Brute Force.

SOFTWARE REQUIREMENT: Java

THEORY:
A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt
any encrypted data (except for data encrypted in an information-theoretically secure manner.
Such an attack might be used when it is not possible to take advantage of other weaknesses in
an encryption system (if any exist) that would make the task easier.
We assume the input to be a password to be of length 4 and having only lowercase letters.
We try all possible combinations of lower-case letters to try and decode the password.

Input:

1. Enter password of length 4

2. Convert it into string
3. Find length of the string
4. Starting at each iteration: Guess the string
5. If it matches then print the string and no. of iterations
Code:

import java.util.Scanner;
import java.util.concurrent.TimeUnit;
public class Main {
static String newPass = "";
static String chars =
"0123456789aABbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyzZ";
public static void main(String[] args) {
Scanner userIn = new Scanner(System.in);
String password = userIn.nextLine();
System.out.println("Is using symbols an option? if so type in [Y] if not type in [N]");
String choose = userIn.nextLine();
boolean decideSymb = true;
boolean again = true;
while (again == true) {
if (choose.equalsIgnoreCase("y")) {
again = false;
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 44
 DBMS Lab Manual|2023

} else if (choose.equalsIgnoreCase("n")) {
again = false;
decideSymb = false;
} else {
System.out.println("Try again! \nIs using symbols an option? if so type in [Y] if not type
in [N]");
}
}
choose = userIn.nextLine();
mins
long start = System.currentTimeMillis();
crack(password, decideSymb);
long end = System.currentTimeMillis();
long milliSecs = TimeUnit.MILLISECONDS.toSeconds(end - start);
;
long secs = milliSecs / 1000;
long mins = secs / 60;
long hours = mins / 60;
long days = hours / 24;
long years = days / 365;
days -= (years * 365);
hours -= (days * 24);
mins -= (hours * 60);
secs -= (mins * 60);
milliSecs -= (secs * 1000);
System.out.println("The password is: " + newPass);
if (years > 0) {
if (years == 1) {
System.out.println("it took\n" + years + "year\n" + days + " days\n" + hours + " hours\n" +
+ " mins\n" + secs + " secs\n" + milliSecs + " milliseconds\nto find the password");
} else {
System.out.println("it took\n" + years + "years\n" + days + " days\n" + hours + " hours\n"
+ mins
}
+ " mins\n" + secs + " secs\n" + milliSecs + " milliseconds\nto find the password");
secs
} else if (days > 0) {
if (days == 1) {
System.out.println("it took\n" + days + " day\n" + hours + " hours\n" + mins + " mins\n" +
+ " secs\n" + milliSecs + " milliseconds\nto find the password");
} else {
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 45
 DBMS Lab Manual|2023

System.out.println("it took\n" + days + " days\n" + hours + " hours\n" + mins + " mins\n"
+ secs
+ " secs\n" + milliSecs + " milliseconds\nto find the password");
}
} else if (hours > 0) {
if (hours == 1) {
System.out.println("it took\n" + hours + " hour\n" + mins + " mins\n" + secs + " secs\n" +
milliSecs
+ " milliseconds\nto find the password");
} else {
System.out.println("it took\n" + hours + " hours\n" + mins + " mins\n" + secs + " secs\n" +
milliSecs
}
+ " milliseconds\nto find the password");
} else if (mins > 0) {
if (mins == 1) {
System.out.println("it took\n" + mins + " min\n" + secs + " secs\n" + milliSecs
+ " milliseconds\nto find the password");
} else {
System.out.println("it took\n" + mins + " mins\n" + secs + " secs\n" + milliSecs
+ " milliseconds\nto find the password");
}
} else if (secs > 0) {
if (secs == 1) {
System.out.println("it took\n" + secs + " sec\n" + milliSecs + " milliseconds\nto find the
password");
} else {
System.out.println("it took\n" + secs + " secs\n" + milliSecs + " milliseconds\nto find the
password");
}
} else {
System.out.println("it took\n" + milliSecs + " milliseconds\nto find the password");
}
System.exit(0);
}
private static void crack(String password, boolean decideSymb) {
if (decideSymb == true) {
chars =
"1234567890#%&@aABbCcDdEeFfGgHh!IiJjKkLlMmNnOoPpQqRr$SsTtUuVvWwXxYy
zZ";
}
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 46
 DBMS Lab Manual|2023

for (int length = 2; length <= 15; length++) {

newPass = "";
for (int n = 0; n < length; n++) {
newPass += "0";
}
int lastInd = length - 1;
while (!newPass.equals(password)) {
String end = "";
for (int n = 0; n < newPass.length(); n++) {
end += "Z";
}
if (newPass.equals(end)) {
break;
}
int indInChars = chars.indexOf(newPass.charAt(lastInd));
if (indInChars < chars.length() && indInChars >= 0) {
boolean t = true;
int howManyZs = 0;
while (t == true) {
if (newPass.charAt(newPass.length() - 1 - howManyZs) == 'Z') {
howManyZs++;
} else {
t = false;
}
}
String reset0s = "";
for (int l = 0; l < howManyZs; l++) {
reset0s += "0";
}
if (lastInd < newPass.length() - 1 && lastInd > 0) {
lastInd--;
indInChars = chars.indexOf(newPass.charAt(lastInd)) + 1;
newPass = newPass.substring(0, lastInd) + chars.charAt(indInChars)
+ newPass.substring(lastInd + 1);
} else if (newPass.length() - howManyZs == 1) {
newPass = chars.substring(chars.indexOf(newPass.charAt(0)) + 1,
chars.indexOf(newPass.charAt(0)) + 2) + reset0s;
} else if (newPass.length() - howManyZs > 1 && howManyZs != 0) {
newPass = newPass.substring(0, newPass.length() - 1 - howManyZs)
+ chars.substring(chars.indexOf(newPass.charAt(newPass.length() - 1 -
howManyZs)) + 1,
M. K. Nivekar, Assistant Prof. GMVIT Tala Page 47
 DBMS Lab Manual|2023

chars.indexOf(newPass.charAt(newPass.length() - 1 - howManyZs)) + 2)
+ reset0s;
} else {
indInChars = chars.indexOf(newPass.charAt(lastInd)) + 1;
newPass = newPass.substring(0, lastInd) + chars.charAt(indInChars);
}
System.out.println(newPass);
}
}
if (newPass.equals(password)) {
break;
}
}
}
}
Output:
1. Print the password
2. Print the iteration number in which the password was cracked successfully

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 48

 DBMS Lab Manual|2023

CONCLUSION: Program for password cracking using Brute Force is implemented

successfully.

SIGN AND REMARK

DATE

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 49

 DBMS Lab Manual|2023

EXPERIMENT NO: 9
Date of Performance :
Date of Submission :

AIM : SQL injection attack, Cross-Cite Scripting attack simulation

THEORY:

1. SQL injection attack

SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute
malicious SQL statements. These statements control a database server behind a web
application. Attackers can use SQL Injection vulnerabilities to bypass application security
measures. They can go around authentication and authorization of a web page or web
application and retrieve the content of the entire SQL database. They can also use SQL
Injection to add, modify, and delete records in the database.
An SQL Injection vulnerability may affect any website or web application that uses an SQL
database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain
unauthorized access to your sensitive data: customer information, personal data, trade secrets,
intellectual property, and more. SQL Injection attacks are one of the oldest, most prevalent,
and most dangerous web application vulnerabilities. The OWASP organization (Open Web
Application Security Project) lists injections in their OWASP Top 10 2017 document as the
number one threat to web application security.

How and Why Is an SQL Injection Attack Performed

To make an SQL Injection attack, an attacker must first find vulnerable user inputs within the
web page or web application. A web page or web application that has an SQL Injection
vulnerability uses such user input directly in an SQL query. The attacker can create input
content. Such content is often called a malicious payload and is the key part of the attack.
After the attacker sends this content, malicious SQL commands are executed in the database.
SQL is a query language that was designed to manage data stored in relational databases. You
can use it to access, modify, and delete data. Many web applications and websites store all
the data in SQL databases. In some cases, you can also use SQL commands to run operating
system commands. Therefore, a successful SQL Injection attack can have very serious
consequences.

 Attackers can use SQL Injections to find the credentials of other users in the database.
They can then impersonate these users. The impersonated user may be a database
administrator with all database privileges.
 SQL lets you select and output data from the database. An SQL Injection vulnerability
could allow the attacker to gain complete access to all data in a database server.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 50

 DBMS Lab Manual|2023

 SQL also lets you alter data in a database and add new data. For example, in a
financial application, an attacker could use SQL Injection to alter balances, void
transactions, or transfer money to their account.
 You can use SQL to delete records from a database, even drop tables. Even if the
administrator makes database backups, deletion of data could affect application
availability until the database is restored. Also, backups may not cover the most
recent data.
 In some database servers, you can access the operating system using the database
server. This may be intentional or accidental. In such case, an attacker could use an
SQL Injection as the initial vector and then attack the internal network behind a
firewall.
There are several types of SQL Injection attacks: in-band SQLi (using database errors or
UNION commands), blind SQLi, and out-of-band SQLi. You can read more about them in
the following articles: Types of SQL Injection (SQLi), Blind SQL Injection: What is it.
To follow step-by-step how an SQL Injection attack is performed and what serious
consequences it may have, see: Exploiting SQL Injection: a Hands-on Example.

Simple SQL Injection Example

The first example is very simple. It shows, how an attacker can use an SQL Injection
vulnerability to go around application security and authenticate as the administrator.
The following script is pseudocode executed on a web server. It is a simple example of
authenticating with a username and a password. The example database has a table
named users with the following columns: username and password.

# Define POST variables

uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi

sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” +
passwd + “’”

# Execute the SQL statement

database.execute(sql

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 51

 DBMS Lab Manual|2023

1.http://mysite.com is site vulnerable to xss

2. http://mysite.com admin panel

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 52

 DBMS Lab Manual|2023

3.Authenticated page valn.php is vulnerable to sql injection

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 53

 DBMS Lab Manual|2023

4. http://malicious.com is a attacker site which holds 3 files

Evil.js is maliciaous javascript which used ajax call

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 54

 DBMS Lab Manual|2023

Attacker steps:
1. Attacker include evil.js in xss payload & send it to admin
2. When admin is logged in admin panel & clicks on the xss payload, the sql injection request
sent to the authenticated vulnerable page
3. the returned data from sql injection is posted back to attacker site i.e. malicious.com is
logged in user_pass.html

2.Cross-Cite Scripting attack simulation

A Complete Guide to Cross-Site Scripting (XSS) Attack, how to prevent it, and XSS testing.

Cross-Site Scripting (XSS) is one of the most popular and vulnerable attacks which is known
by every advanced tester. It is considered one of the riskiest attacks for web applications and
can bring harmful consequences too.

XSS is often compared with similar client-side attacks, as client-side languages are mostly
being used during this attack. However, an XSS attack is considered riskier, because of its
ability to damage even less vulnerable technologies.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 55

 DBMS Lab Manual|2023

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 56

 DBMS Lab Manual|2023

Attacker can type the malicious script instead of the correct username or email address:

#1) Reflected XSS

This occurs when the malicious results are being returned after entering the malicious code.
Reflected XSS code is not being saved permanently. In this case, the malicious code is being
reflected in any website result. The attack code can be included in the faked URL or HTTP
parameters.

when wrong credentials are typed, an error message like “Sorry your username or your
credentials are wrong” will be displayed.

the username is a parameter that is typed by the user in the login form. Including the
username parameter in the output is a mistake. This way an attacker can type the malicious
script instead of the correct username or email address.

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 57

 DBMS Lab Manual|2023

#2) Stored XSS

This attack can be considered riskier and it provides more damage.
Consider, A page where the latest user opinion is being loaded. Therefore, in the opinion or
comment field would be typed with the script as shown below.

<script>alert(document.cookie)</script>

#3) DOM XSS

This type of attack occurs when the DOM environment is being changed, but the client-side
code does not change. When the DOM environment is being modified in the victim’s
browser, then the client side code executes differently.
http://testing.com/book.html?default=<script>alert(document.cookie)</script>
Firstly, in order to test against XSS attack, black box testing can be performed.
<script>alert(document.cookie)</script>
Also while testing manually for possible Cross Site Scripting attacks, it is important to
remember, that encoded brackets should also be tried.

For Example:
%3cscript%3ealert(document.cookie)%3c/script%3e

For Example, we have a request:

http://www.testing.com/test.asp?pageid=2&title=Testing%20Title

CONCLUSION: SQL injection attack, Cross-Cite Scripting attack simulation implemented

successfully.

SIGN AND REMARK

DATE

M. K. Nivekar, Assistant Prof. GMVIT Tala Page 58