Experiment 1ss Merged

The document outlines a series of experiments focused on cryptography, including the design and implementation of product ciphers, the RSA algorithm, and digital signatures. Students will learn about symmetric and asymmetric cryptography, as well as hashing algorithms like MD5 and SHA-1, gaining practical experience through Python coding. The experiments aim to enhance understanding of encryption, decryption, and the security implications of various cryptographic techniques.

Experiment No.01
A.1 Aim:
Design and Implementation of a product cipher using Substitution and Transposition
ciphers.

A.2 Prerequisite:
1. Basic Knowledge of Cryptography.
2. Knowledge of Substitution Cipher techniques.

A.3 Outcome:
After the successful completion of this experiment, students will be able to
apply the knowledge of symmetric cryptography to implement simple ciphers.

A.4 Theory:
● Cryptography is the art of achieving security by encoding messages to make them non-readable.
● There are two types of cryptographic algorithms: substitution and transposition.
● A product cipher is a combination of both these types, used to achieve a better security effect.
● An original message is known as the plaintext, while the coded message is called the ciphertext.

The process of converting from plaintext to ciphertext is known as enciphering or encryption; restoring the plaintext from the ciphertext is deciphering or decryption.

The many schemes used for encryption constitute the area of study known as cryptography. Such a scheme is known as a cryptographic system or a cipher.

Techniques used for deciphering a message without any knowledge of the enciphering details fall into the area of cryptanalysis.

Cryptanalysis is what the layperson calls “breaking the code.” The areas of cryptography and cryptanalysis together are called cryptology.
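As an added example (not the lab's own Product_Cipher.py, which is not reproduced on the page), a product cipher that applies a shift substitution over A-Z and then a keyed columnar transposition, together with the matching decryption; the sample message, shift and key are constructed:

```python
import string

ALPHABET = string.ascii_uppercase


def substitution_encrypt(plaintext: str, shift: int) -> str:
    """Monoalphabetic shift over A-Z (the confusion step). Non-letters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substitution_decrypt(ciphertext: str, shift: int) -> str:
    return substitution_encrypt(ciphertext, -shift)


def _column_order(key: str):
    """Columns are read out in alphabetical order of the key letters; ties keep position order."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(text: str, key: str, pad: str = "X") -> str:
    """Keyed columnar transposition (the diffusion step): write row by row, read column by column."""
    cols = len(key)
    if len(text) % cols:
        text += pad * (cols - len(text) % cols)          # complete the last row
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in _column_order(key) for row in rows)


def transposition_decrypt(ciphertext: str, key: str) -> str:
    cols = len(key)
    if len(ciphertext) % cols:
        raise ValueError("ciphertext length must be a multiple of the key length")
    nrows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for c in _column_order(key):                        # refill the columns in read-out order
        for r in range(nrows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def product_encrypt(plaintext: str, shift: int, key: str, pad: str = "X") -> str:
    """Product cipher: pad, substitute, then transpose the substituted text.
    Padding is applied before substitution so it decrypts back to the pad character."""
    cols = len(key)
    if len(plaintext) % cols:
        plaintext += pad * (cols - len(plaintext) % cols)
    return transposition_encrypt(substitution_encrypt(plaintext, shift), key)


def product_decrypt(ciphertext: str, shift: int, key: str) -> str:
    """Undo the two stages in reverse order; trailing pad characters remain."""
    return substitution_decrypt(transposition_decrypt(ciphertext, key), shift)


if __name__ == "__main__":
    message, shift, key = "ATTACK AT DAWN", 3, "ZEBRA"   # constructed sample
    c = product_encrypt(message, shift, key)
    print("ciphertext:", c)
    print("recovered :", product_decrypt(c, shift, key))
```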

Name: Saish Parab [Link].: 05 Batch:D1


PART B
Product_Cipher.py

Output:

PART C
Substitution cipher

Output:

Transposition Cipher

Output:

Conclusion:
This experiment helped us understand the concept of cryptography and the working
of substitution and transposition ciphers. We learned how plaintext can be converted
into ciphertext using encryption techniques and restored back using decryption. By
combining both methods to form a product cipher, the security of the message is
improved. This experiment also provided practical knowledge of implementing these
techniques using Python.

Experiment No.02
A.1 Aim:
Write a program to implement the RSA algorithm and Digital Signature scheme using
RSA / ElGamal.

A.2 Prerequisite:
Basic Knowledge of Asymmetric Key Cryptography.

A.3 Outcome:
After the successful completion of this experiment, students will be able to
analyze the various public-key cryptographic techniques and their applications.

A.4 Theory:

A. RSA Algorithm:

● RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and it is different from the decryption key, which is kept secret (private). In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the "factoring problem". The acronym RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1978. Clifford Cocks, an English mathematician working for the British intelligence agency Government Communications Headquarters (GCHQ), had developed an equivalent system in 1973, but this was not declassified until 1997.

● A user of RSA creates and then publishes a public key based on two large
prime numbers, along with an auxiliary value. The prime numbers must be
kept secret. Anyone can use the public key to encrypt a message, but with
currently published methods, and if the public key is large enough, only
someone with knowledge of the prime numbers can decode the message
feasibly.[2] Breaking RSA encryption is known as the RSA problem. Whether it
is as difficult as the factoring problem remains an open question.

● RSA is a relatively slow algorithm, and because of this it is less commonly used to directly encrypt user data. More often, RSA passes encrypted shared keys for symmetric key cryptography, which in turn can perform bulk encryption-decryption operations at a much higher speed.

▪ ALGORITHM:

1. Accept two prime numbers from the user (say p and q).
2. Calculate n = p * q.
3. Calculate Φ(n) as Φ(n) = (p - 1) * (q - 1).
4. Considering e * d = Φ(n) + 1, determine e and d where e and d are prime numbers.
5. Display the information at the sender as (e, n) and the information at the receiver as (d, n).
6. Check whether the user is the sender or the receiver.
7. If the user is the sender:
   a. Get message M from the user.
   b. Compute C = M^e mod n.
   c. Send ciphertext C to the receiver.
   d. Go to stop.
8. If the user is the receiver:
   a. Get ciphertext C from the user.
   b. Compute M = C^d mod n.
   c. Display plaintext M to the receiver.
   d. Go to stop.
9. Ask whether the user wants to continue (yes or no?). If yes, go to step 7; else go to stop.

▪ EXAMPLE:
● Choose p = 3 and q = 11
● Compute n = p * q = 3 * 11 = 33
● Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
● Choose e such that 1 < e < φ(n) and e and n are co-prime. Let e = 7
● Compute a value for d such that (d * e) % φ(n) = 1. One solution is d = 3 [(3 * 7) % 20 = 1]
● Public key is (e, n) => (7, 33)
● Private key is (d, n) => (3, 33)
● The encryption of m = 2 is c = 2^7 % 33 = 29
● The decryption of c = 29 is m = 29^3 % 33 = 2

B. Digital Signature with RSA:

Traditionally, a signature attached to a message is used to give evidence of identity and intention concerning that message. For years people have used various types of signature to associate their identity and intention with messages; wax imprints, seals and handwritten signatures are common examples. When someone needs to sign a digital message, things are different: none of the classical approaches to signing can be used, because they are easily forged. A forger only needs to cut the signature from one message and paste it onto another. For signing a digital document one therefore uses a digital signature.

A digital signature must therefore be impossible to separate from its message and attach to another; that is, a digital signature is required to be both message- and signer-dependent. Anyone should be able to validate the signature, so a digital signature is also required to be easy to verify.

A digital signature scheme typically consists of three distinct steps:

1. Key generation: the user computes a public key and the corresponding private key.
2. Signing: the user signs a given message with his/her private key.
3. Verification: a user verifies a signature for a given message and public key.

The functionality provided by a digital signature can be stated as follows:

Authentication: a digital signature authenticates the source of the message, since the message is signed with the private key of the sender, which is known only to him/her. Authentication is highly desirable in many applications.

Integrity: a digital signature provides integrity because it is uniquely associated with the corresponding message, i.e. after signing, the message cannot be altered; if someone alters it, the signature becomes invalid. There is no efficient method to change a message and its signature so as to produce a new message with a valid signature without having the private key. So neither sender nor receiver has to worry about in-transit alteration.

Non-repudiation: for a valid signature, the sender of the message cannot deny having signed it.

RSA digital signature scheme
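As an added example (not the lab's own RSA source files, which are not reproduced on the page), textbook RSA with the worked numbers above (p = 3, q = 11, e = 7) followed by a hash-then-sign RSA signature. The page names no hash function, so the use of SHA-256 and the second, larger toy key pair are assumptions:

```python
import hashlib
from math import gcd


def rsa_keygen(p, q, e):
    """Textbook RSA key generation from two primes p, q and a public exponent e.
    Returns ((e, n), (d, n)) where d is the inverse of e modulo phi(n), i.e.
    (d * e) % phi(n) == 1, as in the worked example (p=3, q=11, e=7 -> d=3)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) == 1")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block must lie in [0, n)")
    return pow(m, e, n)              # C = M^e mod n


def rsa_decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)              # M = C^d mod n


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message (SHA-256, an assumption) and reduce into Z_n so it can be
    exponentiated. A deployed scheme pads the hash (PKCS#1 v1.5 or PSS) instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(message: bytes, private_key):
    """Signing applies the private exponent to the hash: S = H(m)^d mod n."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(message: bytes, signature: int, public_key) -> bool:
    """Verification recovers H(m) with the public exponent: S^e mod n == H(m)."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo():
    # The lab's own numbers: p=3, q=11, e=7 give d=3, and m=2 encrypts to 29.
    pub, priv = rsa_keygen(3, 11, 7)
    c = rsa_encrypt(2, pub)                      # 2^7 mod 33 = 29
    m = rsa_decrypt(c, priv)                     # 29^3 mod 33 = 2
    # Signature demo with a slightly larger (still toy) key; all values constructed.
    pub2, priv2 = rsa_keygen(61, 53, 17)
    msg = b"transfer 100 to bob"
    sig = rsa_sign(msg, priv2)
    ok = rsa_verify(msg, sig, pub2)
    # Any other value fails: RSA is a permutation of Z_n, so only one S maps to H(m).
    forged_ok = rsa_verify(msg, (sig + 1) % pub2[1], pub2)
    return {"pub": pub, "priv": priv, "c": c, "m": m, "sig_ok": ok, "forged_ok": forged_ok}


if __name__ == "__main__":
    print(demo())
```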

PART B
Roll No. 05 Name: Saish Parab

Class: TE AIML Batch: D1

Date of Experiment: Date of Submission:

Grade:

B.2 Source Code of RSA Algorithm with Digital Signature:


1. [Link]

OUTPUT:

2. RSA_2.PY

OUTPUT:

3. RSA_math.py

OUTPUT:

Conclusion:
This experiment helped us understand the working of the RSA algorithm and its
mathematical foundations such as prime numbers, modular arithmetic, and the concept
of public and private keys. We learned how encryption and decryption are performed
using key pairs, ensuring secure communication. The experiment also demonstrated
how digital signatures and public key cryptography enhance data security and
authentication. Overall, it provided practical knowledge of implementing RSA using
Python.

Experiment No.03
A.1 Aim:

For varying message sizes, test the integrity of the message using MD5 and SHA-1, and analyze the performance of the two protocols. Use crypt APIs.

A.2 Prerequisite:

Basic Knowledge of MD5 and SHA 1.

A.3 Outcome:
After the successful completion of this experiment, students will be able to
analyze and evaluate the performance of hashing algorithms.

A.4 Theory:
MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. An MD5 hash is typically expressed as a 32-digit hexadecimal number. MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into 512-bit blocks (sixteen 32-bit little-endian integers); the message is padded so that its length is divisible by 512. The padding works as follows: first, a single 1 bit is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits less than a multiple of 512. The remaining bits are filled up with a 64-bit integer representing the length of the original message, in bits.

Figure 1: One MD5 operation.

MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32-bit block of the message input, and the other addend is a 32-bit constant, different for each operation.

The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a nonlinear function F, modular addition, and left rotation.

Figure 1 illustrates one operation within one round. There are four possible functions F; a different one is used in each round:
F(X, Y, Z) = (X ∧ Y) ∨ (¬X ∧ Z)
G(X, Y, Z) = (X ∧ Z) ∨ (Y ∧ ¬Z)
H(X, Y, Z) = X ⊕ Y ⊕ Z
I(X, Y, Z) = Y ⊕ (X ∨ ¬Z)

⊕, ∧, ∨, ¬ denote the XOR, AND, OR and NOT operations respectively.

Algorithm:

1. Append Padding Bits
The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512. Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.

2. Append Length
A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, only the low-order 64 bits of b are used. (These bits are appended as two 32-bit words, low-order word first, following the previous conventions.) At this point, the resulting message (after padding with bits and with b) has a length that is an exact multiple of 512 bits. Equivalently, this message has a length that is an exact multiple of 16 (32-bit) words. Let M[0 ... N-1] denote the words of the resulting message, where N is a multiple of 16.

3. Initialize MD Buffer
A four-word buffer (A, B, C, D) is used to compute the message digest. Here each of A, B, C, D is a 32-bit register. These registers are initialized to the following values in hexadecimal (low-order bytes first):

4. Process Message in 16-Word Blocks
We first define four auxiliary functions that each take as input three 32-bit words and produce as output one 32-bit word.

Note: Don’t write code for MD5 or SHA1. Analyze the performance using crypt APIs.
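Added example (not the lab's code): the padding rule from steps 1 and 2 above implemented directly so it can be checked against known lengths, plus integrity verification, the avalanche effect and a timing comparison of MD5 and SHA-1 through the hashlib API, as the note requires. Message contents and sizes are constructed.

```python
import hashlib
import hmac
import time


def md5_pad(message: bytes) -> bytes:
    """Padding as described in steps 1-2 of the theory: append a single 1 bit
    (0x80 carries it plus seven zero bits), then 0 bits until the length is
    448 mod 512 bits (56 mod 64 bytes), then the original length in bits as a
    64-bit integer. MD5 stores that length little-endian (low-order word first);
    SHA-1 uses the same scheme with a big-endian length."""
    bit_length = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF   # only the low 64 bits are kept
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + bit_length.to_bytes(8, "little")


def digest_hex(algorithm: str, data: bytes) -> str:
    """Hex digest through the hashlib API rather than a hand-written MD5/SHA-1."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(algorithm: str, data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(digest_hex(algorithm, data), expected_hex)


def hamming_distance_hex(a_hex: str, b_hex: str) -> int:
    """Number of differing digest bits; shows the avalanche effect of a small edit."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def _time_one(algorithm: str, data: bytes) -> float:
    start = time.perf_counter()
    hashlib.new(algorithm, data).digest()
    return time.perf_counter() - start


def benchmark(algorithms=("md5", "sha1"), sizes=(1 << 10, 1 << 16, 1 << 20), repeats=5):
    """Best-of-N wall-clock seconds per (algorithm, message size); input is constructed."""
    results = {}
    for algorithm in algorithms:
        for size in sizes:
            data = b"A" * size
            results[(algorithm, size)] = min(_time_one(algorithm, data) for _ in range(repeats))
    return results


if __name__ == "__main__":
    original = b"The quick brown fox"          # constructed message
    tampered = b"The quick brown fix"          # one character changed
    for alg in ("md5", "sha1"):
        h = digest_hex(alg, original)
        print(f"{alg}: {h} ({len(h) * 4} bits)")
        print(f"  tampered message verifies: {verify_integrity(alg, tampered, h)}")
        print(f"  digest bits changed by the edit: {hamming_distance_hex(h, digest_hex(alg, tampered))}")
    for (alg, size), secs in sorted(benchmark().items()):
        print(f"{alg:5s} {size:>8d} bytes: {secs * 1e6:9.1f} us")
```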

PART B

Roll No. 05 Name: Saish Parab

Class: AIML-D Batch: D1

Date of Experiment: Date of Submission:

Grade:

B.1 Output / Observations:

● MD5 and SHA1 Hashing

INPUT:

OUTPUT:

● MD5

INPUT:

OUTPUT:

● SHA1

INPUT:

OUTPUT:

OBSERVATION:

MD5 codes any stream of bytes into a 128-bit value, while SHA-1 codes any stream of bytes into a 160-bit value. Therefore SHA-1 provides more security than MD5. The MD5 algorithm is cheaper to compute; however, MD5 has been found to be more vulnerable to collision attacks. A comparison of both algorithms in terms of output length, memory usage, processing time, variance and time to brute force is shown in more detail in the table below.

Analyzing Subject     | MD5                  | SHA-1                | Better Algorithm
----------------------|----------------------|----------------------|-----------------
Output length         | 128 bit              | 160 bit              | SHA-1
Memory usage          | 30060 byte           | 30267,6 byte         | MD5
Processing time       | 17,233 ms            | 17,633 ms            | MD5
Variance              | 0,9013 x 10^-3       | 0,4857 x 10^-3       | SHA-1
Time for brute force  | 6,8841 x 10^29 years | 2,8825 x 10^29 years | SHA-1

For passwords of length 6, 7, 8, and 9 characters, the results indicate that the SHA-1 algorithm is stronger than MD5. The brute force attack time for 6 characters in SHA-1 was 9.71 minutes on average, while in MD5 it was 8.65 minutes. The estimated brute force attack time for SHA-1 for 7-, 8-, and 9-character passwords was 18.92 days, 974.06 hours, and 8397.8 hours respectively, while for MD5 it was 16.34 hours, 860.51 hours, and 8229.95 hours.

SHA-1 has a processing time that is not much different from MD5, in fact relatively the same. The MD5 algorithm has a processing time of 0.029 seconds for each variation of the password length (8, 9, 10 characters), MD5 + salt 0.028 seconds, SHA-1 0.029 seconds, while SHA-1 + salt has 0.03 seconds. As for the use of CPU resources, SHA-1 uses more resources than MD5, but the differences were not large. The MD5 algorithm used 9.56%, 9.96%, and 10.57% CPU resources for password lengths of 8, 9, and 10 characters respectively, while MD5 + salt used 9.85%, 10.29%, and 10.96%, SHA-1 used 10.36%, 10.96%, and 12.4%, and SHA-1 + salt used 10.39%, 11.27%, and 12.65% respectively. From the three tests conducted, we can conclude that SHA-1 + salt gives better security for password protection in Simple-O compared to MD5 + salt without overloading the performance of existing systems, and the use of SHA-1 for securing authentication systems can hopefully be adopted widely in the future to replace MD5.

B.3 Conclusion:
This experiment helped us understand the working of the MD5 hashing algorithm
and its ability to convert input data into a fixed-length 128-bit hash value. We
observed that even small changes in input produce completely different hash
outputs, demonstrating the avalanche effect. The experiment also showed how
hashing ensures data integrity by generating unique digests for different inputs.
Overall, it provided practical insight into how MD5 is used for data verification,
although it is less secure compared to modern hashing algorithms.

Experiment No.04

A.1 Aim:

Study the use of network reconnaissance tools like WHOIS, dig, traceroute,
nslookup to gather information about networks and domain registrars.
A.2 Prerequisite:
Basic Knowledge of IP addresses, DNS.
A.3 Outcome:
After the successful completion of this experiment, students will be able to
apply basic network commands to gather basic network information.

A.4 Theory:
Network Reconnaissance:
● Act of reconnoitring: exploring to find something (especially to gain information about an enemy).
● In the world of hacking, reconnaissance begins with “footprinting”, i.e. accumulating data about the target’s environment and finding vulnerabilities.
● The attacker gathers information in two phases, viz. passive attacks and active attacks.

Passive attacks:
● Gathering information about a target without his/her knowledge (eavesdropping).
● Yahoo or Google search.
● Surfing online community groups.
● Gathering information from websites of organisations, e.g. contact details, email addresses etc.
● Blogs, newsgroups, press releases etc.
● Going through job postings for particular job profiles.

Reconnaissance Tools:
● WHOIS, dig, traceroute, nslookup
● WHOIS: WHOIS is the Linux utility for searching an object in a WHOIS database. The WHOIS database of a domain is the publicly displayed information about a domain's ownership, billing, technical, administrative, and nameserver information. Running a WHOIS on your domain will look the domain up at the registrar for the domain information. All domains have WHOIS information. The WHOIS database can be queried to obtain the following information:
○ Administrative contact details, including names, email addresses, and telephone numbers
○ Mailing addresses for office locations relating to the target organization
○ Details of authoritative name servers for each given domain

Example: Querying [Link]

ssc@ssc-OptiPlex-380:~$ whois [Link]

For more information on Whois status codes, please visit
[Link]

Domain Name: [Link]
Registry Domain ID: 2320948_DOMAIN_COM-VRSN
Registrar WHOIS Server: [Link]
Registrar URL: [Link]
Updated Date: 2014-10-28T[Link]-0700
Creation Date: 1997-03-28T[Link]-0800
Registrar Registration Expiration Date: 2020-03-29T[Link]-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@[Link]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited ([Link])
Domain Status: clientTransferProhibited ([Link])
Domain Status: clientDeleteProhibited ([Link])
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Facebook, Inc.
Registrant Street: 1601 Willow Road,
Registrant City: Menlo Park
Registrant State/Province: CA
Registrant Postal Code: 94025
Registrant Country: US
Registrant Phone: +1.6505434800
Registrant Phone Ext:
Registrant Fax: +1.6505434800
Registrant Fax Ext:
Registrant Email: domain@[Link]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Facebook, Inc.
Admin Street: 1601 Willow Road,
Admin City: Menlo Park
Admin State/Province: CA
Admin Postal Code: 94025
Admin Country: US
Admin Phone: +1.6505434800
Admin Phone Ext:
Admin Fax: +1.6505434800
Admin Fax Ext:
Admin Email: domain@[Link]
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Facebook, Inc.
Tech Street: 1601 Willow Road,
Tech City: Menlo Park
Tech State/Province: CA
Tech Postal Code: 94025
Tech Country: US
Tech Phone: +1.6505434800
Tech Phone Ext:
Tech Fax: +1.6505434800
Tech Fax Ext:
Tech Email: domain@[Link]
Name Server: [Link]
Name Server: [Link]
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: [Link]
>>> Last update of WHOIS database: 2015-07-16T[Link]-0700 <<<

The Data in Mark [Link]'s WHOIS database is provided by [Link] for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. [Link] does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to:
● allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or
● enable high volume, automated, electronic processes that apply to [Link] (or its systems).
[Link] reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection. MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM) MarkMonitorAntiPiracy(TM)
MarkMonitorAntiFraud(TM) Professional and Managed Services
Visit MarkMonitor at [Link] Contact us at +1.8007459229
In Europe, at +44.02032062220
ssc@ssc-OptiPlex-380:~$

● Dig - Dig is a networking tool that can query DNS servers for information. It
can be beneficial for diagnosing problems with domain pointing and is a good
way to verify that your configuration is working. The most basic way to use
dig is to specify the domain we wish to query:

Example:

$ dig [Link]

● Traceroute - traceroute prints the route that packets take to a network host. The traceroute utility uses the TTL field in the IP header to achieve this. For users who are new to the TTL field: it describes how many hops a particular packet may take while travelling on the network, so it effectively bounds the lifetime of the packet on the network. This field is usually set to 32 or 64. Each time the packet is handled by an intermediate router, the router decreases the TTL value by 1. When a router finds a TTL value of 1 in a received packet, that packet is not forwarded but discarded. After discarding the packet, the router sends an ICMP "Time exceeded" error message back to the source from which the packet originated. The ICMP packet that is sent back contains the IP address of the router. So traceroute operates by sending packets with a TTL value starting from 1 and incrementing it by one each time. Each router that receives such a packet checks the TTL field; if it is 1, the router discards the packet and sends the ICMP error packet containing its IP address, which is exactly what traceroute requires. In this way traceroute incrementally collects the IP addresses of all the routers between the source and the destination.

Example:

$ traceroute [Link]

PART B

Roll No. 02 Name: Hariom Pandey

Class: TE AIML Batch:D1

Date of Experiment: Date of Submission:

Grade:

B.1 Output of Reconnaissance Tools

● WHOIS ([Link])
# 1. WHOIS
print_separator(f"1. WHOIS ({target_domain})")
[Link](f"whois {target_domain}")

OUTPUT:

● NSLOOKUP ([Link])

# 2. NSLOOKUP
print_separator(f"2. NSLOOKUP ({target_domain})")
[Link](f"nslookup {target_domain}")

OUTPUT:

● TRACERT ([Link])

OUTPUT:

● DIG ([Link])
# 4. DIG
print_separator(f"4. DIG ({target_domain})")
[Link](f"dig {target_domain}")

OUTPUT:

NETWORK RECONNAISSANCE COMPLETED

print("\n" + "="*60)
print(" Network Reconnaissance Completed")
print("="*60 + "\n")

OUTPUT:

B.2 Commands/tools used with the syntax:


1. WHOIS : [Link]

2. NSLOOKUP : [Link]

3. TRACERT : [Link]

4. DIG : [Link]

B.3 Question of Curiosity:


1. What information is grabbed from Whois?
Ans:
➔ When you register a domain name, ICANN requires that you provide personal details that include your name, address, phone number, etc. All of this information is automatically added to a publicly available database that catalogues the owners of every domain name that is registered. This massive database of information is called Whois.
➔ A Whois record contains all of the contact information associated with the person, group, or company that registers a particular domain name. Typically, each Whois record will contain information such as the name and contact information of the Registrant (who owns the domain), the name and contact information of the Registrar (the organization or commercial entity that registered the domain name), the registration dates, the name servers, the most recent update, and the expiration date. Whois records may also provide the administrative and technical contact information (which is often, but not always, the registrant).
➔ WHOIS information includes standard details such as your email address, telephone number, address, city and country. It also includes your registration, update and expiration dates and name servers.

B.4 Conclusion:

In this experiment, we successfully studied and utilized network reconnaissance tools such as WHOIS, NSLOOKUP, TRACEROUTE, and DIG to gather information about networks and domain registrars. We observed how these tools help in extracting important details like domain ownership, DNS records, and network routing paths. This experiment highlighted the importance of reconnaissance in cybersecurity, as it is the first step in identifying potential vulnerabilities. Overall, it provided practical knowledge of how these tools are used both by security professionals and attackers during the initial phase of network analysis.

Experiment No.05

A.1 Aim:
Design a network and implement packet sniffing on telnet traffic using
Wireshark.
A.2 Prerequisite:
Basic Knowledge of IP addresses, port numbers, TCP and UDP Protocols.
A.3 Outcome:
After the successful completion of this experiment, students will be able to
apply basic network commands to gather basic network information.

A.4 Theory:
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in a human-readable format. Wireshark includes filters, colour-coding and other features that let you dig deep into network traffic and inspect individual packets.

Features of Wireshark:

● Available for UNIX and Windows.
● Capture live packet data from a network interface.
● Open files containing packet data captured with tcpdump/WinDump, Wireshark, and several other packet capture programs.
● Import packets from text files containing hex dumps of packet data.
● Display packets with very detailed protocol information.
● Export some or all packets in several capture file formats.
● Filter packets on many criteria.
● Search for packets on many criteria.
● Colourize packet display based on filters.
● Create various statistics.

Capturing Packets

After downloading and installing Wireshark, you can launch it and click the
name of an interface under Interface List to start capturing packets on that
interface. For example, if you want to capture traffic on the wireless network, click
your wireless interface. You can configure advanced features by clicking Capture
Options.

Filtering Packets

If you're trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you'll likely have a large number of packets to sift through. That's where Wireshark's filters come in. The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type "dns" and you'll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.

A5. Interface Configuration table

SNO. | NAME OF THE DEVICE | INTERFACE     | IP ADDRESS | Subnet Mask | Default Gateway
-----|--------------------|---------------|------------|-------------|----------------
1.   | Router 0           | g0/0          | [Link]     | [Link]      | --------
2.   | PC                 | Fast Ethernet | [Link]     | [Link]      | [Link]

A6. Design

PART B

Roll No. 05 Name: Saish parab

Class: TE-D Batch: D1

Date of Experiment: 30/03/2021 Date of Submission: 30/03/2021

Grade:

IMPLEMENTATION:
import sys
from scapy.all import sniff, IP, TCP

def packet_callback(packet):
    """
    Callback function to process each captured packet.
    """
    # Check if the packet has an IP layer
    if packet.haslayer(IP):
        src_ip = packet[IP].src
        dst_ip = packet[IP].dst
        protocol = packet[IP].proto

        # Check for TCP packets
        if packet.haslayer(TCP):
            src_port = packet[TCP].sport
            dst_port = packet[TCP].dport

            # Filter for Telnet traffic (port 23)
            # Note: Telnet is unencrypted, so payloads are visible.
            if src_port == 23 or dst_port == 23:
                print(f"[+] Telnet Packet: {src_ip}:{src_port} -> {dst_ip}:{dst_port}")

                # Print the payload if present
                if packet[TCP].payload:
                    print(f"    Payload: {bytes(packet[TCP].payload)}")
            else:
                # General TCP packet
                print(f"[*] TCP Packet: {src_ip}:{src_port} -> {dst_ip}:{dst_port}")

def start_sniffer(interface=None, count=10):
    """
    Starts the packet sniffer.
    """
    print("[-] Starting Packet Sniffer...")
    print(f"[-] Capturing {count} packets...")
    if interface:
        print(f"[-] Interface: {interface}")

    # Sniff packets
    # filter="tcp" restricts capture to the TCP protocol
    # prn specifies the callback function
    # count stops after N packets (remove for an infinite loop)
    try:
        sniff(iface=interface, filter="tcp", prn=packet_callback, count=count)
        print("[-] Sniffing finished.")
    except Exception as e:
        print(f"[!] Error: {e}")
        print("[!] Ensure you are running as Administrator/Root.")

if __name__ == "__main__":
    # Optional: allow the user to specify the interface via the command line;
    # simple usage for demonstration
    start_sniffer(count=20)
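Added example, not part of the lab's implementation: a pure-Python detector for the cleartext logins that the Telnet sniffer above exposes. It strips Telnet IAC option negotiation, follows the login/password prompts per flow and reports the username and the password length without storing the secret. The (src, sport, dst, dport, payload) records, addresses and credentials are constructed, standing in for the fields the callback reads from each packet.

```python
from dataclasses import dataclass

IAC, SE, SB = 255, 240, 250                 # Telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 251, 252, 253, 254


def strip_telnet_iac(payload: bytes) -> bytes:
    """Remove Telnet option negotiation so only user-visible text remains.
    IAC IAC is an escaped literal 0xFF; IAC SB ... IAC SE is a subnegotiation;
    IAC WILL/WONT/DO/DONT <opt> is three bytes; any other IAC <cmd> is two."""
    out = bytearray()
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != IAC:
            out.append(payload[i])
            i += 1
        elif i + 1 >= n:
            break                            # command truncated at the segment end
        elif payload[i + 1] == IAC:
            out.append(IAC)
            i += 2
        elif payload[i + 1] == SB:
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif WILL <= payload[i + 1] <= DONT:
            i += 3
        else:
            i += 2
    return bytes(out)


@dataclass
class TelnetFinding:
    client: str
    server: str
    username: str
    password_length: int                     # length only: the secret itself is never kept


class TelnetLoginMonitor:
    """Consumes (src_ip, sport, dst_ip, dport, payload) records, as the sniffer
    callback sees them, and records logins that crossed the wire in cleartext.
    Flows are keyed by (client_ip, client_port, server_ip)."""

    def __init__(self):
        self.expecting = {}                  # flow -> "user" | "pass" | None
        self.buffers = {}                    # flow -> client bytes typed since the prompt
        self.usernames = {}                  # flow -> username seen at the login prompt
        self.findings = []

    def feed(self, src_ip, sport, dst_ip, dport, payload):
        if 23 not in (sport, dport):
            return
        text = strip_telnet_iac(payload)
        if sport == 23:                      # server -> client: watch for prompts
            flow = (dst_ip, dport, src_ip)
            lowered = text.lower()
            if b"login:" in lowered or b"username:" in lowered:
                self.expecting[flow], self.buffers[flow] = "user", bytearray()
            elif b"password:" in lowered:
                self.expecting[flow], self.buffers[flow] = "pass", bytearray()
            return
        flow = (src_ip, sport, dst_ip)       # client -> server: keystrokes
        state = self.expecting.get(flow)
        if state is None:
            return
        buf = self.buffers[flow]
        buf += text
        if b"\r" not in buf and b"\n" not in buf:
            return                           # the line is not finished yet
        line = bytes(buf).replace(b"\r", b"\n").split(b"\n", 1)[0].decode("ascii", "replace")
        if state == "user":
            self.usernames[flow] = line
        else:
            self.findings.append(TelnetFinding(flow[0], flow[2], self.usernames.get(flow, "?"), len(line)))
        self.expecting[flow] = None


def replay_login():
    """Replays a constructed Telnet login (addresses and credentials are made up)."""
    client, server = "10.0.0.5", "10.0.0.9"
    monitor = TelnetLoginMonitor()
    records = [(server, 23, client, 40001, b"\xff\xfd\x18\xff\xfd\x20\xff\xfb\x01login: ")]
    records += [(client, 40001, server, 23, bytes([c])) for c in b"alice\r\n"]   # one keystroke per segment
    records += [(server, 23, client, 40001, b"\r\nPassword: ")]
    records += [(client, 40001, server, 23, b"s3cret\r\n")]
    for record in records:
        monitor.feed(*record)
    return monitor.findings


if __name__ == "__main__":
    for f in replay_login():
        print(f"[!] cleartext Telnet login {f.client} -> {f.server}: user={f.username!r}, "
              f"password of {f.password_length} chars observed")
```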

B.1 Output

Filtering of packets (ARP):
import sys
from scapy.all import sniff, ARP

def packet_callback(packet):
    # Check specifically for the ARP layer (Address Resolution Protocol)
    if packet.haslayer(ARP):
        src_ip = packet[ARP].psrc
        dst_ip = packet[ARP].pdst
        hw_src = packet[ARP].hwsrc

        if packet[ARP].op == 1:      # who-has
            print(f"[?] ARP Request: {src_ip} is asking who has {dst_ip}")
        elif packet[ARP].op == 2:    # is-at
            print(f"[*] ARP Reply: {src_ip} is at {hw_src}")

def start_sniffer(interface=None, count=20):
    print("[-] Starting ARP Sniffer...")
    print(f"[-] Capturing {count} packets...")

    try:
        sniff(iface=interface, filter="arp", prn=packet_callback, count=count)
        print("[-] Sniffing finished.")
    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    start_sniffer(count=20)

OUTPUT:

Filtering packets (LLMNR):
import sys
from scapy.all import sniff, IP, UDP  # Added UDP to imports

def packet_callback(packet):
    # LLMNR sits on top of IP and UDP
    if packet.haslayer(IP) and packet.haslayer(UDP):
        src_ip = packet[IP].src
        dst_ip = packet[IP].dst

        # Filter for LLMNR port (5355)
        if packet[UDP].dport == 5355 or packet[UDP].sport == 5355:
            print(f"[!] LLMNR Packet: {src_ip} -> {dst_ip} (Port 5355)")

            # Print payload/raw data if present (common in LLMNR queries)
            if packet[UDP].payload:
                print(f"    Payload: {bytes(packet[UDP].payload)}")

def start_sniffer(interface=None, count=20):
    print("[-] Starting LLMNR Sniffer...")
    print(f"[-] Capturing {count} packets...")

    try:
        # filter="udp port 5355" targets LLMNR specifically
        # count honours the parameter; timeout stops after 60 s regardless
        sniff(iface=interface, filter="udp port 5355",
              prn=packet_callback, count=count, timeout=60)
        print("[-] Sniffing finished.")
    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    start_sniffer(count=20)

OUTPUT:

B.2 Commands/tools used with the syntax:

➔ WIFI PACKET SNIFFING
➔ arp
➔ llmnr

B.3 Conclusion:
This experiment helped us understand how network packet sniffing works using the
Scapy library in Python. We were able to capture and analyze network packets,
specifically identifying protocols such as IP, TCP, and ARP. The experiment
demonstrated how specific traffic, like Telnet and ARP requests/replies, can be
monitored in real time. It highlighted the importance of packet analysis in network
security, as it helps in detecting vulnerabilities, unauthorized access, and
suspicious activities. Overall, this experiment provided practical knowledge of
network monitoring and traffic analysis techniques.

Experiment No.06

A.1 Aim:
Implement ARP Spoofing using Ettercap.
A.2 Prerequisite:
Basic Knowledge of IP addresses, port numbers, ARP.
A.3 Outcome:
After successful completion of this experiment, students will be able to
explore and use tools like sniffers, port scanners and other related tools for analyzing
packets in a network.
A.4 Theory:

ARP spoofing is an attack against an Ethernet or Wi-Fi network to get between the
router and the target user. In an ARP spoofing attack, messages meant for the target
are sent to the attacker instead, allowing the attacker to spy on, deny service to,
or man-in-the-middle a target. One of the most popular tools for performing this
attack is Ettercap, which comes pre-installed on Kali Linux.

On a regular network, messages are routed over Ethernet or Wi-Fi by associating the
MAC address of a connected device with the IP address used to identify it by the
router. Usually, this happens via an address resolution protocol (ARP) message
indicating which device's MAC address goes with which IP address. It lets the rest
of the network know where to send traffic — but it can be easily spoofed to change
the way traffic is routed.

In an ARP spoofing attack, a program like Ettercap will send spoofed messages
attempting to get nearby devices to associate the hacker's MAC address with the IP
address of the target. When successful, they're stored temporarily in a configuration
setting on other network devices. If the rest of the network starts delivering packets
intended for the target to the attacker instead, the attacker effectively controls the
target's data connection.

Types of ARP Spoofing Attacks

There can be three primary outcomes after an attacker gains initial success in
poisoning the ARP cache of other hosts on the network:

● The attacker can spy on traffic. They can lurk in the shadows, seeing everything
that the target user does on the network. It's pretty self-explanatory.

● The attacker can intercept and modify the packets in a man-in-the-middle
attack. They can intercept passwords typed into an HTTP website, see DNS
requests, and resolve IP addresses the target is navigating to see what
websites the target is visiting. In a man-in-the-middle attack, the attacker has
the opportunity to not only see what's happening on the network but
manipulate it as well. For instance, they can attempt to downgrade the
encryption the connection is using by deliberately requesting insecure versions
of web pages to make the attacker's job of sniffing passwords easier. Also, a
hacker can simply be a nuisance. For example, they can replace words in the
text of a website, flip or replace images, or modify other types of data flowing
to and from the target.

● The attacker can drop the packets meant for the target to create a denial-of-
service attack. This is possibly the most frustrating to a target. While a Wi-Fi
authentication attack is by far the more common cause of a Wi-Fi network
being attacked, ARP spoofing can be much more difficult to figure out. If the
attacker chooses not to forward the packets now being sent to it instead of
the target, the target will never receive them. The Wi-Fi network can be
jammed from the inside, getting between the target and the router and then
dropping the packets flowing between.
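A defender's check for the cache poisoning described above, added here as an example and not part of the original report: it decodes raw Ethernet/ARP frames by their RFC 826 layout (no Scapy needed, so it runs offline), remembers the first MAC seen for each IP in ARP replies, and flags any later reply that claims that IP for a different MAC, which is what arpwatch-style monitors alert on. All addresses and frames below are constructed for the demo.

```python
import struct

# Ethernet/ARP frame layout (RFC 826): 14-byte Ethernet header followed by a
# 28-byte ARP body for Ethernet (hlen 6) over IPv4 (plen 4).
ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame as a dict, or None if the
    frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < ETH_HDR_LEN + struct.calcsize(ARP_FMT):
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[ETH_HDR_LEN:ETH_HDR_LEN + 28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": op,
        "hwsrc": sha.hex(":"),
        "psrc": ".".join(str(b) for b in spa),
        "hwdst": tha.hex(":"),
        "pdst": ".".join(str(b) for b in tpa),
    }


class ArpWatch:
    """Remembers the MAC each IP was first seen claiming in an ARP reply and
    reports any later reply that claims the same IP for a different MAC: the
    symptom of the poisoning above, where the gateway IP 'moves' to the
    attacker's MAC."""

    def __init__(self):
        self.table = {}     # ip -> mac first observed
        self.alerts = []    # (ip, known mac, conflicting mac)

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None     # requests and non-ARP traffic are ignored
        known = self.table.setdefault(arp["psrc"], arp["hwsrc"])
        if known == arp["hwsrc"]:
            return None
        alert = (arp["psrc"], known, arp["hwsrc"])
        self.alerts.append(alert)
        return alert


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encodes one Ethernet/ARP frame; used only to build the sample capture."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + body


def run_demo():
    """Constructed capture: the victim asks for the gateway, the real gateway
    answers (twice), an unrelated IPv4 frame passes, then a second host claims
    the gateway IP for its own MAC. Returns the list of alerts raised."""
    gateway, victim, rogue = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:99"
    frames = [
        build_arp_frame(ARP_REQUEST, victim, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp_frame(ARP_REPLY, gateway, "192.168.1.1", victim, "192.168.1.10"),
        build_arp_frame(ARP_REPLY, gateway, "192.168.1.1", victim, "192.168.1.10"),  # no alert
        b"\x02" * 12 + b"\x08\x00" + b"\x45" * 28,  # IPv4 EtherType: ignored
        build_arp_frame(ARP_REPLY, rogue, "192.168.1.1", victim, "192.168.1.10"),  # poisoning
    ]
    watch = ArpWatch()
    for frame in frames:
        alert = watch.observe(frame)
        if alert:
            print(f"[!] ARP conflict: {alert[0]} was {alert[1]}, now claimed by {alert[2]}")
    return watch.alerts


if __name__ == "__main__":
    run_demo()
```

A legitimately replaced NIC or a DHCP lease that moves an IP also produces one conflict, so the alert is a prompt to verify the gateway's MAC, not proof of an attack.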

A.5 Procedure

Steps to perform ARP spoofing

Ettercap Graphical

One of the most intriguing programs installed by default in Kali Linux is Ettercap.
Unlike many of the programs that are command-line only, Ettercap features a
graphical interface that's very beginner-friendly. While the results may sometimes
vary, Ettercap is a great tool for newbies to get the hang of network attacks like ARP
spoofing. If you don't already have it (like if you downloaded a light version of Kali),
you can get it by typing the following into a terminal window.

apt install ettercap-graphical

Reading package lists... Done

Building dependency tree

Reading state information... Done

ettercap-graphical is already the newest version (1:0.8.2-10+b2).

Ettercap isn't the only tool for this, nor is it the most modern. Other tools, such as
Bettercap, claim to do what Ettercap does but more effectively. However, Ettercap
proves effective enough to feature for our demonstration. The general workflow of
an Ettercap ARP spoofing attack is to join a network you want to attack, locate hosts
on the network, assign targets to a "targets" file, and then execute the attack on the
targets.

Once we do all of that, we can figuratively watch over the target's shoulder as they
browse the internet, and we can even kill the connection from websites we want to
steer them away from. We can also run various payloads, like isolating a host from
the rest of the network, denying them service by dropping all packets sent to them,
or running scripts to attempt to downgrade the security of the connection.

Step 1: Connect to the Network

The first step of ARP spoofing is to connect to the network you want to attack. If
you're attacking an encrypted WEP, WPA, or WPA2 network, you'll need to know the
password. This is because we're attacking the network internally, so we need to be
able to see some information about the other hosts on the network and the data
passing within it.

You can connect to a network for ARP spoofing in two ways. The first is to connect
via Ethernet, which is very effective but may not always be practical and is rarely
subtle. Instead, many people prefer to use a wireless network adapter and perform
the ARP spoofing over Wi-Fi.

Step 2: Start Ettercap

In Kali, click on "Applications," then "Sniffing & Spoofing," followed by
"ettercap-graphical." Alternatively, click on the "Show Applications" option in the
dock, then search for and select "Ettercap."

Once it starts up, you should find yourself on the Ettercap main screen. You'll see the
spooky Ettercap logo, and a few drop-down menus to start the attack from. In the
next step, we'll start exploring the "Sniff" menu.

At this point, make sure you have an active connection to the network before you
continue.

Step 3: Select Network Interface to Sniff On

Click on the "Sniff" menu item, and then select "Unified sniffing." A new window will
open asking you to select which network interface you want to sniff on. You should
select the network interface that is currently connected to the network you're
attacking.

Now, you'll see some text confirming that sniffing has started, and you'll be able to
access more advanced menu options such as Targets, Hosts, Mitm, Plugins, etc.
Before we get started using any of them, we'll need to identify our target on the
network.

Step 4: Identify Hosts on a Network

To find the device we want to attack on the network, Ettercap has a few tricks up its
sleeve. First, we can do a simple scan for hosts by clicking "Hosts," then "Scan for
hosts." A scan will execute, and after it finishes, you can see the resulting hosts
Ettercap has identified on the network by clicking "Hosts," then "Hosts list."

We can now see a list of targets we've discovered on the network. Want to see what
they're doing or narrow down the targets? Click on "View," then "Connections" to
start snooping on connections.

Once in the Connections view, you can filter the connections by IP address, type of
connection, and whether the connection is open, closed, active, or killed. This gives
you a lot of snooping power, which can be augmented by clicking the "View," then
"Resolve IP addresses." This means Ettercap will try to resolve the IP addresses it
sees other devices on the network connecting to.

If you want to identify a target on a network and know what they're browsing, look
over their shoulder at what website they're on, and match the website to an IP
address with an active connection to the same website. Otherwise, you can usually
tell by the MAC address, as you can look it up online to see the manufacturer.

Step 5: Select Hosts to Target with ARP Spoofing

Now that we've identified our target's IP address, it's time to add them to a target
list. Once we do this, we'll be telling Ettercap that we want to designate that IP
address as one we want to pretend to be, so that we're receiving messages from the
router that were meant to be sent to the target.

Go back to the "Hosts" screen, and select the IP address of the target you want to
target. Click the IP address to highlight it, then click on "Targets," followed by "Target
list," to see a list of devices that have been targeted for ARP spoofing.

Now, we can go to the "Mitm" menu to start our attack on this target.

Step 6: Launch Attack on Targets

Click on the "Mitm" menu, and select "ARP poisoning." A popup will open, and you'll
select "Sniff remote connections" to begin the sniffing attack.

Once this attack has begun, you'll be able to intercept login credentials if the user
you're targeting enters them into a website that doesn't use HTTPS. This could be a
router or a device on the network or even a website that uses poor security.

To try another attack, you can click on "Plugins," then "Load plugins," to show the
plugin menu. If you select the DOS attack, it will begin dropping the packets sent to
this target, cutting off their internet access.

Step 7: Try Intercepting a Password

Now, let's try intercepting a password. A website that's great for testing is
[Link], which deliberately uses bad security so that you can intercept
credentials. On the target device, navigate to [Link]. Once it loads, you'll see a
login screen you can enter a fake login and password into.

Enter a username and password, then hit "Submit." If Ettercap is successful, you
should see the login and password you typed appear on the attacker's screen!

In this result above, we can see that Ettercap successfully ARP poisoned the target
and intercepted an HTTP login request the target was sending to an insecure
website.

ARP Poisoning Is a Powerful Tool with Some Limitations

The major obvious limitation of ARP spoofing is that it only works if you're connected
to a Wi-Fi network. This means it works on open networks but may not work well
against networks that have more sophisticated monitoring or firewalls that may
detect this sort of behaviour.

ARP spoofing attacks are another example of why it's so important to pick strong
passwords for your networks and limit access to those you trust. You're giving away
a lot of trust when you give someone your network password or an Ethernet
connection, so remember to carefully pick your passwords and who you share them
with.

PART B
(Students must submit the soft copy as per the following segments within two hours of
the practical. The soft copy must be uploaded on the Blackboard or emailed to the
concerned lab in charge faculties at the end of the practical in case there is no Blackboard
access available)

Roll No. 05 Name: Saish Parab

Class: TE-D Batch: D1

Date of Experiment: Date of Submission:

Grade:

B.1 Output

B.2 Commands/tools used with the syntax:

➔ Unified Sniffing
➔ Network Interface: eth0
➔ Current Targets: 1. Default Gateway, 2. IPv4 Address
➔ ARP Poisoning
➔ Sniff Remote Connection
➔ tcpdump -i eth0 -n port 80 and host [Link]

B.3 Question of Curiosity:

1. What is ARP?

Ans:
➔ Address Resolution Protocol (ARP) is an important protocol of the network
layer in the OSI model, which helps find the MAC (Media Access Control)
address given the system's IP address. The ARP's main task is to convert the
32-bit IP address (for IPv4) to a 48-bit MAC address.
➔ This protocol is mostly used to determine the hardware (MAC) address of a
device from an IP address. It is also used when one device wants to
communicate with some other device on a local network. The full form of ARP
is Address Resolution Protocol.

2. What is the MAC address?

Ans:
➔ A MAC address is a unique identifier that is assigned to a NIC (Network Interface
Controller/Card). It consists of a 48-bit or 64-bit address, which is associated
with the network adapter. A MAC address can be in hexadecimal format. The full
form of MAC address is Media Access Control address.
➔ A media access control address is a unique identifier assigned to a network
interface controller for use as a network address in communications within a
network segment. This use is common in most IEEE 802 networking
technologies, including Ethernet, Wi-Fi, and Bluetooth.

B.4 Conclusion:

This experiment helped us understand the concept of ARP spoofing and how it can
be performed using tools like Ettercap. We observed how an attacker can intercept
and manipulate network traffic by sending fake ARP messages, thereby positioning
themselves between communicating devices. This demonstrated the vulnerability of
ARP protocol in local networks and highlighted the importance of security measures
such as encryption and network monitoring. Overall, the experiment provided
practical insight into man-in-the-middle attacks and their impact on network
security. Hence, we successfully implemented ARP Spoofing using the Ettercap GUI
tool.

Experiment No.07

A.1 Aim:
Download and install Nmap. Use it with different options to scan open ports,
perform OS fingerprinting, do a ping scan, TCP port scan, UDP port scan, Xmas scan etc.

A.2 Prerequisite:
Basic Knowledge of Ports, TCP, UDP, Ping

A.3 Outcome:
After successful completion of this experiment, students will be able to install and
use Nmap for gathering detailed network and remote host information.

A.4 Theory:
➔ Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon
(also known by his pseudonym Fyodor Vaskovich) used to discover hosts and
services on a computer network, thus creating a "map" of the network. To
accomplish its goal, Nmap sends specially crafted packets to the target host and
then analyzes the responses. Unlike many simple port scanners that just send
packets at some predefined constant rate, Nmap accounts for the network
conditions (latency fluctuations, network congestion, the target interference
with the scan) during the run. Also, owing to the large and active user community
providing feedback and contributing to its features, Nmap has been able to
extend its discovery capabilities beyond simply figuring out whether a host is up
or down and which ports are open and closed; it can determine the operating
system of the target, names and versions of the listening services, estimated
uptime, type of device, and presence of a firewall.

Nmap features include:

● Host Discovery – Identifying hosts on a network. For example, listing the hosts
which respond to pings or have a particular port open.
● Port Scanning – Enumerating the open ports on one or more target hosts.
● Version Detection – Interrogating listening network services listening on remote
devices to determine the application name and version number.
● OS Detection –Remotely determining the operating system and some hardware
characteristics of network devices.

Basic commands working in Nmap:

● For target specifications: nmap <target's URL or IP, with spaces between them>
● For OS detection: nmap -O <target-host's URL or IP>
● For version detection: nmap -sV <target-host's URL or IP>

SYN scan is the default and most popular scan option for good reasons. It can be
performed quickly, scanning thousands of ports per second on a fast network not
hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it
never completes TCP connections.

[Link]:
Installation of Nmap:

$ sudo apt-get install nmap

Commands:

● nmap -sP <[Link]/24>

Ping scans the network, listing machines that respond to ping.

● FIN scan (-sF)

Sets just the TCP FIN bit.

● -sV (Version detection)

Enables version detection, as discussed above. Alternatively, you can use -A,
which enables version detection among other things.

● -sO (IP protocol scan)

IP protocol scan allows you to determine which IP protocols (TCP, ICMP,
IGMP, etc.) are supported by target machines. This isn't technically a port scan,
since it cycles through IP protocol numbers rather than TCP or UDP port numbers.

● -O (Enable OS detection).

Enables OS detection, as discussed above. Alternatively, you can use -A to
enable OS detection along with other things.

● -p port ranges (Only scan specified ports).

This option specifies which ports you want to scan and overrides the
default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g.
1-1023). The beginning and/or end values of a range may be omitted, causing
Nmap to use 1 and 65535, respectively.

● --top-ports <integer of 1 or greater>

Scans the N highest-ratio ports found in the Nmap-services file.

● nmap --iflist

Prints host interface and route information, using the --iflist option.

PART B

Roll No. 05 Name: Saish Parab

Class: TE-D Batch: D1

Date of Experiment: Date of Submission:

Grade:

B.1 Output
1. nmap [Link]

2. nmap -sn [Link]/24

3. nmap -O [Link]

4. nmap -sS [Link]

5. nmap -sU [Link]

B.2 Commands/tools used with the syntax:
1. nmap [Link]
→ Used to perform a basic scan and find open ports on the target.

2. nmap -sn [Link]
→ Used for ping scan to check if the host is active.

3. nmap -O [Link]
→ Used for operating system detection of the target.

4. nmap -sV [Link]
→ Used for service/version detection running on open ports.

5. nmap -sS [Link]
→ Used for TCP SYN scan to detect open ports in a stealthy way.

B.3 Question of Curiosity:


1. What is SQL injection?
Ans:
➔ SQL injection is a web security vulnerability that allows an attacker to interfere
with the queries that an application makes to its database. It generally allows an
attacker to view data that they are not normally able to retrieve. This might
include data belonging to other users, or any other data that the application itself
can access. In many cases, an attacker can modify or delete this data, causing
persistent changes to the application's content or behaviour.

➔ In some situations, an attacker can escalate an SQL injection attack to
compromise the underlying server or other back-end infrastructure or perform a
denial-of-service attack.

2. What is the query that makes SQL injection possible?


Ans:
➔ It is a simple example of authenticating with a username and a password. The
example database has a table named users with the following columns:
username and password.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi (user input is concatenated into the SQL text)
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
cursor.execute(sql)

➔ These input fields are vulnerable to SQL Injection. An attacker could use SQL
commands in the input in a way that would alter the SQL statement executed by
the database server. For example, they could use a trick involving a single quote
and set the password field to password' OR 1=1
3. Explain “ OR 1 = 1” and what happens to SQL when this condition is used in the
query.
Ans:
➔ As a result, the database server runs the following SQL query:

SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

➔ Because of the OR 1=1 statement, the WHERE clause returns the first id from the
users table no matter what the username and password are. The first user id in
a database is very often the administrator. In this way, the attacker not only
bypasses authentication but also gains administrator privileges. They can also
comment out the rest of the SQL statement to control the execution of the SQL
query further.

B.4 Conclusion:
After successful completion of this experiment, we have Installed and used Nmap for
gathering detailed network and remote host information. This experiment helped us
understand the use of Nmap as a powerful network reconnaissance tool. We performed
various types of scans such as basic scan, ping scan, TCP scan, OS detection, and service
version detection to gather information about a target system. Through this
experiment, we learned how to identify open ports, active hosts, and system details,
which are essential in network security analysis. Overall, it provided practical knowledge
of how reconnaissance is performed to detect vulnerabilities and analyze network
infrastructure.

Experiment No.08

A.1 Aim:
Perform SQL injection on a vulnerable website.
A.2 Prerequisite:
Basic Knowledge of SQL queries, HTML/PHP.

A.3 Outcome:
After successful completion of this experiment, students will be able to set up
firewalls and intrusion detection systems using open source technologies and explore
email security and explore various attacks like buffer overflow, SQL injection and web
application attacks.

A.4 Theory:
➔ SQL Injection (SQLi) is a type of injection attack that makes it possible to execute
malicious SQL statements. These statements control a database server behind a
web application. Attackers can use SQL Injection vulnerabilities to bypass
application security measures. They can go around authentication and
authorization of a web page or web application and retrieve the content of the
entire SQL database. They can also use SQL Injection to add, modify, and delete
records in the database.
➔ An SQL Injection vulnerability may affect any website or web application that uses
an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use
it to gain unauthorized access to your sensitive data: customer information,
personal data, trade secrets, intellectual property, and more. SQL Injection
attacks are one of the oldest, most prevalent, and most dangerous web
application vulnerabilities.
➔ To make an SQL Injection attack, an attacker must first find vulnerable user
inputs within the web page or web application. A web page or web application
that has an SQL Injection vulnerability uses such user input directly in an SQL
query. The attacker can create input content. Such content is often called a
malicious payload and is the key part of the attack. After the attacker sends this
content, malicious SQL commands are executed in the database.
➔ SQL is a query language that was designed to manage data stored in relational
databases. You can use it to access, modify, and delete data. Many web
applications and websites store all the data in SQL databases. In some cases, you
can also use SQL commands to run operating system commands. Therefore, a
successful SQL Injection attack can have very serious consequences.

● Attackers can use SQL Injections to find the credentials of other users in
the database. They can then impersonate these users. The impersonated
user may be a database administrator with all database privileges.

● SQL lets you select and output data from the database. An SQL Injection
vulnerability could allow the attacker to gain complete access to all data in
a database server.

● SQL also lets you alter data in a database and add new data. For example,
in a financial application, an attacker could use SQL Injection to alter
balances, void transactions, or transfer money to their account.

● You can use SQL to delete records from a database, even drop tables. Even
if the administrator makes database backups, deletion of data could affect
application availability until the database is restored. Also, backups may
not cover the most recent data.

● In some database servers, you can access the operating system using the
database server. This may be intentional or accidental. In such a case, an
attacker could use an SQL Injection as the initial vector and then attack the
internal network behind a firewall.

PART B

Roll No. 05 Name: Saish Parab

Class:TE-D Batch:D1

Date of Experiment: Date of Submission:

Grade:

B.1 Output

OUTPUT:

B.2 Commands/tools used with the syntax:

Tool Used: sqlmap (SQL Injection Testing Tool)

1. python [Link] -u "[Link]" --dbs --batch
→ Used to enumerate all available databases from the target URL.

2. python [Link] -u "[Link]" -D manavi --tables --batch
→ Used to list all tables present in the selected database.

3. python [Link] -u "[Link]" -D manavi -T hello --columns --batch
→ Used to extract column names from the selected table.

4. python [Link] -u "[Link]" -D manavi -T hello --dump --batch
→ Used to retrieve (dump) data from the selected table.

B.3 Question of Curiosity:


1. What is SQL injection?

Ans:

➔ SQL Injection (SQLi) is a type of injection attack that makes it possible to execute
malicious SQL statements. These statements control a database server behind a
web application. Attackers can use SQL Injection vulnerabilities to bypass
application security measures. They can go around authentication and
authorization of a web page or web application and retrieve the content of the
entire SQL database. They can also use SQL Injection to add, modify, and delete
records in the database.

2. What is the query that makes SQL injection possible?

Ans:

➔ In SQL Injection, the UNION operator is commonly used to attach a malicious SQL
query to the original query intended to be run by the web application. The result
of the injected query will be joined with the result of the original query. This allows
the attacker to obtain column values from other tables.

3. Explain “ OR 1 = 1” and what happens to SQL when this condition is used in the
query.

Ans:

➔ We are selecting the password from the table where the user name is admin. We
are also pulling the password from the table wherever 1=1, which is always
true. Each row is evaluated to true, thus all passwords are returned. A hacker
might get access to all the user names and passwords in a database, by simply
inserting 105 OR 1=1 into the input field.
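The concatenated login query from the answers above (Experiment 7 Q2/Q3 and this Q3) beside its parameterized form, as an added example that is not part of the original report; it uses Python's sqlite3 with a constructed two-row users table whose first row is the administrator. The payload quoted above, password' OR 1=1, is run as well: without a balancing quote it is a syntax error, and the quote-balanced ' OR '1'='1 is the form that actually bypasses the check, while the parameterized query treats the same input as a literal string and rejects it.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; id 1 is the administrator, matching
    the 'first user id is very often the administrator' point above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
                     [(1, "admin", "admin-pass-1"), (2, "alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """The concatenated query from the answer above: user input becomes part
    of the SQL text, so a quote in the input changes the statement itself."""
    sql = ("SELECT id FROM users WHERE username='" + uname
           + "' AND password='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, passwd):
    """Parameterized query: the values are bound by the driver and never
    parsed as SQL, so the same input is compared literally and simply fails."""
    row = conn.execute("SELECT id FROM users WHERE username=? AND password=?",
                       (uname, passwd)).fetchone()
    return row[0] if row else None


def attempt(login, conn, uname, passwd):
    """Runs one login and turns a SQL syntax error into a readable result."""
    try:
        return login(conn, uname, passwd)
    except sqlite3.Error as exc:
        return f"db error: {exc}"


def run_demo():
    """Returns the id each login attempt resolves to (None = rejected)."""
    conn = make_db()
    balanced = "' OR '1'='1"          # closes the quote and keeps the statement valid
    page_payload = "password' OR 1=1"  # the form quoted above; leaves a dangling quote
    results = {
        "vuln_valid_login": attempt(login_vulnerable, conn, "alice", "wonderland"),
        "vuln_balanced_payload": attempt(login_vulnerable, conn, "nobody", balanced),
        "vuln_page_payload": attempt(login_vulnerable, conn, "nobody", page_payload),
        "safe_valid_login": attempt(login_safe, conn, "alice", "wonderland"),
        "safe_balanced_payload": attempt(login_safe, conn, "nobody", balanced),
    }
    for name, value in results.items():
        print(f"{name:24s} -> {value!r}")
    return results


if __name__ == "__main__":
    run_demo()
```

The password column holds plaintext only to mirror the quoted query; a real application stores a password hash and still binds the parameters.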

B.4 Conclusion:
This experiment helped us understand the concept of SQL Injection and how
vulnerabilities in web applications can be exploited using tools like sqlmap. We
performed database enumeration, table extraction, and data retrieval, which
demonstrated how attackers can gain unauthorized access to sensitive information. The
experiment highlighted the importance of secure coding practices and input validation
to prevent such attacks. Overall, it provided practical knowledge of web security
vulnerabilities and their impact on data protection. After successful execution of this
experiment, we can set up firewalls and intrusion detection systems using open source
technologies and explore email security and explore various attacks like buffer overflow,
SQL injection and web-application attacks.
