
Cyber Lab Manual


MVPS’s KBTCOE, Nashik Department of Information Technology

Assignment No: 01
Title: Implementation of Packet Sniffer

Computer Lab – VII (BE 2015) 1



Assignment No: 01

Aim: Write a program to sniff packets sent over the local network and analyze them.
Objectives: 1) To sniff packets over the local network.
2) To analyze the sniffed packets.
Theory:
When data has to be transmitted over a computer network, it is broken down at the sender's node into
smaller units called data packets, which are reassembled at the receiver's node into the original format.
A packet is the smallest unit of communication over a computer network; it is also called a block, a
segment, a datagram or a cell. The act of capturing data packets across a computer network is called
packet sniffing. It is similar to wiretapping a telephone network. It is mostly used by crackers and
hackers to collect information about a network illegally, and it is also used by ISPs, advertisers and
governments.

Packet sniffing is done using tools called packet sniffers. Sniffing can be either filtered or unfiltered:
filtered sniffing captures only specific data packets, while unfiltered sniffing captures all packets.
Wireshark and SmartSniff are examples of packet sniffing tools. A packet analyzer used for intercepting
traffic on wireless networks is known as a wireless analyzer or WiFi analyzer. While a packet analyzer
can also be referred to as a network analyzer or protocol analyzer, these terms can also have other
meanings.

Types of packet sniffers:

1. Hardware packet sniffer: A hardware packet sniffer is designed to be plugged into a network and
to examine it. A hardware packet sniffer is particularly useful when attempting to see traffic of a
specific network segment.
2. Software packet sniffer: Most packet sniffers these days are of the software variety. While any
network interface attached to a network can receive every bit of network traffic that flows by, most are
configured not to do so. A software packet sniffer changes this configuration so that the network
interface passes all network traffic up the stack. This configuration is known as promiscuous mode for
most network adapters.


Unpacking buffers: Extracting information from a raw packet buffer may seem quite tedious, as we
must parse the pertinent information out of the buffer. To deal with buffered data that has a defined
structure, Python's struct module provides the function unpack(). The tables below give the meaning of
each of the format characters in the format string "!BBHHHBBH4s4s" used for the IPv4 header, and the
mapping of each field to the IPv4 header definition.

Format   Python Type   Bytes
!        Big Endian    -
B        Integer       1
H        Integer       2
s        String        n

Format   Size (Bytes)   Mapping to IPv4              Definition
B        1              Version and IHL              4-bit version field (this will be 4, for IPv4); 4-bit Internet Header Length representing the number of 32-bit words contained in the header
B        1              DSCP and ECN                 7-bit Differentiated Services Code Point; 1-bit Congestion Notification
H        2              Total length                 16 bits, defines the entire packet size
H        2              Identification               16-bit identifier for a group of IP fragments
H        2              Flags and fragment offset    3-bit fragmentation flags; 13-bit fragment offset value
B        1              Time to live (TTL)           8-bit TTL value to prevent packet looping
B        1              Protocol                     8-bit value identifying the protocol used in the data portion of the packet
H        2              Header checksum value        16-bit checksum value for error detection
4s       4              Source IP address            4-byte source IP address
4s       4              Destination IP address       4-byte destination IP address

Algorithm to implement sniffing in Python:

1. Create a new file called basic-packet-sniffer-linux.py and open it in your editor.
2. Import the required module:
   import socket
3. Create an INET raw socket (on Linux, IPPROTO_TCP delivers TCP packets together with their IP header):
   s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
4. Start an infinite loop to receive data from the socket:
   while True:
       print(s.recvfrom(65565))
5. Run the program with Python (raw sockets require root privileges):
   sudo -E python3 basic-packet-sniffer-linux.py
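The following is an added example, not code from the manual: it applies the "!BBHHHBBH4s4s" format from the table above to a constructed 20-byte IPv4 header and also verifies the header checksum, so it runs offline without root. In the sniffer above, the bytes returned by s.recvfrom(65565)[0] would be passed to parse_ipv4_header in the same way.

```python
import socket
import struct

# Format string from the manual: network byte order, then the ten fixed IPv4 header fields
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"
IPV4_HEADER_LEN = struct.calcsize(IPV4_HEADER_FMT)  # 20 bytes

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (the IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Unpack the 20-byte fixed IPv4 header at the start of a raw packet into named fields."""
    if len(packet) < IPV4_HEADER_LEN:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack(IPV4_HEADER_FMT, packet[:IPV4_HEADER_LEN])
    ihl_bytes = (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words
    if ihl_bytes < IPV4_HEADER_LEN or ihl_bytes > len(packet):
        raise ValueError("malformed IHL field: %d bytes" % ihl_bytes)
    header = packet[:ihl_bytes]
    zeroed = header[:10] + b"\x00\x00" + header[12:]  # checksum is computed with its own field zeroed
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": ihl_bytes,
        "dscp_ecn": dscp_ecn,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,  # 3 flag bits: reserved, DF, MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,  # 6 = TCP, 17 = UDP, 1 = ICMP
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(zeroed) == checksum,
    }

def build_sample_packet() -> bytes:
    """Constructed sample (not a capture): the IPv4 header of a TCP packet with a valid checksum."""
    fields = [0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0,
              socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5")]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HEADER_FMT, *fields))
    return struct.pack(IPV4_HEADER_FMT, *fields)
```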

Conclusion: Thus we have studied and implemented a packet sniffer algorithm to sniff packets sent over
the local network and analyze them.


Assignment No: 02
Title: Implementation and analysis of the effect of attacks.
a) DDOS Attack
b) IP spoofing
c) DNS Attack


Assignment No: 02

Aim: Create attacks using Python scripts, implement them and analyze their effect.
a) DDoS Attack
b) IP spoofing
c) DNS Attack

Objectives: 1) To create and implement attacks using Python scripts
2) To analyze the effect of the attacks

DDoS attack:

Distributed denial of service (DDoS) attacks are a subclass of denial of service (DoS) attacks. A DDoS
attack involves multiple connected online devices, collectively known as a botnet, which are used to
overwhelm a target website with fake traffic.

Unlike other kinds of cyber-attacks, DDoS assaults don’t attempt to breach your security perimeter.
Rather, a DDoS attack aims to make your website and servers unavailable to legitimate users. DDoS
can also be used as a smokescreen for other malicious activities and to take down security appliances,
breaching the target’s security perimeter.

How does a DDoS attack work?

Cybercriminals carry out DDoS attacks by gaining unauthorized control of a network of computers.
With the help of specially designed malware, they turn those computers, and other systems (such as
IoT devices), into bots (or zombies). A group of such bot systems is known as a botnet, which the
cybercriminals control remotely to carry out DDoS attacks.

Cybercriminals can direct the devices in the botnet by sending instructions to each bot via a method of
remote control. When the botnet targets the IP address of a victim (a website, server or other network
resources), each bot will respond by sending repeated connection requests to the target, potentially
causing the targeted machine to overflow capacity, resulting in a denial-of-service to normal traffic.


Botnets can be of any size; botnets with tens or hundreds of thousands of compromised machines have
become increasingly common, and there are no upper limits to their size. Once a botnet is created, the
attacker can use the traffic generated by those compromised devices to attack the targeted website or
computer with overwhelming connection requests.

Types of DDoS attack:

1. HTTP Flood

An HTTP flood is a type of DDoS attack in which seemingly legitimate GET or POST requests are
exploited by a cybercriminal. This type of attack uses less bandwidth than other types of DDoS
attacks, but it can force the server (target machine) to use maximum resources.

2. UDP Flood

A UDP flood attack targets random ports on a computer system or network with UDP (User
Datagram Protocol) packets. It involves sending high volumes of UDP packets to the target machine.

3. SYN Flood

A SYN flood exploits vulnerabilities in the TCP connection sequence (on a server), known as the
three-way handshake. The attacker sends repeated SYN requests (TCP connection requests) to the target
machine (server). Normally the server replies with a SYN-ACK response, and the client then follows
up with an ACK to establish the connection. In a SYN flood, the ACK is never sent. This leads to a
build-up of incomplete connections, causing the server (target machine) to slow down or even crash.
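As an added example (not part of the manual), the half-open pattern described above can be observed from the defending side: the code below replays constructed TCP handshake segments seen in front of a server, tracks which connections never receive the final ACK, and reports clients that hold an unusual number of them. The server address, client addresses and threshold are all constructed for the sample.

```python
from collections import Counter

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SERVER = ("192.0.2.10", 80)  # constructed server address for the sample traffic

def handshake_key(src, sport, dst, dport, flags):
    """Normalise a segment to its (client, cport, server, sport) connection key.
    The SYN-ACK is the only handshake segment that travels server -> client."""
    if flags & SYN and flags & ACK:
        return (dst, dport, src, sport)
    return (src, sport, dst, dport)

def half_open_by_client(segments):
    """Replay (src, sport, dst, dport, flags) segments and count, per client, handshakes still missing the final ACK."""
    half_open = {}  # connection key -> "syn_received" or "syn_ack_sent"
    for src, sport, dst, dport, flags in segments:
        key = handshake_key(src, sport, dst, dport, flags)
        if flags & RST:  # a reset from either side tears the embryonic connection down
            half_open.pop(key, None)
            half_open.pop((dst, dport, src, sport), None)
        elif flags & SYN and not flags & ACK:
            half_open[key] = "syn_received"  # step 1: client's SYN
        elif flags & SYN and flags & ACK:
            if key in half_open:
                half_open[key] = "syn_ack_sent"  # step 2: server replied, now waiting for the ACK
        elif flags & ACK:
            half_open.pop(key, None)  # step 3: ACK completes the handshake, no longer half-open
    return dict(Counter(key[0] for key in half_open))

def syn_flood_suspects(segments, threshold=3):
    """Clients holding more than `threshold` half-open connections: the SYN-flood pattern."""
    return {c: n for c, n in half_open_by_client(segments).items() if n > threshold}

def sample_segments():
    """Constructed sample traffic (not a capture): one completed handshake, one reset, five SYNs never ACKed."""
    segs = []
    def handshake(client, cport, final):
        segs.append((client, cport, *SERVER, SYN))
        segs.append((*SERVER, client, cport, SYN | ACK))
        if final is not None:
            segs.append((client, cport, *SERVER, final))
    handshake("10.0.0.7", 40001, ACK)
    handshake("10.0.0.8", 40002, RST)
    for port in range(1000, 1005):
        handshake("203.0.113.5", port, None)
    return segs
```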

IP spoofing:

Internet Protocol (IP) spoofing is a type of malicious attack where the threat actor hides the true source
of IP packets to make it difficult to know where they came from. The attacker creates packets,
changing the source IP address to impersonate a different computer system, disguise the sender's
identity, or both. The spoofed packet's header field for the source IP address contains an address that is
different from the actual source IP address. IP spoofing is a technique often used by attackers to
launch distributed denial of service (DDoS) attacks and man-in-the-middle attacks against targeted
devices or the surrounding infrastructure. The goal of such DDoS attacks is to overwhelm a target with
traffic while hiding the identity of the malicious source, preventing mitigation efforts.

How does IP spoofing work?

Internet traffic is sent in units referred to as packets. Packets contain IP headers that have routing
information about the packet. This information includes the source IP address and the destination IP
address. Think of the packet as a package in the mail and the source IP address as the return address on
that package.

In IP address spoofing, the attacker changes the source address in the outgoing packet header. That
way, the destination computer sees the packet as coming from a trusted source, such as a computer
on an enterprise network, and accepts it.

Attackers may generate fraudulent packet headers by falsifying and continuously randomizing the
source address using a tool. They may also use the IP address of another existing device so that
responses to the spoofed packet go there instead.

To carry out IP spoofing, attackers need the following:

• A trusted IP address that the receiving device would permit to enter the network. There are
numerous ways to find device IPs. One way is Shodan, an online database of IP address-to-device
mappings.
• The ability to intercept the packet and swap out the real IP header for the fraudulent one. A
network sniffing tool or an Address Resolution Protocol (ARP) scan can be used to intercept
packets on a network and gather IP addresses to spoof.

DNS attack:

A DNS attack is when a hacker exploits vulnerabilities in the DNS service. The focus of the attack is
on the DNS infrastructure itself, either attempting to make the DNS service unavailable or to corrupt
the answers that are normally provided by the DNS server.

There are two general types of attacks on DNS:

1. Attacks with the goal of disabling DNS
2. Attacks affecting the DNS response

Types of DNS attack:

1. DoS and DDoS Attacks
2. DNS Hijacking/DNS Redirection
3. DNS Poisoning/DNS Spoofing
4. DNS Tunneling

How does a DNS attack work?

When a user types a domain name in the browser, a program available in the operating system known
as the 'DNS resolver' searches for the IP address of that domain name. The DNS resolver first searches
its own local cache to check whether it already has the IP address for that domain. If it does not find it
in the local cache, it queries a DNS server to check if it knows the accurate IP address for that domain.
DNS servers work in a chain, which means they are able to query each other to find the DNS server
that knows the correct IP address of the domain name. As soon as the DNS resolver locates the IP
address, it returns it to the requesting program. DNS also caches domain addresses for future use.

Though the Domain Name System is quite powerful, it seems less focused on security. Maybe that is
why we are noticing different types of DNS attacks. To minimize the possibility of DNS attacks,
server administrators must take some necessary steps. They can use an upgraded version of the DNS
software and regularly configure duplicate (redundant) servers. At a personal level, users can flush
their DNS cache to avoid security risks. If you don't know how to flush DNS, read a resourceful post
at hostinger.com.

Conclusion:

Thus DDoS, IP spoofing and DNS attacks are implemented and analyzed successfully.


Assignment No: 03
Title: Implementation of Spam Filtering


Assignment No: 03

Aim: Write a program in python script for Spam Mail Detection (Spam Filtering Implementation).

Objectives: 1) To implement spam mail filtering using machine learning algorithms
2) To evaluate the machine learning model
Theory:
The Naive Bayes algorithm is extremely fast relative to other classification algorithms. It works on
Bayes' theorem of probability to predict the class of an unknown data set. It is a classification technique
based on Bayes' Theorem with an assumption of independence among predictors. In simple terms, a
Naive Bayes classifier assumes that the presence of a particular feature in a class is unrelated to the
presence of any other feature. For example, a fruit may be considered to be an apple if it is red, round,
and about 3 inches in diameter. Even if these features depend on each other or upon the existence of
the other features, all of these properties independently contribute to the probability that this fruit is an
apple, and that is why it is known as 'Naive'. A Naive Bayes model is easy to build and particularly
useful for very large data sets. Along with simplicity, Naive Bayes is known to outperform even
highly sophisticated classification methods. Bayes' theorem provides a way of calculating the posterior
probability P(c|x) from P(c), P(x) and P(x|c):

P(c|x) = P(x|c) * P(c) / P(x)

Above,
• P(c|x) is the posterior probability of class (c, target) given predictor (x, attributes).
• P(c) is the prior probability of class.
• P(x|c) is the likelihood, which is the probability of predictor given class.
• P(x) is the prior probability of predictor.


Below we have a training data set of weather and the corresponding target variable Play (suggesting
possibilities of playing). Now, we need to classify whether players will play or not based on the
weather condition.

Step 1: Convert the data set into a frequency table.

Step 2: Create a likelihood table by finding probabilities such as Overcast probability = 0.29 and
probability of playing = 0.64.

Step 3: Now, use the Naive Bayesian equation to calculate the posterior probability for each class.
The class with the highest posterior probability is the outcome of the prediction.

Problem: Will players play if the weather is sunny?

We can solve it using the method of posterior probability:

P(Yes | Sunny) = P(Sunny | Yes) * P(Yes) / P(Sunny)

Here we have P(Sunny | Yes) = 3/9 = 0.33, P(Sunny) = 5/14 = 0.36 and P(Yes) = 9/14 = 0.64.
Now P(Yes | Sunny) = 0.33 * 0.64 / 0.36 = 0.60, which is the higher probability.


Naive Bayes is used to predict the probability of different classes based on various attributes. This
algorithm is mostly used in text classification and with problems having multiple classes. Naive
Bayes classifiers, mostly used in text classification (due to better results in multi-class problems and
the independence rule), have a higher success rate compared to other algorithms. As a result, it is
widely used in spam filtering (identifying spam e-mail) and sentiment analysis (in social media
analysis, to identify positive and negative customer sentiments).
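The following is an added example, not the manual's program: a multinomial Naive Bayes spam filter written from scratch that computes P(c|x) for the classes spam and ham exactly as in the theory above, using log probabilities and add-one smoothing so that a word unseen in one class does not zero the product. The six training messages are constructed for the example, not a real data set.

```python
import math
from collections import Counter

# Constructed training corpus (not a real data set): (label, message) pairs
TRAINING = [
    ("spam", "win a free prize now claim your free money"),
    ("spam", "free money offer click now to claim prize"),
    ("spam", "urgent claim your lottery prize money today"),
    ("ham", "meeting moved to tuesday please confirm the agenda"),
    ("ham", "please review the attached report before the meeting"),
    ("ham", "lunch tomorrow confirm if the time works for you"),
]

def train(records):
    """Multinomial Naive Bayes: class priors P(c) plus per-class word counts for P(x|c)."""
    class_docs, word_counts, vocab = Counter(), {}, set()
    for label, text in records:
        words = text.lower().split()
        class_docs[label] += 1
        word_counts.setdefault(label, Counter()).update(words)
        vocab.update(words)
    total = sum(class_docs.values())
    return {"priors": {c: n / total for c, n in class_docs.items()},
            "word_counts": word_counts, "vocab_size": len(vocab)}

def posteriors(model, text):
    """P(c|x) for every class. Likelihoods are multiplied in log space to avoid underflow,
    with add-one (Laplace) smoothing so a word unseen in a class does not zero the product.
    P(x) is identical for all classes, so it enters only through the final normalisation."""
    log_scores = {}
    for c, prior in model["priors"].items():
        counts = model["word_counts"][c]
        denom = sum(counts.values()) + model["vocab_size"]
        log_p = math.log(prior)  # log P(c)
        for w in text.lower().split():
            log_p += math.log((counts[w] + 1) / denom)  # log P(w|c), smoothed
        log_scores[c] = log_p
    top = max(log_scores.values())
    weights = {c: math.exp(s - top) for c, s in log_scores.items()}  # shift for numerical safety
    norm = sum(weights.values())
    return {c: w / norm for c, w in weights.items()}

def classify(model, text):
    """The class with the highest posterior probability is the prediction."""
    p = posteriors(model, text)
    return max(p, key=p.get)
```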

Conclusion: Thus we have studied and implemented the Naive Bayes classifier for spam mail detection.


Assignment No: 04
Title: IDS: use distributed IDS attack information to gather log files from users around the
network and prepare reports to determine if their networks have encountered intrusion
attempts.


Assignment No: 04

Aim: IDS: use distributed IDS attack information to gather log files from users around the network
and prepare reports to determine if their networks have encountered intrusion attempts.

Objectives: 1)

Theory:

Conclusion:
