Lab - Hashing Things Out

Objectives
Part 1: Hashing a Text File with OpenSSL
Part 2: Verifying Hashes

Background / Scenario
Hash functions are mathematical algorithms designed to take data as input and generate a fixed-size, unique
string of characters, also known as the hash. Designed to be fast, hash functions are very hard to reverse; it
is very hard to recover the data that created any given hash, based on the hash alone. Another important
property of hash function is that even the smallest change done to the input data yields a completely different
hash.
While OpenSSL can be used to generate and compare hashes, other tools are available. Some of these tools
are also included in this lab.

Required Resources
• CyberOps Workstation virtual machine

Instructions

Part 1: Hashing a Text File with OpenSSL

OpenSSL can be used as a standalone tool for hashing. To create a hash of a text file, follow the steps below:
a. In the CyberOps Workstation virtual machine, open a terminal window.
b. Because the text file to hash is in the /home/analyst/lab.support.files/ directory, change to that directory:
[analyst@secOps ~]$ cd /home/analyst/lab.support.files/
c. Type the command below to list the contents of the letter_to_grandma.txt text file on the screen:
[analyst@secOps lab.support.files]$ cat letter_to_grandma.txt
Hi Grandma,
I am writing this letter to thank you for the chocolate chip cookies you sent me. I
got them this morning and I have already eaten half of the box! They are absolutely
delicious!

I wish you all the best. Love,

Your cookie-eater grandchild.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 3 www.netacad.com
 d. From the terminal window, issue the command below to hash the text file. The command will use SHA-2-
256 as the hashing algorithm to generate a hash of the text file. The hash will be displayed on the screen
after OpenSSL has computed it.
[analyst@secOps lab.support.files]$ openssl sha256 letter_to_grandma.txt
SHA256(letter_to_grandma.txt)=
deff9c9bbece44866796ff6cf21f2612fbb77aa1b2515a900bafb29be118080b

Notice the format of the output. OpenSSL displays the hashing algorithm used, SHA-256, followed by the
name of file used as input data. The SHA-256 hash itself is displayed after the equal (‘=’) sign.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 3 www.netacad.com
 e. Hash functions are useful for verifying the integrity of the data regardless of whether it is an image, a song,
or a simple text file. The smallest change results in a completely different hash. Hashes can be calculated
before and after transmission, and then compared. If the hashes do not match, then data was modified
during transmission.
Let’s modify the letter_to_grandma.txt text file and recalculate the MD5 hash. Issue the command below to
open nano, a command-line text editor.
[analyst@secOps lab.support.files]$ nano letter_to_grandma.txt
Using nano, change the first sentence from ‘Hi Grandma’ to ‘Hi Grandpa’. Notice we are changing only
one character, ‘m’ to ‘p’. After the change has been made, press the <CONTROL+X> keys to save the
modified file. Press ‘Y’ to confirm the name and save the file. Press the <Enter> key and you will exit out of
nano to continue onto the next step.
f. Now that the file has been modified and saved, run the same command again to generate a SHA-2-256
hash of the file.
[analyst@secOps lab.support.files]$ openssl sha256 letter_to_grandma.txt
SHA256(letter_to_grandma.txt)=
43302c4500b7c4b8e574ba27a59d83267812493c029fd054c9242f3ac73100bc
Is the new hash different that hash calculated in item (d)? How different?
Yes. The new hash is completely different than the previous hash.

g. A hashing algorithm with longer bit-length, such as SHA-2-512, can also be used. To generate a SHA-2-
512 hash of the letter_to_grandma.txt file, use the command below:
[analyst@secOps lab.support.files]$ openssl sha512 letter_to_grandma.txt
SHA512(letter_to_grandma.txt)=
7c35db79a06aa30ae0f6de33f2322fd419560ee9af9cedeb6e251f2f1c4e99e0bbe5d2fc32ce5
01468891150e3be7e288e3e568450812980c9f8288e3103a1d3
[analyst@secOps lab.support.files]$
h. Use sha256sum and sha512sum to generateSHA-2-256 and SHA-2-512 hash of the
letter_to_grandma.txt file:
[analyst@secOps lab.support.files]$ sha256sum letter_to_grandma.txt
43302c4500b7c4b8e574ba27a59d83267812493c029fd054c9242f3ac73100bc
letter_to_grandma.txt

[analyst@secOps lab.support.files]$ sha512sum letter_to_grandma.txt

7c35db79a06aa30ae0f6de33f2322fd419560ee9af9cedeb6e251f2f1c4e99e0bbe5d2fc32ce5
01468891150e3be7e288e3e568450812980c9f8288e3103a1d3 letter_to_grandma.txt
Do the hashes generated with sha256sum and sha512sum match the hashes generated in items (f) and
© 2017 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 3 www.netacad.com
 (g), respectively? Explain.
Yes. While different tools are used, they use the same hashing algorithm and input data.

Note: SHA-2 is the recommended standard for hashing. While SHA-2 has not yet been effectively
compromised, computers are becoming more and more powerful. It is expected that this natural evolution
will soon make it possible for attackers to break SHA-2.

SHA-3 is the newest hashing algorithm and eventually be the replacement for SHA-2 family of hashes.
Note: The CyberOPS Workstation VM only includes support for SHA-2-224, SHA-2-256, and SHA-2-512
(sha224sum, sha256sum, and sha512sum, respectively).

Part 2: Verifying Hashes

As mentioned before, a common use for hashes is to verify file integrity. Follow the steps below to use SHA-
2-256 hashes to verify the integrity of sample.img, a file downloaded from the Internet.
a. Along with sample.img, sample.img_SHA256.sig was also downloaded. sample.img_SHA256.sig is a file
containing the SHA-2-256 hash that wascomputed by the website. First, use the cat command to display
the contents of the sample.img_SHA256.sig file:
[analyst@secOps lab.support.files]$ cat sample.img_SHA256.sig
c56c4724c26eb0157963c0d62b76422116be31804a39c82fd44ddf0ca5013e6a
b. Use SHA256sum to calculate the SHA-2-256 hash of the sample.img file:
[analyst@secOps lab.support.files]$ sha256sum sample.img
c56c4724c26eb0157963c0d62b76422116be31804a39c82fd44ddf0ca5013e6a sample.img
Was the sample.img downloaded without errors? Explain.
Yes. Because both hashes match, the hash calculated before download and the one calculated after,
it is correct to state that no errors were introduced during download.

Note: While comparing hashes is a relatively robust method to detect transmission errors, there are better
ways to ensure the file has not been tampered with. Tools, such as gpg, provide a much better method
for ensuring the downloaded file has not been modified by third parties and is in fact the file the publisher
meant to publish.

© 2017 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 3 www.netacad.com
Lab - Encrypting and Decrypting Data Using OpenSSL
Objectives
Part 1: Encrypting Messages with OpenSSL
Part 2: Decrypting Messages with OpenSSL

Background / Scenario
OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose
cryptography library. In this lab, you will use OpenSSL to encrypt and decrypt text messages.
Note: While OpenSSL is the de facto cryptography library today, the use presented in this lab is NOT
recommended for robust protection. Below are two security problems with this lab:
1) The method described in this lab uses a weak key derivation function. The ONLY security is
introduced by a very strong password.
2) The method described in this lab does not guarantee the integrity of the text file.
This lab should be used for instructional purposes only. The methods presented here should NOT be used to
secure truly sensitive data.

Required Resources
• CyberOps Workstation virtual machine

Instructions

Part 1: Encrypting Messages with OpenSSL

OpenSSL can be used as a standalone tool for encryption. While many encryption algorithms can be used,
this lab focuses on AES. To use AES to encrypt a text file directly from the command line using OpenSSL,
follow the steps below:

Step 1: Encrypting a Text File

a. Log into CyberOPS Workstation VM.
b. Open a terminal window.
c. Because the text file to be encrypted is in the /home/analyst/lab.support.files/ directory, change to that
directory:
[analyst@secOps ~]$ cd ./lab.support.files/
[analyst@secOps lab.support.files]$
d. Type the command below to list the contents of the encrypted letter_to_grandma.txt text file on the
screen:
[analyst@secOps lab.support.files]$ cat letter_to_grandma.txt
Hi Grandma,
I am writing this letter to thank you for the chocolate chip cookies you sent
me. I got them this morning and I have already eaten half of the box! They
are absolutely delicious!

© 2017 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 3 www.netacad.com
 I wish you all the best. Love, Your
cookie-eater grandchild.
[analyst@secOps lab.support.files]$
e. From the same terminal window, issue the command below to encrypt the text file. The command will use
AES-256 to encrypt the text file and save the encrypted version as message.enc. OpenSSL will ask for a
password and for password confirmation. Provide the password as requested and be sure to remember the
password.
[analyst@secOps lab.support.files]$ openssl aes-256-cbc -in
letter_to_grandma.txt -out message.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[analyst@secOps lab.support.files]$

Document the password.

Rahasia

f. When the process is finished, use the cat command again to display the contents of the message.enc
file.
[analyst@secOps lab.support.files]$ cat message.enc
Did the contents of the message.enc file display correctly? What does it look like? Explain.
No. The file seems broken as just symbols are displayed. The symbols are shown because OpenSSL
has generated a binary file.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 8 www.netacad.com
 g. To make the file readable, run the OpenSSL command again, but this time add the -a option. The -a
option tells OpenSSL to encode the encrypted message using a different encoding method of Base64
before storing the results in a file.
Note: Base64 is a group of similar binary-to-text encoding schemes used to represent binary data in an
ASCII string format.
[analyst@secOps lab.support.files]$ openssl aes-256-cbc -a -in
letter_to_grandma.txt -out message.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption pascdsword:
h. Once again, use the cat command to display the contents of the, now re-generated, message.enc file:
Note: The contents of message.enc will vary.
[analyst@secOps lab.support.files]$ cat message.enc
U2FsdGVkX19ApWyrn8RD5zNp0RPCuMGZ98wDc26u/vmj1zyDXobGQhm/dDRZasG7
rfnth5Q8NHValEw8vipKGM66dNFyyr9/hJUzCoqhFpRHgNn+Xs5+TOtz/QCPN1bi
08LGTSzOpfkg76XDCk8uPy1hl/+Ng92sM5rgMzLXfEXtaYe5UgwOD42U/U6q73pj
a1ksQrTWsv5mtN7y6mh02Wobo3A1ooHrM7niOwK1a3YKrSp+ZhYzVTrtksWDl6Ci
XMufkv+FOGn+SoEEuh7l4fk0LIPEfGsExVFB4TGdTiZQApRw74rTAZaE/dopaJn0
sJmR3+3C+dmgzZIKEHWsJ2pgLvj2Sme79J/XxwQVNpw=
[analyst@secOps lab.support.files]$

Is message.enc displayed correctly now? Explain.

Yes. While message.enc is encrypted, it is now correctly displayed because it has been converted
from binary to text and encoded with Base64.

Can you think of a benefit of having message.enc Base64-encoded?

The encrypted message can now be copied and pasted in an email message, for example.

Part 2: Decrypting Messages with OpenSSL

With a similar OpenSSL command, it is possible to decrypt message.enc. a.
Use the command below to decrypt message.enc:
[analyst@secOps lab.support.files]$ openssl aes-256-cbc –a -d -in message.enc
-out decrypted_letter.txt
b. OpenSSL will ask for the password used to encrypt the file. Enter the same password again.
c. When OpenSSL finishes decrypting the message.enc file, it saves the decrypted message in a text file
called decrypted_letter.txt. Use the cat display the contents of decrypted_letter.txt:

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 8 www.netacad.com
 [analyst@secOps lab.support.files]$ cat decrypted_letter.txt

Was the letter decrypted correctly?

Yes, the letter was decrypted correctly.

The command used to decrypt also contains -a option. Can you explain?
Because message.enc was Base64 encoded after the encryption process took place, message.enc
must be Base64 decoded before OpenSSL can decrypt it.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 8 www.netacad.com
Lab - Certificate Authority Stores
Objectives
Part 1: Certificates Trusted by Your Browser
Part 2: Checking for Man-In-Middle

Background / Scenario
As the web evolved, so did the need for security. HTTPS (where the ‘S’ stands for security) along with the
concept of a Certificate Authority was introduced by Netscape back in 1994 and is still used today. In this lab,
you will:
• List all the certificates trusted by your browser (completed on your computer)
• Use hashes to detect if your internet connection is being intercepted (completed in the CyberOps
Workstation virtual machine)

Required Resources
• CyberOps Workstation virtual machine
• Internet access

Instructions

Part 1: Certificates Trusted by Your Browser

HTTPS relies on a third-party entity for validation. Known as Certification Authority (CA), this third-party entity
verifies if a domain name really belongs to the organization claiming its ownership. If the verification checks,
the CA creates a digitally signed certificate containing an information about the organization, including its
public key.
The entire system is based on the fact that web browsers and operating systems ship with a list of CAs they
trust. Any certificates signed by any of the CAs in the list will be seen by the browser as legitimate and be
automatically trusted. To make the system more secure and more scalable, CAs often spread the task of
creating and signing certificates among many child CAs. The parent CA is known as the Root CA. If a
browser trusts a Root CA, it also trusts all of its children CAs.
Note: While the certificate stores are similar across browsers, this lab focuses on Chrome 81 and Firefox 75.
The menu and graphics may be different for other versions of the web browser.
Follow the steps to display the CA store in your browser:

Step 1: Display the Root Certificates in Chrome.

You can do this step on your local machine or use FireFox in the CyberOps Workstation VM. If you use
Firefox, proceed to Step 2. If you use a browser other than Chrome or Firefox, search the internet for the
steps to display your root certificates.
Note: The menu and graphics may be different for other versions of the Chrome browser.
a. Open the Chrome web browser on your PC.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 8 www.netacad.com
Lab - Certificate Authority Stores

b. Click the three-dot icon on the far right of the address bar to display Chrome’s options. Click Settings.

c. Scroll down to Privacy and security and click More.

d. Scroll down and select Manage certificates.
e. In the Certificate window, select Trusted Root Certification Authorities tab to show all certificates and
certificate authorities trusted by Chrome.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 8 www.netacad.com
Lab - Certificate Authority Stores

Step 2: Display the Certificates in the CA Store in Firefox.

Note: The menu and graphics may be different for other versions of the Firefox browser and between different
operating systems. Firefox 75 on the CyberOps Workstation VM is shown in this step.
a. Open Firefox and click the Menu icon. The Menu icon is located on the far right of the Firefox window,
next to the address bar. Click Preferences.

b. Click Privacy & Security in the left panel.

c. Scroll down to the Security section and click View Certificates.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 8 www.netacad.com
Lab - Hashing Things Out

d. A window opens that shows the certificates and certification authorities trusted by Firefox.

Reflection Question
What would be necessary for the HTTPS proxy to work?
The local machine would have to trust the HTTPS proxy blindly. Companies and organizations that wish
to monitor HTTPS traffic achieve this trust by installing the HTTPS proxy’s certificate into the local
machine’s root certificate store. In this scenario, the local machines will trust the HTTPS proxy,
allowing it to decrypt the traffic without any warnings.

© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 8 www.netacad.com