Professional Documents
Culture Documents
Lab - Hashing Things Out: Objectives
Lab - Hashing Things Out: Objectives
Lab - Hashing Things Out: Objectives
Objectives
Part 1: Hashing a Text File with OpenSSL
Part 2: Verifying Hashes
Background / Scenario
Hash functions are mathematical algorithms designed to take data as input and generate a fixed-size, unique
string of characters, also known as the hash. Designed to be fast, hash functions are very hard to reverse; it
is very hard to recover the data that created any given hash, based on the hash alone. Another important
property of hash function is that even the smallest change done to the input data yields a completely different
hash.
While OpenSSL can be used to generate and compare hashes, other tools are available. Some of these tools
are also included in this lab.
Required Resources
• CyberOps Workstation virtual machine
Instructions
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 3 www.netacad.com
d. From the terminal window, issue the command below to hash the text file. The command will use SHA-2-
256 as the hashing algorithm to generate a hash of the text file. The hash will be displayed on the screen
after OpenSSL has computed it.
[analyst@secOps lab.support.files]$ openssl sha256 letter_to_grandma.txt
SHA256(letter_to_grandma.txt)=
deff9c9bbece44866796ff6cf21f2612fbb77aa1b2515a900bafb29be118080b
Notice the format of the output. OpenSSL displays the hashing algorithm used, SHA-256, followed by the
name of file used as input data. The SHA-256 hash itself is displayed after the equal (‘=’) sign.
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 3 www.netacad.com
e. Hash functions are useful for verifying the integrity of the data regardless of whether it is an image, a song,
or a simple text file. The smallest change results in a completely different hash. Hashes can be calculated
before and after transmission, and then compared. If the hashes do not match, then data was modified
during transmission.
Let’s modify the letter_to_grandma.txt text file and recalculate the MD5 hash. Issue the command below to
open nano, a command-line text editor.
[analyst@secOps lab.support.files]$ nano letter_to_grandma.txt
Using nano, change the first sentence from ‘Hi Grandma’ to ‘Hi Grandpa’. Notice we are changing only
one character, ‘m’ to ‘p’. After the change has been made, press the <CONTROL+X> keys to save the
modified file. Press ‘Y’ to confirm the name and save the file. Press the <Enter> key and you will exit out of
nano to continue onto the next step.
f. Now that the file has been modified and saved, run the same command again to generate a SHA-2-256
hash of the file.
[analyst@secOps lab.support.files]$ openssl sha256 letter_to_grandma.txt
SHA256(letter_to_grandma.txt)=
43302c4500b7c4b8e574ba27a59d83267812493c029fd054c9242f3ac73100bc
Is the new hash different that hash calculated in item (d)? How different?
Yes. The new hash is completely different than the previous hash.
g. A hashing algorithm with longer bit-length, such as SHA-2-512, can also be used. To generate a SHA-2-
512 hash of the letter_to_grandma.txt file, use the command below:
[analyst@secOps lab.support.files]$ openssl sha512 letter_to_grandma.txt
SHA512(letter_to_grandma.txt)=
7c35db79a06aa30ae0f6de33f2322fd419560ee9af9cedeb6e251f2f1c4e99e0bbe5d2fc32ce5
01468891150e3be7e288e3e568450812980c9f8288e3103a1d3
[analyst@secOps lab.support.files]$
h. Use sha256sum and sha512sum to generateSHA-2-256 and SHA-2-512 hash of the
letter_to_grandma.txt file:
[analyst@secOps lab.support.files]$ sha256sum letter_to_grandma.txt
43302c4500b7c4b8e574ba27a59d83267812493c029fd054c9242f3ac73100bc
letter_to_grandma.txt
Note: SHA-2 is the recommended standard for hashing. While SHA-2 has not yet been effectively
compromised, computers are becoming more and more powerful. It is expected that this natural evolution
will soon make it possible for attackers to break SHA-2.
SHA-3 is the newest hashing algorithm and eventually be the replacement for SHA-2 family of hashes.
Note: The CyberOPS Workstation VM only includes support for SHA-2-224, SHA-2-256, and SHA-2-512
(sha224sum, sha256sum, and sha512sum, respectively).
Note: While comparing hashes is a relatively robust method to detect transmission errors, there are better
ways to ensure the file has not been tampered with. Tools, such as gpg, provide a much better method
for ensuring the downloaded file has not been modified by third parties and is in fact the file the publisher
meant to publish.
© 2017 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 3 www.netacad.com
Lab - Encrypting and Decrypting Data Using OpenSSL
Objectives
Part 1: Encrypting Messages with OpenSSL
Part 2: Decrypting Messages with OpenSSL
Background / Scenario
OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose
cryptography library. In this lab, you will use OpenSSL to encrypt and decrypt text messages.
Note: While OpenSSL is the de facto cryptography library today, the use presented in this lab is NOT
recommended for robust protection. Below are two security problems with this lab:
1) The method described in this lab uses a weak key derivation function. The ONLY security is
introduced by a very strong password.
2) The method described in this lab does not guarantee the integrity of the text file.
This lab should be used for instructional purposes only. The methods presented here should NOT be used to
secure truly sensitive data.
Required Resources
• CyberOps Workstation virtual machine
Instructions
© 2017 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 3 www.netacad.com
I wish you all the best. Love, Your
cookie-eater grandchild.
[analyst@secOps lab.support.files]$
e. From the same terminal window, issue the command below to encrypt the text file. The command will use
AES-256 to encrypt the text file and save the encrypted version as message.enc. OpenSSL will ask for a
password and for password confirmation. Provide the password as requested and be sure to remember the
password.
[analyst@secOps lab.support.files]$ openssl aes-256-cbc -in
letter_to_grandma.txt -out message.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[analyst@secOps lab.support.files]$
f. When the process is finished, use the cat command again to display the contents of the message.enc
file.
[analyst@secOps lab.support.files]$ cat message.enc
Did the contents of the message.enc file display correctly? What does it look like? Explain.
No. The file seems broken as just symbols are displayed. The symbols are shown because OpenSSL
has generated a binary file.
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 8 www.netacad.com
g. To make the file readable, run the OpenSSL command again, but this time add the -a option. The -a
option tells OpenSSL to encode the encrypted message using a different encoding method of Base64
before storing the results in a file.
Note: Base64 is a group of similar binary-to-text encoding schemes used to represent binary data in an
ASCII string format.
[analyst@secOps lab.support.files]$ openssl aes-256-cbc -a -in
letter_to_grandma.txt -out message.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption pascdsword:
h. Once again, use the cat command to display the contents of the, now re-generated, message.enc file:
Note: The contents of message.enc will vary.
[analyst@secOps lab.support.files]$ cat message.enc
U2FsdGVkX19ApWyrn8RD5zNp0RPCuMGZ98wDc26u/vmj1zyDXobGQhm/dDRZasG7
rfnth5Q8NHValEw8vipKGM66dNFyyr9/hJUzCoqhFpRHgNn+Xs5+TOtz/QCPN1bi
08LGTSzOpfkg76XDCk8uPy1hl/+Ng92sM5rgMzLXfEXtaYe5UgwOD42U/U6q73pj
a1ksQrTWsv5mtN7y6mh02Wobo3A1ooHrM7niOwK1a3YKrSp+ZhYzVTrtksWDl6Ci
XMufkv+FOGn+SoEEuh7l4fk0LIPEfGsExVFB4TGdTiZQApRw74rTAZaE/dopaJn0
sJmR3+3C+dmgzZIKEHWsJ2pgLvj2Sme79J/XxwQVNpw=
[analyst@secOps lab.support.files]$
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 8 www.netacad.com
[analyst@secOps lab.support.files]$ cat decrypted_letter.txt
The command used to decrypt also contains -a option. Can you explain?
Because message.enc was Base64 encoded after the encryption process took place, message.enc
must be Base64 decoded before OpenSSL can decrypt it.
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 8 www.netacad.com
Lab - Certificate Authority Stores
Objectives
Part 1: Certificates Trusted by Your Browser
Part 2: Checking for Man-In-Middle
Background / Scenario
As the web evolved, so did the need for security. HTTPS (where the ‘S’ stands for security) along with the
concept of a Certificate Authority was introduced by Netscape back in 1994 and is still used today. In this lab,
you will:
• List all the certificates trusted by your browser (completed on your computer)
• Use hashes to detect if your internet connection is being intercepted (completed in the CyberOps
Workstation virtual machine)
Required Resources
• CyberOps Workstation virtual machine
• Internet access
Instructions
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 8 www.netacad.com
Lab - Certificate Authority Stores
b. Click the three-dot icon on the far right of the address bar to display Chrome’s options. Click Settings.
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 8 www.netacad.com
Lab - Certificate Authority Stores
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 8 www.netacad.com
Lab - Hashing Things Out
d. A window opens that shows the certificates and certification authorities trusted by Firefox.
Reflection Question
What would be necessary for the HTTPS proxy to work?
The local machine would have to trust the HTTPS proxy blindly. Companies and organizations that wish
to monitor HTTPS traffic achieve this trust by installing the HTTPS proxy’s certificate into the local
machine’s root certificate store. In this scenario, the local machines will trust the HTTPS proxy,
allowing it to decrypt the traffic without any warnings.
© 2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 8 www.netacad.com