CEHV8 - Module 17 - Labs Evading IDS, Firewalls and Honeypots

May 31, 2016 | Author: aquey1 | Category: Types, Instruction manuals

CEH Lab Manual

Evading IDS, Firewalls, and Honeypots Module 17

Module 17 - Evading IDS, Firewalls and Honeypots

Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.

Lab Scenario

Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are those that have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress, including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a "process of identifying and responding to malicious activity targeted at computing and networking resources." In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from its own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Objectives

The objective of this lab is to help students learn to detect intrusions in a network, log, and view all log files. In this lab, you will learn how to:

■ Install and configure Snort IDS
■ Run Snort as a service
■ Log Snort log files to Kiwi Syslog Server
■ Store Snort log files to two output sources simultaneously

Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine
■ A computer running Windows Server 2008, Windows 8, or Windows 7 as a virtual machine
■ WinPcap drivers installed on the host machine

CEH Lab Manual Page 847

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ ActivePerl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools
■ A web browser with Internet access

Lab Duration Time: 40 Minutes

Overview of Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. In addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself or changing the security environment. IDPSes are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in using IDSes:

■ Detecting Intrusions Using Snort
■ Logging Snort Alerts to Kiwi Syslog Server
■ Detecting Intruders and Worms using KFSensor Honeypot IDS
■ HTTP Tunneling Using HTTPort

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Detecting Intrusions using Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by reviewing IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trending data from the Internet. As attacks become more sophisticated, automatically reasoning about attack scenarios in real time and categorizing those scenarios becomes a critical challenge. These activities result in huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Objectives

The objective of this lab is to familiarize students with IPSes and IDSes. In this lab, you need to:

■ Install Snort and verify Snort alerts
■ Configure and validate the snort.conf file
■ Test the working of Snort by carrying out an attack test
■ Perform intrusion detection
■ Configure Oinkmaster

Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine
■ Windows 7 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ ActivePerl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools

Lab Duration Time: 30 Minutes

You can also download Snort from http://www.snort.org.

Overview of Intrusion Prevention Systems and Intrusion Detection Systems

An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity. An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

TASK 1: Install Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

1. Start Windows Server 2012 on the host machine. Install Snort.
2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.
4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.
5. A window appears after successful installation of Snort. Click the Close button.
6. Click OK to exit the Snort Installation window.


Figure 1.1: Snort Successful Installation Window (dialog text: "Snort has successfully been installed. Snort also requires WinPcap 4.1.1 to be installed on this machine. WinPcap can be downloaded from: http://www.winpcap.org/ It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable. Next, you must manually edit the 'snort.conf' file to specify proper paths to allow Snort to find the rules files and classification files.")

WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.

7. Snort requires WinPcap to be installed on your machine.
8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort, and double-clicking WinPcap_4_1_2.exe.
9. By default, Snort installs itself in C:\Snort (C:\ or D:\ depending upon the disk drive on which the OS is installed).
10. Register on the Snort website https://www.snort.org/signup in order to download Snort rules. After registration completes, it automatically redirects to a download page.
11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.
12. Extract the downloaded rules and copy the extracted folder to this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
13. Rename the extracted folder to snortrules.
14. Now go to the etc folder in the specified location D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc of the extracted Snort rules, copy the snort.conf file, and paste this file in C:\Snort\etc.
15. The snort.conf file is already present in C:\Snort\etc; replace this file with the snort.conf file from the Snort rules.
16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.


17. Copy the preproc_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort, replacing the existing folder.
18. Copy all the files from this location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

TASK 2: Verify Snort Alert

19. Now navigate to C:\Snort, right-click the bin folder, and click CmdHere from the context menu to open it in a command prompt.
20. Type snort and press Enter.

Figure 1.2: Snort Basic Command (Snort starts in packet dump mode, reports the pcap DAQ configured to passive and the \Device\NPF_{...} interface it acquires traffic from, prints the Initialization Complete banner for version 2.9.3.1-WIN32 GRE (Build 40), and then reports "Commencing packet processing")

To print out the TCP/IP packet headers to the screen (i.e. sniffer mode), type: snort -v.

21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and comes back to C:\Snort\bin.
22. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet drivers, but all are disabled by default.

Figure 1.3: Snort -W Command (the output table has the columns Index, Physical Address, IP Address, Device Name, and Description, with one row per \Device\NPF_{...} interface, each marked disabled)

23. Observe your Ethernet driver index number and write it down; in this lab, the Ethernet driver index number is 1.
24. To enable the Ethernet driver, in the command prompt, type snort -dev -i 2 and press Enter.


To specify a logging directory, type snort -dev -l /logdirectorylocation and Snort automatically knows to go into packet logger mode.

25. You see rapidly scrolling text in the command prompt. It means the Ethernet driver is enabled and working properly.

Figure 1.4: Snort -dev -i 4 Command (after the initialization banner Snort prints decoded packets, for example "11/14-09:55:49.352079 ARP who-has 10.0.0.13 tell 10.0.0.10")

26. Leave the Snort command prompt window open, and launch another command prompt window.
27. In a new command prompt, type ping google.com and press Enter.

Figure 1.5: Ping google.com Command (the figure shows the ping usage line: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list)

28. This ping command triggers a Snort alert in the Snort command prompt with rapidly scrolling text.

To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.

Figure 1.6: Snort Showing Captured Google Request (the decoded packets include a TCP segment to 74.125.236.85:443 with "TTL:128 TOS:0x0 ID:20990 IpLen:20 DgmLen:40 DF", followed by repeated "ARP who-has 10.0.0.13 tell 10.0.0.10" entries)


29. Close both command prompt windows. The verification of the Snort installation and the triggering of an alert is complete, and Snort is working correctly in verbose mode.

TASK 3: Configure snort.conf File

30. Configure the snort.conf file located at C:\Snort\etc.
31. Open the snort.conf file with Notepad++.
32. The snort.conf file opens in Notepad++ as shown in the following screenshot.

Make sure to grab the rules for the version of Snort you are installing.

To log packets in tcpdump format and to produce minimal alerts, type: snort -b -A fast -c snort.conf.

Figure 1.7: Configuring snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line, replace any with the IP address (Line 45) of the machine where Snort is running.

Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.

Figure 1.8: Configuring snort.conf File in Notepad++ (Line 45 now reads "ipvar HOME_NET 10.0.0.10")

34. Leave the EXTERNAL_NET any line as it is.


The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.

35. If you have a DNS server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS server IP address; otherwise, leave this line as it is.
36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.

Rule variable names can be modified in several ways. You can define metavariables using the $ operator. These can be used with the variable modifier operators ? and -.

Figure 1.9: Configuring snort.conf File in Notepad++ (Lines 104 to 106 now read "var RULE_PATH C:\Snort\rules", "var SO_RULE_PATH C:\Snort\so_rules" and "var PREPROC_RULE_PATH C:\Snort\preproc_rules"; below them "var WHITE_LIST_PATH ../rules" and "var BLACK_LIST_PATH ../rules" are still unchanged)

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.

Figure 1.13: Configuring snort.conf File in Notepad++ (the Step #5: Configure preprocessors section, showing the inline packet normalization preprocessors normalize_ip4, normalize_tcp, normalize_icmp4 and normalize_ip6, annotated in the file as doing nothing in IDS mode)

46. Scroll down to the Step #5: Configure Preprocessors section (Line 256). The listed preprocessors do nothing in IDS mode, but generate errors at runtime.

IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

47. Comment out all the preprocessors listed in this section by adding # before each preprocessor.

Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]

Figure 1.14: Configuring snort.conf File in Notepad++ (the normalize_* preprocessor lines are now commented out, while the frag3_global, frag3_engine and stream5_global preprocessor lines that follow are left active)

48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.
49. These two files are in C:\Snort\etc. Provide this location of the files in configure output plugins (in Lines 540 and 541).
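The edits in steps 33 to 49 are easy to get half right, so here is an added checker (my own code, not part of the lab manual or of Snort) that reads a snort.conf and reports which of those edits are still missing. The two excerpts are constructed from only the lines the steps touch; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed excerpt of the lab's snort.conf BEFORE the edits of steps 33-49
# (assumption: only the lines those steps touch, in Snort 2.9 syntax).
SNORT_CONF_BEFORE = r"""
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# Inline packet normalization. Does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor frag3_global: max_frags 65536
include classification.config
include reference.config
"""

# The same excerpt AFTER the lab edits (constructed to match steps 33-49).
SNORT_CONF_AFTER = r"""
ipvar HOME_NET 10.0.0.10
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
var RULE_PATH C:\Snort\rules
var SO_RULE_PATH C:\Snort\so_rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules
var WHITE_LIST_PATH C:\Snort\rules
var BLACK_LIST_PATH C:\Snort\rules
# Inline packet normalization. Does nothing in IDS mode
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
preprocessor frag3_global: max_frags 65536
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config
"""

VAR_RE = re.compile(r"^\s*(?:ipvar|var|portvar)\s+(\S+)\s+(.+?)\s*$")
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([^\s:]+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")
WIN_ABS_RE = re.compile(r"^[A-Za-z]:\\")   # C:\... style absolute path

PATH_VARS = ("RULE_PATH", "SO_RULE_PATH", "PREPROC_RULE_PATH",
             "WHITE_LIST_PATH", "BLACK_LIST_PATH")


def parse_vars(conf: str) -> Dict[str, str]:
    """Collect var/ipvar/portvar definitions; commented lines never match."""
    found: Dict[str, str] = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def active_preprocessors(conf: str) -> List[str]:
    """Names of preprocessor directives that are not commented out."""
    return [m.group(1) for m in map(PREPROC_RE.match, conf.splitlines()) if m]


def lint_lab_config(conf: str) -> List[str]:
    """One finding per lab edit that has not been applied to this config."""
    findings: List[str] = []
    v = parse_vars(conf)
    # Step 33: HOME_NET must name the sensor's address, not 'any'.
    if v.get("HOME_NET", "any") == "any":
        findings.append("HOME_NET is 'any': rules cannot tell inbound from outbound")
    # Steps 38-39: ../rules paths do not resolve from C:\Snort\bin on Windows.
    for name in PATH_VARS:
        if not WIN_ABS_RE.match(v.get(name, "")):
            findings.append(f"{name}={v.get(name)!r} is not an absolute Windows path")
    # Steps 46-47: normalize_* does nothing in IDS mode but errors at start-up.
    for name in active_preprocessors(conf):
        if name.startswith("normalize"):
            findings.append(f"preprocessor {name} is still active")
    # Steps 48-49: classification.config / reference.config must be reachable.
    for m in filter(None, map(INCLUDE_RE.match, conf.splitlines())):
        if not WIN_ABS_RE.match(m.group(1)):
            findings.append(f"include {m.group(1)} uses a relative path")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SNORT_CONF_BEFORE), ("after", SNORT_CONF_AFTER)):
        print(f"{label}: {lint_lab_config(conf) or 'OK'}")
```

Run it against your real C:\Snort\etc\snort.conf by reading the file into a string and passing it to lint_lab_config; an empty list means every edit from the steps above is in place.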


[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:199 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:200 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:201 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:202 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:203 ECHO

Figure 1.21: Snort Alerts (.ids) Window Listing Snort Alerts

73. You see that all the log entries are saved in the ICMP_ECHO.ids file. This means that your Snort is working correctly and triggers alerts when attacks occur on your machine.
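As an added example (my own code, not from the lab manual or from Snort), the following parses a .ids file in the layout Figure 1.21 shows and flags sources that send bursts of echo requests, which is how an analyst turns these entries into a report instead of reading them one by one. The sample log is constructed (four entries copy the figure, two are invented), and IcmpAlert, parse_ids_log and ping_bursts are my own names.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed ICMP_ECHO.ids content in the layout of Figure 1.21: the first four
# entries copy the figure; the echo reply and the second source are invented.
SAMPLE_IDS_LOG = """\
[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:202  ECHO

[**] ICMP Echo Reply [**]
11/14-12:24:21.194500 10.0.0.10 -> 10.0.0.12
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1   Seq:202  ECHO REPLY

[**] ICMP-INFO PING [**]
11/14-12:24:40.000000 10.0.0.13 -> 10.0.0.10
ICMP TTL:64 TOS:0x0 ID:4120 IpLen:20 DgmLen:84
Type:8  Code:0  ID:7   Seq:1  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]$")
PACKET_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
                       r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)$")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:\d+\s+ID:\d+\s+Seq:(?P<seq>\d+)")


@dataclass
class IcmpAlert:
    msg: str
    ts: datetime          # month/day and time only; the .ids file has no year
    src: str
    dst: str
    icmp_type: int        # 8 = echo request, 0 = echo reply
    seq: int


def parse_ids_log(text: str) -> List[IcmpAlert]:
    """Split the file on blank lines and decode each ICMP entry."""
    alerts: List[IcmpAlert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue                      # truncated entry at end of file
        hdr, pkt = HEADER_RE.match(lines[0]), PACKET_RE.match(lines[1])
        icmp = next((m for m in map(ICMP_RE.match, lines[2:]) if m), None)
        if not (hdr and pkt and icmp):
            continue                      # not an ICMP entry; skip it
        alerts.append(IcmpAlert(hdr["msg"],
                                datetime.strptime(pkt["ts"], "%m/%d-%H:%M:%S.%f"),
                                pkt["src"], pkt["dst"],
                                int(icmp["type"]), int(icmp["seq"])))
    return alerts


def echo_requests_by_source(alerts: List[IcmpAlert]) -> Dict[str, int]:
    """Echo requests per source; replies (type 0) are not counted."""
    return Counter(a.src for a in alerts if a.icmp_type == 8)


def ping_bursts(alerts: List[IcmpAlert], threshold: int = 3,
                window: timedelta = timedelta(seconds=5)) -> List[str]:
    """Sources that sent at least `threshold` echo requests within `window`."""
    stamps_by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.icmp_type == 8:
            stamps_by_src[a.src].append(a.ts)
    flagged = []
    for src, stamps in stamps_by_src.items():
        start = 0
        for end in range(len(stamps)):           # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)
```

On the sample, echo_requests_by_source reports four requests from 10.0.0.12 and one from 10.0.0.13, and ping_bursts flags only 10.0.0.12.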

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: Snort
Information Collected/Objectives Achieved: Output: victim machine logs are captured

Questions

1. Determine and analyze the process to identify and monitor network ports after intrusion detection.
2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs

Lab

Logging Snort Alerts to Kiwi Syslog Server

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day, making it difficult for human users to analyze them and take appropriate actions. It is important to reduce the redundancy of alerts, intelligently integrate and correlate them, and present a high-level view of the detected security issues to the administrator. An IDS is used to inspect data for malicious or anomalous activities and detect attacks or unauthorized use of systems, networks, and related resources.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, be able to identify malicious network activity and log information, and stop or block malicious network activity.

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Objectives

The objective of this lab is to help students learn and understand IPSes and IDSes. In this lab, you need to:

■ Install Snort and configure the snort.conf file
■ Validate configuration settings
■ Perform an attack on the host machine
■ Perform an intrusion detection
■ Attempt to stop detected possible incidents


Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine
■ Windows 8 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Administrative privileges to configure settings and run tools

You can also download Kiwi Syslog Server from http://www.kiwisyslog.com

Lab Duration Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Intrusion detection and prevention systems (IDPSes) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

TASK 1: Log Snort Alerts to Syslog Server

Lab Tasks 1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\lntrusion Detection Tools\Kiwi Syslog Server double click on Kiwi_Syslog_Server_9.3.4.Eval.setup.exe and install Kiwi Syslog Server on die Windows Server 2012 host machine. 2. The L icense Agreement window appears, Click I Agree.

Figure 2.1: Kiwi Syslog Server installation


3. In the Choose Operating Mode wizard, check the Install Kiwi Syslog Server as an Application check box and click Next >.

[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode. The program can be run as a Service or Application. "Install Kiwi Syslog Server as a Service" installs it as a Windows service, allowing the program to run without a user logging in to Windows, and also installs the Kiwi Syslog Server Manager used to control the service. "Install Kiwi Syslog Server as an Application" installs it as a typical Windows application, requiring a user to log in to Windows before running the application.]

Figure 2.2: Kiwi Syslog Server installation

4. In the Install Kiwi Syslog Web Access wizard, uncheck the option selected and click Next >.

[Screenshot: Install Kiwi Syslog Web Access (remote viewing, filtering and highlighting of Syslog events), with the options "Install Kiwi Syslog Web Access" and "Create a new Web Access logging rule in Kiwi Syslog Server". Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server.]

Figure 2.3: Kiwi Syslog Server installation

5. Leave the settings at their defaults in the Choose Components wizard and click Next >.


[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Components. Select the type of install: Normal. Optional components: Program files (required), Shortcuts apply to all users, Add Start menu shortcut, Add Desktop shortcut, Add QuickLaunch shortcut, Add Start-up shortcut. Space required: 89.5MB.]

Figure 2.4: Adding components

6. In the Choose Install Location wizard, leave the settings at their defaults and click Install to continue.

[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Install Location. Setup will install Kiwi Syslog Server 9.3.4 in the following folder; to install in a different folder, click Browse and select another folder. Click Install to start the installation. Space required: 89.5MB; space available: 50.1GB.]

Figure 2.5: Give destination folder

7. Click Finish to complete the installation.

You should see a test message appear, which indicates Kiwi is working.


[Screenshot: Completing the Kiwi Syslog Server 9.3.4 Setup Wizard. Kiwi Syslog Server 9.3.4 has been installed on your computer; click Finish to close this wizard. Options: Run Kiwi Syslog Server 9.3.4 (checked); Visit the SolarWinds website.]

Figure 2.6: Kiwi Syslog Server finish window

8. Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box.

[Dialog text: Thank you for choosing Kiwi Syslog Server. This is the first time the program has been run on this machine. The following default 'Action' settings have been applied: Display all messages; Log all messages to file: SyslogCatchAll.txt. These settings can be changed from the File | Setup menu. Happy Syslogging...]

Figure 2.7: Default settings applied window

9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.

Kiwi Syslog Server is a free syslog server for Windows. It receives logs, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and other syslog-enabled devices.

Figure 2.8: Start menu in Windows Server 2012

10. In the Start menu apps, click Kiwi Syslog Server Console to launch the app.



Figure 2.9: Click Kiwi Syslog Server application

11. Configure Syslog alerts in the snort.conf file.
12. To configure Syslog alerts, first exit from the Snort command prompt (press Ctrl+C).
13. Go to C:\Snort\etc and open the snort.conf file with Notepad++.
14. Scroll down to Step #6: Configure output plugins. In the syslog section (Line 527), remove the leading # and modify the line to: output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT

Snort.conf before modification (Syslog section)

[Screenshot: snort.conf open in Notepad++ at Step #6: Configure output plugins, with the alert_syslog output line still commented out.]

The reason why you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need to maintain rights not only to output your alerts to Kiwi, but to write them to a log file.

Figure 2.10: Snort config before modification

Snort.conf after modification (Syslog section)
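As an added example that is not part of this lab manual, the following Python script decodes Snort alerts in the form in which a syslog server such as Kiwi receives them on UDP port 514 once the alert_syslog line from step 14 is active: it shows that LOG_AUTH and LOG_ALERT become the PRI value 33 on the wire, and it parses each alert into fields a defender can filter on. The Snort message shape is assumed from common Snort 2 syslog output, and the sample lines are constructed, not captured from the lab.

```python
# Added example (not part of the lab manual): decode Snort alerts the way a
# syslog server such as Kiwi receives them after snort.conf is set to
#   output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
import re
from typing import Optional

# RFC 3164 facility/severity codes behind the LOG_* names on that line.
FACILITIES = {"LOG_USER": 1, "LOG_DAEMON": 3, "LOG_AUTH": 4,
              "LOG_AUTHPRIV": 10, "LOG_LOCAL0": 16}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}


def syslog_pri(facility: str, severity: str) -> int:
    """The <PRI> number at the start of each datagram: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


# Snort 2 alert_syslog message shape (assumed from common output): an optional
# timestamp/host prefix, then snort[pid]: [gid:sid:rev] msg [Classification: ...]
# [Priority: n]: {proto} src -> dst. The ':' after [Priority: n] is optional.
ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:[A-Z][a-z]{2} +\d+ +[\d:]+ +\S+ +)?snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>[\w.:]+) -> (?P<dst>[\w.:]+)$")


def parse_snort_syslog(line: str) -> Optional[dict]:
    """Decode one syslog line into its fields, or None if it is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8, "severity": pri % 8,
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "message": m.group("msg"), "classification": m.group("cls"),
        "priority": int(m.group("prio")), "proto": m.group("proto"),
        "src": m.group("src"), "dst": m.group("dst"),
    }


def filter_alerts(lines, max_priority: int = 2):
    """Keep only Snort alerts at or above the given Snort priority (1 = highest)."""
    return [a for a in map(parse_snort_syslog, lines)
            if a is not None and a["priority"] <= max_priority]


# Constructed sample datagrams (not captured from the lab); PRI 33 = LOG_AUTH(4)*8 + LOG_ALERT(1).
SAMPLE_LINES = [
    "<33>snort[1844]: [1:1000001:1] ICMP test detected [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.12 -> 10.0.0.4",
    "<33>snort[1844]: [1:1000002:1] FTP login attempt [Priority: 1] {TCP} 10.0.0.12:49152 -> 10.0.0.4:21",
    "<14>kiwi: Kiwi Syslog Server test message",
]
```

The Kiwi test message (PRI 14, LOG_USER/LOG_INFO) is deliberately left unparsed, so a filter built this way only ever forwards Snort's own alerts.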


[Screenshot: snort.conf open in Notepad++ after modification.]

[Screenshot: MegaPing Port Scanner settings. Protocols: TCP and UDP; Scan Type: Range of Ports or Custom Ports; scanners available: IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Host Monitor.]

Figure 3.16: MegaPing: Select 10.0.0.12 from Host, press Start button

23. Check the IP address and click the Start button to start listening to the traffic on 10.0.0.12.


HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules, with the newly created rule Port 21 Blocked listed alongside the built-in Core Networking, File and Printer Sharing, Hyper-V and iSCSI rules; the Actions pane shows New Rule, Filter by Profile, Filter by State, Filter by Group, Refresh, Export List, Disable Rule and Delete.]

Figure 4.17: Windows Firewall new rule

37. Right-click the newly created rule and select Properties.


HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules, with the context menu open on the Port 21 Blocked rule (Disable Rule, Delete, Properties, Help).]

Figure 4.18: Windows Firewall new rule properties

38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports and enter the port number as 21.
39. Leave the other settings at their defaults and select Apply -> OK.

With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software

[Screenshot: Port 21 Blocked Properties, Protocols and Ports tab (other tabs: General, Programs and Services, Computers, Scope, Advanced). Local port: All Ports; Remote port: Specific Ports, 21 (Example: 80, 445, 8080); Internet Control Message Protocol (ICMP) settings; OK, Cancel, Apply.]

Figure 4.19: Firewall Port 21 Blocked Properties

40. Type ftp 127.0.0.1 in the command prompt and press Enter. The connection is blocked at the local host in Windows Server 2008.


HTTPort does neither freeze nor hang. What you are experiencing is known as "blocking operations".

Figure 4.20: ftp connection is blocked

41. Now open a command prompt in the Windows Server 2008 host machine, type ftp ftp.certifiedhacker.com, and press Enter.

C:\Users\Administrator>ftp ftp.certifiedhacker.com
Connected to ftp.certifiedhacker.com.
220-Microsoft FTP Service
220 Welcome TO FTP Account
User (ftp.certifiedhacker.com:(none)): _

HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The keywords here are: "client" and "any software".

Figure 4.21: Executing ftp command

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTPort

Information Collected/Objectives Achieved:
Proxy server used: 10.0.0.4
Port scanned: 80
Result: ftp 127.0.0.1 connected to 127.0.0.1


Questions

1. How would you set up an HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine if the software does not allow editing the address to connect to.

Internet Connection Required: Yes

Platform Supported: iLabs

