Network Security Lab Manual

NETWORK SECURITY LAB MANUAL
Mr. SAYYAN SHAIKH
For VI Semester (CS&E) Diploma Engineering
Department of Computer Science & Engineering
GOVERNMENT POLYTECHNIC, KARWAR 2014-2015

GOVERNMENT POLYTECHNIC, KARWAR Page No.: 1

Date:

___

Date :

Experiment 1: Learn to install Wine/VirtualBox or any other equivalent software on the host OS.

Virtualization is the process of emulating hardware inside a virtual machine. The emulated hardware presents the guest with the physical architecture (CPU, memory, disks, network interfaces) that its programs expect, so an entire operating system can run unmodified on top of it. Virtualization lets us create a virtual version of something, such as an operating system, a server, a storage device or a network resource. Note that Wine, although listed as an alternative, is not a virtualizer: it is a compatibility layer that runs Windows programs directly on the host kernel, so it offers none of the isolation that a virtual machine gives. For a lab in which we run attack tools, a real hypervisor (VMware Workstation or VirtualBox) is the right choice.

A host operating system (OS) is the OS installed directly on the physical computer; it is the one that runs the virtualization software.

A guest OS is an operating system installed inside a virtual machine (or, without virtualization, in a separate disk partition) in addition to the host OS. With virtualization a single computer can run several operating systems at the same time, and a guest OS can be entirely different from the host OS (for example a Linux guest on a Windows host).

VMware Workstation: One of the first companies to develop a virtualization product was VMware, www.vmware.com. VMware Workstation lets us create and run a range of operating systems from one base system. We also gain the ability to drag and drop files into the virtual system and to fully configure the virtual OS. It supports snapshots, which means we can record a known-good state of a virtual machine and return to it at any time; this is especially useful in a security lab, where a guest may be deliberately damaged by an experiment. To install VMware Workstation we need to purchase a copy or download an evaluation copy. About 25MB of disk space was quoted for downloading and installing the program itself when this manual was written; just remember that this figure covers only the program. Each virtual system we install will require much more: on average 3GB to 8GB of disk for each virtual OS. Memory is another important issue. Although the documentation might state that a minimum of 128MB to 256MB is needed for a guest, this typically won't be enough for anything more than a basic command-line install of Linux; expect operating systems such as Windows to require much more. Insufficient memory will devastate performance on both the guest (VM) and the host OS.


The basic steps required to install VMware Workstation on the host OS:

1. Log on to the installed Windows XP system as a user with Administrator privileges.
2. Download the newest VMware Workstation distribution from www.vmware.com/download and run the installer. An email address is needed so that the licence key can be sent to us. If we do not want to purchase the program at this time, VMware will send a key that is valid for 30 days.
3. Read the end-user license agreement, which explains the licensing terms, and click Yes to continue.
4. We are now prompted to set the install location. The default is C:\Program Files\VMware. Keep this default unless we have a really good reason to change it, and click Next.
5. Wait a few minutes while the installer copies all the necessary files to the system, as shown in the figure below.
6. Because Windows uses AutoRun for CD/DVD drives, the VMware installer asks whether we want to turn AutoRun off. Say yes: leaving it on can interfere with the virtual machines, and disabling it also stops removable media from silently launching programs on the host.
7. If any previous version of VMware Workstation is present we are prompted to remove it. We are also prompted to create a VMware Workstation icon on the Windows desktop; click Yes.
8. As with almost all Windows application installs, we are prompted to reboot the computer after the installation is complete.
9. When the system reboots, VMware Workstation is installed. Opening the program displays a screen similar to the figure below.
10. Enter a serial number. Remember that we can get a free, temporary evaluation license or buy a full license.
11. From this point forward it is assumed that the files are installed in the default location, C:\Program Files\VMware\VMware Workstation.
12. In addition to a few shortcuts to Workstation, online help and the uninstaller, we will find the documentation as a compiled HTML help file, VMware.chm, in the Workstation Programs folder.
13. The Programs directory also holds a number of utility programs and auxiliary files such as linux.iso, windows.iso and freebsd.iso.
14. These ISOs contain VMware Tools for Linux, Windows and FreeBSD guest systems. Installing the Tools in a guest enables features such as dragging and dropping files between the host and the virtual system. The files do not need to be burned to CD: VMware attaches the right ISO to the guest's virtual CD drive automatically when we choose to install the Tools.
15. Finally, install the BackTrack 5 OS into the virtual machine as described next.


Steps for installing BackTrack as a guest OS in VMware Workstation. Step 1: Open VMware Workstation and click Create a New Virtual Machine.

Step 2: Select typical configuration and click on Next.

Step 3: Select Installer disc image file and Click on Next.


Step 4: Select the guest operating system type as Other and the version as Other.

Step 5: Give the VM the name Backtrack, select the path where its files are stored and click Next.

Step 6: Give the maximum disk size as 15GB, select Store virtual disk as a single file and click Next. Before finishing, check the network adapter setting: NAT or Host-only keeps the BackTrack guest from reaching production hosts, so that the scans in later experiments touch only machines we are allowed to test.


Step 7: Click on Finish button.

Step 8: Click on Power on this Virtual machine.

Step 9: BackTrack boots from the ISO to a root shell. Type the command startx and press Enter to start the graphical desktop, then launch the installer from the Install BackTrack icon on the desktop.


Step 10: Select the language (default English) and click Forward.

Step 11: Select the country as India and click Forward.

Step 12: Select the default keyboard layout (USA) and click Forward.


Step 13: Select Erase and use the entire disk (this is the 15GB virtual disk created in Step 6, not the host's disk) and click Forward.

Step 14: Click Install; the installation begins.

Step 15: Wait for BackTrack to be installed in the VMware guest.


Step 16: Click Restart Now.

Step 17: Log in with the user name root and the password toor, then press Enter. These are BackTrack's well-known default credentials, so change the password at once with the passwd command before the guest is attached to any network.

Step 18: Type startx and press Enter to start the BackTrack desktop.


Experiment 2: Perform an experiment to grab a banner with telnet and perform the same task using Netcat.

Banner grabbing is a technique for determining which application or service is running on a specified port by connecting to the host and, if needed, sending it some input. The service replies with a banner that may reveal its name, its version, the operating system it runs on and other details, depending on what the application chooses to send. Banner grabbing is thus an enumeration technique for learning about the systems on a network and the services listening on their open ports. Administrators can use it to take inventory of the systems and services on their network; an intruder uses it to find hosts running versions of applications and operating systems with known exploits. Banner grabbing can be performed in two settings:

1. Online (over an Internet connection, against remote web sites)
2. Offline (over the local LAN, or against a guest OS in VirtualBox/VMware)

Typical service ports used for banner grabbing are those of the Hypertext Transfer Protocol (HTTP, port 80), the File Transfer Protocol (FTP, port 21) and the Simple Mail Transfer Protocol (SMTP, port 25). The tools commonly used are Telnet, which is included with most operating systems, and Netcat.

Introduction to Telnet: Telnet is a terminal emulation program for TCP/IP networks such as the Internet. The Telnet service listens on port 23, but the Telnet client can open a plain TCP connection to any port, which is what makes it usable for banner grabbing: whatever we type is sent to the service in cleartext and whatever the service sends back is printed on the screen. The telnet client is a legacy piece of command-line software that was long installed by default on most operating systems (on Windows Vista and later it must be enabled as a Windows feature). The basic telnet syntax is: telnet [target ip] [port]


Introduction to Netcat: Another way of banner grabbing is to use the tool Netcat. This versatile tool is sometimes called the Swiss army knife of hacking tools because it can be used in so many ways: its features include port scanning, transferring files and listening on a port, and it can be used as a backdoor, which is why many antivirus products flag it. Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. It is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection we would need and has a number of built-in capabilities. The basic netcat syntax is: nc [options] [target ip] [port], where -v selects verbose mode (-vv is more verbose) and -n tells it to use numeric IP addresses only, without DNS lookups.

Steps for Telnet: Step 1: Make sure the Telnet client is available. On Windows XP telnet.exe is installed by default and nothing needs to be enabled; on Windows Vista and later, enable Telnet Client under Control Panel > Programs > Turn Windows features on or off. Do not start the Telnet service listed in SERVICES.MSC: that is the Telnet server, which exposes a cleartext remote login on port 23 of our own machine and is not needed for banner grabbing.

Step 2: Open a command prompt, type telnet www.rediff.com 80 (the HTTP port) and press Enter. Step 3: After the connection is established, type the following request exactly and press Enter twice (the empty line ends the HTTP request):

HEAD / HTTP/1.0

The web server replies with its status line and headers, among them a Server: header that identifies the server software and often its version.


Step 4: The response headers show the rediff web server's information (look for the Server: line). We can also try it on our local network by connecting to our guest OS, for example telnet 192.168.56.101 80, and sending the same request.

Steps for Netcat: Step 1: Go to Applications > BackTrack > Information Gathering > Network Analysis > Service Fingerprinting > Ncat, or open a terminal; Netcat is started from the command line as nc. Step 2: Type the nc command:

nc -v www.rediff.com 80

then enter the same HEAD / HTTP/1.0 request followed by two presses of Enter to see the result. For services that announce themselves on connection, such as FTP (port 21) and SMTP (port 25), no request is needed: the banner appears as soon as nc connects.
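The two interactions described above (an HTTP server that waits for our HEAD request, and a service such as SMTP or FTP that announces itself on connection), written out in Python as an added example; this is not code from the lab manual. Both target services are constructed fakes on 127.0.0.1 with invented banners, so the script runs offline; point grab_banner at a real host and port to use it as a telnet/nc replacement.

```python
"""Banner grabbing in the two styles the experiment uses: a service that
waits for a request (HTTP) and one that speaks first (SMTP).  Added example,
not part of the lab manual; it runs entirely against two constructed fake
services on 127.0.0.1 so it works offline."""
import socket
import threading

# Constructed service replies (assumption: chosen to look like real banners).
FAKE_HTTP_REPLY = (b"HTTP/1.0 200 OK\r\n"
                   b"Server: Apache/2.2.3 (CentOS)\r\n"
                   b"Content-Type: text/html\r\n\r\n")
FAKE_SMTP_GREETING = b"220 mail.example.test ESMTP Postfix\r\n"


def start_fake_service(reply, talk_first):
    """Listen on an ephemeral loopback port and answer every client with `reply`.
    talk_first=True mimics FTP/SMTP/SSH, which send a greeting on connect;
    False mimics HTTP, which stays silent until it receives a request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if not talk_first:
                    conn.settimeout(2.0)
                    try:
                        conn.recv(1024)           # consume the client's request
                    except socket.timeout:
                        pass
                conn.sendall(reply)               # then close, like HTTP/1.0

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def http_probe(host):
    """The request typed into telnet/nc in the steps above: HEAD plus a blank line."""
    return b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"


def grab_banner(host, port, probe=None, timeout=3.0):
    """Connect, send an optional probe, and return everything the service
    sends until it closes the connection or goes quiet for `timeout` seconds."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                                  # service kept the socket open
    return b"".join(chunks).decode("latin-1")


def server_header(banner):
    """Pull the Server: value out of an HTTP response, or None if absent."""
    for line in banner.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def demo():
    """Grab both banners from the constructed services and return what we learned."""
    http_port = start_fake_service(FAKE_HTTP_REPLY, talk_first=False)
    smtp_port = start_fake_service(FAKE_SMTP_GREETING, talk_first=True)
    http_banner = grab_banner("127.0.0.1", http_port, probe=http_probe("127.0.0.1"))
    smtp_banner = grab_banner("127.0.0.1", smtp_port)
    return {"http_server": server_header(http_banner),
            "smtp_banner": smtp_banner.strip()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The read loop stops either on end-of-stream or on a receive timeout, because a real SMTP or FTP server keeps the connection open after its greeting; without the timeout a banner grabber hangs on exactly the services it is meant to identify.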


Experiment 3: Perform an experiment for port scanning with nmap, SuperScan or any other equivalent software.

Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding which services and applications are open on the target machine. It is one of the most popular techniques attackers use to discover services they can break into. All machines connected to a LAN, or to the Internet via a modem, run many services that listen on well-known and not-so-well-known ports. By port scanning the attacker finds which ports are available (i.e. being listened to by a service). Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed further for weaknesses.

Port: A port is an application-specific or process-specific software construct serving as a communications endpoint in a computer's host operating system. A port is always associated with an IP address of a host and the protocol type of the communication, and completes the destination or origination address of a communications session. For each address and protocol a port is identified by a 16-bit number, commonly known as the port number.

Port number: Port numbers are unique only within a computer system (and within a transport protocol). They are 16-bit unsigned numbers, divided into three ranges: the Well Known Ports (0-1023), the Registered Ports (1024-49151) and the Dynamic and/or Private Ports (49152-65535). Unix-like operating systems honour the tradition of permitting only the super-user to open ports numbered 0 to 1023; Windows does not enforce this restriction. Some well-known ports are listed below:

Keyword      Port       Description
echo         7/tcp      Echo
ftp-data     20/tcp     File Transfer [Default Data]
ftp          21/tcp     File Transfer [Control]
ssh          22/tcp     SSH Remote Login Protocol
telnet       23/tcp     Telnet
smtp         25/tcp     Simple Mail Transfer Protocol
domain       53/udp     Domain Name Server (DNS); also 53/tcp
www-http     80/tcp     World Wide Web HTTP
https        443/tcp    Hypertext Transfer Protocol Secure (HTTP over TLS)


Nmap: Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows and Mac OS X. Besides the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap) and a flexible data transfer, redirection and debugging tool (Ncat). Nmap recognizes six port states: open, closed, filtered, unfiltered, open|filtered and closed|filtered.

Open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

Closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. Closed ports can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning) and as part of OS detection. Because closed ports are reachable, it may be worth scanning them again later in case some open up. Administrators may want to consider blocking such ports with a firewall; then they would appear in the filtered state.

Filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules or host-based firewall software. These ports frustrate attackers because they provide so little information.

Unfiltered: The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rule sets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan or FIN scan may help resolve whether the port is open.


Open|filtered: Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

Closed|filtered: This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

Steps for Nmap/Zenmap: Step 1: Go to Applications > BackTrack > Information Gathering > Network Analysis > Network Scanners > Nmap/Zenmap, or open a terminal and start Nmap or Zenmap by typing nmap or zenmap and pressing Enter (the -sS SYN scan needs raw sockets, so it must run as root, which is BackTrack's default user). Step 2: Now type the following command and start the scan:

nmap -sS 192.168.1.12


Step 3: Scanning a range of IP addresses:

nmap -sS 192.168.1.10-18


Experiment 4: Using nmap, 1) find open ports on a system, 2) find machines which are active, 3) find the version of the remote OS on other systems and 4) find the version of the software installed on other systems (using nmap or any other software).

The different scanning methods that network attackers use are:

1. Vanilla scan/SYN scan: TCP SYN packets are sent to each port of an address in an attempt to connect to all ports. Port numbers 0-65,535 are used.
2. Strobe scan: the attacker attempts to connect only to a specific range of ports that are typically open on Windows-based or UNIX/Linux-based hosts.
3. Sweep: a large set of IP addresses is scanned in an attempt to find any system that has one particular port open.
4. Passive scan: all network traffic entering or leaving the network is captured and analysed to determine which ports are open on the hosts within the network; no probes are sent.
5. User Datagram Protocol (UDP) scan: empty UDP packets are sent to the ports of a set of addresses to see how the hosts respond. A closed UDP port is reported by an ICMP "port unreachable" error message; an open port either answers with a UDP reply or, more often, stays silent, which is why UDP scan results are ambiguous and slow to obtain.
6. FTP bounce: to hide the attacker's location, the scan is initiated through an intermediary File Transfer Protocol (FTP) server that allows the PORT command to point at a third host.
7. FIN scan: TCP FIN packets, which normally indicate that the sender wants to close a session, are sent to each port for a range of IP addresses; a closed port answers with RST while an open port ignores the unexpected FIN.

The different types of nmap scans: -sS (TCP SYN scan) SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on specific platforms. It also allows clear, reliable differentiation between the open, closed, and filtered states.


-sT (TCP connect scan) TCP connect scan is the default TCP scan type when SYN scan is not an option.

-sU (UDP scans) While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports.

-sY (SCTP INIT scan) SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well.

-sA (TCP ACK scan) This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rule sets, determining whether they are stateful or not and which ports are filtered.

Steps for Nmap: Go to Applications > BackTrack > Information Gathering > Network Analysis > Network Scanners > Nmap/Zenmap, or open a terminal and start Nmap or Zenmap by typing nmap or zenmap and pressing Enter. Now type the following commands:


1. Find open ports on a system: nmap -v 192.168.1.16

2. Find machines which are active in the network (ping scan, no port scan): nmap -sP 192.168.1.10-30 (in newer Nmap versions the same option is spelled -sn; -sP is still accepted as an alias).


3. Service and version detection by Nmap: nmap -sV 192.168.1.16

4. Find the version of the software installed on another system (aggressive scan: OS detection, version detection, script scanning and traceroute, with the faster -T4 timing template): nmap -A -T4 192.168.1.16
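Added example (not from the manual or from Nmap): a connect() scanner that does what nmap -sT does for Experiments 3 and 4, expands an Nmap-style -p port list, and classifies each port as open, closed or filtered using the same rules Nmap applies. The demo target is constructed: one listening socket and one freshly released port on 127.0.0.1, so it runs offline.

```python
"""TCP connect() port scanner that reports Nmap's open/closed/filtered states.
Added example, not part of the lab manual or of Nmap.  It demonstrates what
`nmap -sT` and `-p` do under the hood; the demo scans only 127.0.0.1."""
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_port_spec(spec):
    """Expand an Nmap-style port list such as "22,80-82,443" into sorted ints."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return sorted(p for p in ports if 0 <= p <= 65535)


def probe_port(host, port, timeout=1.0):
    """One connect() probe, classified the way Nmap reports a connect scan."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                   # handshake completed: something listens
    except ConnectionRefusedError:
        return "closed"                 # host answered RST: reachable, no listener
    except socket.timeout:
        return "filtered"               # silence: a firewall dropped our SYN
    except OSError:
        return "filtered"               # e.g. ICMP unreachable from a router
    finally:
        s.close()


def scan(host, ports, timeout=1.0, workers=64):
    """Scan `ports` on `host` in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def open_ports(host, spec, timeout=1.0):
    """Convenience wrapper: the ports Nmap would print as open."""
    result = scan(host, parse_port_spec(spec), timeout)
    return sorted(p for p, state in result.items() if state == "open")


def demo():
    """Constructed target: one listening loopback socket and one port that
    was just released, so the scan reports exactly one open and one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                       # nothing listens here any more
    try:
        return {"open": open_port, "closed": closed_port,
                "scan": scan("127.0.0.1", [open_port, closed_port])}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

A full connect() scan shows up in the target's service logs as a completed connection from our address, which is why Nmap prefers the half-open -sS scan when it has raw-socket privileges; the state logic is the same, only the probe differs.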


Experiment 5: Perform an experiment on active and passive fingerprinting using Xprobe2 and Nmap.

Fingerprinting is a step in the scanning phase in which an attacker tries to identify the operating system (OS) of a target system. It can be classified into two types: 1. active stack fingerprinting and 2. passive stack fingerprinting.

1. Active stack fingerprinting involves sending crafted packets to the target system and observing how it responds. Because each TCP/IP stack implementation responds slightly differently, the response is compared with a database of known fingerprints and the OS is identified. It is the commonly used method, though there is a high chance of being detected because the probes are unusual packets that an IDS will log. It can be performed in the following ways.

Using Nmap: Nmap is a port scanning tool that can also perform active stack OS fingerprinting. Syntax: nmap -O IP_address. Example: nmap -O 192.168.1.88

Using Xprobe2: Xprobe2 is a UNIX/Linux-only active stack fingerprinting tool; it relies mainly on ICMP probes and fuzzy signature matching, and can identify not only the OS but also network devices and their version numbers. Syntax: xprobe2 -v IP_address. Example: xprobe2 -v 192.168.1.88

2. Passive stack fingerprinting involves examining traffic already on the network to determine the operating system, from details such as the initial TTL, the TCP window size, the Don't Fragment bit and the order of TCP options in a SYN. There is no guarantee that the fingerprint will be accurate, but usually it is. Because it only sniffs traffic rather than contacting the target, this method is stealthier and usually goes undetected. Passive stack fingerprinting can be performed with p0f. From the terminal: Syntax: p0f -i eth0 -vt, where -i selects the interface, eth0 is our network card, -v shows results in verbose mode and -t adds timestamps to the output.


The methods used to fingerprint a network are:

1. Access the information publicly available on the company's web site to gain any useful details.
2. Try to find anonymous File Transfer Protocol (FTP) sites and intranet sites that are not secured.
3. Gather information on the company's domain name and the IP address block it uses.
4. Test for live hosts in the network's IP address block; a tool such as Ping is typically used.
5. Using tools such as Nslookup, attempt to perform Domain Name System (DNS) zone transfers.
6. Use a tool such as Nmap to find out which operating systems are in use.
7. Use tools such as Tracert to find routers and to collect subnet information.

Steps for active OS fingerprinting: Step 1: Go to Applications > BackTrack > Information Gathering > Network Analysis > OS Fingerprinting > Nmap/Xprobe2, or open a terminal and start the tool by typing nmap or xprobe2 and pressing Enter. Step 2: Now type the following command and start the scan:

nmap -O 192.168.1.88


Step 3: Using Xprobe2: xprobe2 -v 192.168.1.88

Step 4: Passive OS fingerprinting with p0f:

p0f -i eth0 -vt
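Added example of the passive technique p0f uses, written in Python; it is not code from the manual, from p0f or from Nmap. It reads the initial TTL, window size, Don't Fragment bit and TCP option order out of a SYN and matches them against a three-entry signature table whose values are assumptions chosen to resemble the named stacks; the two SYNs it examines are constructed in code rather than sniffed.

```python
"""p0f-style passive OS fingerprinting from a single TCP SYN.
Added example, not part of the lab manual, of p0f or of Nmap.  The signature
table is a tiny hand-written approximation of p0f's database (assumption:
values typical of each stack, not an authoritative fingerprint list); the
SYN packets are constructed in code, so nothing is sniffed from a real wire."""
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options
TCP_HDR = struct.Struct("!HHLLBBHHH")       # 20-byte TCP header without options
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}

# (initial TTL, window, DF bit, TCP option order) -> label.  Assumed values.
SIGNATURES = [
    ((64, 29200, True, ("mss", "sackOK", "ts", "nop", "wscale")), "Linux 3.x/4.x"),
    ((128, 8192, True, ("mss", "nop", "wscale", "nop", "nop", "sackOK")), "Windows 7/8"),
    ((255, 4128, False, ("mss",)), "Cisco IOS"),
]

# Raw TCP option encodings used to build the sample SYNs.
MSS, SACK_OK, NOP = b"\x02\x04\x05\xb4", b"\x04\x02", b"\x01"
TIMESTAMPS = b"\x08\x0a" + b"\x00" * 8


def wscale(shift):
    return bytes([3, 3, shift])


def parse_tcp_options(raw):
    """Return the option kinds in wire order; p0f treats this order as a strong signal."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        if kind == 0:                             # end of option list
            break
        i += 1 if kind == 1 else raw[i + 1]       # NOP is 1 byte, others carry a length
    return tuple(names)


def parse_syn(packet):
    """Extract the fields a passive fingerprinter looks at from an IPv4+TCP packet."""
    ver_ihl, _, _, _, frag, ttl, _, _, _, _ = IPV4_HDR.unpack_from(packet, 0)
    ihl = (ver_ihl & 0x0F) * 4
    _, _, _, _, off, flags, window, _, _ = TCP_HDR.unpack_from(packet, ihl)
    data_off = (off >> 4) * 4
    return {"ttl": ttl, "df": bool(frag & 0x4000), "window": window,
            "syn": (flags & 0x12) == 0x02,            # SYN set, ACK clear
            "options": parse_tcp_options(packet[ihl + 20:ihl + data_off])}


def initial_ttl(observed):
    """Stacks start at 32, 64, 128 or 255; the observed TTL is that minus the hop count."""
    return next(c for c in (32, 64, 128, 255) if observed <= c)


def fingerprint(packet):
    """Match a SYN against the signature table; also estimate the sender's distance."""
    f = parse_syn(packet)
    if not f["syn"]:
        return None                        # only the first SYN carries these traits
    init = initial_ttl(f["ttl"])
    key = (init, f["window"], f["df"], f["options"])
    label = next((name for sig, name in SIGNATURES if sig == key), "unknown")
    return {"os": label, "distance": init - f["ttl"]}


def build_syn(ttl, window, df, options, sport=40000, dport=80):
    """Construct an IPv4+TCP SYN with the given stack traits (checksums left zero)."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "TCP options must be padded to 32-bit words"
    ip = IPV4_HDR.pack(0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                       ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = TCP_HDR.pack(sport, dport, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options


# Constructed sample SYNs: a Linux host 12 hops away and a Windows host on the LAN.
LINUX_SYN = build_syn(52, 29200, True, MSS + SACK_OK + TIMESTAMPS + NOP + wscale(7))
WINDOWS_SYN = build_syn(128, 8192, True, MSS + NOP + wscale(8) + NOP + NOP + SACK_OK)

if __name__ == "__main__":
    for pkt in (LINUX_SYN, WINDOWS_SYN):
        print(fingerprint(pkt))
```

Rounding the observed TTL up to the nearest common initial value is what lets a passive tool work on traffic that has crossed an unknown number of routers; the leftover difference is the hop distance p0f prints next to each guess.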


Experiment 6: Perform an experiment to demonstrate how to sniff router traffic using the tool Cain and Abel, Wireshark or tcpdump.

Sniffing refers to the process of capturing network traffic and analysing the contents of the packets. The tools attackers use for sniffing are called sniffers or, more correctly, protocol analyzers. While protocol analyzers are really network troubleshooting tools, hackers also use them for malicious purposes. A sniffer is an application or device that can read, monitor and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside them. Even encapsulated packets can be broken open and read unless they are encrypted and the attacker does not have access to the key. Sniffers monitor, capture and obtain network information such as passwords and valuable customer information. A packet sniffer, sometimes referred to as a network monitor or network analyzer, can be used by a network or system administrator to monitor and troubleshoot network traffic. Using the information captured, an administrator can identify erroneous packets and use the data to pinpoint bottlenecks and help maintain efficient network data transmission. In its simplest form a packet sniffer captures all of the packets of data that pass through a given network interface. By placing a network interface in promiscuous mode, a malicious intruder can capture and analyse all of the traffic that reaches it. On a switched network that is only the traffic addressed to that host plus broadcasts; to see the traffic between other hosts and the router, the intruder must either use a mirror port on the switch or poison the ARP caches of the victims so that their traffic is relayed through the sniffing host, which is what Cain and Abel's ARP poison routing feature does.

What is Wireshark? Wireshark is a network packet analyzer. A network packet analyzer captures network packets and tries to display the packet data in as much detail as possible. We could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just as a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. With the advent of Wireshark all that has changed; Wireshark is perhaps one of the best open source packet analyzers available today. Some intended purposes of Wireshark: network administrators use it to troubleshoot network problems; network security engineers use it to examine security problems; developers use it to debug protocol implementations; and people use it to learn network protocol internals.


Wireshark can be used to capture and examine both encrypted and unencrypted wireless traffic (encrypted payloads stay unreadable unless the key is supplied). Use the Wireshark program that is preinstalled in BackTrack, or download the Windows version from www.wireshark.org.

1. After loading Wireshark, we will see several menus across the top of the program. Select Capture > Options to configure the program. Make sure to choose the correct interface (NIC) adapter and set the program to update the packet list in real time and to scroll automatically.
2. Choose the Start option to begin capturing.
3. After a few packets have been captured, stop Wireshark. The information is displayed in three panes. The top pane lists all packets that were captured. Clicking one of them displays that frame's decoded contents in the middle pane, and the bottom pane shows the raw hex dump. Reading hex is not mandatory, but notice the first 14 bytes of the frame: the first 6 bytes are the destination MAC address, the next 6 bytes are the source MAC address and the final 2 bytes are the EtherType (0x0800 for IPv4).
4. Now use Wireshark to capture and analyse some wireless traffic with and without encryption. Note that the MAC addresses are visible in both cases, since 802.11 encryption protects only the frame payload.


When we run the Wireshark program, the Wireshark graphical user interface shown below will be displayed. Initially, no data will be displayed in the various windows.

The Wireshark interface has five major components. The command menus are standard pull-down menus located at the top of the window; of interest to us now are the File and Capture menus. The File menu allows us to save captured packet data, open a file containing previously captured packet data, and exit the Wireshark application. The Capture menu allows us to begin packet capture. The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol's header), the time at which the packet was captured, the packet's source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet listing can be sorted by any of these categories by clicking on a column name. The protocol type field lists the highest-level protocol that sent or received this packet, i.e. the protocol that is the source or ultimate sink for this packet.


The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window. (To select a packet in the packet-listing window, place the cursor over the packet's one-line summary and click with the left mouse button.) These details include information about the Ethernet frame (assuming the packet was sent/received over an Ethernet interface) and the IP datagram that contains this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on the plus-or-minus boxes to the left of the Ethernet frame or IP datagram line in the packet details window. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be expanded or minimized. Finally, details about the highest-level protocol that sent or received this packet are also provided. The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format. Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows). In the example below, we'll use the packet-display filter field to have Wireshark

Capturing Packets After downloading and installing Wireshark, we can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if we want to capture traffic on the wireless network, click our wireless interface. We can configure advanced features by clicking Capture Options.


As soon as we click the interface's name, we will see packets start to appear in real time. Wireshark captures each packet sent to or from our system. If we are capturing on a wireless interface and have promiscuous mode enabled in our capture options, we will also see the other packets on the network (on many Wi-Fi drivers this requires monitor mode rather than plain promiscuous mode).

Click the stop capture button near the top left corner of the window when we want to stop capturing traffic.


Color coding: Observe the packets highlighted in green, blue and black. Wireshark uses colours to help us identify the types of traffic at a glance. In the default colouring rules of this version, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic and black identifies TCP packets with problems (such as retransmissions or out-of-order segments).

Sample captures: If there's nothing interesting on our own network to inspect, Wireshark's wiki has us covered. The wiki contains a page of sample capture files that we can load and inspect. Opening a capture file is easy; just click Open on the main screen and browse for the file. We can also save our own captures in Wireshark and open them later.

Filtering packets: If we are trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close all other applications that use the network so we can narrow down the traffic. Still, we will likely have a large number of packets to sift through. That's where Wireshark's display filters come in. The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type dns and we will see only DNS packets. As we type, Wireshark autocompletes the filter and colours the box green when the expression is valid and red when it is not. Field names are lowercase and case-sensitive. Examples:

ip.addr == 192.168.1.77      (packets sent to or from this address)
ip.src == 192.168.1.77       (packets sent from this address)
ip.dst == 192.168.1.77       (packets sent to this address)
tcp.port == 80               (packets with 80 as source or destination TCP port)


You can also click the Analyze menu and select Display Filters to create a new filter.

Another interesting thing we can do is right-click a packet and select Follow TCP Stream.


You‘ll see the full conversation between the client and the server.

Close the window and we will find a filter has been applied automatically — Wireshark is showing us the packets that make up the conversation.


Experiment 7: Perform an experiment on how to use DumpSec.

DumpSec is a Windows GUI enumeration tool from SomarSoft, available from www.systemtools.com/somarsoft/. It connects to a Windows machine, locally or over the network, and dumps account details, share permissions and user information. Its tabular output is easy to export to a spreadsheet, so gaps in a system's security are readily apparent and easy to track. It can report usernames, SIDs, RIDs, account comments, account policies and dial-in settings, and it can dump the permissions (DACLs) and audit settings (SACLs) of the file system, registry, printers and shares in a concise, readable listbox format. From the Report menu we select the computer (by name or IP address) and the items we want in the report, and the output appears in the main window. For the file system we can dump either NTFS or share permissions, together with ownership, in a format easily converted to Microsoft Excel for editing. Password-related fields such as Password Last Set Time and Password Expires Time are part of the user dump. In short, DumpSec pulls the list of users, groups, policies and user rights from the target.

Steps for DumpSec:
1. Download and install DumpSec from www.somarsoft.com.
2. Once it is installed, open a command prompt and establish a null session to the target host. The command syntax is:
   net use \\<IP address>\IPC$ "" /u:""
   A null session is an anonymous connection to the IPC$ share. Modern Windows versions restrict it by default (the RestrictAnonymous settings), so against a hardened target the enumeration fails or returns little, and valid credentials must be supplied instead.
3. Open DumpSec and select Report ➪ Select Computer, then enter the target's name or IP address.
4. Select Report ➪ Dump Users as Table and click OK.
5. Select all items in the left-hand list and move them to the right so that every field is included.
6. Click OK; the fields are populated and we have a complete list of users and related information.


Steps for DumpSec (with screenshots):
Step 1: Download and install DumpSec.
Step 2: Open DumpSec and select the computer (Report ➪ Select Computer).
Step 3: Select Report ➪ Dump Users as Table and click OK.


Step 4: Dump the permissions report for printers:

Step 5: Dump the permissions report for shares:


Experiment 9: Perform an experiment to sniff traffic using ARP poisoning.

ARP (Address Resolution Protocol) resolves a Layer 3 address (an IPv4 address) to a Layer 2 address (a MAC address). The requesting host broadcasts an ARP request for the IP address it wants to reach; the host that owns that address answers with a unicast ARP reply containing its MAC address. The requester caches the answer in its ARP table and uses it in the Layer 2 header of every subsequent frame sent to that IP address until the entry expires.

ARP poisoning, also called ARP spoofing, is an attack in which the attacker sends forged ARP messages so that other hosts' ARP tables map an IP address to the attacker's MAC address instead of the real one. ARP has no authentication: a host accepts replies it never asked for and overwrites existing entries, which is what makes the attack work. It is effective on both wired and wireless LANs, since the attacker need only be on the same broadcast domain. With the victim's traffic arriving at the attacker's machine, the attacker can read or modify it and forward it to the real destination (a man-in-the-middle between the source and target machines), or simply drop it to deny service, for example by posing as the default gateway so that the victim loses Internet access.

A MAC address is the unique identifier of a network adapter on a LAN; switches and hosts deliver frames by MAC address, so a wrong IP-to-MAC mapping sends data to the wrong place. ARP tables (the ARP cache) hold the learned IP-to-MAC correlations. When a device needs to talk to an IP address whose MAC address is unknown, it broadcasts an ARP request; the owner replies, the sender stores the mapping for later use and transmits to that MAC address. An attacker who poisons the table so that the victim's entry for some IP address points at the attacker's MAC address receives whatever the victim sends to that address, and by poisoning the gateway's entry for the victim as well obtains both directions of the conversation. Defences are static ARP entries for critical hosts, Dynamic ARP Inspection on managed switches, and monitoring for IP-to-MAC changes with tools such as arpwatch; end-to-end encryption (TLS, SSH) limits what a successful poisoner can read.


Cain & Abel: Cain & Abel is a Windows password recovery and sniffing tool. It can capture credentials from network traffic (including traffic it redirects to itself by ARP poisoning), recover saved Outlook and network passwords, reveal passwords hidden behind asterisks, and crack captured hashes by dictionary, brute-force and cryptanalysis (rainbow table) attacks. It can also recover wireless network keys, record VoIP conversations and analyse routing protocols.

Working with Cain & Abel:
1. Go to the web site http://www.oxid.it/cain.html.
2. Click the download option and choose a path to save the setup file.
3. Double-click the ca_setup.exe icon to run setup.
4. Accept the licence agreement and click Next.
5. Specify the destination folder for Cain & Abel and click Next.
6. Setup offers to install WinPcap if it is not installed already.
7. Accept the WinPcap licence agreement and click Next to install it.
8. Double-click the Cain icon on the desktop to run the tool.
9. Click the Sniffer tab.
10. Click Hosts in the bottom portion of the window.
11. Click Start Sniffer and Start APR on the standard toolbar.
12. Right-click in the Hosts window and click Scan MAC Addresses.
13. Select All hosts in my subnet, or a range of From and To IP addresses, and click OK.
14. The MAC and IP addresses of the remote and local machines are now listed.
15. Click the APR tab.
16. Left-click in the right pane of the APR window and click the + symbol on the standard toolbar.
17. APR (ARP Poison Routing) poisons the ARP caches of the two selected hosts and routes their traffic through our machine.
18. Select one IP address (for example the victim) in the left-hand list and the other (for example the gateway) in the right-hand list.
19. Click OK.
20. Watch the poisoned traffic between the From and To IP addresses.


Steps for Cain & Abel:
Step 1: Download and install Cain & Abel, then run it.
Step 2: Select Configure and check that the list shows all our network adapters.
Step 3: At the main screen, select Configure, click our network adapter, then Apply and OK.

Step 4: Click to enable both Sniffer and APR (to the left of the +).

Step 5: Go to the Sniffer tab and right-click anywhere inside it. Click the Scan MAC Addresses option.


Step 6: Select the IP range of our local area network and click OK.

Step 7: The progress bar shows the scan, which lists every MAC address present on the subnet.

Step 8: After the scan, click the APR tab at the bottom of the window, then click the + icon at the top to add the hosts to attack. The following dialog box appears.


Step 9: In the dialog, select the first host (typically the victim) in the left list and the second (typically the gateway) in the right list, click OK, and then click the radioactive button ☢ to start the ARP poisoning.

Step 10: Wait for the victim to log in to something. Captured credentials appear in the Passwords tab next to the APR tab. Only credentials sent in the clear (HTTP Basic, FTP, Telnet, POP3 and similar) or in crackable challenge-response forms are readable; for TLS-protected sessions Cain presents a forged certificate, so the victim sees a certificate warning and nothing is recovered unless it is accepted. Do this only on a lab network we own, and stop the poisoning (click ☢ again) when finished so that the victims' ARP caches recover.
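What the attack above looks like from the defender's side, as an added example that is not part of the manual and not Cain & Abel's code: an arpwatch-style monitor that records the first IP-to-MAC binding it sees and alerts on every later ARP message asserting a different MAC address for a known IP, which is exactly what APR sends. The frames are built by hand from constructed, fictitious addresses; a real deployment would feed the monitor frames from a raw socket or a pcap file.

```python
"""arpwatch-style detector for ARP cache poisoning (added example)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an IPv4 ARP message (used for the samples)."""
    smac, tmac = _mac_bytes(sender_mac), _mac_bytes(target_mac)
    ethernet = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += smac + _ip_bytes(sender_ip) + tmac + _ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpMonitor:
    """Track IP-to-MAC bindings and flag changes, the signature of poisoning."""

    def __init__(self):
        self.bindings = {}  # ip -> first MAC seen asserting it
        self.alerts = []    # (ip, previously seen MAC, newly asserted MAC)

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        opcode, mac, ip = parsed
        # both requests and replies assert the sender's binding; skip ARP probes (0.0.0.0)
        if opcode not in (ARP_REQUEST, ARP_REPLY) or ip == "0.0.0.0":
            return None
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known != mac:
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None


# constructed addresses for the demonstration
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:02", "192.168.1.10"
ATTACKER_MAC = "00:11:22:33:44:99"


def run_demo():
    """Replay normal ARP traffic followed by a Cain-style two-sided poisoning."""
    monitor = ArpMonitor()
    frames = [
        # legitimate exchange: victim asks for the gateway, gateway answers
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        # attacker tells the victim "gateway is at my MAC" and the gateway "victim is at my MAC"
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
        # APR repeats the poisoned reply every few seconds to keep the caches poisoned
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ]
    for frame in frames:
        monitor.feed(frame)
    return monitor.alerts


if __name__ == "__main__":
    for ip, old, new in run_demo():
        print(f"ALERT: {ip} was at {old}, now claimed by {new}")
```

A legitimate change (a replaced network card, a VRRP failover) produces the same alert, so the alerts are leads to investigate rather than proof of attack; what makes the Cain case stand out is one MAC address claiming several IP addresses at once.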


Experiment 10: Install IPCop on a Linux system and learn all the functions available in the software.

IPCop is a complete Linux distribution whose sole purpose is to protect a network as a firewall. Its main features are a netfilter/iptables packet filter, support for all common disk types, and up to four network segments colour-coded by trust level: GREEN (internal trusted network), BLUE (semi-trusted wireless network), ORANGE (demilitarised zone for servers reachable from the Internet) and RED (the Internet). The default installation supports up to four Ethernet interfaces, assigned as in the following table.

Interface colour   Trust level          Typical function
GREEN              1 (most trusted)     The internal (protected) network
BLUE               2 (semi-trusted)     Wireless network in a separate subnet
ORANGE             3 (DMZ)              Resources accessed from the internal network and from the Internet
RED                4 (untrusted)        The Internet connection

Connections from a more trusted segment to a less trusted one are allowed by default; the reverse direction is blocked unless a port forward or pinhole rule permits it.

System requirements for IPCop installation:
- Pentium-class processor with 32 MB RAM, 300 MB hard disk and two network cards (for a GREEN + RED setup)
- two 5-port 10/100/1000 switches or one Layer 3 switch
- network cables
- burned ISO CD, or the ISO attached to a virtual machine (VMware or VirtualBox)

Installation of IPCop:
1. Download the IPCop 2.0.2 ISO from www.ipcop.org.
2. Run VirtualBox on the host PC, create a VM with two network adapters, attach the ISO as its CD and start the installation.
3. When the boot screen appears, press Enter.
4. Select the default English language and press Enter.
5. Select the default US keyboard layout and press Enter.
6. Select the time zone Asia/Calcutta and press OK.
7. Change the date and time if required and press OK.
8. Select the default hard disk as the installation target and press OK (the disk is erased).


9. Skip the restore screen with the Skip button.
10. Disk installation is now complete; press OK on the Congratulations screen to continue.
11. Enter the hostname ipcop and press OK.
12. Enter the domain name localdomain and press OK.
13. Select DHCP with the space bar (the RED interface obtains its address from the upstream network) and press OK.
14. Assign the first network card to GREEN and the second to RED and press Done.
15. Accept the default DHCP server settings for GREEN with OK.
16. Type the root password (at least six characters) and press OK.
17. Type the admin password (at least six characters) and press OK.
18. Type the backup password (at least six characters) and press OK.
19. The IPCop virtual machine reboots.
20. Log in at the console as root with the password just set and press Enter.
21. From a machine on the GREEN network, open a web browser and enter https://192.168.1.1:8443/ in the address bar, then press Enter.
22. A certificate warning appears because IPCop uses a self-signed certificate; continue past it (on a real deployment, verify the certificate fingerprint or install a trusted one).
23. IPCop prompts for a login; enter the username admin and the admin password, then click OK.
24. The IPCop firewall is now ready.
25. Practise the basic options of the IPCop web interface: status pages, firewall rules, port forwarding, DHCP and logs.


Experiment 11: Install JCrypTool (or an equivalent) and demonstrate the asymmetric and symmetric crypto algorithms, hashes and digital/PKI signatures studied in Network Security and Management theory.

Public-key cryptography, also known as asymmetric cryptography, is the class of cryptographic algorithms that use two separate keys: one kept secret (the private key) and one that may be published (the public key). The public key is used to encrypt plaintext or to verify a digital signature; the private key is used to decrypt ciphertext or to create a digital signature. The term "asymmetric" comes from the use of different keys for these opposite operations. Examples: RSA, Diffie-Hellman key exchange, and digital signature schemes such as DSA.

Symmetric-key algorithms use the same key for both encryption of plaintext and decryption of ciphertext (or two keys related by a trivial transformation). Both parties must possess the secret key beforehand, and distributing it securely is the main drawback of symmetric encryption, which is why asymmetric cryptography is commonly used to exchange symmetric keys. Examples: AES (Rijndael), Blowfish, CAST5, 3DES, and the stream cipher RC4 (now considered broken and prohibited in TLS).

A cryptographic hash function takes an input of any length (the message) and maps it to a value of fixed length (the hash value, message digest or simply digest). The digest is representative of the original input but normally much shorter. Examples: SHA-1, SHA-256. Hashing is used for indexing and locating items in databases, because comparing a short digest is easier than comparing a long record, and in security for integrity checks, message authentication codes, password storage and digital signatures, where the signature is computed over the digest rather than the whole message. MD5 and SHA-1 both have practical collision attacks, so new designs should use SHA-256 or SHA-3. The ideal cryptographic hash function has four main properties:
- It is easy to compute the hash value for any given message.
- It is infeasible to generate a message from its hash (preimage resistance).
- It is infeasible to modify a message without changing the hash (second-preimage resistance).
- It is infeasible to find two different messages with the same hash (collision resistance).

A digital signature is a value attached to an electronically transmitted document that lets the recipient verify the document's contents and the sender's identity. It is a mathematical scheme for demonstrating the authenticity of a digital message: the signer computes the signature over the message (in practice over its hash) with the private key, and anyone holding the matching public key, typically distributed in a certificate issued by a PKI, can verify it. Any change to the message invalidates the signature.


Steps for JCrypTool:
Step 1: Download and install JCrypTool and open it.

Step 2: Open the text editor in JCrypTool and write the message we want to encrypt.

Step 3: Select the asymmetric algorithm RSA.


Step 4: Create a new key pair, protected by a password.

Step 5: The following encrypted output appears on screen.

Step 6: Decrypt the same text by selecting Decrypt and providing the password chosen when the key pair was created; it unlocks the private key, which is what actually decrypts.


Step 7: The output looks like this.

Encryption using symmetric algorithms:
Step 1: Select the symmetric algorithm AES.
Step 2: Encrypt and decrypt the message with a newly created secret key protected by a password (the same procedure as above, except that a single key serves both operations).

Hash code generation using the MD5 algorithm:
Step 1: Select the hash algorithm MD5 (for comparison also try SHA-256; MD5 is broken for collision resistance and must not be used where collisions matter).
Step 2: Generate the hash of the message, then change one character and generate it again to see the digest change completely.

MAC code generation using the HMAC algorithm:
Step 1: Select the MAC algorithm HMAC.
Step 2: Generate the MAC of the message with a key; without the key the MAC can be neither computed nor verified.


Experiment 12: Demonstrate an Intrusion Detection System (IDS) using any tool, e.g. Snort or equivalent software.

With the growth of network technologies and applications, network attacks are increasing in both number and severity. An Intrusion Detection System (IDS) is a key technique in the network security domain: it detects attacks of various kinds and so helps secure the network. Its main task is to pick out intrusions from the mass of normal audit data, which can be viewed as a classification problem. An IDS monitors sources of activity such as audit logs and network traffic and can detect an attack, and in intrusion prevention configurations block or otherwise react to it. With the tremendous growth of network-based services and of sensitive information on networks, network security matters more than ever.

Intrusion: an attempt to break into or misuse our system. Intruders may be outsiders or legitimate users of the network, and an intrusion can be physical, local to the system, or remote. Signature-based intrusion detection systems look for attack signatures, specific patterns in traffic or logs that usually indicate malicious or suspicious intent; anomaly-based systems instead alert on deviations from a learned baseline of normal behaviour. Both produce false positives that must be reviewed.

Snort is an open source network intrusion detection and prevention system capable of real-time traffic analysis and packet logging on IP networks. It performs protocol analysis and content searching/matching and can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. Snort has three primary uses: as a straight packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging), or as a full network intrusion detection/prevention system. Correspondingly it can be run in three modes:
1. Sniffer mode
2. Packet logger mode
3. Network intrusion detection system (NIDS) mode

Sniffer mode: snort -v
Prints the TCP/IP packet headers to the screen (-d adds the application-layer data, -e the link-layer headers).


Packet logger mode: snort -dev -l c:\snort\log (create this directory first). Giving a log directory with -l puts Snort into packet logger mode: it collects every packet it sees and writes it to the log directory.

Network intrusion detection system mode: snort -d -l c:\snort\log -h <home network>/24 -c c:\snort\etc\snort.conf. The -c option loads the configuration file, which in turn loads the rule files; Snort applies the rules to each packet and takes the action named by the rule type (alert, log, pass). -h names the home network so that rule directions written in terms of $HOME_NET are meaningful.

Snort Installation and Configuration (Windows):
1. Go to the web site www.snort.org/start/download.
2. Download the Snort installer and the rules archive and save them.
3. Double-click the Snort installer to run setup.
4. Accept the licence agreement, specify the installation path and click Next.
5. Install Snort with or without database support.
6. Skip the WinPcap driver installation if WinPcap is already present (it was installed with Cain & Abel in Experiment 9); Snort cannot capture packets without it.
7. Select all components and click Next.
8. Install and close.
9. Extract the rules archive and copy the rules folder into the Snort installation folder (for example c:\snort\rules).
10. Add Snort to the Windows PATH environment variable: open the environment variables dialog and create or edit the variable named Path.
11. Point it at the folder containing snort.exe: variable name Path, variable value c:\snort\bin.


12. Click OK and close all dialog boxes.
13. Configure snort.conf, found at C:\snort\etc\snort.conf, with a plain text editor such as Notepad; at minimum set HOME_NET to our network and RULE_PATH to the rules folder, and comment out any rule files or preprocessors that are not present.
14. Open a command prompt, change to the snort\bin directory and run snort.exe.
15. The console shows the details of the packets flowing across the system in real time: source and destination addresses, date and time, packet length, time to live (TTL) and so on.
16. By analysing these details, intruders can be traced in real time.
17. The output can be documented with the Print Screen key.

Steps for Snort: Snort operates in three different modes: sniffer mode, packet logger mode and network intrusion detection mode.

Sniffer mode: Sniffer mode does just what the name implies: it configures Snort to sniff traffic. To verify it:
1. Reboot the machine and log back on to Windows. To check that Snort is properly configured, open two command prompts.
2. In one of them, navigate to C:\snort\bin and enter snort -W. A numbered list of the adapters on which the sensor can listen appears:
C:\Snort\bin> snort -W

3. At the C:\snort\bin> prompt, enter snort -v -i x, where x is the number of the NIC to place the Snort sensor on.
4. Switch to the second command prompt and ping another computer.


5. When the ping completes, switch back to the window running Snort and press Ctrl+C to stop it; the headers of the ICMP echo requests and replies are visible in the output.

Packet Logger Mode: Packet logger mode allows Snort to capture and log traffic. For this we use the -l (log) switch:
1. From the command line, change to the directory where Snort is installed (C:\snort\bin) and enter snort -i x -dev -l c:\snort\log. This starts Snort and instructs it to log the captured packets, including link-layer headers and payload, under C:\snort\log.
2. Now ping the system that Snort is installed on from another system.
3. As soon as the ping completes, press Ctrl+C to stop the capture.
4. Use Windows Explorer to navigate to the snort\log folder.
5. Examine the contents of the log folder with Notepad (or with Wireshark for binary logs). Packets are filed in a hierarchy of directories named after the IP address of the remote host.
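The two kinds of detection the Snort exercise relies on, reduced to a few dozen lines as an added example (not Snort's code and not from the manual): rules that carry a protocol, a destination port and a payload content string, like the matching part of a Snort rule such as alert tcp any any -> any 80 (content:"/cgi-bin/"; ...), and a port-scan detector in the spirit of Snort's sfPortscan preprocessor, which fires when one source touches many distinct ports on one host inside a short window. The packet records and rules below are constructed for the demonstration.

```python
"""Miniature signature-and-threshold IDS over constructed packet records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    ts: float           # seconds
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: Optional[int] = None      # None matches any destination port
    content: Optional[bytes] = None  # None means no payload test


@dataclass
class Alert:
    sid: int
    msg: str
    src: str
    dst: str


class MiniIDS:
    def __init__(self, rules, scan_ports=10, scan_window=5.0):
        self.rules = list(rules)
        self.scan_ports = scan_ports      # distinct ports that count as a scan ...
        self.scan_window = scan_window    # ... within this many seconds
        self._touched = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
        self._scan_reported = set()

    def inspect(self, pkt):
        """Return the alerts raised by one packet (possibly none)."""
        alerts = [
            Alert(r.sid, r.msg, pkt.src, pkt.dst)
            for r in self.rules
            if r.proto == pkt.proto
            and (r.dport is None or r.dport == pkt.dport)
            and (r.content is None or r.content in pkt.payload)
        ]
        scan = self._check_portscan(pkt)
        if scan is not None:
            alerts.append(scan)
        return alerts

    def _check_portscan(self, pkt):
        key = (pkt.src, pkt.dst)
        # keep only the ports touched inside the sliding window, then add this one
        recent = [(ts, p) for ts, p in self._touched[key] if pkt.ts - ts <= self.scan_window]
        recent.append((pkt.ts, pkt.dport))
        self._touched[key] = recent
        distinct = {p for _, p in recent}
        if len(distinct) >= self.scan_ports and key not in self._scan_reported:
            self._scan_reported.add(key)  # one alert per source/target pair
            return Alert(1000001, f"portscan: {len(distinct)} ports in {self.scan_window}s", pkt.src, pkt.dst)
        return None


# constructed rules in the spirit of Snort's web-cgi and telnet rules
RULES = [
    Rule(1001, "WEB-CGI access to /cgi-bin/", "tcp", 80, b"/cgi-bin/"),
    Rule(1002, "TELNET root login attempt", "tcp", 23, b"root"),
]


def run_demo():
    ids = MiniIDS(RULES, scan_ports=10, scan_window=5.0)
    packets = [  # constructed traffic
        Packet(100.0, "tcp", "10.0.0.7", 51000, "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet(100.5, "tcp", "10.0.0.7", 51001, "10.0.0.20", 80, b"GET /cgi-bin/test-cgi HTTP/1.1\r\n"),
        Packet(100.6, "tcp", "10.0.0.7", 51002, "10.0.0.20", 443),
    ]
    # a fast sweep: one source hits ports 21..35 of one host within a second
    packets += [Packet(101.0 + i * 0.05, "tcp", "10.0.0.5", 40000 + i, "10.0.0.20", 21 + i) for i in range(15)]
    # a slow probe, one port every ten seconds, never has 10 ports inside the window
    packets += [Packet(200.0 + i * 10.0, "tcp", "10.0.0.9", 42000 + i, "10.0.0.20", 1000 + i) for i in range(15)]
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alerts.extend(ids.inspect(pkt))
    return alerts
```

The slow probe is the classic way to evade a threshold detector, which is why Snort's sfPortscan also tracks longer windows and why a rule match (sid 1001 here) is worth having even when no scan is flagged.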


Experiment 13: Install rootkits and study the variety of options.

A rootkit is stealthy malicious software that gives an attacker privileged access to a computer while hiding from its owner and from installed security software. Rootkits run at a low level: user-mode rootkits replace or hook system libraries and tools, kernel-mode rootkits load as drivers or kernel modules and alter kernel data structures, and bootkits infect the boot sector or bootloader so that they load before the operating system. Once in place, the rootkit diverts the OS functions that would reveal its presence and returns manipulated results to the user. Attackers or malware install a rootkit after gaining access through a vulnerability in the computer's software or through a password obtained by social engineering, for example. The rootkit gives them continued access while leaving little trace of their activity, unlike a login through a normal user account.

WHY ROOTKITS ARE USED: Rootkits are used by criminals for a variety of purposes, usually to turn a computer into part of a botnet, which then goes on to infect other computers or send spam e-mail. The rootkit owner can install keyloggers to capture passwords for online banking and similar activities, or steal the user's personal details for identity fraud. If the rootkit owner uses the computer for crimes such as breaking into other computers, the computer's owner appears responsible when authorities trace the connection.

HOW ROOTKITS STAY UNDETECTED: Many rootkits infect the boot sector of the hard disk, allowing them to load before the operating system. The rootkit then patches the operating system and changes common functions to hide its existence. For example, it can intercept calls that list the files in a directory and remove its own file names before the results reach the user, so the directory appears clean.

Anti-virus and security software running on the infected system is subject to the same manipulation: because the rootkit sits below it, the software is fed a clean view and reports the system as clean while it is actually running malicious code. This is why checks run from trusted media (a live CD, or a separate clean system examining the disk) are more reliable than checks run on the compromised host. Current rootkit capabilities: hide processes, files, registry entries and services; bypass personal firewalls; evade antivirus and remote detection; use covert channels that are hard to spot on the network; defeat cryptographic hash checking performed on the infected host; install silently; and employ any capability ever used by viruses or worms.


BackTrack 5 ships two applications for finding possible rootkits on a system. chkrootkit (Check Rootkit) is a common Unix program that helps system administrators check their system for known rootkits. It is a shell script that uses common UNIX/Linux tools such as strings and grep to search core system programs for rootkit signatures, and it compares a traversal of the /proc file system with the output of ps (process status) to look for hidden processes. rkhunter (Rootkit Hunter) is a Unix tool that scans for rootkits, backdoors and possible local exploits. It compares hashes of important files with known-good values (from a baseline stored locally with --propupd, or from the package manager), searches for the default directories and files of known rootkits, wrong permissions, hidden files and suspicious strings in kernel modules, and runs special tests for Linux and FreeBSD. chkrootkit takes only a few moments to run; rkhunter takes about 20 minutes to analyse a computer. Neither is foolproof: a rootkit that controls the kernel can lie to both, so a clean result does not guarantee that the computer is not infected.

Steps for chkrootkit:
Step 1: Navigate to Applications ➪ BackTrack ➪ Forensics ➪ Anti-Virus Forensics Tools ➪ chkrootkit.

Step 2: Alternatively, run it from a terminal:
cd /pentest/forensics/chkrootkit
./chkrootkit
chkrootkit begins immediately and prints the result of each check (not infected, not found, INFECTED or Warning) as it runs.


Useful chkrootkit options:
-h: display the help
-V: display the running version of chkrootkit
-l: list the available tests

Useful rkhunter options:
--update: update the rkhunter data files (rkhunter --update)
--list: list the Perl modules, the rootkits it can check for, and the tests that will be performed (rkhunter --list)
--sk: skip the Enter key press after each group of tests (rkhunter --check --sk)

rkhunter is a tool similar to chkrootkit: it also scans the system for rootkits, but it can do a bit more. Its scans include:
- file hash comparison against the stored baseline
- looking for the default files used by rootkits
- wrong file permissions on binaries
- suspicious strings in LKM and KLD kernel modules
- hidden files
- optional scans inside plaintext and binary files


Steps for rkhunter:
Step 1: Navigate to Applications ➪ BackTrack ➪ Forensics ➪ Anti-Virus Forensics Tools ➪ rkhunter.
Step 2: Alternatively, entering rkhunter with no arguments in a terminal window displays the help:
rkhunter

Step 3: Check the installed version, and whether a newer one exists:
rkhunter -V (display the current version)
rkhunter --versioncheck (check for an update)

Step 4: Update the data files:
rkhunter --update

Step 5: Start the scan:
rkhunter -c
It runs for about 20-30 minutes and pauses for Enter a few times (add --sk to avoid that).


The scan log (everything printed on screen, and much more) is at /var/log/rkhunter.log.

Step 6: One more useful task: rkhunter can record the hashes of common system files; on later scans it compares each file's current hash with the stored one and warns on any change. Run this on a known-clean system, and again after legitimate updates, otherwise every updated binary is reported:
rkhunter --propupd

The hashes are stored in /var/lib/rkhunter/db/rkhunter.dat.
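The idea behind --propupd and the later comparison, as an added example that is neither rkhunter's nor chkrootkit's code: record a SHA-256 digest of every file under a directory, save the baseline as JSON, and on the next run report files that changed (a trojaned binary), vanished, or appeared (a rootkit dropping a hidden file). The demo builds a throwaway directory with constructed stand-ins for system binaries, so it runs anywhere without touching the real system.

```python
"""File-integrity baseline and comparison (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify the differences between a stored baseline and the current state."""
    return {
        "changed": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "new": sorted(f for f in current if f not in baseline),
    }


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        # constructed stand-ins for system binaries
        for name in ("ls", "ps", "netstat"):
            (root / "bin" / name).write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the scanned tree
        save_baseline(build_baseline(root), baseline_file)  # the --propupd step

        # simulate a rootkit: trojan ls to hide itself, remove netstat, drop a hidden file
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nls_real \"$@\" | grep -v rootkit\n")
        (root / "bin" / "netstat").unlink()
        (root / "bin" / ".hidden").write_bytes(b"backdoor")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The baseline is only as trustworthy as the system it was taken on and the medium it is kept on: a kernel-level rootkit can return the original file contents to the hashing program while executing its own, so for a serious check the disk should be hashed from a clean system or live CD and the baseline stored read-only.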


Experiment 14: Generate a minimum of 10 passwords of length 12 characters using the OpenSSL command.

OpenSSL is an open source, general-purpose cryptography library that also provides an implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used for web authentication and encryption. It comes with a command-line tool, openssl, for generating RSA private keys and Certificate Signing Requests (CSRs), computing checksums, managing certificates and performing encryption and decryption. The openssl program provides a rich variety of commands, each of which often has many options and arguments. The pseudo-commands list-standard-commands, list-message-digest-commands and list-cipher-commands output (one entry per line) the names of all standard commands, message digest commands or cipher commands available in the installed openssl utility.

Standard commands:
openssl - the OpenSSL command-line tool
passwd - generation of hashed passwords
pkey - public and private key management
rand - generate pseudo-random bytes
ts - Time Stamping Authority tool (client/server)
version - OpenSSL version information

Encoding and cipher commands:
base64 - Base64 encoding
rsa - RSA key management
genrsa - generation of an RSA private key (superseded by genpkey)
genpkey - generation of a private key or parameters

Syntax: openssl command [command_options] [command_arguments]

Working with OpenSSL on Windows:
Step 1: Run the OpenSSL setup file and install to the default location.
Step 2: Choose Full installation and click Next to complete the installation.


Step 3: Run OpenSSL from the command prompt; the binary is at C:\Program Files\GnuWin32\OpenSSL\openssl.exe.
Step 4: At the openssl> prompt (the interactive OpenSSL shell) execute the commands below for password generation.
Step 5: Alternatively, on BackTrack enter openssl in a terminal window and run the same commands:
# openssl
Step 6: passwd -crypt [our password]
This produces a traditional Unix crypt(3) hash, which uses only the first 8 characters of the password.
Step 7: passwd -1 [our password]
This produces a salted MD5-based hash and accepts passwords longer than 8 characters. Both passwd variants hash an existing password for storage; they do not generate new ones, which is the job of rand.
Step 8: Type the command to generate ten passwords of 10-12 characters.

Step 9: genrsa 1024
This generates an RSA private key of 1024 bits. A 1024-bit modulus is no longer considered safe; use 2048 bits or more for any real key.
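The two halves of this experiment in Python, as an added example (not OpenSSL's code and not from the manual): generate_passwords draws characters from the operating system's CSPRNG, the same kind of source openssl rand uses, and rejects candidates that miss a character class; store_password shows what the pass-hashing steps above do, salted hashing for storage, but with PBKDF2-HMAC-SHA256 and many iterations instead of crypt or MD5. The character set and iteration count are choices made for this example.

```python
"""Password generation and storage hashing (added example)."""
import hashlib
import math
import secrets
import string

SYMBOLS = "!@#$%^&*-_=+"  # chosen for this example
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of this length (before the class rule)."""
    return length * math.log2(alphabet_size)


def generate_password(length=12):
    """Random password from ALPHABET that contains every character class."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        # secrets.choice uses the OS CSPRNG; rejection sampling keeps the result
        # uniform over all accepted strings instead of forcing classes into fixed positions
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def generate_passwords(count=10, length=12):
    return [generate_password(length) for _ in range(count)]


PBKDF2_ITERATIONS = 600_000  # example value; tune to your hardware


def store_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a salted hash for storage in the form algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(16)  # unique per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in generate_passwords():
        print(pw)
    print(f"{entropy_bits(12):.1f} bits of entropy per 12-character password")
```

Twelve characters from a 74-symbol alphabet give about 74 bits of entropy, far beyond what the 8-character limit of the crypt scheme allows, and the slow, salted PBKDF2 hash is what makes an offline dictionary attack on a stolen password file expensive.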


Experiment 15:Setup a honeypot and monitor the honey pot on network. A honeypot is a device placed on a computer network specifically designed to capture malicious network traffic. The logging capability of a honeypot is far greater than any other network security tool and captures raw packet level data even including the keystrokes and mistakes made by hackers. The captured information is highly valuable as it contains only malicious traffic with little to no false positives. Honeypots are becoming one of the leading security tools used to monitor the latest tricks and exploits of hackers by recording their every move so that the security community can more quickly respond to new exploits. HoneyBOT works by opening over 1000 UDP and TCP listening sockets on our computer and these sockets are designed to mimic vulnerable services. When an attacker connects to these services they are fooled into thinking they are attacking a real server. The honeypot safely captures all communications with the attacker and logs these results for future analysis. Should an attacker attempt an exploit or upload a rootkit or trojan to the server the honeypot environment will safely store these files on our computer for analysis and submission to antivirus vendors. Our test servers have captured several thousand trojans and rootkits from some simulated services.

Steps for HoneyBOT
Step 1: HoneyBOT can be downloaded from the vendor's web site at: http://www.atomicsoftwaresolutions.com/honeybot.php
Step 2: After clicking the download link, save HoneyBOT_010.exe to a location on our hard drive.
Step 3: Double-click the HoneyBOT_010.exe installation file to begin the setup process.
Step 4: Follow the prompts in the setup process. The default installation folder for setup is c:\honeybot\
Step 5: Setup will create a shortcut in the Start Menu folder, and an option is available to create a desktop icon.
Step 6: Now we can launch HoneyBOT using the program's shortcut icon.
Step 7: Click on the blue play button to start the HoneyBOT listening engine.
Step 8: Using a web browser, try to access various network systems by providing their IP addresses.
Step 9: Double-clicking a record in the list view of the main window will open the Packet Log viewer window. On the upper left-hand side of the window is the Connection Details pane, which displays basic information about the selected hit, including the total number of bytes sent and bytes received for that hit. In the upper right-hand side the application displays the Packet History list view of all transmitted and received IP packets associated with the hit.
Step 10: By clicking on a record in the Packet History box, we can view the complete packet data in the lower window.
Step 11: All log files are saved by default to the c:\honeybot\logs folder. Log files store information relating to the hits on the system and also store all data received from and sent to the attacking computer.
Step 12: Click on the red stop button to shut down all listening services and terminate all existing open sockets.
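To make the mechanism behind HoneyBOT's "hits" concrete, here is an added example (not code from this manual or from HoneyBOT): a minimal TCP honeypot in Python that opens one fake service, sends a banner, records everything the peer sends, and produces the same kind of per-hit record the Packet Log viewer shows (remote address, local port, bytes sent and received, payload). It listens on the loopback address with an ephemeral port, and the FTP-style banner, the probe() client and its "USER admin" payload are all constructed stand-ins for a real scanner; a real deployment would bind many ports and write each record to a log file, as the text describes for c:\honeybot\logs.

```python
"""A minimal TCP honeypot listener that logs every connection it receives.

Added example, not part of the lab manual or of HoneyBOT. A fake service
that does nothing useful, so every hit is suspicious by definition and can
be logged in full. The loopback host, port 0 (ephemeral), the FTP-style
banner and the probe payload are constructed sample values.
"""
import json
import socket
import threading
import time
from datetime import datetime, timezone


class MiniHoneypot:
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp ready\r\n", max_bytes=4096):
        self.banner = banner
        self.max_bytes = max_bytes        # cap so a flood cannot exhaust memory
        self.hits = []                    # one record per accepted connection
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(5)
        self._srv.settimeout(0.2)         # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._srv.accept()
            except socket.timeout:
                continue
            with conn:
                self._handle(conn, addr)

    def _handle(self, conn, addr):
        conn.settimeout(1.0)
        started = datetime.now(timezone.utc).isoformat()
        try:
            conn.sendall(self.banner)     # the only thing the fake service ever says
        except OSError:
            pass
        data = b""
        try:
            while len(data) < self.max_bytes:
                chunk = conn.recv(1024)
                if not chunk:             # peer closed the connection
                    break
                data += chunk
        except (socket.timeout, OSError):
            pass
        record = {
            "time": started,
            "remote_ip": addr[0],
            "remote_port": addr[1],
            "local_port": self.port,
            "bytes_sent": len(self.banner),
            "bytes_received": len(data),
            "payload_hex": data.hex(),    # raw bytes kept verbatim for analysis
        }
        with self._lock:
            self.hits.append(record)

    def wait_for_hits(self, count, timeout=5.0):
        """Block until `count` hits have been recorded (or the timeout passes)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.hits) >= count:
                    return list(self.hits)
            time.sleep(0.05)
        with self._lock:
            return list(self.hits)


def log_line(record):
    """One JSON line per hit, the shape you would append to a log file or ship to a SIEM."""
    return json.dumps(record, sort_keys=True)


def probe(port, payload):
    """Constructed client standing in for a scanner; returns the banner it saw."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def demo():
    hp = MiniHoneypot()
    hp.start()
    try:
        banner = probe(hp.port, b"USER admin\r\nPASS admin\r\n")
        hits = hp.wait_for_hits(1)
    finally:
        hp.stop()                         # the red stop button: close all sockets
    return banner, hits


if __name__ == "__main__":
    banner, hits = demo()
    for h in hits:
        print(log_line(h))
```

The design choice to notice is that the listener never interprets what it receives; it only records it, so a malformed or hostile payload cannot change the honeypot's behaviour, and the per-hit record is complete enough (source, port, byte counts, verbatim payload) that an analyst can reconstruct the session later, which is exactly what the Connection Details and Packet History panes present.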

Uninstalling HoneyBOT
Click the Uninstall HoneyBOT icon in the program's Start Menu folder to uninstall HoneyBOT and follow the prompts.

