CEH Lab Manual

Evading IDS, Firewalls, and Honeypots

Module 17


Module 17 - Evading IDS, Firewalls and Honeypots

Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

Lab Scenario

Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are among those that have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities in a network. The key is to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress, including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a "process of identifying and responding to malicious activity targeted at computing and networking resources." In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from its own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Lab Objectives

The objective of this lab is to help students learn to detect intrusions in a network, log them, and view all log files. In this lab, you will learn how to:

■ Install and configure Snort IDS

■ Run Snort as a service

■ Log snort log files to Kiwi Syslog server

■ Store snort log files to two output sources simultaneously

Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine

■ A computer running Windows Server 2008, Windows 8, or Windows 7 as a virtual machine

■ WinPcap drivers installed on the host machine

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

CEH Lab Manual Page 847 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


■ Notepad++ installed on the host machine

■ Kiwi Syslog Server installed on the host machine

■ Active Perl installed on the host machine to run Perl scripts

■ Administrative privileges to configure settings and run tools

■ A web browser with Internet access

Lab Duration

Time: 40 Minutes

Overview of Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. In addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself or changing the security environment.

IDPSes are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in using IDSes:

■ Detecting Intrusions Using Snort

■ Logging Snort Alerts to Kiwi Syslog Server

■ Detecting Intruders and Worms using KFSensor Honeypot IDS

■ HTTP Tunneling Using HTTPort

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target’s security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Detecting Intrusions using Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by reviewing IDS logs and packet captures while corroborating them with firewall logs, known vulnerabilities, and general trending data from the Internet. As attacks become more sophisticated, automatically reasoning about attack scenarios in real time and categorizing those scenarios becomes a critical challenge. These result in huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Lab Objectives

The objective of this lab is to familiarize students with IPSes and IDSes.

In this lab, you need to:

■ Install Snort and verify Snort alerts

■ Configure and validate the snort.conf file

■ Test the working of Snort by carrying out an attack test

■ Perform intrusion detection

■ Configure Oinkmaster

Lab Environment

To carry out this lab, you need:


■ A computer running Windows Server 2012 as a host machine

■ Windows 7 running on a virtual machine as an attacker machine

■ WinPcap drivers installed on the host machine

■ Notepad++ installed on the host machine

■ Kiwi Syslog Server installed on the host machine

■ Active Perl installed on the host machine to run Perl scripts

■ Administrative privileges to configure settings and run tools

Lab Duration

Time: 30 Minutes

Overview of Intrusion Prevention Systems and Intrusion Detection Systems

An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity.

An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

TASK 1

Install Snort

1. Start Windows Server 2012 on the host machine. Install Snort.

2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.

3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.

4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.

5. A window appears after successful installation of Snort. Click the Close button.

6. Click OK to exit the Snort Installation window.

Note: Snort is an open source network intrusion prevention and detection system (IDS/IPS). You can also download Snort from http://www.snort.org.


Figure 1.1: Snort Successful Installation Window. The Snort 2.9.3.1 Setup dialog reads: "Snort has successfully been installed. Snort also requires WinPcap 4.1.1 to be installed on this machine. WinPcap can be downloaded from: http://www.winpcap.org/ It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable. Next, you must manually edit the 'snort.conf' file to specify proper paths to allow Snort to find the rules files and classification files." Click OK.

7. Snort requires WinPcap to be installed on your machine.

8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort, and double-clicking WinPcap_4_1_2.exe.

9. By default, Snort installs itself in C:\Snort (C:\ or D:\ depending upon the disk drive in which the OS is installed).

10. Register on the Snort website https://www.snort.org/signup in order to download Snort Rules. After registration completes, it will automatically redirect to a download page.

11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.

12. Extract the downloaded rules and copy the extracted folder to this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.

13. Rename the extracted folder to snortrules.

14. Now go to the etc folder of the extracted Snort rules at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc, copy the snort.conf file, and paste this file in C:\Snort\etc.

15. A snort.conf file is already present in C:\Snort\etc; replace this file with the snort.conf file from the Snort rules.

16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.

Note: WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.


17. Replace the preproc_rules folder in C:\Snort with the one from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules.

18. Copy all the files from this location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

19. Now navigate to C:\Snort, right-click the bin folder, and click CmdHere from the context menu to open it in a command prompt.

20. Type snort and press Enter.

Note: To print out the TCP/IP packet headers to the screen (i.e. sniffer mode), type: snort -v.

21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and comes back to C:\Snort\bin.

22. Now type snort -W. This command lists your machine's physical addresses, IP addresses, and Ethernet drivers, but all are disabled by default.

Figure 1.3: Snort -W Command

23. Observe your Ethernet Driver index number and write it down; in this lab, the Ethernet Driver index number is 1.

24. To enable the Ethernet Driver, in the command prompt, type snort -dev -i2 and press Enter.
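Steps 22 to 24 leave you to read the index off the snort -W table by eye, and that is where the wrong interface is most often picked (the text above names index 1, the command uses -i2, and the screenshots that follow were taken with -i 4). The following added example is not part of the lab manual or the Snort project: it parses a constructed snort -W listing in the column layout the Windows build prints (the NPF GUIDs are placeholders, not values from this lab), excludes the software adapters that show an all-zero physical address, and builds the snort -dev command for the one adapter that remains.

```python
"""Choose the capture interface index from `snort -W` output (steps 22 to 24).
Added example, not from the lab manual or the Snort project. SAMPLE_SNORT_W is a
constructed listing in the column layout the Windows build prints; the NPF GUIDs
are placeholders, not values from the lab."""
import re

SAMPLE_SNORT_W = """\
Index    Physical Address    IP Address    Device Name    Description
-----    ----------------    ----------    -----------    -----------
    1    00:00:00:00:00:00   disabled      \\Device\\NPF_{00000000-0000-0000-0000-000000000001}    Microsoft Corporation
    2    00:00:00:00:00:00   disabled      \\Device\\NPF_{00000000-0000-0000-0000-000000000002}    Microsoft Corporation
    3    00:00:00:00:00:00   disabled      \\Device\\NPF_{00000000-0000-0000-0000-000000000003}    Virtual adapter (placeholder)
    4    D4:BE:D9:C3:C3:CC   disabled      \\Device\\NPF_{00000000-0000-0000-0000-000000000004}    Realtek PCIe GBE Family Controller
"""

# One data row: index, MAC, IP column (Snort prints "disabled" when it has no address),
# the NPF device path, and a free-text description.
ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>\S+)\s+"
    r"(?P<device>\\Device\\NPF_\{[0-9A-Fa-f-]+\})\s+(?P<desc>.+?)\s*$"
)

def parse_snort_w(text):
    """Return the interface rows as dicts; header and separator lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["index"] = int(row["index"])
            rows.append(row)
    return rows

def choose_interface(rows, keyword=None):
    """Return the index of the one physical adapter.

    Software adapters are listed with an all-zero MAC, so those are excluded first; an
    optional keyword narrows on the description. Anything but exactly one match raises,
    because guessing an index is how traffic ends up captured on the wrong NIC.
    """
    candidates = [r for r in rows if r["mac"] != "00:00:00:00:00:00"]
    if keyword:
        candidates = [r for r in candidates if keyword.lower() in r["desc"].lower()]
    if len(candidates) != 1:
        raise ValueError(f"expected one candidate, found {[r['index'] for r in candidates]}")
    return candidates[0]["index"]

def snort_command(index, mode="-dev"):
    """Build the command from step 24 for the chosen index."""
    return f"snort {mode} -i {index}"

if __name__ == "__main__":
    idx = choose_interface(parse_snort_w(SAMPLE_SNORT_W))
    print(snort_command(idx))  # snort -dev -i 4
```

On a real host, feed the script the captured output of snort -W instead of SAMPLE_SNORT_W; if more than one adapter has a hardware address (a laptop with Wi-Fi and Ethernet, say), pass a keyword from the Description column rather than letting the script guess.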

Screenshot for Figure 1.3: the output of C:\Snort\bin>snort -W is a table with the columns Index, Physical Address, IP Address, Device Name, and Description. Four interfaces are listed as \Device\NPF_{...} entries; every IP Address column reads "disabled", and index 4 is the Realtek PCIe GBE Family Controller with physical address D4:BE:D9:C3:C3:CC. The banner reports Version 2.9.3.1-WIN32 GRE (Build 40), By Martin Roesch & The Snort Team, Copyright (C) 1998-2012 Sourcefire, Inc., et al., Using PCRE version: 8.10 2010-06-25, Using ZLIB version: 1.2.3.

Figure 1.2: Snort Basic Command (screenshot of C:\Snort\bin>snort: "Running in packet dump mode", "Initializing Snort", "Initializing Output Plugins!", "pcap DAQ configured to passive.", "The DAQ version does not support reload.", "Acquiring network traffic from \Device\NPF_{...}", "Decoding Ethernet", "Initialization Complete", the same version banner, then "Commencing packet processing (pid=...)")

TASK 2

Verify Snort Alert


25. You see rapidly scrolling text in the command prompt. It means that the Ethernet Driver is enabled and working properly.

Note: To specify a logging directory, type snort -dev -l /logdirectorylocation, and Snort automatically knows to go into packet logger mode.

26. Leave the Snort command prompt window open, and launch another command prompt window.

27. In a new command prompt, type ping google.com and press Enter.

Note: Ping syntax: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

28. This ping command triggers a Snort alert in the Snort command prompt with rapidly scrolling text.

Note: To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.

Figure 1.6: Snort Showing Captured Google Request (screenshot of the snort -dev -i 4 window showing a TCP packet from 74.125.236.85:443 to 10.0.0.10:51345 with TTL:56 TOS:0x0 ID:55300 IpLen:20, followed by a hex/ASCII dump of the payload)

Figure 1.5: Ping google.com Command (screenshot showing 10.0.0.10:51345 -> 74.125.236.85:443 TCP TTL:128 TOS:0x0 ID:20990 IpLen:20 DgmLen:40 DF, Seq: 0x4C743C54 Ack: 0x81047C77 Win: 0xFB27 TcpLen: 20, followed by repeated "ARP who-has 10.0.0.13 tell 10.0.0.10" entries)

Figure 1.4: Snort -dev -i 4 Command (screenshot of C:\Snort\bin>snort -dev -i 4: "Running in packet dump mode", "Initializing Snort", "pcap DAQ configured to passive.", "Acquiring network traffic from \Device\NPF_{...}", "Decoding Ethernet", "Initialization Complete", the Snort 2.9.3.1-WIN32 GRE (Build 40) banner, then "Commencing packet processing (pid=2852)" and the first "ARP who-has 10.0.0.13 tell 10.0.0.10" line)


29. Close both command prompt windows. The verification of the Snort installation and alert triggering is complete, and Snort is working correctly in verbose mode.

30. Configure the snort.conf file located at C:\Snort\etc.

31. Open the snort.conf file with Notepad++.

32. The snort.conf file opens in Notepad++ as shown in the following screenshot.

Figure 1.7: Configuring Snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line (Line 45), replace any with the IP address of the machine where Snort is running.

Figure 1.8: Configuring Snort.conf File in Notepad++ (screenshot of the snort.conf Step #1 section with Line 45 reading ipvar HOME_NET 10.0.0.10)

34. Leave the EXTERNAL_NET any line as it is.

TASK 3

Configure snort.conf File

Note: Make sure to grab the rules for the version of Snort you are installing.

Note: To log packets in tcpdump format and produce minimal alerts, type: snort -b -A fast -c snort.conf.

Note: Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.
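The ping test in steps 27 and 28 only shows packets scrolling past in verbose mode; once snort.conf is configured and Snort runs with -c snort.conf -A fast as in the note above, what you get instead is one alert line per rule match. The following added example is not from the lab manual or the Snort project. It shows a constructed local rule that would turn the lab's ping test into a real alert (a hypothetical C:\Snort\rules\local.rules entry), then parses constructed alert_fast lines in the format Snort writes and summarizes them by rule and by source host, which is the first thing an analyst does with a day's worth of alerts.

```python
"""Parse Snort fast alerts (the `-A fast` format from the note above) and summarize
them by rule and by source host. Added example, not from the lab manual or Snort.
The alert lines and the local rule are constructed for illustration."""
import re
from collections import Counter

# Constructed local rule (hypothetical file C:\Snort\rules\local.rules). Unlike the
# ping test above, which only shows packets in verbose mode, a rule like this makes
# an ICMP echo request to the Snort host produce an actual alert.
LOCAL_RULE = (
    'alert icmp any any -> $HOME_NET any '
    '(msg:"LOCAL ICMP echo request to Snort host"; itype:8; sid:1000001; rev:1;)'
)

# Constructed alert_fast lines in the layout Snort writes: timestamp, [gid:sid:rev],
# message, optional classification, priority, {protocol}, source -> destination.
SAMPLE_ALERTS = """\
11/14-09:58:16.374896  [**] [1:1000001:1] LOCAL ICMP echo request to Snort host [**] [Priority: 3] {ICMP} 10.0.0.13 -> 10.0.0.10
11/14-09:58:17.496035  [**] [1:1000001:1] LOCAL ICMP echo request to Snort host [**] [Priority: 3] {ICMP} 10.0.0.13 -> 10.0.0.10
11/14-09:58:20.102233  [**] [1:1000001:1] LOCAL ICMP echo request to Snort host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.25 -> 10.0.0.10
11/14-09:59:01.000001  [**] [1:1000002:1] LOCAL test alert on TCP 443 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 74.125.236.85:443 -> 10.0.0.10:51345
"""

FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_fast_alerts(text):
    """Return one dict per alert line; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LINE.match(line)
        if m:
            a = m.groupdict()
            a["sid"] = int(a["sid"])
            a["priority"] = int(a["pri"])
            alerts.append(a)
    return alerts

def host(addr):
    """Drop the :port suffix alert_fast appends for TCP/UDP (IPv4 addresses assumed)."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr

def summarize(alerts):
    """Count alerts per (sid, msg) and per source host, and pull out priority 1-2 alerts."""
    return {
        "by_rule": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(host(a["src"]) for a in alerts),
        "high_priority": [a for a in alerts if a["priority"] <= 2],
    }

if __name__ == "__main__":
    summary = summarize(parse_fast_alerts(SAMPLE_ALERTS))
    for (sid, msg), n in summary["by_rule"].most_common():
        print(f"sid {sid}: {n} x {msg}")
    for src, n in summary["by_source"].most_common():
        print(f"{src}: {n} alert(s)")
```

To use it against a real run, point parse_fast_alerts at the contents of the alert.ids file Snort writes in the log directory given with -l; the ICMP alerts from the ping test will come out grouped under sid 1000001 with the pinging host as the source.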


35. If you have a DNS Server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS Server IP address; otherwise, leave this line as it is.

36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.

37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.

38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.

Note: The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.

Figure 1.9: Configuring Snort.conf File in Notepad++ (screenshot of snort.conf Lines 104-106 reading var RULE_PATH C:\Snort\rules, var SO_RULE_PATH C:\Snort\so_rules, and var PREPROC_RULE_PATH C:\Snort\preproc_rules)

Note: Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators ? and -.

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.

Figure 1.10: Configuring Snort.conf File in Notepad++ (screenshot of snort.conf Lines 113-114 reading var WHITE_LIST_PATH C:\Snort\rules and var BLACK_LIST_PATH C:\Snort\rules)


40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules; make sure the extension of both files is .rules.

41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure the dynamic loaded libraries in this section.

42. At path to dynamic preprocessor libraries (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.

43. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.

Figure 1.11: Configuring Snort.conf File in Notepad++ (screenshot of the Step #4: Configure dynamic loaded libraries section with Line 247 reading dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor, while the dynamicengine and dynamicdetection lines below it still show their /usr/local/lib defaults)

44. At path to base preprocessor (or dynamic) engine (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

Note: The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

Note: Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.

Note: Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.

Figure 1.12: Configuring Snort.conf File in Notepad++


45. Comment out (#) the dynamic rules libraries line (Line 253), as you have already configured the libraries in the dynamic preprocessor libraries line.

Figure 1.13: Configuring Snort.conf File in Notepad++ (screenshot of Line 250 reading dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll, and Line 253, dynamicdetection directory /usr/local/lib/snort_dynamicrules, commented out)

Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

46. Scroll down to the Step #5: Configure Preprocessors section (Line 256). The preprocessors listed there do nothing in IDS mode, but generate errors at runtime.

47. Comment out all the preprocessors listed in this section by adding # before each preprocessor.

Figure 1.14: Configuring Snort.conf File in Notepad++ (screenshot of the Step #5 section with the inline packet normalization lines commented out: # preprocessor normalize_ip4, # preprocessor normalize_tcp: ips ecn stream, # preprocessor normalize_icmp4, # preprocessor normalize_ip6, # preprocessor normalize_icmp6; the frag3 and stream5 preprocessor lines follow)

48. Scroll down to Step #6: Configure output plugins (line 514). In this step, provide the location of the classification.config and reference.config files.

49. These two files are in C:\Snort\etc. Provide this location in the two include lines of the output plugins section (lines 540 and 541).

Note: IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

Note: Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 858


Screenshot (text recovered): snort.conf Step #6, output plugins, lines 514 to 541

    # Step #6: Configure output plugins
    # For more information, see Snort Manual, Configuring Snort - Output Modules

    # unified2
    # Recommended for most installs
    # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

    # Additional configuration for specific types of installs
    # output alert_unified2: filename snort.alert, limit 128, nostamp
    # output log_unified2: filename snort.log, limit 128, nostamp

    # database
    # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
    # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

    # metadata reference data. do not modify these lines
    include C:\Snort\etc\classification.config
    include C:\Snort\etc\reference.config

Note: The frag3 preprocessor is a target-based IP defragmentation module for Snort.

Figure 1.15: Configuring SnorT.coiif File in Notepad++


50. In this Step #6, add the line output alert_fast: alerts.ids so that Snort writes all alerts to the alerts.ids file.

Screenshot (text recovered): snort.conf Step #6 after editing, line 536 onward

    output alert_fast: alerts.ids
    # metadata reference data. do not modify these lines
    include C:\Snort\etc\classification.config
    include C:\Snort\etc\reference.config

Note: ipvars are enabled only with IPv6 support. Without IPv6 support, use a regular var.

Figure 1.16: Configuring Snort.conf File in Notepad++

51. By default, the C:\Snort\log folder is empty, without any files in it. Go to the C:\Snort\log folder and create a new text file with the name alerts.ids.

52. Ensure that the extension of that file is .ids.

Note: Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals:
1. Faster execution than frag2 with less complex data management.
2. Target-based host modeling anti-evasion techniques.


Screenshot: Windows Explorer showing the C:\Snort\log folder containing one item, alerts.ids

Figure 1.17: Configuring Snort.conf File in Notepad++

53. In the snort.conf file, find and replace every ipvar string with var. By default the file uses ipvar, which is only recognized by Snort builds with IPv6 support and is not recognized by the build used here, so replace it with var.

Note: Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This allows administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.

Screenshot: Notepad++ Replace dialog. Find what: ipvar; Replace with: var; Replace All; Match case unchecked; Wrap around checked; Search Mode: Normal; Direction: Down.

Note: Three types of variables may be defined in Snort:
■ var
■ portvar
■ ipvar

Figure 1.18: Configuring Snort.conf File in Notepad++

54. Save the snort.conf file.

55. Before running Snort you need to enable detection rules in the Snort rules files; for this lab, the ICMP rule is enabled so that Snort detects host-discovery ping probes against the system running Snort.

56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.

57. Uncomment line number 47 (remove the leading #), then save and close the file.
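Added example, not part of the lab manual: a small Python evaluator for the rule enabled in step 57, run against constructed packet headers shaped like the fields Snort prints in ICMP_ECHO.ids. It shows why the attacker's echo request (type 8, code 0) fires "ICMP-INFO PING" while the echo reply does not, and it carries the caveat a practitioner wants: with the lab's default var HOME_NET any / var EXTERNAL_NET any the internal-to-internal ping matches, but once HOME_NET is narrowed to the lab subnet and EXTERNAL_NET set to !$HOME_NET, the same ping no longer matches. The sid/rev in RULE are taken from the [1:384:6] alert shown later in the Kiwi output; the packets and both variable sets are constructed here and are not from the lab network.

```python
"""Evaluate the lab's ICMP rule against constructed packet headers.

Added example, not from the lab manual. RULE reproduces the page's rule with
sid/rev from the [1:384:6] alert seen in the Kiwi output; PACKETS, LAB_VARS
and STRICT_VARS are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field

RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"ICMP-INFO PING"; icode:0; itype:8; '
        'classtype:misc-activity; sid:384; rev:6;)')

# Variable sets as they would read in snort.conf after step 53 (var, not ipvar).
LAB_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}            # lab default
STRICT_VARS = {"HOME_NET": "10.0.0.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed packets (not captured): the lab's ping, its reply, and a TCP segment.
PACKETS = [
    {"proto": "icmp", "src": "10.0.0.12", "dst": "10.0.0.10", "itype": 8, "icode": 0},
    {"proto": "icmp", "src": "10.0.0.10", "dst": "10.0.0.12", "itype": 0, "icode": 0},
    {"proto": "tcp", "src": "10.0.0.12", "dst": "10.0.0.10", "sport": 49152, "dport": 445},
]

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    options: dict = field(default_factory=dict)


def parse_rule(text):
    """Split a one-line Snort rule into its header fields and option keywords."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, _sport, _direction, dst, _dport, body = m.groups()
    options = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(action, proto, src, dst, options)


def ip_matches(spec, ip, variables):
    """Resolve 'any', $VAR references, '!' negation and CIDR/host specs."""
    spec = spec.strip()
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        result = ip_matches(variables[spec[1:]], ip, variables)
    elif spec == "any":
        result = True
    else:
        result = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return (not result) if negate else result


def matches(rule, pkt, variables):
    """True when protocol, both addresses and the ICMP type/code options match."""
    if rule.proto != pkt["proto"]:
        return False
    if not ip_matches(rule.src, pkt["src"], variables):
        return False
    if not ip_matches(rule.dst, pkt["dst"], variables):
        return False
    for key in ("itype", "icode"):  # only the keywords this rule uses
        if key in rule.options and int(rule.options[key]) != pkt.get(key):
            return False
    return True


def alerts_for(packets, variables, rule_text=RULE):
    """Return the msg of every alert the rule would raise for the packet list."""
    rule = parse_rule(rule_text)
    return [rule.options["msg"] for pkt in packets if matches(rule, pkt, variables)]


if __name__ == "__main__":
    print("lab vars   :", alerts_for(PACKETS, LAB_VARS))     # the ping is detected
    print("strict vars:", alerts_for(PACKETS, STRICT_VARS))  # same ping is now internal-to-internal
```

The lesson for the lab: the alert in Figure 1.21 is produced because both address variables are any, so the rule also fires on traffic between two internal hosts; narrowing HOME_NET is what turns this rule into an external-probe detector.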


Screenshot (text recovered): C:\Snort\rules\icmp-info.rules in Notepad++, line 47 uncommented

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; ...)

The surrounding rules (lines 28 to 55, for example "ICMP-INFO PING Microsoft Windows", "ICMP-INFO PING Oracle Solaris", "ICMP-INFO traceroute", "ICMP-INFO Address Mask Request") remain commented out with a leading #.

Figure 1.19: Configuring the icmp-info.rules File in Notepad++

58. Now navigate to C:\Snort, right-click the bin folder, and select CmdHere from the context menu to open it in a command prompt.

59. Type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your interface index number; in this lab, X is 1). Note that the log directory switch is a lowercase -l.

60. If you enter the command correctly, Snort validates the configuration and you receive a graceful exit, as shown in the following figure.

61. If you receive a fatal error, first verify that you have typed all modifications correctly into the snort.conf file, and then search through the file for entries matching your fatal error message.

62. If you receive an error stating "Could not create the registry key," run the command prompt as an Administrator.

TASK: Validate Configurations

Screenshot: Administrator: C:\Windows\system32\cmd.exe

    C:\Snort\bin>snort -i4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii

Note: To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example:

    /usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

Figure 2.18: Snort Successfully Validated Configuration Window

TASK: Start Snort

63. Start Snort in IDS mode: in the command prompt, type snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 2 and then press Enter.


Figure 2.19: Start Snort in IDS Mode Command

64. Snort starts running in IDS mode. It first initializes the output plug-ins, preprocessors and other plug-ins, loads the dynamic preprocessor libraries and the rule chains, and then logs all signatures.

65. After initializing the interface and logging the signatures, Snort starts and waits for an attack, triggering an alert when an attack occurs on the machine.

Screenshot (text recovered): Snort start-up banner

    -*> Snort! <*-
    Version 2.9.3.1-WIN32 GRE (Build 40)
    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-t
    Copyright (C) 1998-2012 Sourcefire, Inc., et al.
    Using PCRE version: 8.10 2010-06-25
    Using ZLIB version: 1.2.3

    Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 (Build 18)
    Preprocessor Object: SF_SSLPP Version 1.1 (Build 4)
    Preprocessor Object: SF_SSH Version 1.1 (Build 3)
    Preprocessor Object: SF_SMTP Version 1.1 (Build 9)
    Preprocessor Object: SF_SIP Version 1.1 (Build 1)
    Preprocessor Object: SF_SDF Version 1.1 (Build 1)
    Preprocessor Object: SF_REPUTATION Version 1.1 (Build 1)
    Preprocessor Object: SF_POP Version 1.0 (Build 1)
    Preprocessor Object: SF_MODBUS Version 1.1 (Build 1)
    Preprocessor Object: SF_IMAP Version 1.0 (Build 1)
    Preprocessor Object: SF_GTP Version 1.1 (Build 1)
    Preprocessor Object: SF_FTPTELNET Version 1.2 (Build 13)
    Preprocessor Object: SF_DNS Version 1.1 (Build 4)
    Preprocessor Object: SF_DNP3 Version 1.1 (Build 1)
    Preprocessor Object: SF_DCERPC2 Version 1.0 (Build 3)
    Commencing packet processing (pid=6664)

Figure 1.20: Initializing Snort Rule Chains Window


67. Leave the Snort command prompt running.

68. Attack your own machine and check whether Snort detects it.

69. Launch your Windows 8 virtual machine (attacker machine).

70. Open the command prompt and type ping XXX.XXX.XXX.XXX -t from the attacker machine (XXX.XXX.XXX.XXX is the IP address of your Windows Server 2012 machine).

71. Go to Windows Server 2012, open the Snort command prompt, and press Ctrl+C to stop Snort. Snort exits.

72. Now go to the C:\Snort\log\10.0.0.12 folder and open the ICMP_ECHO.ids text file. With -K ascii, Snort stores the packet logs in a folder named after the remote host's IP address; 10.0.0.12 is the attacker machine's address in this lab.

Command-line options used above:
■ -c C:\Snort\etc\snort.conf is the location of the configuration file
■ -l C:\Snort\log logs the output to the C:\Snort\log folder
■ -i 2 specifies the interface

Note: When Snort is run as a daemon, the daemon creates a PID file in the log directory.

TASK 6: Attack Host Machine

Note: To view the Snort log file, always stop Snort and then open the log file.


Screenshot (text recovered): ICMP_ECHO.ids opened in Notepad

    [**] ICMP-INFO PING [**]
    11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:198  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:199  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:200  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:201  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:202  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:203  ECHO

Figure 1.21: ICMP_ECHO.ids Window Listing Snort Alerts

73. You see that all the log entries are saved in the ICMP_ECHO.ids file. This means that Snort is working correctly and triggers an alert when an attack occurs on your machine.
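Added example, not part of the lab manual: a Python parser for the ASCII alert records Snort writes with -K ascii (the ICMP_ECHO.ids format shown in Figure 1.21), turning them into the kind of per-flow report that question 2 below asks about. It counts alerts per (source, destination, message), measures the time span and rate, and checks the ICMP sequence numbers for gaps, which reveal probes Snort never saw or never logged. SAMPLE_LOG embeds the page's six records so the script runs offline; the year is an assumption, because the log format omits it.

```python
"""Parse Snort's ASCII packet-log alerts (ICMP_ECHO.ids format) into a report.

Added example, not from the lab manual. SAMPLE_LOG is the page's six records
embedded here; the year passed to parse_alert_log is an assumption.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:198  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:202  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:203  ECHO
"""

HDR_RE = re.compile(r'^\[\*\*\]\s*(.*?)\s*\[\*\*\]$')
TS_RE = re.compile(r'^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+->\s+(\S+)$')
IP_RE = re.compile(r'^(\w+)\s+TTL:(\d+)\s+TOS:(0[xX][0-9A-Fa-f]+)\s+ID:(\d+)\s+IpLen:(\d+)\s+DgmLen:(\d+)')
ICMP_RE = re.compile(r'^Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)\s+(\w+)')


def parse_alert_log(text, year=2012):
    """Return one dict per blank-line-separated record; year is assumed (log omits it)."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        hdr, ts, ip = HDR_RE.match(lines[0]), TS_RE.match(lines[1]), IP_RE.match(lines[2])
        if not (hdr and ts and ip):
            raise ValueError("unrecognised record:\n" + block)
        rec = {
            "msg": hdr.group(1),
            "time": datetime.strptime(f"{year}/{ts.group(1)} {ts.group(2)}", "%Y/%m/%d %H:%M:%S.%f"),
            "src": ts.group(3), "dst": ts.group(4),
            "proto": ip.group(1), "ttl": int(ip.group(2)), "ip_id": int(ip.group(4)),
        }
        icmp = ICMP_RE.match(lines[3]) if len(lines) > 3 else None
        if icmp:  # ICMP records carry a fourth line with type/code/id/seq
            rec.update(itype=int(icmp.group(1)), icode=int(icmp.group(2)),
                       icmp_id=int(icmp.group(3)), seq=int(icmp.group(4)))
        records.append(rec)
    return records


def summarize(records):
    """Group by (src, dst, msg): count, time span, rate and missing ICMP sequence numbers."""
    summary = {}
    for rec in records:
        key = (rec["src"], rec["dst"], rec["msg"])
        e = summary.setdefault(key, {"count": 0, "first": rec["time"], "last": rec["time"], "seqs": []})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], rec["time"]), max(e["last"], rec["time"])
        if "seq" in rec:
            e["seqs"].append(rec["seq"])
    for e in summary.values():
        e["duration_s"] = (e["last"] - e["first"]).total_seconds()
        e["pps"] = e["count"] / e["duration_s"] if e["duration_s"] else None
        seqs = sorted(e["seqs"])
        # Gaps in the echo-request sequence are probes Snort never saw (or never logged).
        e["missing_seqs"] = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    return summary


if __name__ == "__main__":
    for (src, dst, msg), e in summarize(parse_alert_log(SAMPLE_LOG)).items():
        print(f"{msg}: {src} -> {dst}  {e['count']} alerts over {e['duration_s']:.3f}s, "
              f"missing seqs {e['missing_seqs']}")
```

On the page's data this reports six alerts from 10.0.0.12 to 10.0.0.10 over about 5.08 seconds with no sequence gaps; drop two records from the input and the gap check names the missing sequence numbers.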

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Snort
Information Collected/Objectives Achieved: Output: victim machine logs are captured

Questions
1. Determine and analyze the process to identify and monitor network ports after intrusion detection.


2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required
☐ Yes   ☑ No

Platform Supported
☑ Classroom   ☑ iLabs


Lab

Logging Snort Alerts to Kiwi Syslog Server
Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario
Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day, making it difficult for human users to analyze them and take appropriate actions. It is important to reduce the redundancy of alerts, intelligently integrate and correlate them, and present a high-level view of the detected security issues to the administrator. An IDS is used to inspect data for malicious or anomalous activities and detect attacks or unauthorized use of systems, networks, and related resources.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, identify malicious network activity, log information about it, and stop or block malicious network activity.

Lab Objectives
The objective of this lab is to help students learn and understand IPSes and IDSes.

In this lab, you need to:
■ Install Snort and configure the snort.conf file
■ Validate configuration settings
■ Perform an attack on the host machine
■ Perform intrusion detection
■ Attempt to stop detected possible incidents

ICON KEY
■ Valuable information
■ Test your knowledge
■ Web exercise
■ Workbook review

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots


Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ Windows 8 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Administrative privileges to configure settings and run tools

Lab Duration
Time: 10 Minutes

Overview of IPSes and IDSes
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Lab Tasks

TASK 1: Log Snort Alerts to Syslog Server

1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Kiwi Syslog Server, double-click Kiwi_Syslog_Server_9.3.4.Eval.setup.exe and install Kiwi Syslog Server on the Windows Server 2012 host machine.

2. The License Agreement window appears. Click I Agree.

Figure 2.1: Kiwi Syslog Server installation

Note: You can also download Kiwi Syslog Server from http://www.kiwisyslog.com


3. In the Choose Operating Mode wizard, select the Install Kiwi Syslog Server as an Application option and click Next >.

Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode. The program can be run as a Service or Application.
■ Install Kiwi Syslog Server as a Service: installs Kiwi Syslog Server as a Windows service, allowing the program to run without a user logging in to Windows. This option also installs the Kiwi Syslog Server Manager, which is used to control the service.
■ Install Kiwi Syslog Server as an Application (selected): installs Kiwi Syslog Server as a typical Windows application, requiring a user to log in to Windows before running the application.

Figure 2.2: Kiwi Syslog Server installation

4. In the Install Kiwi Syslog Web Access wizard, uncheck the selected option and click Next >.

Screenshot: Kiwi Syslog Server 9.3.4 Installer, Install Kiwi Syslog Web Access (remote viewing, filtering and highlighting of Syslog events). Check boxes: Install Kiwi Syslog Web Access (unchecked); Create a new Web Access logging rule in Kiwi Syslog Server. Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server.

Figure 2.3: Kiwi Syslog Web Access

5. Leave the settings at their defaults in the Choose Components wizard and click Next >.



Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Components. Select the type of install: Normal. Optional components: Program files (required); Shortcuts apply to all users; Add Start menu shortcut; Add Desktop shortcut; Add QuickLaunch shortcut; Add Start-up shortcut. Space required: 89.5MB. Buttons: < Back, Next >, Cancel.

Figure 2.4: Adding components

6. In the Choose Install Location wizard, leave the settings at their defaults and click Install to continue.

Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Install Location. Setup will install Kiwi Syslog Server 9.3.4 in the following folder. To install in a different folder, click Browse and select another folder. Click Install to start the installation. Space required: 89.5MB. Space available: 50.1GB.

Figure 2.5: Destination folder

7. Click Finish to complete the installation.

You should see a test message appear, which indicates Kiwi is working.


Screenshot: Completing the Kiwi Syslog Server 9.3.4 Setup Wizard. Kiwi Syslog Server 9.3.4 has been installed on your computer. Click Finish to close this wizard. Options: Run Kiwi Syslog Server 9.3.4 (checked); Visit the SolarWinds website. Buttons: < Back, Finish, Cancel.

Figure 2.6: Kiwi Syslog Server finish window

8. Click OK in the Kiwi Syslog Server - Default settings applied dialog box.

Dialog: Kiwi Syslog Server - Default settings applied

    Thank you for choosing Kiwi Syslog Server.
    This is the first time the program has been run on this machine.
    The following default 'Action' settings have been applied...
    * Display all messages
    * Log all messages to file: SyslogCatchAll.txt
    These settings can be changed from the File | Setup menu.
    Happy Syslogging...
    [OK]

Figure 2.7: Default settings applied window

9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.

Figure 2.8: Start menu in Windows Server 2012

10. In the Start menu apps, click Kiwi Syslog Server Console to launch the app.

Note: Kiwi Syslog Server is a free syslog server for Windows. It receives, logs, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and other syslog-enabled devices.



Figure 2.9: click kkvi syslog server application

11. Configure syslog alerts in the snort.conf file.

12. To configure syslog alerts, first exit from the Snort command prompt (press Ctrl+C).

13. Go to C:\Snort\etc and open the snort.conf file with Notepad++.

14. Scroll down to Step #6: Configure output plugins. In the syslog section (line 527), remove the # and modify the line to output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT. Here host= points Snort at the Kiwi listener on the local machine, UDP port 514, and LOG_AUTH LOG_ALERT are the syslog facility and severity, which Kiwi displays as Auth.Alert.

Snort.conf before modification (syslog)

Screenshot (text recovered): snort.conf Step #6, syslog section before editing

    # Step #6: Configure output plugins
    # Additional configuration for specific types of installs
    # output alert_unified2: filename snort.alert, limit 128, nostamp
    # output log_unified2: filename snort.log, limit 128, nostamp

    # syslog
    # output alert_syslog: LOG_AUTH LOG_ALERT

    # pcap
    # output log_tcpdump: tcpdump.log

    # database
    # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
    # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

Figure 2.10: Snort config before modification

Snort.conf after modification Syslog

Note: The reason you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need the rights not only to output your alerts to Kiwi but also to write them to a log file.


Screenshot (text recovered): snort.conf Step #6 after editing

    # Step #6: Configure output plugins
    # For more information, see Snort Manual, Configuring Snort - Output Modules

    # unified2
    # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

    # Additional configuration for specific types of installs
    # output alert_unified2: filename snort.alert, limit 128, nostamp
    # output log_unified2: filename snort.log, limit 128, nostamp

    # syslog
    output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT

    # database
    # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
    # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

Figure 2.11: Snort config after configuration

15. Save the file and close it.

16. Open the Kiwi Syslog Server Console and press Ctrl+T. This sends a test message to verify that Kiwi Syslog Server is receiving and logging alerts.

Screenshot: Kiwi Syslog Server (14 Day evaluation - Version 9.3), Display 00 (Default), 14 Days left in evaluation

    Date        Time      Priority      Hostname   Message
    11-14-2012  16:21:30  Local7.Debug  127.0.0.1  Kiwi Syslog Server - Test message number 0001

Figure 2.12: Kiwi Syslog Service Manager window

17. Leave the Kiwi Syslog Server Console open. Do not close the window.

18. Now open a command prompt with Snort and type this command: snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -s and press Enter (here X is the index number of your Ethernet card; -l sets the log directory and -s sends alerts to syslog).


[Figure 2.13 screenshot: Administrator command prompt (C:\Windows\system32\cmd.exe) running Snort in console alert mode.]

Figure 2.13: Snort Alerts-ids Window Listing Snort Alerts

19. Open a command prompt in your Windows 8 virtual machine and type this command: ping 10.0.0.10 (the IP address of your host machine, where the Kiwi Syslog Server Console is running).

20. Go to the Kiwi Syslog Service Manager window (which is already open) and observe the triggered alert logs.

Kiwi Syslog Server filtering options:

■ Filter on IP address, hostname, or message text

■ Filter out unwanted host messages or take a different logging action depending on the host name

■ Perform an action when a message contains specific keywords.

[Figure 2.14 screenshot: Kiwi Syslog Server console listing the Snort alerts generated by the pings, one per second from 18:39:56 to 18:40:12 on 11-14-2012. Every entry has Priority Auth.Alert, Hostname 127.0.0.1 and a message of the form:

Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10]

Figure 2.14: Kiwi Syslog Service Manager with Snort Logs

21. In Kiwi Syslog, you see the Snort alert output listed in Kiwi Syslog Service Manager.

22. You have successfully output Snort alerts to two destinations.

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Kiwi Syslog Server
Information Collected/Objectives Achieved: Output: The Snort alert output listed in Kiwi Syslog Service Manager.

Questions

1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server.

2. Determine how you can move Kiwi Syslog Daemon to another machine.

3. Each Syslog message includes a priority value at the beginning of the text. Evaluate the priority of each Kiwi Syslog message and on what basis messages are prioritized.
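As an added example (not code from the lab manual, Snort or Kiwi), the following Python parses Snort alerts in the form they reach Kiwi Syslog Server in steps 20-21, decodes the leading syslog priority value that question 3 asks about (PRI = facility * 8 + severity, so the Auth.Alert entries in Figure 2.14 carry PRI 33), and counts alerts per signature and source host. The sample messages are constructed to match the lab's format; the hostname WIN-2N9STOSGIEN, the 10.0.0.x addresses and the local rule sid 1000001 are lab or placeholder values.

```python
"""Parse Snort alerts as delivered to a syslog server such as Kiwi Syslog Server.

Added example, not code from the CEH lab manual, Snort or Kiwi. The sample
messages below are constructed to match the alert format seen in the lab;
the hostname and 10.0.0.x addresses are the lab's own values.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164: the leading <PRI> encodes facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon DD HH:MM:SS host snort: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src -> dst
# The Classification block is optional: rules without a classtype omit it.
ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass(frozen=True)
class SnortAlert:
    facility: str
    severity: str
    timestamp: str
    host: str
    gid: int
    sid: int
    rev: int
    message: str
    classification: Optional[str]
    priority: int          # Snort rule priority (1 = highest), not the syslog severity
    proto: str
    src: str               # "ip" for ICMP, "ip:port" for TCP/UDP
    dst: str


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a syslog PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_snort_syslog(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a Snort syslog line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return SnortAlert(
        facility, severity, m["ts"], m["host"],
        int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], m["cls"],
        int(m["prio"]), m["proto"], m["src"], m["dst"],
    )


def host_part(endpoint: str) -> str:
    """Drop the ':port' suffix that TCP/UDP alerts carry; ICMP alerts have none."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def summarize(lines: List[str]) -> Dict[Tuple[int, str, str], int]:
    """Count alerts per (sid, message, source host), skipping non-Snort lines."""
    counts: Counter = Counter()
    for line in lines:
        alert = parse_snort_syslog(line)
        if alert is not None:
            counts[(alert.sid, alert.message, host_part(alert.src))] += 1
    return dict(counts)


# Constructed sample: three ping alerts like those in Figure 2.14 (PRI 33 =
# auth.alert), one TCP alert from a hypothetical local rule (sid 1000001, no
# classtype), and Kiwi's own test message (PRI 191 = local7.debug, as in
# Figure 2.12), which is not a Snort alert and must be ignored.
SAMPLE_LINES = [
    "<33>Nov 14 18:40:10 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10",
    "<33>Nov 14 18:40:11 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10",
    "<33>Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10",
    "<33>Nov 14 18:41:02 WIN-2N9STOSGIEN snort: [1:1000001:1] LOCAL telnet to host "
    "[Priority: 2] {TCP} 10.0.0.12:49152 -> 10.0.0.10:23",
    "<191>Nov 14 16:21:30 127.0.0.1 Kiwi Syslog Server - Test message number 0001",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"sid={key[0]} {key[1]!r} from {key[2]}: {n} alert(s)")
```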

Internet Connection Required

□ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


3

Detecting Intruders and Worms Using KFSensor Honeypot IDS

KFSensor is a Windows-based honeypot Intrusion Detection System (IDS).

Lab Scenario

Intrusion detection systems are designed to search network activity (we are considering both host and network IDS detection) for evidence of malicious abuse. When an IDS algorithm "detects" some sort of activity and the activity is not malicious or suspicious, this detection is known as a false positive. It is important to realize that from the IDS's perspective, it is not doing anything incorrect. Its algorithm is not making a mistake. The algorithm is just not perfect. IDS designers make many assumptions about how to detect network attacks.

An example assumption could be to look for extremely long URLs. Typically, a URL may be only 500 bytes long. Telling an IDS to look for URLs longer than 2000 bytes may indicate a denial of service attack. A false positive could result from some complex e-commerce web sites that store a wide variety of information in the URL and exceed 2000 bytes.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and intrusion detection systems (IDSes), be able to identify malicious network activity and log information, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is to make students learn and understand IPSes and IDSes.

In this lab, you need to:

■ Detect hackers and worms in a network

■ Provide network security

Lab Environment

To carry out this lab, you need:

■ KFSensor, located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Honeypot Tools\KFSensor

■ Install KFSensor in Windows 8

■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing

■ Install MegaPing in Windows Server 2012

■ If you have decided to download the latest version of these tools, the screenshots may differ

■ Administrative privileges to configure settings and run tools

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Duration

Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion prevention system (IPS) is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log related information, attempt to block/stop activity, and report activity.

An IDS is a software device or application that monitors network and/or system activities for malicious activities or policy violations and delivers reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

TASK 1: Configure KFSensor

1. Launch the Windows 8 virtual machine and follow the wizard-driven installation steps to install KFSensor.

2. After installation it will prompt you to reboot the system. Reboot the system.

3. In Windows 8, launch KFSensor. To launch KFSensor, move your mouse cursor to the lower-left corner of your desktop and click Start.

You can also download KFSensor from http://www.keyfocus.net


[Figure 3.1 screenshot: Windows 8 Release Preview desktop (Evaluation copy).]

FIGURE 3.1: KFSensor Window with Setup Wizard

4. In the Start menu apps, right-click the KFSensor app, and click Run as Administrator at the bottom.

[Figure 3.2 screenshot: Windows 8 Start screen (user Admin) showing app tiles, among them Camera, Google Chrome, Messaging, Mozilla Firefox, Services, Calendar, Command Prompt and KFSensor, with the Run as administrator option in the bar at the bottom.]

To set up common ports KFSensor has a set of pre-defined listen definitions. They are:

■ Windows Workstation

■ Windows Server

■ Windows Internet Services

■ Windows Applications

■ Linux (services not usually in Windows)

■ Trojans and worms

FIGURE 3.2: KFSensor Window with Setup Wizard

5. At the first-time launch of the KFSensor Set Up Wizard, click Next.


[Figure 3.3 screenshot: KFSensor Professional - Evaluation Trial main window (menus File, View, Scenario, Signatures, Settings, Help) with the Set Up Wizard dialog in front. The left Ports View lists the server "kfsensor - localhost" with TCP listeners such as 21 FTP, 25 SMTP, 53 DNS, 68 DHCP, 80 IIS, 110 POP3, 119 NNTP, 135 MS RPC, 139 NBT Session, 389 LDAP, 443 HTTPS, 445 NBT SMB, 593 CIS, 1028 MS CIS, 1080 SOCKS, 1433 SQL Server, 2234 DirectPlay, 3128 IIS Proxy and 3268 Global Catalog; the Events View already holds UDP 138 NBT Datagram events from Windows8, WIN-ULY358K, WIN-D39MR5I, WIN-LXQN3W, WIN-MSSELG and WIN-2N9STO...; status bar: Server: Status, Visitors: 0. The wizard text reads: "The KFSensor Set Up Wizard will take you through a number of steps to configure your system. All of these configurations can be modified later using the menu option. You might like to read the manual at this point to learn how KFSensor works and the concepts behind it and the options in this Set Up Wizard."]

The Set Up Wizard is used to perform the initial configuration of KFSensor.

FIGURE 3.3: KFSensor main Window

6. Check all the port classes to include and click Next.

[Figure 3.4 screenshot: Set Up Wizard - Port Classes. Port classes to include (all checked): Windows Workstation, Windows Applications, Windows Server, Windows Internet Services, Linux (services not usually in Windows), Trojans and worms. Wizard Help: "KFSensor can detect intrusions on many different ports and simulate different types of services. These ports are grouped by class. Checked classes will be added to the scenario. Unchecked classes will be removed from the scenario." Buttons: < Back, Next >, Cancel.]

Domain Name is the domain name used to identify the server to a visitor. It is used in several Sim Servers.

FIGURE 3.4: KFSensor Window with Setup Wizard

7. Leave the domain name field as default and click Next.


[Figure 3.5 screenshot: Set Up Wizard - Domain, with the Domain Name field pre-filled. Wizard Help: "This is the domain name used to identify the server to a visitor. This could be the real domain name of the machine or a fictitious one. If you pick a fictitious one, try not to use a real domain belonging to somebody else." Buttons: < Back, Next >, Cancel.]

KFSensor can send alerts by email. The settings in the wizard are the minimum needed to enable this feature.

FIGURE 3.5: KFSensor Window with Setup Wizard

8. If you want to send KFSensor alerts by email, specify the email address details and click Next.

[Figure 3.6 screenshot: Set Up Wizard - EMail Alerts, with empty Send to and Send from fields. Wizard Help: "If you want KFSensor to send alerts by email then fill in the email address details." Buttons: < Back, Next >, Cancel.]

A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon.

FIGURE 3.6: KFSensor Window with Setup Wizard-email alerts

9. Choose options for Denial of Service, Port Activity, Proxy Emulation, and Network Protocol Analyzer and click Next.

The KFSensor Server becomes independent of the logged-on user, so the user can log off and another person can log on without affecting the server.


[Figure 3.7 screenshot: Set Up Wizard - Options, with four settings:]

■ Denial Of Service Options: Cautious (controls how many events are recorded before the server locks up)

■ Port Activity: 1 Hour (how long a port should indicate activity after an event)

■ Proxy Emulation: Allow banner grabs and loop backs (controls if KFSensor is allowed to make limited external connections)

■ Network Protocol Analyzer: Enable packet dump files (dump files are useful for detailed analysis but take up a lot of disk space)

FIGURE 3.7: KFSensor Window with Setup Wizard-options

10. Check the Install as systems service option and click Next.

The KFSensor Monitor is a module that provides the user interface to the KFSensor system. With it you can configure the KFSensor Server and examine the events that it generates.

[Figure 3.8 screenshot: Set Up Wizard - Systems Service, with "Install as systems service" checked. Wizard Help: "A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged on user, so you can log off and another person can log on without affecting the server. The KFSensor Server can be configured to start automatically when the system starts, even before you log on. You must be logged in as the Administrator to install a systems service." Buttons: < Back, Next >, Cancel.]

FIGURE 3.8: KFSensor Window with Setup Wizard-system service

11. Click Finish to complete the Set Up Wizard.

The Ports View is displayed on the left panel of the main window. It consists of a tree structure that displays the name and status of the KFSensor Server and the ports on which it is listening.


[Figure 3.9 screenshot: Set Up Wizard - Finish. "The KFSensor Set Up Wizard has now got all the information it needs to configure your system. To read up on where to go from here click the button below: Getting Started." Note on the Evaluation Version: "There are a number of restrictions set for the ten day duration of the evaluation period. The export functionality is unavailable and the details of some events are deliberately obscured." Buttons: < Back, Finish, Cancel.]

The Ports View can be displayed by selecting the Ports option from the View menu.

FIGURE 3.9: KFSensor finish installation

12. The KFSensor main window appears. It displays the list of ID, protocols, Visitor, and Received automatically when it starts. In the following window, all the nodes in the left block crossed out with blue lines are the ports that are being used.

[Figure 3.10 screenshot: KFSensor Professional - Evaluation Trial main window. The Events View lists 15 events (columns ID, Start, Duration, Pro..., Sens..., Name, Visitor), all UDP 138 NBT Datagram with duration 0.000, from the visitors WIN-ULY358K, WIN-LXQN3W, WIN-MSSELCI, WIN-D39MR5I, Windows8, WIN-2N9STO... and WINDOWS8, timestamped from 9/26/2012 3:36:57 PM to 9/27/2012 5:27:41 PM. The Ports View shows the TCP listeners under "kfsensor - localhost": Closed TCP Ports, 21 FTP, 25 SMTP, 53 DNS, 68 DHCP, 80 IIS, 110 POP3, 119 NNTP, 135 MS RPC, 139 NBT Session, 389 LDAP, 443 HTTPS, 445 NBT SMB, 593 CIS, 1028 MS CIS, 1080 SOCKS, 1433 SQL Server, 2234 DirectPlay, 3128 IIS Proxy, 3268 Global Catalog. Status bar: Server: Running, Visitors: 8.]

FIGURE 3.10: KFSensor Main Window

13. Open a command prompt from the Start menu apps.


The top level item is the server. The IP address of the KFSensor Server and the name of the currently active Scenario are displayed. The server icon indicates the state of the server:

14. In the command prompt window, type netstat -an.

[Figure 3.11 screenshot: Command Prompt]

Microsoft Windows [Version 6.2.8400]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Admin>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:57             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:68             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:82             0.0.0.0:0              LISTENING

FIGURE 3.11: Command Prompt with netstat -an

15. This will display a list of listening ports.

[Figure 3.12 screenshot: Command Prompt, netstat -an output continued]

  TCP    0.0.0.0:82             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:83             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:98             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:111            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:522            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:543            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:563            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:999            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1024           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING

The protocol level of KFSensor is used to group the ports based on their protocol, either TCP or UDP.

FIGURE 3.12: Command Prompt with netstat -an


16. Leave the KFSensor tool running.

17. Follow the wizard-driven installation steps to install MegaPing in Windows Server 2012 (Host Machine).

18. To launch MegaPing, move your mouse cursor to the lower-left corner of your desktop and click Start.

FIGURE 3.13: Start-up window in Windows Server 2012

19. Click the MegaPing app in the Start menu apps.

[Figure 3.14 screenshot: Windows Server 2012 Start screen (user Administrator) showing tiles including Mozilla Firefox, Google Chrome, HTTPort, Command Prompt, Administrative Tools, Hyper-V Manager, MegaPing and Notepad++.]

FIGURE 3.14: Click on MegaPing

20. The main window of MegaPing appears as shown in the following screenshot.

The Visitors View is displayed on the left panel of the main window. It consists of a tree structure that displays the name and status of the KFSensor Server and the visitors who have connected to the server.

Each visitor detected by the KFSensor Server is listed. The visitor's IP address and domain name are displayed.


[Figure 3.15 screenshot: MegaPing (Unregistered) main window, opened on DNS List Hosts (Destination: <None>; Select All; Add). The tool list on the left: DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner, Host Monitor.]

FIGURE 3.15: MegaPing on Windows Server 2012

21. Select Port Scanner from the left side of the list.

22. Enter the IP address of Windows 8 (in this lab the IP address is 10.0.0.12, the machine in which KFSensor is running) in the Destination Address List and click Add.

[Figure 3.16 screenshot: MegaPing Port Scanner settings: Destination 10.0.0.12, Protocols: TCP and UDP, Scan Type: Range of Ports + Custom Ports, Destination Address List with Select All, Add and Start buttons; the result columns are Type, Keyword and Description.]

FIGURE 3.16: MegaPing: Select 10.0.0.12 from Host, Press Start button

23. Check the IP address and click the Start button to start listening to the traffic on 10.0.0.12.

The Visitors View can be displayed by selecting the Visitors option from the View menu.


[Figure 3.17 screenshot: MegaPing Port Scanner with host 10.0.0.12 added to the Destination Address List (Protocols: TCP and UDP; Scan Type: Range of Ports + Custom Ports; buttons Select All, Add, Delete, Start).]

Visitor is obtained by a reverse DNS lookup on the visitor's IP address. An icon is displayed indicating the last time the visitor connected to the server:

FIGURE 3.17: MegaPing data of the packets received

24. The following image displays the identification of Telnet on port 23.

[Figure 3.18 screenshot: MegaPing Port Scanner results for host 10.0.0.12 (columns Port, Type, Keyword, Description, Risk):

23    TCP   telnet       Telnet                  Elevated
25    TCP   smtp         Simple Mail Transfer    Elevated
42    TCP   nameserver   Host Name Server        Low
53    TCP   domain       Domain Name Server      Low]

The Visitors View is linked to the Events View and acts as a filter to it. If you select a visitor then only those events related to that visitor will be displayed in the Events View.

FIGURE 3.18: MegaPing: Telnet port data

25. The following image displays the identification of Socks on port 1080.


[Figure 3.19 screenshot: MegaPing Port Scanner results for host 10.0.0.12, continued (columns Port, Type, Keyword, Description, Risk):

1080  TCP   socks        Socks
1214  TCP                                        Low
1433  TCP   ms-sql-s     Microsoft-SQL-Server    Low
1494  TCP   ica          Citrix ICA Client       Low
1801  TCP                                        Low]

The events are sorted in either ascending or descending chronological order. This is controlled by options on the View menu.

FIGURE 3.19: MegaPing: Blackjack virus

26. Now come back to the Windows 8 virtual machine and look for Telnet data.

[Figure 3.20 screenshot: KFSensor Professional - Evaluation Trial. The Events View shows event ID 31, 9/27/2012 6:24:13 PM, duration 0.000, TCP, sensor port 23, name Telnet. The Ports View (TCP) now lists Closed TCP Ports, 2 Death, Trojan, 7 Echo - Recent, 9 Discard - Recent, 13 Daytime - Recent, 17 Quote of the Day - Recent, 19 Chargen - Recent, 21 FTP - Recent, 22 SSH - Recent, 23 Telnet - Recent, 25 SMTP - Recent, 42 WINS - Recent, 53 DNS - Recent, 57 Mail Transfer - Recent, 68 DHCP - Recent, 80 IIS - Recent, 81 IIS 81 - Recent, 82 IIS 82 - Recent, 83 IIS 83 - Recent, 88 Kerberos - Recent. Status bar: Server: Running, Visitors: 8.]

The events that are displayed are filtered by the currently selected item in the Ports View or the Visitors View.

FIGURE 3.20: Telnet data on KFSensor

27. The following image displays the data of a Death Trojan.
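The honeypot side of steps 23-27 is easier to reason about with a small model of what KFSensor records: one event per visitor per port hit, plus constant NBT Datagram noise on UDP 138 from every Windows host on the segment (Figure 3.10). As an added example, not code from the lab manual or from KFSensor, the following Python groups constructed event records per visitor and flags any visitor that touched many distinct sensor ports in a short window, which is how the MegaPing scan of 10.0.0.12 stands out. The tab-separated export format, the scanner address 10.0.0.10 and the timestamps are assumptions.

```python
"""Flag port-scan behaviour in honeypot event records.

Added example; not code from the lab manual or from KFSensor. It models the
columns of KFSensor's Events View (ID, Start, Duration, Protocol, Sensor port,
Name, Visitor) as constructed records and groups them per visitor so that a
scan like the MegaPing run in this lab stands out from background noise.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class HoneypotEvent:
    event_id: int
    start: datetime
    duration: float
    protocol: str      # "TCP" or "UDP"
    port: int          # sensor port that was hit
    name: str          # KFSensor listen name, e.g. "Telnet", "Death, Trojan"
    visitor: str       # IP address or reverse-DNS name of the visitor


# Background noise in the lab: every Windows host on the segment broadcasts
# NetBIOS datagrams to UDP 138, which KFSensor records without anyone scanning.
BENIGN = {("UDP", 138)}


def parse_event(line: str) -> HoneypotEvent:
    """Parse one constructed, tab-separated export line (a hypothetical format)."""
    event_id, start, duration, proto, port, name, visitor = line.split("\t")
    return HoneypotEvent(int(event_id),
                         datetime.strptime(start, "%m/%d/%Y %I:%M:%S %p"),
                         float(duration), proto, int(port), name, visitor)


def find_scanners(events: List[HoneypotEvent],
                  window: timedelta = timedelta(minutes=5),
                  min_ports: int = 5) -> Dict[str, List[int]]:
    """Return {visitor: sorted distinct ports} for every visitor that touched at
    least `min_ports` distinct sensor ports inside some `window`-long interval."""
    by_visitor: Dict[str, List[HoneypotEvent]] = defaultdict(list)
    for ev in events:
        if (ev.protocol, ev.port) not in BENIGN:   # drop broadcast noise first
            by_visitor[ev.visitor].append(ev)
    flagged: Dict[str, List[int]] = {}
    for visitor, evs in by_visitor.items():
        evs.sort(key=lambda e: e.start)
        for i, first in enumerate(evs):          # slide the window over the events
            ports = {e.port for e in evs[i:] if e.start - first.start <= window}
            if len(ports) >= min_ports:
                flagged[visitor] = sorted(ports)
                break
    return flagged


# Constructed export: NBT noise from two hosts, an eleven-port sweep from the
# assumed scanner 10.0.0.10 (the ports KFSensor showed as "Recent" in
# Figure 3.20 plus 1080 SOCKS), and two ordinary hits from another host.
SAMPLE_EXPORT = [
    "10\t9/27/2012 5:16:15 PM\t0.000\tUDP\t138\tNBT Datagram\tWindows8",
    "11\t9/27/2012 5:27:15 PM\t0.000\tUDP\t138\tNBT Datagram\tWIN-ULY358K",
    "20\t9/27/2012 6:24:10 PM\t0.000\tTCP\t2\tDeath, Trojan\t10.0.0.10",
    "21\t9/27/2012 6:24:11 PM\t0.000\tTCP\t7\tEcho\t10.0.0.10",
    "22\t9/27/2012 6:24:12 PM\t0.000\tTCP\t9\tDiscard\t10.0.0.10",
    "23\t9/27/2012 6:24:13 PM\t0.000\tTCP\t13\tDaytime\t10.0.0.10",
    "24\t9/27/2012 6:24:14 PM\t0.000\tTCP\t17\tQuote of the Day\t10.0.0.10",
    "25\t9/27/2012 6:24:15 PM\t0.000\tTCP\t19\tChargen\t10.0.0.10",
    "26\t9/27/2012 6:24:16 PM\t0.000\tTCP\t21\tFTP\t10.0.0.10",
    "27\t9/27/2012 6:24:17 PM\t0.000\tTCP\t22\tSSH\t10.0.0.10",
    "28\t9/27/2012 6:24:18 PM\t0.000\tTCP\t23\tTelnet\t10.0.0.10",
    "29\t9/27/2012 6:24:19 PM\t0.000\tTCP\t25\tSMTP\t10.0.0.10",
    "30\t9/27/2012 6:24:20 PM\t0.000\tTCP\t1080\tSOCKS\t10.0.0.10",
    "50\t9/27/2012 6:30:00 PM\t1.250\tTCP\t80\tIIS\tWIN-D39MR5I",
    "51\t9/27/2012 6:31:00 PM\t0.500\tTCP\t443\tHTTPS\tWIN-D39MR5I",
]

if __name__ == "__main__":
    for visitor, ports in find_scanners([parse_event(l) for l in SAMPLE_EXPORT]).items():
        print(f"{visitor}: {len(ports)} distinct ports {ports}")
```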


[Figure 3.21 screenshot: KFSensor Professional - Evaluation Trial. The Events View shows an event at 9/27/2012 6:24:12 PM on TCP port 2 (Death, Trojan); the Ports View tree is the same as in Figure 3.20. Status bar: Server: Running, Visitors: 8.]

Exit: Shuts down the KFSensor Monitor. If the KFSensor Server is not installed as a systems service then it will be shut down as well.

FIGURE 3.21: Death Trojan data on KFSensor

Lab AnalysisAnalyze and document die results related to die lab exercise. Give your opinion on your target’s security־ posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: KFSensor Honeypot IDS

Information Collected/Objectives Achieved: Output: Infected Port number: 1080; Number of Detected Trojans: 2

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that creates a transparent tunnel through a proxy server or firewall.

Lab Scenario

Attackers are always on the hunt for clients that can be easily compromised, and they can enter your network by IP spoofing to damage or steal your data. The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove disastrous for an organization’s network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.

Hence, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc., and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.

Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab, you will learn HTTP tunneling using HTTPort.

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment

In the lab, you need the HTTPort tool.

ICON KEY

Valuable information
Test your knowledge
Web exercise
Workbook review


■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots\HTTPort

■ You can also download the latest version of HTTPort from the link http://www.targeted.org

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ Install HTTHost on the Windows 8 Virtual Machine

■ Install HTTPort on Windows Server 2012 Host Machine

■ Follow the wizard-driven installation steps and install it

■ Administrative privileges are required to run this tool

Lab Duration

Time: 20 Minutes

Overview of HTTPort

HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, firewalls, and transparent accelerators.

Lab Tasks

1. Before running the tool, you need to stop the IIS Admin Service and World Wide Web services on the Windows Server 2008 virtual machine.

2. Select Administrative Privileges → Services → IIS Admin Service, right-click and select Stop.

[Screenshot: Services console (File, Action, View, Help) with IIS Admin Service selected. Description: Enables this server to administer Web and FTP services. If this service is stopped, the server will be unable to run Web, FTP, NNTP, or SMTP sites or configure IIS. If this service is disabled, any services that explicitly depend on it will fail to start. Context menu: Stop, Pause, Resume, Restart, All Tasks, Refresh, Properties, Help.]

FIGURE 4.1: Stopping IIS Admin Service in Windows Server 2008

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots

TASK 1

Stopping IIS Services

HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.


3. Select Administrative Privileges → Services → World Wide Web Services, right-click and select Stop.

[Screenshot: Services console with World Wide Web Publishing Service selected (Stop the service, Pause the service, Restart the service). Description: Provides Web connectivity and administration through the Internet Information Services Manager.]

FIGURE 4.2: Stopping World Wide Web Services in Windows Server 2008

4. Log in to Windows Server 2008 virtual machine.

5. Open Mapped Network Drive CEH-Tools at Z:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots.

6. Open the HTTHost folder and double-click htthost.exe.

7. A HTTHost wizard will open; select the Options tab.

8. On the Options tab, leave all the settings at their defaults except the Personal Password field, which should be filled with any other password. In this lab the Personal Password is “magic.”

9. Check the Log Connections option and click Apply.

It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.


Tools demonstrated in this lab are available in Z:\ Mapped Network Drive

10. Now leave HTTHost intact, and don’t turn off the Windows Server 2008 Virtual Machine.

11. Now switch to the Windows Server 2008 Host Machine, and install HTTPort from D:\CEH-Tools\CEHv7 Module 16 Evading IDS, Firewalls and Honeypots.

12. Follow the wizard-driven installation steps.

13. Now open HTTPort from Start → All Programs → HTTPort 3.SNFM → HTTPort 3.SNFM.

14. The HTTPort window appears as shown in the following figure.

To set up HTTPort, you need to point your browser to 127.0.0.1

[Screenshot: HTTPort 3.SNFM main window with System, Proxy, Port mapping, About and Register tabs. The Proxy tab holds: HTTP proxy to bypass (blank = direct or firewall) with Host name or IP address and Port; Proxy requires authentication with Username and Password; Bypass mode: Remote host; Misc. options: User-Agent; Use personal remote host at (blank = use public) with Host name or IP address, Port and Password.]

FIGURE 4.4: HTTPort Main Window

[Screenshot: HTTHost 1.8.5 Options tab: Bind listening to 0.0.0.0 port 80; Allow access from 0.0.0.0; Personal password set; Passthrough unrecognized requests to 127.0.0.1 with Original IP header field x-Original-IP; Timeouts; Max. local buffer 256K; Revalidate DNS names; Log connections checked; Apply button; tabs Statistics, Application log, Options, Security, Send a Gift.]

FIGURE 4.3: HTTHost Options tab


15. Select the Proxy tab and enter the Host name or IP address of the targeted machine.

16. Here, as an example, enter the Windows Server 2008 virtual machine IP address, and enter Port number 80.

17. You cannot set the Username and Password fields.

18. In the Use personal remote host at section, enter the targeted host machine IP address; the port should be 80.

19. Any password can be chosen; here, as an example, the password is magic.

[Screenshot: HTTPort 3.SNFM Proxy tab: HTTP proxy to bypass (blank = direct or firewall) with Host name or IP address and Port filled in as in steps 15 and 16; Proxy requires authentication unchecked; Bypass mode: Remote host; User-Agent: IE 6.0; Use personal remote host at 10.0.0.3, Port 80, Password set.]

FIGURE 4.5: HTTPort Proxy settings window

20. Select the Port Mapping tab and click Add to create a New Mapping.

HTTPort comes with the predefined mapping "External HTTP proxy" of local port

For each program, create a custom mapping, given all the addresses on which it operates. For applications that dynamically change ports there is a SOCKS4 proxy mode, in which the software creates a local SOCKS server (127.0.0.1).

In a real-world environment, people sometimes use a password-protected proxy to let company employees access the Internet.


[Screenshot: HTTPort Port mapping tab: Static TCP/IP port mappings (tunnels) showing a New mapping node with Local port, Remote host (remote.host.name) and Remote port; Add and Remove buttons; Select a mapping to see statistics (No stats, inactive); LEDs; Built-in SOCKS4 server: Run SOCKS server (port 1080), Full SOCKS4 support (BIND) available in "Remote Host" mode.]

FIGURE 4.6: HTTPort creating a New Mapping

21. Select the New Mapping node, right-click New Mapping, and select Edit.

[Screenshot: HTTPort Port mapping tab with the context menu open on the New mapping node, Edit highlighted.]

FIGURE 4.7: HTTPort Editing to assign a mapping

22. Rename it to ftp certified hacker, select the Local port node, right-click to Edit, and enter a Port value of 80.

23. Now right-click the Remote host node to Edit and rename it as ftp.certifiedhacker.com.

24. Now right-click the Remote port node to Edit and enter the port value of 21.

HTTHost supports registration, but it is free and password-free: you will be issued a unique ID with which you can contact the support team and ask your questions.


[Screenshot: HTTPort Port mapping tab with the mapping renamed, Remote host ftp.certifiedhacker.com and Remote port 21; Run SOCKS server (port 1080) checked.]

FIGURE 4.8: HTTPort Static TCP/IP port mapping

25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.

[Screenshot: HTTPort Proxy tab: HTTP proxy to bypass left blank, Bypass mode: Remote host, personal remote host 10.0.0.3 port 80 with password set.]

FIGURE 4.9: HTTPort to start tunneling

26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.

27. Check the last line. If it reads LISTENER: listening at 0.0.0.0:80, then it is running properly.

In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box because we only support a non-password-protected proxy.


HTTHost 1.8.5 Application log:

MAIN  HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
MAIN  Project codename: 99 red balloons
MAIN  Written by Dmitry Dvoinikov (c) 1999-2004, Dmitry Dvoinikov
MAIN  64 total available connection(s)
MAIN  network started
MAIN  RSA keys initialized
MAIN  loading security filters...
MAIN  loaded filter "grant.dll" (allows all connections within ...
MAIN  loaded filter "block.dll" (denies all connections within ...
MAIN  done, total 2 filter(s) loaded
MAIN  using transfer encoding: PrimeScrambler64/SevenT...
MAIN  LISTENER: listening at 0.0.0.0:80

FIGURE 4.10: HTTHost Application log section

28. Now switch to the Windows Server 2008 host machine and turn ON the Windows Firewall.

29. Go to Windows Firewall with Advanced Security.

30. Select Outbound Rules from the left pane of the window, then click New Rule in the right pane of the window.

[Screenshot: Windows Firewall with Advanced Security in Windows Server 2008, Outbound Rules list (Core Networking, File and Printer Sharing, Hyper-V, iSCSI Service and other rules) with New Rule..., Filter by Profile, Filter by State, Filter by Group, Refresh, Export List... and Help in the Actions pane.]

FIGURE 4.11: Windows Firewall with Advanced Security window in Windows Server 2008

31. In the New Outbound Rule Wizard, check the Port option in the Rule Type section and click Next.

Tools demonstrated in this lab are available in Z:\ Mapped Network Drive in Virtual Machines


HTTPort doesn't really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

FIGURE 4.12: Windows Firewall selecting a Rule Type

32. Now select All local ports in the Protocol and Ports section.

You need to install HTTHost on a PC that is generally accessible on the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for HTTHost on home PCs:

33. In the Action section, select Block the connection and click Next.

[Screenshot: New Outbound Rule Wizard, Protocol and Ports step. Steps: Rule Type, Protocol and Ports, Action, Profile, Name. Questions: Does this rule apply to TCP or UDP? (TCP / UDP); Does this rule apply to all local ports or specific local ports? (All local ports selected; Specific local ports); Back, Next, Cancel.]

FIGURE 4.13: Windows Firewall assigning Protocols and Ports

[Screenshot: New Outbound Rule Wizard, Rule Type step: What type of rule would you like to create? Program (rule that controls connections for a program), Port (selected), Predefined (rule that controls connections for a Windows experience), Custom (custom rule); Next. This is the window captioned FIGURE 4.12 above.]


NAT/firewall issues: you need to enable an incoming port. For HTTHost it will typically be 80 (HTTP) or 443 (HTTPS), but any port can be used if the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.

34. In the Profile section, select all three options so that the rule applies to Domain, Private, and Public, and click Next.

35. Type Port 21 Blocked in the Name field, and click Finish.

[Screenshot: New Outbound Rule Wizard, Profile step: When does this rule apply? Domain (applies when a computer is connected to its corporate domain), Private (applies when a computer is connected to a private network location), Public (applies when a computer is connected to a public network location), all three checked; Back, Next, Cancel.]

FIGURE 4.15: Windows Firewall Profile settings

[Screenshot: New Outbound Rule Wizard, Action step: What action should be taken when a connection matches the specified conditions? Allow the connection; Allow the connection if it is secure (only connections authenticated and integrity-protected through IPsec, with an option to require encryption); Block the connection (selected); Back, Next, Cancel.]

FIGURE 4.14: Windows Firewall setting an Action


The default TCP port for an FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port, which results in FTP connection issues.

36. The new rule Port 21 Blocked is created as shown in the following figure.

HTTPort doesn't really care for the proxy as such: it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.

37. Right-click the newly created rule and select Properties.

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list with the new Port 21 Blocked rule at the top and its Actions pane entries (Disable Rule, Delete, Properties, Help).]

FIGURE 4.17: Windows Firewall New rule

[Screenshot: New Outbound Rule Wizard, Name step: Name: Port 21 Blocked; Description (optional) empty; Back, Finish, Cancel.]

FIGURE 4.16: Windows Firewall assigning a name to Port


[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list with Port 21 Blocked selected; the Actions pane offers Disable Rule, Delete, Properties, and Help.]

FIGURE 4.18: Windows Firewall new rule properties

38. Select the Protocols and Ports tab. Change the Remote port option to Specific Ports and enter the port number 21.

39. Leave the other settings at their defaults and click Apply, then OK.

HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

Enables you to bypass your HTTP proxy in case it blocks you from the Internet.

With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC, etc. The basic idea is that you set up your Internet software

40. Type ftp 127.0.0.1 in the command prompt and press Enter. The connection is blocked on the local host in Windows Server 2008.

[Figure: "Port 21 Blocked" rule properties dialog, Protocols and Ports tab (other tabs: General, Programs and Services, Computers, Scope, Advanced). Local port: All Ports. Remote port: Specific Ports, 21. Internet Control Message Protocol (ICMP) settings left unchanged; OK, Cancel and Apply buttons.]

FIGURE 4.19: Firewall Port 21 Blocked Properties

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 898


HTTPort neither freezes nor hangs; what you are experiencing is known as a "blocking operation".

FIGURE 4.20: ftp connection is blocked

41. Now open a command prompt on the Windows Server 2008 host machine, type ftp ftp.certifiedhacker.com and press Enter.

[Administrator: Command Prompt - ftp ftp.certifiedhacker.com]

    C:\Users\Administrator>ftp ftp.certifiedhacker.com
    Connected to ftp.certifiedhacker.com.
    220-Microsoft FTP Service
    220 Welcome TO FTP Account
    User (ftp.certifiedhacker.com:(none)):

HTTPort makes it possible to open the client side of a TCP/IP connection and provide it to any software. The keywords here are "client" and "any software".

FIGURE 4.21: Executing ftp command
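What the HTTPort notes above describe, and what steps 40 and 41 exercise, written out as an added Python example; this is not HTTPort's own code and not part of the EC-Council lab. It assumes the HTTPort-style mapping is built on the HTTP CONNECT method (the page does not show HTTPort's actual proxy dialogue), and the names open_connect_tunnel, serve_port_mapping and demo are this example's own. The lab's proxy at 10.0.0.4:80 and the server ftp.certifiedhacker.com are replaced by constructed in-process stand-ins so the script runs offline; demo(proxy_allows_connect=False) shows the failure mode in which the proxy refuses CONNECT.

```python
# Added example (not HTTPort's code nor the EC-Council lab's): an HTTPort-style port
# mapping that tunnels a local client through an HTTP proxy with CONNECT (assumed;
# the lab shows no proxy dialogue). The proxy and FTP server below are constructed stubs.
import select
import socket
import threading

def open_connect_tunnel(proxy, dest, timeout=5.0):
    """CONNECT via proxy (host, port) to dest (host, port); returns (socket, bytes glued to the reply)."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(f"CONNECT {dest[0]}:{dest[1]} HTTP/1.1\r\n"
              f"Host: {dest[0]}:{dest[1]}\r\n\r\n".encode())
    buf = b""
    while b"\r\n\r\n" not in buf:               # status line + headers
        chunk = s.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed before replying")
        buf += chunk
    head, leftover = buf.split(b"\r\n\r\n", 1)  # leftover: e.g. an early FTP banner
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or not status[1].startswith(b"2"):
        s.close()
        raise ConnectionError(f"proxy refused CONNECT: {head[:60]!r}")
    return s, leftover

def relay(a, b):
    """Copy bytes in both directions until either side closes."""
    try:
        while True:
            for s in select.select([a, b], [], [])[0]:
                data = s.recv(4096)
                if not data:
                    return
                (b if s is a else a).sendall(data)
    finally:
        a.close()
        b.close()

def _spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def serve_port_mapping(listener, proxy, dest):
    """Tunnel every client accepted on listener through proxy to dest; returns when listener closes."""
    def handle(client):
        try:
            up, leftover = open_connect_tunnel(proxy, dest)
        except OSError:                         # ConnectionError is an OSError
            client.close()                      # the client just sees EOF
            return
        client.sendall(leftover)
        relay(client, up)
    while True:
        try:
            client, _ = listener.accept()
        except OSError:                         # listener closed
            return
        _spawn(handle, client)

def _fake_ftp(ls):                              # constructed stand-in for ftp.certifiedhacker.com
    conn, _ = ls.accept()
    with conn:
        conn.sendall(b"220-Microsoft FTP Service\r\n220 Welcome TO FTP Account\r\n")
        if conn.recv(1024).upper().startswith(b"USER"):
            conn.sendall(b"331 Password required\r\n")

def _fake_proxy(ls, allow):                     # constructed stand-in for the 10.0.0.4:80 proxy
    conn, _ = ls.accept()
    req = conn.recv(4096)                       # one small CONNECT request from our own code
    host, port = req.split(b" ", 2)[1].decode().rsplit(":", 1)
    if not allow:                               # a proxy that forbids tunnelling
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        conn.close()
        return
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    relay(conn, socket.create_connection((host, int(port))))

def demo(proxy_allows_connect=True):
    """'ftp 127.0.0.1' plus USER through the mapping; returns the dialogue text, or None."""
    ftp_ls, proxy_ls, map_ls = (socket.create_server(("127.0.0.1", 0)) for _ in range(3))
    _spawn(_fake_ftp, ftp_ls)
    _spawn(_fake_proxy, proxy_ls, proxy_allows_connect)
    _spawn(serve_port_mapping, map_ls, proxy_ls.getsockname(), ftp_ls.getsockname())
    buf = b""
    try:
        with socket.create_connection(map_ls.getsockname(), timeout=5) as c:
            c.sendall(b"USER anonymous\r\n")
            while b"331" not in buf:            # banner first, then the USER reply
                chunk = c.recv(1024)
                if not chunk:
                    return None                 # EOF from the mapping: tunnel refused
                buf += chunk
    except OSError:
        return None
    finally:
        map_ls.close()
    return buf.decode()

if __name__ == "__main__":
    print(demo())
```

Run it and demo() returns the 220 banner followed by the 331 reply, the same dialogue Figure 4.21 shows; with the refusing proxy it returns None and the ftp client would simply see the connection drop. The caveat this makes concrete: the outbound rule from steps 38 and 39 matches remote port 21 only, whereas every packet the mapping sends leaves the host towards the proxy's port 80, so a port-based host firewall rule never sees the FTP session. Stopping or detecting this means controlling CONNECT at the proxy (deny it to ports other than 443 and log the rest) rather than adding more host rules.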

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility    Information Collected/Objectives Achieved
HTTPort         Proxy server used: 10.0.0.4
                Port scanned: 80
                Result: ftp 127.0.0.1 connected to 127.0.0.1



Questions

1. How would you set up HTTPort to use an email client (Outlook, Messenger, etc.)?

2. Examine whether the software does not allow editing the address to connect to.

Internet Connection Required
☑ Yes  ☐ No

Platform Supported
☐ iLabs
