
CEH Lab Manual

Evading IDS, Firewalls, and Honeypots

Module 17


Module 17 - Evading IDS, Firewalls and Honeypots

Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

Lab Scenario

Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are those that have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a "process of identifying and responding to malicious activity targeted at computing and networking resources." In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Lab Objectives

The objective of this lab is to help students learn to detect intrusions in a network, log them, and view all log files. In this lab, you will learn how to:

■ Install and configure Snort IDS

■ Run Snort as a service

■ Log Snort log files to the Kiwi Syslog Server

■ Store Snort log files to two output sources simultaneously

Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine

■ A computer running Windows Server 2008, Windows 8, or Windows 7 as a virtual machine


Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

■ WinPcap drivers installed on the host machine

CEH Lab Manual Page 847 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


■ Notepad++ installed on the host machine

■ Kiwi Syslog Server installed on the host machine

■ Active Perl installed on the host machine to run Perl scripts

■ Administrative privileges to configure settings and run tools

■ A web browser with Internet access

Lab Duration

Time: 40 Minutes

Overview of Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. In addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself or changing the security environment.

IDPSes are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in using IDSes:

■ Detecting Intrusions Using Snort

■ Logging Snort Alerts to Kiwi Syslog Server

■ Detecting Intruders and Worms using KFSensor Honeypot IDS

■ HTTP Tunneling Using HTTPort

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Detecting Intrusions using Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by reviewing IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trending data from the Internet. As IDS attacks become more cultured, automatically reasoning about attack scenarios in real time and categorizing those scenarios becomes a critical challenge. These result in huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Lab Objectives

The objective of this lab is to familiarize students with IPSes and IDSes.

In this lab, you need to:

■ Install Snort and verify Snort alerts

■ Configure and validate snort.conf file

■ Test the working of Snort by carrying out an attack test

■ Perform intrusion detection

■ Configure Oinkmaster

Lab Environment

To carry out this lab, you need:


■ A computer running Windows Server 2012 as a host machine

■ Windows 7 running on a virtual machine as an attacker machine

■ WinPcap drivers installed on the host machine

■ Notepad++ installed on the host machine

■ Kiwi Syslog Server installed on the host machine

■ Active Perl installed on the host machine to run Perl scripts

■ Administrative privileges to configure settings and run tools

Lab Duration

Time: 30 Minutes

Overview of Intrusion Prevention Systems and Intrusion Detection Systems

An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity.

An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

Install Snort

1. Start Windows Server 2012 on the host machine. Install Snort.

2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.

3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.

4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.

5. A window appears after successful installation of Snort. Click the Close button.

6. Click OK to exit the Snort Installation window.

You can also download Snort from http://www.snort.org.

Snort is an open source network intrusion prevention and detection system (IDS/IPS).


Snort 2.9.3.1 Setup

Snort has successfully been installed.

Snort also requires WinPcap 4.1.1 to be installed on this machine. WinPcap can be downloaded from:

http://www.winpcap.org/

It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable.

Next, you must manually edit the 'snort.conf' file to specify proper paths to allow Snort to find the rules files and classification files.

OK

Figure 1.1: Snort Successful Installation Window

7. Snort requires WinPcap to be installed on your machine.

8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort, and double-clicking WinPcap_4_1_2.exe.

9. By default, Snort installs itself in C:\Snort (C:\ or D:\ depending upon the disk drive on which the OS is installed).

10. Register on the Snort website https://www.snort.org/signup in order to download Snort Rules. After registration completes, it will automatically redirect to a download page.

11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.

12. Extract the downloaded rules and copy the extracted folder to this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.

13. Rename the extracted folder to snortrules.

14. Now go to the etc folder of the extracted Snort rules at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc, copy the snort.conf file, and paste this file in C:\Snort\etc.

15. A snort.conf file is already present in C:\Snort\etc; replace this file with the snort.conf file from the Snort rules.

16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.

WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets bypassing the protocol stack.


17. Replace the preproc_rules folder: copy it from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.

18. Copy all the files from this location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

19. Now navigate to C:\Snort, right-click the bin folder, and click Cmd Here from the context menu to open it in a command prompt.

20. Type snort and press Enter.

To print out the TCP/IP packet headers to the screen (i.e. sniffer mode), type: snort -v.

21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and comes back to C:\Snort\bin.

22. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet drivers, but all are disabled by default.

23. Observe your Ethernet Driver index number and write it down; in this lab, the Ethernet Driver index number is 1.

24. To enable the Ethernet Driver, in the command prompt, type snort -dev -i 2 and press Enter.

Figure 1.3: Snort -W Command (screenshot of the snort -W output in an Administrator command prompt: the Snort 2.9.3.1-WIN32 banner followed by a table of Index, Physical Address, IP Address, Device Name and Description for each interface, all marked disabled; in the screenshot index 4 is the Realtek PCIe GBE Family Controller)

Figure 1.2: Snort Basic Command (screenshot of snort run from C:\Snort\bin in packet dump mode: Initializing Snort, Initializing Output Plugins, pcap DAQ configured to passive, Acquiring network traffic from the \Device\NPF_ interface, Decoding Ethernet, Initialization Complete, then Commencing packet processing)

TASK 2

Verify Snort Alert


25. You see rapidly scrolling text in the command prompt. This means that the Ethernet Driver is enabled and working properly.

To specify a logging directory, type snort -dev -l /logdirectorylocation and Snort automatically knows to go into packet logger mode.

26. Leave the Snort command prompt window open, and launch another command prompt window.

27. In the new command prompt, type ping google.com and press Enter.

Ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

28. This ping command triggers a Snort alert in the Snort command prompt with rapidly scrolling text.

To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.

Figure 1.4: Snort -dev -i 4 Command (screenshot: snort -dev -i 4 run from C:\Snort\bin, the initialization messages, Commencing packet processing, then an ARP who-has 10.0.0.13 tell 10.0.0.10 line)

Figure 1.5: Ping google.com Command (screenshot: decoded packets of the conversation 10.0.0.10:51345 -> 74.125.236.85:443, each with the Ethernet addresses, the IP header fields TTL, TOS, ID, IpLen and DgmLen, and the TCP Seq, Ack, Win and TcpLen values, followed by repeated ARP who-has 10.0.0.13 tell 10.0.0.10 requests)

Figure 1.6: Snort Showing Captured Google Request (screenshot: the hex and ASCII payload dump of a packet from 74.125.236.85:443 to 10.0.0.10:51345 in the same conversation)


29. Close both command prompt windows. The verification of the Snort installation and alert triggering is complete, and Snort is working correctly in verbose mode.
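The verbose output in Figures 1.4 to 1.6 is what an analyst has to read through to find a pattern, such as the same ARP request for 10.0.0.13 repeating without an answer. The following Python script is an added example, not part of the lab manual or of Snort: it parses the header lines that snort -dev prints (the IPv4 TCP/UDP/ICMP header line, the ICMP Type/Code line and the ARP lines) and tallies flows, ICMP echo traffic and ARP requests that never received a reply. SAMPLE_DUMP is constructed to mirror the figures; the 10.0.0.1 request/reply pair and the "ARP reply ... is-at" line format are assumptions added for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample modelled on the packet-dump lines in Figures 1.4-1.6
# (not captured from the lab machine).
SAMPLE_DUMP = """\
11/14-09:58:16.374896 00:09:5B:AE:24:CC -> D4:BE:D9:C3:C3:CC type:0x800 len:0x5F
74.125.236.85:443 -> 10.0.0.10:51345 TCP TTL:56 TOS:0x0 ID:55300 IpLen:20 DgmLen:81
***AP*** Seq: 0x81047C40  Ack: 0x4C743C54  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/14-09:58:16.374896 D4:BE:D9:C3:C3:CC -> 00:09:5B:AE:24:CC type:0x800 len:0x36
10.0.0.10:51345 -> 74.125.236.85:443 TCP TTL:128 TOS:0x0 ID:20990 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4C743C54  Ack: 0x81047C77  Win: 0xFB27  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/14-09:58:17.496035 ARP who-has 10.0.0.13 tell 10.0.0.10
11/14-09:58:18.352315 ARP who-has 10.0.0.13 tell 10.0.0.10
11/14-09:58:19.352675 ARP who-has 10.0.0.13 tell 10.0.0.10
11/14-09:58:19.500000 ARP who-has 10.0.0.1 tell 10.0.0.10
11/14-09:58:19.500500 ARP reply 10.0.0.1 is-at 00:09:5B:AE:24:CC
11/14-09:58:20.001000 D4:BE:D9:C3:C3:CC -> 00:09:5B:AE:24:CC type:0x800 len:0x4A
10.0.0.10 -> 74.125.236.85 ICMP TTL:128 TOS:0x0 ID:20991 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/14-09:58:20.031000 00:09:5B:AE:24:CC -> D4:BE:D9:C3:C3:CC type:0x800 len:0x4A
74.125.236.85 -> 10.0.0.10 ICMP TTL:56 TOS:0x0 ID:55301 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1   Seq:1  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

TS = r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ "            # MM/DD-HH:MM:SS.usec prefix
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ARP_REQ_RE = re.compile(TS + r"ARP who-has " + IPV4 + r" tell " + IPV4 + r"$")
ARP_REPLY_RE = re.compile(TS + r"ARP reply " + IPV4 + r" is-at (\S+)$")  # assumed format
IP_HDR_RE = re.compile(r"^" + IPV4 + r"(?::(\d+))? -> " + IPV4
                       + r"(?::(\d+))? (TCP|UDP|ICMP) TTL:(\d+)")
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")


def summarize_dump(text):
    """Walk the dump line by line and tally flows, ICMP echoes and ARP requests."""
    flows = Counter()
    arp_requests = Counter()
    arp_replied = set()
    icmp = Counter()
    expect_icmp = False            # True right after an ICMP header line
    for raw in text.splitlines():
        line = raw.rstrip()
        if expect_icmp:
            expect_icmp = False
            m = ICMP_RE.match(line)
            if m:
                t = int(m.group(1))
                icmp["echo_request" if t == 8 else "echo_reply" if t == 0 else "other"] += 1
                continue
        m = ARP_REQ_RE.match(line)
        if m:
            arp_requests[m.group(1)] += 1       # target being asked for
            continue
        m = ARP_REPLY_RE.match(line)
        if m:
            arp_replied.add(m.group(1))
            continue
        m = IP_HDR_RE.match(line)
        if m:
            src, sport, dst, dport, proto, _ttl = m.groups()
            src_ep = src + ":" + sport if sport else src
            dst_ep = dst + ":" + dport if dport else dst
            flows[proto + " " + src_ep + " -> " + dst_ep] += 1
            expect_icmp = proto == "ICMP"
    unanswered = sorted(ip for ip in arp_requests if ip not in arp_replied)
    return {"flows": flows, "arp_requests": arp_requests,
            "unanswered_arp": unanswered, "icmp": icmp}


def report(summary):
    """Render the summary as lines an analyst can skim."""
    lines = ["flows seen:"]
    for flow, count in summary["flows"].most_common():
        lines.append("  %5d  %s" % (count, flow))
    lines.append("icmp: %s" % dict(summary["icmp"]))
    for ip, count in summary["arp_requests"].most_common():
        status = "UNANSWERED" if ip in summary["unanswered_arp"] else "answered"
        lines.append("arp who-has %s x%d (%s)" % (ip, count, status))
    return lines


if __name__ == "__main__":
    # Pass a file saved with "snort -dev -i <n> > dump.txt" to analyze real output.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("\n".join(report(summarize_dump(text))))
```

Ethernet header lines, TCP flag lines and the =+=+ separators are ignored on purpose, so the script copes with output from Figure 1.4 (where ARP lines stand alone) as well as the full records of Figure 1.5.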

30. Configure the snort.conf file located at C:\Snort\etc.

31. Open the snort.conf file with Notepad++.

32. The snort.conf file opens in Notepad++ as shown in the following screenshot.

Figure 1.7: Configuring snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line, replace any with the IP address (Line 45) of the machine where Snort is running.

Figure 1.8: Configuring snort.conf File in Notepad++ (screenshot: the Step #1 network variables section, with line 45 changed to ipvar HOME_NET [10.0.0.10])

34. Leave the EXTERNAL_NET any line as it is.

TASK 3

Configure snort.conf File

Make sure to grab the rules for the version of Snort you are installing.

To log packets in tcpdump format and produce minimal alerts, type: snort -b -A fast -c snort.conf

Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.


35. If you have a DNS Server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS Server IP address; otherwise, leave this line as it is.

36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.

37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.

38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.

The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.

Figure 1.9: Configuring snort.conf File in Notepad++ (screenshot: lines 104-106 changed to var RULE_PATH C:\Snort\rules, var SO_RULE_PATH C:\Snort\so_rules and var PREPROC_RULE_PATH C:\Snort\preproc_rules; the comment above them advises Windows users to use an absolute path such as c:\snort\rules, and the comment below notes that the reputation preprocessor paths WHITE_LIST_PATH and BLACK_LIST_PATH are relative to where snort is run, not to snort.conf)

Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators ? and -.

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.

Figure 1.10: Configuring snort.conf File in Notepad++ (screenshot: lines 113-114 changed to var WHITE_LIST_PATH C:\Snort\rules and var BLACK_LIST_PATH C:\Snort\rules)


40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules; make sure the two files' extensions are .rules.

41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure the dynamic loaded libraries in this section.

42. At path to dynamic preprocessor libraries (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.

43. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.

Figure 1.11: Configuring snort.conf File in Notepad++ (screenshot: the Step #4 section, with line 247 changed to dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor while the dynamicengine and dynamicdetection lines still hold their /usr/local/lib defaults)

44. At path to base preprocessor (or dynamic) engine (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.

Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.

Figure 1.12: Configuring Snort.conf File in Notepad++


45. Comment out (#) the dynamic rules libraries line (Line 253), as you already configured the libraries in dynamic preprocessor libraries.

Figure 1.13: Configuring snort.conf File in Notepad++ (screenshot: line 250 now reads dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll and the dynamicdetection directory line 253 is commented out)

Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

46. Scroll down to the Step #5: Configure Preprocessors section (Line 256). The listed preprocessors do nothing in IDS mode, but generate errors at runtime.

47. Comment out all the preprocessors listed in this section by adding # before each preprocessor.

Figure 1.14: Configuring snort.conf File in Notepad++ (screenshot: the inline packet normalization preprocessors normalize_ip4, normalize_tcp, normalize_icmp4, normalize_ip6 and normalize_icmp6 commented out; the frag3 and stream5 preprocessor lines that follow are unchanged)

48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.

49. These two files are in C:\Snort\etc. Provide this location of the files in configure output plugins (in Lines 540 and 541).

IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]


Figure 1.15: Configuring snort.conf File in Notepad++ (screenshot: the Step #6 output plugins section, with lines 540-541 changed to include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config)

The frag3 preprocessor is a target-based IP defragmentation module for Snort.

50. Still in Step #6, add the line output alert_fast: alerts.ids so that Snort writes every alert, one line each, to the alerts.ids file in the log directory given with -l.

[Figure 1.16 (screenshot of snort.conf in Notepad++): the new line 538 reads
output alert_fast: alerts.ids
followed by the metadata include lines at 540 and 541]

Note: ipvar variables are enabled only with IPv6 support. Without IPv6 support, use a regular var.

Figure 1.16: Configuring snort.conf file in Notepad++

51. By default the C:\Snort\log folder is empty. Go to C:\Snort\log and create a new text file named alerts.ids.

52. Ensure that the extension of that file is .ids (not .ids.txt).

Note: Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals: 1. Faster execution than frag2 with less complex data management. 2. Target-based host modeling anti-evasion techniques.


[Figure 1.17 (Explorer screenshot): the C:\Snort\log folder containing one item, alerts.ids]

Figure 1.17: The alerts.ids file created in C:\Snort\log

53. In the snort.conf file, find and replace the string ipvar with var. The default file uses ipvar, which Snort only recognizes when it has been built with IPv6 support; the Windows build used in this lab was not, so every ipvar line must become a var line (the variable names on those lines stay the same).

Note: Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This allows administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.

[Figure 1.18 (Notepad++ Replace dialog): Find what = ipvar, Replace with = var, Search Mode Normal, Wrap around checked, then Replace All]

Note: Three types of variables may be defined in Snort: var, portvar and ipvar.

Figure 1.18: Configuring snort.conf file in Notepad++

54. Save the snort.conf file.

55. Before running Snort you need to enable detection rules in the Snort rules files; in the copy of the rules file used in this lab every rule line is commented out. For this lab we enable one ICMP rule so that Snort detects host-discovery ping probes against the system running Snort.

56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.

57. Uncomment line 47, the ICMP-INFO PING rule (an alert icmp rule matching itype:8 and icode:0, that is, ICMP echo requests; it is the rule that fires as [1:384:6] later in this module), then save and close the file.
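Steps 48 to 57 edit snort.conf and the rules file by hand. The following Python script is an added example, not part of the lab manual or of Snort, that applies the same edits programmatically and parses the rule it enables, so the result can be checked before Snort is started. It assumes the stock layout of snort.conf and icmp-info.rules shown above; the text embedded in it is constructed, and the sids 9000001 and 9000002 are invented placeholders (sids of 1000000 and above are reserved for local rules).

```python
import re

# Constructed excerpt of a stock snort.conf (assumption: only the lines this
# lab edits are reproduced; the real file is about 650 lines long).
SAMPLE_SNORT_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
# Step #6: Configure output plugins
# unified2
# output unified2: filename merged.log, limit 128
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT
# metadata reference data.  do not modify these lines
include classification.config
include reference.config
"""

# Constructed excerpt of icmp-info.rules. Every stock rule ships commented out.
# sid 384 rev 6 is the ICMP-INFO PING rule this lab enables; the 9000xxx sids
# are invented for the example and cannot collide with a real ruleset.
SAMPLE_RULES = """\
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:6;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE traceroute"; itype:8; ttl:1; classtype:attempted-recon; sid:9000001; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE address mask reply"; icode:0; itype:18; classtype:misc-activity; sid:9000002; rev:1;)
"""


def patch_snort_conf(text, etc_dir=r"C:\Snort\etc", alert_file="alerts.ids"):
    """Apply the lab's snort.conf edits (steps 48-54) and return the new text.
    Safe to run twice: the output line is only inserted if it is not there yet."""
    lines = text.splitlines()
    has_fast = any(l.strip().startswith("output alert_fast:") for l in lines)
    out = []
    for line in lines:
        # Step 53: this Windows build has no IPv6 support, so ipvar -> var.
        if line.startswith("ipvar "):
            line = "var " + line[len("ipvar "):]
        # Steps 48-49: point the metadata includes at C:\Snort\etc.
        m = re.match(r"include\s+(classification|reference)\.config\s*$", line)
        if m:
            line = "include %s\\%s.config" % (etc_dir, m.group(1))
        # Step 50: fast-format alerts to alerts.ids, placed just before the
        # metadata includes so it sits inside the Step #6 output section.
        if line.startswith("# metadata reference data") and not has_fast:
            out.append("output alert_fast: %s" % alert_file)
            has_fast = True
        out.append(line)
    return "\n".join(out) + "\n"


# Rule header: [#] action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<off>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)


def _split_options(opts):
    """Split the option body on ';' while leaving double-quoted values intact."""
    parts, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf))
    return parts


def parse_rule(line):
    """Parse one Snort rule line (commented out or not); None if it is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in _split_options(m.group("opts")):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {
        "enabled": m.group("off") is None,
        "action": m.group("action"), "proto": m.group("proto"),
        "src": m.group("src"), "sport": m.group("sport"),
        "dst": m.group("dst"), "dport": m.group("dport"),
        "sid": int(opts.get("sid", "0")), "rev": int(opts.get("rev", "0")),
        "opts": opts,
    }


def set_rule_enabled(rules_text, sid, enabled=True):
    """Return (new_text, changed) with the rule carrying `sid` (un)commented."""
    out, changed = [], 0
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule["sid"] == sid and rule["enabled"] != enabled:
            body = re.sub(r"^\s*#\s*", "", line)
            line = body if enabled else "# " + body
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


def enabled_sids(rules_text):
    """Sorted sids of the rules that are active (not commented out)."""
    rules = (parse_rule(l) for l in rules_text.splitlines())
    return sorted(r["sid"] for r in rules if r and r["enabled"])
```

To use it on the real files, read C:\Snort\etc\snort.conf into patch_snort_conf and C:\Snort\rules\icmp-info.rules into set_rule_enabled(text, 384), write the results back, and compare enabled_sids before and after: that list is exactly what Snort will load, which is the check to make before trusting a quiet console.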


[Figure 1.19 (screenshot of icmp-info.rules in Notepad++, cursor on line 47): every rule line in the file is commented out except line 47, which now begins
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; ...
(the rest of the line is cut off in the screenshot)]

Figure 1.19: The icmp-info.rules file in Notepad++

58. Now navigate to C:\Snort, right-click the bin folder, and select CmdHere from the context menu to open a command prompt in that folder.

59. Type snort -i X -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your interface index number; in this lab X is 1). The options are: -i the interface to sniff, -A console print alerts to the console, -c the configuration file, -l the log directory, -K ascii write packet logs as ASCII text. To check the configuration without starting capture, add -T, which makes Snort parse the configuration, report the result and exit.

60. If you enter all the command information correctly, you receive a graceful exit as shown in the following figure.

61. If you receive a fatal error, first verify that you typed all modifications into the snort.conf file correctly, then search through the file for entries matching your fatal error message.

62. If you receive an error stating "Could not create the registry key," run the command prompt as an Administrator.

[Figure 2.18 (Administrator command prompt):
C:\Snort\bin>snort -i4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
followed by Snort's configuration validation output]

Note: To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example: /usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

Figure 2.18: Snort Successfully Validated Configuration Window

63. Start Snort in IDS mode: in the command prompt type snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 2 and then press Enter (use your own interface index in place of 2).


Figure 2.19: Start Snort in IDS Mode Command

64. Snort starts running in IDS mode. It first initializes the output plug-ins, preprocessors and dynamic preprocessor libraries, builds its rule chains, and then logs the loaded signatures.

65. After the interface is initialized and the signatures are logged, Snort waits for traffic and raises an alert whenever a packet matches an enabled rule.

[Figure 1.20 (Snort start-up banner): Snort Version 2.9.3.1-WIN32 GRE (Build 40), By Martin Roesch & The Snort Team, Copyright (C) 1998-2012 Sourcefire, Inc., et al.; Using PCRE version 8.10 2010-06-25; Using ZLIB version 1.2.3; Rules Engine SF_SNORT_DETECTION_ENGINE Version 1.16 (Build 18); a list of loaded preprocessor objects (SF_SSLPP, SF_SSH, SF_SMTP, SF_SIP, SF_SDF, SF_REPUTATION, SF_POP, SF_MODBUS, SF_IMAP, SF_GTP, SF_FTPTELNET, SF_DNS, SF_DNP3, SF_DCERPC2); ending with Commencing packet processing (pid=6664)]

Figure 1.20: Initializing Snort Rule Chains Window

66. Once initialization completes, Snort is listening on the interface; leave it that way and generate some traffic to test it.

67. Leave the Snort command prompt running.

68. Attack your own machine and check whether Snort detects it.

69. Launch your Windows 8 virtual machine (attacker machine).

70. Open a command prompt and type ping XXX.XXX.XXX.XXX -t from the attacker machine (XXX.XXX.XXX.XXX is your Windows Server 2012 IP address; -t keeps pinging until interrupted).

71. Go to Windows Server 2012, open the Snort command prompt, and press Ctrl+C to stop Snort. Snort exits.

72. Now go to the C:\Snort\log\10.0.0.12 folder and open the ICMP_ECHO.ids text file. (With -K ascii, Snort creates one sub-folder per source address under the log directory; 10.0.0.12 is the attacker machine in this lab, so substitute the address of your own attacker machine.)

Note: -c C:\Snort\etc\snort.conf gives the location of the configuration file; -l logs the output to the C:\Snort\log folder; -i 2 specifies the interface.

Note: Run Snort as a daemon syntax: /usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D. When Snort is run as a daemon, the daemon creates a PID file in the log directory.

Task 6: Attack Host Machine

Note: To view the Snort log file, always stop Snort and then open the log file.


ICMP_ECHO.ids (opened in Notepad):

[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:198 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:199 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:200 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:201 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:202 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:203 ECHO

Figure 1.21: The ICMP_ECHO.ids file listing Snort alerts

73. All the alerts are saved in the ICMP_ECHO.ids file: every ICMP echo request (Type:8 Code:0) from 10.0.0.12 to 10.0.0.10 was matched by the rule enabled in step 57, one record per packet. This means that your Snort installation is working and triggers alerts when attacks occur on your machine.
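The file in Figure 1.21 is Snort's ASCII packet log, one record per matching packet. As an added example (not part of the lab manual or of Snort), the Python below parses that layout and applies a simple by-source threshold to it, which is how a stream of single ICMP-INFO PING alerts is turned into one finding about a host that is probing you. The sample text is constructed to mirror Figure 1.21; the year 2012, the 10.0.0.20 record and the threshold values are assumptions (Snort's timestamps carry no year).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout Snort's ASCII packet logger (-K ascii)
# writes to C:\Snort\log\<source IP>\ICMP_ECHO.ids. The 10.0.0.12 records
# reproduce the first four entries of Figure 1.21; the 10.0.0.20 record is
# invented to show a source that stays under the threshold.
SAMPLE_LOG = """\
[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:198  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:30:05.000001 10.0.0.20 -> 10.0.0.10
ICMP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:84
Type:8  Code:0  ID:7   Seq:1  ECHO
"""

# One record: "[**] msg [**]", timestamp and addresses, IP header line, ICMP line.
RECORD_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*"
    r"(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s*->\s*(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"ICMP\s+TTL:(?P<ttl>\d+)\s+TOS:0x[0-9A-Fa-f]+\s+ID:(?P<ipid>\d+)\s+"
    r"IpLen:\d+\s+DgmLen:(?P<dgmlen>\d+)\s+"
    r"Type:(?P<type>\d+)\s+Code:(?P<code>\d+)(?:\s+ID:(?P<echoid>\d+)\s+Seq:(?P<seq>\d+))?",
    re.DOTALL,
)


def parse_records(text, year=2012):
    """Parse every alert record in an ICMP_ECHO.ids-style file. Snort writes
    no year, so the caller supplies one (assumed 2012 here, per the lab)."""
    records = []
    for m in RECORD_RE.finditer(text):
        ts = datetime.strptime(
            "%d/%s/%s %s" % (year, m.group("mon"), m.group("day"), m.group("time")),
            "%Y/%m/%d %H:%M:%S.%f",
        )
        records.append({
            "msg": m.group("msg"), "ts": ts,
            "src": m.group("src"), "dst": m.group("dst"),
            "ttl": int(m.group("ttl")), "ipid": int(m.group("ipid")),
            "dgmlen": int(m.group("dgmlen")),
            "type": int(m.group("type")), "code": int(m.group("code")),
            "seq": int(m.group("seq")) if m.group("seq") else None,
        })
    return records


def echo_request_bursts(records, count=4, window_seconds=10):
    """Sources that sent at least `count` ICMP echo requests (type 8, code 0)
    within any `window_seconds` span, mapped to the largest burst seen.
    Thresholds are assumptions; tune them to the host's normal traffic."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for r in records:
        if r["type"] == 8 and r["code"] == 0:
            by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= count:
            flagged[src] = best
    return flagged
```

Snort can apply the same by-source count-within-seconds logic in-engine (an event_filter or detection_filter tracked by_src), which is preferable in production; the script is for triaging a log directory after the fact, for example when the console was not being watched.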

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Snort
Information Collected/Objectives Achieved: Output: victim machine log entries are captured

Questions

1. Determine and analyze the process to identify and monitor network ports after intrusion detection.


2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required

□ Yes

Platform Supported

☑ Classroom ☑ iLabs


Lab 2

Logging Snort Alerts to Kiwi Syslog Server

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS can trigger thousands of alerts per day, making it difficult for human users to analyze them and take appropriate action. It is important to reduce the redundancy of alerts, intelligently integrate and correlate them, and present a high-level view of the detected security issues to the administrator. An IDS is used to inspect data for malicious or anomalous activity and to detect attacks or unauthorized use of systems, networks, and related resources.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, and be able to identify malicious network activity, log information about it, and stop or block it.

Lab Objectives

The objective of this lab is to help students learn and understand IPSes and IDSes.

In this lab, you need to:

■ Install Snort and configure snort.conf file

■ Validate configuration settings

■ Perform an attack 011 the Host Machine

■ Perform an intrusion detection

■ Attempt to stop detected possible incidents


Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots


Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine

■ Windows 8 running on a virtual machine as an attacker machine

■ WinPcap drivers installed on the host machine

■ Kiwi Syslog Server installed on the host machine

■ Administrative privileges to configure settings and run tools

Lab Duration

Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Lab Tasks

1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Kiwi Syslog Server, double-click Kiwi_Syslog_Server_9.3.4.Eval.setup.exe and install Kiwi Syslog Server on the Windows Server 2012 host machine.

2. The License Agreement window appears. Click I Agree.

Figure 2.1: Kiwi Syslog Server installation

Note: You can also download Kiwi Syslog Server from http://www.kiwisyslog.com

Task 1: Log Snort Alerts to Syslog Server


3. In the Choose Operating Mode wizard, select Install Kiwi Syslog Server as an Application and click Next >.

[Figure 2.2 (Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode): two options, "Install Kiwi Syslog Server as a Service" (runs as a Windows service without a user logged in, and also installs the Kiwi Syslog Server Manager used to control the service) and "Install Kiwi Syslog Server as an Application" (a typical Windows application that requires a user to log in to Windows before running); the Application option is selected]

Figure 2.2: Kiwi Syslog Server installation

4. In the Install Kiwi Syslog Web Access wizard, uncheck the selected option and click Next >.

[Figure 2.3 (Install Kiwi Syslog Web Access): the "Install Kiwi Syslog Web Access" check box, unchecked, and a "Create a new Web Access logging rule in Kiwi Syslog Server" option; the dialog notes that Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server]

Figure 2.3: Kiwi Syslog Server installation

5. Leave the settings at their defaults in the Choose Components wizard and click Next >.

Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots


[Figure 2.4 (Choose Components): install type Normal; components: Program files (required), Shortcuts apply to all users, Add Start menu shortcut, Add Desktop shortcut, Add QuickLaunch shortcut, Add Start-up shortcut; space required 89.5 MB]

Figure 2.4: Adding components

6. In the Choose Install Location wizard, leave the settings at their defaults and click Install to continue.

[Figure 2.5 (Choose Install Location): destination folder for Kiwi Syslog Server 9.3.4; space required 89.5 MB, space available 50.1 GB]

Figure 2.5: Choose the destination folder

7. Click Finish to complete the installation. You should see a test message appear, which indicates Kiwi is working.


[Figure 2.6 (Completing the Kiwi Syslog Server 9.3.4 Setup Wizard): "Kiwi Syslog Server 9.3.4 has been installed on your computer"; Run Kiwi Syslog Server 9.3.4 is checked; Finish button]

Figure 2.6: Kiwi Syslog Server finish window

8. Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box.

[Figure 2.7 (Kiwi Syslog Server - Default settings applied): "This is the first time the program has been run on this machine. The following default 'Action' settings have been applied: Display all messages; Log all messages to file: SyslogCatchAll.txt. These settings can be changed from the File | Setup menu."]

Figure 2.7: Default settings applied window

9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.

Figure 2.8: Start menu in Windows Server 2012

10. In the Start menu apps, click Kiwi Syslog Server Console to launch the application.

Note: Kiwi Syslog Server is a free syslog server for Windows. It receives, logs, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and other syslog-enabled devices.


[Figure 2.9 (Start screen apps view): tiles including Control Panel, Explorer, Command Prompt, Notepad++ and Kiwi Syslog Server Console]

Figure 2.9: Click the Kiwi Syslog Server application

11. Configure syslog alerts in the snort.conf file.

12. To configure syslog alerts, first exit from the Snort command prompt (press Ctrl+C).

13. Go to C:\Snort\etc and open the snort.conf file with Notepad++.

14. Scroll down to Step #6: Configure output plugins. In the syslog section (line 527), remove the # and modify the line to read output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT. Snort will then send each alert as a syslog message over UDP to port 514 on the local host, where Kiwi is listening, with facility LOG_AUTH and severity LOG_ALERT. Syslog over UDP carries no authentication or encryption, so keep the receiver local or on a trusted management network if you point host= at another machine.

Snort.conf before modification (syslog section):

[Figure 2.10 (screenshot of snort.conf in Notepad++, Step #6 output plugins): the unified2 and database lines are commented out, and the syslog line reads
# output alert_syslog: LOG_AUTH LOG_ALERT]

Figure 2.10: snort.conf before modification

Snort.conf after modification (syslog section):

Note: The reason you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need rights not only to send your alerts to Kiwi but also to write them to a log file.


[Figure 2.11 (screenshot of snort.conf in Notepad++, Step #6 output plugins, after editing): the syslog line now reads
output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
while the unified2 and database lines remain commented out]

Figure 2.11: snort.conf after configuration

15. Save the file and close it.

16. Open the Kiwi Syslog Server Console and press Ctrl+T. This sends a test message to confirm that Kiwi Syslog Server is receiving and logging.

[Figure 2.12 (Kiwi Syslog Server, 14-day evaluation, version 9.3): one entry, 11-14-2012 16:21:30 Local7.Debug 127.0.0.1 "Kiwi Syslog Server - Test message number 0001"]

Figure 2.12: Kiwi Syslog Service Manager window

17. Leave the Kiwi Syslog Server Console open. Do not close the window.

18. Now open a command prompt in C:\Snort\bin and type snort -i X -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -s and press Enter (X is the index number of your Ethernet card). The extra -s switch tells Snort to send alert messages to syslog as well.


[Figure 2.13 (Administrator command prompt): Snort started with the command from step 18, printing alerts to the console]

Figure 2.13: Snort console listing Snort alerts

19. Open a command prompt in your Windows 8 virtual machine and type ping 10.0.0.10 (the IP address of your host machine, where the Kiwi Syslog Server Console is running).

20. Go to the Kiwi Syslog Service Manager window (already open) and observe the triggered alert logs.

Note: Kiwi Syslog Server filtering options:

■ Filter on IP address, hostname, or message text

■ Filter out unwanted host messages or take a different logging action depending on the host name

■ Perform an action when a message contains specific keywords.

[Figure 2.14 (Kiwi Syslog Server console, 14-day evaluation): one line per ping, each of the form
11-14-2012 18:40:12 Auth.Alert 127.0.0.1 Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10
repeated once per second from 18:39:56 to 18:40:12]

Figure 2.14: Kiwi Syslog Service Manager with Snort logs

21. In Kiwi Syslog you see the Snort alerts listed in the Kiwi Syslog Service Manager. The Auth.Alert column is the facility and severity set in step 14, and [1:384:6] identifies the rule that fired (generator 1, sid 384, revision 6: the ICMP-INFO PING rule enabled in the previous lab).

22. You have successfully sent Snort alerts to two destinations: the local log and the syslog server.
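Steps 11 to 22 send each alert to Kiwi as a syslog datagram, and Question 3 below asks about the priority value at the front of each message. The Python below is an added example, not part of the lab manual, of Snort or of Kiwi: it computes that value for the LOG_AUTH LOG_ALERT setting from step 14, builds the datagram in the RFC 3164 layout that Kiwi displays, and parses the Snort fields back out of it. The ICMP-INFO PING message body is the one shown in Figure 2.14; the TCP alert and its sid 9000001 are constructed for the example.

```python
import re

# RFC 3164 facility and severity codes, keyed by the LOG_* names Snort's
# alert_syslog output plugin accepts. PRI = facility * 8 + severity.
FACILITIES = {
    "LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3, "LOG_AUTH": 4,
    "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7, "LOG_UUCP": 8, "LOG_CRON": 9,
    "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
}
FACILITIES.update({"LOG_LOCAL%d" % i: 16 + i for i in range(8)})
SEVERITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
_FAC_BY_CODE = {v: k for k, v in FACILITIES.items()}
_SEV_BY_CODE = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI value for a facility/severity pair, e.g. LOG_AUTH, LOG_ALERT -> 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """(facility_name, severity_name) for a PRI value; facility is None for
    the unnamed codes 12-15."""
    fac, sev = divmod(int(pri), 8)
    return _FAC_BY_CODE.get(fac), _SEV_BY_CODE[sev]


def build_syslog_datagram(facility, severity, timestamp, hostname, tag, msg):
    """UDP payload Snort would send for one alert, RFC 3164 layout:
    <PRI>TIMESTAMP HOSTNAME TAG: MSG. Plain text, no integrity protection."""
    line = "<%d>%s %s %s: %s" % (encode_pri(facility, severity), timestamp, hostname, tag, msg)
    return line.encode("ascii")


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s"
    r"(?P<host>\S+)\s(?P<tag>[^:\s]+):\s(?P<msg>.*)$"
)
# Snort's body: [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# IPv4 only: an IPv6 address would be split at its colons by this pattern.
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_syslog_datagram(data):
    """Parse a datagram the way a syslog receiver does, then parse the Snort
    fields inside it. Returns None if either layer does not match."""
    m = SYSLOG_RE.match(data.decode("ascii", "replace"))
    if not m:
        return None
    fac, sev = decode_pri(m.group("pri"))
    out = {"pri": int(m.group("pri")), "facility": fac, "severity": sev,
           "timestamp": m.group("ts"), "hostname": m.group("host"), "tag": m.group("tag")}
    s = SNORT_RE.match(m.group("msg"))
    if not s:
        return None
    out.update({
        "gid": int(s.group("gid")), "sid": int(s.group("sid")), "rev": int(s.group("rev")),
        "msg": s.group("msg"), "classification": s.group("classification"),
        "priority": int(s.group("priority")), "proto": s.group("proto"),
        "src": s.group("src"), "sport": int(s.group("sport")) if s.group("sport") else None,
        "dst": s.group("dst"), "dport": int(s.group("dport")) if s.group("dport") else None,
    })
    return out


# Message bodies: the ICMP PING alert as shown in Figure 2.14, plus a
# constructed TCP alert (invented sid 9000001) to exercise the port fields.
SAMPLE_PING_MSG = "[1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10"
SAMPLE_TCP_MSG = "[1:9000001:1] EXAMPLE SMB probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.12:51000 -> 10.0.0.10:445"
```

PRI 33 is what Kiwi renders as Auth.Alert in Figure 2.14. The [Priority: 3] inside the Snort message is the rule's classtype priority (misc-activity is priority 3 in classification.config), not the syslog severity, so filter on the right one. Because the datagram is plain UDP text, anything on the path can forge or drop it; that is why the lab keeps host= on 127.0.0.1.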

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

Ethical Hacking and Countenneasures Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Stricdy Prohibited.

C EH Lab Manual Page 872

Page 28: Ceh v8 labs module 17 evading ids, firewalls and honeypots

Module 17 - Evading IDS, Firewalls and Honeypots

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Kiwi Syslog Server

Information Collected/Objectives Achieved: Output: The Snort alert outputs listed in Kiwi Syslog Service Manager.

Questions

1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server.

2. Determine how you can move Kiwi Syslog Daemon to another machine.

3. Each Syslog message includes a priority value at the beginning of the text. Evaluate the priority of each Kiwi Syslog message and on what basis messages are prioritized.

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


3 Detecting Intruders and Worms Using KFSensor Honeypot IDS

KFSensor is a Windows based honeypot Intrusion Detection System (IDS).

Lab Scenario

Intrusion detection systems are designed to search network activity (we are considering both host and network IDS detection) for evidence of malicious abuse. When an IDS algorithm "detects" some sort of activity and the activity is not malicious or suspicious, this detection is known as a false positive. It is important to realize that from the IDS's perspective, it is not doing anything incorrect. Its algorithm is not making a mistake. The algorithm is just not perfect. IDS designers make many assumptions about how to detect network attacks.

An example assumption could be to look for extremely long URLs. Typically, a URL may be only 500 bytes long. Telling an IDS to look for URLs longer than 2000 bytes may indicate a denial of service attack. A false positive could result from some complex e-commerce web sites that store a wide variety of information in the URL and exceed 2000 bytes.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and intrusion detection systems (IDSes), be able to identify malicious network activity and log information, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is to make students learn and understand IPSes and IDSes.

In this lab, you need to:

■ Detect hackers and worms in a network

■ Provide network security

Lab Environment

To carry out this lab, you need:


Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots


■ KFSensor located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Honeypot Tools\KFSensor

■ Install KFSensor in Windows 8

■ MegaPing located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing

■ Install MegaPing in Windows Server 2012

■ If you have decided to download the latest version of these tools, then the screenshots might differ

■ Administrative privileges to configure settings and run tools

Lab Duration

Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion prevention system (IPS) is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log related information, attempt to block/stop activity, and report activity.

An IDS is a software device or application that monitors network and/or system activities for malicious activities or policy violations and delivers reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

1. Launch W indows 8 virtual machine and follow the wizard-driven installation steps to install KFSensor.

2. After installation it will prompt to reboot the system. Reboot the system.

3. In Windows 8, launch KFSensor. To launch KFSensor, move your mouse cursor to the lower-left corner of your desktop and click Start.

You can also download KFSensor from http://www.keyfocus.net

TASK 1: Configure KFSensor


[Screenshot: Windows 8 Release Preview desktop, Start button in the lower-left corner]

FIGURE 3.1: KFSensor Window with Setup Wizard

4. In the Start menu apps, right-click the KFSensor app, and click Run as Administrator at the bottom.


To set up common ports, KFSensor has a set of pre-defined listen definitions. They are:

■ Windows Workstation

■ Windows Server

■ Windows Internet Services

■ Windows Applications

■ Linux (services not usually in Windows)

■ Trojans and worms

FIGURE 3.2: KFSensor Window with Setup Wizard

5. At the first-time launch of the KFSensor Set Up Wizard, click Next.


[Screenshot: KFSensor Professional (Evaluation Trial) main window with the Set Up Wizard open. Wizard text: The KFSensor Set Up Wizard will take you through a number of steps to configure your system. All of these configurations can be modified later using the menu option. You might like to read the manual at this point to learn how KFSensor works and the concepts behind it. Behind it, the Ports view lists the TCP sensors and the status bar shows Visitors: 0]

The Set Up Wizard is used to perform the initial configuration of KFSensor.

FIGURE 3.3: KFSensor main Window

6. Check all the port classes to include and click Next.

[Screenshot: Set Up Wizard - Port Classes, with all classes checked (Windows Workstation, Windows Applications, Windows Server, Windows Internet Services, Linux (services not usually in Windows), Trojans and worms). Wizard help: KFSensor can detect intrusions on many different ports and simulate different types of services. These ports are grouped by class. Checked classes will be added to the scenario. Unchecked classes will be removed from the scenario.]

Domain Name is the domain name used to identify the server to a visitor. It is used in several Sim Servers.

FIGURE 3.4: KFSensor Window with Setup Wizard

7. Leave the domain name field as default and click Next.


[Screenshot: Set Up Wizard - Domain, with the Domain Name field left at its default. Wizard text: This is the domain name used to identify the server to a visitor. This could be the real domain name of the machine or a fictitious one. If you pick a fictitious one, try not to use a real domain belonging to somebody else.]

KFSensor can send alerts by email. The settings in the wizard are the minimum needed to enable this feature.

FIGURE 3.5: KFSensor Window with Setup Wizard

8. If you want to send KFSensor alerts by email, specify the email address details and click Next.

[Screenshot: Set Up Wizard - EMail Alerts, with Send to and Send from fields. Wizard text: If you want KFSensor to send alerts by email then fill in the email address details.]

A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged on user, so the user can log off and another person can log on without affecting the server.

FIGURE 3.6: KFSensor Window with Setup Wizard - email alerts

9. Choose options for Denial of Service, Port Activity, Proxy Emulation, and Network Protocol Analyzer and click Next.


[Screenshot: Set Up Wizard - Options. Denial Of Service Options: Cautious (controls how many events are recorded before the server locks up). Port Activity: 1 Hour (how long a port should indicate activity after an event). Proxy Emulation: Allow banner grabs and loop backs (controls if KFSensor is allowed to make limited external connections). Network Protocol Analyzer: Enable packet dump files (dump files are useful for detailed analysis but take up a lot of disk space).]

FIGURE 3.7: KFSensor Window with Setup Wizard - options

10. Check the Install as system service option and click Next.

The KFSensor Monitor is a module that provides the user interface to the KFSensor system. With it you can configure the KFSensor Server and examine the events that it generates.

[Screenshot: Set Up Wizard - Systems Service, with Install as systems service checked. Wizard text: A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged on user, so you can log off and another person can log on without affecting the server. The KFSensor Server can be configured to start automatically when the system starts, even before you log on. You must be logged in as the Administrator to install a systems service.]

FIGURE 3.8: KFSensor Window with Setup Wizard - system service

11. Click Finish to complete the Set Up wizard.

The Ports View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the ports on which it is listening.


[Screenshot: Set Up Wizard - Finish. Wizard text: The KFSensor Set Up Wizard has now got all the information it needs to configure your system. To read up on where to go from here click the Getting Started button. Note on the Evaluation Version: there are a number of restrictions set for the ten day duration of the evaluation period; the export functionality is unavailable and the details of some events are deliberately obscured.]

The Ports View can be displayed by selecting the Ports option from the View menu.

FIGURE 3.9: KFSensor finish installation

12. The KFSensor main window appears. It displays the list of ID, protocols, Visitor, and Received automatically when it starts. In the following window, all the nodes in the left block crossed out with blue lines are the ports that are being used.

[Screenshot: KFSensor Professional main window. The Events view (ID, Start, Duration, Protocol, Sensor, Name, Visitor) lists UDP 138 NBT Datagram events from several Windows hosts on the network, dated 9/26/2012 and 9/27/2012. The Ports view on the left lists the TCP sensors (FTP, SMTP, DNS, DHCP, IIS, POP3, NNTP, MS RPC, NBT Session, LDAP, HTTPS, NBT SMB, CIS, MS CIS, SOCKS, SQL Server, DirectPlay, IIS Proxy, Global Catalog). Status bar: Server Running, Visitors: 8]

FIGURE 3.10: KFSensor Main Window

13. Open a command prompt from the Start menu apps.


The top level item is the server. The IP address of the KFSensor Server and the name of the currently active Scenario are displayed. The server icon indicates the state of the server:

14. In the command prompt window, type netstat -an.

[Screenshot: Command Prompt (Microsoft Windows Version 6.2.8400) running netstat -an. Active Connections shows TCP 0.0.0.0:<port> 0.0.0.0:0 LISTENING entries for ports 2, 7, 9, 13, 17, 19, 21, 22, 23, 25, 42, 53, 57, 68, 80, 81 and 82]

FIGURE 3.11: Command Prompt with netstat -an

15. This will display a list of listening ports.

[Screenshot: Command Prompt, continuation of the netstat -an output, with TCP 0.0.0.0:<port> 0.0.0.0:0 LISTENING entries for ports 82, 83, 88, 98, 110, 111, 113, 119, 135, 139, 143, 389, 443, 445, 464, 522, 543, 563, 593, 636, 999, 1024, 1028, 1080 and 1214]

The protocol level of KFSensor is used to group the ports based on their protocol; either TCP or UDP.

FIGURE 3.12: Command Prompt with netstat -an


16. Leave the KFSensor tool running.

17. Follow the wizard-driven installation steps to install MegaPing in Windows Server 2012 (Host Machine).

18. To launch MegaPing, move your mouse cursor to the lower-left corner of your desktop and click Start.

FIGURE 3.13: Starting Windows in Windows Server 2012

19. Click the MegaPing app in the Start menu apps.


FIGURE 3.14: Click on MegaPing

20. The main window of MegaPing appears as shown in the following screenshot.

The Visitors View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the visitors who have connected to the server.

Each visitor detected by the KFSensor Server is listed. The visitor's IP address and domain name are displayed.


[Screenshot: MegaPing (Unregistered) main window, DNS List Hosts tool selected. The tool list on the left: DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner, Host Monitor]

FIGURE 3.15: MegaPing on Windows Server 2012

21. Select Port Scanner from the left side of the list.

22. Enter the IP address of Windows 8 (in this lab the IP address is 10.0.0.12, the machine on which KFSensor is running) in the Destination Address List and click Add.

[Screenshot: MegaPing Port Scanner settings. Destination: 10.0.0.12, Protocols: TCP and UDP, Scan Type: Range of Ports + Custom Ports, Start button, Destination Address List with Add button]

FIGURE 3.16: MegaPing: Select 10.0.0.12 from Host, Press Start button

23. Check the IP address and click the Start button to start listening to the traffic on 10.0.0.12.

The Visitors View can be displayed by selecting the Visitors option from the View menu.


[Screenshot: MegaPing Port Scanner with host 10.0.0.12 checked in the Destination Address List (Add and Delete buttons) and an empty results pane with Type, Keyword and Description columns]

Visitor is obtained by a reverse DNS lookup on the visitor's IP address. An icon is displayed indicating the last time the visitor connected to the server:

FIGURE 3.17: MegaPing: Data of the packets received

24. The following image displays the identification of Telnet on port 23.

[Screenshot: MegaPing Port Scanner results for host 10.0.0.12 (columns Type, Keyword, Description, Risk): 22 TCP, Risk High; 23 TCP telnet, Telnet, Elevated; TCP smtp, Simple Mail Transfer, Elevated; 42 TCP nameserver, Host Name Server, Low; 53 TCP domain, Domain Name Server, Low]

The Visitors View is linked to the Events View and acts as a filter to it. If you select a visitor then only those events related to that visitor will be displayed in the Events View.

FIGURE 3.18: MegaPing: Telnet port data

25. The following image displays the identification of Socks on port 1080.


[Screenshot: MegaPing Port Scanner results for host 10.0.0.12: 1080 TCP socks, Socks; 1214 TCP, Low; 1433 TCP ms-sql-s, Microsoft-SQL-Server, Low; 1494 TCP ica, Citrix ICA Client, Low; 1801 TCP, Low]

The events are sorted in either ascending or descending chronological order. This is controlled by options on the View Menu.

FIGURE 3.19: MegaPing: Blackjack virus

26. Now come back to the Windows 8 virtual machine and look for Telnet data.

[Screenshot: KFSensor Professional main window. The Events view shows event 31, 9/27/2012 6:24:13 PM, TCP, sensor 23 Telnet. The Ports view on the left lists the TCP sensors with recent activity (2 Death Trojan, 7 Echo, 9 Discard, 13 Daytime, 17 Quote of the Day, 19 chargen, 21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 42 WINS, 53 DNS, 57 Mail Transfer, 68 DHCP, 80 IIS, 81 IIS 81, 82 IIS 82, 83 IIS 83, 88 Kerberos). Status bar: Server Running, Visitors: 8]

The events that are displayed are filtered by the currently selected item in the Ports View or the Visitors View.

FIGURE 3.20: Telnet data on KFSensor

27. The following image displays the data of a Death Trojan.


[Screenshot: KFSensor Professional main window. The Events view shows an event at 9/27/2012 6:24:12 PM on sensor 2 Death, Trojan, which is selected in the Ports view on the left. Status bar: Server Running, Visitors: 8]

Exit: Shuts down the KFSensor Monitor. If the KFSensor Server is not installed as a systems service then it will be shut down as well.

FIGURE 3.21: Death Trojan data on KFSensor
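What the KFSensor part of this lab shows, a honeypot that listens on ports no real service on the host uses, records one event per contact (sensor port and name, visitor address, first bytes received) and groups events by visitor, as an added Python example that is not part of the lab manual and not KFSensor's own code. The sensor names, the loopback self-test and the "three sensor ports within 60 seconds" threshold are constructed; scan_suspects flags the burst of events across many sensor ports that a MegaPing-style port scan leaves in the Events view, which is the pattern to alert on rather than a single Telnet connect.

```python
import socket
import socketserver
import threading
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One row of a KFSensor-style Events view (see the Figure 3.10 columns)."""
    event_id: int
    start: float          # epoch seconds
    proto: str            # "TCP" in this example
    port: int             # sensor port the visitor connected to
    name: str             # sensor name, e.g. "Telnet"
    visitor: str          # source IP address
    received: bytes = b""  # first bytes the visitor sent (banner grab, probe)


class EventLog:
    """Append-only, thread-safe event list shared by every listener."""

    def __init__(self):
        self._events, self._lock = [], threading.Lock()

    def add(self, proto, port, name, visitor, received):
        with self._lock:
            ev = Event(len(self._events) + 1, time.time(), proto, port,
                       name, visitor, received)
            self._events.append(ev)
            return ev

    def events(self):
        with self._lock:
            return list(self._events)


class SensorHandler(socketserver.BaseRequestHandler):
    """Record the contact, keep up to 256 bytes of what was sent, hang up.
    Nothing is emulated: a connection to these ports is itself the finding."""

    def handle(self):
        self.request.settimeout(0.5)
        try:
            data = self.request.recv(256)
        except (socket.timeout, OSError):
            data = b""
        self.server.log.add("TCP", self.server.server_address[1],
                            self.server.sensor_name, self.client_address[0], data)


class Sensor(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_ip, port, name, log):
        super().__init__((bind_ip, port), SensorHandler)
        self.sensor_name, self.log = name, log


def start_sensors(bind_ip, ports, log):
    """Bind one listener per (port, name) pair. Port 0 lets the OS pick a free
    port, which keeps a self-test off privileged or already-used ports."""
    sensors = []
    for port, name in ports:
        s = Sensor(bind_ip, port, name, log)
        threading.Thread(target=s.serve_forever, daemon=True).start()
        sensors.append(s)
    return sensors


def probe_own_sensors(sensors, payload=b"hello"):
    """Self-check: connect once to each listener from loopback, then wait
    until the handlers have logged every contact (or 5 s pass)."""
    for s in sensors:
        with socket.create_connection(s.server_address, timeout=2) as c:
            c.sendall(payload)
    log, deadline = sensors[0].log, time.time() + 5
    while len(log.events()) < len(sensors) and time.time() < deadline:
        time.sleep(0.05)
    return log.events()


def visitors(events):
    """Visitors view: the distinct sensor ports each source address touched."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.visitor].add(ev.port)
    return dict(seen)


def scan_suspects(events, min_ports=3, window=60.0):
    """Flag visitors that hit >= min_ports distinct sensor ports within `window`
    seconds: the trace a port scanner such as MegaPing leaves in the events."""
    by_visitor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.start):
        by_visitor[ev.visitor].append(ev)
    suspects = {}
    for visitor, evs in by_visitor.items():
        for i, first in enumerate(evs):
            ports = {e.port for e in evs[i:] if e.start - first.start <= window}
            if len(ports) >= min_ports:
                suspects[visitor] = sorted(ports)
                break
    return suspects
```

Calling start_sensors("127.0.0.1", [(0, "Telnet"), (0, "SMTP"), (0, "SOCKS")], EventLog()) followed by probe_own_sensors on the result records three events from 127.0.0.1, and scan_suspects on them reports that visitor with all three ports, the same view the lab gets in Figure 3.20 after the MegaPing scan.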

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: KFSensor Honeypot IDS

Information Collected/Objectives Achieved: Output: Infected Port number: 1080; Number of Detected Trojans: 2

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that creates a transparent tunnel through a proxy server or firewall.

Lab Scenario

Attackers are always on a hunt for clients that can be easily compromised, and they can enter your network by IP spoofing to damage or steal your data. The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.

Hence, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc. and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.

Also, you should be familiar with the HTTP tunneling technique by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab, you will learn HTTP tunneling using HTTPort.

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment

In the lab, you need the HTTPort tool.


■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots\HTTPort

■ You can also download the latest version of HTTPort from the link http://www.targeted.org

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ Install HTTHost on the Windows 8 Virtual Machine

■ Install HTTPort on the Windows Server 2012 Host Machine

■ Follow the wizard-driven installation steps and install it

■ Administrative privileges are required to run this tool

Lab Duration

Time: 20 Minutes

Overview of HTTPort

HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies and HTTP firewalls, and transparent accelerators.

Lab Tasks

1. Before running the tool you need to stop the IIS Admin Service and World Wide Web services on the Windows Server 2008 virtual machine.

2. Select Administrative Privileges > Services > IIS Admin Service, right-click and select Stop.

[Figure: Services console (File, Action, View, Help) listing the local services with Description, Status, Startup Type and Log On As columns. IIS Admin Service is selected and the context menu shows Stop, Pause, Resume, Restart, All Tasks, Refresh, Properties, Help. Service description: "Enables this server to administer Web and FTP services. If this service is stopped, the server will be unable to run Web, FTP, NNTP, or SMTP sites or configure IIS. If this service is disabled, any services that explicitly depend on it will fail to start."]

FIGURE 4.1: Stopping IIS Admin Service in Windows Server 2008

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots

TASK 1: Stopping IIS Services


Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Lab Manual Page 888


3. Select Administrative Tools → Services → World Wide Web Publishing Service, right-click and select Stop.

[Figure: Services console with World Wide Web Publishing Service selected; the left pane offers Stop the service, Pause the service, Restart the service. Service description: "Provides Web connectivity and administration through the Internet Information Services Manager."]

FIGURE 4.2: Stopping World Wide Web Publishing Service in Windows Server 2008

4. Log in to the Windows Server 2008 virtual machine.
5. Open the mapped network drive CEH-Tools at Z:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots.
6. Open the HTTHost folder and double-click htthost.exe.
7. The HTTHost window opens; select the Options tab.
8. On the Options tab leave all the settings at their defaults except the Personal Password field, which should be filled with a password of your choice. In this lab the Personal Password is "magic". Choose something stronger outside the lab: with the default "Allow access from 0.0.0.0" shown in Figure 4.3, anyone who can reach port 80 on this machine and knows the password can open TCP connections from it.
9. Check the Log Connections option and click Apply.

Note: HTTPort bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

Note: It supports strong traffic encryption, which makes proxy logging of the tunnel contents useless, and supports NTLM and other proxy authentication schemes. What the proxy cannot read is the payload; it still records every request the client makes to the HTTHost address and port, so the tunnel endpoint itself is visible in the proxy log.


Note: Tools demonstrated in this lab are available in Z:\ Mapped Network Drive

10. Leave HTTHost running, and do not turn off the Windows Server 2008 virtual machine.
11. Switch to the Windows Server 2008 host machine, and install HTTPort from D:\CEH-Tools\CEHv7 Module 16 Evading IDS, Firewalls and Honeypots.
12. Follow the wizard-driven installation steps.
13. Open HTTPort from Start → All Programs → HTTPort 3.5NFM → HTTPort 3.5NFM.
14. The HTTPort window appears as shown in the following figure.

Note: To use HTTPort you point your client software (browser, FTP client, mail client) at 127.0.0.1, that is, at the local port of the mapping you create, instead of at the real server.

[Figure: HTTHost 1.8.5, Options tab. Network: Bind external to 0.0.0.0; Bind listening to 0.0.0.0, port 80; Allow access from 0.0.0.0; Personal password (masked). Pass through unrecognized requests to: host name or IP 127.0.0.1, port 81, original IP header field x-Original-IP. Timeouts; Max. local buffer 256K; Revalidate DNS names; Log connections (checked); Apply. Other tabs: Statistics, Application log, Security, Send a Gift.]

FIGURE 4.3: HTTHost Options tab

[Figure: HTTPort 3.5NFM main window with tabs System, Proxy, Port mapping, About, Register. Proxy tab: HTTP proxy to bypass (blank = direct or firewall) with Host name or IP address and Port; Proxy requires authentication with Username and Password; Bypass mode: Remote host; Misc. options: User-Agent; Use personal remote host at (blank = use public) with Host name or IP address, Port and Password; a "This button helps" hint beside the help button.]

FIGURE 4.4: HTTPort Main Window


15. Select the Proxy tab and enter the Host name or IP address of the targeted machine.
16. Here, as an example, enter the Windows Server 2008 virtual machine IP address, and enter Port number 80. Note that in this lab there is no real corporate proxy between the two machines: the "HTTP proxy to bypass" field and the personal remote host (step 18) both point at the HTTHost machine. Where there is no proxy the dialog's own hint applies and the field can be left blank (direct or firewall mode); where there is one, this is where its address and port go.
17. The Username and Password fields are not needed here; they only apply when "Proxy requires authentication" is checked.
18. In the Use personal remote host at section, enter the targeted host machine IP address, and the port should be 80.
19. Enter the Personal Password you set in HTTHost in step 8. Here, as an example, the password is magic.

[Figure: HTTPort 3.5NFM, Proxy tab filled in: HTTP proxy to bypass with the virtual machine address and port 80; Proxy requires authentication unchecked; Bypass mode: Remote host; User-Agent: IE 6.0; Use personal remote host at: 10.0.0.3, port 80, password masked.]

FIGURE 4.5: HTTPort Proxy settings window

20. Select the Port mapping tab and click Add to create a New mapping.

Note: HTTPort comes with the predefined mapping "External HTTP proxy" of local port

Note: For each piece of software you create a custom mapping for every address it connects to. For applications that change ports dynamically there is the SOCKS4 proxy mode, in which HTTPort runs a local SOCKS server on 127.0.0.1 (port 1080, see the Port mapping tab) that the application is pointed at instead.

Note: In real-world environments, companies sometimes use a password-protected proxy to let employees access the Internet.


[Figure: HTTPort 3.5NFM, Port mapping tab. Static TCP/IP port mappings (tunnels): a tree with New mapping, Local port, Remote host (remote.host.name) and Remote port nodes; Add and Remove buttons; "Select a mapping to see statistics" (No stats, inactive) and LEDs. Built-in SOCKS4 server: Run SOCKS server (port 1080), checked; Available in "Remote Host" mode: Full SOCKS4 support (BIND).]

FIGURE 4.6: HTTPort creating a New Mapping

21. Select the New mapping node, right-click it, and select Edit.

[Figure: HTTPort Port mapping tab with the context menu (Edit) open on the New mapping node; Local port, Remote host (remote.host.name) and Remote port nodes below it; SOCKS4 server options as in Figure 4.6.]

FIGURE 4.7: HTTPort editing a mapping

22. Rename it to ftp certified hacker, then select the Local port node, right-click to Edit and enter a port value of 80. This local port is the address the FTP client will have to be pointed at (127.0.0.1:80); if you want a plain "ftp 127.0.0.1" to land on the tunnel, use 21 here instead.
23. Right-click the Remote host node to Edit and rename it to ftp.certifiedhacker.com.
24. Right-click the Remote port node to Edit and enter the port value 21.

Note: HTTHost supports registration, but it is free and password-free; you will be issued a unique ID with which you can contact the support team and ask your questions.


[Figure: HTTPort 3.5NFM, Port mapping tab with the completed mapping: Local port set, Remote host ftp.certifiedhacker.com, Remote port 21; Run SOCKS server (port 1080) checked; Full SOCKS4 support (BIND) available in Remote Host mode.]

FIGURE 4.8: HTTPort static TCP/IP port mapping

25. Click Start on the Proxy tab of HTTPort to start the HTTP tunnel.

[Figure: HTTPort 3.5NFM, Proxy tab at the moment of starting: HTTP proxy to bypass filled with the virtual machine address (10.0.0.x) and port 80; Proxy requires authentication unchecked; Bypass mode: Remote host; Use personal remote host at 10.0.0.3, port 80, password masked.]

FIGURE 4.9: HTTPort about to start tunneling

26. Switch to the Windows Server 2008 virtual machine and click the Application log tab in HTTHost.
27. Check the last line. If it reads "LISTENER: listening at 0.0.0.0:80", HTTHost is running properly. A "Listener" error here usually means port 80 is still held by IIS (step 1).


Note: In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box, because it only supports non-password-protected proxies.


HTTHost 1.8.5, Application log tab (each line is prefixed MAIN in the tool; lines cut off at the window edge are shown with "..."):

    HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
    Project codename: 99 red balloons
    Written by Dmitry Dvoinikov (c) 1999-2004, Dmitry Dvoinikov
    64 total available connection(s)
    network started
    RSA keys initialized
    loading security filters...
    loaded filter "grant.dll" (allows all connections within ...
    loaded filter "block.dll" (denies all connections within ...
    done, total 2 filter(s) loaded
    using transfer encoding: PrimeScrambler64/SevenT...
    LISTENER: listening at 0.0.0.0:80

Tabs: Statistics, Application log, Options, Security, Send a Gift.

FIGURE 4.10: HTTHost Application log section
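The tunnel that steps 6 to 27 set up works because everything between HTTPort and HTTHost is ordinary HTTP: the local application talks to a port on 127.0.0.1, HTTPort wraps those bytes in HTTP requests to the HTTHost machine, and HTTHost owns the real TCP connection to the destination. The script below is an added example written for this page, not HTTPort's or HTTHost's code and not their wire protocol (which the manual describes as encrypted); it implements the same three roles on localhost with a plain, unencrypted POST-based exchange. A constructed upper-casing echo service stands in for the FTP server, and the 0.2-second poll interval and the "Mozilla/4.0" User-Agent are this example's own assumptions. Run it with python3; it prints the reply that travelled local port → HTTP → tunnel server → target and back.

```python
# Added example for this page (not HTTPort/HTTHost code): the same three roles as the lab, on localhost.
import http.client
import http.server
import socket
import socketserver
import threading
import urllib.parse
import uuid

class EchoHandler(socketserver.BaseRequestHandler):
    """Target service (stands in for the FTP server on port 21): upper-cases what it receives."""
    def handle(self):
        for data in iter(lambda: self.request.recv(4096), b""):
            self.request.sendall(data.upper())

class TunnelHandler(http.server.BaseHTTPRequestHandler):
    """HTTHost role: one real TCP socket per session id; POST body in, target's reply out."""
    sessions = {}
    lock = threading.Lock()  # demo simplification: sessions are served one at a time

    def do_POST(self):
        q = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        sid = q["sid"][0]
        upstream = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        downstream = b""
        with self.lock:
            if "close" in q:                     # local application hung up: drop the real connection
                sock = self.sessions.pop(sid, None)
                if sock:
                    sock.close()
            else:
                sock = self.sessions.get(sid)
                if sock is None:                 # first POST of a session opens the target
                    host, port = q["target"][0].rsplit(":", 1)
                    sock = socket.create_connection((host, int(port)))
                    sock.settimeout(0.2)         # assumed poll interval
                    self.sessions[sid] = sock
                sock.sendall(upstream)
                try:
                    downstream = sock.recv(65536)  # whatever the target has answered so far
                except socket.timeout:
                    pass
        self.send_response(200)
        self.send_header("Content-Length", str(len(downstream)))
        self.end_headers()
        self.wfile.write(downstream)

def tunnel_client_session(local_sock, tunnel_addr, target):
    """HTTPort role: relay one accepted local connection through HTTP POSTs to the tunnel server."""
    path = "/tunnel?sid=%s&target=%s" % (uuid.uuid4().hex, urllib.parse.quote(target))
    conn = http.client.HTTPConnection(*tunnel_addr)  # reconnects by itself after HTTP/1.0 replies
    local_sock.settimeout(0.2)                       # assumed poll interval
    try:
        while True:
            try:
                chunk = local_sock.recv(4096)
                if not chunk:                    # local application closed the connection
                    break
            except socket.timeout:
                chunk = b""                      # nothing to send: poll for downstream data
            conn.request("POST", path, body=chunk, headers={"User-Agent": "Mozilla/4.0"})  # assumed UA
            local_sock.sendall(conn.getresponse().read())
    finally:
        conn.request("POST", path + "&close=1", body=b"")
        conn.getresponse().read()
        conn.close()

def run_demo(message=b"hello through the tunnel"):
    """Start target, tunnel server and one local mapping; push message through; return the reply."""
    target = socketserver.ThreadingTCPServer(("127.0.0.1", 0), EchoHandler)
    target.daemon_threads = True
    tunnel = http.server.ThreadingHTTPServer(("127.0.0.1", 0), TunnelHandler)
    for srv in (target, tunnel):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    target_addr = "127.0.0.1:%d" % target.server_address[1]
    listener = socket.socket()                   # the mapping's "local port" on 127.0.0.1
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def accept_one():
        tunnel_client_session(listener.accept()[0], tunnel.server_address, target_addr)
    worker = threading.Thread(target=accept_one, daemon=True)
    worker.start()
    # "Any software": a plain TCP client that only knows about 127.0.0.1:<local port>
    with socket.create_connection(listener.getsockname()) as client:
        client.settimeout(5)
        client.sendall(message)
        received = b""
        while len(received) < len(message):
            received += client.recv(4096)
    worker.join(5)
    for srv in (target, tunnel):
        srv.shutdown()
        srv.server_close()
    return received

if __name__ == "__main__":
    print(run_demo())
```

The access-log lines the tunnel server writes to stderr while this runs (one POST per poll, all to the same path on the same host) are exactly what a proxy or HTTP-aware firewall gets to see of the session, which is the point for the firewall part of this lab: the only outbound connection from the client host goes to the tunnel server's HTTP port, so a rule matching remote port 21 never sees the FTP session, while a proxy log does record every request to the tunnel host.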

28. Switch to the Windows Server 2008 host machine and turn ON the Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
30. Select Outbound Rules in the left pane of the window, then click New Rule in the right pane of the window.

[Figure: Windows Firewall with Advanced Security, Outbound Rules view. The right pane offers New Rule..., Filter by Profile, Filter by State, Filter by Group, View, Refresh, Export List..., Help. The list shows the default outbound rules (BITS Peercaching, Client for NFS, Core Networking DNS/DHCP/Group Policy/IGMP/IPv6/Multicast Listener/Neighbor Discovery/Packet Too Big/Parameter Problem/Router Advertisement/Router Solicitation/Teredo/Time Exceeded, Distributed Transaction Coordinator, File and Printer Sharing, Hyper-V, iSCSI Service, Network Discovery) with Group, Profile, Enabled and Action columns.]

FIGURE 4.11: Windows Firewall with Advanced Security window in Windows Server 2008

31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.


Note: HTTPort doesn't really care about the proxy as such; it works with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

32. Select TCP and then All local ports in the Protocol and Ports section, and click Next.

Note: You need to install HTTHost on a PC that is generally reachable from the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for HTTHost on home PCs:

33. In the Action section, select Block the connection and click Next.

[Figure: New Outbound Rule Wizard, Rule Type page. "What type of rule would you like to create?" with the options Program (rule that controls connections for a program), Port (rule that controls connections for a TCP or UDP port, selected), Predefined (rule that controls connections for a Windows experience) and Custom (custom rule); steps listed at left: Rule Type, Protocol and Ports, Action, Profile, Name; Next, Cancel.]

FIGURE 4.12: Windows Firewall selecting a Rule Type

[Figure: New Outbound Rule Wizard, Protocol and Ports page. "Does this rule apply to TCP or UDP?" with TCP selected; "Does this rule apply to all local ports or specific local ports?" with All local ports selected and Specific local ports (example: 80, 443, 1) empty; Back, Next, Cancel.]

FIGURE 4.13: Windows Firewall assigning Protocols and Ports


Note: NAT/firewall issues: you need to enable an incoming port. For HTTHost it will typically be 80 (HTTP) or 443 (HTTPS), but any port can be used IF the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.

34. In the Profile section, select all three options, so that the rule applies to Domain, Private and Public, and click Next.
35. Type Port 21 Blocked in the Name field, and click Finish.

[Figure: New Outbound Rule Wizard, Action page. "What action should be taken when a connection matches the specified conditions?" with Allow the connection, Allow the connection if it is secure (only IPsec-authenticated and integrity-protected connections, with an optional Require the connections to be encrypted), and Block the connection, which is selected; Back, Next, Cancel.]

FIGURE 4.14: Windows Firewall setting an Action

[Figure: New Outbound Rule Wizard, Profile page. "When does this rule apply?" with Domain (applies when a computer is connected to its corporate domain), Private (applies when a computer is connected to a private network location) and Public (applies when a computer is connected to a public network location), all three checked; Back, Next, Cancel.]

FIGURE 4.15: Windows Firewall Profile settings


Note: The default TCP port for an FTP control connection is port 21. Sometimes the local Internet Service Provider blocks this port, which results in FTP connection failures.

36. The new rule Port 21 Blocked is created as shown in the following figure.


Note: HTTP is the basis of web surfing, so if you can freely surf the web from where you are, HTTPort will bring you the rest of the Internet applications.

37. Right-click the newly created rule and select Properties.

[Figure: New Outbound Rule Wizard, Name page. Name: Port 21 Blocked; Description (optional) left empty; Back, Finish, Cancel.]

FIGURE 4.16: Windows Firewall assigning a name to the port rule

[Figure: Windows Firewall with Advanced Security, Outbound Rules view, with the new Port 21 Blocked rule at the top of the list (no group, profile Any, enabled Yes, action Block) above the default rules; the right pane shows the rule actions Disable Rule, Delete, Properties, Help.]

FIGURE 4.17: Windows Firewall new rule


[Figure: Outbound Rules view with Port 21 Blocked selected and its context menu open: Disable Rule, Delete, Properties, Help. Status bar: "Opens the properties dialog box for the current selection."]

FIGURE 4.18: Windows Firewall new rule properties

38. Select the Protocols and Ports tab. Change the Remote port option to Specific Ports and enter the port number 21.
39. Leave the other settings at their defaults and select Apply → OK. The rule now matches outbound TCP from any local port to remote port 21, which is the direct route an FTP client takes; the tunnel leaves the host as HTTP to the HTTHost machine on port 80 and is not matched.
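Steps 28 to 39 build the outbound rule through the wizard. The commands below are an added example for this page, not part of the lab manual: they create the same rule from an elevated prompt with netsh advfirewall (the command-line tool available on Windows Server 2008 and 2008 R2), show it, and then probe which connections the rule actually affects. The HTTHost address 10.0.0.3 is taken from Figure 4.5 and local port 80 from step 22; the Test-Port helper and its 3-second timeout are this example's own.

```powershell
# Added example (not from the lab manual). Run from an elevated PowerShell prompt on the
# Windows Server 2008 host; the netsh lines are the same ones you would type in cmd.exe.

# Steps 28-39 in one go: firewall on for every profile, then an outbound block rule for
# TCP, any local port, remote port 21, all three profiles.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="Port 21 Blocked" dir=out action=block protocol=TCP remoteport=21 profile=any
netsh advfirewall firewall show rule name="Port 21 Blocked"
# Windows Server 2012 and later also have the cmdlet form:
# New-NetFirewallRule -DisplayName "Port 21 Blocked" -Direction Outbound -Action Block -Protocol TCP -RemotePort 21

# Probe what the rule actually matches. An outbound connect that the firewall drops is not
# refused, it just never completes, so each probe gets a bounded wait instead of the default.
function Test-Port {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if ($handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            "${Target}:${Port} open"
        } else {
            "${Target}:${Port} blocked or closed"
        }
    } catch {
        "${Target}:${Port} blocked or closed ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

Test-Port "ftp.certifiedhacker.com" 21   # direct FTP: remote port 21, matched by the rule
Test-Port "10.0.0.3" 80                  # HTTHost machine (address from Figure 4.5): remote port 80, not matched
Test-Port "127.0.0.1" 80                 # HTTPort's local port for the ftp mapping (value from step 22)
```

The three probes separate the two things the lab mixes together: the first shows the rule doing its job on a direct connection, the second shows that the same rule says nothing about the HTTP leg the tunnel uses, and the third only succeeds while HTTPort is started (step 25), because that is when its local listener exists.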

Note: HTTPort enables you to bypass your HTTP proxy in case it blocks you from the Internet.

Note: With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software ... HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

40. Type ftp 127.0.0.1 in the command prompt and press Enter. The connection is blocked at the local host in Windows Server 2008. Note that ftp 127.0.0.1 connects to 127.0.0.1:21, whereas the mapping created in step 22 listens on local port 80; to push the FTP session through the tunnel, either point the client at the mapped port (in ftp.exe: open 127.0.0.1 80) or set the mapping's local port to 21.

[Figure: Port 21 Blocked Properties, Protocols and Ports tab (other tabs: General, Programs and Services, Computers, Scope, Advanced). Protocol type as chosen in the wizard; Local port: All Ports; Remote port: Specific Ports, 21 (example: 80, 445, 8080); Internet Control Message Protocol (ICMP) settings not applicable; OK, Cancel, Apply.]

FIGURE 4.19: Firewall Port 21 Blocked Properties


Note: HTTPort neither freezes nor hangs. What you are experiencing is known as a "blocking operation": the window stops responding while a connection attempt waits for the remote side.

FIGURE 4.20: ftp connection is blocked

41. Now open a command prompt on the Windows Server 2008 host machine, type ftp ftp.certifiedhacker.com and press Enter. This is the direct route to remote port 21 that the new outbound rule is written to block; the tunneled route of step 40 is the one that leaves the host as HTTP.

c \ . A dm intstrator Command Prompt - ftp ftp.certifiedhacker.com

IC:\Users\Adninistrator>ftp ftp .ce rt ifiedhacker.con Connected to ftp .certifiedJhacker.con.220-hicrosoft FTP Seruice220 IJelcopte TO FTP AccountUser Cftp.certifiedhacker.con:<none>>: _

2^7 H T T P o rt makes i t possible to open a client side o f a T C P /IP connection and provide i t to any software. The keywords here are: " client" and " any software".

F IG U R E 4.21: Executing ftp command

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
    Proxy server used: 10.0.0.4
    Port scanned: 80
    Result: ftp 127.0.0.1 connected to 127.0.0.1


Questions
1. How would you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine what to do if the software does not allow editing the address it connects to.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☐ iLabs
