LAB MANUAL
Mr. SAYYAN SHAIKH
For VI Semester (CS &E) Diploma Engineering
GOVERNMENT POLYTECHNIC,
KARWAR
2014-2015
Date:
___
Date :
Experiment 1: Learn to install Wine/VirtualBox or any other equivalent software on the host OS.
Virtualization is the process of emulating hardware inside a virtual machine. This process of
hardware emulation duplicates the physical architecture needed for the program or process to function.
Virtualization allows us to create a virtual version of something, such as an operating system, a server, a
storage device or network resources.
A host operating system (OS) is the original OS installed on a computer. Other operating systems are
sometimes installed on a computer.
A guest OS is an operating system that is installed in a virtual machine or disk partition in addition to
the host or main OS. In virtualization, a single computer can run more than one OS at the same time.
In a virtualization solution, a guest OS can be different from the host OS.
VMware Workstation:
One of the first companies to develop a virtual product was VMware, www.vmware.com.
VMware lets us create and run a host of operating systems from one base system. We also gain the
ability to drag and drop files into the virtual system and to fully configure the virtual OS.
VMware Workstation even supports an option known as snapshots, which means we can set a base
point to which we can easily return.
To install VMware Workstation, we need to purchase a copy or download an evaluation copy.
We need about 25MB to download and install VMware Workstation. Just remember that amount of
memory is just to load the program. Each virtual system we install will require much more. On
average, we will need 3GB to 8GB for each virtual OS we install. Memory is another important issue.
Although the documentation might state that a minimum of 128MB to 256MB of memory is needed,
this typically won't be enough for anything more than a basic command-line install of Linux. Expect
operating systems such as Windows to require much more. Insufficient memory will devastate
performance on both the guest (VM) and host OS.
The basic steps required to install VMware Workstation on the host OS:
1. Log on to our installed Windows XP system as a user with Administrator privileges.
2. Download the newest VMware Workstation distribution from www.vmware.com/download and
then click it. We need an email address so that the key can be sent to us. If we do not want to
purchase the program at this time, VMware will send us a key that is valid for 30 days.
3. Read the end-user license agreement. This explains the licensing terms. Click Yes to continue.
4. We are now prompted to set the install location. The default is C:\Program Files\VMware.
Keep this default unless we have a really good reason to change it.
5. Now, select any folder to install, and click Next.
6. Wait a few minutes while the installer creates all necessary files on our system, as shown in
the figure below.
7. Because Windows systems use AutoRun for their CD/DVD players, the VMware installer will
ask whether we want to turn AutoRun off. We should say yes, because having it on can affect
the functionality of the virtual machines.
8. If we have any previous versions of VMware Workstation, we are prompted to remove them.
We are also prompted to create a VMware Workstation icon on our Windows desktop. Click
Yes when prompted.
9. As with almost all Windows application installs, we are prompted to reboot our computer after
the installation process is complete.
10. When the system reboots, VMware Workstation is installed. Opening the program will display
a screen similar to the figure below.
11. Enter a serial number. Remember that we can get a free, temporary evaluation license or buy a
full license.
12. From this point forward, it is assumed that we have installed the files in the default location at
C:\Program Files\VMware\VMware Workstation.
13. In addition to a few shortcuts to Workstation, online help, and the uninstaller, we will find
documentation in a compiled HTML help file for Internet Explorer or our browser located in
the Workstation Programs folder: VMware.chm.
14. If we look in the Programs directory, we will see that there are a number of utility programs
and auxiliary files such as linux.iso, windows.iso, and freebsd.iso.
15. These ISOs contain the information used to install VMware Tools for Linux and Windows guest
systems. This will allow us the functionality to do things such as drag and drop files from the
host OS to the virtual system. These files don't need to be transferred to actual CDs to use
them;
16. VMware will automatically attach them to the guest system when we perform a tools
installation.
17. At the end, install the BackTrack 5 OS into our virtual machine.
Step 5: Give VM name as Backtrack and select the path and Click on Next.
Step 6: Give max disk size as 15GB and select store virtual disk as a single file then Click on Next.
Step 9: Now the BackTrack installation will start. Give the command startx and press Enter.
Step 10: Now select the language default as English and press Forward
Step 13: Select the default keyboard layout as USA and click Forward
Step 14: Select the Erase the disk space and click Forward
Step 18: Enter Login as root and Password as toor and press Enter
Experiment 2: Perform an experiment to grab a banner with telnet and perform the task using Netcat.
Banner Grabbing is a technique to determine which application or service is running on the
specified port by attempting to make a connection to this host and sending some information. With this
request of information a user can be sent back some information about the service such as the name of
the service running, the version, the type of system the service is running on as well as other
information depending on what the application delivers back to a user.
Banner Grabbing is an enumeration technique used to get information about computer
systems on a network and the services running on their open ports. Administrators can use this to take
inventory of the systems and services on their network. An intruder, however, can use banner grabbing
in order to find network hosts that are running versions of applications and operating systems with
known exploits.
Banner Grabbing can be performed in two ways:
1. ONLINE (through an Internet connection, by connecting to remote websites)
2. OFFLINE (through the local LAN, or to a VirtualBox guest OS)
Some examples of service ports used for banner grabbing are those used by Hyper Text Transfer
Protocol (HTTP) -80, File Transfer Protocol (FTP) -21, and Simple Mail Transfer Protocol
(SMTP) -25. Tools commonly used to perform banner grabbing are Telnet- which is included with
most operating systems and Netcat.
Introduction to Telnet:
Telnet is a terminal emulation program for TCP/IP networks such as the Internet that operates
on port 23. The Telnet program runs on our computer and connects our PC to a server on the network.
For banner grabbing, we will be using the Telnet client. The telnet client is more of a legacy
piece of command line software that is still installed on most Operating Systems by default.
The basic telnet syntax is: telnet [target ip] [port]
Introduction to Netcat:
Another way of banner grabbing is to use the tool Netcat. This versatile tool is sometimes
called the Swiss army knife of hacking tools because it can be used in many different ways. Netcat is
one of the most commonly used anti-hacking tools, and its features include port scanning, transferring
files, and port listening, and it can be used as a backdoor.
Netcat is a computer networking service for reading from and writing network connections
using TCP or UDP. Netcat is designed to be a dependable back-end device that can be used directly
or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging
and investigation tool, since it can produce almost any kind of correlation we would need and has a
number of built-in capabilities.
The basic netcat syntax is: netcat [target ip] [port]
Useful options: -vv = verbose mode, -n = numeric IP addresses only (no DNS resolution).
Step 4: Now we can see the rediff website's web server information.
We can also try it on our local machine by connecting to our guest OS, i.e. telnet followed by the guest IP
address and port (example: telnet 192.168.56.101 80), and then press Enter twice.
With Netcat: nc www.rediff.com 80 (the HTTP port), then press Enter twice to see the result.
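The telnet and Netcat steps above do by hand what a small program can do for taking inventory of our own lab hosts: connect, send a minimal request, read whatever the service answers, and pull out the part that identifies the software (for HTTP, the Server header). The following is an added example, not code from the manual; it starts a constructed fake HTTP server on the loopback interface so the exchange can be run offline, and the banner it returns is made up for the test.

```python
import socket
import threading

# Constructed sample response; a real server sends its own greeting (SMTP, FTP)
# or answers an HTTP request with a Server header of its own.
FAKE_HTTP_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: ExampleHTTPd/1.2.3 (constructed sample)\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def start_fake_server(response: bytes) -> int:
    """Start a one-shot TCP service on 127.0.0.1 that answers the first client
    with `response`. Returns the port it listens on (chosen by the kernel)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)            # read the client's probe, then answer it
        conn.sendall(response)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int,
                probe: bytes = b"HEAD / HTTP/1.0\r\n\r\n",
                timeout: float = 3.0) -> bytes:
    """Connect, send `probe` (the two Enter presses of the telnet step are the
    blank line that ends an HTTP request), and return everything the service
    sends back before it closes the connection or the timeout expires."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while True:
                data = s.recv(4096)
                if not data:       # service closed the connection
                    break
                chunks.append(data)
        except socket.timeout:
            pass                   # service stayed silent; return what we have
    return b"".join(chunks)


def parse_http_server_header(banner: bytes):
    """Return the value of the Server header, or None if the banner has none."""
    for line in banner.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return None


if __name__ == "__main__":
    port = start_fake_server(FAKE_HTTP_RESPONSE)
    banner = grab_banner("127.0.0.1", port)
    print(banner.decode(errors="replace"))
    print("Server header:", parse_http_server_header(banner))
```

The same `grab_banner` call with an empty probe collects the greeting that SMTP (port 25) and FTP (port 21) servers send before the client types anything, which is why the manual lists those ports as banner-grabbing targets. From an inventory point of view, the value is in comparing the extracted version strings against what is supposed to be installed and patched.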
Experiment 3: Perform an experiment for Port Scanning with nmap, SuperScan or any other equivalent
software.
Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding
which services and applications are open on the target machine.
Port Scanning is one of the most popular techniques attackers use to discover services they can
break into. All machines connected to a LAN or connected to Internet via a modem run many services
that listen at well-known and not so well-known ports. By port scanning the attacker finds which ports
are available (i.e., being listened to by a service). Essentially, a port scan consists of sending a
message to each port, one at a time. The kind of response received indicates whether the port is used
and can therefore be probed further for weakness.
Port: A port is an application-specific or process-specific software construct serving as a
communications endpoint in a computer's host operating system. A port is always associated with an
IP address of a host and the protocol type of the communication. It completes the destination or
origination address of a communications session. A port is identified for each address and protocol by
a 16-bit number, commonly known as the port number.
Port Number: Port numbers are unique only within a computer system. Port numbers are 16-bit unsigned
numbers. The port numbers are divided into three ranges: the Well Known Ports (0-1023), the
Registered Ports (1024-49151), and the Dynamic and/or Private Ports (49152-65535). All the
operating systems now honor the tradition of permitting only the super-user to open the ports numbered 0
to 1023. Some of the ports are listed below:
Service        Port
echo           7/tcp
ftp-data       20/tcp
ftp-control    21/tcp
ssh            22/tcp
telnet         23/tcp
smtp           25/tcp
domain (DNS)   53/tcp
www-http       80/tcp
https          443/tcp
Nmap
Nmap ("Network Mapper") is a free and open source (license) utility for network exploration
or security auditing. Many systems and network administrators also find it useful for tasks such as
network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap
uses raw IP packets in novel ways to determine what hosts are available on the network, what services
(application name and version) those hosts are offering, what operating systems (and OS versions)
they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It
was designed to rapidly scan large networks, but works fine against single hosts.
Nmap runs on all major computer operating systems, and official binary packages are available
for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the
Nmap suite includes an advanced GUI and results viewer (Zenmap) and a flexible data transfer,
redirection, and debugging tool (Ncat).
Nmap recognizes the following port states: open, closed, filtered, unfiltered, open|filtered and
closed|filtered.
Open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations
on this port. Finding these is often the primary goal of port scanning. Security minded people know
that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports,
while administrators try to close or protect them with firewalls without thwarting legitimate users.
Open ports are also interesting for non-security scans because they show services available for use on
the network.
Closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no
application listening on it. They can be helpful in showing that a host is up on an IP address (host
discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may
be worth scanning later in case some open up. Administrators may want to consider blocking such
ports with a firewall. Then they would appear in the filtered state.
Filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes
from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information.
Unfiltered: The unfiltered state means that a port is accessible, but Nmap is unable to determine
whether it is open or closed. Only the ACK scan, which is used to map firewall rule sets, classifies
ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan,
or FIN scan, may help resolve whether the port is open.
Open|filtered: Nmap places ports in this state when it is unable to determine whether a port is open or
filtered. This occurs for scan types in which open ports give no response. The lack of response could
also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know
for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans
classify ports this way.
Closed|filtered: This state is used when Nmap is unable to determine whether a port is closed or
filtered. It is only used for the IP ID idle scan.
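The open, closed and filtered states above are defined by what comes back from a probe, and the simplest probe is the full TCP connect() that Nmap calls a connect scan. The following is an added example, not code from the manual or from Nmap: it classifies one port from the outcome of connect() and, so that it runs offline, constructs an open port (a loopback socket that is listening) and a closed port (a loopback port nothing listens on). The filtered branch is only reachable against a host that silently drops the probe, which cannot be constructed on the loopback interface.

```python
import errno
import socket


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Full-connect probe of one TCP port, mapped onto Nmap's state names.
    open:     the three-way handshake completed, so something is listening.
    closed:   the host answered with a RST (connection refused).
    filtered: no answer before the timeout, which is what a firewall that
              drops the probe looks like from the outside."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))   # errno value instead of an exception
    except OSError:
        rc = -1                            # resolver or stack error: treat as no answer
    finally:
        s.close()
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    # EAGAIN/EWOULDBLOCK is what connect_ex reports when the timeout expires.
    # A real scanner also separates host-unreachable errors from silence.
    return "filtered"


def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Probe each port in turn and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def make_listening_socket():
    """Constructed fixture: a loopback listener that never calls accept().
    The kernel still completes handshakes into its backlog, so it reads as open."""
    lis = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lis.bind(("127.0.0.1", 0))
    lis.listen(5)
    return lis, lis.getsockname()[1]


def find_unused_port() -> int:
    """Constructed fixture: ask the kernel for a free loopback port and release
    it again, so that nothing is listening there when we probe it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    listener, open_port = make_listening_socket()
    closed_port = find_unused_port()
    for port, state in scan_ports("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port:<6} {state}")
    listener.close()
```

A connect scan completes the handshake, so the probed service logs a connection and an administrator reading those logs sees the scan; this is the detection trade-off that makes Nmap's half-open SYN scan the default when it has raw-socket privileges.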
Experiment 4:
Using nmap 1) Find Open ports on a system 2) Find machines which are active 3) Find
the version of remote OS on other systems 4) Find the version of s/w installed on other
system (using nmap or any other software).
The different scanning methods that network attackers use are:
1. Vanilla scan/SYN scan: TCP SYN packets are sent to each address and port in an attempt to
connect to all ports. Port numbers 0 to 65,535 are utilized.
2. Strobe scan: Here, the attacker attempts to connect to a specific range of ports that are
typically open on Windows based hosts or UNIX/Linux based hosts.
3. Sweep: A large set of IP addresses are scanned in an attempt to detect a system that has one
open port.
4. Passive scan: Here, all network traffic entering or leaving the network is captured and traffic is
then analyzed to determine which ports are open on the hosts within the network.
5. User Datagram Protocol (UDP) scan: Empty UDP packets are sent to the different ports of a
set of addresses to determine how the operating system responds. Closed UDP ports respond with the
Port Unreachable message when any empty UDP packets are received. Other operating
systems respond with the Internet Control Message Protocol (ICMP) error packet.
6. FTP bounce: To hide the attacker's location, the scan is initiated from an intermediary File
Transfer Protocol (FTP) server.
7. FIN scan: TCP FIN packets, which specify that the sender wants to close a TCP session, are sent
to each port for a range of IP addresses.
Experiment 5:
Perform an experiment on Active and Passive finger printing using XProbe2 and Nmap.
Fingerprinting is a process in scanning phase in which an attacker tries to identify Operating System
(OS) of target system.
Fingerprinting can be classified into two types
1. Active Stack Fingerprinting
2. Passive Stack Fingerprinting
1. Active Stack Fingerprinting
It involves sending data to the target system and then seeing how it responds. Based on the fact
that each system will respond differently, the response is compared with a database and the OS is
identified. It is a commonly used method, though there are high chances of getting detected. It can be
performed in the following ways.
Using Nmap: Nmap is a port scanning tool that can be used for active stack OS fingerprinting.
Syntax: nmap -O IP_address
Example: nmap -O 192.168.1.88
Using Xprobe2: It is a UNIX-only active stack fingerprinting tool that also runs on Linux. It can not only
detect the OS but also devices and their version numbers.
Syntax: xprobe2 -v IP_address
Example: xprobe2 -v 192.168.1.88
nmap -O 192.168.1.88
p0f -i eth0 -vt
Experiment 6:
Perform an experiment to demonstrate how to sniff router traffic by using the tool
Cain and Abel / Wireshark / tcpdump.
Sniffing refers to the process of capturing and analyzing network traffic. The contents of the packets
on a network are analyzed. The tools that attackers use for sniffing are called sniffers or, more
correctly, protocol analyzers. While protocol analyzers are really network troubleshooting tools,
hackers also use them for malicious purposes.
A sniffer is an application or device that can read, monitor, and capture network data
exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of
the data inside the packet. Even encapsulated packets can be broken open and read unless they are
encrypted and the attacker does not have access to the key. Sniffers monitor, capture, and obtain
network information such as passwords and valuable customer information.
A packet sniffer, sometimes referred to as a network monitor or network analyzer, can be used
by a network or system administrator to monitor and troubleshoot network traffic. Using the
information captured by the packet sniffer an administrator can identify erroneous packets and use the
data to pinpoint bottlenecks and help maintain efficient network data transmission.
In its simple form a packet sniffer simply captures all of the packets of data that pass through a
given network interface. By placing a packet sniffer on a network in promiscuous mode, a malicious
intruder can capture and analyze all of the network traffic.
What is Wireshark?
Wireshark is a network packet analyzer. A network packet analyzer tries to capture
network packets and to display the packet data in as much detail as possible. We could think of a
network packet analyzer as a measuring device used to examine what's going on inside a network
cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable
(but at a higher level, of course).
In the past, such tools were either very expensive, proprietary, or both. However, with the
advent of Wireshark, all that has changed. Wireshark is perhaps one of the best open source packet
analyzers available today.
Some intended purposes of Wireshark:
Network administrators use it to troubleshoot network problems.
Network security engineers use it to examine security problems.
Developers use it to debug protocol implementations.
People use it to learn network protocol internals.
Wireshark is used to capture and examine encrypted and unencrypted wireless traffic. Use the
Wireshark program that is preinstalled in Backtrack, or we can download the Windows version from
www.wireshark.org.
1. After loading Wireshark, we will see several options across the top of the program. Select
Capture Options to configure the program. Make sure to choose the correct interface (NIC)
adapter and set the program to update packets in real time and for automatic scrolling.
2.
3. After a few packets have been captured, stop Wireshark. We will see information displayed in
three different views. The top window shows all packets that were captured. Clicking one of
these will display that frame's contents in the middle frame; we may also note that the bottom
frame displays the actual hex dump. While reading hex is not mandatory, notice the first 16
bytes of the frame. The first 8 bytes are the destination MAC and the second 8 bytes are the
source MAC.
4. Now use Wireshark to capture and analyze some wireless traffic with and without encryption.
Note that the MAC addresses will be visible in both.
When we run the Wireshark program, the Wireshark graphical user interface shown below will be
displayed. Initially, no data will be displayed in the various windows.
The packet-header details window provides details about the packet selected (highlighted) in
the packet listing window. (To select a packet in the packet listing window, place the cursor
over the packets one-line summary in the packet listing window and click with the left mouse
button.). These details include information about the Ethernet frame (assuming the packet was
sent/received over an Ethernet interface) and IP datagram that contains this packet. The amount
of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on the
plus-or-minus boxes to the left of the Ethernet frame or IP datagram line in the packet details
window. If the packet has been carried over TCP or UDP, TCP or UDP details will also be
displayed, which can similarly be expanded or minimized. Finally, details about the highest
level protocol that sent or received this packet are also provided.
The packet-contents window displays the entire contents of the captured frame, in both ASCII
and hexadecimal format.
Towards the top of the Wireshark graphical user interface is the packet display filter field,
into which a protocol name or other information can be entered in order to filter the
information displayed in the packet-listing window (and hence the packet-header and packet-contents windows). In the example below, we'll use the packet-display filter field to have
Wireshark
Capturing Packets
After downloading and installing Wireshark, we can launch it and click the name of an
interface under Interface List to start capturing packets on that interface. For example, if we want to
capture traffic on the wireless network, click our wireless interface. We can configure advanced
features by clicking Capture Options.
As soon as we click the interface's name, we will see the packets start to appear in real time.
Wireshark captures each packet sent to or from our system. If we are capturing on a wireless interface
and have promiscuous mode enabled in our capture options, we will also see the other packets on
the network.
Click the stop capture button near the top left corner of the window when we want to stop
capturing traffic.
Color Coding
Observe the packets highlighted in green, blue, and black. Wireshark uses colors to help us to
identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic,
light blue is UDP traffic, and black identifies TCP packets with problems.
Sample Captures
If there's nothing interesting on our own network to inspect, Wireshark's wiki has us covered.
The wiki contains a page of sample capture files that we can load and inspect. Opening a capture file is
easy; just click Open on the main screen and browse for a file. We can also save our own captures in
Wireshark and open them later.
Filtering Packets
If we are trying to inspect something specific, such as the traffic a program sends when
phoning home, it helps to close down all other applications using the network so we can narrow down
the traffic. Still, we will likely have a large amount of packets to sift through. That's where
Wireshark's filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window
and clicking Apply (or pressing Enter). For example, type dns and we will see only DNS packets.
When we start typing, Wireshark will help us autocomplete our filter.
Examples (display filter field names are lower-case):
ip.addr == 192.168.1.77
ip.src == 192.168.1.77
ip.dst == 192.168.1.77
tcp.port == 80
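What the packet-details pane and the display filters above actually do is decode the raw bytes of the frame shown in the hex-dump pane and compare the decoded fields with the filter. The following is an added example, not code from the manual or from Wireshark: it decodes an Ethernet II frame carrying IPv4 and TCP (destination and source MAC from the first 12 bytes, six bytes each as in the IEEE 802.3 header, then the IP addresses and ports), names the fields as Wireshark's display filters do, and evaluates the `field == value` comparisons from the examples above, with `ip.addr` and `tcp.port` matching either direction. The frame is constructed for the example; nothing is captured from a network.

```python
import struct


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame the way the packet-details pane shows it:
    Ethernet header, then IPv4, then TCP/UDP ports. Keys follow Wireshark's
    display-filter field names. Checksums are not validated; a sniffer shows
    them as they arrived."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    # Destination MAC: bytes 0-5, source MAC: bytes 6-11, EtherType: bytes 12-13.
    pkt = {
        "eth.dst": mac_str(frame[0:6]),
        "eth.src": mac_str(frame[6:12]),
        "eth.type": struct.unpack("!H", frame[12:14])[0],
    }
    if pkt["eth.type"] != 0x0800:          # only IPv4 is decoded in this example
        return pkt
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4               # IP header length including options
    pkt["ip.proto"] = ip[9]
    pkt["ip.src"] = ".".join(str(b) for b in ip[12:16])
    pkt["ip.dst"] = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if pkt["ip.proto"] in (6, 17) and len(l4) >= 4:
        name = "tcp" if pkt["ip.proto"] == 6 else "udp"
        pkt[f"{name}.srcport"], pkt[f"{name}.dstport"] = struct.unpack("!HH", l4[:4])
    return pkt


# Shorthand fields: ip.addr matches either address, tcp.port either port.
FIELD_ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}


def matches(pkt: dict, expr: str) -> bool:
    """Evaluate one 'field == value' comparison, the form used in the examples
    above. A field the packet does not carry simply does not match."""
    parts = expr.split()
    if len(parts) != 3 or parts[1] != "==":
        raise ValueError(f"unsupported filter: {expr!r}")
    field, _, value = parts
    values = [pkt.get(f) for f in FIELD_ALIASES.get(field, (field,))]
    return any(v is not None and str(v) == value for v in values)


def filter_frames(frames, expr: str) -> list:
    """Decode every frame and keep those the filter expression selects."""
    return [p for p in map(parse_frame, frames) if matches(p, expr)]


def build_sample_frame() -> bytes:
    """Constructed frame: a TCP SYN from 192.168.1.77:51000 to 192.0.2.10:80."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 77]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    return eth + ip + tcp


SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    pkt = parse_frame(SAMPLE_FRAME)
    for key, value in pkt.items():
        print(f"{key:12} {value}")
    for expr in ("ip.addr == 192.168.1.77", "tcp.port == 80", "ip.dst == 192.168.1.77"):
        print(f"{expr:28} -> {matches(pkt, expr)}")
```

Because the MAC and IP addresses are read straight from unencrypted header bytes, they are visible to any sniffer on the segment whether or not the payload is encrypted, which is the point made in step 4 of the capture procedure.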
You can also click the Analyze menu and select Display Filters to create a new filter.
Another interesting thing we can do is right-click a packet and select Follow TCP Stream.
You'll see the full conversation between the client and the server.
Close the window and we will find that a filter has been applied automatically: Wireshark is
showing us the packets that make up the conversation.
Experiment 7:
easy to take the results and port them into a spreadsheet so that holes in system security are readily
apparent and easily tracked. It can provide us with usernames, SIDs, RIDs, account comments,
account policies, and dial-in information.
DumpSec allows us to dump the permissions (DACLs) and audit settings (SACLs) for the file
system, registry, printers and shares in a concise, readable listbox format, so that holes in system
security are readily apparent.
You click on the Report tab, Select Computer (enter IP number) and select what items we want
in the report. We will receive the output. It allows users to remotely connect to any computer and
dump permissions, audit settings, and ownership for the Windows NT/2000 file system into a format
that is easily converted to Microsoft Excel for editing. Hackers can choose to dump either NTFS or
share permissions. It can also dump permissions for printers and the registry. The user can also get
password information such as 'Password Last Set Time' and 'Password Expires Time'. To summarize,
Dumpsec can pull a list of users, groups, and the NT system's policies and user rights.
Steps for DumpSec:
1. Download and install DumpSec from www.somarsoft.com.
2. Once it's installed, open a command prompt and establish a null session to a local host. The
command syntax for doing so is as follows:
3. net use \\IP_address\IPC$ "" /u:""
4. Now open DumpSec and select Report, then Select Computer.
5. Now select Report, then Dump Users as Table, and click OK.
6. You need to select all items to the left of the screen and move them to the right screen so that
all fields will be selected.
7. Click the OK button, and all the open fields will be populated. Notice that we now have a
complete list of users and related information.
Step 3: Now select Report, then Dump Users as Table, and click OK.
Address Resolution Protocol (ARP) poisoning is a type of attack where the Media Access Control
(MAC) address is changed by the attacker. Also called an ARP spoofing attack, it is effective
against both wired and wireless local networks. Some of the things an attacker could perform from
ARP poisoning attacks include stealing data from the compromised computers and preventing legitimate
access to services, such as Internet service. Thus the man in the middle watches the traffic between
the source and target machines.
MAC address is a unique identifier for network nodes, such as computers, printers, and other
devices on a LAN. MAC addresses are associated to network adapter that connects devices to
networks. The MAC address is critical to locating networked hardware devices because it ensures that
data packets go to the correct place. ARP tables, or cache, are used to correlate network devices IP
addresses to their MAC addresses.
When a device needs to communicate with another device with a known IP address but an
unknown MAC address, the sender sends out an ARP packet to all computers on the network. The
ARP packet requests the MAC address from the intended recipient with the known IP address. When
the sender receives the correct MAC address, it is able to send data to the correct location, and the IP
address and corresponding MAC address are stored in the ARP table for later use.
ARP poisoning is when an attacker is able to compromise the ARP table and change the MAC
address so that the IP address points to another machine. If the attacker makes the compromised
device's IP address point to his own MAC address, then he would be able to steal the information, or
simply eavesdrop and forward on communications meant for the victim. Additionally, if the attacker
changed the MAC address of the device that is used to connect the network to the Internet, then he could
effectively disable access to the web and other external networks.
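The two effects described above, an IP address whose MAC entry is overwritten and one MAC address answering for several IP addresses (the victim's and the gateway's), are also what a defender can look for in captured ARP replies. The following is an added example, not code from the manual or from any of the tools it names: it replays a constructed list of ARP "is-at" replies, keeps the IP-to-MAC table a host would build from them, and reports both symptoms. The addresses are made up for the example.

```python
from collections import defaultdict

# Constructed sample of ARP "is-at" replies as a sniffer would log them:
# (sequence number, IP address being claimed, MAC address claiming it).
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1",  "00:11:22:33:44:01"),   # gateway answers for itself
    (2, "192.168.1.10", "00:11:22:33:44:0a"),
    (3, "192.168.1.1",  "00:11:22:33:44:01"),
    (4, "192.168.1.1",  "aa:bb:cc:dd:ee:ff"),   # a different MAC now claims the gateway IP
    (5, "192.168.1.20", "aa:bb:cc:dd:ee:ff"),   # and the same MAC claims a second IP
    (6, "192.168.1.10", "00:11:22:33:44:0a"),
]


def detect_arp_anomalies(replies, known_bindings=None) -> list:
    """Replay ARP replies and maintain the IP->MAC table a host would build.
    Reports two symptoms of poisoning:
      mac-changed:             an IP's MAC differs from the one seen before
                               (the ARP cache entry would be overwritten);
      mac-claims-multiple-ips: one MAC answers for more than one IP, which is
                               what a man in the middle answering for both the
                               victim and the gateway looks like on the wire.
    known_bindings is an optional {ip: mac} baseline, e.g. the gateway's real MAC,
    so that the very first forged reply is already reported."""
    alerts = []
    ip_to_mac = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    mac_to_ips = defaultdict(set)
    for seq, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((seq, "mac-changed", ip, f"{previous} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((seq, "mac-claims-multiple-ips", mac,
                           ",".join(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

Both symptoms have benign causes, such as a replaced network card, a DHCP lease handed to a new machine, or a router doing proxy ARP, so in practice the alerts are checked against a baseline of known bindings (the `known_bindings` argument) rather than acted on blindly; static ARP entries for the gateway and switch-level dynamic ARP inspection are the usual mitigations.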
Cain & Abel: It is a nifty program that deals with recovering lost passwords using the most powerful
and tough decryption algorithms. It is capable of quickly and efficiently retrieving Outlook and network
passwords and to display passwords underneath asterisks. Most encrypted passwords are breakable
using this program via Dictionary, Brute-Force and Cryptanalysis attacks. Decrypting scrambled
passwords or wireless network keys is not a challenge either. Besides the ability to record VoIP
conversations, the application also features the possibility to analyze route protocols.
Steps for Cain and Abel:
Step 1: First, download and install the Cain & Abel program, then run it.
Step 2: Select Configure and make sure we see the list of all network adapters.
Step 3: At the main screen, select Configure, then click our network adapter, then Apply and OK.
Step 5: Next go to the Sniffer tab and right click anywhere inside the tab. We should see a "Scan MAC
addresses" option. Click it.
Step 6: Select the IP range accordingly to our local area network and click on OK.
Step 7: The progress bar scans and lists all the MAC addresses present on the subnet.
Step 8: After the scan, click on the APR sub-tab at the bottom of the window. Then click on the +
icon on the top of the window to add a host to attack. The following dialog box appears on the screen.
Step 9: Click the '+' button and add the host whose passwords we want to sniff. Then click the
radioactive button to activate the ARP poisoning process.
Step 10: Wait for the victim host to enter his credentials. To see the password captured, just go to the
"Passwords" tab beside the APR tab.
Experiment 10: Install IPCop on a Linux system and learn all the functions available in the software.
IPCop Linux is a complete Linux distribution. Its sole purpose is to protect the network. Its
main features are: an iptables network filter, support for all types of drives, and quad network support with
GREEN (Internal Trusted Network), BLUE (Wireless Semi-Trusted Network), ORANGE
(Demilitarized Zone for Internet-accessible servers) and RED (The Internet) interfaces.
Before starting the installation, let us go over the basics of IPCop. The default IPCop
installation supports up to 4 Ethernet interfaces, which are color-coded according to trust levels (refer
to the following table).
Interface color   Trust level   Typical function
Green             1             Most trusted (internal network)
Blue              2             Semi-trusted (wireless)
Orange            3             DMZ (demilitarized zone)
Red               4             Non-trusted (the Internet)
Pentium Processor with 32MB RAM, 300MB hard disk and 2 Network Cards
2 x 5 port 10/100/1000 switch or a Layer 3 switch
Network Cables
Burned ISO CD
VM Ware
Installation of IPCOP:
1. Download IPCOP 2.0.2.iso from www.ipcop.org.
2. Run VirtualBox on the host PC, attach the IPCop ISO file and start the installation.
3. When the boot-up screen appears, hit the Enter key.
4. Select the default English language and press the Enter key.
5. Select default US layout Keyboard and Press Enter-Key.
6. Select Asia/Calcutta and Press OK to proceed.
7. Change the Date and Time if required and Press OK.
8. Select the disk installation default HDD and Press OK.
Experiment 11: Install JCrypTool (or any other equivalent) and demonstrate asymmetric and symmetric
crypto algorithms, hashes and digital/PKI signatures studied in theory in Network Security
and Management.
Public-key cryptography, also known as asymmetric cryptography, is a class
of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and
one of which is public. The public key is used to encrypt plaintext or to verify a digital signature,
whereas the private key is used to decrypt cipher text or to create a digital signature. The term
"asymmetric" stems from the use of different keys to perform these opposite functions.
Example: Diffie-Hellman key exchange, digital signatures and RSA
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic
keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical, or there
may be a simple transformation to go between the two keys. This requirement that both parties have
access to the secret key is one of the main drawbacks of symmetric-key encryption.
Example: AES (Rijndael), Blowfish, CAST5, RC4, 3DES
A cryptographic hash function takes a group of characters (called a key) and maps it to a
value of a certain length (called a hash value or hash). The hash value is representative of the original
string of characters, but is normally smaller than the original. Example: SHA1
Hashing is done for indexing and locating items in databases because it is easier to find the
shorter hash value than the longer string. Hashing is also used in encryption. This term is also known
as a hashing algorithm or message digest function. The input data is often called the message, and the
hash value is often called the message digest or simply the digest.
The ideal cryptographic hash function has four main properties:
It is easy to compute the hash value for any given message.
It is infeasible to generate a message from its hash.
It is infeasible to modify a message without changing the hash.
It is infeasible to find two different messages with the same hash.
A digital signature is a digital code (generated and authenticated by public-key encryption) which is
attached to an electronically transmitted document to verify its contents and the sender's identity.
A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message
or document.
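As an added example that is not part of this manual or of JCrypTool, the following Python block ties the three ideas above together with textbook RSA: encryption with the public key and decryption with the private key, a SHA-1 digest of the message, and a signature made with the private key that anyone can verify with the public key. The two primes and the messages are constructed for illustration; a modulus this small is insecure and real systems use 2048-bit keys, padding, and a vetted library.

```python
# Added example (not the manual's or JCrypTool's code): textbook RSA with tiny,
# constructed primes, to show the asymmetric/hash/signature relationships.
# Insecure by design: no padding, tiny modulus. For illustration only.
import hashlib


def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) for primes p and q; e must be coprime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt an integer m < n."""
    e, n = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private-key holder can recover m from c."""
    d, n = private_key
    return pow(c, d, n)


def digest_int(message, n):
    """SHA-1 digest of the message (the manual's hash example), reduced mod n
    so that it fits the toy modulus; real schemes pad the digest instead."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n


def sign(private_key, message):
    """Signing = applying the private exponent to the message digest."""
    d, n = private_key
    return pow(digest_int(message, n), d, n)


def verify(public_key, message, signature):
    """Verification = applying the public exponent and comparing digests.
    Any change to the message changes the digest and the check fails."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair(104729, 1299709)  # constructed small primes
    c = encrypt(pub, 18537)
    print("decrypts correctly:", decrypt(priv, c) == 18537)
    sig = sign(priv, b"pay 100 to alice")
    print("genuine verifies:", verify(pub, b"pay 100 to alice", sig))
    print("tampered verifies:", verify(pub, b"pay 900 to alice", sig))
```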
Step 2: Open the text editor in JCrypTool and write the message which we want to encrypt.
Step 6: Decrypt the same text by selecting Decrypt and providing the same password that was used
during encryption.
Experiment 12: Demonstrate an Intrusion Detection System (IDS) using any tool, e.g. Snort or any other s/w.
With the development of network technologies and applications, network attacks are greatly
increasing both in number and severity. As a key technique in the network security domain, an Intrusion
Detection System (IDS) plays a vital role in detecting various kinds of attacks and securing
networks. The main purpose of an IDS is to find intrusions among normal audit data, which can be
considered a classification problem. Intrusion detection systems are an effective security
technology which can detect, prevent and possibly react to an attack. An IDS monitors target
sources of activity, such as audit and network traffic data in computer or network systems that require
security measures, and employs various techniques for providing security services. With the
tremendous growth of network-based services and sensitive information on networks, network security
is becoming more important than ever before.
Intrusion: Attempting to break into or misuse our system. Intruders may be from outside the network
or legitimate users of the network. Intrusion can be a physical, system or remote intrusion. Intrusion
Detection Systems look for attack signatures, which are specific patterns that usually indicate
malicious or suspicious intent.
Snort is an open source network intrusion prevention system, capable of performing real-time traffic
analysis and packet logging on IP networks. It can perform protocol analysis and content
searching/matching, and can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger
(useful for network traffic debugging, etc.), or as a full-blown network intrusion prevention system.
The privacy of the Snort community is very important to Sourcefire. If we choose to opt out,
the information collected at the time of registration will not be used for any Sourcefire marketing
efforts. In addition, Sourcefire will not sell or distribute any personal information to 3rd party
companies.
Snort can be configured to run in three modes:
1. Sniffer mode
2. Packet Logger mode
3. Network Intrusion mode
Packet Logger mode: run snort -dev -l c:\snort\log [create this directory on the C drive] and Snort
will automatically go into packet logger mode; it collects every packet it sees and places it in the
log directory.
11. Create a path environment variable pointing at snort.exe: variable name Path, variable
value c:\snort\bin.
C:\snort\etc\snort.conf. We will want to open the .conf file with a basic text
editor, such as Edit or Notepad.
14. Go to the command prompt, change into the Snort\bin directory and run snort.exe.
15. The window displays the complete details of packets flowing across the
system in real time: the IP address of the packet generator, date and time, length of packet, time
to live (TTL), etc.
16. By analyzing these details, intruders can be traced in real time.
17. These details can be documented by using the Print Screen option.
Steps for Snort: Snort can operate in three different modes: Sniffer mode, Packet Logger mode and Network
Intrusion mode.
Sniffer Mode: Sniffer mode works just as the name implies. It configures Snort to sniff traffic.
Let's take a moment at this point to verify Sniffer mode:
1. Reboot our machine and log back on to Windows. To check whether Snort was properly
configured, open two command prompts.
2. At one of the command prompts, navigate to the C:\snort\bin folder and enter snort -W. We
should see a list of possible adapters on which we can install the sensor. The adapters are
numbered 1, 2, 3, and so forth.
C:\Snort\bin>snort -W
3. At the C:\snort\bin prompt, enter snort -v -ix, where x is the number of the NIC to place our
Snort sensor on.
4. Switch to the second command prompt and ping another computer.
5. When ping is complete, switch back to the command prompt window running Snort, and press
Ctrl+C to stop Snort.
Packet Logger Mode: Packet logger mode allows Snort to capture and log traffic. For this we will
use the -l (log) switch:
1. From the command line, change to the directory where we installed Snort. Then from the
command prompt, enter snort -ix -dev -l c:\snort\log. This will start Snort and instruct it to
record headers in the C:\snort\log folder.
2. Now ping the system that Snort is installed on from another system.
3. As soon as the ping is complete, press Ctrl+C to stop the packet capture.
4. Use Windows Explorer to navigate to the snort\log folder.
5. Examine the contents of the log folder. Use Notepad to examine the contents of the capture.
The individual packets are filed in hierarchical directories based on the IP address from which the
packet was received.
There are two software applications installed in Backtrack 5 designed to find possible rootkits on the
operating system.
chkrootkit (Check Rootkit) is a common Unix-based program intended to help system
administrators check their system for known rootkits. It is a shell script using common UNIX/Linux
tools like the strings and grep commands to search core system programs for signatures and for
comparing a traversal of the /proc file system with the output of the ps (process status) command to
look for discrepancies.
rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and
possible local exploits. It does this by comparing SHA-1 hashes of important files with known good
ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files
and suspicious strings in kernel modules, and running special tests for Linux and FreeBSD.
chkrootkit takes only a few moments to run, while rkhunter takes about 20 minutes to analyze
our computer. There is no foolproof way to guarantee that our computer is not infected with a rootkit.
Steps for chkrootkit: Step 1: Navigate to Applications > BackTrack > Forensics > Anti-Virus Forensics Tools >
chkrootkit
--list: Displays a list of Perl modules, rootkits available for checking, and tests that will be
performed
rkhunter --list
--sk: Allows us to skip pressing the Enter key after each test runs
rkhunter --check --sk
rkhunter is a tool similar to chkrootkit: it also scans the system for rootkits, but it is capable of a bit
more. Let's see what we can do with it. It will perform scans such as:
MD5 hash compare
Look for default files used by rootkits
Wrong file permissions for binaries
Look for suspected strings in LKM and KLD modules
Look for hidden files
Optional scan within plaintext and binary files
Step 3: First we can check the version, and also check if there is a newer one:
rkhunter -V - display current version
rkhunter --versioncheck - check if there is an update
The scan logs (what it printed on the screen, and much more) will be at /var/log/rkhunter.log.
Step 6: There is one more useful task: we can make a list of SHA-1 hashes of some common system files;
rkhunter will save it for later and, when it runs the scan, will compare the actual hash with the stored
one. If there is a change, it will issue a warning. This can be done by running:
rkhunter --propupd
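To show what the stored-hash comparison above amounts to, here is an added Python example (not rkhunter's own code) that records a SHA-1 baseline of a set of files and later reports any file whose hash changed or which has disappeared. The file names and the database path are constructed inside a temporary directory so it runs anywhere.

```python
# Added example (not rkhunter's code): a minimal file-hash baseline in the
# spirit of "rkhunter --propupd" followed by "rkhunter --check".
import hashlib
import json
import os
import tempfile


def sha1_file(path):
    """SHA-1 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def propupd(paths, db_path):
    """Record the current SHA-1 of every path (the --propupd step)."""
    baseline = {p: sha1_file(p) for p in paths}
    with open(db_path, "w") as f:
        json.dump(baseline, f)
    return baseline


def check(db_path):
    """Compare stored hashes with the files as they are now (the --check step).
    Returns a list of warning strings; an empty list means nothing changed."""
    with open(db_path) as f:
        baseline = json.load(f)
    warnings = []
    for path, old_hash in baseline.items():
        if not os.path.exists(path):
            warnings.append("Warning: %s is missing" % path)
        elif sha1_file(path) != old_hash:
            warnings.append("Warning: hash of %s has changed" % path)
    return warnings


def demo():
    """Constructed scenario: baseline two fake system binaries, then alter one."""
    workdir = tempfile.mkdtemp()
    ls_path, ps_path = os.path.join(workdir, "ls"), os.path.join(workdir, "ps")
    for p in (ls_path, ps_path):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original binary\n")
    db_path = os.path.join(workdir, "rkhunter.dat")  # constructed name
    propupd([ls_path, ps_path], db_path)
    clean = check(db_path)  # expected: no warnings
    with open(ps_path, "ab") as f:
        f.write(b"# modified after the baseline was taken\n")
    return clean, check(db_path)  # second list should flag "ps" only
```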
STANDARD COMMANDS
openssl - OpenSSL command line tool
passwd - Generation of hashed passwords.
pkey - Public and private key management.
rand - Generate pseudo-random bytes.
ts - Time Stamping Authority tool (client/server).
version - OpenSSL version information.
Step 9: genrsa 1024 - This will generate an RSA private key of size 1024 bits.
hit. In the upper right hand side the application displays the Packet History list view of all transmitted
and received IP packets associated with the hit.
Step 10: By clicking on a record in the Packet History box, we can view the complete packet
data in the lower window.
Step 11: All log files are saved by default to c:\honeybot\logs folder. Log files store information
relating to the hits on the system and also store all data received and sent to the attacking computer.
Step 12: Click on the red stop button to shut down all listening services and terminate all
existing open sockets.
Uninstalling HoneyBOT
Click the Uninstall HoneyBOT icon in the programs start menu to uninstall HoneyBOT and
follow the prompts.