TechLab N10-004-E14 Security Attacks and Mitigation

2.0 Hours

Lab Information
TechLab Authors: Dean McDonald and Susan Wilbert
Revision Date: 4/19/2010
Feedback: All comments and suggestions should be submitted via the feedback system, which can be accessed from Course Materials on the StudentWeb.

Prerequisites
Successful completion of requisite Technology Based Training (TBT) courseware and textbook reading.

Knowledge Goal
This lab introduces the concepts of identifying various types of computer and network attacks.

Exam Correlation
6.0 Network Security
6.6 Identify common security threats and mitigation techniques

Lab Setup Requirements


Windows Server 2003 Stand Alone Server Setup Requirements:
Client Name / Workgroup Name: Server1 / WORKGROUP
IP Address / Subnet Mask: 172.16.0.10 / 255.255.0.0
Administrator username / password: Administrator / password or noted here: ___________
Internet connection
Networked to the Windows XP Professional computer
VPC Image Name: Server 2003 Server1 Workgroup

Windows XP Professional Client, No Service Pack Setup Requirements:
Client Name / Workgroup Name: Client2 / WORKGROUP1
IP Address / Subnet Mask: 172.16.0.20 / 255.255.0.0
Administrator username / password: Administrator / password or noted here: _____________
Networked to the Windows Server 2003 computer
VPC Image Name: XP Client2 No SP Workgroup

Copyright 2009, TechSkills LLC

Page 1 of 18

References
All-In-One Network+ Certification Exam Guide, Fourth Edition, McGraw Hill, 2009
  o Chapter 17: Protecting Your Network
Virtual PC User Guide, which is located in the General Resources folder of My Course Materials on the StudentWeb
StudentWeb My Personal Bookshelf, Keywords: Antivirus, Fault Tolerance, RAID, Disaster Recovery

Lab Overview
This TechLab will cover the definitions of many attacks, as well as some examples of malicious software and social engineering.

6.6 Identify common security threats and mitigation techniques


6.6.1 Security Threats:
6.6.1.1 DoS
6.6.1.2 Viruses
6.6.1.3 Worms
6.6.1.4 Attackers
6.6.1.5 Man in the middle
6.6.1.6 Smurf
6.6.1.7 Rogue access points
6.6.1.8 Social engineering (phishing)

Attacks
Generally, you can split attacks into two broad categories: protocol/service based and application based. While application based attacks strike at flaws in pieces of software, protocol attacks (such as Teardrop) strike at the standardized mechanisms used to transfer data on a network. Attacks are frequently based on exploits that are specific to an OS or program. A technique known as OS fingerprinting is used to determine the operating system, service pack level, and the presence of various services running on a particular target. Once you know the OS that is running on the target, you can begin to attempt the exploits which might be usable for that particular OS. OS fingerprinting is accomplished by sending various TCP/IP packets to a target computer and observing the results. The TCP/IP packets that are sent are designed to provoke somewhat unusual responses in certain vendors' TCP/IP implementations. When known OS-specific responses are received, the fingerprinting program can identify the OS that the target is running (and often the version and even service pack/patch level). A good example of OS fingerprinting is ICMP message quoting: ICMP quotes back part of the original message with every ICMP error message. Each operating system quotes a definite amount of the original message in its ICMP error messages. The peculiarities in the error messages received from various types of operating systems help in identifying the remote host's OS.

DoS/DDoS
A Denial-of-Service (DoS) attack is an attempt to flood the target with data, so that either the target network is saturated with data or the target host is saturated with requests, resulting in the loss of legitimate use of that system. If you see a significant and sudden increase in network traffic, it is a good indicator that your network or computer might be undergoing a DoS attack. A simple DoS attack could also be an attacker entering an unsecured server room and unplugging the server.
This would result in a denial of service to legitimate users. A Distributed Denial-of-Service (DDoS) attack is a type of DoS attack that is implemented by staging a DoS attack against a single target from multiple systems simultaneously. Hackers can gain access to a number of machines in a startling variety of ways (usually through the root or administrative accounts). A host computer that is controlled by an attacker is often referred to as a drone or zombie. The group of programs that an attacker installs to gain complete control of a computer is sometimes called a rootkit. One device that an attacker may have in his/her rootkit is a protocol analyzer or packet sniffer. Sniffing is a method by which an attacker can compromise the security of a network in a passive fashion. A sniffer, in network security circles, is a program or tool that passively monitors a computer network for key information that the attacker is interested in. In most cases, this information is authentication information, such as usernames and passwords, which can be used to gain access to a system or resource. Sniffers are included with most rootkits. An example of a cross-platform packet sniffer is the Wireshark program. Server versions of Microsoft Windows also include a sniffer program called Network Monitor.

A SYN attack is a classic DoS attack. A standard TCP session begins with the two communicating hosts exchanging SYN | SYN/ACK | ACK. The expected behavior is that the initiating host sends a SYN packet, to which the responding host sends a SYN/ACK and then waits for an ACK reply from the initiator. With a SYN attack, the attacker simply sends only the SYN packet, leaving the victim waiting for a reply. When a client initiates a session with a server, a very small memory buffer exists to handle the handshaking process between the client and the server. Since the server does not think that the conversation's handshake has been completed, it keeps each SYN request in its table of connections in progress. As more and more partially open connection requests accumulate in the target's system tables, the target eventually reaches the point of being unable to handle additional requests: it overflows this small buffer. When this happens, the server is unable to accept new connections, and legitimate users are prevented from accessing the server. SYN floods and TCP/IP hijacking are the two most common attacks carried out at the transport layer of the OSI model. A SYN scan can be used with FTP sessions in this way.

There are many other variants on the DoS attack. The Ping of Death attack sends ICMP ECHO requests to a single host, which quickly and exponentially exhausts bandwidth on the target host's network.
Ping of Death attacks are easy to deploy and can be an effective DoS attack against a host. Ping of Death works by sending a spoofed packet that is larger than 65,536 bytes. Usually, sending a packet of this size over IP is impossible (because of the Maximum Transmission Unit, or MTU, size), but the packet can be broken up into fragments, allowing it to be sent and reassembled on the victim's side. Not only can this cause a system slowdown, it is usually effective in causing a buffer overflow on the victim's computer, possibly crashing it. The reverse ICMP flood, or Smurf attack, sends an ICMP packet with a spoofed source IP address to the broadcast address of the target network. Because packets sent to the broadcast address are seen by and responded to by all hosts on the network, you potentially have hundreds of machines replying to one single ping packet. This saturates the network with ICMP messages and quickly exhausts the available bandwidth.

Back Door
A back door is essentially any program or deliberate configuration designed to allow unauthenticated access to a system. Back doors come in two forms: application hooks in legitimate programs, and malicious software programs that allow unauthenticated access to a system. Legitimate back doors are created by application developers to allow administrative access into a program without using the normal access control methods. These back door application hooks are generally used to troubleshoot or debug a program during development. If these back door access hooks are not closed or removed before the software is released, they can allow unfettered access to anyone who knows about them. Back door attacks can also use malicious programs like Back Orifice, Masters Paradise, NetBus, SubSeven and T0rnkit. Masters Paradise is a back door delivered via a Trojan horse, written for Windows 95/98 by a German programmer, Den Lehmann.
NetBus is also a back door delivered via a Trojan horse, which can open a back door to a PC so it can be accessed from the network. This program was created by Carl-Fredrik Neikter from Sweden.

Spoofing
Spoofing is an attack in which packets are made to appear to originate from a system other than the one they really originated from. If your network monitor or Intrusion Detection System (IDS) detects that you are receiving packets from the Internet which list an address on your internal network as the source IP address, it is likely that you are experiencing an IP spoofing attack. Spoofing is providing false information about the source of an attack. Spoofing can also happen when a DNS server resolves a domain name to a different address, thus redirecting traffic. To help prevent spoofing attacks from being successful on your own network, administrators can set up a router filter that does not allow outside packets whose source IP address is set to a host in one of your internal networks into your network (this is also known as ingress filtering). This will catch most spoofing attempts originating outside your network, directed toward your internal network. It will, however, not catch attempts made from inside your network (spoofing the address of another internal host, perhaps in an attempt to gain privileges), or attempts made against a third party's network in which your network is listed as the origin of the attack in the source IP address.

Man in the Middle
A man in the middle (MITM) attack means that someone places themselves in the communication channel between the two parties, already at the time of certificate exchange. This could happen if someone captured and manipulated packets as they pass through your network. When one party sends its public key to another party, the MITM takes this key and replaces it with his/her own. The other party thinks the key just received came from the expected sender, but in fact it comes from the MITM. That's the reason why public keys should be signed by a trusted authority (a.k.a. "trust center" or "certificate authority"). It is for this reason that Public Key Infrastructure (PKI) is considered one of the best technologies to reduce the threat of man-in-the-middle attacks. This type of strong authentication is the best form of defense against this type of attack.

Replay
A replay attack is one that involves capturing and saving the packets in a conversation, then resending one side (generally the client side) of the conversation at a later time in order to accomplish something malicious, such as identifying oneself as another user or processing the same transaction more times than it legitimately occurred. Again, this type of attack is made possible by lax security in the protocol. Every TCP/IP conversation is stamped with TCP sequence numbers. In theory, no two conversations will generate the same set of numbers. However, it has been proven that in many implementations the formula for producing these numbers is weak, and TCP sequence prediction is not as difficult as it could be. There are countermeasures against this type of attack. Secure protocols such as IPSec operate at the network layer and extend the IP protocol while maintaining compatibility with existing TCP/IP stacks by using additional protocol numbers.
Basically, this means that more numbers are used to generate the TCP sequence numbers, thus making it more complex and harder to duplicate. Secondly, Kerberos prevents replay attacks by requiring tight time synchronization and verifying time stamps on Kerberos authentication traffic. Kerberos authentication requires that the time on the Key Distribution Center (KDC) and the Kerberos clients is synchronized, usually within plus/minus five minutes. It uses specific time stamps on Kerberos authentication traffic to ensure the authenticating client is sending packets in real time. Using the time stamp reduces the possibility that the authentication traffic can be captured and replayed using a replay attack. Challenge Handshake Authentication Protocol (CHAP) authenticates a user on a server by sending the client a random value concatenated with an ID and a shared secret. The client works with the random value that is sent, along with the ID and the secret, to create a Message Digest 5 (MD5) hash. The resulting MD5 hash value is sent back to the server. If the returned MD5 hash value is what the server expects, authentication is granted. By changing the ID value with each session, the server prevents a replay attack. A replay attack will not work against CHAP.

TCP/IP Hijacking
TCP/IP hijacking involves taking control of a legitimate conversation between a server and a client, intercepting the source side packets, throwing them away and replacing them with new packets sent to the destination. This can be accomplished in a variety of settings: a telnet connection can be hijacked by means of a MITM (Man in the Middle) attack, and a web session can be hijacked by causing the victim's system to load a hacked cookie. SYN floods and TCP/IP hijacking are the two most common attacks carried out at the transport layer of the OSI model.
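The ingress filtering and broadcast-ping mitigations described in the Spoofing and DoS/DDoS sections above, as an added example written for this page (not the lab's own code). It assumes a border router that sees packets in both directions, uses the lab's 172.16.0.0/16 range as the internal network, and also adds the complementary egress rule (hosts inside must not send packets carrying foreign source addresses), which the lab text does not mention; all packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Our internal address space (from the lab's setup requirements).
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/16")]


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as seen at the border router (constructed)."""
    direction: str        # "in" = arriving from the Internet, "out" = leaving
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    icmp_type: int = -1   # 8 = ICMP echo request; -1 when not ICMP


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> tuple:
    """Return ("drop", reason) or ("accept", "") for one packet."""
    # Rule 1, ingress filtering: an inbound packet claiming an internal
    # source address cannot legitimately arrive from the Internet.
    if pkt.direction == "in" and is_internal(pkt.src):
        return "drop", "spoofed-internal-source"
    # Rule 2, egress filtering (added complement, not in the lab text):
    # anything leaving our network must carry one of our own addresses,
    # so our hosts cannot be used to spoof a third party.
    if pkt.direction == "out" and not is_internal(pkt.src):
        return "drop", "spoofed-external-source"
    # Rule 3, smurf amplifier protection: never deliver an echo request
    # addressed to the broadcast address of one of our subnets, so no
    # host on the subnet can be made to reply to a spoofed ping.
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and is_directed_broadcast(pkt.dst):
        return "drop", "icmp-echo-to-broadcast"
    return "accept", ""


def drop_summary(packets) -> dict:
    """Count drops by reason: the figures a network monitor would alert on."""
    counts = {}
    for p in packets:
        verdict, reason = filter_packet(p)
        if verdict == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts


SAMPLE_PACKETS = [   # constructed traffic, not captured from the lab network
    Packet("in", "tcp", "203.0.113.5", "172.16.0.10"),           # normal inbound
    Packet("in", "tcp", "172.16.0.20", "172.16.0.10"),           # source spoofed as Client2
    Packet("in", "icmp", "198.51.100.7", "172.16.255.255", 8),   # smurf: echo to broadcast
    Packet("out", "udp", "192.0.2.9", "198.51.100.7"),           # inside host spoofing a third party
    Packet("out", "icmp", "172.16.0.20", "203.0.113.5", 8),      # ordinary outbound ping
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.direction, p.proto, p.src, "->", p.dst, filter_packet(p))
    print(drop_summary(SAMPLE_PACKETS))
```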
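The CHAP exchange described in the Replay section, as an added example (not from the original lab). It follows the RFC 1994 digest layout, MD5 over the Identifier, the shared secret and the challenge, and shows why a captured response is useless once the server has moved on to a new Identifier and challenge; the usernames and secrets are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge).
    Only this digest crosses the wire; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: a fresh Identifier and random challenge per
    session, and each outstanding challenge is accepted exactly once."""

    def __init__(self, secrets: dict):
        self._secrets = secrets      # constructed {username: shared secret}
        self._next_id = 0
        self._pending = {}           # identifier -> outstanding challenge

    def challenge(self) -> tuple:
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256   # new ID every session
        chal = os.urandom(16)                        # unpredictable value
        self._pending[ident] = chal
        return ident, chal                           # the Challenge packet

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        chal = self._pending.pop(ident, None)        # consumed on first use
        secret = self._secrets.get(username)
        if chal is None or secret is None:
            return False                             # stale ID or unknown user
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


class ChapClient:
    """Peer side: answers whatever Identifier/challenge it is handed."""

    def __init__(self, username: str, secret: bytes):
        self.username = username
        self._secret = secret

    def respond(self, ident: int, chal: bytes) -> tuple:
        return self.username, chap_response(ident, self._secret, chal)


def demo() -> dict:
    server = ChapServer({"alice": b"lab-shared-secret"})    # constructed
    alice = ChapClient("alice", b"lab-shared-secret")
    mallory = ChapClient("alice", b"wrong-guess")

    # Session 1: the legitimate exchange succeeds.
    ident, chal = server.challenge()
    user, resp = alice.respond(ident, chal)
    first_login = server.verify(ident, user, resp)

    # Session 2: a peer that does not know the secret fails.
    ident2, chal2 = server.challenge()
    wrong_secret = server.verify(ident2, *mallory.respond(ident2, chal2))

    # Session 3: an eavesdropper replays the captured (ident, user, resp).
    ident3, chal3 = server.challenge()
    replay_old_id = server.verify(ident, user, resp)    # that ID was already consumed
    replay_new_id = server.verify(ident3, user, resp)   # digest is bound to the old challenge

    return {"first_login": first_login, "wrong_secret": wrong_secret,
            "replay_old_id": replay_old_id, "replay_new_id": replay_new_id}


if __name__ == "__main__":
    print(demo())
```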
Weak Keys
The weak key attack takes advantage of the weakness of keys being used to protect encrypted information, including network sessions and password resources. The shorter the key length, the easier it is to break the encryption on a piece of data. There are US export restrictions on encryption keys of significant strength. In essence, the longer the encryption key, the harder it is to decipher the message.

Mathematical
Mathematical attacks include those based on the fact that a key is generally easier to break the shorter it is and the less variety there is in the characters used in the key. Mathematical attacks also include those that somehow break an encryption algorithm by finding a way to reverse it without discovering the original key.

Birthday
A birthday attack is a specific kind of brute force attack that takes advantage of the fact that multiple sets of source data can hash to the same value. For example, it could be used to find another message that would produce the same MD5 hash value associated with an original message. Theoretically, this would let an attacker change the contents of the message. It is referred to as a birthday attack because it takes advantage of probabilities, much like the old trick in which you would bet your friend dinner that two people in a 50-person room shared the same birthday (and you would usually win, due to the odds increasing with each additional person in the room).

Password Guessing
A 'black hat' or 'white hat' will have in their toolkit several password guessing programs, which automate the process of rapidly testing many potential passwords for a given account. It is common for network security personnel to attempt to crack passwords in an effort to evaluate the strength of the passwords that the users in their organization are using. The most commonly used password guessing method is the dictionary attack. Passwords are generally stored in what is called a hashed format. When a password is entered into a system, it passes through a one-way hashing function, and the output is recorded. When you attempt to authenticate, the password you provide is passed through that hashing function and compared with the stored hashed value. If the values match, you are authenticated.
Brute force/dictionary attacks attempt to discover passwords by stealing a copy of the username and hashed password listing and methodically hashing possible passwords using the same hashing function. For this reason, hashed passwords are vulnerable to dictionary/brute force attacks. The longer the password, the more resistant it becomes to brute force and dictionary attacks. The minimum suggested password length to deter dictionary/brute force attacks is eight characters.

Brute Force
This type of attack involves running programs that attempt to break a password by trying as many combinations as possible until the correct key is found.

Dictionary
This type of attack involves trying passwords and/or keys from a precompiled list of values. The more words and/or keys there are in the precompiled list, the more likely the value will be found. Users with very simple passwords make themselves particularly vulnerable to dictionary attacks.

Dumpster Diving
Dumpster diving is the process of physically digging through a victim's trash in an attempt to gain information. Hackers dumpster dive to find sticky notes with passwords, printouts with usernames, and discarded CDs or floppies with confidential information. This information is then used to break into the organization's computer network, or in a social engineering attack to gain additional information. Organizations need to develop policies for the safe destruction and disposal of data and equipment.

Malicious Code
Malicious code could be a program that includes harmful code in an apparently normal program or set of data.

Viruses
A virus is a program that attaches itself to a host file and replicates itself on a system. Usually when run, unbeknownst to the user, a virus performs some action that is either malicious or simply annoying. For example, a virus may delete or modify system files, or just produce a joke message on the user's screen.
A virus is a piece of malicious code that can replicate itself, has no productive purpose, and exists only to damage computer systems or create further vulnerabilities. Viruses also have the ability to modify programs to include a version of the original virus.

Virus Hoaxes
Occasionally malicious people will prey on unsuspecting computer users by concocting various virus hoaxes. The hoaxes can range from harmless pranks to intentionally destructive or deceptive messages. The destructive hoaxes are generally sent in the form of an email that tells the user that their computer is infected with a virus and lists instructions for how to remove the infection. The process of removing the "virus" will generally render the user's computer inoperable. The user in a sense has been tricked into manually disabling their computer. The proliferation of these virus hoaxes is as serious a threat as viruses because they can lead users to ignore warnings about legitimate viruses.

Trojan Horses
A Trojan horse is a type of malicious code that appears to the user to be a legitimate program (or data file; even Word .doc files can contain Trojan horse code in the form of macros), but includes hidden functions designed to perform malicious actions. Trojan horse attacks typically use Visual Basic Scripting (VBS). The main difference between viruses and Trojan horses is that Trojan horses do not replicate. Trojan horses are often considered digital pests that are hidden inside another seemingly benign program and are installed when the program is created.

Logic Bombs
A logic bomb is a piece of malicious code that is designed not to trigger its malicious functionality until a certain date or event (for example, the activation of a particular program). An example of a logic bomb in a virus is the Michelangelo virus. This virus was triggered to erase computer hard disks each year on March 6, which is the birthday of the Renaissance painter Michelangelo. More commonly, upset employees may insert logic bombs into in-house programs, triggering some malicious functionality at some date in the future.

Worms
A worm is a virus, usually containing malicious code, which can replicate itself and propagate across a network.
Unlike a Trojan horse or many viruses, it does not have to attach itself to other host programs. It generally does not require any user action to replicate and infect other machines.

Rootkits
A rootkit is a program or software code that masks administrative functions or procedures and allows unauthorized access to a computer system. Rootkits often take advantage of antivirus and antimalware software that is not up to date. Rootkit programs can circumvent operating system and program security to allow unauthorized access to services and programs. Often these programs have unfettered root or Administrator privileges, so they can perform their malicious attacks without restrictions.

Social Engineering
Social engineering involves defeating established security mechanisms by enlisting the assistance of (usually unwitting) users to accomplish malicious things or acquire data that the attacker is not authorized to have. It is a particularly insidious technique because:
  o No software tools are needed to acquire information like passwords and specific network addresses of file servers containing certain data (the attacker just convinces the user to tell them the information they want). In a social engineering attack, the human element is the weakest link.
  o Unlike most attacks, an attack based on social engineering activities is not detectable via an automated system like an IDS or network monitor (it is carried out in simple conversation).
A social engineering attack is based on deceiving users or administrators at the target site. Education is the most effective means of combating social engineering. User awareness of social engineering tactics applies to all methods of internal and external communication, including instant messaging, phone calls, and emails.

Turning Good Computers Bad
During our discussion of Distributed Denial of Service (DDoS) attacks, we mentioned the use of drone or zombie machines. A collection of zombie machines is sometimes called a botnet. These systems are controlled by a master zombie machine and are configured to perform some kind of malicious act. Often these zombie slaves report information back to the master zombie machine. In addition to taking part in Distributed Denial of Service (DDoS) attacks, the zombie slaves may be used to send spam or perform other malicious tasks.
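The birthday odds from the Birthday section above, worked out as an added example (not part of the original lab), with the generalization to a hash function of a given output size:

$$P_{\text{shared}}(n) = 1 - \prod_{k=0}^{n-1} \frac{365-k}{365}, \qquad P_{\text{shared}}(23) \approx 0.507, \qquad P_{\text{shared}}(50) \approx 0.970$$

So the dinner bet in a 50-person room is won about 97% of the time. For a hash with $m = 2^{b}$ possible outputs the same argument gives

$$P_{\text{collision}}(n) \approx 1 - e^{-n(n-1)/(2m)},$$

which passes one half at roughly $n \approx 1.18\sqrt{m} \approx 2^{b/2}$ hashes. For a 128-bit digest such as MD5 that is on the order of $2^{64}$ trial messages, far fewer than the $2^{128}$ needed to match one specific hash value by brute force.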
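The hashed password storage and checking described in the Password Guessing section, as an added example (not the lab's own code): the unsalted fast hash that a stolen listing exposes to a dictionary attack, beside a salted, iterated hash that also enforces the lab's eight-character minimum. The usernames, passwords and the iteration count are constructed or assumed.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 8      # the lab's suggested minimum
ITERATIONS = 100_000         # PBKDF2 work factor (assumed value)


# --- Weak scheme: an unsalted fast hash. Every user with the same password
# gets the same stored value, so one precomputed dictionary of hashes serves
# every account, and equal values leak that two users share a password.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


# --- Hardened scheme: a random per-user salt plus an iterated hash. A guess
# has to be re-hashed for every user, and each guess costs ITERATIONS rounds.
def strong_store(password: str, salt=None) -> str:
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_users(store: dict) -> list:
    """Usernames whose stored values are identical. Only the unsalted scheme
    can show this, which is exactly what makes one dictionary reusable."""
    seen = {}
    for user, value in store.items():
        seen.setdefault(value, []).append(user)
    return sorted(u for users in seen.values() if len(users) > 1 for u in users)


def demo() -> dict:
    pw = "Passw0rd!"   # constructed sample password, chosen by two users
    weak = {"alice": weak_store(pw), "bob": weak_store(pw),
            "carol": weak_store("different1")}
    strong = {u: strong_store(p)
              for u, p in [("alice", pw), ("bob", pw), ("carol", "different1")]}
    try:
        strong_store("short")
        short_rejected = False
    except ValueError:
        short_rejected = True
    return {
        "weak_shared": shared_password_users(weak),      # ["alice", "bob"]
        "strong_shared": shared_password_users(strong),  # [] thanks to the salt
        "strong_ok": strong_verify(pw, strong["bob"]),
        "strong_wrong": strong_verify("passw0rd!", strong["bob"]),
        "short_rejected": short_rejected,
    }


if __name__ == "__main__":
    print(demo())
```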

6.6 Identify common security threats and mitigation techniques
6.6.1 Mitigation Techniques:
6.6.1.1 Policies and procedures
6.6.1.2 User Training
6.6.1.3 Patches and updates

Supporting Security Efforts with Virtual Environments
Virtual environments such as those created with VMware, Microsoft Virtual PC/Virtual Server, VirtualBox, Xen, and others allow you to run one or more operating systems on a single computer. For example, you can install VirtualBox on a Linux computer and run an instance of Windows Vista in a virtual machine (VM) inside VirtualBox. The Windows Vista VM uses the hardware resources of the host computer, but it is contained within the virtual environment. This allows you to run the VM in a sandbox which is cordoned off from the host machine. Researchers often run and test security software and malware in virtual environments because they can readily duplicate VMs, control them, and study the effects of the security software or malware in a safe, virtual environment without risking damage to the host machine or operating system.

Antivirus Protection
To help combat infection of network computers, you need to employ an antivirus protection strategy. This includes running firewall or proxy server software and/or hardware to perform real-time scans of network packets and local files to detect identified malicious code. Secondly, you must use an antivirus software program. Antivirus programs include a scanner that inspects files, folders and programs in real time. The antivirus software contains virus definitions, which identify characteristics of known viruses. These antivirus programs use the virus definitions to scan network packets and the files, folders and registry settings on a computer, looking for known virus files or suspicious activity. In network environments that contain multiple computers, it is general practice to install an antivirus suite on a central computer that downloads and updates antivirus definitions and performs scans on multiple computers. The central antivirus server manages all the client computers from a central software program. This dramatically reduces the administrative burden on network administrators because they can efficiently configure the central server to perform the various antivirus tasks. Administrators do not need to touch each computer on the network to update the virus definitions or run scans.

Many companies produce these antivirus suites, but most antivirus suites perform three basic functions: they monitor real-time activity, they perform periodic scans on the computer, and they remove or quarantine known viruses. During real-time protection, they monitor the MBR, system files, network packets and files for known virus activity. During a computer scan, the software inspects the MBR, system files, and all other files and programs on the hard drive, floppy or other storage drives. Most can perform deep scans which can even scan files inside of compressed files such as .zip files. It compares each file with known virus characteristics. These include file name, file location, and specific text or code in the file. If it finds a suspected virus, it moves the infected file to a special location on the hard drive. This is known as quarantining or locking the virus. After a complete scan, the antivirus software attempts to either clean an infected file or remove it from the computer. Antivirus protection software is only as good as its current virus definitions. New viruses and malicious code are produced daily. Antivirus companies release new virus definitions to deal with these new viruses. When installing and configuring antivirus software on a network, it is important to update antivirus definitions and run scans often. Out-of-date virus definitions may miss new viruses because they are not aware of them. Most antivirus software will automatically download and install updated virus definition files. Most do it at least once a day, and some can update more frequently.


Step-by-Step Instructions
Exercise 1
Exercise Summary: During this exercise you will use the SMBDIE.exe program to perform a denial of service attack on a Windows XP Professional client computer.

1) Prepare the attack environment
  a. Prepare the Windows Server 2003 computer
    i) Boot and log on to the Windows Server 2003 computer as the local Administrator.
    ii) Remove Internet Explorer Enhanced Security.
      (1) Click Start, point to Control Panel, click Add or Remove Programs.
      (2) Click the Add/Remove Windows Components button.
      (3) In the Windows Components Wizard, scroll down to and uncheck Internet Explorer Enhanced Security Configuration, then click Next.
      (4) The Enhanced Security Configuration of Internet Explorer on Windows Server 2003 does not allow you to open any web sites that are not trusted. By default only some Microsoft and Windows Update sites are trusted. Click Finish.
      (5) Close Add or Remove Programs.
    iii) Open Internet Explorer. Note: If this is the first time you have connected to the Internet, Internet Explorer will close and the New Connection Wizard will start. Complete the wizard to create a new Internet connection, open Internet Explorer again, and browse to and log on to the StudentWeb.
      (1) In the Address bar, type https://secure.techskills.com/studentweb.
      (2) Log into your StudentWeb.
      (3) Download the attack files:
        (a) Browse to the Supplemental folder for the course on the StudentWeb, download the lc5setup.zip and SMBdie.zip files and save them to the Desktop.
        (b) Close all open windows.
      (4) Extract the attack files:
        (a) Right click the lc5setup.zip file, click Extract All..., click Next, click Next, click Finish.
        (b) Close the window that opens.
        (c) Repeat this process to extract the SMBdie.zip file.
      (5) Prepare network adapters and TCP/IP settings:
        (a) Configure a static IP address for the Local Area Connection
          (i) Open the Local Area Connection properties
            1. Click Start, point to Control Panel, point to Network Connections, right click the Local Area Connection, click Properties.
            2. Select the Internet Protocol (TCP/IP) entry, click Properties.
            3. Verify/Assign the Internet Protocol (TCP/IP) Properties as follows. All other settings on this page should be left blank.

            4. Click the Advanced... button, click the WINS tab, select the Enable NetBIOS over TCP/IP radio button, click OK, click OK, click OK.
          (ii) Disable all other network interfaces:
            1. Click Start, point to Control Panel, right click Network Connections, click Open.
            2. Disable all network interfaces EXCEPT the Local Area Connection. To do so, right click any other network connections that are displayed, click Disable. This will disable all but the Local Area Connection with the TCP/IP settings you verified/assigned earlier.
            Online TechLab Note: Make sure you disable the network connection named DO NOT Modify Internet Connection. This will prevent the attack program from using the network connection which is used for controlling the Online TechLab system. If you attempt an attack on the Online TechLab system network you may lose your connection to the Online TechLab system and you will not be able to complete the rest of the TechLab.

            3. Close all open windows.
  b. Prepare the Windows XP Professional computer
    i) Boot and log on to the Windows XP Professional computer as the local Administrator.
    ii) Prepare network adapters and TCP/IP settings:
      (1) Configure a static IP address for the Local Area Connection:
        (a) Open the Local Area Connection properties:
          (i) Click Start, click Control Panel, double click Network Connections, right click the Local Area Connection, click Properties.
          (ii) Select the Internet Protocol (TCP/IP) entry, click Properties.
          (iii) Verify/Assign the Internet Protocol (TCP/IP) Properties as follows. All other settings on this page should be left blank.

            1. Click the Advanced... button, click the WINS tab, verify the Enable NetBIOS over TCP/IP radio button is selected, click OK, click Yes on the Microsoft TCP/IP information window, click OK, click OK, click Close.
          (iv) Disable all other network interfaces:
            1. Disable all network interfaces EXCEPT the Local Area Connection. To do so, right click any other network connections that are displayed, click Disable. This will disable all but the Local Area Connection with the TCP/IP settings you verified/assigned earlier.
            Online TechLab Note: Make sure you disable the network connection named DO NOT Modify Internet Connection.

iii) Obtain the name of the computer:
(1) Click Start, right click My Computer, click Properties.
(2) Click the Computer Name tab and note the Full computer name: of this computer: ________________________
(3) Close all open windows.
2) Perform a Denial of Service Attack

By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system. The attacker could use either a user account or anonymous access to accomplish this. Though not confirmed, it may be possible to execute arbitrary code on the target machine.

SMB (Server Message Block) is the protocol Microsoft uses to share files, printers and serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what is described as a client-server, request-response protocol. The problem is that what looks like a normal SMB exchange is in fact a malformed request that crashes the server: this is a denial of service attack.

If system administrators have turned off anonymous access, it would not be possible for a non-authenticated user to exploit this vulnerability. However, turning off anonymous access does not prevent authenticated users from using this attack. In addition, an administrator can block access to SMB on TCP ports 445 and 139 at the network perimeter. This would block access from untrusted networks. However, legitimate users could be blocked in a file and print networking environment too. Administrators could also shut down the LanMan server service. However, in a file and print networking environment this may not be a viable solution because it would block legitimate users from using file and print services on the particular server where the LanMan service had been stopped.

a. Verify that both computers are not running antivirus software. If they are, disable real-time protection. If you do not disable the antivirus software the attack may not work properly.
Online TechLab Note: None of the Online TechLab system computer images have antivirus software installed.

b. On the Windows Server 2003 computer, double click the SMBdie folder on the Desktop, then double click the SMBdie.exe program. This opens the SMBdie.exe program, a proof of concept program that performs a denial of service attack on a Windows client using Server Message Block (SMB) packets.
c. Enter the Computer (IP address) and NETBIOS name of the Windows XP Professional client into the appropriate textboxes.
d. Click the KILL button. In the SMBdie.exe application window you should see it connect to the target system, identify the operating system, and then send the exploit. If you observe the target machine you should see it stop functioning with a Blue Screen of Death (BSoD), or it may restart automatically.
e. Close all open windows.
3) Using @stake LC5 to run a Dictionary Password Attack
a. Create user accounts
i) On the Windows Server 2003 computer create two new user accounts.
(1) Create a new user named user1 and assign a simple password using a word normally found in the dictionary. Refer to these instructions if you do not remember how to create a user account: click Start, right click My Computer, click Manage, expand Local Users and Groups, right click Users, click New User.

b. Create a second user account named user2. Assign a more complex password using letters and numbers.
c. Install the LC5 password cracking program: You will now use a password recovery/cracking program to decipher the new user account passwords. The program you will use is called LC5, which is made by a company named @stake. Install the application on your machine.
d. On the Windows Server 2003 computer, double click the lc5setup folder on the Desktop, double click the lc5setup.exe program to start the installation, click Next, click Next, click Yes, click Next, click Next, click Next, click Finish.
e. Start the application. To do so, click Start, click All Programs, click LC5, click LC5.
f. Click on the Trial button, click Next.


Online TechLab Note: The screens for the LC5 program are larger than this and will display off the viewable screen area. Switch to full screen mode using the F12+Enter key combination. To switch back to normal view press the F12+Enter keys again.
g. Select the Retrieve from the local machine radio button, click Next.
h. Select the Common Password Audit radio button, click Next. Strong Password Audit is only available in the registered version of this program.

i. Make sure all the checkboxes are selected on the Pick Reporting Style dialog window.
j. Click Next.
k. Click Finish to begin the audit. You will see that in a remarkably short amount of time the usernames for this system are enumerated and the passwords are cracked for the Administrator and user1. Since user2 has a more complex password it will not be cracked with the Trial version of the software. However, with the full version most complex passwords can also be cracked. Take note of the statistics available on the right-hand side of the screen.
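An offline password-policy audit in the spirit of the Common Password Audit run above, added here as an example (it is not part of the lab and not LC5's code): a password that is a plain dictionary word, like user1's, fails at once, while one that mixes letters and digits, like user2's, passes. The wordlist, the mangling rules and the sample accounts are constructed assumptions.

```python
"""Offline password-policy audit in the spirit of the LC5 Common Password Audit.
Added example, not part of the lab or of LC5: the wordlist, the mangling rules
and the sample accounts below are constructed assumptions."""

# Constructed sample wordlist standing in for a real dictionary file.
WORDLIST = ["password", "welcome", "summer", "dragon", "monkey", "letmein"]

# Common letter-for-digit substitutions that a dictionary audit also tries.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def variants(word):
    """Yield the simple mangles of one dictionary word that a common audit checks."""
    bases = {word.lower(), word.capitalize(), word.upper(), word.lower().translate(LEET)}
    for base in bases:
        yield base
        yield base + "!"
        yield base + "123"
        for n in range(100):            # trailing one- or two-digit suffixes
            yield f"{base}{n}"


def build_dictionary(words):
    """Expand a wordlist into the full set of candidates an audit would try."""
    return {v for w in words for v in variants(w)}


def audit_password(password, dictionary, min_length=8):
    """Return the list of policy findings; an empty list means the password passed."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if password in dictionary:
        findings.append("matches a dictionary word or a common variant of one")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        findings.append("does not mix letters and digits")
    return findings


def audit_accounts(accounts, words=WORDLIST):
    """Audit a {username: password} mapping and return findings per user."""
    dictionary = build_dictionary(words)
    return {user: audit_password(pw, dictionary) for user, pw in accounts.items()}


if __name__ == "__main__":
    # Constructed sample accounts mirroring the lab's user1 / user2 contrast.
    sample = {"user1": "dragon", "user2": "x7Qp2mR9sL"}
    for user, findings in audit_accounts(sample).items():
        print(f"{user}: {'FAIL: ' + '; '.join(findings) if findings else 'ok'}")
```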

4) Researching the NETBUS Trojan Horse
a. Log onto the Windows XP Professional computer as Administrator.
b. Re-enable the Internet connection.
c. Open Internet Explorer and browse to http://www.symantec.com.
d. In the Search field type Backdoor.Netbus, click Search.
e. Click the Backdoor.Netbus.444051 - Symantec.com link.
f. Summarize the Technical Details below:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

Exercise 2
Exercise Summary: Download the latest version of a free antivirus software, Avast, and install it on a Windows 2003 Server.
1) Install Antivirus Software
a. Install from CD-ROM / .iso file:
Online TechLab Note: The Avast software program has been downloaded and saved to an .iso file in the CD-ROM .iso Files folder. The .iso file is named avast Antivirus Server 60 day Evaluation.iso. You do not need to download the file from the Avast website. Simply insert the .iso file, browse to the CD-ROM, and then continue on with the next step.
i) Insert the avast! Antivirus Server 60 day Evaluation CD-ROM or .iso file.
ii) Browse to the CD-ROM and double click the installation program. Continue to step 1) c.
b. Install from downloaded program:

i) If you do not have the CD-ROM or .iso file you can download the installation program from the avast website. To do so, open Internet Explorer, click In the future, do not show this message, click OK on the Internet Explorer warning message.
Online TechLab Note: Make sure you enable the network connection named DO NOT Modify Internet Connection.

Note: If this is the first time you have started Internet Explorer the New Connection Wizard starts. Click Next. Click the Connect to the Internet radio button, click Next. Click the Connect using a broadband connection that is always on radio button, click Next, click Finish.
ii) Click Tools, click Internet Options, click the Security tab, slide the security level slider to Medium, click OK.

Note: This action reduces the security of the local system, but it will allow you to download and install the Avast antivirus software.
iii) Type http://www.avast.com in the address bar, press Enter.

Note: The following instructions are current as of the time this lab was written. The avast! website may change. You may have to extrapolate from these instructions if the site changes.
iv) Click the download link on the top of the screen.
v) Click the Programs link on the left-hand side of the screen.
vi) Click the avast! Server Edition link on the left-hand side of the screen.
vii) Click the Download button.
viii) Save the file to the Desktop.
ix) Click Open when the download completes.
c. Install avast! Server Edition software:
i) The installation program starts. Click Next, click Next, click Next.
ii) Click the I agree radio button, click Next, click Next, click Next.
iii) Click Demo, click OK.
iv) Click Next.
v) Click No. You will not schedule a boot-time scan. You will perform a manual scan after you restart.
vi) Click Finish to restart.

2) Configure Antivirus Software
a. Update avast! Server Edition software:
i) After restart, log in as the local Administrator.
ii) Click the avast! Resident Protection popup balloon in the notification area. This will start the avast! Server Deployment Wizard; click Next.


iii) Click the Normal Server radio button, click Next.
iv) Leave the default setting for avast! Server plug-ins, click Next.
v) This software has the ability to send e-mail notifications for important events. You could enter e-mail setting information and configure the software to notify an administrator when an event occurs. Leave the e-mail settings blank, click Next.
vi) Click Finish.
vii) In the background the software will connect to the Internet and download the latest virus definition database. It will then install the database so the server has the latest protection files installed. You will see a popup window when the database has been updated.

viii) To verify this has happened, right click the icon in the notification area on the Desktop, point to Updating, click !AVS Update. The software will check the local files against the latest files on the avast servers. It will display a message that states that the virus database is up to date; click Close.
b. Run a manual scan of the server:
i) Right click the icon, click Start avast! Antivirus. A memory test will run.
ii) Maximize the program.
iii) Click the Tasks option. Notice the list of default tasks.
iv) Right click the Scan: local disks option in the right hand pane, click Run. Notice the scan starts and details about the scan are displayed in the bottom right-hand window.

Note: This scan can take quite a long time to complete; feel free to cancel the scan at any time and move on to the next step. To cancel the scan, right click the Scan in the left hand pane and select Stop.
v) Close all open windows.

Lab Validation
To validate that you completed this lab correctly, answer the following question and verify it with your Instructor. Use regedit to locate the answer. If you are unable to locate the answer, see your instructor.
1. Open the registry editor (Start, Run, Regedit). Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\aswcsfile\shell\open\command. What is the default value data entry for that key? ____________________________________________________________________


Exercise 3
Exercise Summary: Identifying Attacks. Match the following attacks with a scenario to the right. Each attack may be used more than once. Attempt to perform this activity without looking back at the Lab Overview section, or without any other assistance.

A. DoS
B. Smurf
C. Ping of Death
D. SYN Flood
E. Dictionary Attack
F. Spoofing Attack
G. Replay Attack
H. Man-in-the-Middle
I. Social Engineering
J. DDoS
K. Dumpster Diving

_____ Natalie receives an Instant Message asking for her account and password. The person sending the message states that it comes from her IT department because they need to do a backup of her hard drive.
_____ You analyze a network trace capture file and find that a number of packets on your network have been intercepted and retransmitted to both the sender and receiver.
_____ You are a Network Administrator for a college campus in New York. You get a call from a Network Administrator for a business in Austin, Texas, who says his network is getting attacked from machines on your campus network. You have noticed that your network is particularly sluggish today.
_____ While conducting a password audit of your company you find that many users configure their passwords using simple and meaningful things such as pet names and birthdays. You decide you need to explain to them that this makes them more vulnerable to a certain type of attack.
_____ You find that a domain name server is resolving the domain name to a different IP address than it is supposed to and thus misdirecting Internet traffic.
_____ You discover an unauthorized wireless access point under an Accounting Department employee's desk. Upon questioning her, she denies that she knew it was even there. She does inform you that an employee from your company's branch office in Topeka, Kansas, recently visited her office and asked if he could use the office for the day. She agreed. Your company has no branch office in Topeka.
_____ You are an Assistant Network Admin for a small company. You are enjoying the scenic view from your office of the back alley of your company's building. You notice that two individuals are digging through the trash located in the dumpsters below your window.
_____ You notice a significant increase in network traffic and determine that an attack has occurred on your network. You determine that there was no theft of information or other security loss, but you have lost the use of that system until you can get it back up.
_____ While monitoring your network you notice that it is saturated with ICMP ECHO requests.
_____ You notice a number of half-open TCP handshakes on your server. These half-open connections are starting to pile up in your server's buffer.
_____ You have heard of a type of attack that is making its way through many organizations' networks. You have installed CHAP to guard against this type of attack.
_____ While monitoring your network you notice that a number of ICMP packets with spoofed IP addresses are being sent to your network's broadcast IP address.
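Detection logic for three of the traffic patterns described in the scenarios above (ICMP echo to the broadcast address with spoofed inside sources, half-open TCP handshakes piling up on a server, and ICMP datagrams larger than IP allows), added here as an example and not part of the lab worksheet. It runs over constructed packet records rather than a live trace, on the lab's 172.16.0.0/16 addressing; the alert threshold and the outside addresses are assumptions.

```python
"""Traffic-pattern checks for three attacks named in the exercise above.
Added example, not part of the lab: it runs over constructed packet records
(not a live capture); threshold and outside addresses are assumptions."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("172.16.0.0/16")          # the lab's network
BROADCAST = str(LAN.broadcast_address)     # 172.16.255.255
HALF_OPEN_LIMIT = 5                        # constructed alert threshold
MAX_IP_DATAGRAM = 65535                    # largest legal IP datagram in bytes


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str          # "icmp" or "tcp"
    flags: str = ""     # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    dport: int = 0      # TCP destination port
    length: int = 0     # reassembled datagram length for ICMP
    icmp_type: int = 0  # 8 = echo request


def detect_smurf(pkts):
    """Echo requests to the broadcast address with an inside source address:
    the source is spoofed, so every host's reply lands on that victim."""
    victims = Counter(p.src for p in pkts
                      if p.proto == "icmp" and p.icmp_type == 8
                      and p.dst == BROADCAST and ip_address(p.src) in LAN)
    return dict(victims)


def detect_syn_flood(pkts, limit=HALF_OPEN_LIMIT):
    """Half-open handshakes: a SYN whose client never sends the final ACK.
    Returns the (server, port) pairs whose backlog reaches the limit."""
    half_open = set()
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":
            half_open.add(key)
        elif p.flags == "A":
            half_open.discard(key)          # third step completed the handshake
    backlog = Counter((dst, dport) for _, dst, dport in half_open)
    return {k: n for k, n in backlog.items() if n >= limit}


def detect_ping_of_death(pkts):
    """ICMP datagrams that reassemble beyond the 65,535-byte IP maximum."""
    return [(p.src, p.dst, p.length) for p in pkts
            if p.proto == "icmp" and p.length > MAX_IP_DATAGRAM]


# Constructed sample capture: three broadcast echoes spoofed from 172.16.0.10,
# six unanswered SYNs to port 445, one completed handshake to 139, one oversized ping.
SAMPLE = (
    [Pkt("172.16.0.10", BROADCAST, "icmp", icmp_type=8, length=84) for _ in range(3)]
    + [Pkt(f"198.51.100.{i}", "172.16.0.10", "tcp", flags="S", dport=445) for i in range(1, 7)]
    + [Pkt("172.16.0.20", "172.16.0.10", "tcp", flags="S", dport=139),
       Pkt("172.16.0.10", "172.16.0.20", "tcp", flags="SA", dport=0),
       Pkt("172.16.0.20", "172.16.0.10", "tcp", flags="A", dport=139),
       Pkt("203.0.113.7", "172.16.0.20", "icmp", icmp_type=8, length=65540)]
)
```

Running the three detectors over SAMPLE reports the spoofed inside victim, the port 445 backlog of six half-open connections, and the single oversized ICMP datagram.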



Exercise 4
Exercise Summary: Identify malicious code. Match the types of malicious code with a scenario to the right. Each type may be used more than once. Attempt to perform this activity WITHOUT looking back at the Lab Overview section, or without any other assistance.

A. Viruses
B. Trojan Horses
C. Logic Bombs
D. Worms
E. Hoax

_____ You find NetBus and Masters Paradise installed on a number of machines on your network. By researching them on Symantec's website you find that they actually deliver malicious code.
_____ A piece of malicious code that can replicate itself by infecting other programs and modifying them to include a version of itself.
_____ You receive an email that says the following: There's a new virus which was found recently which will erase the whole 'C' drive. If u gets a mail with the subject "Osama Vs Bush", please delete that mail right away. Otherwise it will erase the whole C drive. As soon as you open it, it asks "will this war affect the world economy? If you click on any button, your system will be shut down and will never boot again. It already caused a major damage in the US, INDIA and few other parts of the world. The remedy for this has not yet been discovered. So please forward this mail to as many people as possible and let everybody be aware of this. Be Careful. I received this in the mail and am passing it along. I hope that you and your computer stay healthy. You decide to research it on the Symantec website under the words Osama vs. Bush.
_____ An application that appears to perform a useful function, but instead contains some sort of malicious code. It often uses Visual Basic Scripting (VBS).
_____ This malicious code replicates itself from system to system without attaching to a file.
_____ An employee was recently fired. You are cleaning out his computer. You click on an unknown icon on his desktop. After clicking on the icon the computer crashes and the hard drive is wiped clean.


Assessment
To provide assessment for this lab, answer the following questions for evaluation by your Instructor.
1) What is the minimum password length to deter dictionary attacks?
____________________________________________________________________________________________
2) Hashed passwords are particularly vulnerable to what attack?
____________________________________________________________________________________________
3) What is the definition of a Trojan horse?
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
4) What is the main difference between viruses and Trojan horses?
____________________________________________________________________________________________
5) What is the most effective method for fighting social engineering attacks?
____________________________________________________________________________________________
6) What kind of attack is a SYN flood an example of?
____________________________________________________________________________________________
7) What are the most common attacks carried out at the transport layer of the OSI model?
____________________________________________________________________________________________
8) Sniffing is an example of a _______________ attack.
9) What is a rootkit?
____________________________________________________________________________________________
____________________________________________________________________________________________
10) What is the best technical solution for reducing the threat of a man-in-the-middle attack?
____________________________________________________________________________________________
11) What network attack uses ICMP and improperly formatted MTUs to crash a target computer?
____________________________________________________________________________________________
12) To combat social engineering attacks through Instant Messaging, what is the most effective method?
____________________________________________________________________________________________
13) Describe OS fingerprinting.
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
14) Applying ingress filtering to routers is a good defense against what kind of attack? Why?
____________________________________________________________________________________________
____________________________________________________________________________________________
15) Hoaxes can create as much damage as a real virus. TRUE / FALSE

After lab completion, please validate this lab and check your answers with an Instructor.
