Copyright © 2015 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-183656-2 MHID: 0-07-183656-X
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-183655-5, MHID: 0-07-183655-1.
eBook conversion by codeMantra Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please visit the Contact Us page at www.mhprofessional.com.
Information contained in this work has been obtained by McGraw-Hill Education from sources believed to be reliable. However, neither McGraw-Hill Education nor its authors guarantee the accuracy or completeness of any information published herein, and neither McGraw-Hill Education nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that McGraw-Hill Education and its authors are supplying information but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
Chocolate of course my Ancient Love. Morning and night I’m thinking of. Because of you two types of day one you’re here the other away.
—Vincent Nestler
I would like to thank my parents, Donald and Karen, for encouraging and supporting me and my endeavors. Their example will continue to inspire me throughout my life.
—Keith Harrison
About the Authors
Vincent Nestler has a PhD in instructional design and an MS in network security from Capitol College, as well as an MAT in education from Columbia University. He is a professor at California State University – San Bernardino and has more than 20 years of experience in network administration and security. He has served as a data communications maintenance officer in the U.S. Marine Corps Reserve, and he designed and implemented the training for Marines assigned to the Defense Information Systems Agency (DISA) Computer Emergency Response Team. He also served as the assistant operations officer (training) for the Joint Broadcast System during its transition to DISA. Since 2007, he has been integral to training CyberCorps students both at Idaho State University and at California State University – San Bernardino. He is a professor of practice in information assurance at Capitol College. His professional certifications include Red Hat Certified Engineer, Microsoft Certified Trainer, Microsoft Certified Systems Engineer, AccessData Certified Examiner, AccessData Mobile Examiner, and Security+.
Keith Harrison has a PhD in computer science from the University of Texas – San Antonio. Dr. Harrison’s doctoral dissertation was on the scalable detection of community cyberincidents utilizing distributed and anonymous security information sharing. His research interests include community cybersecurity, information sharing, cryptography, peer-to-peer networks, honeynets, virtualization, and visualization. In addition to his research activities, Dr. Harrison is the lead developer of the Collegiate Cyber Defense Competition (CCDC) Scoring Engine and the CyberPatriot Competition System (CCS) Scoring Engine. He also enjoys assisting in the operation of the National Collegiate Cyber Defense Competition (NCCDC), Panoply King of the Hill Competition, and the CyberPatriot National High School Cyber Defense Competition.
Matthew Hirsch has an MS in network security from Capitol College and a BA in physics from State University of New York (SUNY) – New Paltz. Mr. Hirsch has worked in the information security operations group for a large financial firm, data distribution for firms including Deutsche Bank and Sanwa Securities, and systems/network administration for Market Arts Software. Formerly an adjunct professor at Capitol College, Katharine Gibbs School, and DeVry, Mr. Hirsch also enjoys a long-term association with Dorsai, a New York City nonprofit ISP/hosting firm.
Dr. Wm. Arthur Conklin, CompTIA Security+, CISSP, CSSLP, GISCP, CRISC, is an associate professor and director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. He holds two terminal degrees: a PhD in business administration (specializing in information security) from the University of Texas – San Antonio (UTSA) and the degree Electrical Engineer (specializing in space systems engineering) from the Naval Postgraduate School in Monterey, California. He is a fellow of ISSA, a senior member of ASQ, and a member of IEEE and ACM. His research interests include the use of systems theory to explore information security, specifically in cyber physical systems. He has coauthored six security books and numerous academic articles associated with information security. He is active in the DHS-sponsored Industrial Control Systems Joint Working Group (ICSJWG) efforts associated with workforce development and cybersecurity aspects of industrial control systems. He has an extensive background in secure coding and is a co-chair of the DHS/DoD Software Assurance Forum working group for workforce education, training, and development.
About the Series Editor
Corey Schou, PhD, is a frequent public speaker and an active researcher with more than 300 books, papers, articles, and other presentations to his name. His interests include information assurance, software engineering, secure applications development, security and privacy, collaborative decision making, and the impact of technology on organization structure.
He has been described in the press as the father of the knowledge base used worldwide to establish computer security and information assurance. He was responsible for compiling and editing computer security training standards for the U.S. government.
In 2003 he was selected as the first university professor at Idaho State University. He directs the Informatics Research Institute and the National Information Assurance Training and Education Center. His program was recognized by the U.S. government as a Center of Academic Excellence in Information Assurance and is a leading institution in the CyberCorps/Scholarship for Service program.
In addition to his academic accomplishments, he holds a broad spectrum of certifications including Certified Cyber Forensics Professional (CCFP), Certified Secure Software Lifecycle Professional (CSSLP), HealthCare Information Security and Privacy Practitioner (HCISPP), Information Systems Security Architecture Professional (CISSP-ISSAP), and Information Systems Security Management Professional (CISSP-ISSMP).
During his career he has been recognized by many organizations including the Federal Information Systems Security Educators Association, which selected him as the 1996 Educator of the Year, and his research and center were cited by the Information Systems Security Association for Outstanding Contributions to the Profession. In 1997 he was given the TechLearn award for contributions to distance education.
He was nominated and selected as an honorary Certified Information Systems Security Professional (CISSP) based on his lifetime achievement. In 2001 the International Information Systems Security Certification Consortium (ISC)2 selected him as the second recipient of the Tipton award for contributions to the information security profession. In 2007, he was recognized as Fellow of (ISC)2.
About the Technical Editor
Stephen R. Hyzny is a university lecturer in information technology at Governors State University specializing in IT security. He has more than 25 years of experience and is a subject matter expert for CompTIA and a senior network consultant and trainer for Einstein Technology Solutions. He is a board member of the Illinois Technology Foundation, an ACM member and advisor for Governors State’s ACM chapter and Collegiate Cyber Defense team, and a member of the Upsilon Pi Epsilon honor society. Stephen graduated from St. Mary’s University with a BA in computer science and from Capella University with an MS in technology concentration on network architecture and design. He holds numerous certifications from Cisco, Microsoft, CompTIA, and Novell.
About the Contributors
James D. Ashley III is a California cybersecurity professional with seven years of experience in the IT field. His experience includes a range of topics such as systems and network administration, web development, IT security and solutions consulting, Python and C++ development, and project management. He holds a BS in administration with a cybersecurity concentration from California State University – San Bernardino and is a certified associate in project management. His early career was focused largely on private enterprise; he is currently employed as the project manager and solutions architect for the NICE Challenge Project, a virtual challenge environment development program funded by the National Science Foundation and the Department of Homeland Security. While his personal interests and professional interests are well aligned, in his spare time he often researches new security tools and follows the business side of the technology industry.
Jeffrey D. Echlin is a cybersecurity professional from California, with more than a decade of IT fieldwork and consultancy experience, including penetration testing and incident response. His enthusiasm for technology began at the age of 9 with his first computer and persists to this day, reflected in every technological achievement and project he has completed. He holds a BS degree in business administration/cybersecurity from California State University – San Bernardino. Jeffrey also holds Security+, Network+, A+, and Certified Ethical Hacker certifications. He has transitioned from the private sector into the government sector and is currently the lead builder for the NICE Challenge project, funded by the National Science Foundation and the Department of Homeland Security. His primary personal and professional interests include penetration testing, forensics, and malware analysis.
Contents at a Glance
PART I NETWORKING BASICS: HOW DO NETWORKS WORK?
Chapter 1 WORKSTATION NETWORK CONFIGURATION AND CONNECTIVITY
Chapter 2 NETWORK TRANSPORTS
Chapter 3 NETWORK APPLICATIONS
PART II VULNERABILITIES AND THREATS: HOW CAN SYSTEMS BE COMPROMISED?
Chapter 4 PENETRATION TESTING
Chapter 5 ATTACKS AGAINST APPLICATIONS
Chapter 6 MORE ATTACKS: TROJAN ATTACKS, MITM, STEGANOGRAPHY
PART III PREVENTION: HOW DO YOU PREVENT HARM TO NETWORKS?
Chapter 7 HARDENING THE HOST COMPUTER
Chapter 8 SECURING NETWORK COMMUNICATIONS
PART IV DETECTION AND RESPONSE: HOW DO YOU DETECT AND RESPOND TO ATTACKS?
Chapter 9 PREPARING FOR AND DETECTING ATTACKS
Chapter 10 DIGITAL FORENSICS
Appendix OBJECTIVES MAP: COMPTIA SECURITY+™
INDEX
Contents
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
PART I NETWORKING BASICS: HOW DO NETWORKS WORK?
Chapter 1 WORKSTATION NETWORK CONFIGURATION AND CONNECTIVITY
Lab 1.1: Network Workstation Client Configuration
Lab 1.1w: Windows Client Configuration
Lab 1.1l: Linux Client Configuration
Lab 1.1 Analysis Questions
Lab 1.1 Key Terms Quiz
Lab 1.2: Computer Name Resolution
Lab 1.2w: Name Resolution in Windows
Lab 1.2 Analysis Questions
Lab 1.2 Key Terms Quiz
Lab 1.3: IPv6 Basics
Lab 1.3w: Windows IPv6 Basics (netsh/ping6)
Lab 1.3 Analysis Questions
Lab 1.3 Key Terms Quiz
Chapter 2 NETWORK TRANSPORTS
Lab 2.1: Network Communication Analysis
Lab 2.1w: Network Communication Analysis in Windows
Lab 2.1 Analysis Questions
Lab 2.1 Key Terms Quiz
Lab 2.2: Port Connection Status
Lab 2.2w: Windows-Based Port Connection Status
Lab 2.2l: Linux-Based Port Connection Status
Lab 2.2 Analysis Questions
Lab 2.2 Key Terms Quiz
Chapter 3 NETWORK APPLICATIONS
Lab 3.1: FTP Communication (FTP-HTTP)
Lab 3.1w: Windows FTP Communication (FTP-HTTP)
Lab 3.1l: Linux FTP Communication (FTP-HTTP)
Lab 3.1 Analysis Questions
Lab 3.1 Key Terms Quiz
Lab 3.2: E-mail Protocols: SMTP and POP3
Lab 3.2m: Windows E-mail: SMTP and POP3
Lab 3.2l: Linux E-mail: SMTP and POP3
Lab 3.2 Analysis Questions
Lab 3.2 Key Terms Quiz
PART II VULNERABILITIES AND THREATS: HOW CAN SYSTEMS BE COMPROMISED?
Chapter 4 PENETRATION TESTING
Lab 4.1: IP Address and Port Scanning, Service Identity Determination
Lab 4.1w: Using Nmap in Windows
Lab 4.1 Analysis Questions
Lab 4.1 Key Terms Quiz
Lab 4.2: GUI-Based Vulnerability Scanners
Lab 4.2m: Using a Vulnerability Scanner (OpenVAS)
Lab 4.2 Analysis Questions
Lab 4.2 Key Terms Quiz
Lab 4.3: Researching System Vulnerabilities
Lab 4.3i: Researching System Vulnerabilities
Lab 4.3 Analysis Questions
Lab 4.3 Key Terms Quiz
Lab 4.4: Using Metasploit
Lab 4.4l: Using the Metasploit Framework
Lab 4.4 Analysis Questions
Lab 4.4 Key Terms Quiz
Lab 4.5: Password Cracking
Lab 4.5l: Password Cracking
Lab 4.5 Analysis Questions
Lab 4.5 Key Terms Quiz
Lab 4.6: Using Cobalt Strike
Lab 4.6l: Using Cobalt Strike
Lab 4.6 Analysis Questions
Lab 4.6 Key Terms Quiz
Chapter 5 ATTACKS AGAINST APPLICATIONS
Lab 5.1: Web SQL Injection
Lab 5.1li: Web SQL Injection in Linux
Lab 5.1 Analysis Questions
Lab 5.1 Key Terms Quiz
Lab 5.2: Web Browser Exploits
Lab 5.2m: Web Browser Exploits
Lab 5.2 Analysis Questions
Lab 5.2 Key Terms Quiz
Lab 5.3: E-mail System Exploits
Lab 5.3m: Exploiting E-mail Vulnerabilities in Windows
Lab 5.3 Analysis Questions
Lab 5.3 Key Terms Quiz
Chapter 6 MORE ATTACKS: TROJAN ATTACKS, MITM, STEGANOGRAPHY
Lab 6.1: Trojan Attacks
Lab 6.1w: Using the Dark Comet Trojan
Lab 6.1 Analysis Questions
Lab 6.1 Key Terms Quiz
Lab 6.2: Man-in-the-Middle Attack
Lab 6.2m: Man-in-the-Middle Attack
Lab 6.2 Analysis Questions
Lab 6.2 Key Terms Quiz
Lab 6.3: Steganography
Lab 6.3w: Steganography in Windows
Lab 6.3 Analysis Questions
Lab 6.3 Key Terms Quiz
PART III PREVENTION: HOW DO YOU PREVENT HARM TO NETWORKS?
Chapter 7 HARDENING THE HOST COMPUTER
Lab 7.1: Hardening the Operating System
Lab 7.1w: Hardening Windows 7
Lab 7.1 Analysis Questions
Lab 7.1 Key Terms Quiz
Lab 7.2: Using Antivirus Applications
Lab 7.2w: Antivirus in Windows
Lab 7.2 Analysis Questions
Lab 7.2 Key Terms Quiz
Lab 7.3: Using Firewalls
Lab 7.3l: Configuring a Personal Firewall in Linux
Lab 7.3 Analysis Questions
Lab 7.3 Key Terms Quiz
Chapter 8 SECURING NETWORK COMMUNICATIONS
Lab 8.1: Using GPG to Encrypt and Sign E-mail
Lab 8.1m: Using GPG in Windows
Lab 8.1 Analysis Questions
Lab 8.1 Key Terms Quiz
Lab 8.2: Using Secure Shell (SSH)
Lab 8.2l: Using Secure Shell in Linux
Lab 8.2m: Using Secure Shell in Windows
Lab 8.2 Analysis Questions
Lab 8.2 Key Terms Quiz
Lab 8.3: Using Secure Copy (SCP)
Lab 8.3l: Using Secure Copy in Linux
Lab 8.3m: Using Secure Copy in Windows
Lab 8.3 Analysis Questions
Lab 8.3 Key Terms Quiz
Lab 8.4: Using Certificates and SSL
Lab 8.4l: Using Certificates and SSL in Linux
Lab 8.4 Analysis Questions
Lab 8.4 Key Terms Quiz
Lab 8.5: Using IPsec
Lab 8.5w: Using IPsec in Windows
Lab 8.5 Analysis Questions
Lab 8.5 Key Terms Quiz
PART IV DETECTION AND RESPONSE: HOW DO YOU DETECT AND RESPOND TO ATTACKS?
Chapter 9 PREPARING FOR AND DETECTING ATTACKS
Lab 9.1: System Log Analysis
Lab 9.1w: Log Analysis in Windows
Lab 9.1l: Log Analysis in Linux
Lab 9.1 Analysis Questions
Lab 9.1 Key Terms Quiz
Lab 9.2: Intrusion Detection Systems
Lab 9.2l: Using a Network Intrusion Detection System (Snort) in Linux
Lab 9.2 Analysis Questions
Lab 9.2 Key Terms Quiz
Lab 9.3: Backing Up and Restoring Data
Lab 9.3w: Backing Up and Restoring Data in Windows
Lab 9.3l: Backing Up and Restoring Data in Linux
Lab 9.3 Analysis Questions
Lab 9.3 Key Terms Quiz
Lab 9.4: Using Honeypots
Lab 9.4w: Using Honeypots in Windows
Lab 9.4 Analysis Questions
Lab 9.4 Key Terms Quiz
Chapter 10 DIGITAL FORENSICS
Lab 10.1: Live Analysis: Incident Determination
Lab 10.1w: Live Analysis: Incident Determination in Windows
Lab 10.1 Analysis Questions
Lab 10.1 Key Terms Quiz
Lab 10.2: Acquiring the Data
Lab 10.2w: Acquiring the Data in Windows
Lab 10.2 Analysis Questions
Lab 10.2 Key Terms Quiz
Lab 10.3: Forensic Analysis
Lab 10.3l: Forensic Analysis in CAINE
Lab 10.3 Analysis Questions
Lab 10.3 Key Terms Quiz
Lab 10.4: Remote Image Capture
Lab 10.4l: Remote Forensic Image Capture Over a Network
Lab 10.4 Analysis Questions
Lab 10.4 Key Terms Quiz
Appendix OBJECTIVES MAP: COMPTIA SECURITY+™
INDEX
Foreword
In a cyber environment of hackers, attackers, and malefactors, defending and securing computer systems, together with forensic analysis, is an increasingly important set of skills. Between script kiddies and experts, the defenders will always be outnumbered. Every time you detect a system attack, someone ought to do something. The underlying problem is that to some extent, each attack is unique but shares characteristics with other attacks—how are we to learn?
There are actually two forewords to this book. One is for the advanced learner who is already battle-hardened through many courses, while the other is for the aspiring practitioner who is learning the art of securing systems.
For the Advanced Student
You might ask, why in the world should I use this book? I have listened intently in all my classes, and I certainly know about hardware, software, operating systems, computers, security, networks, and the myriad things that can go wrong. Right?
Nevertheless, how often do you have a chance to practice making things right? Sometimes there have been limited chances to do something hands on. You do not want your first hands-on practice to start right after the phone rings at 3 a.m. Something has happened, and from what you can tell from the panicked user, it means the end of the world as he knows it. So, you grab a cup of coffee and head into battle with the unknown.
Like most students, you know the theory of solving security problems, but you have little practice solving real problems.
As an advanced student, you are about to become a warrior in an ongoing cyberwar. There is an old adage—warriors fight only as well as they train. Well-trained warriors will prevail even when presented with a problem they have never encountered directly. A colleague of mine told me about an incident while he was in the Navy that required the crew to confront an unanticipated life-threatening situation. Their training made the difference. As professionals, we must train so that our actions are fluid and well practiced. If we are lucky, we have learned a kata (a form) from a well-seasoned sensei (teacher) who understands that in computer security each crisis is entirely new. This book allows you to practice your art without risking critical systems. It helps you improve your kata, and it helps you nurture aspiring practitioners. It will help make you a professional.
For the Aspiring Practitioner
Years ago, a student of mine told me that he was a member of the Screen Actors Guild (SAG) union. I was impressed, and I asked him how he had gotten in. He laughed and told me that it was tricky. You could get a union card only if you had been in a professional performance, and the only way you could get a job in a professional performance was to have a union card. Well, to some extent, computer security presents a similar problem. The only way to get a computer security job is to have experience; the only way to get experience is to have a job. This book helps solve that problem: You gain real knowledge and experience through real-world learning scenarios.
Learning How to Defend
No matter your level of expertise, you will be able to practice the skills you need by learning about how systems work, system vulnerabilities, system threats, attack detection, attack response/defense, and attack prevention.
Using a flexible approach, you will be learning practical skills associated with the following items:
If you are an expert or you are just aspiring to know more about computer security, this book is a practical assistant that lets you practice, practice, practice. It can accompany any textbook or resource you want. The principles used are the essentials of the profession expressed in a hands-on environment.
—Corey D. Schou, PhD Series Editor
Acknowledgments
I would like to give special thanks to Brian Hay and Kara Nance of the University of Alaska Fairbanks for their support and for the use of the RAVE labs for the testing and development of this manual. Thank you to Tony Coulson and Jake Zhu for their continued support of my professional development and career path. To Greg Frey and Elizabeth Grimes, for your tireless dedication and attention to detail. Special thanks to Dr. Corey Schou. Ten years ago, you took the time and interest in what I had to share. You have helped me in no small way to make it further along my path. I am grateful for your kindness and generosity with your expertise.
—Vincent Nestler
Testing and Review
Many hours were spent testing and tweaking the exercises in this manual. Thank you to the testers and reviewers, who contributed insightful reviews, criticisms, and helpful suggestions that continue to shape this book.
• Greg Frey
• Elizabeth Grimes
• Andrew Vasquez
• Blake Nelson
• Malcolm Reed
• Brendan Higgins
• Kurt E. Webber
Introduction
I hear and I forget. I see and I remember. I do and I understand.
—Confucius
The success of a learning endeavor rests on several factors including the complexity of the material and the level of direct involvement on the part of the student. It takes more than passive attendance at a lecture to learn most complex subjects. Truly learning and understanding all the elements of a complex issue requires exploration that comes from more intimate involvement with the material.
Computer security is a complex subject with many composite domains, overlapping principles, and highly specific, detailed technical aspects. Developing skilled professionals in computer security requires that several components be addressed, namely, technical and principle-based knowledge, coupled with practical experience using that knowledge in operational situations. This book is designed to assist in simulating the practical experience portion of the knowledge base of computer security.
This book is not a stand-alone reference designed to cover all aspects of computer security but is intended as a resource to put the principles of computer security into practice. It contains labs suitable for students ranging from novices to more advanced security experts. It can be used in conjunction with many computer security books; however, it has been tailored to accompany McGraw-Hill Education’s Principles of Computer Security, Fourth Edition, with cross-references provided after each lab. Together, in a well-balanced curriculum, these two books provide a foundation for understanding basic computer security concepts and skills.
Pedagogical Design
This book is laid out in four sections, each corresponding to a question associated with the natural progression of inquiry for securing just about anything. These questions act as a structured framework designed to build upon each previous section as you strive to develop a hands-on understanding of computer security principles. The questions are as follows:
• How does the system work?
• How is the system vulnerable, and what are the threats?
• How do you prevent harm to the system?
• How do you detect and respond to attacks on the system?
These four questions build upon one another. First, it is important to understand how a system works before you can see the vulnerabilities it has. After studying the vulnerabilities and the threats that act upon them, you must look to the methods for preventing harm to the system. Lastly, even in the most secure environments, you must prepare for the worst and ask how you can detect attacks and how you should respond to them.
These four questions are key questions for students to learn. They are arguably more important than the content itself. Technology will change, and the content will change, but the thought process will remain the same.
Lab Exercise Design
This lab manual is specifically designed to allow flexibility on the part of instructors. There is flexibility in regard to equipment and setup because the labs can be performed on a Windows, Linux, or Mac platform with the use of virtual machines. There is flexibility in regard to equipment quantity because both stand-alone networks and virtual networks can be employed. Lastly, there is flexibility in lab selection because it is not expected that every lab will be employed; rather, a selection of appropriate labs may be taken to support specific concepts.
The lab exercises are designed to teach skills and concepts in computer and network security. Several features of each lab allow for flexibility while not losing focus on important concepts. These features are as follows.
Labs Written for Windows and Linux
Many lab exercises are written for both Windows and Linux operating systems. This not only allows the students to work in the operating system with which they are familiar but also serves to bridge the gap in understanding how each operating system works.
Each Lab Exercise Stands Alone
While the labs build upon one another in terms of content and skills covered, they stand alone with respect to configuration and settings. This allows for maximum flexibility in relation to the sequence and repetition of labs.
Labs Are Presented in Progressive Sequence
While the lab manual is broken down into four sections, each section is further broken down into chapters that divide the content into logical groupings. This will help students new to network security develop their knowledge and awareness of the skills and concepts in a progressive manner.
Labs Can Be Done in Sequence by Topic
Not only are the lab exercises grouped by content according to the four questions, but references to later lab exercises that relate to the current one are included. For example, you may want to perform the lab exercises pertaining to e-mail. You could do the “E-mail Protocols: SMTP and POP3” lab from Part I, which demonstrates the use of e-mail; the “E-mail System Exploits” lab from Part II, which demonstrates a vulnerability of e-mail; the “Using GPG to Encrypt and Sign E-mail” lab from Part III, which demonstrates encrypted e-mail; and the “System Log Analysis” lab from Part IV, which can be used to reveal attacks on an e-mail server.
Most Lab Exercises Have Suggestions for Further Study
At the end of each lab there are suggestions for further investigation. These sections point the student in the right direction to discover more. For the student who is advanced and completes labs ahead of time, these suggested labs offer a challenge, though they need not be required for other students.
The Introduction of Challenges
In this edition, an additional virtual machine has been added that has a network monitoring tool on it called Nagios. The Nagios machine has been configured to check for certain configurations of the machines used for the lab exercises. On the Nagios interface, the challenges are listed and will show up in red. When a challenge is completed successfully, it changes to green. We have provided instructions for the challenge machine and a list of challenges on the instructor’s Online Learning Center. Instructors may choose to use this challenge machine at their discretion.
The Use of Virtual Machines
The exercises in this manual were built with the expectation of using virtual machine technology. A network-based virtual machine solution is in many ways even better. The following are some of the reasons for using virtual machines:
• Easy deployment Once the virtual machines are created, they can be moved or copied as necessary to other machines or a central location.
• Can be done on PC, Linux, or Mac platform As long as you meet the minimum resource and software requirements, the labs can be done on a PC, Linux, or Mac platform. If you are using a network-based solution, environments can be accessed with a browser.
• One student, multiple machines Instead of having one student to one machine, or in some cases multiple students to one machine, you can now flip that condition and have multiple machines to one student. Each student can now be responsible for the entire network. This increases the amount of depth and complexity of exercises that can be implemented.
• Labs are portable—laptops and browsers The use of virtual machines gives you the added benefit of having a network security lab on your laptop. This means the student does not necessarily have to go to the lab to do the exercises; you can take the lab with you wherever you go. If you have a network-based solution, you can simply access the environment with a browser.
• Easy rollback When properly configured, at the end of each lab exercise there is no need to uninstall or re-image computers. All that is needed is to exit the virtual machine without saving the changes. If the virtual hard drive has been modified, restoring the original file is a simple process.
• Unlimited potential for further experimentation Unlike a simulation, each virtual machine is using the actual operating systems and as such can be used to develop new techniques and test other security concepts and software with relatively little difficulty.
Instructor and Student Online Learning Center For instructor and student resources, check out the Online Learning Center:
www.mhprofessional.com/PrinciplesSecurity4e
Additional Resources for Students The Student Center on the Online Learning Center features information about the book’s authors, table of contents, and key features, as well as an electronic sample chapter.
Additional Resources for Teachers The security lab setup instructions, virtual machines, and solutions to the lab manual questions and activities in this book are provided—along with the resources for teachers using Principles of Computer Security, Fourth Edition—via the Online Learning Center. The material follows the organization of Principles of Computer Security, Fourth Edition.
Security Lab Setup All lab exercises have a letter designation of w, l, m, or i. The “w” labs are Windows-based exercises, the “l” labs are Linux-based exercises, and the “m” labs are mixed Windows and Linux exercises. Labs with the w, l, or m designation are intended to be performed on a closed network or virtual PC. The “i” labs are labs that need to be performed on a computer with Internet access. See Figure 1.
FIGURE 1 Lab setup diagram
• The “w” labs These labs involve a Windows 7 Professional PC and a Windows 2008 Server. In general, the Windows 7 PC will be the attacker, and the server will be the defender.
• The “l” labs These labs involve a Kali Linux machine and a Metasploitable-2 Linux machine. One is configured as a client (Kali) and one as a server (Metasploitable-2). In general, the Linux client will be the attacker, and the server will be the defender.
• The “m” labs These labs will involve a combination of Windows and Linux PCs. The Linux PC is used as an SSH and mail server.
• The “i” labs These labs involve a host PC that has Internet access. While most exercises are designed not to require Internet access, a few have been added to allow the student to do research on various topics.
Note that all computers are configured with weak passwords intentionally. This is for ease of lab use and to demonstrate the hazards of weak passwords. Creating and using more robust passwords is covered in Part III.
Security Lab Requirements and Instructions You can find the requirements for the security lab setup and access to the virtual machines on the instructor’s Online Learning Center at www.mhprofessional.com/PrinciplesSecurity4e. Once you have downloaded the virtual machine files, refer to the documentation of the virtual environment you will be using (VMware, Virtual PC, VirtualBox, and so on) for instructions on how to import the machines.
Note
As vendors improve their software, the exact versions used in this book may no longer be available. As a result, a few lab exercises may not work exactly as written, although they should still work in general. For updates and other information, please visit the Online Learning Center at www.mhprofessional.com/PrinciplesSecurity4e.
PART I Networking Basics: How Do Networks Work?
Know thyself.
—Oracle at Delphi
Securing a network can be a tricky business, and there are many issues to consider. We must be aware of the vulnerabilities that exist and their corresponding threats and then estimate the probability of the threat acting upon the vulnerability. Measures are implemented to mitigate, avoid, or transfer risk. However, regardless of the effort to minimize risk, there is always the possibility of harm to our information, so we must develop plans for dealing with a possible compromise of our network. Yet before we can really protect our network from attackers, we must first know our network and, ideally, know it better than they do. Hence, we need to learn about what the network does and how it does it so we can develop an understanding of our network’s abilities and limitations. Only then can we truly see our network’s vulnerabilities and do what is necessary to guard them. We cannot secure our network if we do not know how it works.
Part I will demonstrate how devices communicate on a local area connection and cover IP addressing, routing, the three-way handshake, and some of the basic network applications. It will also introduce tools that will be used throughout the remainder of the book, such as ping, arp, nslookup, and Wireshark.
This part is divided into three chapters that will discuss the different aspects of the TCP/IP protocol stack. Chapter 1 will cover exercises relating to the network access and Internet layer, Chapter 2 will deal with the transport layer, and Chapter 3 will discuss the application layer. As you go through the labs in this part, you should be constantly asking yourself one question: How is this network vulnerable to attack, and how can it be exploited? It might seem strange to think about how something can be broken when you are learning about how it works, but this is a good opportunity for you to start thinking the way an attacker thinks.
This part will also prepare you for the labs that are to come in Part II.
Chapter 1 Workstation Network Configuration and Connectivity
Labs
• Lab 1.1 Network Workstation Client Configuration
Lab 1.1w Windows Client Configuration
Lab 1.1l Linux Client Configuration
Lab 1.1 Analysis Questions
Lab 1.1 Key Terms Quiz
• Lab 1.2 Computer Name Resolution
Lab 1.2w Name Resolution in Windows
Lab 1.2 Analysis Questions
Lab 1.2 Key Terms Quiz
• Lab 1.3 IPv6 Basics
Lab 1.3w Windows IPv6 Basics (netsh/ping6)
Lab 1.3 Analysis Questions
Lab 1.3 Key Terms Quiz
This chapter contains lab exercises designed to illustrate the various commands and methods used to establish workstation connectivity in a network based on Transmission Control Protocol/Internet Protocol (TCP/IP). The chapter covers the basics necessary to achieve and monitor connectivity in a networking environment, using both Windows PCs and Linux-based PCs. In this chapter, you will be introduced to some basic commands and tools that will enable you to manipulate and monitor the network settings on a workstation. This is necessary as a first step toward learning how to secure connections.
The chapter consists of basic lab exercises that are designed to provide a foundation in network connectivity and tools. In later chapters of this book, you will use the skills from these lab exercises to perform functions that are necessary to secure a network from attack and investigate current conditions. Built upon the premise that one learns to crawl before walking and to walk before running, this chapter represents the crawling stage. Although basic in nature, this chapter is important because it provides the skills needed to “walk” and “run” in later stages of development.
Depending on your lab setup and other factors, you won’t necessarily be performing all the lab exercises presented in this book. Therefore, to help you identify which lab exercises are relevant for you, each lab exercise number is appended with a letter: “w” labs are built using the Windows environment; “l” labs are built using the Linux environment; “m” labs are built using a combination of Windows and Linux; and “i” labs require an Internet connection.
Lab 1.1: Network Workstation Client Configuration For two computers to communicate on a TCP/IPv4 network (IPv6 is discussed later, in Lab 1.3), each computer must have a unique Internet Protocol (IP) address. An IPv4 address is 32 bits long and is written as four octets. The address is divided into a network portion and a host portion, and the subnet mask identifies which bits belong to each. On a local area network (LAN), every computer must have the same network address and a different host address. To communicate with hosts outside the LAN, which have different network addresses, a default gateway is required. To connect to a TCP/IP network, four items are normally configured: the IP address (both the network and host portions), the subnet mask, the IP address of a Domain Name System (DNS) server, and the IP address of the gateway machine. To communicate within the LAN only, you need just the IP address and subnet mask. To communicate with other networks, you also need the default gateway. If you want to reach sites and networks by their domain names, you also need the address of a DNS server.
When machines on different networks communicate, packets travel via the default gateway on the way into and out of the LAN. Routing is done using (Layer 3) IP addresses. If the destination computer is on the same network, its IP address is resolved to a (Layer 2) Media Access Control (MAC) address so the two machines can exchange frames directly; if it is on a different network, the sender instead resolves the gateway’s MAC address and hands the packet to the gateway. MAC addresses are burned into the Ethernet card by its manufacturer, but most operating systems allow the address a card uses to be changed in software, so a MAC address alone should never be treated as proof of a machine’s identity.
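The following Python script is an added example, not part of the lab manual, that works through the two decisions described above: it splits an address into its network and host portions using the subnet mask, and it determines whether a destination is reached directly on the LAN or through the default gateway (and therefore whose MAC address the sender must resolve). The addresses and masks used are constructed sample values, not the lab’s actual settings; the function names are this example’s own.

```python
"""Added example (not from the lab manual): apply a subnet mask to an IPv4
address and decide whether a destination is on-link or needs the gateway.
All addresses below are constructed sample values.
"""
import ipaddress


def split_address(ip, mask):
    """Return (network_address, host_part, broadcast_address).

    host_part is the integer value of the bits the mask leaves for the host,
    i.e. the part of the address that must differ between machines on one LAN.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    host_mask = ~int(net.netmask) & 0xFFFFFFFF   # bits NOT covered by the mask
    host_part = int(iface.ip) & host_mask
    return str(net.network_address), host_part, str(net.broadcast_address)


def same_network(ip_a, ip_b, mask):
    """True when both addresses share the network portion under this mask."""
    net_a = ipaddress.IPv4Interface(f"{ip_a}/{mask}").network
    return ipaddress.IPv4Address(ip_b) in net_a


def next_hop(src_ip, mask, dst_ip, gateway=None):
    """Return the IP address whose MAC the sender resolves at Layer 2.

    On-link destination  -> the destination itself.
    Off-link destination -> the default gateway (which must itself be on-link).
    """
    iface = ipaddress.IPv4Interface(f"{src_ip}/{mask}")
    dst = ipaddress.IPv4Address(dst_ip)
    if dst in iface.network:
        return dst_ip
    if gateway is None:
        raise ValueError("destination is off-link and no default gateway is configured")
    if ipaddress.IPv4Address(gateway) not in iface.network:
        raise ValueError("default gateway must be on the local network")
    return gateway


if __name__ == "__main__":
    # Constructed sample configuration (not lab-manual values).
    me, mask, gw = "192.168.1.10", "255.255.255.0", "192.168.1.1"
    print("network/host/broadcast:", split_address(me, mask))
    for dst in ("192.168.1.20", "10.0.0.5"):
        print(f"to reach {dst} resolve MAC of {next_hop(me, mask, dst, gw)}")
    # A /22 mask shows that the network boundary need not fall on an octet.
    print("172.16.5.10/255.255.252.0 ->", split_address("172.16.5.10", "255.255.252.0"))
```

The /22 case at the end is worth noting: the mask does not have to end on an octet boundary, so reading the network portion off the dotted notation by eye is unreliable; always apply the mask bitwise as the script does.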
The ability to retrieve and change your IP configuration is an important skill. In this lab, you will use the ipconfig command in Windows and the ifconfig command in Linux to view the configuration