Copyright © 2015 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-183656-2 MHID: 0-07-183656-X
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-183655-5, MHID: 0-07-183655-1.
eBook conversion by codeMantra Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please visit the Contact Us page at www.mhprofessional.com.
Information contained in this work has been obtained by McGraw-Hill Education from sources believed to be reliable. However, neither McGraw-Hill Education nor its authors guarantee the accuracy or completeness of any information published herein, and neither McGraw-Hill Education nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that McGraw-Hill Education and its authors are supplying information but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
Chocolate of course my Ancient Love. Morning and night I’m thinking of. Because of you two types of day one you’re here the other away.
—Vincent Nestler
I would like to thank my parents, Donald and Karen, for encouraging and supporting me and my endeavors. Their example will continue to inspire me throughout my life.
—Keith Harrison
About the Authors
Vincent Nestler has a PhD in instructional design and an MS in network security from Capitol College, as well as an MAT in education from Columbia University. He is a professor at California State University – San Bernardino and has more than 20 years of experience in network administration and security. He has served as a data communications maintenance officer in the U.S. Marine Corps Reserve, and he designed and implemented the training for Marines assigned to the Defense Information Systems Agency (DISA) Computer Emergency Response Team. He also served as the assistant operations officer (training) for the Joint Broadcast System during its transition to DISA. Since 2007, he has been integral to training CyberCorps students both at Idaho State University and at California State University – San Bernardino. He is a professor of practice in information assurance at Capitol College. His professional certifications include Red Hat Certified Engineer, Microsoft Certified Trainer, Microsoft Certified Systems Engineer, AccessData Certified Examiner, AccessData Mobile Examiner, and Security+.
Keith Harrison has a PhD in computer science from the University of Texas – San Antonio. Dr. Harrison’s doctoral dissertation was on the scalable detection of community cyberincidents utilizing distributed and anonymous security information sharing. His research interests include community cybersecurity, information sharing, cryptography, peer-to-peer networks, honeynets, virtualization, and visualization. In addition to his research activities, Dr. Harrison is the lead developer of the Collegiate Cyber Defense Competition (CCDC) Scoring Engine and the CyberPatriot Competition System (CCS) Scoring Engine. He also enjoys assisting in the operation of the National Collegiate Cyber Defense Competition (NCCDC), Panoply King of the Hill Competition, and the CyberPatriot National High School Cyber Defense Competition.
Matthew Hirsch has an MS in network security from Capitol College and a BA in physics from State University of New York (SUNY) – New Paltz. Mr. Hirsch has worked in the information security operations group for a large financial firm, data distribution for firms including Deutsche Bank and Sanwa Securities, and systems/network administration for Market Arts Software. Formerly an adjunct professor at Capitol College, Katharine Gibbs School, and DeVry, Mr. Hirsch also enjoys a long-term association with Dorsai, a New York City nonprofit ISP/hosting firm.
Dr. Wm. Arthur Conklin, CompTIA Security+, CISSP, CSSLP, GISCP, CRISC, is an associate professor and director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. He holds two terminal degrees: a PhD in business administration (specializing in information security) from the University of Texas – San Antonio (UTSA) and the degree Electrical Engineer (specializing in space systems engineering) from the Naval Postgraduate School in Monterey, California. He is a fellow of ISSA, a senior member of ASQ, and a member of IEEE and ACM. His research interests include the use of systems theory to explore information security, specifically in cyber physical systems. He has coauthored six security books and numerous academic articles associated with information security. He is active in the DHS-sponsored Industrial Control Systems Joint Working Group (ICSJWG) efforts associated with workforce development and cybersecurity aspects of industrial control systems. He has an extensive background in secure coding and is a co-chair of the DHS/DoD Software Assurance Forum working group for workforce education, training, and development.
About the Series Editor
Corey Schou, PhD, is a frequent public speaker and an active researcher with more than 300 books, papers, articles, and other presentations to his credit. His interests include information assurance, software engineering, secure applications development, security and privacy, collaborative decision making, and the impact of technology on organization structure.
He has been described in the press as the father of the knowledge base used worldwide to establish computer security and information assurance. He was responsible for compiling and editing computer security training standards for the U.S. government.
In 2003 he was selected as the first university professor at Idaho State University. He directs the Informatics Research Institute and the National Information Assurance Training and Education Center. His program was recognized by the U.S. government as a Center of Academic Excellence in Information Assurance and is a leading institution in the CyberCorps/Scholarship for Service program.
In addition to his academic accomplishments, he holds a broad spectrum of certifications including Certified Cyber Forensics Professional (CCFP), Certified Secure Software Lifecycle Professional (CSSLP), HealthCare Information Security and Privacy Practitioner (HCISPP), Information Systems Security Architecture Professional (CISSP-ISSAP), and Information Systems Security Management Professional (CISSP-ISSMP).
During his career he has been recognized by many organizations including the Federal Information Systems Security Educators Association, which selected him as the 1996 Educator of the Year, and his research and center were cited by the Information Systems Security Association for Outstanding Contributions to the Profession. In 1997 he was given the TechLearn award for contributions to distance education.
He was nominated and selected as an honorary Certified Information Systems Security Professional (CISSP) based on his lifetime achievement. In 2001 the International Information Systems Security Certification Consortium (ISC)2 selected him as the second recipient of the Tipton award for contributions to the information security profession. In 2007, he was recognized as Fellow of (ISC)2.
About the Technical Editor
Stephen R. Hyzny is a university lecturer in information technology at Governors State University specializing in IT security. He has more than 25 years of experience and is a subject matter expert for CompTIA and a senior network consultant and trainer for Einstein Technology Solutions. He is a board member of the Illinois Technology Foundation, an ACM member and advisor for Governors State’s ACM chapter and Collegiate Cyber Defense team, and a member of the Upsilon Pi Epsilon honor society. Stephen graduated from St. Mary’s University with a BA in computer science and from Capella University with an MS in technology with a concentration in network architecture and design. He holds numerous certifications from Cisco, Microsoft, CompTIA, and Novell.
About the Contributors
James D. Ashley III is a California cybersecurity professional with seven years of experience in the IT field. His experience includes a range of topics such as systems and network administration, web development, IT security and solutions consulting, Python and C++ development, and project management. He holds a BS in administration with a cybersecurity concentration from California State University – San Bernardino, and he is a certified associate in project management. His early career was focused largely on private enterprise; he is currently employed as the project manager and solutions architect for the NICE Challenge Project, a virtual challenge environment development program funded by the National Science Foundation and the Department of Homeland Security. His personal and professional interests are well aligned: in his spare time he often researches new security tools and follows the business side of the technology industry.
Jeffrey D. Echlin is a cybersecurity professional from California, with more than a decade of IT fieldwork and consultancy experience, including penetration testing and incident response. His enthusiasm for technology began at the age of 9 with his first computer and persists to this day, reflected in every technological achievement and project he has completed. He holds a BS degree in business administration/cybersecurity from California State University – San Bernardino. Jeffrey also holds Security+, Network+, A+, and Certified Ethical Hacker certifications. He has transitioned from the private sector into the government sector and is currently the lead builder for the NICE Challenge project, funded by the National Science Foundation and the Department of Homeland Security. His primary personal and professional interests include penetration testing, forensics, and malware analysis.
Contents at a Glance
PART I NETWORKING BASICS: HOW DO NETWORKS WORK?
Chapter 1 WORKSTATION NETWORK CONFIGURATION AND CONNECTIVITY
Chapter 2 NETWORK TRANSPORTS
Chapter 3 NETWORK APPLICATIONS
PART II VULNERABILITIES AND THREATS: HOW CAN SYSTEMS BE COMPROMISED?
Chapter 4 PENETRATION TESTING
Chapter 5 ATTACKS AGAINST APPLICATIONS
Chapter 6 MORE ATTACKS: TROJAN ATTACKS, MITM, STEGANOGRAPHY
PART III PREVENTION: HOW DO YOU PREVENT HARM TO NETWORKS?
Chapter 7 HARDENING THE HOST COMPUTER
Chapter 8 SECURING NETWORK COMMUNICATIONS
PART IV DETECTION AND RESPONSE: HOW DO YOU DETECT AND RESPOND TO ATTACKS?
Chapter 9 PREPARING FOR AND DETECTING ATTACKS
Chapter 10 DIGITAL FORENSICS
Appendix OBJECTIVES MAP: COMPTIA SECURITY+™
INDEX
Contents
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
PART I NETWORKING BASICS: HOW DO NETWORKS WORK?
Chapter 1 WORKSTATION NETWORK CONFIGURATION AND CONNECTIVITY
Lab 1.1: Network Workstation Client Configuration
Lab 1.1w: Windows Client Configuration
Lab 1.1l: Linux Client Configuration
Lab 1.1 Analysis Questions
Lab 1.1 Key Terms Quiz
Lab 1.2: Computer Name Resolution
Lab 1.2w: Name Resolution in Windows
Lab 1.2 Analysis Questions
Lab 1.2 Key Terms Quiz
Lab 1.3: IPv6 Basics
Lab 1.3w: Windows IPv6 Basics (netsh/ping6)
Lab 1.3 Analysis Questions
Lab 1.3 Key Terms Quiz
Chapter 2 NETWORK TRANSPORTS
Lab 2.1: Network Communication Analysis
Lab 2.1w: Network Communication Analysis in Windows
Lab 2.1 Analysis Questions
Lab 2.1 Key Terms Quiz
Lab 2.2: Port Connection Status
Lab 2.2w: Windows-Based Port Connection Status
Lab 2.2l: Linux-Based Port Connection Status
Lab 2.2 Analysis Questions
Lab 2.2 Key Terms Quiz
Chapter 3 NETWORK APPLICATIONS
Lab 3.1: FTP Communication (FTP-HTTP)
Lab 3.1w: Windows FTP Communication (FTP-HTTP)
Lab 3.1l: Linux FTP Communication (FTP-HTTP)
Lab 3.1 Analysis Questions
Lab 3.1 Key Terms Quiz
Lab 3.2: E-mail Protocols: SMTP and POP3
Lab 3.2m: Windows E-mail: SMTP and POP3
Lab 3.2l: Linux E-mail: SMTP and POP3
Lab 3.2 Analysis Questions
Lab 3.2 Key Terms Quiz
PART II VULNERABILITIES AND THREATS: HOW CAN SYSTEMS BE COMPROMISED?
Chapter 4 PENETRATION TESTING
Lab 4.1: IP Address and Port Scanning, Service Identity Determination
Lab 4.1w: Using Nmap in Windows
Lab 4.1 Analysis Questions
Lab 4.1 Key Terms Quiz
Lab 4.2: GUI-Based Vulnerability Scanners
Lab 4.2m: Using a Vulnerability Scanner (OpenVAS)
Lab 4.2 Analysis Questions
Lab 4.2 Key Terms Quiz
Lab 4.3: Researching System Vulnerabilities
Lab 4.3i: Researching System Vulnerabilities
Lab 4.3 Analysis Questions
Lab 4.3 Key Terms Quiz
Lab 4.4: Using Metasploit
Lab 4.4l: Using the Metasploit Framework
Lab 4.4 Analysis Questions
Lab 4.4 Key Terms Quiz
Lab 4.5: Password Cracking
Lab 4.5l: Password Cracking
Lab 4.5 Analysis Questions
Lab 4.5 Key Terms Quiz
Lab 4.6: Using Cobalt Strike
Lab 4.6l: Using Cobalt Strike
Lab 4.6 Analysis Questions
Lab 4.6 Key Terms Quiz
Chapter 5 ATTACKS AGAINST APPLICATIONS
Lab 5.1: Web SQL Injection
Lab 5.1li: Web SQL Injection in Linux
Lab 5.1 Analysis Questions
Lab 5.1 Key Terms Quiz
Lab 5.2: Web Browser Exploits
Lab 5.2m: Web Browser Exploits
Lab 5.2 Analysis Questions
Lab 5.2 Key Terms Quiz
Lab 5.3: E-mail System Exploits
Lab 5.3m: Exploiting E-mail Vulnerabilities in Windows
Lab 5.3 Analysis Questions
Lab 5.3 Key Terms Quiz
Chapter 6 MORE ATTACKS: TROJAN ATTACKS, MITM, STEGANOGRAPHY
Lab 6.1: Trojan Attacks
Lab 6.1w: Using the Dark Comet Trojan
Lab 6.1 Analysis Questions
Lab 6.1 Key Terms Quiz
Lab 6.2: Man-in-the-Middle Attack
Lab 6.2m: Man-in-the-Middle Attack
Lab 6.2 Analysis Questions
Lab 6.2 Key Terms Quiz
Lab 6.3: Steganography
Lab 6.3w: Steganography in Windows
Lab 6.3 Analysis Questions
Lab 6.3 Key Terms Quiz
PART III PREVENTION: HOW DO YOU PREVENT HARM TO NETWORKS?
Chapter 7 HARDENING THE HOST COMPUTER
Lab 7.1: Hardening the Operating System
Lab 7.1w: Hardening Windows 7
Lab 7.1 Analysis Questions
Lab 7.1 Key Terms Quiz
Lab 7.2: Using Antivirus Applications
Lab 7.2w: Antivirus in Windows
Lab 7.2 Analysis Questions
Lab 7.2 Key Terms Quiz
Lab 7.3: Using Firewalls
Lab 7.3l: Configuring a Personal Firewall in Linux
Lab 7.3 Analysis Questions
Lab 7.3 Key Terms Quiz
Chapter 8 SECURING NETWORK COMMUNICATIONS
Lab 8.1: Using GPG to Encrypt and Sign E-mail
Lab 8.1m: Using GPG in Windows
Lab 8.1 Analysis Questions
Lab 8.1 Key Terms Quiz
Lab 8.2: Using Secure Shell (SSH)
Lab 8.2l: Using Secure Shell in Linux
Lab 8.2m: Using Secure Shell in Windows
Lab 8.2 Analysis Questions
Lab 8.2 Key Terms Quiz
Lab 8.3: Using Secure Copy (SCP)
Lab 8.3l: Using Secure Copy in Linux
Lab 8.3m: Using Secure Copy in Windows
Lab 8.3 Analysis Questions
Lab 8.3 Key Terms Quiz
Lab 8.4: Using Certificates and SSL
Lab 8.4l: Using Certificates and SSL in Linux
Lab 8.4 Analysis Questions
Lab 8.4 Key Terms Quiz
Lab 8.5: Using IPsec
Lab 8.5w: Using IPsec in Windows
Lab 8.5 Analysis Questions
Lab 8.5 Key Terms Quiz
PART IV DETECTION AND RESPONSE: HOW DO YOU DETECT AND RESPOND TO ATTACKS?
Chapter 9 PREPARING FOR AND DETECTING ATTACKS
Lab 9.1: System Log Analysis
Lab 9.1w: Log Analysis in Windows
Lab 9.1l: Log Analysis in Linux
Lab 9.1 Analysis Questions
Lab 9.1 Key Terms Quiz
Lab 9.2: Intrusion Detection Systems
Lab 9.2l: Using a Network Intrusion Detection System (Snort) in Linux
Lab 9.2 Analysis Questions
Lab 9.2 Key Terms Quiz
Lab 9.3: Backing Up and Restoring Data
Lab 9.3w: Backing Up and Restoring Data in Windows
Lab 9.3l: Backing Up and Restoring Data in Linux
Lab 9.3 Analysis Questions
Lab 9.3 Key Terms Quiz
Lab 9.4: Using Honeypots
Lab 9.4w: Using Honeypots in Windows
Lab 9.4 Analysis Questions
Lab 9.4 Key Terms Quiz
Chapter 10 DIGITAL FORENSICS
Lab 10.1: Live Analysis: Incident Determination
Lab 10.1w: Live Analysis: Incident Determination in Windows
Lab 10.1 Analysis Questions
Lab 10.1 Key Terms Quiz
Lab 10.2: Acquiring the Data
Lab 10.2w: Acquiring the Data in Windows
Lab 10.2 Analysis Questions
Lab 10.2 Key Terms Quiz
Lab 10.3: Forensic Analysis
Lab 10.3l: Forensic Analysis in CAINE
Lab 10.3 Analysis Questions
Lab 10.3 Key Terms Quiz
Lab 10.4: Remote Image Capture
Lab 10.4l: Remote Forensic Image Capture Over a Network
Lab 10.4 Analysis Questions
Lab 10.4 Key Terms Quiz
Appendix OBJECTIVES MAP: COMPTIA SECURITY+™
INDEX
Foreword
In a cyber environment of hackers, attackers, and malefactors, defending and securing computer systems and performing forensic analysis make up an increasingly important set of skills. Between script kiddies and experts, the defenders will always be outnumbered. Every time you detect a system attack, someone ought to do something. The underlying problem is that to some extent, each attack is unique but shares characteristics with other attacks—how are we to learn?
There are actually two forewords to this book. One is for the advanced learner who is already battle-hardened through many courses, while the other is for the aspiring practitioner who is learning the art of securing systems.
For the Advanced Student
You might ask, why in the world should I use this book? I have listened intently in all my classes, and I certainly know about hardware, software, operating systems, computers, security, networks, and the myriad things that can go wrong. Right?
Nevertheless, how often do you have a chance to practice making things right? Sometimes there have been limited chances to do something hands on. You do not want your first hands-on practice to start right after the phone rings at 3 a.m. Something has happened, and from what you can tell from the panicked user, it means the end of the world as he knows it. So, you grab a cup of coffee and head into battle with the unknown.
Like most students, you know the theory of solving security problems, but you have little practice solving real problems.
As an advanced student, you are about to become a warrior in an ongoing cyberwar. There is an old adage—warriors fight only as well as they train. Well-trained warriors will prevail even when presented with a problem they have never encountered directly. A colleague of mine told me about an incident while he was in the Navy that required the crew to confront an unanticipated life-threatening situation. Their training made the difference. As professionals, we must train so that our actions are fluid and well practiced. If we are lucky, we have learned a kata (a form) from a well-seasoned sensei (teacher) who understands that in computer security each crisis is entirely new. This book allows you to practice your art without risking critical systems. It helps you improve your kata, and it helps you nurture aspiring practitioners. It will help make you a professional.
For the Aspiring Practitioner
Years ago, a student of mine told me that he was a member of the Screen Actors Guild (SAG) union. I was impressed, and I asked him how he had gotten in. He laughed and told me that it was tricky. You could get a union card only if you had been in a professional performance, and the only way you could get a job in a professional performance was to have a union card. Well, to some extent, computer security presents a similar problem. The only way to get a computer security job is to have experience; the only way to get experience is to have a job. This book helps solve that problem: You gain real knowledge and experience through real-world learning scenarios.
Learning How to Defend
No matter your level of expertise, you will be able to practice the skills you need by learning about how systems work, system vulnerabilities, system threats, attack detection, attack response/defense, and attack prevention.
Using a flexible approach, you will be learning practical skills associated with the following items:
If you are an expert or you are just aspiring to know more about computer security, this book is a practical assistant that lets you practice, practice, practice. It can accompany any textbook or resource you want. The principles used are the essentials of the profession expressed in a hands-on environment.
—Corey D. Schou, PhD, Series Editor
Acknowledgments
I would like to give special thanks to Brian Hay and Kara Nance of the University of Alaska Fairbanks for their support and for the use of the RAVE labs for the testing and development of this manual. Thank you to Tony Coulson and Jake Zhu for their continued support of my professional development and career path. To Greg Frey and Elizabeth Grimes, for your tireless dedication and attention to detail. Special thanks to Dr. Corey Schou. Ten years ago, you took the time and interest in what I had to share. You have helped me in no small way to make it further along my path. I am grateful for your kindness and generosity with your expertise.
—Vincent Nestler
Testing and Review
Many hours were spent testing and tweaking the exercises in this manual. Thank you to the testers and reviewers, who contributed insightful reviews, criticisms, and helpful suggestions that continue to shape this book.
• Greg Frey
• Elizabeth Grimes
• Andrew Vasquez
• Blake Nelson
• Malcolm Reed
• Brendan Higgins
• Kurt E. Webber
Introduction
I hear and I forget. I see and I remember. I do and I understand.
—Confucius
The success of a learning endeavor rests on several factors including the complexity of the material and the level of direct involvement on the part of the student. It takes more than passive attendance at a lecture to learn most complex subjects. Truly learning and understanding all the elements of a complex issue requires exploration that comes from more intimate involvement with the material.
Computer security is a complex subject with many composite domains, overlapping principles, and highly specific, detailed technical aspects. Developing skilled professionals in computer security requires that several components be addressed, namely, technical and principle-based knowledge, coupled with practical experience using that knowledge in operational situations. This book is designed to assist in simulating the practical experience portion of the knowledge base of computer security.
This book is not a stand-alone reference designed to cover all aspects of computer security but is intended as a resource to put the principles of computer security into practice. It contains labs suitable for students ranging from novices to more advanced security experts. It can be used in conjunction with many computer security books; however, it has been tailored to accompany McGraw-Hill Education’s Principles of Computer Security, Fourth Edition, with cross-references provided after each lab. Together, in a well-balanced curriculum, these two books provide a foundation for understanding basic computer security concepts and skills.
Pedagogical Design
This book is laid out in four sections, each corresponding to a question associated with the natural progression of inquiry for securing just about anything. These questions act as a structured framework designed to build upon each previous section as you strive to develop a hands-on understanding of computer security principles. The questions are as follows:
• How does the system work?
• How is the system vulnerable, and what are the threats?
• How do you prevent harm to the system?
• How do you detect and respond to attacks on the system?
These four questions build upon one another. First, it is important to understand how a system works before you can see the vulnerabilities it has. After studying the vulnerabilities and the threats that act upon them, you must look to the methods for preventing harm to the system. Lastly, even in the most secure environments, you must prepare for the worst and ask how you can detect attacks and how you should respond to them.
These four questions are key questions for students to learn. They are arguably more important than the content itself. Technology will change, and the content will change, but the thought process will remain the same.
Lab Exercise Design
This lab manual is specifically designed to allow flexibility on the part of instructors. There is flexibility in regard to equipment and setup because the labs can be performed on a Windows, Linux, or Mac platform with the use of virtual machines. There is flexibility in regard to equipment quantity because both stand-alone networks and virtual networks can be employed. Lastly, there is flexibility in lab selection because it is not expected that every lab will be employed; rather, a selection of appropriate labs may be taken to support specific concepts.
The lab exercises are designed to teach skills and concepts in computer and network security. Several features of each lab allow for flexibility while not losing focus on important concepts. These features are as follows.
Labs Written for Windows and Linux
Many lab exercises are written for both Windows and Linux operating systems. This not only allows students to work in the operating system with which they are familiar but also helps bridge the gap in understanding how each operating system works.
Each Lab Exercise Stands Alone
While the labs build upon one another in terms of content and skills covered, they stand alone with respect to configuration and settings. This allows for maximum flexibility in relation to the sequence and repetition of labs.
Labs Are Presented in Progressive Sequence
While the lab manual is broken down into four sections, each section is further broken down into chapters that divide the content into logical groupings. This will help students new to network security develop their knowledge and awareness of the skills and concepts in a progressive manner.
Labs Can Be Done in Sequence by Topic
Not only are the lab exercises grouped by content according to the four questions, but references to later lab exercises that relate to the current one are included. For example, you may want to perform the lab exercises pertaining to e-mail. You could do the “E-mail Protocols: SMTP and POP3” lab from Part I, which demonstrates the use of e-mail; the “E-mail System Exploits” lab from Part II, which demonstrates a vulnerability of e-mail; the “Using GPG to Encrypt and Sign E-mail” lab from Part III, which demonstrates encrypted e-mail; and the “System Log Analysis” lab from Part IV, which can be used to reveal attacks on an e-mail server.
Most Lab Exercises Have Suggestions for Further Study
At the end of each lab there are suggestions for further investigation. These sections point the student in the right direction to discover more. For the student who is advanced and completes labs ahead of time, these suggested labs offer a challenge, though they need not be required for other students.
The Introduction of Challenges
In this edition, an additional virtual machine has been added that has a network monitoring tool on it called Nagios. The Nagios machine has been configured to check for certain configurations of the machines used for the lab exercises. On the Nagios interface, the challenges are listed and will show up in red. When a challenge is completed successfully, it changes to green. We have provided instructions for the challenge machine and a list of challenges on the instructor’s Online Learning Center. Instructors may choose to use this challenge machine at their discretion.
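Nagios drives that red/green display by periodically running a check plugin for each monitored item and colouring the item by the plugin's exit status (0 = OK, shown green; 2 = CRITICAL, shown red). The following is an added example, not the book's challenge configuration or Nagios's own code: a hypothetical POSIX-shell check for one plausible challenge, written to the standard Nagios plugin exit-code convention. The specific challenge (hardening sshd_config), the directives tested and the two sample configuration files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a Nagios-style check plugin of the kind a challenge machine such as
# the one described above could run. Illustrative code, not the book's own challenge
# configuration; the sshd hardening check and the config paths are assumptions.
#
# Nagios plugin convention: print one status line on stdout and exit with
#   0 = OK (shown green), 1 = WARNING, 2 = CRITICAL (shown red), 3 = UNKNOWN.
# A challenge "turns green" once its plugin starts returning 0.

# Print the last effective value of an sshd_config directive. Later lines win,
# the keyword match is case-insensitive, comments and blank lines are ignored.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { value = $2 }
        END { print value }' "$1"
}

# Challenge (assumed): "Disable SSH root login and password authentication."
# Usage: challenge_sshd_hardened /etc/ssh/sshd_config
challenge_sshd_hardened() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "UNKNOWN - cannot read $cfg"
        return 3
    fi
    failures=""
    for directive in PermitRootLogin PasswordAuthentication; do
        value=$(sshd_directive "$cfg" "$directive")
        # An absent directive falls back to sshd's compiled-in default, which is
        # not "no" for either keyword, so "unset" does not satisfy the challenge.
        case "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" in
            no) ;;
            *)  failures="$failures $directive=${value:-unset}" ;;
        esac
    done
    if [ -n "$failures" ]; then
        echo "CRITICAL - not hardened:$failures"
        return 2
    fi
    echo "OK - root login and password authentication disabled"
    return 0
}

# Demonstration on two constructed configs (sample input, not real lab files).
demo() {
    weak=$(mktemp) && printf 'PermitRootLogin yes\n#PasswordAuthentication no\n' > "$weak"
    good=$(mktemp) && printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$good"
    for f in "$weak" "$good"; do
        challenge_sshd_hardened "$f"
        echo "  -> exit status $?"
    done
    rm -f "$weak" "$good"
}
demo
```

Registered as a command in Nagios and run against the lab server over the monitoring channel, a plugin like this reports CRITICAL (red) until the student edits the server's sshd_config and the check returns OK (green); the commented-out directive in the "weak" sample is deliberately ignored, which is the mistake students most often make when a challenge stays red.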
The Use of Virtual Machines
The exercises in this manual were built with the expectation of using virtual machine technology. A network-based virtual machine solution in many ways is even better. The following are some of the reasons for using virtual machines:
• Easy deployment: Once the virtual machines are created, they can be moved or copied as necessary to other machines or a central location.
• Can be done on PC, Linux, or Mac platform: As long as you meet the minimum resource and software requirements, the labs can be done on a PC, Linux, or Mac platform. If you are using a network-based solution, environments can be accessed with a browser.
• One student, multiple machines: Instead of having one student to one machine, or in some cases multiple students to one machine, you can now flip that condition and have multiple machines to one student. Each student can now be responsible for the entire network. This increases the amount of depth and complexity of exercises that can be implemented.
• Labs are portable—laptops and browsers: The use of virtual machines gives you the added benefit of having a network security lab on your laptop. This means the student does not necessarily have to go to the lab to do the exercises; you can take the lab with you wherever you go. If you have a network-based solution, you can simply access the environment with a browser.
• Easy rollback: When properly configured, at the end of each lab exercise there is no need to uninstall or re-image computers. All that is needed is to exit the virtual machine without saving the changes. If the virtual hard drive has been modified, restoring the original file is a simple process.
• Unlimited potential for further experimentation: Unlike a simulation, each virtual machine is using the actual operating systems and as such can be used to develop new techniques and test other security concepts and software with relatively little difficulty.
Instructor and Student Online Learning Center For instructor and student resources, check out the Online Learning Center:
www.mhprofessional.com/PrinciplesSecurity4e
Additional Resources for Students The Student Center on the Online Learning Center features information about the book’s authors, table of contents, and key features, as well as an electronic sample chapter.
Additional Resources for Teachers The security lab setup instructions, virtual machines, and solutions to the lab manual questions and activities in this book are provided—along with the resources for teachers using Principles of Computer Security, Fourth Edition—via the Online Learning Center. The material follows the organization of Principles of Computer Security, Fourth Edition.
Security Lab Setup All lab exercises have a letter designation of w, l, m, or i. The “w” labs are Windows-based exercises, the “l” labs are Linux-based exercises, and the “m” labs are mixed Windows and Linux exercises. Labs with the w, l, or m designation are intended to be performed on a closed network or virtual PC. The “i” labs are labs that need to be performed on a computer with Internet access. See Figure 1.
FIGURE 1 Lab setup diagram
• The “w” labs These labs involve a Windows 7 Professional PC and a Windows 2008 Server. In general, the Windows 7 PC will be the attacker, and the server will be the defender.
• The “l” labs These labs involve a Kali Linux and Metasploitable-2 version of Linux. One will be configured as a client (Kali) and one as a server (Metasploitable-2). In general, the Linux client will be the attacker, and the server will be the defender.
• The “m” labs These labs will involve a combination of Windows and Linux PCs. The Linux PC is used as an SSH and mail server.
• The “i” labs These labs involve a host PC that has Internet access. While most exercises are designed not to require Internet access, a few have been added to allow the student to do research on various topics.
Note that all computers are configured with weak passwords intentionally. This is for ease of lab use and to demonstrate the hazards of weak passwords. Creating and using more robust passwords is covered in Part III.
Security Lab Requirements and Instructions You can find the requirements for the security lab setup and access to the virtual machines on the instructor’s Online Learning Center at www.mhprofessional.com/PrinciplesSecurity4e. Once you have downloaded the virtual machine files, please refer to the documentation of the virtual environment you will be using (VMware, VirtualPC, Virtual Box, and so on) on how to import the machines.
Note
As many vendors improve their software, the availability of the versions used in this book may no longer be available. As such, a few lab exercises may not work exactly as written but should still work in general. For updates and other information, please visit the Online Learning Center at www.mhprofessional.com/PrinciplesSecurity4e.
PART I Networking Basics: How Do Networks Work?
Know thyself.
—Oracle at Delphi
Securing a network can be a tricky business, and there are many issues to consider. We must be aware of the vulnerabilities that exist and their corresponding threats and then estimate the probability of the threat acting upon the vulnerability. Measures are implemented to mitigate, avoid, or transfer risk. However, regardless of the effort to minimize risk, there is always the possibility of harm to our information, so we must develop plans for dealing with a possible compromise of our network. Yet before we can really protect our network from attackers, we must first know our network and, ideally, know it better than they do. Hence, we need to learn about what the network does and how it does it so we can develop an understanding of our network’s abilities and limitations. Only then can we truly see our network’s vulnerabilities and do what is necessary to guard them. We cannot secure our network if we do not know how it works.
Part I will demonstrate how devices communicate on a local area connection and cover IP addressing, routing, the three-way handshake, and some of the basic network applications. It will also introduce tools that will be used throughout the remainder of the book, such as ping, arp, nslookup, and Wireshark.
This part is divided into three chapters that will discuss the different aspects of the TCP/IP protocol stack. Chapter 1 will cover exercises relating to the network access and Internet layer, Chapter 2 will deal with the transport layer, and Chapter 3 will discuss the application layer. As you go through the labs in this part, you should be constantly asking yourself one question: How is this network vulnerable to attack, and how can it be exploited? It might seem strange to think about how something can be broken when you are learning about how it works, but this is a good opportunity for you to start thinking the way an attacker thinks.
This part will also prepare you for the labs that are to come in Part II.
Chapter 1 Workstation Network Configuration and Connectivity
Labs
• Lab 1.1 Network Workstation Client Configuration
Lab 1.1w Windows Client Configuration
Lab 1.1l Linux Client Configuration
Lab 1.1 Analysis Questions
Lab 1.1 Key Terms Quiz
• Lab 1.2 Computer Name Resolution
Lab 1.2w Name Resolution in Windows
Lab 1.2 Analysis Questions
Lab 1.2 Key Terms Quiz
• Lab 1.3 IPv6 Basics
Lab 1.3w Windows IPv6 Basics (netsh/ping6)
Lab 1.3 Analysis Questions
Lab 1.3 Key Terms Quiz
This chapter contains lab exercises designed to illustrate the various commands and methods used to establish workstation connectivity in a network based on Transmission Control Protocol/Internet Protocol (TCP/IP). The chapter covers the basics necessary to achieve and monitor connectivity in a networking environment, using both Windows PCs and Linux-based PCs. In this chapter, you will be introduced to some basic commands and tools that will enable you to manipulate and monitor the network settings on a workstation. This is necessary as a first step toward learning how to secure connections.
The chapter consists of basic lab exercises that are designed to provide a foundation in network connectivity and tools. In later chapters of this book, you will use the skills from these lab exercises to perform functions that are necessary to secure a network from attack and investigate current conditions. Built upon the premise that one learns to crawl before walking and to walk before running, this chapter represents the crawling stage. Although basic in nature, this chapter is important because it provides the skills needed to “walk” and “run” in later stages of development.
Depending on your lab setup and other factors, you won’t necessarily be performing all the lab exercises presented in this book. Therefore, to help you identify which lab exercises are relevant for you, each lab exercise number is appended with a letter: “w” labs are built using the Windows environment; “l” labs are built using the Linux environment; “m” labs are built using a combination of Windows and Linux; and “i” labs require an Internet connection.
Lab 1.1: Network Workstation Client Configuration For two computers to communicate in a TCP/IPv4 network (IPv6 is discussed later, in Lab 1.3), both computers must have a unique Internet Protocol (IP) address. An IP address has four octets. The IP address is divided into a network address and a host address. The subnet mask identifies which portion of the IP address is the network address and which portion is the host address. On a local area network (LAN), each computer must have the same network address and a different host address. To communicate outside the LAN, using different network IP addresses, a default gateway is required. To connect to a TCP/IP network, normally four items are configured: the IP address (this is both the network portion and the host portion), the subnet mask, the IP address for a Domain Name System (DNS) server, and the IP address for the gateway machine. To communicate within a LAN only, you need the IP address and subnet mask. To communicate with other networks, you need the default gateway. If you want to be able to connect to different sites and networks using their domain names, then you need to have the address of a DNS server as well.
When communicating between machines on different networks, packets are sent via the default gateway on the way into and out of the LAN. The routing is done using (Layer 3) IP addresses. If the computer is on the same network, then the IP address gets resolved to a (Layer 2) Media Access Control (MAC) address to communicate with the computer. MAC addresses are hard-coded onto the Ethernet card by the company that made the card.
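The network/host split and the "deliver directly or hand to the gateway" decision described above, worked through in Python with the standard ipaddress module. This is an added example, not code from the manual; it uses the lab's 192.168.100.0/24 addresses plus a constructed gateway address and an off-LAN destination (10.0.0.5) for illustration.

```python
import ipaddress
from typing import Optional

# Lab-style values: the manual's 192.168.100.0/24 network. The gateway and the
# 10.0.0.5 destination are constructed for illustration (the lab network itself
# has no default gateway configured).
LOCAL_IP = "192.168.100.101"
NETMASK = "255.255.255.0"
GATEWAY = "192.168.100.1"


def split_address(ip: str, mask: str) -> dict:
    """Apply the subnet mask to an IP address and return its network and host portions."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    return {
        "network": str(net.network_address),                # bits kept by the mask
        "prefix": net.prefixlen,                             # 255.255.255.0 -> /24
        "host_portion": int(iface.ip) & int(net.hostmask),  # bits cleared by the mask
        "broadcast": str(net.broadcast_address),
    }


def next_hop(local_ip: str, mask: str, dest: str, gateway: Optional[str]) -> dict:
    """Decide where a packet to `dest` goes and which address ARP must resolve.

    Same network address  -> deliver directly; ARP resolves dest's own MAC.
    Different network     -> hand to the default gateway; ARP resolves the gateway's MAC.
    No gateway configured -> the packet cannot leave the LAN (the Lab 1.1l situation).
    """
    net = ipaddress.IPv4Interface(f"{local_ip}/{mask}").network
    if ipaddress.IPv4Address(dest) in net:
        return {"reachable": True, "via": "direct", "arp_target": dest}
    if gateway is None:
        return {"reachable": False, "via": "no default gateway", "arp_target": None}
    return {"reachable": True, "via": "gateway", "arp_target": gateway}


def same_lan(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses share the same network address under `mask`."""
    return split_address(ip_a, mask)["network"] == split_address(ip_b, mask)["network"]


if __name__ == "__main__":
    print(split_address(LOCAL_IP, NETMASK))
    for dest in ("192.168.100.102", "10.0.0.5"):
        print(dest, next_hop(LOCAL_IP, NETMASK, dest, None))
        print(dest, next_hop(LOCAL_IP, NETMASK, dest, GATEWAY))
    # A wrong mask silently splits the lab network: .101 and .202 no longer share a LAN.
    print(same_lan("192.168.100.101", "192.168.100.202", "255.255.255.128"))
```

The last call shows the misconfiguration a troubleshooter looks for first: with a /25 mask the two lab hosts end up on different network addresses and ARP is never attempted for the peer.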
The ability to retrieve and change your IP configuration is an important skill. In this lab, you will use the ipconfig command in Windows and the ifconfig command in Linux to view the configuration
information. You will then use the Local Area Connection Properties window to change the IP address in Windows and use ifconfig to change the IP address in Linux.
Computers use both MAC and IP addresses to communicate with one another across networks. In this lab, two computers will “talk” to each other via ping messages. You will then modify the Address Resolution Protocol (ARP) table of one computer to demonstrate the relationship between the IP and MAC addresses for a machine.
The ping (Packet Internet Groper) program is a basic utility that is used for testing the connectivity between two computers. This message name was derived from the sound that sonar on a submarine makes and is used in a similar way. A “signal” or request is sent out to probe for the existence of the target along a fixed “distance.” The distance between two computers can be measured using time to live (TTL). The TTL is decremented by at least one for each router it passes through, also known as a hand-off point (HOP). It may be decremented by more than one if the router holds on to it for more than one second, which is rarely the case. Ping operates using Internet Control Message Protocol (ICMP) to test for connectivity; so, in cases where ICMP is restricted, the ping utility may not be useful. Ping is usually implemented using ICMP echo messages, although other alternatives exist.
When you use the ping command in this lab, you will see that although you are using the IP address as the target of the ping, it is actually the MAC address that is used to communicate with that computer. IP addresses are used to transfer data from one network to another, whereas MAC addresses are used to send information from one device to another on the same network. It is ARP that resolves IP addresses to their associated MAC addresses. ARP is the TCP/IP protocol that performs this resolution, and its results are stored in the ARP cache, which contains recently resolved MAC addresses of IP hosts on the network. The utility used to view and modify the ARP cache is also called arp.
As you progress through the labs, you will see how a computer obtains both MAC addresses and IP addresses in order to communicate. This is the question you should be considering: How does the computer know that the information it is getting is correct?
Learning Objectives After completing this lab, you will be able to
• Retrieve IP address configuration information via the command line
• List the switches that can be added to the ipconfig (Windows) or ifconfig (Linux) command to increase its functionality
• Use the Windows graphical user interface (GUI) to configure a network card to use a given IP address
• Determine your machine’s MAC address
• Determine your machine’s assigned network resources, including its DNS address and gateway address
• Use the ifconfig (Linux) command to configure a network card with a given IP address
• Understand how to test network connectivity between two computers
• List the options that can be added to the ping command to increase its functionality
• Use the arp command to view and manage the ARP cache on a computer
10 MINUTES
Lab 1.1w: Windows Client Configuration
Materials and Setup You will need the following:
• Windows 7
• Windows 2008 Server
Lab Steps at a Glance
Step 1: Start the Windows 2008 Server and Windows 7 PCs. Log on only to the Windows 7 machine.
Step 2: View the network card configuration using the ipconfig command.
Step 3: Change the IP address of the Windows 7 machine.
Step 4: Verify the new IP address. Use the ipconfig command to verify that the IP address has changed.
Step 5: Change the IP address of the Windows 7 machine back to the original address.
Step 6: Ping the Windows 2008 Server machine from the Windows 7 PC.
Step 7: View and modify the ARP table.
Step 8: Log off from the Windows 7 PC.
Lab Steps
Step 1: Start the Windows 2008 Server and Windows 7 PCs. Log on only to the Windows 7 machine.
To log on to the Windows 7 PC, follow these steps:
1. At the Login screen, click the Admin icon.
2. In the password text box, type the password adminpass and press ENTER.
Step 2: View the network card configuration using the ipconfig command. On the Windows 7 PC, you will view the network card configuration using ipconfig. This utility allows administrators to view and modify network card settings.
1. To open the command prompt, click Start; in the Search Programs And Files box, type cmd and then press ENTER.
2. At the command prompt, type ipconfig /? and press ENTER.
a. Observe the options available for ipconfig. You may have to scroll up to see all of the information.
b. Which options do you think would be most useful for an administrator?
c. Which option would you use to obtain an IP configuration from a Dynamic Host Configuration Protocol (DHCP) server?
3. Type ipconfig and press ENTER, as shown in Figure 1-1.
a. What is your IP address?
b. What is your subnet mask?
4. Type ipconfig /all and press ENTER.
a. Observe the new information.
b. What is the MAC address (physical address) of your computer?
c. What is your DNS server address?
5. Type exit and press ENTER.
FIGURE 1-1 The ipconfig command
Step 3: Change the IP address of the Windows 7 machine.
You will access the Local Area Connection Properties dialog box and change the host portion of the IP address.
1. Click Start | Control Panel | Network and Internet | Network and Sharing Center.
2. Click Change adapter settings.
3. Right-click Local Area Connection and select Properties.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
5. In the IP Address text box, you will see the IP address 192.168.100.101, as shown in Figure 1-2. Change the last octet (101) to 110.
6. Click OK.
7. In the Local Area Connection Properties window, click Close.
8. Click Close to close the Network Connections window.
FIGURE 1-2 The Internet Protocol (TCP/IP) Properties window
Step 4: Verify the new IP address. Use the ipconfig command to verify that the IP address has changed.
1. To open the command prompt, click Start; in the Search Programs And Files box, type cmd and then press ENTER.
2. Type ipconfig and press ENTER.
3. Observe that your IP address has changed.
4. Type exit and press ENTER.
Step 5: Change the IP address of the Windows 7 machine back to the original address.
1. Click Start | Control Panel | Network and Internet | Network and Sharing Center.
2. Click Change Adapter Settings.
3. Right-click Local Area Connection and select Properties.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
5. In the IP Address text box, you will see the IP address 192.168.100.110. Change the last octet (110) to 101 as shown in Figure 1-2.
6. Click OK.
7. In the Local Area Connection Properties window, click Close.
8. Click Close to close the Network Connections window.
Step 6: Ping the Windows 2008 Server machine from the Windows 7 PC.
1. On the Windows 7 PC, click Start; in the Search Programs And Files box, type cmd and then press ENTER.
2. To view the ping help file, type ping /? at the command line and then press ENTER.
3. To ping the IP address of the Windows 2008 Server computer, type ping 192.168.100.102 at the command line and press ENTER, as shown in Figure 1-3.
a. Observe the information displayed.
b. What is the time value observed for all four replies?
c. What is the TTL observed?
d. What does this number refer to?
e. How can you be sure that this response is actually coming from the correct computer?
FIGURE 1-3 The ping command in Windows
Step 7: View and modify the ARP table. At the Windows 7 machine, you are now going to view the ARP cache, using the arp utility.
1. Close the current Command Prompt window.
2. Select Start | All Programs | Accessories and then right-click Command Prompt.
3. Click Run as administrator.
4. In the User Account Control dialog box, click Yes.
5. At the command line, type arp /? and press ENTER.
a. Observe the options for this command.
b. Which command displays the current ARP entries?
Tip
When you need to type the same command several times with only slight changes, pressing the UP ARROW key will show the previous command you just typed. You can then modify the command easily with the new options.
6. At the command line, type arp -a and press ENTER.
7. Observe the entry. Notice that the MAC address for the Windows 2008 Server machine is listed.
8. At the command line, type arp -d and press ENTER. (The -d option deletes the ARP cache.)
9. Observe the entries. (Do not worry if no entries are listed; you are simply deleting what is in the ARP cache.)
10. At the command line, type arp -a and press ENTER, as shown in Figure 1-4.
11. Observe that the ARP cache now has no entries.
12. At the command line, type ping 192.168.100.102 and press ENTER.
13. At the command line, type arp -a and press ENTER.
a. Observe any entry. Notice that the MAC address is once again listed.
b. How does using the ping utility cause the machine’s MAC address to be populated in the ARP cache? (This is explored in “Lab 2.1, Network Communication Analysis,” in Chapter 2.)
c. How can you be sure that this is actually the correct MAC address for the computer?
FIGURE 1-4 The arp command in Windows
Step 8: Log off from the Windows 7 PC. At the Windows 7 PC, follow these steps:
1. Choose Start | Shutdown arrow | Log off.
2. In the Log Off Windows dialog box, click Log Off.
10 MINUTES
Lab 1.1l: Linux Client Configuration
Materials and Setup
You will need the following:
• Kali
• Metasploitable
Lab Steps at a Glance
Step 1: Start the Kali and Metasploitable PCs. Log on only to the Kali PC.
Step 2: View the network card configuration using ifconfig.
Step 3: Use the cat command to view the file resolv.conf to determine the DNS address.
Step 4: Use the netstat -nr command to determine the gateway router address.
Step 5: Use the ifconfig command to change the network configuration for a machine.
Step 6: View the ARP table.
Step 7: Ping the Metasploitable machine by IP address and view the cache.
Step 8: Modify the ARP cache and view the ARP cache again.
Step 9: Log off from the Kali PC.
Lab Steps
Step 1: Start the Kali and Metasploitable PCs. Log on only to the Kali PC. To log on to the Kali PC, follow these steps:
1. At the login screen, click Other.
2. In the Username text box, type root and press ENTER.
3. In the Password text box, type toor and press ENTER.
Step 2: View the network card configuration using ifconfig.
1. Click the Terminal icon in the menu bar at the top.
2. At the command line, type ifconfig -h and press ENTER. (The information may scroll off the screen. To see the text, hold the SHIFT key down and press PAGEUP.)
3. Observe the different options that can be used.
Tip
For many commands in Linux, you can type the command and the -h option (help) to get information about the command. To get more detailed information, you can use the manual command by typing man followed by the command name (for example, man ifconfig) and pressing ENTER. To exit the man program, type q.
Here is how you can utilize this command:
4. At the command line, type man ifconfig and press ENTER.
5. Use the UP ARROW and DOWN ARROW keys to scroll through the man page.
6. When you are done looking at the man page, press q to exit.
Tip
When you need to type the same command several times with only slight changes, pressing the UP ARROW key will show the previous command you just typed. You can then modify the command easily with the new options.
7. At the command line, type ifconfig and press ENTER.
a. Observe the information displayed.
b. How does Linux refer to the IP address? What is your IP address?
c. How does Linux refer to the subnet mask? What is your subnet mask?
Step 3: Use the cat command to view the file resolv.conf to determine the DNS address.
1. At the command line, type cat /etc/resolv.conf and press ENTER.
a. Observe the information displayed.
b. What is your DNS server address?
Step 4: Use the netstat -nr command to determine the gateway router address.
1. At the command line, type netstat -nr and press ENTER. Observe the information displayed.
Note that a default gateway is not configured. One is not needed since all the machines for the lab exercises will communicate only on the 192.168.100.0 network. If traffic needs to go to a network other than 192.168.100.0, a default gateway is needed.
Step 5: Use the ifconfig command to change the network configuration for a machine.
1. At the command line, type ifconfig eth0 192.168.100.210 and press ENTER.
2. At the command line, type ifconfig and press ENTER. Did your IP address change?
3. At the command line, type ifconfig eth0 192.168.100.201 and press ENTER.
4. At the command line, type ifconfig and press ENTER. Did your IP address change?
Tip
Using the ifconfig command to change your IP address this way makes the change only temporary. When the machine is rebooted, it will revert to the configuration set in the /etc/network/interfaces file. To make a permanent change, you need to modify that file with a text editor.
Step 6: View the ARP table. Working at the Kali machine, you are now going to view the ARP table using the arp utility.
1. At the command line, type arp -h and press ENTER.
2. Observe the options for this command.
3. At the command line, type arp -an and press ENTER.
a. What do the options a and n do?
b. Do you have any entries?
Step 7: Ping the Metasploitable machine by IP address and view the cache. From the Kali PC, you are going to use the ping utility to communicate with the Metasploitable server machine.
1. At the command line, type ping 192.168.100.202 and press ENTER.
a. Notice that the ping replies will continue until you stop them. Press CTRL-C to stop the replies, as shown in Figure 1-5.
b. Observe the information displayed.
c. What is icmp_req?
d. Notice the time the first reply took compared with the rest of the replies. Was there a significant difference? If so, why?
e. How can you be sure that this response is actually coming from the correct computer?
2. At the command line, type arp -an and press ENTER.
3. Observe the entry. Notice that the MAC address for the Metasploitable machine is listed.
FIGURE 1-5 The ping command in Linux
Step 8: Modify the ARP cache and view the ARP cache again.
1. At the command line, type arp -d 192.168.100.202 and press ENTER.
2. Observe the entries. (If you do not see an entry, do not worry; we are simply deleting what is in the ARP cache.)
3. At the command line, type arp -an and press ENTER, as shown in Figure 1-6.
4. Observe that the ARP cache now has no MAC addresses.
5. At the command line, type ping 192.168.100.202 and press ENTER. Press CTRL-C to stop the replies.
6. At the command line, type arp -an and press ENTER.
a. Observe the entry. Notice that the MAC address is once again listed.
b. How does pinging the machine cause its MAC address to be populated in the ARP cache? (This is explored in “Lab 2.1, Network Communication Analysis,” in the next chapter.)
c. How can you be sure that this is actually the correct MAC address for the computer?
FIGURE 1-6 The arp command in Linux
Step 9: Log off from the Kali PC.
1. In the upper-right corner, click root | Shutdown.
2. In the Shut Down This System Now? dialog box, click Shut Down.
Note
The ARP protocol and implementation are based on a simple trusting characteristic. This aids in the implementation but adds a problematic weakness: ARP is totally trusting and believes everything even if it never requested it.
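Because ARP accepts any answer it hears, the labs keep asking how you know a cached MAC address is the right one. One defensive answer is to compare the cache against a baseline recorded in a known-good state and to flag one MAC answering for several IP addresses. The checker below is an added example, not part of the manual: the arp output and all MAC addresses in it are constructed, and it reads both the Windows arp -a and the Linux arp -an formats used in Lab 1.1.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample output in the two formats seen in Lab 1.1; the MACs are made up.
WINDOWS_ARP = """\
Interface: 192.168.100.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.102       00-0c-29-aa-bb-01     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
"""

LINUX_ARP = """\
? (192.168.100.202) at 00:0c:29:aa:bb:02 [ether] on eth0
? (192.168.100.1) at 00:0c:29:aa:bb:02 [ether] on eth0
"""

# Baseline recorded earlier from a trusted state (constructed values).
BASELINE = {
    "192.168.100.102": "00:0c:29:aa:bb:01",
    "192.168.100.202": "00:0c:29:aa:bb:99",
}

# One pattern covers "192.168.100.102  00-0c-29-..." and "? (192.168.100.202) at 00:0c:29:...".
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)


def normalize_mac(mac: str) -> str:
    """Windows prints 00-0c-29-..., Linux 00:0c:29:...; compare them in one form."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from arp output, skipping the broadcast and multicast entries."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # header, interface line, incomplete entry, or blank
        mac = normalize_mac(m.group("mac"))
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        entries[m.group("ip")] = mac
    return entries


def check_arp_table(entries: Dict[str, str], baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs worth investigating.

    "mismatch":   a host's cached MAC differs from the recorded baseline.
    "shared_mac": one MAC answers for several IPs. A router may legitimately do
                  this, but it is also what a poisoned cache looks like, so it
                  should be explained rather than ignored.
    """
    findings = []
    for ip, mac in sorted(entries.items()):
        expected = baseline.get(ip)
        if expected and normalize_mac(expected) != mac:
            findings.append(("mismatch", f"{ip}: baseline {expected}, cache {mac}"))
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared_mac", f"{mac}: {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    for name, text in (("windows", WINDOWS_ARP), ("linux", LINUX_ARP)):
        table = parse_arp_table(text)
        print(name, table)
        for finding in check_arp_table(table, BASELINE):
            print("  ", *finding)
```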
Lab 1.1 Analysis Questions The following questions apply to the labs in this section:
1. You have been called in to troubleshoot a client’s computer, which is unable to connect to the local area network. What command would you use to check the configuration? What information would you look for?
2. You have been called in to troubleshoot a client’s computer, which is able to connect to the local area network but unable to connect to any other network. What command would you use to check the configuration? What information would you look for?
3. If you needed to obtain a user’s MAC address as well as the user’s network configuration information, what command and switch would you enter?
4. To use the Windows GUI utility to adjust IP settings, including DNS and gateway information, what steps would you take?
5. You have just pinged a remote computer. You would now like to retrieve the MAC address of the remote computer locally. How would you obtain the remote computer’s MAC address?
6. You are about to run some network traffic analysis tests. You need to clear your ARP cache. How would you go about performing this task (for Windows and Linux)?
7. What information does ping return to the user?
8. How does a computer ensure that the replies it gets from an ARP broadcast are correct?
Lab 1.1 Key Terms Quiz Use these key terms from the labs to complete the sentences that follow:
Address Resolution Protocol (ARP)
ARP cache
cat
Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP)
gateway
host address
ifconfig
Internet Control Message Protocol (ICMP)
Internet Protocol (IP)
ipconfig
Media Access Control (MAC) address
network address
ping (Packet Internet Groper)
resolv.conf
subnet mask
time to live (TTL)
Transmission Control Protocol/Internet Protocol (TCP/IP)
1. The letters IP stand for ____________________.
2. The ____________________ is the physical address of your network interface card that was assigned by the company that made the card.
3. ipconfig /renew will renew an IP address obtained from the ____________________ server.
4. The four items needed to connect a machine to the Internet are the ____________________ address, the ____________________ address, the ____________________, and the ____________________ address.
5. The ____________________ is used to separate the host address and network address from an IP address.
6. ____________________ is the file that contains DNS server addresses in Linux.
7. The ____________________ command is used to display the contents of text files in Linux.
8. The command used in this lab to test network connectivity is ____________________.
Follow-Up Labs
• Lab 1.2: Computer Name Resolution Now that you know how IP addresses resolve to MAC addresses, find out how computer and domain names are resolved.
• Lab 1.3: IPv6 Basics IPv6 is the next generation of addressing and will be implemented in the not too distant future.
• Lab 4.1: IP Address and Port Scanning, Service Identity Determination Nmap uses ARP in a ping sweep to discover devices on a network.
• Lab 6.2: Man-in-the-Middle Attack This attack exploits ARP.
Suggested Experiments
1. DHCP is designed to facilitate setting a client device’s IP settings from a host server that exists to enable autoconfiguration of IP addresses. This is particularly useful in large networks and provides a mechanism that allows remote administration of settings such as IP address and DNS and gateway IP addresses. To experiment with DHCP, you need to set up a DHCP server and then add clients to the network, exploring how DHCP sets the parameters automatically.
2. Research stack fingerprinting. When you ping a device and get a reply, you know that a device is working on the network. Are there any clues in the ICMP replies that might reveal what kind of device is responding?
References
• ARP
• Microsoft arp reference www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/arp.mspx
• RFC 826: An Ethernet Address Resolution Protocol www.faqs.org/rfcs/rfc826.html
• DHCP
• RFC 2131: Dynamic Host Configuration Protocol www.faqs.org/rfcs/rfc2131.html
• ICMP
• RFC 792: Internet Control Message Protocol www.faqs.org/rfcs/rfc792.html
• RFC 950: Internet Standard Subnetting Procedure www.faqs.org/rfcs/rfc950.html
• IP addressing and subnetting http://www.subnetting.net/Tutorial.aspx
• Linux commands
• Ifconfig Linux Programmer’s Manual, Section 8 (type the command man ifconfig)
• Netstat Linux Programmer’s Manual, Section 8 (type the command man netstat)
• Microsoft ipconfig reference www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipconfig.mspx
• Principles of Computer Security, Fourth Edition (McGraw-Hill Education, 2015), Chapter 14
Lab 1.2: Computer Name Resolution Remembering IP addresses can be cumbersome, especially when there are many machines on many networks. One way we sort out this complexity is with the use of the Domain Name System (DNS). When one computer connects to another computer using its domain name, the DNS translates the computer’s domain name into its appropriate IP address.
The DNS will first access a local file called the hosts file. The hosts file is a listing of corresponding IPv4 addresses and host names. By default, there is only one IP address—the localhost address; it is equivalent to the loopback address 127.0.0.1. The hosts file can always be modified to accommodate additional IP addresses.
If the IP address is not found in the hosts file, the computer will query the DNS cache (on Windows machines) and then the DNS server for the IP address. The DNS cache is a local copy of recently used name–IP address pairs. If the name is not in the cache, the request is directed to a DNS server. If the DNS server does not have the IP address in its database, it can “ask” another DNS server for the information. DNS servers are organized in a hierarchical structure, ultimately ending at servers maintained by the naming authorities. This is an efficient method of resolving names to IP addresses.
The fully qualified domain name (FQDN) is a dot-separated name that can be used to identify a host on a network. The FQDN consists of the host name along with its domain name and any other subdomain names, such as www.somename.com.
In this lab, you will modify the hosts file, test connectivity using the FQDN, and then explore the functionality of the nslookup command.
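The lookup order just described (hosts file, then local cache, then DNS server), as an added example in Python that is not the manual's code. The hosts file text, the DNS answers and the lab.local names are constructed. Because a hosts entry wins over DNS, the example also includes the check a defender would run to find hosts entries that disagree with the server, which is how a tampered hosts file shows up.

```python
from typing import Dict, Optional, Tuple

# Constructed sample in hosts-file syntax (Windows: %SystemRoot%\System32\drivers\etc\hosts,
# Linux: /etc/hosts). Names and addresses are made up for the example.
HOSTS_FILE = """\
# comment lines and blank lines are ignored
127.0.0.1        localhost
192.168.100.102  win2008.lab.local   win2008      # aliases share one address
"""

# The same file with an added entry that redirects a public name (constructed).
TAMPERED_HOSTS_FILE = HOSTS_FILE + "203.0.113.99     www.somename.com\n"

# Stand-in for the DNS server's answers; 203.0.113.0/24 is a documentation range.
DNS_SERVER: Dict[str, str] = {
    "win2008.lab.local": "192.168.100.102",
    "www.somename.com": "203.0.113.10",
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file lines into name -> address; names are case-insensitive."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)  # first entry for a name wins
    return table


class Resolver:
    """hosts file -> local cache -> DNS server, the order the text describes."""

    def __init__(self, hosts: Dict[str, str], server: Dict[str, str]):
        self.hosts = hosts
        self.server = server
        self.cache: Dict[str, str] = {}

    def resolve(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (address, source) where source is 'hosts', 'cache', 'dns' or None."""
        key = name.lower().rstrip(".")
        if key in self.hosts:
            return self.hosts[key], "hosts"
        if key in self.cache:
            return self.cache[key], "cache"
        answer = self.server.get(key)      # stands in for the query to the DNS server
        if answer is None:
            return None, None
        self.cache[key] = answer           # later lookups are served from the cache
        return answer, "dns"


def hosts_overrides(hosts: Dict[str, str], server: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Names whose hosts entry differs from DNS: name -> (hosts address, DNS address)."""
    return {
        name: (addr, server[name])
        for name, addr in hosts.items()
        if name in server and server[name] != addr
    }


if __name__ == "__main__":
    r = Resolver(parse_hosts(HOSTS_FILE), DNS_SERVER)
    for name in ("localhost", "WIN2008", "www.somename.com", "www.somename.com"):
        print(name, r.resolve(name))
    print(hosts_overrides(parse_hosts(TAMPERED_HOSTS_FILE), DNS_SERVER))
```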
Learning Objectives After completing this lab, you will be able to
• Understand how the loopback address can be used to test a network card
• Modify the hosts file on a computer using a basic text editor
• Check the DNS cache on a computer from the command line
• From the command line, resolve an FQDN to an IP address, and vice versa
• Understand how names are resolved into IP addresses in a Windows environment
15 MINUTES
Lab 1.2w: Name Resolution in Windows
Materials and Setup You will need the following:
• Windows 7
• Windows 2008 Server
• Metasploitable (acting as a DNS server)
Lab Steps at a Glance
Step 1: Start the Windows 7, Windows 2008 Server, and Metasploitable PCs. Log on only to the Windows 7 machine.
Step 2: Ping the Windows 7 machine from the Windows 7 machine.
Step 3: View and modify the hosts file.
Step 4: Ping the Windows 2008 Server machine by the FQDN.
Step 5: Use the nslookup command to view name-to–IP address information.
Step 6: Log off from the Windows 7 PC.
Lab Steps
Step 1: Start the Windows 7, Windows 2008 Server, and Metasploitable PCs. Log on only to the Windows 7 machine. To log on to the Windows 7 PC, follow these steps:
1. Click Admin at the Login screen.
2. In the password text box, type adminpass and press ENTER.
Step 2: Ping the Windows 7 machine from the Windows 7 machine. Using the Windows 7 machine, you are going to ping the machine that you are working on, using both the loopback address (127.0.0.1) and the name “localhost.” This is often done to test whether the network interface card (NIC) and TCP/IP are working before moving on to other troubleshooting methods.
1. To ping the machine using the loopback address, choose Start | Run, type cmd in the Open field, and press ENTER.
2. At the command line, type ping 127.0.0.1 and press ENTER.
3. Observe the information displayed.
4. To ping the Windows 7 computer using localhost, type ping localhost at the command line and press ENTER.
a. Observe the information displayed.
b. How does the computer know that localhost defaults to 127.0.0.1?
Step 3: View and modify the hosts file. You are now going to view and modify the hosts file. The hosts file is a text file that lists host (computer) names and their IP addresses on a network. On a small network, the hosts file can be used as an alternative to DNS.
To view and modify the hosts file, follow these steps:
1. Select Start | Programs | Accessories and right-click Notepad.
2. Click Run as administrator.
3. In the User Account Control dialog box, click Yes.
4. Click File | Open. Set the extension type to All Files. Then navigate to c:\windows\system32\drivers\etc\ and select the hosts file.
a. Observe the information displayed.
b. What entries are already there?
c. Why are they commented out?
5. Add the following lines to the end of the hosts file (refer to Figure 1-7):
192.168.100.102 2k8serv
192.168.100.101 me
6. Choose File | Save. Be sure that Save as type is set to All Files.
7. Close Notepad.
To ping the new names, follow these steps:
8. At the command line, type ping me and press ENTER. What IP address comes up?
9. At the command line, type ping 2k8serv and press ENTER.
a. What IP address comes up?
b. Why do you think administrative rights are required to modify the hosts file?
c. Can you think of a way that this file could be exploited?
FIGURE 1-7 Modifying the hosts file with Notepad
Step 4: Ping the Windows 2008 Server machine by the FQDN. From the Windows 7 PC, you are going to use the ping utility to communicate with the Windows 2008 Server machine. You will look at the DNS cache and see how it changes during this process.
1. To ping the IP address of the Windows 2008 Server computer, type ping 192.168.100.102 at the command line and press ENTER.
2. Observe the information displayed.
3. To check the contents of the DNS cache, type ipconfig /displaydns at the command line and press ENTER.
a. What listings do you see?
b. Is there one for win2k8serv.security.local?
4. To ping the Windows 2008 Server computer by name, type ping win2k8serv.security.local at the command line and press ENTER.
a. Observe the information displayed.
b. Did it show the IP address of the server?
5. To check the DNS cache again, type ipconfig /displaydns at the command line and press ENTER.
a. Is there an entry for win2k8serv.security.local this time?
b. Where did the DNS cache get it from?
Step 5: Use the nslookup command to view name-to–IP address information. You will use nslookup to view name resolution. The nslookup command allows you to either discover the IP address of a computer from its FQDN or use the IP address to determine the FQDN.
To list the options available for the nslookup command, follow these steps:
1. At the command line, type nslookup and press ENTER.
2. At the command prompt, type help and press ENTER.
Note
Unlike most other commands at the Windows command line, the /? switch will not provide the usage information for nslookup.
a. Observe the information displayed.
b. Which option displays the current server/host?
3. At the command line, type exit and press ENTER.
4. To check the IP address for the Windows 7 computer, type nslookup win7.security.local at the command line and press ENTER. Is the IP address correct?
5. To check the IP address for the Windows 2008 Server computer, type nslookup Win2k8serv.security.local at the command line and press ENTER, as shown in Figure 1-8.
a. Is the IP address correct?
b. Note that the name of the server is win2k8serv and not 2k8serv, which you put into the hosts file.
FIGURE 1-8 The nslookup command
Note
The nslookup command uses the fully qualified domain name of a computer.
Step 6: Log off from the Windows 7 PC. At the Windows 7 PC, follow this step:
• Choose Start | Shut Down arrow | Log off.
Note
Although it is easy to look up, a packet’s source IP address can be changed (spoofed) and should not be relied upon blindly as proof of origin. This is a weakness of IPv4 and has been addressed using IP Security (IPsec), an optional component of the Internet Protocol.
Lab 1.2 Analysis Questions
The following questions apply to the lab in this section:
1. You are the administrator of a large network. You would like to make a change that allows users to type one word into their web browsers to access a web site. For example, instead of typing www.yoursite.com, users could just type yoursite. Based on the lab you have just done, how is this accomplished for the example given?
2. What is the sequence in which domain names are resolved on a Windows machine?
3. Entering the command nslookup IP address will provide you with what information about the IP address?
Lab 1.2 Key Terms Quiz
Use these key terms from the lab to complete the sentences that follow:
127.0.0.1
DNS cache
Domain Name System (DNS)
fully qualified domain name (FQDN)
hosts file
IP addresses
localhost address
loopback address
nslookup
ping localhost
1. The command used in this lab to test and query DNS servers is called ____________________.
2. You can type ____________________ to test whether a network card and TCP/IP are working on the local machine.
3. The letters FQDN stand for ____________________ ____________________ ____________________ ____________________.
4. Entering nslookup www.yoursite.com will provide you with all the ____________________ associated with that FQDN.
5. The ____________________ is a small space in memory that will maintain resolved names for a period of time.
6. What file maps computer names to IP addresses? ____________________
Follow-Up Labs
• Lab 4.1: IP Address and Port Scanning, Service Identity Determination Discover how to scan a network for IP addresses and find open ports on each one discovered.
• Lab 5.3: E-mail System Exploits See how domain names are used in spoofing e-mails.
Suggested Experiment
On your home computer, use nslookup to find the IP addresses for different sites that you normally go to, such as www.google.com or www.microsoft.com.
References
• ARP
  • RFC 826: An Ethernet Address Resolution Protocol, www.faqs.org/rfcs/rfc826.html
• ICMP
  • RFC 792: Internet Control Message Protocol, www.faqs.org/rfcs/rfc792.html
• nslookup
  • RFC 2151: A Primer on Internet and TCP/IP Tools and Utilities, www.faqs.org/rfcs/rfc2151.html
• Principles of Computer Security, Fourth Edition (McGraw-Hill Education, 2015), Chapter 9
Lab 1.3: IPv6 Basics
The TCP/IP network is commonly referred to simply as TCP or IP, seldom with any reference to the version of the protocol in use. Until recently, this was because everyone used the same version, version 4. One of the shortcomings of IPv4 is the size of the address space. This was recognized early, and a replacement protocol, IPv6, was developed in the late 1990s. Adoption of IPv6 has been slow because, until recently, there were IPv4 addresses remaining in inventory. The impending end of the IPv4 address inventory has pushed enterprises into dual-stack operations, where both IPv4 and IPv6 are used.
The IPv6 protocol is not backward compatible with IPv4. Many aspects are identical, yet some have changed to resolve issues discovered during the use of IPv4. A key aspect is the autoconfiguration features associated with the IPv6 standard. IPv6 is designed to extend the reach of the Internet Protocol by addressing issues discovered in the 30 years of IPv4. The IP address space is the most visible change, but issues such as simpler configuration of IP-enabled devices without using DHCP, deployment of security functionality, and quality of service were also designed into IPv6 as optional extensions (with limitations).
A significant change occurs in ICMPv6: ICMP messages now carry the signalling associated with routing and packet loss, so blocking ICMPv6 at the edge of the network would leave a system without delivery failure messages. ICMP is also used to convey Neighbor Discovery (ND) and Neighbor Solicitation (NS) messages to enable autoconfiguration of IP-enabled devices. With version 6, ICMP becomes an integral part of the protocol set.
IPv6 supports a variety of address types, as listed in Table 1-1.
TABLE 1-1 IPv6 Address Types
Link-local unicast addresses are analogous to the IPv4 address series 169.254.0.0/16. These addresses are automatically assigned to an interface and are used for the autoconfiguration of addresses and Neighbor Discovery. They are not to be routed. Multicast addresses are used to replace the broadcast function from IPv4. Multicast addresses can be defined in a range of scopes, from link to site to Internet. Global unicast addresses are used to send to a specific single IP address, multicast addresses are used to send to a group of IP addresses, and the anycast address, a new type in IPv6, is used to communicate with any member of a group of IPv6 addresses.
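The address types above, and the notation used in this lab (fe80::..., 2001:db8:1234:5678::2), as an added illustration written for this section rather than code from the book. It expands the "::" shorthand into eight 16-bit groups, produces the canonical shortened form, and classifies an address by prefix, including the multicast scope field that distinguishes link, site and global scopes; the addresses in the main block are constructed.

```python
"""Expand, shorten and classify IPv6 addresses by the types in Table 1-1.
Added illustration for this lab; not code from the book."""

MULTICAST_SCOPES = {          # low 4 bits of the first group of an ff00::/8 address
    0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
    0x5: "site-local", 0x8: "organization-local", 0xE: "global",
}


def expand_ipv6(text):
    """Return the eight 16-bit groups of an address written with or without
    '::' shorthand; a trailing Windows zone index such as %11 is ignored."""
    text = text.split("%", 1)[0].strip()
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        left = [int(g, 16) for g in head.split(":")] if head else []
        right = [int(g, 16) for g in tail.split(":")] if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + [0] * missing + right
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError("malformed IPv6 address: %r" % text)
    return groups


def compress_ipv6(groups):
    """Shortest textual form: lowercase hex, no leading zeros, and the longest
    run of two or more zero groups (leftmost on ties) replaced by '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    words = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def classify_ipv6(text):
    """Name the address type the way Table 1-1 and the lab text describe it."""
    g = expand_ipv6(text)
    if g == [0] * 8:
        return "unspecified"
    if g == [0] * 7 + [1]:
        return "loopback"
    first = g[0]
    if first >> 8 == 0xFF:                       # ff00::/8
        scope = MULTICAST_SCOPES.get(first & 0xF, "scope 0x%x" % (first & 0xF))
        return "multicast (%s scope)" % scope
    if first & 0xFFC0 == 0xFE80:                 # fe80::/10, like IPv4 169.254.0.0/16
        return "link-local unicast"
    if first & 0xE000 == 0x2000:                 # 2000::/3
        if g[0] == 0x2001 and g[1] == 0x0DB8:    # 2001:db8::/32 is reserved for documentation
            return "global unicast (documentation prefix 2001:db8::/32)"
        return "global unicast"
    # Anycast addresses are allocated from the unicast space and cannot be told
    # apart from unicast by syntax alone, so they never appear here.
    return "other unicast"


if __name__ == "__main__":
    for addr in ("fe80::8cb8:89fc:bc3a:8ec9%11", "2001:db8:1234:5678::2",
                 "ff02::1", "ff05::2", "::1", "::"):      # constructed samples
        print("%-30s %-45s %s" % (addr, compress_ipv6(expand_ipv6(addr)), classify_ipv6(addr)))
```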
Learning Objectives
After completing this lab, you will be able to
• Understand the new IPv6 header
• Understand different address configurations
• Understand IPv6 addressing nomenclature
• Identify differences between IPv6 and IPv4 traffic
40 MINUTES
Lab 1.3w: Windows IPv6 Basics (netsh/ping6)
Materials and Setup
You will need the following:
• Windows 7
• Windows 2008 Server
Lab Steps at a Glance
Step 1: Start the Windows 7 and Windows 2008 Server machines. Log on only to the Windows 7 machine.
Step 2: Verify IPv6 settings.
Step 3: Log on to the Windows 2008 Server machine.
Step 4: Verify IPv6 settings.
Step 5: Launch Wireshark on the Windows 7 PC.
Step 6: Ping the Windows 2008 Server machine from the Windows 7 machine.
Step 7: Change the IPv6 address of the Windows 7 machine.
Step 8: Change the IPv6 address of the Windows 2008 machine.
Step 9: View the IPv6 ping traffic in Wireshark.
Step 10: Investigate communications between various IP addresses.
Step 11: Reset all IPv6 configuration states.
Step 12: Log off from both the Windows 7 and Windows 2008 Server machines.
Lab Steps
Step 1: Start the Windows 7 and Windows 2008 Server machines. Log on only to the Windows 7 machine.
To log on to the Windows 7 PC, follow these steps:
1. Click Admin at the Login screen.
2. In the password text box, type adminpass and press ENTER.
Step 2: Verify IPv6 settings.
1. Click Start; in the Search Programs And Files box, type cmd and press ENTER.
2. Type netsh interface ipv6 show address and press ENTER. You should get a reply similar to what’s shown in Figure 1-9.
3. Record your IPv6 address for later use.
FIGURE 1-9 IPv6 settings
Step 3: Log on to the Windows 2008 Server machine. To log on to the Windows 2008 Server PC, follow these steps:
1. At the Login screen, press CTRL-ALT-DEL.
2. Enter the username administrator and the password adminpass.
3. Click OK.
Step 4: Verify IPv6 settings.
1. Click Start; in the Search programs and files box, type cmd and press ENTER.
2. Type netsh interface ipv6 show address and press ENTER.
3. Record your IPv6 address for later use.
Step 5: Launch Wireshark on the Windows 7 PC.
Note
Wireshark is a protocol analyzer and network sniffing program. It will be covered in more depth in Chapter 2.
On the Windows 7 machine, follow these steps:
1. Choose Start | All Programs | Wireshark.
2. Within Wireshark, choose Capture | Interfaces.
3. Click Start for the correct interface.
Note
The correct interface has the corresponding IP address you recorded in the previous step.
Step 6: Ping the Windows 2008 Server machine from the Windows 7 PC machine.
On the Windows 7 machine, in the command window, type ping -6 [IPv6 address of Windows 2008 Server machine] and press ENTER.
The IPv6 address will look something like fe80::8cb8:89fc:bc3a:8ec9. You should get a reply similar to what’s shown in Figure 1-10.
FIGURE 1-10 The ping -6 command
Step 7: Change the IPv6 address of the Windows 7 machine.
1. On the Windows 7 machine, close the current Command Prompt window.
2. Select Start | Programs | Accessories and right-click Command Prompt.
3. Click Run as administrator.
4. In the User Account Control dialog box, click Yes.
5. In the command window, type netsh interface ipv6 set address “your interface name” 2001:db8:1234:5678::2 and press ENTER.
6. Verify the address by typing netsh interface ipv6 show address and pressing ENTER.
7. Record the IPv6 addresses and types for later use.
Note
See Figure 1-11 for an example of interface name.
FIGURE 1-11 Changing and showing the IPv6 address
Step 8: Change the IPv6 address of the Windows 2008 machine.
1. Select Start | Programs | Accessories and right-click Command Prompt.
2. Click Run as administrator.
3. In the User Account Control dialog box, click Yes.
4. In the command window, type netsh interface ipv6 set address “your interface name” 2001:db8:1234:5678::3 and press ENTER.
5. Verify the address by typing netsh interface ipv6 show address and pressing ENTER.
6. Record the IPv6 addresses and types for later use.
Step 9: View the IPv6 ping traffic in Wireshark. On the Windows 7 PC, verify the IPv6 ping by viewing the Wireshark output. You should get a reply similar to what’s shown in Figure 1-12.
FIGURE 1-12 IPv6 traffic in Wireshark
Note
You can filter the results to show only IPv6-related traffic by specifying ipv6 in the Filter field and clicking Apply.
Step 10: Investigate communications between various IP addresses. For this step, experiment using Wireshark and the ping6 command on Windows 7 and using Wireshark and the ping command on Windows 2008 Server. Investigate communicating between various IPv6 addresses.
What are the differences?
Step 11: Reset all IPv6 configuration states.
On both machines, in the Command Prompt window, type netsh interface ipv6 reset and press ENTER.
Step 12: Log off from both the Windows 7 and Windows 2008 Server machines.
1. On the Windows 7 PC, choose Start | Shutdown arrow | Log Off.
2. On the Windows 2008 Server machine, choose Start | Log Off, click Log Off, and click OK.
Lab 1.3 Analysis Questions
The following questions apply to the lab in this section:
1. What are the different types of IPv6 traffic captured in Wireshark?
2. Using Wireshark, describe the differences between IPv4 and IPv6 packets observed in this lab.
Lab 1.3 Key Terms Quiz
Use these key terms from the lab to complete the sentences that follow:
anycast address
global unicast addresses
ICMPv6
link-local unicast addresses
multicast addresses
Neighbor Discovery (ND)
Neighbor Solicitation (NS)
1. The protocol used for Neighbor Discovery (ND) is ____________________.
2. ARP is replaced in IPv6 by ____________________ transmitted using ____________________.
3. IPv6 addresses that begin with FE80 represent ____________________.
4. In IPv6, broadcast messages are accomplished using ____________________.
Suggested Experiments
1. Get the Kali and Metasploitable machines to ping each other with IPv6.
2. Get all four machines to ping each other with IPv6.
3. Get all machines to use only IPv6 and get HTTP and FTP services working.
References
• ARIN IPv6 wiki, www.getipv6.info/index.php/Main_Page
• ICMPv6
  • RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification, www.faqs.org/rfcs/rfc2463.html
• Introduction to IP Version 6 (Microsoft Corporation, updated January 2008), http://download.microsoft.com/download/e/9/b/e9bd20d3-cc8d-4162-aa60-3aa3abc2b2e9/IPv6.doc
• IPv6
  • RFC 2460: Internet Protocol, Version 6 (IPv6) Specification, www.faqs.org/rfcs/rfc2460.html
  • IPv6: What, Why, How presentation slides (Jen Linkova), www.openwall.com/presentations/IPv6/
• IPv6 transition
  • RFC 4942: IPv6 Transition/Co-existence Security Considerations, www.faqs.org/rfcs/rfc4942.html
• Neighbor Discovery
  • RFC 2461: Neighbor Discovery for IP Version 6 (IPv6), www.faqs.org/rfcs/rfc2461.html
• Principles of Computer Security, Fourth Edition (McGraw-Hill Education, 2015), Chapter 9
Chapter 2 Network Transports
Labs
• Lab 2.1 Network Communication Analysis
  Lab 2.1w Network Communication Analysis in Windows
  Lab 2.1 Analysis Questions
  Lab 2.1 Key Terms Quiz
• Lab 2.2 Port Connection Status
  Lab 2.2w Windows-Based Port Connection Status
  Lab 2.2l Linux-Based Port Connection Status
  Lab 2.2 Analysis Questions
  Lab 2.2 Key Terms Quiz
Networks work by transporting data from point A to point B, and vice versa. However, to do so, they need standards to control data communication. In the lab exercises in this chapter, you will work with three of those standards: Address Resolution Protocol, User Datagram Protocol, and Transmission Control Protocol. You will be able to fully see how packets interact with one another to establish connections and get information where it is supposed to go. You will do this using tools such as netstat and Wireshark.
Note
You can find instructions for setting up all environments used in this chapter on the book’s companion online learning center at www.mhprofessional.com/PrinciplesSecurity4e.
Lab 2.1: Network Communication Analysis
Wireshark is a powerful protocol analyzer (and sniffer) that network professionals can use to troubleshoot and analyze network traffic under great scrutiny. Since the information revealed by Wireshark can be used to either attack or defend a network, administrators should learn how to use it so that they are aware of what potential attackers can see. Wireshark is a utility that will help you to look at how various protocols work. It will be examined in several labs throughout the book.
In Lab 1.1, “Network Workstation Client Configuration,” you looked at the relationship of IP addresses to MAC addresses and the use of the ping command. In this lab, first you will see the traffic generated by one computer requesting the MAC address of another computer using Address Resolution Protocol (ARP). You will then look at the ICMP traffic in the ping request and reply process. Next, you will look at the connectionless protocol UDP that is used by DNS. Finally, you’ll look at connection-oriented TCP traffic.
Internet Control Message Protocol (ICMP) is a transport protocol used between different devices on a network to help the network know a bit more about what is happening and why it might be happening.
User Datagram Protocol (UDP) is a connectionless transport protocol used to send small amounts of data, typically where the order of transmission does not matter or where the timeliness of the traffic is more important than the completeness of the traffic (for example, Voice over IP).
Transmission Control Protocol (TCP) is a connection-oriented protocol between two or more computers. As such, a reliable connection must be established before data is transmitted. The process of two devices establishing this connection with TCP is called the three-way handshake. The following illustration shows the header of a TCP packet, and the following list (from RFC 791, “Internet Protocol,” at www.faqs.org/rfcs/rfc791.html) describes its fields.
• Source Port (16 bits). This is the source port number.
• Destination Port (16 bits). This is the destination port number.
• Sequence Number (32 bits). This is the sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN), and the first data octet is ISN+1.
• Acknowledgment Number (32 bits). If the ACK control bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established, this is always sent.
• Data Offset (4 bits). This is the number of 32-bit words in the TCP header. This indicates where the data begins. The TCP header (even one including options) is an integral number of 32 bits long.
• Reserved (6 bits). This is reserved for future use and must be zero.
• Control Bits (6 bits, from left to right):
  • URG: Urgent Pointer field significant
  • ACK: Acknowledgment field significant
  • PSH: Push function
  • RST: Reset the connection
  • SYN: Synchronize sequence numbers
  • FIN: No more data from sender
• Window (16 bits). This is the number of data octets beginning with the one indicated in the acknowledgment field, which the sender of this segment is willing to accept.
• Checksum (16 bits). The checksum field is the 16-bit ones’ complement of the ones’ complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be check-summed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.
• Urgent Pointer (16 bits). This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only to be interpreted in segments with the URG control bit set.
• Options (variable).
• Padding (variable). The TCP header padding is used to ensure that the TCP header ends and data begins on a 32-bit boundary. The padding is composed of zeros.
There are essentially three steps to the three-way handshake. Initially, the first computer establishes a connection with the second computer via a synchronize packet (SYN). When the second computer receives this packet, it responds by sending a synchronize packet and an acknowledgment packet (ACK). When the initiating computer receives these two packets, it replies with an acknowledgment packet of its own, and a communication link is established between the two computers. When you think of the three-way handshake, think SYN, SYN/ACK, and ACK. As you will see, this is an important security concept.
For example, HTTP is an application-layer protocol that utilizes the TCP three-way handshake. It is a generic protocol that is most often used in web-based communication on the Internet. HTTP is used for communication between user agents and proxies, or gateways, to other Internet systems. It is a TCP-based protocol and uses port 80 to communicate.
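The header fields listed above and the SYN, SYN/ACK, ACK handshake, as an added example that is not part of the lab manual. It decodes the fixed header, the data offset, the control bits and any options from raw bytes, then finds a handshake whose ports and sequence numbers chain correctly; the segments are constructed with the builder in the block (an HTTP connection to port 80, with the client ISN chosen so that ISN+1 wraps around 2**32) and the checksum is left at zero because the IP pseudoheader is not modelled here.

```python
"""Decode the TCP header fields listed above and pick out the SYN, SYN/ACK,
ACK handshake from a sequence of segments.  Added illustration; the segments
are constructed with the builder below, not taken from a real capture."""
import struct

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
SEQ_MASK = 0xFFFFFFFF               # sequence numbers wrap at 2**32


def parse_tcp_header(segment):
    """Parse the fixed 20-byte header, options and payload of one segment."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12                      # 32-bit words in the header
    header_len = data_offset * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset %d is inconsistent with segment length" % data_offset)
    flag_bits = off_flags & 0x3F
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": (off_flags >> 6) & 0x3F,
        "flags": {name for name, bit in FLAG_BITS.items() if flag_bits & bit},
        "window": window, "checksum": checksum, "urgent_pointer": urgent,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }


def build_tcp_segment(sport, dport, seq, ack, flags, payload=b"", options=b"", window=8192):
    """Constructed-segment helper; checksum is left at zero because it depends
    on the IP pseudoheader, which this example does not model."""
    options += b"\x00" * ((-len(options)) % 4)       # pad to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    flag_bits = sum(FLAG_BITS[f] for f in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq & SEQ_MASK, ack & SEQ_MASK,
                         (data_offset << 12) | flag_bits, window, 0, 0)
    return header + options + payload


def find_handshake(segments):
    """Return (client_isn, server_isn) for the first SYN -> SYN/ACK -> ACK
    exchange whose ports and sequence numbers chain correctly, else None."""
    for i, syn in enumerate(segments):
        if syn["flags"] != {"SYN"}:
            continue
        c_isn = syn["seq"]
        for j in range(i + 1, len(segments)):
            sa = segments[j]
            if (sa["flags"] == {"SYN", "ACK"} and sa["src_port"] == syn["dst_port"]
                    and sa["dst_port"] == syn["src_port"]
                    and sa["ack"] == (c_isn + 1) & SEQ_MASK):   # acknowledges ISN+1
                s_isn = sa["seq"]
                for ack in segments[j + 1:]:
                    if (ack["flags"] == {"ACK"} and ack["src_port"] == syn["src_port"]
                            and ack["dst_port"] == syn["dst_port"]
                            and ack["seq"] == (c_isn + 1) & SEQ_MASK
                            and ack["ack"] == (s_isn + 1) & SEQ_MASK):
                        return c_isn, s_isn
    return None


# Constructed HTTP connection: client port 49152 to server port 80.  The client
# ISN is chosen so the ISN+1 arithmetic wraps around 2**32.
CLIENT_ISN, SERVER_ISN = 0xFFFFFFFF, 5000
SAMPLE_SEGMENTS = [
    build_tcp_segment(49152, 80, CLIENT_ISN, 0, ["SYN"], options=b"\x02\x04\x05\xb4"),  # MSS 1460
    build_tcp_segment(80, 49152, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]),
    build_tcp_segment(49152, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]),
    build_tcp_segment(49152, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["PSH", "ACK"],
                      payload=b"GET / HTTP/1.1\r\nHost: www.somename.com\r\n\r\n"),
]


if __name__ == "__main__":
    parsed = [parse_tcp_header(s) for s in SAMPLE_SEGMENTS]
    for p in parsed:
        print(p["src_port"], "->", p["dst_port"], sorted(p["flags"]), "seq", p["seq"], "ack", p["ack"])
    print("handshake ISNs:", find_handshake(parsed))
```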
Note that because switches are used in most networks, Wireshark will normally see broadcast traffic and traffic to and from only the machine it is running on. A switch filters out all other unicast traffic for the other machines on the network. To see all the traffic on the network, a hub or a switch with a spanned port would need to be used.
Learning Objectives
After completing this lab, you will be able to
• Use Wireshark to capture a communication session between two computers
• Given a screenshot of a session captured using Wireshark, identify the three main sections of the Wireshark display
• Use Wireshark’s filter option to view desired protocols
• Use Wireshark to capture and identify UDP traffic
• Use Wireshark to capture and identify TCP traffic, including the three-way handshake and the packets used to determine that a TCP session has ended
Note
This lab is constructed upon protocols and methods associated with IPv4, including ARP. Because ARP is not part of IPv6, this lab will not provide the same results in an IPv6 environment.
25 MINUTES
Lab 2.1w: Network Communication Analysis in Windows
Materials and Setup
You will need the following:
• Windows 7 Professional
• Windows 2008 Server
• Metasploitable
In addition, you will need the following:
• Wireshark
Lab Steps at a Glance
Step 1: Start the Windows 7 Professional and Windows 2008 Server PCs. Log on only to the Windows 7 PC.
Step 2: Clear the ARP cache.
Step 3: Start Wireshark and capture a ping session.
Step 4: Examine the captured session.
Step 5: Filter the captured session.
Step 6: Capture a DNS session.
Step 7: Examine the DNS session.
Step 8: Clear the ARP cache and capture a Telnet session.
Step 9: Examine the Telnet session and identify all the protocols in use.
Step 10: Log off from the Windows 7 Professional PC.
Lab Steps
Step 1: Start the Windows 7 Professional and Windows 2008 Server PCs. Log on only to the Windows 7 PC.
Log on to the Windows 7 Professional PC with these steps:
1. At the Login screen, click the Admin icon.
2. In the password text box, type the password adminpass and then press ENTER.
Step 2: Clear the ARP cache. The ARP cache is an area in memory where the computer stores the information that is found in the ARP table. Clearing the ARP cache before you start the capture session allows you to have greater control over data you capture.
1. Click Start | All Programs | Accessories and right-click Command Prompt. Select Run As Administrator.
2. In the User Account Control dialog box, click Yes.
3. At the command line, type arp -a and press ENTER.
4. There should be no entries. If there are, clear them with the arp -d command.
Note
Leave the Command Prompt window open throughout this lab because you will use it multiple times.
Step 3: Start Wireshark and capture a ping session. This step introduces you to Wireshark and shows you how to use it to capture, view, and filter communication between two computers.
1. Start Wireshark by choosing Start | All Programs | Wireshark. See Figure 2-1.
Note
The startup screen displays the commands needed to use Wireshark.
2. Start capturing data by clicking Interface List. (You use Capture | Interfaces on the menu bar when the startup screen is not displayed.)
3. In the Capture Interfaces dialog box, shown in Figure 2-2, click Start to start capturing data.
4. At the command line, type ping 192.168.100.102 and press ENTER.
5. Observe the response. You should receive four replies.
6. Stop capturing data in Wireshark by clicking Capture | Stop.
7. Observe the captured session. See the example shown in Figure 2-3.
What protocol is being used for the ping requests?
FIGURE 2-1 Wireshark startup screen
FIGURE 2-2 Capture Interfaces dialog box
FIGURE 2-3 Wireshark after collecting ping data
Step 4: Examine the captured session. You will now look at the information that Wireshark gives you.
1. As shown in Figure 2-3, Wireshark’s main screen is separated into three sections.
• Packet list section. Located at the top, this section summarizes the packets captured. Clicking any one of the packets in this section displays more detailed information in the other two sections.
• Tree view section. Located in the middle, this section displays in a tree format detailed information about the packet selected in the top section.
• Data view section. Located at the bottom, this section shows the raw data of a captured packet in hexadecimal format and textual format. Hexadecimal is the base-16 numbering system. It is composed of the numbers 0–9 and the letters A–F. Hexadecimal is sometimes used as a short way of representing binary numbers. Any section selected in the tree view section will be highlighted in this section.
2. The following are the columns in the packet list section. Each column provides specific information.
• No: The order in which the packets were received
• Time: The time each packet was captured relative to the beginning of the capture
• Source: Source address
• Destination: Destination address
• Protocol: The highest-layer protocol identified in the packet
• Length: Packet length in bytes
• Info: A summary of what the packet is doing
Whichever frame is highlighted in the packet list section is what is displayed in the tree view and data view sections. In the packet list section, you may have other packets besides the ones you intended to generate. These may include packets of IGMP (used for multicast) or 802.1D (for spanning tree). Which packets you see depends upon your network equipment or what network equipment is being simulated.
Note
You will see two packets that have a protocol of ARP. The first is a broadcast, and the second is a reply.
3. Select the first packet that has a protocol of ARP and a destination of Broadcast.
4. In the tree view section, select the part labeled Ethernet II and click the + symbol.
5. Select the line that says Destination.
a. What is the broadcast address in hexadecimal?
b. Observe that the broadcast address is also highlighted in the data view section.
c. Which is first, the source or the destination?
6. In the tree view section, click Address Resolution Protocol and expand it (click the + symbol).
a. What is the protocol type?
b. What is the protocol size?
7. In the packet list section, select the ARP reply packet, which should be the ARP packet listed after the broadcast packet. The information in the tree view and data view sections will change accordingly.
8. For the two computers to communicate, the MAC address of the destination must be known. Since you cleared the ARP cache table, the computer had to request it again. Can you think of ways that this mechanism might be exploited?
9. In the packet list section, click the first ping request and look in the Info section.
a. This is the first ping you sent. Notice that there are four of them as well as four replies.
b. What protocol does Wireshark list as being used by ping to send and reply?
Step 5: Filter the captured session. Even though this packet capture did not gather too much information, on a busy network it is easy to get thousands of packets, sometimes in a short time. Sorting through them can be quite a chore. Therefore, it is useful to learn how to use the filters. The filters can help you access the information you are looking for.
1. Click inside the Filter text box on the Filter bar.
2. Type arp and press ENTER (or click Apply).
Warning
This is a case-sensitive command. If you type ARP, the box will be highlighted in red, and the filter will not work.
3. Notice that only the ARP packets are displayed now. Also, notice that when you type in the Filter box, the background is highlighted red if you have incorrect syntax and green if the syntax is correct.
4. When you are finished with that filter and want to see all packets captured, click Clear on the Filter bar.
Note
On the Filter bar, the Expression button will help you create correctly formatted filter instructions.
Step 6: Capture a DNS session. In the previous steps, you used Wireshark to look at ICMP and lower-layer protocols. You will now look at UDP traffic.
UDP is a transport-layer protocol, but unlike TCP it is connectionless: there is no handshake, it has few error-recovery functions, and it gives no guarantee of packet delivery. In exchange, UDP carries far less protocol overhead; its header is only 8 bytes. This illustration shows the UDP header format, and the following list (from RFC 768, “User Datagram Protocol,” at www.faqs.org/rfcs/rfc768.html) describes the fields.
• Source Port An optional field. When meaningful, it indicates the port of the sending process and may be assumed to be the port to which a reply should be addressed in the absence of any other information. If not used, a value of zero is inserted.
• Destination Port Has meaning within the context of a particular Internet destination address.
• Length The length in octets of this user datagram including the header and the data.
• Checksum The 16-bit ones’ complement of the ones’ complement sum of a pseudoheader of information from the IP header, the UDP header, and the data, padded with zero octets at the end (if necessary) to make a multiple of two octets. The pseudoheader (source address, destination address, protocol number 17, and UDP length) ties the datagram to its IP addresses, so a datagram whose addresses are rewritten in transit fails the check. Over IPv4 the checksum is optional: a transmitted value of all zeros means the sender computed no checksum, and a computed value of zero is transmitted as all ones.
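As an added worked example (not part of the lab manual), the following Python script builds a UDP datagram from the four fields listed above, computes the checksum over the pseudoheader exactly as RFC 768 describes, and then parses and verifies the result the way Wireshark does. The addresses and the DNS payload are constructed for illustration; the client address in particular is assumed, since the lab does not state it.

```python
import struct

# Constructed sample addresses: the lab does not give the client's IP, and the
# server address below is assumed for illustration only.
SRC_IP = bytes([192, 168, 100, 101])
DST_IP = bytes([192, 168, 100, 202])
UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071).
    An odd trailing octet is padded with a zero octet, as RFC 768 requires."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_length: int) -> bytes:
    """IPv4 pseudoheader: source, destination, zero byte, protocol 17, UDP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, udp_length)


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum of pseudoheader + UDP header (checksum field zero) + data."""
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return csum if csum else 0xFFFF  # a computed zero is transmitted as all ones


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble a UDP segment (8-byte header + data) with a valid checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(src_ip, dst_ip, segment):
    """Decode the four header fields and verify the checksum.
    checksum_ok is None when the sender transmitted zero (no checksum computed)."""
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if csum == 0:
        ok = None
    else:
        # With a correct checksum the sum over the whole segment comes out to 0xFFFF.
        total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment[:length])
        ok = total == 0xFFFF
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "checksum_ok": ok, "data": segment[8:length]}


def dns_query(name, txid=0x1234):
    """Minimal DNS A query, like the one nslookup sends in Step 6."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


if __name__ == "__main__":
    pkt = build_udp(SRC_IP, DST_IP, 50000, 53, dns_query("linuxserv.security.local"))
    print(parse_udp(SRC_IP, DST_IP, pkt))
```

Flip any byte of the data, or hand parse_udp a different source address, and checksum_ok turns False; that is what the pseudoheader buys you. A transmitted checksum of zero is reported as None because the sender computed none, which Wireshark shows as an unverified checksum rather than a bad one.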
To capture a DNS session, follow these steps:
1. Start a new capture session in Wireshark by choosing Capture | Interfaces and clicking Start; then click Continue Without Saving.
2. At the command line, type nslookup linuxserv.security.local and press ENTER. 3. Once you get the response in the command prompt, stop the capture in Wireshark by choosing Capture | Stop.
Step 7: Examine the DNS session. At this point you should have a capture of an nslookup command. It may have an ARP session in the capture. See the example in Figure 2-4.
FIGURE 2-4 Wireshark after collecting nslookup
1. In the packet list section, select the first packet that has DNS listed in the Protocol column. 2. In the tree view section, expand the User Datagram Protocol item.
a. Observe the information that is displayed. b. What is the source port? c. What is the destination port? d. What is the checksum value?
Step 8: Clear the ARP cache and capture a Telnet session.
1. At the command prompt, type arp –a. 2. If you see entries, use arp –d to remove them. 3. Start a new capture session in Wireshark by choosing Capture | Interfaces and clicking Start; then click Continue Without Saving. 4. Type telnet linuxserv.security.local and press ENTER. 5. At the login prompt, enter labuser and press ENTER.
6. At the password prompt, type password and press ENTER. Note that you will not see the characters as you type the password. This is normal.
7. Check to see which accounts are on the machine by typing cat /etc/passwd and pressing ENTER. You can now log out by typing exit and pressing ENTER.
8. Stop the capture in Wireshark by choosing Capture | Stop.
Step 9: Examine the Telnet session and identify all the protocols in use.
1. In the packet list section, select the first packet that has TCP listed in the Protocol column. 2. In the tree view section, expand the Transmission Control Protocol item.
a. Observe the information that is displayed. b. What is the source port? c. What is the destination port? d. What is the checksum value? Is it correct? (If Wireshark flags the checksum on packets sent by your own machine as incorrect, checksum offloading is the usual cause: the network card fills in the checksum after the capture driver has already copied the packet.) e. What differences do you notice between the TCP and UDP headers?
3. You can now see just the TCP connection by selecting any packet in the TCP connection, right-clicking it, and choosing Follow TCP Stream. This opens a text window that shows the text of the TCP connection. The red text is what was sent by the client, and the blue text is what was sent by the server. Look for the username labuser and the password you typed: Telnet sends both in clear text, which is exactly what a sniffer on the path would collect (Lab 8.2 replaces Telnet with SSH for this reason). When you close that window, you will see that a filter has been set up that will show only that TCP stream. At the top of the packet list will be the three-way handshake (SYN, SYN/ACK, ACK), and at the bottom the FIN/ACK exchange that closes the TCP session.
Step 10: Log off from the Windows 7 Professional PC. At the Windows 7 PC, follow this step:
1. Choose Start | Log Off.
Lab 2.1 Analysis Questions The following questions apply to the lab in this section:
1. What protocol does Wireshark indicate is being used when pinging a computer?
2. You are the network administrator for your LAN. You have just captured the network traffic for the last ten minutes and have thousands of packets captured. You are interested in looking only at packets using the AIM protocol. What would you do to view only the desired packets?
3. You are the network administrator for your LAN. You have just captured network traffic and are analyzing the packets. You find several packets that look suspicious to you. How would you find out what the source IP address and the source MAC address of the packets are?
4. Besides HTTP, name three other protocols or applications that are TCP based and would require a three-way handshake to initiate the session.
5. What is a disadvantage of using a connectionless protocol?
6. What is a benefit of using a connection-oriented protocol?
7. What is a benefit of using a connectionless protocol?
Lab 2.1 Key Terms Quiz Use these key terms from the lab to complete the sentences that follow:
ACK
filter
HTTP
packet
packet delivery
port
session
SYN
SYN/ACK
three-way handshake
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Wireshark
1. Wireshark captures ____________________ sent across the network.
2. The ____________________ will show you only the packets you are looking for.
3. ____________________ is the packet sent to acknowledge the completion of the three-way handshake and thus the beginning of communications.
4. ____________________ is a connection-oriented protocol and implements the three-way handshake as its basis for communication.
5. ____________________ is a packet sent to acknowledge the receipt of the original SYN packet.
6. ____________________ is a connectionless protocol.
7. UDP does not guarantee ___________________.
Follow-Up Labs • Lab 4.1: IP Address and Port Scanning, Service Identity Determination Now that you are familiar with Wireshark and how ARP and port connections work, you will see how to discover devices on the network and the ports they have open.
• Lab 8.2: Using SSH SSH can be used to encrypt traffic so that the content is hidden from Wireshark and other sniffers.
Suggested Experiments 1. Start a Wireshark capture. Log in to your e-mail account or other online account. What kind of data is captured? Can anything be exploited? 2. Try the same capture with other TCP-based applications such as Telnet, FTP, or SMTP. 3. Streaming audio and video is typically done using UDP. Capture some packets from a streaming source and verify this by analyzing whether the packets are TCP or UDP.
References • ARP
• www.faqs.org/rfcs/rfc826.html • www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/arp.mspx
• HTTP www.w3.org/Protocols/rfc2616/rfc2616.html
• TCP www.faqs.org/rfcs/rfc793.html
• Three-way handshake RFC 793, section 3.4, “Establishing a connection” (www.faqs.org/rfcs/rfc793.html)
• UDP www.faqs.org/rfcs/rfc768.html
• Wireshark www.wireshark.org/
• Principles of Computer Security, Fourth Edition (McGraw-Hill Education, 2015), Chapter 9
Lab 2.2: Port Connection Status Netstat is an important utility for network administrators. It is used to display active TCP connections and UDP endpoints, Ethernet statistics, and the IP routing table. A port can be in any one of a number of states. A TCP port in the listening state is waiting for a client to begin a three-way handshake; once the handshake completes, the resulting connection is in the established state, while the listening port itself stays open to accept further clients.
Learning Objectives After completing this lab, you will be able to
• Name the command used to display protocol statistics and current TCP/IP network connections
• Understand how a computer can manage multiple communications through the use of ports
• List the switches that can be added to the netstat command to increase its functionality
10 MINUTES
Lab 2.2w: Windows-Based Port Connection Status In this lab you will use the Windows netstat command to analyze an FTP connection and an HTTP connection to a server.
Materials and Setup You will need the following:
• Windows 7 Professional
• Windows 2008 Server
Lab Steps at a Glance
Step 1: Log on to the Windows 7 Professional and Windows 2008 Server PCs.
Step 2: Use the netstat command to look at the open ports on the Windows 2008 Server machine.
Step 3: From the Windows 7 machine, establish an FTP connection and an HTTP connection to the Windows 2008 Server machine.
Step 4: Use the netstat command to look at the connections on the Windows 2008 Server machine.
Step 5: Log off from both the Windows 2008 Server and Windows 7 PCs.
Lab Steps
Step 1: Log on to the Windows 7 Professional and Windows 2008 Server PCs.
1. On the Windows 7 PC, at the Login screen, click the Admin icon and then type adminpass in the password text box.
2. On the Windows 2008 Server PC, press CTRL-ALT-DEL at the Login screen, enter the username administrator and the password adminpass, and then click OK.
Step 2: Use the netstat command to look at the open ports on the Windows 2008 Server machine. A server will have several ports in a listening state. A port that is in a listening state is waiting for a request to connect.
To view the open ports on the Windows 2008 Server computer, follow these steps:
1. Click Start; type cmd in the Search Programs And Files box and press ENTER. 2. At the command line, type netstat /? and press ENTER.
a. Observe the display options for the network connection. b. What option displays the ports in use by number? c. What option lists all connections and listening ports? d. What option shows the programs that created each connection?
3. At the command line, type netstat –na and press ENTER.
Note
If the text scrolls up off the screen, maximize the Command Prompt window and use the scroll bar on the right to adjust your view of the text.
a. Observe the ports that are in a listening state. b. How many ports are in a listening state? c. What port numbers are used for FTP and HTTP? d. Are those ports in a listening state? e. Why are so many ports open, and do they all need to be open? f. Should you be concerned that so many ports are open?
Step 3: From the Windows 7 machine, establish an FTP connection and an HTTP connection to the Windows 2008 Server machine. From the Windows 7 machine, follow these steps:
1. Click Start; type cmd in the Search Programs And Files box and press ENTER. 2. At the command line, type ftp 192.168.100.102 and press ENTER.
3. At the login prompt, type administrator and press ENTER. 4. At the password prompt, type adminpass and press ENTER.
Leave the command line open to see the results. 5. Choose Start | Internet Explorer. 6. In the address box, type 192.168.100.102 and press ENTER.
Step 4: Use the netstat command to look at the connections on the Windows 2008 Server machine.
1. At the command line of the Windows 2008 Server machine, type netstat. 2. After a brief pause, you should get output that looks like the following:
Note
If you do not see the HTTP connection the first time you do this, refresh Internet Explorer and then, at the command line, retype netstat and press ENTER.
Even though you are connected to the same machine twice, the use of port assignments keeps information in the FTP session separate from information in the HTTP session. The combination of an IP address and port number is called a socket.
3. You connected to the server on well-known ports (21 for FTP, 80 for HTTP) from ephemeral ports (ports numbered above 1023, chosen by the client for each new connection). The output listed in step 2 shows a connection between port 1065 locally and port 21 (FTP) on the remote machine, and another from local port 1068 to port 80 (HTTP). Your port numbers will differ; Windows Vista and later pick ephemeral ports from 49152 upward, so expect values in the 49000s rather than the 1000s. a. In your output of netstat, what port is connected to FTP? b. In your output of netstat, what port is connected to HTTP?
Step 5: Log off from both the Windows 2008 Server and Windows 7 PCs.
1. To log off from the Windows 2008 Server PC, choose Start | Log Off. 2. To log off from the Windows 7 PC, choose Start | Log Off.
10 MINUTES
Lab 2.2l: Linux-Based Port Connection Status
Materials and Setup You will need the following:
• Kali
• Metasploitable
Lab Steps at a Glance
Step 1: Log on to the Metasploitable and Kali PCs.
Step 2: Use the netstat command to look at the open ports on the Metasploitable PC.
Step 3: Using the Kali PC, establish an FTP connection and an HTTP connection to the Metasploitable PC.
Step 4: Use the netstat command to look at the connections on the Metasploitable PC.
Step 5: Trace the port to a process.
Step 6: Close Iceweasel and log out of the GUI on the Kali PC.
Step 7: Log off from both the Metasploitable and Kali PCs.
Lab Steps
Step 1: Log on to the Metasploitable and Kali PCs. To log on to the Metasploitable PC, follow these steps:
1. At the login prompt, type user and press ENTER. 2. At the password prompt, type user and press ENTER.
Note
You will not see any characters as you type in the password.
To log on to the Kali PC, follow these steps:
3. At the login screen, click Other.
4. In the Username text box, type root and press ENTER. 5. In the Password text box, type toor and press ENTER.
Step 2: Use the netstat command to look at the open ports on the Metasploitable PC. A server will have several ports in a listening state. A port that is in a listening state is waiting for a request for a connection to be established to it.
To use the netstat command on the Metasploitable PC, follow these steps: 1. At the command line, type netstat -h and press ENTER.
a. Observe the options. b. What option displays the ports in use by number? c. What option shows all connections and listening ports?
2. At the command line, type netstat –tuna and press ENTER.
Note
If the text scrolls up off the screen, use SHIFT-PAGE UP and SHIFT-PAGE DOWN to scroll the console, or pipe the output through a pager by typing netstat –tuna | less (press q to exit).
a. Observe the ports that are in a “listening” state. b. How many ports are in a listening state? c. What port numbers are used for HTTP and FTP? d. Are those ports in a listening state? e. Why are so many ports open, and do they all need to be open? f. Should you be concerned that so many ports are open?
Step 3: Using the Kali PC, establish an FTP connection and an HTTP connection to the Metasploitable PC. You will now connect to the Metasploitable PC on well-known ports (21 for FTP and 80 for HTTP) from ephemeral ports (ports with a number greater than 1023). The output you examine in Step 4 will show each connection as a local well-known port paired with a remote ephemeral port; on Linux the client side is normally chosen from the kernel’s local port range (typically 32768 and above), so your numbers will differ from the 1065 and 1068 of the Windows example.
1. On the Kali PC, click the Terminal icon, as shown in Figure 2-5. 2. At the command line, type ftp 192.168.100.202 and press ENTER. 3. At Name (192.168.100.202:root), type user and press ENTER. 4. At Password, type user and press ENTER.
Now view a web page on the server by following these steps: 5. Click the Iceweasel icon at the top. 6. In the address bar, type http://192.168.100.202/ and press ENTER.
FIGURE 2-5 The Terminal shell
Step 4: Use the netstat command to look at the connections on the Metasploitable PC.
1. At the command line, type netstat –tn. 2. After a brief pause, you should get output that looks like the following:
Note
If you do not see port 80 the first time you do this, refresh Iceweasel and then, at the command line, retype netstat –tn and press ENTER.
Even though you are connected to the same machine twice, the use of port assignments keeps information in the FTP session separate from information in the HTTP session. The combination of IP address and port number is called a socket. a. From the output displayed by the netstat command, what port is connected to FTP? b. From the output displayed by the netstat command, what port is connected to HTTP?
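As an added example that is not part of the lab (it illustrates both the Windows Step 4 above and this Linux Step 4), the following Python script reads the same socket table that netstat –tn prints, straight from /proc/net/tcp, and sorts the entries into listening ports and established connections. The sample table embedded in it is constructed: the Kali address 192.168.100.201 is assumed, since only the Metasploitable address appears in the lab. Run on the Metasploitable PC, or any Linux host, it parses the live table instead.

```python
import os
import socket
import struct

# Kernel TCP state codes as printed in the st column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Subset of well-known ports used in this chapter (the full list is /etc/services).
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
              80: "http", 110: "pop3", 143: "imap"}

# Constructed sample table: FTP, HTTP and Telnet listening on all interfaces,
# plus one FTP and one HTTP connection from an assumed Kali address of
# 192.168.100.201 (the lab gives only the Metasploitable address, .202).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5123 1 f6e0c000 300 0 0 2 -1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5210 1 f6e0c400 300 0 0 2 -1
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5301 1 f6e0c800 300 0 0 2 -1
   3: CA64A8C0:0015 C964A8C0:A4F2 01 00000000:00000000 00:00000000 00000000  1000        0 7712 1 f6e0d000 20 4 30 10 -1
   4: CA64A8C0:0050 C964A8C0:A4F6 01 00000000:00000000 00:00000000 00000000    33        0 7740 1 f6e0d400 20 4 30 10 -1
"""


def _decode_addr(field):
    """'CA64A8C0:0015' -> ('192.168.100.202', 21). The kernel prints the IPv4
    address in host byte order, which is little-endian on x86."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket: local and remote (ip, port), state name, owner uid."""
    rows = []
    for line in text.splitlines()[1:]:   # the first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        rows.append({
            "local": _decode_addr(fields[1]),
            "remote": _decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return rows


def listening_ports(rows):
    return sorted({r["local"][1] for r in rows if r["state"] == "LISTEN"})


def established(rows):
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def is_ephemeral(port):
    return port > 1023   # the lab's definition; Linux normally allocates from 32768 upward


def describe(row):
    """One netstat-style line with the well-known service name filled in."""
    (lip, lport), (rip, rport) = row["local"], row["remote"]
    service = WELL_KNOWN.get(lport, "?")
    return f"{lip}:{lport} ({service}) {row['state']} remote {rip}:{rport}"


def read_live():
    """Parse the real table when run on Linux; returns [] elsewhere."""
    if not os.path.exists("/proc/net/tcp"):
        return []
    with open("/proc/net/tcp") as f:
        return parse_proc_net_tcp(f.read())


if __name__ == "__main__":
    for row in read_live() or parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(describe(row))
```

The two established rows are the sockets from this step: the server’s well-known port on the left, the client’s ephemeral port on the right, and the uid column telling you which account’s process owns each end (the FTP session runs as the logged-in user, the web server as its own service account). Everything netstat or lsof shows you for TCP comes from this table.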
Step 5: Trace the port to a process.
1. At the command line, type lsof > ~/lsof and press ENTER. 2. Type less ~/lsof and press ENTER. What is the process ID for the FTP connection? 3. Type q to exit the less output. 4. At the command line, type ps –ax and press ENTER. What information is given for the FTP process ID?
Tip
To list only network sockets, with numeric addresses and ports, type lsof -i -nP; lsof -i :21 narrows the list to the FTP port. Sockets belonging to other users’ processes appear only when you run lsof as root.
Step 6: Close Iceweasel and log out of the GUI on the Kali PC.
1. In the Iceweasel window, click the x in the upper-right corner. 2. On the Kali PC, choose K Menu | Log Out and click Log Out again.
Step 7: Log off from both the Metasploitable and Kali PCs.
1. At the Metasploitable PC command line, type logout and press ENTER. 2. On Kali, click the Root icon in the top-right corner and select logout.
Lab 2.2 Analysis Questions The following questions apply to the labs in this section:
1. What is the netstat command used for?
2. What options would you use with the netstat command to show only TCP connections?
3. What option would you use with the netstat command to show statistics for each protocol?
4. Look at the following output from the netstat command and explain what it means:
5. Look at the following output from the netstat command and explain what it means:
6. You need to look at the routing table for a computer connected to your local area network. What command would you use to view the routing table?
Lab 2.2 Key Terms Quiz Use these key terms from the labs to complete the sentences that follow:
established state
HTTP
listening state
netstat
port
session
socket
states
TCP connections
UDP connections
1. Active connections on a computer system can be displayed by entering ____________________ at the command line.
2. The line 216.239.39.147:80 ESTABLISHED indicates an active connection to a computer system on ____________________ 80.
3. The ____________________ information displayed by the netstat command shows the current status of the connection.
4. The combination of an IP address and its associated port is referred to as a(n) ____________________.
5. The command netstat -p tcp will show ____________________.
Follow-Up Lab • Lab 6.1: Trojan Attacks Commands used in this lab will help to show when your computer
may be infected with a Trojan.
Suggested Experiments 1. On your computer at home, run the netstat command and look at the ports that are open. List
the ports that are open and identify what they are used for. Which ports are open that don’t need to be?
2. Install and run the utility fport from Foundstone (www.foundstone.com). Fport will show you the applications associated with the ports that are open.
References • Netstat
• www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx • www.linuxhowtos.org/Network/netstat.htm
• TCP • RFC 793: TCP www.faqs.org/rfcs/rfc793.html
• UDP • RFC 768: UDP www.faqs.org/rfcs/rfc768.html
• Principles of Computer Security, Fourth Edition (McGraw-Hill Education, 2015), Chapter 9
Chapter 3 Network Applications
Labs • Lab 3.1 FTP Communication (FTP-HTTP)
Lab 3.1w Windows FTP Communication (FTP-HTTP) Lab 3.1l Linux FTP Communication (FTP-HTTP)
Lab 3.1 Analysis Questions Lab 3.1 Key Terms Quiz
• Lab 3.2 E-mail Protocols: SMTP and POP3 Lab 3.2m Windows E-mail: SMTP and POP3 Lab 3.2l Linux E-mail: SMTP and POP3
Lab 3.2 Analysis Questions Lab 3.2 Key Terms Quiz
This chapter contains lab exercises that are designed to illustrate various applications and how they communicate using TCP/IP protocols. Applications using both Windows PCs and Linux-based PCs are covered. This chapter examines the nature of communications with HTTP, FTP, and e-mail transmissions. Understanding the nature of the data communications with these protocols is a necessary step toward establishing secure connections.
The lab exercises are built upon the tools demonstrated in earlier labs. Wireshark and netstat are used with both the Windows and Linux platforms to illustrate the clear-text packet transfer of data between applications. E-mail is a common application used in networks, yet few people understand how e-mail protocols work.
Looking at applications and their communication methods serves two purposes. First, it introduces the protocols used by these applications. Second, it demonstrates the use of the tools presented in earlier labs to examine the inner workings of these protocols. This chapter consists of four lab exercises designed to introduce network connectivity and basic network tools in the Linux and Windows environments.
Lab 3.1: FTP Communication (FTP-HTTP) Most networks were developed and designed for sharing files. File Transfer Protocol (FTP) is a protocol used for this purpose. FTP is an important protocol to become familiar with because it is often utilized to upload and download files from a server; furthermore, it is often the target of attackers.
Hypertext Transfer Protocol (HTTP) is a lightweight and fast application-layer protocol that can also be used to share files. Hypertext Markup Language (HTML) is the language in which files can be written to display specially formatted text or link to other files and resources.
In this lab, you will use the Windows FTP application to upload a simple web page to a server, and then you will view it from a browser.
Learning Objectives After completing this lab, you will be able to
• Create a simple web page using HTML and a text editor
• Upload a web page to a Windows-based web server
• View a page using a web browser
20 MINUTES
Lab 3.1w: Windows FTP Communication (FTP-HTTP)
Materials and Setup You will need the following:
• Windows 7
• Windows 2008 Server
Lab Steps at a Glance
Step 1: Start the Windows 2008 Server and Windows 7 machines. Log on only to the Windows 7 machine.
Step 2: Create a simple web page.
Step 3: View the web page in Internet Explorer.
Step 4: Upload the web page.
Step 5: Use Internet Explorer to view the web page from the web server.
Step 6: Log off from the Windows 7 PC.
Lab Steps
Step 1: Start the Windows 2008 Server and Windows 7 machines. Log on only to the Windows 7 machine. To log on to the Windows 7 PC, follow these steps:
1. At the Login screen, click the Admin icon. 2. In the password text box, type adminpass and press ENTER.
Step 2: Create a simple web page. To create this web page, you are going to use HTML. HTML is not a programming language but rather a markup language: it tells a web browser how to display text on the screen. HTML is composed of tags that surround the text that the tag affects. All HTML files are saved with either an .htm or .html file extension. In this exercise, you will create a web page with the message “This page is under construction” using HTML. Pay careful attention to how the tags are written because HTML is unforgiving of spelling errors and will either display your web page incorrectly or not display it at all if you misspell tags.
To create a simple web page using the Windows 7 PC, follow these steps:
1. Open the Start menu.
2. In the Search box, type notepad and press ENTER. 3. In Notepad, type the following text:
4. In Notepad, choose File | Save. 5. In the File Name combo box, type default.htm. 6. Under Libraries, on the left side, select Documents. 7. In the Save As Type combo box, select All Files (*.*) from the drop-down list. 8. Click Save. 9. Close Notepad by clicking the x in the upper-right corner.
Step 3: View the web page in Internet Explorer.
1. Choose Start | Documents. 2. In the Documents window, double-click default.htm.
You will see the web page that you will be uploading to the web server. 3. In the Internet Explorer window, click the x to close the window. 4. In the Documents window, click the x to close the window.
Step 4: Upload the web page. To upload the web page using Windows 7, follow these steps:
1. Open the Start menu. 2. In the Search box, type cmd and press ENTER. 3. At the command line, type cd C:\Users\user1\Documents and press ENTER.
Note
If your command prompt is C:\Users\Administrator>, you can just type cd Documents at the prompt.
4. At the command line, type ftp 192.168.100.102 and press ENTER. 5. At User (192.168.100.102:none), type administrator and press ENTER. 6. At the password prompt, type adminpass and press ENTER.
Before you upload the file, take a look at some of the commands in FTP by following steps 7 and 8.
7. At the ftp prompt, type help and press ENTER. a. Observe the list of commands. b. To find out more about an individual command, insert a question mark in front of the command. 8. At the ftp prompt, type ? ls and press ENTER.
a. What does typing the ls command at the ftp prompt do? b. Which command do you use to change the local working directory? c. Which command is used to upload a file? Upload the web page now, as described in steps 9 and 10.
9. At the ftp prompt, type send default.htm and press ENTER. Refer to Figure 3-1. 10. Click Allow Access in the Windows Security Alert window. 11. At the ftp prompt, type bye and press ENTER to exit the FTP session.
FIGURE 3-1 Uploading a web page with the ftp command in Windows
Step 5: Use Internet Explorer to view the web page from the web server.
1. Choose Start | Internet Explorer. 2. In the Internet Explorer address bar, type http://192.168.100.102 and press ENTER. Refer to
Figure 3-2. a. You should now see the web page that was just uploaded. b. What might an attacker use the FTP program and FTP server to do?
FIGURE 3-2 Viewing the web page over the network
Step 6: Log off from the Windows 7 PC. At the Windows 7 PC, follow these steps:
1. Choose Start | Log Off. 2. At the Log Off Windows screen, click Log Off.
30 MINUTES
Lab 3.1l: Linux FTP Communication (FTP-HTTP)
Materials and Setup You will need the following:
• Metasploitable
• Kali
Lab Steps at a Glance
Step 1: Start the Kali and Metasploitable PCs. Log on only to the Kali PC.
Step 2: Create a simple web page.
Step 3: View the web page in Iceweasel.
Step 4: Upload the web page.
Step 5: Open Iceweasel and view the web page from the web server.
Step 6: Log off from the Kali PC.
Lab Steps
Step 1: Start the Kali and Metasploitable PCs. Log on only to the Kali PC. To log on to the Kali PC, follow these steps:
1. At the login prompt, select Other, type root, and press ENTER. 2. At the password prompt, type toor and press ENTER.
Step 2: Create a simple web page. To create this web page, you are going to use HTML. HTML is not a programming language but rather a markup language that tells a web browser how to display text on the screen. HTML is composed of tags that surround the text that the tag affects. All HTML files are saved as either .htm or .html files. In this exercise, you will create a web page that does not have a title and displays the sentence “This page is under construction.” Pay careful attention to how the tags are written because HTML is unforgiving of spelling errors and will either display your web page incorrectly or not display it at all if you misspell tags.
1. Click the Terminal icon at the top. 2. At the command line, type nano and press ENTER. (Nano is a text editor.) 3. In nano, type the following:
4. Press ctrl-x to exit. 5. Press y to save the document. 6. Type index.html and press ENTER.
Note
The file (which is the name of the home page) must be saved as index.html in order to be displayed by a web browser over the Internet without having to specify the name of the page. If the file is saved as anything else, then step 5 that follows will not work correctly.
Step 3: View the web page in Iceweasel.
1. In the taskbar, click the icon for the Iceweasel web browser. 2. In Iceweasel, choose File | Open File. 3. Navigate to the root folder, select index.html, and click Open.
You will see the web page that you will be uploading to the web server. 4. Close Iceweasel.
Step 4: Upload the web page.
1. At the command line, type ftp 192.168.100.202 and press ENTER. 2. At Name (192.168.100.202:root), type user and press ENTER. 3. At the password prompt, type user and press ENTER.
Before you create a directory and upload the file, take a look at some of the commands in FTP by following steps 4 to 6.
4. At the ftp prompt, type help and press ENTER. 5. Observe the list of commands.
Tip
To find out more about an individual ftp command, type ? in front of the command.
6. At the ftp prompt, type ? ls and press ENTER.
a. What does typing the ls command at the ftp prompt do? b. After you use ? at the ftp prompt, which command do you use to change the remote working directory? c. Which command is used to retrieve a file? Now, create a directory and upload your web page, as described in steps 7 to 10.
7. At the ftp prompt, type mkdir public_html and press ENTER. 8. At the ftp prompt, type cd public_html. 9. At the ftp prompt, type send index.html and press ENTER. 10. At the ftp prompt, type bye and press ENTER to exit the FTP session.
Step 5: Open Iceweasel and view the web page from the web server.
1. In the taskbar, click the icon for the Iceweasel web browser. 2. In the address bar, type http://192.168.100.202/~user/ and press ENTER.
You should now see the web page that was just uploaded.
Step 6: Log off from the Kali PC. Click root in the upper-right corner and select Shut Down.
Lab 3.1 Analysis Questions The following questions apply to the labs in this section:
1. What is FTP used for?
2. As the administrator for a web server, you must often connect to the server via FTP. Today you are working from home and must connect to the server, whose address is 100.10.10.1. What are the steps you would take to connect to the server?
3. You have just successfully connected to a remote FTP server. You need to get a listing of the files in the current directory. What is the command to display a list of files and directories in the current directory?
4. You have just been hired as the webmaster for www.yoursite.com. You need to upload the company’s new home page to the server via FTP. You have just connected to the server via FTP. How would you go about sending the file homepage.html to the server?
5. You need to download the financial report Finance_Report.txt from your company’s server. You have connected to the server via FTP and have navigated to the appropriate directory where the file is located. How would you go about downloading the file to your local computer?
Lab 3.1 Key Terms Quiz Use these key terms from the labs to complete the sentences that follow:
extension
File Transfer Protocol (FTP)
Hypertext Markup Language (HTML)
Hypertext Transfer Protocol (HTTP)
send
tags
upload
1. A protocol used for uploading and downloading files is ____________________.
2. ____________________ is composed of tags that tell a web browser how to display a web page.
3. HTML markup ____________________ are used to describe how sections of text should be handled.
4. Web pages must be saved with the ____________________ of .htm or .html.
5. The FTP command ____________________ would be used to upload your web pages to the server.
Follow-Up Lab • Lab 8.3: Using Secure Copy (SCP) SCP will encrypt file transfer traffic.
Suggested Experiment Connect to the FTP server and test some of the other commands listed in the help section.
References • FTP
• RFC 959 www.faqs.org/rfcs/rfc959.html
• HTML www.w3.org/html/wg/
• HTTP • RFC 2616 www.faqs.org/rfcs/rfc2616.html
• Principles of Computer Security, Fourth Edition (McGraw-Hill Education, 2015), Chapter 11
Lab 3.2: E-mail Protocols: SMTP and POP3
Simple Mail Transfer Protocol (SMTP) is used for sending e-mail messages between servers and operates on TCP port 25. Messages that have been delivered are retrieved by using either Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4 (IMAPv4). POP3 operates on TCP port 110, and IMAP operates on TCP port 143. An e-mail client is usually configured to speak these protocols on the user’s behalf, which hides them and makes e-mail easier to manage.
It is important to understand how e-mail works, since it is widely used and often abused. SMTP itself does not verify that the sender named in the envelope (mail from) or in the From: header has anything to do with the connecting client, so addresses are easily spoofed (forged to impersonate another sender), and messages are a common carrier for virus-infected attachments.
In this lab you will use the program Telnet to connect to an SMTP server and send an e-mail. You will then use Telnet to connect to the POP3 server to retrieve the e-mail. Telnet is used because it does one simple thing: it opens a TCP connection for user interaction. Whatever the user types is sent through the TCP connection, and whatever the remote machine sends is displayed to the user. Nothing is encrypted, so everything you type in this lab, including the POP3 password in Step 4, crosses the network in cleartext.
Learning Objectives
After completing this lab, you will be able to
• Telnet via the Linux command line
• Send e-mail via the Linux command line
• Connect to a POP3 port and read e-mail on a Linux machine
30 MINUTES
Lab 3.2m: Windows E-mail: SMTP and POP3
Materials and Setup
You will need the following:
• Windows 7
• Metasploitable
Lab Steps at a Glance
Step 1: Start the Windows 7 and Metasploitable PCs. Log on only to the Windows 7 machine.
Step 2: Telnet to the mail server.
Step 3: Send e-mail via the command line.
Step 4: Connect to the POP3 port and read the e-mail.
Step 5: Log off from the Windows 7 PC.
Lab Steps
Step 1: Start the Windows 7 and Metasploitable PCs. Log on only to the Windows 7 machine.
To log on to the Windows 7 PC, follow these steps:
1. At the Login screen, click the Admin icon.
2. In the password text box, type adminpass and press ENTER.
Step 2: Telnet to the mail server. Normally, you connect to a mail server with a mail client. However, a mail client hides the protocol exchange from you. You will be using Telnet to connect to the mail server so that you can observe how SMTP is used to send mail.
To Telnet to the mail server from the Windows 7 machine, follow these steps:
1. Click Start, type cmd in the Search Programs And Files box, and press ENTER.
2. Type telnet and press ENTER.
3. At the telnet prompt, type set localecho and press ENTER.
4. At the telnet prompt, type open 192.168.100.202 25 and press ENTER.
Note
The number 25 is a port number and should be typed after a space.
a. Wait a few seconds for the connection to be established.
b. Observe any messages.
c. What is the purpose of typing 25 at the end of the command?
Note
All commands to the SMTP server start with a four-character word. The server is designed for another computer to talk to it and does not accept backspace characters. If you make a mistake, press ENTER, wait for the error message (which will start with a three-digit code between 500 and 599; codes beginning with 2 or 3 mean the command was accepted, 4 or 5 that it failed), and then retype the line in which you made a mistake.
Also, note that the prompt is a flashing cursor.
Step 3: Send e-mail via the command line. You are going to use SMTP commands to send an e-mail message from the Windows 7 machine to the Metasploitable machine.
To send e-mail via the command line, follow these steps:
1. At the prompt, type helo localhost and press ENTER. The helo command is used for the client to say “hello” to the server and initiate communications. The server does not verify the name you give; it simply records it in the Received: header of the e-mail that is delivered to the user. (The data command, used in step 4, is what begins the body of the e-mail.)
2. At the prompt, type mail from: root@linuxserv.security.local and press ENTER.
3. At the prompt, type rcpt to: labuser@linuxserv.security.local and press ENTER.
4. At the prompt, type data and press ENTER.
5. Type the following (press ENTER after you type each line):
From: root
To: labuser
Subject: test message from (your name)
6. Press ENTER to create a blank line. The blank line is used to separate the heading of the e-mail from the body of the e-mail.
7. Type a message that is at least three lines long. When you are done with your message, you must type a period on a line by itself. So, for example, the message might look like the following (refer to Figure 3-3):
Note
The period on the last line by itself is mandatory. This is how SMTP will know that your message is finished.
a. What message did you get from the mail server?
b. Can you think of a way that this process could be exploited?
8. Type quit and press ENTER.
9. Again, type quit and press ENTER.
FIGURE 3-3 Using Telnet and SMTP to send an e-mail
In this section, you sent a message to the account labuser. You can now check whether this mail message was delivered successfully. If you wanted, you could view this mail message with any standard mail client. For now, you will connect to the POP3 server (running on port 110 of your server) and view that mail message.
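The Step 3 dialogue, replayed in code rather than typed into Telnet. This is an added example, not code from the lab manual: FakeSmtpServer is a constructed stand-in that speaks just enough SMTP for the lab's command sequence, so the block runs offline; the host name, the root and labuser addresses and the example "attacker.example" sender are constructed values. It shows the two things the lab's questions point at: why the lone period is mandatory (and why a body line consisting of a single period must be sent as two periods, the "transparency" rule of RFC 5321), and that the server accepts whatever mail from: and From: values the client types, which is what makes spoofing trivial.

```python
"""Replay of the Lab 3.2 SMTP dialogue against an in-memory stand-in server."""

LAB_HEADERS = ["From: root", "To: labuser", "Subject: test message from (your name)"]


class FakeSmtpServer:
    """Just enough of RFC 5321 for the lab's sequence: HELO, MAIL, RCPT, DATA, '.', QUIT.

    Constructed stand-in for the Metasploitable mail server, not a real MTA."""

    def __init__(self, hostname="linuxserv.security.local"):
        self.hostname = hostname
        self.state = "greeting"      # greeting -> mail -> data -> mail ...
        self.envelope = {}           # MAIL FROM / RCPT TO: what delivery actually uses
        self.message = []            # lines received between DATA and the lone '.'
        self.delivered = []          # (envelope, lines) for each completed message

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Reply to one client line, or None for a body line (no reply until '.')."""
        if self.state == "data":
            if line == ".":                                  # lone period ends DATA
                self.delivered.append((dict(self.envelope), list(self.message)))
                self.message, self.state = [], "mail"
                return "250 OK: queued"
            # transparency: the client sent '..x' for a real body line '.x'
            self.message.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.state = "mail"
            return f"250 {self.hostname} Hello {arg}"      # HELO name is never verified
        if verb == "MAIL" and self.state == "mail":
            self.envelope = {"from": arg.partition(":")[2].strip()}   # not verified either
            return "250 OK"
        if verb == "RCPT" and "from" in self.envelope:
            self.envelope["to"] = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "DATA" and "to" in self.envelope:
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Syntax error, command unrecognized"


def dot_stuff(line):
    """Client-side transparency: a body line beginning with '.' gets one more '.'."""
    return "." + line if line.startswith(".") else line


def send_message(server, mail_from, rcpt_to, headers, body_lines, stuff=True):
    """Type the lab's Step 3 sequence at the server; return (transcript, code after '.')."""
    transcript = [("S", server.greeting())]

    def cmd(line):
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
        return reply

    cmd("helo localhost")
    cmd(f"mail from: {mail_from}")
    cmd(f"rcpt to: {rcpt_to}")
    cmd("data")
    for header in headers:
        cmd(header)
    cmd("")                                  # blank line: end of headers
    for line in body_lines:
        cmd(dot_stuff(line) if stuff else line)
    final = cmd(".")                         # the mandatory lone period
    cmd("quit")
    return transcript, final.split()[0]


def header_vs_envelope(server):
    """(envelope MAIL FROM, header From:) of the last delivered message; SMTP checks neither."""
    envelope, lines = server.delivered[-1]
    headers = dict(line.partition(":")[::2] for line in lines[:lines.index("")])
    return envelope["from"], headers.get("From", "").strip()


if __name__ == "__main__":
    srv = FakeSmtpServer()
    body = ["line one of the test message", ".", "line three: the lone period above survived"]
    transcript, code = send_message(srv, "root@linuxserv.security.local",
                                    "labuser@linuxserv.security.local", LAB_HEADERS, body)
    for side, line in transcript:
        print(f"{side}: {line}")
    print("final code:", code, "| envelope vs header From:", header_vs_envelope(srv))
```

Run with stuff=False and the same three-line body, and the middle line ends the message early: the server queues a one-line message and answers the remaining lines with 500. That is the failure mode behind the Note above, and the reason real clients double the leading period.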
Step 4: Connect to the POP3 port and read the e-mail.
1. Type telnet at the command line and press ENTER.
2. In Telnet, type open 192.168.100.202 110 and press ENTER.
3. At the command line, type user labuser and press ENTER.
What is the message you get in response?
Note
You may need to wait at least 45 seconds after pressing ENTER to see the message.
4. At the command line, type pass password and press ENTER.
What message did you get?
5. At the command line, type list and press ENTER.
a. What message did you get?
b. What do you think the purpose of this command is?
6. At the command line, type retr 1 and press ENTER. Refer to Figure 3-4. What significance, if any, do you think that the number 1 has in the command?
7. At the command line, type dele 1 and press ENTER.
8. Exit the POP session. At the prompt, type quit and press ENTER.
9. Again, type quit and press ENTER.
FIGURE 3-4 Using Telnet and POP3 to retrieve e-mail
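The Step 4 dialogue, replayed in code. This is an added example, not code from the lab manual: FakePop3Server is a constructed stand-in that speaks just enough POP3 (RFC 1939) for user, pass, list, retr, dele and quit, and LAB_MESSAGE is a constructed copy of the message sent in Step 3; the labuser/password pair is the lab's own. The client shows how to read the +OK/-ERR status line, how multi-line replies (list, retr) are terminated by a lone period with the same byte-stuffing rule as SMTP, that dele only marks a message and quit is what removes it, and that the password is visible to anyone who can see the session, which is the point of the Telnet exercise.

```python
"""Replay of the Lab 3.2 POP3 dialogue against an in-memory stand-in server."""

# The lab message as it sits in labuser's mailbox; constructed for this example.
LAB_MESSAGE = "\r\n".join(["From: root", "To: labuser",
                           "Subject: test message from (your name)", "",
                           "line one of the test message", ".",
                           "line three: the lone period above survived"])


class FakePop3Server:
    """Just enough of RFC 1939 for the lab. Constructed stand-in for the Metasploitable server."""

    def __init__(self, mailbox, users):
        self.mailbox = list(mailbox)   # message texts, CRLF-separated lines
        self.users = users             # {username: password}, cleartext as in the lab
        self.user, self.authed, self.deleted = None, False, set()

    def greeting(self):
        return ["+OK POP3 server ready"]

    def handle(self, line):
        """Reply to one client line as a list of lines; multi-line replies end with '.'."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":             # only now are DELE-marked messages removed
            self.mailbox = [m for i, m in enumerate(self.mailbox, 1) if i not in self.deleted]
            return ["+OK Logging out."]
        if verb == "USER":
            self.user = arg
            return ["+OK"]
        if verb == "PASS":
            self.authed = self.user is not None and self.users.get(self.user) == arg
            return ["+OK Logged in."] if self.authed else ["-ERR [AUTH] Authentication failed."]
        if not self.authed:
            return ["-ERR Unknown command."]
        if verb == "LIST":
            live = [(i, m) for i, m in enumerate(self.mailbox, 1) if i not in self.deleted]
            return [f"+OK {len(live)} messages:"] + [f"{i} {len(m)}" for i, m in live] + ["."]
        if verb in ("RETR", "DELE"):
            n = int(arg) if arg.isdigit() else 0
            if not 1 <= n <= len(self.mailbox) or n in self.deleted:
                return [f"-ERR There's no message {arg}."]
            if verb == "DELE":
                self.deleted.add(n)
                return ["+OK Marked to be deleted."]
            lines = self.mailbox[n - 1].split("\r\n")
            # byte-stuffing: a message line beginning with '.' is sent as '..' so that
            # the lone '.' terminator stays unambiguous
            stuffed = ["." + l if l.startswith(".") else l for l in lines]
            return [f"+OK {len(self.mailbox[n - 1])} octets"] + stuffed + ["."]
        return ["-ERR Unknown command."]


def parse_status(line):
    """Split a POP3 status line into (ok, text); every reply begins with +OK or -ERR."""
    status, _, text = line.partition(" ")
    if status not in ("+OK", "-ERR"):
        raise ValueError(f"malformed POP3 reply: {line!r}")
    return status == "+OK", text


def retrieve_all(server, username, password):
    """Run the lab's Step 4 sequence; return (transcript, messages as lists of lines)."""
    transcript = [("S", l) for l in server.greeting()]

    def cmd(line):
        transcript.append(("C", line))
        reply = server.handle(line)
        transcript.extend(("S", l) for l in reply)
        ok, _ = parse_status(reply[0])
        return ok, reply[1:]

    cmd(f"user {username}")
    ok, _ = cmd(f"pass {password}")
    if not ok:
        cmd("quit")
        return transcript, None
    _, listing = cmd("list")
    numbers = [int(entry.split()[0]) for entry in listing[:-1]]   # drop terminating '.'
    messages = []
    for n in numbers:
        ok, lines = cmd(f"retr {n}")
        if ok:   # undo byte-stuffing and drop the terminating '.'
            messages.append([l[1:] if l.startswith("..") else l for l in lines[:-1]])
            cmd(f"dele {n}")
    cmd("quit")
    return transcript, messages


def credentials_on_the_wire(transcript):
    """What anyone watching the Telnet/POP3 session sees: USER and PASS in cleartext."""
    seen = {}
    for side, line in transcript:
        verb, _, arg = line.partition(" ")
        if side == "C" and verb.lower() in ("user", "pass"):
            seen[verb.lower()] = arg
    return seen.get("user"), seen.get("pass")


if __name__ == "__main__":
    srv = FakePop3Server([LAB_MESSAGE], {"labuser": "password"})
    transcript, messages = retrieve_all(srv, "labuser", "password")
    for side, line in transcript:
        print(f"{side}: {line}")
    print("credentials observable on the wire:", credentials_on_the_wire(transcript))
```

credentials_on_the_wire is simply the client side of the transcript filtered for user and pass; a packet capture of the real session in this lab yields the same two values, which is why the follow-up lab replaces cleartext transfers with an encrypted channel.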
Step 5: Log off from the Windows 7 PC. At the Windows 7 PC, follow these steps:
1. Choose Start | Log Off.
2. At the Log Off Windows screen, click Log Off.