ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review
Lab Scenario
Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing systems that monitor for IT security breaches. Intrusion detection systems (IDSes) have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activity in a network. The key is to detect, and possibly prevent, activity that may compromise system security, or a hacking attempt in progress, including the reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity, issue alerts notifying administrators, and/or block a suspected connection. According to Amoroso, intrusion detection is a process of identifying and responding to malicious activity targeted at computing and networking resources. In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from its own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.
Lab Objectives
Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.
The objective of this lab is to help students learn to detect intrusions in a network, log them, and view all the log files. In this lab, you will learn how to:
- Install and configure Snort IDS
- Run Snort as a service
- Log Snort log files to Kiwi Syslog Server
- Store Snort log files to two output sources simultaneously
Lab Environment
To carry out this lab, you need:
- ActivePerl installed on the host machine to run Perl scripts
Lab Duration
Time: 40 Minutes
Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in using IDSes:
Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Lab Scenario
The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by reviewing IDS logs and packet captures while corroborating them with firewall logs, known vulnerabilities, and general trending data from the Internet. Attacks are becoming more sophisticated, so automatically reasoning about attack scenarios in real time and categorizing those scenarios becomes a critical challenge. These sources produce huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flow of events generated by IDS sensors makes it hard for security administrators to uncover hidden attack plans.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.
Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.
Lab Objectives
The objective of this lab is to familiarize students with IPSes and IDSes. In this lab, you will learn how to:
- Configure Oinkmaster
Lab Environment
To carry out this lab, you need:
Lab Duration
Time: 30 Minutes
Lab Tasks
TASK 1: Install Snort
4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.
19. Now navigate to C:\Snort, right-click the bin folder, and click CmdHere from the context menu to open it in a command prompt.
20. Type snort and press Enter.
[Screenshot: Administrator: C:\Windows\system32\cmd.exe - snort]
    C:\Snort\bin>snort
    Running in packet dump mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to passive.
    The DAQ version does not support reload.
    Acquiring network traffic from "\Device\NPF_{0FB09822-88B5-411F-AFD2-FE3735A977BB}".
    Decoding Ethernet

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.3.1-WIN32 GRE (Build 40)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2012 Sourcefire, Inc., et al.
               Using PCRE version: 8.10 2010-06-25
               Using ZLIB version: 1.2.3
21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and returns you to C:\Snort\bin.
22. Now type snort -W. This command lists the network interfaces Snort can capture on, with their index number, physical (MAC) address, IP address, device name, and description. In this environment the IP Address column reads disabled for every adapter; the index and physical address are what you need.
[Screenshot: Administrator: C:\Windows\system32\cmd.exe]
    Snort exiting

    C:\Snort\bin>snort -W

    Index  Physical Address   IP Address  Device Name                                          Description
    -----  -----------------  ----------  ---------------------------------------------------  -----------
    1      00:00:00:00:00:00  disabled    \Device\NPF_{0FB09822-88B5-411F-AFD2-FE3735A977BB}   Microsoft Corporation
    2      00:00:00:00:00:00  disabled    \Device\NPF_{0BFD2FA3-2E17-46E3-B614-0FC19B5DDA25}
    3      00:00:00:00:00:00  disabled    \Device\NPF_{1D13B78A-B411-4325-...}
    4      D4:BE:D9:C3:C3:CC  disabled    \Device\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}   Realtek PCIe GBE Family Controller

    C:\Snort\bin>
23. Observe your Ethernet driver index number and write it down. In the screenshots in this lab the index is 4 (the Realtek adapter, the only one that reports a physical address); substitute your own index in the commands that follow.
24. To start Snort on that interface in verbose packet dump mode, in the command prompt type snort -dev -i 4 and press Enter (-d dumps the application-layer data, -e shows the link-layer headers, and -v is verbose).
To specify a logging directory, type snort -dev -l ./log; Snort then automatically goes into packet logger mode.
25. You see rapidly scrolling text in the command prompt. It means Snort is capturing on the selected Ethernet driver and working properly.
[Screenshot: Administrator: C:\Windows\system32\cmd.exe - snort -dev -i 4]
    C:\Snort\bin>snort -dev -i 4
    Running in packet dump mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to passive.
    The DAQ version does not support reload.
    Acquiring network traffic from "\Device\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}".
    Decoding Ethernet

            --== Initialization Complete ==--

               Copyright (C) 1998-2012 Sourcefire, Inc., et al.
               Using PCRE version: 8.10 2010-06-25
               Using ZLIB version: 1.2.3

    Commencing packet processing (pid=2852)
    11/14-09:55:49.352079 ARP who-has 10.0.0.13 tell 10.0.0.10
26. Leave the Snort command prompt window open, and launch another command prompt window.
27. In the new command prompt, type ping google.com and press Enter.
28. Snort prints the ICMP echo request and reply packets generated by the ping in its own window as rapidly scrolling text. In packet dump mode no rules are loaded, so these are packet dumps, not alerts; alerts come later, once Snort runs in IDS mode.
To enable Network Intrusion Detection System (NIDS) mode, so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.
[Screenshot: Administrator: C:\Windows\system32\cmd.exe - snort -dev -i 4]
    11/14-09:58:17.496035 ARP who-has 10.0.0.13 tell 10.0.0.10
    11/14-09:58:18.352315 ARP who-has 10.0.0.13 tell 10.0.0.10
    11/14-09:58:19.352675 ARP who-has 10.0.0.13 tell 10.0.0.10
TASK 2: Configure the snort.conf File
Make sure to grab the rules for the version of Snort you are installing.
To log packets in tcpdump format and to produce minimal alerts, type: snort -b -A fast -c snort.conf.
Figure 1.7: Configuring the snort.conf file in Notepad++
33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line (Line 45), replace any with the IP address of the machine where Snort is running.
[Screenshot: C:\Snort\etc\snort.conf in Notepad++ at Line 41, "# Step #1: Set the network variables.  For more information, see README.variables"; the cursor is on Line 45, the HOME_NET line.]
Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.
35. If you have a DNS server, then change the DNS_SERVERS line by replacing $HOME_NET with your DNS server's IP address; otherwise, leave this line as it is.
36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
37. Remember that if you don't have any of these servers running on your machine, leave the line as it is. DO NOT make any changes to that line.
38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.
[Screenshot: C:\Snort\etc\snort.conf in Notepad++, Lines 103-117, after Step 38:]
    # Note for Windows users:  You are advised to make this an absolute path,
    # such as:  c:\snort\rules
    var RULE_PATH C:\Snort\rules
    var SO_RULE_PATH C:\Snort\so_rules
    var PREPROC_RULE_PATH C:\Snort\preproc_rules

    # If you are using reputation preprocessor set these
    # Currently there is a bug with relative paths, they are relative to where snort is
    # not relative to snort.conf like the above variables
    # This is completely inconsistent with how other vars work, BUG 89986
    # Set the absolute path appropriately
    var WHITE_LIST_PATH ../rules
    var BLACK_LIST_PATH ../rules
39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.
[Screenshot: the same section of snort.conf after Step 39, with var WHITE_LIST_PATH C:\Snort\rules and var BLACK_LIST_PATH C:\Snort\rules.]
40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules; make sure both files have the .rules extension.
41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242) and configure the dynamically loaded libraries in this section.
42. At "path to dynamic preprocessor libraries" (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with the location of your dynamic preprocessor libraries folder.
43. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.
Preprocessors are loaded and configured using the preprocessor keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.
[Screenshot: snort.conf Step #4 section, Lines 247-257, after Step 43:]
    # path to dynamic preprocessor libraries
    dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

    # path to base preprocessor engine
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

    # path to dynamic rules libraries
    dynamicdetection directory /usr/local/lib/snort_dynamicrules

    # Step #5: Configure preprocessors
    # For more information, see the Snort Manual, Configuring Snort - Preprocessors
44. At "path to base preprocessor engine" (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine, C:\Snort\lib\snort_dynamicengine\sf_engine.dll.
Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.
45. Comment out (#) the dynamic rules libraries line (Line 253); this lab does not use dynamic rules libraries, and the libraries it needs were already configured under dynamic preprocessor libraries.
Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.
[Screenshot: snort.conf at Line 253 after Step 45, with the dynamicdetection line commented out, followed by the "# Step #5: Configure preprocessors" banner.]
46. Scroll down to the Step #5: Configure preprocessors section (Line 256). In this lab the listed preprocessors are not needed in IDS mode and would generate errors at runtime.
47. Comment out all the preprocessors listed in this section by adding # before each preprocessor line.
[Screenshot: the Step #5 section of snort.conf after Step 47, every preprocessor line commented out, for example:]
    # Target-based IP defragmentation.  For more information, see README.frag3
    # preprocessor frag3_global: max_frags 65536
    # preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive>[: <value>]
48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.
49. These two files are in C:\Snort\etc. Provide this location in the include lines of the output plugins section (Lines 540 and 541).
The frag3 preprocessor is a target-based IP defragmentation module for Snort.
[Screenshot: snort.conf Step #6: Configure output plugins section, Lines 514-541, before the edit in Step 50.]
50. In Step #6, add the line output alert_fast: alerts.ids so that Snort writes all alerts to the alerts.ids file.
[Screenshot: snort.conf Step #6 section after Step 50:]
    # Step #6: Configure output plugins
    # For more information, see Snort Manual, Configuring Snort - Output Modules

    # unified2
    # Recommended for most installs
    # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

    # Additional configuration for specific types of installs
    # output alert_unified2: filename snort.alert, limit 128, nostamp
    # output log_unified2: filename snort.log, limit 128, nostamp

    # database
    # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
    # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

    output alert_fast: alerts.ids

    # metadata reference data.  do not modify these lines
    include C:\Snort\etc\classification.config
    include C:\Snort\etc\reference.config
Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals:
1. Faster execution than frag2 with less complex data management.
2. Target-based host modeling anti-evasion techniques.
51. The C:\Snort\log folder is empty, without any files in it. Go to the log folder and create a new text file with the name alerts.ids.
52. Ensure that the extension of that file is .ids.
[Screenshot: Windows Explorer showing C:\Snort\log containing one item, alerts.ids.]
53. In the snort.conf file, find and replace the string ipvar with var. By default the string is ipvar, which this Windows build of Snort does not recognize (ipvar requires a build with IPv6 support), so replace it with var.
Note: Snort now supports multiple configurations based on VLAN ID or IP subnet within a single instance of Snort. This allows administrators to specify multiple Snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.
[Screenshot: the Notepad++ Replace dialog with Find what: ipvar, Replace with: var, Wrap around checked, Search Mode: Normal; click Replace All.]
Three types of variables may be defined in Snort: var, portvar, and ipvar.
57. Uncomment Line 47 of the icmp-info.rules file (the ICMP-INFO PING rule), then save and close the file.
[Screenshot: C:\Snort\rules\icmp-info.rules in Notepad++, Lines 29-55; most rules are commented out. Line 47, uncommented in Step 57, is:]
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:6;)
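The edits in Steps 33 to 57 are easy to get slightly wrong by hand, and a typo only shows up as a FATAL ERROR when Snort starts. As an added example (not part of the original lab manual, and not Snort's own tooling), the following script applies the same snort.conf changes mechanically and then re-checks the result. The sample configuration is a constructed excerpt in the shape of a Snort 2.9.x snort.conf, not a copy of any file shown in the lab; the function and variable names are this example's own.

```python
"""Apply the lab's snort.conf edits (Steps 33-57) as a script and re-check them.

Added example, not part of the original lab manual. SAMPLE_CONF is a constructed
excerpt in the shape of a Snort 2.9.x snort.conf; windowsize() and lint() are
this example's own helpers.
"""
import re

SAMPLE_CONF = """\
# Step #1: Set the network variables.  For more information, see README.variables
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# Step #4: Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# Step #5: Configure preprocessors
preprocessor normalize_ip4
preprocessor frag3_global: max_frags 65536
# Step #6: Configure output plugins
# metadata reference data.  do not modify these lines
include classification.config
include reference.config
"""


def windowsize(conf, home_net, root=r"C:\Snort"):
    """Return CONF rewritten the way Steps 33-53 rewrite it for a Windows install."""
    out = []
    for line in conf.splitlines():
        # Step 53: this Windows build has no IPv6 support, so 'ipvar' is rejected; use 'var'.
        if line.startswith("ipvar "):
            line = "var " + line[len("ipvar "):]
        # Step 33: HOME_NET must be the sensor's address, not 'any', or every rule
        # keyed on $HOME_NET fires for (or ignores) the wrong traffic.
        if re.match(r"var HOME_NET\b", line):
            line = "var HOME_NET " + home_net
        # Steps 38-39: the relative ../ paths are resolved against the Snort binary,
        # not snort.conf, so make them absolute under the install root.
        m = re.match(r"var (\w+_PATH) \.\./(\w+)$", line)
        if m:
            line = "var %s %s\\%s" % (m.group(1), root, m.group(2))
        # Steps 42-45: point the engine and preprocessors at the Windows DLLs and
        # comment out dynamicdetection (no dynamic rules libraries are installed here).
        if line.startswith("dynamicpreprocessor directory"):
            line = "dynamicpreprocessor directory %s\\lib\\snort_dynamicpreprocessor" % root
        elif line.startswith("dynamicengine "):
            line = "dynamicengine %s\\lib\\snort_dynamicengine\\sf_engine.dll" % root
        elif line.startswith("dynamicdetection "):
            line = "# " + line
        # Steps 46-47: disable every preprocessor directive in Step #5.
        elif line.startswith("preprocessor "):
            line = "# " + line
        # Step 49: absolute paths for classification.config and reference.config.
        elif line.startswith("include ") and line.endswith(".config"):
            line = "include %s\\etc\\%s" % (root, line.split()[1])
        out.append(line)
        # Step 50: one fast-format alert file, placed right under the Step #6 banner.
        if line.startswith("# Step #6"):
            out.append("output alert_fast: alerts.ids")
    return "\n".join(out) + "\n"


def lint(conf):
    """List what would still make 'snort -c snort.conf' fail or log nothing on this build."""
    problems = []
    if re.search(r"^ipvar ", conf, re.M):
        problems.append("ipvar used (needs an IPv6-enabled build)")
    if re.search(r"^var HOME_NET any$", conf, re.M):
        problems.append("HOME_NET is still 'any'")
    if re.search(r"^\w+ .*\.\./", conf, re.M):
        problems.append("relative ../ path remains")
    if re.search(r"^dynamic\w* .*/usr/local/", conf, re.M):
        problems.append("Unix library path remains")
    if not re.search(r"^output ", conf, re.M):
        problems.append("no output plugin; alerts would go nowhere")
    return problems


if __name__ == "__main__":
    fixed = windowsize(SAMPLE_CONF, "10.0.0.10")
    print(fixed)
    print("before:", lint(SAMPLE_CONF))
    print("after: ", lint(fixed))
```

Running lint() on the untouched excerpt reports the four things the lab steps exist to fix; after windowsize() it reports nothing. The one edit the script does not make is Step 57, which is in icmp-info.rules rather than snort.conf.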
58. Now navigate to C:\Snort, right-click the bin folder, and select CmdHere from the context menu to open it in a command prompt.
TASK 3: Validate Configurations
To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example:
    /usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D
61. If you receive a fatal error, first verify that you have typed all modifications correctly into the snort.conf file, and then search through the file for entries matching your fatal error message.
62. If you receive an error stating "Could not create the registry key", run the command prompt as an Administrator.
[Screenshot: Administrator: C:\Windows\system32\cmd.exe]
    C:\Snort\bin>snort -i 4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
TASK 4: Start Snort
63. Start Snort in IDS mode: in the command prompt, type snort -i 4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii (substitute your own interface index for 4) and then press Enter. Here -c names the configuration file, -l the log directory, -A console also prints alerts to the console, and -K ascii writes human-readable per-host log files.
64. Snort starts running in IDS mode. It first initializes the output plug-ins and preprocessors, loads the dynamic preprocessor libraries and the rule chains, and then logs all signatures.
C:\Snort\etc\snort.conf is the location of the configuration file. Option -i 4 specifies the interface.
When Snort is run as a daemon, the daemon creates a PID file in the log directory.
65. After initializing the interface and logging the signatures, Snort starts, waits for an attack, and triggers an alert when an attack occurs on the machine.
67. Leave the Snort command prompt running.
68. Attack your own machine and check whether Snort detects it or not.
TASK 5: Attack Host Machine
[Screenshot: ICMP_ECHO.ids - Notepad]
    [**] ICMP-INFO PING [**]
    11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:199  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:200  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:201  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:202  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:203  ECHO
73. You see that all the log entries are saved in the ICMP_ECHO.ids file under C:\Snort\log. This means that your Snort is working correctly and triggers an alert when an attack occurs on your machine.
Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.
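Reading ICMP_ECHO.ids by eye works for five pings; it does not work for a scan. As an added example (not part of the original lab manual, and not a Snort tool), the following parser reads the per-packet text records Snort writes with -K ascii, in the format shown in Step 73, and summarizes who probed whom, how fast, and whether any echo sequence numbers are missing from the log. SAMPLE_LOG is constructed from the five records shown above; the function names are this example's own.

```python
"""Parse Snort -K ascii packet records (the ICMP_ECHO.ids format) and summarize them.

Added example, not part of the original lab manual. SAMPLE_LOG is constructed from
the records shown in Step 73; parse_ascii_log() and summarize() are this example's own.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0X0 ID:31483 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:202  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:203  ECHO
"""

MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
PKT_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) "
                    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
IP_RE = re.compile(r"^(?P<proto>[A-Z]+) TTL:(?P<ttl>\d+) TOS:0[xX](?P<tos>[0-9A-Fa-f]+) "
                   r"ID:(?P<ipid>\d+) IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+ID:(?P<id>\d+)\s+"
                     r"Seq:(?P<seq>\d+)\s+(?P<name>\w+)")


def parse_ascii_log(text):
    """Return one dict per [**] record; a record with no packet line is dropped."""
    records, cur = [], None
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:                       # a new record starts; flush the previous one
            if cur and "ts" in cur:
                records.append(cur)
            cur = {"msg": m.group("msg")}
            continue
        if cur is None:
            continue
        for rx in (PKT_RE, IP_RE, ICMP_RE):
            m = rx.match(line)
            if m:
                cur.update({k: v for k, v in m.groupdict().items() if v is not None})
                break
    if cur and "ts" in cur:
        records.append(cur)
    for r in records:               # numeric fields as ints; timestamp for arithmetic
        for k in ("ttl", "ipid", "iplen", "dgmlen", "type", "code", "id", "seq"):
            if k in r:
                r[k] = int(r[k])
        r["time"] = datetime.strptime(r["ts"], "%m/%d-%H:%M:%S.%f")
    return records


def summarize(records):
    """Counts per (src, dst, msg), TTLs seen, time span, and holes in the ICMP sequence."""
    by_flow = Counter((r["src"], r["dst"], r["msg"]) for r in records)
    times = sorted(r["time"] for r in records)
    span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0
    seqs = sorted(r["seq"] for r in records if "seq" in r)
    seen = set(seqs)
    # A hole in the echo sequence means a probe went by that this sensor did not log.
    missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in seen] if seqs else []
    return {"count": len(records), "by_flow": by_flow,
            "ttl": {r["ttl"] for r in records if "ttl" in r},
            "duration_s": span, "seq_missing": missing}


if __name__ == "__main__":
    s = summarize(parse_ascii_log(SAMPLE_LOG))
    for (src, dst, msg), n in s["by_flow"].items():
        print("%s -> %s  %-16s %d packets in %.3fs" % (src, dst, msg, n, s["duration_s"]))
    print("TTLs seen:", s["ttl"], " missing seq:", s["seq_missing"])
```

On the five records above this reports one flow, 10.0.0.12 -> 10.0.0.10, five ICMP-INFO PING packets in just over four seconds, a single TTL of 128, and no gaps in the sequence 199 to 203; a gap would mean the sensor dropped a probe the attacker did send.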
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Snort
Questions
1. Determine and analyze the process to identify and monitor network ports after intrusion detection.
Internet Connection Required
[ ] Yes  [x] No
Platform Supported
[x] Classroom  [x] iLabs
Ethical Hacking and Countermeasures Copyright (c) by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Scenario
Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day, making it difficult for human users to analyze them and take appropriate action. It is important to reduce the redundancy of alerts, intelligently integrate and correlate them, and present a high-level view of the detected security issues to the administrator. An IDS is used to inspect data for malicious or anomalous activity and to detect attacks or unauthorized use of systems, networks, and related resources.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, be able to identify malicious network activity and read log information, and be able to stop or block malicious network activity.
Lab Objectives
Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.
The objective of this lab is to help students learn and understand IPSes and IDSes. In this lab, you will learn how to:
Lab Environment
To carry out this lab, you need:
Lab Duration
Time: 10 Minutes
Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Kiwi Syslog Server, double-click Kiwi_Syslog_Server_9.3.4.Eval.setup.exe, and install Kiwi Syslog Server on the Windows Server 2012 host machine.
2. The License Agreement window appears. Click I Agree.
3. In the Choose Operating Mode wizard, check the Install Kiwi Syslog Server as an Application check box and click Next >.
[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode. "Install Kiwi Syslog Server as a Service: This option installs Kiwi Syslog Server as a Windows service, allowing the program to run without the need for a user to log in to Windows. This option also installs the Kiwi Syslog Server Manager which is used to control the service." The option "Install Kiwi Syslog Server as an Application" is selected.]
4. In the Install Kiwi Syslog Web Access wizard, uncheck the selected option and click Next >.
[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Install Kiwi Syslog Web Access, with "Install Kiwi Syslog Web Access" and "Create a new Web Access logging rule in Kiwi Syslog Server" unchecked. "Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server."]
[Screenshot: Choose Components, install type Normal, Space required: 89.5MB; click Next >.]
[Screenshot: Destination Folder. "Setup will install Kiwi Syslog Server 9.3.4 in the following folder. To install in a different folder, click Browse and select another folder. Click Install to start the installation." Space required: 89.5MB, Space available: 50.1GB.]
Figure 2.5: Give destination folder
7. Click Finish.
8. Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box ("Happy Syslogging...").
Figure 2.7: Default settings applied window
9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.
[Screenshot: C:\Snort\etc\snort.conf in Notepad++, Step #6: Configure output plugins, database section:]
    # database
    # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
    # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
16. Open the Kiwi Syslog Server Console and press Ctrl+T. This sends a test message, which verifies that Kiwi Syslog Server is receiving and logging alerts.
[Screenshot: Kiwi Syslog Server (14 Day evaluation - Version 9.3), Display 00 (Default):]
    Date        Time      Priority      Hostname   Message
    11-14-2012  16:21:30  Local7.Debug  127.0.0.1  Kiwi Syslog Server Test message number 0001
Kiwi Syslog Server filtering options:
- Filter on IP address, hostname, or message text
- Filter out unwanted host messages or take a different logging action depending on the host name
- Perform an action when a message contains specific keywords
[Screenshot: Kiwi Syslog Server, Display 00 (Default), showing the Snort alerts forwarded over syslog, one per second from 18:39:56 to 18:40:12:]
    Date        Time      Priority    Hostname   Message
    11-14-2012  18:40:12  Auth.Alert  127.0.0.1  Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10
    11-14-2012  18:40:11  Auth.Alert  127.0.0.1  Nov 14 18:40:11 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10
    11-14-2012  18:40:10  Auth.Alert  127.0.0.1  Nov 14 18:40:10 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10
    ...
    11-14-2012  18:39:56  Auth.Alert  127.0.0.1  Nov 14 18:39:56 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10
Kiwi Syslog
Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Kiwi Syslog Server
Questions
1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server.
2. Determine how you can move Kiwi Syslog Daemon to another machine.
3. Each Syslog message includes a priority value at the beginning of the text. Evaluate the priority of each Kiwi Syslog message and on what basis messages are prioritized.
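Question 3 asks about the priority value that opens each Syslog message, and the sidebar to the Kiwi figure lists filtering by IP address, hostname, message text and keyword. The following added example (written for this page; it is not code from the lab manual or from Kiwi Syslog Server) decodes that value per RFC 3164 into the Facility.Severity label Kiwi displays and applies those filters to a few constructed lines. The PRI value 33 for Snort's alerts, the extra timestamps and the non-Snort lines are assumptions; the host WIN-2N9STOSGIEN, the sender 127.0.0.1 and the ICMP PING alert text come from the lab's screenshots.

```python
"""Decode the <PRI> prefix of BSD-syslog (RFC 3164) messages and apply the
host and keyword filters the Kiwi Syslog Server sidebar describes.

Added example; not part of the lab manual or of Kiwi Syslog Server.
Assumptions: the PRI value 33 (auth.alert) for Snort's alerts, the timestamps
and the non-Snort lines are constructed; WIN-2N9STOSGIEN, 127.0.0.1 and the
ICMP PING alert text are taken from the lab's screenshots.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# RFC 3164 4.1.1: PRI = facility * 8 + severity. Names for facilities 13-15
# are the conventional ones (the RFC only describes them in words).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
_HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ 0-3]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    pri: int
    timestamp: Optional[str]
    host: Optional[str]   # HOSTNAME field: a name or, as in Kiwi's display, the sender IP
    text: str             # MSG part (TAG and CONTENT)
    raw: str

    @property
    def facility(self) -> str:
        return FACILITIES[self.pri // 8]

    @property
    def severity(self) -> str:
        return SEVERITIES[self.pri % 8]

    @property
    def priority_label(self) -> str:
        """Facility.Severity as the Kiwi console shows it, e.g. Auth.Alert."""
        return f"{self.facility.capitalize()}.{self.severity.capitalize()}"


def parse_syslog(line: str) -> SyslogMessage:
    """Split one RFC 3164 line into PRI, TIMESTAMP, HOSTNAME and MSG."""
    m = _PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), m.group(2)
    else:
        # RFC 3164 4.3.3: a message without a valid PRI is treated as <13> (user.notice)
        pri, rest = 13, line
    h = _HEADER_RE.match(rest)
    if h:
        return SyslogMessage(pri, h.group(1), h.group(2), h.group(3), line)
    return SyslogMessage(pri, None, None, rest, line)


def filter_messages(messages: Iterable[SyslogMessage], host: Optional[str] = None,
                    keyword: Optional[str] = None,
                    exclude_hosts: Iterable[str] = ()) -> List[SyslogMessage]:
    """Keep messages from `host` (if given) whose text contains `keyword`
    (case-insensitive, if given), dropping anything from `exclude_hosts`."""
    excluded = set(exclude_hosts)
    kept = []
    for msg in messages:
        if msg.host in excluded:
            continue
        if host is not None and msg.host != host:
            continue
        if keyword is not None and keyword.lower() not in msg.text.lower():
            continue
        kept.append(msg)
    return kept


# Constructed sample input (labelled as such); not captured from the lab.
SAMPLE_LINES = [
    "<33>Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.10 -> 10.0.0.12",
    "<33>Nov 14 18:40:11 WIN-2N9STOSGIEN snort: [1:384:6] ICMP PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.10 -> 10.0.0.12",
    "<191>Nov 14 16:21:30 127.0.0.1 Kiwi Syslog Server Test message number 0001",
    "Nov 14 18:45:00 FILESRV01 sshd: Accepted password for admin from 10.0.0.5",  # no PRI
]


def demo() -> List[str]:
    """Return 'Priority  Host  Text' rows for the Snort alerts only."""
    msgs = [parse_syslog(line) for line in SAMPLE_LINES]
    return [f"{m.priority_label:14} {(m.host or '-'):16} {m.text}"
            for m in filter_messages(msgs, keyword="snort")]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it lists the two Snort rows as Auth.Alert. Note that the [Priority: 3] inside the Snort text is Snort's own classification priority and is independent of the syslog PRI that Kiwi's Priority column shows, so a filter on Auth.Alert and a keyword search for "Priority: 3" select on different things.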
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab Scenario
Intrusion detection systems are designed to search network activity (we are considering both host and network IDS detection) for evidence of malicious abuse. When an IDS algorithm detects some sort of activity and the activity is not malicious or suspicious, this detection is known as a false positive. It is important to realize that from the IDS's perspective, it is not doing anything incorrect. Its algorithm is not making a mistake. The algorithm is just not perfect. IDS designers make many assumptions about how to detect network attacks.
An example assumption could be to look for extremely long URLs. Typically, a URL may be only 500 bytes long. An IDS may be told that URLs longer than 2000 bytes indicate a denial of service attack. A false positive could result from some complex e-commerce web sites that store a wide variety of information in the URL and exceed 2000 bytes.
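To make the false-positive point concrete, here is an added example (not from the lab manual or any IDS product) that applies the 2000-byte URL rule to three constructed access-log lines: a normal request, an abnormally long one, and a legitimate shopping-cart URL that also exceeds 2000 bytes. The client addresses 10.0.0.12 and 10.0.0.20, the paths and the exemption prefix are assumptions.

```python
"""A long-URL detector of the kind the scenario describes, run over constructed
web-server log lines, to show how the 2000-byte rule fires on both a suspicious
request and a legitimate e-commerce URL (a false positive), and how a narrow
exemption removes the latter.

Added example; not from the lab manual or any IDS product. The log lines,
hosts (10.0.0.12, 10.0.0.20) and paths are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

URL_LENGTH_THRESHOLD = 2000  # bytes; the threshold used in the scenario text

# Common Log Format: host ident authuser [date] "METHOD target HTTP/x.y" status bytes
_CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) (HTTP/\d\.\d)" (\d{3}) (\d+|-)$')


@dataclass
class Alert:
    src: str        # client address
    path: str       # request path without the query string
    url_len: int    # length of the request target in bytes
    verdict: str    # "alert" or "suppressed"


def build_sample_log() -> List[str]:
    """Constructed access-log lines. Line 2 is an abnormally long request;
    line 3 is a legitimate shopping-cart URL that also exceeds 2000 bytes."""
    filler = "A" * 2500
    cart_query = "&".join(f"sku{i}=PRD-{i:05d}&qty={i % 3 + 1}&color=blue" for i in range(80))
    return [
        '10.0.0.12 - - [14/Nov/2012:18:40:12 +0000] "GET /index.html HTTP/1.1" 200 512',
        f'10.0.0.12 - - [14/Nov/2012:18:40:13 +0000] "GET /cgi-bin/search?q={filler} HTTP/1.1" 414 0',
        f'10.0.0.20 - - [14/Nov/2012:18:40:14 +0000] "GET /shop/cart?{cart_query} HTTP/1.1" 200 8192',
    ]


def long_url_alerts(lines: Iterable[str], threshold: int = URL_LENGTH_THRESHOLD,
                    exempt_prefixes: Sequence[str] = ()) -> List[Alert]:
    """Flag every request whose target exceeds `threshold` bytes. Targets under
    an exempt path prefix (a known application that legitimately uses long URLs)
    are still reported, but marked 'suppressed' so the tuning stays visible."""
    alerts: List[Alert] = []
    for line in lines:
        m = _CLF_RE.match(line)
        if not m:
            continue  # unparseable line: not this rule's job
        src, _date, _method, target, _ver, _status, _size = m.groups()
        url_len = len(target.encode("utf-8"))
        if url_len <= threshold:
            continue
        path = target.split("?", 1)[0]
        verdict = "suppressed" if path.startswith(tuple(exempt_prefixes)) else "alert"
        alerts.append(Alert(src, path, url_len, verdict))
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    for a in long_url_alerts(log):                                # naive rule: two hits
        print(f"{a.verdict:10} {a.src:10} {a.url_len:5d} bytes {a.path}")
    for a in long_url_alerts(log, exempt_prefixes=("/shop/",)):   # tuned: cart URL suppressed
        print(f"{a.verdict:10} {a.src:10} {a.url_len:5d} bytes {a.path}")
```

The naive rule reports both long requests. The exemption for the known application path keeps the legitimate URL from paging anyone while still recording it as suppressed, so the tuning itself remains auditable; it is deliberately a narrow path prefix, because raising the global threshold instead would blind the rule for every other path.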
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and intrusion detection systems (IDSes), be able to identify malicious network activity and log information, and stop or block malicious network activity.
Lab Objectives
The objective of this lab is to make students learn and understand IPSes and IDSes.
Tools demonstrated in this lab are located at D:\CEHTools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots
Lab Environment
To carry out this lab, you need:
If you have decided to download the latest version of these tools, the screenshots may differ.
Lab Duration
Time: 10 Minutes
TASK 1: Configure KFSensor
Lab Tasks
1. Launch the Windows 8 virtual machine and follow the wizard-driven installation steps to install KFSensor.
2. After installation it will prompt you to reboot the system. Reboot the system.
3.
FIGURE 3.1: KFSensor Window with Setup Wizard
To set up common ports KFSensor has a set of pre-defined listen definitions. They are: Windows Workstation, Windows Server, Windows Internet Services, Windows Applications, Linux (services not usually in Windows), Trojans and worms.
4. In the Start menu apps, right-click the KFSensor app, and click Run as Administrator at the bottom.
FIGURE 3.2: KFSensor Window with Setup Wizard
5.
[Figure: KFSensor main window (kfsensor - localhost) listing the TCP listeners 21 FTP, 25 SMTP, 53 DNS, 68 DHCP, 80 IIS, 110 POP3, 119 NNTP, 135 MS RPC, 139 NBT Session, 593 CIS, 1028 MS CIS, 1080 SOCKS and 2234 DirectPlay, with NBT Datagram events from the visitors WINDOWS8, WIN-ULY358K, WIN-D39MR5I, WIN-LXQN3W, WIN-MSSELG and WIN-2N9STO...; status bar: Server: Status, Visitors: 0]
FIGURE 3.5: KFSensor Window with Setup Wizard
If you want to send KFSensor alerts by email, then specify the email address details and click Next.
A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon.
[Figure: Set Up Wizard - EMail Alerts page with the Send to and Send from fields: "If you want KFSensor to send alerts by email then fill in the email address details"; < Back, Next >, Cancel]
Choose options for Denial of Service, Port Activity, Proxy Emulation, and Network Protocol Analyzer and click Next.
The KFSensor Monitor is a module that provides the user interface to the KFSensor system. With it you can configure the KFSensor Server and examine the events that it generates.
[Figure: Set Up Wizard options page: Denial of Service ("Controls how many events are recorded before the server locks up"), Port Activity (1 Hour), Proxy Emulation and Network Protocol Analyzer ("Dump files are useful for detailed analysis but take up a lot of disk space"); < Back, Next >, Cancel]
FIGURE 3.7: KFSensor Window with Setup Wizard - options
10. Check the Install as system service option and click Next.
[Figure: Set Up Wizard - Systems Service page. Install as systems service (checked). "A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged on user, so you can log off and another person can log on without affecting the server. The KFSensor Server can be configured to start automatically when the system starts, even before you log on. You must be logged in as the Administrator to install a systems service."]
[Figure: Set Up Wizard final page: "There are a number of restrictions set for the ten day duration of the evaluation period. The export functionality is unavailable and the details of some events are deliberately obscured." Buttons: < Back, Finish, Cancel]
[Figure: KFSensor main window showing UDP 138 NBT Datagram events (duration 0.000) from the visitors WIN-ULY358K, WIN-LXQN3W, WIN-MSSELCI, WIN-D39MR5I, WIN-2N9STO..., Windows8 and WINDOWS8, alongside the listener tree (53 DNS, 68 DHCP, 80 IIS, 110 POP3, 119 NNTP, 135 MS RPC, 389 LDAP, 443 HTTPS, 593 CIS, 1028 MS CIS, 1080 SOCKS, 2234 DirectPlay)]
[Figure: Command Prompt with netstat output: KFSensor listening on TCP ports 2, 7, 9, 13, 17, 19, 21, 22, 23, 25, 42, 53, 57, 68, 80, 81, 82, 83, 88, 98, 110, 111, 113, 119, 135, 139, 143, 389, 443, 445, 464, 522, 543, 563, 593, 636, 999, 1024, 1028, 1080 and 1214 (Local Address 0.0.0.0:<port>, Foreign Address 0.0.0.0:0, State LISTENING)]
18. To launch MegaPing, move your mouse cursor to the lower-left corner of your desktop and click Start.
[Figure: Windows 8 Start screen (Administrator) showing tiles for Mozilla Firefox, HTTPort 3.SNFM, Command Prompt, Hyper-V Manager, MegaPing, Notepad and Google Chrome]
[Figure: MegaPing (Unregistered) window with the tool list (DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner, Host Monitor); Port Scanner selected, destination host 10.0.0.12 added, with Protocols and Scan Type options and Start button]
[Figure: MegaPing Port Scanner results for 10.0.0.12, listing detected TCP ports with Keyword, Description and Risk columns, including telnet (Risk: High), smtp (Low), domain (Low), socks (Low), ms-sql-s (Microsoft-SQL-Server) and ica (Low)]
[Figure: KFSensor window showing a TCP 23 Telnet visitor event and the listener tree with recent activity on 7 Echo, 9 Discard, 13 Daytime, 17 Quote of the Day, 19 chargen, 21 FTP, 22 SSH, 42 WINS, 53 DNS, 57 Mail Transfer, 68 DHCP, 80 IIS, 81 IIS 81, 82 IIS 82, 83 IIS 83 and 88 Kerberos]
[Figure: KFSensor window after the scan, with a Closed TCP Ports entry and recent activity on 9 Discard, 19 chargen, 22 SSH, 23 Telnet, 21 FTP, 25 SMTP, 42 WINS, 53 DNS, 57 Mail Transfer, 68 DHCP, 80 IIS, 81 IIS 81, 82 IIS 82, 83 IIS 83 and 88 Kerberos]
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: KFSensor Honeypot IDS
Output:
Infected Port number: 1080
Number of Detected Trojans: 2
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab Scenario
Attackers are always on the hunt for clients that can be easily compromised, and they can enter your network by IP spoofing to damage or steal your data. The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.
Hence, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc., and comparing these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.
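The header extraction and signature comparison described above, as an added example (it is not code from the lab manual or from any IDS): two packets are built in the script itself as constructed input, a TCP SYN from 10.0.0.12 to port 21 on 10.0.0.3 and an ICMP echo request from 10.0.0.10 to 10.0.0.12; the parser pulls out the source and destination addresses, protocol, header length, TTL, ports and flags, verifies the IPv4 header checksum, and compares the fields with two simple modeled signatures. The addresses come from the lab's figures; the ports, TTL, identifiers and the signatures themselves are assumptions.

```python
"""Extract the header fields the scenario lists from raw IPv4 packets and
compare them with simple modeled signatures.

Added example; not from the lab manual or any IDS. Both packets are built
here (constructed input): a TCP SYN from 10.0.0.12 to port 21 on 10.0.0.3 and
an ICMP echo request from 10.0.0.10 to 10.0.0.12. The addresses come from the
lab's figures; the ports, TTL, identifiers and signatures are assumptions.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class PacketInfo:
    src_ip: str
    dst_ip: str
    protocol: int
    header_len: int
    ttl: int
    checksum_ok: bool
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[int] = None
    icmp_type: Optional[int] = None


def parse_ipv4(packet: bytes) -> PacketInfo:
    """Decode the IPv4 header, verify its checksum, then the TCP or ICMP header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, ttl, proto, hdr_csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    header = packet[:ihl]
    # Recompute over the header with the checksum field zeroed; a mismatch means
    # the header was corrupted (or crafted) in transit.
    ok = checksum(header[:10] + b"\x00\x00" + header[12:]) == hdr_csum
    info = PacketInfo(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ihl, ttl, ok)
    payload = packet[ihl:]
    if proto == 6 and len(payload) >= 14:      # TCP: ports, then data offset + flags
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        info.src_port, info.dst_port, info.tcp_flags = sport, dport, off_flags & 0x01FF
    elif proto == 1 and len(payload) >= 4:     # ICMP: type is the first byte
        info.icmp_type = payload[0]
    return info


# Modeled signatures (assumed): every listed field must equal the parsed value.
SIGNATURES: List[Dict] = [
    {"name": "TCP SYN to FTP control port", "protocol": 6, "dst_port": 21, "tcp_flags": TCP_SYN},
    {"name": "ICMP echo request (ping)", "protocol": 1, "icmp_type": 8},
]


def match_signatures(info: PacketInfo, signatures: List[Dict] = SIGNATURES) -> List[str]:
    return [sig["name"] for sig in signatures
            if all(getattr(info, f) == v for f, v in sig.items() if f != "name")]


# --- constructed packets (sample input, not captured traffic) ------------------

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 128) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def tcp_syn_segment(sport: int, dport: int) -> bytes:
    # data offset 5 words, SYN set; TCP checksum left zero (not verified here)
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | TCP_SYN, 8192, 0, 0)


def icmp_echo_request() -> bytes:
    body = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


if __name__ == "__main__":
    for pkt in (build_ipv4("10.0.0.12", "10.0.0.3", 6, tcp_syn_segment(40000, 21)),
                build_ipv4("10.0.0.10", "10.0.0.12", 1, icmp_echo_request())):
        info = parse_ipv4(pkt)
        print(info, "->", match_signatures(info) or ["no match"])
```

The checksum check matters for the forensic use the scenario describes: a header that fails it was either damaged in transit or hand-built, and either way the fields extracted from it should not be trusted as evidence without corroboration. Real signature engines match on far more than equality of a few fields, but the structure (decode, verify, compare against a model) is the same.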
Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible from simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab, you will learn HTTP tunneling using HTTPort.
Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.
Lab Environment
In the lab, you need the HTTPort tool.
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots
You can also download the latest version of HTTPort from the link http://www.targeted.org
Lab Duration
Time: 20 Minutes
Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTPS and HTTP proxies, firewalls, and transparent accelerators.
TASK 1: Stopping IIS Services
Lab Tasks
1. Before running the tool you need to stop the IIS Admin Service and World Wide Web services on the Windows Server 2008 virtual machine.
2. Select Administrative Privileges → Services → IIS Admin Service, right-click and select Stop.
HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.
[Figure: Services console (Local) on Windows Server 2008 with IIS Admin Service selected and its context menu (Stop, Pause, Resume, Restart, All Tasks, Refresh, Properties, Help); description: "Enables this server to administer Web and FTP services. If this service is stopped, the server will be unable to run Web, FTP, NNTP, or SMTP sites or configure IIS. If this service is disabled, any services that explicitly depend on it will fail to start."; status bar: Stop service IIS Admin Service on Local Computer]
3.
It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.
[Figure: Services console (Local) with the World Wide Web service selected and its context menu (Restart, Refresh, Properties); description: "Provides Web connectivity and administration through the Internet Information Services Manager"]
It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.
6. On the Options tab leave all the settings at their defaults except the Personal Password field, which should be filled with any other password. In this lab the Personal Password is magic.
9.
Tools demonstrated in this lab are available in Z:\ Mapped Network Drive
[Figure: HTTHost 1.8.5 Options tab. Network: Bind listening to 0.0.0.0, port 80; Personal password (masked); Timeouts: 0:1:2; Apply. Other tabs: Security, Send a Gift]
14. The HTTPort window appears as shown in the following figure.
To set up HTTPort you need to point your browser to 127.0.0.1
[Figure: HTTPort 3.SNFM window with the System, Proxy, Port mapping, About and Register tabs. Proxy tab: Host name or IP address, Port, Username, Password; Misc. options: User-Agent, Bypass mode: Remote host; Use personal remote host at (blank = use public): Host name or IP address, Port, Password]
15. Select the Proxy tab and enter the Host name or IP address of the targeted machine.
HTTPort goes with the predefined mapping "External HTTP proxy" of local port
16. Here, as an example, enter the Windows Server 2008 virtual machine IP address, and enter Port number 80.
17. You cannot set the Username and Password fields.
18. In the Use personal remote host at section, enter the targeted Host machine IP address; the port should be 80.
19. Here any password could be chosen. Here, as an example, the password is magic.
[Figure: HTTPort Proxy tab filled in: Port 80, User-Agent IE 6.0, Bypass mode: Remote host, remote host Port 80, Password (masked)]
[Figure: HTTPort Port mapping tab: Static TCP/IP port mappings (tunnels) with a New mapping node (Local port, Remote host remote.host.name, Remote port) and Add, Remove and Edit buttons; "Select a mapping to see statistics: No stats - inactive"; LEDs: Proxy;
Built-in SOCKS4 server: Run SOCKS server (port 1080) (checked), Full SOCKS4 support (BIND), "Available in Remote Host mode"]
24. Now right-click the Remote port node, select Edit, and enter the port value of 21.
[Figure: HTTPort Port mapping tab with the mapping edited to Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21; "Select a mapping to see statistics: No stats - inactive"; Built-in SOCKS4 server: Run SOCKS server (port 1080)]
[Figure: HTTPort Proxy tab with Host name or IP address 10.0.0.3, Port 80 and, under Use personal remote host at, 10.0.0.3, Port 80, Password (masked)]
HTTHost 1.8.5 - Application log:
MAIN HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
MAIN Project codename: 99 red balloons
MAIN Written by Dmitry Dvoinikov
MAIN (c) 1999-2004, Dmitry Dvoinikov
MAIN 64 total available connection(s)
MAIN network started
MAIN RSA keys initialized
MAIN loading security filters...
MAIN loaded filter "grant.dll" (allows all connections within
MAIN loaded filter "block.dll" (denies all connections within
MAIN done, total 2 filter(s) loaded
MAIN using transfer encoding: PrimeScrambler64/SevenT
grant.dll: filters conections
block.dll: filters conections
LISTENER: listening at 0.0.0.0:80
[Tabs: Statistics, Application log, Options, Security, Send a Gift]
Tools demonstrated in this lab are available in Z:\ Mapped Network Drive in Virtual Machines
[Figure: Windows Firewall with Advanced Security, Outbound Rules view, listing the default rules (BITS Peercaching, Client for NFS, Core Networking, Distributed Transaction Coordinator, File and Printer Sharing, Hyper-V, iSCSI Service, Network Discovery) with their Profile, Enabled and Action (Allow) columns; Actions pane: New Rule..., Filter by Profile, Filter by State, Filter by Group, Refresh, Export List..., Help]
FIGURE 4.11: Windows Firewall with Advanced Security window in Windows Server 2008
31. In the New Outbound Rule Wizard, check the Port option in the Rule Type section and click Next.
[Figure: New Outbound Rule Wizard, Rule Type page: Program, Port (selected), Predefined, Custom; Next >]
[Figure: New Outbound Rule Wizard, Protocol and Ports page: TCP / UDP; "Does this rule apply to all local ports or specific local ports?" All local ports / Specific local ports; < Back, Next >, Cancel]
33. In the Action section, select Block the connection and click Next.
[Figure: New Outbound Rule Wizard, Action page: "Specify the action that is taken when a connection matches the conditions specified in the rule." Allow the connection (Allow connections that have been protected with IPsec as well as those that have not); Allow the connection if it is secure (Allow only connections that have been authenticated and integrity-protected through the use of IPsec. Connections will be secured using the settings in IPsec properties and rules in the Connection Security Rule node); Block the connection (selected); < Back, Next, Cancel]
[Figure: New Outbound Rule Wizard, Profile page: Domain (Applies when a computer is connected to its corporate domain), Private (Applies when a computer is connected to a private network location) and Public (Applies when a computer is connected to a public network location), all checked; Back, Next, Cancel]
In the
[Figure: New Outbound Rule Wizard, Name page: "Specify the name and description of this rule." Name: Port 21 Blocked; Description (optional); < Back, Finish, Cancel]
[Figure: Windows Firewall with Advanced Security, Outbound Rules, with the new rule Port 21 Blocked listed at the top above the default BITS Peercaching, Client for NFS, Core Networking, Distributed Transaction Coordinator, File and Printer Sharing, Hyper-V and iSCSI Service rules]
HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.
HTTPort then intercepts that connection and runs it through a tunnel through the proxy.
[Figure: Windows Firewall with Advanced Security, Outbound Rules, with the Port 21 Blocked rule selected and its actions (Disable Rule, Delete, Properties, Help) in the Actions pane]
[Figure: Port 21 Blocked Properties, Protocols and Ports tab (General, Programs and Services, Protocols and Ports, Computers, Scope, Advanced): Protocol type, Protocol number, Local port: All Ports, Remote port: Specific Ports 21 (Example: 80, 445, 8080), Internet Control Message Protocol (ICMP) settings; Cancel, Apply]
Connected to ftp.certifiedhacker.com.
220-Microsoft FTP Service
220 Welcome TO FTP Account
User (ftp.certifiedhacker.com:(none)): _
FIGURE 4.21: Executing ftp command
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: HTTPort
Port scanned: 80
Result: ftp 127.0.0.1 connected to 127.0.0.1
Questions
1.
2. Examine if the software does not allow editing the address to connect to.
Internet Connection Required: ☑ Yes ☐ No
Platform Supported: iLabs