Information Security Training
Assignment 1: Networking
By Justin C. Klein Keane <jukeane@sas.upenn.edu>
September 28, 2012
Assignment 1

For this assignment you will use several networking utilities to get comfortable with them and expand your exposure to networking protocols. In the last lecture we discussed TCP/IP networking, the OSI model, and several related protocols.

Learning More

Many of the tools described in this document come with extensive documentation that is installed alongside the tool. This documentation takes the form of man pages (manual pages), which are read with the 'man' command. For instance, if you were interested in the documentation for nmap you could type:

$ man nmap

and read the documentation at the command line. Man pages cover the command's options, such as command line switches, general usage, and examples. It is highly recommended that you read the man page for each of the tools covered in this document to learn more about its usage.

ARP Exercises

The first protocol we'll discuss is ARP, the Address Resolution Protocol. Recall that ARP is used on a LAN segment to map an IPv4 address to the hardware (MAC) address of the host that holds it: a host broadcasts a request ("who has 10.0.0.5?") and the owner answers with its MAC address. Because every host on the segment has to answer these requests, ARP traffic is a quick way to find out who is on the segment.

In VirtualBox, look at the 'Settings' of your Fedora 17 virtual machine. In the 'Network' section, choose the 'Adapter 1' tab and set 'Attached to:' to 'Bridged Adapter'. To understand more about VirtualBox networking read Chapter 6 of the documentation (under the Help menu). Bridged mode attaches your virtual machine directly to your real ethernet adapter, so when the machine boots it will look for a DHCP server on your LAN just like a physical host. Be sure the 'Promiscuous Mode' drop down is set to 'Allow All'. Save the settings and start the virtual machine.

In your virtual machine ensure that tcpdump is installed. You can check this using:

$ rpm -q tcpdump

in a terminal window. If you need to install it you can do so using:

$ sudo yum install -y tcpdump

You will need sudo access, or you can run this command as root. To give a local user sudo access, edit the /etc/sudoers file with the visudo command (which checks the file's syntax before saving it, so a typo cannot lock you out of sudo).
Once tcpdump is installed you can start it at the command line. Unless you tell it otherwise, tcpdump picks the first configured, non-loopback interface it finds. To point it at your ethernet device, use the ifconfig command to determine the name of your active device.

In the instructor's example (the screenshot is not reproduced here) the primary ethernet card is 'p2p1'; the secondary one, 'p7p1', is the VirtualBox Network 2 adapter (host-only), which can only communicate with the hardware host.

Now that we have the name of the ethernet adapter we can limit sniffing to it. To start tcpdump and examine only ARP traffic use:

$ sudo tcpdump -i [ethdev] arp

where you substitute the name of your ethernet device for [ethdev]. Adding -n stops tcpdump from resolving addresses to names, which keeps the output readable and avoids generating DNS traffic of your own while you watch.
In my case I use 'p2p1' and ARP output begins to stream onto my console (screenshot not reproduced here). Looking at the ARP traffic you can clearly see hosts querying the local network to find their neighbours. This is extremely interesting because you can passively determine the occupants of the network by simply listening to ARP, without sending a single packet yourself.

In traditional network discovery the easiest way to determine if a host is online is to send it an ICMP ECHO-REQUEST packet and see if you get a response. This is an ICMP ping. Many hosts, however, block ICMP at their host firewall, so a failed ping does not prove that a host is down.

Start up your CentOS virtual machine, making sure that its networking is set to 'Bridged' in the same way as your Fedora machine. Alternatively you can start both machines with two adapters, one set to 'Host-only' and one set to 'NAT'. The two virtual machines then talk to each other (and to the hardware host) over the host-only network, while each uses its own NAT adapter for Internet access. Once your CentOS machine is started determine its IP address using the ifconfig command as before.

Next, let's adjust the firewall rules so the CentOS machine rejects all ICMP packets. The firewall configuration is found at /etc/sysconfig/iptables. You can edit this file as root. Find the line that reads:

-A INPUT -p icmp -j ACCEPT

and change it to:

-A INPUT -p icmp -j REJECT

Now restart the firewall using the command:

# service iptables restart
Finally, on your Fedora machine, ping the CentOS host, using the '-c' flag to limit the number of ICMP packets sent to 2 (otherwise ping will keep sending packets until you stop it with Ctrl+C), and observe the response. In this example my CentOS box is at 10.0.0.5:

$ ping -c 2 10.0.0.5

Now, given that there is definitely a host on the network, how would we discover it? Using ARP would be a good way to do just that. In fact, looking at the output of your tcpdump should reveal an ARP request for 10.0.0.5 (or whatever the IP address of your CentOS machine is) and a reply. The CentOS kernel answers the ARP request even though its firewall rejects ICMP, because iptables filters IP packets and ARP is not IP; it is a separate link-layer protocol that iptables never sees.

You can also force this type of behaviour using the extremely handy network mapping tool NMAP. If you don't have NMAP installed, install it using:

$ sudo yum install -y nmap

You can then use NMAP at the command line by typing 'nmap'. NMAP is an extremely useful tool designed to find machines and fingerprint them. Normally this is done by sending ping style ICMP echo requests, but NMAP also tries to connect to ports on remote machines to discover what services are available. NMAP can also use ARP for discovery, which is much faster and more reliable, but as discussed during the lecture only works on the local network segment. To discover all the hosts on your Fedora machine's network using nmap type the following (note that you need root privileges to use layer 2 protocols):

$ sudo nmap -PR 10.0.0.1-254

substituting the network range of your virtual machines for 10.0.0.1-254. (Add -sn if you only want host discovery without the port scan that nmap runs by default.) Two things should be immediately obvious. The first is the speed of the scan. You can watch your tcpdump session and observe the ARP broadcast queries and replies.
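The nmap scan and the earlier passive tcpdump session both come down to reading ARP requests and replies. As an added example that is not part of the assignment, the following POSIX shell script turns tcpdump's ARP output into a host inventory: it reads the lines that 'sudo tcpdump -n -i p2p1 arp' prints (the -n keeps the addresses numeric) and prints one line per host that was seen sending, with the MAC address when a reply revealed it. The interface name, the addresses and the sample capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example: passive host inventory from tcpdump ARP output.
# Input is what "sudo tcpdump -n -i <dev> arp" prints, e.g.
#   12:01:03.118231 ARP, Request who-has 10.0.0.5 tell 10.0.0.2, length 28
#   12:01:03.118402 ARP, Reply 10.0.0.5 is-at 08:00:27:1a:2b:3c, length 46
# A host that *sends* a request ("tell X") or a reply is certainly up; the
# address a request asks about ("who-has Y") may not exist at all, so it is
# only listed once it answers.

# arp_hosts: stdin = tcpdump ARP lines, stdout = "ip mac" lines, one per live
# host, sorted by address. "?" means the host was seen asking but never
# answered, so its MAC is not in the capture (tcpdump -e would show it).
arp_hosts() {
    awk '
        / ARP, Request who-has / {
            for (i = 1; i <= NF; i++)
                if ($i == "tell") {
                    ip = $(i + 1); sub(/,$/, "", ip)
                    if (!(ip in mac)) mac[ip] = "?"
                }
        }
        / ARP, Reply / {
            for (i = 1; i <= NF; i++)
                if ($i == "is-at") {
                    ip = $(i - 1); m = $(i + 1); sub(/,$/, "", m)
                    mac[ip] = m
                }
        }
        END { for (ip in mac) print ip, mac[ip] }
    ' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Constructed sample capture standing in for the live tcpdump output.
# 10.0.0.77 is asked about but never answers, so it must not be listed.
sample_arp() {
    cat <<'EOF'
12:01:03.118231 ARP, Request who-has 10.0.0.5 tell 10.0.0.2, length 28
12:01:03.118402 ARP, Reply 10.0.0.5 is-at 08:00:27:1a:2b:3c, length 46
12:01:05.300111 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
12:01:05.300250 ARP, Reply 10.0.0.1 is-at 0a:00:27:00:00:00, length 28
12:01:07.000000 ARP, Request who-has 10.0.0.77 tell 10.0.0.2, length 28
EOF
}

# arp_hosts_demo: runs the inventory over the sample. Live use, capturing
# 200 ARP packets and then letting awk print its summary:
#   sudo tcpdump -n -c 200 -i p2p1 arp | arp_hosts
arp_hosts_demo() {
    sample_arp | arp_hosts
}

arp_hosts_demo
```

Run against the sample this prints three hosts: 10.0.0.1 and 10.0.0.5 with their MACs, and 10.0.0.2 with "?" because it only asked. The asked-about 10.0.0.77 never appears, which is the point: a "who-has" tells you what the asker wants, not what exists.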
The second thing you will notice is that NMAP will show you what ports are open on the machines it identifies (if any) as well as the manufacturer associated with the MAC address of any host that responds.

Network Abuse

Now that you've seen how network traffic can be observed and how remote hosts can be mapped, let's examine how the network can be abused by attackers. Be aware that our exercises are going to be somewhat contrived. In a real network a DHCP server and a malicious actor race to answer the target, and who wins is decided by the latency of the cabling between each of them and the target and by how the LAN switch or router forwards their frames. Using virtual machines we can simulate a network, but on a virtual network the DHCP server is often the hardware host itself, meaning the router and the DHCP server are the same machine. Furthermore there is no copper to introduce latency into network transmission. All network communication in a completely virtualized environment is controlled by software that emulates the network. For this reason it is difficult to do things like cause a denial of service or otherwise dupe the router (which is just the virtualization software). The exercise is still useful, but your experience will be somewhat removed from actual practice.

As mentioned before, please be extremely careful if you choose to use tools like Ettercap on a live network. A misconfiguration, mistake, or uninformed use of these tools could cause portions of your network, or your LAN networking equipment, to cease functioning. This can be a costly and time consuming issue to resolve, so if you're going to try these tools on a real network be sure you know what you're doing first.

For this task let's try to snoop, from our Fedora virtual machine, on the traffic generated by the CentOS virtual machine. For this it will be important to configure the networking on your two virtual machines so that VirtualBox mimics a real network and segregates traffic.
Set up two network adapters on each of your virtual machines. Set the first to NAT, which allows the VM to communicate with the Internet (to do things like download updates). Set the second adapter to 'Host-only' mode, which creates an internal LAN shared by the virtual machines. In the 'Advanced' options set 'Promiscuous Mode' to 'Allow VMs' so we can carry out the exercise. Once the network is configured and both machines are booted, start a packet capture on the Fedora machine using tcpdump. Note that your network interface name may have changed. For example:

$ sudo tcpdump -i p7p1 tcp
This captures all TCP traffic that the network adapter can observe. Next, in your CentOS machine, at the command line type the following, which downloads a copy of the Google home page (you may have to install 'wget' using the 'yum install' command first):

$ wget www.google.com

Notice that there is no output on the Fedora box showing that the download happened. Two things hide it: the download leaves the CentOS machine through its NAT adapter, a separate virtual network that the Fedora machine is not attached to, and even on a shared segment a switched environment only delivers unicast traffic to its intended recipient. To show the difference, from the CentOS machine try to SSH to the Fedora machine over the host-only network, substituting the proper IP of the Fedora machine in the following example:

$ ssh 10.10.0.102

Note the output on each machine. From the CentOS machine we see the connection is refused (no SSH server is listening on the Fedora machine). However, on the Fedora machine we can clearly observe the connection attempt in the tcpdump output, because this time the traffic is addressed to the Fedora machine itself.

Now, let's install Ettercap, a man-in-the-middle (MITM) tool that we can use to perform ARP poisoning, redirecting traffic from the CentOS machine through the Fedora machine as though it were the gateway. Although an RPM exists for Ettercap that we could install via yum, installing the latest version from source is recommended since it tends to be less buggy. Download the latest version of Ettercap from http://ettercap.sourceforge.net. Once you've downloaded the file (which should be named something like ettercap-0.7.4.1.tar.gz) you can unpack it using:

$ tar xvzf ettercap-0.7.4.1.tar.gz

This unpacks the gzipped tar (Tape ARchive) into a directory. Move into this directory using:

$ cd ettercap-0.7.4.1

Next you'll need to install some dependencies to make sure you can compile the source. Do this using:

$ sudo yum install -y gcc make gtk2-devel pango pango-devel atk atk-devel libnet libnet-devel bison bison-devel flex
Next run the configure script:

$ ./configure

Be sure to look at any error messages. It is possible you may need to install other libraries on your Fedora system. To search for packages in yum use:

$ sudo yum search packagename

Once the configure script finishes you can build the software using:

$ make

Then, once that is complete, install it (this is the only step that needs root):

$ sudo make install

After the install completes you should find the ettercap executable at /usr/local/bin/ettercap. Once installed, start ettercap using:

$ sudo /usr/local/bin/ettercap -G -n 255.255.255.0

The -G switch starts the graphical (GTK) interface and -n supplies the netmask of the host-only network.
To start your session choose Sniff -> Unified sniffing from the menu, and select the network adapter that is shared between your CentOS and Fedora machines (the host-only adapter). Once this is done the menu options at the top of Ettercap change. Next you'll want to set up the targets list. To do this click Hosts -> Scan for hosts, then Hosts -> Host list to view all the hosts detected on the LAN. In the instructor's screenshot (not reproduced here) three hosts appear: the Fedora machine, the CentOS machine, and the VirtualBox host (at 10.10.0.1). Next, click View -> Connections to open the Connections tab, which shows what is being sniffed.
To start sniffing click Start -> Start sniffing, then click View -> Connections to see the sniffed connections. To start the ARP attack select Mitm -> ARP poisoning and tick the 'Sniff remote connections' checkbox. Ettercap then sends forged ARP replies to the CentOS machine and to the gateway so that each of them associates the other's IP address with the Fedora machine's MAC address; from that point the Fedora machine sits in the middle of their traffic and forwards it on so the connection keeps working.

To begin DHCP attacks go to the Mitm -> DHCP spoofing menu and enter the netmask 255.255.255.0 and the DNS server of your choosing (8.8.4.4 is one of Google's public DNS servers and a good choice in the absence of others). Once started you should be able to view DHCP requests and responses. Unfortunately, in a VirtualBox environment it is nearly impossible to beat the VirtualBox DHCP server without major backflips, and because the machines only use the host-only network to communicate with one another (they use the NAT connection for external communication) you will only be able to see connections between the two machines. This is further complicated by the fact that promiscuous mode for the host-only network can only be set to 'Deny', 'Allow VMs', or 'Allow All', so there is no way to truly simulate a switched network. If your hardware host sits behind a gateway router, such as a cheap Netgear box, you can give your VM a single 'Bridged' adapter and attempt to use Ettercap against other machines on the LAN. Beware of using Ettercap in live environments though, as it can be extremely disruptive to networking configurations.

Packet Captures

One of the primary purposes of ARP poisoning or DHCP abuse is to get access to traffic that would otherwise not be visible to an attacker. However, once this traffic is visible, tcpdump may not be sufficient to examine it. Wireshark is an extremely useful graphical tool that can be used to view, filter, and analyze network traffic. Wireshark can perform live captures or it can load files that contain previously captured packet traffic (PCAP files).
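The forged replies that ARP poisoning relies on leave two traces in an ARP capture: replies that nobody asked for, and an address whose MAC changes. As an added example that is not part of the assignment, the following POSIX shell script reads the same 'sudo tcpdump -n -i <dev> arp' lines as before and reports both symptoms. The addresses and MACs are constructed: 10.10.0.1 stands for the VirtualBox host (gateway), 10.10.0.103 for the CentOS victim, and 08:00:27:de:ad:01 for the Fedora machine running Ettercap.

```shell
#!/bin/sh
# Added example: spotting ARP poisoning in tcpdump output.
# Reads "sudo tcpdump -n -i <dev> arp" lines and reports two things an ARP
# poisoning tool such as ettercap produces:
#   UNSOLICITED  a reply arrived although nobody asked about that address
#   CONFLICT     an address is now claimed by a different MAC than before
# Sample addresses (constructed): 10.10.0.1 gateway, 10.10.0.103 victim,
# 08:00:27:de:ad:01 the attacker's MAC.

# arp_watch: stdin = tcpdump ARP lines, stdout = one line per finding.
arp_watch() {
    awk '
        / ARP, Request who-has / {
            # remember that someone asked about this address
            for (i = 1; i <= NF; i++)
                if ($i == "who-has") asked[$(i + 1)] = 1
        }
        / ARP, Reply / {
            found = 0
            for (i = 1; i <= NF; i++)
                if ($i == "is-at") { ip = $(i - 1); m = $(i + 1); found = 1 }
            if (!found) next
            sub(/,$/, "", m)
            if (!(ip in asked)) print "UNSOLICITED", ip, "is-at", m
            delete asked[ip]
            if ((ip in mac) && mac[ip] != m)
                print "CONFLICT", ip, "was", mac[ip], "now", m
            mac[ip] = m
        }
    '
}

# Constructed capture: a normal exchange, then the attacker poisons both the
# victim's view of the gateway and the gateway's view of the victim, then the
# real victim answers a genuine request and the address flips back.
sample_poison() {
    cat <<'EOF'
12:10:00.000100 ARP, Request who-has 10.10.0.1 tell 10.10.0.103, length 28
12:10:00.000300 ARP, Reply 10.10.0.1 is-at 0a:00:27:00:00:00, length 28
12:10:30.500000 ARP, Reply 10.10.0.1 is-at 08:00:27:de:ad:01, length 28
12:10:30.500200 ARP, Reply 10.10.0.103 is-at 08:00:27:de:ad:01, length 28
12:10:40.000000 ARP, Request who-has 10.10.0.103 tell 10.10.0.1, length 28
12:10:40.000100 ARP, Reply 10.10.0.103 is-at 08:00:27:ce:11:03, length 46
EOF
}

# arp_watch_demo: runs the detector over the sample. Live use:
#   sudo tcpdump -n -l -i p7p1 arp | arp_watch
# (-l line-buffers tcpdump so findings appear as they happen).
arp_watch_demo() {
    sample_poison | arp_watch
}

arp_watch_demo
```

Because ARP replies are unicast, on a real switch only the victim and the gateway see the forged ones, so this monitor belongs on the hosts you want to protect (arpwatch does the same job as a daemon); on the VirtualBox host-only network with promiscuous mode allowed any VM sees them. A CONFLICT can also be legitimate, for instance after DHCP hands an address to a different machine or a NIC is replaced, so treat it as a prompt to look, not proof. Gratuitous ARP announcements sent at boot normally appear to tcpdump as a request ("who-has X tell X") rather than a reply, so they do not trigger UNSOLICITED.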
Wireshark can be installed on your Fedora machine using:

$ sudo yum install -y wireshark wireshark-gnome

Once installed you can find Wireshark in your 'Activities' menu. Wireshark needs superuser privileges to put the network card into promiscuous mode for a live capture, however. The simplest way to do this is at the command line using:
$ sudo /sbin/wireshark

Running the whole Wireshark GUI as root is not ideal, because its protocol dissectors parse untrusted network data and are a large attack surface; a safer habit is to capture with tcpdump as root (tcpdump -i [ethdev] -w capture.pcap) and open the resulting file in Wireshark as an ordinary user. Once Wireshark is open you can start a new capture by first specifying which interface to capture on and then starting a live capture. Alternatively you can load a .pcap file via File -> Open. Open the packet capture file that you can find at https://sites.sas.upenn.edu/sites/default/files/kleinkeane/files/capture1.pcap_.zip in Wireshark and examine the contents. Can you find any information that would be useful to an attacker in the file?
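The first thing an attacker looks for in a capture like this is credentials sent in the clear. As an added example that is not part of the assignment, the following POSIX shell script shows how to pull them out with tshark, Wireshark's command-line companion: two tshark invocations (shown in comments; the display-filter and field names are real) emit tab-separated lines, and the functions turn those into "source host user:password". The pcap file name capture1.pcap is assumed from the zip's name, and the sample lines, hosts and credentials are constructed, not taken from the real capture.

```shell
#!/bin/sh
# Added example: cleartext credential hunting in a pcap with tshark.
# The tshark commands in the comments produce tab-separated field lines;
# the functions below parse such lines. All sample data is constructed.

# Live use (assumed file name capture1.pcap):
#   tshark -r capture1.pcap -Y 'http.authorization' -T fields \
#       -e ip.src -e http.host -e http.authorization | http_basic_creds
# http_basic_creds: decodes "Basic <base64>" values into user:password.
# An empty Host field is printed as "-" so the columns stay aligned.
http_basic_creds() {
    awk -F '\t' '$3 ~ /^Basic / { sub(/^Basic /, "", $3); print $1, ($2 == "" ? "-" : $2), $3 }' |
    while read -r src host b64; do
        creds=$(printf '%s' "$b64" | base64 -d) || continue
        printf '%s %s %s\n' "$src" "$host" "$creds"
    done
}

# Live use:
#   tshark -r capture1.pcap \
#       -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"' \
#       -T fields -e ip.src -e ftp.request.command -e ftp.request.arg | ftp_creds
# ftp_creds: pairs each PASS with the preceding USER from the same client.
ftp_creds() {
    awk -F '\t' '
        $2 == "USER" { user[$1] = $3 }
        $2 == "PASS" && ($1 in user) { print $1, user[$1] ":" $3; delete user[$1] }
    '
}

# Constructed tshark output (tab separated) standing in for the real capture.
sample_http() {
    printf '%s\t%s\t%s\n' 10.10.0.103 intranet.example.test 'Basic dXNlcjpzM2NyM3Q='
    printf '%s\t%s\t%s\n' 10.10.0.103 intranet.example.test 'Basic YWRtaW46aHVudGVyMg=='
}
sample_ftp() {
    printf '%s\t%s\t%s\n' 10.10.0.103 USER alice
    printf '%s\t%s\t%s\n' 10.10.0.103 PASS letmein
}

http_creds_demo() { sample_http | http_basic_creds; }
ftp_creds_demo()  { sample_ftp | ftp_creds; }

http_creds_demo
ftp_creds_demo
```

Basic authentication is only base64, not encryption, which is why a single decode recovers the password; the same approach works for any protocol whose field names tshark exposes (telnet, POP3, IMAP), and in Wireshark itself the equivalent is the display filter typed into the filter bar followed by Follow TCP Stream on a matching packet.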