Week Date Teaching Attended 2 Jan 2013 Lab 1: Linux Services/Toolkit Dev t



Similar documents
Week Date Teaching Attended 3 24/01/10 Lab 2: Windows Services/Toolkit

FTP protocol (File Transfer Protocol)

File Transfer Protocol (FTP) Chuan-Ming Liu Computer Science and Information Engineering National Taipei University of Technology Fall 2007, TAIWAN

2.5 TECHNICAL NOTE FTP

Administrasi dan Manajemen Jaringan 2. File Transfer Protocol (FTP)

Communication Systems Network Applications - Online Services

Lab 7: Introduction to Pen Testing (NMAP)

Week Date Teaching Attended 5 Feb 2013 Lab 4: Vulnerability Analysis & Enumeration/Toolkit 4

Lab Objectives & Turn In

Laboration 3 - Administration

(1) Network Camera

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Lab - Configure a Windows 7 Firewall

Lab - Configure a Windows Vista Firewall

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Lab Configuring Access Policies and DMZ Settings

Lab Configuring Access Policies and DMZ Settings

Introduction to Operating Systems

Mapping ITS s File Server Folder to Mosaic Windows to Publish a Website

File Transfer And Access (FTP, TFTP, NFS) Chapter 25 By: Sang Oh Spencer Kam Atsuya Takagi

In this lab you will explore the Windows XP Firewall and configure some advanced settings.

EventSentry Overview. Part I About This Guide 1. Part II Overview 2. Part III Installation & Deployment 4. Part IV Monitoring Architecture 13

Immotec Systems, Inc. SQL Server 2005 Installation Document

In order to upload a VM you need to have a VM image in one of the following formats:

PT Activity 8.1.2: Network Discovery and Documentation Topology Diagram

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Lab - Configure a Windows XP Firewall

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

Network Load Balancing

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Remote PC Guide for Standalone PC Implementation

Configuration Guide. BES12 Cloud

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Deploy the ExtraHop Discover Appliance with Hyper-V

Fundamentals of UNIX Lab Networking Commands (Estimated time: 45 min.)

Case Closed Installation and Setup

How To - Implement Clientless Single Sign On Authentication with Active Directory

Deploying Windows Streaming Media Servers NLB Cluster and metasan

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

Installation Notes for Outpost Network Security (ONS) version 3.2

Training module 2 Installing VMware View

HP Device Manager 4.6

ParishSOFT Remote Installation

How to start with 3DHOP

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com

Configuring FTP Availability Monitoring With Sentry-go Quick & Plus! monitors

Virtual Office Remote Installation Guide

Updating MNS-BB CUSTOMER SUPPORT INFORMATION PK012906

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

1 Download & Installation Usernames and... Passwords

PasserellesNumeriquesCambodia (PNC)

D-Link Central WiFiManager Configuration Guide

ILTA HANDS ON Securing Windows 7

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

Using VirtualBox ACHOTL1 Virtual Machines

TOE2-IP FTP Server Demo Reference Design Manual Rev1.0 9-Jan-15

Avalanche Remote Control User Guide. Version 4.1.3

$ftp = Net::FTP->new("some.host.name", Debug => 0) or die "Cannot connect to some.host.name: $@";

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM

How To Set Up Dataprotect

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Firewalls and Software Updates

Magaya Software Installation Guide

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Lab 10: Security Testing Linux Server

Lab Conducting a Network Capture with Wireshark

Addonics T E C H N O L O G I E S. NAS Adapter. Model: NASU Key Features

VNC User Guide. Version 5.0. June 2012

How to Configure an Initial Installation of the VMware ESXi Hypervisor

Connecting your Virtual Machine to the Internet. BT Cloud Compute. The power to build your own cloud solutions to serve your specific business needs

Service & Support. How do you create a communication of VNC with an Industrial Thin Client SIMATIC ITC? Thin Client.

Installation Guidelines (MySQL database & Archivists Toolkit client)

INUVIKA OPEN VIRTUAL DESKTOP FOUNDATION SERVER

McAfee SMC Installation Guide 5.7. Security Management Center

PC Monitor Enterprise Server. Setup Guide

Bitrix Site Manager. VMBitrix Virtual Machine. Quick Start And Usage Guide

Important Notes for WinConnect Server VS Software Installation:

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Configuring Security for FTP Traffic

Using Public IP Settings

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Using Virtual Machines

Appendix D: Configuring Firewalls and Network Address Translation

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Desktop : Ubuntu Desktop, Ubuntu Desktop Server : RedHat EL 5, RedHat EL 6, Ubuntu Server, Ubuntu Server, CentOS 5, CentOS 6

How To Test The Bandwidth Meter For Hyperv On Windows V (Windows) On A Hyperv Server (Windows V2) On An Uniden V2 (Amd64) Or V2A (Windows 2

Advanced Event Viewer Manual

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

File Transfer: FTP and TFTP

1. Introduction What is Axis Camera Station? What is Viewer for Axis Camera Station? AXIS Camera Station Service Control 5

Remote Desktop In OpenSUSE 10.3

enicq 5 System Administrator s Guide

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Media Control Server MCS-EX Integration Guide for RTI Control Systems

Setting up VMware Server v1 for 2X VirtualDesktopServer Manual

Building a Penetration Testing Virtual Computer Laboratory

Installing NetSupport School for use with the NetSupport School Student extension for Google Chrome

Transcription:

Week Date Teaching Attended 2 Jan 2013 Lab 1: Linux Services/Toolkit Dev t Aim: The aim of this lab is to investigate the discovery and configuration of services within Linux. It uses a Linux Ubuntu Virtual Machine (UBUNTU). You can either run VMWare Workstation on the local machine in the lab, or connect via a web browser to the VM2003 IaaS virtualisation servers. The Console (DESKTOP) on the local machine will be from Windows 7, where in VM2003 it is an Ubuntu console, as outlined below. Local machine Lm2003.napier.ac.uk OR CONSOLE DESKTOP UBUNTU DESKTOP (Console) UBUNTU (LinuxServer) Time to spend on practicals: Up to 4/5 hours (Two supervised hours in the lab, and two/three additional hours, unsupervised). Activities: Complete Lab 1: Linux Services/Toolkit Development 1.pdf from WebCT or http://www.dcs.napier.ac.uk/~cs342/csn10102/lab1.pdf Take End of Unit Tests for unit1: http://asecuritysite.com/security/tests/tests?sortby=sfc07 Learning activities: At the end of these activities, you should understand: How to review/define services in Linux. How to interface to WinDump from the toolkit development Reflective statements (end-of-exercise): What are the key Linux commands used to discover the services which are being run? What is the key folder location for the Web server in Linux? Why does Linux need the VNC Client, when Windows uses the Remote Desktop Client? Source code used: http://buchananweb.co.uk/toolkit.zip Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 1

Lab 1: Linux Services Rich Macfarlane, Bill Buchanan 2013 1.1 Details Aim: To provide a foundation in setup, discovery, and use of Linux services. 1.2 Activities An overview of Linux commands, to assist with the lab, can be found at: http://www.computerhope.com/unix/overview.htm This part of the lab has two elements: the host machine (DESKTOP) and the Linux virtual server guest machine (UBUNTU), as shown below. The lab can be completed on either of the 2 architectures shown below. Either using VMWare Workstation on the local machine in the lab (shown in Figure 1), or remotely on our VM2003 virtualisation server cluster, via a web browser (shown in Figure 2). The local lab architecture is shown below. This requires the Linux VM Server to be run using VM Workstation on the local PC. Host PC DESKTOP Windows7 PC VM Workstation Physical NIC 146.176.160.10 192.168.23.1 Virtual NIC 192.168.23.129 Services Web Server FTP Server Telnet Server UBUNTU Linux Server Figure 1 - Lab Architecture The following video can be used as a guide to complete the local version of the lab: On-line video demo of the local lab: http://buchananweb.co.uk/adv_security_and_network_forensics/unix/unix.htm Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 2

The virtualisation server cluster lab architecture is shown in Figure 1 - Lab Architecture below. This requires a Linux VM Console and a Linux VM Server to be run in the Virtualisation Cluster (our Private Cloud). Virtual Machines Cluster Virtual Machine - Server INTERNET Virtual NIC 192.168. Web Server FTP Server Telnet Server Virtual NIC Virtual Machine - Console UBUNTU Linux Server Napier Network 146.176.x.x 192.168. Services DESKTOP Linux VM Desktop PC LOCAL MACHINE Windows 7 PC Figure 2 - Cluster Lab Architecture The following video can be used as a guide to complete the server cluster version of the lab: On-line video demo of the cluster lab: http://buchananweb.co.uk/e_presentations/vmware_lab01/vmware_lab01.html Linux Ubuntu Server L1.1 Run the virtual Linux server image (locally run the.vmx file, and power on the virtual machine, or deploy your LinuxServer VM in the Adv Security Workspace on the cluster). Log into the server as User name: Napier, Password: napier123. When using VM Workstation some shortcuts are worth remembering, such as CTRL+G to grab the input focus to the current guest VM, and CTRL+ALT to return focus to the host machine. The following link has a list of shortcuts for VM Workstation: http://www.vmware.com/support/ws5/doc/ws_learning_keyboard_shortcuts.html Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 3

Within the virtual server UBUNTU, open a Terminal Window (command line window), from Applications->Accessories->Terminal such as shown in Figure 3. Figure 3 - Run Linux Terminal From UBUNTU determine the servers IP address using the Linux ifconfig command. If your UBUNTU VM does not have an IP Address, check that it is connected to the host via NAT, using the menu VM>Settings, as shown below, and issue the dhclient command to get an IP Address from the VMWare DHCP server. From DESKTOP open a command line window and determine the IP Address of the host PC using the Windows ipconfig more command (or ifconfig more if using the cluster). Look for the interface which is on the same subnet as UBUNTU. Complete the IP Addressing diagrams in Figure 4 OR 5, depending on which architecture you are using. Fill in the IP addresses(s) of the DESKTOP machine, and the UBUNTU virtual server. Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 4

Host PC DESKTOP Windows7 PC VM Workstation 192.168. Virtual NIC Physical NIC 146.176. 192.168. UBUNTU Linux Server Figure 4 - Local lab IP Addressing Virtual Machines Cluster Virtual Machine - Server Virtual NIC 192.168. Virtual Machine - Console DESKTOP Linux VM Virtual NIC 192.168. UBUNTU Linux Server Web Server FTP Server Telnet Server Figure 5 - Cluster IP Addressing L1.2 From DESKTOP, ping UBUNTU, and vice-versa, to check the connectivity. Was the ping from DESKTOP to UBUNTU successful? Was the ping from UBUNTU to DESKTOP successful? Why might this be? YES/NO YES/NO Windows 7 Firewall If DESKTOP is a Windows7 machine it may be that the firewall is blocking virtual networks (typically connected as network type Public), and so we need to either allow ICMP traffic through, or turn the firewall off on the VMWare network. (192.168.x.x) On DESKTOP, open the Windows Network and Sharing Center window. This can be accessed by left clicking the Windows Network Connections Icon, ( or ) in the Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 5

notification area, and selecting Open Network and Sharing Center. (It can aso be accessed via the Windows Control Panel). Check which type of network UBUNTU is connected to (typically Public). Select Change advanced sharing settings, and Turn on file and printer sharing for this network type, as shown below. This should allow ICMP packets used by the ping tool through the firewall for this network type. Retest the connectivity test from WINDOWS2003 to DESKTOP. Was the ping from UBUNTU to DESKTOP successful? YES/NO Linux Services L1.3 To list the running network services in the UBUNTU server, the netstat command can be used. From UBUNTU use netstat -help to check the arguments and options. Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 6

Use the netstat ltu command to determine the services that are running. (-l listening, -t TCP, -u UDP) List some of the services (and their port numbers) which are running on the server: Note: The n flag can be used to find the numeric port numbers of the listening servers. The IANA Port Numbers web page lists the official services and their protocol/portnumbers. Try googling for it. To view the associated processes for the services, on UBUNTU use the p flag such as: sudo netstat antp List some of the services and their processes? Services: Web L1.4 In the virtual Linux server UBUNTU, open a Terminal Window and navigate to the folder /var/www. Use the ls command to list the contents of the directory. What are the names of the files in this directory, and what type of files are they: L1.5 From the host system DESKTOP, using a browser, connect to the Web Server running on UBUNTU using http://w.x.y.z, where w.x.y.z is the IP address of your UBUNTU Linux server, as shown below. Figure 6 - HTTP connection to web server on UBUNTU Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 7

On UBUNTU use the netstat atu command to determine the services that are running. (-a all connections, listening and established, -t TCP, -u UDP) Can you see the established client/server connection between DESKTOP and UBUNTU? What is the client port? From DESKTOP, connect to the Web Server, but this time using telnet from a windows command shell or Putty (you may need to activate the Windows telnet client via Control Panel>Programs & Features>Turn Windows Features On & Off): telnet w.x.y.z 80 and then send the HTTP GET command to the server: GET /index.html What is the response from the web server? How does this relate to accessing the home page, using the web browser? L1.6 On the UBUNTU Linux Server create your own home web page. Open an editor to create a new html web page, using a command such as such as sudo vi or sudo gedit. Save the page with a name such as my_home_page.html, and in the /var/www folder. It should contain a link to the default page (index.html), such as: My Home Page This is a sample HTML page. Click [here] to return to the default home file. Figure 7 - Creating 'My Home Page' web page Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 8

Can you access this new web page, via a browser, from the host (DESKTOP)? YES/NO On UBUNTU, go to /var/log/apache2. What are the contents of the folder? Using the cat filename command or an editor such as vi find out, and explain, what the different files contain: How might these log files be used to trace malicious activity? Figure 8 - Apache Web Server Access Log Services: Telnet L1.7 Connect to the Telnet Server on UBUNTU from DESKTOP using telnet w.x.y.z, where w.x.y.z is the IP address of UBUNTU. Login in with the user: napier (password: napier123). On UBUNTU, use the netstat atu command to determine the services that are running. (-a all connections, listening and established, -t TCP, -u UDP) Can you see the established telent client/server connection between DESKTOP and UBUNTU? Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 9

What is the default home folder for Telnet on UBUNTU? (Look up/google the Linux command to determine the current [working] directory) Quit from Telnet, using the exit command. Services: FTP L1.8 From your host, connect to the FTP Server from DESKTOP, via a web browser using ftp://w.x.y.z, where w.x.y.z is the IP address of UBUNTU, as shown in Figure 9. Figure 9 - FTP connection Open a command line window from DESKTOP, and connect to the FTP Server using the command: telnet w.x.y.z 21 Then enter the commands in bold (and note the some of the commands that you get beside the sample return ones): USER napier 331 Password required for napier. PASS napier123 230- Linux ubuntu 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 230-230- To access official Ubuntu documentation, please visit: 230- http://help.ubuntu.com/ 230-230 User napier logged in. HELP Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 10

214- The following commands are recognized (* =>'s unimplemented). USER PORT STOR MSAM* RNTO NLST MKD CDUP PASS PASV APPE MRSQ* ABOR SITE XMKD XCUP ACCT* TYPE MLFL* MRCP* DELE SYST RMD STOU SMNT* STRU MAIL* ALLO CWD STAT XRMD SIZE QUIT RETR MSOM* RNFR LIST NOOP XPWD PWD 257 "/home/napier" is current directory. TYPE I 200 Type set to I. PASV 227 Entering Passive Mode (192,168,75,136,146,31) LIST Did the LIST command succeed? YES/NO The PASV FTP command opens up a different port for the data transfer. This is calculated from the last two digits of the Passive Mode response (227 response). It is calculated as, the second last (146) digital multiplied by 256, plus the last digital (31). So, in this case, it would be: Port = 146*256 + 31 = 37397 Next, open up the data transfer channel by creating a new Telnet connection, in a second command line window, such as with the command: telnet w.x.y.z 37397 Now try the LIST command again, in the 1 st command window. Did the LIST command succeed? YES/NO On UBUNTU, go to /var/log dir. View the syslog file (using the cat syslog command or the vi editor). What is its contents? How might these log files be used to trace malicious activity? View the contents of /etc/inetd.conf file. How is this used to enable services? Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 11

Services: Remote Desktop L1.9 On the host PC, download the VNC Client application from: http://www.realvnc.com/cgi-bin/download.cgi Downloads Tab, and choose Free Edition once you have installed. Then from the host (DESKTOP), connect to UBUNTU using the VNC Client, as shown in Figure 10. Note: A dialog may appear on the server, which requires you to allow access to the VNC Client program. Figure 10 - VNC Viewer Client Application Which is the service which is running on UBUNTU that allows the remote connection to happen? Figure 11 - VNC Viewer Application with Remote Desktop of UBUNTU Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 12

1.3 Security & Forensics Toolkit Development The objective of this series of labs is to build an integrated Security & Forensic Toolkit in C#. Partially complete versions of the toolkit, written in C#, will be used as a starting point in the labs. A complete, fully functional toolkit can also be downloaded from the link below. The finished toolkit application can be downloaded from: http://buchananweb.co.uk/dotnetclientserver.zip 1.4 Toolkit Development 1 - Windows Utilities This toolkit lab shows how to integrate some Windows command line security utilities in to the toolkit software. This toolkit software development lab has an associated video demo. Video demo of toolkit software development part 1: http://buchananweb.co.uk/adv_security_and_network_forensics/toolkit01/toolkit01.htm For this lab, download the partially finished toolkit application source code (a Visual Studio C# Solution) from the link below: Toolkit source code: http://buchananweb.co.uk/toolkit.zip Extract the source code for the C# Windows Application to a local folder. Next open the toolkit application with Visual Studio (VS) (double click the VS solution file toolkit.sln). You should see the Solution Explorer panel on the right of the VS Window. Open the Toolkit Windows Form by double clicking the client.cs module, from the Solution Explorer panel. The Toolkit form should now be shown in the panel on the left. The Network tab should be displayed, as shown below. Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 13

L1.10 Select the [Network] tab, and to edit the code for the netstat a button, double click it. The event handler code associated with the button should be displayed. Add the following code to the event handler: runprogram("netstat", "-a"); Run the program, and test. L1.11 Select the [Network] tab, and complete the rest of the buttons (see http://buchananweb.co.uk/dotnetclientserver.zip, or the figure below for the functions required). Figure 12 - Buttons to add Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 14

L1.12 Select the [Network] table, and complete the rest of the buttons (netstat a, arp a, nbstat n, systeminfo, ipconfig, ipconfig /all, route print and net view ). See Figure L1.4. For Audit Policy add: runprogram("auditpol", "/get /category:*"); For Clear ARP add: runprogram("netsh", "interface ip delete arpcache"); For Add Firewall Rule: runprogram("netsh", "advfirewall firewall add rule name=\"networksims Rule\" dir=in action=allow protocol=tcp localport=65000"); For Add ICMP Rule: runprogram("netsh", "advfirewall firewall add rule name=\"networksims Rule\" protocol=icmpv4:8,any dir=in action=allow"); For Delete Rule: runprogram("netsh", "advfirewall firewall delete rule name=\"networksims Rule\" dir=in"); For Show Rules: runprogram("netsh", "advfirewall firewall show rule name=\"networksims Rule\""); L1.10 Now add three buttons, and three text boxes (tbping, tbtracert and tbtracert) and add a ping, tracert and nslookup button. Next add the code to each of the buttons: runprogram("ping", tbping.text); runprogram("tracert", tbtracert.text); runprogram("nslookup", tbtracert.text); Adv. Security & Net. Forensics Linux Services Bill Buchanan, Rich Macfarlane 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information