2.0 Hours
Lab Information
TechLab Authors: Dean McDonald and Susan Wilbert
Revision Date: 4/19/2010
Feedback: All comments and suggestions should be submitted via the feedback system, which can be accessed from Course Materials on the StudentWeb.
Prerequisites
Successful completion of requisite Technology Based Training (TBT) courseware and textbook reading.
Knowledge Goal
This lab introduces the concepts of identifying various types of computer and network attacks.
Exam Correlation
6.0 Network Security
6.6 Identify common security threats and mitigation techniques
Setup Requirements
Windows XP Professional Client, No Service Pack
   Client Name / Workgroup Name: Client2 / WORKGROUP1
   IP Address / Subnet Mask: 172.16.0.20 / 255.255.0.0
   Administrator username / password: Administrator / password, or noted here: _____________
   Networked to the Windows Server 2003 computer
   VPC Image Name: XP Client2 No SP Workgroup
Lab Overview
This TechLab will cover the definitions of many attacks, as well as some examples of malicious software and social engineering.
Attacks

Generally, you can split attacks into two broad categories: protocol/service based and application based. Application-based attacks strike at flaws in particular pieces of software, while protocol attacks (such as Teardrop, which sends IP fragments whose offsets overlap) strike at the standardized mechanisms used to transfer data on a network.

Attacks are frequently based on exploits that are specific to an OS or program. A technique known as OS fingerprinting is used to determine the operating system, service pack level, and the presence of various services running on a particular target. Once you know the OS that is running on the target, you can begin to attempt the exploits that might be usable against that particular OS.

OS fingerprinting is accomplished by sending various TCP/IP packets to a target computer and observing the results. The packets are designed to provoke somewhat unusual responses from certain vendors' TCP/IP implementations. When known OS-specific responses are received, the fingerprinting program can identify the OS that the target is running (and often the version and even service pack/patch level).

A good example of OS fingerprinting is ICMP message quoting. Every ICMP error message quotes back part of the original datagram that triggered it. The standard only requires the original IP header plus the first 8 bytes of its data, and each operating system quotes a characteristic amount: some return exactly that minimum, others return the whole original datagram. These peculiarities in the error messages received from different operating systems help identify the remote host's OS, and other fields of the reply, such as the TTL it started with, give further hints. Fingerprinting is an active technique: the probes themselves are visible to an intrusion detection system on the target network.

DoS/DDoS

A Denial-of-Service (DoS) attack is an attempt to flood the target with data, so that either the target network is saturated with traffic or the target host is saturated with requests, resulting in the loss of legitimate use of that system. If you see a significant and sudden increase in network traffic, it is a good indicator that your network or computer might be undergoing a DoS attack. A DoS attack does not have to be a flood, though: a single malformed packet that crashes a vulnerable service has the same effect, as Exercise 1 below demonstrates. A simple DoS attack could also be an attacker entering an unsecured server room and unplugging the server.
This would result in a denial of service to legitimate users. A Distributed Denial-of-Service (DDoS) attack is a type of DoS attack in which the flood is launched against a single target from many systems simultaneously. Attackers can gain access to a large number of machines in a startling variety of ways (usually ending up with root or administrative privileges). A host computer that is controlled by an attacker in this way is often referred to as a drone or zombie. The group of programs that an attacker installs to keep complete, hidden control of a compromised computer is called a rootkit. One tool that an attacker may include in a rootkit is a protocol analyzer or packet sniffer. Sniffing is a method by which an attacker can compromise the

Copyright 2009, TechSkills LLC
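Added example (not part of the original TechLab): the Python script below shows how the ICMP quoting behaviour and the reply TTL described under OS fingerprinting are turned into an OS guess. It builds two constructed "port unreachable" replies to the same UDP probe: one that quotes only the RFC 792 minimum (inner IP header plus 8 bytes) with a TTL that started at 128, as Windows does, and one that quotes the whole original datagram with a TTL that started at 64, as Linux does. The packet builder, the two signature rules and the host labels are assumptions made for this example; a real fingerprinter such as Nmap combines dozens of probes, and TTL alone is unreliable through NAT or tunnels.

```python
import struct


def build_ipv4(ttl: int, proto: int, payload: bytes,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 header with no options. The checksum is left at zero because this
    example only parses packets it built itself and never verifies checksums."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         ttl, proto, 0, src, dst)
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {"ihl": ihl, "ttl": packet[8], "proto": packet[9], "payload": packet[ihl:total_len]}


def guess_initial_ttl(observed: int) -> int:
    """Stacks start TTL at 64 (Linux, BSD), 128 (Windows) or 255 (Solaris, Cisco) and every
    router on the path subtracts one, so the smallest default not below the observed value
    is the likely starting point."""
    return next(init for init in (64, 128, 255) if observed <= init)


def fingerprint_icmp_error(reply: bytes) -> dict:
    """Inspect an ICMP Destination Unreachable reply: how much of our probe was quoted back,
    and what TTL did the reply start with? Both rules are assumed signatures for this example."""
    outer = parse_ipv4(reply)
    if outer["proto"] != 1:
        raise ValueError("not an ICMP packet")
    icmp = outer["payload"]
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[8:]                          # type(1) code(1) checksum(2) unused(4), then the quote
    inner = parse_ipv4(quoted)
    quoted_data = len(quoted) - inner["ihl"]   # bytes of our transport-layer probe echoed back
    init_ttl = guess_initial_ttl(outer["ttl"])
    if quoted_data == 8 and init_ttl == 128:
        guess = "Windows"                      # RFC 792 minimum quote, TTL starts at 128
    elif quoted_data > 8 and init_ttl == 64:
        guess = "Linux"                        # quotes the whole datagram, TTL starts at 64
    else:
        guess = "unknown"
    return {"code": code, "quoted_data_bytes": quoted_data, "initial_ttl": init_ttl,
            "hops": init_ttl - outer["ttl"], "guess": guess}


# Constructed probe: a UDP datagram to a high port with 24 bytes of payload, the kind of
# packet a traceroute-style scanner sends to provoke a "port unreachable" error.
UDP_PROBE = build_ipv4(64, 17, struct.pack("!HHHH", 40000, 33434, 8 + 24, 0) + b"A" * 24)


def build_unreachable_reply(ttl: int, quoted: bytes) -> bytes:
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted       # type 3, code 3: port unreachable
    return build_ipv4(ttl, 1, icmp, src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01")


# Host A quotes only the inner IP header plus 8 bytes and sits 3 hops away, TTL from 128.
WINDOWS_REPLY = build_unreachable_reply(125, UDP_PROBE[:28])
# Host B quotes the entire original datagram and sits 5 hops away, TTL from 64.
LINUX_REPLY = build_unreachable_reply(59, UDP_PROBE)

if __name__ == "__main__":
    for label, reply in (("host A", WINDOWS_REPLY), ("host B", LINUX_REPLY)):
        print(label, fingerprint_icmp_error(reply))
```

Running the script prints one dictionary per host with the quoted byte count, the inferred starting TTL, the hop distance and the guess. The two rules are deliberately narrow; any reply that fits neither is reported as unknown rather than forced into a category.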
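Added example (not from the original lab): the "sudden increase in network traffic", the half-open connections a SYN flood leaves behind, and the broadcast-addressed echo requests of a Smurf attack can all be spotted in a packet capture. The script below runs three small detectors over a constructed capture (a list of packet summaries, not real traffic) that mixes ten seconds of ordinary web connections to the lab client 172.16.0.20 with one second of attack traffic. The field names, thresholds and addresses are assumptions made for the example.

```python
import ipaddress
import statistics
from collections import Counter

LAB_NET = ipaddress.ip_network("172.16.0.0/16")     # the lab subnet from the setup table
BROADCAST = str(LAB_NET.broadcast_address)          # 172.16.255.255
TARGET = "172.16.0.20"                              # Client2


def half_open_connections(packets) -> Counter:
    """Count, per destination, client SYNs never followed by the client's handshake-completing
    ACK. Ordinary connections are removed as they complete; a SYN flood's entries stay."""
    pending = {}
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            pending[key] = p["ts"]
        elif p["flags"] == "A":
            pending.pop(key, None)
    return Counter(dst for (_, _, dst, _) in pending)


def detect_syn_flood(packets, threshold=50) -> dict:
    return {dst: n for dst, n in half_open_connections(packets).items() if n >= threshold}


def detect_smurf(packets) -> Counter:
    """ICMP echo requests to the network broadcast address. Every host answers the source
    address, which is spoofed, so the source names the victim rather than the attacker."""
    return Counter(p["src"] for p in packets
                   if p["proto"] == "icmp" and p["type"] == 8 and p["dst"] == BROADCAST)


def detect_traffic_spike(packets, window=1.0, factor=10) -> dict:
    """Flag time windows carrying at least `factor` times the median window's packet count."""
    buckets = Counter(int(p["ts"] // window) for p in packets)
    baseline = statistics.median(buckets.values())
    return {b: n for b, n in sorted(buckets.items()) if n >= factor * baseline}


def constructed_capture() -> list:
    """Constructed packet summaries: ten quiet seconds, then one second of attack traffic."""
    pkts = []
    for t in range(10):                       # three completed handshakes per second to port 80
        for c in range(3):
            client, sport, ts = f"172.16.1.{c + 1}", 40000 + t, t + c * 0.1
            pkts.append(dict(ts=ts, proto="tcp", src=client, sport=sport, dst=TARGET, dport=80, flags="S"))
            pkts.append(dict(ts=ts + 0.01, proto="tcp", src=TARGET, sport=80, dst=client, dport=sport, flags="SA"))
            pkts.append(dict(ts=ts + 0.02, proto="tcp", src=client, sport=sport, dst=TARGET, dport=80, flags="A"))
    for i in range(200):                      # 200 SYNs from spoofed sources, never completed
        pkts.append(dict(ts=10 + i * 0.001, proto="tcp", src=f"203.0.113.{i % 254 + 1}",
                         sport=1024 + i, dst=TARGET, dport=80, flags="S"))
    for j in range(30):                       # 30 echo requests to broadcast, victim as source
        pkts.append(dict(ts=10.5 + j * 0.001, proto="icmp", type=8, src=TARGET, dst=BROADCAST))
    return pkts


if __name__ == "__main__":
    capture = constructed_capture()
    print("SYN flood targets:", detect_syn_flood(capture))
    print("Smurf victims:", dict(detect_smurf(capture)))
    print("traffic spikes (window -> packets):", detect_traffic_spike(capture))
```

The half-open counter is keyed on the full four-tuple, so a flood from thousands of spoofed sources shows up as one large count against the victim rather than many tiny ones. The spike detector compares each window with the median of all windows, which keeps a single burst from dragging the baseline up with it.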
Supporting Security Efforts with Virtual Environments

Virtual environments such as those created with VMware, Microsoft Virtual PC/Virtual Server, VirtualBox, Xen, and others allow you to run one or more operating systems on a single computer. For example, you can install VirtualBox on a Linux computer and run an instance of Windows Vista in a virtual machine (VM) inside VirtualBox. The Windows Vista VM uses the hardware resources of the host computer, but it is contained within the virtual environment. This lets you run the VM in a sandbox that is cordoned off from the host machine. Researchers often run and test security software and malware in virtual environments because they can readily duplicate VMs, control them, and study the effects of the security software or malware without risking damage to the host machine or operating system. The isolation is strong but not absolute: some malware checks whether it is running inside a VM and behaves differently, and flaws that let a guest escape to the host have been found, so an analysis VM should also sit on an isolated network segment (as the lab network here does) and be reverted to a clean snapshot after each run.

Antivirus Protection

To help combat infection of network computers, you need an antivirus protection strategy. The first layer is scanning at the network boundary: a firewall or proxy server (software and/or hardware) that inspects traffic in real time for identified malicious code before it reaches the clients. The second layer is antivirus software on each computer. An antivirus program scans files, folders, and programs in real time. It relies on virus definitions, which describe the characteristics of known viruses; the program uses those definitions to scan network packets, files, folders, and registry settings on a computer, looking for known virus files or suspicious activity. In network environments that contain many computers it is general practice to install an antivirus suite on a central server that downloads definition updates and schedules and runs scans on the client computers. The central antivirus server manages all the client computers from one console.
This dramatically reduces the administrative burden on network administrators because they can configure the central server to perform the various antivirus tasks; they do not need to touch each computer on the network to update the virus definitions or run scans. Many companies produce antivirus suites, but most perform three basic functions: they monitor real-time activity, they perform periodic scans of the computer, and they remove or quarantine known viruses. During real-time protection, the software monitors the master boot record (MBR), system files, network packets, and files as they are opened for known virus activity. During a scheduled or manual scan, it inspects the MBR, system files, and all other files and programs on the hard drive, floppy, or other storage drives. Most can perform deep scans that look inside compressed files such as .zip archives. The scanner compares each file with the known virus characteristics in its definitions: file name, file location, and specific text or code (signatures) in the file. If it finds a suspected virus, it moves the infected file to a special protected location on the hard drive; this is known as quarantining (or locking) the file. After a complete scan, the antivirus software attempts either to clean an infected file or to remove it from the computer.

Antivirus protection is only as good as its current virus definitions. New viruses and malicious code are produced daily, and antivirus companies release new definitions to deal with them. Out-of-date definitions will miss new viruses because the scanner is not aware of them, so when installing and configuring antivirus software on a network it is important to update definitions and run scans often. Most antivirus software will automatically download and install updated definition files, usually at least once a day and sometimes more frequently.
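Added example, not from the original lab or from any antivirus vendor: a miniature signature scanner in Python that does what the paragraphs above describe. It holds two kinds of definitions (a byte pattern and a whole-file hash), scans every file under a directory, looks inside .zip archives, and moves anything it matches into a quarantine folder. Everything it scans is constructed in a temporary directory: the pattern and the "dropper" blob are arbitrary bytes invented for the example, not real malware (to exercise a real scanner, use the EICAR test file instead). A copy of the blob with one extra byte is included on purpose to show the caveat about definitions: the hash signature misses it, and no scanner catches what its definitions do not describe.

```python
import hashlib
import io
import pathlib
import shutil
import tempfile
import zipfile

# Constructed "virus definitions" for this example. A real definition file carries thousands
# of entries; these two show the two common kinds: a byte pattern found inside a file, and a
# hash of the whole file. Neither refers to real malware.
MARKER = b"CONSTRUCTED-MALWARE-MARKER-2009"
DROPPER = b"MZ\x90\x00" + b"constructed sample body " * 4
DEFINITIONS = {
    "Constructed.Marker": {"pattern": MARKER},
    "Constructed.Dropper": {"sha256": hashlib.sha256(DROPPER).hexdigest()},
}


def scan_bytes(data: bytes) -> list:
    """Compare one file's contents against every definition; return the names that match."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for name, sig in DEFINITIONS.items():
        if sig.get("sha256") == digest or (sig.get("pattern") and sig["pattern"] in data):
            hits.append(name)
    return hits


def scan_file(path: pathlib.Path) -> dict:
    """Scan a file; for a .zip archive do a 'deep scan' of each member instead of the container."""
    data = path.read_bytes()
    if zipfile.is_zipfile(io.BytesIO(data)):
        results = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hits = scan_bytes(zf.read(member))
                if hits:
                    results[f"{path.name}!{member}"] = hits
        return results
    hits = scan_bytes(data)
    return {path.name: hits} if hits else {}


def scan_tree(root: pathlib.Path, quarantine: pathlib.Path) -> dict:
    """On-demand scan of a directory tree: report every hit and move infected files to quarantine."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = scan_file(path)
        if hits:
            report.update(hits)
            shutil.move(str(path), str(quarantine / (path.name + ".quarantined")))
    return report


def build_sample_tree(root: pathlib.Path) -> None:
    """Constructed files for the demonstration."""
    (root / "clean.txt").write_bytes(b"quarterly report, nothing to see")
    (root / "marker.com").write_bytes(b"header " + MARKER + b" trailer")
    (root / "dropper.exe").write_bytes(DROPPER)
    (root / "dropper_v2.exe").write_bytes(DROPPER + b"\x00")   # one byte added: hash no longer matches
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner/marker.com", MARKER)
        zf.writestr("inner/readme.txt", b"harmless")
    (root / "archive.zip").write_bytes(buf.getvalue())


def demo() -> tuple:
    """Build the sample tree, scan it, and return (report, files left in place, files quarantined)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, quarantine = pathlib.Path(tmp) / "share", pathlib.Path(tmp) / "quarantine"
        root.mkdir()
        quarantine.mkdir()
        build_sample_tree(root)
        report = scan_tree(root, quarantine)
        remaining = sorted(p.name for p in root.iterdir())
        quarantined = sorted(p.name for p in quarantine.iterdir())
    return report, remaining, quarantined


if __name__ == "__main__":
    report, remaining, quarantined = demo()
    for location, names in report.items():
        print(f"{location}: {', '.join(names)}")
    print("left in place:", remaining)
    print("quarantined:", quarantined)
```

The archive is quarantined as a whole even though only one member matched, which is what most products do: the container is the unit the user can act on. The modified dropper survives the scan untouched, which is the point of the closing paragraph above: a definition update (a new hash, or a pattern that covers both variants) is the only thing that would catch it.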
Step-by-Step Instructions
Exercise 1

Exercise Summary: During this exercise you will use the SMBDIE.exe program to perform a denial of service attack on a Windows XP Professional client computer.

1) Prepare the attack environment
   a. Prepare the Windows Server 2003 computer
      i) Boot and logon to the Windows Server 2003 computer as the local Administrator.
      ii) Remove Internet Explorer Enhanced Security.
         (1) Click Start, point to Control Panel, click Add or Remove Programs.
         (2) Click the Add/Remove Windows Components button.
         (3) In the Windows Components Wizard, scroll down to and uncheck Internet Explorer Enhanced Security Configuration, click Next.
         (4) The Enhanced Security Configuration of Internet Explorer on Windows Server 2003 does not allow you to open any web sites that are not trusted. By default only some Microsoft and Windows Update sites are trusted. Click Finish.
         (5) Close Add or Remove Programs.
      iii) Open Internet Explorer.
         Note: If this is the first time you have connected to the Internet, Internet Explorer will close and the New Connection Wizard will start. Complete the wizard to create a new Internet connection, open Internet Explorer again, and browse to and logon to the StudentWeb.
         (1) In the Address bar, type https://secure.techskills.com/studentweb.
         (2) Log into your StudentWeb.
         (3) Download the attack files:
            (a) Browse to the Supplemental folder for the course on the StudentWeb, download the lc5setup.zip and SMBdie.zip files, and save them to the Desktop.
            (b) Close all open windows.
         (4) Extract the attack files:
            (a) Right click the lc5setup.zip file, click Extract All..., click Next, click Next, click Finish.
            (b) Close the window that opens.
            (c) Repeat this process to extract the SMBdie.zip file.
         (5) Prepare network adapters and TCP/IP settings:
            (a) Configure a Static IP address for the Local Area Connection
               (i) Open the Local Area Connection properties
                  1. Click Start, point to Control Panel, point to Network Connections, right click the Local Area Connection, click Properties.
                  2. Select the Internet Protocol (TCP/IP) entry, click Properties.
                  3. Verify/Assign the Internet Protocol (TCP/IP) Properties as follows. All other settings on this page should be left blank.
                  4. Close all open windows.
   b. Prepare the Windows XP Professional computer
      i) Boot and logon to the Windows XP Professional computer as the local Administrator.
      ii) Prepare network adapters and TCP/IP settings:
         (1) Configure a Static IP address for the Local Area Connection:
            (a) Open the Local Area Connection properties:
               (i) Click Start, click Control Panel, double click Network Connections, right click the Local Area Connection, click Properties.
               (ii) Select the Internet Protocol (TCP/IP) entry, click Properties.
               (iii) Verify/Assign the Internet Protocol (TCP/IP) Properties as follows. All other settings on this page should be left blank.
                  1. Click the Advanced... button, click the WINS tab, verify the Enable NetBIOS over TCP/IP radio button is selected, click OK, click Yes on the Microsoft TCP/IP information window, click OK, click OK, click Close.
               (iv) Disable all other network interfaces:
                  1. Disable all network interfaces EXCEPT the Local Area Connection. To do so, right click any other network connections that are displayed, click Disable. This will disable all but the Local Area Connection with the TCP/IP settings you verified/assigned earlier.
                  Online TechLab Note: Make sure you disable the network connection named DO NOT Modify Internet Connection.
      iii) Obtain the name of the computer:
         (1) Click Start, right click My Computer, click Properties.
         (2) Click the Computer Name tab, note the Full computer name: of this computer: ________________________
         (3) Close all open windows.
2) Perform a Denial of Service Attack
   b. On the Windows Server 2003 computer, double click the SMBdie folder on the Desktop, then double click the SMBdie.exe program. This opens the SMBDIE.exe program, a proof-of-concept program that performs a denial of service attack on a Windows client by sending malformed Server Message Block (SMB) packets. It only works against systems that have not received the Microsoft update for this flaw, which is why the lab client is Windows XP with no service pack; run it only against the isolated lab VM.
   c. Enter the Computer (IP address) and NETBIOS name of the Windows XP Professional client into the appropriate textboxes.
   d. Click the KILL button. In the SMBdie.exe application window you should see it connect to the target system, identify the operating system, and then send the exploit. If you observe the target machine you should see it stop functioning with a Blue Screen of Death (BSoD), or it may restart automatically. Notice that no flood of traffic is needed: one specially crafted request to a vulnerable service is enough to deny service.
   e. Close all open windows.
3) Using @stake LC5 to run a Dictionary Password Attack
   a. Create user accounts
      i) On the Windows Server 2003 computer create two new user accounts.
         (1) Create a new user named user1 and assign a simple password that is a word normally found in a dictionary. Refer to these instructions if you do not remember how to create a user account: click Start, right click My Computer, click Manage, expand Local Users and Groups, right click Users, click New User.
   b. Create a second user account named user2. Assign a more complex password using letters and numbers.
   c. Install the LC5 Password Cracking Program: You will now use a password recovery/cracking program to recover the new user accounts' passwords. The program you will use is called LC5, made by a company named @stake. Install the application on your machine.
   d. On the Windows Server 2003 computer, double click the lc5setup folder on the Desktop, double click the lc5setup.exe program to start the installation, click Next, click Next, click Yes, click Next, click Next, click Next, click Finish.
   e. Start the application. To do so, click Start, click All Programs, click LC5, click LC5.
   f. Click on the Trial button, click Next.
   Online TechLab Note: The screens for the LC5 program are larger than this and will display off the viewable screen area. Switch to full screen mode using the F12+Enter key combination. To switch back to normal view press the F12+Enter keys again.
   g. Select the Retrieve from the local machine radio button, click Next.
   h. Select the Common Password Audit radio button, click Next. Strong Password Audit is only available in the registered version of this program.
   i.
   j. Make sure all the checkboxes are selected on the Pick Reporting Style dialog window, click Next.
   k. Click Finish to begin the Audit. You will see that in a remarkably short amount of time the usernames for this system are enumerated and the passwords are cracked for Administrator and user1. Since user2 has a more complex password it will not be cracked by the dictionary audit in the Trial version of the software. The full version adds brute-force auditing, which will eventually find a short password like user2's but takes far longer; a long password drawn from a large character set stays out of reach. The dictionary passwords fall so quickly because Windows stores password hashes (LM and NT) that are unsalted and cheap to compute, so every word in the list can be hashed once and compared against every account. Take note of the statistics available on the right-hand side of the screen.
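To see why the dictionary audit finishes so quickly, here is an added example, not part of the original lab and not LC5's own code, that performs the same kind of attack in Python against NT hashes. The NT hash is MD4 over the UTF-16LE encoding of the password with no salt, so one lookup table built from the wordlist serves every account at once. The MD4 implementation follows RFC 1320; the three "dumped" accounts, their passwords and the wordlist are constructed for the example (a real audit reads the hashes from the SAM, which is what "Retrieve from the local machine" does), and the LM hash that LC5 also attacks is not implemented here.

```python
import struct

MASK = 0xFFFFFFFF


def _md4_compress(state, block):
    """One MD4 compression over a 64-byte block (RFC 1320: three rounds of 16 operations)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for func, const, shifts, order in rounds:
        for i, k in enumerate(order):
            a = rotl((a + func(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)          # message length in bits, little-endian
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password. No salt and no iteration count: the same
    password always yields the same hash, on every account and every machine."""
    return md4(password.encode("utf-16-le")).hex().upper()


def candidates(word: str):
    """The simple mangling a 'common password' audit applies to each dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for digit in range(10):
        yield f"{word}{digit}"


def dictionary_attack(account_hashes: dict, wordlist) -> dict:
    """Hash every candidate once, then look each account's hash up in the table. Because the
    hashes are unsalted the cost is (words) + (accounts), not (words x accounts)."""
    table = {}
    for word in wordlist:
        for cand in candidates(word):
            table.setdefault(nt_hash(cand), cand)
    return {user: table.get(h) for user, h in account_hashes.items()}


# Constructed stand-in for the three accounts in the lab. In practice the hashes come from
# the SAM database; here they are computed from chosen passwords so the example runs offline.
LAB_ACCOUNTS = {
    "Administrator": nt_hash("password"),   # the lab's default Administrator password
    "user1": nt_hash("sunshine"),           # a dictionary word, as step 3 a asks for
    "user2": nt_hash("Tr7x9Qp2"),           # letters and numbers, as step 3 b asks for
}
WORDLIST = ["password", "letmein", "welcome", "sunshine", "dragon", "monkey", "qwerty"]

if __name__ == "__main__":
    for user, recovered in dictionary_attack(LAB_ACCOUNTS, WORDLIST).items():
        print(f"{user:14} {LAB_ACCOUNTS[user]}  ->  {recovered or '(not cracked)'}")
```

Administrator and user1 are recovered from a seven-word list; user2 is not, exactly as in the LC5 audit, because nothing in the wordlist or its mangling produces that string. Adding a brute-force pass over eight-character alphanumerics would find it eventually, which is the difference between the trial and the full product, but the table lookup itself stays the same.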
4) Researching the NETBUS Trojan Horse
   a. Log onto the Windows XP Professional computer as Administrator.
   b. Re-enable the Internet connection.
   c. Open Internet Explorer, browse to http://www.symantec.com.
   d. In the Search field type Backdoor.Netbus, click Search.
   e. Click the Backdoor.Netbus.444051 - Symantec.com link.
   f. Summarize the Technical Details below:
      _______________________________________________________________________________________
      _______________________________________________________________________________________
      _______________________________________________________________________________________
      _______________________________________________________________________________________
      _______________________________________________________________________________________
      _______________________________________________________________________________________

Exercise 2

Exercise Summary: Download the latest version of a free antivirus program, avast!, and install it on a Windows 2003 Server.

1) Install Antivirus Software
   a. Install from CD-ROM / .iso file:
      Online TechLab Note: The avast! software has been downloaded and saved to an .iso file in the CD-ROM .iso Files folder. The .iso file is named avast Antivirus Server 60 day Evaluation.iso. You do not need to download the file from the avast! website. Simply mount the .iso file, browse to the CD-ROM, and continue with the next step.
      i) Insert the avast! Antivirus Server 60 day Evaluation CD-ROM or mount the .iso file.
      ii) Browse to the CD-ROM and double click the installation program. Continue to step 1) c.
   b. Install from downloaded program:
      Note: If this is the first time you have started Internet Explorer, the New Connection Wizard starts. Click Next, click the Connect to the Internet radio button, click Next, click the Connect using a broadband connection that is always on radio button, click Next, click Finish.
      ii) Click Tools, click Internet Options, click the Security tab, slide the security level slider to Medium, click OK.
      Note: This action reduces the security of the local system, but it will allow you to download and install the avast! antivirus software. Restore the previous security level once the installation is complete.
      iii) Type http://www.avast.com in the address bar, press Enter.
      Note: The following instructions are current as of the time this lab was written. The avast! website may change. You may have to adapt these instructions if the site changes.
      iv) Click the download link on the top of the screen.
      v) Click the Programs link on the left-hand side of the screen.
      vi) Click the avast! Server Edition link on the left-hand side of the screen.
      vii) Click the Download button.
      viii) Save the file to the Desktop.
      ix) Click Open when the download completes.
   c. Install avast! Server Edition software:
      i) The Installation program starts. Click Next, click Next, click Next.
      ii) Click the I agree radio button, click Next, click Next, click Next.
      iii) Click Demo, click OK.
      iv) Click Next.
      v) Click No. You will not schedule a boot-time scan. You will perform a manual scan after you restart.
      vi) Click Finish to restart.
2) Configure Antivirus Software
   a. Update avast! Server Edition Software:
      i) After restart, login as the local Administrator.
      ii) Click the avast! Resident Protection popup balloon in the notification area. This will start the avast! Server Deployment Wizard, click Next.
      iii) Click the Normal Server radio button, click Next.
      iv) Leave the default setting for avast! Server plug-ins, click Next.
      v) This software has the ability to send e-mail notifications for important events. You could enter e-mail setting information and configure the software to notify an administrator when an event occurs. Leave the e-mail settings blank, click Next.
      vi) Click Finish.
      vii) In the background the software will connect to the Internet and download the latest virus definition database. It will then install the database so the server has the latest protection files installed. You will see a popup window when the database has been updated.
      viii) To verify this has happened, right click the avast! icon in the notification area on the Desktop, point to Updating, click !AVS Update. The software will check the local files against the latest files on the avast! servers. It will display a message that states that the virus database is up to date, click Close.
   b. Run a manual scan of the server:
      i) Right click the icon, click Start avast! Antivirus. A memory test will run.
      ii) Maximize the program.
      iii) Click the Tasks option. Notice the list of default tasks.
      iv) Right click the Scan: local disks option in the right hand pane, click Run. Notice the scan starts and details about the scan are displayed in the bottom right-hand window.
      Note: This scan can take quite a long time to complete; feel free to cancel the scan at any time and move on to the next step. To cancel the scan, right click the Scan in the left hand
Lab Validation
To validate that you completed this lab correctly, answer the following question and verify it with your Instructor. Use regedit to locate the answer. If you are unable to locate the answer, see your instructor.
1. Open the registry editor (Start, Run, Regedit). Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\aswcsfile\shell\open\command. What is the default value data entry for that key? (The shell\open\command value of a file-type class records the program Windows runs to open files of that type; this class is created when avast! is installed, so the value only exists if the installation completed.)
   ____________________________________________________________________
Exercise 3

Exercise Summary: Identifying Attacks. Match the following attacks with a scenario below. Each attack may be used more than once. Attempt to perform this activity without looking back at the Lab Overview section, or without any other assistance.

A. DoS
B. Smurf
C. Ping of Death
D. SYN Flood
E. Dictionary Attack
F. Spoofing Attack
G. Replay Attack
H. Man-in-the-Middle
I. Social Engineering
J. DDoS
K. Dumpster Diving

_____ Natalie receives an Instant Message asking for her account and password. The person sending the message states that it comes from her IT department because they need to do a backup of her hard drive.
_____ You analyze a network trace capture file and find that a number of packets on your network have been intercepted and retransmitted to both the sender and receiver.
_____ You are a Network Administrator for a college campus in New York. You get a call from a Network Administrator for a business in Austin, Texas, who says his network is getting attacked from machines on your campus network. You have noticed that your network is particularly sluggish today.
_____ While conducting a password audit of your company you find that many users configure their passwords using simple and meaningful things such as pet names and birthdays. You decide you need to explain to them that this makes them more vulnerable to a certain type of attack.
_____ You find that a domain name server is resolving a domain name to a different IP address than it is supposed to and thus misdirecting Internet traffic.
_____ You discover an unauthorized wireless access point under an Accounting Department employee's desk. Upon questioning her, she denies that she knew it was even there. She does inform you that an employee from your company's branch office in Topeka, Kansas, recently visited her office and asked if he could use the office for the day. She agreed. Your company has no branch office in Topeka.
_____ You are an Assistant Network Admin for a small company. You are enjoying the scenic view from your office of the back alley of your company's building. You notice that two individuals are digging through the trash located in the dumpsters below your window.
_____ You notice a significant increase in network traffic and determine that an attack has occurred on your network. You determine that there was no theft of information or other security loss, but you have lost the use of that system until you can get it back up.
_____ While monitoring your network you notice that it is saturated with ICMP ECHO requests.
_____ You notice a number of half-open TCP handshakes on your server. These half-open connections are starting to pile up in your server's buffer.
_____ You have heard of a type of attack that is making its way through many organizations' networks. You have installed CHAP to guard against this type of attack.
_____ While monitoring your network you notice that a number of ICMP packets with spoofed IP addresses are being sent to your network's broadcast IP address.
_____ You find NetBus and Master's Paradise installed on a number of machines on your network. By researching them on Symantec's website you find that they actually deliver malicious code.
_____ A piece of malicious code that can replicate itself by infecting other programs and modifying them to include a version of itself.
_____ You receive an email that says the following: "There's a new virus which was found recently which will erase the whole 'C' drive. If u gets a mail with the subject "Osama Vs Bush", please delete that mail right away. Otherwise it will erase the whole C drive. As soon as you open it, it asks "will this war affect the world economy?" If you click on any button, your system will be shut down and will never boot again. It already caused a major damage in the US, INDIA and few other parts of the world. The remedy for this has not yet been discovered. So please forward this mail to as many people as possible and let everybody be aware of this. Be Careful. I received this in the mail and am passing it along. I hope that you and your computer stay healthy." You decide to research it on the Symantec website under the words Osama vs. Bush.
_____ An application that appears to perform a useful function, but instead contains some sort of malicious code. It often uses Visual Basic Scripting (VBS).
_____ This malicious code replicates itself from system to system without attaching to a file.
_____ An employee was recently fired. You are cleaning out his computer. You click on an unknown icon on his desktop. After clicking on the icon the computer crashes and the hard drive is wiped clean.
Assessment
To provide assessment for this lab, answer the following questions for evaluation by your Instructor.
1) What is the minimum password length to deter dictionary attacks?
   ____________________________________________________________________________________________
2) Hashed passwords are particularly vulnerable to what attack?
   ____________________________________________________________________________________________
3) What is the definition of a Trojan horse?
   ____________________________________________________________________________________________
   ____________________________________________________________________________________________
   ____________________________________________________________________________________________
4) What is the main difference between viruses and Trojan horses?
   ____________________________________________________________________________________________
5) What is the most effective method for fighting social engineering attacks?
   ____________________________________________________________________________________________
6) What kind of attack is a SYN flood an example of?
   ____________________________________________________________________________________________
7) What are the most common attacks carried out at the transport layer of the OSI model?
   ____________________________________________________________________________________________
8) Sniffing is an example of a _______________ attack.
9) What is a rootkit?
   ____________________________________________________________________________________________
   ____________________________________________________________________________________________
10) What is the best technical solution for reducing the threat of a man-in-the-middle attack?
   ____________________________________________________________________________________________
11) What network attack uses ICMP and improperly formatted MTUs to crash a target computer?
   ____________________________________________________________________________________________
12) To combat social engineering attacks through Instant Messaging, what is the most effective method?
   ____________________________________________________________________________________________
13) Describe OS fingerprinting.
   ____________________________________________________________________________________________
After lab completion, please validate this lab and check your answers with an Instructor.