You are on page 1of 55

C E H

Lab M a n u a l

Evading IDS, Firewalls, and Honeypots
M o d u le 17

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Intrusion D e t e c t i o n S y s t e m
A n in tr u s io n d e te c tio n s y s te m a n d /o r ( ID S ) is a d e ric e o r s o ftw a re a p p lic a tio n m a lic io u s a c tiv itie s th a t

m o n ito rs

n e tir o r k

s y s te m

a c tiv itie s f o r

o r p o lic y

v io la tio n s a n d p ro d u c e s re p o rts to a M a n a g e m e n t S ta tio n .

I CON
[£ Z 7 V a lu a b le

KEY

L a b S c e n a r io

in fo rm a tio n

S

T est your k n o w le d g e

=

W e b e x e rc is e

m

W o r k b o o k r e v ie w

Due to a growing number of intrusions and since the Internet and local networks have become so ubiquitous, organizations increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are those diat have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities 111 a network. The key is then to detect and possibly prevent activities that may compromise system security, 01‫ ־‬a hacking attempt 111 progress including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a “process ot identifying and responding to malicious activity targeted at computing and networking resources.” 111 addition, IDS tools are capable ot distinguishing between insider attacks originating from inside the organization (coming from own employees or customers) and external ones (attacks and the threat posed by hackers) (Source: http://www.windowsecurity.com)
111 order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention system (IPSes), IDSes, malicious network activity, and log information.

L a b O b je c tiv e s
& Too ls

D e m o n s tra te d in th is lab a re lo c a te d a t D:\CEHT oo ls\C E H v8 M o du le 17 Evading IDS, F ire w a lls , and H o n eyp o ts

The objective ot tins lab is to help students learn and detect intrusions network, log, and view all log tiles. In tins lab, you will learn how to: ■ Install and configure Snort ■ Run Snort as a service ■ Log snort log files to Kiwi Syslog server IDS

111

a

■ Store snort log files to two output sources simultaneously
L a b E n v ir o n m e n t

To earn‫ ׳‬out tins lab, you need: ■ A computer mnning Windows Seiver 2012 as a host machine ■ A computer running Windows server 2008, Windows 8, 01‫־‬Windows 7 as a virtual maclnne WniPcap drivers nistalled 011 the host maclinie

C E H Lab Manual Page 847

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

■ Notepads-+ installed 011 the host machine ■ Kiwi Svslog Server installed 011 the host machine ■ Active Perl installed 011 the host machine to mil Perl scnpts ■ Administrative pnvileges to configure settings and run tools ■ A web browser with Internet access
L a b D u r a t io n

Time: 40 Minutes
O v e r v ie w o f In tr u s io n D e te c tio n S y s te m s

An intrusion detection system (IDS) is a device 01‫ ־‬software application that monitors network and/01‫ ־‬system activities for malicious activities 01‫ ־‬policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but tins is neither required 1101‫ ־‬expected of a monitoring system. 111 addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly even* organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping die attack itself, changing the security environment. IDPSes are primarily focused 011 identifying possible incidents, logging information about diem, attempting to stop them, and reporting them to security administrators.

O v e rv ie w

Pick an organization diat you feel is worthy of your attention. Tins could be an educational institution, a commercial company, 01‫־‬perhaps a nonprofit charity. Recommended labs to assist you 111 using IDSes: ■ Detecting Intrusions Using Snort ■ Logging Snort Alerts to Kiwi Svslog Server ■ Detecting Intruders and Worms using KFSensor Honeypot IDS ■ HTTP Tunneling Using HTTPort
L a b A n a ly s is

Analyze and document the results related to tins lab exercise. Give your opinion 011 your target’s security posture and exposure.

C E H Lab Manual Page 848

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

PLE A SE

TA LK

TO

Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB.

H A V E

Q U E ST IO N S

C E H Lab Manual Page 849

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

D e l e c t i n g

Intrusions u s i n g S n o r t

S n o r t is a n o p e n s o u rc e n e tir o r k in tr u s io n p r e v e n tio n a n d d e te c tio n s y s te m ( ID S /IP S ) .

I C ON
/ V a lu a b le

KEY

L a b S c e n a r io

in fo rm a tio n

T est your k n o w le d g e □

W e b e x e rc is e

m

W o r k b o o k r e v ie w

The trade of die intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks 011 the Internet, prompting network security to become a great concern. Analysts do tins by IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trencUng data from the Internet. The IDS attacks are becoming more culuired, automatically reasoning the attack scenarios ni real time and categorizing those scenarios becomes a critical challenge. These result ni huge amounts of data and from tins data they must look for some land of pattern. However, die overwhelmnig dows of events generated by IDS sensors make it hard for security adnnnistrators to uncover hidden attack plans.
111 order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

&

Too ls

D e m o n s tra te d in th is lab a re lo c a te d a t D:\CEHToo ls\C E H v8 M o du le 17 Evading IDS, F ire w a lls , and H o n eyp o ts

L a b O b je c tiv e s

The objective of tins lab is to familiarize students widi IPSes and IDSes.
111 tliis lab, you

need to:

■ Install Snort and verify Snort alerts ■ Configure and validate snort.conf file ■ Test the worknig of Snort by carrying out an attack test ■ Perform mtmsion detection ■ Configure Omkmaster
L a b E n v ir o n m e n t

To earn‫ ־‬out dns lab, you need:

C E H Lab Manual Page 850

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

■ A computer running Windows Server 2012 as a host machine ■ Windows 7 running on virtual macliuie as an attacker macliuie ■ WmPcap dnvers installed on die host machine ■ Notepad++ installed on the host macliuie ■ Kiwi Svslog Server installed on the host macliuie ■ Active Perl installed on the host machine to nui Perl scripts ■ Administrative privileges to configure settings and run tools
L a b D u r a t io n

Time: 30 Minutes
O v e r v ie w In tr u s io n
Y ou can also download Snort from http://www.s rt. g.

o f

In tr u s io n

P r e v e n tio n

S y s te m s

a n d

D e te c tio n S y s te m s

110 01

A11 IPS is a n e tw o r k s e c u rity appliance that m o n ito rs a network and system activities for m a lic io u s activity. The main functions of IPSes are to id e n tify malicious activity, log in fo rm a tio n about said activity, attempt to b lo c k /s to p activity, and report activity. A11 IDS is a device or software application that m o n ito rs network and/or system activities for m a lic io u s activities or p o lic y v io la tio n s and produces re p o rts to a Management Station. It performs intrusion detection and attempt to s to p detected possible in c id e n ts .
L a b T a s k s 1. 2.

Start W in d o w s

S e rv e r 2 0 1 2

on the host machine. Install Snort.
D :\CEH -Tools\C EHv8 M o du le 17 Evading IDS,

To uistall Snort, navigate to

In s tall S nort

F ire w a lls , and H o n eyp o ts\ln tru sio n D e te c tio n Tools\Snort.

3. Double-click the wizard appears.

Snort_2_9_3_1_ln staller.exe

file. The Snort mstallation
d e fa u lt options

4. Accept the L ic en se A g re e m e n t and install Snort with the diat appear step -b y-step 111 the wizard.

l__ Snort is an open source network intrusion prevention and detection system (ID S / IP S ).

.

5. A window appears after successful installation of Snort. Click the button.
6.

C lose

Click O K to exit the S n ort

In s ta lla tio n

window.

C E H Lab Manual Page 851

Ethical Hacking and Countemieasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Snort 2.9.3.1 SetuD (&
Snort 2.9.3.1 Setup

‫' ־‬° I

*

*

Snort has successfully been installed.

r

Snort also requires WinPcap 4.1.1 to be installed on this machine, WinPcap can be downloaded from: http://www.winpcap.org/

It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable.

Next, you must manually edit the 'snort.conf file to specify proper paths to allow Snort to find the rules files and classification files.

OK

Figure 1.1: Snort Successful Installation Window

7. Snort requires W in P ca p to be installed on your machine. 8. Install W inPcap by navigating to D :\C EH -Tools\C EH v8
IDS, F ire w a lls , and HoneypotsM ntrusion 4 1 _2.exe. C:\Snort M o du le 17 Evading Too ls\S no rt, D e te c tio n

and

double-clicking W in P ca p V^/ W inPcap is a tool for
link-layer network access that allows applications to capture and transmit network packets bypass the protocol stack

9. By default, Snort installs itself in disk drive in which OS installed).

(C:\ or D:\ depending upon die

10. Register on die Snort website h ttp s ://w w w .sn o rt.o rg /sig n u p 111 order to download Snort Rules. After registration comples it will automaticallv redirect to a download page. 11. Click die G et R ules button to download die latest mles. 1 1 1tins lab we have downloaded sn o rtru les-sn ap sh ot-2931 ■tar.gz. 12. Extract die downloaded rales and copy die extracted folder 111 tins padi:
D:\CEH -Tools\C EHv8 M o du le 17 E vading IDS, F ire w a lls , and H o n eyp o ts\ln tru sio n D e te c tio n Tools\Snort.

13. Rename die extracted folder to snortrules. 14. Now go to die
e tc

folder

111

die specified location

D:\CEH -Tools\C EHv8

M o du le 17 Evading IDS, F ire w a lls , and H o n eyp o ts\ln tru sio n D e te c tio n T o o ls\S n o rt\sn o rtru les\e tc

of die extracted Snort rales, copy die s n o rt.c o n f tile, and paste diis tile 111 C:\Snort\etc.
C:\Snort\etc;

15. The S n o rt.c o n f file is already present 111 die Snort rales S n o rt.c o n f file.

replace diis file with

16. Copv die so_rules folder from D :\C EH -Tools\C EH v8
IDS, F ire w a lls , and H o n eyp o ts\ln tru sio n D e te c tio n T oo ls\S no rt\sn o rtru les

M o du le 17 Evading

and paste it 111

C:\Snort.

C E H Lab Manual Page 852

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

17. Replace die p rep ro c

r u le s

folder trom D:\CEH -Tools\C EHv8

M o du le 17

Evading IDS, F ire w a lls , and HoneypotsM ntrusion D e te c tio n T oo ls\S no rt\sn o rtru les

and paste it 111 C:\Snort.
D :\CEH -Tools\C EHv8 M o du le 17 H o n eyp o ts\ln tru sio n D e te c tio n and

18. Copy all die tiles from dus location:
E vading IDS, F ire w a lls , T oo ls\S no rt\sn o rtru les\rules

to C:\Snort\rules.
C m d H ere

H

TASK

2

19. Now navigate to C:\Snort and right-click folder bin, and click trom die context menu to open it 111 a command prompt. 20. Type sn o rt and press E nter.
Administrator: C:\Windows\system32\cmd.exe - snort C:\Snort\bin/snort Running in packet dunp node

V e rify S n ort A le rt

—■ ■ In it ia liz in g Snort ■ ‫—יי‬ In it ia liz in g Output Plugins? pcap DAQ configured to passive. The D AQ uersion does not support reload. Acquiring network t r a f f i c fron "\Deuice\NPF_<0FB09822-88B5-411F-AFD2-FE3735A9?7B B> _ Decoding Ethernet — -- In it ia liz a t io n Conplete --— — »> Snort? <*‫־‬ Uersion 2.9 .3 .1-WIN32 GRE <Build 40) By Martin Roesch 8 r The Snort Tean: http://www.snort.org/snort/snort-t Copyright < C > 1998-2012 So u rce fire, In c ., et a l. Using PCRE uersion: 8.10 2010-06-25 Using ZLIB uersion: 1.2.3

To print out the T C P / IP packet headers to the screen (i.e. sniffer mode), type: snort — v.

y

o'‫׳‬ ‫״ ״‬ ■an

Connencing packet processing <pid-756>

Figure 1.2: Snort Basic Command

21. The In itia liza tio n C o m p le te message displays. Press C trl+C. Snort exits and comes back to C:\Snort\bin. 22. Now type sn o rt -W . Tins command lists your machine’s physical address, IP address, and Ediernet Dnvers, but all are disabled by default.
Administrator: C:\Windows\system32\cmd.exe

Snort exiting C:\Snort\bin‫ נ‬snort -W -*> Snort! <*— Uersion 2.9.3.1-WIN32 G R E (Build 40> By Martin Roesch 8 r The Snort Team: http://www.snort.org/snort/snort-t Copyright < C > 1998-2012 Sourcefire, Inc., et al. Using P C R E version: 8.10 2010-06-25 Using ZLIB uersion: 1.2.3 Index Physical Address IP Address Deuice N am e Description 1 00:00:00:00:00:00 disabled \Deuice\NPF_<0FB09822-88B5-41IFAFD2-FE3735A977BB> Microsoft Corporation 2 00:00:00:00:00:00 disabled \De‫ ״‬ice\NPF_<0BFD2FA3-2E17-46E3B614-0FC19B5DDA25> 3 00:00:00:00:00:00 disabled \Deuice\NPF_<lD13B78A-B411-4325rQRA<JRFOP?JM ‫־‬ V M 4 D4:BE:D9:C3:C3:C C disabled \Deuice\NPF_<2A3EB470-39FB-48809A79-77E5AE27E530> Realtek PCIe G B E Family Controller C:\Snort\bin>
Figure 1.3: Snort -W Command

23. Observe your Ediernet Driver in d ex n u m b er and write it down; 111 dus lab, die Ediernet Driver index number is 1 . 24. To enable die Ediernet Driver, 111 die command prompt, type sn o rt 2 and press Enter.
C E H Lab Manual Page 853

-d e v - i

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

25.
E 7 To specify a log into logging directory, type snort — dev — 1 /logdirectorylocationand, Snort automatically knows to go into packet logger mode.

You see a rapid scroll text Ethernet Driver is enabled and working properly.

111

die command prompt. It means

Administrator: C:\Windows\system32\cmd.exe - snort -dev i4 C:\Snort\bin,sno rt -dev - i 4 Running in packet uu11‫׳‬p 1'iuut; —= = In it ia liz in g Snort = = — In it ia liz in g Output Plugins? pcap DAQ configured to passive. The DAQ version does not support reload. Acquiring network t r a f f i c fron "\Device\NPF_<2A3EB470-39FB-4880-9A7977‫ ־‬E5AE27E53

B >".

Decoding Ethernet —■ ■ In it ia liz a t io n Conplete ■*— o'‫~> ׳‬ ‫״״״״‬
r .u i

-»> Snort? <*Uersion 2 .9 .3 .1-WIN32 GRE <Build 40> By Martin Roesch 8 r The Snort Tean: http://www.snort.org/snort/snort-t Copyright < C > 1998-2012 So u rce fire, In c ., et a l. Using PCRE version: 8.10 2010-06-25 Using ZLIB version: 1.2.3

Connencing packet processing <pid=2852> 11/14-09:55:49.352079 ARP who‫ ־‬has 10.0.0.13 t e l l 10.0.0.10

Figure 1.4: Snort — dev — i 4 Command

26. Leave die Snort command prompt window open, and launch anodier command prompt window. 27. Li a new command prompt, type ping
g o o g le .c o m

and press Enter.

£ Q Ping [-t] [-a] [-n count] [1 size] [-£] [-i T T L] [-v TO S] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

Figure 1.5: Ping googje.com Command

28. Tliis pmg command triggers a Snort alert in the Snort command prompt with rapid scrolling text.
Administrator: C:\Windows\system32\cmd.exe - snort -dev i 4 ‫־‬TTD '4.125.236.85:443 10.0.0.10:51345 < ‫ ־‬TCP TTL:56 TOS:0x0 ID:55300 IpLen:20 DgnLe 95 nM .flP.M M • Seq: 0x81047C40 Ack: 0x4C743C54 Win: 0xFFFF TcpLen: 20 7 03 02 00 32 43 3F 4C 22 B4 01 69 AB 37 FD 34 2C?L‫ ״‬. . i. 7 . 4 IF 3F 70 86 CF B8 97 84 C9 9B 06 D7 11 6F 2C 5B .? p o ,[ D 8A B0 FF 4C 30 5B 22 F4 B9 6C BD AE E8 0E 5A L0[‫ ״‬. . l Z F F6 7D 55 31 78 EF ..>Ulx. 11/14-09:58:16.374896 D4:BE:D9:C3:C3:CC 00:09:5 < ‫ ־‬B: AE: 24: CC type:0x800 len:0x36 10.0.0.10:51345 -> 74.125.236.85:443 TCP TTL:128 TOS:0x0 ID:20990 IpLen:20 DgnLe n:40 DF Seq: 0x4C743C54 Ack: 0x81047C77 Win: 0xFB27 TcpLen: 20 .1/14-09:58:17.496035 ARP who-has 10.0.0.13 t e l l .1/14-09:58:18.352315 ARP who-has 10.0.0.13 t e l l .1/14-09:58:19.352675 ARP who-has 10.0.0.13 t e l l

To enable Network Intrusion Detect ion System (N ID S ) mode so that you don’t record every single packet sent down the wire, type: snort -dev 1 ./log-h 192.168.1.0/24-c snort.conf.

1 0 .0.0.10 1 0 .0.0.10 1 0 .0.0.10

Figure 1.6: Snort Showing Captured Google Request

C E H Lab Manual Page 854

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

29. Close both command prompt windows. The verification of Snort installation and triggering alert is complete, and Snort is working correcdy 111 verbose mode.
T A S K 3

30. Configure die sn o rt.c o n f file located at C :\Snort\etc. 31. Open die s n o rt.c o n f file widi Notepad++. 32. The s n o rt.c o n f file opens screenshot.
111

C o nfigure sn o rt.c o n f File

Notepad++ as shown

111

the following

& Make sure to grab the rules for the version you are installing Snort for.

Log packets in tcpdump format and to produce minimal alerts, type: snort -b -A fast -c snort.conf Figure 1.7: Configuring Snortconf File in Notepad++

m

33. Scroll down to die S te p #1: S e t th e n e tw o rk v a ria b le s section (Line 41) of snort.conf file. 111 the H O M E_N ET line, replace any widi die IP addresses (Line 45) of die machine where Snort is mnning.
*C:\Sn0ft\etc\$n0rtx0nf - Notepad+ Be Edit Search 'iict* Encoding Language Settings Macro Run Plugns frndcw o I

-!□ X '
I i | !» '?‫׳‬

10 % ‫ד‬ « »&

JS

* C|

9

»‫* » צ‬fe

*

x

33 5 |

HJ □

I I

H molcwf |

4 4 4 1 # Se ep # 1 : Sec c h en etw o rk variables. F o x itoie m roraaclon.

X x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x


Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the M S Windows environment.

» setup tne n ecvcrx aaarcaaca yo u are crotectino
ir v a r HOME_»ET 110.0.0.101

: *cat situations

m

ygth: 25421 lines :657

4 5 :‫ ת‬C e l:2 5S d0

Figure 1.8: Configuring Snortconf File in Notepad++

34. Leave die EX TER N A L_N ET

any

line as it is.

C E H Lab Manual Page 855

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

The element ’any’ can be used to match all IPs, aldiough ’any’ is not allowed. Also, negated IP ranges diat are more general dian non-negated IP ranges are not allowed.

m

35. If you have a DNS Server, then make changes 111 the DNS_SERVERS line bv replacing $H O M E _N E T with your DNS Server IP address; otherwise, leave diis line as it is. 36. The same applies to SAITP_SER\TE,RS, HTTP_SER\TE.RS, SQL_SER\rERS, TELNET_SERVERS, and SSH_SER\TRS. 37. Remember diat if you don’t have any servers running on your machine, leave the line as it is. DO N O T make any changes 111 diat line. 38. Scroll down to R U LE_PATH (Line 104). 111 Line 104 replace ../rales widi C:\Snort\rules, 111 Line 105 ../so_rules replace with C:\Snort\so rules, and 111 Line 106 replace ../p rep ro c ru les with C:\Snort\preproc rules.
Ptc\s1x x tc o n f Notepad♦ ♦ Erie Ldit Search *1e« Encoding Language SetDngi _ |a x ‫ך‬ X a i l i f l *9‫׳‬

0

Macro R u

Piugnj ftmdow I ‫ ־‬. ! [IF □

M e

s a i i J f

ft fl| P C

ua Rule variable names can be modified in several ways. You can define metavariables using die $ operator. These can be used with the variable modifier operators ? and -

H cnoccorf | ♦ Kote r o r Wir.dowa usera: You are aavisea to r a re tm a ar. absolute pa tn . ♦ such as: c :\3 n o r t\r u le s var RU1X_PUH C :\S n o rt\ru le s v a r SO RULE PATH C :\S n o rt\a o ru le a ■war PRrPROC R^LE PATH C: \S n o rt\p r ‫ ־‬pro=_xrule3 10‫ד‬ # I f you are usin g re p u ta tio n preprocessor a c t these 1:9 # C u rre n tly tiie re i s a bug w ith r e la t iv e paths, th ey are r e la t iv e to where sno rt i3 # n o t r e la t iv e to s n o rt.c o n f lilc e the above v a ria b le s 4 Thia i s caa ple cely in c o n s is te n t w ith how oth e r ▼ars work, BCG 5 9986 l- l t s e t th e anaciute patn a p p ro p ria te ly 1*3 v a r HHTTELISTPATH . . / r u le s 114 var BUICK_LI5T_PAIK . ./ r u le s

t step #2: con n a u re tr.c decoder.

For sore in d o rs a tio n , see rta im e .decode

1 1
? * Stop gene ric decode events; c o n fig disable_decod«_alerts • Stop A le rta on experim ental TCP option a ccr.Tlg dl**ble_copopt_experim ent» !_ • 1 * 1 ‫־‬ .* 4 Stop A lc r ta on obaolet■ TCP option■ c c r.ria d19anie_t cpo pt_cb ao le te _a ie rt ‫ג‬ :;4

1 2 ‫־‬ ‫״‬

1:9 1 Stop A le rts on T/TCP a le rts <i______________________ !1______________________ Ncirrwl Ltil file length: 25439 lines: 657

V
Ln: 106 Cot :iS S*1:0 UNIX ANSI > N S I

Figure 1.9: Configuring Snortconf File in Notepad++

39.

111 Line
file

113 and 114 replace ../rules widi C:\Snort\
C:\Snort\etc\snort.conf - Notepad* tdit Search View Encoding Longuogc Settings Macro Run Plugre ftmdcvr J

rules.

!o 1 ‫׳‬MS d 83 4 * B| ♦ »< ‫ צ‬ft *a -* 3 ‫ ז‬nil S *1
H noco&rf I 103 f aucn a3: c 1 \a n o rt\ru ie a 104 var RtJLEPATfl C :\3 n o rt\ru le a 105 var SC_ROLE_PAIH C :\3 n o rt\so _ ru l« » :06 var PREPROCRULEPATH C :\S nortN preproc_rulea 108 *.09 110 111 t*.? ‫דלל‬

l i i i i f l ‫«י‬

f z r you are uaina re p u ta tio n preprocessor act tneae $ C u rre n tly th ere ia a bug w ith r e la t iv e paths, th ey are r e la t iv e to whereanort ia f no t r e la t iv e co •n ort.co nX l i k « th e above v a ria b le s • Thia 1 a com pletely ine on aia ten t w ith hew eth e r vara werlr, BUG 89986 4 Smt th • absolute path a p p ro p ria te ly var white L IS I PAIH c :\s n o r t\ r u ie a l

71: B m cm si.E A iii ciM aaalm ltal
4 Seen #3: Configure the decoder.

117

Foe ‫״־‬ore information, 9 .. BSirME. decade

angth: 25d51 lines:657_______ Ln:1» Col:35 S«l:0

Figure 1.10: Configuring Snort.conf File in Notepad++

C E H Lab Manual Page 856

Etliical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

40. Navigate to C :\Snort\rules and create two tiles and name them w h ite jis t.r u le s and b la c k jis t.r u le s make sure die two tiles extensions are
The include keyword allows other rule files to be included within the rule file indicated on die Snort command line. It works much like an #include from die C programming language, reading the contents o f the named file and adding the contents in the place where die include statement appears in die file.

m

.rules.

41. Scroll down to S tep #4 : C o nfigure d yn am ic loaded lib ra ries section (Line 242). Configure d yn am ic loaded lib ra ries in this section. 42. At padi to dynamic preprocessor libraries (Line 247), replace /usr/lo cal/lib/sn o rt_d yn am icp rep ro cessor/ with your dynamic preprocessor libranes tolder location. 43.
111 tins lab,

dynamic preprocessor libraries are located at
.‫־ ־ן‬ x X V ‫ז‬

C :\Snort\lib\snort_dynam icpreprocessor.
C:\Sn0 rl\etc\s1x x U 0 nf Notepad ♦♦ 7‫־ ־‬ Erie Ld!t Search Vie* Incoding Language Settings Macro Run P K 1 g < 1 3 ftmdew J O IM e % l ‘l| M *a * * [E 3

H tno*.coti j

2
• U 245 246 242 2‫ז־‬9 250 2‫צ‬252 253

Step *4: Configure dynamic loaded lib ra rie s . 70- e o ii In fo !station, see Snore Manual, Configuring 5r.cn - Dynamic Modules

♦ pat& to dynamic preprocessor lib ra rie s f patn to dynamic preprocessor lib ra rie s dytlMacpreprocessor directory C:\Sncrt\lib\3nort dynaai ^preprocessor| * path to base preprocessor engine ciyr.anlceng 1 ne /u9r/10cal/llb/sn0rL_£iyna»lcer.glne/ilbsr_er.gir.e.30 t path to dynamic rules lib ra rie s dynamlcdetecclon directory /u sr/local/1lb/anort_dynamlcr ulea V

H U Preprocessors are loaded and configured using the ‘preprocessor’ keyword. The format o f die preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.

255 ? 5‫־‬ 4 step fs : Contiaure preprocessors 4 For more information, see the Snort Manual, Configuring Snort ‫ ־‬Preprocesso »

4 GTP Control Channle Preprocessor. For note information, see RFA2ME.OTP V preprocessor aces porta 1 2123 3386 2152 > 2»‫צ‬ f In lin e packet normalization. For mozt information, see R£AD2. normalize 4 Does notfting in IOS node r«pr0c«110r nornmlixe_ip4 preprocessor r.crmai1 se_top 1 1p9 eon scream preprocessor norma lie e ic m p i czeproceaaor normalize lp«

3

2 < 5 i

N.mul u»t file

length: 25 44 S linttt: 6 5 7

In :247 Col :69 S*i:0

UNIX

ANSI

1
NS

Figure 1.11: Configuring Snort.coiif File in Notepad++

44. At padi to base preprocessor (or dvnamic) engine (Line 250), replace /usr/lo cal/lib/sn o rt_d yn am icen g in e/lib sf_en gin e.so witii your base preprocessor engine C :\Snort\lib\snort_dynam icengine\sf_engine.dll.

Preprocessors allow the functionality o f Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.

m

Figure 1.12: Configuring Snort.conf File in Notepad++

C E H Lab Manual Page 857

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

45.

C o m m en t (#) die dynamic rules libraries line as you already configured die libraries 111 dynamic preprocessor libraries (Line 253).
C:\Snort\et*V r c f < • f Notepad♦♦ Be Ldit Scorch View Encoding Language Settings Macro Run Piugns ftndcvr Z o x

o 'He 1 !3 *•‫ ־‬0^

■‫י‬g|

1[f3

b is b

^ !« ,9 ‫•׳‬

Note: Preprocessor code is nrn before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

. * r

* Step *4 : C onfinure dynamic loaded lib r a r ie s . t For core ln lc rm a cio n , see Snore Manual, C on figu rin g Snort - Dynanlc Modules # ***# # ***** **tM M # # # # # # # **# # **M ****M M *# # t**** **

* * * * * * * * * * * * * * * m w m * * * * * * * * * * * * * * * * * * * * * * * * * * *

249 250

* r a th to base preprocessor engine dyr.anu.ceng in - C :\3 n o rt\lib \s n o rt_ d y n s n 1 ic e n g in e \s f_ e n g in e .d ll ♦ path to dynamic ru le s lib r a r ie s > dynagu.c‫ ;׳‬l«c«cclon d lr « c to r y /u s r/lo c a l/'llb /s n o rt^ a y n a .-v l::!. 1««1

V step *M C onriaurc preprocessors * Por more m fonkaeion, see the Snore Manual, C o n figu rir.c Snort ‫ ־‬Preprocesso

* GTP C on trol C h.n nl• Preprocessor. For * o r . in fo rw a tio n , ‫ • • י‬RZASME.OTP * preprocessor 0 -c : p o rts ( 2123 3386 2152 ) I In lin e packet n o rm a liz a tio n . For store in£ on aa tlon , sec ?* 1 !‫ ב ג‬.norm alize * Does no tm na in IDS mode preprocessor norm elize_ip4 preprocessor r.c rx a l 1 ze_‫ ־‬cp: ip s ecr. 3‫ ־‬rear: preprocessor n c r» o l 1 ze_1 cmp1 preprocessor norm alize l p 6 I teal fie length :25446 ling :557 Ln:253 Col ;3 Sd :0 I

Figure 1.13: Configuring Snortconf File in Notepad‫—!־‬ 1 ‫־‬

46. Scroll down to S te p #5: C o nfigure P reprocesso rs section (Line 256), die listed preprocessor. Do nothing 111 IDS mode, but generate errors at mntime.
IPs may be specified individually, in a list, as a C ID R block, or any combination o f die duee.

m

47. Comment all the preprocessors listed each preprocessors.
lit

111

diis section by adding #

befo re

C:\Sn0 rt\etc\snort conf Notepad* L3t Search View Encoding Language Settings Macro Run Plugre Aatdcw I

‫ ־ רי‬1* 1

o‫י‬ h e » ‫־‬i i*f tr ! |» e * ‫׳‬ & >‫ ז‬BQ| s»‫י‬f f l ■ s ■ ‫ ש‬e ^ a>
liltllttttttttitiitlllllttttttttttttttttllllltttttl
Preprocessor

* t ¥ ¥ ¥ ¥ ¥ ¥ * ¥ ¥ T f W T W W W W T f T ¥ ¥ ¥ ¥ ¥ ¥ ¥ r ¥ ¥ f T * T T T T ¥ ¥ ¥ ¥ W ¥ ¥ ¥ T ¥ T r -

> REAnJE.GTP

♦ 4 ♦ ♦ I ♦

♦preprocessor norjralire ic m p C

In lin e packet n o rm a liz a tio n . For 1 Does noth in g in ZDS node preprocessor normal1ze_1p4 preprocessor n o rm a lis e tc p : ip s e! preprocessor normalize_lcmp4 preprocessor normal1 se_1 p 6

: in fo rm a tio n , see R£AI»‫׳‬E. norm alize

• Target-based IP de fragm entation. For more information, see BLADME. frag3 preprocessor tra g 5 _ g lo b a l: max_Irags 6SSS6 preprocessor troa3 engine: p o lic y windows dete ct_a r.* 1 a i 1 es cverlap_ 1 1 a n t 10 ann_fra 01r.cnt_length 100 tim eout V la r g c t s is c a scacecul insp e ctio n /o trca m reassembly. preprocessor serea»S_global; tr a c k e c p yes, \ tr*ck_u dp yaa, \ tra c k _ 1 cnc no, \ fo r xcrc m ro ra tio n , ace RLADKt.streanb

Many configuration and command line options o f Snort can be specified in the configuration file. Format: config <directive> [: <value>]

m

MX_tcp 3 6 2 1 4 4 ,\

rax_uap 131072, \ max_act1 ve_responses 2, \ m in response aaconda 5_________________

m y th :2 5 4 5 6 lin e .:5 5 7

1:269 Col:3 Sd 0

Figure 1.14: Configuring Snort.conf File in Notepad‫־‬l— 1 ‫־‬

48. Scroll down to S te p #6 : C o nfigure o u tp u t plugins (Line 514). 111 tins step, provide die location of die c la s s ific a tio n .c o n fig and re fe re n c e .c o n fig files. 49. These two files are 111 C :\Snort\etc. Provide diis location of files 111 configure output plugins (111 Lines 540 and 541).

C E H Lab Manual Page 858

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

lit
0

CASnort\ett\snmconf Notepad* ♦ idit Jjcareh view Incoding Language Settings Macro Run Plugns ftmdcw

‫ י‬hh« a , & * * r !| ‫ ס‬e m% > * ‫־ ־ י י‬- ‫ ז‬djae s i s c e

I

'- I‫ם‬

)"B •ncCcorf ‫ ף‬step 46: cor.riou re c utpu t p lu gin s 4 5 *‫׳‬j ?or more in fo rm a tio n , see Snort Manual, C on figu rin g Snort - Output Modules[ 5!«

=j r — il< "
51fl 519 520 521 Si'i4 523 524

* u n ifie d ? 4 aeeonsenaaa r c r !cost i n s t a lls 4 c u tp u t u n ifie d 2 : filenam e m erged.log, l i m i t 128, nosts3«r, wpl3_CTrent_type3, vlan_event_type3 ‫ ־‬A d d itio n a l c o n fig u ra tio n fo r s p e c ific tjp e s o f i n s t a lls # c utpu t a le rt_ u n i£ ie d 2 : filenam e s n o r t.a le r t , l i i a i t 125, nosCaap f o u tp ut lo g un1r1ed2: rilenarae sn a re .lo o , l i m i t 123, ncatamp

Tlie frag3 preprocessor is a targetbased IP defragmentation module for Snort.

ca

4 oatafcass 4 ou tp ut database: a le r t , <db_type>, us?r«<usernan!> pa3 3w=rd“ <pa3svord V c u tp u t aatacasei 100, <dto_typ«>, u9er‫< ־‬uacma&e> paaav:rs‫< ־‬Eaaavord>

• lii

» * c ta d a ti rercrcr.ee aata. do not * e a itv t£e include C:\Snarc\ece\elas31f1eat1on.e0nt10l lac lu d # C; \Sac r \ «c c \r »C«r«nc«. co n f i g_| length :25482 lina:6S7________In :541 Co) :22 S*l:0

Figure 1.15: Configuring Snort.coiif File in Notepad++ lrigure 1 .i ‫כ‬: Uonngunng inort.com rile in !Notepad^ ‫־‬1 ‫־‬

50.

this s te p #6 , add the line o u tp u t dump all logs 111 die a le rts .id s file.
111
o
0

ale rt_fa st: a le rts.id s .

for Snort to

*C :\S 00fl\elc\snoM -conf - N otepad*
file £d!t Search Ukw Encoding Language Settings Macro Run PHigns ftmdcvr I

*‫ ׳‬₪ ^ ‫ * |&־‬% C )| 9 c

» ‫ף‬8 4 > 139 ‫\ ו ?״‬Wz 2 ‫ י ו‬$ ‫ן ! ו‬
C utput Modules

‫?׳ »׳‬

*H «nc< corf ‫ן‬ b.A 4 step te : c on no ure outp ut p lu gin s 515 4 For more in fo rm a tio n , see Snort Manual, C on figu rin g Snort ‫־‬ 517 '*.fi 519 S?0 521 525 524

4 u n ifie d : V ;■ccorr.cr.ici cor !coat i n s t a lls 4 o u tp ut u n ifie d 2 : filenam e merged. 100, l i m i t 128, n03ta*p» « p ls _ e ^ n t_ ty p e s , vlan_event_types

4

A d d itio n a l c o n fig u ra tio n fo r s p e c ific types o f in s t a lls 4 c utpu t a lo rt_ u n ifi» d 2 : fila n a a » a n o r c .a le r t, l i m i t 129, r.oxaap 4 cu tp u t lo g un1E1ed2: rilenarae s n o r t.is o , l i m i t 126, r.: ‫ ־ י‬axt

N ote: ’ipvar’s are enabled only with IPv6 support. W ithout IPv6 support, use a regular ’var.’

m

- -533 534

4 oatafcass 4 c utpu t database: a le r t , <db_type>, uaer-<usemane> pe a3 *:rc‫<־‬fa3sw ord 4 c u tp u t ia ta £3 3e: lo o , <db type>, u3er=<uaemaEe> pa33wcr2=<pa33word> ‫׳‬

539 540 541

|c-;‫־‬ . p u t « le r t _ fa 3 t : a le r t s . id s | 4 metadata refe re nce da ta , do not m odify tcese lin e s inc lu d e C :\S no rt\ecc\cla 33 1f1 cat1o n.c0 nf1 0 ln c lu d a C :\3nQ rt\8cc\reC arenca.conf l q

‫׳‬

|hc«nwl U*t fil«

Itngth: 25511 lin»:657

1 6 ?5: ‫מ‬

Co<:30 S«l:0

Figure 1.16: Configuring Snort.conf File in Notepad++

51. By default, die C:\Snort\log folder is empty, widiout any files 111 it. Go to die C:\Snort\log folder, and create a new text file with die name alerts.ids.
Ii=yj Frag3 is intended as a replacement for die &ag2 defragmentation module and was designed with the following goals: 1. Faster execution than frag2 with less complex data management. 2. Target-based host modeling anti-evasion techniques.

52. Ensure diat extension of diat file is .ids.

C E H Lab Manual Page 859

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

log
v C

_

‫ם‬

Search log

P

Favorites ■ Desktop Downloads
M i Recent places

alerts.ids

Libraries

)= ‫יז‬
1 item

‫״‬

Figure 1.17: Configuring Snort.conf File in Notepad++

53.

die s n o rt.c o n f tile, find and replace die ip v ar string widi var. By default die string is ipvar, which is not recognized by Snort, so replace it widi die v a r string.
111

N o te: Snort now supports multiple configurations based 011 VLAN Id 01‫ ־‬IP subnet widiui a single instance of Snort. Tins allows administrators to specify multiple snort configuration files and bind each configuration to one 01‫ ־‬more VLANs or subnets radier dian ninning one Snort for each configuration required.
Replace
Three types o f variables may be defined in Snoit: ‫ ־‬Var ■ Portvar ■ ipvar
I IMatch ra s e @ W rae around Search Mode (•> Normal C Extended Op, V, \t, V O , \x ...) O Regular expression Q L m atches newline Direction O u> ® Dawn 0 Transparency (§) On losing focus O Always = 0=

‫ש‬

m

Find

Replace

Find in Files | Mark | ■ S |v a r □ in selection Find Next Replace Replace A|l Replace All in All Opened Documents

v l

Figure 1.18: Configuring Snort.conf File in Notepad++

54. Save die sn o rt.c o n f file. 55. Before running Snort you need to enable detection niles 111 die Snort niles file; for diis lab we have enabled ICMP mle so diat Snort can detect any host discovery ping probes to die system running Snort. 56. Navigate to
++.
C :\Snort\rules

and open die

icm p -info .ru les

file widi Notepad

57.

Uncom m ent

the Line number 4 7 and save and close die file.

C E H Lab Manual Page 860

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

C:\5nort\rules\icmp info.rules Nofepad♦ E*e Edit Search View Encoding Language SetDngs Macro Run Plugns 0 I >

■ 1 H « ft

4m* r!| P c* ft * ta t‫ז‬
SEXTERNAL_NET any ‫ > ־‬SHOMEKET any $ S X IE R N A 1 _ N E Tany >$ H O K E _ N E T any SEXTERNAL_NET any -> SH0HE_KET any SEXTERNALNET any -> SH0KE_NET any

r‫פ |״‬, T,[ | ‫ כ‬S i l i f l
(msg:‫ ־‬ICXP-IKyC IRDP (nsg :'I-X ^-IK F C FUJG (r\sg:‫ ״‬ICMP‫ ־‬INF0 PING (osg: ‫ ״‬IS 'P-INTC PING

« >

P i— !<■1 H trp+Tfo 1ute« |

­ ‫♦ נ‬alert isrsp $ EXIE R N A L _ N E T an y>$ H 0 K E _ N E T an y cnsj:‫״‬IC X E-IN FC I R E P router advertisem ent"; 1type:9; rereren‫׳‬29 * a le r t leap 3 0 # a le r t leap 31 * a le r t lc n p 32 * a le r t i=r^> 34 # a le r t icnj? 36 * a le r t ic n p ro u te r s e le c tio n "; ity p e :1 0 ; reference :‫ו‬ *H IX•; lcype :S ; co n te n t : 1 13 12 1 1 1 1 0 ‫■״‬ BSDtype"; 1 ty p e : 8 ; c o n te n t:‫| ״‬O0 09 OA 0 1 BayR3 R ou ter"; ity p e : 8 ; co n te n t:■ | 01 02

3 3 * alert re s © SE X IE R N A L_N E Tan y>$ H 0 K E _ N E T an y (m 3 ?:"X C X PlN FOrIUG SeOSI.x"; ltype:8; content:"| Q Q0 00 00 ‫׳‬ 3 5 # alert leap $ E X T E R N A L _ N E Ta n y
SEXTERNAL_NET any -> £H0KE_NET any (nsg:‫ ״‬ICM?-IK7C ?IUG Cisco Type. x " ; ity p e :8 ; co n te n t:"|A B CD

3 ‫ ־‬alert icnp SE X T E R N A LN E Ta n y>SH O K E N E Ta n y (x a s g :‫״‬IC X P-IK 7 CP IN G IP H etM onitor M acintosh‫ ;״‬itype:B; c o n t• ■ 3 8 t alert 1st® $exiernal_net an y> Shoke_n ei an y cn3g:1‫״‬cxp -lK F0pibg li2tjx/35‫״‬d ‫ ;״‬d 3 1ze:8; 1 d :1 3 1 7 0 ;1 type:8

4

> $ H 0 K E _ K E Ta n y (nsg:‫־‬irxP-IKFCP IN G DelpiH-PieLte Windowsltype:8; conien

SEXTERNAL~NET any -> SH0HE~NET any (msg:‫ ״‬ICHP-INF0 PIHG Flo*pom t2200 o r Network Management Scf‫־‬

♦ a le r t ic n p SEXTERNAL_NET any -> SH0XE_NET any (msg:*ICKP-IK?C PIHG M ic ro s o ft X indovs"; i ty p e : 8 ; c o n te n t:"0 40 I a le r t lea p $EXIERNA1_NET any -> $HOXE_KET any (nsg :‫ ״‬I3 (P ‫ ־‬XKFC POTG network Toolbox 3 Window*‫ ; ״‬l type : 8 ; coi * a le r t ic n p SEXTERNAL_NET any ‫ > ־‬SH0KE_NET any (msg:‫ ״‬ICMP-INF0 PIHG Pmg-O-HeterWindows"; ity p e :0 ; content: 42 « a le r t ict*> SEXTERNAL~NET any ‫ > ־‬SH0KE~NET any (rasg:‫ ״‬ICKP-IKFC PIHG Pinger Windows"; it y p e : 8 ; c o n te n t: "Oata 43 * a le r t 1 cnp cexie rn a l_ n e t any ‫ > ־‬Shoke_nei any (cs 3 : 1 ‫ ״‬cxp- 1 k fo pih c seer windows"; 1 ty p e i 8 ; con t e n t « 1 8 ‫ ״‬a 04 44 • a le r t 1 a 1p SEXTERNAL NET any ‫ > ־‬SHOKE NET any (msg:‫ ״‬ICKP-INF0 PING O racle S o la n s "; ds 18 e : 8 ; 1 type« 8 ; clas. 45 f a le r t lea p $EXTERNAL_NET any -> $H0XE_KIT any ( n » g :2 ‫ ״‬CXff-IKFC PIHG Window•‫ ; ״‬lc y p e : 8 ; co n te n t: ‫ ״‬abcdergfcljk. 9 a le r t !;rap SEXIERNAI_NEI any > SH0KE_KEI any !f» a :*1 a tP -lN fC tra c e ro u te 1 ;‫ ״‬svce: 8 ; t t l i l ; c la a a t ! t t : a t t c n “ a le r t icnp SFXTERXAL NFT any -> SHO XR_KET any (mag: ‫ ״‬TCMP-IKFC PINO‫ ; ״‬ic o d e :0 ; ity p e : 8 ; e la s s ty p - :» ia c - a c tiv 1 | » a le r t isno SHOKEJJET any -> CEXTERNAL_NET any ( n a a i- io t f - 1K5C Address mask R « ly "> ic o d c io ; lt v p e u s ; cia®. 49 • a le r t 1 cnp SEXTERNAL_NET any ‫ > ־‬SH0KE_NET any (msg:‫ ״‬ICKP-INF0 Address Maslr Reply undefined code"* 1 eode:>0 50 t a le r t lea p $SXTERKAL_NET any -> $K0XE_KET any ( e * g : 2 ‫(^ ״‬P-Z>:FC Add:««a Ka»k Rvquaat"; lc o d « :0 ; lty p e :1 7 ; cl• 51 ♦ a le r t 1 ‫ סגמ‬SEXIERNAL_NET any ‫ > ־‬$H0KE_NET any (ns 3 : ‫ ״‬ICJ4 P‫־‬IN f 0 Address Mask Reaucst undetined code‫! ; ״‬code::

5 2 « alert S E X T E R N A L ~ N E Ta n y>$ H O K E ~ N E Ta n y (M gr-ICVP-IKFCAlternate H o «t A d d re‫ ;״״״‬icode:0; itype:6; c f alert isnp «exiernal_net an y ‫«>־‬ho k e _net an y (nsg:1‫״‬c x p 1 N F CAlternate H o st A d aress u n d erm ed c o d e ‫ ;״‬ic e d •
* a le r t 1 cnp SEXTERNAL_NET any -> 8H0KE_NET any (e1sj:*IC H P ‫ ־‬INF0 Dataarati Conversion E r r o r "; icodesO; 1 ty p e :3 f a le r t lea p fEXTERNAL NET any -> <H0KE NET any (tasg: ‫ ״‬ZCXP-IKFC Satagraa Converalon E rro r undefined code"; i■ v 1 1 1 >

>4 55 <|

NcinwlUxlfile

le n g th : 17357 lin e s : 123

Ln:47 Cc4:1 SeJ:0

UMX

ANSI

IM S

Figure 1.19: Configuring Snort.coiif File iti N’otepad+‫־‬ f‫־‬

58. Now navigate to C:\Snort and nght-click folder bin, select die context menu to open it in die command prompt.
V a lid a te C o n fig uratio ns

C m d H e re

from

59. Type
as cii

sn o rt -iX -A co n so le -c C :\S n o rt\etc\sn o rt.co n f -I C:\Snort\log -K X

and press E n te r to start Snort (replace number; 111 dus lab: X is 1).

with your device index

60. If you enter all the command information c o rre c tly , you receive a g rac efu l e x it as shown 111 the following figure.
y ’ To run Snort as a daemon, add -D switch to any combination. Notice that if you want to be able to restart Snort by sending a S IG H U P signal to die daemon, specify the full path to die Snort binary when you start it, for example: /usr/local/bin/snort -d 192.168.1.0/24 \-l /var/log/snordogs -c /usr/local/etc/snort.conf s-D

61. If you receive a fa ta l error, you should first ve rify diat you have typed all modifications correcdy into the s n o rt.c o n f tile and then search dirough the tile for e n trie s matching your fatal error message. 62. If you receive an error stating “ Could n o t c r e a te run the command prompt as an A d m in is trato r.
th e re g is try ke y ,”

then

-11

Administrator: C:\Windows\system32\cmd.exe

C:\Snort\birOsnort -i4 -A console -c C:\Snort\etc\snort.conf -1 C:\Sno1 *t\log -K ascii

Figure 2.18: Snort Successfully Validated Configuration W indow

tasks
S ta rt Snort

63. Start Snort in IDS mode,

111

C :\S n o rt\etc\sn o rt.co n f - I C:\Snort\log - i 2

the command prompt type and dien press Enter.

snort

C E H Lab Manual Page 861

Ethical Hacking and Countenneasures Copynght © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Figure 2.19: Start Snort in ID S Mode Command

64. Snort starts rumung in IDS mode. It first initializes output plug-ins, preprocessors, plug-ins, load dynamic preprocessors libranes, nile chains of Snort, and dien logs all signatures.
GO
C:\Snort\etc\snort.conf is the location o f the configuration file ■ Option: -l to log the output to C:\Snort\log folder ‫י‬ Option: -i 2 to specify die interface

65. After initializing interface and logged signauires, Snort starts and waits for an attack and tngger alert when attacks occur on the machine.
Uersion 2.9.3.1-UIN32 G R E <Build 40> B y Martin R oesch 8 r The Snort Team : http://www.snort.org/snort/snort-t Copyright < C > 1998-2012 Sourcefire, Inc., et al. Using P C R E version: 8.10 2010-06-25 Using ZLIB version: 1.2.3 Rules Engine: S F _ SN O R T_ D E TE C T IO N _E N G IH E Uersion 1.16 <Build 18> F _S S LP P Uersion 1.1 <Build 4> Preprocessor Object S F _ S S H Uersion1.1 <Build 3> Preprocessor Object S F .S M T P Uersion 1.1 <Build 9> Preprocessor Object S Preprocessor Object SF_SIP Uersion1.1 <Build 1> F.S D F Uersion1.1 <Build 1> Preprocessor Object S F _R E P U T A T IO N Uersion 1.1 <Build 1> Preprocessor Object S F _ P O P Uersion1.0 <Build 1> Preprocessor Object S F _ T 1 0 D B U S Uersion 1.1 <Build 1> Preprocessor Object S F _IM A P Uersion1.0 <Build 1> Preprocessor Object S F _ G T P Uersion1.1 <Build 1> Preprocessor Object S F JF T P T E LN E T Uersion 1.2 <Build 13> Preprocessor Object S F _ D N S Uersion1.1 <Build 4> Preprocessor Object S F _ D N P 3 Uersion 1.1 <Build 1> Preprocessor Object S F _ P C E R P C 2 Uersion 1.0 <Build 3> Preprocessor Object S C om m encing packet processing <pid=6664>
Figure 1.20: Initializing Snort Rule Chains Window
- * > Sn o rt T <*-

Run Snort as a Daemon syntax: /usr/local/bin/snort -d -h 192.168.1.0/24 \ 1 /var/log/snortlogs -c /usr/local/etc/snort.conf s- D . £01 When Snort is run as a Daemon, the daemon creates a P ID file in the log directory.

m

66 .

After initializing the interface and logged signatures. Snort starts and waits for an attack and trigger alert when attacks occur on the macliuie. Attack your own machine and check whedier Snort detects it or not.
M achin e).

67. Leave die Snort command prompt running.
68 .

^

TASK

6

69. Launch your Windows 8 Virtual Macliuie (A tta c k e r

A tta c k H o st M a c h in e

70. Open die command prompt and type ping X X X .X X X .X X X .X X X -t from die A tta c k e r M a c h in e (XXX.XXX.XXX.XX is your Windows Server 2012 IP
address;.

71. Go to W in d o w s S e rv e r 2 0 1 2 , open die Snort command prompt, and press C trl+ C to sto p Snort. Snort exits. 72. Now go to die C :\S n o rt\lo g \10 .0 .0 .12 folder and open the text file.
ICM P_EC HO .ids

Note that to view the snort log file, always stop snort and dien open snort log file.

m

C E H Lab Manual Page 862

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

ICMP.ECHO.idT- Notepad
File Edit Format View Help

!

‫’ם‬ ‫ '־‬x

|[* * ] ICMP-INFO PING [ * * ]

11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10 IC M P TTL:128 T O S :0 x0 ID :31479 IpLen:20 D g m L e n :6 0 Type:8 C ode:0 ID:1 S eq:198 E C H O [**] IC H P -IN F OP IN G [**] 11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10 IC M PT T L:128 T O S :0x0 ID:31 4 8 0 IpLen:20 D g m L e n :6 0 Type:8 C ode:0 ID:1 S eq:199 E C H O [••] IC M P -IN F OP IN G [**] 11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10 IC M PT T L:128 T O S :0x0 ID:3 1 4 8 1 IpLen:20 D g m L e n :6 0 Type:8 C ode:0 ID:1 S eq:200 E C H O [••] IC M P -IN F OP IN G [**] 11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10 IC M P TTL:1 2 8T O S :0x0 ID :31482 IpLen:20 D g m L e n :6 0 Type:8 C ode:0 ID:1 S eq:201 E C H O [**] IC M P -IN F OP IN G [**] 11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10 IC M PT T L:128 T O S :0 X 0 ID:31 4 8 3 IpLen:20 D g m L e n :6 0 Type:8 C ode:0 ID:1 S eq:202 E C H O [**] IC M P -IN F OP IN G [**] 11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10 IC M PT T L:128 T O S :0x0 ID:31 48 4 IpLen:20 D g m L e n :6 0 Type:8 C ode:0 ID:1 S eq:203 E C H O
Figure 1.21: Snort Alertsids Window Listing Snort Alerts

73. You see that all the log entries are saved 111 die ICM P_EC HO .ids hie. Tins means that your Snort is working correctly to trigger alert when attacks occur 011 your machine.
L a b A n a ly s is

Analyze and document die results related to diis lab exercise. Give your opinion 011 your target’s security posture and exposure.

PLE A SE

TA LK

TO

Y O U R IN S T R U C T O R IF YO U R E L A T E D TO T H IS LAB.

H A VE

Q U E ST IO N S

Tool/Utility Snort

Information Collected/Objectives Achieved Output: victim machine log are capuired

Q u e s t io n s

1. Determine and analyze die process to identify and monitor network ports after intnision detection.
C E H Lab Manual Page 863 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

2. Evaluate how you process Snort logs to generate reports. Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs

C E H Lab Manual Page 864

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Lab

L o g g i n g S n o r t Alerts to K i w i S y s l o g S e r v e r
S n o / t is a n o p e n s o u rc e n e tw o rk in tr u s io n p r e v e n tio n a n d d e te c tio n s y s te m ( ID S /IP S ) .

I CON
___ V a lu a b le

KEY

L a b S c e n a r io

in fo rm a tio n

T est your k n o w le d g e

W e b e x e rc is e

m

W o r k b o o k r e v ie w

Increased connectivity and the use ot the Internet have exposed organizations to subversion, thereby necessitating the use ot mtnision detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system diat monitors computer systems and network traffic, analyzes that traffic to identity possible security breaches, and raises alerts. A11 IDS tnggers thousands of alerts per day, malting it difficult for human users to analyze them and take appropriate actions. It is important to reduce the redundancy of alerts, uitelligendy integrate and correlate diem, and present lugh-level view of the detected security issues to the administrator. A11 IDS is used to inspect data for malicious 01‫ ־‬anomalous activities and detect attacks 01‫־‬unaudionzed use of system, networks, and related resources.
111 order to become an expert penetration tester and security administrator, you must possess sound knowledge ot network intrusion prevention system (IPSes), IDSes, identify network malicious activity, and log information, stop, or block malicious network activity.

L a b O b je c tiv e s
H Too ls

The objective of tins lab is to help smdents learn and understand IPSes and IDSes.
111 tins lab, you need

d e m o n s tra te d in th is lab a re lo c a te d a t D:\CEHToo ls\C E H v8 M o du le 17 Evading IDS, F ire w a lls , and H o n eyp o ts

to:

■ Install Snort and configure snort.conf file ■ Validate configuration settings ■ Perform an attack 011 the Host Machine ■ Perform an intrusion detection ■ Attempt to stop detected possible incidents

C E H Lab Manual Page 865

Ethical Hacking and Countenneasures Copyright © by EC-Comicil All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

L a b E n v ir o n m e n t

To carry-out tins lab, you need: ■ A computer running Windows Server 2012 as a host machine ■ Windows 8 running on virtual machine as an attacker machine ■ WinPcap drivers installed on die host machine
£ 7 You can also download K iw i Syslog Server from http://www.kiwisyslog.co m

■ Kiwi Svslog Server installed on die host machine ■ Admnnstrative privileges to configure settings and nin tools
L a b D u r a t io n

Tune: 10 Minutes
O v e r v ie w o f o f IP S e s a n d ID S e s

An intrusion detection system (IDS) is a device or s o ftw a re application diat monitors network and/or system activities for m a lic io u s activities or polio,’ violations and produces reports to a management station. Intrusion detection and prevention systems (IDPS) are primarily tocused on identifying possible incid en ts, logging information about them, attempting to stop diem, and reporting diem to s e c u rity administrators.
S TASK 1
L a b T a s k s

Log S nort A lerts to Syslog S e rv e r

1. Navigate to

D :\CEH -Tools\C EHv8 M o du le 17 Evading IDS, F ire w a lls , and

H o n eyp o ts\ln tru sio n D e te c tio n T o o ls\K iw i Syslog S e rv e r K iw i_ S ys lo g _S erve r_ 9.3.4.E va l.se tu p .ex e

double click on

and install

K iw i Syslog S erve r

on die Windows Server 2012 host machine. 2. The L ic en se
A g re e m e n t

window appears, Click I A g ree.

Figure 2.1: kiwi syslog server installation

C E H Lab Manual Page 866

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

3.

111

die

Choose O p e ra tin g M o de

S e rv e r as an A p p lic a tio n

wizard, check the check box and click N e x t >.

In s ta ll K iw i Syslog

Kiwi Syslog Server 9.3.4 Installer
C h o o s e O p e ratin g M ode

‫ן ־‬° ‫ז‬

x

so larw ind s ‫־׳‬

The program can be run as a Service or Application

O In stall Kiwi S yslog S e iv e i a s a S e iv ic e This option installs Kiwi Syslog Server as a Windows service, alowing the program to run without the need for a user to logn to Windows. This option also retails the Kiwi Syslog Server Manager which is used to control the service.

|(* In stall Kiwi S yslog S e iv e r a s a n A pplication | This op bon retails Kiwi Syslog Server as a typical Windows appkcabon, requnng a user to login to Windows before r i m n g the application.

&

Too ls
SolarWinds, Inc.

d e m o n s tra te d in th is lab a re lo c a te d a t D:\CEH■ Too ls\C E H v8 M o du le 17 Evading IDS, F ire w a lls , and H o n eyp o ts

Figure 22: K rai Syslog seiver installation

4.

111

die In s ta ll K iw i Syslog selected and click N e x t >.

W eb A c c e s s

wizard, uncheck die option
X

Kiwi Syslog Server 9.3.4 Installer
Install Kiwi S yslog W eb A c c e s s

solarw ind s

Remote viewing, filtering and highlighting of Syslog events...

I I In stall Kiwi S yslog W e b A c c e s s V C re a te a n ew W e b A c c e s s logging ■ule in Kiwi S yslog S e iv e i

Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server.

SolarWinds, Inc.

Figure 23: kiwi syslog seiver

5. Leave die settings as their defaults in the click N e x t >.

Choose C o m p o nents

wizard and

C E H Lab Manual Page 867

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Kiwi Syslog Server 9.3.4 Installer

I ‫ ־־‬I
a ant

solarwinds

C h o o s e C o m p o n e n ts Choose which features of Kiwi Syslog Server 9 .3.4 you install.

to

This wll install Kiwi Syslog Server version 9.3.4

Select the type o f install: Or, select the optional components you wish to instal:

Normal Program files (required) 0 Shortcuts apply to all users 0 Add Start menu shortcut b^J Add Desktop shortcut p i Add QuickLaunch shortcut O Add Start-up shortcut Description

V

Space requred: 89.5MB

Position your mouse over a component to see its description.

SolarWinds, I n c .----------------------------------------------------------------------------------------------------------< Back | Next > | [ Cancel |

Figure 2.4: adding components

6.

111

die C hoose In s ta ll L o c atio n wizard, leave die settings as dieir defaults and click In s ta ll to continue.
Kiwi Syslog Server 9.3.4 Installer
C h o o s e Install L ocation

so larw ind s ‫׳׳‬

Choose the folder n whkh to n s ta l Kiwi Syslog Server 9.3.4 .

Setup w l n s ta l Kiwi Syslog Server 9.3.4 n the folowng folder. To n s ta l in a different folder, dick Browse and select another folder, dick Instal to start the installation.

Destination Folder

Space requred: 89.5MB Space available: 50.1GB SolarWinds, Inc.

1
Figure 2.5: Give destination folder

7. Click Finish to complete the installation.
You should see a test message appear, which indicates K iw i is working.

C E H Lab Manual Page 868

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Kiwi Syslog Server 9.3.4 Installer

[_“ I 1‫ם‬

x

Completing the Kiwi Syslog S erver 9.3.4 S e tu p Wizard
Kiwi Syslog Server 9 .3.4 has been installed on your computer. Click Finish to dose this wizard. @ Run Kiwi Syslog Server 9.3.4

Visit the SotorWmds website

< Back

|

Ftnoh

|

Cancel

j

Figure 2.6: kiwi syslog server finish window

8.

Click O K ill the K iw i

Syslog S e rv e r - D e fa u lt S e ttin g s A p p lied

dialog box.

Kiwi Syslog Server - Default settings applied
Thank you for choosing Kiwi Syslog Server. This is the first time the program has been run on this machine. The following default 'Action' settings have been applied... ’ Display all messages * Log all messages to file: SyslogCatchAll.txt These settings can be changed from the File | Setup menu.

T U

Happy Syslogging...

OK

Figure 2.7: Default setting applied window

9. To launch die K iw i Syslog S e rv e r C onsole move your mouse cursor to lower-left corner of your desktop and click S tart.

Q j

Yiiw iSyslog Server is

Figure 2.8: starting menu in windows server 2012

a free syslog server for Windows. It receives logs, logs. Windows. displays and forwards syslog messages from hosts such as routers, switches, U N IX hosts and other syslog-enabled devices.

10.

111

die

S ta rt

menu apps click r r

K iw i Syslog S e rv e r C onsole

J

J

to launch die

app

C E H Lab Manual Page 869

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

'‫׳״יי״‬ *
C o n t r P a n e lol E / y k x e f

M o jiB *

ta n g le C h io m o

S i5 1 *9

©
C o m m a n d


N o t e p a d •

x '
Jnmtdl

■ s^r1091

V

O
M )p w Y M a n a g e !

pr
N e !a u s w e bC lie n t

R
V
KKl Package

a

5

< k
C *‫ ׳‬-‫־‬T

h

I

1

Figure 2.9: click kkvi syslog server application

11. Configure Syslog alerts 111 die s n o rt.c o n f file. 12. To configure Syslog (press Ctrl+C).
a le rts ,

first exit from die Snort command prompt

13. Go to C :\S n ort\etc and open die s n o rt.c o n f file widi N o tep ad + +. 14. Scroll down to S te p #6: C o n fig ure o u tp u t plugins, in the syslog section (Line 527), remove # and modify die line to o u tp u t alert_syslog:
h o s t= 1 2 7 .0 .0 .1 :5 1 4 , LOG _AUTH LOG ALERT.

Snort.conf before modification Syslog
C\Sn0rt\«c\srx>ftc<y»f Notewd■ H r [< *t Seaw ti yicw tvcMq

«‫ ׳‬mc . >a >‫■׳‬r 3c •‫ > יו‬q j7 5 !11‫@ י ן•ן‬ w■b j wa a 1 3 1 *

fectng* M arre Run Pluglni W indow J

t Step te: Coaflgrare output plugins

* Additional configuration fo r s!:eclflc types or In sta lls * output alert_unlfled2: filename s n o rt.a le rt. U n it 128, n09ta*p * output loc_3n1 r 1 ea2 : niecaae snort. I 09, lu u t 128 , rostairp flog; LO O AJIg 100 ALERT| I output log.topdja I output aatarase: I output aatanse: »t-< B03tnaa1e>

The reason why you have to run snortstart.bat batch file as an administrator is that, in your current configuration, you need to maintain rights to not only output your alerts to K iw i, but to write them to a log file.

m

Figiue 2.10: Snortconfig before modification

Snort.conf after modification Syslog

C E H Lab Manual Page 870

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

C:\Sn0 rt\etcVsrxyt cof't Notepad-• Filf fdt Sea rch V iew f‫׳‬w eSrf»g .‫ ן־י‬1.‫^ ץ׳ל‬flnqi Mam Run Pluqin W in do w

‫ן‬- ‫־‬g

13H • » ‫־‬. . & | *

fe| 3 c

‫ י‬-‫) |י‬ S ‫יי‬Cv 3 ‫)§[) י‬

3

iC < 5 preprocessor reputation: \

013 **#**#**«**«#*»*#*«##*«#*«*#•*#*«****#»**#•*#»*#** pi4 # Step *€: Coaflarare output plugins pis * For *ore information, see Snort Manual, Conflouring Snore - Output Modules 5

l output uniiieai: £ile:;«*e se;aec.ica, lu u t 128. nostanp, npls_e5 ‫ ז‬Additional configuration for specific types 0C installs 1 output alert_unlfled2: filename snort.alert. U n it 128, nostajip » output log_unlfled?: fllenaae snort.log, lljtlt 128, nostaxp

» database I output database! alert, <db_typ«>, users<usernane> pa8avford=<pa»sv0rd> test dbnaa!e-< r.a1*e> h0st*< S10atnam e3 I output databasei log. <db_typ«>. usera<usernane> password»<passv‫׳‬ord> test d bn as> es< naae> bo»t*<hostnaae>

U .

C

a .li M:l»

‫׳‬

Figure 2.11: Snortconfig after configuration

15. S av e die tile and close it. 16. Open K iw i Syslog S e rv e r Syslog Server alert logs.
R* File Edit Vic*

C onsole

and press

C trl+T.

Tlus is to test Kiwi
1-1‫״‬ H Day* luttin wsluslion '

Kiwi Syslog Server (14 Day evaluation - Version 93) Hdp Di.pl., 00 |Drf‫״‬Jl]

1
'

■ 1 ‫ ׳‬E

it ©

Dale Tun* P-o‫״‬ly lla*ln«m1 1 14 2012 1621 30 Lwal7.D»U1g 127.0.01 Kiwi Sytloy S*1vv1 •T*t< latfTtayw nuaibei 0001

1 1

J
1 0 0% 1MPH 1 6 2 1 11142012 1

Figure 2.12: Kiw i Syslog Service Manager window

17. Leave die Kiwi Syslog Server Console. Do not close die window. 18. Now open a command prompt with Snort and type diis command: press E n te r (here X is index number of vour Ediernet card) .
sn o rt iX - A co n so le - c C :\S n o rt\e tc\sn o rt.c o n f - I C:\Snort\log - K a s c ii - s

and

C E H Lab Manual Page 871

Etliical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Administrator: C:\Windows\system32\cmd.exe

_

x

ua K iw i Syslog Server filtering options:
■ Filter on IP address, hostname, or message text ■ Filter out unwanted host messages or take a different logging action depending on the host name ■ Perform an action when a message contains specific keywords.

Figure 2.13: Snort Alerts-ids Window Listing Snort Alerts

19. Open a command prompt 111 your Windows 8 virtual machine and type tins command: ping 1 0 .0 .0 .1 0 (IP address of your host machine where Kiwi Svslog Server Console is running). 20. Go to K iw i Syslog S e rv ic e M a n a g e r window (diat is already open) and observe die triggered alert logs.
Kiwi Syslog Server (14 Day evaluation - Ve'sion 93) File Edit 1 ‫ ׳‬£ I n 1 x '

1€ ‫\י‬

Help D.tpk* 00 (Dvfdull) 1 4 Days left in ev‫־‬Dluotun llo1ln1 ‫׳‬rw Menage 127.0.01 Nvv 14 18 40.12 W1N-2N9SIOSGIEN w.ort |1 384 6| ICMP INF: PING |CU«ti»calion. Mbc activitf) [Piiuiily. 3] (ICMP) 10.0.0.12 1000.10 1 14 (1 11 WIN 2N9!iTOSGI( N mart |1 304 C| II Ml' INI 1 1I1NG [ClauArahor Mur. nohvilyl U1‫־‬ .n..ly- 3] (ICHP) 1 1 1II 111? 127 001 Nnv 14 1 10.0.0.10 4 18:40:10 WIN 2N9STOSGIEN mort |1 384 6| ICMP INFO PING (ClMstficd'ion: M.sc 0 ct1vity| (Piioiily: 3) (ICHP) 10.0.0 1 2 127.0.0 1 Nov 1 10.0.0.10 12700 1 Nuv 14 18 40 O ') WIN ?NSS10SGIFN tnurt |1 384 6| ICMP INFO PING (n«nii.:4l<ar• Mac adivi(•) (Piimily 3] (ICMP) 10 0 0 1? 10 0 n 1 n 127 001 Nov 14 11 1 4 1 1 ■ O il WIN 2N9!:TOSUK N •no* |1 304 C| 1 ( Ml‫־‬INI II I1NG (Clou*ration Mur. nr.hvityl [1'im trijr 3) IIIMPI 10 0 111? I0.0.U.IU 127.0.0.1 Nov 1 4 18:40:07 WIN 2N9STOSGIEN tnort |1 384 6| ICMP4NF0 PING (ClMtWcatiwi: Hite activity (Plioiity: 3] (ICHP) 10.0.0 1 2 10.0.0.10 | IfMP INm PING (CUsifirolian Mbc activity) [Piitxily: 3] IICMP) 10 0 01? 1270 0 1 Nuv 14 10 40 on WIN-?N9r.1nSG1rN tnatl |1 384 G 1000.10 127.0.0 1 Nov 1 4 10:40:0b WIN 2N91>1USGILN *noit: |l. J84:b| ILMI‫־‬INI U I1NG (Llasiiication: Hue nctivitvl H'noiity: 3 1 (ICHP) 10.0.0.12 10.0.0.10 4 18:40:04 WIN-2N9STOSGIEN tnort |1:384 6| ICMP-INF0 PING (Clact«cation: Hite activity [Plioiity: 3 1 {ICHP) 10.0.0.12 127.0.0.1 Nov 1 10.0.0.10 12700 1 Nov 14 10 40 01 WIN-2N9r.TOSGIFN mart |1 384 C| ICMP-INFO PING [Claxiilicatian Mbc activity] [Pliaiity: 3] (ICHP) 10 0 01? 10 00.10 127.0.0.1 Nov 1 4 18:40:02 WIN 2N9S1USGIEN tnort: |l:384:6| ICMP INFO PING [Lla**41cat10n: Mac actovitrl [Pnonty: 3] (ICHP) 10.0.0.12 10.0.0.10 127.0.0.1 Nov 14 18.40:01 WIN-2N9STOSGIEN tr.ort. [1.384.6] ICMP-INF0 PING [Cla*t«cation. Mbc activity] [Piioiily: 3) (ICHP) 10.0.0.12 10 00.10 127 0.01 Nov 14 18 40:00 WIN-2N9STOSGIEN snort [1 384 6j ICMP-INFO PIHG IClasirtcahon Mbc activity! [Piioiily: 3j ilCHP110 0 0 12 10 0 0.10 127.0.0.1 Nov 1 4 18:39:53 WIN 2N9510SGIEN snort |1:384:61 ICMP INFU PING [Clat*Scati«n: Mnc acbvitrl [Prioiity: 3) (ICHP) 10.0.0.12 10.0.0.10 1270 0 1 Nov 14 18 39:58 WIN-7N9STC1SGIFN tnort [1 384 6| ICMP-INFO PING [CLmificalian Mbc activity] [Plioiity: 3] (ICMP) 10 0 012 1000.10 127 001 Nov 14 10•39:57 WIN 2N9S10SGICN *nort |1 304 K| ICMP INFO PIHG ICUmrfirafiorv Mur. activityl [Pnoiitjr 3] IICMP110 0 0 12 10.0.0.10 127.0.0.1 Nov 1 4 18:39:56 WIN 2N9STOSGIEN *nort [1:384:6| ICMP INFO PING [□***ificalior: Mbc activilrl [Plioiity: 3] (ICMP) 10.0.0.12 100* OMFH 1 8 :4 0 1 1 142D 12

A 88

l,mr Dale P. m.4. 11-14-2012 184012 Auth Ale.!
1 1 14 ?01? 104011 AuHt Air.1 II 1 4 2012 18 4010 Auth Alcit 11-14-201? 18 40 09 Auth Alrll 1 1 14 ?01? 104*00 AuHt Alr.l 11-14-2012 184007 Auth Ale11 11-14-201? 18 40 nc Auth Alr.l 1 1 14 ?012 10.40.Ub Auth Alcit 11-14-2012 18:4004 Auth Aleu 11-14201? 18 40 03 Auth Alr.l 11-14 2012 18:4002 Auth Alcit 11-14-2012 18.40.01 Auth Ale.l 11-14-201? 18 40 (1 0 AulhAlril 1 1 14 2012 18:39:59 Auth Alcit 11-14-701? 1839 58 Auth Alr.l 1 1 14 201? 103*57 Aulh Alr.l 1 1 14 2012 18:3958 Auth Alcit fsiw5/jlooWebAcc«5 ■ ‫־‬ol m oled

J
*

II

1

j
|

Figure 2.14: Kiw i Syslog Service Manager widi Snort Logs

21.

111 K iw i Syslog,

you see the Snort alerts outputs listed

111

Kiwi Syslog

Service Manager. 22. You have successfully output Snort Alerts to two sources.
L a b A n a ly s is

Analyze and document die results related to diis lab exercise. Give your opinion on your target’s security posture and exposure.

C E H Lab Manual Page 872

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

PLE A SE

TA LK

TO

Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB.

H A V E

Q U E ST IO N S

Tool/U tility Kiwi Syslog Server
Q u e s t io n s

Information Collected/Objectives Achieved Output: The Snort alerts outputs listed 111 Kiwi Syslog Service Manager.

1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server. 2. Determine how you can move Kiwi Syslog Daemon to another machine. 3. Each Syslog message includes a priority value at die beginning of the text. Evaluate die priority of each Kiwi Syslog message and on what basis messages are prioritized. Internet Connection Required □ Yes Platform Supported
0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 873

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

3

D e t e c t i n g U s i n g

Intruders a n d

W o r m s I D S

K F S e n s o r H o n e y p o t

K F S e n s o r is a W in d o w s b a s e d h o n e y p o t In tr u s io n D e te c tio n S y s te m ( ID S ) .

I C ON

KEY

L a b S c e n a r io

l ^ ~ / V a lu a b le
in fo rm a tio n T est your k n o w le d g e mm

W e b e x e rc is e

ca

W o r k b o o k r e v ie w

Intrusion detection systems are designed to search network activity (we are considering both host and network IDS detection) for evidence ot malicious abuse. When an IDS algontlmi “detects” some sort of activity and the activity is not malicious or suspicious, tliis detection is known as a false positive. It is important to realize diat from the IDS’s perspective, it is not doing anything incorrect. Its algoridim is not making a mistake. The algontlmi is just not perfect. IDS designers make many assumptions about how to detect network attacks. A11 example assumption could be to look for extremely long URLs. Typically, a URL may be onlv 500 bytes long. Telling an IDS to look for URLs longer dian 2000 bytes may indicate a denial of service attack. A false positive could result from some complex e-commerce web sites that store a wide variety of information 111 the URL and exceed 2000 bvtes.
111 order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), intrusion detection systems (IDSes), identity network malicious activity and log information, and stop or block malicious network activity.

L a b O b je c tiv e s
H Too ls

The objective of tins lab is to make students learn and understand IPSes and IDSes.
111 tins lab,

d e m o n s tra te d in th is lab a re lo c a te d a t D:\CEHToo ls\C E H v8 M o du le 17 Evading IDS, F ire w a lls , and H o n eyp o ts

you need to:

■ Detect hackers and worms 111 a network ■ Provide network security
L a b E n v ir o n m e n t

To carry-out tins lab, you need:

C E H Lab Manual Page 874

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

KF S en sor

located at D :\CEH -Tools\C EHv8
8

M o du le 17 E vading IDS,

F ire w a lls , and H o n eyp o ts\H o n eyp o t T oo ls\K F S en so r

■ Install KF Sensor 111 W in d o w s

^__ You can also download KFSensor from http://www.keyfocus.net

M eg aP in g

located at D:\CEH -Tools\C EHv8
S e rv e r 2 0 1 2

M o du le 0 3 S can ning

N e tw o rk s \S c a n n in g T oo ls\M eg aP ing

■ Install Mega ping 111 W in d ow s

■ It vou have decided to download latest of version ol these tools, then screen shots would be differ ■ Administrative privileges to configure settings and run tools
L a b D u r a t io n

Time: 10 Minutes
O v e r v ie w o f IP S e s a n d ID S e s

An intrusion prevention system (IPS) is a n e tw o r k s e c u rity appliance that m o n ito rs network and system activities tor m a lic io u s activity. The main functions ot IPSes are to id e n tify malicious activity, log re la te d in fo rm a tio n , attempt to b lo c k /s to p activity, and report activity. An IDS is a software device or application that m o n ito rs network and/or system activities for m a lic io u s activities or p o lic y v io la tio n s and delivers re p o rts to a Management Station. It performs intrusion detection and attempts to s to p detected possible in c id e n ts .
^ TASK
C o nfigure K F S en so r

1

L a b T a s k s

1. Launch W in d o w s 8 virtual machine and follow the wizard-driven installation steps to install KFSensor. 2. After installation it will prompt to reboot die system. R ebo o t the system. 3.
111 Windows 8 launch KFSensor.

To Launch KFSensor move your mouse cursor to the lower-left corner of your desktop and click S tart.

C E H Lab Manual Page 875

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

u

►.'crla

C*‫׳‬e~s

Windows 8 Release Previev. , Evaluation copy. Build WOO

= ‫־‬ ____
To set up common ports KFSensor lias a set of pre-defined listen definitions. They are: ■ Windows Workstation ■ Windows Server ■ Windows Internet Services ■ Windows Applications ■ Linux (services not usually in Windows) * Trojans and worms

m

1

‫יי‬

m o

«.

.
F IG U R E 3.1: KFSensor Window with Setup Wizard

m

4. In die S ta rt menu apps, right click die K F S en so r app, and click Run A d m in is tra to r at die bottom.
S ta rt
Admin

as

^

m
Vriro

m
Cam ara

p

Google Chrome

o
services

m ‫יז ל׳‬
M essaging W eather

1 1 I ® a
Store

Mozilla Firefox

H
Calfrdar

&
Internet F«pfcvr‫׳‬

Command Prompt

KFSensor

FI

m

V \ V » as; (S)
edm inh*r«t© r

%

®

@

®

tasoon

F IG U R E 3.2: KFSensor Window with Setup Wizard

5. At die first-time launch of die K F S en so r S e t

Up W izard ,

click N e xt.

C E H Lab Manual Page 876

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

K F S e n s o rP ro fe s s io n a l -E v a lu a tio nT ria l
File View Scenario Signatures Settings Help_______________________________________

i l ?t!l U -L
a , kfsensor - iocalhos

z ta tcp

Visitor )atagram.. The KFSensor Set Up Wizard will take you through a number of steps to Donfigure you systen. All of these can configurations can be modfied later using the menj option. You m ight like to read the rrenual at this port to team how KFSenso‫־‬works and the concepts behind t. )atagram.. )atagram.. )atagram.. )atagram.. )atagram.. )atagram.. )atagram.. n the options in th& Set Up Wizard. Wizard Heb )atagram.. )atagram.. WindowsS WIN-ULY358K WIN-D39MR5J WIN-LXQN3W WIN-MSSELG WIN-2N9STO? WIN-2N9STO? WIN-ULY358K Windows^ WINDOWS8

q * ^ ic c c d T C^
g
2 1 FTP 53 DNS 63 DHCP SO IIS POP3 110 , g ‫־‬ 119 NNTP M i RPC 1 35 139 NET Se

..__ Tlie Set up Wizard is used to perform the initial configuration o f KFSensor.

j S 25 SMTP. ! I I j. J L

§

g

LDAP 339 ^ HTTPS 443 $ i | J4. 5-NB. T-St< i 593 CIS jjj 1028 MS Cl! 5 g 1080 SOCKi 2234 Direct! 3 ( 1433 SQL S < j § 3128 IIS Pro g 3268 Global Calal

Ser/en Status

Visitors: 0

F IG U R E 3.3: KFSensor main Window

6.

Check all die port

c la s s e s

to include and click N e xt.
Set Up Wizard - Port Classes

Port classes to include: /j Windows Workstation @ Windows Applications @ Windows Server @ Windows Internet Services 0 Linux (services not usually in Windows) @ Trojans and woims KFSensor can detect irrtiusions on many many different ports and simulate different types of services. Domain Name is tlie domain name used to identify the server to a visitor. It is used in several Sim Servers.

m

These ports are grouped by class. Checked classes will be added to the scenario. Unchecked classes will be removed the scenario.

Wizard Help

<Back

Next >

Cancel

F IG U R E 3.4: KFSensor Window with Setup Wizard

7. Live die domain name Held as default and click N ext.

C E H Lab Manual Page 877

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Set Up Wizard - Domain
Domain Name: [networksfonj.com| This is the domain name used to identify the server to a visitor. This could be the real domain name of the machine or a fictious one. If you pick a fictious one. try not to use a real domain belonging somebody else. e=yi KFSensor can send alerts by email. The settings in the wizard are the minimum needed to enable this feature. Wizard Help

D

<Back

|

Next >

Cancel

F IG U R E 3.5: KFSensor Window with Setup Wizard

It you want to send K F S en so r a le rts by email and then specify die email address details and click N e xt.
Set Up Wizard - EMail Alerts

systems service is a special type o f application that Windows runs in the background and is similar in concept to a U N IX daemon.

Send to: Send from :

[I

If you want KFSensor to send alerts by email then fill in the email address details

Wizard Help

<Back

Next >

Cancel

F IG U R E 3.6: KFSensor Window with Setup Wizard-email alerts

9. Choose options for D enial
The KFSensor Server becomes independent o f the logged on user, so the user can log o ff and another person can log on without affecting the server.

o f S ervice . Port a c tiv ity . Proxy Em u lation ,

and

m

N e tw o rk Pro to co l A n a ly ze r

and click N e xt.

C E H Lab Manual Page 878

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Set Up Wizard - Options
Denial Of Service Options Cautious Port Activity 1 Hour Proxy Emulation Allow banner grabs and loop backs Network Protocol Analyzer !Enable packet dump files j v Dump files are useful for detailed analysis but take up a lot of disk space The KFSensor M onitor is a module that provides the user interface to the KFSensor system. W ith it you can configure the KFSensor Server and examine die events that it generates. v Controls if KFSensor is allowed to make lim ited external connections v How long a port should indicate activity after after an event v Controls how many events are recorded before the server locks up

D

m

Wizard Help

<Back

Next >

Cancel

.
F IG U R E 3.7: KFSensor Window with Setup Wizard-options

10. Check die In s tall

as sy s te m s e rv ic e

opdon and click N e xt.

Set Up Wizard - Systems Service
[v ] Install as systems service A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon The KFSensor Server becomes independent of the logged on user, so you can log off and another person can log on without affecting the server The KFSensor Server can be configured to start automatically when the systems starts, even before you log on. You must be logged in a the Administratorto install a systems service

Wizard Help

The Ports View is displayed on the left panel o f the main window. It comprises o f a tree structure that displays the name and status o f the KFSensor Server and the ports on which it is listening.

m

<Back

Cancel

F IG U R E 3.8: KFSensor Window with Setup Wizard-system service

11. Click Finish to complete the S e t

Up w izard .

C E H Lab Manual Page 879

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Set Up Wizard - Finish
The KFSensor Set Up Wizard has now got all the information it needs to configure your system. To read up on where to go from here dick the button below Getting Started

‫ו‬0

‫ו‬

Note on the Evaluation Version

I

There are a number of restrictions set forthe ten day duration of the evaluation period The export functionality is unavailable and the details of some events are deliberately obscured

/ The Ports View can be displayed by selecting the Ports option from the ViewTmenu.

<B a ck

Finish

Cancel

F IG U R E 3.9: KFSensor finish installation

12. Tlie K F S en so r main window appears. It displays list ol ID protocols. V is ito r and R e ce iv ed automatically when it starts. 111 the following window, all die nodes 111 die left block crossed out with blu e lin es are die ports that are being used.

F

i ■ i2 C
,

Settings

K F S e n s o rP ro fe s s io n a l -E v a lu a tio nT ria l H e lp
° i @ 151a
Start 9/27/2012 5:27:41 PM... 9/27/2012 S:27:3S PM .‫״‬ 9/27/2012 5:27:36 PM... 9/27/2012 5:27:3C PM... 9/27/2012 5:27:15 PM... 9/27/2012 5:16:15 PM... 9/27/2012 5:15:4^ PM... 9/27/2012 5:15:35 PM... 9/27/2012 5:15:3£ PM... 9/27/2012 5:15:35 PM... 9/27/2012 5:15:31 PM... 9/26/2012 3:41:32 PM... 9/26/2012 3:37:16 PM... 9/26/2012 3:36:57 PM... 9/26/2012 3:36:57 PM...

4 1 tt ;1

‫־‬1 3
ID 1 ‫י‬5 |§14 1 ‫י‬3
g '2

^

a! ‫מ‬

‫ש‬
Duration 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 Pro... UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP

^
Sens... Name Visitor WIN-ULY358K WIN-LXQN3\* WIN-MSSELCI WIN-D39MR5I Window^ Windows^ WIN-ULY358K] WIN-D39MR5I WINLXQN3'A WIN-MSSELCI WIN-2N9STO< WIN-2N9STO! WIN-ULY358K Windows^ WINDOWS8 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram... 138 NBT Datagram...

kfsensor - local host - M...

^& C to s « lIC P Por...
g
3 21 FTP 25 SMTP 53 DNS 63 DHCP 110 POP3 j § 119 NNTP g 155 MSRPC— B m 5 } 139 NBT Session ... j j 339 LDAP

TCP

3

-g 80 IIS

111 §10__
U 9 1 8 1 7 1 6

g
g g 5

443 HTTPS ■ j 4.15 NBT SM 8— 593 CIS 1028 MS CIS 1080 SOCKS 1433 SQL Server 2234 Dircctplay 3128 IIS Proxy 3268 Gtobdl Catal..

15 14 13

m?
1 1

§
^ ^ J

Ser/en Running Visitors: 8

F IG U R E 3.10: KFSensor Main Window

13. Open a command prompt from the S ta rt menu apps.

C E H Lab Manual Page 880

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

The top level item is the server. The IP address o f the KFSensor Server and the name o f the currently active Scenario are displayed. The server icon indicates the state o f the server:

14.

111 die

command prompt window, type n e ts ta t -an.
Command Prompt

Microsoft W in d o w sC U ersion 6.2 8400] l< c> 2 0 1 2 Microsoft Corporation All rights reserved. |C:M Jsers\Adnin)netstat -an Rctive C onnections Proto Local A ddress Foreign A ddress T C P 0.0.0.0:2 0.0.0.0:0 T C P 0.0.0.017 0.0.0.0:0 T C P 0.0.0.0:9 0.0.0.0:0 T C P 0.0.0.0:13 0.0.0.0:0 T C P 0.0.0.0:17 0.0.0.0:0 T C P 0.0.0.0:19 0.0.0.0:0 T C P 0.0.0.0:21 0.0.0.0:0 T C P 0.0.0.0:22 0.0.0.0:0 T C P 0.0.0.0:23 0.0.0.0:0 T C P 0.0.0.0:25 0.0.0.0:0 0.0.0.0:0 T C P 0.0.0.0:42 T C P 0.0.0.0:53 0.0.0.0:0 T C P 0.0.0.0:57 0.0.0.0:0 0.0.0.0:0 T C P 0.0.0.0:68 T C P 0.0.0.0:80 0.0.0.0:0 T C P 0.0.0.0:81 0.0.0.0:0 T C P 0.0.0.0:82 0.0.0.0:0

State L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G

F IG U R E 3.11: Command Prompt with netstat -an

15. Tins will display a list ol listening ports.
The protocol level o f KFSensor is used to group the ports based on their protocol; either T C P or U D P.

m

I 35

Command Prompt

E 3 |

T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P T C P

0.0.0.0:82 0.0.0.0:83 0.0.0.0:88 0.0.0.0:98 0.0.0.0:110 0.0.0.0:111 0.0.0.0:113 0.0.0.0:119 0.0.0.0:135 0.0.0.0:139 0.0.0.0:143 0.0.0.0:389 0.0.0.0:443 0.0.0.0:445 0.0.0.0:464 0.0.0.0:522 0.0.0.0:543 0.0.0.0:563 0.0.0.0:593 0.0.0.0:636 0.0.0.0:999 0.0.0.0:1024 0.0.0.0:1028 0.0.0.0:1080 0.0.0.0:1214

0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0

L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G L IS T E N IN G

F IG U R E 3.12: Command Prompt with netstat -an

C E H Lab Manual Page 881

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

1 6 . L e a v e d ie 17.
m

KF S e n so r

t o o l r u n n in g .

F o llo w

d ie w iz a r d - d r iv e n in s ta lla t io n s te p s t o in s ta ll M e g a P in g i n

Windows

T h e V is ito rs V ie w is

S erver 2012 (Host Machine).
1 8 . T o la u n c h

displayed o n the le ft panel o f the m ain w in d o w . I t com prises o f a tree structure th a t displays the nam e and status o f the K F S ensor Server and the visito rs w h o have connected to the server.

M egaPing

m o v e y o u r m o u s e c u r s o r to d ie lo w e r - le f t c o r n e r o f

y o u r d e s k to p a n d c lic k

Start.

F IG U R E 3.13: starting window s in w indow s server 2012 19. C lic k d ie

MegaPing

a p p 11 1 d ie

S ta rt

m e n u apps.

Start
Mo/11la Firefox

Administrator

£

awane

Googfc

*‫ג‬
m

* £

©
HTTPort 3.SNFM

6
Conmand Promp*

E ach v is ito r detected
Admnktr... Tools Hyper•V Manager

1 *
v/ogaPrv;

‫ף״י‬
Notepad*

b y the K F S ensor Server is listed. T he visito r's IP address and d om ain name are displayed.

‫«י‬

* S

B

F IG U R E 3.14: click on megaping 20. T h e m a in w in d o w o f

M egaPing

a p p e a rs

as

show n

in

d ie

f o llo w in g

s c r e e n s h o t.

C E H Lab Manual Page 882

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

2*
File View Tools Help

MegaPirvg (Unregistered)

I- n ' x

A A fl (3 JA A
DNS Lookup Name J ? Finger Network Time

= 5< 3 >4 * * ■ * * ‫ ע‬n ©
® DNS List Hods A, ______ DNS Ust Hosts Destnabon: <None> ^ DNS List Hosts Settings

A Pin9
|| ^ ^5 % ^ f '4^ V ^ J

Traceroute Whois Network Resources Process Info System Info IP Scanner NetBIOS Scanner Share Scanner Security Scanner Port Scanner Host Monitor

□ Select Al I Add

ca

F IG U R E 3.15: MegaPing o n W indows Server 2012 T h e V is ito rs V ie w 21. 22. S e le c t

can be displayed b y selecting the V isito rs o p tio n fro m the V ie w m enu.

Port S c a n n e r

fro m

l e f t s id e o f d i e lis t . d iis la b I P a d d r e s s is

E n te r d ie I P

a d d re s s o f

W indows 8 ( 1 1 1

10 .0.0.12

m a c h in e 1 1 1 w h i c h I v F S e n s o r is r u n n i n g 1 1 1 D e s t i n a t i o n A d d r e s s L i s t a n d c lic k

Add.

‫־‬7
file Yiew Tools Help

MegaPing (Unregistered)

n ^ i

A a g ai A A o 3 % 4
A DNS List Hosts * DNS Lookup Name Finger Network Time

3 4 ‫י‬ © >
Port Scanner Settings TCP and UDP v | Start

J ‫׳‬

Po»l Scanner

J2f Port Scanner Destnabon: . .

A Pin9
22 Traceroute ^ Whois 3 Network Resources <$> Process Info .J | System Info ^ IP Scanner NetBIOS Scanner Share Scanner £ Security Scanner Host Monitor

100 0 .12

Protocob Scan Type

Range of Ports ♦ Custom Ports L v

Destnabon Address List

□ Seiect Al

Type Keyword

Description

|

»Vw.

F IG U R E 3.16: MegaPing: Select 10.0.0.12 fro m H ost, Press Start button 23. C h e c k d ie I P a d d re s s a n d c lic k d ie

S ta rt

b u t t o n t o s ta r t lis t e n in g t o d ie

tr a ffic 0 1 1 1 0 .0 .0 .1 2 .

C E H Lab Manual Page 883

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

ry 1 File yiew Tools Help
3 DNS List Hosts ^5, DNS Lookup Name Finger Network Time f t pin9 gg Traceroute Whols 1 3 Network Resources % Process Info ^ System Info $ IP Scanner NetBIOS Scanner Share Scanner £ Security Scanner Host Monitor >‫ <יז‬4

MegaPing (Unregistered)

‫ ו‬- ‫ז ״י‬

*

i ti V

<$ 0

■ < *

‫צ‬

ca

V is ito r is obtained by

$

Port Scanner

Port Scanner Settings Protocols Scan Type: TCP and UDP v

a reverse D N S lo o k u p on the visito r's IP address. A n ic o n is displayed in dicatin g the last tim e the v is ito r connected to the server:

10 .0 .0 .12
Destnation Address L ist Ho*

Range of Ports ♦ Custom Ports L v

1

a t

1

₪al 1 0 .0 .0 .1 2

JSelect Al Add Delete

Type Keyword

Description

F IG U R E 3.17: MegaPing: Data o f die packets recieved 24. T h e f o l l o w i n g im a g e d is p la y s d i e i d e n t i f i c a t i o n o f T e l n e t o n p o r t 2 3 . MegaPing (Unregistered)
File yiew Jools Help

i. A S al 1*1 A #
DNS List Hosts Jj, DNS Lookup Name £ Finger J i Network Time t i p'"9 f f Traceroute Whols " 3 Network Resources <3> Process Info ^ System Info f IP Scanner ^ NetBIOS Scanner ^ Share Scanner £ Security Scanner £ } Host Monitor
£ 2 2

Port Scanner Destnabon:

IF

Port Scanner Settings TCP and UDP v

1 0 .0 .0 .1 2
Destination Address bat Host

Protocols Scan Type

Range of Ports ♦ Custom Ports L v

‫ ס‬a‫־‬p ‫כ‬
□ Select Al I Add

/ T h e V is ito rs V ie w is

lin ke d to the E ve nts V ie w and acts as a filte r to it. I f yo u select a v is ito r then o n ly diose events related to th a t v is ito r w ill be displayed in d ie E vents V iew .

0 S 1 0 .0 .0 .1 2

‫ צ‬123 ^42 f 53

Type TCP TCP TCP TCP TCP

Keyword telnet smtp nameser... domain

Descnption Risk High Telnet Elevated | Simple Mail Transfer Elevated Host Name Server Low Domain Name Serv... Low

F IG U R E 3.18: MegaPing: Telnet po rt data 25. T h e f o l l o w i n g im a g e d is p la y s d i e i d e n t i f i c a t i o n o f S o c k s o n p o r t 1 0 8 0 .

C E H Lab Manual Page 884

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

r< $
file View Tools Help

MegaPing (Unregistered)

l- T 0 ■ *

|4. A
jS,

S

aj it ti 4 % 3 3‫־‬

• t ti V 3 y

4 4 3‫י‬

T h e events are sorted in e itlie r ascending o r descending chronological order. T h is is co n tro lle d by o p tio n s o n the V ie w M enu.

DNS List Hosts DNS Lookup Name ^ Finger a i Network Time Pin9 gg Traceroute ^ Whols 13‫ ־‬Network Resources Process Info ^ System Info $ IP Scanner NetBIOS Scanner jj* Share Scanner <0 Security Scanner Jgj Host Monitor Ports 080‫ ג‬/ |‫ו‬ £ 1214 £ 1433 £ 1494 JT 1801

A

Port Scanner Settings Destnabon: . .

100 0 .12

Protocob: Scan Type

TCP and UDP

v Sop

Range of Ports + Custom Ports L v

Destination Address L ist Host 0S1O.O.O.12

□ Select fll

I * A
[ Delete Type Keyvwrd Descnption TCP socks Socks TCP TCP ms-sql-s M crosoft-SQL‫־‬Ser... TCP ica Citrix ICA Client TCP

EE

1

Low Low Low Low

'

[

Bepoit

F IG U R E 3.19: MegaPing: Blackjack virus 26. N o w c o m e b a c k to

Windows 8 v i r t u a l
Settings Help

m a c liu ie a n d lo o k f o r T e ln e t d a ta .

KFSensor Professional - Evaluation Trial File View Scenario Signatures J

9 a T |‫ ־‬e |1 ° I ° i @ I 5 » a J kfsensor - localhost - M... •

!d a > a a lfc t * I
Duration Pro... ‫ ״‬TCP Sens... Name 23 Telnet

B *-J T C P
^ 0 Closed TCP Per■ ■ 0 2 Death, Trojan ... 7 Echo - Recent... *I 9 Discard - Rec... ^ 15 Daytime - R... ^ 17 Quote of the.. ^ 19 chergcn R c. 21 FTP - Recent.. ^ 22 SSH - Recen... A 123 Telnet - Reel] j § 25 SMTP - Rece.. g 42 WINS • Rece.. g 53 DNS • Recen.. ^ 57 Mail Transfer.. g DHCP • Rece... 80 IIS • Recent... j§ 8 1 IIS 81 - Rece.. 82 IIS 82 ■Rece.. 83 IIS 83 - Rece.. J Keiberos - R... ^

•1 31

9/27/2012 6:24:13 PM .0.000

/ T h e events th a t are displayed are filte re d b y the c u rre n tly selected ite m in the P orts V ie w o r the V is ito rs V iew .

6 8 8 8

Ser/er Running Visitors:

8

F IG U R E 3.20: Telnet data o n KFSensor 27. T h e t o l l o w u i g im a g e d is p la y s d i e d a t a o f a D e a d i T r o ja n .

C E H Lab Manual Page 885

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

KFSensor Professional - Evaluation Trial
File View Scenario Signatures Settings Help

0-

j a a if^]a ifrtln Tpili
kfsensor - localhost - M... < ‫<״‬
TCP

Duration Pro...

Sens... Name

j -^ QC lo se dT C P P ofT r
Q 1 2 Death, Trojan ...| I £ 7 Echo - Recent... U £ 9 Discard - Rec...
& 13 Daytime - R...

9/27/2012 624:12 PM...

E x it: Shuts d o w n the KF S ensor M o n ito r. I f the KF S ensor Server i f n o t installed as a systems service then it w ill be shut d o w n as w ell.

^ ^ £ ^ r=| g ^ g

17 19 21 22 23 25 42 53 57

6 8

Quote of the.. chargcn - Rc... FTP - Recent... SSH - Recen... Telnet ‫ ־‬Rec... SMTP - Rece.. WINS - Rece.. DNS - Recen.. Mail Transfer.. DHCP - Rece.. IIS 81 - Rece.. IIS 82 - Rece.. IIS 83 - Rece.. Kerberos - R... y
Ser/en Running Visitors: 8

80 IIS - R ecent...

j§ 8 1 ^ 82 j § 83 =j

8 8

F IG U R E 3.21: Death Trojan data on KFSensor

Lab Analysis
A n a l y z e a n d d o c u m e n t d i e r e s u lt s r e la t e d t o d i e la b e x e r c is e . G i v e y o u r o p i n i o n o n y o u r t a r g e t ’ s s e c u r it y ‫ ־‬p o s t u r e a n d e x p o s u r e .

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

T o o l/U tility

I n f o r m

a tio n

C o lle c te d /O b je c tiv e s

A c h ie v e d

O u tp u t: K F S e n s o r

In fe c te d P o rt n u m b e r:
H o n e y p o t ID S

1080

N u m b e r o t D e te c t e d T r o ja n s : 2

I n te r n e t

C o n n e c tio n

R e q u ir e d

Y e s

0

N o

P la tf o r m

S u p p o r te d

0

C la s s r o o m

0

!L a b s

C E H Lab Manual Page 886

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

H T T P

T u n n e lin g

U s in g

H T T P o r t

HTTPo/fisap r o g r a m fromHTTHostthatc r e a t e sa tr a n s p a re n ttu n n e lt h r o u g ha proxys e r v e ro rfirewall.
I C O N
/ V a lu a b le in f o r m a tio n

K E Y

Lab Scenario
A tta c k e rs th e y c a n a tta c k e r a tta c k e rs p r e v io u s a re a lw a y s in a h u n t b y fo r IP c lie n t s th a t c a n to be e a s ily o r c o m p r o m is e d and e n te r y o u r n e tw o r k can a re la b , get a b le p a c k e ts to s p o o fin g a fir e w a ll tr a ffic dam age b y s te a l y o u r d a ta . T h e th e IP to a d d re s s . d o in It th e

S

T est to u t k n o w le d g e

th ro u g h

s p o o fin g have

c a p tu re can

n e tw o rk

as y o u

le a r n e d

th e y

p e rfo rm can

T r o ja n p ro v e to

a tta c k s , be

r e g is t r y fo r

a tta c k s , an

p a s s w o rd

W e b e x e r c is e

ca

h ija c k in g
W o r k b o o k r e v ie w

a tta c k s ,

e tc ., w h ic h

d is a s tr o u s to c a p tu re

o r g a n iz a t io n ’s and and

n e tw o rk . A n

a tta c k e r m a y u s e p a c k e t d a ta

a n e tw o rk to r e tr ie v e and

p ro b e

ra w

p a c k e t d a ta

t h e n u s e tin s r a w d e s t in a tio n IP

p a c k e t in fo r m a tio n p o rts ,

s u c h as s o u rc e header

a d d re s s , to L iv e

s o u rc e

d e s t in a tio n

f la g s ,

le n g th ,

c h e c k s u m . T im e H ence, as a

( T T L ) , a n d p r o t o c o l ty p e . yo u s h o u ld be a b le to id e n t if y and a tta c k s b v IP and

n e tw o rk

a d m in is t r a t o r fro m

e x tr a c tin g

in fo r m a tio n

c a p u ir e d

tr a ffic

such

as s o u rc e

d e s t in a tio n p o r t s , e tc . if an

a d d re s s e s , p r o t o c o l ty p e , h e a d e r le n g th , c o m p a re th e s e d e t a ils w i t h c a n a ls o m o d e le d c h e c k th e

s o u rc e

and

d e s t in a tio n to

a tta c k

s ig n a t u r e s

d e te r m in e

a tta c k ta k e

has o c c u rre d . Y o u e v a s iv e a c t io n s . A ls o , y o u can s h o u ld

a t t a c k lo g s

t o r th e

lis t o t a tta c k s

and

be

fa m ilia r w it h s e c u r it y

th e

H T T P th a t

t u n n e lin g m ay n o t

te c h n iq u e be

b y w h ic h v is ib le

you by

id e n t if y

a d d it io n a l

r is k s

r e a d ily

c o n d u c tin g to w h ic h

s im p le n e t w o r k ID S

a n d v u ln e r a b ilit y

s c a n n in g a n d d e t e r m in e tr a ffic w id iin

th e e x te n t

a n e tw o rk

c a n id e n t if y

m a lic io u s

a c o m m u n ic a t io n

c h a n n e l . 111 t i n s l a b , y o u w i l l l e a r n H T T P

n u in e liiig u s in g H T T P o r t .

Lab Objectives
T in s la b w i l l s h o w y o u h o w and n e tw o rk s c a n b e s c a n n e d a n d h o w to use

HTTPort

HTTHost.

Lab Environment
1 1 1t h e
C E H Lab Manual Page 887
la b , y o u n e e d d ie H T T P o r t t o o l.

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

HTTPort is l o c a t e d a t D:\CEH-Tools\CEHv 8 M odule 16 Evading IDS, F irew alls an d H oneypots\H T T Port
Y o u c a n a ls o d o w n lo a d t h e la t e s t v e r s io n o f

& Tools d e m o n stra te d in th is lab a re available in D:\CEHTools\CEHv 8 Module 16 Evading IDS, Firew alls and H oneypots

HTTPort

fro m

d ie lin k

h t t p : / / w w w .t a r g e t e d . o r g ■ I f y o u d e c id e t o d o w n lo a d th e la te s t v e r s io n , t h e n s c re e n s h o ts s h o w n 111

t h e la b m ig h t d i f f e r ■ ■ ■ In s ta ll H T T H o s t o n In s ta ll H T T P o r t o n F o llo w

W indow s 8 V

ir t u a l M a c h in e H o s t M a c h in e

W indow s S erv er 2012

th e w iz a r d - d r iv e n in s ta lla t io n

s te p s a n d

in sta ll it
t in s t o o l

A d m in istrativ e p riv ile g es

a re r e q u ir e d t o r u n

Lab Duration
T im e : 2 0 M in u t e s

Overview of H TTP ort
HTTPort proxies
c re a te s a t r a n s p a r e n t t u n n e l t h r o u g h a p r o x y s e r v e r o r f ir e w a ll. H T T P o r t b e h in d d ie p r o x y . I t b y p a s s e s a llo w s u s in g a ll s o r ts o t I n t e r n e t s o f tw a r e f r o m and

HTTP

HTTP, firew alls,

and

tra n sp a re n t a c c elera to rs.

TASK 1
Stopping IIS S erv ices

Lab Tasks
1. B e fo r e n u n iin g t o o l y o u n e e d to s to p

Web se rv ic e s
S e le c t

on

IIS Admin Service a n d World Wide W indows S erver 2008 virtual m achine.
n g lit -

c li c k a n d s e le c t

A dm inistrative Privileges ‫ ^־־‬S ervices ‫ ^־־‬IIS Admin Service, Stop.

^
File A*on View H elp

₪ Cff ₪ e ■ d? H D

IIS Admin Service

1Description
^Hum aT Interface D.. ^jHypet-V Data Exch.. ^jHypcr-V Gue*t JUl.. Enables ge... Provides a... Provides a... % H y p e r‫־‬V Heartbeat... Monitors th. . Synchronc...

| Status
Started Started Started Started

I Startup Type
Disabled Automatic Automatic Automatic Automatic Aiitnmatif Disabled Disabled Disabled Automatic Disabled Manual Disabled Automatic Manual Disabled Manual Manual Disabled Disabled

1 og Cn As ±
Local Syste Local Syste Local 5yste Local Syste Local Syste I oral 5 y< t< * Local Syste Local Syste Local Syste__ I Local Syste Local Syste Local Syste Networks, Local Syste Local Syste Local Syste Local Syste Local Syste Local Servic Local Syste j j j j j I 1 I

G Q HTTPort c re a te s a tra n sp a re n t tunnel through a proxy serv e r o r firew all. This allow s you to u se all s o rts of Intern et so ftw are from behind th e proxy.

Stco the service Pans* the service Restart the service

Description:

Enoblcs this uorvor to administer Web and FTP servces. If this service is stepped, the server will be unable to run Web, FTP, NNTP, or SNTP sites or configure 1 1 5 . If this service is disced, anv services chat expliatly depend on it will fail to start.

*^Hyper-V Time Sync... t^)Hypw‫־‬V 4 ^ IM A Pl CD'Burnirtg ... ^ In d ex n g Service ^ Intersite Messagng % IPSEC Services

% BM E3ESH■"
P a u s e
Restart

..

S ta rte d

P"
Resume

^Kerberos Key Distri... 4 ^JJLC Remote Agent License Logging % Logical Disk Manager % Logic‫ !־‬Disk Manag... ^Messenger ^Microsoft Software ...

Al T asks Refresh
Properties

Help

^f&Net Looon Maintainsa. . Net.Tcp Port Sharin... Provides a... ^ NetMeeting Rerrot... Enables an... ^Network Connections \ Extended X Standard / Manageso... Started

Manual

Local Syste ▼ I

_ J
top servce IIS Adrm Service on Local Com puter

j

J

F IG U R E 4.1: Stopping IIS A d m in Service in W indow s Server 2008

C E H Lab Manual Page 888

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

3.

S e le c t

A dm inistrative Privileges S ervices S ervices, r i g h t - c l i c k a n d s e l e c t Stop.
File Action View Help

World Wide Web
JJ3 Jx f
‫ן‬

& it b y p a sse s HTTPS and HTTP proxies, tra n sp a re n t a c c e le ra to rs, and firew alls. It h a s a built-in SOCKS4 server.

«- -► H

g? B

[ S i

► ■

‫וו‬

Ser/ices (Local)

% Services (Local)
Name Stop the service Pause the service Restart the service Descript on: Provides Web connectivity and administration through the Internet Information Services Manager | Description | Status Started | Startup Type Manual Disabled Disabled Manual Manual Manual Disabled Started Started Automatic Manual Automatic Disabled Started Manual Automatic Manual Manual

1 LoqOnAs
Local Syste Local Syste Local Syste Local Servic Local Syste Local Syste Local Servic Local Syste Local Syste Local Syste Local Servic Local Syste Local Syste Local Servic Local Servic Local Servic Local Servic Local Syste Local Syste Local Syste

A

Termiial Services Alows user %Termhal Services S... Enables a. ^Themes Provides u. ^^UninterruptiblePow... Manages a.

i]

^

Virtual Disk Service

Provides s.

Volurre Shadow Copy Manages a, ^WebClient -nabtes W , Windows Autk ^Windows CardSpace ^Windows Firewal/I... ^Windows Imai Windows I n s t | ^ ^ ^ ^ ^ ^ ^ Windows Man ^Windows Pres ^ Windows Tim * % Windows Usei %w.nHTTPW et Wireless Conf ‫־‬ % W M I Perform* ^ Workstation Manages a, Securely e. Provides n.

1

r 1
c . Kestd't

j 1

*
Refre*

Started

Automatic Manual Manual Automatic Manual Automatic Automatic

Properties
.. .. Started Started

Local SysteH l

< 1 \ Extencted / Standard / |Rop ser/ice Worid Wide Web Publishing Service on Local Computer

_____

1‫ע‬

J

F IG U R E 4.2: Stopping W o rld W ide W eb Services in W indow s Server 2008 4. 5. L o g in to

W indows S erver 2008

v ir t u a l m a c h in e .

O p e n M a p p e d N e tw o r k D r iv e

CEH-Tools a t Z:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firew alls and Honeypots. HTTHost
f o ld e r a n d d o u b le - c lic k

£9 It su p p o rts strong traffic encryption, w hich m ak es proxy logging u se le ss, and su p p o rts NTLM and o th er a u th en ticatio n sc h e m e s.

6.
7.

O p e n th e A

h tth o st.ex e.
ta b . d ie p a s s w o rd .

HTTHost w

i z a r d w i l l o p e n ; s e le c t d ie

O ptions

8.

O ptions t a b l e a v e a l l d i e s e t t i n g s a s t h e i r d e f a u l t s e x c e p t P ersonal P assw ord h e l d , w h i c h s h o u l d b e t i l l e d w i d i a n y o d i e r L i d u s L a b d i e P e r s o n a l P a s s w o r d i s “ m agic.”
O n d ie C h e c k d ie

9.

Log C onnections

o p t io n a n d c lic k

Apply.

C E H Lab Manual Page 889

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

: H T T H o s t 1 .8 .5 — Ne tw or k B in d li s t e n i n g t o : | 0 .0 , 0 . 0 |80 B in d e x t e r n a l t o : |0 ,0 , 0 . 0 Personal password:

Tools d e m o n stra te d in th is lab a re available in Z:\ M apped N etw ork Drive

Allow a cc e ss f r o m : | 0 .0 . 0 . 0

n*****

P assthroug h un rec o g n ize d requests to: H o s t n a m e or IP: |1 27 .0 .0 .1 M a x . local b u f f e r : 1256K Port: |S 1 T im e o u ts : O r i g i n a l IP h e a d e r fiel |x-O rigin al-IP

| 0:1:2 ^‫[־‬
Apply

R eu alid a te DNS n a m e s 1✓ L o g c o n n e c t i o n s

Stati stics | A p p l i c a t i o n lo g

:| s e c u r i t y ) S e n d a Gift )

F IG U R E 4.3: H T T H o s t O ptions tab 10. N o w le a v e

HTTHost i n t a c t ,

a n d d o n ’t t u r n o i l

W indows S erver 2008

V i r t u a l M a c h in e . 11. N o w fro m s w i t c h t o W indows Server 2008 H ost M achine, a n d i n s t a l l H T D:\CEH-Tools\CEHv7 Module 16 Evading IDS, Firew alls and H oneypots. d ie w iz a r d - d r iv e n in s t a lla t io n s te p s . fro m T P o rt

12.

F o llo w

13. N o w

o p e n HTTPort HTTPort 35NFM.

S tart

‫^־־‬

All Program s ‫ )־‬HTTPort 35NFM ‫^־־‬

14. T h e

HTTPort w

in d o w

a p p e a r s a s s h o w n 1 1 1 t h e f o ll o w i n g f ig u r e .

H TTPort 3.SNFM
S y s te m P ro x y j P o rt m a p p in g | A b o u t ) R e g i s t e r )

‫ ־־‬H T T P p ro x y to b y p a s s ( b la n k = d ire c t or fire w a ll) H ost n a m e or I P a d d re s s ! P o rt:

& To s e t up HTTPort need to point your bro w ser to 127.0.0.1

I

P r o x y re q u ire s a u th e n tic a tio n Passw o rd :

U se rn a m e!

‫ ־‬M isc. o p tio n s U s e r- A g e n t: B ypass m ode:

‫ פ ו‬rR e m o t e

host

‫־‬ 31

U s e p e r s o n a l r e m o t e h o s t a t ( b la n k = u s e p u b lic) H o st n a m e or I P a d d re ss: P o rt: Passw o rd :

F----- I----------< — T h is b u tto n h e lp s

F IG U R E 4.4: H T T P o rt M ain W ind ow

C E H Lab Manual Page 890

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

15.

S e le c t t h e m a c h in e .

Proxy

ta b a n d e n te r th e

H ost n am e

o r

IP ad d re ss

o f d ie ta rg e te d

& HTTPort g o es w ith th e predefined m apping "External HTTP proxy" of local port

16.

H e r e , as a n e x a m p le , e n te r d ie

ad d ress,

a n d e n te r

Windows S erver 2008 Port num ber 80.
and

v ir t u a l m a c h in e

IP

1 7 . Y o u c a n n o t s e t d ie 18. 111

U sem am e

P assw ord

fie ld s . d ie ta rg e te d

U ser personal rem ote h o st a t section, e n t e r m achine IP a d d re ss a n d d i e p o r t s h o u l d b e 80. magic.
HTTPort 3.SNFM
S y s te m

Host

19.

H e r e a n y p a s s w o r d c o u l d b e c h o s e n . H e r e a s a n e x a m p l e t h e p a s s w o r d is

IE !* ]

P ro x y j p 0 rt m a p p in g | A b o u t | R e g is t e r j

H T T P p ro x y to b y p a s s ( b la n k = d irect or fir e b a ll) H o s t n a m e or I P a d d r e s s : Po rt:

1 80
I P ro x y re q u ire s a u th e n tic a tio n Passw o rd : U se rn a m e:

n F o r each softw are to create custom , g iven all the addresses fro m w h ic h it operates. F o r applications d ia t are dynam ically changing the po rts there S ocks4-proxy m ode, in w h ic h die softw are w ill create a lo cal server Socks (127.0.0.1)
‫ ־־‬M isc. o p tio n s U s e r- A g e n t: IE 6.0 B ypass m ode:

‫[ פ ו‬R e m o t e

host

‫פו‬

U s e p e r s o n a l r e m o t e h o s t a t !.b lan k = u s e p u b lic) H o st n a m e or I P a d d re s s : 110.0.0.31 P o rt: 80 Passw o rd :
* * * * *

j j

^— T h is b u tto n h e lp s

F IG U R E 4.5: H T IP o r t Proxy settings w indow 20. S e le c t d i e

Port Mapping

ta b a n d c lic k

Add

t o c re a te

New Mapping.

In real world environm ent, people so m etim es u se passw o rd p ro te c te d proxy to m ake com pany em p lo y ees to a c c e s s th e Internet.

C E H Lab Manual Page 891

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

■ * HTTPort 3.SNFM
S y s t e m | P ro x y

W '

J s jx f

P o r t m a p p in g j A b o u t j R e g is t e r j

‫ ־־‬S ta tic T C P / I P p o rt m a p p in g s ( t u n n e ls ) 0• N ew m a p p in g 0 | L o cal p ort !.... 0 r e m o t e .h o s t . n a m e 0 • R e m o t e p ort I.... 0 I I f....A'dtJ.... !| Rem ove |

0 ‫ ׳‬R e m o te h ost

S e le c t a m a p p in g to s e e s ta tis tic s : No s ta ts ‫ ־‬in a c tiv e n /a x n/a B / s e c n/a K

LED s: ‫□ □ □ ם‬ O P ro x y

‫ ־־‬Built- in S 0 C K S 4 s e r v e r

[7

R u n S O C K S s e r v e r (p o r t 1 0 8 0 )

A v a ila b le in " R e m o t e H o s t" m o d e :

V

Full S O C K S 4 s u p p o r t ( B IN D )

*— T h is b u tto n h e lp s

F IG U R E 4.6: H T IP o r t creating a N e w M apping 21. S e le c t

New Mapping Node,

a n d r ig h t - c lic k

New Mapping,

a n d s e le c t

Edit.

S y s t e m | P ro x y

P o rt m a p p in g j A b o u t j R e g is t e r j

p S ta t ic T C P / I P p o rt m a p p in g s (tu n n e ls )
* ------------------- ‫ז‬ I Edit ■ H I ------------ 1 J

[ 0

Local p o r

0• R e m o te host r e m o t e .h o s t .n a m e 0 R e m o t e p ort
I....

Q

H T T H o s t supports the

registration, b u t i t is free and passw ord-free - yo u w ill be issued a unique I D , w h ic h y o u can contact tlie supp ort team and ask y o u r questions.

0

S e le c t a m a p p in g to s e e s ta tis tic s : No s ta ts - in a c tiv e n/a x n/a B / s e c n/a K

LE D s: ‫□ □ □ ם‬ O P ro x y

‫ ־־‬Built-in S O C K S 4 s e r v e r [7 R u n S O C K S s e r v e r (p o r t 1 0 8 0 )

A v a ila b le in " R e m o t e H o s t" m o d e : IFull S O C K S 4 s u p p o r t ( B IN D )

*— T h is b u tto n h e lp s

F IG U R E 4.7: H T T P o rt E d iting to assign a mapping 22. R e n a m e it to

Edit
23. N o w

a n d e n te r a

ftp certified hacker, Port value t o 80.

a n d s e le c t

Local port node,

r ig h t - c lic k to

H g h t - c l i c k R em ote h o st node ftp .certified h ack er.co m . N o w r ig h t c lic k

to

Edit Edit

a n d r e n a m e i t as

24.

R em ote port

n o d e to

a n d e n te r d ie p o r t v a lu e o f

21.

C E H Lab Manual Page 892

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

> HTTPort 3.SNFM

Tools d e m o n stra te d in th is lab a re available in D:\CEHTools\CEHv 8 Module 16 Evading IDS, Firew alls and H oneypots

S y s te m | Pro x y

P o rt m a p p in g | A b o u t | R e g is t e r |

S ta t ic T C P / I P p o rt m a p p in g s (tu n n e ls )

E|•‫ ׳‬L o cal p ort

1-21

‫־‬3 1
□ □□□

g 0

R e m o te h ost I— ftp .c e r tifie d h a c k e r .c o m R e m o t e p ort !....

21

S e le c t a m a p p in g to s e e s ta tis tic s : No s ta ts - in a c tiv e n/a x n/a E / s e c n/a K

O P ro x y

E u ilt‫ ־‬in S O C K S 4 s e r v e r W R u n S O C K S s e r v e r (p o r t 1 0 8 0 )

A v a ila b le in " R e m o t e H o s t" m o d e : Full S O C K S 4 s u p p o r t ( B IN D )

*— T h is b u tto n h e lp s

F IG U R E 4.8: H T IP o r t Static T C P /IP p o rt mapping 25. C lic k

H In th is kind of environm ent, th e fed e ra ted s e a rc h w eb p art of M icrosoft S earch Server 2008 will not w ork out-ofthe-box b e c a u s e w e only su p p o rt non-passw ord p ro te c te d proxy.

S ta rt

o i l d ie

Proxy

ta b o f H T T P o r t t o m n d ie H T T P

t u n n e lin g .

HTTPort 3.SNFM
S y s te m P r o x y | P o rt m a p p in g | A b o u t ) R e g i s t e r )

]□Txi

r‫ ־‬H T T P p ro x y to b y p a s s ( b la n k = d irec t o r fire w a ll) H o st n a m e or I P a d d re s s : P o rt:

ji o . o . o . :

I-

P r o x y re q u ire s a u th e n tic a tio n Passw o rd :

U se rn a m e:

— M isc. o p tio n s U s e r- A g e n t: ‫פ ־‬ Byp ass m ode: [ R e m o te host

‫פ ־‬

‫ ־־‬U s e p e r s o n a l r e m o t e h o s t a t ( b la n k = u s e p u b lic ) — H o st n a m e or I P a d d re s s : P o rt: Passw o rd :

110.0.0.: 110.0.0.3
j J < — T h is b u tto n h e lp s

[80

I‫**** ״‬

F IG U R E 4.9: H T T P o rt to start tunneling 26. N o w s w i t c h t o W indows Server 2008 A pplications log t a b . C h e c k d i e la s t lin e . I f p ro p e d v . v ir t u a l m a c h in e a n d c lic k d ie

27.

Listener: listening a t 0.0.0.0:80,

t h e n i t is r u n n i n g

C E H Lab Manual Page 893

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

: : H T T H o s t 1 .8 .5

Application log: M A IN HTTHOST 1,8,5 PERSO N A LG IFTW A RE D EM O starting M A IN Project codename: 99 red balloons M A IN Written by Dmitry Dvoinikov M A IN (c) 1999-2004, Dmitry Dvornikov M A IN 64 total available connection(s) M A IN network started M A IN RSA keys initialized M A IN loading security filters... M A IN loaded filter "grant,dll" (allows all connections within M A IN loaded filter "block,dll" (denies all connections withir M A IN done, total 2 filter(s) loaded M A IN using transfer encoding: PrimeScrambler64/SevenT‫־‬ grant.dll: filters conections .block,d.ll,:_ £ iIters conection.s------LISTEN ER: listening at 0,0,0.0:80]

I 1
28. N o w
S ta t is tic s A p p l i c a t i o n lo q

1 .................
[ O p tio n s S e c u r ity Send a G if t |

d

F IG U R E 4.10: H T T H o s t A pplication lo g section s w i t c h t o W indows Server 2008 W indows Firewall. G o to S e le c t h o s t m a c h in e a n d t u r n

ON

d ie

29. 30.

W indows Firewall w ith A dvanced Security. O utbound rules
fro m d ie le f t p a n e o f d ie w in d o w , t h e n c lic k

New

Rule
Fib Anon View

in d ie r ig h t p a n e o f d ie w in d o w .

■ tec

« ‫־ י‬M
N?C c e :c r -!
B Moniwing

I‫ ם‬fa
ire | ©EIT5 Peercan r ‫־‬c CContent‫־‬Out] BITS Pee1 ccc‫־‬irg J,',SC-Cut) <9 1 ®CtertfarNFSCrCP-Out) * 'Cle-tf0rNFS(u:O-Ojt) ut) <9 Core Networking - DNS (LDP■O core Networking - Dynamic M ost Configuratl... 0 1Core Networking - Group Poky (LSASS-Out) ©Core Networking ‫ ־‬Group aoicy (NP-Out) ilCore Networking - Group Poky ^TCP-O ut} Core Networking - lrte‫׳‬net GroupManager!,.. * Cor®Networking • IPv6 (P*5-Out) ©Co*e Networking ‫ ־‬Multicast LStener Co‫־‬ e (I... ©Core Networking • Multeo»t Latener Query (... O Core Networking • Mjtaot Latener Report... ©Core Networking ■ Mjtcaot Lotenc‫ ׳‬Report... © Cor• Networking • NeiJW Discovery A dv‫׳‬e .. * cor# Networking • negroor Dlieovery solat. . <3 Core Networking • Packet Too Bo 0CMPv6•‫״‬ © c « f« N «t>vg1 ‫־‬luno • P. aC'-T... Cf Core Networking • Router Adverfcjement (IC... &Core Networking • Router Solctator !ICM P... Core Networking ■'ereoo (UDP-Out) cor* Networking • ' it# Exceeded (tCVPi/6• .. ©DtetrbcteCT'ranseCttonCootdinaioi (TCP-Oui) © Fife and Prrte‫ ־‬Sharhj (Edo Request ‫ ־‬ICM... f il'fe and Frrte‫ ׳‬Sharog (Ec‫־‬o Reqjest - ICM... File and Prrte‫ ׳‬Snarng (N B-06tag‫־‬am-0ut) File and Prrte‫ ׳‬i‫׳‬narng (NBAsme-Out) Pile and Frrte‫ ׳‬Snarrg (NB-Sesscr-Cut) @ Fife and Frrte‫ ׳‬SharhQ (SMBOut) a Hvper‫־‬/ -WM! fTCP-OuO ®Hyper‫־‬VManagercntClients ‫ ־‬W M I (TCP•Out) ut) € iSCSI Ser/ce (TCP■O NR-UDP-CUt) « !NetworkDeco'/ery (LLM ‘ G 'Oup BITS see‫־‬codino BITS 3ee'CBching dent far NFS Cient 'or NFS co‫׳‬e \etA0r<re Co‫׳‬e ‫־‬ setAorxrc Co‫־‬e NctworMX C»‫׳‬e 'ctAorxrc C»‫׳‬e '■ct‫׳‬.or<rc Ca‫׳‬e \* t‫\׳‬or<1 ‫־‬s Ca‫׳‬e ■^tAcryrg C0 ‫׳‬e MftAOhcrc Ca‫־‬e Nfctftorxrc Ca‫־‬e ‫ >י‬1^0^>‫?רו‬ Co‫״‬e ‫־‬ sctAorxr^ Co‫״‬e \* t‫\׳‬or<r5 Co‫ •־‬r\#meryrc C0‫׳‬e NttAOhcrc C»'« Nitncrwe Ca‫׳‬e Net^orxrg Ca‫׳‬e NetAoncrg Ca‫׳‬e \etA 0ncrg Ca‫׳‬e \#tA0 r<rc Dst!1txj:ec T ‫ ׳‬ansae tor cocrd Fie and Prrter Shorrc Fie and Prrter Sl‫«־‬rrg Fie and Prrter Sfarrg Fie and Prrter Sf‫־‬arrc Fie and Prrter st-arrc Fie and Prrter Sfcarrc Hyser-V H/dc’-VKfarogen*ent Cients SCSI Sen‫ ׳‬oe Network ^scc«w«r/ .... 1 n‫־‬ofle 1 Enabled Ary No fr y No Ary ves Ary ves Ary *es Ary ve? Ccnar ves Ccnar ves Ccnar v« Ary ’« try fir y v« Arr vea Ary Tea Ary V e1 Ary ve« firy ‫»״‬ fit)y *es v«t Amy Ary Ve3 Ary ves Ary ,M ‫א־‬ firy firy N O Ccna... Yea Ccna... ves Ccna... ves Ccna... ves Ccna. . ves Dons... ^es Pry V C 5 Ary V C 5 Ary No Ccna... No 1 Action A IIoa *JIoa *JI0A A IIoa A IIoa flllO A A J Ioa A IIoa A IIoa A IIoa A IIoa A IIoa A IIoa A IIoa A IIoa A IIoa A llO A A IIoa A IIoa A IIoa A IIoa A IIoa A IIoa A IIoa A IIoa A J Ioa A IIoa A IIoa A IIoa A IIoa A IIoa aJI0A A J Ioa A IIoa 1 p-~ Sv V t S‫׳‬t % % % % a: 5\ A l A 1 A f A r A r A ! A r__| A 1 A l A 1 V, A r % A 1 A r s> s> s\ Si ‫׳‬H Outbound Rules [jg NeARic■■■ V V 7 ] Fiterbv P 0‫־‬fil= Fiterbv Sate Fitr■‫ ־‬bv 5 quo

& Tools d em o n stra te d in th is lab are available in Z:\ Mapped N etw ork Drive in Virtual M achines

£$ Re'resr Export ue

Q

Hep

■ ■ ■ f

F IG U R E 4.11: W indows Firewall w ith Advanced Security w in d o w it! W indow s Server 2008 31. 111 t h e

s e c d o n a n d c lic k

New O utbound Rule Wizard, Next.

c h e c k d ie

Port

o p t io n in d ie

Rule Type

C E H Lab Manual Page 894

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

9New O utbound R ule W izard
R ule Type
Select the type of fie w a l rule to create. Steps:

•a Rule Type

What type of njle would you like to create’’

£H H T T P o r t d oesn't really care f o r d ie p ro s y as such, it w o rks perfecdy w id i firew alls, transparent accelerators, N A T s and basically a nything drat lets H T T P p ro to c o l through.

*

Protocol and Ports Action Profile Name

* * *

C

Program Rule that controls connections for a program

(ff
r

p ort

]

P re d e fin e d :

‫פ ר‬
Rule that controls connections for a Windows experience.

C Custom
Custom lule.

Leam more about rule types

Next >

F IG U R E 4.12: W indow s Firewall selecting a Rule Type 32. N o w s e le c t

All local ports

in th e

Protocol and P orts

s e c t io n .

* New O u tbound R ule W izard

Protocol and Ports
Specify the protocol and ports that this rule matches.

Steps: S Yo u need to install htthost on a PC, who is generally accessible on the Internet ‫־‬ typically your "home" PC. This means that if you started a Webserver on the home PC, everyone else must be able to connect to it. There are two shows toppers for htthost on home PCs

« Rule Type
<* Protocol and Ports

Does this lule apply to

TCP or UDP^

< ‫ז‬

tcp

*
« #

Action Profile Name

r

udp

Does this rule apply to all local ports or specific local ports'’ [<• C A ll lo c a l p o rts

j
| Example: 8 0 .4 4 3 .1

S p e c ific lo c a l p o rts :

Leam more about protocol and ports

< Back

||

Next >

|

Cancel

|

F IG U R E 4.13: W indow s Firewall assigning Protocols and Ports 33. 111 t h e

Action

s e c t io n , s e le c t

Block th e co nnection

:m d c lic k

Next.

C E H Lab Manual Page 895

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

1■** New O utbound Rule Wizard 1 A c t io n 1 Specify the action thatistaken when a connection matches the conditions specified n the rule. Steps: # Rule Type '//hat action should be taken when a connection matches the specified conditions‫ל‬

_x]

m NAT/firewall

issu e s: You need to en ab le an incom ing port. For HTThost it will typically be 80(http) or 443(https), but any port c a n be u sed ■ IF th e HTTP proxy a t w ork su p p o rts it - so m e proxy’s a re configured to allow only 80 and 443.

«# Protocol and Ports •‫ י‬/®ction

C A llow th e co n n e ctio n
Alow connections that have been protected with IPsec as well as those that have not.

<# Profite 1# Name

C A llow th e c o n n e ctio n if it is secure
Aflow only connections that have been authenticated and integnty ■protected through the use of IPsec. Connections w i be secured usma the settings m IPsec properties and rules in the Connection Security Rule node

V

Require th e conn e ctio n s to be e ncypted Require pnvacy m addtion to rtegnty and authentication

(• B lock th e conn e ctio n

Learn more about actions

< Back

||

Next‫־‬

||

Cancel

|

F IG U R E 4.14: W indow s Firewall setting an A c tio n 34. 111 d i e

Profile s e c t i o n , s e l e c t a l l t h e d i r e e Domain. Public, Private a n d c l i c k Next.

o p t io n s . T h e

m le

w i l l a p p ly

to :

** New O utbound Rule Wizard Pro file
Specify the profiles for wf»ch this rule applies Steps: <• Rule Type * « * Protocol and Ports Action PrnfJe 17 Domain .Applies wh< n a computer is connected to its corporate domain 17 Private Applies win n a computer is connected to a private network location. 17 Public Applies win n a computer is connected to a public network location. When does this rule apply 7

& Tools d e m o n stra te d in th is lab a re available in D:\CEHTools\CEHv 8 Module 16 Evading IDS, Firew alls and H oneypots

Learn more about profiles

‫ ־‬Back

Next ‫ג‬

I

Cancel

F IG U R E 4.15: W indows Firewall Profile settings 35. T ype

Port 21 B locked

111 d ie

Name

fie ld , a n d c lic k

Finish.

C E H Lab Manual Page 896

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

N am e
Specify the name and description of this rule Steps: 4 4 Rule Type Protocol and Ports Action Profie ‫״י‬ Name Description (optional): Name: |Port 21 Blocked

Q

T h e default T C P p o rt

fo r F T P co n n e ctio n is p o rt 21. Sometim es the local In te rn e t Service P rovider blocks this p o r t and this w ill result in F T P conn ection issues.

< Back

|

Finish

Cancel

|

F IG U R E 4.16: W indow s Firewall assigning a name to Port 36. N e w R u le

Port 21 Blocked

is c r e a t e d a s s h o w n i n d i e f o l l o w i n g f i g u r e .

j=iir
Fie Action View Help ^ VVtnco/i* Fretval Advanced S t3 Iroourc Rdes : - : ; ‫ ־‬. :: Come:t>an Sca*1ty Rue5 Outbound Rules -

H T T P o r t doesn't really care fo r d ie p ro x y as such: it w o rks pe rfe ctly w ith firew alls, transparent accelerators, N A T s and basically anything d ia t lets the H T T P p ro to c o l through.

K Fat2 1 B k x k e d © C lien tfy N = SC T C P O u t )
© EI"S 3eeriocing (WSD‫־‬ Out) Q Client for M =S (UDP-Out) Ccrc Ner//crking - DUS (UDP-Out) B rs ^eerrsenrg BI”S ^eercccnng Client ft)‫ ׳‬MFS Client fo‫ ׳‬MFS Core Networking Cae Netwafcino Core Networking Core ■ ,Jer/'orbng Cae Netwabng Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Cae Networking Core Networking Core Networking Core Networking Cae Networking Core Networtano Core Networking Distributed Trensacton C30>d... File and *irter Sharng File and *rter Sharng File and *inter Sh«rhg File and ^!rrer sharng File and *rter Sharng File and *irter Sh<rng Hype‫׳‬-v Hype‫־׳‬/ Vanageniert Cierts iSCSI Se‫־‬vioe

F% r ‫־‬ io n i1ai‫׳‬x )

BCereNetw o r k m o‫־‬D y n a m ich o s tC o n fic c ra t...
Q c c r e Networking - Grouo Palcy (LSASS-Out) Cere Networking GrousPolcy (UP‫־‬ Cut) © Cere Networking • G icud Polcy fTCP-Out) Q Cere isjetvrortong • Internet Group Yanagerr. . Ccre Networking ■IPv6 ( IP v 0 6‫׳‬ut) Cae Networking ■Multicast Listenei D 01‫־‬e (I... Q) ( ‫־׳‬re Networking • Multicast Listener Query (... Q c cr e Networking Multicast Listener Repo‫׳‬t ... © C a e Networking • Multicast Listenei Reixrt... Q c er e Networking • Neighbor Qscovery Adve. . © Cere Networking Neighbor Oocovery Soleit... Q C a c Networking ‫ ־‬Pocket TooBg {ICMPvfi•... Q Cere Networking • Par»m#ter Pretolem (ICMP... © C ere Networking Rotter Adverbccment :1C... Coe Networking *Route! Sokiteton (1CNP...

e

e r / ‫׳‬o r k 1n o• T e r e d o(U O P ‫־‬ O u t) gCcreN
Q H T T P is the basis fo r

W e b surfing, so i f yo u can free ly s u rf d ie W e b fro m w here yo u are, H T T P o r t w ill b rin g yo u die rest o f the In te rn e t applications.

Cere Networking Time Exceeded (ICM \6‫׳‬. .. © Dotibcted Treroacfon Cooidnator (TCP•Out) © File and *inter Shwng (Echo Request ■ICM... © File and *inter Sharng (Ec‫־‬o Request - !CM... t t n i e and *inter Sharing (NB‫־‬Dalog‫־‬orr‫־‬Ojt) © W e and W inter shjrng (NB-Name-Out) © File and *inter Sharng (NE-Sessan-Out) ©File and *inter Sherhg (SMB-Out)

© H yp e‫־׳‬/* V / M Ia c p o u t)

a

© Hype'-v Vsn3gernert Gierts ‫ ־‬,A /W I (TCP-Out) © iSCSI Se‫\־‬ice (TCP-Cut)

I

1

Any Any Any Ant Any Any Am Dom ain Donain Dooain Any Any Any Any Any Any Any Any Any Any Any Any Any Any Any Donai.. Donai... Donai... Donai.. Donai.. Donai... Any Any Any

No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Y #S Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes No

AIoa AIoa AI0A AIch a AIoa AIc t a AIoa AI0‫׳‬a AIoa Alow Alovs A Ig‫׳‬a A Ioa A Ioa AIc ‫׳‬a A Ioa AIoa AIoa A Ioa Alovs Alovs Alovs Alev. AIoa Alovs Alovs AIoa Ale‫׳‬a Alovs AIoa Alovs AI0‫׳‬a AIoa

New Rule... S\ % % % % °/ c % °‫׳‬ c V Piter by Profile ► > ► ►

"\7 Fiter by State *7 Fiter by Group view [($] Refresh |3» Export List... Q Heb

A 1 A r A l A r A 1 A 1 A r A 1 % A r ‫*י‬ A r A r 5\ 5\ Sy 5\ °c

Port 21 Bbckcd (♦ Disable Rjle

-

x
Q

Delete

la l P lO U C It o Heto

F IG U R E 4.17: W indows Firewall N e w rale 37. R i g h t - c l ic k t h e n e w ly c r e a te d r a le a n d s e le c t

Properties.

C E H Lab Manual Page 897

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

|

* WVuwkyws h rm
Pile Acoor

tl vwtti /Utvitnrrd Sfnin ry ndp

Ve«

B HTTPort th en

*■ » ! »[P1U ‫ ם‬T T _
P Whdovts Frevrdl <vth Ad.oxed S KQ !rbourdRjbs gg Outbound Rjtes Jiu Correcton Secjnt/ 3_ies ®SITS Peercecihg (Content-Out) 3 Monito'irg ®BIT5 Pcer^ecihg (WSD-Out) ® C ien t St 1 ‫־‬ TS (TCP-Out) © C fent *6‫ ־‬NFS (UDP-Out) ©CCKer\e:v‫׳‬crkirg -CNS (UDP-Out) ® Cxe he:v‫׳‬crkirg -Dynarrlc host Conflcu‫־‬ ati... © C x e r e »‫׳‬akirg -Gouo Poky (LSASS-Out) Q c x e networking -GrouoPolcy (I'P-Out) O core hecwcrkirg -Grouo poIcy (TCP*Ou:) ©core ser/>crk]ra -internet Group r^anacen. ‫״‬ ©cofefcetv/crkira -ipvO OPVft-OuO ® c o re her/‫׳‬ak ra -Mj :as: Listener Dons a... ®Core se:v‫׳‬crlurQ •Miticas: Listener Query (... ®Coretserv‫׳‬crk rg •Miticast listensr Re!»rt... ®Coreiserv‫׳‬crk rg •Miticas; listener Re!»rt... ®CoreNe;v‫׳‬crk rg •Neghto‫ ׳‬Discovery Adve... ® C o re Nerv‫׳‬erkro •Nefchbof Discovery Solicit... ®Core IServ‫׳‬crk rg ‫־‬Packet Too GCMPv *... ®Car# N#rv‫׳‬erkng •P»r*^#t»f Problem (ICMP... ®Car# N erv< erkrg •Ranter Aev#rticem»M (IC. . ®Car# N#rv!erk rg •Ranter Solicitation (ICVP... v# Nerv/erkirg •Teredo (UDP-Out) ^ C ore Ne?‫״‬ ‫׳־‬crlurg • Tire Exceeded (ICNP6/ ‫׳‬ • ... ® D crbuted Transa:ton Coordinator (TCP-Out) (J =le and 3rirter Sharrg (Ecno Request - ICM... Fie 3rd ^irter Snarrg (Ecno Request - ICM... =le 3rd 3rirter ^arrg (NE-Datagram‫־‬Out) (J -ie 3rd 3rirter Sharng (MB-Name-Out' @iFle and 3rirter Sharng (NE-Session-Out ‫׳‬ ® F ie 3rd 3rirter Sharng (SMB-Out; ®Hyper-V - V YN I (TCP-Out} (J Hyper-V Naiogc-ncnt Clients ‫ ־‬V/MI (TCP-Out) ®!SCSI Service (TCP-Out) Outbound Rules

in te rc e p ts th a t co n n ectio n and runs it through a tunnel through th e proxy.

NewRule...
,‫?י‬ FIter by P‫־‬cfie

V Fiterb yStete
V
Core W L\*K1 ‫־‬ ^' Core NetAOikng Daren Dcman Dorian FlterbyGroio

1

vew
id ReYesh © Q Export bst... tisb

1

C J C

1 0 1 1 1 1 1 1 8 0 6 1 1 1

c o reN e t A O r t c n g c o reN e t A O r t c n g c o reN e tA o r ic n o c o reN e tA o r k n o c o reN e tA O r tT K J C o r eN e t A O r t a T O C o r eM e t A O r t c n g C o r eN Je t A o r t c n g C o r eM e tA o r tc n o C o r eM e tA o r tc n o C o r eS ie t A O r t c n o
Core VJetAorieng Core VletAortcng Cor* MetAOficng Cor# VletAorkng Cor# VletAortcng Distibutec Trareactoor Coord. File anc Prn:er Shares File anc Prn:er Shanng Fite anc Prn:er Sharing Fite anc Prn:e‫ ־‬Sharing Fite anc Prn:e‫ ־‬Sharing Fite 3nc Prnjet Sharing Hyper-V Hyper-V MDragencn: Cle‫־‬tis SCSI Ssrvce

Pori 21 Dbckcd (♦' D»ablc Rule

‫ א‬D ‫־‬te* p ‫׳‬c P C tt)C 3

UH ‫־‬b

Ary

& E nables you to byp ass your HTTP proxy in c a s e it blocks you from th e Internet

Ary

M o m M o m M o m M o m M o m
Mom
5‫־‬ ‫־‬ or i ‫־‬e current selec‫ר‬cn.

‫_______; _______ע‬

!p-cperbes c &iog box

F IG U R E 4.18: W indow s Firewall new rule properties 38. S e le c t t h e

P rotocols and P orts t a b . C h a n g e d i e R em ote Port Specific P orts a n d e n t e r d i e Port num ber a s 21.
d e f a u l t s a n d S e le c t

o p t io n to

39.

L e a v e d ie o d i e r s e ttin g s as d i e ir

Apply ‫ ^־־‬OK.

& With HTTPort, you c a n u se various In ternet so ftw a re from behind th e proxy, e.g., e-mail, in stan t m e sse n g e rs, P2P file sharing, ICQ, N ew s, FTP, IRC e tc . T he b asic idea is th a t you s e t up your In tern et so ftw are

General Protocols and Ports

Programs and Services | Scope

Computes

j

Advanced

Protocols and ports
r

Protocol type: Protocol num ber: local port:

■ ‫ע‬ l
|.A II Ports

zi d

1
FMmn1« an m anan Remote port: ]Specific Ports

I2 1
Exam ple: 80.445. 8080 Internet Control Message Protocol (ICMP) settings: ---

Learn m ore about protocol and ports OK | Cancel | fipply

F IG U R E 4.19: Firewall P o rt 21 Blocked Properties 40. T ype

ftp 127.0.0.1

111 th e c o m m a n d p r o m p t a n d p re s s

c o n n e c t i o n is b l o c k e d a t d i e lo c a l h o s t 1 1 1

Enter. T h e W indows Server 2008.

C E H Lab Manual Page 898

Etliical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Q H T T P o r t does neither freeze n o r hang. W h a t yo u are experiencing is k n o w n as "b lo c k in g operations"

F IG U R E 4.20: ftp connection is blocked 41. N o w ty p e
c \.

o p e n a c o m m a n d p r o m p t 111

ftp ftp.certifiedhacker.com

a n d P re s s

Windows S erver 2008 E nter

h o s t m a c h in e a n d

A dm intstrator Command Prom pt - ftp ftp.certifiedhacker.com

IC:\Users\Adninistrator>ftp ft p .c e r t ifie d h a c k e r. con Connected to ftp .ce rtifie d Jh a c k e r.co n . 220-hicrosoft FTP Seruice 220 IJelcopte TO FTP Account User Cftp.certifiedhacker.con:<none>>: _
2^7 H T T P o r t makes it

possible to ope n a clie n t side o f a T C P /IP co nn ection and p ro vid e i t to any software. T h e keyw ords here are: " clie n t" and " any softw are".

F IG U R E 4.21: Executing ftp command

Lab Analysis
D o c u m e n t a ll d ie I P a d d re s s e s , o p e n p o r t s a n d r u n n i n g a p p lic a tio n s , a n d p r o t o c o ls y o u d i s c o v e r e d d u r i n g t h e la b .

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

T o o l/U tility

I n f o r m

a tio n

C o lle c te d /O b je c tiv e s

A c h ie v e d

P r o x y

s e r v e r

U s e d :

1 0 .0 .0 .4

H

T T P o r t

P o r t

s c a n n e d :

80 c o n n e c te d to 1 2 7 .0 .0 .1

R e s u lt:

ftp

1 2 7 .0 .0 .1

C E H Lab Manual Page 899

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Questions
1. H o w w o u ld y o u s e t u p a n H T T P o r t t o u s e a n e m a il c lie n t ( O u t lo o k , M e s s e n g e r , e tc .)? 2. E x a m in e i f th e s o ftw a r e d o e s n o t a llo w e d itin g th e a d d re s s t o c o n n e c t to .

I n te r n e t

C o n n e c tio n

R e q u ir e d

0

Y e s S u p p o rte d

□ N o

P la tfo r m

iL a b s

C E H Lab Manual Page 900

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.