
CEH Lab Manual

Evading IDS, Firewalls, and Honeypots
Module 17

Module 17 - Evading IDS, Firewalls and Honeypots

Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.
Icon Key: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are those that have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress, including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a process of identifying and responding to malicious activity targeted at computing and networking resources. In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from its own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.

Lab Objectives
The objective of this lab is to help students learn how to detect intrusions in a network, log them, and view all log files. In this lab, you will learn how to:
- Install and configure Snort IDS
- Run Snort as a service
- Log Snort log files to Kiwi Syslog Server
- Store Snort log files to two output sources simultaneously

Lab Environment
To carry out this lab, you need:
- A computer running Windows Server 2012 as a host machine
- A computer running Windows Server 2008, Windows 8, or Windows 7 as a virtual machine
- WinPcap drivers installed on the host machine
- Notepad++ installed on the host machine
- Kiwi Syslog Server installed on the host machine
- Active Perl installed on the host machine to run Perl scripts
- Administrative privileges to configure settings and run tools
- A web browser with Internet access

CEH Lab Manual Page 847 | Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Duration
Time: 40 Minutes

Overview of Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. In addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself or changing the security environment.
IDPSes are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in using IDSes:
- Detecting Intrusions Using Snort
- Logging Snort Alerts to Kiwi Syslog Server
- Detecting Intruders and Worms Using KFSensor Honeypot IDS
- HTTP Tunneling Using HTTPort

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Detecting Intrusions Using Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario
The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by reviewing IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trending data from the Internet. Attacks against IDSes are becoming more sophisticated; automatically reasoning about attack scenarios in real time and categorizing those scenarios has become a critical challenge. These result in huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.


Lab Objectives
The objective of this lab is to familiarize students with IPSes and IDSes. In this lab, you need to:
- Install Snort and verify Snort alerts
- Configure and validate the snort.conf file
- Test the working of Snort by carrying out an attack test
- Perform intrusion detection
- Configure Oinkmaster

Lab Environment
To carry out this lab, you need:
- A computer running Windows Server 2012 as a host machine
- Windows 7 running on a virtual machine as an attacker machine
- WinPcap drivers installed on the host machine
- Notepad++ installed on the host machine
- Kiwi Syslog Server installed on the host machine
- Active Perl installed on the host machine to run Perl scripts
- Administrative privileges to configure settings and run tools

Lab Duration
Time: 30 Minutes

You can also download Snort from http://www.snort.org.

Overview of Intrusion Prevention Systems and Intrusion Detection Systems
An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity.
An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

TASK 1: Install Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

1. Start Windows Server 2012 on the host machine. Install Snort.
2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.
4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.
5. A window appears after successful installation of Snort. Click the Close button.
6. Click OK to exit the Snort Installation window.


Figure 1.1: Snort Successful Installation Window (the Snort 2.9.3.1 Setup dialog reports that Snort has been installed, that WinPcap 4.1.1 must also be installed on the machine from http://www.winpcap.org/, that it would be wise to tighten the security on the Snort installation directory to prevent malicious modification of the Snort executable, and that snort.conf must be edited manually to specify proper paths so Snort can find the rules and classification files)

WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.

7. Snort requires WinPcap to be installed on your machine.
8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort and double-clicking WinPcap_4_1_2.exe.
9. By default, Snort installs itself in C:\Snort (C:\ or D:\ depending upon the disk drive on which the OS is installed).
10. Register on the Snort website https://www.snort.org/signup in order to download Snort rules. After registration completes, it automatically redirects to a download page.
11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.
12. Extract the downloaded rules and copy the extracted folder to this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
13. Rename the extracted folder to snortrules.
14. Now go to the etc folder of the extracted Snort rules at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc, copy the snort.conf file, and paste this file in C:\Snort\etc.
15. A snort.conf file is already present in C:\Snort\etc; replace this file with the snort.conf file from the Snort rules.
16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.


17. Copy the preproc_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort, replacing the existing folder.
18. Copy all the files from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

TASK: Verify Snort Alert

19. Now navigate to C:\Snort, right-click the bin folder, and click CmdHere from the context menu to open it in a command prompt.
20. Type snort and press Enter.
To print out the TCP/IP packet headers to the screen (i.e., sniffer mode), type: snort -v.

Figure 1.2: Snort Basic Command (snort run from C:\Snort\bin with no arguments starts in packet dump mode, reports the pcap DAQ configured to passive, names the \Device\NPF_{...} interface it is acquiring traffic from, prints the version banner Version 2.9.3.1-WIN32 GRE (Build 40) with the PCRE and ZLIB versions, and ends with Commencing packet processing)

21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and returns to C:\Snort\bin.
22. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet drivers, but all are disabled by default.
Figure 1.3: Snort -W Command (a table of the available interfaces with the columns Index, Physical Address, IP Address, Device Name and Description; the IP Address column reads disabled for every interface, and in the screenshot the Realtek PCIe GBE Family Controller is index 4)

23. Observe your Ethernet driver index number and write it down; in this lab, the Ethernet driver index number is 1.
24. To enable the Ethernet driver, in the command prompt, type snort -dev -i 2 and press Enter.


To log into a logging directory, type snort -dev -l <log directory location>; Snort then automatically knows to go into packet logger mode.

25. You see rapidly scrolling text in the command prompt. It means the Ethernet driver is enabled and working properly.
Figure 1.4: Snort -dev -i 4 Command (Snort starts in packet dump mode on the selected interface, prints the same banner as before, and begins printing packets, for example ARP who-has 10.0.0.13 tell 10.0.0.10)

26. Leave the Snort command prompt window open, and launch another command prompt window.
27. In the new command prompt, type ping google.com and press Enter.

Ping syntax: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

Figure 1.5: Ping google.com Command

28. This ping command triggers a Snort alert in the Snort command prompt with rapidly scrolling text.

To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.

Figure 1.6: Snort Showing Captured Google Request (packet dump of the TCP exchange between 10.0.0.10:51345 and 74.125.236.85:443; each packet is shown as a timestamped Ethernet header line, an IP header line with TTL, TOS, ID, IpLen and DgmLen, a TCP line with Seq, Ack, Win and TcpLen, and the payload in hex and ASCII, interleaved with repeated ARP who-has 10.0.0.13 tell 10.0.0.10 lines)


29. Close both command prompt windows. The verification of the Snort installation and alert triggering is complete, and Snort is working correctly in verbose mode.
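The rapidly scrolling output of steps 25 to 28 follows the fixed line layout shown in Figures 1.4 and 1.6. The Python script below is an added example, not part of the original manual or of the Snort project: it parses that snort -dev packet-dump format from a constructed sample (addresses modeled on the figures) and summarizes the conversations and any repeated, unanswered ARP requests, so the verification can be read from counts rather than from scrolling text.

```python
"""Parse Snort sniffer-mode (snort -dev) packet-dump output.

Added example; not part of the original manual or of the Snort project.
The sample capture below is constructed, modeled on Figures 1.4 and 1.6."""
import re
from collections import Counter

# e.g. "11/14-09:55:49.352079 ARP who-has 10.0.0.13 tell 10.0.0.10"
#      "11/14-09:58:20.000000 ARP reply 10.0.0.1 is-at 00:09:5B:AE:24:CC"
ARP_RE = re.compile(r"^(\S+) ARP (who-has|reply) (\S+) (?:tell|is-at) (\S+)")
# e.g. "10.0.0.10:51345 -> 74.125.236.85:443 TCP TTL:128 TOS:0x0 ..."
#      "10.0.0.10 -> 74.125.236.72 ICMP TTL:128 TOS:0x0 ..."   (no ports)
IP_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?"
    r" (TCP|UDP|ICMP) TTL:(\d+)")

# Constructed sample: one HTTPS segment, one ping exchange, three ARP
# requests for 10.0.0.13 that never get a reply, one ARP reply from 10.0.0.1.
SAMPLE_DUMP = """\
11/14-09:55:49.352079 ARP who-has 10.0.0.13 tell 10.0.0.10
11/14-09:58:16.374896 D4:BE:D9:C3:C3:CC -> 00:09:5B:AE:24:CC type:0x800 len:0x36
10.0.0.10:51345 -> 74.125.236.85:443 TCP TTL:128 TOS:0x0 ID:20990 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4C743C54  Ack: 0x81047C77  Win: 0xFB27  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/14-09:58:17.496035 ARP who-has 10.0.0.13 tell 10.0.0.10
11/14-09:58:18.352315 ARP who-has 10.0.0.13 tell 10.0.0.10
11/14-09:58:19.101220 D4:BE:D9:C3:C3:CC -> 00:09:5B:AE:24:CC type:0x800 len:0x4A
10.0.0.10 -> 74.125.236.72 ICMP TTL:128 TOS:0x0 ID:20991 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:5  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/14-09:58:19.120450 00:09:5B:AE:24:CC -> D4:BE:D9:C3:C3:CC type:0x800 len:0x4A
74.125.236.72 -> 10.0.0.10 ICMP TTL:56 TOS:0x0 ID:11 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1   Seq:5  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/14-09:58:20.000000 ARP reply 10.0.0.1 is-at 00:09:5B:AE:24:CC
"""


def parse_dump(text):
    """Return one dict per packet; Ethernet, TCP-flag, ICMP-type and hex lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ts, kind, ip, other = m.groups()
            # who-has: ip is the address asked for, other is the asker;
            # reply:   ip is the replying host, other is its MAC address.
            packets.append({"ts": ts, "proto": "ARP", "kind": kind, "ip": ip, "other": other})
            continue
        m = IP_RE.match(line)
        if m:
            src, sport, dst, dport, proto, ttl = m.groups()
            packets.append({"proto": proto, "src": src, "sport": sport,
                            "dst": dst, "dport": dport, "ttl": int(ttl)})
    return packets


def conversations(packets):
    """Packets per (proto, src, dst): confirms the ping and HTTPS traffic reached the sensor."""
    return Counter((p["proto"], p["src"], p["dst"]) for p in packets if p["proto"] != "ARP")


def unanswered_arp(packets, threshold=3):
    """Addresses asked for at least `threshold` times without any 'is-at' reply
    (an unused address, a host that is down, or a misconfigured gateway)."""
    asked = Counter(p["ip"] for p in packets if p["proto"] == "ARP" and p["kind"] == "who-has")
    answered = {p["ip"] for p in packets if p["proto"] == "ARP" and p["kind"] == "reply"}
    return sorted(ip for ip, n in asked.items() if n >= threshold and ip not in answered)


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_DUMP)
    for key, n in conversations(pkts).items():
        print(key, n)
    print("unanswered ARP:", unanswered_arp(pkts))
```

To run it against a real session, redirect the Snort window's output to a file (snort -dev -i 4 > dump.txt) and pass the file contents to parse_dump.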
TASK: Configure snort.conf File

30. Configure the snort.conf file located at C:\Snort\etc.
31. Open the snort.conf file with Notepad++.
32. The snort.conf file opens in Notepad++ as shown in the following screenshot.

Make sure to grab the rules for the version of Snort you are installing.

To log packets in tcpdump format and produce minimal alerts, type: snort -b -A fast -c snort.conf.

Figure 1.7: Configuring Snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line, replace any with the IP address (Line 45) of the machine where Snort is running.
Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.

Figure 1.8: Configuring Snort.conf File in Notepad++ (the Step #1: Set the network variables section, with ipvar HOME_NET set to 10.0.0.10 on line 45)

34. Leave the EXTERNAL_NET any line as it is.


The element any can be used to match all IPs, although !any is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.

35. If you have a DNS server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS server IP address; otherwise, leave this line as it is.
36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.
Rule variable names can be modified in several ways. You can define metavariables using the $ operator. These can be used with the variable modifier operators ? and -.

Figure 1.9: Configuring Snort.conf File in Notepad++ (var RULE_PATH, SO_RULE_PATH and PREPROC_RULE_PATH set to C:\Snort\rules, C:\Snort\so_rules and C:\Snort\preproc_rules; the WHITE_LIST_PATH and BLACK_LIST_PATH lines below still read ../rules)

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.
Figure 1.10: Configuring Snort.conf File in Notepad++ (the WHITE_LIST_PATH line changed to C:\Snort\rules)


The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules; make sure both files have the .rules extension.
41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure the dynamically loaded libraries in this section.
42. At path to dynamic preprocessor libraries (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with the location of your dynamic preprocessor libraries folder.
43. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.
Preprocessors are loaded and configured using the preprocessor keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.

Figure 1.11: Configuring Snort.conf File in Notepad++ (the Step #4 section, with dynamicpreprocessor directory set to C:\Snort\lib\snort_dynamicpreprocessor while the dynamicengine and dynamicdetection lines still point at /usr/local/lib)

44. At path to base preprocessor (or dynamic) engine (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.

Figure 1.12: Configuring Snort.conf File in Notepad++


45. Comment out (#) the dynamic rules libraries line (Line 253), as you have already configured the libraries under dynamic preprocessor libraries.
Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

Figure 1.13: Configuring Snort.conf File in Notepad++ (dynamicengine set to C:\Snort\lib\snort_dynamicengine\sf_engine.dll and the dynamicdetection directory line commented out)

46. Scroll down to the Step #5: Configure Preprocessors section (Line 256). The preprocessors listed there do nothing in IDS mode but generate errors at runtime.

IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

47. Comment out all the preprocessors listed in this section by adding # before each preprocessor line.

Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]

Figure 1.14: Configuring Snort.conf File in Notepad++ (the Step #5 section, with the preprocessor normalize_ip4, normalize_tcp, normalize_icmp4, normalize_ip6 and normalize_icmp6 lines commented out; the frag3 and stream5 preprocessor lines follow)

48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.
49. These two files are in C:\Snort\etc. Provide this location for the files in the configure output plugins section (Lines 540 and 541).


The frag3 preprocessor is a target-based IP defragmentation module for Snort.

Figure 1.15: Configuring Snort.conf File in Notepad++ (the Step #6 section, with the include lines on 540 and 541 set to C:\Snort\etc\classification.config and C:\Snort\etc\reference.config)


50. In this Step #6, add the line output alert_fast: alerts.ids for Snort to dump all logs in the alerts.ids file.

Note: ipvars are enabled only with IPv6 support. Without IPv6 support, use a regular var.

Figure 1.16: Configuring Snort.conf File in Notepad++ (screenshot of Step #6 in snort.conf after the line output alert_fast: alerts.ids has been added above the metadata reference data include lines)


51. By default, the C:\Snort\log folder is empty, without any files in it. Go to the C:\Snort\log folder, and create a new text file with the name alerts.ids.
52. Ensure that the extension of that file is .ids.

Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals:
1. Faster execution than frag2 with less complex data management.
2. Target-based host modeling anti-evasion techniques.

Figure 1.17: Configuring Snort.conf File in Notepad++ (screenshot of the C:\Snort\log folder in File Explorer containing the single file alerts.ids)

53. In the snort.conf file, find and replace the ipvar string with var. By default the string is ipvar, which is not recognized by Snort, so replace it with the var string.
Note: Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This allows administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.
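The Replace All in step 53 rewrites every occurrence of the string ipvar. The following Python is an added example, not code from the lab or from Snort: it performs the same ipvar to var rewrite on a constructed snort.conf fragment, but only where ipvar begins a declaration, so portvar lines and the word inside a comment are left untouched. The fragment, the function name rewrite_ipvar and the variable names in it are assumptions.

```python
"""Rewrite 'ipvar' declarations in a snort.conf as 'var' (added example, not from the lab)."""
import re
from typing import Tuple

# A declaration is the keyword 'ipvar' at the start of the line (after optional
# indentation) followed by whitespace. This leaves 'portvar', and 'ipvar'
# appearing inside a comment, unchanged.
_IPVAR_DECL = re.compile(r"^(\s*)ipvar(?=\s)")


def rewrite_ipvar(conf_text: str) -> Tuple[str, int]:
    """Return (rewritten text, number of declarations changed)."""
    changed = 0
    out_lines = []
    for line in conf_text.splitlines(keepends=True):
        new_line, n = _IPVAR_DECL.subn(r"\1var", line)
        changed += n
        out_lines.append(new_line)
    return "".join(out_lines), changed


# Constructed snort.conf fragment modelled on the variable section the lab edits.
SAMPLE_CONF = """\
# Setup the network addresses you are protecting
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
   ipvar DNS_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH c:\\Snort\\rules
# In Windows builds without IPv6 support ipvar is not available
"""

if __name__ == "__main__":
    text, n = rewrite_ipvar(SAMPLE_CONF)
    print(f"{n} declarations rewritten")
    print(text)
```

Saving the result over snort.conf after a visual check is the scripted equivalent of the Notepad++ dialog; the count returned makes it easy to confirm that only the expected declarations were touched.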
Three types of variables may be defined in Snort: var, portvar, and ipvar.

Figure 1.18: Configuring Snort.conf File in Notepad++ (screenshot of the Notepad++ Replace dialog with Find what: ipvar, Replace with: var, Wrap around checked, Search Mode: Normal, and the Replace All button)

54. Save the snort.conf file.
55. Before running Snort you need to enable detection rules in the Snort rules file; for this lab we have enabled the ICMP rule so that Snort can detect any host discovery ping probes to the system running Snort.
56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.
57. Uncomment Line number 47 and save and close the file.


Figure 1.19: Configuring Snort.conf File in Notepad++ (screenshot of C:\Snort\rules\icmp-info.rules in Notepad++ with the cursor at Ln 47; the file lists commented rules of the form alert icmp $EXTERNAL_NET any -> $HOME_NET any (...), among them "ICMP-INFO PING Microsoft Windows", "ICMP-INFO PING Oracle Solaris", "ICMP-INFO traceroute", "ICMP-INFO PING" with icode:0; itype:8; classtype:misc-activity, "ICMP-INFO Address Mask Request" and "ICMP-INFO Datagram Conversion Error")
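The rule enabled in step 57 has the standard Snort shape: a header (action, protocol, source, direction, destination) followed by options in parentheses. The following Python is an added example, not code from the lab or from Snort: it parses a rule of that shape and evaluates it against a constructed ICMP echo request, resolving $HOME_NET and $EXTERNAL_NET the way snort.conf variables are resolved. The rule text is constructed in the style of the ICMP-INFO PING rule (sid 384, the id that appears in the lab's Kiwi output); its exact option list, the LAB_VARS values (HOME_NET and EXTERNAL_NET both any, as in an unmodified snort.conf) and the tighter STRICT_VARS are assumptions.

```python
"""Parse a Snort rule and evaluate it against a constructed ICMP packet (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed rule in the style of the ICMP-INFO PING rule; option list assumed.
SAMPLE_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"ICMP-INFO PING"; icode:0; itype:8; '
               'classtype:misc-activity; sid:384; rev:6;)')

# Assumed variable values for the lab's unmodified snort.conf: everything matches.
LAB_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
# Assumed tightened configuration: EXTERNAL_NET is everything that is not HOME_NET.
STRICT_VARS = {"HOME_NET": "10.0.0.0/24", "EXTERNAL_NET": "!$HOME_NET"}

_HEADER = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")
# Options are 'key:value;' or bare 'key;' pairs; values may be double-quoted.
_OPTION = re.compile(r'([A-Za-z_]+)\s*(?::\s*("[^"]*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class IcmpPacket:
    src: str
    dst: str
    itype: int
    icode: int


def is_disabled(line: str) -> bool:
    """A rule line starting with '#' is commented out; the lab enables one by removing that '#'."""
    return line.lstrip().startswith("#")


def parse_rule(text: str) -> Rule:
    m = _HEADER.match(text)
    if not m:
        raise ValueError("not a Snort rule header: " + text)
    options: Dict[str, Optional[str]] = {}
    for key, value in _OPTION.findall(m.group("opts")):
        options[key] = value.strip().strip('"') if value else None
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("dst"), options)


def address_matches(spec: str, ip: str, variables: Dict[str, str]) -> bool:
    """Resolve a Snort address spec: any, $VAR, !negation, [a,b] lists, or a CIDR/host."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return address_matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(address_matches(part, ip, variables) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: IcmpPacket, variables: Dict[str, str]) -> bool:
    """Evaluate protocol, source/destination addresses and the itype/icode options."""
    if rule.proto != "icmp":
        return False
    if not address_matches(rule.src, pkt.src, variables):
        return False
    if not address_matches(rule.dst, pkt.dst, variables):
        return False
    want_type = rule.options.get("itype")
    want_code = rule.options.get("icode")
    if want_type is not None and int(want_type) != pkt.itype:
        return False
    if want_code is not None and int(want_code) != pkt.icode:
        return False
    return True


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    echo = IcmpPacket("10.0.0.12", "10.0.0.10", itype=8, icode=0)
    print("lab variables   :", rule_matches(rule, echo, LAB_VARS))
    print("strict variables:", rule_matches(rule, echo, STRICT_VARS))
```

With both variables set to any, the ping from 10.0.0.12 on the same subnet matches, which is why the lab sees alerts; with EXTERNAL_NET defined as !$HOME_NET the same ping is ignored, so the variable definitions, not only the rule, decide what is detected.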

58. Now navigate to C:\Snort and right-click the bin folder, select CmdHere from the context menu to open it in the command prompt.

TASK: Validate Configurations

59. Type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your device index number; in this lab X is 1).
60. If you enter all the command information correctly, you receive a graceful exit as shown in the following figure.

To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example:
/usr/local/bin/snort -d -h 192.168.1.0/24 \ -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

61. If you receive a fatal error, you should first verify that you have typed all modifications correctly into the snort.conf file and then search through the file for entries matching your fatal error message.
62. If you receive an error stating Could not create the registry key, then run the command prompt as an Administrator.

Figure 2.18: Snort Successfully Validated Configuration Window (screenshot of Administrator: C:\Windows\system32\cmd.exe running C:\Snort\bin>snort -i4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii)

TASK: Start Snort

63. Start Snort in IDS mode. In the command prompt type snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 2 and then press Enter.

Figure 2.19: Start Snort in IDS Mode Command

64. Snort starts running in IDS mode. It first initializes output plug-ins, preprocessors and plug-ins, loads the dynamic preprocessor libraries and the rule chains of Snort, and then logs all signatures.

C:\Snort\etc\snort.conf is the location of the configuration file.

65. After initializing the interface and logging the signatures, Snort starts and waits for an attack, and triggers an alert when attacks occur on the machine.

Option: -l to log the output to the C:\Snort\log folder.
Option: -i 2 to specify the interface.

Run Snort as a daemon syntax: /usr/local/bin/snort -d -h 192.168.1.0/24 \ -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D. When Snort is run as a daemon, the daemon creates a PID file in the log directory.

Figure 1.20: Initializing Snort Rule Chains Window (screenshot of the Snort startup banner: Version 2.9.3.1-WIN32 GRE (Build 40), By Martin Roesch & The Snort Team, Copyright (C) 1998-2012 Sourcefire, Inc., et al., Using PCRE version: 8.10 2010-06-25, Using ZLIB version: 1.2.3, Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 <Build 18>, the loaded preprocessor objects SF_SSLPP, SF_SSH, SF_SMTP, SF_SIP, SF_SDF, SF_REPUTATION, SF_POP, SF_MODBUS, SF_IMAP, SF_GTP, SF_FTPTELNET, SF_DNS, SF_DNP3 and SF_DCERPC2, ending with "Commencing packet processing (pid=6664)")

66. After initializing the interface and logging the signatures, Snort starts and waits for an attack, and triggers an alert when attacks occur on the machine.
67. Leave the Snort command prompt running.
68. Attack your own machine and check whether Snort detects it or not.

TASK: Attack Host Machine

69. Launch your Windows 8 Virtual Machine (Attacker Machine).
70. Open the command prompt and type ping XXX.XXX.XXX.XXX -t from the Attacker Machine (XXX.XXX.XXX.XXX is your Windows Server 2012 IP address).
71. Go to Windows Server 2012, open the Snort command prompt, and press Ctrl+C to stop Snort. Snort exits.
72. Now go to the C:\Snort\log\10.0.0.12 folder and open the ICMP_ECHO.ids text file.

Note that to view the Snort log file, always stop Snort and then open the Snort log file.

ICMP_ECHO.ids in Notepad:

[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:198 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:199 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:200 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:201 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:202 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:203 ECHO

Figure 1.21: Snort Alerts.ids Window Listing Snort Alerts

73. You see that all the log entries are saved in the ICMP_ECHO.ids file. This means that your Snort is working correctly to trigger alerts when attacks occur on your machine.
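The ICMP_ECHO.ids file uses Snort's full-alert layout: a [**] msg [**] header, a timestamp line with source and destination, the IP header line and the protocol line. The following Python is an added example, not code from the lab or from Snort: it parses such records into structured alerts, counts them per flow and estimates the echo-request rate, which is the first thing to check when deciding whether a run of ICMP alerts is a single ping -t or a sweep. SAMPLE_LOG is constructed from the records in the figure; the third record carries a [gid:sid:rev] tag and the last one is cut off, to show how both are handled. The function names are assumptions.

```python
r"""Parse Snort full-alert records such as those in C:\Snort\log\<ip>\ICMP_ECHO.ids (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed from the lab's figure; record 3 adds a [gid:sid:rev] tag, record 4 is truncated.
SAMPLE_LOG = """\
[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:198  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] [1:384:6] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
"""

_HEADER = re.compile(r"^\[\*\*\]\s*(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*)?"
                     r"(?P<msg>.*?)\s*\[\*\*\]$")
_TIMESTAMP = re.compile(r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
                        r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")
_KV = re.compile(r"([A-Za-z]+):(\S+)")


@dataclass
class Alert:
    msg: str
    timestamp: str
    src: str
    dst: str
    proto: str
    sid: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)

    def time(self) -> datetime:
        # Snort's full-alert timestamp carries no year; strptime defaults it to 1900.
        return datetime.strptime(self.timestamp, "%m/%d-%H:%M:%S.%f")


def parse_alert_log(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        # A record needs header, timestamp and IP line; a shorter one is a truncated
        # write (Snort stopped mid-record) and is skipped rather than treated as fatal.
        if len(lines) < 3:
            continue
        head, stamp = _HEADER.match(lines[0]), _TIMESTAMP.match(lines[1])
        if not head or not stamp:
            continue
        proto = lines[2].split()[0]
        fields: Dict[str, str] = {}
        # The IP line and the protocol line both carry an 'ID:' key (IP ID versus
        # ICMP echo ID), so the keys are prefixed to keep both values.
        for key, value in _KV.findall(lines[2]):
            fields["ip_" + key] = value
        for line in lines[3:]:
            for key, value in _KV.findall(line):
                fields[proto.lower() + "_" + key] = value
        alerts.append(Alert(head.group("msg"), stamp.group("ts"), stamp.group("src"),
                            stamp.group("dst"), proto, head.group("sid"), fields))
    return alerts


def count_by_flow(alerts: List[Alert]) -> Counter:
    """Alerts per (message, source, destination): the triage view of who probed what."""
    return Counter((a.msg, a.src, a.dst) for a in alerts)


def echo_request_rate(alerts: List[Alert]) -> float:
    """Echo requests per second over the run; a steady 1/s is a plain 'ping -t',
    a far higher rate points at a sweep or flood."""
    times = sorted(a.time() for a in alerts if a.fields.get("icmp_Type") == "8")
    if len(times) < 2:
        return 0.0
    span = (times[-1] - times[0]).total_seconds()
    return (len(times) - 1) / span if span > 0 else float("inf")


if __name__ == "__main__":
    parsed = parse_alert_log(SAMPLE_LOG)
    for flow, n in count_by_flow(parsed).items():
        print(f"{n:3d}  {flow[0]}  {flow[1]} -> {flow[2]}")
    print(f"echo request rate: {echo_request_rate(parsed):.2f}/s")
```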

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Snort
Information Collected/Objectives Achieved: Output: victim machine logs are captured

Questions
1. Determine and analyze the process to identify and monitor network ports after intrusion detection.
2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required
[ ] Yes
[x] No

Platform Supported
[x] Classroom
[x] iLabs

Lab

Logging Snort Alerts to Kiwi Syslog Server

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review

Lab Scenario
Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day, making it difficult for human users to analyze them and take appropriate actions. It is important to reduce the redundancy of alerts, intelligently integrate and correlate them, and present a high-level view of the detected security issues to the administrator. An IDS is used to inspect data for malicious or anomalous activities and detect attacks or unauthorized use of systems, networks, and related resources.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, be able to identify malicious network activity and log information, and stop or block malicious network activity.

Lab Objectives

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

The objective of this lab is to help students learn and understand IPSes and IDSes. In this lab, you need to:

Install Snort and configure the snort.conf file
Validate configuration settings
Perform an attack on the Host Machine
Perform an intrusion detection
Attempt to stop detected possible incidents

Lab Environment
To carry out this lab, you need:

You can also download Kiwi Syslog Server from http://www.kiwisyslog.com

A computer running Windows Server 2012 as a host machine
Windows 8 running on a virtual machine as an attacker machine
WinPcap drivers installed on the host machine
Kiwi Syslog Server installed on the host machine
Administrative privileges to configure settings and run tools

Lab Duration
Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.
Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

TASK 1: Log Snort Alerts to Syslog Server

Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Kiwi Syslog Server, double-click Kiwi_Syslog_Server_9.3.4.Eval.setup.exe and install Kiwi Syslog Server on the Windows Server 2012 host machine.
2. The License Agreement window appears. Click I Agree.

Figure 2.1: Kiwi Syslog Server installation

3. In the Choose Operating Mode wizard, check the Install Kiwi Syslog Server as an Application check box and click Next >.

Figure 2.2: Kiwi Syslog Server installation (screenshot of the Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode page: "The program can be run as a Service or Application"; the option Install Kiwi Syslog Server as a Service installs it as a Windows service that runs without a user logging in to Windows and also installs the Kiwi Syslog Server Manager used to control the service; the selected option Install Kiwi Syslog Server as an Application installs it as a typical Windows application, requiring a user to log in to Windows before running the application)

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots


4. In the Install Kiwi Syslog Web Access wizard, uncheck the selected option and click Next >.

Figure 2.3: Kiwi Syslog Server (screenshot of the Install Kiwi Syslog Web Access page: "Remote viewing, filtering and highlighting of Syslog events..."; the Install Kiwi Syslog Web Access and Create a new Web Access logging rule in Kiwi Syslog Server check boxes; Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server)


5. Leave the settings as their defaults in the Choose Components wizard and click Next >.

Figure 2.4: Adding components (screenshot of the Choose Components page: select the type of install: Normal; optional components Program files (required), Shortcuts apply to all users, Add Start menu shortcut, Add Desktop shortcut, Add QuickLaunch shortcut, Add Start-up shortcut; Space required: 89.5MB)


6. In the Choose Install Location wizard, leave the settings as their defaults and click Install to continue.

Figure 2.5: Give destination folder (screenshot of the Choose Install Location page: Setup will install Kiwi Syslog Server 9.3.4 in the following folder; to install in a different folder, click Browse and select another folder, then click Install to start the installation; Space required: 89.5MB, Space available: 50.1GB)

7. Click Finish to complete the installation.

You should see a test message appear, which indicates Kiwi is working.

Figure 2.6: Kiwi Syslog Server finish window (screenshot of the Completing the Kiwi Syslog Server 9.3.4 Setup Wizard page: "Kiwi Syslog Server 9.3.4 has been installed on your computer. Click Finish to close this wizard." with Run Kiwi Syslog Server 9.3.4 checked)

8. Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box.

Figure 2.7: Default settings applied window (the dialog reads: "Thank you for choosing Kiwi Syslog Server. This is the first time the program has been run on this machine. The following default 'Action' settings have been applied... Display all messages; Log all messages to file: SyslogCatchAll.txt. These settings can be changed from the File | Setup menu. Happy Syslogging...")
9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.

Kiwi Syslog Server is a free syslog server for Windows. It receives logs, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and other syslog-enabled devices.

Figure 2.8: Starting menu in Windows Server 2012

10. In the Start menu apps, click Kiwi Syslog Server Console to launch the app.

Figure 2.9: Click Kiwi Syslog Server application (screenshot of the Windows Server 2012 Start screen with the Kiwi Syslog Server Console tile)


11. Configure Syslog alerts in the snort.conf file.
12. To configure Syslog alerts, first exit from the Snort command prompt (press Ctrl+C).
13. Go to C:\Snort\etc and open the snort.conf file with Notepad++.
14. Scroll down to Step #6: Configure output plugins; in the syslog section (Line 527), remove # and modify the line to output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT.

Snort.conf before modification (Syslog)

Figure 2.10: Snort config before modification (screenshot of Step #6: Configure output plugins in snort.conf with the syslog line still commented: # output alert_syslog: LOG_AUTH LOG_ALERT)

The reason why you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need to maintain rights not only to output your alerts to Kiwi, but to write them to a log file.

Snort.conf after modification (Syslog)

Figure 2.11: Snort config after configuration (screenshot of Step #6: Configure output plugins in snort.conf after the syslog line has been edited as in step 14)


15. Save the file and close it.
16. Open Kiwi Syslog Server Console and press Ctrl+T. This is to test Kiwi Syslog Server alert logs.
Figure 2.12: Kiwi Syslog Service Manager window (screenshot of Kiwi Syslog Server (14 Day evaluation - Version 9.3) showing one test entry dated 11-14-2012 16:21:30, priority Local7.Debug, hostname 127.0.0.1, message "Kiwi Syslog Server Test message number 0001")


17. Leave the Kiwi Syslog Server Console open. Do not close the window.
18. Now open a command prompt with Snort and type this command: snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -s and press Enter (here X is the index number of your Ethernet card).

Kiwi Syslog Server filtering options: filter on IP address, hostname, or message text; filter out unwanted host messages or take a different logging action depending on the host name; perform an action when a message contains specific keywords.

Figure 2.13: Snort Alerts.ids Window Listing Snort Alerts (screenshot of Administrator: C:\Windows\system32\cmd.exe running Snort)


19. Open a command prompt in your Windows 8 virtual machine and type this command: ping 10.0.0.10 (the IP address of your host machine where Kiwi Syslog Server Console is running).
20. Go to the Kiwi Syslog Service Manager window (that is already open) and observe the triggered alert logs.
Figure 2.14: Kiwi Syslog Service Manager with Snort Logs (screenshot of Kiwi Syslog Server (14 Day evaluation - Version 9.3) listing one Auth.Alert entry per second from 11-14-2012 18:39:56 to 18:40:12, hostname 127.0.0.1, each message of the form:
Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10)


21. In Kiwi Syslog Service Manager, you see the Snort alert outputs listed.
22. You have successfully output Snort Alerts to two sources.
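Step 14's output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT makes Snort send each alert as a UDP syslog datagram whose PRI field encodes facility LOG_AUTH (4) and severity LOG_ALERT (1), which is why Kiwi lists the entries as Auth.Alert. The following Python is an added example, not code from the lab, Snort or Kiwi: it computes that PRI, builds the datagram in RFC 3164 layout, decodes it back into the fields Kiwi displays and, when run directly, sends it over UDP on 127.0.0.1 to a throwaway receiver standing in for Kiwi's port 514. The message text, the hostname WIN-2N9STOSGIEN and the timestamp are taken from Figure 2.14; the function names are assumptions.

```python
"""Build and decode the syslog datagrams Snort's alert_syslog output sends (added example)."""
import re
import socket
from typing import Dict, Tuple

# Facility and severity codes from RFC 3164, keyed by the LOG_* names snort.conf uses.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3, "LOG_AUTH": 4,
              "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7, "LOG_UUCP": 8, "LOG_CRON": 9,
              "LOG_AUTHPRIV": 10, "LOG_FTP": 11}
FACILITIES.update({f"LOG_LOCAL{i}": 16 + i for i in range(8)})
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}
_FAC_NAME = {v: k[4:].capitalize() for k, v in FACILITIES.items()}
_SEV_NAME = {v: k[4:].capitalize() for k, v in SEVERITIES.items()}

# Alert text modelled on the lab's Kiwi screenshot (Figure 2.14).
SAMPLE_TEXT = ("[1:384:6] ICMP-INFO PING [Classification: Misc activity] "
               "[Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10")


def syslog_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. LOG_AUTH LOG_ALERT -> 4 * 8 + 1 = 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI into the names Kiwi shows in its Priority column, e.g. ('Auth', 'Alert')."""
    facility, severity = divmod(pri, 8)
    return _FAC_NAME[facility], _SEV_NAME[severity]


def build_datagram(pri: int, timestamp: str, hostname: str, tag: str, text: str) -> bytes:
    """RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG, as one UDP payload."""
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("utf-8")


_SYSLOG = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")
# Snort's alert_syslog text: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src -> dst
_SNORT = re.compile(r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
                    r"\[Classification: (?P<classification>[^\]]*)\] "
                    r"\[Priority: (?P<priority>\d+)\] "
                    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")


def parse_datagram(data: bytes) -> Dict[str, str]:
    """Decode one syslog datagram; Snort alert fields are added when the text has Snort's layout."""
    m = _SYSLOG.match(data.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 syslog message")
    out = m.groupdict()
    facility, severity = decode_pri(int(out["pri"]))
    out["kiwi_priority"] = f"{facility}.{severity}"
    s = _SNORT.match(out["msg"])
    if s:
        out.update(s.groupdict())
    return out


def loopback_roundtrip(datagram: bytes) -> bytes:
    """Send one datagram over UDP on 127.0.0.1 and receive it again. A throwaway
    receiver on an ephemeral port stands in for Kiwi listening on 514; the payload
    returned is exactly what Kiwi would display."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        tx.sendto(datagram, rx.getsockname())
        payload, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return payload


if __name__ == "__main__":
    pri = syslog_pri("LOG_AUTH", "LOG_ALERT")
    dgram = build_datagram(pri, "Nov 14 18:40:12", "WIN-2N9STOSGIEN", "snort", SAMPLE_TEXT)
    received = loopback_roundtrip(dgram)
    for key, value in parse_datagram(received).items():
        print(f"{key:>15}: {value}")
```

Syslog over UDP carries no authentication or integrity protection, which is acceptable in this lab only because both ends sit on the same host (127.0.0.1); forwarding to a remote collector calls for TLS syslog or another protected channel, and a receiver should treat the hostname and tag fields as claims made by the sender rather than proof of origin.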

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on
your target's security posture and exposure.

CEH Lab Manual Page 872
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Module 17 - Evading IDS, Firewalls and Honeypots

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Kiwi Syslog Server

Information Collected/Objectives Achieved
Output: The Snort alert output listed in Kiwi Syslog Service Manager.

Questions
1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server.
2. Determine how you can move Kiwi Syslog Daemon to another machine.
3. Each Syslog message includes a priority value at the beginning of the text. Evaluate the priority of each Kiwi Syslog message and on what basis messages are prioritized.
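As an added example for question 3 and for the alert lines seen in Figure 2.14 (this is not code from the lab manual, Snort or Kiwi Syslog), the following Python script decodes the two different priorities that travel in one relayed alert: the syslog PRI value at the start of the message, which is facility * 8 + severity and is what a syslog server prioritizes on, and the [Priority: N] that Snort writes inside the alert text, which comes from the rule's classification. It then triages a batch of lines the way a collector would. The log lines are constructed to match the columns visible in Kiwi Syslog Service Manager; the hostname, the PRI values and the local rule with sid 1000001 are assumptions.

```python
"""Parse Snort alerts relayed to a syslog server such as Kiwi Syslog.

Added example for this lab, not code from the lab manual, Snort or Kiwi.
SAMPLE_LINES are constructed; Snort sends to syslog with facility auth and
severity alert by default, which is PRI 33 (4 * 8 + 1).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424 numbering).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host program[pid]: body
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s*(?P<body>.*)$")

# Snort's alert text: [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")


@dataclass
class SnortAlert:
    facility: str
    severity: str
    timestamp: str
    host: str
    gid: int
    sid: int
    rev: int
    message: str
    classification: str
    priority: int           # Snort rule priority: 1 is the most severe
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def decode_pri(pri: int):
    """Split a syslog PRI value into (facility, severity) names."""
    facility, severity = divmod(pri, 8)
    if not 0 <= facility < len(FACILITIES):
        raise ValueError(f"PRI {pri} is out of range")
    return FACILITIES[facility], SEVERITIES[severity]


def parse_snort_syslog(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a Snort line, None for any other syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = SNORT_RE.match(m["body"])
    if not a:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return SnortAlert(facility, severity, m["ts"], m["host"],
                      int(a["gid"]), int(a["sid"]), int(a["rev"]), a["msg"],
                      a["cls"], int(a["prio"]), a["proto"], a["src"], a["dst"],
                      int(a["dport"]) if a["dport"] else None)


def triage(lines, max_priority=2):
    """Count alerts per (sid, src, dst) and pick out those at Snort priority <= max_priority."""
    alerts = [x for x in map(parse_snort_syslog, lines) if x]
    counts = Counter((x.sid, x.src, x.dst) for x in alerts)
    urgent = [x for x in alerts if x.priority <= max_priority]
    return counts, urgent


SAMPLE_LINES = [  # constructed to match the columns seen in Kiwi Syslog Service Manager
    "<33>Nov 14 18:39:53 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.10 -> 10.0.0.12",
    "<33>Nov 14 18:39:56 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.10 -> 10.0.0.12",
    "<33>Nov 14 18:39:58 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.10 -> 10.0.0.12",
    # assumed local rule (sid 1000001 is in the local-rule range) for a telnet attempt
    "<33>Nov 14 18:40:11 WIN-2N9STOSGIEN snort: [1:1000001:1] LOCAL telnet to honeypot "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.10:51234 -> 10.0.0.12:23",
    "<13>Nov 14 18:40:12 WIN-2N9STOSGIEN Kiwi: Syslog server started",  # not a Snort alert
]

if __name__ == "__main__":
    counts, urgent = triage(SAMPLE_LINES)
    for (sid, src, dst), n in counts.items():
        print(f"sid {sid}: {src} -> {dst}: {n} alert(s)")
    for x in urgent:
        print(f"URGENT priority {x.priority} ({x.facility}.{x.severity}): "
              f"{x.message} {x.src} -> {x.dst}:{x.dport}")
```

Note that all of Snort's alerts arrive with the same syslog PRI (auth.alert), so a collector that sorts on the syslog severity alone treats a priority-3 ping probe and a priority-1 exploit attempt identically; the Snort priority inside the text is the value to triage on.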

Internet Connection Required: No

Platform Supported: Classroom, iLabs

Detecting Intruders and Worms Using KFSensor Honeypot IDS

KFSensor is a Windows-based honeypot Intrusion Detection System (IDS).

Lab Scenario
Intrusion detection systems are designed to search network activity (we are
considering both host and network IDS detection) for evidence of malicious abuse.
When an IDS algorithm detects some sort of activity and the activity is not
malicious or suspicious, this detection is known as a false positive. It is important to
realize that from the IDS's perspective, it is not doing anything incorrect. Its
algorithm is not making a mistake; the algorithm is just not perfect. IDS designers
make many assumptions about how to detect network attacks.
An example assumption could be to look for extremely long URLs. Typically, a
URL may be only 500 bytes long. Telling an IDS to look for URLs longer than 2000
bytes may catch a denial-of-service attack, but a false positive could result from a
complex e-commerce web site that stores a wide variety of information in the URL
and exceeds 2000 bytes.
In order to become an expert penetration tester and security administrator, you
must possess sound knowledge of network intrusion prevention systems (IPSes) and
intrusion detection systems (IDSes), be able to identify malicious network activity and
log information, and stop or block malicious network activity.

Lab Objectives
The objective of this lab is to make students learn and understand IPSes and IDSes.
In this lab, you need to:
- Detect hackers and worms in a network
- Provide network security

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Environment
To carry out this lab, you need:

- You can also download KFSensor from http://www.keyfocus.net
- KFSensor is located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Honeypot Tools\KFSensor
- Install KFSensor in Windows 8
- MegaPing is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
- Install MegaPing in Windows Server 2012
- If you have decided to download the latest version of these tools, then the screenshots would differ
- Administrative privileges to configure settings and run tools

Lab Duration
Time: 10 Minutes

Overview of IPSes and IDSes
An intrusion prevention system (IPS) is a network security appliance that monitors
network and system activities for malicious activity. The main functions of IPSes are
to identify malicious activity, log related information, attempt to block/stop the
activity, and report the activity.
An IDS is a device or software application that monitors network and/or system
activities for malicious activities or policy violations and delivers reports to a
management station. An IDS by itself only detects and reports; a system that also
attempts to stop the detected incidents is an intrusion detection and prevention
system (IDPS).
TASK 1: Configure KFSensor

Lab Tasks
1. Launch the Windows 8 virtual machine and follow the wizard-driven installation steps to install KFSensor.
2. After installation it will prompt to reboot the system. Reboot the system.
3. In Windows 8, launch KFSensor. To launch KFSensor, move your mouse cursor to the lower-left corner of your desktop and click Start.

[Screenshot: Windows 8 Release Preview Start screen]
FIGURE 3.1: KFSensor Window with Setup Wizard

To set up common ports, KFSensor has a set of pre-defined listen definitions: Windows Workstation, Windows Server, Windows Internet Services, Windows Applications, Linux (services not usually in Windows), and Trojans and worms.

4. In the Start menu apps, right-click the KFSensor app, and click Run as Administrator at the bottom.

[Screenshot: Windows 8 Start menu apps with KFSensor selected]
FIGURE 3.2: KFSensor Window with Setup Wizard
5. At the first-time launch of the KFSensor Set Up Wizard, click Next.

The Set Up Wizard is used to perform the initial configuration of KFSensor. Its first page reads: "The KFSensor Set Up Wizard will take you through a number of steps to configure your system. All of these configurations can be modified later using the menu option. You might like to read the manual at this point to learn how KFSensor works and the concepts behind it."

[Screenshot: KFSensor Professional (Evaluation Trial) main window with the Set Up Wizard open; status bar: Server: Status, Visitors: 0]
FIGURE 3.3: KFSensor main Window


6. Check all the port classes to include and click Next.

The Set Up Wizard - Port Classes page lists: Windows Workstation, Windows Applications, Windows Server, Windows Internet Services, Linux (services not usually in Windows), and Trojans and worms. KFSensor can detect intrusions on many different ports and simulate different types of services. These ports are grouped by class; checked classes will be added to the scenario and unchecked classes will be removed from the scenario.

Domain Name is the domain name used to identify the server to a visitor. It is used in several SimServers.

FIGURE 3.4: KFSensor Window with Setup Wizard


7. Leave the domain name field as default and click Next.

The Set Up Wizard - Domain page explains: this is the domain name used to identify the server to a visitor. It could be the real domain name of the machine or a fictitious one. If you pick a fictitious one, try not to use a real domain belonging to somebody else.

KFSensor can send alerts by email. The settings in the wizard are the minimum needed to enable this feature.

FIGURE 3.5: KFSensor Window with Setup Wizard
8. If you want to send KFSensor alerts by email, specify the email address details (Send to, Send from) and click Next.

FIGURE 3.6: KFSensor Window with Setup Wizard - email alerts

9. Choose options for Denial of Service, Port Activity, Proxy Emulation, and Network Protocol Analyzer and click Next.

The Set Up Wizard - Options page:
- Denial Of Service Options: Cautious (controls how many events are recorded before the server locks up)
- Port Activity: 1 Hour (how long a port should indicate activity after an event)
- Proxy Emulation: Allow banner grabs and loop backs (controls if KFSensor is allowed to make limited external connections)
- Network Protocol Analyzer: Enable packet dump files (dump files are useful for detailed analysis but take up a lot of disk space)

The KFSensor Monitor is a module that provides the user interface to the KFSensor system. With it you can configure the KFSensor Server and examine the events that it generates.

FIGURE 3.7: KFSensor Window with Setup Wizard - options
10. Check the Install as system service option and click Next.

The Set Up Wizard - Systems Service page explains: a system service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged-on user, so you can log off and another person can log on without affecting the server. The KFSensor Server can be configured to start automatically when the system starts, even before you log on. You must be logged in as the Administrator to install a system service.

The Ports View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the ports on which it is listening.

FIGURE 3.8: KFSensor Window with Setup Wizard - system service


11. Click Finish to complete the Set Up Wizard.

The Set Up Wizard - Finish page notes that the wizard now has all the information it needs to configure your system, and that the evaluation version is restricted for the ten-day evaluation period: the export functionality is unavailable and the details of some events are deliberately obscured.

The Ports View can be displayed by selecting the Ports option from the View menu.

FIGURE 3.9: KFSensor finish installation


12. The KFSensor main window appears. As soon as it starts it lists the events it has received, with their ID, protocol, port, name and visitor. In the following window, the nodes in the left pane that are crossed out with blue lines are the ports that are in use.
[Screenshot: KFSensor main window. The Ports View lists the TCP listeners (21 FTP, 25 SMTP, 53 DNS, 63 DHCP, 80 IIS, 110 POP3, 119 NNTP, 135 MS RPC, 139 NBT Session, 389 LDAP, 443 HTTPS, 445 NBT SMB, 593 CIS, 1028 MS CIS, 1080 SOCKS, 1433 SQL Server, 2234 DirectPlay, 3128 IIS Proxy, 3268 Global Catalog). The Events View shows entries from 9/26/2012 and 9/27/2012, all UDP port 138 "NBT Datagram" visits from hosts WIN-ULY358K, WIN-LXQN3W, WIN-MSSELCI, WIN-D39MR5I, WIN-2N9STO..., WINDOWS8. Status bar: Server: Running, Visitors: 8]
FIGURE 3.10: KFSensor Main Window

13. Open a command prom pt from the Start menu apps.

The top-level item in the Ports View is the server. The IP address of the KFSensor Server and the name of the currently active Scenario are displayed. The server icon indicates the state of the server.

14. In the command prompt window, type netstat -an.


Microsoft Windows [Version 6.2.8400]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Admin>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:57             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:68             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:82             0.0.0.0:0              LISTENING

FIGURE 3.11: Command Prompt with netstat -an


15. This will display a list of listening ports.

The protocol level of KFSensor is used to group the ports based on their protocol, either TCP or UDP.

  TCP    0.0.0.0:82             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:83             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:98             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:111            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:522            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:543            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:563            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:999            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1024           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING

FIGURE 3.12: Command Prompt with netstat -an
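A practitioner looking at this listing wants two things the eye cannot give reliably over forty rows: confirmation that every port the honeypot scenario defines was actually bound (a port already taken by a real service, for instance 80 by IIS, is silently not emulated), and a list of ports that are bound but were not planned, which on a production host is how an unexpected listener or backdoor shows up. The following Python script is an added example, not part of the lab or of KFSensor; it parses Windows netstat -an output and diffs it against an expected set. NETSTAT_OUTPUT mirrors the rows in Figures 3.11 and 3.12 and EXPECTED is constructed for the example.

```python
"""Check which ports are really bound after KFSensor starts, from `netstat -an` output.

Added example for this lab, not part of the lab manual or KFSensor.
NETSTAT_OUTPUT and EXPECTED are constructed: the first mirrors the listing in
Figures 3.11/3.12, the second stands for the ports the chosen KFSensor
scenario is supposed to open.
"""
import re
from typing import Dict, Set

# Windows `netstat -an` row: Proto  Local Address  Foreign Address  [State]
# UDP rows have no State column, and IPv6 addresses look like [::]:135.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text: str) -> Dict[str, Set[int]]:
    """Return {"TCP": {...}, "UDP": {...}} of locally bound ports.

    Only TCP sockets in the LISTENING state count; every bound UDP socket counts.
    """
    ports: Dict[str, Set[int]] = {"TCP": set(), "UDP": set()}
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, _laddr, lport, _faddr, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        ports[proto].add(int(lport))
    return ports


def compare_with_expected(current: Dict[str, Set[int]], expected: Dict[str, Set[int]]):
    """Return (unexpected, missing) per protocol.

    unexpected: bound but not in the expected set (an unplanned listener, or on a
    production host a possible backdoor); missing: expected but not bound (typically
    a port already taken by a real service, which KFSensor then cannot emulate).
    """
    unexpected, missing = {}, {}
    for proto in ("TCP", "UDP"):
        unexpected[proto] = current.get(proto, set()) - expected.get(proto, set())
        missing[proto] = expected.get(proto, set()) - current.get(proto, set())
    return unexpected, missing


NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    10.0.0.12:49152        10.0.0.10:445          ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:138            *:*
"""

# Ports the honeypot scenario is supposed to expose (constructed for the example).
EXPECTED = {"TCP": {2, 7, 9, 21, 23, 80, 135, 443}, "UDP": {138}}

if __name__ == "__main__":
    bound = listening_ports(NETSTAT_OUTPUT)
    unexpected, missing = compare_with_expected(bound, EXPECTED)
    print("bound TCP:", sorted(bound["TCP"]), "bound UDP:", sorted(bound["UDP"]))
    print("unexpected:", unexpected)   # {'TCP': {1080}, 'UDP': set()}
    print("missing:", missing)         # {'TCP': {443}, 'UDP': set()}
```

To run it against the real machine, replace NETSTAT_OUTPUT with the captured text of netstat -an and EXPECTED with the ports of the scenario you selected in the Set Up Wizard.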


16. Leave the KFSensor tool running.

17. Follow the wizard-driven installation steps to install MegaPing in Windows Server 2012 (Host Machine).

The Visitors View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the visitors who have connected to the server.

18. To launch MegaPing, move your mouse cursor to the lower-left corner of your desktop and click Start.

FIGURE 3.13: Start-up window in Windows Server 2012

19. Click the MegaPing app in the Start menu apps.
Each visitor detected by the KFSensor Server is listed. The visitor's IP address and domain name are displayed.

[Screenshot: Windows Server 2012 Start menu apps with MegaPing]
FIGURE 3.14: Click on MegaPing

20. The main window of MegaPing appears as shown in the following screenshot.

[Screenshot: MegaPing (Unregistered) main window; tools listed on the left: DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner, Host Monitor]
FIGURE 3.15: MegaPing on Windows Server 2012

The Visitors View can be displayed by selecting the Visitors option from the View menu.

21. Select Port Scanner from the list on the left side.

22. Enter the IP address of Windows 8 (in this lab the IP address is 10.0.0.12, the machine on which KFSensor is running) in the Destination Address List and click Add.
[Screenshot: MegaPing Port Scanner with Destination 10.0.0.12 added to the Destination Address List; Port Scanner Settings: Protocols TCP and UDP, Scan Type Range of Ports + Custom Ports]
FIGURE 3.16: MegaPing: Select 10.0.0.12 from Host, press Start button

23. Check the IP address and click the Start button to start scanning the ports of 10.0.0.12.

Visitor is obtained by a reverse DNS lookup on the visitor's IP address. An icon is displayed indicating the last time the visitor connected to the server.

[Screenshot: MegaPing Port Scanner running against 10.0.0.12]
FIGURE 3.17: MegaPing data of the packets received


24. The following image displays the identification of Telnet on port 23.

The Visitors View is linked to the Events View and acts as a filter to it. If you select a visitor then only those events related to that visitor will be displayed in the Events View.

[Screenshot: MegaPing Port Scanner results for 10.0.0.12, including 23 TCP telnet - Telnet (Risk: Elevated), 25 TCP smtp - Simple Mail Transfer (Elevated), 42 TCP nameserver - Host Name Server (Low), 53 TCP domain - Domain Name Server (Low)]
FIGURE 3.18: MegaPing: Telnet port data

25. The following image displays the identification of SOCKS on port 1080.

The events are sorted in either ascending or descending chronological order. This is controlled by options on the View menu.

[Screenshot: MegaPing Port Scanner results for 10.0.0.12, including 1080 TCP socks - Socks (Low), 1214 TCP (Low), 1433 TCP ms-sql-s - Microsoft-SQL-Server (Low), 1494 TCP ica - Citrix ICA Client (Low), 1801 TCP (Low)]
FIGURE 3.19: MegaPing: Blackjack virus


26. Now come back to the Windows 8 virtual machine and look for the Telnet data.

The events that are displayed are filtered by the currently selected item in the Ports View or the Visitors View.

[Screenshot: KFSensor with the 23 Telnet listener selected in the Ports View; the Events View shows a TCP event on 9/27/2012 6:24:13 PM, name "23 Telnet". Status bar: Server: Running, Visitors: 8]
FIGURE 3.20: Telnet data on KFSensor

27. The following image displays the event recorded by the "Death, Trojan" listener on port 2.

Exit shuts down the KFSensor Monitor. If the KFSensor Server is not installed as a system service then it will be shut down as well.

[Screenshot: KFSensor with the "2 Death, Trojan" listener selected in the Ports View; the Events View shows a TCP event on 9/27/2012 6:24:12 PM. Status bar: Server: Running, Visitors: 8]
FIGURE 3.21: Death Trojan data on KFSensor
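What the honeypot recorded in steps 22 to 27 is one visitor touching many emulated services within a few seconds, while every other host on the segment only produced NetBIOS datagram noise on UDP 138 (Figure 3.10). The following Python script is an added example, not KFSensor's own code, of the detection logic that turns such an event list into a port-scan verdict: a sliding time window per visitor, noise ports excluded, and the set of contacted listeners kept so the analyst can see what the scanner was after. The events are constructed to resemble KFSensor's Events view after the MegaPing scan; the addresses and timestamps are assumptions.

```python
"""Flag port scans in honeypot visitor events.

Added example for this lab, not part of the lab manual or KFSensor. The events
are constructed to resemble KFSensor's Events view after the MegaPing scan:
one host (10.0.0.10) touches many honeypot listeners within seconds, other
hosts only send the NetBIOS datagrams every Windows machine broadcasts.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    when: datetime
    visitor: str   # source IP address
    proto: str     # "TCP" or "UDP"
    port: int      # honeypot port that was contacted
    name: str      # KFSensor listener name for that port


# (proto, port) pairs that are background noise on a Windows segment.
NOISE = {("UDP", 138)}   # NBT Datagram broadcasts


def detect_scans(events: List[Event], min_ports: int = 5,
                 window: timedelta = timedelta(seconds=30)) -> Dict[str, dict]:
    """Report per visitor; 'scan' is True when >= min_ports distinct ports fall inside window.

    Uses a sliding window over each visitor's time-ordered events, so a slow
    scanner that spreads probes over hours is not flagged unless window is widened.
    """
    per_visitor: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        if (e.proto, e.port) not in NOISE:
            per_visitor[e.visitor].append(e)

    report = {}
    for visitor, evs in per_visitor.items():
        scan, start = False, 0
        for end in range(len(evs)):
            while evs[end].when - evs[start].when > window:
                start += 1
            if len({(x.proto, x.port) for x in evs[start:end + 1]}) >= min_ports:
                scan = True
                break
        report[visitor] = {
            "first_seen": evs[0].when,
            "events": len(evs),
            "ports": sorted({(x.proto, x.port, x.name) for x in evs}),
            "scan": scan,
        }
    return report


def _t(second: int) -> datetime:
    return datetime(2012, 9, 27, 18, 24, second)


SAMPLE_EVENTS = [  # constructed
    Event(_t(5), "10.0.0.15", "UDP", 138, "NBT Datagram"),
    Event(_t(7), "10.0.0.16", "UDP", 138, "NBT Datagram"),
    Event(_t(10), "10.0.0.10", "TCP", 2, "Death, Trojan"),
    Event(_t(11), "10.0.0.10", "TCP", 7, "Echo"),
    Event(_t(11), "10.0.0.10", "TCP", 21, "FTP"),
    Event(_t(12), "10.0.0.10", "TCP", 23, "Telnet"),
    Event(_t(13), "10.0.0.10", "TCP", 25, "SMTP"),
    Event(_t(14), "10.0.0.10", "TCP", 80, "IIS"),
    Event(_t(16), "10.0.0.10", "TCP", 1080, "SOCKS"),
    Event(_t(40), "10.0.0.20", "TCP", 23, "Telnet"),   # two login attempts, not a scan
    Event(_t(41), "10.0.0.20", "TCP", 23, "Telnet"),
]

if __name__ == "__main__":
    for visitor, info in detect_scans(SAMPLE_EVENTS).items():
        flag = "PORT SCAN" if info["scan"] else "ok"
        print(f"{visitor}: {info['events']} event(s) on {len(info['ports'])} port(s) "
              f"since {info['first_seen']:%H:%M:%S} -> {flag}")
```

The thresholds are the tuning knobs of this rule: min_ports too low flags a host that legitimately uses several services, too high lets a scanner through, and a wider window catches slow scans at the cost of more false positives.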

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.

Tool/Utility: KFSensor Honeypot IDS

Information Collected/Objectives Achieved
Output:
Port identified by the scan: 1080 (SOCKS)
Honeypot listeners that recorded the scanner: 2 (23 Telnet and 2 Death, Trojan)

Internet Connection Required: No

Platform Supported: Classroom, iLabs

HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that creates a transparent tunnel through a proxy server or firewall.

Lab Scenario
Attackers are always on the hunt for clients that can be easily compromised, and
they can enter your network by IP spoofing to damage or steal your data. The
attacker can get packets through a firewall by spoofing the IP address. If
attackers are able to capture network traffic, as you have learned to do in the
previous lab, they can perform Trojan attacks, registry attacks, password
hijacking attacks, etc., which can prove to be disastrous for an organization's
network. An attacker may use a network probe to capture raw packet data and
then use this raw packet data to retrieve packet information such as source and
destination IP address, source and destination ports, flags, header length,
checksum, Time to Live (TTL), and protocol type.
Hence, as a network administrator you should be able to identify attacks by
extracting information from captured traffic such as source and destination IP
addresses, protocol type, header length, source and destination ports, etc. and
compare these details with modeled attack signatures to determine if an attack
has occurred. You can also check the attack logs for the list of attacks and take
evasive actions.
Also, you should be familiar with the HTTP tunneling technique, by which you
can identify additional security risks that may not be readily visible by
conducting simple network and vulnerability scanning, and determine the extent
to which a network IDS can identify malicious traffic within a communication
channel. In this lab, you will learn HTTP tunneling using HTTPort.

Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort
and HTTHost.

Lab Environment
In the lab, you need the HTTPort tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots

- HTTPort is located at D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots\HTTPort
- You can also download the latest version of HTTPort from http://www.targeted.org
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- Install HTTHost on the Windows 8 virtual machine
- Install HTTPort on the Windows Server 2012 host machine
- Follow the wizard-driven installation steps and install it
- Administrative privileges are required to run this tool

Lab Duration
Time: 20 Minutes

Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall, which
allows all sorts of Internet software to be used from behind the proxy. It bypasses
HTTP and HTTPS proxies, firewalls, and transparent accelerators: the application's
TCP connection is carried inside ordinary HTTP requests to the HTTHost end, so
the proxy only ever sees web traffic.
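To make the tunneling idea concrete, and the IDS question raised in the Lab Scenario with it, the following Python script is an added example; it is not HTTPort or HTTHost code and does not reproduce their wire format. wrap() plays the HTTPort side and frames raw application bytes as an ordinary POST that any proxy will relay, unwrap() plays the HTTHost side and checks a tag derived from the shared personal password before releasing the bytes, and tunnel_score() is one heuristic a network IDS can apply to the HTTP it sees: a destination that only ever receives POSTs whose bodies look like encrypted or packed data. The host name, path, session fields and SAMPLE_CHUNK are assumptions; the secret "magic" is the password this lab uses.

```python
"""Show what an HTTP tunnel looks like on the wire and one check an IDS can apply.

Added example for this lab; it is not HTTPort or HTTHost code and does not use
their wire format. wrap() is the HTTPort side (application bytes go into an
ordinary POST the proxy will relay), unwrap() is the HTTHost side, and
tunnel_score() is a heuristic a network IDS could run over the HTTP it sees.
SECRET, HOST, the path and SAMPLE_CHUNK are assumptions made for the example.
"""
import hashlib
import hmac
import math
from collections import Counter
from typing import Optional, Tuple

SECRET = b"magic"            # shared "personal password" (the value used in this lab)
HOST = "htthost.example"     # assumed name of the HTTHost machine


def wrap(payload: bytes, session: str, seq: int) -> bytes:
    """Client side: frame raw application bytes as a POST request."""
    tag = hmac.new(SECRET, f"{session}:{seq}".encode() + payload, hashlib.sha256).hexdigest()
    headers = (f"POST /cgi-bin/relay HTTP/1.1\r\nHost: {HOST}\r\n"
               f"Content-Type: application/octet-stream\r\n"
               f"Content-Length: {len(payload)}\r\n"
               f"X-Session: {session}\r\nX-Seq: {seq}\r\nX-Auth: {tag}\r\n\r\n")
    return headers.encode() + payload


def unwrap(request: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Server side: check the tag and return (session, seq, payload), or None if it fails."""
    head, _, body = request.partition(b"\r\n\r\n")
    fields = dict(line.split(": ", 1) for line in head.decode().split("\r\n")[1:])
    body = body[:int(fields["Content-Length"])]
    session, seq = fields["X-Session"], int(fields["X-Seq"])
    expected = hmac.new(SECRET, f"{session}:{seq}".encode() + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields["X-Auth"]):
        return None
    return session, seq, body


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: text is around 4-5, encrypted or packed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def tunnel_score(requests) -> dict:
    """Per Host header, the fraction of requests that are POSTs carrying high-entropy bodies."""
    seen = {}
    for req in requests:
        head, _, body = req.partition(b"\r\n\r\n")
        lines = head.decode().split("\r\n")
        method = lines[0].split()[0]
        host = next((l[6:] for l in lines if l.startswith("Host: ")), "?")
        suspicious = method == "POST" and entropy(body) > 6.0
        total, hits = seen.get(host, (0, 0))
        seen[host] = (total + 1, hits + int(suspicious))
    return {h: hits / total for h, (total, hits) in seen.items()}


# 256 deterministic pseudo-random bytes standing in for one encrypted tunnel chunk.
SAMPLE_CHUNK = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
SAMPLE_REQUESTS = [  # constructed traffic: one tunnel frame and two ordinary requests
    wrap(SAMPLE_CHUNK, "s1", 0),
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 22\r\n\r\nuser=alice&pass=secret",
]

if __name__ == "__main__":
    print(unwrap(SAMPLE_REQUESTS[0]) == ("s1", 0, SAMPLE_CHUNK))   # True
    print(tunnel_score(SAMPLE_REQUESTS))   # {'htthost.example': 1.0, 'www.example.com': 0.0}
```

The heuristic is deliberately weak on its own: a file upload also produces a high-entropy POST, so in practice it is combined with request rate, constant body sizes and the absence of any GET to the same host before the verdict is raised.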

TASK 1: Stopping IIS Services

Lab Tasks
1. Before running the tool you need to stop the IIS Admin Service and the World Wide Web Publishing Service on the Windows Server 2008 virtual machine.
2. Select Administrative Tools → Services → IIS Admin Service, right-click and select Stop.

[Screenshot: Services console. IIS Admin Service description: "Enables this server to administer Web and FTP services. If this service is stopped, the server will be unable to run Web, FTP, NNTP, or SMTP sites or configure IIS. If this service is disabled, any services that explicitly depend on it will fail to start."]
FIGURE 4.1: Stopping IIS Admin Service in Windows Server 2008

HTTPort bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

3. Select Administrative Tools → Services → World Wide Web Publishing Service, right-click and select Stop.

[Screenshot: Services console. World Wide Web Publishing Service description: "Provides Web connectivity and administration through the Internet Information Services Manager."]
FIGURE 4.2: Stopping World Wide Web Publishing Service in Windows Server 2008


4. Log in to the Windows Server 2008 virtual machine.

5. Open the mapped network drive CEH-Tools at Z:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots.

Note: HTTPort supports strong traffic encryption, which makes proxy logging of the tunnelled content useless, and supports NTLM and other proxy authentication schemes.


6. Open the HTTHost folder and double-click htthost.exe.

7. The HTTHost window opens; select the Options tab.

8. On the Options tab leave all settings at their defaults except the Personal password field, which must be filled with a password of your choice. In this lab the personal password is magic; the same value has to be entered later in HTTPort's personal remote host settings, because it is what authenticates HTTPort to your HTTHost.

9. Check the Log connections option and click Apply.


[Screenshot: HTTHost 1.8.5, Options tab. Network: Bind listening to 0.0.0.0, port 80; Bind external to 0.0.0.0; Allow access from 0.0.0.0; Personal password (masked). Passthrough unrecognized requests to: Host name or IP 127.0.0.1, Port 81, Original IP header field x-Original-IP. Max. local buffer 256K; Timeouts 0:1:2; Revalidate DNS names; Log connections checked. Tabs: Statistics, Application log, Options, Security, Send a Gift; Apply button]

Note: Tools demonstrated in this lab are available on the Z:\ mapped network drive.

FIGURE 4.3: HTTHost Options tab


10. Leave HTTHost running and do not turn off the Windows Server 2008 virtual machine.

11. Switch to the Windows Server 2008 host machine and install HTTPort from D:\CEH-Tools\CEHv7 Module 16 Evading IDS, Firewalls and Honeypots.

12. Follow the wizard-driven installation steps.

13. Open HTTPort from Start > All Programs > HTTPort 3.SNFM > HTTPort 3.SNFM.

14. The HTTPort window appears as shown in the following figure.
[Screenshot: HTTPort 3.SNFM main window with tabs System, Proxy, Port mapping, About, Register. Proxy tab fields: HTTP proxy to bypass (blank = direct or firewall): Host name or IP address, Port; Proxy requires authentication: Username, Password; Misc. options: User-Agent, Bypass mode (Remote host); Use personal remote host at (blank = use public): Host name or IP address, Port, Password; "This button helps"]

Note: To set up HTTPort you need to point your browser (or any other client) to 127.0.0.1, the local side of each mapping.

FIGURE 4.4: HTTPort main window



15. Select the Proxy tab and, under HTTP proxy to bypass, enter the host name or IP address of the targeted machine.

16. Here, as an example, enter the IP address of the Windows Server 2008 virtual machine and port number 80, the port HTTHost is listening on.

17. Leave Proxy requires authentication unchecked; the Username and Password fields are not needed in this lab because there is no authenticating proxy in the path.

18. Under Use personal remote host at, enter the IP address of the targeted host machine (the Windows Server 2008 virtual machine running HTTHost) and port 80.

19. In the Password field enter the Personal password configured in HTTHost; in this lab it is magic. Any password can be used, but the two sides must match.

Note: HTTPort comes with a predefined mapping, "External HTTP proxy", of local port ...

[Screenshot: HTTPort 3.SNFM, Proxy tab. HTTP proxy to bypass: Port 80; Proxy requires authentication unchecked; User-Agent IE 6.0; Bypass mode Remote host; Use personal remote host at: Host name or IP address 10.0.0.3, Port 80, Password (masked)]

Note: For each application you create a custom mapping for the addresses and ports it connects to. For applications that change ports dynamically there is SOCKS4 proxy mode, in which HTTPort runs a local SOCKS server on 127.0.0.1.

FIGURE 4.5: HTTPort Proxy settings window


20. Select the Port mapping tab and click Add to create a new mapping.

Note: In real-world environments, companies sometimes use a password-protected proxy to control employees' access to the Internet.


[Screenshot: HTTPort 3.SNFM, Port mapping tab. Static TCP/IP port mappings (tunnels): New mapping with nodes Local port, Remote host (remote.host.name), Remote port; Add and Remove buttons; "Select a mapping to see statistics: No stats - inactive, n/a B/sec, n/a K"; LEDs: Proxy; Built-in SOCKS4 server: Run SOCKS server (port 1080), Available in "Remote host" mode: Full SOCKS4 support (BIND); "This button helps"]

FIGURE 4.6: HTTPort creating a new mapping


21. Select the New mapping node, right-click it and select Edit.
[Screenshot: HTTPort Port mapping tab with the context menu Edit open on the New mapping node; the rest of the layout as in Figure 4.6]

Note: HTTHost supports registration, but it is free and password-free: you are issued a unique ID with which you can contact the support team and ask your questions.

FIGURE 4.7: HTTPort editing to assign a mapping


22. Rename it to ftp certified hacker, then select the Local port node, right-click it, choose Edit and set the port value to 21. (The finished mapping in the next figure and the ftp 127.0.0.1 test at the end of the lab both use local port 21: the FTP client connects to port 21 by default, so the mapping has to listen there.)

23. Right-click the Remote host node, choose Edit and set it to ftp.certifiedhacker.com.

24. Right-click the Remote port node, choose Edit and set the port value to 21.


[Screenshot: HTTPort 3.SNFM, Port mapping tab with the finished mapping: Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21; statistics inactive; Built-in SOCKS4 server options as before]

Note: Tools demonstrated in this lab are available at D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots.

FIGURE 4.8: HTTPort static TCP/IP port mapping


Note: In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box, because it only supports a proxy that is not password-protected.

25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.


[Screenshot: HTTPort 3.SNFM, Proxy tab after Start. HTTP proxy to bypass: Host name or IP address 10.0.0.x (value cut off in the screenshot); Bypass mode Remote host; Use personal remote host at: Host name or IP address 10.0.0.3, Port 80, Password (masked)]

FIGURE 4.9: HTTPort starting the tunnel


26. Switch to the Windows Server 2008 virtual machine and click the Application log tab in HTTHost.

27. Check the last line. If it reads LISTENER: listening at 0.0.0.0:80, HTTHost is running properly.


HTTHost 1.8.5, Application log:

    MAIN HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
    MAIN Project codename: 99 red balloons
    MAIN Written by Dmitry Dvoinikov
    MAIN (c) 1999-2004, Dmitry Dvoinikov
    MAIN 64 total available connection(s)
    MAIN network started
    MAIN RSA keys initialized
    MAIN loading security filters...
    MAIN loaded filter "grant.dll" (allows all connections within ...
    MAIN loaded filter "block.dll" (denies all connections within ...
    MAIN done, total 2 filter(s) loaded
    MAIN using transfer encoding: PrimeScrambler64/SevenT...
    grant.dll: filters connections
    block.dll: filters connections
    LISTENER: listening at 0.0.0.0:80

(Tabs: Statistics, Application log, Options, Security, Send a Gift.)

FIGURE 4.10: HTTHost Application log section
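What steps 6 to 27 have built is a TCP-over-HTTP tunnel: HTTPort listens on a local port, chops the TCP stream of whatever connects to it into HTTP requests, and HTTHost on the far side reassembles the stream and opens the real connection (here to ftp.certifiedhacker.com:21). The example below is added here to show that mechanism in working code; it is not code from the lab or from HTTPort/HTTHost. It runs entirely on loopback with a constructed FTP stub standing in for ftp.certifiedhacker.com, carries each chunk of the stream as the body of a POST to an HTTHost-like HTTP server, and uses made-up X-Session / X-Target-Host / X-Target-Port / X-Tunnel-Eof headers and no encryption, whereas the real tools use their own encrypted encoding (PrimeScrambler64 in the log above). The IE 6.0 User-Agent is the one HTTPort shows in its Misc. options.

```python
import socket
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

HOST = "127.0.0.1"
IDLE = 0.2  # seconds to wait for more bytes before shipping a chunk
OPENER = build_opener(ProxyHandler({}))  # ignore any http_proxy in the environment

def start_fake_ftp():
    """Constructed stand-in for ftp.certifiedhacker.com: banner, one USER -> 331, close."""
    srv = socket.create_server((HOST, 0))

    def loop():
        while True:
            conn, _ = srv.accept()
            conn.sendall(b"220-Microsoft FTP Service\r\n220 Welcome\r\n")
            if conn.recv(1024).upper().startswith(b"USER"):
                conn.sendall(b"331 Password required.\r\n")
            conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

class TunnelHandler(BaseHTTPRequestHandler):
    """HTTHost side: POST body -> target socket; target's pending output -> reply body."""

    sessions = {}  # session id -> socket to the real target (HTTPServer is single-threaded)

    def do_POST(self):
        sid = self.headers["X-Session"]
        target = self.sessions.get(sid)
        if target is None:  # first request of this session: dial the real target
            target = socket.create_connection(
                (self.headers["X-Target-Host"], int(self.headers["X-Target-Port"])))
            target.settimeout(IDLE)
            self.sessions[sid] = target
        target.sendall(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        out, eof = b"", False
        try:
            while chunk := target.recv(4096):
                out += chunk
            eof = True  # recv returned b"": the target closed its side
        except socket.timeout:
            pass  # nothing more pending right now
        if eof:
            self.sessions.pop(sid, None)
            target.close()
        self.send_response(200)
        self.send_header("Content-Length", str(len(out)))
        self.send_header("X-Tunnel-Eof", "1" if eof else "0")
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):
        pass  # keep the demo quiet

def serve_mapping(listener, tunnel_url, remote_host, remote_port):
    """HTTPort side: accept one client on the mapped local port, relay it via HTTP POSTs."""
    conn, _ = listener.accept()
    conn.settimeout(IDLE)
    sid = uuid.uuid4().hex
    try:
        while True:
            try:
                data = conn.recv(4096)
                if not data:  # local client hung up
                    break
            except socket.timeout:
                data = b""  # nothing to send, but still poll the remote side for replies
            req = Request(tunnel_url, data=data, method="POST", headers={
                "X-Session": sid, "X-Target-Host": remote_host,
                "X-Target-Port": str(remote_port), "User-Agent": "IE 6.0"})
            with OPENER.open(req) as resp:
                reply, eof = resp.read(), resp.headers.get("X-Tunnel-Eof") == "1"
            conn.sendall(reply)
            if eof:
                break
    finally:
        conn.close()

def demo():
    """Wire FTP stub, tunnel server and one mapping up on loopback; talk FTP to 127.0.0.1."""
    ftp_port = start_fake_ftp()
    httpd = HTTPServer((HOST, 0), TunnelHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    listener = socket.create_server((HOST, 0))  # plays the "Local port 21" of the mapping
    threading.Thread(target=serve_mapping, daemon=True, args=(
        listener, f"http://{HOST}:{httpd.server_port}/", HOST, ftp_port)).start()
    client = socket.create_connection((HOST, listener.getsockname()[1]))  # like ftp 127.0.0.1
    client.settimeout(5)
    banner = client.recv(1024)  # the whole banner arrives as one relayed chunk
    client.sendall(b"USER anonymous\r\n")
    reply = client.recv(1024)
    client.close()
    httpd.shutdown()
    return banner, reply
```

Calling demo() returns the FTP banner and the 331 reply exactly as a client on the mapped port sees them, although only HTTP POSTs to the tunnel server ever crossed the wire. Two details matter for the firewall part of the lab: the client never opens a connection to remote port 21 itself (only the remote host does), and the polling POSTs keep flowing even while the client is idle, which is the traffic pattern a proxy log still records when the payload is encrypted.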


28. Switch to the Windows Server 2008 host machine and turn on the Windows Firewall.

29. Go to Windows Firewall with Advanced Security.

30. Select Outbound Rules in the left pane of the window, then click New Rule in the right pane.
[Screenshot: Windows Firewall with Advanced Security, Outbound Rules view, listing the default rules (BITS Peercaching, Client for NFS, Core Networking, Distributed Transaction Coordinator, File and Printer Sharing, Hyper-V, iSCSI Service, Network Discovery, ...) with columns Name, Group, Profile, Enabled, Action, Program; Actions pane with New Rule, Filter by Profile, Filter by State, Filter by Group, Refresh, Export List, Help]

Note: Tools demonstrated in this lab are available on the Z:\ mapped network drive in the virtual machines.

FIGURE 4.11: Windows Firewall with Advanced Security window in Windows Server 2008

31. In the New Outbound Rule Wizard, select the Port option in the Rule Type step and click Next.


[Screenshot: New Outbound Rule Wizard, Rule Type step ("Select the type of firewall rule to create"): Program (rule that controls connections for a program), Port, Predefined (rule that controls connections for a Windows experience), Custom (custom rule); Port selected; steps listed: Rule Type, Protocol and Ports, Action, Profile, Name; Next button]

Note: HTTPort doesn't really care about the proxy as such; it works with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

FIGURE 4.12: Windows Firewall selecting a Rule Type


32. In the Protocol and Ports step select TCP and All local ports, then click Next (the remote port is narrowed to 21 later, in the rule's properties).
[Screenshot: New Outbound Rule Wizard, Protocol and Ports step ("Specify the protocol and ports that this rule matches"): "Does this rule apply to TCP or UDP?" TCP selected; "Does this rule apply to all local ports or specific local ports?" All local ports selected, Specific local ports (example: 80, 443, ...); Back, Next, Cancel]

Note: You need to install HTTHost on a PC that is generally reachable from the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for HTTHost on home PCs ...

FIGURE 4.13: Windows Firewall assigning Protocols and Ports

33. In the Action step, select Block the connection and click Next.


[Screenshot: New Outbound Rule Wizard, Action step ("Specify the action that is taken when a connection matches the conditions specified in the rule"). Options: Allow the connection (allows connections that have been protected with IPsec as well as those that have not); Allow the connection if it is secure (allows only connections that have been authenticated and integrity-protected through the use of IPsec; connections will be secured using the settings in IPsec properties and rules in the Connection Security Rule node), with sub-option Require the connections to be encrypted (require privacy in addition to integrity and authentication); Block the connection; Back, Next, Cancel]

Note: NAT/firewall issues: you need to open an incoming port. For HTTHost it will typically be 80 (http) or 443 (https), but any port can be used if the HTTP proxy at work allows it; some proxies are configured to allow only 80 and 443.

FIGURE 4.14: Windows Firewall setting an Action


34. In the Profile step, select all three options so that the rule applies to Domain, Private and Public, and click Next.
[Screenshot: New Outbound Rule Wizard, Profile step ("Specify the profiles for which this rule applies"): Domain (applies when a computer is connected to its corporate domain), Private (applies when a computer is connected to a private network location), Public (applies when a computer is connected to a public network location), all three checked; Back, Next, Cancel]

Note: Tools demonstrated in this lab are available at D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots.

FIGURE 4.15: Windows Firewall Profile settings


35. Type Port 21 Blocked in the Name field and click Finish.


[Screenshot: New Outbound Rule Wizard, Name step ("Specify the name and description of this rule"): Name: Port 21 Blocked; Description (optional) empty; Back, Finish, Cancel]

Note: The default TCP control port for FTP is 21. Sometimes the local Internet service provider blocks this port, which results in FTP connection failures.

FIGURE 4.16: Windows Firewall assigning a name to the port rule


36. The new rule Port 21 Blocked is created, as shown in the following figure.
[Screenshot: Windows Firewall with Advanced Security, Outbound Rules view with the new rule Port 21 Blocked listed at the top, above the default rules; the Actions pane now also shows the per-rule actions Disable Rule, Properties, Delete and Help]

Note: HTTP is the basis of web surfing, so if you can freely surf the web from where you are, HTTPort will bring you the rest of the Internet applications.

FIGURE 4.17: Windows Firewall new rule

37. Right-click the newly created rule and select Properties.


[Screenshot: Windows Firewall with Advanced Security, Outbound Rules view with Port 21 Blocked selected and its context menu open: Disable Rule, Delete, Properties, Help; status bar reads "Opens the properties dialog box for the current selection"]

Note: HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

Note: HTTPort enables you to bypass your HTTP proxy in case it blocks you from the Internet.

FIGURE 4.18: Windows Firewall new rule properties


38. Select the Protocols and Ports tab. Change the Remote port option to Specific Ports and enter 21 as the port number.

39. Leave the other settings at their defaults and click Apply, then OK.
Note: With HTTPort you can use various Internet software from behind the proxy, e.g. e-mail, instant messengers, P2P file sharing, ICQ, news, FTP, IRC, etc. The basic idea is that you set up your Internet software ...

[Screenshot: Port 21 Blocked Properties dialog with tabs General, Programs and Services, Protocols and Ports, Computers, Scope, Advanced. Protocols and ports: Protocol type TCP (as chosen in the wizard) and its protocol number; Local port: All Ports; Remote port: Specific Ports, 21 (example: 80, 445, 8080); Internet Control Message Protocol (ICMP) settings; OK, Cancel, Apply]

FIGURE 4.19: Firewall Port 21 Blocked properties


40. Type ftp 127.0.0.1 at the command prompt and press Enter. This connects to local port 21, where HTTPort's ftp certified hacker mapping listens; HTTPort carries the session over HTTP to HTTHost, which forwards it to ftp.certifiedhacker.com:21. Note that the Port 21 Blocked rule is not what decides this test: Windows Firewall does not apply its rules to loopback (127.0.0.1) traffic, and the tunnel's own traffic leaves the host for remote port 80, not 21. If the session fails here, check that HTTPort is started and that HTTHost's Application log still shows LISTENER: listening at 0.0.0.0:80.


Note: HTTPort neither freezes nor hangs; what you are seeing is known as a "blocking operation".

FIGURE 4.20: ftp connection is blocked

41. Now open a command prompt on the Windows Server 2008 host machine, type ftp ftp.certifiedhacker.com and press Enter. This is the direct connection to remote port 21 that the Port 21 Blocked rule is meant to stop, so with the rule enabled it should fail; the 220 Microsoft FTP Service banner in the next figure is the response you get with the rule disabled or before it was added. The comparison with step 40 is the point of the lab: the tunnelled session works where the direct connection is blocked.

[Screenshot: Administrator command prompt on the host machine:]

    C:\Users\Administrator>ftp ftp.certifiedhacker.com
    Connected to ftp.certifiedhacker.com.
    220-Microsoft FTP Service
    220 Welcome TO FTP Account
    User (ftp.certifiedhacker.com:(none)):

Note: HTTPort makes it possible to open the client side of a TCP/IP connection and provide it to any software. The keywords here are "client" and "any software".

FIGURE 4.21: Executing the ftp command
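The note earlier in this lab says that HTTPort's traffic encryption makes proxy logging useless. That is true of the payload, but not of the metadata: every chunk of the tunnelled TCP stream becomes one HTTP request to the same remote host, and the client keeps polling even while idle, so a proxy log shows one client producing a steady stream of small POSTs to one host for as long as the tunnel is up. The detector below is an added example, not part of the lab or of any proxy product. It parses a constructed log in a made-up space-separated format (epoch time, client IP, method, URL, status, bytes, user agent), groups requests by client and destination host, and flags groups that are large, almost entirely POST and evenly spaced. The thresholds are this example's own starting points, and the client 10.0.0.4, host 10.0.0.3 and User-Agent IE 6.0 are taken from the lab's HTTPort settings only to make the sample recognisable.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def make_sample_log():
    """Constructed proxy log: a user browsing example.org from 10.0.0.5 and an
    HTTPort-style session from 10.0.0.4 to 10.0.0.3 (one POST every 0.3 s,
    tiny bodies, the IE 6.0 User-Agent from the HTTPort Misc. options)."""
    t0 = 1362900000.0
    lines = [f"{t0 + i * 5:.3f} 10.0.0.5 GET http://www.example.org/page{i}.html 200 {4000 + i * 300} Mozilla/5.0"
             for i in range(8)]
    lines += [f"{t0 + i * 0.3:.3f} 10.0.0.4 POST http://10.0.0.3:80/ 200 {96 + (i % 3) * 16} IE 6.0"
              for i in range(120)]
    return lines


def parse(line):
    """Fields: epoch time, client IP, method, URL, status, bytes, user agent (may contain spaces)."""
    t, client, method, url, status, size, ua = line.split(" ", 6)
    return {"t": float(t), "client": client, "method": method,
            "host": urlsplit(url).hostname, "status": int(status),
            "size": int(size), "ua": ua}


def find_tunnels(lines, min_requests=30, min_post_share=0.9, max_median_gap=1.0):
    """Flag (client, host) pairs whose traffic looks like a TCP stream chopped
    into HTTP requests: many requests, almost all POST, fired at a steady short
    interval. Thresholds are this example's own starting points, not a standard."""
    groups = defaultdict(list)
    for rec in map(parse, lines):
        groups[(rec["client"], rec["host"])].append(rec)
    hits = []
    for (client, host), recs in groups.items():
        recs.sort(key=lambda r: r["t"])
        posts = sum(r["method"] == "POST" for r in recs)
        gaps = sorted(b["t"] - a["t"] for a, b in zip(recs, recs[1:]))
        median_gap = gaps[len(gaps) // 2] if gaps else float("inf")
        if (len(recs) >= min_requests and posts / len(recs) >= min_post_share
                and median_gap <= max_median_gap):
            hits.append({"client": client, "host": host, "requests": len(recs),
                         "post_share": round(posts / len(recs), 2),
                         "median_gap_s": round(median_gap, 2),
                         "bytes": sum(r["size"] for r in recs),
                         "user_agents": sorted({r["ua"] for r in recs})})
    return sorted(hits, key=lambda h: -h["requests"])


if __name__ == "__main__":
    for hit in find_tunnels(make_sample_log()):
        print(hit)
```

On the sample log only the 10.0.0.4 to 10.0.0.3 pair is flagged (120 requests, all POST, median gap 0.3 s); the ordinary browsing from 10.0.0.5 is not. On a real proxy log the same three features, request count per destination, POST share and inter-request spacing, are what to alert on, together with the "Log connections" output the lab enables on HTTHost if the remote host is one you control.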

Lab Analysis
Document all the IP addresses, open ports, running applications and protocols you discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
    Proxy server used: 10.0.0.4
    Port scanned: 80
    Result: ftp 127.0.0.1 connected to 127.0.0.1


Questions
1. How would you set up HTTPort to use an e-mail client (Outlook, Messenger, etc.)?

2. Examine the case where the software does not allow editing the address it connects to.

Internet Connection Required: Yes

Platform Supported: iLabs
