CEH v8 Labs Module 17 Evading IDS, Firewalls and Honeypots PDF
Lab Objectives
The objective of this lab is to help students learn to detect intrusions in a network, log them, and view all log files. In this lab, you will learn how to:
■ Install and configure Snort IDS
■ Run Snort as a service
■ Log Snort log files to Kiwi Syslog Server
■ Store Snort log files to two output sources simultaneously
Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots
Lab Environment
To carry out this lab, you need:
■ ActivePerl installed on the host machine to run Perl scripts
Lab Duration
Time: 40 Minutes
Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in using IDSes:
■ Detecting Intrusions Using Snort
■ Logging Snort Alerts to Kiwi Syslog Server
■ Detecting Intruders and Worms using KFSensor Honeypot IDS
■ HTTP Tunneling Using HTTPort
Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.
■ Configure Oinkmaster
Lab Environment
To carry out this lab, you need:
Lab Duration
Time: 30 Minutes
Lab Tasks
1. Start Windows Server 2012 on the host machine. Install Snort.
12. Extract the downloaded rules and copy the extracted folder to this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
TASK 2
19. Now navigate to C:\Snort, right-click the bin folder, and click CmdHere from the context menu to open it in a command prompt. Type snort with no options and press Enter.
C:\Snort\bin>snort
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "\Device\NPF_{0FB09822-88B5-411F-AFD2-FE3735A977BB}".
Decoding Ethernet

        --== Initialization Complete ==--

   -*> Snort! <*-
   Version 2.9.3.1-WIN32 GRE (Build 40)
   By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
   Copyright (C) 1998-2012 Sourcefire, Inc., et al.
   Using PCRE version: 8.10 2010-06-25
   Using ZLIB version: 1.2.3

Commencing packet processing (pid=...)

Note: To print the TCP/IP packet headers to the screen (sniffer mode), type snort -v. With no options at all, as above, Snort also runs in packet dump mode, on the first capture interface it finds.
21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and returns you to the C:\Snort\bin prompt.
22. Now type snort -W. This command lists your machine's capture interfaces with their index, physical (MAC) address, IP address, device name, and description. On this Windows build the IP Address column reads "disabled" for every interface, so identify the adapter by its physical address and description instead.
C:\Snort\bin>snort -W
   ...
   Copyright (C) 1998-2012 Sourcefire, Inc., et al.
   Using PCRE version: 8.10 2010-06-25
   Using ZLIB version: 1.2.3

Index  Physical Address   IP Address  Device Name                                          Description
-----  -----------------  ----------  ---------------------------------------------------  -----------------------------------
1      00:00:00:00:00:00  disabled    \Device\NPF_{0FB09822-88B5-411F-AFD2-FE3735A977BB}  Microsoft Corporation
2      00:00:00:00:00:00  disabled    \Device\NPF_{0BFD2FA3-2E17-46E3-B614-0FC19B5DDA25}
3      00:00:00:00:00:00  disabled    \Device\NPF_{1D13B78A-B411-4325-...}
4      D4:BE:D9:C3:C3:CC  disabled    \Device\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}  Realtek PCIe GBE Family Controller

C:\Snort\bin>
23. Observe the index number of your physical Ethernet adapter and write it down. In the screenshots for this lab it is 4, the Realtek PCIe GBE Family Controller, the only entry with a non-zero physical address. Use the index that snort -W reports on your own machine in every command below.
24. To start sniffing on that adapter, in the command prompt type snort -dev -i 4 and press Enter (replace 4 with your index). The -v flag prints packet headers, -d adds the application-layer payload, -e adds the link-layer (Ethernet) header, and -i selects the interface.
25. Text scrolls rapidly in the command prompt. This means the adapter is enabled and Snort is decoding its traffic correctly.
Note: To specify a logging directory, add -l, for example snort -dev -i 4 -l C:\Snort\log. When -l is given, Snort automatically goes into packet logger mode and writes the packets to that directory instead of only printing them.

C:\Snort\bin>snort -dev -i 4
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "\Device\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}".
Decoding Ethernet

        --== Initialization Complete ==--

   -*> Snort! <*-
   Version 2.9.3.1-WIN32 GRE (Build 40)
   By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
   Copyright (C) 1998-2012 Sourcefire, Inc., et al.
   Using PCRE version: 8.10 2010-06-25
   Using ZLIB version: 1.2.3

Commencing packet processing (pid=2852)
11/14-09:55:49.352079 ARP who-has 10.0.0.13 tell 10.0.0.10
26. Leave the Snort command prompt window open, and launch another command prompt window.
27. In the new command prompt, type ping google.com and press Enter.
28. The ping generates traffic (the DNS lookup, the ICMP echo requests and replies, and whatever else the host is doing) that Snort decodes and prints to the first window as rapidly scrolling text. This is still packet dump mode: Snort shows every packet and raises no alerts. Alerts require the configuration and rules loaded in the later tasks.
C:\Snort\bin>snort -dev -i 4
...
74.125.236.85:443 -> 10.0.0.10:51345 TCP TTL:56 TOS:0x0 ID:55300 IpLen:20 DgmLen:95
***AP*** Seq: 0x81047C40  Ack: 0x4C743C54  Win: 0xFFFF  TcpLen: 20
17 03 02 00 32 43 3F 4C 22 B4 01 69 AB 37 FD 34  ...2C?L"..i.7.4
(remaining payload bytes omitted)

11/14-09:58:16.374896 D4:BE:D9:C3:C3:CC -> 00:09:5B:AE:24:CC type:0x800 len:0x36
10.0.0.10:51345 -> 74.125.236.85:443 TCP TTL:128 TOS:0x0 ID:20990 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4C743C54  Ack: 0x81047C77  Win: 0xFB27  TcpLen: 20

11/14-09:58:17.496035 ARP who-has 10.0.0.13 tell 10.0.0.10
11/14-09:58:18.352315 ARP who-has 10.0.0.13 tell 10.0.0.10
11/14-09:58:19.352675 ARP who-has 10.0.0.13 tell 10.0.0.10

Note: To enable Network Intrusion Detection System (NIDS) mode, so that you don't record every single packet sent down the wire, type: snort -dev -l .\log -h 192.168.1.0/24 -c snort.conf
TASK 3
30. Configure the snort.conf file located at C:\Snort\etc.
Note: To log packets in tcpdump (binary) format and produce minimal alerts, type: snort -b -A fast -c snort.conf
Figure 1.7: Configuring snort.conf file in Notepad++
33. Scroll down to the Step #1: Set the network variables section (Line 41) of snort.conf. In the HOME_NET line (Line 45), replace any with the IP address of the machine where Snort is running.
C:\Snort\etc\snort.conf in Notepad++:
# Step #1: Set the network variables.  For more information, see README.variables
# Setup the network addresses you are protecting
ipvar HOME_NET 10.0.0.10

Note: Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.
35. If you have a DNS server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS server IP address; otherwise, leave this line as it is.
36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
37. Remember that if you don't have any of these servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
Note: The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.
38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.
C:\Snort\etc\snort.conf in Notepad++:
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH C:\Snort\rules
var SO_RULE_PATH C:\Snort\so_rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# set the absolute path appropriately
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

# Step #2: Configure the decoder.  For more information, see README.decode
# Stop generic decode events:
config disable_decode_alerts

Note: Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators ? and -.
39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.
40. Navigate to C:\Snort\rules and create two empty files named white_list.rules and black_list.rules (the files that WHITE_LIST_PATH and BLACK_LIST_PATH point to). Make sure both files have the .rules extension.
Note: The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.
41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure the dynamically loaded libraries in this section.
42. At "path to dynamic preprocessor libraries" (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.
43. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.
C:\Snort\etc\snort.conf in Notepad++:
# path to dynamic preprocessor libraries
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors

# GTP Control Channel Preprocessor. For more information, see README.GTP
# preprocessor gtp: ports { 2123 3386 2152 }

# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6

Note: Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.
44. At "path to base preprocessor (or dynamic) engine" (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine, C:\Snort\lib\snort_dynamicengine\sf_engine.dll.
Note: Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.
45. Comment out (#) the dynamic rules libraries line (Line 253). The precompiled shared-object rules it points to are not shipped for this Windows build, and the dynamic preprocessor libraries configured above are all that Snort needs here.
C:\Snort\etc\snort.conf in Notepad++:
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules

# path to base preprocessor engine
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

# path to dynamic rules libraries
# dynamicdetection directory /usr/local/lib/snort_dynamicrules

Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed out-of-band.
46. Scroll down to the Step #5: Configure preprocessors section (Line 256). The normalize_* preprocessors listed there do nothing in IDS mode but generate errors at runtime.
47. Comment out each of those normalize_* lines by adding # before it. Leave frag3, stream5 and the other preprocessors that NIDS mode relies on uncommented.
Note: IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.
C:\Snort\etc\snort.conf in Notepad++:
# Target-based IP defragmentation.  For more information, see README.frag3
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.
49. These two files are in C:\Snort\etc. Provide this location in the include lines of the output plugins section (Lines 540 and 541). Also add an output line so that alerts are written in fast format to alerts.ids inside the log directory given with -l.
C:\Snort\etc\snort.conf in Notepad++:
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

output alert_fast: alerts.ids

# metadata reference data.  do not modify these lines
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config

Note: The frag3 preprocessor is a target-based IP defragmentation module for Snort.

After Snort has run, the C:\Snort\log folder contains alerts.ids.
53. In the snort.conf file, find and replace the ipvar string with var. By default the IP variables are declared with ipvar, which this Windows build of Snort (compiled without IPv6 support) does not recognize, so replace it with var.
Note: Snort now supports multiple configurations based on VLAN ID or IP subnet within a single instance of Snort. This allows administrators to specify multiple Snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.
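The edits in steps 33 through 53 are mechanical, and on a real sensor you redo them at every upgrade, so it is worth having them in code together with a check that catches what you forgot. The following Python script is an added example written for this page; it is not part of the CEH lab and not Snort's own tooling. It takes a constructed excerpt of a stock snort.conf (embedded below, not the lab's file), applies the same changes the steps describe (HOME_NET, the rule-path variables, the Windows DLL paths, the commented-out dynamicdetection and normalize_* lines, ipvar to var, the classification/reference includes and the alert_fast output), and then lints the result for the settings that would make a snort -T run fail or leave the sensor blind. The C:\Snort root, the 10.0.0.10 address and the lint messages are assumptions for the example.

```python
import re

# Constructed excerpt of a stock snort.conf for this example (not the lab's
# file); every line is one that steps 33-53 tell you to change.
SAMPLE_CONF = """\
# Step #1: Set the network variables.
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
portvar HTTP_PORTS [80,81,311]
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor frag3_global: max_frags 65536
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
include classification.config
include reference.config
"""

# Rule-path variables and the directory under the Snort root each points to.
PATH_VARS = {
    "RULE_PATH": "rules",
    "SO_RULE_PATH": "so_rules",
    "PREPROC_RULE_PATH": "preproc_rules",
    "WHITE_LIST_PATH": "rules",   # white_list.rules / black_list.rules live here
    "BLACK_LIST_PATH": "rules",
}
VAR_RE = re.compile(r"^(ipvar|var)\s+(\w+)\s+(.*)$")


def patch_snort_conf(text, home_net, root="C:\\Snort"):
    """Return snort.conf text with the lab's Windows edits applied (assumed layout)."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        m = VAR_RE.match(s)
        if m:
            _, name, value = m.groups()
            if name == "HOME_NET":
                value = home_net                     # never leave HOME_NET as 'any'
            elif name in PATH_VARS:
                value = root + "\\" + PATH_VARS[name]
            # this Windows build has no IPv6 support and rejects 'ipvar';
            # 'var' accepts the same IP lists
            line = "var %s %s" % (name, value)
        elif s.startswith("dynamicpreprocessor directory"):
            line = "dynamicpreprocessor directory " + root + "\\lib\\snort_dynamicpreprocessor"
        elif s.startswith("dynamicengine"):
            line = "dynamicengine " + root + "\\lib\\snort_dynamicengine\\sf_engine.dll"
        elif s.startswith("dynamicdetection"):
            line = "# " + s              # no precompiled SO rules for Windows
        elif s.startswith("preprocessor normalize_"):
            line = "# " + s              # inline-only; errors in passive IDS mode
        elif re.match(r"^include\s+(classification|reference)\.config$", s):
            line = "include " + root + "\\etc\\" + s.split()[1]
        out.append(line)
    if not any(l.strip().startswith("output alert_fast") for l in out):
        out.append("output alert_fast: alerts.ids")   # alerts land in the -l directory
    return "\n".join(out) + "\n"


def lint_snort_conf(text):
    """Return (line, problem) pairs for settings that break or blind this Windows sensor."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith("ipvar "):
            problems.append((n, "ipvar is not recognized by this build; use var"))
        elif re.match(r"^var\s+HOME_NET\s+any$", s):
            problems.append((n, "HOME_NET is 'any'; rules cannot tell your hosts from the rest"))
        elif re.match(r"^(var\s+\w*PATH|dynamic\w+|include)\b", s) and ("/usr/" in s or "../" in s):
            problems.append((n, "POSIX or relative path on Windows: " + s))
        elif s.startswith("preprocessor normalize_"):
            problems.append((n, "normalize_* does nothing in IDS mode and errors at runtime"))
    return problems


if __name__ == "__main__":
    fixed = patch_snort_conf(SAMPLE_CONF, "10.0.0.10")
    print(fixed)
    for n, why in lint_snort_conf(SAMPLE_CONF):
        print("original line %d: %s" % (n, why))
    print("problems left after patching:", len(lint_snort_conf(fixed)))
```

Run it against a copy of your own snort.conf (read the file into patch_snort_conf, write the result back) and keep the lint in a pre-start check; it is cheaper than waiting for snort -T to stop at the first fatal error.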
Notepad++ Replace dialog: Find what: ipvar; Replace with: var; click Replace All.
Note: Three types of variables may be defined in Snort:
■ var
■ portvar
■ ipvar
57. In the rules file opened in the preceding steps, C:\Snort\rules\icmp-info.rules, uncomment Line 47 (the ICMP-INFO PING rule), then save and close the file.
C:\Snort\rules\icmp-info.rules in Notepad++ (Line 47 uncommented; the trailing sid/rev options are not legible in the figure):
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Traceroute"; itype:8; ttl:1; classtype:attempted-recon; ...)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; ...)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Address Mask Reply"; icode:0; itype:18; ...)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Address Mask Reply undefined code"; icode:>0; itype:18; ...)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Address Mask Request"; icode:0; itype:17; ...)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Address Mask Request undefined code"; icode:>0; itype:17; ...)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Alternate Host Address"; icode:0; itype:6; ...)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Alternate Host Address undefined code"; icode:>0; itype:6; ...)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Datagram Conversion Error"; icode:0; itype:31; ...)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Datagram Conversion Error undefined code"; icode:>0; itype:31; ...)
58. Now navigate to C:\Snort, right-click the bin folder, and select CmdHere from the context menu to open it in a command prompt.
Validate Configurations
59. Type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your device index number; in the screenshot X is 4). The log directory option is -l, a lowercase L, not -I.
60. If you entered the configuration and the command correctly, Snort loads the rules and reaches "Commencing packet processing" as shown in the following figure. To check the configuration without starting capture, add the -T switch (snort -T -c C:\Snort\etc\snort.conf); Snort then validates the configuration and exits gracefully.
Note: To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example:
/usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D
(-D and SIGHUP are Unix features. On Windows, Snort is registered as a service instead with snort /SERVICE /INSTALL followed by the usual options.)
61. If you receive a fatal error, first verify that you have typed all modifications correctly into the snort.conf file, and then search through the file for entries matching your fatal error message.
62. If you receive an error stating "Could not create the registry key," then run the command prompt as an Administrator.

C:\Snort\bin>snort -i4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
TASK 5
Start Snort
63. Start Snort in IDS mode: in the command prompt type snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 4 and then press Enter (again, use your own interface index).
64. Snort starts running in IDS mode. It first initializes the output plug-ins and preprocessors, loads the dynamic preprocessor libraries and the rule chains, and then logs all the signatures it has loaded.
65. After initializing the interface and logging the signatures, Snort starts and waits for an attack; it triggers an alert when an attack occurs on the machine.
Note: C:\Snort\etc\snort.conf is the location of the configuration file.
■ Option -l: log the output to the C:\Snort\log folder
■ Option -i 4: specify the interface

   -*> Snort! <*-
   Version 2.9.3.1-WIN32 GRE (Build 40)
   By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
   Copyright (C) 1998-2012 Sourcefire, Inc., et al.
   Using PCRE version: 8.10 2010-06-25
   Using ZLIB version: 1.2.3

   Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
   Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
   Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
   Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
   Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
   Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
   Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
   Preprocessor Object: SF_POP  Version 1.0  <Build 1>
   Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
   Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
   Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
   Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
   Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
   Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
   Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
Commencing packet processing (pid=6664)

Figure 1.20: Initializing Snort Rule Chains window
Note: When Snort is run as a daemon, the daemon creates a PID file in the log directory.
67. Leave the Snort command prompt running.
68. Attack your own machine and check whether Snort detects it or not.
TASK 6
Attack Host Machine
69. Launch your Windows 8 virtual machine (the attacker machine).
70. Open the command prompt on the attacker machine and type ping XXX.XXX.XXX.XXX -t, where XXX.XXX.XXX.XXX is the IP address of your Windows Server 2012 host; -t keeps pinging until you stop it.
71. Go to Windows Server 2012, open the Snort command prompt, and press Ctrl+C to stop Snort. Snort exits.
72. Now go to the C:\Snort\log\10.0.0.12 folder (with -K ascii, Snort creates one folder per source IP address) and open the ICMP_ECHO.ids text file.
[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:202  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:203  ECHO
73. You see that all the log entries are saved in the ICMP_ECHO.ids file. This means that your Snort installation is working correctly and triggers alerts when attacks occur on your machine. Each record shows the rule message, the timestamp, the source and destination addresses, and the ICMP type 8 (echo request) with an incrementing sequence number, which is the signature of the continuous ping sent from the attacker.
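Reading ICMP_ECHO.ids by eye works for five entries; a real sensor fills it with thousands. The following Python is an added example for this page (not the lab's or Snort's own code) that parses the full-format alert records shown above and reports which sources sent a sustained stream of echo requests, the pattern that the attacker's ping -t leaves behind. The sample records are constructed for the example in the same format as the file above; the window and count thresholds are assumptions for the example, not Snort settings.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed records in the full-alert format Snort writes to
# C:\Snort\log\<source-ip>\ICMP_ECHO.ids with -K ascii; the values are
# made up for this example and are not the lab's captured file.
SAMPLE_IDS = """\
[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:30:05.000001 10.0.0.77 -> 10.0.0.10
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
Type:8  Code:0  ID:9   Seq:1  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]$")
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)")


def parse_alerts(text, year=2012):
    """Return one dict per [**] record. Snort timestamps carry no year, so it is supplied."""
    records, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"msg": h.group("msg")}
            records.append(cur)
            continue
        if cur is None:
            continue
        p = PACKET_RE.match(line)
        if p:
            cur.update(p.groupdict())
            cur["time"] = datetime.strptime("%d/%s" % (year, p.group("ts")),
                                            "%Y/%m/%d-%H:%M:%S.%f")
            continue
        i = ICMP_RE.match(line)
        if i:
            cur.update({k: int(v) for k, v in i.groupdict().items()})
        elif line.split(" ")[0] in ("ICMP", "TCP", "UDP"):
            cur["proto"] = line.split(" ")[0]   # the "ICMP TTL:128 TOS:..." header line
    return records


def sustained_pings(records, min_count=3, window_s=10):
    """Sources that sent >= min_count echo requests inside any window_s-second window.

    One ping is background noise; a steady stream (ping -t, a sweep) is what an
    analyst wants surfaced.  Returns {src: echo requests in the busiest window}.
    """
    by_src = defaultdict(list)
    for r in records:
        if r.get("proto") == "ICMP" and r.get("type") == 8:
            by_src[r["src"]].append(r["time"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_s:
                j += 1            # slide the window's left edge forward
            best = max(best, i - j + 1)
        if best >= min_count:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_IDS)
    print("%d alert records" % len(recs))
    for src, n in sustained_pings(recs).items():
        print("sustained ping from %s: %d echo requests in 10 s" % (src, n))
```

Point parse_alerts at the contents of every *.ids file under C:\Snort\log and the per-source folders collapse into one list; the same two functions then apply to the alerts.ids that alert_fast writes, once its one-line records are split into the same fields.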
Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.
Questions
1. Determine and analyze the process to identify and monitor network ports after intrusion detection.
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Lab
Lab Objectives
The objective of this lab is to help students learn and understand IPSes and IDSes.
In this lab, you need to:
■ Install Snort and configure the snort.conf file
■ Validate configuration settings
■ Perform an attack on the host machine
■ Perform intrusion detection
■ Attempt to stop detected possible incidents
Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots
Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ Windows 8 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Administrative privileges to configure settings and run tools
Note: You can also download Kiwi Syslog Server from http://www.kiwisyslog.com
Lab Duration
Time: 10 Minutes
3. In the Choose Operating Mode wizard, check the Install Kiwi Syslog Server as an Application check box and click Next >.
Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode: The program can be run as a Service or Application.
○ Install Kiwi Syslog Server as a Service: This option installs Kiwi Syslog Server as a Windows service, allowing the program to run without the need for a user to log in to Windows. This option also installs the Kiwi Syslog Server Manager, which is used to control the service.
● Install Kiwi Syslog Server as an Application
Figure 2.2: Kiwi Syslog Server installation
4. In the Install Kiwi Syslog Web Access wizard, uncheck the option selected and click Next >.
Kiwi Syslog Server 9.3.4 Installer, Install Kiwi Syslog Web Access: Remote viewing, filtering and highlighting of Syslog events...
☐ Install Kiwi Syslog Web Access
☑ Create a new Web Access logging rule in Kiwi Syslog Server
Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server. Space required: 89.5MB.
Choose Install Location: Choose the folder in which to install Kiwi Syslog Server 9.3.4. Setup will install Kiwi Syslog Server 9.3.4 in the following folder. To install in a different folder, click Browse and select another folder. Click Install to start the installation.
Figure 2.5: Give destination folder
7. Click Finish to complete the installation.
Note: You should see a test message appear, which indicates Kiwi is working:
This is the first time the program has been run on this machine.
The following default 'Action' settings have been applied...
Happy Syslogging...
C:\Snort\etc\snort.conf in Notepad++:
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
# output log_tcpdump:

# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

Figure 2.11: snort.conf after configuration
15. Save the file and close it.
16. Open the Kiwi Syslog Server Console and press Ctrl+T. This sends a test message to Kiwi Syslog Server so that you can confirm it records alert logs.
Kiwi Syslog Server (14 Day evaluation - Version 9.3):
Date        Time      Priority      Hostname   Message
11-14-2012  16:21:30  Local7.Debug  127.0.0.1  Kiwi Syslog Server - Test message number 0001
Note: Kiwi Syslog Server filtering options:
■ Filter on IP address, hostname, or message text
■ Filter out unwanted host messages or take a different logging action depending on the host name
■ Perform an action when a message contains specific keywords
Figure 2.13: Snort alerts.ids window listing Snort alerts
19. Open a command prompt in your Windows 8 virtual machine and type this command: ping 10.0.0.10 (the IP address of your host machine, where the Kiwi Syslog Server Console is running).
20. Go to the Kiwi Syslog Service Manager window (which is already open) and observe the triggered alert logs.
Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.
Kiwi Syslog Output: The Snort alert output listed in the Kiwi Syslog Server Service Manager.
Questions
1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server.
2. Determine how you can move the Kiwi Syslog Daemon to another machine.
3. Each Syslog message includes a priority value at the beginning of the text. Evaluate the priority of each Kiwi Syslog message and on what basis messages are prioritized.
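Question 3 asks what the priority at the start of each syslog message means. In RFC 3164 syslog, the leading <PRI> number is facility * 8 + severity, so the Local7.Debug test message Kiwi showed earlier arrives as <191>, and Snort's alert_syslog plugin, which defaults to LOG_AUTH LOG_ALERT, sends <33>. The Python below is an added example for this page (not Kiwi's or Snort's code): it decodes the PRI of a received line, parses the Snort alert body in the form the alert_syslog plugin writes ([gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst), and triages by Snort's own rule priority, which is a separate number from the syslog severity. The message lines are constructed for the example; the hostname and the sid 1000001 local rule are assumptions.

```python
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed lines in the shape a receiver sees on UDP/514: the RFC 3164
# "<PRI>" prefix, then the body.  Line 1 mimics Kiwi's own test message
# (Local7.Debug = 23*8+7 = 191); the others mimic Snort's alert_syslog
# plugin with its default LOG_AUTH LOG_ALERT (4*8+1 = 33).  The hostname and
# the sid 1000001 local rule are assumptions; nothing here was captured.
SAMPLE_SYSLOG = [
    "<191>Nov 14 16:21:30 127.0.0.1 Kiwi Syslog Server - Test message number 0001",
    "<33>Nov 14 12:24:18 WIN-SRV2012 snort: [1:384:5] ICMP-INFO PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10",
    "<33>Nov 14 12:24:19 WIN-SRV2012 snort: [1:384:5] ICMP-INFO PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10",
    "<33>Nov 14 12:25:02 WIN-SRV2012 snort: [1:1000001:1] LAB Telnet attempt "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.12:50112 -> 10.0.0.10:23",
]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
SNORT_RE = re.compile(
    r"snort(?:\[\d+\])?:\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")


def decode_pri(pri):
    """Split an RFC 3164 PRI into (facility, severity) names: PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog_line(line):
    """Return {'facility', 'severity', 'snort'}; 'snort' is the parsed alert or None."""
    m = PRI_RE.match(line)
    if not m:
        return None                      # no PRI: not a syslog datagram we accept
    fac, sev = decode_pri(int(m.group("pri")))
    rec = {"facility": fac, "severity": sev, "snort": None}
    s = SNORT_RE.search(m.group("rest"))
    if s:
        d = s.groupdict()
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            d[k] = int(d[k]) if d[k] is not None else None
        rec["snort"] = d
    return rec


def triage(lines, max_priority=2):
    """Snort alerts whose rule priority (1 = most severe) is at or above the threshold.

    The syslog severity is the same for every Snort alert (whatever the output
    line sets); the number that ranks alerts is Snort's own [Priority: n].
    """
    hits = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec and rec["snort"] and rec["snort"]["prio"] <= max_priority:
            hits.append((rec["snort"]["sid"], rec["snort"]["src"], rec["snort"]["dst"]))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        rec = parse_syslog_line(line)
        print(rec["facility"], rec["severity"], rec["snort"] and rec["snort"]["msg"])
    print("needs attention:", triage(SAMPLE_SYSLOG))
```

A Kiwi filter keyed on the syslog priority would treat every Snort alert alike, since the output plugin stamps them all with the same facility and severity; the rule priority inside the message body is what a "perform an action when a message contains specific keywords" rule should match on.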
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Lab Objectives
The objective of this lab is to make students learn and understand IPSes and IDSes.
In this lab, you need to:
■ Detect hackers and worms in a network
■ Provide network security
Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots
Lab Environment
To carry out this lab, you need:
Lab Duration
Time: 10 Minutes
Figure 3.1: KFSensor window with Setup Wizard
Note: To set up common ports, KFSensor has a set of pre-defined listen definitions. They are:
■ Windows Workstation
■ Windows Server Admin
■ Windows Internet Services
■ Windows Applications
■ Linux (services not usually in Windows)
■ Trojans and worms
4. In the Start menu apps, right-click the KFSensor app, and click Run as Administrator at the bottom.
Figure 3.2: KFSensor window with Setup Wizard
5. At the first-time launch of the KFSensor Set Up Wizard, click Next.
Wizard text: The KFSensor Set Up Wizard will take you through a number of steps to configure your system. All of these configurations can be modified later using the menu option. You might like to read the manual at this point to learn how KFSensor works and the concepts behind it.
Note: The Set Up Wizard is used to perform the initial configuration of KFSensor.
Behind the wizard, the KFSensor main window (kfsensor - localhost) already shows its listener tree (among the entries: 21 FTP, 25 SMTP, 53 DNS, DHCP, 80 IIS, 110 POP3, 119 NNTP, 135 RPC, 139 NBT Session, 389 LDAP, 443 HTTPS, 1080 SOCKS, 1433 SQL Server, 3128 IIS Proxy, 3268 Global Catalog) and, in the event pane, the NBT Datagram broadcasts received from the other hosts on the lab network (WIN-ULY358K, WIN-D39MR5I, WIN-LXQN3W, WIN-MSSELG, WINDOWS8).
Figure 3.5: KFSensor window with Setup Wizard
If you want to send KFSensor alerts by email, then specify the email
address details and click Next.
The KFSensor Monitor is a module that provides the user interface to the KFSensor system. With it you can configure the KFSensor Server and examine the events that it generates.
[Screenshot: Set Up Wizard options page with Wizard Help, Back, Next and Cancel buttons]
FIGURE 3.7: KFSensor Window with Setup Wizard - options
10. Check the Install as system service option and click Next.
[Screenshot: KFSensor Monitor main window (kfsensor - localhost). Left pane: the TCP sensor ports (2 Death Trojan, 7 Echo, 9 Discard, 13 Daytime, 17 Quote of the day, 19 chargen, 21 FTP, 22 SSH, 25 SMTP, 53 DNS, 68 DHCP, 80 IIS, 81/82/83 IIS, 88 Kerberos, 110 POP3, 119 NNTP, 135 MS RPC, 139 NBT Session, 339 LDAP, 443 HTTPS, 445 NBT SMB, 593 CIS, 1028 MS CIS, 1080 SOCKS, 1433 SQL Server, 2234 DirectPlay, 3128 IIS Proxy, 3268 Global Catalog). Right pane: event list with columns ID, Start, Duration, Protocol, Sensor port, Name, Visitor, showing UDP 138 NBT Datagram events dated 9/26/2012 and 9/27/2012 from visitors WIN-ULY358K, WIN-LXQN3W, WIN-MSSELG, WIN-D39MR5I, WIN-2N9STO and WINDOWS8, and one TCP 23 Telnet event at 9/27/2012 6:24:13 PM]
Each visitor detected by the KFSensor Server is ... the visitor's IP address. An icon is displayed indicating ...
[Screenshots: KFSensor Tools menu (DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, Port Scanner, Host Monitor); DNS List Hosts settings dialog; Port Scanner settings dialog (Destination 10.0.0.12, Protocols TCP and UDP, Scan Type: Range of Ports / Custom Ports) and its result list (1080 TCP socks, 1433 TCP ms-sql-s Microsoft SQL Server, 1494 TCP ica Citrix ICA Client, 1801 TCP)]
The Visitors View is ... down as well.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.
KFSensor Honeypot IDS
Output:
Infected Port number: 1080
Number of Detected Trojans: 2
Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
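The triage a defender does on the KFSensor event list above, as an added example (not the lab's or KFSensor's own code): it parses constructed event lines in the Monitor's column layout and labels each visitor, so the routine NBT Datagram chatter on UDP 138 is separated from a host touching Trojan listener ports such as 1080. The set of Trojan ports is only partly from the lab (2 and 1080); 12345 and 31337 are an assumption.

```python
"""Triage of KFSensor-style honeypot events.

Added example, not part of the CEH lab or of KFSensor. It parses constructed
event lines laid out like the KFSensor Monitor columns (ID, Start, Duration,
Protocol, Sensor port, Name, Visitor) and groups them per visitor, so NetBIOS
chatter on UDP 138 is told apart from a host probing Trojan listener ports.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Ports treated as Trojan/backdoor listeners: 2 (Death Trojan) and 1080 (SOCKS)
# appear in the lab; 12345 (NetBus) and 31337 (Back Orifice) are an assumption.
TROJAN_PORTS = {2, 1080, 12345, 31337}

@dataclass
class Event:
    event_id: int
    start: datetime
    protocol: str
    port: int
    name: str
    visitor: str

def parse_event(line: str) -> Event:
    """Parse one tab-separated line in the constructed export format."""
    eid, start, _duration, proto, port, name, visitor = line.split("\t")
    return Event(int(eid), datetime.strptime(start, "%m/%d/%Y %I:%M:%S %p"),
                 proto, int(port), name, visitor)

def triage(lines) -> dict:
    """Return {visitor: {"ports": [...], "trojan_hits": n, "verdict": str}}."""
    by_visitor = defaultdict(list)
    for event in (parse_event(l) for l in lines if l.strip()):
        by_visitor[event.visitor].append(event)
    report = {}
    for visitor, events in by_visitor.items():
        ports = sorted({(e.protocol, e.port) for e in events})
        hits = sum(e.protocol == "TCP" and e.port in TROJAN_PORTS for e in events)
        if hits:
            verdict = "trojan/backdoor probe"
        elif len(ports) >= 3:
            verdict = "port scan"
        elif ports == [("UDP", 138)]:
            verdict = "NetBIOS datagram broadcast (expected)"
        else:
            verdict = "single probe"
        report[visitor] = {"ports": ports, "trojan_hits": hits, "verdict": verdict}
    return report

# Constructed sample events modelled on the lab's event list (tab-separated).
SAMPLE_EVENTS = """\
1\t9/27/2012 5:15:31 PM\t0.000\tUDP\t138\tNBT Datagram\tWIN-2N9STO
2\t9/27/2012 5:15:35 PM\t0.000\tUDP\t138\tNBT Datagram\tWIN-MSSELG
3\t9/27/2012 6:24:13 PM\t0.000\tTCP\t23\tTelnet\t10.0.0.12
4\t9/27/2012 6:24:14 PM\t0.010\tTCP\t21\tFTP\t10.0.0.12
5\t9/27/2012 6:24:15 PM\t0.020\tTCP\t1080\tSOCKS\t10.0.0.12
6\t9/27/2012 6:24:16 PM\t0.020\tTCP\t1080\tSOCKS\t10.0.0.12
"""
```

Running `triage(SAMPLE_EVENTS.splitlines())` reports two Trojan-port hits for 10.0.0.12, matching the lab's "Number of Detected Trojans: 2" on port 1080, while the Windows hosts are labelled as expected NetBIOS broadcasts.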
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Lab Scenario
Attackers are always in a hunt for clients that can be easily compromised and
they can enter your network by IP spoofing to damage or steal your data. The
attacker can get packets through a firewall by spoofing the IP address. If
attackers are able to capture network traffic as you have learned to do in the
previous lab, they can perform Trojan attacks, registry attacks, password
hijacking attacks, etc., which can prove to be disastrous for an organization's
network. An attacker may use a network probe to capture raw packet data and
then use this raw packet data to retrieve packet information such as source and
destination IP address, source and destination ports, flags, header length,
checksum, Time to Live (TTL), and protocol type.
Hence, as a network administrator you should be able to identify attacks by
extracting information from captured traffic such as source and destination IP
addresses, protocol type, header length, source and destination ports, etc. and
compare these details with modeled attack signatures to determine if an attack
has occurred. You can also check the attack logs for the list of attacks and take
evasive actions.
Also, you should be familiar with the HTTP tunneling technique by which you
can identify additional security risks that may not be readily visible by
conducting simple network and vulnerability scanning and determine the extent
to which a network IDS can identify malicious traffic within a communication
channel. In this lab, you will learn HTTP tunneling using HTTPort.
Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort
and HTTHost.
Lab Environment
In the lab, you need the HTTPort tool.
■ You can also download the latest version of HTTPort from the link
http://www.targeted.org
■ If you decide to download the latest version, then screenshots shown in
the lab might differ
■ Install HTTHost on Windows 8 Virtual Machine
■ Install HTTPort on Windows Server 2012 Host Machine
■ Follow the wizard-driven installation steps and install it
■ Administrative privileges are required to run this tool
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots
Lab Duration
Time: 20 Minutes
Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort
allows using all sorts of Internet software from behind the proxy. It bypasses HTTP
proxies and HTTP firewalls, and transparent accelerators.
Lab Tasks
TASK 1: Stopping IIS Services
1. Before running the tool you need to stop IIS Admin Service and World Wide
Web services on Windows Server 2008 virtual machine.
[Screenshot: Services console (Extended / Standard tabs), "Stop service IIS Admin Service on Local Computer"]
Tools demonstrated in this lab are available in Z:\ Mapped Network Drive
[Screenshot: HTTHost 1.8.5 Network options: Bind listening to 0.0.0.0, port 80; Bind external to 0.0.0.0; Allow access from 0.0.0.0; Personal password (masked); Passthrough unrecognized requests to Host name or IP 127.0.0.1, Port 81, Original IP header field x-Original-IP; Max. local buffer 256K; Timeouts 0:1:2; Revalidate DNS names; Log connections (checked); Apply]
[Screenshot: HTTPort Proxy tab: Host name or IP address, Port; Use personal remote host at (blank = use public)]
HTTPort goes with the predefined mapping "External HTTP proxy" of local port ...
15. Select the Proxy tab and enter the Host name or IP address of the targeted
machine.
16. Here, as an example, enter the Windows Server 2008 virtual machine IP
address, and enter Port number 80.
17. You cannot set the Username and Password fields.
18. In the Use personal remote host at section, enter the targeted Host
machine IP address and the port should be 80.
19. Here any password could be chosen. Here as an example the password is
magic.
[Screenshot: HTTPort 3.SNFM, Proxy tab (tabs: System, Proxy, Port mapping, About, Register): Host name or IP address; Port 80; Proxy requires authentication (Username, Password); Use personal remote host at (blank = use public)]
In real world environment, people sometimes use password protected proxy to make company employees to access the Internet.
[Screenshot: HTTPort Port mapping tab: Static TCP/IP port mappings (tunnels) with New mapping, Local port, Remote host (remote.host.name), Remote port and Add / Remove / Edit buttons; "Select a mapping to see statistics: No stats - inactive"; Built-in SOCKS4 server: Run SOCKS server (port 1080), Full SOCKS4 support (BIND) available in "Remote Host" mode; Misc. options: User-Agent, Bypass mode: Remote host; Use personal remote host at (blank = use public)]
HTTHost supports the registration, but it is free and password-free - you will be issued a unique ID, with which you can contact the support team and ask your questions.
We only support non-password protected proxy.
27. Check the last line. If Listener: listening at 0.0.0.0:80, then it is running
properly.
HTTHost 1.8.5
Application log:
MAIN HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
MAIN Project codename: 99 red balloons
MAIN Written by Dmitry Dvoinikov
MAIN (c) 1999-2004, Dmitry Dvoinikov
MAIN 64 total available connection(s)
MAIN network started
MAIN RSA keys initialized
MAIN loading security filters...
MAIN loaded filter "grant.dll" (allows all connections within
MAIN loaded filter "block.dll" (denies all connections within
MAIN done, total 2 filter(s) loaded
MAIN using transfer encoding: PrimeScrambler64/SevenT
grant.dll: filters connections
block.dll: filters connections
LISTENER: listening at 0.0.0.0:80
[Tabs: Statistics | Application log | Options | Security | Send a Gift]
FIGURE 4.10: HTTHost Application log section
28. Now switch to Windows Server 2008 host machine and turn ON the
Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
30. Select Outbound rules from the left pane of the window, then click New
Rule in the right pane of the window.
[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list (Core Networking rules such as IPv6, Multicast Listener Done / Query / Report, profile Any, action Allow) with the New Rule action and Help in the right pane]
FIGURE 4.11: Windows Firewall with Advanced Security window in Windows Server 2008
31. In the New Outbound Rule Wizard, check the Port option in the Rule Type
section and click Next.
[Screenshot: New Outbound Rule Wizard, Rule Type page (Predefined: rule that controls connections for a Windows experience; Custom: custom rule) and Protocol and Ports page: "Does this rule apply to TCP or UDP?" TCP selected; "Does this rule apply to all local ports or specific local ports?" All local ports selected. Steps: Rule Type, Protocol and Ports, Action, Profile, Name]
You need to install htthost on a PC, who is generally accessible on the Internet - typically your "home" PC. This means that if you started a Webserver on the home PC, everyone else must be able to connect to it. There are two showstoppers for htthost on home PCs ...
33. In the Action section, select Block the connection and click Next.
[Screenshot: New Outbound Rule Wizard, Action page: "Specify the action that is taken when a connection matches the conditions specified in the rule." Options include Allow the connection (allow connections that have been protected with IPsec as well as those that have not) and Block the connection]
NAT/firewall issues: You need to enable an incoming port. For ... 443.
[Screenshot: New Outbound Rule Wizard, Profile page: "When does this rule apply?" Domain (applies when a computer is connected to its corporate domain), Private (applies when a computer is connected to a private network location), Public (applies when a computer is connected to a public network location); all three checked]
[Screenshot: New Outbound Rule Wizard, Name page]
[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list with the new rule "Port 21 Blocked" above the Core Networking, Distributed Transaction Coordinator, File and Printer Sharing, Hyper-V and iSCSI Service rules; right-pane actions Refresh, Export List, Help, Disable Rule, Delete, Properties ("Opens the properties dialog box for the current selection")]
Enables you to bypass your HTTP proxy in case it blocks you from the Internet.
FIGURE 4.18: Windows Firewall new rule properties
38. Select the Protocols and Ports tab. Change the Remote Port option to
Specific Ports and enter the Port number as 21.
39. Leave the other settings as their defaults and select Apply → OK.
[Screenshot: rule properties, Protocols and Ports tab: Protocol type TCP; Protocol number; Local port: All Ports; Remote port: Specific Ports, 21 (Example: 80, 445, 8080); Internet Control Message Protocol (ICMP) settings; OK / Cancel / Apply]
... various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software ...
FIGURE 4.20: ftp connection is blocked
41. Now open a command prompt in Windows Server 2008 host machine and
type ftp ftp.certifiedhacker.com and press Enter.
Administrator: Command Prompt - ftp ftp.certifiedhacker.com
C:\Users\Administrator>ftp ftp.certifiedhacker.com
Connected to ftp.certifiedhacker.com.
220-Microsoft FTP Service
220 Welcome TO FTP Account
User (ftp.certifiedhacker.com:(none)): _
HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The keywords here are: "client" and "any software".
FIGURE 4.21: Executing ftp command
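Why the ftp session in step 41 still connects after the outbound rule from steps 29-39, as an added example (not from the lab, HTTPort or Microsoft): a small model of Windows Firewall outbound rule evaluation run over constructed flows. HTTHOST and PROXY are placeholder host names, and the default-deny egress policy at the end is an assumed mitigation that goes beyond what the lab configures.

```python
"""Why the outbound TCP/21 block from steps 29-39 does not stop the tunnelled ftp.

Added example, not part of the CEH lab, HTTPort or Windows Firewall. It models
Windows Firewall outbound rule matching (a matching block rule wins, then allow,
then the default outbound action) and evaluates the direct ftp session against
the same session carried by HTTPort inside TCP/80 to HTTHost. The default-deny
egress policy at the end is an assumed mitigation, not a step from the lab.
"""
from dataclasses import dataclass, field
from typing import Optional

ALL_PROFILES = {"domain", "private", "public"}   # the three boxes in the wizard

@dataclass
class Rule:
    name: str
    action: str                          # "block" or "allow"
    protocol: str = "TCP"
    remote_port: Optional[int] = None    # None = any remote port
    remote_host: Optional[str] = None    # None = any remote address
    profiles: set = field(default_factory=lambda: set(ALL_PROFILES))

    def matches(self, flow: dict) -> bool:
        return (self.protocol == flow["protocol"]
                and flow["profile"] in self.profiles
                and self.remote_port in (None, flow["dst_port"])
                and self.remote_host in (None, flow["dst_host"]))

def evaluate(rules, flow: dict, default_outbound: str = "allow") -> str:
    """Verdict for one outbound flow; the firewall only sees the outer TCP flow."""
    matched = [r for r in rules if r.matches(flow)]
    if any(r.action == "block" for r in matched):
        return "block"
    if any(r.action == "allow" for r in matched):
        return "allow"
    return default_outbound

# The rule the lab creates: outbound, TCP, remote port 21, all profiles, Block.
LAB_RULES = [Rule("Port 21 Blocked", "block", remote_port=21)]

# Constructed flows; HTTHOST and PROXY are placeholders, not lab addresses.
# "inner" is the protocol really being spoken, which no port rule can see.
DIRECT_FTP = {"protocol": "TCP", "dst_host": "ftp.certifiedhacker.com",
              "dst_port": 21, "profile": "private", "inner": "ftp"}
TUNNELLED_FTP = {"protocol": "TCP", "dst_host": "HTTHOST", "dst_port": 80,
                 "profile": "private", "inner": "ftp"}
PROXY_WEB = {"protocol": "TCP", "dst_host": "PROXY", "dst_port": 80,
             "profile": "private", "inner": "http"}

# Assumed mitigation: default outbound action Block, TCP/80 allowed only to PROXY.
EGRESS_RULES = LAB_RULES + [Rule("Allow web via proxy", "allow",
                                 remote_port=80, remote_host="PROXY")]

def lab_policy(flow: dict) -> str:
    return evaluate(LAB_RULES, flow)

def egress_policy(flow: dict) -> str:
    return evaluate(EGRESS_RULES, flow, default_outbound="block")
```

Under the lab's single rule the direct ftp flow is blocked but the tunnelled one to TCP/80 is allowed, which is exactly what Figure 4.21 shows; only the default-deny egress policy that restricts TCP/80 to the approved proxy blocks the tunnel as well.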
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols
you discovered during the lab.
HTTPort
Port scanned: 80
Result: ftp 127.0.0.1 connected to 127.0.0.1
Questions
1. How would you set up an HTTPort to use an email client (Outlook,
Messenger, etc.)?
2. Examine if the software does not allow editing the address to connect to.
Internet Connection Required
☑ Yes □ No
Platform Supported
□ iLabs