
CEH Lab Manual

Evading IDS, Firewalls, and Honeypots
Module 17
Module 17 - Evading IDS, Firewalls and Honeypots

Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

Lab Scenario

Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are those that have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress, including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a "process of identifying and responding to malicious activity targeted at computing and networking resources." In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Lab Objectives
The objective of this lab is to help students learn and detect intrusions in a network, log, and view all log files. In this lab, you will learn how to:
■ Install and configure Snort IDS
■ Run Snort as a service
■ Log Snort log files to Kiwi Syslog server
■ Store Snort log files to two output sources simultaneously

Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.
Lab Environment
To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine
■ A computer running Windows Server 2008, Windows 8, or Windows 7 as a virtual machine
■ WinPcap drivers installed on the host machine

CEH Lab Manual Page 847 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools
■ A web browser with Internet access

Lab Duration
Time: 40 Minutes

Overview of Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. In addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself or changing the security environment.
IDPSes are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in using IDSes:
■ Detecting Intrusions Using Snort
■ Logging Snort Alerts to Kiwi Syslog Server
■ Detecting Intruders and Worms using KFSensor Honeypot IDS
■ HTTP Tunneling Using HTTPort

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Detecting Intrusions using Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by reviewing IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trending data from the Internet. The IDS attacks are becoming more sophisticated; automatically reasoning about the attack scenarios in real time and categorizing those scenarios becomes a critical challenge. These result in huge amounts of data, and from this data they must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.
Lab Objectives
The objective of this lab is to familiarize students with IPSes and IDSes.
In this lab, you need to:
■ Install Snort and verify Snort alerts
■ Configure and validate the snort.conf file
■ Test the working of Snort by carrying out an attack test
■ Perform intrusion detection
■ Configure Oinkmaster

Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.

Lab Environment
To carry out this lab, you need:


■ A computer running Windows Server 2012 as a host machine
■ Windows 7 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools

Lab Duration
Time: 30 Minutes

Overview of Intrusion Prevention Systems and Intrusion Detection Systems

An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity.
An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.

Note: You can also download Snort from http://www.snort.org.

Lab Tasks

TASK 1: Install Snort
1. Start Windows Server 2012 on the host machine. Install Snort.
2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.
4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.
5. A window appears after successful installation of Snort. Click the Close button.
6. Click OK to exit the Snort Installation window.


Figure 1.1: Snort Successful Installation Window

The Snort 2.9.3.1 Setup dialog reads: "Snort has successfully been installed. Snort also requires WinPcap 4.1.1 to be installed on this machine. WinPcap can be downloaded from: http://www.winpcap.org/ It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable. Next, you must manually edit the 'snort.conf' file to specify proper paths to allow Snort to find the rules files and classification files."

7. Snort requires WinPcap to be installed on your machine.
8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort, and double-clicking WinPcap_4_1_2.exe.
9. By default, Snort installs itself in C:\Snort (C:\ or D:\ depending upon the disk drive in which the OS is installed).
10. Register on the Snort website https://www.snort.org/signup in order to download Snort Rules. After registration completes, it will automatically redirect to a download page.
11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.
12. Extract the downloaded rules and copy the extracted folder in this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
13. Rename the extracted folder to snortrules.
14. Now go to the etc folder in the specified location D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc of the extracted Snort rules, copy the snort.conf file, and paste this file in C:\Snort\etc.
15. The snort.conf file is already present in C:\Snort\etc; replace this file with the Snort rules snort.conf file.
16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.

Note: WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.


17. Replace the preproc_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.
18. Copy all the files from this location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.
19. Now navigate to C:\Snort, right-click the bin folder, and click CmdHere from the context menu to open it in a command prompt.

TASK 2: Verify Snort Alert
20. Type snort and press Enter.


Figure 1.2: Snort Basic Command (command prompt showing C:\Snort\bin>snort running in packet dump mode, with the "Initializing Snort", "Initialization Complete" and "Commencing packet processing" messages and the Snort Version 2.9.3.1-WIN32 GRE (Build 40) banner)

Note: To print out the TCP/IP packet headers to the screen (i.e. sniffer mode), type: snort -v.

21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and comes back to C:\Snort\bin.
22. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet Drivers, but all are disabled by default.

Figure 1.3: snort -W Command (command prompt listing, for each interface, its Index, Physical Address, IP Address, Device Name and Description; in the lab every interface is shown as disabled)

23. Observe your Ethernet Driver index number and write it down; in this lab, the Ethernet Driver index number is 1.
24. To enable the Ethernet Driver, in the command prompt, type snort -dev -i 2 and press Enter.


25. You see rapidly scrolling text in the command prompt. It means the Ethernet Driver is enabled and working properly.

Note: To specify a logging directory, type snort -dev -l /logdirectorylocation and Snort automatically knows to go into packet logger mode.

Figure 1.4: snort -dev -i 4 Command (command prompt showing Snort acquiring network traffic from the selected \Device\NPF_ interface, the "Initialization Complete" banner, and captured ARP who-has packets)

26. Leave the Snort command prompt window open, and launch another command prompt window.
27. In a new command prompt, type ping google.com and press Enter.

Note: Ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

Figure 1.5: Ping google.com Command

28. This ping command triggers a Snort alert in the Snort command prompt with rapidly scrolling text.

Note: To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.

Figure 1.6: Snort Showing Captured Google Request (the snort -dev -i 4 window showing decoded TCP packets between 10.0.0.10:51345 and 74.125.236.85:443, with Ethernet, IP and TCP header fields and a hex/ASCII payload dump, followed by ARP who-has packets)


29. Close both command prompt windows. The verification of the Snort installation and triggering of alerts is complete, and Snort is working correctly in verbose mode.

TASK 3: Configure snort.conf File
30. Configure the snort.conf file located at C:\Snort\etc.
31. Open the snort.conf file with Notepad++.
32. The snort.conf file opens in Notepad++ as shown in the following screenshot.

Note: Make sure to grab the rules for the version of Snort you are installing.

Note: To log packets in tcpdump format and to produce minimal alerts, type: snort -b -A fast -c snort.conf.

Figure 1.7: Configuring snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line, replace any with the IP address (Line 45) of the machine where Snort is running.

Figure 1.8: Configuring snort.conf File in Notepad++ (the HOME_NET line now reads ipvar HOME_NET 10.0.0.10)

Note: Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.

34. Leave the EXTERNAL_NET any line as it is.


35. If you have a DNS Server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS Server IP address; otherwise, leave this line as it is.
36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.

Note: The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.
Figure 1.9: Configuring snort.conf File in Notepad++ (Lines 104-106 now read var RULE_PATH C:\Snort\rules, var SO_RULE_PATH C:\Snort\so_rules and var PREPROC_RULE_PATH C:\Snort\preproc_rules, while var WHITE_LIST_PATH ../rules and var BLACK_LIST_PATH ../rules on Lines 113-114 are still relative)

Note: Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators ? and -.

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.

Figure 1.10: Configuring snort.conf File in Notepad++ (var WHITE_LIST_PATH and var BLACK_LIST_PATH now point at C:\Snort\rules)


40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules; make sure the two files' extensions are .rules.
41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure dynamic loaded libraries in this section.
42. At path to dynamic preprocessor libraries (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.
43. In this lab, dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.

Note: The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.
Figure 1.11: Configuring snort.conf File in Notepad++ (Line 247 now reads dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor; the dynamicengine line on Line 250 and the dynamicdetection directory line on Line 253 still hold their /usr/local/lib defaults)

Note: Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.

44. At path to base preprocessor (or dynamic) engine (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

Note: Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.

Figure 1.12: Configuring snort.conf File in Notepad++


45. Comment (#) the dynamic rules libraries line, as you already configured the libraries in dynamic preprocessor libraries (Line 253).

Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

Figure 1.13: Configuring snort.conf File in Notepad++ (Line 250 now reads dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll and the dynamicdetection directory line on Line 253 is commented out)

46. Scroll down to the Step #5: Configure Preprocessors section (Line 256). The listed preprocessors do nothing in IDS mode but generate errors at runtime.
47. Comment all the preprocessors listed in this section by adding # before each preprocessor.

Note: IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

Note: Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]

Figure 1.14: Configuring snort.conf File in Notepad++ (the preprocessor normalize_ip4, normalize_tcp, normalize_icmp4, normalize_ip6 and normalize_icmp6 lines are commented out with #)

48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.
49. These two files are in C:\Snort\etc. Provide this location of the files in configure output plugins (in Lines 540 and 541).


[Figure 1.15 shows snort.conf at Step #6: Configure output plugins. The unified2, alert_unified2, log_unified2 and database output lines are still commented out, and the two metadata includes (lines 540 and 541) now read include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config.]

Note: The frag3 preprocessor is a target-based IP defragmentation module for Snort.

Figure 1.15: Configuring Snort.conf File in Notepad++

50. In this Step #6, add the line output alert_fast: alerts.ids so that Snort writes all alerts to the alerts.ids file.
[Figure 1.16 shows the same section of snort.conf with the new line output alert_fast: alerts.ids inserted above the two include lines.]

Note: 'ipvar's are enabled only with IPv6 support. Without IPv6 support, use a regular 'var'.

Figure 1.16: Configuring Snort.conf File in Notepad++

51. By default, the C:\Snort\log folder is empty, without any files in it. Go to the C:\Snort\log folder and create a new text file with the name alerts.ids.

52. Ensure that the extension of that file is .ids.

Note: Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals:
1. Faster execution than frag2 with less complex data management.
2. Target-based host modeling anti-evasion techniques.


[Figure 1.17 shows the C:\Snort\log folder in File Explorer containing the single new file alerts.ids (1 item).]

Figure 1.17: Configuring Snort.conf File in Notepad++

53. In the snort.conf file, find and replace the ipvar string with var. By default the string is ipvar, which is not recognized by this Snort build because it lacks IPv6 support, so replace it with the var string.
Note: Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This allows administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.

[Figure 1.18 shows the Notepad++ Replace dialog: Find what: ipvar, Replace with: var, Wrap around checked, Search Mode: Normal; click Replace All.]

Note: Three types of variables may be defined in Snort:
■ var
■ portvar
■ ipvar

Figure 1.18: Configuring Snort.conf File in Notepad++

54. Save the snort.conf file.
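The edits in steps 48 to 54 can be scripted and checked rather than made by hand. The following is an added example, not part of the lab manual or of Snort; it works on a constructed fragment of snort.conf (SAMPLE_CONF) laid out like the stock file, using the lab's C:\Snort\etc path and the alerts.ids file name. apply_lab_edits makes the three changes, check_config reports anything still missing.

```python
"""Apply and verify the lab's snort.conf edits (steps 48-54).

Added example, not part of the CEH lab manual or of Snort. SAMPLE_CONF is a
constructed fragment in the layout of the stock snort.conf; the paths and the
alerts.ids file name are the ones the lab uses.
"""
import re

SAMPLE_CONF = """\
# Step #1: Set the network variables.  For more information, see README.variables
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules

# Step #6: Configure output plugins
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# metadata reference data.  do not modify these lines
include classification.config
include reference.config
"""

# The two metadata includes the lab points at C:\Snort\etc (group 2 is whatever path prefix is already there).
INCLUDE_RE = re.compile(r'^(\s*)include\s+(\S*?)(classification\.config|reference\.config)\s*$')
ALERT_FAST_RE = re.compile(r'^\s*output\s+alert_fast:', re.M)


def apply_lab_edits(conf, etc_dir=r'C:\Snort\etc', alert_file='alerts.ids'):
    """Return conf with the three lab edits applied; running it twice changes nothing."""
    have_alert_fast = bool(ALERT_FAST_RE.search(conf))
    out = []
    for line in conf.splitlines():
        # Step 53: this Windows build lacks IPv6 support, so 'ipvar' is unknown; use 'var'.
        line = re.sub(r'^(\s*)ipvar\b', r'\1var', line)
        m = INCLUDE_RE.match(line)
        if m:
            # Step 50: put the alert_fast output just above the metadata includes, once.
            if m.group(3) == 'classification.config' and not have_alert_fast:
                out.append(f'output alert_fast: {alert_file}')
                have_alert_fast = True
            # Steps 48-49: absolute path for the include.
            line = f'{m.group(1)}include {etc_dir}\\{m.group(3)}'
        out.append(line)
    return '\n'.join(out) + '\n'


def check_config(conf):
    """Return a list of problems; an empty list means the lab edits are all in place."""
    problems = []
    for n, line in enumerate(conf.splitlines(), 1):
        s = line.strip()
        if re.match(r'ipvar\b', s):
            problems.append(f'line {n}: ipvar needs IPv6 support; use var')
        m = INCLUDE_RE.match(s)
        if m and not re.match(r'^[A-Za-z]:\\', m.group(2)):
            problems.append(f'line {n}: {m.group(2)}{m.group(3)} is not an absolute Windows path')
    if not ALERT_FAST_RE.search(conf):
        problems.append('Step #6 has no "output alert_fast:" line')
    return problems


if __name__ == '__main__':
    fixed = apply_lab_edits(SAMPLE_CONF)
    print(fixed)
    print('before:', check_config(SAMPLE_CONF))
    print('after :', check_config(fixed))
```

On a real installation, read C:\Snort\etc\snort.conf, pass its text through apply_lab_edits and write the result back only when check_config on the result is empty; the include regex keeps any path prefix already present, so re-running the script on an edited file is safe.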


55. Before running Snort you need to enable detection rules in the Snort rules files; for this lab we have enabled one ICMP rule so that Snort can detect any host discovery ping probes to the system running Snort.
56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.

57. Uncomment line number 47 (the ICMP-INFO PING rule) by removing its leading #, then save and close the file.


[Figure 1.19 shows C:\Snort\rules\icmp-info.rules in Notepad++. Every rule in the file is commented out with a leading # except line 47, which now reads:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; ...)
The status bar shows Ln:47, Col:1.]

Figure 1.19: Configuring Snort.conf File in Notepad++
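To see exactly what uncommenting line 47 changes, the following added example (not part of the lab manual or of Snort) parses rule lines in the format of icmp-info.rules and lists which are active. SAMPLE_RULES is a constructed excerpt: the ICMP-INFO PING rule carries the sid:384 rev:6 that Snort reports for it later in this lab, the sids 1000001 and up on the commented rules are made up for the example.

```python
"""Parse Snort 2.x rules and show which ones are active (lab steps 55-57).

Added example, not part of the CEH lab manual or of Snort. SAMPLE_RULES is a
constructed excerpt in the layout of icmp-info.rules: a leading '#' disables a
rule. The sid:384 rev:6 of the ICMP-INFO PING rule is the one Snort reports in
the lab; the other sids (1000001 and up) are made up for this example.
"""
import re
from dataclasses import dataclass, field

SAMPLE_RULES = """\
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Windows"; itype:8; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; classtype:misc-activity; sid:1000001; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO traceroute"; itype:8; ttl:1; classtype:attempted-recon; sid:1000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:6;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:1000003; rev:1;)
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    enabled: bool
    lineno: int
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)   # (keyword, value) pairs in file order

    def opt(self, key):
        """First value of an option keyword, or None if the rule lacks it."""
        return next((v for k, v in self.options if k == key), None)


def split_options(text):
    """Split 'msg:"a;b"; itype:8; nocase;' into pairs; a ';' inside quotes does not split."""
    pairs, buf, quoted = [], [], False

    def flush():
        item = ''.join(buf).strip()
        if item:
            key, _, val = item.partition(':')
            pairs.append((key.strip(), val.strip().strip('"')))
        buf.clear()

    i = 0
    while i < len(text):
        c = text[i]
        if quoted and c == '\\':          # keep escaped characters such as \" or \; intact
            buf.append(text[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ';' and not quoted:
            flush()
        else:
            buf.append(c)
        i += 1
    flush()
    return pairs


def parse_rules(text):
    """Every rule in the text, commented-out ones included (enabled=False)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith('#')
        m = HEADER_RE.match(line.lstrip('#').strip())
        if m is None:                     # an ordinary comment, not a commented-out rule
            continue
        rules.append(Rule(enabled, lineno, m['action'], m['proto'], m['src'], m['sport'],
                          m['dir'], m['dst'], m['dport'], split_options(m['opts'])))
    return rules


def active_rules(text):
    return [r for r in parse_rules(text) if r.enabled]


def icmp_rule_matches(rule, itype, icode):
    """Does an enabled icmp rule's itype/icode constraint admit this packet?
    Only plain integer values are handled (no '<', '>' or ranges); a missing
    option constrains nothing, as in Snort. content/ttl options are ignored here."""
    if not rule.enabled or rule.proto != 'icmp':
        return False
    for key, have in (('itype', itype), ('icode', icode)):
        want = rule.opt(key)
        if want is not None and (not want.isdigit() or int(want) != have):
            return False
    return True


if __name__ == '__main__':
    for r in parse_rules(SAMPLE_RULES):
        state = 'ON ' if r.enabled else 'off'
        print(f'{state} line {r.lineno}: sid {r.opt("sid")} {r.opt("msg")!r} '
              f'itype={r.opt("itype")} icode={r.opt("icode")}')
```

Run against the real C:\Snort\rules\icmp-info.rules the listing shows that, after step 57, an ICMP echo request (type 8, code 0) from $EXTERNAL_NET is the only thing in that file that fires, which is what the ping in the later steps relies on.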

TASK: Validate Configurations

58. Now navigate to C:\Snort, right-click the bin folder, and select CmdHere from the context menu to open it in the command prompt.

59. Type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your device index number; in this lab X is 1).

60. If you enter all the command information correctly, you receive a graceful exit as shown in the following figure. To check a configuration without capturing any traffic, add the -T switch: Snort then tests the configuration, reports any error and exits.

61. If you receive a fatal error, you should first verify that you have typed all modifications correctly into the snort.conf file and then search through the file for entries matching your fatal error message.

62. If you receive an error stating "Could not create the registry key," then run the command prompt as an Administrator.

Note: To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example:
/usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

[Figure 2.18 shows the Administrator command prompt with the command C:\Snort\bin>snort -i4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii (the screenshot was taken with interface index 4; use your own).]

Figure 2.18: Snort Successfully Validated Configuration Window

TASK: Start Snort

63. Start Snort in IDS mode: in the command prompt type snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 2 and then press Enter.


Figure 2.19: Start Snort in IDS Mode Command

64. Snort starts running in IDS mode. It first initializes the output plug-ins, preprocessors and plug-ins, loads the dynamic preprocessor libraries and the Snort rule chains, and then logs all signatures.
65. After initializing the interface and logging the signatures, Snort starts and waits for an attack, triggering an alert when an attack occurs on the machine.

Note:
■ C:\Snort\etc\snort.conf is the location of the configuration file
■ Option -l logs the output to the C:\Snort\log folder
■ Option -i 2 specifies the interface

Note: Run Snort as a daemon syntax: /usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

[Figure 1.20 shows the Snort start-up banner: Version 2.9.3.1-WIN32 GRE (Build 40), By Martin Roesch & The Snort Team, Copyright (C) 1998-2012 Sourcefire, Inc., et al., Using PCRE version 8.10, Using ZLIB version 1.2.3, Rules Engine SF_SNORT_DETECTION_ENGINE Version 1.16 (Build 18), followed by the loaded preprocessor objects (SF_SSLPP, SF_SSH, SF_SMTP, SF_SIP, SF_SDF, SF_REPUTATION, SF_POP, SF_MODBUS, SF_IMAP, SF_GTP, SF_FTPTELNET, SF_DNS, SF_DNP3, SF_DCERPC2) and the line Commencing packet processing (pid=6664).]

Figure 1.20: Initializing Snort Rule Chains Window

Note: When Snort is run as a daemon, the daemon creates a PID file in the log directory.

66. After initializing the interface and logging the signatures, Snort starts and waits for an attack, triggering an alert when an attack occurs on the machine.

67. Leave the Snort command prompt running.
68. Attack your own machine and check whether Snort detects it or not.

TASK 6: Attack Host Machine

69. Launch your Windows 8 Virtual Machine (Attacker Machine).
70. Open the command prompt and type ping XXX.XXX.XXX.XXX -t from the Attacker Machine (XXX.XXX.XXX.XXX is your Windows Server 2012 IP address).
71. Go to Windows Server 2012, open the Snort command prompt, and press Ctrl+C to stop Snort. Snort exits.
72. Now go to the C:\Snort\log\10.0.0.12 folder and open the ICMP_ECHO.ids text file. (With -K ascii, Snort creates one folder per source address under the log directory; 10.0.0.12 is the attacker's address in this lab.)

Note: To view the Snort log file, always stop Snort first and then open the Snort log file.


[Figure 1.21 shows ICMP_ECHO.ids open in Notepad with these entries:]

[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:198 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:199 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:200 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:201 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:202 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:203 ECHO

Figure 1.21: Snort Alerts.ids Window Listing Snort Alerts

73. You see that all the log entries are saved in the ICMP_ECHO.ids file. This means that your Snort is working correctly and triggers alerts when attacks occur on your machine.
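A log like the one above is only the raw material for a report. The following is an added example, not part of the lab manual or of Snort, that parses Snort's full-format alert file into records and collapses repeated alerts into one row per source, destination and message. The first three records of SAMPLE_ALERTS are the ones shown in Figure 1.21; the fourth, from 10.0.0.55, is constructed so that the report has two sources. Snort's full-format timestamps carry no year, so the year is an assumption passed in by the caller.

```python
"""Parse Snort's full-format alert file (C:\\Snort\\log\\<src>\\ICMP_ECHO.ids) into a report.

Added example, not part of the CEH lab manual or of Snort. The first three
records of SAMPLE_ALERTS are the ones shown in Figure 1.21; the fourth, from
10.0.0.55, is constructed so that the report has two sources. Full-format
alert timestamps carry no year, so the year is an assumption passed in.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_ALERTS = """\
[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:198 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:199 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:200 ECHO

[**] ICMP-INFO PING [**]
11/14-12:25:03.000001 10.0.0.55 -> 10.0.0.10
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
Type:8 Code:0 ID:7 Seq:1 ECHO
"""

# Header line; the [gid:sid:rev] part is optional because the lab's file omits it.
HEADER_RE = re.compile(r'^\[\*\*\]\s*(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*)?(?P<msg>.*?)\s*\[\*\*\]$')
PACKET_RE = re.compile(r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?'
                       r'\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$')
IP_RE = re.compile(r'^(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<ipid>\d+)'
                   r'\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)')
ICMP_RE = re.compile(r'^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)\s+(?P<name>\w+)')


def parse_alerts(text, year=2012):
    """One dict per alert record; records are separated by a blank line."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) < 3:
            continue
        h, p, ip = HEADER_RE.match(lines[0]), PACKET_RE.match(lines[1]), IP_RE.match(lines[2])
        if not (h and p and ip):
            continue                      # not a record we understand; skip rather than guess
        rec = {'msg': h['msg'], 'sid': h['sid'], 'src': p['src'], 'dst': p['dst'],
               'proto': ip['proto'], 'ttl': int(ip['ttl']), 'ip_id': int(ip['ipid']),
               'dgmlen': int(ip['dgmlen']),
               'time': datetime.strptime(f"{year}/{p['ts']}", '%Y/%m/%d-%H:%M:%S.%f')}
        if ip['proto'] == 'ICMP' and len(lines) > 3 and (ic := ICMP_RE.match(lines[3])):
            rec.update(icmp_type=int(ic['type']), icmp_code=int(ic['code']),
                       icmp_id=int(ic['id']), seq=int(ic['seq']))
        alerts.append(rec)
    return alerts


def ttl_hint(ttl):
    """Rough origin hint from the IP TTL (initial TTL 64 on Linux/BSD, 128 on Windows,
    255 on many network devices). A heuristic only: the sender may be several hops away."""
    if ttl <= 64:
        return 'Linux/BSD-like (initial TTL 64)'
    if ttl <= 128:
        return 'Windows-like (initial TTL 128)'
    return 'network device or Solaris (initial TTL 255)'


def summarize(alerts):
    """Collapse repeats: one row per (src, dst, msg) with count, time span and sequence check."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a['src'], a['dst'], a['msg'])].append(a)
    rows = []
    for (src, dst, msg), items in sorted(groups.items()):
        items.sort(key=lambda a: a['time'])
        seqs = [a['seq'] for a in items if 'seq' in a]
        rows.append({
            'src': src, 'dst': dst, 'msg': msg, 'count': len(items),
            'first': items[0]['time'], 'last': items[-1]['time'],
            'span_s': (items[-1]['time'] - items[0]['time']).total_seconds(),
            # ping -t sends consecutive ICMP sequence numbers; gaps or repeats suggest
            # several senders behind one address or a tool that does not use the OS ping
            'consecutive_seq': seqs == list(range(seqs[0], seqs[0] + len(seqs))) if seqs else None,
            'origin_hint': ttl_hint(items[0]['ttl']),
        })
    return rows


if __name__ == '__main__':
    for row in summarize(parse_alerts(SAMPLE_ALERTS)):
        print(f"{row['src']} -> {row['dst']}: {row['count']} x {row['msg']} over "
              f"{row['span_s']:.3f}s, consecutive={row['consecutive_seq']}, {row['origin_hint']}")
```

For the lab's own file, open C:\Snort\log\10.0.0.12\ICMP_ECHO.ids, pass its contents to parse_alerts and print summarize: the six entries in Figure 1.21 become one row, 10.0.0.12 -> 10.0.0.10, 6 x ICMP-INFO PING, a shade over five seconds, consecutive sequence numbers, Windows-like TTL, which is a far more useful line in a report than six identical blocks.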

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility | Information Collected/Objectives Achieved
Snort | Output: victim machine logs are captured

Questions
1. Determine and analyze the process to identify and monitor network ports after intrusion detection.


2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Lab

Logging Snort Alerts to Kiwi Syslog Server

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day, making it difficult for human users to analyze them and take appropriate actions. It is important to reduce the redundancy of alerts, intelligently integrate and correlate them, and present a high-level view of the detected security issues to the administrator. An IDS is used to inspect data for malicious or anomalous activities and detect attacks or unauthorized use of systems, networks, and related resources.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, and be able to identify malicious network activity, log information about it, and stop or block it.

Lab Objectives
The objective of this lab is to help students learn and understand IPSes and IDSes.

In this lab, you need to:
■ Install Snort and configure the snort.conf file
■ Validate configuration settings
■ Perform an attack on the Host Machine
■ Perform an intrusion detection
■ Attempt to stop detected possible incidents

Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots


Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ Windows 8 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Administrative privileges to configure settings and run tools

Note: You can also download Kiwi Syslog Server from http://www.kiwisyslog.com

Lab Duration
Time: 10 Minutes

Overview of IPSes and IDSes
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.
Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Lab Tasks

TASK 1: Log Snort Alerts to Syslog Server

1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Kiwi Syslog Server, double-click Kiwi_Syslog_Server_9.3.4.Eval.setup.exe and install Kiwi Syslog Server on the Windows Server 2012 host machine.
2. The License Agreement window appears. Click I Agree.

Figure 2.1: Kiwi Syslog Server installation


3. In the Choose Operating Mode wizard, select the Install Kiwi Syslog Server as an Application option and click Next >.

[Figure 2.2 shows the Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode page ("The program can be run as a Service or Application"), with two options: Install Kiwi Syslog Server as a Service, which installs it as a Windows service that runs without a user logging in to Windows and also installs the Kiwi Syslog Server Manager used to control the service; and Install Kiwi Syslog Server as an Application, which installs it as a typical Windows application that requires a user to log in to Windows before running it. The Application option is selected.]

Figure 2.2: Kiwi Syslog Server installation

4. In the Install Kiwi Syslog Web Access wizard, uncheck the option that is selected and click Next >.

[Figure 2.3 shows the Install Kiwi Syslog Web Access page ("Remote viewing, filtering and highlighting of Syslog events...") with the check boxes Install Kiwi Syslog Web Access and Create a new Web Access logging rule in Kiwi Syslog Server, and the note that Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server.]

Figure 2.3: Kiwi Syslog Server

5. Leave the settings at their defaults in the Choose Components wizard and click Next >.


[Figure 2.4 shows the Choose Components page: "This will install Kiwi Syslog Server version 9.3.4"; type of install: Normal; optional components: Program files (required), Shortcuts apply to all users, Add Start menu shortcut, Add Desktop shortcut, Add QuickLaunch shortcut, Add Start-up shortcut; space required: 89.5MB.]

Figure 2.4: Adding components

6. In the Choose Install Location wizard, leave the settings at their defaults and click Install to continue.

[Figure 2.5 shows the Choose Install Location page with the default Destination Folder; space required: 89.5MB, space available: 50.1GB.]

Figure 2.5: Give destination folder

7. Click Finish to complete the installation.

Note: You should see a test message appear, which indicates Kiwi is working.


[Figure 2.6 shows the Completing the Kiwi Syslog Server 9.3.4 Setup Wizard page ("Kiwi Syslog Server 9.3.4 has been installed on your computer. Click Finish to close this wizard.") with Run Kiwi Syslog Server 9.3.4 checked.]

Figure 2.6: Kiwi Syslog Server finish window

8. Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box.

[Figure 2.7 shows the dialog: "Thank you for choosing Kiwi Syslog Server. This is the first time the program has been run on this machine. The following default 'Action' settings have been applied... * Display all messages * Log all messages to file: SyslogCatchAll.txt. These settings can be changed from the File | Setup menu. Happy Syslogging..."]

Figure 2.7: Default settings applied window

9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.

Figure 2.8: Start menu in Windows Server 2012

10. In the Start menu apps, click Kiwi Syslog Server Console to launch the app.

Note: Kiwi Syslog Server is a free syslog server for Windows. It receives, logs, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and other syslog-enabled devices.


[Figure 2.9 shows the Windows Server 2012 Start screen with the Kiwi Syslog Server Console tile among the installed apps.]

Figure 2.9: Click Kiwi Syslog Server application

11. Configure Syslog alerts in the snort.conf file.
12. To configure Syslog alerts, first exit from the Snort command prompt (press Ctrl+C).
13. Go to C:\Snort\etc and open the snort.conf file with Notepad++.
14. Scroll down to Step #6: Configure output plugins; in the syslog section (line 527), remove the # and modify the line to output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT. Windows has no local syslog daemon, so the host option sends the alerts over UDP to Kiwi, which listens on port 514 of the local machine.

Snort.conf before modification (Syslog)

[Figure 2.10 shows Step #6 of snort.conf with the line # output alert_syslog: LOG_AUTH LOG_ALERT still commented out, between the unified2 output lines and the log_tcpdump and database output lines.]

Figure 2.10: Snort config before modification

Note: The reason why you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need to maintain rights not only to output your alerts to Kiwi, but to write them to a log file.

Snort.conf after modification (Syslog)


[Figure 2.11 shows the same section of snort.conf with the line now reading output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT.]

Figure 2.11: Snort config after configuration

15. Save the file and close it.
16. Open the Kiwi Syslog Server Console and press Ctrl+T. This is to test Kiwi Syslog Server alert logs.

[Figure 2.12 shows the Kiwi Syslog Server (14 Day evaluation - Version 9.3) window with one test entry: Date 11-14-2012, Time 16:21:30, Priority Local7.Debug, Hostname 127.0.0.1, Message "Kiwi Syslog Server - Test message number 0001".]

Figure 2.12: Kiwi Syslog Service Manager window

17. Leave the Kiwi Syslog Server Console open. Do not close the window.
18. Now open a command prompt with Snort and type this command: snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -s and press Enter (here X is the index number of your Ethernet card; -s sends the alerts to syslog).


[Figure 2.13 shows the Administrator command prompt running Snort with the command from step 18.]

Note: Kiwi Syslog Server filtering options:
■ Filter on IP address, hostname, or message text
■ Filter out unwanted host messages or take a different logging action depending on the host name
■ Perform an action when a message contains specific keywords.

Figure 2.13: Snort Alerts.ids Window Listing Snort Alerts

19. Open a command prompt in your Windows 8 virtual machine and type this command: ping 10.0.0.10 (the IP address of your host machine where the Kiwi Syslog Server Console is running).
20. Go to the Kiwi Syslog Service Manager window (which is already open) and observe the triggered alert logs.

[Figure 2.14 shows the Kiwi Syslog Server window filled with one entry per second from 18:39:56 to 18:40:12, each of the form:
11-14-2012 18:40:12 Auth.Alert 127.0.0.1 Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10]

Figure 2.14: Kiwi Syslog Service Manager with Snort Logs


21. In Kiwi Syslog, you see the Snort alert output listed in Kiwi Syslog Service Manager.
22. You have successfully output Snort alerts to two sources.

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

CEH Lab Manual Page 872 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility | Information Collected/Objectives Achieved
Kiwi Syslog Server | Output: The Snort alert output listed in Kiwi Syslog Service Manager.

Questions
1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server.
2. Determine how you can move Kiwi Syslog Daemon to another machine.
3. Each Syslog message includes a priority value at the beginning of the text. Evaluate the priority of each Kiwi Syslog message and on what basis messages are prioritized.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Detecting Intruders and Worms Using KFSensor Honeypot IDS
KFSensor is a Windows-based honeypot Intrusion Detection System (IDS).

Lab Scenario
Intrusion detection systems are designed to search network activity (we are considering both host and network IDS detection) for evidence of malicious abuse. When an IDS algorithm "detects" some sort of activity and the activity is not malicious or suspicious, this detection is known as a false positive. It is important to realize that from the IDS's perspective, it is not doing anything incorrect. Its algorithm is not making a mistake. The algorithm is just not perfect. IDS designers make many assumptions about how to detect network attacks.
An example assumption could be to look for extremely long URLs. Typically, a URL may be only 500 bytes long. Telling an IDS to flag URLs longer than 2000 bytes rests on the assumption that such URLs may indicate a denial-of-service attack. A false positive could result from some complex e-commerce web sites that store a wide variety of information in the URL and exceed 2000 bytes.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and intrusion detection systems (IDSes), be able to identify malicious network activity and log information, and be able to stop or block malicious network activity.

Lab Objectives
The objective of this lab is to make students learn and understand IPSes and IDSes.
In this lab, you need to:
■ Detect hackers and worms in a network
■ Provide network security

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Environment
To carry out this lab, you need:


■ KFSensor, located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Honeypot Tools\KFSensor
■ Install KFSensor on Windows 8
■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ Install MegaPing on Windows Server 2012
■ If you have decided to download the latest version of these tools, the screenshots may differ
■ Administrative privileges to configure settings and run tools

You can also download KFSensor from http://www.keyfocus.net

Lab Duration
Time: 10 Minutes

Overview of IPSes and IDSes
An intrusion prevention system (IPS) is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log related information, attempt to block/stop activity, and report activity.
An IDS is a software device or application that monitors network and/or system activities for malicious activities or policy violations and delivers reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks
TASK 1: Configure KFSensor
1. Launch the Windows 8 virtual machine and follow the wizard-driven installation steps to install KFSensor.
2. After installation it will prompt you to reboot the system. Reboot the system.
3. In Windows 8, launch KFSensor. To launch KFSensor, move your mouse cursor to the lower-left corner of your desktop and click Start.


[Screenshot: Windows 8 Release Preview Start screen]
FIGURE 3.1: KFSensor Window with Setup Wizard

To set up common ports, KFSensor has a set of pre-defined listen definitions. They are:
■ Windows Workstation
■ Windows Server
■ Windows Internet Services
■ Windows Applications
■ Linux (services not usually in Windows)
■ Trojans and worms

4. In the Start menu apps, right-click the KFSensor app, and click Run as Administrator at the bottom.

[Screenshot: Windows 8 Start menu apps with the KFSensor tile selected]
FIGURE 3.2: KFSensor Window with Setup Wizard

5. At the first-time launch of the KFSensor Set Up Wizard, click Next.


[Screenshot: KFSensor Professional - Evaluation Trial main window with the Set Up Wizard dialog in front: "The KFSensor Set Up Wizard will take you through a number of steps to configure your system. All of these configurations can be modified later using the menu option. You might like to read the manual at this point to learn how KFSensor works and the concepts behind it."]
FIGURE 3.3: KFSensor main Window

The Set Up Wizard is used to perform the initial configuration of KFSensor.

6. Check all the port classes to include and click Next.

[Screenshot: Set Up Wizard - Port Classes. Port classes to include: Windows Workstation, Windows Applications, Windows Server, Windows Internet Services, Linux (services not usually in Windows), Trojans and worms. "KFSensor can detect intrusions on many different ports and simulate different types of services. These ports are grouped by class. Checked classes will be added to the scenario. Unchecked classes will be removed from the scenario."]
FIGURE 3.4: KFSensor Window with Setup Wizard

Domain Name is the domain name used to identify the server to a visitor. It is used in several SimServers.

7. Leave the domain name field as default and click Next.


[Screenshot: Set Up Wizard - Domain, with the Domain Name field at its default. "This is the domain name used to identify the server to a visitor. This could be the real domain name of the machine or a fictitious one. If you pick a fictitious one, try not to use a real domain belonging to somebody else."]
FIGURE 3.5: KFSensor Window with Setup Wizard

KFSensor can send alerts by email. The settings in the wizard are the minimum needed to enable this feature.

8. If you want to send KFSensor alerts by email, specify the email address details and click Next.

[Screenshot: Set Up Wizard - EMail Alerts, with Send to and Send from fields. "If you want KFSensor to send alerts by email then fill in the email address details."]
FIGURE 3.6: KFSensor Window with Setup Wizard - email alerts

A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged on user, so the user can log off and another person can log on without affecting the server.

9. Choose options for Denial of Service, Port Activity, Proxy Emulation, and Network Protocol Analyzer and click Next.


[Screenshot: Set Up Wizard - Options. Denial Of Service Options: Cautious (controls how many events are recorded before the server locks up). Port Activity: 1 Hour (how long a port should indicate activity after an event). Proxy Emulation: Allow banner grabs and loop backs (controls if KFSensor is allowed to make limited external connections). Network Protocol Analyzer: Enable packet dump files (dump files are useful for detailed analysis but take up a lot of disk space).]
FIGURE 3.7: KFSensor Window with Setup Wizard - options

The KFSensor Monitor is a module that provides the user interface to the KFSensor system. With it you can configure the KFSensor Server and examine the events that it generates.

10. Check the Install as systems service option and click Next.

[Screenshot: Set Up Wizard - Systems Service, with "Install as systems service" checked. "A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged on user, so you can log off and another person can log on without affecting the server. The KFSensor Server can be configured to start automatically when the system starts, even before you log on. You must be logged in as the Administrator to install a systems service."]
FIGURE 3.8: KFSensor Window with Setup Wizard - system service

The Ports View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the ports on which it is listening.

11. Click Finish to complete the Set Up Wizard.


[Screenshot: Set Up Wizard - Finish. "The KFSensor Set Up Wizard has now got all the information it needs to configure your system. To read up on where to go from here click the button below: Getting Started. Note on the Evaluation Version: There are a number of restrictions set for the ten day duration of the evaluation period. The export functionality is unavailable and the details of some events are deliberately obscured."]
FIGURE 3.9: KFSensor finish installation

The Ports View can be displayed by selecting the Ports option from the View menu.

12. The KFSensor main window appears. When it starts, it automatically displays the ID, Protocol, Visitor, and Received columns. In the following window, all the nodes in the left block crossed out with blue lines are the ports that are being used.

[Screenshot: KFSensor main window. The Ports View on the left lists the TCP listen ports (21 FTP, 25 SMTP, 53 DNS, 63 DHCP, 80 IIS, 110 POP3, 119 NNTP, 135 MS RPC, 139 NBT Session, 389 LDAP, 443 HTTPS, 445 NBT SMB, 593 CIS, 1028 MS CIS, 1080 SOCKS, 1433 SQL Server, 2234 DirectPlay, 3128 IIS Proxy, 3268 Global Catalog); the Events View on the right lists UDP 138 NBT Datagram events from the other hosts on the network. Status bar: Server: Running, Visitors: 8]
FIGURE 3.10: KFSensor Main Window

13. Open a command prompt from the Start menu apps.


The top level item is the server. The IP address of the KFSensor Server and the name of the currently active Scenario are displayed. The server icon indicates the state of the server.

14. In the command prompt window, type netstat -an.

[Screenshot: Command Prompt on Microsoft Windows [Version 6.2.8400], running C:\Users\Admin>netstat -an. The Active Connections list shows TCP ports 2, 7, 9, 13, 17, 19, 21, 22, 23, 25, 42, 53, 57, 68, 80, 81 and 82 on local address 0.0.0.0, foreign address 0.0.0.0:0, state LISTENING]
FIGURE 3.11: Command Prompt with netstat -an

15. This will display a list of listening ports.

The protocol level of KFSensor is used to group the ports based on their protocol, either TCP or UDP.

[Screenshot: Command Prompt, netstat -an output continued: TCP ports 82, 83, 88, 98, 110, 111, 113, 119, 135, 139, 143, 389, 443, 445, 464, 522, 543, 563, 593, 636, 999, 1024, 1028, 1080 and 1214 on 0.0.0.0, state LISTENING]
FIGURE 3.12: Command Prompt with netstat -an


16. Leave the KFSensor tool running.

17. Follow the wizard-driven installation steps to install MegaPing in Windows Server 2012 (Host Machine).

18. To launch MegaPing, move your mouse cursor to the lower-left corner of your desktop and click Start.

The Visitors View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the visitors who have connected to the server.

[Screenshot: Windows Server 2012 desktop with the Start button at the lower-left corner]
FIGURE 3.13: Start up window in Windows Server 2012

19. Click the MegaPing app in the Start menu apps.

[Screenshot: Windows Server 2012 Start menu apps, including MegaPing]
FIGURE 3.14: Click on MegaPing

Each visitor detected by the KFSensor Server is listed. The visitor's IP address and domain name are displayed.

20. The main window of MegaPing appears as shown in the following screenshot.


[Screenshot: MegaPing (Unregistered) main window with DNS List Hosts selected; the tool list on the left shows DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner and Host Monitor]
FIGURE 3.15: MegaPing on Windows Server 2012

The Visitors View can be displayed by selecting the Visitors option from the View menu.

21. Select Port Scanner from the list on the left side.

22. Enter the IP address of Windows 8 (in this lab the IP address is 10.0.0.12, the machine on which KFSensor is running) in the Destination Address List and click Add.

[Screenshot: MegaPing Port Scanner with Protocols: TCP and UDP, Scan Type: Range of Ports + Custom Ports, and 10.0.0.12 entered in the Destination Address List]
FIGURE 3.16: MegaPing: Select 10.0.0.12 from Host, Press Start button

23. Check the IP address and click the Start button to start scanning the ports on 10.0.0.12.


Visitor is obtained by a reverse DNS lookup on the visitor's IP address. An icon is displayed indicating the last time the visitor connected to the server.

[Screenshot: MegaPing Port Scanner with 10.0.0.12 checked in the Destination Address List and the scan running]
FIGURE 3.17: MegaPing: data of the packets received

24. The following image displays the identification of Telnet on port 23.

The Visitors View is linked to the Events View and acts as a filter to it. If you select a visitor, then only those events related to that visitor will be displayed in the Events View.

[Screenshot: MegaPing Port Scanner results for 10.0.0.12: 23 TCP telnet (Telnet, risk Elevated), 25 TCP smtp (Simple Mail Transfer, Elevated), 42 TCP nameserver (Host Name Server, Low), 53 TCP domain (Domain Name Server, Low)]
FIGURE 3.18: MegaPing: Telnet port data

25. The following image displays the identification of Socks on port 1080.


The events are sorted in either ascending or descending chronological order. This is controlled by options on the View Menu.

[Screenshot: MegaPing Port Scanner results for 10.0.0.12, continued: 1080 TCP socks (Socks), 1214 TCP, 1433 TCP ms-sql-s (Microsoft-SQL-Server, Low), 1494 TCP ica (Citrix ICA Client, Low), 1801 TCP (Low)]
FIGURE 3.19: MegaPing: Blackjack virus

26. Now come back to the Windows 8 virtual machine and look for Telnet data.

The events that are displayed are filtered by the currently selected item in the Ports View or the Visitors View.

[Screenshot: KFSensor main window with 23 Telnet selected in the Ports View; the Events View shows event 31, 9/27/2012 6:24:13 PM, duration 0.000, TCP, port 23, Telnet. Status bar: Server: Running, Visitors: 8]
FIGURE 3.20: Telnet data on KFSensor

27. The following image displays the data of a Death Trojan.


Exit: Shuts down the KFSensor Monitor. If the KFSensor Server is not installed as a systems service then it will be shut down as well.

[Screenshot: KFSensor main window with 2 Death, Trojan selected in the Ports View; the Events View shows the event recorded at 9/27/2012 6:24:12 PM on TCP port 2. Status bar: Server: Running, Visitors: 8]
FIGURE 3.21: Death Trojan data on KFSensor
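What KFSensor did in steps 12 to 27, reduced to its core, as an added example that is not KFSensor's or MegaPing's code: a small Python honeypot that binds sim-server ports, accepts whatever connects, records each connection as an event, and summarises the events per visitor. The port labels are the ones KFSensor showed above; the Honeypot class, probe(), run_demo() and the banner text are assumptions of this example, and it binds ephemeral ports on 127.0.0.1 so it runs without administrator rights.

```python
# Added example, not KFSensor's code: a minimal honeypot IDS in the spirit of
# steps 12 to 27 above. It binds "sim server" ports, accepts any connection,
# records the visitor and the first bytes sent, and summarises events per visitor.
import socket
import threading
import time
from collections import namedtuple

# Constructed listen definitions using ports KFSensor flagged in this lab;
# run_demo() binds ephemeral ports instead, so no administrator rights are needed.
SIM_SERVERS = [(2, "Death, Trojan"), (23, "Telnet"), (1080, "SOCKS")]

# One row of the Events view: start time, protocol, port, name, visitor IP, data.
Event = namedtuple("Event", "when protocol port name visitor received")


class Honeypot:
    def __init__(self, services, host="127.0.0.1"):
        self.services = list(services)
        self.host = host
        self.events = []
        self._lock = threading.Lock()
        self._listeners = []  # (listening socket, sim server name)
        self._stop = threading.Event()

    def start(self):
        for port, name in self.services:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.host, port))  # port 0: the kernel picks a free port
            s.listen(5)
            s.settimeout(0.2)          # so the accept loop notices stop()
            self._listeners.append((s, name))
            threading.Thread(target=self._serve, args=(s, name), daemon=True).start()

    def bound_ports(self):
        """name -> port actually bound (what netstat -an lists as LISTENING)."""
        return {name: s.getsockname()[1] for s, name in self._listeners}

    def _serve(self, sock, name):
        port = sock.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, addr = sock.accept()
            except socket.timeout:
                continue
            except OSError:  # listener closed by stop()
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(512)
                except (socket.timeout, OSError):
                    data = b""
                # Record the event before replying, so the banner never precedes it.
                with self._lock:
                    self.events.append(Event(time.time(), "TCP", port, name, addr[0], data))
                try:  # a fake banner keeps a scanner talking a little longer
                    conn.sendall(b"220 " + name.encode() + b" service ready\r\n")
                except OSError:
                    pass

    def visitors(self):
        """Per-visitor summary like the Visitors view: IP -> [(port, name), ...]."""
        out = {}
        with self._lock:
            for ev in self.events:
                out.setdefault(ev.visitor, []).append((ev.port, ev.name))
        return out

    def stop(self):
        self._stop.set()
        for s, _ in self._listeners:
            s.close()


def probe(host, port, payload=b""):
    """Constructed visitor (one port-scan connection): connect, optionally send
    bytes, half-close, then read the reply until the honeypot closes."""
    with socket.create_connection((host, port), timeout=2) as c:
        if payload:
            c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = c.recv(1024)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def run_demo():
    """Bind the sim servers on ephemeral ports, probe each once, return events."""
    hp = Honeypot([(0, name) for _, name in SIM_SERVERS])
    hp.start()
    try:
        ports = hp.bound_ports()
        probe("127.0.0.1", ports["Death, Trojan"])              # bare connect
        probe("127.0.0.1", ports["Telnet"], b"USER admin\r\n")  # login attempt
        probe("127.0.0.1", ports["SOCKS"], b"\x05\x01\x00")     # SOCKS5 greeting
        return hp.events, hp.visitors()
    finally:
        hp.stop()
```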

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility | Information Collected/Objectives Achieved
KFSensor Honeypot IDS | Output: Infected Port number: 1080; Number of Detected Trojans: 2

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


HTTP Tunneling Using HTTPort
HTTPort is a program from HTTHost that creates a transparent tunnel through a proxy server or firewall.

Lab Scenario
Attackers are always on the hunt for clients that can be easily compromised, and they can enter your network by IP spoofing to damage or steal your data. The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.
Hence, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc., and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.
Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab, you will learn HTTP tunneling using HTTPort.
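The header fields the scenario lists, extracted from a raw packet and compared with attack signatures, as an added example that is not part of the lab or of HTTPort: a Python IPv4/TCP header parser that also verifies the IP header checksum. The signature list, build_tcp_packet() and run_demo() are constructed for this example; the addresses 10.0.0.10 and 10.0.0.12 are the lab's host and KFSensor machine from the previous exercise.

```python
# Added example (not from the lab, HTTPort or any IDS product): extract the
# packet fields the scenario lists (source/destination IP and port, flags, header
# length, checksum, TTL, protocol) from a raw IPv4/TCP packet and compare them
# with a small, constructed signature list.
import struct
from ipaddress import IPv4Address

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# TCP flag bits from least to most significant (RFC 793, plus ECE/CWR/NS).
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

# Constructed signatures: every listed field must equal the parsed value. The
# ports are the ones KFSensor flagged in the previous lab.
SIGNATURES = [
    {"name": "Telnet connection attempt", "protocol": "TCP", "dst_port": 23, "flags": ["SYN"]},
    {"name": "SOCKS proxy probe", "protocol": "TCP", "dst_port": 1080, "flags": ["SYN"]},
]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_packet(raw: bytes) -> dict:
    """Parse the IPv4 header and, for TCP, the TCP header, into a field dict."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, _ident, _frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    # Recompute the checksum with the checksum field zeroed: a mismatch means the
    # header was corrupted or altered after the sender computed it.
    zeroed = raw[:10] + b"\x00\x00" + raw[12:ihl]
    info = {
        "src_ip": str(IPv4Address(src)),
        "dst_ip": str(IPv4Address(dst)),
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "ttl": ttl,
        "ip_header_len": ihl,
        "total_len": total_len,
        "checksum": csum,
        "checksum_ok": ip_checksum(zeroed) == csum,
    }
    if proto == 6 and len(raw) >= ihl + 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        bits = off_flags & 0x1FF
        info.update({
            "src_port": sport,
            "dst_port": dport,
            "tcp_header_len": (off_flags >> 12) * 4,
            "flags": [n for i, n in enumerate(TCP_FLAGS) if bits & (1 << i)],
        })
    return info


def match_signatures(info: dict, signatures=SIGNATURES) -> list:
    """Names of the signatures whose every field matches the parsed packet."""
    return [sig["name"] for sig in signatures
            if all(info.get(k) == v for k, v in sig.items() if k != "name")]


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags, ttl=128) -> bytes:
    """Constructed sample: IPv4 + TCP headers, no payload, valid IP checksum.
    (The TCP checksum is left zero; this example only verifies the IP one.)"""
    bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | bits, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def run_demo():
    """A SYN from the lab's host (10.0.0.10) to Telnet on the KFSensor machine
    (10.0.0.12), then the same packet with its TTL altered after the checksum."""
    pkt = build_tcp_packet("10.0.0.10", "10.0.0.12", 49152, 23, ["SYN"])
    info = parse_packet(pkt)
    tampered = pkt[:8] + bytes([64]) + pkt[9:]   # TTL is byte 8 of the header
    return info, match_signatures(info), parse_packet(tampered)["checksum_ok"]
```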

Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment
In the lab, you need the HTTPort tool.


■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots\HTTPort
■ You can also download the latest version of HTTPort from the link http://www.targeted.org
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Install HTTHost on Windows 8 Virtual Machine
■ Install HTTPort on Windows Server 2012 Host Machine
■ Follow the wizard-driven installation steps and install it
■ Administrative privileges are required to run this tool

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots

Lab Duration
Time: 20 Minutes

Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, HTTP firewalls, and transparent accelerators.

Lab Tasks
TASK 1: Stopping IIS Services
1. Before running the tool you need to stop the IIS Admin Service and World Wide Web services on the Windows Server 2008 virtual machine.

2. Select Administrative Privileges → Services → IIS Admin Service, right-click and select Stop.

HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.

[Screenshot: Services console with IIS Admin Service selected and its context menu open (Start, Stop, Pause, Resume, Restart). Description: "Enables this server to administer Web and FTP services. If this service is stopped, the server will be unable to run Web, FTP, NNTP, or SMTP sites or configure IIS. If this service is disabled, any services that explicitly depend on it will fail to start."]
FIGURE 4.1: Stopping IIS Admin Service in Windows Server 2008


3. Select Administrative Privileges → Services → World Wide Web Services, right-click and select Stop.

It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

[Screenshot: Services console with World Wide Web Publishing Service selected and its context menu open. Description: "Provides Web connectivity and administration through the Internet Information Services Manager."]
FIGURE 4.2: Stopping World Wide Web Services in Windows Server 2008
4. Log in to the Windows Server 2008 virtual machine.
5. Open the mapped network drive CEH-Tools at Z:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots.
6. Open the HTTHost folder and double-click htthost.exe.
7. The HTTHost window opens; select the Options tab.
8. On the Options tab leave all the settings at their defaults except the Personal password field, which should be filled with any password of your choice. In this lab the Personal password is "magic".
9. Check the Log connections option and click Apply.

It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.


Tools demonstrated in this lab are available in the Z:\ mapped network drive.

[Screenshot: HTTHost 1.8.5 Options tab. Network: Bind listening to 0.0.0.0, port 80; Bind external to 0.0.0.0; Allow access from 0.0.0.0; Personal password (masked). Passthrough unrecognized requests to host name or IP 127.0.0.1, port 81, original IP header field X-Original-IP. Max. local buffer 256K; Timeouts 0:1:2; Revalidate DNS names; Log connections checked; Apply button. Tabs: Statistics, Application log, Options, Security, Send a Gift.]

FIGURE 4.3: HTTHost Options tab


10. Now leave HTTHost running, and do not turn off the Windows Server 2008 virtual machine.
11. Now switch to the Windows Server 2008 host machine and install HTTPort from D:\CEH-Tools\CEHv7 Module 16 Evading IDS, Firewalls and Honeypots.
12. Follow the wizard-driven installation steps.
13. Now open HTTPort from Start → All Programs → HTTPort 3.SNFM → HTTPort 3.SNFM.
14. The HTTPort window appears as shown in the following figure.
To set up HTTPort you need to point your browser to 127.0.0.1.

[Screenshot: HTTPort 3.SNFM main window, Proxy tab. Fields: HTTP proxy to bypass (blank = direct or firewall) with Host name or IP address and Port; Proxy requires authentication with Username and Password; Misc. options with User-Agent and Bypass mode; Use personal remote host at (blank = use public) with Host name or IP address, Port and Password. Tabs: System, Proxy, Port mapping, About, Register.]

FIGURE 4.4: HTTPort Main Window


15. Select the Proxy tab and enter the Host name or IP address of the targeted machine.
16. Here, as an example, enter the Windows Server 2008 virtual machine IP address, and enter port number 80.
17. You cannot set the Username and Password fields.
18. In the Use personal remote host at section, enter the targeted host machine IP address; the port should be 80.
19. Any password could be chosen here. As an example, the password is magic.

HTTPort comes with the predefined mapping "External HTTP proxy" of local port …
For each piece of software you have to create a custom mapping, given all the addresses from which it operates. For applications that dynamically change ports there is a SOCKS4 proxy mode, in which the software creates a local SOCKS server (127.0.0.1).

[Screenshot: HTTPort 3.SNFM Proxy tab filled in. HTTP proxy to bypass: Port 80; Proxy requires authentication unchecked; User-Agent IE 6.0; Bypass mode Remote host; Use personal remote host at: Host name or IP address 10.0.0.3, Port 80, Password masked.]

FIGURE 4.5: HTTPort Proxy settings window


20. Select the Port mapping tab and click Add to create a new mapping.

In real-world environments, companies sometimes use a password-protected proxy through which employees access the Internet.


[Screenshot: HTTPort 3.SNFM Port mapping tab. Static TCP/IP port mappings (tunnels): New mapping with Local port 0, Remote host remote.host.name, Remote port 0; Add and Remove buttons. Select a mapping to see statistics: No stats - inactive. Built-in SOCKS4 server: Run SOCKS server (port 1080) checked; Available in "Remote Host" mode: Full SOCKS4 support (BIND).]

FIGURE 4.6: HTTPort creating a New Mapping


21. Select the New mapping node, right-click it, and select Edit.

HTTHost supports registration, but it is free and password-free; you will be issued a unique ID with which you can contact the support team and ask your questions.

[Screenshot: HTTPort 3.SNFM Port mapping tab with the context menu open on New mapping and Edit selected; Local port, Remote host remote.host.name, Remote port 0.]

FIGURE 4.7: HTTPort Editing to assign a mapping


22. Rename it to ftp certified hacker, then select the Local port node, right-click it to Edit and enter a port value of 21 (as shown in Figure 4.8).
23. Now right-click the Remote host node to Edit and rename it ftp.certifiedhacker.com.
24. Now right-click the Remote port node to Edit and enter the port value 21.


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 16 Evading IDS, Firewalls and Honeypots.

[Screenshot: HTTPort 3.SNFM Port mapping tab with the completed mapping: Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21. Select a mapping to see statistics: No stats - inactive. Built-in SOCKS4 server: Run SOCKS server (port 1080) checked.]

FIGURE 4.8: HTTPort Static TCP/IP port mapping


25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.
In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box, because we only support a non-password-protected proxy.

[Screenshot: HTTPort 3.SNFM Proxy tab at tunnel start. HTTP proxy to bypass: Host name or IP address 10.0.0.… (truncated in the screenshot); Proxy requires authentication unchecked; Bypass mode Remote host; Use personal remote host at: Host name or IP address 10.0.0.3, Port 80, Password masked; Start button.]

FIGURE 4.9: HTTPort to start tunneling


26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.
27. Check the last line. If it reads Listener: listening at 0.0.0.0:80, HTTHost is running properly.


HTTHost 1.8.5, Application log:

MAIN HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
MAIN Project codename: 99 red balloons
MAIN Written by Dmitry Dvoinikov
MAIN (c) 1999-2004, Dmitry Dvoinikov
MAIN 64 total available connection(s)
MAIN network started
MAIN RSA keys initialized
MAIN loading security filters...
MAIN loaded filter "grant.dll" (allows all connections within …
MAIN loaded filter "block.dll" (denies all connections within …
MAIN done, total 2 filter(s) loaded
MAIN using transfer encoding: PrimeScrambler64/SevenT…
grant.dll: filters connections
block.dll: filters connections
LISTENER: listening at 0.0.0.0:80

Tabs: Statistics, Application log, Options, Security, Send a Gift.

FIGURE 4.10: HTTHost Application log section
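The mechanism the two tools implement, as an added example that is not HTTPort or HTTHost code: a relay listening on an allowed port accepts an HTTP CONNECT request, opens the real destination, and then shuttles raw bytes in both directions, so the client's FTP session rides inside what the firewall sees as a single port-80 connection. HTTHost speaks its own request format and applies its own transfer encoding (the log above shows PrimeScrambler64), so this CONNECT-based relay is a simplification of the idea, not its protocol. All hosts here are loopback, the ports are ephemeral, and the FTP server is a constructed stand-in that only sends a banner and one reply.

```python
"""Added example (not HTTPort/HTTHost code): a minimal HTTP CONNECT tunnel.
A relay on an "allowed" port carries a TCP session to a "blocked" port, the
way the lab carries FTP (21) inside what the firewall sees as HTTP (80).
Hosts are loopback, ports are ephemeral, and the FTP side is a constructed
stand-in that only sends a banner and one reply."""
import socket
import threading

socket.setdefaulttimeout(5)                  # never let the demo hang on a stuck peer
BANNER = b"220 constructed FTP banner\r\n"   # constructed sample, not a real server


def _listen():
    """Bind a loopback listener on an ephemeral port; return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def _serve_once(listener, handler):
    """Accept exactly one client on `listener`, run `handler` on it, clean up."""
    try:
        conn, _ = listener.accept()
    except OSError:
        listener.close()
        return
    try:
        handler(conn)
    except OSError:
        pass
    finally:
        conn.close()
        listener.close()


def _read_until(conn, marker, buf=b""):
    """Read from `conn` until `marker` is seen; return (before, after) the marker."""
    while marker not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    before, _, after = buf.partition(marker)
    return before, after


def fake_ftp_target(conn):
    """Stand-in for the blocked destination (ftp.certifiedhacker.com:21 in the lab)."""
    conn.sendall(BANNER)
    cmd, _ = _read_until(conn, b"\r\n")
    conn.sendall(b"331 got " + cmd + b"\r\n")


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so its peer sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def tunnel_server(conn):
    """HTTHost-like side: honour CONNECT host:port, open the target, relay both ways."""
    head, leftover = _read_until(conn, b"\r\n\r\n")
    method, target, _version = head.split(b"\r\n")[0].split(b" ", 2)
    if method != b"CONNECT":
        conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
        return
    host, port = target.decode().rsplit(":", 1)
    upstream = socket.create_connection((host, int(port)))
    conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    if leftover:                              # bytes the client sent before our 200
        upstream.sendall(leftover)
    t = threading.Thread(target=_pump, args=(conn, upstream), daemon=True)
    t.start()
    _pump(upstream, conn)
    t.join(timeout=5)
    upstream.close()


def tunnel_client(tunnel_port, target_host, target_port, command):
    """HTTPort-like side: connect to the allowed port, send CONNECT, then speak FTP."""
    s = socket.create_connection(("127.0.0.1", tunnel_port))
    req = "CONNECT {0}:{1} HTTP/1.1\r\nHost: {0}:{1}\r\n\r\n".format(target_host, target_port)
    s.sendall(req.encode())
    head, rest = _read_until(s, b"\r\n\r\n")
    status = head.split(b"\r\n")[0]
    if b" 200 " not in status:
        s.close()
        raise RuntimeError("tunnel refused: " + status.decode(errors="replace"))
    banner, rest = _read_until(s, b"\r\n", rest)   # FTP greeting arrives inside the tunnel
    s.sendall(command + b"\r\n")
    reply, _ = _read_until(s, b"\r\n", rest)
    s.close()
    return banner.decode(), reply.decode()


def run_demo():
    """Start the stand-in FTP server and the relay, then talk FTP through the tunnel."""
    ftp_sock, ftp_port = _listen()
    tun_sock, tun_port = _listen()
    threading.Thread(target=_serve_once, args=(ftp_sock, fake_ftp_target), daemon=True).start()
    threading.Thread(target=_serve_once, args=(tun_sock, tunnel_server), daemon=True).start()
    return tunnel_client(tun_port, "127.0.0.1", ftp_port, b"USER anonymous")


if __name__ == "__main__":
    print(run_demo())   # ('220 constructed FTP banner', '331 got USER anonymous')
```

Run it and the tuple returned is the FTP greeting and the reply to USER, both read through the tunnel. Put the relay on 0.0.0.0:80 on a host you control and point it at a real host:port and you have the lab's arrangement: an outbound rule that blocks remote port 21 never sees a port-21 connection from the client, because the only socket the client opens goes to port 80.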
28. Now switch to the Windows Server 2008 host machine and turn on Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
30. Select Outbound Rules in the left pane of the window, then click New Rule in the right pane.

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list (BITS Peercaching, Client for NFS, Core Networking, Distributed Transaction Coordinator, File and Printer Sharing, Hyper-V, iSCSI Service and Network Discovery rules with their Group, Profile, Enabled and Action columns). Actions pane on the right: New Rule..., Filter by Profile, Filter by State, Filter by Group, View, Refresh, Export List..., Help.]

FIGURE 4.11: Windows Firewall with Advanced Security window in Windows Server 2008

31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.


HTTPort doesn't really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

[Screenshot: New Outbound Rule Wizard, Rule Type step. Options: Program (rule that controls connections for a program), Port (rule that controls connections for a TCP or UDP port), Predefined (rule that controls connections for a Windows experience), Custom (custom rule). Steps listed: Rule Type, Protocol and Ports, Action, Profile, Name.]

FIGURE 4.12: Windows Firewall selecting a Rule Type


32. In the Protocol and Ports section, select TCP and All local ports, and click Next.
You need to install htthost on a PC that is generally accessible on the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two show stoppers for htthost on home PCs:

[Screenshot: New Outbound Rule Wizard, Protocol and Ports step. Does this rule apply to TCP or UDP? TCP selected. Does this rule apply to all local ports or specific local ports? All local ports selected.]

FIGURE 4.13: Windows Firewall assigning Protocols and Ports

33. In the Action section, select Block the connection and click Next.


NAT/firewall issues: you need to enable an incoming port. For HTThost it will typically be 80 (http) or 443 (https), but any port can be used IF the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.

[Screenshot: New Outbound Rule Wizard, Action step. Options: Allow the connection; Allow the connection if it is secure (only connections authenticated and integrity-protected through IPsec, with a Require the connections to be encrypted sub-option); Block the connection, selected.]

FIGURE 4.14: Windows Firewall setting an Action


34. In the Profile section, select all three options (Domain, Private, Public) so the rule applies to every profile, and click Next.
[Screenshot: New Outbound Rule Wizard, Profile step. Domain (applies when a computer is connected to its corporate domain), Private (applies when a computer is connected to a private network location) and Public (applies when a computer is connected to a public network location) all checked.]

FIGURE 4.15: Windows Firewall Profile settings


35. Type Port 21 Blocked in the Name field and click Finish.


The default TCP port for FTP connections is port 21. Sometimes the local Internet Service Provider blocks this port, which results in FTP connection issues.

[Screenshot: New Outbound Rule Wizard, Name step. Name: Port 21 Blocked; Description (optional) empty; Finish button.]

FIGURE 4.16: Windows Firewall assigning a name to the port rule


36. The new rule Port 21 Blocked is created as shown in the following figure.
HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list with the new rule Port 21 Blocked at the top (Profile: Any). The Actions pane shows Disable Rule, Delete, Properties and Help for the selected rule.]

FIGURE 4.17: Windows Firewall New rule

37. Right-click the newly created rule and select Properties.


HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

It enables you to bypass your HTTP proxy in case it blocks you from the Internet.

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list with Port 21 Blocked selected and the Actions pane showing Disable Rule, Delete, Properties and Help. Status bar: Opens the properties dialog box for the current selection.]

FIGURE 4.18: Windows Firewall new rule properties
38. Select the Protocols and Ports tab. Change the Remote port option to Specific Ports and enter the port number 21.
39. Leave the other settings at their defaults and click Apply → OK.

With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software …

[Screenshot: Port 21 Blocked Properties, Protocols and Ports tab. Protocol type: TCP; Local port: All Ports; Remote port: Specific Ports, 21 (example: 80, 443, 8080); Internet Control Message Protocol (ICMP) settings greyed out. Other tabs: General, Programs and Services, Computers, Scope, Advanced. OK, Cancel and Apply buttons.]

FIGURE 4.19: Firewall Port 21 Blocked Properties


40. Type ftp 127.0.0.1 at the command prompt and press Enter. The connection is blocked at the local host in Windows Server 2008.


HTTPort does neither freeze nor hang; what you are experiencing is known as "blocking operations".

[Screenshot: command prompt output of ftp 127.0.0.1 (not legible in the source).]

FIGURE 4.20: ftp connection is blocked
41. Now open a command prompt on the Windows Server 2008 host machine, type ftp ftp.certifiedhacker.com and press Enter.
HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The keywords here are: "client" and "any software".

Administrator: Command Prompt - ftp ftp.certifiedhacker.com

C:\Users\Administrator>ftp ftp.certifiedhacker.com
Connected to ftp.certifiedhacker.com.
220-Microsoft FTP Service
220 Welcome TO FTP Account
User (ftp.certifiedhacker.com:(none)): _

FIGURE 4.21: Executing ftp command
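A check a defender can apply to the port-80 flows the rule above lets through, as an added example that is not part of the lab or of either tool. The outbound rule matches on destination port alone, so it cannot tell a web request from a tunnel. This function looks at the first bytes a client sends and flags two things: payloads that are not HTTP at all (raw FTP, SSH or SMTP aimed at port 80) and HTTP CONNECT requests that go to anything other than the sanctioned proxy, or that ask the proxy for a non-TLS port such as 21. The proxy address 10.0.0.4, the allowed CONNECT ports, the list of web ports and the sample flows are constructed assumptions.

```python
"""Added example (not part of the lab or of either tool): a protocol-conformance
check for flows that a port-based outbound rule lets through.
The rule built above matches on destination port only.  This check reads the
first bytes a client sends and flags (a) payloads that are not HTTP at all and
(b) HTTP CONNECT requests to anything but the sanctioned proxy, or for a port
the proxy should not tunnel.  Proxy address, CONNECT ports, web ports and the
sample flows are constructed assumptions."""
import re

SANCTIONED_PROXY = ("10.0.0.4", 80)   # assumption: the one approved HTTP proxy
ALLOWED_CONNECT_PORTS = {443}         # assumption: CONNECT is only for TLS
WEB_PORTS = {80, 8080, 3128}          # assumption: ports the outbound rule leaves open
# HTTP/1.x request line: method SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/1\.[01]\r\n")


def classify_flow(dst_ip, dst_port, first_bytes):
    """Return one verdict for a client->server flow from its destination and first bytes."""
    if dst_port not in WEB_PORTS:
        return "not-a-web-port"
    m = REQUEST_LINE.match(first_bytes)
    if m is None:
        return "non-http-on-web-port"           # raw FTP/SSH/SMTP aimed at :80
    method, target = m.group(1), m.group(2)
    if method != b"CONNECT":
        return "http"                           # includes tunnels hidden in valid HTTP
    if (dst_ip, dst_port) != SANCTIONED_PROXY:
        return "connect-to-unsanctioned-host"   # a private relay, not the corporate proxy
    try:
        port = int(target.rsplit(b":", 1)[1])
    except (IndexError, ValueError):
        return "connect-malformed-target"
    if port not in ALLOWED_CONNECT_PORTS:
        return "connect-to-non-tls-port"        # e.g. CONNECT ftp.example.com:21
    return "connect-ok"


# Constructed sample flows: (destination IP, destination port, first bytes from the client)
SAMPLE_FLOWS = [
    ("10.0.0.4", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.3", 80, b"USER anonymous\r\nPASS guest\r\n"),
    ("10.0.0.4", 80, b"CONNECT ftp.example.com:21 HTTP/1.1\r\nHost: ftp.example.com:21\r\n\r\n"),
    ("10.0.0.3", 80, b"CONNECT ftp.example.com:21 HTTP/1.1\r\nHost: ftp.example.com:21\r\n\r\n"),
    ("10.0.0.4", 80, b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n"),
    ("10.0.0.3", 80, b"POST /x HTTP/1.1\r\nHost: 10.0.0.3\r\nContent-Length: 96\r\n\r\n"),
]


def suspicious(flows=SAMPLE_FLOWS):
    """Map flow index -> verdict for every flow that is not plain HTTP or an allowed CONNECT."""
    verdicts = ((i, classify_flow(ip, port, data)) for i, (ip, port, data) in enumerate(flows))
    return {i: v for i, v in verdicts if v not in ("http", "connect-ok")}


if __name__ == "__main__":
    for i, verdict in suspicious().items():
        print(i, verdict)
```

The last sample flow is the shape that defeats this check: a well-formed POST to a host the attacker controls, which is what HTTHost is configured to receive here (it listens on port 80, encodes the tunnel payload, and passes any request it does not recognize to the real web server on 127.0.0.1:81, so to a casual probe it is just a web server). Catching that needs a sanctioned proxy that is the only path out plus inspection of what passes through it, which is exactly the control the sidebar says strong traffic encryption defeats.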

Lab Analysis
Document all the IP addresses, open ports, running applications, and protocols you discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
Proxy server used: 10.0.0.4
Port scanned: 80
Result: ftp 127.0.0.1 connected to 127.0.0.1


Questions
1. How would you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine what to do if the software does not allow editing the address it connects to.

Internet Connection Required
☑ Yes ☐ No
Platform Supported
☐ iLabs
