CND Lab Manual
Module 08 - Secure IDS Configuration and Management
Certified Network Defender. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab: Configuring Snort IDS

Snort is an open-source network IDS/IPS.

Lab Scenario

An IDS/IPS is an important network security measure that is deployed behind a firewall and works from inside the network. An IDS inspects the network traffic and looks for heuristics and pattern matches that indicate intrusions. However, improper IDS configuration and management can make an IDPS worthless, so IDS configuration and deployment should be performed with careful planning, preparation, prototyping, testing, and specialized training. As a network administrator, you should be able to configure IDS/IPS in your organization's network.

Lab Objectives

The objective of this lab is to demonstrate how to configure Snort IDS in a network. In this lab, you will need to:
* Install Snort and verify Snort alerts
* Configure and validate the snort.conf file
* Test that Snort is working by carrying out a test attack
* Perform intrusion detection

Lab Environment

To complete this lab, you will need:
* A virtual machine running Windows Server 2012
* A virtual machine running Windows 10
* Snort, located at Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\IDS and IPS Solutions\Snort
* You can download the latest version of Snort from https://www.snort.org/downloads. If you decide to download the latest version, screenshots may differ.
* WinPcap drivers installed in the Windows Server 2012 virtual machine
* Notepad++ installed in the Windows Server 2012 virtual machine
* Administrative privileges to configure settings and run tools

Lab Duration

Time: 25 Minutes

Overview of IPSs and IDSs

An intrusion prevention system is a network security appliance that monitors a network and systems for malicious activity. The IPS's main functions are to identify malicious activity, log information about that activity, attempt to block or stop it, and report it. An intrusion detection system is a device or software application that monitors a network and/or systems for malicious activity or policy violations and produces reports to a management station. The IDS performs intrusion detection and attempts to stop detected incidents.

Lab Tasks

Note: Before starting this lab, turn off Windows Firewall on the Administrator's machine (Windows Server 2012) for the purpose of the lab demonstration. You can turn the firewall back on afterwards.

TASK 1: Install Snort

1. Launch the Windows Server 2012 virtual machine.
2. To install Snort, navigate to Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\IDS and IPS Solutions\Snort.
3. Double-click the Snort_2_9_8_3_Installer.exe file. The Snort installation wizard appears.
4. If an Open File - Security Warning pop-up appears, click Run.
5. Accept the License Agreement, and install Snort by selecting the default options that appear step by step in the wizard. The wizard states that if you accept the terms of the agreement, click I Agree to continue; you must accept the agreement to install Snort 2.9.8.3.
FIGURE 1.1: License Agreement
6. A window appears after the successful installation of Snort. Click Close.
7. Snort requires WinPcap to be installed on your machine.
8. If you have already installed the application, click OK to exit the Snort Installation window and skip to the next step. The installer note reads: "Snort has successfully been installed. Snort also requires WinPcap 4.1.1 to be installed on this machine. WinPcap can be downloaded from http://www.winpcap.org/. It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable. Next, you must manually edit the snort.conf file to specify proper paths to allow Snort to find the rules files and classification files."
9. By default, Snort installs itself in C:\Snort (depending on the disk drive on which the OS is installed).
10. Navigate to the etc folder in the specified location, Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\IDS and IPS Solutions\Snort\snortrules\etc, copy snort.conf, and paste it in C:\Snort\etc.
11. If snort.conf is already present in C:\Snort\etc, replace it with the snortrules' snort.conf file.
12. Copy the so_rules folder from Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\IDS and IPS Solutions\Snort\snortrules, and paste it in C:\Snort.
13. Copy the preproc_rules folder from Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\IDS and IPS Solutions\Snort\snortrules, and paste it in C:\Snort. The preproc_rules folder is already present in C:\Snort; replace this folder with the preproc_rules folder taken from snortrules.
14. In the same way, copy the rules folder from Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\IDS and IPS Solutions\Snort\snortrules, and paste it in C:\Snort. The rules folder is already present in C:\Snort; replace the folder.
15. Now navigate to C:\Snort, press Shift + right-click on bin, and click Open command window here from the context menu to open it in a command prompt.
FIGURE 1.4: Starting the Command Prompt from the Snort bin folder
16. The Command Prompt window appears. Type snort and press Enter.
17. Rapidly scrolling text appears in the command terminal; scroll up. This command shows you that Snort is configured on your machine successfully. The Process ID will differ in your lab environment.
18. The Initialization Complete message displays. Press Ctrl+C. Snort exits and returns to C:\Snort\bin.
19. Now type snort -W. This command lists your machine's Physical Address, IP Address, and Ethernet Drivers, but all are disabled by default.
FIGURE 1.6: Snort -W output
20. Observe your Ethernet Driver index number and write it down (in this lab, it is 1). Note: Ethernet index numbers may vary in your lab environment if two or more drivers are installed.
21. To enable the Ethernet driver, in the command prompt, type snort -dev -i 1 and press Enter. Note: In the command, 1 is the index number of the Ethernet adapter installed in your machine.
22. You see rapidly scrolling text in the command prompt, which means that the Ethernet driver is enabled and working properly.
23. Leave the Snort command prompt window open, and launch another command prompt: right-click the Start icon and click Command Prompt from the context menu.
24. In the new command prompt, type ping 10.10.10.10 and press Enter. Note: 10.10.10.10 is the IP address of the Windows 10 machine.
FIGURE 1.8: Ping command in the new Command Prompt
FIGURE 1.9: Snort showing the captured ping
26. Close both command prompt windows. The verification of the Snort installation and the triggering of alerts is complete, and Snort is working correctly in verbose mode.
27. Configure the snort.conf file located at C:\Snort\etc.
28. Open the snort.conf file with Notepad++ using the right-click menu.
29. The snort.conf file opens in Notepad++, as shown in the screenshot. Note: If any Notepad++ update pop-up appears, close it.
FIGURE 1.10: snort.conf file in Notepad++
30. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file.
In the HOME_NET line (Line 45), replace any with the IP address of the machine (the Network Administrator machine) on which Snort is running. Here, the Network Administrator machine is Windows Server 2012, and its IP address is 10.10.10.12. Note: This IP address may vary in your lab environment.
FIGURE 1.11: Configuring the snort.conf file in Notepad++
31. Leave the EXTERNAL_NET any line as it is.
32. If you have a DNS server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS server IP address; otherwise, leave this line as it is.
FIGURE 1.12: Configuring the snort.conf file in Notepad++
33. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
34. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
35. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.
36. In Lines 109 and 110, replace ../rules with C:\Snort\rules.
FIGURE 1.14: Configuring the snort.conf file in Notepad++
37. Navigate to C:\Snort\rules, and create two text files; name them white_list and black_list and change their file extensions from .txt to .rules.
38. While changing the extension, if any pop-up appears, click Yes.
39. Switch back to Notepad++ and scroll down to the Step #4: Configure dynamic loaded libraries section (Line 238). Configure the dynamically loaded libraries in this section.
40. At the path to the dynamic preprocessor libraries (Line 243), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.
41. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.
42. At the path to the base preprocessor (or dynamic) engine (Line 246), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine, C:\Snort\lib\snort_dynamicengine\sf_engine.dll.
43. Comment out (#) the dynamic rules libraries line (Line 249), as you have already configured the libraries in the dynamic preprocessor libraries line.
FIGURE 1.15: Configuring the snort.conf file in Notepad++
44. Scroll down to the Step #5: Configure Preprocessors section (Line 252).
45. Comment out all the preprocessors listed in this section by adding # before each preprocessor rule (Lines 261-265).
48. Scroll down to the Step #8: Configure output plugins section (Line 510). In this step, provide the location of the classification.config and reference.config files.
Snort first initializes the output plug-ins, preprocessors and plug-ins, loads the dynamic preprocessor libraries and the rule chains, and then logs all signatures.
60. If you entered all the information correctly, you receive a message stating Commencing packet processing (pid=xxxx) (the value of xxxx may be any number; in this lab, it is 2616), as shown in the screenshot.
FIGURE 1.23: Snort running in the Command Prompt window
Note: When Snort is run as a daemon, the daemon creates a PID file in the log directory.
61. After initializing the interface and logging the signatures, Snort starts and waits for an attack, triggering an alert when an attack occurs on the machine.
62. Leave the Snort command prompt running.

TASK 3: Ping the host from the Windows 10 machine

63. Attack your own machine, and check whether Snort detects it or not.
64. Launch the Windows 10 virtual machine and log in.
65. Open the command prompt and issue the command ping 10.10.10.12 -t. Note: 10.10.10.12 is the IP address of the Windows Server 2012 machine. This IP address may differ in your lab environment.
FIGURE 1.24: Pinging the target machine from the Windows 10 machine
66. Switch back to the Windows Server 2012 machine. Observe that Snort triggers an alarm, as shown in the screenshot.
FIGURE 1.25: Snort alerts in the Command Prompt window
67. Press Ctrl+C to stop Snort. Snort exits.
FIGURE 1.26: Exiting Snort by pressing Ctrl+C
68. Go to the C:\Snort\log\10.10.10.10 folder, and open the ICMP_ECHO.ids file with Notepad++.
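With -A console, each alert Snort printed in step 66 is a single line: timestamp, [gid:sid:rev], message, classification, priority, protocol, and source -> destination. The Python below is an added example, not part of the lab manual or of Snort: it parses those console lines and reports which source kept sending ICMP echo requests, which is what the Windows 10 machine's ping 10.10.10.12 -t produces. SAMPLE_OUTPUT is constructed: thirty alerts from 10.10.10.10, one from a hypothetical second host 10.10.10.20, and the non-alert Commencing packet processing line that the parser must skip. The classification text Potentially Bad Traffic and priority 2 are what classtype:bad-unknown maps to in classification.config.

```python
"""Parse Snort console alerts (-A console) and triage repeated ICMP pings.

Added example, not part of the lab manual or of Snort. SAMPLE_OUTPUT is
constructed to look like the console Snort prints in this lab.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# One fast-alert line:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def _ping_alert(second, src):
    """Build one constructed alert line for the lab's ICMP rule (sid 472, rev 7)."""
    return (f"01/23-11:42:{second:02d}.000000  [**] [1:472:7] ICMP-INFO PING [**] "
            f"[Classification: Potentially Bad Traffic] [Priority: 2] {{ICMP}} "
            f"{src} -> 10.10.10.12")


# Constructed console output: the status line Snort prints first, then the alerts.
SAMPLE_OUTPUT = (["Commencing packet processing (pid=2616)"]
                 + [_ping_alert(s, "10.10.10.10") for s in range(30)]
                 + [_ping_alert(45, "10.10.10.20")])


def parse_alerts(lines):
    """Return a list of dicts, one per line that matches the fast-alert format."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # banner, status and rule-count lines are not alerts
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")  # year-less stamp
        for key in ("gid", "sid", "rev", "prio"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Count alerts per (source, destination, sid) so one noisy host stands out."""
    return Counter((a["src"], a["dst"], a["sid"]) for a in alerts)


def sustained_sources(alerts, sid=472, min_count=10, window=timedelta(seconds=30)):
    """Sources that produced at least min_count alerts for sid inside any window.

    A single echo request is routine; a host that keeps sending them, as the
    lab's 'ping -t' does, is what an analyst wants surfaced.
    """
    by_src = {}
    for a in alerts:
        if a["sid"] == sid:
            by_src.setdefault(a["src"], []).append(a["ts"])
    flagged = []
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_OUTPUT)
    for key, n in summarize(parsed).most_common():
        print(key, n)
    print("sustained:", sustained_sources(parsed))
```

To run it against a real session, save the console output of the command from step 56 to a file and pass open("alerts.txt").readlines() to parse_alerts; the threshold and window are arguments, so a quieter network can use a lower min_count.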
You see that all the log entries are saved in the ICMP_ECHO.ids file. Note: The folder name 10.10.10.10 might vary in your lab environment, depending on the IP address of the Windows 10 machine.
FIGURE 1.27: Saved Snort log
69. This means that whenever an intruder attempts to connect or communicate with the machine, Snort immediately triggers an alarm.
70. So, you can become alert and take security measures to break the communication with the organization's network.

Lab Analysis

Analyze and document the results of the lab exercise. Give your opinion on your target's security posture and exposure through free public information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB

Lab: Detecting Intruders and Worms using KFSensor Honeypot IDS

KFSensor is a Windows-based honeypot IDS.

Lab Scenario

Intrusion detection plays a key role in ensuring the integrity of a system's security. Network Intrusion Detection Systems (NIDSs) have long been the best method for identifying assaults. KFSensor is an NIDS that is easy to install and configure. No special hardware is required, and its efficient design enables it to run even on low-specification Windows machines. As a network administrator, you must possess sound knowledge of network IPSs and IDSs, identify malicious network activity and log information, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is to demonstrate the use and configuration of KFSensor Honeypot IDS.
In this lab, you will:
* Detect hackers and worms in a network
* Provide network security

Lab Environment

To complete this lab, you will need:
* KFSensor, located at Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\Honey Pot and Padded Cell System Tools\KFSensor
* KFSensor installed in Windows Server 2012
* MegaPing, located at Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\Honey Pot and Padded Cell System Tools\MegaPing
* MegaPing installed in Windows 10
* If you have decided to download the latest version of these tools, the screenshots may differ
* Administrative privileges to configure settings and run tools

Lab Duration

Time: 25 Minutes

Overview of the Lab

KFSensor contains a powerful internet daemon service that is built to handle multiple ports and IP addresses. It is written to resist denial-of-service and buffer-overflow attacks. Building on this flexibility, KFSensor can respond to connections in a variety of ways, from simple port listening and basic services (such as echo) to complex simulations of standard system services. For the HTTP protocol, KFSensor accurately simulates the way Microsoft's web server (IIS) responds to both valid and invalid requests. As well as being able to host a website, it also handles complexities such as range requests and client-side cache negotiation. This makes it extremely difficult for an attacker to fingerprint, or identify, KFSensor as a honeypot.

Lab Tasks

Note: Ensure that WinPcap is installed before running this lab. Before starting this lab, make sure that Windows Firewall is turned off in the Windows Server 2012 machine for demonstration purposes. After the completion of this exercise you can turn on the Windows Firewall. To turn off Windows Firewall, navigate to Control Panel, click Windows Firewall, and in the Windows Firewall window click the Turn Windows Firewall on or off link on the left-hand side. The Customize Settings window appears; select the Turn off Windows Firewall (not recommended) radio button for both profiles and click OK.

TASK 1: Configure KFSensor

1. Log into the Windows Server 2012 virtual machine.
2. Navigate to Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\Honey Pot and Padded Cell System Tools\KFSensor, double-click kfsens40.msi, and follow the wizard-driven installation steps to install KFSensor. Note: If it prompts you to reboot the system after installation, reboot the virtual machine.
3. Once the installation is finished, make sure that the Launch KFSensor option is checked and click Finish to launch KFSensor automatically.
FIGURE 2.2: Launching KFSensor
4. On the first launch of KFSensor, the setup wizard appears; click Next. The wizard guides you through a number of steps to configure your sensor, and all of these settings can be modified later.
5. Uncheck all the ports with active native services to include, and click Next. The wizard explains that these ports are currently running native services: checking a port lets KFSensor monitor the activity of the existing service (the recommended option for sensors located within an organization's network), whereas unchecking a port lets KFSensor monitor the port directly (the recommended option for a sensor exposed directly to the internet via a public IP address).
6. If you want to send KFSensor alerts by email, specify the email address details; otherwise leave the fields empty. Click Next.
FIGURE 2.4: KFSensor Email Alerts
7. Click Finish to complete the setup.
FIGURE 2.5: KFSensor Setup Finished
8. The KFSensor main window appears. It displays the ID, Protocol, Error, Visitor, and Received columns automatically when it starts. In the window, all the nodes in the left block crossed with blue lines are the ports currently in use.
9. Launch the Command Prompt from the Apps screen.
10. In the command prompt, type netstat -an and press Enter.
11. This will display a list of listening ports.
FIGURE 2.7: Command Prompt with netstat -an

TASK 2: Configure MegaPing

12. Log into the Windows 10 virtual machine as a local Administrator.
13. Navigate to Z:\CND-Tools\CND Module 08 Secure IDS Configuration and Management\Honey Pot and Padded Cell System Tools\MegaPing, double-click megaping_setup.exe, and follow the wizard-driven installation steps to install MegaPing.
14. Once the installation is completed, make sure the Launch the program option is checked and then click Finish, so that MegaPing launches automatically.
FIGURE 2.8: Launching MegaPing in Windows 10
15. The About MegaPing pop-up appears; click I Agree to continue.
FIGURE 2.9: MegaPing License Agreement
FIGURE 2.10: MegaPing Main Window
17. Select Port Scanner in the left pane.
18. Enter the IP address of the Windows Server 2012 machine (10.10.10.12) in the Destination Address List field and click Add.
FIGURE 2.11: MegaPing Port Scanner
19. Check the IP address in the Host section, and click the Start button to start listening to the traffic on 10.10.10.12. Note: This IP address may vary in your lab environment.
FIGURE 2.12: Beginning the scan on 10.10.10.12
20. The image below shows the identification of Telnet on port 23.
21. MegaPing begins to scan for open ports and displays a list of ports.
22. You can observe Telnet on port 23, which allows hackers to connect to a remote machine through Telnet.
FIGURE 2.13: MegaPing Telnet Port

TASK 4: Analyze the Result

23. Now, switch back to the Windows Server 2012 virtual machine. Observe that KFSensor has detected that port 23 is open.
24. Seeing this port open, you can take proper security measures to close the port.
FIGURE 2.14: Telnet port open, detected in KFSensor
25. The image below displays the data of a Death Trojan on port 2. Seeing this port open, a network administrator can add a firewall rule to block port 2, thereby securing the system from being affected by the Death Trojan.

Lab Analysis

Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB
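The netstat -an listing from step 10 shows every listening socket on the server, including the ports KFSensor itself has started to emulate, so the useful question for an administrator is which listeners are not on the server's expected list; in this lab both MegaPing and KFSensor single out Telnet on port 23. The Python below is an added example, not part of the lab manual, KFSensor or MegaPing: it parses the Windows netstat -an output format and flags listening TCP ports that are absent from a baseline. SAMPLE_NETSTAT is constructed, and EXPECTED_TCP_LISTENERS (RPC, SMB and Remote Desktop) is an assumed baseline for this example, not a value from the lab.

```python
"""Parse Windows 'netstat -an' output and flag listeners missing from a baseline.

Added example, not part of the lab manual or of KFSensor/MegaPing.
SAMPLE_NETSTAT is constructed; EXPECTED_TCP_LISTENERS is an assumed baseline.
"""

SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.10.10.12:3389       10.10.10.5:51234       ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    [::1]:1900             *:*
"""

# Assumed baseline for this example: RPC, SMB and Remote Desktop are expected.
EXPECTED_TCP_LISTENERS = {135, 445, 3389}


def _split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); IPv6 addresses are bracketed."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else None  # '*:*' has no numeric port


def parse_netstat(text):
    """Return one dict per socket line: proto, local/foreign endpoint, state."""
    sockets = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # blank lines, 'Active Connections' and the column header
        local_addr, local_port = _split_endpoint(parts[1])
        foreign_addr, foreign_port = _split_endpoint(parts[2])
        sockets.append({
            "proto": parts[0],
            "local_addr": local_addr, "local_port": local_port,
            "foreign_addr": foreign_addr, "foreign_port": foreign_port,
            "state": parts[3] if len(parts) > 3 else "",  # UDP lines print no state
        })
    return sockets


def tcp_listeners(sockets):
    """Distinct TCP ports in LISTENING state, whatever address they are bound to."""
    return sorted({s["local_port"] for s in sockets
                   if s["proto"] == "TCP" and s["state"] == "LISTENING"})


def unexpected_listeners(sockets, expected=EXPECTED_TCP_LISTENERS):
    """Listening TCP ports absent from the baseline (Telnet on 23 in this lab)."""
    return [p for p in tcp_listeners(sockets) if p not in expected]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", tcp_listeners(socks))
    print("unexpected:", unexpected_listeners(socks))
```

Capture the baseline before KFSensor is started, so that the emulated ports show up afterwards as the honeypot's own listeners rather than as surprises; a port that appears in the unexpected list and is not one KFSensor emulates is the one to investigate and, as in step 25, to block with a firewall rule.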
