NETWORK SECURITY AND LOG ANALYSIS LAB MANUAL

INDEX

Sr. No. / Practical / Page No.
1. Perform a live network traffic capture using Wireshark, from running the application to saving the file / 4-9
2. Identify the following using Wireshark on the given pcap file (traffic.pcap) / 10-13
3. Perform DoS attack using LOIC and capture in Wireshark / 14-19
4. Make a script to scan the target (using any programming language such as Python, Ruby or others) / 20-23
5. Use of tcpdump tool for capture and analysis of live network traffic / 24-31
6. Perform Man in The Middle attacks using Ettercap / 32-55
7. Use of NetworkMiner for capture and analysis of network traffic / 56-57
8. Use tshark to capture live network traffic / 58-61
9. Install and configure Snort and write rules to generate alerts / 62-75
10. Install and configure Checkmk and add host for monitoring / 76-92
11. Zabbix: Infrastructure Monitoring Tool / 93-100
12. Security Onion: Enterprise Security Monitoring and Log Management tool / 101-109
13. Kibana: Search and Data Visualization tool in Elastic Stack / 110-115

Practical No: 01
Aim: Perform a live network traffic capture using Wireshark from running the application to saving the file
1.1. Tools Used: Wireshark
1.2. Theory: Wireshark is a software tool used to monitor the network traffic passing through a network interface. It is the most widely used network monitoring tool today. Wireshark is used by system administrators, network engineers, network enthusiasts, network security professionals and black hat hackers.
1.3. Steps:
1.3.1. Download and install Wireshark from the official website: https://www.wireshark.org/
1.3.2. Run the Wireshark application as administrator so that Wireshark can get all the required permissions and resources.
Fig 1.1: Run Wireshark as administrator
1.3.3.
Select the interface from which we want to capture the network traffic. In this case, select Wi-Fi, as the PC is connected to the internet using Wi-Fi.
Fig 1.2: Network Interfaces
1.3.4. Double click the interface name (Wi-Fi) to start capturing the network traffic.
Fig 1.3: Packet capture started
1.3.5. Live network traffic is shown in the packet list, which is organized into columns: number, time, source, destination, protocol, length and info. Click a packet to see its TCP/IP layer-wise details in the lower-left pane and its hexadecimal representation in the lower-right pane.
Fig 1.4: Layer-wise details of captured packet
1.3.6. Use the filter bar to apply display filters that select packets by protocol or IP address, for example:
tcp.stream eq 1 : shows the first TCP handshake
arp : shows ARP packets
dns : shows DNS packets
ip.src == <address> : shows packets sent from the given source address
ip.src == <address> && ip.dst == <address> : shows packets from the given source to the given destination
1.3.7. To save the captured network traffic, click on File > Save As...
1.3.8. Select the destination folder where the file is to be saved, provide a file name, and click Save.
Fig 1.7: Select destination and save pcap file
1.3.9. The captured traffic is saved as traffic_capture.pcapng.

Practical No: 02
Aim: Identify the following using Wireshark from the given pcap file (traffic.pcap):
1. Nature of attack
2. Name of attack
3. IP of attacker
4. IP of victim
5. Reason of attack
2.1. Tools Used: Wireshark
2.2. Steps:
2.2.1.
Open the traffic.pcap file using Wireshark. The following network traffic will be displayed. Observe all the packets carefully: all the IP addresses involved in this communication belong to the same IP class, so it is an internal type of attack.
Fig 2.1: Overview of traffic.pcap in Wireshark
2.2.2. To identify the first TCP handshake between attacker and target, apply the filter "tcp.stream eq 1".
Fig 2.2: Filter: tcp.stream eq 1
2.2.3. Apply the filter "arp" and observe the ARP packets being sent to the IP address range 192.168.97.0/24. Such a large number of ARP packets indicates ARP flooding (ARP broadcast).
Fig 2.3: ARP broadcast
2.2.4. Apply the filter "tcp" and observe that a large number of SYN packets are being sent from the attacker to the target, and the target is sending back RST-ACK packets. This indicates a TCP SYN flooding attack, which leads to Denial of Service (DoS).
Fig 2.4: TCP SYN flooding
2.2.5. Apply the filter "irc" to see the communication between the two attackers (192.168.97.4, 192.168.97.101) using Internet Relay Chat.
- The IRC protocol is designed for short communications.
- Most messages are 20 words or less.
- Communication is usually very quick and informal.
Fig 2.5: Filter - irc
2.2.6. The filter "ip.addr==192.168.97.41" shows that TCP SYN flooding is being done by
Fig 2.7: Filter - ip.addr==192.168.97.41
2.2.7. The filter "icmp" shows that the ICMP protocol is enabled on this network, so all the connected systems are vulnerable to a flooding attack.
Risks:
- ICMP enables a compromised device to secretly communicate with an attacker, receiving commands or exfiltrating data.
- An ICMP flood, a ping of death, or a Smurf attack can shut down a network through a distributed denial of service (DDoS).
Fig 2.8: Filter - icmp
1. Nature of attack - Internal attack (LAN)
2. Name of attack - ARP broadcast/flooding, TCP SYN flood DoS
3. IP of attacker/intruder - 192.168.97.4, 192.168.97.101
4. IP of victims - ARP flooding: 192.168.97.0/24, SYN flooding: 192.168.97.41
5. Reason for attack - ICMP enabled

Practical No: 03
Aim: Perform DoS attack using LOIC and capture in Wireshark
3.1. Tools Used: LOIC (Low Orbit Ion Cannon), Wireshark
3.2. Theory: Low Orbit Ion Cannon (LOIC) is a widely available, open-source application developed by Praetox Technologies, used for network stress testing as well as denial of service (DoS) and distributed denial of service (DDoS) attacks.
- DDoS perpetrators use LOIC to flood target systems with junk TCP, UDP and HTTP GET requests.
- A single LOIC user is unable to generate enough requests to significantly impact a target.
- For an attack to succeed, thousands of users must coordinate and simultaneously direct traffic to the same network.
3.3. Steps:
3.3.1. Download the LOIC zip file from www.sourceforge.net and extract it to get LOIC.exe.
3.3.2. To run LOIC.exe, add it to the Exclusions of the antivirus software.
Fig 3.1: Add LOIC.exe to Antivirus Exclusions
3.3.3. Run LOIC.exe as administrator.
Fig 3.2: Run LOIC.exe as administrator
3.3.4. LOIC interface:
Fig 3.3: LOIC interface
3.3.5. Get the IP address of the target machine (ifconfig on the Kali VM).
Fig 3.4: ifconfig
3.3.6. Get the IP address of the local machine (ipconfig).
3.3.7.
Enter the target IP address, select the attack type (TCP/UDP/HTTP) and click on "IMMA CHARGIN MAH LAZER" to start the attack.
Fig 3.6: LOIC target locked
Attack started:
Fig 3.7: LOIC attack started
3.3.8. Open Wireshark on the target machine and apply the filter "ip.addr==<attacker IP>". We can see the TCP SYN flooding in the network traffic from the attacker (10.0.2.4) to the target (10.0.2.5).
3.3.9. SYN flag set to 1 (Attacker to Target)
Fig 3.9: SYN flag
3.3.10. RST and ACK flags set to 1 (Target to Attacker)
Fig 3.10: RST-ACK flags

Practical No: 04
Aim: Make a script to scan the target (using any programming language such as Python, Ruby or others)
4.1. Tools Used: Python on Kali Linux
4.2. Benefit of using a manual script over automated tools like Nmap:
- A manual script can be modified and configured as per the need of the user, so we can add specific features to the script according to our purpose.
- Automated tools cannot be modified unless they are open-source, which limits the flexibility of the tool.
4.3. Steps:
4.3.1. Use the nano editor to create a shell script named "host-IP-resolver.sh".
Fig 4.1: Linux nano editor
4.3.2. Write the script as shown below:
Fig 4.2: Writing script (GNU nano 7.2, host-IP-resolver.sh)
4.3.3. Make the script executable with the following commands:
$ chmod +x host-IP-resolver.sh
$ ll | grep host-IP-resolver.sh
-rwxr-xr-x 1 kali kali 107 Mar 21 00:04 host-IP-resolver.sh
Fig 4.3: Make script executable
4.3.4. Run the script and provide a domain name or IP address as its argument. Output is shown below (resolving rru.ac.in prints its IPv4 address; resolving 142.250.183.206 prints its reverse lookup):
$ ./host-IP-resolver.sh 142.250.183.206
206.183.250.142.in-addr.arpa    name = bom07s33-in-f14.1e100.net.
Authoritative answers can be found from:
Fig 4.4: Executing the script
4.4. Script to scan open ports:
4.4.1. Use the nano editor to write the Python script network-scanner.py:
Fig 4.5: Nano editor
4.4.2. Write the Python script as shown below. The screenshot is only partly legible, so the script is reproduced here with the port range assumed as 1-1024, a one-second timeout added so that filtered ports do not stall the scan, and the comparison written as "conn == 0" (the screenshot's "if(conn = 0)" would be a syntax error):

    #!/usr/bin/env python3
    # network-scanner.py: TCP connect scan of one host, port by port
    from socket import *
    import time

    startTime = time.time()
    target = input('Enter the host to be scanned: ')
    t_IP = gethostbyname(target)          # resolve a hostname to its IP address
    print('Starting scan on host:', t_IP)

    for i in range(1, 1025):              # port range assumed; not legible in the screenshot
        s = socket(AF_INET, SOCK_STREAM)
        s.settimeout(1)                   # give up on ports that never answer
        conn = s.connect_ex((t_IP, i))    # 0 means the TCP handshake completed
        if conn == 0:
            print('Port %d: OPEN' % (i,))
        s.close()

    print('Time taken:', time.time() - startTime)

Fig 4.6: Writing python script
4.4.3. Save the Python script and make it executable:
$ chmod +x network-scanner.py
$ ll | grep network-scanner.py
-rwxr-xr-x 1 kali kali 451 Mar 20 23:30 network-scanner.py
Fig 4.7: Make python script executable
4.4.4. Get the IP address of the target machine (Metasploitable2) with ifconfig.
Fig 4.8: Get IP address of target
4.4.5. Run the Python script and provide the target IP. Output is shown below:
$ ./network-scanner.py
Enter the host to be scanned: 10.0.2.6
Starting scan on host: 10.0.2.6
...
Port 111: OPEN
Port 139: OPEN
...
Fig 4.9: Result of python script

Practical No: 05
Aim: Use of tcpdump tool for capture and analysis of live network traffic
5.1.
Tools Used: tcpdump on Kali Linux
5.2. Theory:
- tcpdump is a tool used to capture data packets and for network traffic analysis.
- It is similar to Wireshark, but it is a CLI (Command Line Interface) tool.
- It is useful on operating systems where a GUI (Graphical User Interface) is not available, e.g. Metasploitable2, Linux servers, Windows servers, etc.
5.3. Steps:
5.3.1. To install tcpdump: sudo apt install tcpdump
tcpdump -D : shows all available network interfaces (e.g. eth0, any, lo [Loopback], bluetooth-monitor, dbus-system)
Fig 5.1: tcpdump -D
tcpdump -i eth0 : to capture network traffic from the Ethernet interface
tcpdump -i lo : to capture network traffic from the loopback interface
Fig 5.3: tcpdump -i lo
tcpdump -i any : to capture network traffic from all available network interfaces
Fig 5.4: tcpdump -i any
tcpdump -i eth0 -c N : to capture N packets (-c = count of packets, N = number)
Fig 5.5: tcpdump -i eth0 -c
tcpdump -i eth0 -A : to display output in ASCII format
Fig.
5.6: tcpdump -i eth0 -A
tcpdump -i eth0 -XX : to display output in ASCII and hexadecimal format
tcpdump -i eth0 host <IP> : to capture network traffic of a specific IP address
tcpdump -i eth0 net 12.10.9.0/24 : to capture network traffic of a specific network
Fig 5.9: tcpdump -i eth0 net 12.10.9.0/24
tcpdump -i eth0 <protocol> : to capture packets of the given network protocol, e.g. tcpdump -i eth0 udp
Fig 5.11: tcpdump -i eth0 udp
tcpdump -i eth0 src <IP> : to capture network traffic originating from the specified IP address
tcpdump -i eth0 dst <IP> : to capture network traffic destined for the specified IP address
Fig 5.13: tcpdump -i eth0 dst
tcpdump -i eth0 port <port> : to capture network traffic of the specified port
Fig 5.14: tcpdump -i eth0 port
tcpdump -i eth0 -v : to display output in verbose format
tcpdump -i eth0 -w <file> : to write the captured network traffic to a file
Fig 5.16: tcpdump -i eth0 -w
tcpdump -i eth0 -r <file> : to read captured network traffic from a file
Fig 5.17: tcpdump -i eth0 -r
tcpdump -i eth0 less 64 : to capture packets of size below 64 bytes
tcpdump -i eth0 greater <N> : to capture packets of size above N bytes
Fig 5.19: tcpdump -i eth0 greater

Practical No: 06
Aim: Perform Man in The Middle (MiTM) attacks using Ettercap.
Tools Used: Ettercap, Yersinia, Wireshark, Windows VM (victim), Kali VM (attacker)
Theory:
- Ettercap is a free and open-source tool used to perform Man in The Middle attacks.
- It carries out attacks such as ARP poisoning, DNS spoofing, ICMP redirect and DHCP spoofing to sniff the network traffic flowing from client to server.
- Yersinia is a free and open-source tool used to carry out a DHCP starvation attack by sending continuous DHCP DISCOVER packets to the router.
Procedure:
6.1. ARP Poisoning: In ARP poisoning, the attacker injects fake ARP entries into the ARP table of the victim, which causes all the network traffic to pass through the attacker's machine instead of the router.
6.1.1. Create a NAT Network and add the victim VM and the attacker VM to the same network.
Fig 6.1.1: NAT Network
6.1.2. Check the IP address of the victim with the 'ipconfig' command:
IPv4 Address. . . . : 10.0.2.4
Subnet Mask . . . . : 255.255.255.0
Default Gateway . . : 10.0.2.1
Fig 6.1.2: Victim's IP
6.1.3. Start Ettercap in GUI mode (Graphical User Interface) with the following command: sudo ettercap -G (ettercap 0.8.3.1)
Fig 6.1.3: Start Ettercap
6.1.4. Start Unified Sniffing to start monitoring the network traffic.
Fig 6.1.4: Unified Sniffing
6.1.5. Scan the whole subnet for active hosts in the network.
6.1.6. We will get the active host list.
Fig 6.1.6: Host list
6.1.7. Add the victim IP to Target 1 and the router IP to Target 2.
Fig 6.1.7: Targets
6.1.8. Click on MiTM and select ARP Poisoning.
Fig 6.1.8: ARP Poisoning
6.1.9. Select "Sniff remote connections" and click OK.
6.1.10. Open View > Connections.
Fig 6.1.10: View Connections
6.1.11. The connections list is shown below.
Fig 6.1.11: Connections
6.1.12.
If we open Wireshark on the victim machine and analyze the network traffic, we can see multiple ARP probes by the attacker for ARP poisoning.
Fig 6.1.12: ARP Broadcast sent by attacker
6.1.13. Fake ARP reply sent by the attacker:
Fig 6.1.13: Fake ARP Reply
6.1.14. The fake ARP reply packet details show the attacker's MAC address paired with the router's IP address:
Address Resolution Protocol (reply)
  Hardware type: Ethernet (1)
  Protocol type: IPv4 (0x0800)
  Hardware size: 6
  Protocol size: 4
  Opcode: reply (2)
  Sender MAC address: PcsCompu_be:43:49 (08:00:27:be:43:49)
  Sender IP address: 10.0.2.1
  Target MAC address: PcsCompu_c2:7e:e4 (08:00:27:c2:7e:e4)
  Target IP address: 10.0.2.4
Fig 6.1.14: Fake ARP Reply
6.1.15. Examine the ARP table with the "arp -a" command on the victim's machine. The attacker's MAC address is mapped to the router's IP address:
Interface: 10.0.2.4 --- 0x4
  Internet Address      Physical Address      Type
  10.0.2.1              08-00-27-be-43-49     dynamic
  ...                   08-00-27-90-a2-e0     dynamic
  ...                   08-00-27-be-43-49     dynamic
  ...                   ff-ff-ff-ff-ff-ff
Fig 6.1.15: ARP table of victim
6.1.16. For testing purposes, open any HTTP website and log in with some credentials (here: a "Login Test" page with username "test").
Fig 6.1.16: Login test on HTTP
6.1.17. In the Connections tab, look for port 80 (HTTP) and examine the packet content of the idle connection.
Fig 6.1.17: Connections of victim
6.1.18. We have successfully captured the credentials using ARP poisoning and the MiTM attack.
Fig 6.1.18: Captured Credentials
6.2. DNS Spoofing: In DNS spoofing, the attacker maps domain names to malicious IP addresses instead of the legitimate IP addresses of the original servers, so all the network traffic intended for the legitimate website gets redirected to the attacker's malicious IP address.
6.2.1.
Go to the Plugins tab and select the dns_spoof plugin.
Fig 6.2.1: dns_spoof plugin
6.2.2. Edit the etter.dns file and add domain names mapped to the attacker's IP address, so that those domains will redirect to the attacker's IP address (A specifies an IPv4 address record).
Fig 6.2.2: etter.dns
6.2.3. The attacker has hosted a fake website ("Your account is hacked"), so the victim is redirected to the attacker's website.
Fig 6.2.3: Redirect to attacker's website
6.2.4. Ettercap shows entries of successful DNS spoofing (dns_spoof: [google.com] spoofed to the attacker's address).
Fig 6.2.4: DNS spoofed
6.2.5. Examine the network traffic using Wireshark and we will see the DNS request getting a DNS response with the attacker's IP address.
Fig 6.2.5: DNS query
6.2.6. The DNS query response for the spoofed domain is shown below:
Fig 6.2.6: DNS query response
6.3. ICMP Redirect: In an ICMP redirect attack, the attacker provides an alternative path for the network traffic by sending ICMP redirect packets; the router assumes it is a better path (less latency and more bandwidth), so all the network traffic passes through the attacker's machine.
6.3.1. Get the router's MAC address by scanning the whole subnet for the Host List.
Fig 6.3.1: MAC of Router
6.3.2. Select ICMP redirect from the MiTM tab.
Fig 6.3.2: ICMP redirect
6.3.3.
Enter the MAC address and IP address of the router.
6.3.4. Start the attack (Ettercap log: "Lua: no scripts were specified, not starting up!").
Fig 6.3.4: ICMP
6.3.5. Analyze the network traffic for ICMP redirect using Wireshark.
Fig 6.3.5: ICMP redirect traffic
6.3.6. ICMP redirected to 10.0.2.8 (attacker's IP).
Fig 6.3.6: ICMP redirected to attacker
6.4. DHCP Spoofing: In a DHCP spoofing attack, the attacker first consumes the IP address pool of the DHCP server by a DHCP starvation attack (sending fake DHCP DISCOVER packets). Then the attacker sets up his/her own malicious IP address pool and assigns IP addresses to clients. Once a malicious IP address is assigned to a client, all the network traffic passes through the attacker's machine.
6.4.1. Select DHCP spoofing in the MiTM tab.
Fig 6.4.1: DHCP spoofing
6.4.2. Install the Yersinia tool for the DHCP starvation attack: sudo apt install yersinia
Fig 6.4.2: Install yersinia
6.4.3. Run Yersinia in GUI mode: sudo yersinia -G
Fig 6.4.3: Run yersinia
6.4.4. Go to the DHCP tab in Yersinia and click Launch attack.
Fig 6.4.4: DHCP flooding
6.4.5. Select "sending DISCOVER packet" and click OK to launch the DHCP starvation.
Fig 6.4.5: DHCP DISCOVER
6.4.6.
DHCP DISCOVER packets are being sent to consume the available IP addresses of the DHCP server (Yersinia lists a stream of DISCOVER packets to 255.255.255.255 on eth0).
Fig 6.4.6: DHCP DISCOVER traffic
6.4.7. Run Ettercap and select the DHCP spoofing attack.
Fig 6.4.7: Start DHCP spoofing
6.4.8. Check the IP address of the attacker's machine with the 'ip a' command.
Fig 6.4.8: IP address of attacker
6.4.9. Enter the IP Pool and Netmask used to allocate fake IP addresses to victims, and the IP address of the attacker as the DNS Server IP.
Fig 6.4.9: MITM Attack
6.4.10. DHCP spoofing is started with the attacker's IP as the DNS server.
Fig 6.4.10: DHCP spoofing started
6.4.11. Check the IP address of the victim's machine before DHCP spoofing:
IPv4 Address. . . . : 10.0.2.9
Subnet Mask . . . . : 255.255.255.0
Default Gateway . . : 10.0.2.1
Fig 6.4.11: IP address of victim before attack
6.4.12. Analyze the network traffic for the DHCP DORA process in Wireshark. The DHCP Offer and the DHCP Request carry Transaction ID 0x45455b11; the DHCP ACK decodes as:
Dynamic Host Configuration Protocol (ACK)
  Message type: Boot Reply (2)
  Hardware type: Ethernet (0x01)
  Hops: 0
  Seconds elapsed: 12
  Client IP address: 0.0.0.0
  Your (client) IP address: 10.0.2.12
  Next server IP address: 10.0.2.8
  Relay agent IP address: 0.0.0.0
Fig 6.4.12: DHCP DORA process
6.4.13. DHCP spoofing is successful: the attacker sends a fake ACK and assigns a fake IP address.
Fig 6.4.13: Fake ACK
6.4.14. Check the IP address of the victim after DHCP spoofing. A new IP address has been allocated by the attacker posing as the DNS server:
IPv4 Address. . . . : 10.0.2.12
Subnet Mask . . . . : 255.255.255.0
Default Gateway . . : 10.0.2.8
Fig 6.4.14: IP of victim after attack

Practical No: 07
Aim: Use of NetworkMiner for capture and analysis of network traffic
Tools Used: NetworkMiner
Theory:
- NetworkMiner is an open source network forensics tool that extracts artifacts, such as files, images, emails and passwords, from captured network traffic in PCAP files.
- NetworkMiner can also be used to capture live network traffic by sniffing a network interface.
- Detailed information about each IP address in the analyzed network traffic is aggregated into a network host inventory, which can be used for passive asset discovery as well as to get an overview of which devices are communicating.
- NetworkMiner is primarily designed to run on Windows, but can also be used on Linux.
Procedure:
7.1. Open NetworkMiner and click on Start. For OS fingerprinting, go to the Hosts tab and double click on the target IP address; the OS entry shows the fingerprinting of the OS using databases from Satori.
7.2. You can sort hosts by IP address, MAC address, hostname, etc.
Fig 7.2: Sort Hosts
7.3. Go to the Sessions tab to get the details about a session captured by NetworkMiner.
Fig 7.3: Sessions
7.4. In the DNS tab, you can filter the results by a specific keyword (example: hotmail).
Fig 7.4: Filter keyword - hotmail
7.5. In the Anomalies tab, you can see the malicious behaviour detected by NetworkMiner (here: possible ARP spoofing detected).
Fig 7.5: Anomalies

Practical No: 08
Aim: Use the tshark command-line tool to capture live network traffic
Tools Used: tshark
Theory:
- TShark is a command-line interface (CLI) based network protocol analyzer.
- It is used to capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.
Procedure: To install tshark enter the following command: sudo apt install tshark
8.1.
tshark -D lists all the network interfaces available to tshark:
$ tshark -D
eth0
lo (Loopback)
bluetooth-monitor
nflog
...
ciscodump (Cisco remote capture)
dpauxmon (DisplayPort AUX channel monitor capture)
randpkt (Random packet generator)
sdjournal (systemd Journal Export)
sshdump (SSH remote capture)
udpdump (UDP Listener remote capture)
wifidump (Wi-Fi remote capture)
Fig 8.1: tshark -D
8.2. To capture network traffic from the Ethernet interface: tshark -i eth0
8.3. To write the captured traffic to a file: tshark -i eth0 -w capture.pcap
Fig 8.3: tshark -i eth0 -w capture.pcap
8.4. To read network traffic from the captured pcap file: tshark -r capture.pcap
Fig 8.4: tshark -r capture.pcap
8.5. To capture network traffic for a specified duration (10 seconds): tshark -i eth0 -a duration:10
Fig 8.5: tshark -i eth0 -a duration:10
8.6. To capture the first 10 packets (count = 10): tshark -i eth0 -c 10
Fig 8.6: tshark -i eth0 -c 10
8.7. To capture network traffic from a specific host (10.0.2.8): tshark -i eth0 -f "host 10.0.2.8"
8.8. To capture only ICMP packets: tshark -i eth0 -f "icmp"
Fig 8.8: tshark -i eth0 -f "icmp"
8.9. To capture network traffic of port 80: tshark -i eth0 -f "port 80"

Practical No: 09
Aim: Install and configure Snort and write rules to generate alerts
9.1. Tools Used: Snort
9.2. Theory: Snort is a powerful open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that provides real-time network traffic analysis and data packet logging. Snort uses a rule-based language that combines anomaly, protocol, and signature inspection methods to detect potentially malicious activity.
Using Snort, network admins can spot denial-of-service (DoS) attacks and distributed DoS (DDoS) attacks, buffer overflows, and stealth port scans. Snort creates a series of rules that define malicious network activity, identify malicious packets, and send alerts to users. Snort is a free-to-use open-source piece of software that can be deployed by individuals and organizations. The Snort rule language determines which network traffic should be collected and what should happen when it detects malicious packets. Snort can be used in the same way as sniffers and network intrusion detection systems to discover malicious packets, or as a full network IPS solution that monitors network activity and detects and blocks potential attack vectors.
9.3. Features:
* Real-time Traffic Monitoring
* Packet Logging
* Protocol Analysis
* Content Matching
* OS Fingerprinting
* Rules Are Easy to Implement
9.4. Procedure:
9.4.1. To install Snort enter the following command: sudo apt install snort (before installing any tool, update the repository with "sudo apt update").
Fig 9.4.1: Installation of Snort
9.4.2. Enter the "ip a" command to get the IP address of your machine.
Fig 9.4.2: IP address of local machine
9.4.3. Set HOME_NET in /etc/snort/snort.debian.conf to the network which you want to monitor.
9.4.4. Verify the setting:
sudo cat /etc/snort/snort.debian.conf | grep HOME_NET -A 2 -B 2
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="10.0.2.252/24"
9.4.5.
Edit /etc/snort/snort.conf. To use only the local rules written by us, remove the comment character from the line "include $RULE_PATH/local.rules" and comment out all the other "include $RULE_PATH/..." lines.
Fig 9.4.5: snort.conf
9.4.6. Comment out the unified2 output line, so that alerts are not written in the binary unified2 format:
# output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Fig 9.4.6: snort.conf
9.4.7. Start Snort as a service:
sudo systemctl start snort
9.4.8. Write a first rule in /etc/snort/rules/local.rules that alerts on every IP packet sent to the home network:
alert ip any any -> $HOME_NET any (msg:"<your message>"; sid:1000001; rev:1;)
The "ip" protocol keyword matches every IP packet, so the ICMP echo replies produced by the ping in step 9.4.10 trigger it; use icmp instead of ip to restrict the rule to ICMP. Local rules must use a sid of 1000000 or higher so that they do not collide with the sids of the official rule sets, and Snort must be restarted after every change to a rule file.
9.4.9. Restart Snort:
sudo systemctl restart snort
Fig 9.4.9: Restart snort
9.4.10. Ping any website to receive ICMP echo reply packets:
ping google.com
Fig 9.4.10: ping google.com
9.4.11. Run Snort in console mode to show the alerts on the terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i <interface>
(-A console prints alerts to stdout, -q suppresses the banner and statistics, -u and -g drop privileges to the snort user and group, -c names the configuration file and -i the interface chosen at install time.) The alerts are also written to the snort.alert.fast file in /var/log/snort.
Fig 9.4.11: Snort console alerts
9.4.12. Write a rule to detect an Xmas scan (TCP packets with only the FIN, PSH and URG flags set) against your machine:
alert tcp any any -> $HOME_NET any (msg:"XMAS Scan"; flow:stateless; flags:FPU; sid:1000002; rev:1;)
flow:stateless matches packets regardless of TCP session state, which is needed because a scan never completes a handshake; flags:FPU matches only when exactly those three flags are set.
Fig 9.4.12: Rule to detect Xmas scan
9.4.13. Run ifconfig to check the local IP address (10.0.2.253).
9.4.14. From the attacker machine run an Xmas scan against it:
sudo nmap -sX 10.0.2.253
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-29 10:51 IST
Nmap scan report for 10.0.2.253
Host is up (0.00041s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp open|filtered ssh
MAC Address: 08:00:27:3D:A9:8D (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
An Xmas scan gets no reply from open or filtered ports, which is why nmap reports them as open|filtered; only closed ports answer with a RST.
9.4.15. Run the Snort console again to show the alerts; one "XMAS Scan" alert is raised for every probe packet of the scan.
Fig 9.4.15: Snort console alerts
Fig 9.4.16: snort.alert.fast
9.4.17. Write a rule to detect access to the admin page on your web server:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"warning access /admin"; content:"/admin"; classtype:web-application-activity; sid:1000003; rev:1;)
content matches the byte string "/admin" anywhere in the packet payload (case-sensitive unless nocase is added); adding the http_uri modifier after the content option restricts the match to the normalised request URI. In the stock snort.conf EXTERNAL_NET is "any", so requests from inside the home network also trigger this rule; set "ipvar EXTERNAL_NET !$HOME_NET" to alert only on outside clients.
Fig 9.4.17: Rule to detect admin page access
9.4.18. Start Apache to host a local web server and check that it is running:
sudo systemctl start apache2
sudo systemctl status apache2
Fig 9.4.18: Start apache2 server
9.4.19. Try to access the admin page of the hosted web server from a browser (http://10.0.2.253/admin); a 404 response is enough, because the rule matches the request, not the response.
Fig 9.4.19: Access admin page
9.4.20. Run the Snort console to show the alerts:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i <interface>
Fig 9.4.20: Snort console alerts
9.4.21. Check the status of the SSH daemon:
sudo systemctl status ssh
Fig 9.4.21: SSH status
9.4.22. Write a rule to detect SSH brute force attempts:
alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; threshold:type threshold, track by_src, count 3, seconds 60; classtype:attempted-dos; sid:1000004; rev:1;)
threshold:type threshold with count 3 and seconds 60 raises one alert for every third matching packet from the same source address (track by_src) within 60 seconds. As written the rule counts every packet sent to port 22, so a single legitimate SSH session also reaches the count; add flags:S so that only new connection attempts are counted. The threshold rule option is deprecated in Snort 2.9 in favour of detection_filter, which takes the same track, count and seconds arguments.
Fig 9.4.22: Rule to detect SSH Brute Force
9.4.23. Create lists of usernames and passwords (user.txt and pass.txt) and check them with cat.
tx’ Er Lri} ie alive ra prey pes Sri ak (recy eae eran ts ECU cee) eee BRAD LLY Bee iL) pein rd User list and password list 9.4.24, Run hydra to perform SSH Brute Force attack on target era fl Soares, oie 74 NETWORK SECURITY AND LOG ANALYSIS LAB MANUAL 9.4.25. Run snort console to show generated alerts of SSH Brute Force Attack Fig 9.4.25: snort console alerts 75 NETWORK SECURITY AND LOG ANALYSIS LAB MANUAL rk 10 Aim: Install and configure checkmk and add host for monitoring. 10.1. Tools Use : Checkmk 10.2. Theory: Checkmk is the IT monitoring platform which is scalable, automated and extensible. It is used to gain a complete view of your entire IT infrastructure: from public cloud providers, to your data centers, across servers, networks, containers, and more. Checkmk enables ITOps and DevOps teams to run your IT at peak performance. Working of Checkmk: © The heart of the Checkmk platform is the High Performance Core, designed to scale up to millions of services monitored while still retaining a small footprint. * Its REST API and many automations, such as the auto-registration of hosts, take manual work off your IT team’s shoulders. * Checkmk not only monitors everything that powers your business, but also keeps it secure, thanks to granular access control, encryption, and 2FA. Features of Checkmk: 1. Monitor everything Monitor your hybrid IT infrastructure out-of- the-box with our leading library of more than 2,000 vendor-maintained monitoring plug-ins 2. Highly automated With its auto-discovery, auto-configuration via a modern REST API, and built-in agent management, Checkmk takes manual work off your hands 76 NETWORK SECURITY AND LOG ANALYSIS LAB MANUAL 3. Massively scalable Monitor hundreds of thousands of hosts and millions of services across the globe, thanks to a high-performance distributed architecture 4, Extensible Customize or extend the open source code of Checkmk. Use the Check-API to write your own monitoring plug-ins or extend existing ones 10.3. 
Procedure:
10.3.1. Download the free trial version of Checkmk from its official website: select Version 2.2.0, Platform Ubuntu and OS Version Ubuntu 22.04 (jammy). The download page also lists the commands for verifying and installing the package.
Fig. 10.1: Download Checkmk
10.3.2. Download the Checkmk installation package with wget:
wget https://download.checkmk.com/checkmk/2.2.0/check-mk-cloud-2.2.0_0.jammy_amd64.deb
Fig. 10.2: wget checkmk
10.3.3. Install the downloaded package with apt, which also resolves the dependencies of the local .deb file (the leading ./ is required):
sudo apt install ./check-mk-cloud-2.2.0_0.jammy_amd64.deb
apt notes that it selects 'check-mk-cloud-2.2.0' instead of the file name and pulls in the dependencies (among them php8.1-xml, python3-samba, rpcbind and rpm).
10.3.4. To verify the package signature, install dpkg-sig. In practice the signature is verified (steps 10.3.4 to 10.3.7) before the package is installed (step 10.3.3), so that an unverified package never reaches the system:
sudo apt install dpkg-sig
The following NEW packages will be installed: dpkg-sig libconfig-file-perl ...
Do you want to continue?
[Y/n] y
Fig. 10.4: Install dpkg-sig
10.3.5. Download the Checkmk public signing key:
wget https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg
Fig. 10.5: wget checkmk pubkey
10.3.6. Import the key into the root user's GnuPG keyring:
sudo gpg --import Check_MK-pubkey.gpg
Fig. 10.6: Import checkmk pubkey
10.3.7. Verify the package signature:
sudo dpkg-sig --verify check-mk-cloud-2.2.0_0.jammy_amd64.deb
Processing check-mk-cloud-2.2.0_0.jammy_amd64.deb...
BADSIG _gpgbuilder
Fig. 10.7: Verify dpkg-sig
Fig. 10.8: Verify gpg
A good signature is reported as GOODSIG _gpgbuilder followed by the key ID. BADSIG means that the signature over the package did not verify with the imported key; such a package must not be installed (or, if already installed as above, must be removed again) until a freshly downloaded copy verifies. The gpg output in Fig. 10.8 ("WARNING: This key is not certified with a trusted signature!") is expected after importing a key from a download and only says that the key is not yet in your web of trust; compare the fingerprint printed by gpg with the fingerprint published on the Checkmk website before relying on the key.
10.3.8. Enter "omd version" to display the installed version of Checkmk:
omd version
OMD - Open Monitoring Distribution Version 2.2.0.cce
Fig. 10.9: omd version
10.3.9. Create the monitoring site (here named "monitoring"); the command creates the site user and site directory and prints the URL of the site together with the initial password of the cmkadmin user:
sudo omd create monitoring
Fig. 10.10: omd create monitoring
10.3.10. Start the site:
sudo omd start monitoring
Starting mkeventd...OK
Starting mknotifyd...OK
Starting rrdcached...OK
Starting dcd...OK
Initializing Crontab...OK
(the other site services are started in the same way)
Fig. 10.11: omd start monitoring
10.3.11. Check that the site is running with "omd status"; every service should show "running" and the overall state should be "running".
Fig. 10.12: omd status
10.3.12. Set the password of the cmkadmin user. Switch to the site user (sudo omd su monitoring, which gives the OMD[monitoring]:~$ prompt) and run:
cmk-passwd cmkadmin
New password:
Re-type new password:
Fig. 10.13: cmk-passwd cmkadmin
10.3.13. Open the site in a browser (http://<server IP>/monitoring/) and log in with the username cmkadmin and the password set above.
Fig. 10.14: checkmk login
10.3.14. The main dashboard is shown below.
Fig. 10.15: Main dashboard
10.3.15. Go to Setup > Agents > Linux and download the Checkmk agent package (a .deb) for the host to be monitored.
Fig. 10.16: Download checkmk agent
10.3.16. Copy the agent package to /tmp on the host to be monitored (here the Checkmk server monitors itself):
Fig. 10.17: Copy checkmk agent
10.3.17. Install the agent package with apt (sudo apt install /tmp/<agent package>.deb). The agent answers requests from the Checkmk server on TCP port 6556.
Fig. 10.18: Install checkmk agent
10.3.18. Go to Setup > Hosts > Add host, enter the hostname and the network address of the host, then click "Save & go to service configuration".
Fig. 10.19: Add host
10.3.19.
On the services page, click "Fix all" to add the undecided services to monitoring:
Fig. 10.20: Services of host monitoring_system
10.3.20. Click on "4 changes" and then "Activate on selected sites" to apply the changes (Checkmk applies configuration changes only after they are explicitly activated):
Fig. 10.21: Activate pending changes
10.3.21. The pending changes are activated and the host appears in the Overview tab:
Fig. 10.22: Changes activated
10.3.22. The services of the host monitoring_system are shown below:
Fig. 10.23: Services of host monitoring_system
10.3.23. Monitor the host: the service view of monitoring_system shows, for example, the CPU utilization:
Fig. 10.24: Host Monitoring

Practical No: 11
Aim: Zabbix: Infrastructure Monitoring Tool
11.1. Tools Used: Zabbix
11.2. Theory: Zabbix is an enterprise-class open source distributed monitoring solution. It monitors numerous parameters of a network and the health and integrity of servers, virtual machines, applications, services, databases, websites, the cloud and more. Zabbix uses a flexible notification mechanism that lets users configure e-mail based alerts for virtually any event, which allows a fast reaction to server problems. Zabbix offers reporting and data visualisation features based on the stored data, which makes it suitable for capacity planning. Zabbix supports both polling and trapping. All Zabbix reports and statistics, as well as configuration parameters, are accessed through a web-based frontend, so the status of the network and the health of the servers can be assessed from any location. Properly configured, Zabbix can play an important role in monitoring IT infrastructure, for small organisations with a few servers as well as for large companies with a multitude of servers. Zabbix is free of cost.
Zabbix is written and distributed under the GNU General Public License version 2, which means that its source code is freely distributed and available to the general public.
Features of Zabbix:
Data gathering
* availability and performance checks
* support for SNMP (both trapping and polling), IPMI, JMX and VMware monitoring
* custom checks
* performed by server/proxy and by agents
Highly configurable alerting
* notifications can be customised for the escalation schedule, recipient and media type
* notifications can be made meaningful and helpful using macro variables
* automatic actions include remote commands
Easy configuration
* add monitored devices as hosts
* hosts are picked up for monitoring once they are in the database
* apply templates to monitored devices
Network discovery
* automatic discovery of network devices
* agent autoregistration
* discovery of file systems, network interfaces and SNMP OIDs
Fast web interface
* a web-based frontend in PHP
* accessible from anywhere
* you can click your way through
* audit log
Zabbix API
* the Zabbix API provides a programmable interface to Zabbix for mass manipulations, third-party software integration and other purposes
Full featured and easily extensible agent
* deployed on monitoring targets
* can be deployed on both Linux and Windows
11.3. Procedure:
11.3.1. On the Zabbix download page (https://www.zabbix.com/download), select the Zabbix version, the operating system and its version, the database and the web server; the page then shows the installation commands for that combination.
Fig. 11.1: Downloading Zabbix
11.3.2. Install the Zabbix repository package for your platform, then install the Zabbix server, frontend, agent and SQL scripts:
sudo apt install zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf zabbix-sql-scripts zabbix-agent
Fig. 11.2: Installing and configuring Zabbix server
11.3.3. Create the initial database for the Zabbix server: create the zabbix database and its database user in MySQL, then import the initial schema and data from the zabbix-sql-scripts package using the commands shown on the download page.
Fig.
11.3: Creating an initial database for Zabbix server
11.3.4. Configure the database password for the Zabbix server in /etc/zabbix/zabbix_server.conf (DBPassword=<password of the zabbix database user>), then start the Zabbix server and agent and enable them at boot. With the Apache web server the default URL of the Zabbix UI is http://<host>/zabbix.
Fig. 11.4: Configuring the password of Zabbix server in its database
11.3.5. To connect to the Zabbix server, open http://<ip_server_zabbix>:8080 (or http://<host>/zabbix with Apache) in a browser. The Zabbix login page appears; the default username is Admin (with a capital A) and the default password is zabbix. Change this password immediately after the first login, since it is the same on every new installation.
Fig. 11.5: Zabbix authentication page
11.3.6. After successful authentication the Zabbix dashboard is shown, with the monitoring, services and configuration sections and more.
Fig. 11.6: Zabbix server dashboard
11.3.7. Install the Zabbix agent according to the operating system of the monitored host; for Windows go to https://www.zabbix.com/fr/download_agents and choose the agent installer.
Fig.
11.7: Zabbix agent installation
11.3.8. Now that the agent is installed it must be configured: edit /etc/zabbix/zabbix_agent2.conf, set Server= and ServerActive= to the address of the Zabbix server and Hostname= to the name under which the host is configured in the Zabbix frontend, then enable and start the zabbix-agent2 service.

Practical No: 12
Aim: Security Onion: Enterprise Security Monitoring and Log Management tool
Fig 15: Select the mode of accessing Security Onion through the web interface
12.3.4. After Security Onion has been fully configured and installed, open the web interface by entering https://<securityonion server IP> in a browser. The browser reports an SSL certificate error because the interface uses a self-signed certificate; accept the certificate (or add it to the browser's trust store) to continue.
Fig 16: Opening the Security Onion web interface
12.3.5. The Security Onion dashboard appears once the certificate warning has been dealt with.
Fig 17: Security Onion dashboard
12.3.6. Accessing the Security Onion server through SSH. The login banner reminds the analyst to run so-allow first if it has not been run yet: so-allow opens the host firewall for the analyst workstation's IP address, and without it the web interface is not reachable from that workstation.
Fig 18: Accessing the Security Onion server through SSH
12.3.7. The list of Security Onion commands (the so-* administration scripts) is shown below.
Fig 19: List of commands in Security Onion

Practical No: 13
Aim: Kibana: Search and Data Visualization tool in Elastic Stack
13.1. Tools Used: Kibana
13.2. Theory: Kibana is a free and open frontend application that sits on top of the Elastic Stack and provides search and data visualisation capabilities for data indexed in Elasticsearch. Commonly known as the charting tool for the Elastic Stack (previously referred to as the ELK Stack, after Elasticsearch, Logstash and Kibana), Kibana also acts as the user interface for monitoring, managing and securing an Elastic Stack cluster, and as the central hub for the built-in solutions developed on the Elastic Stack.
Developed in 2013 from within the Elasticsearch community, Kibana has grown to become the window into the Elastic Stack, offering a portal for users and companies.
Features of Kibana:
Kibana's integration with Elasticsearch and the larger Elastic Stack makes it suitable for:
1. Searching, viewing and visualising data indexed in Elasticsearch, and analysing the data by creating bar charts, pie charts, tables, histograms and maps. A dashboard combines these visual elements and can be shared through the browser to provide real-time analytical views of large data volumes for use cases such as:
a. Logging and log analytics
b. Infrastructure metrics and container monitoring
c. Application performance monitoring (APM)
d. Geospatial data analysis and visualisation
e. Security analytics
f. Business analytics
2. Monitoring, managing and securing an Elastic Stack instance through the web interface.
3. Centralising access to the built-in solutions developed on the Elastic Stack for observability, security and enterprise search.
13.3.
Procedure:
13.3.1. Download Kibana from the Elastic website (the same version as the Elasticsearch it will connect to) and open the config/kibana.yml file for configuration; server.host sets the address Kibana listens on and elasticsearch.hosts the Elasticsearch instance it connects to.
Fig.13.1: Download Kibana and configuring the kibana.yml file
13.3.2. Open a command prompt in Windows, change to the directory into which Kibana was extracted and run the batch file:
bin\kibana.bat
Fig.13.2: Running the bat file of Kibana
13.3.3. After the batch file has started Kibana, it prints the URL (containing a one-time code) that is opened in the browser to log in to the server and enrol Kibana with Elasticsearch.
13.3.4. The Kibana d=ashboard after opening the generated URL:
Fig.13.4: Kibana server Dashboard
13.3.5. Click on the Discover option and go to "Create index pattern" (called a data view in newer Kibana versions); the pattern selects the indices whose documents Discover will show:
Fig.13.5: Creating the Index pattern
13.3.6. After the pattern has been created, Discover shows the histogram of document counts over time and the individual log entries:
Fig. 13.6: Log entries in Kibana
13.3.7. Query types that can be used with Kibana. These are Elasticsearch Query DSL query types; they are used in the Dev Tools console or in an "Edit as Query DSL" filter, while the search bar in Discover takes KQL or Lucene query syntax:
* Match Query
* Multi-Match Query
* Query String Query
* Term Query
* Terms Query
* Range Query
* Exists Query
* Prefix Query
* Wildcard Query
* Regexp Query
(Discover view: a document from Sep 10, 2021 @ 14:16:47.091 with client address 147.165.206.35)
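To show what the query types listed above actually match, here is an added example (written for this manual, not Kibana's or Elasticsearch's own code) that evaluates the same clauses, written as Query DSL bodies, over a few constructed log documents. It makes visible the difference that matters most in practice: a match query is analysed like the indexed text, while term, prefix, wildcard and regexp compare against the stored value (or, for a text field, against its lower-cased tokens), so term:"GET" finds nothing where match:"GET" does. The documents, the ECS-style field names and the assumption that only "message" is an analysed text field are constructed; query_string is left out.

```python
"""Added example: Elasticsearch Query DSL clause semantics evaluated locally
over constructed log documents. Not Kibana or Elasticsearch code."""
import re

# Constructed documents in the shape of the index used in this practical
# (timestamps and addresses are made up).
DOCS = [
    {"id": 1, "@timestamp": "2021-09-10T14:16:47Z", "client.ip": "147.165.206.35",
     "url.path": "/admin", "http.response.status_code": 401,
     "message": "GET /admin denied for 147.165.206.35"},
    {"id": 2, "@timestamp": "2021-09-10T14:16:49Z", "client.ip": "147.165.206.35",
     "url.path": "/admin/login", "http.response.status_code": 200,
     "message": "POST /admin/login ok", "user.name": "alice"},
    {"id": 3, "@timestamp": "2021-09-10T14:17:02Z", "client.ip": "10.0.2.8",
     "url.path": "/index.html", "http.response.status_code": 200,
     "message": "GET /index.html ok"},
    {"id": 4, "@timestamp": "2021-09-10T14:17:30Z", "client.ip": "10.0.2.8",
     "url.path": "/admin", "http.response.status_code": 403,
     "message": "GET /admin forbidden"},
]

# Assumed mapping: "message" is an analysed text field; every other field is
# stored as-is (keyword or number).
TEXT_FIELDS = {"message"}


def analyze(value):
    """Simplified standard analyzer: lower-cased word tokens."""
    return re.findall(r"\w+", str(value).lower())


def in_range(value, bounds):
    ops = {"gt": lambda v, b: v > b, "gte": lambda v, b: v >= b,
           "lt": lambda v, b: v < b, "lte": lambda v, b: v <= b}
    return all(ops[k](value, b) for k, b in bounds.items())


def evaluate(query, doc):
    """Return True if one Query DSL clause, e.g. {"term": {"url.path": "/admin"}}, matches doc."""
    (kind, body), = query.items()
    if kind == "exists":
        return doc.get(body["field"]) is not None
    if kind == "multi_match":
        return any(evaluate({"match": {f: body["query"]}}, doc) for f in body["fields"])
    (field, arg), = body.items()
    if field not in doc:
        return False
    value = doc[field]
    if kind == "match":        # query text is analysed too; any shared token matches (operator OR)
        if field in TEXT_FIELDS:
            return bool(set(analyze(arg)) & set(analyze(value)))
        return value == arg
    if kind == "term":         # the query term is NOT analysed
        return arg in analyze(value) if field in TEXT_FIELDS else value == arg
    if kind == "terms":
        return any(evaluate({"term": {field: a}}, doc) for a in arg)
    if kind == "range":
        return in_range(value, arg)
    # prefix, wildcard and regexp run against tokens of a text field or the raw keyword
    candidates = analyze(value) if field in TEXT_FIELDS else [str(value)]
    if kind == "prefix":
        return any(c.startswith(arg) for c in candidates)
    if kind == "wildcard":
        pattern = re.escape(arg).replace(r"\*", ".*").replace(r"\?", ".")
        return any(re.fullmatch(pattern, c) for c in candidates)
    if kind == "regexp":       # Elasticsearch regexps are anchored to the whole value
        return any(re.fullmatch(arg, c) for c in candidates)
    raise ValueError(f"unsupported query type: {kind}")


def search(query, docs=DOCS):
    """Return the ids of the documents matching a single Query DSL clause."""
    return [doc["id"] for doc in docs if evaluate(query, doc)]


if __name__ == "__main__":
    for q in [{"match": {"message": "GET"}}, {"term": {"message": "GET"}},
              {"range": {"http.response.status_code": {"gte": 400}}},
              {"wildcard": {"url.path": "/adm*"}}]:
        print(q, "->", search(q))
```

The failed-login hunt from this practical, for example, is a range query on http.response.status_code (gte 400) combined with a prefix or wildcard query on url.path; the term query on the analysed message field only hits when the query term is already in the lower-cased token form, which is the usual reason a Query DSL term filter on a text field returns nothing in Discover.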
