Computer Security Laboratory Assignment 1 - Network Scanning and Sniffing

1. Introduction
1.1. Purpose: This lab will show how easy it is to get unauthorized access to information about a local network, its computers and its users by using scanning and sniffing techniques. The lab will also show how insecure common protocols such as POP3 and FTP are, and how encrypted protocols such as SSL can improve security. It is important that students understand how and why computers and networks are insecure, because society is becoming ever more computerized. This laboratory assignment must be performed individually.

1.2. Preparation: Before the laboratory, look through the relevant parts of the course literature along with the relevant software manual pages and the information resources referenced at the end of this document. Basic navigation on a Unix system is outside the scope of this assignment, so if you are new to Unix systems we recommend that you read one or more of the many Unix tutorials available.

2. Network scanning
Computer networks basically consist of a number of nodes. A node can be a computer (e.g. a workstation or server) or a piece of network hardware such as a router or firewall. Network scanning means probing the nodes in a network to lay out a map of the network topology. It involves finding live network nodes (IP address, MAC address, hostname) and determining their functions (e.g. workstation, mail server, router etc.). By analyzing packet routes and firewall filtering rules you can see whether the network is secured in any way, and how. Probing such networks can be done for both good and evil purposes. Organisations can scan themselves to look for security risks or dead computers. Attackers planning an attack may scan many networks for computers running unpatched software to use in that attack (e.g. a DDoS, Distributed Denial of Service, attack). We will use the widely used active scanning tool Nmap. It has several useful features which we will use in the lab, e.g. OS identification (even routers and network printers can be identified).
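Task 2.1 (b) asks you to compare a TCP connect scan with a SYN scan. The difference is best seen from the target's side: a connect scan (Nmap's -sT) completes the three-way handshake, so the connection is queued for the listening application and typically ends up in its logs, while a SYN scan (-sS) answers the SYN/ACK with a RST and never gets that far. The Python example below is added here and is not part of the lab material; it implements a minimal connect scan against a throwaway listener on 127.0.0.1 (the listener and the port numbers are constructed at run time, and a SYN scan is not shown because it needs raw sockets and root). After the scan, the listener drains its accept queue to prove that the scanner's handshake reached it.

```python
"""TCP connect scan against a local throwaway listener (added example, not lab code)."""
import socket


def connect_scan(host, ports, timeout=1.0):
    """Classify each port by attempting a full TCP handshake, as nmap -sT does.

    open     : connect() succeeded, i.e. SYN, SYN/ACK and ACK were all exchanged
    closed   : the target answered the SYN with RST (ConnectionRefusedError)
    filtered : nothing came back before the timeout (e.g. a firewall dropping the SYN)
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except (socket.timeout, OSError):
            results[port] = "filtered"
        finally:
            s.close()
    return results


class DemoService:
    """Constructed stand-in for a server: listens on 127.0.0.1 on a kernel-chosen port."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def accepted_peers(self):
        """Drain the accept queue: every peer here completed a handshake with us.

        The kernel finishes the handshake for a listening socket even while the
        application is busy, which is exactly why a connect scan is visible to the
        application (and its logs) and a half-open SYN scan is not.
        """
        self.sock.setblocking(False)
        peers = []
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:          # BlockingIOError: queue is empty
                break
            peers.append(addr)
            conn.close()
        return peers

    def close(self):
        self.sock.close()


def free_port():
    """Pick a port nobody listens on: bind to port 0, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed local port; return the verdicts and what the server saw."""
    svc = DemoService()
    closed_port = free_port()
    try:
        results = connect_scan("127.0.0.1", [svc.port, closed_port])
        seen = svc.accepted_peers()
    finally:
        svc.close()
    return results[svc.port], results[closed_port], len(seen)


if __name__ == "__main__":
    open_state, closed_state, handshakes = demo()
    print(f"listening port: {open_state}, unused port: {closed_state}, "
          f"handshakes the server could log: {handshakes}")
```

Run it and compare with your Nmap output files: the port states map directly onto Nmap's open/closed/filtered, and the handshake count is the part a SYN scan would leave at zero.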

Tasks 2.1: (a) Discover hosts on the network. (Nmap)

First, do a ping sweep and try the different ping types (ICMP and/or TCP) and save the output in a text file. Compare the results for TCP ping, TCP+ICMP ping and ICMP ping. Are there any differences? If so, why are there differences between the results?
(b) Scan all the hosts on the network and try to determine their operating systems. (Nmap) Start with the TCP connect method and save the output to a text file. Then do a SYN scan and save the output to another text file. Compare the two files: what differs, and why?
(c) For each unique service detected on the network using Nmap, investigate the known bugs and issues and briefly summarize them.
(d) Some of the machines you scanned might be servers of some kind, e.g. web servers or FTP servers (check your Nmap logs for open ports). Try to find out what software and what versions are running on these machines. First, use Telnet to connect to port 21 (FTP), 25 (SMTP) and 80 (HTTP). Next, use an FTP or SSH client to connect to a couple of the computers.

3. Network Sniffing
Hubbed networks are insecure because a hub copies all traffic to all of its ports. Switched networks are better, but a switch can still be tricked into forwarding traffic belonging to other computers to the attacker's port. One security measure could be to let the switch automatically lock a port when the MAC address seen on it changes. However, for administrative reasons, that is not a popular policy: imagine a corporate network switch that stops all traffic on a certain cable whenever an employee plugs in one of the department's laptops. Another way to improve security is to use only encrypted communication, such as HTTPS, SFTP and SSH. Solutions like VPNs have the drawback that traffic can still be sniffed at the end nodes (workstations, web servers etc.), so they are not a replacement for switches or encrypted traffic protocols.

Tasks 3.1: (a) Start WinDump or tcpdump without any parameters to get a quick view of the network traffic.
(b) Now use some parameters to filter the traffic. For example, try to look at only HTTP traffic.
(c) Can you recognise any traffic from your own machine? Can you identify any servers on the network?
(d) If you capture very few packets, generate some traffic yourself by browsing a few web pages, pinging machines or port scanning a machine on the lab network. Then close the current capture file and start capturing again.
(e) Repeat tasks (a) to (d) above using Wireshark.

4. Questions
After doing the lab, answer the following questions:
(a) What is the purpose of sniffing network traffic?
(b) How can you lower the risk of being discovered when using a scanner tool like Nmap?
(c) How can network scanning and sniffing be made harder?
(d) What are the differences between active and passive fingerprinting?

Reference Documents
Nmap network security scanner man page: http://www.insecure.org/nmap/docs.html
Wireshark User's Guide: http://www.wireshark.org/download/docs/user-guide-a4.pdf
Sniffing (network wiretap, sniffer) FAQ: http://www.robertgraham.com/pubs/sniffing-faq.html
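Tasks 3.1 (b) and (c) have you filter captured traffic and pick out servers, and section 1 promises to show why FTP and POP3 are insecure. The Python example below is added here and is not part of the lab material: it decodes raw Ethernet/IPv4/TCP frames, applies the equivalent of the tcpdump primitives "port N" and "host A.B.C.D", and reassembles the USER/PASS commands of FTP (port 21) and POP3 (port 110) per client-to-server flow. The frames in CAPTURE are constructed inline (fake MAC addresses, zeroed checksums, made-up 10.0.0.x addresses and credentials); on a real capture you would feed it frames read from a pcap file or a raw socket instead.

```python
"""Decode constructed Ethernet/IPv4/TCP frames and harvest cleartext logins.

Added example for the sniffing tasks; the capture below is constructed, not real.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def parse_frame(frame):
    """Return the addresses, ports and TCP payload of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]                       # drop any Ethernet padding after the datagram
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def matches(pkt, port=None, host=None):
    """Mimic tcpdump's 'port N' and 'host A.B.C.D' primitives (either direction)."""
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    return True


def http_request_lines(frames):
    """The 'port 80' filter in action: the request line of every HTTP payload seen."""
    lines = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt and matches(pkt, port=80) and pkt["payload"]:
            lines.append(pkt["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return lines


def extract_logins(frames, ports=(21, 110)):
    """Pair USER and PASS commands per client->server flow for FTP (21) and POP3 (110).

    Both protocols send the password in the clear, so one captured segment is enough.
    """
    pending = {}   # flow -> username seen, waiting for its PASS
    logins = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["dport"] not in ports:
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        for line in pkt["payload"].decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[flow] = arg
            elif cmd.upper() == "PASS" and flow in pending:
                logins.append({"service": "ftp" if pkt["dport"] == 21 else "pop3",
                               "server": pkt["dst"], "user": pending.pop(flow),
                               "password": arg})
    return logins


def make_frame(src, dst, sport, dport, payload):
    """Constructed frame: fake MACs, zero checksums, minimal 20-byte IPv4 and TCP headers."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


# Constructed capture: an FTP login, a POP3 login, a plain HTTP request and a TLS record.
CAPTURE = [
    make_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"USER alice\r\n"),
    make_frame("10.0.0.20", "10.0.0.5", 21, 40001, b"331 Password required for alice\r\n"),
    make_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"PASS wonderland\r\n"),
    make_frame("10.0.0.5", "10.0.0.21", 40002, 110, b"USER bob\r\nPASS hunter2\r\n"),
    make_frame("10.0.0.5", "10.0.0.22", 40003, 80,
               b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    make_frame("10.0.0.5", "10.0.0.22", 40004, 443, b"\x16\x03\x03\x00\x05\x8a\x1f\xc3\x00\x77"),
]

if __name__ == "__main__":
    for login in extract_logins(CAPTURE):
        print(f"{login['service']} login to {login['server']}: {login['user']} / {login['password']}")
    print("HTTP requests:", http_request_lines(CAPTURE))
```

The TLS record on port 443 passes through untouched, which is the point of the HTTPS/SFTP/SSH recommendation above: the sniffer still sees the flow, but nothing in it is readable.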