Computer and Information Security Lab 1

Instructions

  1. Do this lab in the advanced computer science lab (required: do NOT do this lab outside of the lab, or on any network other than the 149.143.3.0/24 network).
  2. Complete the steps of lab 1a. In a Word document, answer all the questions.
  3. Complete the steps of lab 1b. In a Word document, answer all the questions.
  4. Turn your work (answers to the questions) in at Moodle.

Scanning and Enumerating the Network for Targets

Enumerating a network, to discover what machines are attached and operating, is a useful task for both an intruder and a system administrator. The information gained from a network scan assists in the determination of the actual current layout. Several tools and techniques exist for both the Windows and Linux platforms to perform these tests.

Lab 1: IP Address and port Scanning, Service identity Determination

NMAP is a popular scanning utility that is available to download from the Internet at no cost. It is a powerful tool that includes many functions. The NMAP utility can quickly and easily gather information about a network's hosts, including their availability, their IP addresses, and their names. This is useful information not only for a network administrator, but for an attacker as well, prior to an attack. One of the first tasks a hacker will carry out is to perform a scan of the network for hosts that are running. Once the user knows what hosts are accessible, he or she will then find a means to gather as much information about the host as possible. Once an attacker has identified the hosts, ports, and services that are available, he or she will want to identify the operating system that is running on the host. NMAP achieves this by using a technique called stack fingerprinting. Different operating systems implement TCP/IP in slightly different ways. Though subtle, the differences in these responses make it possible to determine the operating system.

In addition to identifying the operating system, the attacker will want to gain more information about the services that are running on the target computer, such as the type of server and its version (for example, Internet Information Server [IIS] version 4 or version 5). This information is contained in the service's banner. The banner is usually sent after an initial connection is made. This information greatly improves the ability of the attacker to discover vulnerabilities and exploits.

The network traffic that is generated by NMAP can have distinct qualities. These qualities might be the number of packets that are sent or the timing between packets, which do not resemble "normal" traffic. These qualities make up its signature. NMAP can be configured to hide its activity over time, attempting to mask its signature from being easily observed.

In this lab you will use NMAP to identify the computers that are on the network, enumerate the ports on the computers that were located, and then look at the network traffic generated by these actions. You will then use NMAP to scan the ports stealthily and compare that method to the previous scan. To observe service banners, telnet will be used to obtain the banners from the IP/port combinations found by the NMAP scans.

Learning Objectives

After completing this lab, you will be able to:

Use NMAP to scan a network for hosts that are up.

Use NMAP to enumerate the ports and services available on a host.

Identify the qualities of the NMAP ping sweep signature.

Explain the different methods NMAP uses to enumerate the ports normally and stealthily.

Determine and interpret service information from banners obtained via telnet.

30 MINUTES

Lab 1a: NMAP--IP scanning in Windows

Materials and Setup

You will need the following computers set up as described in the appendix:

Windows 7 Professional

Windows 2008 RC2 Server (Already running at 149.143.3.62)

Lab Steps at a Glance

Step 1 Install NMAP for Windows on your Windows 7 system.

Step 2 Start WireShark (In the start menu)

Step 3 Use NMAP to scan the network.

Step 4 Analyze the output from WireShark.

Step 5 Use NMAP to scan open TCP ports.

Step 6 Use WireShark to analyze the scan.

Step 7 Use NMAP to do a stealth scan on the computer.

Step 8 Use WireShark to analyze the scan.

Step 9 Use NMAP to enumerate the operating system of the target computer.

Step 10 Use Telnet to grab the web server, FTP server, and SMTP banners.

Step 11 Log off from the Windows 7 professional pc.

Lab 1a Steps

Step 1 Install NMAP for Windows on your Windows 7 system.

1) Install NMAP for Windows and WireShark on your Windows 7 system.

a) Go to http://nmap.org/download.html

b) Find “Latest stable release self-installer: nmap-5.51-setup.exe”. Click to download the installer.

c) Find “nmap-5.51-setup.exe” in your download directory.

d) Run the installer with default options.

e) Use the Start menu to find and start this GUI version of NMAP.

f) Go to http://www.wireshark.org/

g) Click on the Download WireShark button.

h) Select the Windows Installer (32-bit) file to download and save.

i) Find WireShark-win64-1.6.5.exe in your download directory, and run it to install.

Step 2 Start WireShark

We are going to launch WireShark to capture NMAP-generated network traffic and analyze how it discovers active hosts.

1) On the Windows 7 Professional Desktop, double-click WireShark

2) On the WireShark Capture menu select Interfaces.

3) Select the “start” button for the Ethernet adapter.

Step 3 Use NMAP to scan the network.

1) On the Start menu, find and select “Zenmap”.

2) In the Open: box, type cmd and click OK

3) Select Help/About from the menu.

a) Observe the output

b) What version of NMAP are you running?

4) Set the target to 149.143.3.0/24. Select “Ping Scan” for the profile. Note that the NMAP command line is shown “nmap -sn 149.143.3.0/24”. Hit the scan button.

The -sn option tells NMAP to perform a ping scan. The /24 at the end of the address tells NMAP to scan every host address on the 149.143.3.0/24 network. The scan should take about 20 to 30 seconds.

a) Observe the output

b) How many hosts did it find?

c) What are the IP addresses of the hosts?

d) How long did the scan take?

Figure 1 - Using NMAP to scan a network (image001.png)

Step 4 Analyze the output from WireShark.

1) Click on the WireShark capture screen and click stop. Refer to Figure 2.

Let's identify the qualities of the ping sweep signature.

a) Observe the output.

b) Why are there so many ARP broadcasts?

c) What can you tell about the timing between broadcasts?

d) What do you notice about the source addresses?

e) What do you notice about the broadcast addresses?

2) On the WireShark menu, click Capture, Start.

a) On the “Save capture file before starting a new capture?” dialog box, click Continue without saving.

3) On the WireShark: Capture options screen for Interface: select the Fast Ethernet Adapter and click OK.

Figure 2 - WireShark (image003.png)

Step 5 Use NMAP to scan open TCP ports.

1) In the Zenmap command line, type “nmap -sT 149.143.3.62”. Hit the scan button. The -sT option tells NMAP to perform a TCP port scan. This is a full connection scan. The scan should take about 8 to 10 minutes.

a) Observe the output.

b) How many ports did it find?

c) How long did the scan take?

Step 6 Use WireShark to analyze the scan.

1) Click on the WireShark Capture screen and click Stop.

a) Observe the output.

b) How many packets did WireShark capture?

Look at the signature of the scan. Notice that there are many SYN packets sent from the computer doing the scanning and RST/ACK being sent back. RST/ACK is the response for a request to connect to a port that is not open.

Let's look at what happens when an open port is discovered. If we look at the output from the NMAP scan, we know that port 80, the HTTP service port, is open. To find those particular packets out of the thousands of packets captured, we will need to filter out the unwanted traffic.

2) In the Filter box type “tcp.port==80” and press ENTER. (Note: There should be no spaces between any of the characters typed in the Filter box.)

Look at the last four packets captured. Note the SYN, SYN/ACK, and ACK packets. A three-way handshake was completed so that the port could be established as open. This is okay, but it is very noisy and can show up in the server logs. The last of the four packets is an RST sent by the scanning computer.

3) Click Clear next to the Filter: box.

4) On the WireShark menu, click Capture, Start.

5) On the “Save capture file before starting a new capture?” dialog box, click “Continue without saving”.

6) On the WireShark: Capture Options screen for Interface: select the Intel DC21140 Fast Ethernet Adapter and click OK.

Step 7 Use NMAP to do a stealth scan on the computer.

1) At the command line, type NMAP -sS 149.143.3.62 and press ENTER.

The -sS option tells NMAP to perform a TCP SYN stealth port scan. Since this type of scan requires NMAP to behave on the network in an atypical manner, you must have administrative rights. The scan should take about one second.

a) Observe the output.

b) How many ports did it find? Compare this to the number of ports found with a TCP scan.

c) How long did the scan take? Compare this to the amount of time it took with the TCP scan.

Step 8 Use WireShark to analyze the scan.

1) Click on the WireShark Capture screen and click Stop.

a) Observe the output.

b) How many total packets were captured? How does this compare to the previous capture?

2) In the Filter: box, type tcp.port==80 and press ENTER. (Note: There should be no spaces between the characters.)

Look at the last three packets and note that this time, the three-way handshake is not completed. The SYN packet is sent and the SYN/ACK is returned, but instead of sending back an ACK, the scanning computer sends an RST. This allows the scanning computer to establish that the port is in fact open, but it is less likely to be registered in the logs.

3) Close WireShark and do not save the results.

Step 9 Use NMAP to enumerate the operating system of the target computer.

1) On the Start menu, click Run.

2) In the Open box, type cmd and click OK.

3) At the command line, type NMAP -O 149.143.3.62 and press ENTER.

The -O option tells NMAP to perform the scan and guess what operating system is on the computer. The scan should take about four seconds.

a) Observe the output.

b) What was the guess made by NMAP? Was it correct?

Step 10 Use Telnet to grab the web server, FTP server, and SMTP banners.

1) At the command line, type telnet 149.143.3.62 80 and press ENTER.

2) At the prompt type get and press ENTER. (Note that you will not see the characters as you type.)

a) Observe the output.

b) What Web server is being used?

c) What version of the Web server is being used?

3) At the command line, type telnet 149.143.3.62 21 and press ENTER.

a) Observe the output.

b) What FTP server is being used?

c) What version of the server is being used?

d) At the prompt, type quit and press ENTER.

4) At the command line, type telnet 149.143.3.62 25 and press ENTER.

a) Observe the output.

b) What version of SMTP is being used?

c) Type quit and press ENTER.

d) Close the command prompt.

Step 11 Log off from the Windows 7 professional PC.

To exit from the Windows 7 professional PC:

1) On the Start menu, click Log Off.

2) At the Logoff screen, click on Log off.


Lab 1b: NMAP-IP Scanning in Linux

30 MINUTES

Materials and Setup

You will need the following computer OS set up as described in the appendix:

Linux Server (Ubuntu 11.10 Test Server 149.143.3.61)

Linux Client (on your lab desk!)

Lab Steps at a Glance

Step 1 Start both the Linux Client and Linux Server PCs. Only log on to the Linux Client PC.

Step 2 Start WireShark.

Step 3 Use NMAP to scan the network.

Step 4 Analyze the output from WireShark.

Step 5 Use NMAP to scan open TCP ports.

Step 6 Use WireShark to analyze the scan.

Step 7 Use NMAP to do a stealth scan on the computer.

Step 8 Use WireShark to analyze the scan.

Step 9 Use NMAP to enumerate the operating system of the target computer.

Step 10 Use Telnet to grab the web server, FTP server, and SMTP banners.

Step 11 Log off from the Linux Client PC.

Lab Steps

Step 1 Start both the Linux Client and Linux Server PCs, and log on to the Linux Client PC.

To log on to the Linux Client PC:

1) At the Login: prompt, type root and press ENTER.

2) At the Password: prompt, type password and press ENTER.

Step 2 Start WireShark.

Using the Linux Client PC, we are going to launch WireShark to capture NMAP-generated network traffic and analyze how it discovers active hosts.

1) Right-click the desktop and select New terminal.

2) On the command line, type wireshark & and press ENTER.

3) On the WireShark menu, click Capture and Start.

4) On the WireShark: Capture Options screen, click OK.

5) Minimize WireShark.

Step 3 Use NMAP to scan the network.

1) At the command line, type nmap and press ENTER.

a) Observe the output.

b) What version of NMAP are you running?

c) What is the option for a ping scan?

2) At the command line, type nmap -sP 149.143.3.0 and press ENTER.

The -sP option tells NMAP to perform a ping scan. The * at the end of the address tells NMAP to scan for every host address on the 149.143.3.0 network. The scan should take about 20 to 30 seconds.

a) Observe the output.

b) How many hosts did it find?

c) What are the IP addresses of the hosts?

d) How long did the scan take?

Step 4 Analyze the output from WireShark.

1) Click on the WireShark capture screen and click stop.

Use the following questions to identify the qualities of the ping sweep signature:

a) Observe the output from WireShark.

b) Why are there so many ARP broadcasts?

c) What can you tell about the timing between broadcasts?

d) What do you notice about the source addresses?

e) What do you notice about the broadcast addresses?

2) On the WireShark menu, click Capture and Start.

3) On the WireShark: Capture Options screen, click OK.
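The Step 4 questions in both labs ask what the ARP broadcasts of a ping sweep have in common: one source, many targets, tight and regular spacing. As an added example (not part of the original lab), the Python script below applies that reasoning to a constructed list of Wireshark-shaped ARP records: it flags any source MAC that asks the broadcast address about many distinct addresses within a short window and reports how regular the gaps are. The MAC addresses, timings and the 16-target threshold are made-up assumptions.

```python
"""Detector for the ping-sweep signature examined in Step 4 of Labs 1a and 1b.

An nmap ping scan of a local /24 sends one ARP "who-has" request per address,
from one source MAC to the broadcast address, with very regular spacing.
Ordinary ARP traffic is sparse and asks only about the few addresses a host
actually needs to reach.
"""
from collections import defaultdict
from statistics import mean, pstdev

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed rows shaped like Wireshark's ARP display (not real lab data):
# (time_s, source MAC, destination MAC, IP asked about in the "who-has" request).
SWEEPER, WORKSTATION = "00:0c:29:aa:bb:cc", "00:50:56:11:22:33"
SAMPLE_ARP = [(i * 0.004, SWEEPER, BROADCAST, f"149.143.3.{i}") for i in range(1, 41)]
SAMPLE_ARP += [(0.050, WORKSTATION, BROADCAST, "149.143.3.1"),    # gateway lookup
               (3.200, WORKSTATION, BROADCAST, "149.143.3.62"),   # the lab server
               (9.900, WORKSTATION, BROADCAST, "149.143.3.1")]    # gateway again
SAMPLE_ARP.sort(key=lambda r: r[0])


def detect_arp_sweeps(records, window_s=2.0, min_targets=16):
    """Return {source_mac: summary} for each source that asked the broadcast address
    about at least `min_targets` distinct IPs within some `window_s`-second window.
    The summary holds the qualities the lab questions ask about: how many addresses,
    how quickly, and how regularly spaced."""
    by_src = defaultdict(list)
    for t, src, dst, target in records:
        if dst == BROADCAST:                      # requests only; ARP replies are unicast
            by_src[src].append((t, target))

    findings = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r[0])
        best, lo = None, 0                        # best = (distinct targets, lo, hi)
        for hi in range(len(reqs)):
            while reqs[hi][0] - reqs[lo][0] > window_s:
                lo += 1                           # slide the window start forward
            distinct = len({tgt for _, tgt in reqs[lo:hi + 1]})
            if distinct >= min_targets and (best is None or distinct > best[0]):
                best = (distinct, lo, hi)
        if best is None:
            continue
        distinct, lo, hi = best
        times = [t for t, _ in reqs[lo:hi + 1]]
        gaps = [b - a for a, b in zip(times, times[1:])]
        findings[src] = {
            "distinct_targets": distinct,
            "span_s": round(times[-1] - times[0], 3),
            "mean_gap_s": round(mean(gaps), 4) if gaps else 0.0,
            "gap_stdev_s": round(pstdev(gaps), 4) if gaps else 0.0,
        }
    return findings


if __name__ == "__main__":
    for mac, summary in detect_arp_sweeps(SAMPLE_ARP).items():
        print(f"probable ARP sweep from {mac}: {summary}")
```

The workstation's three lookups of two addresses over ten seconds never trip the threshold; the sweeper's forty requests in well under a second do, with a gap standard deviation of zero.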

Step 5 Use NMAP to scan open TCP ports.

1) At the command line, type nmap -sT 149.143.3.61 and press ENTER.

The -sT option tells NMAP to perform a TCP port scan. This is a full connection scan.

a) Observe the output.

b) How many ports did it find?

c) How long did the scan take?

Step 6 Use WireShark to analyze the scan.

1) Click on the WireShark capture screen and click stop.

a) Observe the output.

b) How many packets did WireShark capture?

c) Look at the signature of the scan. Notice that there are many SYN packets sent from our computer doing the scanning and RST/ACK being sent back. RST/ACK is the response for a request to connect to a port that is not open.

Let's look at what happens when an open port is discovered. If we look at the output from the NMAP scan, we know that port 80, the HTTP service port, is open. To find those particular packets out of the thousands of packets captured, we will need to filter out the unwanted traffic.

2) In the Filter: box, type tcp.port==80 and press ENTER.

Look at the last four packets captured. Note the SYN, SYN/ACK, and ACK packets. A three-way handshake was completed so that the port could be established as open. This is okay, but it is very "noisy." Whenever a three-way handshake is completed, it can show up in the server logs. The last of the four packets is an RST sent by the scanning computer.

Now let's try a scan, but this time let's not complete the three-way handshake. We will do this with a SYN stealth scan.

3) Click Reset next to the Filter: box.

4) On the WireShark menu, click Capture and Start.

5) On the WireShark: Capture Options screen, click OK.

Step 7 Use NMAP to do a stealth scan on the computer.

1) At the command line, type nmap -sS 149.143.3.61 and press ENTER.

The -sS option tells NMAP to perform a TCP SYN stealth port scan. Since this type of scan requires NMAP to behave on the network in an atypical manner, you must have administrative rights. The scan should take about one second.

a) Observe the output.

b) How many ports did it find? Compare this to the number of ports found with a TCP scan.

c) How long did the scan take? Compare this to the amount of time it took with the TCP scan.

Step 8 Use WireShark to analyze the scan.

1) Click on the WireShark Capture screen and click Stop.

a) Observe the output.

b) How many total packets were captured? How does this compare to the previous capture?

2) In the Filter box, type tcp.port==80 and press ENTER.

Look at the last three packets and note that this time, the three-way handshake is not completed. The SYN packet is sent and the SYN/ACK is returned, but instead of sending back an ACK, the scanning computer sends an RST. This allows the scanning computer to establish that the port is in fact open, but it is less likely to be registered in the logs.

3) Close WireShark.
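Steps 6 and 8 of both labs contrast the full handshake of the -sT connect scan with the half-open -sS exchange. As an added example (not the lab's own material), this Python script classifies each probe in a constructed, Wireshark-shaped packet list by its flag sequence and reports, per scanner, which ports answered as open or closed and whether the scanner completed the handshake (connect) or reset right after the SYN/ACK (half-open). The scanner addresses, source ports and timestamps are constructed; only the target address is the lab server's.

```python
"""Classify the per-port TCP exchanges examined in Steps 6 and 8 of Labs 1a and 1b:
is the port open (SYN/ACK rather than RST/ACK), and did the scanner complete the
handshake (connect scan, -sT) or answer the SYN/ACK with an RST (SYN scan, -sS)?"""
from collections import defaultdict

# Constructed addresses; 149.143.3.62 is the lab's Windows 2008 server.
TARGET, CONNECT_SCANNER, SYN_SCANNER = "149.143.3.62", "149.143.3.50", "149.143.3.51"

# Constructed rows in capture order: (time_s, src, sport, dst, dport, flags).
# Flag letters as in Wireshark: S=SYN, A=ACK, R=RST, so "SA" is SYN/ACK and "RA" is RST/ACK.
SAMPLE_TCP = [
    (0.000, CONNECT_SCANNER, 40001, TARGET, 80, "S"),    # -sT against open port 80 ...
    (0.001, TARGET, 80, CONNECT_SCANNER, 40001, "SA"),
    (0.002, CONNECT_SCANNER, 40001, TARGET, 80, "A"),    # ... handshake completed ...
    (0.003, CONNECT_SCANNER, 40001, TARGET, 80, "RA"),   # ... then torn down
    (0.004, CONNECT_SCANNER, 40002, TARGET, 81, "S"),    # -sT against closed port 81
    (0.005, TARGET, 81, CONNECT_SCANNER, 40002, "RA"),
    (5.000, SYN_SCANNER, 50001, TARGET, 80, "S"),        # -sS against open port 80 ...
    (5.001, TARGET, 80, SYN_SCANNER, 50001, "SA"),
    (5.002, SYN_SCANNER, 50001, TARGET, 80, "R"),        # ... RST instead of the final ACK
    (5.003, SYN_SCANNER, 50002, TARGET, 81, "S"),        # -sS against closed port 81
    (5.004, TARGET, 81, SYN_SCANNER, 50002, "RA"),
]


def group_probes(packets):
    """Group packets into probes keyed by the unordered pair of (ip, port) endpoints."""
    probes = defaultdict(list)
    for t, src, sport, dst, dport, flags in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        probes[key].append((t, src, flags))
    return probes


def classify_probe(pkts):
    """Return (initiator_ip, port_state, scan_style) for one probe, or None if no SYN."""
    pkts = sorted(pkts, key=lambda p: p[0])      # stable sort keeps capture order on ties
    initiator = next((src for _, src, f in pkts if f == "S"), None)
    if initiator is None:
        return None
    replies = [f for _, src, f in pkts if src != initiator]
    if "SA" not in replies:
        return initiator, "closed" if "RA" in replies else "no-response", None
    synack_at = next(i for i, p in enumerate(pkts) if p[1] != initiator and p[2] == "SA")
    client_flags = [f for _, src, f in pkts[synack_at + 1:] if src == initiator]
    if "A" in client_flags:
        return initiator, "open", "connect"      # full handshake: the service sees a connection
    if any(f in ("R", "RA") for f in client_flags):
        return initiator, "open", "half-open"    # SYN/ACK answered with RST: never reaches the service
    return initiator, "open", "incomplete"


def summarise_scans(packets):
    """Per initiator: open/closed/no-response counts and the scan styles its probes used."""
    profile = defaultdict(lambda: {"open": 0, "closed": 0, "no-response": 0, "styles": set()})
    for pkts in group_probes(packets).values():
        result = classify_probe(pkts)
        if result:
            initiator, state, style = result
            profile[initiator][state] += 1
            if style:
                profile[initiator]["styles"].add(style)
    return dict(profile)
```

Running summarise_scans(SAMPLE_TCP) attributes a "connect" style to the first scanner and "half-open" to the second, while both see port 80 open and port 81 closed; the same flag logic applied to a real capture is the check behind the lab's "does it show up in the logs" question.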

Step 9 Use NMAP to enumerate the operating system of the target computer.

1) At the command line, type nmap -O 149.143.3.61 and press ENTER.

The -O option tells NMAP to perform the scan and guess what operating system is on the computer. The scan should take about four seconds.

a) Observe the output.

b) What was the guess made by NMAP?

c) Was it correct?

Step 10 Use Telnet to grab the Web server, FTP server, and SMTP banners.

1) At the command line, type telnet 149.143.3.61 80 and press ENTER.

2) At the prompt, type get and press ENTER.

a) Observe the output.

b) What Web server is being used?

c) What version of the Web server is being used?

3) At the command line, type telnet 149.143.3.61 21 and press ENTER.

a) Observe the output.

b) What FTP server is being used?

c) What version of the server is being used?

d) Type quit and press ENTER.

4) At the command line, type telnet 149.143.3.61 25 and press ENTER.

a) Observe the output.

b) What version of SMTP is being used?

c) Type quit and press ENTER.

5) Close the terminal session.

Step 11 Log off from the Linux Client PC.

Lab Review

In this lab, we observed that NMAP uses the Address Resolution Protocol (ARP) to quickly and easily scan a network and discover which hosts are running. We also noticed some of the qualities that make up the signature of a scan. This knowledge will be practical in future labs when we look at methods that prevent NMAP from obtaining information from a scan.

Completing this lab has taught you:

How knowledge of the three-way handshake helps to understand how NMAP can exploit that process.

To see how the three-way handshake is used to enumerate ports.

To see how the three-way handshake can be exploited to conduct a stealthful scan.

How to devise ways to prevent exploitation.

To detect different types of scans, which usually precede an attack.

-- JimSkon - 2012-02-23

Topic revision: r4 - 2014-01-15 - JimSkon