Computer and Information Security Lab 4

Scanning for system vulnerabilities


Needed Components

  1. Installation of VMWare Workstation 10 (for Linux or Windows, depending on host). The image and the key can be provided by Dr. Kasper or Dr. Skon.
  2. Metasploitable 2. A deliberately vulnerable Linux system for penetration testing. It can be found here, or from Dr. Skon. This is a virtual machine: extract the folder and move it into your folder with your other VMs (usually /home/vmware). Then simply open the .vmx file in the folder from VMWare Workstation (the .vmx is the virtual machine definition; the .vmdk beside it is its disk). You DO NOT need to install anything.
  3. Windows Server Datacenter 2008 R2. This is also a penetration-testing target. It needs to be installed as above. It comes as a .tar.gz file; expand it with the "tar -zxvf {file.tar.gz}" command, put it in your VM folder, and launch it as above.
  4. nmap and zenmap. zenmap is merely a GUI wrapper for nmap. Install on Linux using these [[http://namhuy.net/32/how-to-install-nmap-into-ubuntu.html][instructions]]. An installer for Windows for both is here.
  5. Wireshark. You should already have it, but follow the link if not.

Instructions

  1. Do this lab using the Linux OS running on the hardware, with the Windows and Metasploitable OSs running in VMWare.
  2. You must set VMWare either to bridge the VMs onto the lab network or to create a local network shared by the scanner and the targets.
  3. Complete the steps of the lab.
  4. In a Word document, answer all the questions.
  5. Turn your work (answers to the questions) in at Moodle.

Scanning and Enumerating the Network for Targets

Enumerating a network, to discover what machines are attached and operating, is a useful task for both an intruder and a system administrator. The information gained from a network scan assists in the determination of the actual current layout. Several tools and techniques exist for both the Windows and Linux platforms to perform these tests.

Lab 1: IP Address and port Scanning, Service identity Determination

NMAP is a popular scanning utility that is available to download from the Internet at no cost. It is a powerful tool that includes many functions. The NMAP utility can quickly and easily gather information about a network's hosts, including their availability, their IP addresses, and their names. This is useful information not only for a network administrator, but for an attacker as well, prior to an attack. One of the first tasks an attacker will carry out is to scan the network for hosts that are running. Once the attacker knows which hosts are accessible, he or she will then find a means to gather as much information about each host as possible. Once an attacker has identified the hosts, ports, and services that are available, he or she will want to identify the operating system that is running on the host. NMAP achieves this by using a technique called stack fingerprinting. Different operating systems implement TCP/IP in slightly different ways (for example in the initial TTL, the TCP window size, or how they answer unusual flag combinations). Though subtle, these differences in the responses make it possible to determine the operating system.

In addition to identifying the operating system, the attacker will want to gain more information about the services that are running on the target computer, such as the type of server and its version (for example, Internet Information Server [IIS] version 4 or version 5). This information is contained in the service's banner, which is usually sent after an initial connection is made (or, for HTTP, in the Server: header of the first response). Knowing the exact product and version greatly improves the attacker's ability to find matching vulnerabilities and exploits.

The network traffic that is generated by NMAP has distinct qualities, such as the number of packets sent, the timing between packets, and one source probing many addresses or ports, which do not resemble "normal" traffic. These qualities make up its signature. NMAP's timing options can slow a scan down and spread its packets out over time in an attempt to keep that signature from being easily observed.

In this lab you will use NMAP to identify the computers that are on the network, enumerate the ports on the computers that were located, and then look at the network traffic generated by these actions. You will then use NMAP to scan the ports stealthily and compare that method to the previous scan. To observe service banners, telnet will be used to obtain the banners from IP/port combinations obtained from the NMAP scans.

Learning Objectives

After completing this lab, you will be able to:

Use NMAP to scan a network for hosts that are up.

Use NMAP to enumerate the ports and services available on a host.

Identify the qualities of the NMAP ping sweep signature.

Explain the different methods NMAP uses to enumerate the ports normally and stealthily.

Determine and interpret service information from banners obtained via telnet.

30 MINUTES

Lab 1a: NMAP--IP scanning in Windows

In this lab you will be scanning a Windows Server 2008 system from the Windows 7 OS.

Materials and Setup

You will need the following computers set up as described in the appendix:

Windows 7 Professional

Windows Server 2008. You will need to use the "ipconfig" command on it to find out its IP address.

Lab Steps at a Glance

Step 1 Install NMAP for Windows on your Windows 7 system.

Step 2 Start WireShark (In the start menu)

Step 3 Use NMAP to scan the network.

Step 4 Analyze the output from WireShark.

Step 5 Use NMAP to scan open TCP ports.

Step 6 Use WireShark to analyze the scan.

Step 7 Use NMAP to do a stealth scan on the computer.

Step 8 Use WireShark to analyze the scan.

Step 9 Use NMAP to enumerate the operating system of the target computer.

Step 10 Use Telnet to grab the web server, FTP server, and SMTP banners.

Step 11 Log off from the Windows 7 professional pc.

Lab 1a Steps

Step 1 Install NMAP for Windows on your Windows 7 system.

1) Install NMAP for Windows and Wireshark on your Windows 7 system.

a) Go to http://nmap.org/download.html

b) Find "Latest stable release self-installer: nmap-5.51-setup.exe" (the version number on the page may be newer). Click to download the installer.

c) Find "nmap-5.51-setup.exe" in your download directory.

d) Run the installer with default options. The installer includes Zenmap, the NMAP GUI, and adds nmap to the PATH so it can also be run from a command prompt.

e) Use the Start menu to find and start Zenmap, the GUI version of NMAP.

f) Go to http://www.wireshark.org/

g) Click on the Download Wireshark button.

h) Select the Windows installer that matches your Windows 7 build (32-bit or 64-bit) and save it.

i) Find the downloaded installer (for example Wireshark-win64-1.6.5.exe) in your download directory, and run it to install.

Step 2 Start Wireshark (if needed)

We are going to launch Wireshark to capture the NMAP-generated network traffic and analyze how NMAP discovers active hosts.

1) On the Windows 7 Professional desktop, double-click Wireshark.

2) On the Wireshark Capture menu select Interfaces.

3) Select the "Start" button for the Ethernet adapter.

Step 3 Use NMAP to scan the network.

1) On the Start menu, find and select "Zenmap".

2) Select Help/About from the menu.

a) Observe the output.

b) What version of NMAP are you running?

3) Find the IP address of your Windows 2008 server instance by launching a command prompt on the server and entering "ipconfig". This address will be called win7ipaddress below (the name is historical; it is the address of the Server 2008 VM, which is the machine you will scan). The VM's network adapter must be on the same network as the scanner, and bridged mode is the simplest way to arrange that; otherwise you will not be able to reach it.

You also need the network address. On the Linux host (not the VM) open a terminal and run "ifconfig". You will see something like:

inet addr:149.143.3.144 Bcast:149.143.3.255 Mask:255.255.240.0

If you bitwise AND the "inet addr" with the "Mask", you get the network address. If you count the number of 1 bits in the Mask, you get the prefix length of the classless (CIDR) network mask. Note that the mask in this example, 255.255.240.0, has 20 one bits, so it describes the network 149.143.0.0/20, which contains 4096 addresses. A ping sweep of a block that large takes correspondingly longer, so for this lab it is enough to scan the /24 that contains your target, which in this example is:

149.143.3.0/24

Below we will call this address the networkAddress.
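A small program that does the address/mask arithmetic described above, added here as a worked example (it is not part of the original lab). It assumes the old-style ifconfig "inet addr:" output format shown above; the /24 cap on the block to scan is a choice made for this lab to keep the sweep short, not something nmap requires.

```python
"""Compute the network address and CIDR prefix from an ifconfig "inet addr"/"Mask" pair.

Added example; it is not part of the original lab handout. It does by program what the
text describes by hand: AND the address with the mask, count the mask's one bits. The
sample line is the ifconfig output quoted in the lab text.
"""
import re

# The ifconfig line quoted in the lab (used here as sample input).
SAMPLE_IFCONFIG_LINE = "inet addr:149.143.3.144 Bcast:149.143.3.255 Mask:255.255.240.0"


def ip_to_int(dotted):
    """'149.143.3.144' -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """20 -> '255.255.240.0'."""
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def prefix_length(mask):
    """Count the one bits of a netmask; a valid mask is ones followed by zeros only."""
    ones = bin(ip_to_int(mask)).count("1")
    if mask_from_prefix(ones) != int_to_ip(ip_to_int(mask)):
        raise ValueError("non-contiguous netmask: %r" % mask)
    return ones


def network_address(addr, mask):
    """(network, prefix) for an address/mask pair, e.g. ('149.143.0.0', 20)."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask)), prefix_length(mask)


def scan_target(addr, mask, cap_prefix=24):
    """CIDR string to give nmap. If the interface's block is bigger than /cap_prefix
    (e.g. the /20 in the sample), shrink it to the /cap_prefix that contains addr so the
    ping sweep stays short; cap_prefix=0 disables the cap."""
    net, prefix = network_address(addr, mask)
    if cap_prefix and prefix < cap_prefix:
        net, prefix = network_address(addr, mask_from_prefix(cap_prefix))
    return "%s/%d" % (net, prefix)


def parse_ifconfig_line(line):
    """Pull (addr, mask) out of an old-style ifconfig 'inet addr:' line."""
    m = re.search(r"inet addr:(\S+).*Mask:(\S+)", line)
    if not m:
        raise ValueError("no inet addr/Mask pair in: %r" % line)
    return m.group(1), m.group(2)


def address_count(prefix):
    return 2 ** (32 - prefix)


if __name__ == "__main__":
    addr, mask = parse_ifconfig_line(SAMPLE_IFCONFIG_LINE)
    net, prefix = network_address(addr, mask)
    print("interface block: %s/%d (%d addresses)" % (net, prefix, address_count(prefix)))
    print("nmap -sn " + scan_target(addr, mask))
```

Run it as is to see the two results for the sample line, or paste your own ifconfig line into SAMPLE_IFCONFIG_LINE. Newer Linux distributions print "inet 149.143.3.144  netmask 255.255.240.0" instead; in that case pass the address and mask straight to scan_target.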


Select "Ping Scan" for the profile and set the target to networkAddress. Note that the NMAP command line is shown as "nmap -sn 149.143.3.0/24" (with your own networkAddress). Hit the Scan button.

The -sn option tells NMAP to perform a ping scan (host discovery only, no port scan). The /24 suffix on the address tells NMAP to scan every host address on the 149.143.3.0/24 (networkAddress) network. The scan should take about 20 to 30 seconds.

a) Observe the output

b) How many hosts did it find?

c) What are the IP address of the hosts?

d) How long did the scan take?

image001.png

Figure 1 - Using NMAP to scan a network

Step 4 Analyze the output from Wireshark.

1) Click on the WireShark capture screen and click stop. Refer to Figure 2.

Let's identify the qualities of the ping sweep signature.

a) Observe the output.

b) Why are there so many ARP broadcasts?

c) What can you tell about the timing between broadcasts?

d) What do you notice about the source addresses?

e) What do you notice about the broadcast addresses?

2) On the WireShark menu, click Capture, Start.

a) On the Save capture file before starting a new capture dialog box, click Continue without saving.

3) On the WireShark: Capture options screen for Interface: select the Fast Ethernet Adapter and click OK.

image003.png

Figure 2 - WireShark

Step 5 Use NMAP to scan open TCP ports.

1) In the Zenmap Command box, type "nmap -sT win7ipaddress" and hit the Scan button. The -sT option tells NMAP to perform a TCP connect port scan. This is a full connection scan: each port is probed with a normal connect() call that completes the three-way handshake, so no special privileges are needed. The scan should take about 8 to 10 minutes.

a) Observe the output.

b) How many ports did it find?

c) How long did the scan take?

Step 6 Use Wireshark to analyze the scan.

1) Click on the WireShark Capture screen and click Stop.

a) Observe the output.

b) How many packets did WireShark capture?

Look at the signature of the scan. Notice that there are many SYN packets sent from the computer doing the scanning and RST/ACK being sent back. RST/ACK is the response for a request to connect to a port that is not open.

Let's look at what happens when an open port is discovered. If we look at the output from the NMAP scan we know that port 80 the HTTP service port, is open. To find those particular packets out of the thousands of packets captured, we will need to filter out the unwanted traffic.

2) In the Filter box type "tcp.port==80" and press ENTER. (Note: there should be no spaces between any of the characters typed in the Filter box.)

Look at the last four packets captured. Note the SYN, SYN/ACK, and ACK packets. A three-way handshake was completed so that the port could be established as open. This works, but it is very noisy: once the handshake completes, the connection is handed to the listening application, so it can show up in the server's logs. The last of the four packets is an RST sent by the scanning computer to tear the connection down.

3) Click Clear next to the Filter: box.

4) On the WireShark menu, click Capture, Start.

5) On the “save capture file before starting a new capture??” dialog box, click “continue without saving”.

6) On the Wireshark: Capture Options screen, for Interface: select your Ethernet adapter and click OK.

Step 7 Use NMAP to do a stealth scan on the computer.

1) In the Zenmap Command box, type nmap -sS win7ipaddress and hit the Scan button.

The -sS option tells NMAP to perform a TCP SYN ("half-open" or "stealth") port scan. Since this type of scan requires NMAP to build raw packets rather than use normal connections, you must have administrative rights (on Windows, run Zenmap as Administrator). The scan should take about one second.

a) Observe the output.

b) How many ports did it find? Compare this to the number of ports found with a TCP scan.

c) How long did the scan take? Compare this to the amount of time it took with the TCP scan.

Step 8 Use Wireshark to analyze the scan.

1) Click on the WireShark Capture screen and click Stop.

a) Observe the output.

b) How many total packets were captured? How does this compare to the previous capture?

2) In the Filter: box, type tcp.port==80 and press ENTER. (Note: there should be no spaces between the characters.)

Look at the last three packets and note that this time the three-way handshake is not completed. The SYN packet is sent and the SYN/ACK is returned, but instead of sending back an ACK, the scanning computer sends an RST. This lets the scanning computer establish that the port is in fact open, but because the handshake never completes, the operating system never hands a connection to the listening application, so the probe is less likely to appear in that application's logs. Note that "stealth" refers only to application logs: a firewall, an IDS, or a packet capture such as this one sees the SYN just as clearly as it sees a full connect.

3) Close WireShark and do not save the results.

Step 9 Use NMAP to enumerate the operating system of the target computer.

1) On the Start menu, click Run.

2) In the Open box, type cmd and click OK. (Run the command prompt as Administrator: like -sS, OS detection sends raw packets and needs administrative rights.)

3) At the command line, type nmap -O win7ipaddress and press ENTER.

The -O option tells NMAP to perform the scan and guess what operating system is on the computer, by comparing the target's responses to a series of crafted probes against NMAP's fingerprint database. A reliable match needs at least one open and one closed TCP port on the target. The scan should take about four seconds.

a) Observe the output.

b) What was the guess made by NMAP? Was it correct?

Step 10 Use Telnet to grab the web server, FTP server, and SMTP banners.

NOTE: In order to enable telnet on Windows 7, you must follow the instructions here: http://social.technet.microsoft.com/wiki/contents/articles/910.enabling-telnet-client-in-windows-7.aspx

1) At the command line, type telnet win7ipaddress 80 and press ENTER.

2) At the (blank) prompt type GET / HTTP/1.0 and press ENTER twice; the empty line ends the HTTP request. (Note that you will not see the characters as you type.)

a) Observe the output.

b) What Web server is being used?

c) What version of the Web server is being used.?

3) At the command line, type telnet win7ipaddress 21 and press ENTER.

a) Observe the output.

b) What FTP server is being used?

c) What version of the server is being used?

d) At the prompt, type quit and press ENTER.

4) At the command line, type telnet win7ipaddress 25 and press ENTER.

a) Observe the output.

b) What SMTP server and version are being used (from the 220 greeting line)?

c) Type quit and press ENTER.

d) Close the command prompt.

Step 11 Log off from the Windows 7 professional PC.

To exit from the Windows 7 professional PC:

1) On the Start menu, click Log Off.

2) At the Logoff screen, click on Log off.


Lab 1b: NMAP-IP Scanning in Linux

30 MINUTES

Materials and Setup

You will need the following computer OS set up:

Linux Metasploitable 2 VM

Linux (running on your lab computer!)

Lab Steps at a Glance

Step 1 Start both the Linux laptop and the Linux Metasploitable VM. You only need to log on to the Linux client PC. Make sure the Metasploitable VM is on a bridged network, as with the Windows Server 2008 VM.

Step 2 Start Wireshark.

Step 3 Use NMAP to scan the network.

Step 4 Analyze the output from Wireshark.

Step 5 Use NMAP to scan open TCP ports.

Step 6 Use Wireshark to analyze the scan.

Step 7 Use NMAP to do a stealth scan on the computer.

Step 8 Use Wireshark to analyze the scan.

Step 9 Use NMAP to enumerate the operating system of the target computer.

Step 10 Use Telnet to grab the web server, FTP server, and SMTP banners.

Step 11 Log off from the Linux Client PC.

Lab Steps

Step 1 Start both the Linux client and the Metasploitable VM.

1) On each system, use "ifconfig" to find the IP address (for the Metasploitable VM, log on at its console to run the command, or read its address off the ping scan in Step 3). If they are NOT in the same network, then you must change VMWare to use a bridged network connection for Metasploitable. We shall call the Linux client IP address LinuxClientIP and Metasploitable's IP address MetasploitableIP.

Step 2 Start Wireshark on the Linux system.

Using the Linux Client PC, we are going to launch WireShark to capture NMAP-generated network traffic and analyze how it discovers active hosts.

1) Right-click the desktop and select New terminal.

2) On the command line, type wireshark & and press ENTER. (Capturing on an interface needs root privileges on most Linux systems, so you may have to run it with sudo.)

3) On the Wireshark menu, click Capture and Start.

4) On the WireShark: Capture Options screen, click OK.

5) Minimize WireShark.

Step 3 Use NMAP to scan the network.

1) At the command line, type nmap and press ENTER.

a) Observe the output.

b) What version of NMAP are you running?

c) What is the option for a ping scan?

2) At the command line, type nmap -sn networkAddress (e.g. 149.143.3.0/24 at MVNU) and press ENTER.

The -sn option tells NMAP to perform a ping scan (-sP is the older name for the same option). The /24 suffix on the address tells NMAP to scan every host address on the networkAddress (149.143.3.0/24) network. The scan should take about 20 to 30 seconds.

a) Observe the output.

b) How many hosts did it find?

c) What are the IP addresses of the hosts?

d) How long did the scan take?

Step 4 Analyze the output from Wireshark.

1) Click on the WireShark capture screen and click stop.

Use the following questions to identify the qualities of the ping sweep signature:

a) Observe the output from Wireshark.

b) Why are there so many ARP broadcasts?

c) What can you tell about the timing between broadcasts?

d) What do you notice about the source addresses?

e) What do you notice about the broadcast addresses?

2) On the WireShark menu, click Capture and Start.

3) On the WireShark: Capture Options screen, click OK.
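The questions in Step 4 (of both Lab 1a and Lab 1b) ask what the ping sweep looks like on the wire. The script below, an added example rather than part of the lab, scores ARP request records the way a simple detector would: one sender MAC asking for many distinct targets in a short window, to the broadcast address, with near-constant spacing and mostly consecutive target addresses. The capture is constructed for the example and the thresholds are assumptions for a small lab LAN; to use it on real data, export the ARP requests from Wireshark and build the same dictionaries from them.

```python
"""Spot the ARP ping-sweep signature the Step 4 questions ask about.

Added example, not from the lab handout. It scores constructed ARP 'who-has'
records the way a simple detector would: one sender asking for many distinct
targets in a short window, broadcast destination, near-constant spacing, and
mostly consecutive target addresses. Thresholds are assumptions.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def make_sample_capture():
    """Constructed capture: a scanner sweeping 149.143.3.1-40 at ~1 ms spacing,
    mixed with a few ordinary ARP requests from other hosts. Not real data."""
    records = []
    t = 10.000
    for host in range(1, 41):
        records.append({"time": t, "src_mac": "00:0c:29:aa:bb:cc",
                        "dst_mac": BROADCAST, "target_ip": "149.143.3.%d" % host})
        t += 0.001
    # background noise: two hosts resolving their gateway and a printer
    records.append({"time": 10.005, "src_mac": "00:1b:21:11:22:33",
                    "dst_mac": BROADCAST, "target_ip": "149.143.3.1"})
    records.append({"time": 10.900, "src_mac": "00:1b:21:44:55:66",
                    "dst_mac": BROADCAST, "target_ip": "149.143.3.200"})
    records.append({"time": 11.400, "src_mac": "00:1b:21:11:22:33",
                    "dst_mac": BROADCAST, "target_ip": "149.143.3.1"})
    return sorted(records, key=lambda r: r["time"])


def summarise_senders(records):
    """Per sender MAC: request count, distinct targets, time span, mean gap between
    requests, and the fraction of target addresses that are exactly +1 from the previous."""
    by_src = defaultdict(list)
    for r in records:
        if r["dst_mac"] == BROADCAST:       # only broadcast who-has requests matter here
            by_src[r["src_mac"]].append(r)
    summary = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r["time"])
        targets = [ip_to_int(r["target_ip"]) for r in reqs]
        times = [r["time"] for r in reqs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        steps = [b - a for a, b in zip(targets, targets[1:])]
        summary[src] = {
            "requests": len(reqs),
            "distinct_targets": len(set(targets)),
            "span_s": times[-1] - times[0],
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else 0.0,
            "sequential_fraction": (sum(1 for s in steps if s == 1) / len(steps)) if steps else 0.0,
        }
    return summary


def detect_arp_sweeps(records, min_targets=16, max_span_s=5.0, min_sequential=0.8):
    """Return the sender MACs whose ARP pattern looks like a host-discovery sweep.
    The thresholds are assumptions for a small LAN, not values from the lab."""
    hits = []
    for src, s in summarise_senders(records).items():
        if (s["distinct_targets"] >= min_targets
                and s["span_s"] <= max_span_s
                and s["sequential_fraction"] >= min_sequential):
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    cap = make_sample_capture()
    for src, s in summarise_senders(cap).items():
        print(src, s)
    print("sweep sources:", detect_arp_sweeps(cap))
```

The summary printed for each sender answers questions b) through e) directly: the scanner has one source MAC, only broadcast destinations, a gap of about a millisecond between requests, and targets that count upwards by one, while the ordinary hosts ask for one or two addresses minutes apart.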

Step 5 Use NMAP to scan open TCP ports.

1) At the command line, type nmap -sT MetasploitableIP and press ENTER.

The -sT option tells NMAP to perform a TCP connect port scan. This is a full connection scan: each port is probed with a normal connect() call, so it needs no special privileges.

a) Observe the output.

b) How many ports did it find?

c) How long did the scan take?

Step 6 Use Wireshark to analyze the scan.

1) Click on the WireShark capture screen and click stop.

a) Observe the output.

b) How many packets did WireShark capture?

c) Look at the signature of the scan. Notice that there are many SYN packets sent from our computer doing the scanning and RST/ACK being sent back. RST/ACK is the response for a request to connect to a port that is not open.

Let's look at what happens when an open port is discovered. If we look at the output from the NMAP scan, we know that port 80, the HTTP service port, is open. To find those particular packets out of the thousands of packets captured, we will need to filter out the unwanted traffic.

2) In the Filter: box, type tcp.port==80 and press ENTER.

Look at the last four packets captured. Note the SYN, SYN/ACK, and ACK packets. A three-way handshake was completed so that the port could be established as open. This works, but it is very "noisy": whenever a three-way handshake is completed, the connection reaches the listening application and can show up in the server logs. The last of the four packets is an RST sent by the scanning computer.

Now let's try a scan, but this time let's not complete the three-way handshake. We will do this with a SYN stealth scan.

3) Click Clear next to the Filter: box.

4) On the Wireshark menu, click Capture and Start.

5) On the Wireshark: Capture Options screen, click OK.

Step 7 Use NMAP to do a stealth scan on the computer.

1) At the command line, type sudo nmap -sS MetasploitableIP and press ENTER.

The -sS option tells NMAP to perform a TCP SYN stealth port scan. Since this type of scan requires NMAP to build raw packets rather than use normal connections, you must have root privileges (hence sudo). The scan should take about one second.

a) Observe the output.

b) How many ports did it find? Compare this to the number of ports found with a TCP scan.

c) How long did the scan take? Compare this to the amount of time it took with the TCP scan.

Step 8 Use WireShark to analyze the scan.

1) Click on the WireShark Capture screen and click Stop.

a) Observe the output.

b) How many total packets were captured? How does this compare to the previous capture?

2) In the Filter box, type tcp.port==80 and press ENTER.

Look at the last three packets and note that this time the three-way handshake is not completed. The SYN packet is sent and the SYN/ACK is returned, but instead of sending back an ACK, the scanning computer sends an RST. This lets the scanning computer establish that the port is in fact open, but because the handshake never completes, the operating system never hands a connection to the listening application, so the probe is less likely to appear in that application's logs. A firewall, an IDS, or a packet capture such as this one still sees the SYN just as clearly as it sees a full connect.

3) Close WireShark.
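Steps 6 and 8 (in both Lab 1a and Lab 1b) describe three exchanges: a closed port answering RST/ACK, a connect scan completing the handshake before tearing it down, and a SYN scan answering the SYN/ACK with an RST. The script below, an added example and not part of the lab, classifies such exchanges from the TCP flags alone, which is how an IDS rule would tell the two scan styles apart and count the ports each one touched. The packets are a constructed capture with made-up addresses, not data from the lab machines.

```python
"""Classify the TCP exchanges seen in Steps 6 and 8 (connect scan vs SYN scan vs
closed port vs no answer) from per-packet flag sequences.

Added example, not part of the lab handout. The packets are a constructed capture
that mimics the tcp.port==80 filter output the text describes. Addresses are made up.
"""
from collections import defaultdict

SCANNER = "149.143.3.144"   # constructed: the host running nmap
TARGET = "149.143.3.200"    # constructed: stands in for win7ipaddress / MetasploitableIP


def pkt(src, dst, sport, dport, flags):
    """One captured TCP packet; flags given as 'SYN', 'SYN+ACK', 'RST+ACK', ..."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": frozenset(flags.split("+"))}


def make_sample_capture():
    """Four probes, one per outcome the lab text describes."""
    return [
        # 1) closed port 81: SYN answered with RST/ACK
        pkt(SCANNER, TARGET, 40001, 81, "SYN"),
        pkt(TARGET, SCANNER, 81, 40001, "RST+ACK"),
        # 2) full connect (-sT) to open port 80: SYN, SYN/ACK, ACK, then the scanner resets
        pkt(SCANNER, TARGET, 40002, 80, "SYN"),
        pkt(TARGET, SCANNER, 80, 40002, "SYN+ACK"),
        pkt(SCANNER, TARGET, 40002, 80, "ACK"),
        pkt(SCANNER, TARGET, 40002, 80, "RST+ACK"),
        # 3) half-open (-sS) to open port 80: SYN, SYN/ACK, RST and no ACK
        pkt(SCANNER, TARGET, 40003, 80, "SYN"),
        pkt(TARGET, SCANNER, 80, 40003, "SYN+ACK"),
        pkt(SCANNER, TARGET, 40003, 80, "RST"),
        # 4) no answer at all (dropped by a host firewall)
        pkt(SCANNER, TARGET, 40004, 135, "SYN"),
    ]


def group_probes(packets, scanner):
    """Bucket packets by (target, scanner port, target port) so both directions of
    one probe land together, in capture order."""
    probes = defaultdict(list)
    for p in packets:
        if p["src"] == scanner:
            key = (p["dst"], p["sport"], p["dport"])
        elif p["dst"] == scanner:
            key = (p["src"], p["dport"], p["sport"])
        else:
            continue
        probes[key].append(p)
    return probes


def classify_probe(packets, scanner):
    """Label one probe from the scanner's point of view."""
    seq = [("scanner" if p["src"] == scanner else "target", p["flags"]) for p in packets]
    if not seq or seq[0] != ("scanner", frozenset({"SYN"})):
        return "not-a-probe"
    replies = [f for who, f in seq if who == "target"]
    if not replies:
        return "filtered"                   # nothing came back: dropped by a firewall
    if {"RST", "ACK"} <= replies[0]:
        return "closed"                     # RST/ACK: nothing is listening
    if {"SYN", "ACK"} <= replies[0]:
        first_reply = next(i for i, (who, _) in enumerate(seq) if who == "target")
        after = [f for who, f in seq[first_reply + 1:] if who == "scanner"]
        if after and "ACK" in after[0] and "RST" not in after[0]:
            return "open/connect"           # handshake completed: the application saw it
        if after and "RST" in after[0]:
            return "open/half-open"         # SYN scan: reset before the handshake completes
        return "open/unknown"
    return "unexpected"


def scan_report(packets, scanner):
    """(target port, scanner port) -> classification for every probe in the capture."""
    return {(dport, sport): classify_probe(pkts, scanner)
            for (_, sport, dport), pkts in group_probes(packets, scanner).items()}


def summarise(report):
    """Counts per label; a high 'closed' count from one source is the port-scan signature."""
    counts = defaultdict(int)
    for label in report.values():
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    rep = scan_report(make_sample_capture(), SCANNER)
    for key in sorted(rep):
        print("port %5d (from %d): %s" % (key[0], key[1], rep[key]))
    print(summarise(rep))
```

Compare the packet counts: the open port costs the connect scan four packets and the SYN scan three, and only the connect probe ever reaches the application, which is the difference the two Wireshark captures in Steps 6 and 8 show.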

Step 9 Use NMAP to enumerate the operating system of the target computer.

1) At the command line, type sudo nmap -O MetasploitableIP and press ENTER.

The -O option tells NMAP to perform the scan and guess what operating system is on the computer, by comparing the target's responses to a series of crafted probes against NMAP's fingerprint database. It needs root privileges and works best when the target has at least one open and one closed TCP port. The scan should take about four seconds.

a) Observe the output.

b) What was the guess made by NMAP?

c) Was it correct?
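Step 9 (in both labs) asks what nmap -O guessed and whether it was right, and the introduction explains that the guess rests on small differences in TCP/IP stack behaviour. The script below, added here and not part of the lab, shows that idea in its crudest form using only two fields from the SYN/ACK replies already in the capture: the IP TTL (rounded up to a common starting value of 64, 128 or 255, which also yields the hop count) and the TCP window size. The signature table and the observed replies are assumptions made for the example; nmap's own fingerprints use dozens of probe responses, which is why it does far better than this.

```python
"""Passive stack-fingerprint guess from SYN/ACK replies, illustrating the idea behind
nmap -O (Step 9 of Labs 1a and 1b) in miniature.

Added example, not the lab's own material and far cruder than nmap's fingerprint
database: it uses only the IP TTL and TCP window size of a SYN/ACK. The signature
table and the sample replies are assumptions.
"""

# Assumed signature table: (initial TTL, SYN/ACK window) -> OS family. The default
# initial TTLs (64 Linux/BSD, 128 Windows, 255 Solaris and many network devices) are
# well known; the window sizes are typical values for those stacks, not a specification.
SIGNATURES = [
    {"ttl": 64, "window": 5840, "os": "Linux 2.6 (older)"},
    {"ttl": 64, "window": 29200, "os": "Linux 3.x/4.x"},
    {"ttl": 128, "window": 8192, "os": "Windows 7 / Server 2008"},
    {"ttl": 128, "window": 65535, "os": "Windows XP / 2003"},
    {"ttl": 255, "window": 4128, "os": "Cisco IOS"},
]

INITIAL_TTLS = (64, 128, 255)
TTL_FAMILY = {64: "Linux/BSD-like", 128: "Windows", 255: "Solaris / network device"}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common starting value."""
    for t in INITIAL_TTLS:
        if observed_ttl <= t:
            return t
    raise ValueError("TTL out of range: %d" % observed_ttl)


def hop_count(observed_ttl):
    """Routers each decrement TTL by one, so start minus observed is the path length."""
    return initial_ttl(observed_ttl) - observed_ttl


def guess_os(observed_ttl, window):
    """(guess, confidence): 'ttl+window' on an exact table hit, else 'ttl-only' family."""
    ttl0 = initial_ttl(observed_ttl)
    exact = [s["os"] for s in SIGNATURES if s["ttl"] == ttl0 and s["window"] == window]
    if exact:
        return exact[0], "ttl+window"
    return TTL_FAMILY[ttl0], "ttl-only"


def fingerprint_capture(synacks):
    """synacks: iterable of {'src': ip, 'ttl': int, 'window': int} taken from SYN/ACK
    packets. Returns one guess per host, using the first SYN/ACK seen from it."""
    seen = {}
    for p in synacks:
        if p["src"] in seen:
            continue
        guess, conf = guess_os(p["ttl"], p["window"])
        seen[p["src"]] = {"guess": guess, "confidence": conf, "hops": hop_count(p["ttl"])}
    return seen


# Constructed SYN/ACK observations (not captured from the lab machines).
SAMPLE_SYNACKS = [
    {"src": "149.143.3.200", "ttl": 128, "window": 8192},   # on-link Windows host
    {"src": "149.143.3.201", "ttl": 64, "window": 5840},    # on-link older Linux host
    {"src": "10.9.8.7", "ttl": 55, "window": 14600},        # 9 hops away, window not in table
]

if __name__ == "__main__":
    for host, result in fingerprint_capture(SAMPLE_SYNACKS).items():
        print(host, result)
```

To try it on your own capture, apply the filter tcp.flags.syn==1 && tcp.flags.ack==1 in Wireshark and read the IP TTL and TCP window size of the target's reply into SAMPLE_SYNACKS; if the window does not match the table you still get the TTL family, which is often enough to confirm or reject the nmap -O guess.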

Step 10 Use Telnet to grab the web server, FTP server, and SMTP banners.

1) At the command line, type telnet MetasploitableIP 80 and press ENTER.

2) At the prompt, type GET / HTTP/1.0 and press ENTER twice; the empty line ends the HTTP request.

a) Observe the output.

b) What Web server is being used?

c) What version of the Web server is being used?

3) At the command line, type telnet MetasploitableIP 21 and press ENTER.

a) Observe the output.

b) What FTP server is being used?

c) What version of the server is being used?

d) Type quit and press ENTER.

4) At the command line, type telnet MetasploitableIP 25 and press ENTER.

a) Observe the output.

b) What SMTP server and version are being used (from the 220 greeting line)?

c) Type quit and press ENTER.

5) Close the terminal session.
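Step 10 in both labs grabs three banners by hand with telnet. The script below is an added example, not part of the lab: it does the same over a socket (sending a minimal request on port 80, and just reading the greeting on 21 and 25) and parses the product name and version out of each reply. The sample replies are constructed, not captured from the lab machines, and parse_banner only recognises the common "Server: name/version" and "220 name version" shapes; anything else comes back as (None, None) and should be read by eye as in the lab.

```python
"""Grab and parse the HTTP, FTP and SMTP banners that Step 10 (Lab 1a and 1b)
collects by hand with telnet.

Added example, not part of the lab handout. grab_banner() does over a socket what
the telnet steps do by hand; parse_banner() pulls product and version out of the
reply. The sample replies below are constructed, not captured from the lab machines.
"""
import re
import socket

# What to send after connecting: HTTP answers only after a request; FTP and SMTP
# greet first, so nothing is sent on those ports.
PROBES = {
    80: b"GET / HTTP/1.0\r\nHost: target\r\n\r\n",
    21: b"",
    25: b"",
}

# Constructed sample replies (loosely modelled on a typical Linux server; not captured).
SAMPLE_REPLIES = {
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n",
    21: "220 (vsFTPd 2.3.4)\r\n",
    25: "220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
}

GREETING_NOISE = ("ESMTP", "SMTP", "FTP", "SERVICE", "READY")


def parse_banner(port, text):
    """Return (product, version) from a raw reply; (None, None) if it cannot be found."""
    if port == 80:
        # HTTP: the Server: response header, usually "Server: product/version (comment)"
        m = re.search(r"^Server:\s*([^/\r\n]+)(?:/(\S+))?", text, re.MULTILINE | re.IGNORECASE)
        return (m.group(1).strip(), m.group(2)) if m else (None, None)
    # FTP and SMTP: a 220 greeting line, e.g. "220 (vsFTPd 2.3.4)" or "220 host ESMTP Postfix"
    m = re.match(r"220[ -](.*)", text)
    if not m:
        return (None, None)
    greeting = m.group(1).strip()
    v = re.search(r"([A-Za-z][\w.-]*?)[ /]v?(\d+(?:\.\d+)+)", greeting)   # "name 2.3.4" / "name/2.3.4"
    if v:
        return (v.group(1), v.group(2))
    # No version: take the first word that is not a hostname or a protocol keyword.
    for word in greeting.replace("(", " ").replace(")", " ").split():
        if word.upper() in GREETING_NOISE or "." in word:
            continue
        return (word, None)
    return (None, None)


def grab_banner(host, port, timeout=5.0):
    """Connect, send the probe for that port (if any) and return the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if PROBES.get(port):
            s.sendall(PROBES[port])
        return s.recv(4096).decode("latin-1", "replace")


def offline_fetch(host, port):
    """Stand-in for grab_banner that returns the constructed sample replies."""
    return SAMPLE_REPLIES[port]


def banner_report(host, ports=(80, 21, 25), fetch=grab_banner):
    """Map port -> (product, version); `fetch` is swappable so the parser can run offline."""
    report = {}
    for port in ports:
        try:
            reply = fetch(host, port)
        except OSError as exc:           # refused, timed out, unreachable
            report[port] = ("error", str(exc))
            continue
        report[port] = parse_banner(port, reply)
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = grab_banner if target else offline_fetch
    for port, (product, version) in banner_report(target or "sample", fetch=fetch).items():
        print("%5d  %s %s" % (port, product, version or ""))
```

Run it without arguments to see the parser on the sample replies, or with MetasploitableIP (or win7ipaddress) as the argument to fetch the real banners; the raw text telnet showed you is what grab_banner returns before parsing.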

Step 11 Log off from the Linux Client PC.

Lab Review

In this lab, we observed that NMAP uses the Address Resolution Protocol to quickly and easily scan a local network and discover which hosts are running. We also noticed some of the qualities that make up the signature of a scan. This knowledge will be practical in future labs when we look at methods that prevent NMAP from obtaining information from a scan.

Completing this lab has taught you:

How knowledge of the three-way handshake helps in understanding the way NMAP exploits that process.

How the three-way handshake is used to enumerate ports.

How the three-way handshake can be exploited to conduct a stealthy scan.

How to devise ways to prevent such exploitation.

How to detect different types of scans, which usually precede an attack.

Turn in:

  1. Complete answers to all the questions asked above.
  2. Embedded screenshots of the results of each major operation.
  3. A paragraph about what you thought was most meaningful about the lab. Was there anything that you felt was a waste? How would you change the assignment to improve it?
-- JimSkon - 2012-02-23

Topic revision: r8 - 2014-03-07 - JimSkon
 