CEH Lab Manual

Evading IDS, Firewalls, and Honeypots

Module 17

Module 17 - Evading IDS, Firewalls and Honeypots

Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

ICON KEY

Valuable information
Test your knowledge
Web exercise
Workbook review

Lab Scenario

Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are among those that have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress, including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a "process of identifying and responding to malicious activity targeted at computing and networking resources." In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from its own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Lab Objectives

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

The objective of this lab is to help students learn and detect intrusions in a network, log, and view all log files. In this lab, you will learn how to:
■ Install and configure Snort IDS
■ Run Snort as a service
■ Log snort log files to Kiwi Syslog server
■ Store snort log files to two output sources simultaneously

Lab Environment

To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ A computer running Windows Server 2008, Windows 8, or Windows 7 as a virtual machine
■ WinPcap drivers installed on the host machine
CEH Lab Manual Page 847

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools
■ A web browser with Internet access
Lab Duration

Time: 40 Minutes

Overview of Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. In addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself or changing the security environment.
IDPSes are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Overview

Recommended labs to assist you in using IDSes:
■ Detecting Intrusions Using Snort
■ Logging Snort Alerts to Kiwi Syslog Server
■ Detecting Intruders and Worms using KFSensor Honeypot IDS
■ HTTP Tunneling Using HTTPort

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Detecting Intrusions using Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).


Lab Scenario

The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by examining IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trending data from the Internet. As attacks become more sophisticated, automatically reasoning about attack scenarios in real time and categorizing those scenarios becomes a critical challenge. These result in huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Objectives

The objective of this lab is to familiarize students with IPSes and IDSes. In this lab, you need to:
■ Install Snort and verify Snort alerts
■ Configure and validate the snort.conf file
■ Test the working of Snort by carrying out an attack test
■ Perform intrusion detection
■ Configure Oinkmaster

Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine
■ Windows 7 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools
Lab Duration

Time: 30 Minutes

Overview of Intrusion Prevention Systems and Intrusion Detection Systems

Note: You can also download Snort from http://www.snort.org.

An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.
An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.
Lab Tasks

TASK 1: Install Snort

1. Start Windows Server 2012 on the host machine.
2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.
4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.
5. A window appears after successful installation of Snort. Click the Close button.
6. Click OK to exit the Snort Installation window.

The Snort 2.9.3.1 Setup dialog reads:

    Snort has successfully been installed.

    Snort also requires WinPcap 4.1.1 to be installed on this machine,
    WinPcap can be downloaded from:
    http://www.winpcap.org/

    It would also be wise to tighten the security on the Snort installation
    directory to prevent any malicious modification of the Snort executable.

    Next, you must manually edit the 'snort.conf' file to
    specify proper paths to allow Snort to find the rules files
    and classification files.

Figure 1.1: Snort Successful Installation Window

7. Snort requires WinPcap to be installed on your machine.
8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort, and double-clicking WinPcap_4_1_2.exe.

Note: WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.

9. By default, Snort installs itself in C:\Snort (C: or D: depending upon the disk drive in which the OS is installed).
10. Register on the Snort website https://www.snort.org/signup in order to download Snort Rules. After registration completes, it will automatically redirect to a download page.
11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.
12. Extract the downloaded rules and copy the extracted folder in this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
13. Rename the extracted folder to snortrules.
14. Now go to the etc folder in the specified location D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc of the extracted Snort rules, copy the snort.conf file, and paste this file in C:\Snort\etc.
15. The snort.conf file is already present in C:\Snort\etc; replace this file with the Snort rules snort.conf file.
16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.

17. Replace the preproc_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.
18. Copy all the files from this location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

TASK 2: Verify Snort Alert

19. Now navigate to C:\Snort and right-click folder bin, and click Cmd Here from the context menu to open it in a command prompt.
20. Type snort and press Enter.
Note: To print out the TCP/IP packet headers to the screen (i.e. sniffer mode), type: snort -v.

    C:\Snort\bin>snort
    Running in packet dump mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to passive.
    The DAQ version does not support reload.
    Acquiring network traffic from "\Device\NPF_{0FB09822-88B5-411F-AFD2-FE3735A977BB}".
    Decoding Ethernet

            --== Initialization Complete ==--

       -*> Snort! <*-
       Version 2.9.3.1-WIN32 GRE (Build 40)
       By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
       Copyright (C) 1998-2012 Sourcefire, Inc., et al.
       Using PCRE version: 8.10 2010-06-25
       Using ZLIB version: 1.2.3

    Commencing packet processing (pid=756)

Figure 1.2: Snort Basic Command

21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and comes back to C:\Snort\bin.
22. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet Drivers, but all are disabled by default.

    Snort exiting
    C:\Snort\bin>snort -W
    (Snort banner as in Figure 1.2)

    Index  Physical Address   IP Address  Device Name                                          Description
    1      00:00:00:00:00:00  disabled    \Device\NPF_{0FB09822-88B5-411F-AFD2-FE3735A977BB}   Microsoft Corporation
    2      00:00:00:00:00:00  disabled    \Device\NPF_{0BFD2FA3-2E17-46E3-B614-0FC19B5DDA25}   (unreadable in the screenshot)
    3      00:00:00:00:00:00  disabled    \Device\NPF_{1D13B78A-B411-4325-...}                 (unreadable in the screenshot)
    4      D4:BE:D9:C3:C3:CC  disabled    \Device\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}   Realtek PCIe GBE Family Controller

    C:\Snort\bin>

Figure 1.3: Snort -W Command

23. Observe your Ethernet Driver index number and write it down; in this lab, the Ethernet Driver index number is 1.
24. To enable the Ethernet Driver, in the command prompt, type snort -dev -i 2 and press Enter.

25. You see rapidly scrolling text in the command prompt. It means the Ethernet Driver is enabled and working properly.

Note: To specify a logging directory, type snort -dev -l /logdirectorylocation, and Snort automatically knows to go into packet logger mode.

    C:\Snort\bin>snort -dev -i 4
    Running in packet dump mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to passive.
    The DAQ version does not support reload.
    Acquiring network traffic from "\Device\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}".
    Decoding Ethernet

            --== Initialization Complete ==--
    (Snort banner as in Figure 1.2)

    Commencing packet processing (pid=2852)
    11/14-09:55:49.352079 ARP who-has 10.0.0.13 tell 10.0.0.10

Figure 1.4: Snort -dev -i 4 Command

26. Leave the Snort command prompt window open, and launch another command prompt window.
27. In a new command prompt, type ping google.com and press Enter.

Note: Ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

Figure 1.5: Ping google.com Command

28. This ping command triggers a Snort alert in the Snort command prompt with rapid scrolling text.

Note: To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.

    74.125.236.85:443 -> 10.0.0.10:51345 TCP TTL:56 TOS:0x0 ID:55300 IpLen:20 DgmLen:95
    Seq: 0x81047C40  Ack: 0x4C743C54  Win: 0xFFFF  TcpLen: 20
    (hex payload dump omitted)
    11/14-09:58:16.374896 D4:BE:D9:C3:C3:CC -> 00:09:5B:AE:24:CC type:0x800 len:0x36
    10.0.0.10:51345 -> 74.125.236.85:443 TCP TTL:128 TOS:0x0 ID:20990 IpLen:20 DgmLen:40 DF
    Seq: 0x4C743C54  Ack: 0x81047C77  Win: 0xFB27  TcpLen: 20
    11/14-09:58:17.496035 ARP who-has 10.0.0.13 tell 10.0.0.10
    11/14-09:58:18.352315 ARP who-has 10.0.0.13 tell 10.0.0.10
    11/14-09:58:19.352675 ARP who-has 10.0.0.13 tell 10.0.0.10

Figure 1.6: Snort Showing Captured Google Request

29. Close both command prompt windows. The verification of Snort installation and triggering alert is complete, and Snort is working correctly in verbose mode.
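Picking the interface index from the snort -W listing (steps 22 and 23) can be automated. The following Python snippet is an added example and is not part of the lab manual or of Snort: it parses a constructed copy of the Figure 1.3 table and returns the indexes whose physical address is not all zeros, which is how a real NIC is told apart from the virtual adapters in that listing.

```python
import re

# Constructed sample of the "snort -W" interface table, modelled on Figure 1.3.
# The GUIDs and the MAC address are the ones visible in the lab screenshot; the
# third adapter is left out because its row is unreadable there.
SNORT_W_OUTPUT = """\
Index   Physical Address        IP Address      Device Name     Description
-----   ----------------        ----------      -----------     -----------
    1   00:00:00:00:00:00       disabled        \\Device\\NPF_{0FB09822-88B5-411F-AFD2-FE3735A977BB}  Microsoft Corporation
    2   00:00:00:00:00:00       disabled        \\Device\\NPF_{0BFD2FA3-2E17-46E3-B614-0FC19B5DDA25}
    4   D4:BE:D9:C3:C3:CC       disabled        \\Device\\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}  Realtek PCIe GBE Family Controller
"""

# One table row: index, MAC, IP column, \Device\NPF_{GUID}, optional description.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+"                               # interface index
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"  # physical (MAC) address
    r"(\S+)\s+"                                   # IP address column ("disabled" on this build)
    r"(\\Device\\NPF_\{[0-9A-Fa-f-]+\})"          # NPF device name
    r"\s*(.*?)\s*$"                               # description, may be empty
)


def parse_snort_w(text):
    """Turn the snort -W listing into a list of dicts, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append({
                "index": int(m.group(1)),
                "mac": m.group(2).upper(),
                "ip": m.group(3),
                "device": m.group(4),
                "description": m.group(5),
            })
    return entries


def candidate_indexes(entries):
    """Indexes worth passing to snort -i: adapters that report a real MAC.
    An all-zero physical address is a virtual or filter adapter, not the NIC
    the lab sniffs on; the IP column reads 'disabled' for every row on this
    build, so it cannot be used to choose."""
    return [e["index"] for e in entries if e["mac"] != "00:00:00:00:00:00"]


if __name__ == "__main__":
    rows = parse_snort_w(SNORT_W_OUTPUT)
    for row in rows:
        print(row["index"], row["mac"], row["device"], row["description"])
    print("candidate -i values:", candidate_indexes(rows))
```

On the Figure 1.3 listing this selects index 4, the adapter the capture in Figure 1.4 is started on.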
TASK 3: Configure snort.conf File

30. Configure the snort.conf file located at C:\Snort\etc.
31. Open the snort.conf file with Notepad++.
32. The snort.conf file opens in Notepad++ as shown in the following screenshot.

Note: Make sure to grab the rules for the version you are installing Snort for.

Note: To log packets in tcpdump format and to produce minimal alerts, type: snort -b -A fast -c snort.conf

Figure 1.7: Configuring Snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line, replace any with the IP addresses (Line 45) of the machine where Snort is running.

    # Step #1: Set the network variables.  For more information, see README.variables

    # Setup the network addresses you are protecting
    ipvar HOME_NET 10.0.0.10

Note: Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.

Figure 1.8: Configuring Snort.conf File in Notepad++

34. Leave the EXTERNAL_NET any line as it is.

Note: The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.

35. If you have a DNS Server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS Server IP address; otherwise, leave this line as it is.
36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.
    102 # Note for Windows users:  You are advised to make this an absolute path,
    103 # such as:  c:\snort\rules
    104 var RULE_PATH C:\Snort\rules
    105 var SO_RULE_PATH C:\Snort\so_rules
    106 var PREPROC_RULE_PATH C:\Snort\preproc_rules
    107
    108 # If you are using reputation preprocessor set these
    109 # Currently there is a bug with relative paths, they are relative to where snort is
    110 # not relative to snort.conf like the above variables
    111 # This is completely inconsistent with how other vars work, BUG 89986
    112 # Set the absolute path appropriately
    113 var WHITE_LIST_PATH ../rules
    114 var BLACK_LIST_PATH ../rules

Note: Rule variable names can be modified in several ways. You can define metavariables using the $ operator. These can be used with the variable modifier operators ? and -.

Figure 1.9: Configuring Snort.conf File in Notepad++

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.

    113 var WHITE_LIST_PATH C:\Snort\rules
    114 var BLACK_LIST_PATH C:\Snort\rules

Figure 1.10: Configuring Snort.conf File in Notepad++

40. Navigate to C:\Snort\rules and create two files and name them white_list.rules and black_list.rules; make sure the two files' extensions are .rules.

Note: The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure dynamic loaded libraries in this section.
42. At path to dynamic preprocessor libraries (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.
43. In this lab, dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.

Note: Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.

    # Step #4: Configure dynamic loaded libraries.
    # For more information, see Snort Manual, Configuring Snort - Dynamic Modules

    # path to dynamic preprocessor libraries
    dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

    # path to base preprocessor engine
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

    # path to dynamic rules libraries
    dynamicdetection directory /usr/local/lib/snort_dynamicrules

Figure 1.11: Configuring Snort.conf File in Notepad++

44. At path to base preprocessor (or dynamic) engine (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

Note: Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.

Figure 1.12: Configuring Snort.conf File in Notepad++

45. Comment (#) the dynamic rules libraries line, as you already configured the libraries in dynamic preprocessor libraries (Line 253).

Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

    # path to base preprocessor engine
    dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

    # path to dynamic rules libraries
    # dynamicdetection directory /usr/local/lib/snort_dynamicrules

Figure 1.13: Configuring Snort.conf File in Notepad++

46. Scroll down to the Step #5: Configure Preprocessors section (Line 256). The preprocessors listed there do nothing in IDS mode, but generate errors at runtime.
Note: IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

47. Comment all the preprocessors listed in this section by adding # before each preprocessor.

    # Inline packet normalization. For more information, see README.normalize
    # Does nothing in IDS mode
    #preprocessor normalize_ip4
    #preprocessor normalize_tcp: ips ecn stream
    #preprocessor normalize_icmp4
    #preprocessor normalize_ip6
    #preprocessor normalize_icmp6

    # Target-based IP defragmentation.  For more information, see README.frag3
    preprocessor frag3_global: max_frags 65536
    preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout ...

    # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
    preprocessor stream5_global: track_tcp yes, \
       track_udp yes, \
       track_icmp no, \
       max_tcp 262144, \
       max_udp 131072, \
       max_active_responses 2, \
       min_response_seconds 5

Note: Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]

Figure 1.14: Configuring Snort.conf File in Notepad++

48. Scroll down to S te p #6 : C o nfigure o u tp u t plugins (Line 514). 111 tins step,
provide die location of die c la s s ific a tio n .c o n fig and re fe re n c e .c o n fig files.
49. These two files are 111 C :Snortetc. Provide diis location of files 111 configure
output plugins (111 Lines 540 and 541).

C E H Lab Manual Page 858

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 17 - Evadin g ID S, F ire w a lls and H oneypots

Note: The frag3 preprocessor is a target-based IP defragmentation module for Snort.

Figure 1.15: Configuring the snort.conf file in Notepad++. The Step #6: Configure output plugins section (lines 514 to 541) shows the commented unified2, alert_unified2, log_unified2 and database output lines, followed by the two metadata includes edited to read include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config (cursor at line 541).

50. In this same Step #6 section, add the line output alert_fast: alerts.ids so that Snort writes all alerts to the alerts.ids file (a relative filename here is taken relative to the log directory given with -l when Snort is started).

Note: ipvars are enabled only in Snort builds with IPv6 support. Without IPv6 support, use a regular var.

Figure 1.16: Configuring the snort.conf file in Notepad++. The new line output alert_fast: alerts.ids has been added to the Step #6 output plugins section, just above the two metadata includes (cursor at line 541, column 30).

51. By default, the C:\Snort\log folder is empty, without any files in it. Go to the C:\Snort\log folder and create a new text file with the name alerts.ids.
52. Ensure that the extension of that file is .ids (and not alerts.ids.txt, which is what Windows Explorer produces when file extensions are hidden).
Note: Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals:
1. Faster execution than frag2 with less complex data management.
2. Target-based host modeling anti-evasion techniques.


Figure 1.17: The C:\Snort\log folder in Windows Explorer, now containing the newly created alerts.ids file (1 item)

53. In the snort.conf file, find and replace the string ipvar with var. The stock file declares its network variables with ipvar, which is only recognized by Snort builds compiled with IPv6 support; the Windows build used in this lab is not, so it rejects ipvar and the variables must be declared with var instead. In Notepad++ use Search > Replace (Find what: ipvar, Replace with: var, Replace All); portvar declarations are unaffected because they do not contain the string ipvar.
Note: Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This allows administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.
Note: Three types of variables may be defined in Snort: var, portvar and ipvar.
Figure 1.18: The Notepad++ Replace dialog, with ipvar in the Find what field and var in the Replace with field, ready for Replace All

54. Save the snort.conf file.
55. Before running Snort you need to enable detection rules in the Snort rules files; for this lab we enable an ICMP rule so that Snort can detect host discovery ping probes sent to the system running Snort.
56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.
57. Uncomment line 47 (the ICMP-INFO PING rule, which fires on any ICMP echo request, itype:8 and icode:0), then save and close the file.

Figure 1.19: The C:\Snort\rules\icmp-info.rules file in Notepad++ (cursor at line 47). Line 47 has been uncommented and now reads alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; ...); the surrounding ICMP-INFO rules (IRDP router advertisement and router selection, PING BSDtype, PING Cisco Type.x, PING Microsoft Windows, PING Windows, traceroute, Address Mask Request/Reply, Alternate Host Address, Datagram Conversion Error and so on) remain commented out.
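The edits in steps 48 to 57 are easy to get subtly wrong by hand (a missed include path, a stray ipvar, a rule that is still commented out), and Snort only tells you at startup. The following Python script, added here as an example and not part of the lab manual or of the Snort project, applies the same edits to a constructed snort.conf fragment and a constructed rule file, then lints the result. The install path C:\Snort\etc, the text of the sample rules (the ICMP-INFO PING rule is reconstructed from line 47 and the sid 384 rev 6 identifier that appears in the Kiwi log rows of Lab 2; the other rule is a placeholder) and the optional syslog collector are assumptions; the Lab 2 syslog change is included as an option so that one function covers both labs.

```python
"""Apply the snort.conf edits from steps 48 to 54 and the rule change from
steps 55 to 57 programmatically, then lint the result.

Added example, not part of the lab manual or of the Snort project. The
configuration and rule fragments are constructed from the lines the lab
touches; the first rule in SAMPLE_RULES is a placeholder, not a real rule.
"""
import re

# Constructed fragment of a stock Snort 2.9 snort.conf (only the lines the lab edits).
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
# unified2
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT
# metadata reference data.  do not modify these lines
include classification.config
include reference.config
"""

# Constructed rule file: a placeholder rule that must stay commented, then the lab's
# ICMP-INFO PING rule (sid 384, rev 6, as identified in the Kiwi log rows of Lab 2).
SAMPLE_RULES = """\
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER rule"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:6;)
"""

SNORT_ETC = r"C:\Snort\etc"  # assumption: the install path used throughout the lab


def patch_snort_conf(text, etc_dir=SNORT_ETC, alert_file="alerts.ids", syslog_host=None):
    """Return the configuration text with the lab's edits applied.

    syslog_host, when given (for example "127.0.0.1:514"), also applies the
    Lab 2 step 14 change so the same function serves both labs.
    """
    out = []
    for line in text.splitlines():
        # Step 53: a Windows build without IPv6 support rejects ipvar. Rewrite it only
        # at the start of a line, so the word inside a comment (or portvar) is untouched.
        line = re.sub(r"^ipvar\b", "var", line)
        # Step 49: point the two metadata includes at the absolute etc directory.
        m = re.match(r"^include (classification|reference)\.config$", line)
        if m:
            line = "include %s\\%s.config" % (etc_dir, m.group(1))
        # Lab 2, step 14: enable the syslog output line with an explicit collector.
        if syslog_host and line.strip() == "# output alert_syslog: LOG_AUTH LOG_ALERT":
            line = "output alert_syslog: host=%s, LOG_AUTH LOG_ALERT" % syslog_host
        out.append(line)
    # Step 50: add alert_fast inside the output section, just above the metadata includes.
    idx = next(i for i, l in enumerate(out) if l.startswith("# metadata reference data"))
    out.insert(idx, "output alert_fast: %s" % alert_file)
    return "\n".join(out) + "\n"


def uncomment_rule(rules_text, sid):
    """Steps 55 to 57: enable the rule carrying the given sid by removing its leading '#'."""
    pat = re.compile(r"^#\s*(?=alert\b)(?=.*\bsid:%d;)" % sid)
    return "\n".join(pat.sub("", l) for l in rules_text.splitlines()) + "\n"


def lint_conf(text):
    """Return the problems to fix before starting Snort on an IPv6-less Windows build."""
    problems = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        if re.match(r"^ipvar\b", line):
            problems.append("line %d: ipvar requires an IPv6-enabled Snort build" % n)
        if re.match(r"^include \w+\.config$", line):
            problems.append("line %d: relative include path; use the absolute etc path" % n)
    if not any(l.startswith("output ") for l in lines):
        problems.append("no active output plugin: alerts would go nowhere")
    return problems


if __name__ == "__main__":
    print(patch_snort_conf(SAMPLE_CONF, syslog_host="127.0.0.1:514"))
    print(uncomment_rule(SAMPLE_RULES, 384))
```

To use it on the real file, read C:\Snort\etc\snort.conf into a string, pass it to patch_snort_conf and write the result back; lint_conf on the original file lists the same things Snort would otherwise report one at a time as fatal errors in step 61.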

58. Now navigate to C:\Snort, right-click the bin folder, and select Cmd Here from the context menu to open a command prompt in that folder.

TASK: Validate Configurations

59. Type snort -i X -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your device index number; in this lab X is 1). Note that the log directory switch is a lowercase l. To check the configuration without capturing any traffic, add the -T switch: Snort then parses snort.conf and the rule files, reports any errors, and exits.
60. If you enter all the command information correctly, you receive a graceful exit as shown in the following figure.
Note: To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example:
/usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D
61. If you receive a fatal error, you should first verify that you have typed all modifications correctly into the snort.conf file and then search through the file for entries matching your fatal error message.
62. If you receive an error stating "Could not create the registry key," run the command prompt as an Administrator.

Figure 2.18: Snort Successfully Validated Configuration window, showing the command C:\Snort\bin>snort -i4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii in an Administrator command prompt

TASK: Start Snort

63. Start Snort in IDS mode: in the command prompt type snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 2 and then press Enter.

Figure 2.19: Start Snort in IDS Mode command

64. Snort starts running in IDS mode. It first initializes the output plug-ins, the preprocessors and the dynamic preprocessor libraries, builds the rule chains, and then logs all loaded signatures.
Note: C:\Snort\etc\snort.conf is the location of the configuration file.
65. After initializing the interface and loading the signatures, Snort waits for traffic and triggers an alert when an attack occurs on the machine.

Figure 1.20: Initializing Snort Rule Chains window. The banner reads: -*> Snort! <*- Version 2.9.3.1-WIN32 GRE (Build 40), By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team, Copyright (C) 1998-2012 Sourcefire, Inc., et al., Using PCRE version: 8.10 2010-06-25, Using ZLIB version: 1.2.3, Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 <Build 18>, followed by the list of loaded preprocessor objects (SF_SSLPP, SF_SSH, SF_SMTP, SF_SIP, SF_SDF, SF_REPUTATION, SF_POP, SF_MODBUS, SF_IMAP, SF_GTP, SF_FTPTELNET, SF_DNS, SF_DNP3, SF_DCERPC2) and the line Commencing packet processing (pid=6664).
Note: Option -l logs the output to the C:\Snort\log folder; option -i 2 specifies the interface.
Note: When Snort is run as a daemon, the daemon creates a PID file in the log directory.

66. After initializing the interface and loading the signatures, Snort waits for an attack and triggers an alert when an attack occurs on the machine.
67. Leave the Snort command prompt running.
68. Attack your own machine and check whether Snort detects it or not.

TASK 6: Attack Host Machine

69. Launch your Windows 8 virtual machine (Attacker Machine).
70. Open the command prompt and type ping XXX.XXX.XXX.XXX -t from the Attacker Machine (XXX.XXX.XXX.XXX is your Windows Server 2012 IP address; -t keeps sending echo requests until you stop it with Ctrl+C).
71. Go to Windows Server 2012, open the Snort command prompt, and press Ctrl+C to stop Snort. Snort exits.
72. Now go to the C:\Snort\log\10.0.0.12 folder (Snort's ASCII logging creates one folder per source IP address, and 10.0.0.12 is the attacker machine's address) and open the ICMP_ECHO.ids text file.

Note: To view the Snort log file, always stop Snort first and then open the log file.

Figure 1.21: The ICMP_ECHO.ids file open in Notepad, listing one full-format Snort alert record per echo request received:

[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:198  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:202  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:203  ECHO

73. You see that all the alert entries are saved in the ICMP_ECHO.ids file. This means that your Snort installation is working correctly and triggers alerts when attacks occur on your machine.
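To turn the records in ICMP_ECHO.ids into something a report (Question 2 below) can use, the alert file has to be parsed. The following Python script is an added example, not part of the lab manual or of Snort: it parses Snort's full-format alert records, counts them per signature, and flags a source that sends a sustained run of echo requests to one host, which is what ping -t from the attacker looks like from the IDS side. The sample text is constructed from the six records in Figure 1.21, and the year used to build timestamps is an assumption, since Snort's default timestamp carries no year.

```python
"""Parse Snort's full-format alert records and flag a sustained ping.

Added example, not part of the lab manual or of Snort. SAMPLE_IDS is
constructed from the six records in Figure 1.21; the year used to build
timestamps is an assumption, because Snort's default timestamp has none.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_IDS = """\
[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:198  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:202  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:203  ECHO
"""

# One regex per line type of a full-format record: header, packet line, IP header, ICMP header.
HDR = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
PKT = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
IPH = re.compile(r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) ID:(?P<ipid>\d+) "
                 r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
ICMP = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)\s+(?P<name>\w+)")


def parse_alerts(text):
    """Return one dict per [**] record; fields missing from a record are simply absent."""
    alerts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR.match(line)
        if m:
            cur = {"msg": m.group("msg")}
            alerts.append(cur)
            continue
        if cur is None or not line:
            continue
        for rx in (PKT, IPH, ICMP):
            m = rx.match(line)
            if m:
                cur.update(m.groupdict())
                break
    return alerts


def to_datetime(ts, year):
    """Snort prints MM/DD-HH:MM:SS.usec; the year is supplied by the caller (assumption)."""
    return datetime.strptime("%d/%s" % (year, ts), "%Y/%m/%d-%H:%M:%S.%f")


def sustained_pings(alerts, min_packets=5, window=10.0, year=2012):
    """Return {(src, dst): n} for sources that sent n >= min_packets echo requests
    to one host within any `window` seconds, the pattern left by ping -t."""
    by_pair = defaultdict(list)
    for a in alerts:
        if a.get("proto") == "ICMP" and a.get("type") == "8":
            by_pair[(a["src"], a["dst"])].append(to_datetime(a["ts"], year))
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):  # sliding window over the sorted timestamps
            while (times[i] - times[j]).total_seconds() > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_packets:
            hits[pair] = best
    return hits


def signature_counts(alerts):
    """How often each rule message fired: the first table any report needs."""
    return Counter(a["msg"] for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_IDS)
    print(signature_counts(parsed), sustained_pings(parsed))
```

The thresholds (five echo requests within ten seconds) are a starting point, not a standard; tune them against normal monitoring traffic on your network before acting on the result.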
Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Snort
Information Collected/Objectives Achieved: Output: victim machine logs are captured

Questions

1. Determine and analyze the process to identify and monitor network ports after intrusion detection.
2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required: □ Yes
Platform Supported: ☑ Classroom ☑ iLabs

Lab 2

Logging Snort Alerts to Kiwi Syslog Server

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day, making it difficult for human users to analyze them and take appropriate actions. It is important to reduce the redundancy of alerts, intelligently integrate and correlate them, and present a high-level view of the detected security issues to the administrator. An IDS is used to inspect data for malicious or anomalous activities and detect attacks or unauthorized use of systems, networks, and related resources.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, be able to identify malicious network activity and log information about it, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is to help students learn and understand IPSes and IDSes. In this lab, you need to:
■ Install Snort and configure the snort.conf file
■ Validate configuration settings
■ Perform an attack on the host machine
■ Perform an intrusion detection
■ Attempt to stop detected possible incidents

Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Environment

To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ Windows 8 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Administrative privileges to configure settings and run tools
Note: You can also download Kiwi Syslog Server from http://www.kiwisyslog.com

Lab Duration

Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.
Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
TASK 1: Log Snort Alerts to Syslog Server

Lab Tasks

1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Kiwi Syslog Server and double-click Kiwi_Syslog_Server_9.3.4.Eval.setup.exe to install Kiwi Syslog Server on the Windows Server 2012 host machine.
2. The License Agreement window appears. Click I Agree.

Figure 2.1: Kiwi Syslog Server installation


3. In the Choose Operating Mode wizard, select Install Kiwi Syslog Server as an Application and click Next >.

Figure 2.2: Kiwi Syslog Server 9.3.4 installer, Choose Operating Mode. The program can be run as a Service or Application: Install Kiwi Syslog Server as a Service (installs it as a Windows service, allowing the program to run without a user logging in to Windows, and also installs the Kiwi Syslog Server Manager used to control the service) or Install Kiwi Syslog Server as an Application (installs it as a typical Windows application, requiring a user to log in to Windows before running it).

4. In the Install Kiwi Syslog Web Access wizard, uncheck the Install Kiwi Syslog Web Access option and click Next >.

Figure 2.3: Kiwi Syslog Server 9.3.4 installer, Install Kiwi Syslog Web Access (remote viewing, filtering and highlighting of Syslog events; the Create a new Web Access logging rule in Kiwi Syslog Server option is shown checked; Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server)

5. Leave the settings at their defaults in the Choose Components wizard and click Next >.
Figure 2.4: Kiwi Syslog Server 9.3.4 installer, Choose Components (Select the type of install: Normal; optional components: Program files (required), Shortcuts apply to all users, Add Start menu shortcut, Add Desktop shortcut, Add QuickLaunch shortcut, Add Start-up shortcut; space required: 89.5MB)

6. In the Choose Install Location wizard, leave the settings at their defaults and click Install to continue.

Figure 2.5: Kiwi Syslog Server 9.3.4 installer, Choose Install Location (Destination Folder; space required: 89.5MB, space available: 50.1GB)

7. Click Finish to complete the installation.
Note: You should see a test message appear, which indicates Kiwi is working.
Figure 2.6: Kiwi Syslog Server installer finish window (Completing the Kiwi Syslog Server 9.3.4 Setup Wizard; Kiwi Syslog Server 9.3.4 has been installed on your computer; Run Kiwi Syslog Server 9.3.4 is checked)

8. Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box.

Figure 2.7: Default settings applied window. The dialog reads: Thank you for choosing Kiwi Syslog Server. This is the first time the program has been run on this machine. The following default 'Action' settings have been applied: Display all messages; Log all messages to file: SyslogCatchAll.txt. These settings can be changed from the File | Setup menu. Happy Syslogging...

9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.
Note: Kiwi Syslog Server is a free syslog server for Windows. It receives, logs, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and other syslog-enabled devices.

Figure 2.8: Start menu in Windows Server 2012

10. In the Start menu apps, click Kiwi Syslog Server Console to launch the app.

Figure 2.9: Clicking the Kiwi Syslog Server Console application in the Start menu

11. Configure Syslog alerts in the snort.conf file.
12. To configure Syslog alerts, first exit from the Snort command prompt (press Ctrl+C).
13. Go to C:\Snort\etc and open the snort.conf file with Notepad++.
14. Scroll down to Step #6: Configure output plugins. In the syslog section (line 527), remove the # and modify the line to output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT. Here host=127.0.0.1:514 is the address and UDP port on which Kiwi Syslog Server listens on this host, LOG_AUTH is the syslog facility and LOG_ALERT the syslog severity that every Snort alert is sent with.

Figure 2.10: snort.conf before modification, showing the commented syslog line in the Step #6 output plugins section: # output alert_syslog: LOG_AUTH LOG_ALERT

Note: The reason why you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need to maintain rights not only to output your alerts to Kiwi, but to write them to a log file.

Figure 2.11: snort.conf after modification, with the syslog line changed to output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT

15. Save the file and close it.
16. Open Kiwi Syslog Server Console and press Ctrl+T. This sends a test message to confirm that Kiwi Syslog Server logs alerts.

Figure 2.12: Kiwi Syslog Service Manager window showing the test message (11-14-2012 16:21:30, Local7.Debug, 127.0.0.1, Kiwi Syslog Server Test message number 0001)

17. Leave the Kiwi Syslog Server Console open. Do not close the window.
18. Now open a command prompt with Snort and type this command: snort -i X -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -s and press Enter (here X is the index number of your Ethernet card; the -s switch sends alerts to syslog in addition to the alert_fast file).
Note: Kiwi Syslog Server filtering options:
■ Filter on IP address, hostname, or message text
■ Filter out unwanted host messages or take a different logging action depending on the host name
■ Perform an action when a message contains specific keywords

Figure 2.13: Snort started with the -s switch in the Administrator command prompt

■ Perform an action when
a message contains
specific keywords.

19. Open a command prompt 111 your Windows 8 virtual machine and type
tins command: ping 1 0 .0 .0 .1 0 (IP address of your host machine where
Kiwi Svslog Server Console is running).
20. Go to K iw i Syslog S e rv ic e M a n a g e r window (diat is already open) and
observe die triggered alert logs.
n 1 x

Kiwi Syslog Server (14 Day evaluation - Ve'sion 93)
File Edit
-‫£ ׳‬
1
I

1€
‫י‬

'

Help

A 88

D.tpk* 00 (Dvfdull)

l,mr
Dale
P. m.4.
11-14-2012 184012 Auth Ale.!
1 14 ?01? 104011 AuHt Air.1
1
II 1 2012 18 4010 Auth Alcit
4
11-14-201? 18 40 09 Auth Alrll
1 14 ?01? 104*00 AuHt Alr.l
1
11-14-2012 184007 Auth Ale11
11-14-201? 18 40 nc Auth Alr.l
1 14 ?012 10.40.Ub Auth Alcit
1
11-14-2012 18:4004 Auth Aleu
11-14201? 18 40 03 Auth Alr.l
11-14 2012 18:4002 Auth Alcit
11-14-2012 18.40.01 Auth Ale.l
11-14-201? 18 40 (1 AulhAlril
0
1 14 2012 18:39:59 Auth Alcit
1
11-14-701? 1839 58 Auth Alr.l
1 14 201? 103*57 Aulh Alr.l
1
1 14 2012 18:3958 Auth Alcit
1

1 Days left in ev‫־‬Dluotun
4

llo1ln1
‫׳‬rw Menage
127.0.01 Nvv 14 18 40.12 W1N-2N9SIOSGIEN w.ort |1 384 6| ICMP INF: PING |CU«ti»calion. Mbc activitf) [Piiuiily. 3] (ICMP) 10.0.0.12
1000.10
1 (1
1
[Screenshot: Kiwi Syslog Service Manager listing the Snort alerts received from 127.0.0.1. Each entry has the form: Nov 14 18:40:10 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10]
FIGURE 2.14: Kiwi Syslog Service Manager with Snort logs

21. In Kiwi Syslog, you see the Snort alert outputs listed in Kiwi Syslog Service Manager.
22. You have successfully output Snort alerts to two sources.
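The alerts Kiwi Syslog displays above are Snort's syslog output, one alert per message. The following Python script is added here as an example and is not part of the lab, of Snort or of Kiwi Syslog: it parses that message format into its fields (signature id, classification, priority, protocol, source and destination) and summarises a batch of alerts. The sample lines are constructed to match the lab's hosts and the 1:384 PING signature; the 1:1000001 "LOCAL" rule, its classification and the kiwi heartbeat line are invented for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the Snort alerts shown in the Kiwi Syslog
# screenshot (same hosts, same 1:384 ICMP PING signature). The 1:1000001 rule,
# its classification and the non-Snort "kiwi:" line are made up for illustration.
SAMPLE_ALERTS = """\
Nov 14 18:40:10 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10
Nov 14 18:40:11 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10
Nov 14 18:41:02 WIN-2N9STOSGIEN snort: [1:1000001:1] LOCAL telnet connection attempt [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.12:51234 -> 10.0.0.10:23
Nov 14 18:41:05 WIN-2N9STOSGIEN snort: [1:1000001:1] LOCAL telnet connection attempt [Priority: 2] {TCP} 10.0.0.11:40000 -> 10.0.0.10:23
Nov 14 18:41:06 WIN-2N9STOSGIEN kiwi: heartbeat message, not a Snort alert
"""

# One Snort syslog alert: "<timestamp> <host> snort: [gid:sid:rev] <msg>
# [Classification: <text>] [Priority: <n>] {<proto>} <src>[:port] -> <dst>[:port]".
# The Classification block is optional (rules without a classtype omit it) and
# the ports are present only for TCP/UDP; IPv4 addresses are assumed.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    timestamp: str
    host: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int          # Snort priority: 1 is the most severe, 3 the least
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog line; returns None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None

    def to_port(value):
        return int(value) if value is not None else None

    return Alert(
        timestamp=m["ts"], host=m["host"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
        proto=m["proto"].upper(),
        src=m["src"], sport=to_port(m["sport"]),
        dst=m["dst"], dport=to_port(m["dport"]),
    )


def parse_alerts(text: str):
    """Parse a block of syslog text, silently skipping non-alert lines."""
    alerts = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def signature_counts(alerts) -> Counter:
    """How often each (sid, msg) fired: the first thing to look at when tuning rules."""
    return Counter((a.sid, a.msg) for a in alerts)


def top_talkers(alerts) -> Counter:
    """Alerts per source address, to spot the host generating most of the noise."""
    return Counter(a.src for a in alerts)


def most_severe(alerts) -> Optional[Alert]:
    """The alert with the lowest priority number (Snort: 1 = high, 3 = low)."""
    return min(alerts, key=lambda a: a.priority, default=None)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_ALERTS)
    for (sid, msg), n in signature_counts(found).most_common():
        print(f"{n:3d}  sid={sid}  {msg}")
    print("top talkers:", top_talkers(found).most_common(3))
```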
Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

CEH Lab Manual Page 872

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 - Evading IDS, Firewalls and Honeypots

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Kiwi Syslog Server
Information Collected/Objectives Achieved: Output: The Snort alert outputs listed in Kiwi Syslog Service Manager.

Questions

1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server.
2. Determine how you can move Kiwi Syslog Daemon to another machine.
3. Each Syslog message includes a priority value at the beginning of the text. Evaluate the priority of each Kiwi Syslog message and on what basis messages are prioritized.

Internet Connection Required
☐ Yes   ☑ No

Platform Supported
☑ Classroom   ☑ iLabs
3

Detecting Intruders and Worms Using KFSensor Honeypot IDS

KFSensor is a Windows-based honeypot Intrusion Detection System (IDS).

Lab Scenario

Intrusion detection systems are designed to search network activity (we are considering both host and network IDS detection) for evidence of malicious abuse. When an IDS algorithm "detects" some sort of activity and the activity is not malicious or suspicious, this detection is known as a false positive. It is important to realize that from the IDS's perspective, it is not doing anything incorrect. Its algorithm is not making a mistake. The algorithm is just not perfect. IDS designers make many assumptions about how to detect network attacks.

An example assumption could be to look for extremely long URLs. Typically, a URL may be only 500 bytes long. Telling an IDS to look for URLs longer than 2000 bytes may indicate a denial of service attack. A false positive could result from some complex e-commerce web sites that store a wide variety of information in the URL and exceed 2000 bytes.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and intrusion detection systems (IDSes), and be able to identify malicious network activity, log the information, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is to make students learn and understand IPSes and IDSes. In this lab, you need to:

■ Detect hackers and worms in a network
■ Provide network security

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Environment

To carry out this lab, you need:

■ KFSensor located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Honeypot Tools\KFSensor
■ Install KFSensor in Windows 8

You can also download KFSensor from http://www.keyfocus.net

■ MegaPing located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ Install MegaPing in Windows Server 2012
■ If you have decided to download the latest version of these tools, then the screenshots would differ
■ Administrative privileges to configure settings and run tools

Lab Duration

Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion prevention system (IPS) is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log related information, attempt to block/stop activity, and report activity.

An IDS is a software device or application that monitors network and/or system activities for malicious activities or policy violations and delivers reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.
TASK 1: Configure KFSensor

Lab Tasks

1. Launch the Windows 8 virtual machine and follow the wizard-driven installation steps to install KFSensor.
2. After installation it will prompt to reboot the system. Reboot the system.
3. In Windows 8, launch KFSensor. To launch KFSensor, move your mouse cursor to the lower-left corner of your desktop and click Start.
[Screenshot: Windows 8 Release Preview desktop, lower-left corner]

FIGURE 3.1: KFSensor Window with Setup Wizard

4. In the Start menu apps, right-click the KFSensor app, and click Run as Administrator at the bottom.

To set up common ports, KFSensor has a set of pre-defined listen definitions. They are:

■ Windows Workstation
■ Windows Server
■ Windows Internet Services
■ Windows Applications
■ Linux (services not usually in Windows)
■ Trojans and worms

[Screenshot: Windows 8 Start screen showing the KFSensor app tile among the installed apps]

FIGURE 3.2: KFSensor Window with Setup Wizard

5. At the first-time launch of the KFSensor Set Up Wizard, click Next.

The Set Up Wizard is used to perform the initial configuration of KFSensor.

[Screenshot: KFSensor Professional - Evaluation Trial main window (File, View, Scenario, Signatures, Settings, Help menus) with the Set Up Wizard dialog open. The dialog reads: "The KFSensor Set Up Wizard will take you through a number of steps to configure your system. All of these configurations can be modified later using the menu option. You might like to read the manual at this point to learn how KFSensor works and the concepts behind it." Server Status: Visitors: 0]

FIGURE 3.3: KFSensor main window

6. Check all the port classes to include and click Next.

[Screenshot: Set Up Wizard - Port Classes. Port classes to include: ☑ Windows Workstation, ☑ Windows Applications, ☑ Windows Server, ☑ Windows Internet Services, ☑ Linux (services not usually in Windows), ☑ Trojans and worms. The dialog reads: "KFSensor can detect intrusions on many different ports and simulate different types of services. These ports are grouped by class. Checked classes will be added to the scenario. Unchecked classes will be removed from the scenario."]

Domain Name is the domain name used to identify the server to a visitor. It is used in several Sim Servers.

FIGURE 3.4: KFSensor Window with Setup Wizard

7. Leave the domain name field as default and click Next.

[Screenshot: Set Up Wizard - Domain. A Domain Name field, with the note: "This is the domain name used to identify the server to a visitor. This could be the real domain name of the machine or a fictitious one. If you pick a fictitious one, try not to use a real domain belonging to somebody else."]

KFSensor can send alerts by email. The settings in the wizard are the minimum needed to enable this feature.

FIGURE 3.5: KFSensor Window with Setup Wizard

8. If you want to send KFSensor alerts by email, then specify the email address details and click Next.

[Screenshot: Set Up Wizard - EMail Alerts, with Send to and Send from fields and the note: "If you want KFSensor to send alerts by email then fill in the email address details."]

A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon.

FIGURE 3.6: KFSensor Window with Setup Wizard - email alerts

9. Choose options for Denial of Service, Port activity, Proxy Emulation, and Network Protocol Analyzer and click Next.

The KFSensor Server becomes independent of the logged on user, so the user can log off and another person can log on without affecting the server.

[Screenshot: Set Up Wizard - Options.
Denial Of Service Options: Cautious (controls how many events are recorded before the server locks up).
Port Activity: 1 Hour (how long a port should indicate activity after an event).
Proxy Emulation: Allow banner grabs and loop backs (controls if KFSensor is allowed to make limited external connections).
Network Protocol Analyzer: Enable packet dump files (dump files are useful for detailed analysis but take up a lot of disk space).]

The KFSensor Monitor is a module that provides the user interface to the KFSensor system. With it you can configure the KFSensor Server and examine the events that it generates.

FIGURE 3.7: KFSensor Window with Setup Wizard - options

10. Check the Install as systems service option and click Next.

[Screenshot: Set Up Wizard - Systems Service. ☑ Install as systems service. The dialog reads: "A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged on user, so you can log off and another person can log on without affecting the server. The KFSensor Server can be configured to start automatically when the system starts, even before you log on. You must be logged in as the Administrator to install a systems service."]

The Ports View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the ports on which it is listening.

FIGURE 3.8: KFSensor Window with Setup Wizard - system service

11. Click Finish to complete the Set Up Wizard.

[Screenshot: Set Up Wizard - Finish. The dialog reads: "The KFSensor Set Up Wizard has now got all the information it needs to configure your system. To read up on where to go from here click the button below: Getting Started. Note on the Evaluation Version: There are a number of restrictions set for the ten day duration of the evaluation period. The export functionality is unavailable and the details of some events are deliberately obscured."]

The Ports View can be displayed by selecting the Ports option from the View menu.

FIGURE 3.9: KFSensor finish installation

12. The KFSensor main window appears. It displays the list of ID protocols, Visitor, and Received automatically when it starts. In the following window, all the nodes in the left block crossed out with blue lines are the ports that are being used.

[Screenshot: KFSensor Professional - Evaluation Trial main window. The Ports View on the left lists the TCP ports being emulated (among them 21 FTP, 25 SMTP, 53 DNS, 80 IIS, 110 POP3, 119 NNTP, 135 MSRPC, 139 NBT Session, 389 LDAP, 443 HTTPS, 445 NBT SMB, 593 CIS, 1028 MS CIS, 1080 SOCKS, 1433 SQL Server, 2234 DirectPlay, 3128 IIS Proxy, 3268 Global Catalog). The Events View on the right lists UDP 138 NBT Datagram events received on 9/26/2012 and 9/27/2012 from visitors such as WIN-ULY358K, WIN-LXQN3W, WIN-D39MR5J, WIN-MSSELC..., WIN-2N9STO... and WINDOWS8, with Start, Duration, Protocol, Sensor Name and Visitor columns. Status bar: Server Running, Visitors: 8]

FIGURE 3.10: KFSensor Main Window

13. Open a command prompt from the Start menu apps.

The top level item is the server. The IP address of the KFSensor Server and the name of the currently active Scenario are displayed. The server icon indicates the state of the server.

14. In the command prompt window, type netstat -an.

[Screenshot: Command Prompt]

    Microsoft Windows [Version 6.2.8400]
    (c) 2012 Microsoft Corporation. All rights reserved.

    C:\Users\Admin>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:2              0.0.0.0:0              LISTENING
      TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
      TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
      TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:57             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:68             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:82             0.0.0.0:0              LISTENING

FIGURE 3.11: Command Prompt with netstat -an

15. This will display a list of listening ports.

The protocol level of KFSensor is used to group the ports based on their protocol; either TCP or UDP.

[Screenshot: Command Prompt, continued]

      TCP    0.0.0.0:82             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:83             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:98             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:111            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:522            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:543            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:563            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:999            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1024           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING

FIGURE 3.12: Command Prompt with netstat -an

16. Leave the KFSensor tool running.
17. Follow the wizard-driven installation steps to install MegaPing in Windows Server 2012 (Host Machine).

The Visitors View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the visitors who have connected to the server.

18. To launch MegaPing, move your mouse cursor to the lower-left corner of your desktop and click Start.

FIGURE 3.13: Starting window in Windows Server 2012

19. Click the MegaPing app in the Start menu apps.

[Screenshot: Windows Server 2012 Start screen showing the MegaPing tile among the installed apps]

Each visitor detected by the KFSensor Server is listed. The visitor's IP address and domain name are displayed.

FIGURE 3.14: Click on MegaPing

20. The main window of MegaPing appears as shown in the following screenshot.

2*
Help

A A fl (3 A A
J
DNS Lookup Name
J ? Finger
Network Time

= <>4 * * ■ * * ‫ ע‬n ©
53
® DNS List Hods
A,______
DNS Ust Hosts

A Pin9
||
^
^5
%
^
f
'4^
V
^
J

ca

I- n ' x

MegaPirvg (Unregistered)

File View Tools

^

DNS List Hosts Settings

Destnabon:
<None>

Traceroute
Whois
Network Resources
Process Info
System Info
IP Scanner
NetBIOS Scanner
Share Scanner
Security Scanner
Port Scanner
Host Monitor

□ Select Al
I

Add

F IG U R E 3.15: MegaPing o n W indows Server 2012
T h e V is ito rs V ie w

can be displayed b y
selecting the V isito rs
o p tio n fro m the V ie w
m enu.

21.
22.

S e le c t

Port S c a n n e r

E n te r d ie I P

fro m

a d d re s s o f

l e f t s id e o f d i e lis t .

W indows 8 ( 1 1 1

d iis la b I P

10 .0.0.12

a d d r e s s is

m a c h in e 1 1 1 w h i c h I v F S e n s o r is r u n n i n g 1 1 1 D e s t i n a t i o n A d d r e s s L i s t a n d
c lic k

Add.

‫7־‬

[Screenshot: MegaPing Port Scanner. Port Scanner Settings: Protocols: TCP and UDP; Scan Type: Range of Ports + Custom Ports; Destination: 10.0.0.12; a Destination Address List with Select All, Add and Start buttons]

FIGURE 3.16: MegaPing: Select 10.0.0.12 from Host, Press Start button

23. Check the IP address and click the Start button to start listening to the traffic on 10.0.0.12.
Visitor is obtained by a reverse DNS lookup on the visitor's IP address. An icon is displayed indicating the last time the visitor connected to the server.

[Screenshot: MegaPing Port Scanner with 10.0.0.12 checked in the Destination Address List and the scan running (Protocols: TCP and UDP; Scan Type: Range of Ports + Custom Ports)]

FIGURE 3.17: MegaPing: Data of the packets received

24. The following image displays the identification of Telnet on port 23.
The Visitors View is linked to the Events View and acts as a filter to it. If you select a visitor then only those events related to that visitor will be displayed in the Events View.

[Screenshot: MegaPing Port Scanner results for 10.0.0.12. The result list has Ports, Type, Keyword, Description and Risk columns and includes TCP ports 22, 23 (telnet, Telnet), 25 (smtp, Simple Mail Transfer), 42 (nameserver, Host Name Server) and 53 (domain, Domain Name Server), with risk ratings of High, Elevated and Low]

FIGURE 3.18: MegaPing: Telnet port data

25. The following image displays the identification of Socks on port 1080.
The events are sorted in either ascending or descending chronological order. This is controlled by options on the View Menu.

[Screenshot: MegaPing Port Scanner results for 10.0.0.12, continued. The result list includes TCP ports 1080 (socks, Socks), 1214, 1433 (ms-sql-s, Microsoft-SQL-Server), 1494 (ica, Citrix ICA Client) and 1801, each with risk rating Low]

FIGURE 3.19: MegaPing: Blackjack virus

26. Now come back to the Windows 8 virtual machine and look for Telnet data.

[Screenshot: KFSensor Professional - Evaluation Trial. In the Ports View, TCP ports 2 Death Trojan, 7 Echo, 9 Discard, 13 Daytime, 17 Quote of the Day, 19 chargen, 21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 42 WINS, 53 DNS, 57 Mail Transfer, DHCP, 80 IIS, 81 IIS 81, 82 IIS 82, 83 IIS 83 and Kerberos are marked "Recent". The Events View shows the selected event: 9/27/2012 6:24:13 PM, Duration 0.000, Protocol TCP, Sensor Name 23 Telnet. Status bar: Server Running, Visitors: 8]

The events that are displayed are filtered by the currently selected item in the Ports View or the Visitors View.

FIGURE 3.20: Telnet data on KFSensor

27. The following image displays the data of a Death Trojan.

[Screenshot: KFSensor Professional - Evaluation Trial. The same Ports View, with the Events View showing the selected event: 9/27/2012 6:24:12 PM, Duration 0.000, Protocol TCP, Sensor Name 2 Death Trojan. Status bar: Server Running, Visitors: 8]

Exit: Shuts down the KFSensor Monitor. If the KFSensor Server is not installed as a systems service then it will be shut down as well.

FIGURE 3.21: Death Trojan data on KFSensor
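To make concrete what KFSensor records in the steps above (one event per visitor connection with Start, Duration, Protocol, Sensor Name and Visitor, and the Visitors View and per-port activity built from those events), here is a minimal loopback honeypot sensor in Python. It is an added example and not KFSensor's code: `Honeypot`, `Event`, `probe`, `visitors` and `hits_by_sensor` are names chosen here, the "Telnet" and "SOCKS" sensors are assumed port labels, and `probe` stands in for the MegaPing scan as a self-test visitor.

```python
import socket
import threading
import time
from collections import Counter
from dataclasses import dataclass

@dataclass
class Event:                # the columns KFSensor's Events View shows per visitor
    start: float            # epoch seconds when the visitor connected
    duration: float         # seconds the connection stayed open
    protocol: str           # always "TCP" for this sensor
    port: int               # port that was hit (the port actually bound)
    sensor: str             # emulated service name, e.g. "Telnet"
    visitor: str            # visitor IP address
    received: bytes         # first bytes the visitor sent, b"" if none

class Honeypot:
    """Added example, not KFSensor code. sensors: list of (port, name); port 0 means
    'any free port' (used by the self-test); a deployment would bind well-known ports."""

    def __init__(self, sensors, host="127.0.0.1"):
        self.host = host
        self._sensors = list(sensors)
        self.listeners = []        # (bound_port, name), filled in by start()
        self._sockets, self._threads, self._events = [], [], []
        self._lock = threading.Lock()
        self._running = False

    def start(self):
        self._running = True
        for port, name in self._sensors:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.host, port))
            srv.listen(5)
            srv.settimeout(0.2)    # lets the accept loop notice stop()
            bound = srv.getsockname()[1]
            self.listeners.append((bound, name))
            self._sockets.append(srv)
            t = threading.Thread(target=self._accept_loop, args=(srv, bound, name), daemon=True)
            t.start()
            self._threads.append(t)

    def stop(self):
        self._running = False
        for srv in self._sockets:
            srv.close()
        for t in self._threads:
            t.join(timeout=2)

    def _accept_loop(self, srv, port, name):
        while self._running:
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            except OSError:        # listener closed by stop()
                break
            self._handle(conn, addr, port, name)

    def _handle(self, conn, addr, port, name):
        start = time.time()
        data = b""
        with conn:
            conn.settimeout(0.5)
            try:
                # Play the service: offer a banner, then capture what the visitor sends.
                conn.sendall(f"{name} ready\r\n".encode())
                data = conn.recv(1024)
            except (socket.timeout, OSError):
                pass               # silent or vanished visitor: still an event
        event = Event(start, time.time() - start, "TCP", port, name, addr[0], data)
        with self._lock:
            self._events.append(event)

    def events(self):
        with self._lock:
            return list(self._events)

    def wait_for(self, count, timeout=5.0):
        """True once at least `count` events are recorded, False on timeout."""
        deadline = time.time() + timeout
        while len(self.events()) < count:
            if time.time() > deadline:
                return False
            time.sleep(0.05)
        return True

def visitors(events):               # the Visitors View: distinct visitor addresses
    return sorted({e.visitor for e in events})

def hits_by_sensor(events):         # the Ports View: events per emulated service
    return Counter(e.sensor for e in events)

def probe(port, payload, host="127.0.0.1"):
    """Self-test client: connect to one sensor, read its banner, send payload, close."""
    with socket.create_connection((host, port), timeout=2) as c:
        banner = c.recv(64)
        if payload:
            c.sendall(payload)
    return banner
```

Running `Honeypot([(0, "Telnet"), (0, "SOCKS")])` and probing each bound port yields one `Event` per connection, which is the same information the Events View lists after the MegaPing scan reaches 10.0.0.12.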

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: KFSensor Honeypot IDS
Information Collected/Objectives Achieved: Output: Infected Port number: 1080; Number of Detected Trojans: 2

Internet Connection Required
☐ Yes   ☑ No

Platform Supported
☑ Classroom   ☑ iLabs

HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that creates a transparent tunnel through a proxy server or firewall.

Lab Scenario

Attackers are always in a hunt for a network by which they can enter your network and steal your data. The previous lab, as you have learned, was about hijacking packets through a firewall, which an attacker can easily perform and by which clients can be compromised. An attacker can get the registry, password, etc., and do damage by IP spoofing attacks, Trojan attacks, etc. An attacker may use a network probe to capture raw packet data and then use this raw packet data for extracting packet information such as source and destination IP addresses, protocol type, header length, flags, header checksum, Time to Live (TTL), and protocol type. Hence, these attacks can prove disastrous to the organization's network. You, as a network administrator, should be able to retrieve the captured packet data and compare these details with attack signatures to determine if an attack has occurred and to identify the source and destination of the attack. You can also check the attack logs for the list of attacks by source and destination IP addresses, ports, etc., to identify the attack and take evasive actions. Also, you should be familiar with additional security risks and vulnerability scanning, and determine the extent to which a simple network IDS can identify malicious traffic that may not be readily visible within a communication channel when the HTTP tunneling technique is being conducted. In this lab, you will learn HTTP tunneling using HTTPort.

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment

In the lab, you need the HTTPort tool.
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsRoger Johnston
 

Tendances (20)

UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - Maccaglia
 
Network security
Network securityNetwork security
Network security
 
Lec21 security
Lec21 securityLec21 security
Lec21 security
 
Lecture 12 -_internet_security
Lecture 12 -_internet_securityLecture 12 -_internet_security
Lecture 12 -_internet_security
 
Ce hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insidersCe hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insiders
 
Ceh v5 module 02 footprinting
Ceh v5 module 02 footprintingCeh v5 module 02 footprinting
Ceh v5 module 02 footprinting
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
Module 4 (enumeration)
Module 4 (enumeration)Module 4 (enumeration)
Module 4 (enumeration)
 
Analysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackAnalysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin Attack
 
Case Study of RSA Data Breach
Case Study of RSA Data BreachCase Study of RSA Data Breach
Case Study of RSA Data Breach
 
Malware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things MalwareMalware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things Malware
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem Fraud
 
Threats to data and information security
Threats to data and information securityThreats to data and information security
Threats to data and information security
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
 

En vedette

Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationMehrdad Jingoism
 
Ceh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networksCeh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networksMehrdad Jingoism
 
Ceh v8 labs module 06 trojans and backdoors
Ceh v8 labs module 06 trojans and backdoorsCeh v8 labs module 06 trojans and backdoors
Ceh v8 labs module 06 trojans and backdoorsMehrdad Jingoism
 
Ceh v8 labs module 18 buffer overflow
Ceh v8 labs module 18 buffer overflowCeh v8 labs module 18 buffer overflow
Ceh v8 labs module 18 buffer overflowMehrdad Jingoism
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersMehrdad Jingoism
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsMehrdad Jingoism
 
Ce hv8 module 14 sql injection
Ce hv8 module 14 sql injectionCe hv8 module 14 sql injection
Ce hv8 module 14 sql injectionMehrdad Jingoism
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceMehrdad Jingoism
 
Ceh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionCeh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionMehrdad Jingoism
 
Ceh v8 labs module 19 cryptography
Ceh v8 labs module 19 cryptographyCeh v8 labs module 19 cryptography
Ceh v8 labs module 19 cryptographyMehrdad Jingoism
 
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...Jon Ernstberger
 
Ceh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsCeh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsMehrdad Jingoism
 
Ceh v8 labs module 12 hacking webservers
Ceh v8 labs module 12 hacking webserversCeh v8 labs module 12 hacking webservers
Ceh v8 labs module 12 hacking webserversMehrdad Jingoism
 
Tarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticosTarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticos19943812
 
Who the hell is going to use this thing?
Who the hell is going to use this thing?Who the hell is going to use this thing?
Who the hell is going to use this thing?Faran Jessani
 

En vedette (20)

Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumeration
 
Ceh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networksCeh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networks
 
Ce hv8 module 00
Ce hv8 module 00Ce hv8 module 00
Ce hv8 module 00
 
Ceh v8 labs module 06 trojans and backdoors
Ceh v8 labs module 06 trojans and backdoorsCeh v8 labs module 06 trojans and backdoors
Ceh v8 labs module 06 trojans and backdoors
 
Ceh v8 labs module 18 buffer overflow
Ceh v8 labs module 18 buffer overflowCeh v8 labs module 18 buffer overflow
Ceh v8 labs module 18 buffer overflow
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
VAN HALEN IIenfatizzato
VAN HALEN IIenfatizzatoVAN HALEN IIenfatizzato
VAN HALEN IIenfatizzato
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and worms
 
Ce hv8 module 14 sql injection
Ce hv8 module 14 sql injectionCe hv8 module 14 sql injection
Ce hv8 module 14 sql injection
 
case brief
case briefcase brief
case brief
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissance
 
Ceh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionCeh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injection
 
Ceh v8 labs module 19 cryptography
Ceh v8 labs module 19 cryptographyCeh v8 labs module 19 cryptography
Ceh v8 labs module 19 cryptography
 
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
 
Proyecto manhattan
Proyecto manhattanProyecto manhattan
Proyecto manhattan
 
Ceh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsCeh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applications
 
Ceh v8 labs module 00
Ceh v8 labs module 00Ceh v8 labs module 00
Ceh v8 labs module 00
 
Ceh v8 labs module 12 hacking webservers
Ceh v8 labs module 12 hacking webserversCeh v8 labs module 12 hacking webservers
Ceh v8 labs module 12 hacking webservers
 
Tarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticosTarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticos
 
Who the hell is going to use this thing?
Who the hell is going to use this thing?Who the hell is going to use this thing?
Who the hell is going to use this thing?
 

Similaire à Ceh v8 labs module 17 evading ids, firewalls and honeypots

Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksMehrdad Jingoism
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleGregory Hanis
 
Certified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection SystemsCertified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection Systemsfrankvv
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Ce hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksCe hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksMehrdad Jingoism
 
Ceh v8 labs module 09 social engineering
Ceh v8 labs module 09 social engineeringCeh v8 labs module 09 social engineering
Ceh v8 labs module 09 social engineeringMehrdad Jingoism
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project ReportRaghav Bisht
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Five IDS mistakes people make
Five IDS mistakes people makeFive IDS mistakes people make
Five IDS mistakes people makeAnton Chuvakin
 
Ochrana pred modernými malware útokmi
Ochrana pred modernými malware útokmiOchrana pred modernými malware útokmi
Ochrana pred modernými malware útokmiMarketingArrowECS_CZ
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsRwik Kumar Dutta
 
Topic #17 IT Security ITSecurityIncidentsA.docx
Topic #17   IT Security ITSecurityIncidentsA.docxTopic #17   IT Security ITSecurityIncidentsA.docx
Topic #17 IT Security ITSecurityIncidentsA.docxjuliennehar
 
An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsIRJET Journal
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemCyphort
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 

Similaire à Ceh v8 labs module 17 evading ids, firewalls and honeypots (20)

Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Lecture 5
Lecture 5Lecture 5
Lecture 5
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Certified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection SystemsCertified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection Systems
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Ce hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksCe hv8 module 03 scanning networks
Ce hv8 module 03 scanning networks
 
Ceh v8 labs module 09 social engineering
Ceh v8 labs module 09 social engineeringCeh v8 labs module 09 social engineering
Ceh v8 labs module 09 social engineering
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project Report
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Five IDS mistakes people make
Five IDS mistakes people makeFive IDS mistakes people make
Five IDS mistakes people make
 
Ochrana pred modernými malware útokmi
Ochrana pred modernými malware útokmiOchrana pred modernými malware útokmi
Ochrana pred modernými malware útokmi
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its Prospects
 
Topic #17 IT Security ITSecurityIncidentsA.docx
Topic #17   IT Security ITSecurityIncidentsA.docxTopic #17   IT Security ITSecurityIncidentsA.docx
Topic #17 IT Security ITSecurityIncidentsA.docx
 
An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection Systems
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security Ecosystem
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 

Dernier

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 

Dernier (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Ceh v8 labs module 17 evading ids, firewalls and honeypots

  • 1. C E H Lab M a n u a l Evading IDS, Firewalls, and Honeypots M o d u le 17
  • 2. M odule 17 - Evadin g ID S, F ire w a lls and H oneypots Intrusion D e t e c t i o n S y s t e m A n in tr u s io n m o n ito rs d e te c tio n s y s te m n e tir o r k a n d /o r ( ID S ) s y s te m is a d e ric e a c tiv itie s f o r o r s o ftw a re a p p lic a tio n m a lic io u s a c tiv itie s th a t o r p o lic y v io la tio n s a n d p ro d u c e s re p o rts to a M a n a g e m e n t S ta tio n . I CON KEY [£ Z 7 V a lu a b le in fo rm a tio n S T est your k n o w le d g e = W e b e x e rc is e m W o r k b o o k r e v ie w L a b S c e n a r io Due to a growing number of intrusions and since the Internet and local networks have become so ubiquitous, organizations increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are those diat have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities 111 a network. The key is then to detect and possibly prevent activities that may compromise system security, 01‫ ־‬a hacking attempt 111 progress including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a “process ot identifying and responding to malicious activity targeted at computing and networking resources.” 111 addition, IDS tools are capable ot distinguishing between insider attacks originating from inside the organization (coming from own employees or customers) and external ones (attacks and the threat posed by hackers) (Source: http://www.windowsecurity.com) 111 order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention system (IPSes), IDSes, malicious network activity, and log information. 
L a b O b je c tiv e s & Too ls D e m o n s tra te d in th is lab a re lo c a te d a t D:CEHT oo lsC E H v8 M o du le 17 Evading IDS, F ire w a lls , and The objective ot tins lab is to help students learn and detect intrusions network, log, and view all log tiles. In tins lab, you will learn how to: ■ Install and configure Snort 111 a IDS ■ Run Snort as a service ■ Log snort log files to Kiwi Syslog server ■ Store snort log files to two output sources simultaneously H o n eyp o ts L a b E n v ir o n m e n t To earn‫ ׳‬out tins lab, you need: ■ A computer mnning Windows Seiver 2012 as a host machine ■ A computer running Windows server 2008, Windows 8, 01‫־‬Windows 7 as a virtual maclnne WniPcap drivers nistalled 011 the host maclinie C E H Lab Manual Page 847 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 3. M odule 17 - Evadin g ID S, F ire w a lls and H oneypots ■ Notepads-+ installed 011 the host machine ■ Kiwi Svslog Server installed 011 the host machine ■ Active Perl installed 011 the host machine to mil Perl scnpts ■ Administrative pnvileges to configure settings and run tools ■ A web browser with Internet access L a b D u r a t io n Time: 40 Minutes O v e r v ie w o f In tr u s io n D e te c tio n S y s te m s An intrusion detection system (IDS) is a device 01‫ ־‬software application that monitors network and/01‫ ־‬system activities for malicious activities 01‫ ־‬policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but tins is neither required 1101‫ ־‬expected of a monitoring system. 111 addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly even* organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping die attack itself, changing the security environment. IDPSes are primarily focused 011 identifying possible incidents, logging information about diem, attempting to stop them, and reporting them to security administrators. Pick an organization diat you feel is worthy of your attention. Tins could be an educational institution, a commercial company, 01‫־‬perhaps a nonprofit charity. O v e rv ie w Recommended labs to assist you 111 using IDSes: ■ Detecting Intrusions Using Snort ■ Logging Snort Alerts to Kiwi Svslog Server ■ Detecting Intruders and Worms using KFSensor Honeypot IDS ■ HTTP Tunneling Using HTTPort L a b A n a ly s is Analyze and document the results related to tins lab exercise. 
Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Detecting Intrusions using Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by reviewing IDS logs and packet captures while corroborating them with firewall logs, known vulnerabilities, and general trending data from the Internet. As attacks become more sophisticated, automatically reasoning about attack scenarios in real time and categorizing those scenarios becomes a critical challenge. IDS sensors produce huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flow of events generated by IDS sensors makes it hard for security administrators to uncover hidden attack plans.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Lab Objectives

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.

The objective of this lab is to familiarize students with IPSes and IDSes. In this lab, you need to:
■ Install Snort and verify Snort alerts
■ Configure and validate the snort.conf file
■ Test the working of Snort by carrying out an attack test
■ Perform intrusion detection
■ Configure Oinkmaster

Lab Environment

To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ Windows 7 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools

Lab Duration

Time: 30 Minutes

Overview of Intrusion Prevention Systems and Intrusion Detection Systems

You can also download Snort from http://www.snort.org.

An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity. An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. It performs intrusion detection and may attempt to stop detected possible incidents.

Lab Tasks

TASK 1: Install Snort

1. Start Windows Server 2012 on the host machine.

2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.

3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.

4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

5. A window appears after successful installation of Snort. Click the Close button.

6. Click OK to exit the Snort Installation window.
Figure 1.1: Snort Successful Installation Window. The Snort 2.9.3.1 Setup dialog reads: "Snort has successfully been installed. Snort also requires WinPcap 4.1.1 to be installed on this machine, WinPcap can be downloaded from: http://www.winpcap.org/ It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable. Next, you must manually edit the 'snort.conf' file to specify proper paths to allow Snort to find the rules files and classification files."

7. Snort requires WinPcap to be installed on your machine.

8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort and double-clicking WinPcap_4_1_2.exe.

WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.

9. By default, Snort installs itself in C:\Snort (C: or D: depending upon the disk drive in which the OS is installed).

10. Register on the Snort website https://www.snort.org/signup in order to download Snort rules. After registration completes, it automatically redirects to a download page.

11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.

12. Extract the downloaded rules and copy the extracted folder to this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.

13. Rename the extracted folder to snortrules.

14. Now go to the etc folder of the extracted Snort rules, D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc, copy the snort.conf file, and paste this file in C:\Snort\etc.

15. A snort.conf file is already present in C:\Snort\etc; replace it with the snort.conf file from the Snort rules.

16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.
17. Copy the preproc_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort, replacing the existing folder.

18. Copy all the files from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

TASK 2: Verify Snort Alert

19. Now navigate to C:\Snort, right-click the bin folder, and click Cmd Here from the context menu to open it in a command prompt.

20. Type snort and press Enter.

Figure 1.2: Snort Basic Command. Running snort with no arguments starts Snort 2.9.3.1-WIN32 GRE (Build 40) in packet dump mode: it initializes the output plugins, reports "pcap DAQ configured to passive", acquires traffic from the first \Device\NPF_{...} adapter, prints "Initialization Complete" and begins packet processing.

To print out the TCP/IP packet headers to the screen (i.e. sniffer mode), type: snort -v.

21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and returns to C:\Snort\bin.

22. Now type snort -W. This command lists every network adapter on your machine with its index number, physical address, IP address, device name, and description; in this lab the IP address column shows "disabled" for all of them.

Figure 1.3: snort -W Command. The output table lists four adapters; index 1 is described as "Microsoft Corporation" and index 4 (physical address D4:BE:D9:C3:C3:CC, device \Device\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}) is the Realtek PCIe GBE Family Controller.

23. Observe your Ethernet driver index number and write it down; in this lab, the Ethernet driver index number is 1.

24. To start Snort sniffing on that Ethernet adapter, in the command prompt type snort -dev -i 2 (substituting the index number you noted in the previous step) and press Enter. The -d, -e and -v switches dump the application-layer data, the link-layer headers, and verbose packet output respectively.
To specify a logging directory, type snort -dev -l /logdirectorylocation and Snort automatically goes into packet logger mode.

25. You see rapidly scrolling text in the command prompt. It means Snort is capturing on the Ethernet adapter and working properly.

Figure 1.4: snort -dev -i 4 Command. Snort acquires network traffic from \Device\NPF_{2A3EB470-39FB-4880-9A79-77E5AE27E530}, prints "Initialization Complete", and starts decoding packets, beginning with "ARP who-has 10.0.0.13 tell 10.0.0.10".

26. Leave the Snort command prompt window open, and launch another command prompt window.

27. In the new command prompt, type ping google.com and press Enter.

Figure 1.5: ping google.com Command (the screenshot shows the Windows ping usage line: Ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list).

28. This ping command generates traffic that Snort captures and prints in its command prompt as rapidly scrolling text. At this point Snort is running without a configuration or rules, so what you see are decoded packets, not rule-based alerts; those come once snort.conf is configured in the following tasks.

To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.

Figure 1.6: Snort Showing Captured Google Request. The decoded output shows TCP packets between 10.0.0.10:51345 and 74.125.236.85:443 (with TTL, TOS, ID, sequence and acknowledgement numbers, and a hex/ASCII payload dump) followed by further "ARP who-has 10.0.0.13 tell 10.0.0.10" requests.
29. Close both command prompt windows. The verification of the Snort installation is complete: Snort captures and decodes packets correctly in verbose (sniffer) mode.

TASK 3: Configure snort.conf File

30. Configure the snort.conf file located at C:\Snort\etc.

31. Open the snort.conf file with Notepad++.

32. The snort.conf file opens in Notepad++ as shown in the following screenshot.

Make sure to grab the rules for the version of Snort you are installing.

To log packets in tcpdump format and produce minimal alerts, type: snort -b -A fast -c snort.conf.

Figure 1.7: Configuring snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line (Line 45), replace any with the IP address of the machine where Snort is running.

Figure 1.8: Configuring snort.conf File in Notepad++ (the HOME_NET line now reads ipvar HOME_NET 10.0.0.10)

Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.

34. Leave the EXTERNAL_NET any line as it is.
The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.

35. If you have a DNS server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS server IP address; otherwise, leave this line as it is.

36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.

37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.

38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.

Figure 1.9: Configuring snort.conf File in Notepad++. Lines 104 to 106 now read var RULE_PATH C:\Snort\rules, var SO_RULE_PATH C:\Snort\so_rules and var PREPROC_RULE_PATH C:\Snort\preproc_rules. The file's own comment above WHITE_LIST_PATH and BLACK_LIST_PATH explains why absolute paths are needed there too: "Currently there is a bug with relative paths, they are relative to where snort is, not relative to snort.conf like the above variables. This is completely inconsistent with how other vars work, BUG 89986. Set the absolute path appropriately."

Rule variable names can be modified in several ways. You can define metavariables using the $ operator. These can be used with the variable modifier operators ? and -.

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.

Figure 1.10: Configuring snort.conf File in Notepad++ (Lines 113 and 114 now read var WHITE_LIST_PATH C:\Snort\rules and var BLACK_LIST_PATH C:\Snort\rules)
40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules; make sure both files have the .rules extension.

The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure the dynamic loaded libraries in this section.

42. At path to dynamic preprocessor libraries (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.

43. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.

Figure 1.11: Configuring snort.conf File in Notepad++ (Line 247 now reads dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor)

Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.

44. At path to base preprocessor (or dynamic) engine (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine, C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.

Figure 1.12: Configuring snort.conf File in Notepad++ (Line 250 now reads dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll)
45. Comment out (#) the dynamic rules libraries line (Line 253, dynamicdetection directory /usr/local/lib/snort_dynamicrules), as you have already configured the libraries under dynamic preprocessor libraries.

Figure 1.13: Configuring snort.conf File in Notepad++ (Line 253 is now commented out)

Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

46. Scroll down to the Step #5: Configure preprocessors section (Line 256). The inline packet normalization preprocessors listed there (normalize_ip4, normalize_tcp, normalize_icmp4, normalize_ip6, normalize_icmp6) do nothing in IDS mode but generate errors at runtime on this build.

IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

47. Comment out each of those normalization preprocessor lines by adding # before it.

Figure 1.14: Configuring snort.conf File in Notepad++ (the normalize_* preprocessor lines are commented out; the frag3 and stream5 preprocessor lines that follow are left active)

Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]

48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.

49. These two files are in C:\Snort\etc. Provide this location in the configure output plugins section (Lines 540 and 541).
Figure 1.15: Configuring snort.conf File in Notepad++ (Lines 540 and 541 now read include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config)

The frag3 preprocessor is a target-based IP defragmentation module for Snort.

50. In this Step #6, add the line output alert_fast: alerts.ids so that Snort writes all alerts to the alerts.ids file.

Figure 1.16: Configuring snort.conf File in Notepad++ (the new line output alert_fast: alerts.ids sits just above the two include lines)

Note: 'ipvar's are enabled only with IPv6 support. Without IPv6 support, use a regular 'var'.

51. By default, the C:\Snort\log folder is empty. Go to the C:\Snort\log folder and create a new text file with the name alerts.ids.

Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals: 1. Faster execution than frag2 with less complex data management. 2. Target-based host modeling anti-evasion techniques.

52. Ensure that the extension of that file is .ids.
Figure 1.17: The C:\Snort\log folder containing the new alerts.ids file

53. In the snort.conf file, find and replace the ipvar string with var. By default the keyword is ipvar, which this Snort build (without IPv6 support) does not recognize, so replace it with var.

Note: Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This allows administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.

Figure 1.18: The Notepad++ Replace dialog with Find what: ipvar, Replace with: var, and Replace All selected

Three types of variables may be defined in Snort: var, portvar and ipvar.

54. Save the snort.conf file.

55. Before running Snort you need to enable detection rules in the Snort rules files; for this lab we have enabled the ICMP ping rule so that Snort can detect any host discovery ping probes sent to the system running Snort.

56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.

57. Uncomment Line 47, then save and close the file.
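The snort.conf changes from steps 33 to 57, gathered into one fragment. This is an added illustration and not a copy of the lab's file or of the stock snort.conf; the 10.0.0.10 address is the one in Figure 1.8 and the line numbers are those the lab cites for the 2.9.3.1 rules snapshot, so substitute your own values. The reputation preprocessor lines are quoted from the stock 2.9 configuration to show why the two empty .rules files created in step 40 must exist.

```conf
# Step #1: Set the network variables (lines 41-45).
# This Windows build lacks IPv6 support, so every "ipvar" has been
# replaced by "var" (step 53). HOME_NET is the host running Snort.
var HOME_NET 10.0.0.10
var EXTERNAL_NET any
# Server variables stay on $HOME_NET unless that service really runs here.
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SSH_SERVERS $HOME_NET

# Rule paths (lines 104-106 and 113-114): absolute Windows paths replace
# the ../rules form, which is resolved relative to snort.exe, not snort.conf.
var RULE_PATH C:\Snort\rules
var SO_RULE_PATH C:\Snort\so_rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules
var WHITE_LIST_PATH C:\Snort\rules
var BLACK_LIST_PATH C:\Snort\rules

# Step #4: Configure dynamic loaded libraries (lines 247-253).
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
# dynamicdetection directory /usr/local/lib/snort_dynamicrules

# Step #5: inline normalization does nothing in IDS mode and errors at
# runtime on this build, so it is commented out (step 47).
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

# Stock reputation preprocessor block: it reads the two files from step 40,
# which is why empty white_list.rules and black_list.rules must exist.
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

# Step #6: Configure output plugins (lines 540-541 plus the added line).
# alert_fast writes one line per alert into the -l log directory, so the
# file lands in C:\Snort\log\alerts.ids (step 51).
output alert_fast: alerts.ids
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config
```

The rule enabled in step 57 lives in C:\Snort\rules\icmp-info.rules rather than in snort.conf; it is the generic ICMP echo request signature (itype:8, icode:0), so any ping to HOME_NET, not just the lab's test, will raise an alert once Snort runs in IDS mode.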
Figure 1.19: Configuring snort.conf File in Notepad++

58. Now navigate to C:\Snort, right-click the bin folder, and select Cmd Here from the context menu to open it in the command prompt.

Validate Configurations

59. Type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your device index number; in this lab X is 1).

60. If you enter all the command information correctly, you receive a graceful exit as shown in the following figure.

Note: To run Snort as a daemon, add the -D switch to any combination.
Note: If you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example: /usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

61. If you receive a fatal error, first verify that you have typed all modifications correctly into the snort.conf file, and then search through the file for entries matching your fatal error message.

62. If you receive an error stating "Could not create the registry key," run the command prompt as an Administrator.

Figure 2.18: Snort Successfully Validated Configuration Window

CEH Lab Manual Page 861. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Start Snort

63. To start Snort in IDS mode, in the command prompt type snort -c C:\Snort\etc\snort.conf -l C:\Snort\log -i 2 and then press Enter.
Figure 2.19: Start Snort in IDS Mode Command

64. Snort starts running in IDS mode. It first initializes output plug-ins, preprocessors, plug-ins and dynamic preprocessor libraries, loads the Snort rule chains, and then logs all signatures.

Note: C:\Snort\etc\snort.conf is the location of the configuration file.

65. After initializing the interface and logging the signatures, Snort starts and waits for an attack, triggering an alert when an attack occurs on the machine.

[Snort start-up output: Version 2.9.3.1-WIN32 GRE (Build 40), rules engine and preprocessor objects loaded, ending with "Commencing packet processing (pid=6664)"]

Note: Option -l logs the output to the C:\Snort\log folder; option -i 2 specifies the interface.

Note: Syntax to run Snort as a daemon: /usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D. When Snort is run as a daemon, it creates a PID file in the log directory.
Figure 1.20: Initializing Snort Rule Chains Window

67. Leave the Snort command prompt running.

TASK 6: Attack Host Machine

68. After initializing the interface and logging the signatures, Snort starts and waits for an attack, triggering an alert when an attack occurs on the machine. Attack your own machine and check whether Snort detects it.

69. Launch your Windows 8 virtual machine (Attacker Machine).

70. Open the command prompt and type ping XXX.XXX.XXX.XXX -t from the Attacker Machine (XXX.XXX.XXX.XXX is your Windows Server 2012 IP address).

71. Go to Windows Server 2012, open the Snort command prompt, and press Ctrl+C to stop Snort. Snort exits.

72. Now go to the C:\Snort\log\10.0.0.12 folder and open the text file ICMP_ECHO.ids.

Note: To view the Snort log file, always stop Snort first and then open the log file.
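As an added example (not code from the lab manual or from Snort), the following Python script parses the ICMP_ECHO.ids file that step 72 opens and summarises the echo requests per source, flagging the run of consecutive ICMP sequence numbers that a sustained ping -t leaves behind. The embedded log is constructed to match the file's four-line record layout; timestamps, IP IDs and the second source address 10.0.0.15 are made up.

```python
import re
from datetime import datetime

# Constructed sample in the layout Snort writes to ICMP_ECHO.ids with -K ascii
# (values are made up; the fifth record adds a second, one-off source).
SAMPLE_IDS = """\
[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:198  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:35.500000 10.0.0.15 -> 10.0.0.10
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
Type:8  Code:0  ID:7   Seq:1  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]$")
ADDR_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
                     r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)$")
IP_RE = re.compile(r"^(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:0x(?P<tos>[0-9A-Fa-f]+)\s+"
                   r"ID:(?P<ipid>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+ID:(?P<echo_id>\d+)\s+"
                     r"Seq:(?P<seq>\d+)\s+(?P<kind>\w+)")


def parse_ids(text):
    """Return one dict per alert record; records are blank-line separated."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.strip().splitlines()]
        if len(lines) < 4:
            continue  # truncated record (Snort stopped mid-write): skip it
        h, a, ip, icmp = (HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1]),
                          IP_RE.match(lines[2]), ICMP_RE.match(lines[3]))
        if not (h and a and ip and icmp):
            continue  # not an ICMP record in this layout
        alerts.append({
            "msg": h["msg"], "src": a["src"], "dst": a["dst"],
            # the file carries no year; strptime fills in 1900, fine for deltas
            "time": datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f"),
            "proto": ip["proto"], "ttl": int(ip["ttl"]), "ipid": int(ip["ipid"]),
            "type": int(icmp["type"]), "code": int(icmp["code"]),
            "echo_id": int(icmp["echo_id"]), "seq": int(icmp["seq"])})
    return alerts


def summarise_pings(alerts, min_count=3):
    """Group echo requests (Type 8) by (src, dst) and flag sustained pinging:
    at least min_count requests with consecutive ICMP sequence numbers,
    which is the pattern 'ping -t' produces."""
    flows = {}
    for rec in alerts:
        if rec["type"] == 8:
            flows.setdefault((rec["src"], rec["dst"]), []).append(rec)
    summary = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["time"])
        seqs = [r["seq"] for r in recs]
        consecutive = all(b == a + 1 for a, b in zip(seqs, seqs[1:]))
        duration = (recs[-1]["time"] - recs[0]["time"]).total_seconds()
        summary[key] = {"count": len(recs), "first_seq": seqs[0],
                        "last_seq": seqs[-1], "duration_s": round(duration, 3),
                        "sustained": len(recs) >= min_count and consecutive}
    return summary


if __name__ == "__main__":
    for (src, dst), info in summarise_pings(parse_ids(SAMPLE_IDS)).items():
        print(f"{src} -> {dst}: {info}")
```

Point parse_ids at the contents of C:\Snort\log\10.0.0.12\ICMP_ECHO.ids to run it over the real file from this lab.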
ICMP_ECHO.ids (excerpt of the entries shown in the figure):

    [**] ICMP-INFO PING [**]
    11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:198  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:199  ECHO

Figure 1.21: Snort Alerts .ids Window Listing Snort Alerts

73. You see that all the log entries are saved in the ICMP_ECHO.ids file. This means that your Snort is working correctly and triggers an alert when attacks occur on your machine.

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Snort
Information Collected/Objectives Achieved: Output: victim machine logs are captured

Questions

1. Determine and analyze the process to identify and monitor network ports after intrusion detection.
2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required: ☐ Yes
Platform Supported: ☑ Classroom ☑ iLabs
Lab: Logging Snort Alerts to Kiwi Syslog Server

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day, making it difficult for human users to analyze them and take appropriate actions. It is important to reduce the redundancy of alerts, intelligently integrate and correlate them, and present a high-level view of the detected security issues to the administrator. An IDS is used to inspect data for malicious or anomalous activities and to detect attacks or unauthorized use of systems, networks, and related resources.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, identify malicious network activity and log information, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is to help students learn and understand IPSes and IDSes.
In this lab, you need to:
■ Install Snort and configure the snort.conf file
■ Validate configuration settings
■ Perform an attack on the host machine
■ Perform an intrusion detection
■ Attempt to stop detected possible incidents

Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.
Lab Environment

To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ Windows 8 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Administrative privileges to configure settings and run tools

Note: You can also download Kiwi Syslog Server from http://www.kiwisyslog.com

Lab Duration

Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Lab Tasks

TASK 1: Log Snort Alerts to Syslog Server

1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Kiwi Syslog Server, double-click Kiwi_Syslog_Server_9.3.4.Eval.setup.exe, and install Kiwi Syslog Server on the Windows Server 2012 host machine.

2. The License Agreement window appears; click I Agree.

Figure 2.1: Kiwi Syslog Server installation
3. In the Choose Operating Mode wizard, check the Install Kiwi Syslog Server as an Application check box and click Next >.

Figure 2.2: Kiwi Syslog Server installation

4. In the Install Kiwi Syslog Web Access wizard, uncheck the Install Kiwi Syslog Web Access option and click Next >.

Figure 2.3: Kiwi Syslog Server

5. Leave the settings at their defaults in the Choose Components wizard and click Next >.
Figure 2.4: Adding components

6. In the Choose Install Location wizard, leave the settings at their defaults and click Install to continue.

Figure 2.5: Give destination folder

7. Click Finish to complete the installation. You should see a test message appear, which indicates that Kiwi is working.
Figure 2.6: Kiwi Syslog Server finish window

8. Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box. The dialog reports the default Action settings applied on first run: display all messages, and log all messages to the file SyslogCatchAll.txt; these can be changed from the File | Setup menu.

Figure 2.7: Default setting applied window

9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.

Note: Kiwi Syslog Server is a free syslog server for Windows. It receives, logs, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and other syslog-enabled devices.

Figure 2.8: Start menu in Windows Server 2012

10. In the Start menu apps, click Kiwi Syslog Server Console to launch the app.
Figure 2.9: Click Kiwi Syslog Server application

11. Configure Syslog alerts in the snort.conf file.

12. To configure Syslog alerts, first exit from the Snort command prompt (press Ctrl+C).

13. Go to C:\Snort\etc and open the snort.conf file with Notepad++.

14. Scroll down to Step #6: Configure output plugins. In the syslog section (line 527), remove the # and modify the line to: output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT

snort.conf before modification (Syslog)

Note: The reason you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need rights not only to output your alerts to Kiwi, but also to write them to a log file.

Figure 2.10: snort.conf before modification

snort.conf after modification (Syslog)
Figure 2.11: snort.conf after configuration

15. Save the file and close it.

16. Open Kiwi Syslog Server Console and press Ctrl+T. This is to test Kiwi Syslog Server alert logs.

Figure 2.12: Kiwi Syslog Service Manager window

17. Leave the Kiwi Syslog Server Console open. Do not close the window.

18. Now open a command prompt with Snort and type this command: snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -s and press Enter (here X is the index number of your Ethernet card).
Figure 2.13: Snort Alerts .ids Window Listing Snort Alerts

Note: Kiwi Syslog Server filtering options:
■ Filter on IP address, hostname, or message text
■ Filter out unwanted host messages or take a different logging action depending on the host name
■ Perform an action when a message contains specific keywords

19. Open a command prompt in your Windows 8 virtual machine and type this command: ping 10.0.0.10 (the IP address of your host machine where Kiwi Syslog Server Console is running).

20. Go to the Kiwi Syslog Service Manager window (which is already open) and observe the triggered alert logs. Each entry shows the priority Auth.Alert, the hostname 127.0.0.1, and a message of the following form (excerpt from the figure):

    Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10

Figure 2.14: Kiwi Syslog Service Manager with Snort Logs

21. In Kiwi Syslog, you see the Snort alert outputs listed in the Kiwi Syslog Service Manager.

22. You have successfully output Snort alerts to two sources.

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Kiwi Syslog Server
Information Collected/Objectives Achieved: Output: the Snort alert outputs listed in Kiwi Syslog Service Manager

Questions

1. Evaluate how you can capture a memory dump to confirm a leak using Kiwi Syslog Server.

2. Determine how you can move Kiwi Syslog Daemon to another machine.

3. Each Syslog message includes a priority value at the beginning of the text. Evaluate the priority of each Kiwi Syslog message and on what basis messages are prioritized.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
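As an added example that ties the output alert_syslog line from step 14 to question 3 (not code from the lab manual, Snort or Kiwi), the following Python script decodes the syslog <PRI> value (LOG_AUTH = 4 and LOG_ALERT = 1 give 4 * 8 + 1 = 33, which Kiwi shows as Auth.Alert), parses Snort's alert message into rule and address fields, and applies a Kiwi-style host, keyword or priority filter. The datagrams are constructed: the first mirrors the ICMP-INFO PING line from the console, while the local-range rule sid 1000001 and the host router01 are made up.

```python
import re

# syslog facility and severity names (RFC 3164 numbering)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOG_AUTH, LOG_ALERT = 4, 1   # the pair named on the alert_syslog line in snort.conf

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# RFC 3164 style header: "Nov 14 18:40:12 HOST tag: message"
HDR_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$", re.S)
# Snort alert_syslog message: [gid:sid:rev] name [Classification: c] [Priority: p] {proto} src -> dst
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

# Constructed datagrams: the ICMP-INFO PING line from the Kiwi console, a made-up
# local-range rule (sid 1000001) for a high-priority TCP alert, and one with no <PRI>.
SAMPLE_DATAGRAMS = [
    b"<33>Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING "
    b"[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10",
    b"<33>Nov 14 18:40:13 WIN-2N9STOSGIEN snort: [1:1000001:1] LOCAL telnet login "
    b"attempt [Classification: Attempted User Privilege Gain] [Priority: 1] "
    b"{TCP} 10.0.0.12:51234 -> 10.0.0.10:23",
    b"Nov 14 18:40:14 router01 kernel: eth0 link up",
]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; LOG_AUTH with LOG_ALERT gives 33."""
    return facility * 8 + severity


def build_datagram(timestamp, host, message, facility=LOG_AUTH, severity=LOG_ALERT):
    """Format an alert the way Snort's alert_syslog plugin sends it (tag 'snort')."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} snort: {message}".encode()


def parse_datagram(data):
    """Decode one UDP syslog datagram into a dict. 'snort' holds the rule details
    when the tag is snort and the message matches Snort's alert layout."""
    text = data.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if m:
        pri, text = int(m["pri"]), m["rest"]
    else:
        pri = 13  # RFC 3164: a datagram without <PRI> is treated as user.notice
    event = {"pri": pri, "facility": FACILITIES.get(pri // 8, str(pri // 8)),
             "severity": SEVERITIES[pri % 8], "snort": None, "raw": text}
    h = HDR_RE.match(text)
    if not h:
        event.update(ts=None, host=None, tag=None, msg=text)  # keep unparseable lines
        return event
    event.update(ts=h["ts"], host=h["host"], tag=h["tag"], msg=h["msg"])
    s = SNORT_RE.match(h["msg"]) if h["tag"] == "snort" else None
    if s:
        event["snort"] = {"gid": int(s["gid"]), "sid": int(s["sid"]), "rev": int(s["rev"]),
                          "name": s["name"], "classification": s["cls"],
                          "priority": int(s["prio"]), "proto": s["proto"],
                          "src": s["src"], "sport": s["sport"],
                          "dst": s["dst"], "dport": s["dport"]}
    return event


def filter_events(events, host=None, keyword=None, max_snort_priority=None):
    """Kiwi-style selection: by host name, by message text, or by Snort priority
    (1 is the most severe, so max_snort_priority=1 keeps only priority-1 alerts)."""
    out = []
    for ev in events:
        if host and ev["host"] != host:
            continue
        if keyword and keyword.lower() not in ev["msg"].lower():
            continue
        if max_snort_priority is not None and (
                ev["snort"] is None or ev["snort"]["priority"] > max_snort_priority):
            continue
        out.append(ev)
    return out


if __name__ == "__main__":
    events = [parse_datagram(d) for d in SAMPLE_DATAGRAMS]
    for ev in events:
        print(f"{ev['facility']}.{ev['severity']} {ev['host']} {ev['msg']}")
    print("priority 1:", [e["snort"]["sid"] for e in filter_events(events, max_snort_priority=1)])
```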
Lab 3: Detecting Intruders and Worms Using KFSensor Honeypot IDS

KFSensor is a Windows-based honeypot Intrusion Detection System (IDS).

Lab Scenario

Intrusion detection systems are designed to search network activity (we are considering both host and network IDS detection) for evidence of malicious abuse. When an IDS algorithm "detects" some sort of activity and the activity is not malicious or suspicious, this detection is known as a false positive. It is important to realize that from the IDS's perspective, it is not doing anything incorrect. Its algorithm is not making a mistake. The algorithm is just not perfect. IDS designers make many assumptions about how to detect network attacks. An example assumption could be to look for extremely long URLs. Typically, a URL may be only 500 bytes long. Telling an IDS to look for URLs longer than 2000 bytes may indicate a denial of service attack. A false positive could result from some complex e-commerce web sites that store a wide variety of information in the URL and exceed 2000 bytes.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and intrusion detection systems (IDSes), identify malicious network activity and log information, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is to make students learn and understand IPSes and IDSes.
In this lab, you need to:
■ Detect hackers and worms in a network
■ Provide network security

Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.

Lab Environment

To carry out this lab, you need:
■ KFSensor, located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Honeypot Tools\KFSensor
■ KFSensor installed in Windows 8
■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ MegaPing installed in Windows Server 2012
■ If you have decided to download the latest version of these tools, the screenshots may differ
■ Administrative privileges to configure settings and run tools

Note: You can also download KFSensor from http://www.keyfocus.net

Lab Duration

Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion prevention system (IPS) is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log related information, attempt to block/stop the activity, and report it. An IDS is a software device or application that monitors network and/or system activities for malicious activities or policy violations and delivers reports to a management station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

TASK 1: Configure KFSensor

1. Launch the Windows 8 virtual machine and follow the wizard-driven installation steps to install KFSensor.

2. After installation, it prompts you to reboot the system. Reboot the system.

3. In Windows 8, launch KFSensor. To launch KFSensor, move your mouse cursor to the lower-left corner of your desktop and click Start.
Figure 3.1: KFSensor Window with Setup Wizard

Note: To set up common ports, KFSensor has a set of pre-defined listen definitions. They are:
■ Windows Workstation
■ Windows Server
■ Windows Internet Services
■ Windows Applications
■ Linux (services not usually in Windows)
■ Trojans and worms

4. In the Start menu apps, right-click the KFSensor app and click Run as Administrator at the bottom.

Figure 3.2: KFSensor Window with Setup Wizard

5. At the first-time launch of the KFSensor Set Up Wizard, click Next.
The Set Up Wizard performs the initial configuration of KFSensor; it takes you through a number of steps to configure your system, and all of these configurations can be modified later using the menu options.

Figure 3.3: KFSensor main Window

6. Check all the port classes to include and click Next.

Note: KFSensor can detect intrusions on many different ports and simulate different types of services. These ports are grouped by class. Checked classes will be added to the scenario; unchecked classes will be removed from the scenario.

Note: Domain Name is the domain name used to identify the server to a visitor. It is used in several Sim Servers.

Figure 3.4: KFSensor Window with Setup Wizard

7. Leave the domain name field as default and click Next.
C E H Lab Manual Page 877 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Note: The domain name could be the real domain name of the machine or a fictitious one. If you pick a fictitious one, try not to use a real domain belonging to somebody else.

FIGURE 3.5: KFSensor Window with Setup Wizard

Note: KFSensor can send alerts by email. The settings in the wizard are the minimum needed to enable this feature.

8. If you want to send KFSensor alerts by email, specify the email address details and click Next.

FIGURE 3.6: KFSensor Window with Setup Wizard - email alerts

Note: A systems service is a special type of application that Windows runs in the background and is similar in concept to a UNIX daemon. The KFSensor Server becomes independent of the logged-on user, so the user can log off and another person can log on without affecting the server.

9. Choose options for Denial of Service, Port activity, Proxy Emulation, and Network Protocol Analyzer and click Next.
Note: The wizard options are: Denial Of Service Options: Cautious (controls how many events are recorded before the server locks up); Port Activity: 1 Hour (how long a port should indicate activity after an event); Proxy Emulation: Allow banner grabs and loop backs (controls if KFSensor is allowed to make limited external connections); Network Protocol Analyzer: Enable packet dump files (dump files are useful for detailed analysis but take up a lot of disk space).

Note: The KFSensor Monitor is a module that provides the user interface to the KFSensor system. With it you can configure the KFSensor Server and examine the events that it generates.

FIGURE 3.7: KFSensor Window with Setup Wizard - options

10. Check the Install as systems service option and click Next. The KFSensor Server can be configured to start automatically when the system starts, even before you log on. You must be logged in as the Administrator to install a systems service.

Note: The Ports View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the ports on which it is listening.

FIGURE 3.8: KFSensor Window with Setup Wizard - system service

11. Click Finish to complete the Set Up wizard.
Note on the Evaluation Version: there are a number of restrictions set for the ten-day duration of the evaluation period. The export functionality is unavailable and the details of some events are deliberately obscured.

Note: The Ports View can be displayed by selecting the Ports option from the View menu.

FIGURE 3.9: KFSensor finish installation

12. The KFSensor main window appears. It displays a list of ID, protocols, Visitor and Received automatically when it starts. In the following window, all the nodes in the left block crossed out with blue lines are the ports that are being used. In the screenshot the Events View already lists UDP 138 NBT Datagram events from several Windows hosts on the local network, and the status bar reads "Server Running, Visitors: 8".

FIGURE 3.10: KFSensor Main Window

13. Open a command prompt from the Start menu apps.
Note: The top level item in the Ports View is the server. The IP address of the KFSensor Server and the name of the currently active Scenario are displayed. The server icon indicates the state of the server.

14. In the command prompt window, type netstat -an.

FIGURE 3.11: Command Prompt with netstat -an

15. This will display a list of listening ports. With KFSensor running, the output shows TCP sockets bound to 0.0.0.0 in the LISTENING state on the emulated service ports (among them 21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 1080).

Note: The protocol level of KFSensor is used to group the ports based on their protocol: either TCP or UDP.

FIGURE 3.12: Command Prompt with netstat -an
16. Leave the KFSensor tool running.

17. Follow the wizard-driven installation steps to install MegaPing in Windows Server 2012 (Host Machine).

Note: The Visitors View is displayed on the left panel of the main window. It comprises a tree structure that displays the name and status of the KFSensor Server and the visitors who have connected to the server.

18. To launch MegaPing, move your mouse cursor to the lower-left corner of your desktop and click Start.

FIGURE 3.13: Starting window in Windows Server 2012

19. Click the MegaPing app in the Start menu apps.

Note: Each visitor detected by the KFSensor Server is listed. The visitor's IP address and domain name are displayed.

FIGURE 3.14: Click on MegaPing

20. The main window of MegaPing appears as shown in the following screenshot.
FIGURE 3.15: MegaPing on Windows Server 2012

Note: The Visitors View can be displayed by selecting the Visitors option from the View menu.

21. Select Port Scanner from the list on the left side.

22. Enter the IP address of the Windows 8 machine on which KFSensor is running (in this lab the IP address is 10.0.0.12) in the Destination Address List and click Add.

FIGURE 3.16: MegaPing: Select 10.0.0.12 from Host, Press Start button

23. Check the IP address and click the Start button to start the port scan of 10.0.0.12.
Note: The Visitor name is obtained by a reverse DNS lookup on the visitor's IP address. An icon is displayed indicating the last time the visitor connected to the server.

FIGURE 3.17: MegaPing: Data of the packets received

24. The following image displays the identification of Telnet on port 23. The Port Scanner results list the open TCP ports found on 10.0.0.12 with their keyword, description and risk rating, for example 23 (telnet, Telnet), 25 (smtp, Simple Mail Transfer), 42 (Host Name Server) and 53 (domain, DNS).

Note: The Visitors View is linked to the Events View and acts as a filter to it. If you select a visitor, then only those events related to that visitor will be displayed in the Events View.

FIGURE 3.18: MegaPing: Telnet port data

25. The following image displays the identification of Socks on port 1080.
Note: The events are sorted in either ascending or descending chronological order. This is controlled by options on the View Menu.

The Port Scanner results also list TCP ports 1080 (socks, Socks), 1214, 1433 (ms-sql-s), 1494 (ica, Citrix ICA Client) and 1801, all rated Low.

FIGURE 3.19: MegaPing: Blackjack virus

26. Now come back to the Windows 8 virtual machine and look for Telnet data. The KFSensor Events View shows the scan as a TCP 23 Telnet event from the scanning host.

Note: The events that are displayed are filtered by the currently selected item in the Ports View or the Visitors View.

FIGURE 3.20: Telnet data on KFSensor

27. The following image displays the data of a Death Trojan.
Note: Exit shuts down the KFSensor Monitor. If the KFSensor Server is not installed as a systems service, then it will be shut down as well.

The Events View shows the connection to TCP port 2 (Death, Trojan) recorded at 9/27/2012 6:24:12 PM.

FIGURE 3.21: Death Trojan data on KFSensor

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: KFSensor
Information Collected/Objectives Achieved:
  Output: Honeypot IDS
  Infected Port number: 1080
  Number of Detected Trojans: 2

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
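The two things this lab has you read off screenshots, the honeypot's listening sockets in netstat -an and the per-visitor events KFSensor records while MegaPing scans 10.0.0.12, can be checked programmatically on the defender's side. The following Python script is an added example, not part of the lab manual or of KFSensor: its netstat output and event lines are constructed samples laid out like the screenshots, and the visitor name WIN-SCANNER, the expected-port set and the pipe-separated event format are assumptions.

```python
"""Check honeypot exposure from netstat output and KFSensor-style events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of `netstat -an` output, in the layout the lab's screenshots show.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    10.0.0.12:49152        10.0.0.5:443           ESTABLISHED
  UDP    0.0.0.0:138            *:*
"""

# Ports the wizard's port classes should open on the honeypot (assumed subset for this example).
EXPECTED_HONEYPOT_PORTS = {21, 23, 25, 53, 80, 110, 1080}
# Ports the lab's KFSensor scenario reports as trojan listeners (Death trojan on 2, SOCKS on 1080).
TROJAN_PORTS = {2, 1080}

# Constructed event lines modelled on the KFSensor Events View columns:
# Start | Protocol | Sensor port | Name | Visitor. WIN-SCANNER is an assumed host name.
EVENT_SAMPLE = """\
9/27/2012 5:27:41 PM|UDP|138|NBT Datagram|WIN-ULY358K
9/27/2012 6:24:12 PM|TCP|2|Death, Trojan|WIN-SCANNER
9/27/2012 6:24:13 PM|TCP|23|Telnet|WIN-SCANNER
9/27/2012 6:24:13 PM|TCP|25|SMTP|WIN-SCANNER
9/27/2012 6:24:14 PM|TCP|53|DNS|WIN-SCANNER
9/27/2012 6:24:15 PM|TCP|1080|SOCKS|WIN-SCANNER
9/27/2012 6:24:16 PM|TCP|1433|SQL Server|WIN-SCANNER
"""

def tcp_listening_ports(netstat_text):
    """Return the set of TCP ports netstat reports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))  # drop the local address part
    return ports

def missing_honeypot_ports(netstat_text, expected=EXPECTED_HONEYPOT_PORTS):
    """Expected honeypot ports that are not listening (server down or port class unchecked)."""
    return sorted(expected - tcp_listening_ports(netstat_text))

def parse_events(text):
    """Parse pipe-separated event lines into dicts with a real datetime for windowing."""
    events = []
    for line in text.splitlines():
        when, proto, port, name, visitor = line.split("|")
        events.append({"when": datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p"),
                       "proto": proto, "port": int(port), "name": name, "visitor": visitor})
    return events

def detect_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Flag visitors that touched at least min_ports distinct honeypot ports within one window.
    One host hitting many emulated services in seconds is the trace a port scanner leaves;
    a single NetBIOS datagram on UDP 138 does not qualify."""
    by_visitor = defaultdict(list)
    for event in events:
        by_visitor[event["visitor"]].append(event)
    scans = {}
    for visitor, hits in by_visitor.items():
        hits.sort(key=lambda e: e["when"])
        for i, start in enumerate(hits):  # slide the window from every event in turn
            ports = {e["port"] for e in hits[i:] if e["when"] - start["when"] <= window}
            if len(ports) >= min_ports:
                scans[visitor] = sorted(ports)
                break
    return scans

def trojan_hits(events):
    """Events on ports the Trojans-and-worms class emulates, or whose name is tagged Trojan."""
    return [(e["port"], e["name"], e["visitor"]) for e in events
            if e["port"] in TROJAN_PORTS or "Trojan" in e["name"]]
```

Run against a real netstat capture and an export of the Events View, `missing_honeypot_ports` tells you whether the honeypot is actually exposing the classes you checked in the wizard, and `detect_port_scans` turns the flood of per-port events into one finding per scanning host.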
HTTP Tunneling Using HTTPort

HTTPort/HTTHost is a program that creates a transparent tunnel through a proxy server or firewall.

Lab Scenario

Attackers are always in a hunt for ways by which they can enter your network and perform attacks, which can prove disastrous to an organization's network. As you have learned in the previous lab, attackers are able to capture network traffic by hijacking packets, Trojan attacks, IP spoofing, etc. An attacker can get a client's IP address through spoofing, pass through a firewall and do attacks that can easily compromise and damage the registry and steal your data, passwords, etc. An attacker may use the IP address to probe a network for ports and then use this raw destination IP address for extracting packet data such as source and destination addresses, protocol type, header length, flags, checksum, Time to Live (TTL), and protocol type. Hence, a network administrator should be able to identify attack signatures, retrieve raw packet information and compare these with the captured details to determine if an attack has occurred. You can also check the attack logs to retrieve information such as source and destination IP and source and destination ports, etc., identify the list of attacks and take evasive actions. Also, you should be familiar with additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine to which extent a network IDS can identify malicious traffic within a communication channel. In this lab, you will learn the HTTP tunneling technique using HTTPort.

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment

In this lab, you need the HTTPort tool.