Practical Training in. IT-Security. Information gathering. - Experiment manual - Tasks. B.Sc. BG 24 M.Sc. AI MN 1 M.Sc. EB 10

Size: px

Start display at page:

Download "Practical Training in. IT-Security. Information gathering. - Experiment manual - Tasks. B.Sc. BG 24 M.Sc. AI MN 1 M.Sc. EB 10"

Samuel Cook
5 years ago
Views:

IT-Security Practical Training in IT-Security - Experiment manual - Before an

where are the weak points of the There are various possibilities to find this

1 IT-Security Practical Training in IT-Security - Experiment manual - Before an attacker can intrude into the system, he must obtain information about this system. He must know, which ports are open, which applications run on these ports and where are the weak points of the system. There are various possibilities to find this out, you will get to know them in this experiment. Moreover, some countermeasures for confusing the attacker will be presented. B.Sc. M.Sc. AI MN 1 M.Sc. EB 10

2 Task 1 Recognizing operating system User@angreifer: angreifer Password@angreifer: angreifer User@zielsystem1: zielsystem1 Password@zielsystem1: zielsystem1 User@zielsystem2: zielsystem2 Password@zielsystem2: a) What do you understand under a term stack fingerprinting? b) Using active stack fingerprinting, determine which operating systems run on both target systems. Use the program nmap for this. c) Active stack fingerprinting is recognized by most of the IDS / IPS systems. Therefore a passive stack fingerprinting should be used instead. For this use the program p0f. Start the program p0f on the Angreifer using the command: sudo p0f. Now change to the target system and access the website of the attacker (Zielsystem1: wget). Look at the attacker's system, which operating system is recognized. 2

3 Task 2 Questions for port scanning a) What is a port scan? b) Which different types of port scans do you know? c) Which states can a port have? d) Explain the operation of a TCP-SYN, a TCP-FIN and a TCP-Xmas scans? 3

4 Task 3 Performing various port scans a) Perform a TCP-SYN scan from attacker's system on Windows and Linux target systems. Use the program nmap for this and scan only the TCP-Ports in range Which ports are open on which system? b) Perform a TCP-Xmas scan on both target systems. Scan again the port range Do you get the same results? State reasons for your answer. Tip: Look at the communication with wireshark. c) Perform an Idle scan with nmap. Scan the Linux target system with the help of the Windows target system. The TCP ports should be scanned. What is the great advantage of an Idle scan? 4

5 d) Change to the Linux target system and setup the firewall (iptables) so that it's not possible to recognize whether the port is open or closed. Use the following command for this: sudo iptables -I OUTPUT 1 -p tcp -tcp-flags RST,ACK RST,ACK -j DROP e) Now we want to confuse the attacker, by making him believe that all scanned ports are open. For this purpose we use the program shroud.c. Compile the program by running the following command in the terminal of the Linux target system: sudo gcc $(libnet config defines) o shroud shroud.c lnet lpcap By running this command you will get the executable program shroud. Now run this program: sudo./shroud <own IP address> Now that the program shroud runs, change to the attacker system and perform a TCP-SYN scan on the Linux target system. How can you explain the result? What does the shroud program do? 5

6 Task 4 Banner grabbing a) What do you understand under banner grabbing? b) The port scans in Task 1 already show, which service runs on which port. Why is it still necessary to apply banner grabbing? c) Perform a TCP-SYN scan on the Linux target system. Scan only the TCP port 21. What does nmap show, which service does run at the port 21? d) Now perform the banner grabbing on the same port. Use the program amap for this (with the option -d). What does really run on that port? Why did the scan performed in section (c) show another service? 6

7 Task 5 Weak points scan a) What do you understand under a weak points scan? b) Both target systems should be checked for possible weak points. The program Nessus will be used for this. Run this command in the terminal: NessusClient /home/angreifer/nessus/win_lin_scan.nessus The GUI for Nessus will run with a preset Profile (Win_Lin_Scan.nessus). Click at the Connect button in the lower left corner and connect with the local connection. (if questioned: Password = nessus) If this all went successfully, choose the IP address of at the left side, and Windows Policy at the right side. Now start the scan and take notice, which critical (marked red) weak points were found. (The scan can take up to 5 minutes.) 7

8 c) At the Zielsystem2 runs an FTP server, which wasn't checked for weak points yet. Change the Windows Policy so that FTP server is also included. Before you perform the scan, change to the Zielsystem2 and restart the FTP server (FileZilla) there. Use the XAMPP Control Panel for this, which you can find on the Desktop. Now start the new scan. Will there be new critical weak spots recognized? If so, then which? 8

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE UNIT III STUDY GUIDE Course Learning Outcomes for Unit III Upon completion of this unit, students should be able to: 1. Recall the terms port scanning, network scanning, and vulnerability scanning. 2.