LAB6_NetworkAnalysis

Network Defense

Student name: ______________________

Date: _____________________________

LAB 6 – Network Analysis and Passive Fingerprinting (Revised SM2010 1.5 to 2 hours)

General Instructions: The purpose of this Lab exercise is to get the student familiar with the basic concepts and procedures for conducting network analysis, network forensics and passive network fingerprinting.

Record your results directly on the lab sheets for submission. They will be returned to you after grading. The following resources may be useful when completing this lab:

1. BackTrack: http://www.backtrack-linux.org/

a. BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

2. WireShark: http://www.wireshark.org/

a. Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

3. Wireshark User Guide: http://www.wireshark.org/docs/wsug_html/

4. Wireshark Manual Pages: http://www.wireshark.org/docs/man-pages/

5. Wireshark Display Filters: http://www.wireshark.org/docs/dfref/

6. EtterCap: http://ettercap.sourceforge.net/

a. Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

7. P0f: http://lcamtuf.coredump.cx/p0f.shtml


a. P0f is a versatile passive OS fingerprinting tool.

8. NetworkMiner: http://networkminer.sourceforge.net/

a. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.

9. Passive Operating System Identification From TCP/IP Packet Headers Article by Richard Lippmann, David Fried, Keith Piwowarski, and William Streilein from the MIT Lincoln Laboratory: http://www.ll.mit.edu/mission/communications/ist/publications/03_POSI_Lippmann.pdf

10. Passive OS Fingerprinting: Details and Techniques by Toby Miller: http://www.ouah.org/incosfingerp.htm

11. Know Your Enemy: Passive Fingerprinting by Craig Smith and Peter Grundl: http://old.honeynet.org/papers/finger/

12. Remote OS Detection by Gordon “Fyodor” Lyon: http://nmap.org/book/osdetect.html

13. TCP/IP Fingerprinting: http://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting

14. Defeating TCP/IP Stack Fingerprinting: http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html

Starting BackTrack VM

1. Open Virtual Box from the Program Menu and Start the BackTrack VM Image

Note: BackTrack boots into run level 3 by default, which is simply the Bash command environment without a window manager.

2. Login to BackTrack from the command line with the following credentials:

Username: root
Password: toor

3. Start the default Linux windows manager by typing the following command at the command prompt after logging in:

root@bt:~# startx


4. By default network services are not started with Backtrack, so we need to start these services if we want to connect to the Internet and/or internal networks. To start the network services in backtrack type the following command into a terminal window:

root@bt:~# service networking start

Note: To open a terminal window click the black and white Konsole Icon on the task bar at the bottom of your screen. It is the icon just right of the Firefox icon.

5. BackTrack is now fully booted into run level 5, the graphical window manager, and you can now proceed with your lab.

Getting Familiar with WireShark

1. Click on the WireShark icon located on your Desktop to launch the WireShark application.

Note: An alternative way to launch the WireShark application is to simply type the following command within any terminal window:

root@bt:~# wireshark

NOTE: You can also automatically open a network capture file (PCAP) with wireshark by supplying the file name when launching wireshark from the command line like this:

root@bt:~# wireshark example.pcap

2. Click on the “Edit” Menu Option and then select “Preferences” from the drop down menu to display wireshark’s default application preferences. The following pop up dialog box should be shown:


3. Select “Capture” from the left hand list box to show the capture preferences for wireshark.

a. Ensure the following settings are applied:

Default Interface: eth0
All checkboxes are “Checked”, as shown in the following image:

b. Click “Apply” to apply these settings.

4. Explore the “Name Resolution” Settings within wireshark by recording them here:


a. Why would it be important for an attacker to turn off all name resolution settings within a network packet capturing application like Wireshark before sniffing packets on a network?

HINT: An attacker's main goal is to avoid detection and go unnoticed while conducting his or her activities. Think stealthy! Consider what traffic the sniffing host itself would have to send in order to turn an IP address into a name.

b. Close Wireshark's “Preferences” dialog box by clicking the “OK” button.

5. Start a network capture session by selecting the “Capture” menu option and then selecting “Start” from the drop down menu.

6. Now open up the web browser FireFox by selecting it from the taskbar at the bottom of your screen and perform the following actions:

a. Goto “www.google.com” by typing the URL directly in the address bar.

b. Search for the term “uah”

c. Click the first search result within your google search results to visit the UAH home page.

d. Close your “FireFox” web browser.

7. Stop the network capture by selecting the “Capture” menu option and then selecting “Stop” from the drop down menu.

8. Verify your network capture session was successful by comparing the following image with your running instance of wireshark. Note: Packet details will not be exactly the same but the general display should be very similar.


9. Apply a display filter to show only DNS-related traffic within Wireshark in order to identify the IP address of the DNS server being used. Note: Wireshark has numerous built-in filtering options, making it an extremely powerful network analysis tool. See the cheat sheet provided for this lesson titled “Wireshark_Display_Filters.pdf” for a few of the more common filtering capabilities.

a. In Wireshark's filter bar type the following text:

dns

b. Identify the IP address of the DNS server serving your network and record it here. HINT: DNS service is provided by a server listening on port 53, so look at the destination address of the query packets.

c. Scroll down to the packet sent from your client to the DNS server looking for “www.uah.edu”. Select this packet to ensure it is highlighted. Within Wireshark's protocol analysis box expand the “Domain Name System” query data and then further expand the “Queries” information to display the DNS query information as shown in the following image:


d. Notice as you select different pieces of information in the protocol analysis window that the packet data analysis window updates and highlights the corresponding specific packet data within the entire network packet. The packet display window shows the entire network packet in both standard ASCII form and HEX form. Select the “Type” field in the protocol analysis window and record the HEX value here:

e. Clear the display filter by clicking the “Clear” button on the filter toolbar at the top of wireshark’s application window.
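The following Python script is an added example, not part of the original lab: it decodes the same kind of DNS query you just examined and reports the byte offset and hex value of the “Type” field, so you can check the answer you recorded against Wireshark's bytes pane. The SAMPLE_QUERY bytes and the packet tuples passed to dns_servers are constructed for this example (the IP addresses are documentation addresses, not the lab network), and the function names are this example's own.

```python
import struct

# Constructed sample (not taken from the lab capture): the UDP payload of a DNS
# query for www.uah.edu, type A, class IN, laid out exactly as Wireshark's bytes
# pane would show it.
SAMPLE_QUERY = (
    b"\x12\x34"                    # transaction ID
    b"\x01\x00"                    # flags: standard query, recursion desired
    b"\x00\x01"                    # QDCOUNT = 1 question
    b"\x00\x00\x00\x00\x00\x00"    # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x03www\x03uah\x03edu\x00"   # QNAME: length-prefixed labels, terminated by 0
    b"\x00\x01"                    # QTYPE  = 1 (A record)
    b"\x00\x01"                    # QCLASS = 1 (IN)
)

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
               15: "MX", 16: "TXT", 28: "AAAA"}


def parse_name(data, offset):
    """Read a domain name starting at offset; return (dotted name, offset after it).
    Handles RFC 1035 compression pointers (0xC0xx) so answer sections parse too."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = parse_name(data, pointer)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(data):
    """Decode the DNS header and question section, recording where each
    question's Type field sits so it can be matched against the hex pane."""
    tid, flags, qdcount = struct.unpack("!HHH", data[:6])
    questions = []
    offset = 12                      # the DNS header is always 12 bytes
    for _ in range(qdcount):
        name, offset = parse_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        questions.append({
            "name": name,
            "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
            "qclass": qclass,
            "type_offset": offset,                      # byte offset of the Type field
            "type_hex": data[offset:offset + 2].hex(),  # what Wireshark shows for it
        })
        offset += 4
    return {"id": tid, "is_response": bool(flags & 0x8000), "questions": questions}


def dns_servers(packets):
    """Equivalent of applying the 'dns' display filter and reading off the server
    address: packets is an iterable of (src_ip, dst_ip, src_port, dst_port)."""
    servers = set()
    for src, dst, sport, dport in packets:
        if dport == 53:
            servers.add(dst)
        elif sport == 53:
            servers.add(src)
    return sorted(servers)


if __name__ == "__main__":
    print(parse_query(SAMPLE_QUERY)["questions"][0])
    # constructed flow summary: client 192.0.2.15 asking 192.0.2.3 on port 53
    print(dns_servers([("192.0.2.15", "192.0.2.3", 40211, 53),
                       ("192.0.2.3", "192.0.2.15", 53, 40211)]))
```

For the sample query the Type field sits at offset 25 (12-byte header plus the 13-byte QNAME) and its two bytes are 00 01, the A record type; that is the value Wireshark highlights when you click “Type” in the protocol pane.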

10. The ability to search a network capture within wireshark is another powerful feature. Click the “Edit” menu and then click “Find Packet” from the drop down menu to show the following dialog box:


a. We are going to search for our first visit to the UAH website. Ensure the radio button “String” is checked and then type in the following text exactly as it appears below:

Host: www.uah.edu

b. Now click find, which should result in the following packet being displayed:

c. As you can see this is our request, since it is an HTTP/1.1 GET request. To verify this, scroll down in the protocol window, look at the “Referer:” information and select it. Record the domain name of the referrer here. Note: The domain name string is located between “http://” and the first “/” that follows it.

11. Wireshark has the ability to follow specific streams within a network packet capture to show both the server and client sides of the conversation in an easy to read format. To follow the TCP stream from the previously searched packet, simply right-click the packet in the top packet list window and select “Follow TCP Stream” from the pop up menu.

a. Notice that by default Wireshark shows all client side traffic in “Red” and all server side traffic in “Blue”. This is a very useful view for following a full conversation when performing network analysis.

b. Record the server sides value for the HTTP “Content-Encoding” header specification here:


c. Looking at the server's response, why is the “Content-Encoding” information important for performing network forensic analysis on the rest of the packet's payload? Record your answer here. HINT: Is the packet data readable in its current format, and once we understand the encoding technique, what can we do about it?

d. Close the “Follow TCP Stream” dialog box.

12. This concludes the basic familiarization with Wireshark. Throughout the rest of the labs these basic skills will not be covered again, so you may need to refer back to this section. Close Wireshark and do not save the network capture file.

WireShark Forensic Investigation Example

1. Open wireshark and the following file:

Full Path to file: /root/mis501/lab6/mis501_forensics.pcap

Note: The file open option is located under the “File” menu item and you can use the pop up dialog to drill down into the file system to open this network capture.

2. There are a number of interesting characteristics within this network capture file. Please fill in the following information by analyzing this capture file in wireshark:

Client IP: ______
Client Port: ______
Server IP: ______
Server Port: ______

3. Based on the information captured above, what application layer protocol do you believe we are dealing with in this network capture file?

4. Wireshark has several statistics displays built in that can be very useful when performing network analysis. Let’s look at a few:


a. Summary Statistics: Click on the “Statistics” menu option and then select “Summary” from the drop down menu. Fill in the following information based on this display:

First Packet Time/Date: ______
Last Packet Time/Date: ______
Elapsed Time for Capture File: ______
Total Number of Packets: ______
Average Packet Size: ______

i. Close this dialog box.

b. Protocol Hierarchy Statistics: Click on the “Statistics” menu option and then select “Protocol Hierarchy” from the drop down menu. Fill in the following information based on this display:

Percentage of TCP Packets: ______
Percentage of HTTP Packets: ______

i. Based on this new information, do you believe your answer to question 3 is still correct? If not, what application layer protocol do you believe is in use now?

ii. Close the protocol hierarchy dialog box.

5. Apply the following display filter to show only HTTP packets within the capture file:

http

a. What is the “Info” column message for all of the HTTP packets in the top packet list window?

b. Expand out the HTTP protocol information for any of the packets within this filtered view. What is the only HTTP protocol subfield available/listed?

c. Now with this new information you can see that HTTP is not the application protocol being used in this network packet capture file. By default Wireshark chooses a dissector from the port numbers, and since the server port was 80 it decoded this capture as HTTP. Wireshark did leave clues in its Info column that the decoding was wrong, so this is something to look for when performing network forensics with Wireshark in the future. (When you do know the real protocol, “Decode As...” under the “Analyze” menu lets you override the port-based choice.)

d. Clear your display filter to show all network packets in the capture file.

6. Since we discovered that the application protocol was not HTTP, let's take a deeper dive into the entire conversation.

a. Follow the TCP Stream and answer the following questions:

i. What is the hostname of the computer infected by the bot?

ii. What is the uptime for the infected host?

iii. What sensitive information is being uploaded by the infected host?

7. Now that we know the attacker was not using the HTTP application layer protocol, why do you think the botnet creator chose port 80 for exfiltrating the sensitive data?

8. Close wireshark and this capture file.
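The following Python script is an added example, not part of the lab and not taken from the lab's capture files: it applies the two ideas from the last two sections, namely decoding a “Content-Encoding: gzip” response so its body becomes readable, and classifying a reassembled conversation by its content rather than by its port so that a non-HTTP protocol on port 80 is flagged. The HTTP exchange, the binary beacon on port 80 and the page body are all constructed for this example, and the function names are this example's own.

```python
import gzip
import re
import zlib

# A conversation is treated as HTTP only if it starts the way HTTP must start.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


def classify_stream(client_bytes, server_bytes):
    """Judge a reassembled conversation by its content, ignoring the port."""
    c, s = REQUEST_LINE.match(client_bytes), STATUS_LINE.match(server_bytes)
    if c and s:
        return "http"
    if c or s:
        return "partial-http"
    return "not-http"


def parse_http_response(raw):
    """Split a raw server response into (status line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def readable_body(raw):
    """Undo Content-Encoding so the payload can actually be read and searched."""
    status, headers, body = parse_http_response(raw)
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding == "deflate":
        try:
            body = zlib.decompress(body)                   # zlib-wrapped, as the RFC says
        except zlib.error:
            body = zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate, seen in the wild
    elif encoding != "identity":
        raise ValueError("unsupported Content-Encoding: " + encoding)
    return status, headers, body


def flag_port_mismatches(conversations):
    """conversations: (server_port, client_bytes, server_bytes). Return those on
    a web port whose payload does not look like HTTP at all."""
    return [(port, classify_stream(c, s))
            for port, c, s in conversations
            if port in (80, 8080) and classify_stream(c, s) == "not-http"]


# Constructed samples (not the lab's capture files).
PAGE = b"<html><head><title>UAH</title></head><body>Welcome</body></html>"
COMPRESSED = gzip.compress(PAGE)
HTTP_CLIENT = (b"GET / HTTP/1.1\r\nHost: www.uah.edu\r\n"
               b"Accept-Encoding: gzip, deflate\r\n\r\n")
HTTP_SERVER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Content-Length: " + str(len(COMPRESSED)).encode() + b"\r\n\r\n"
               + COMPRESSED)
# A made-up binary beacon sent to port 80: length-prefixed record, no request line.
BOT_CLIENT = b"\x00\x1c\x01host=lab-pc;uptime=3d;acct=1234"
BOT_SERVER = b"\x00\x02OK"

if __name__ == "__main__":
    print(classify_stream(HTTP_CLIENT, HTTP_SERVER))   # http
    print(classify_stream(BOT_CLIENT, BOT_SERVER))     # not-http
    print(readable_body(HTTP_SERVER)[2])               # the decompressed page
    print(flag_port_mismatches([(80, HTTP_CLIENT, HTTP_SERVER),
                                (80, BOT_CLIENT, BOT_SERVER)]))
```

The gzip body is unreadable in Follow TCP Stream until it is decompressed, which is the point of recording the Content-Encoding header; and the beacon is flagged because a real HTTP conversation must begin with a request line and a status line, whatever port it uses.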

File Carving with Wireshark


1. Open wireshark and the following network capture file:

/root/mis501/lab6/mis501_filecarving.pcap

2. Fill in the following information using what you have learned so far using wireshark:

Client IP: ______
Client Port: ______
Server IP: ______
Server Port: ______
Application Layer Protocol: ______
First Packet Date/Time: ______
Last Packet Date/Time: ______
Elapsed Time for Capture File: ______
Total Number of Packets: ______
Average Packet Size: ______

3. You may have noticed wireshark uses colors to identify things such as protocols, errors, and other capture related data to the user. To identify what the yellow color is in the packet-listing window we need to look it up on the coloring rules. To do this follow these steps:

a. Click the “View” menu option and then select “Coloring rules” from the drop down menu items.

b. Scroll down to the yellow highlighting with black letters. What protocol does this coloring represent?

c. What does a black highlighting with green letters represent?

d. Close the coloring rules dialog box.

4. Since the SMB protocol is commonly used for file sharing, let's look at extracting a file out of the network capture for further analysis. To do this follow these steps:

a. Go to packet number “101” and select it.

b. What is the name of the file being transferred in this SMB request? Hint: Expand out the SMB protocol details in the protocol analysis window to expose the request details.

c. Now that you have expanded out the details to find the file name scroll further down in the protocol analysis window to the “File Data:” field and highlight it just like in the following image:

d. Right click the “File Data” field and select “Export Selected Packet Bytes” from the pop up menu.

e. Name this file “evidence_file.txt” and click save.

f. Open this file following these steps:

i. Click on the “Konsole” icon located on the task bar at the bottom of your screen. This icon is a black screen with greater than sign in the top left of it.

ii. Type the following on the command line to open “Kate” a text editor:

root@bt:~# kate /root/mis501/lab6/evidence_file.txt

g. What sensitive information was being transferred via the SMB protocol?


h. Close Kate.

5. Close wireshark and the packet capture file.
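The following Python script is an added example, not part of the lab: it does by hand what “Export Selected Packet Bytes” did for you, reading a classic pcap file, picking out the TCP segments of one flow and reassembling their payloads in sequence order, so the carved data is correct even when the capture holds the segments out of order or repeated. The sample capture is built inline by the script (Ethernet/IPv4/TCP headers with checksums left at zero, addresses from the VirtualBox NAT range the lab uses), so nothing here comes from mis501_filecarving.pcap; the payload strings and the function names are this example's own.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1


def build_frame(src_ip, sport, dst_ip, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero) used only to
    fabricate a sample capture for this example."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # dst MAC, src MAC, EtherType IPv4


def build_pcap(frames):
    """Write a classic little-endian pcap (magic 0xa1b2c3d4, version 2.4)."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap_bytes):
    """Yield ((src, sport, dst, dport), seq, payload) for every TCP segment that
    carries data. Minimal reader: Ethernet/IPv4 only, no fragment handling."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xa1b2c3d4 else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                                          # end of the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                  # not TCP
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]            # skip the TCP header and options
        if payload:
            key = (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
            yield key, seq, payload


def carve_stream(pcap_bytes, flow):
    """Reassemble one direction of a flow by sequence number, dropping
    retransmitted duplicates, as Follow TCP Stream does before you export."""
    segments = {}
    for key, seq, payload in tcp_segments(pcap_bytes):
        if key == flow:
            segments.setdefault(seq, payload)         # first copy of a sequence number wins
    return b"".join(segments[seq] for seq in sorted(segments))


# Constructed sample: a client writing a file to an SMB server on port 445, with
# the two data segments captured out of order and the first one retransmitted.
FLOW = ("10.0.2.15", 49152, "10.0.2.20", 445)
PART1 = b"ACCOUNT=1234-5678;PIN=0000;"
PART2 = b"OWNER=lab user\n"
SAMPLE_PCAP = build_pcap([
    (1, build_frame("10.0.2.15", 49152, "10.0.2.20", 445, 1000 + len(PART1), PART2)),
    (2, build_frame("10.0.2.15", 49152, "10.0.2.20", 445, 1000, PART1)),
    (3, build_frame("10.0.2.20", 445, "10.0.2.15", 49152, 7000, b"\x00\x00\x00\x04SMB!")),
    (4, build_frame("10.0.2.15", 49152, "10.0.2.20", 445, 1000, PART1)),   # retransmission
])

if __name__ == "__main__":
    data = carve_stream(SAMPLE_PCAP, FLOW)
    with open("evidence_file.txt", "wb") as fh:      # same role as the lab's exported file
        fh.write(data)
    print(data)
```

Exporting only the “File Data” bytes of a single packet, as the lab does, is enough when the file fits in one segment; for a larger transfer you would carve the whole direction of the flow as above, and the real SMB write payload would still need the SMB headers stripped, which Wireshark's dissector did for you.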

Getting Familiar with EtterCap

13. To launch EtterCap with its GTK GUI open a console terminal window by clicking the Konsole icon on the lower task bar located to the right of the Firefox icon. The Konsole icon is shown in the following screenshot and highlighted in red:

14. Launch EtterCap with its GTK GUI by executing the following command within the console terminal window:

root@bt:~# ettercap -G

This command will result in the following GUI being displayed:

15. Select “Unified sniffing” from the main menu option located under the “Sniff” menu item.

16. Choose “eth0” from the drop down Network Interface select box. The EtterCap menu options will now be updated and your GUI should look like this:


17. Select the “Start Sniffing” menu option located under the main menu item “Start” on the main menu bar at the top of the GUI. The status box in the lower portion of the GUI should now have the following output:

Starting Unified Sniffing…

18. Select the “Profiles” view menu item located under the main menu option “View” to show the Systems profile view tab within EtterCap. Your GUI should now look like this:


EtterCap is now sniffing all traffic between you and the Internet and will display IP addresses and hostnames within the profile view tab.

19. To generate some traffic and perform some basic familiarization with EtterCap we will use the FireFox web browser within BackTrack. Open FireFox via its shortcut on the main task bar at the bottom of your BackTrack screen. It is the icon with the orange fox wrapped around the blue sphere.

20. Enter the following URL into FireFox’s Address bar: www.uah.edu

21. Now switch over to the EtterCap GUI without closing your FireFox web browser and view the Profiles view tab. Double click any IP address or Hostname within the Profile view tab to display additional details about the host.

22. Display the additional details regarding the hostname “uah.edu” and fill in the following information:

IP Address: ______
Hostname: ______
Type: ______
Fingerprint: ______
Operating System: ______
Port: ______

23. Notice that EtterCap is capable of fingerprinting specific information regarding the service being run on the remote host, right down to the version number of the web server being used. What could an attacker do with this information, and what are some of the possible methods to prevent EtterCap from gathering this information from the web server?

24. EtterCap is not limited to fingerprinting HTTP or web traffic. To demonstrate this we are going to see what information EtterCap can extract from an encrypted SSH connection attempt. Open a new console terminal within BackTrack. If you don't remember how to open a terminal console, refer to the first step of the EtterCap section where you launched a Konsole terminal. Execute the following command within the console terminal:

root@bt:~# ssh uah.edu

When prompted to accept the remote host's key, type “yes” and press enter. You will be prompted for a password; just press enter three times to be returned to your console prompt. Your ssh console screen should look something like the following screenshot:

Now close the console terminal by typing “exit” and pressing enter.

25. Switch back to your EtterCap GUI and open the additional options for the “uah.edu” hostname. Now look at the port information for port 22. What version of SSH is running on the host “uah.edu”? Note: the SSH identification string is exchanged in cleartext before key exchange begins, which is why a passive sniffer can read it even though the session itself is encrypted.


26. This concludes the introduction to EtterCap. Close EtterCap and all associated windows and your FireFox browser windows.

Introduction to P0f

9. Within BackTrack open a console terminal window; if you don't remember how to do this, refer to the first step of the Getting Familiar with EtterCap section.

10. P0f does not have a GUI interface, so we will need to observe the output from the console window. We are going to fingerprint the “uah.edu” host just like we did with EtterCap to compare the results. Launch P0f with the following command within your console window:

root@bt:~# p0f -i eth0 -M -A

You should now see the following in your console window:

11. Now open the FireFox browser within Backtrack and enter the URL “www.uah.edu” into the address bar to visit the default UAH web page.

12. Switch back to your console window where p0f is running and record what OS type p0f thinks UAH is running here:

13. Is this OS fingerprint different from EtterCaps? Why do you think that is?

14. To fix this issue let's update p0f's signature set for ACK mode detection by creating a custom signature file. First we need to stop the current p0f process by pressing CTRL-C in the console window where it is running. You should see the following message printed on the console if you successfully exited p0f:

“^C+++ Exiting on signal 2 +++”

15. P0f can print the signature it observes as part of its console output. To do this, execute p0f with the following command:

root@bt:~# p0f -i eth0 -S -A

16. Once p0f is running refresh the UAH webpage within Firefox by pressing the Reload icon or retyping the URL www.uah.edu and pressing enter. Switch back to your console terminal to observe p0f’s output. You should now see a new line under the console output called “Signature”. The signature should look something like this string “65535:64:0:44:M1460:A”. Record your signature here:

17. Once you have the signature recorded stop p0f by pressing “CTRL-C”.

18. Now we need to create a new ACK mode signature file. To do this we will use the nano text editor built into the Backtrack console. Create a new p0f filter by executing the following command to open nano:

root@bt:~# nano new_p0f.p0fa

This will open the nano text editor show in the following screenshot:

Copy and paste your signature into this file or manually type it in. Append the following text to the end of your signature without the quotes: “:Linux 2.6.x:Apache Web Server”. Your screen should look something like this screenshot:


Press CTRL-O to write out your new file, and press enter when prompted for the file name. Now press CTRL-X to exit nano and return to your command prompt.

19. Your new ACK mode signature file should now be in your current directory; verify this by printing it to the console window with the following command:

root@bt:~# cat new_p0f.p0fa

Your output should look like the following screenshot:

20. Now we need to verify our signature by running p0f with this signature file, which is supplied with the “-f” option. Execute p0f within your console window with the following command:

root@bt:~# p0f -f new_p0f.p0fa -A -i eth0

21. Once p0f is running, switch back to your FireFox web browser and reload the “www.uah.edu” web page. Do this and record p0f's new output for the UAH website here:


22. This concludes the introduction to p0f lab. Exit and/or close all associated windows and programs such as FireFox, the console windows, and p0f before continuing on with this lab.
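The following Python script is an added example, not part of the lab and not p0f's own code, showing how a signature file like the one you just wrote is used: it parses lines in p0f's wwww:ttt:D:ss:OOO:QQ:OS:Details syntax and matches them against the values taken from one SYN+ACK. The two BASE_SIGNATURES entries and the OBSERVED values are constructed for illustration (they are not lines from p0f's shipped database); CUSTOM_SIGNATURE is the line this section has you write. The matching rules are a simplified version of p0f's, written for this example: the TTL in a signature is the initial TTL, so a host 12 hops away (TTL 52 observed) still matches an entry written with TTL 64 and the hop count is reported as distance.

```python
from dataclasses import dataclass

# Constructed entries in p0f v2 SYN+ACK syntax (wwww:ttt:D:ss:OOO:QQ:OS:Details).
# Stand-ins for illustration, not lines from p0f's shipped p0fa.fp.
BASE_SIGNATURES = """
# window:ttl:df:size:options:quirks:os:details
65535:128:1:48:M1460,N,N,S:.:DemoOS A:sample entry (constructed)
S4:64:1:60:M1460,S,T,N,W0:.:DemoOS B:sample entry (constructed)
"""

# The line the lab has you write into new_p0f.p0fa: the printed signature plus
# the OS and details fields it tells you to append.
CUSTOM_SIGNATURE = "65535:64:0:44:M1460:A:Linux 2.6.x:Apache Web Server"


@dataclass
class Signature:
    window: str
    ttl: int
    df: int
    size: str
    options: str
    quirks: str
    os: str
    details: str


def parse_signatures(text):
    """Parse signature lines, skipping blanks and comments; details may contain ':'."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 8:
            raise ValueError("malformed signature: " + line)
        sigs.append(Signature(f[0], int(f[1]), int(f[2]), f[3], f[4], f[5], f[6], ":".join(f[7:])))
    return sigs


def window_matches(spec, window, mss):
    """p0f window notation: exact value, '*' any, 'Sn' = n times MSS, '%n' = multiple of n."""
    if spec == "*":
        return True
    if spec.startswith("S"):
        return mss is not None and window == int(spec[1:]) * mss
    if spec.startswith("%"):
        return window % int(spec[1:]) == 0
    return window == int(spec)


def match(sigs, obs):
    """obs holds window, ttl, df, size, options, quirks and mss from one SYN+ACK.
    The signature TTL is the initial TTL; the observed one may be lower by the hop
    distance, which is reported (p0f assumes a path of at most 32 hops).
    Simplified matcher written for this example, not p0f's own logic."""
    for sig in sigs:
        distance = sig.ttl - obs["ttl"]
        if not 0 <= distance < 32:
            continue
        if sig.df != obs["df"] or sig.options != obs["options"] or sig.quirks != obs["quirks"]:
            continue
        if sig.size != "*" and int(sig.size) != obs["size"]:
            continue
        if not window_matches(sig.window, obs["window"], obs["mss"]):
            continue
        return {"os": sig.os, "details": sig.details, "distance": distance}
    return None


def format_signature(obs):
    """The raw tuple printed for an observed packet, which is what you paste into the file."""
    return f'{obs["window"]}:{obs["ttl"]}:{obs["df"]}:{obs["size"]}:{obs["options"]}:{obs["quirks"]}'


# Constructed observation of a web server's SYN+ACK seen 12 hops away (TTL 64 -> 52).
OBSERVED = {"window": 65535, "ttl": 52, "df": 0, "size": 44,
            "options": "M1460", "quirks": "A", "mss": 1460}

if __name__ == "__main__":
    base = parse_signatures(BASE_SIGNATURES)
    print(format_signature(OBSERVED), "->", match(base, OBSERVED))      # None: unknown
    updated = base + parse_signatures(CUSTOM_SIGNATURE)
    print(format_signature(OBSERVED), "->", match(updated, OBSERVED))   # Linux 2.6.x, distance 12
```

Before the custom line is added the observation matches nothing, which is the “UNKNOWN” result you saw in step 12; after it is added the same packet is reported as Linux 2.6.x. Keep in mind that a signature you write from one observation only encodes what that one stack sent, so the label is only as trustworthy as the evidence you had when you wrote it.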

Introduction to NetworkMiner

6. NetworkMiner is located within your Windows XP Virtual machine, so you will need to launch your Windows XP VM.

7. Extract the NetworkMiner Zip file from this location: “C:\MIS501\NetworkMiner-0.92”. To extract the zip file within Windows XP double click the “NetworkMiner-0.92” zip file, which will open the zip file within Windows Explorer. Copy the entire folder out of Windows Explorer onto your Desktop. When prompted by Windows Explorer click the yes button.

8. Open the new folder on your desktop and open NetworkMiner by double clicking the purple icon with the pick axe image shown in the following screenshot:

9. The NetworkMiner GUI looks like the following screenshot:


NetworkMiner is a network forensics tool jam-packed with a whole suite of features we won't be using in this lab, but I encourage you to explore them on your own time.

10. We are going to fingerprint “www.uah.edu” just like we did with both EtterCap and p0f earlier in this lab. To do this first select the first listed Network Adapter from the drop down select box within the NetworkMiner GUI. The IP address for this interface should be something like: 10.0.2.xxx.

11. Now click the “Start” button located next to the drop down box to start your packet capture.

12. Open either Internet Explorer or FireFox and surf to the “www.uah.edu” web page.

13. Now return to your NetworkMiner GUI and find the host associated with “www.uah.edu”. Expand out the additional information associated with this host by clicking on the “+” icon. Expand out the OS information and record the related information here:

14. As you can see, NetworkMiner uses the same kinds of signatures found in EtterCap and p0f for operating system fingerprinting, which means its signatures can be updated just as we did with p0f earlier in this lab. We won't do this exercise for NetworkMiner, but if you're curious the signature files are located in the NetworkMiner directory titled “Fingerprints”, and I would encourage you to try this on your own, as it is an extremely powerful and useful capability.

15. Close and Exit NetworkMiner as this concludes the introduction to NetworkMiner section of this lab.

Applying what you have learned with Passive OS Fingerprinting

1. In most scenarios there are multiple web servers for a domain running different Operating Systems and different Web Applications. In many cases we can discover these new hosts by simply surfing and/or browsing web links from the main domain names web page or site. To put this information into practice we are going to discover 5 new hosts for the uah.edu domain name.

2. Using EtterCap while you are browsing and discovering new hosts, fill out the following table. Remember you need at least five new hosts, but feel free to explore even more if you have time. One last hint to make this a little simpler: in most cases subdomains will be hosted on different web servers. An example subdomain for uah.edu would be example.uah.edu, where example is the subdomain name and uah is the main domain name. Mousing over links within your web browser will display the URL on the status bar at the bottom of your web browser, which could speed up the process of selecting links that could lead you to new hosts.

Host name or IP discovered | EtterCap port information reported | EtterCap OS reported
---------------------------|------------------------------------|---------------------
1. | |
2. | |
3. | |
4. | |
5. | |

3. This concludes tonight’s lab. Remember to close out of all applications and to power down your virtual machines before leaving.