Network Security
CIS 534
Advanced Network Security Design
Table of Contents
Toolwire Lab 1: Analyzing IP Protocols with Wireshark (p. 6)
    Introduction (p. 6)
    Learning Objectives (p. 6)
    Tools and Software (p. 7)
    Deliverables (p. 7)
    Evaluation Criteria and Rubrics (p. 7)
    Hands-On Steps (p. 8)
        Part 1: Exploring Wireshark (p. 8)
        Part 2: Analyzing Wireshark Capture Information (p. 12)
Lab #1 - Assessment Worksheet (p. 19)
    Analyzing IP Protocols with Wireshark (p. 19)
    Overview (p. 20)
    Lab Assessment Questions & Answers (p. 20)
Toolwire Lab 2: Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic (p. 22)
    Introduction (p. 22)
    Learning Objectives (p. 23)
    Tools and Software (p. 23)
    Deliverables (p. 23)
    Evaluation Criteria and Rubrics (p. 23)
    Hands-On Steps (p. 24)
        Part 1: Analyzing Wireless Traffic with Wireshark (p. 24)
        Part 2: NetWitness Investigator (p. 31)
Lab #2 - Assessment Worksheet (p. 34)
    Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic (p. 34)
    Overview (p. 34)
    Lab Assessment Questions & Answers (p. 35)
Toolwire Lab 3: Configuring a pfSense Firewall on the Client (p. 36)
    Introduction (p. 36)
    Learning Objectives (p. 37)
    Tools and Software (p. 37)
    Deliverables (p. 37)
    Evaluation Criteria and Rubrics (p. 37)
Learning Objectives
Upon completing this lab, you will be able to:
- Use basic features of the Wireshark packet capture and analysis software
- Apply appropriate filters to view only the traffic subset of interest
- Be able to reliably and consistently place probes to capture packet traffic
- Determine if timing and clocking is synchronized for better reliability and repeatability
- Guarantee that all traffic is being captured and that the interface rate and capture rate are compatible
- Capture and analyze basic Internet Protocol transactions and determine basic configuration information about the IP hosts from which traffic is captured
Wireshark
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Assessments file;
2. Optional: Challenge Questions file, if assigned by your instructor.
1. Use basic features of the Wireshark packet capture and analysis software. - [10%]
2. Apply appropriate filters to view only the traffic subset of interest. - [20%]
3. Be able to reliably and consistently place probes to capture packet traffic. - [20%]
4. Determine if timing and clocking is synchronized for better reliability and repeatability. - [20%]
5. Guarantee that all traffic is being captured and that the interface rate and capture rate are compatible. - [20%]
6. Capture and analyze basic Internet Protocol transactions and determine basic configuration information about the IP hosts from which traffic is captured. - [10%]
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written.
Frequently performed tasks are explained in the Common Lab Tasks document on the
vWorkstation desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to
open the file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local
computer and print a copy for your reference. Instructions for transferring the
file can be found in the file itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find
answers to these questions as you proceed through the lab steps.
exactly once. All of these steps are not needed for every packet analysis, but it
is a good way of familiarizing yourself with the various capabilities of
Wireshark.
6. Maximize the Wireshark window.
The Wireshark window opens with the detailed information about the first
packet captured, Frame 1, displayed in the middle pane. Use your mouse to
drag the borders of any pane up or down to change its size.
- The top pane of the Wireshark window contains all of the packets that
Wireshark has captured, in time order, and provides a summary of the
contents of each packet in a format close to English. Keep in mind that the
content will be different depending upon where you capture packets in
the network. Also remember that source and destination are
relative to where a packet is captured. This area of the Wireshark
window will be referred to as the frame summary.
- The middle pane of the Wireshark window is used to display the packet
structure and the contents of the fields within the packet. This area of the
Wireshark window will be referred to as the frame detail.
- The bottom pane of the Wireshark window displays the byte data. All of
the information in the packet is displayed in hexadecimal on the left and,
where the bytes are printable, as characters on the right. This can be a very
useful feature, especially if the passwords for which you are looking are
unencrypted. This area of the Wireshark window will be referred to as
the byte data.
In the next figure, Wireshark is running on the Local Area Network of the IP Host.
Wireshark can also run within the network.
Figure 8 Wireshark capturing packets from a probe or hub
In the final figure, Wireshark is running in a peer-to-peer configuration, as opposed to a
client-server configuration, with Wireshark running on the right IP Host.
Figure 9 Wireshark capturing packets in a peer-to-peer configuration
Where packets are captured and how they are captured has a big impact on how the
packets are analyzed. By running the Wireshark software on the same computer that is
generating the packets, the capture is specific to that machine but Wireshark may impact
the operation of the machine itself and its applications. On the other hand, using a
network probe or hub device, or the capture port (frequently called a SPAN port
(Switched Port Analyzer)) of a LAN switch can provide more accurate timing
information but requires use of filters to identify traffic between the proper endpoints.
7. Click Capture on the Wireshark menu and Stop to stop the packet capture.
Packet Capture must be stopped before packets can be analyzed. You may wish
to look through the packets that have been captured live during this session
before continuing to see the variety of data captured by Wireshark.
8. Drag the frame borders of the frame detail pane to expand it.
Notice, that Wireshark displays the content in the frame detail pane in reverse
order of the Open Systems Interconnection (OSI) Reference Model. In
Wireshark, the physical layer appears at the top of the list and the application
layer appears at the bottom of the list.
Note: Remember, because Wireshark is capturing traffic live, your default
content will be different from the screen captures in this part of the lab. Explore
your Wireshark traffic to see how it compares.
Figure 10 Frame detail pane
9. Click the plus sign at the beginning of the frame number line to expand the
fields. Notice the number of fields related to time.
Figure 11 Expanded frame detail
Note: There are two very important considerations relative to how Wireshark handles
time. Very often certain events are reported relative to clock time. It is important to
consider the fact that clock time may or may not be the same as the system time of the
device or devices used to run Wireshark and capture packets. The timestamp used by
Wireshark is the current system time on the machine upon which Wireshark is
running. Attempting to synchronize Wireshark captures made on two different
machines requires consideration of time differences, including time zone. The
potential problems can be alleviated somewhat by using Network Time Protocol
(NTP) on both machines, but there are still a myriad of issues, such as which clocks were
used for synchronization. Even if the same clock is used, there is propagation delay
for the timing packets, which can introduce discrepancies which, though small,
matter a lot, especially when capturing packets from high speed interfaces. In order to
overcome time zone mismatches, a common best practice is to use the UTC
(Coordinated Universal Time) time zone.
1. Select File > Open from the Wireshark menu to open the labs capture file.
A pop-up alert will remind you to consider saving your data. Opening any new
capture file will overwrite the packets already in the Wireshark window unless
those packets are explicitly saved.
Figure 12 Wireshark save warning
2. At the prompt, click Continue without Saving for this part of the lab.
3. In the Open Capture File dialog box, navigate to the Desktop, select the
PacketCapture file, and click Open.
Note: The MAC address for the source device is 00:22:fa:1c:eb:e6. To the left of the
full MAC address Wireshark shows IntelCor_1c:eb:e6. It means that Wireshark has
interpreted 00:22:fa as the IEEE-assigned manufacturer's unique ID. This information
is almost always correct but can be manipulated. The first 6 hexadecimal characters of
the MAC address are called the OUI (Organizationally Unique Identifier) and denote
the company that manufactured the device's network card. The company associated
with each unique OUI can be found online at
http://standards.ieee.org/develop/regauth/oui/public.html.
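The note above describes how Wireshark splits a MAC address into the IEEE-assigned OUI and the device-specific part, and warns that the vendor shorthand can be manipulated. The following is an added example, not code from the lab or from Wireshark, that performs the same decoding and also checks the two flag bits in the first octet: the locally-administered bit (which means the address was not burned in by a vendor, so no OUI lookup applies) and the multicast bit. The OUI table is a constructed subset containing only the two prefixes shown in this lab manual; a real lookup would use the IEEE registry linked above.

```python
# Added example (not from the lab): decode a MAC address into its OUI, look up
# the vendor shorthand the way Wireshark displays it, and flag addresses whose
# first octet says "locally administered" or "group/multicast".
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table: only the two prefixes that appear in this lab manual.
OUI_TABLE = {
    "00:22:fa": "IntelCor",
    "00:14:a5": "GemtekTe",
}


@dataclass
class MacInfo:
    address: str                 # normalized lower-case colon form
    oui: str                     # first three octets
    vendor: Optional[str]        # shorthand from OUI_TABLE, or None if unknown
    locally_administered: bool   # U/L bit (0x02 of first octet): not a vendor-assigned OUI
    multicast: bool              # I/G bit (0x01 of first octet): group address


def parse_mac(text: str) -> MacInfo:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    hexdigits = "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    address = ":".join(f"{o:02x}" for o in octets)
    oui = address[:8]
    return MacInfo(
        address=address,
        oui=oui,
        vendor=OUI_TABLE.get(oui),
        locally_administered=bool(octets[0] & 0x02),
        multicast=bool(octets[0] & 0x01),
    )


def describe(text: str) -> str:
    """Render the address as Wireshark's shorthand (e.g. IntelCor_1c:eb:e6) when possible.

    A locally administered address is reported as such instead of being matched
    against the vendor table, because its first three octets are not an OUI.
    """
    info = parse_mac(text)
    tail = info.address[9:]
    if info.locally_administered:
        return f"{info.address} (locally administered: no vendor OUI)"
    if info.vendor:
        return f"{info.vendor}_{tail}"
    return info.address


if __name__ == "__main__":
    for sample in ("00:22:fa:1c:eb:e6", "0014.a5cd.747b", "02:00:00:aa:bb:cc"):
        print(sample, "->", describe(sample))
```

When comparing addresses across frames, compare the full hexadecimal form returned in `MacInfo.address`, not the shorthand: as the later wireless lab notes, one vendor can own several OUIs, and the shorthand is only a convenience.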
Figure 15 Ethernet II frame detail
1. Record the complete hexadecimal representation for the source and destination
Media Access Control (MAC) addresses. You may choose to make a screen
capture of the data and paste it into a new word processing document for later
reference.
2. Record the code assigned by the IEEE to Intel for use in identifying Intel Core
network interfaces. You may choose to make a screen capture of the data and
paste it into your document for later reference.
3. Record the MAC address used for IPv4 multicast. You may choose to make a
screen capture of the data and paste it into your document for later reference.
4. Click the minus sign at the beginning of the Ethernet II line to close the Data
Link Layer detail.
5. Click the plus sign at the beginning of the Internet Protocol line to expand the
Internet Protocol detail.
Figure 16 Internet Protocol frame detail
6. Record the version of the Internet Protocol that is being used. You may choose to
make a screen capture of the data and paste it into your document for later
reference.
A variety of packets can exist on any given network. The IP version will
determine how the rest of the packet is interpreted. Almost all modern
networks, except for academic and research networks, use IP version 4 or IP
version 6. A different number can be faked by malicious software or might
mean that a packet has been corrupted. As IPv6 gains in popularity it is
increasingly likely that IPv4 and IPv6 will be encountered on the same
network. Both IPv4 and IPv6 will use the same lower layer protocols, such as
Ethernet, but may have their own specialized version of higher layer protocols.
7. Record the source IP address number. The source IP address is the IP address
of the local IP host (workstation) from which Wireshark is capturing packets.
You may choose to make a screen capture of the data and paste it into your
document for later reference.
8. Click the minus sign at the beginning of the Internet Protocol line to close the
Internet Protocol detail.
9. Click the plus sign at the beginning of the User Datagram Protocol line to
expand the Transport Layer detail.
The information in the User Datagram Protocol confirms that the source port in
this capture file is an ephemeral, or temporary, port on the source computer.
We know this because of its numeric range. The port on the destination
computer, however, is in the range of assigned port numbers. Port number 1900
is assigned to SSDP, the Simple Service Discovery Protocol, and indicates that
SSDP is being queried for the existence of services on the network.
Note: The Internet Assigned Numbers Authority (IANA) maintains the official
list of service names and port numbers for all services, such as SSDP, that run
over the Transport Layer protocols TCP and UDP. See the complete list at
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
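The IP-version paragraph and the UDP step above describe what an analyst reads off the Internet Protocol and User Datagram Protocol frame detail: the version nibble, the addresses, and the source and destination ports, with the source judged ephemeral by its numeric range and the destination matched against the IANA assignments. The following added example (not code from the lab) parses those fields from raw bytes and classifies the ports. The packet it parses is constructed here, not taken from the lab's capture file; the service-name table is a small constructed subset of the IANA registry; and 239.255.255.250 is the SSDP multicast group used to make the sample realistic.

```python
# Added example (not from the lab): parse IPv4 + UDP headers and classify ports
# by IANA range. The packet is built in this file; it is not a lab capture.
import struct
from typing import Dict

# Constructed subset of IANA service names (the real list is the registry above).
IANA_NAMES = {53: "domain", 80: "http", 443: "https", 1900: "ssdp"}


def port_range(port: int, dynamic_floor: int = 49152) -> str:
    """IANA ranges: system 0-1023, registered 1024-49151, dynamic/ephemeral 49152-65535.

    dynamic_floor models hosts whose ephemeral range starts lower (Linux defaults
    to 32768): "ephemeral by number" is a heuristic, not a property of the packet.
    """
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "system"
    if port < dynamic_floor:
        return "registered"
    return "dynamic/ephemeral"


def ip_version(packet: bytes) -> int:
    """The IP version is the high nibble of the first header byte."""
    if not packet:
        raise ValueError("empty packet")
    return packet[0] >> 4


def parse_ipv4_udp(packet: bytes) -> Dict[str, object]:
    """Return the IPv4/UDP fields an analyst records from the frame detail pane."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = ip_version(packet)
    if version != 4:
        # Anything but 4 or 6 is corruption or a forged header (see the lab note).
        raise ValueError(f"unexpected IP version {version}: not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    if proto != 17:
        raise ValueError(f"not UDP (IP protocol {proto})")
    if len(packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + ulen]
    return {
        "version": version, "total_length": total_len, "ttl": ttl,
        "src": src, "dst": dst,
        "sport": sport, "sport_range": port_range(sport),
        "dport": dport, "dport_range": port_range(dport),
        "dport_service": IANA_NAMES.get(dport, "unknown"),
        "payload": payload,
    }


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, ttl: int = 4) -> bytes:
    """Construct a minimal IPv4/UDP packet (checksums left zero; enough for parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


# Constructed sample: an SSDP M-SEARCH from an ephemeral port to UDP 1900.
SAMPLE = build_ipv4_udp("192.168.1.64", "239.255.255.250", 52361, 1900,
                        b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n")

if __name__ == "__main__":
    for key, value in parse_ipv4_udp(SAMPLE).items():
        print(f"{key:14} {value!r}")
```

The `dynamic_floor` parameter is the caveat worth remembering when you answer "is this port ephemeral?": the IANA boundary is 49152, but a Linux host's ephemeral range starts at 32768, so a source port such as 40000 is ephemeral on that host even though it sits in IANA's registered range.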
Figure 17 User Datagram Protocol frame detail
10. Click the minus sign at the beginning of the User Datagram Protocol line to
close the Transport Layer detail.
11. Click the plus sign at the beginning of the Hypertext Transfer Protocol line
to expand the In Application Layer detail.
Figure 18 Hypertext Transfer Protocol frame detail
12. Click the minus sign at the beginning of the Hypertext Transfer Protocol line
to close the Application Layer detail.
Note: In the next steps, you will explore the content of the related frame,
number 545. This too is a UDP SSDP request. While frame 546 used IPv4,
frame 545 uses IPv6, but both carry a similarly formatted SSDP request.
13. Click frame 545. Use the scrollbar in the frame summary pane to find the
appropriate frame number.
14. In the frame detail pane, click the plus sign at the beginning of the Frame 545
line to expand the fields. If necessary, drag the frame borders of the frame
detail pane to expand it.
Figure 19 Frame detail for frame 545
15. Repeat steps 9-20 to explore the content of this packet and note any
differences between the two frames as this information may be needed to
complete the lab deliverables.
Note: In the next steps, you will see how applying filters can make analyzing
your data much easier. Filters are one of the most powerful tools in Wireshark.
They allow a very complex set of criteria to be applied to the captured packets
and only the result is displayed. The rest of the packets are still there, they are
just not included in a filtered analysis but can be restored very easily. It is also
possible to save a filtered view of the packets without the additional packets.
Filter expressions may either be built with the Filter Expression dialog window or be
typed directly into the Filter field. For the lab we will start by focusing just
on any packets in the file relating to a visit to Google.com. The IP address for
Google is 74.125.227.112, an IP version 4 address.
16. Click the Expression button next to the Filter text box below the Wireshark
menu to open the Filter Expression dialog box.
Figure 20 The Expression button
17. In the Filter Expression dialog box, use the scrollbars in the Field name box to
locate IPv4 - Internet Protocol Version 4.
18. Click the plus sign at the beginning of the IPv4 - Internet Protocol Version 4
option to reveal the many different fields within IPv4 that can be used in a
filter expression.
19. Click ip.addr to select it.
Figure 21 Starting a filter expression
20. In the Relation box, click == (the double equal sign) to select the equivalent of
equals.
21. In the Value box, type 74.125.227.112 (the IP address for Google.com).
Figure 22 Building a filter expression
22. Click OK to complete the filter and close the Filter Expression dialog box.
Notice that the filter expression that you built now appears in the Filter field
below the Wireshark menu, but there is no change to your data view.
Figure 23 Wireshark filter expression
23. Click the Apply button. Notice the change in the frame number column. All of
the packets visible in the frame summary pane now apply only to Google. All
of the other packets still exist, they are just not displayed.
24. Click Statistics from the Wireshark menu, and select Flow Graph to open the
Flow Graph dialog box.
Figure 24 Flow Graph dialog box
25. Click the TCP flow radio button and click OK.
Wireshark opens the Graph Analysis window. By selecting a TCP flow in the
Flow Graph, you are telling Wireshark that you want to see all of the elements
in a TCP three-way handshake (SYN, SYN-ACK, ACK).
In the filter expression that you applied earlier in the lab, you filtered the
packets to show only the traffic with Google.com (IP Address 74.125.227.112).
Figure 25 Wireshark Flow Graph
26. Expand the center pane of the Flow Graph dialog box until you can see both
the local IP host (192.168.1.64) and the Google.com IP address
(74.125.227.112).
Pay attention to the arrows in this pane. The arrows direction indicates the
direction of the TCP traffic, and the length of the arrow indicates between
which two addresses the interaction is taking place.
27. Use the scrollbar on the right side of the Flow Graph to locate the first three-way TCP handshake between the local IP host and Google.
28. In your document, record the time (found in the Time box on the left) that each
step (SYN, SYN-ACK and ACK) occurred. You may choose to make a screen
capture of the data and paste it into your document.
Note: This situation is a bit tricky. You will notice if you look closely at the
flow graph, also known very commonly as a ladder diagram, that the
interaction between 192.168.1.64 (the local IP host) and 74.125.227.112
(google.com) is already occurring when the new connection is requested. What
is seen in the diagram is the SYN for the new connection at -14408.59765 but it
is not followed immediately by the SYN-ACK and ACK. It is followed
immediately by the PSH-ACK, ACK, PSH-ACK which is required to close the
existing connection. Only then can the SYN-ACK and ACK be exchanged to
open the new connection.
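The note above points out the trap in reading a ladder diagram: the SYN of a new connection can be separated from its SYN-ACK and ACK by segments belonging to another, still-open connection between the same two hosts. The following added example (not code from the lab) pairs SYN, SYN-ACK and ACK by connection 4-tuple rather than by adjacency, so the intervening PSH-ACK/ACK traffic does not break the match, and it reports a SYN that is never answered. The segment list is constructed here to mirror the situation the note describes; the times are made up and are not the lab's timestamps.

```python
# Added example (not from the lab): locate TCP three-way handshakes in a list of
# segments, tolerating other traffic between SYN and SYN-ACK. Data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN-ACK", "ACK", "PSH-ACK", "FIN-ACK", ...


@dataclass
class Handshake:
    client: Tuple[str, int]
    server: Tuple[str, int]
    syn_time: float
    synack_time: Optional[float] = None
    ack_time: Optional[float] = None

    @property
    def complete(self) -> bool:
        return self.synack_time is not None and self.ack_time is not None

    @property
    def duration(self) -> Optional[float]:
        """Time from SYN to the final ACK, or None if the handshake never finished."""
        return self.ack_time - self.syn_time if self.complete else None


def find_handshakes(segments: List[Segment]) -> List[Handshake]:
    """Pair SYN / SYN-ACK / ACK by 4-tuple in capture-time order.

    Completed handshakes come first; SYNs that were never answered follow.
    Segments on other connections (the PSH-ACK/ACK closing an older session
    between the same hosts) have a different 4-tuple and are simply skipped.
    """
    pending: Dict[Tuple[str, int, str, int], Handshake] = {}
    done: List[Handshake] = []
    for s in sorted(segments, key=lambda x: x.time):
        fwd = (s.src, s.sport, s.dst, s.dport)   # client -> server
        rev = (s.dst, s.dport, s.src, s.sport)   # server -> client
        if s.flags == "SYN":
            pending[fwd] = Handshake((s.src, s.sport), (s.dst, s.dport), s.time)
        elif s.flags == "SYN-ACK" and rev in pending and pending[rev].synack_time is None:
            pending[rev].synack_time = s.time
        elif s.flags == "ACK" and fwd in pending:
            hs = pending[fwd]
            if hs.synack_time is not None and hs.ack_time is None:
                hs.ack_time = s.time
                done.append(pending.pop(fwd))
    done.extend(pending.values())
    return done


# Constructed segments (times are invented): a new SYN, then traffic on an
# older connection between the same hosts, then the SYN-ACK/ACK, then a SYN
# to another port that is never answered.
LOCAL, GOOGLE = "192.168.1.64", "74.125.227.112"
SAMPLE = [
    Segment(0.000, LOCAL, 49200, GOOGLE, 80, "SYN"),
    Segment(0.004, LOCAL, 49180, GOOGLE, 80, "PSH-ACK"),
    Segment(0.030, GOOGLE, 80, LOCAL, 49180, "ACK"),
    Segment(0.031, GOOGLE, 80, LOCAL, 49180, "PSH-ACK"),
    Segment(0.045, GOOGLE, 80, LOCAL, 49200, "SYN-ACK"),
    Segment(0.046, LOCAL, 49200, GOOGLE, 80, "ACK"),
    Segment(0.090, LOCAL, 49201, GOOGLE, 443, "SYN"),
]

if __name__ == "__main__":
    for hs in find_handshakes(SAMPLE):
        status = f"complete in {hs.duration:.3f}s" if hs.complete else "SYN unanswered"
        print(hs.client, "->", hs.server, status)
```

Keying on the 4-tuple is what makes the note's situation unambiguous: the SYN at port 49200 and the PSH-ACK at port 49180 belong to different connections, so the flow graph's interleaving changes only the order of the rungs, not which SYN-ACK answers which SYN. An unanswered SYN surfaces as an incomplete handshake, which is also what a scan or a filtered destination looks like in a capture.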
DNSs if it is unable to resolve the current query (in this case issaseries.org). As
this DNS is local, it may or may not have enough information to allow
issaseries.org to be resolved. If the recursion flag is set (as it is in this query),
the local DNS will continue to query higher level DNSs until it is able to
resolve the address. The resolution of this recursive query should appear later
in the frame summary.
Figure 28 Display DNS Detail
39. In the frame summary pane, click Frame 116 (the response to the issaseries.org
query).
In the Queries section of this packet we can confirm that this is the response to
the query for issaseries.org. Further, in the Flags section of this packet, we
learn that the response was No such name indicating that the local DNS
could not find the issaseries.org domain. This does not necessarily mean that
issaseries.org does not exist but, rather, that issaseries.org is not known to any
of the Domain Name Servers that were searched. But, because the recursive
flag is on it is likely that issaseries.org does not exist or no longer exists.
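The two DNS frames discussed above are read from the header flags: the query's recursion desired bit, and the response's RCODE, which Wireshark renders as "No such name". The following added example (not code from the lab) builds a query and a response with those bits set and decodes them, so you can see exactly which bits carry the information the lab asks about. Both messages are constructed here for the name issaseries.org; they are not the frames from the lab's capture file, and the transaction ID is made up.

```python
# Added example (not from the lab): encode and decode the DNS header flags that
# answer "was recursion requested?" and "why did resolution fail?".
import struct
from typing import Dict, Tuple

RCODES = {0: "No error", 1: "Format error", 2: "Server failure",
          3: "No such name", 4: "Not implemented", 5: "Refused"}


def encode_name(name: str) -> bytes:
    """issaseries.org -> b'\\x0aissaseries\\x03org\\x00' (label-length form)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode an uncompressed name at off; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), off


def build_dns(txid: int, name: str, response: bool, rd: bool, ra: bool, rcode: int) -> bytes:
    """Header + one question (QTYPE A, QCLASS IN); no answer records."""
    # Flag layout: QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6-4) RCODE(3-0)
    flags = (int(response) << 15) | (int(rd) << 8) | (int(ra) << 7) | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_dns(msg: bytes) -> Dict[str, object]:
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": txid,
        "response": bool(flags & 0x8000),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "rcode_text": RCODES.get(flags & 0x000F, "Unknown"),
        "qname": qname, "qtype": qtype, "qclass": qclass,
        "answers": an,
    }


def resolution_summary(query: bytes, response: bytes) -> str:
    """One-line reading of a query/response pair, as you would write it in the lab notes."""
    q, r = parse_dns(query), parse_dns(response)
    if q["id"] != r["id"] or q["qname"] != r["qname"]:
        raise ValueError("response does not belong to this query")
    how = "recursive" if q["recursion_desired"] and r["recursion_available"] else "non-recursive"
    outcome = r["rcode_text"] if r["rcode"] else f"{r['answers']} answer record(s)"
    return f"{how} query for {q['qname']}: {outcome}"


# Constructed messages (transaction ID invented), not the lab's frames.
QUERY = build_dns(0x1234, "issaseries.org", response=False, rd=True, ra=False, rcode=0)
RESPONSE = build_dns(0x1234, "issaseries.org", response=True, rd=True, ra=True, rcode=3)

if __name__ == "__main__":
    print(resolution_summary(QUERY, RESPONSE))
```

The summary line shows why the lab draws its conclusion: RD was set in the query and RA in the response, so the local server was expected to recurse; an RCODE of 3 after a recursive lookup means the name was not found by the servers consulted, which is stronger evidence than a plain "unknown here" from a non-recursive server.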
Figure 29 Display DNS Detail
40. Close the virtual lab, or proceed with Part 3 to answer the challenge questions
for this lab.
Overview
In this lab, you exercised a wide variety of capabilities of the Wireshark packet capture and
analysis software. In the first part of the lab, you learned about probe placement, clocking/timing
issues, Wireshark traffic capture, and the use of filters. In the second part of the lab, you utilized
a capture file to answer basic questions about key IP protocols and the basic configuration of the
IP hosts from which traffic is captured. Finally, in the third part of the lab, you explored
Wireshark on your own to answer a set of challenge questions.
2. What are the source and destination MAC address in Frame 546?
6. At what times did the various steps of the Google three step TCP handshake occur?
7. A DNS query failure is referred to a higher level Domain Name Server under what condition?
8. The descriptive text that accompanies the packet analysis is provided by Wireshark. True or
False?
Learning Objectives
Upon completing this lab, you will be able to:
Wireshark
NetWitness Investigator
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1 Step 15, Part 1
Step 29, Part 2 Step 8, and Part 2 Step 10;
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
The main screen of Wireshark includes several shortcuts to make your job easier. There
are four categories of shortcuts.
Wireshark Screen Sections
SECTION TITLE    DESCRIPTION
Capture          This section displays a list of the network interfaces, or machines, that
                 Wireshark has identified, and from which packets can be captured and
                 analyzed.
Files            This section displays the most recent list of files that you were analyzing in
                 Wireshark. The default status for this section is blank because no files have
                 been opened yet.
Online           This section displays shortcuts to the Wireshark website.
Capture Help     This section displays shortcuts to the Wireshark website for help in using
                 the tool.
2. Click Open to display a list of files that are on the desktop.
Figure 3 Wireshark Open Capture File
3. Double-click the DemoCapturepcap.pcapng file to load the packet capture data into the
Wireshark window.
Note: Wireshark capture files, like the DemoCapture file found in this lab, have a
.pcapng extension, which stands for packet capture, next generation.
Figure 4 Wireshark Frame Summary
Note: Many people believe that it is necessary to enable the Wireless Toolbar (View >
Wireless Toolbar) any time they are looking at wireless traffic. However, even if you
were to enable the Wireless Toolbar at this point, the option would remain greyed out
because the toolbar is only used when capturing live traffic, and then only if the AirPcap
interface is enabled. In this virtual lab, we are using a pre-captured file and are not
capturing live traffic, so it is not necessary to turn on the Wireless Toolbar.
4. Drag the top border of the Frame Detail pane up to expand it until only the summaries
of frames 1, 2, and 3 are shown.
Figure 5 Wireshark window with enlarged Frame Detail pane
5. Click the plus sign at the beginning of the Frame 1 line in the Frame Detail pane to
expand the fields. Notice the number of fields related to time. This part of the display will
be the same for wired or wireless traffic. However, the Encapsulation type: Per-Packet
Information indicator, a field unique to wireless traffic, confirms that this is a wireless
packet.
Note: The detailed information the Wireshark provides about the antennae, signal
strengths, and other aspects of the wireless communications environment can be very
useful for installation, antenna placement, and troubleshooting. It can also be very
valuable in terms of computer forensics because it can be used to map who was able to
communicate with whom, the measured strength of signals, what frequencies are used,
and other data. In addition to forensics on standard Wi-Fi and other forms of traditional
wireless communications, this information can also be very useful for jamming certain
frequencies, determining which devices likely were used to set off remote bombs and
Improvised Explosive Devices (IEDs), and a spectrum of other things.
13. If desired, click the minus sign in front of the PPI version 0 line to collapse the
information relative to the Per-Packet Information encapsulation.
You may have to use the scrollbar to return to this header line.
14. Click the plus sign at the beginning of the IEEE 802.11 QoS Data, Flags line to expand
the 802.11 Quality of Service information and Flags fields.
In this group of fields, Wireshark displays information about the transmitters and
receivers of the data, which allows the network administrator to determine which Media
Access Control (MAC) addresses match each transmitter and receiver.
Figure 10 Frame Address Information
15. Make a screen capture showing the receiver address, the transmitter address, the source
address, and the destination address found in the IEEE 802.11 QoS Data fields.
Note: Remember, Wireshark displays transmitter/receiver addresses in both full
hexadecimal (00:14:a5:cd:74:7b) and a kind of shorthand, in this case,
GemtekTe_cd:74:7b. That shorthand code is Wireshark's translation of the first part of
the receiver address (00:14:a5) into the manufacturer's name or alphanumeric designation
(GemtekTe_). The IEEE has compiled a list of company names that correspond to the
first six characters of the MAC ID, which can be accessed on their Web site at
http://standards.ieee.org/develop/regauth/oui/public.html.
While Wireshark's translation is most likely correct, it is also possible that some
manufacturers, especially those that have acquired other companies, will have more than
one numeric designation that resolves to their name or alphanumeric designation. It is
therefore better to refer to the entire hexadecimal representation of the address rather than
the shorthand.
It is also possible, though not likely, for sophisticated criminals to spoof, or send false
information to, Wireshark. It is unlikely that common criminals, even savvy
cybercriminals, take into account the receiver and transmitter addresses or, even if they
do, have the knowledge and skills to modify the hardware to spoof this information. It is
much more common that the MAC addresses (source and/or destination addresses) are
spoofed, but matching them to their appropriate transmitter and receiver addresses can
provide the needed forensic evidence of which devices were involved in a particular
communication and their role in the suspect activity.
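The note above distinguishes the receiver and transmitter addresses, which identify the radios that actually exchanged a frame, from the source and destination MAC addresses, which are more easily spoofed. Which of the four 802.11 address fields plays which role depends on the To DS and From DS flag bits, and an 802.11 acknowledgement (like frame 2 later in this lab) carries only a receiver address, which should equal the transmitter address of the data frame it acknowledges. The following added example (not code from the lab or from Wireshark) implements that role mapping and the ACK cross-check. The sample frame uses the two Gemtek addresses shown in this lab; its To DS / From DS setting and its third address are constructed assumptions, since the lab does not state them.

```python
# Added example (not from the lab): map 802.11 data-frame address fields onto
# RA/TA/SA/DA/BSSID roles per the To DS / From DS bits, and check that an ACK's
# receiver address matches the transmitter of the frame it acknowledges.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class DataFrame:
    to_ds: bool
    from_ds: bool
    addr1: str
    addr2: str
    addr3: str
    addr4: Optional[str] = None   # present only when To DS and From DS are both set


def _norm(mac: str) -> str:
    return mac.lower().replace("-", ":")


def address_roles(f: DataFrame) -> Dict[str, str]:
    """Addr1 is always the receiver (RA) and Addr2 the transmitter (TA).

    SA, DA and BSSID move between Addr1..Addr4 according to the DS bits
    (IEEE 802.11 address-field table).
    """
    a1, a2, a3 = _norm(f.addr1), _norm(f.addr2), _norm(f.addr3)
    roles = {"RA": a1, "TA": a2}
    if not f.to_ds and not f.from_ds:      # station to station (IBSS / ad hoc)
        roles.update(DA=a1, SA=a2, BSSID=a3)
    elif f.from_ds and not f.to_ds:        # access point -> station
        roles.update(DA=a1, BSSID=a2, SA=a3)
    elif f.to_ds and not f.from_ds:        # station -> access point
        roles.update(BSSID=a1, SA=a2, DA=a3)
    else:                                  # wireless distribution system (AP -> AP)
        if f.addr4 is None:
            raise ValueError("a frame with To DS and From DS set needs four addresses")
        roles.update(DA=a3, SA=_norm(f.addr4))
    return roles


def ack_matches(data: DataFrame, ack_receiver: str) -> bool:
    """An 802.11 ACK carries only a receiver address; it must equal the data frame's TA."""
    return _norm(ack_receiver) == _norm(data.addr2)


def radio_vs_logical(f: DataFrame) -> Dict[str, bool]:
    """Which roles coincide: when TA != SA (or RA != DA) a relay sits between the
    logical endpoints and the radios, so the MAC addresses alone do not tell you
    which device transmitted the frame."""
    r = address_roles(f)
    return {"ta_is_sa": r["TA"] == r["SA"], "ra_is_da": r["RA"] == r["DA"]}


# Constructed sample built from the two addresses shown in this lab; the DS
# bits and third address are assumptions, not values read from the capture.
FRAME1 = DataFrame(to_ds=True, from_ds=False,
                   addr1="00:14:a5:cd:74:7b",   # receiver (here assumed to be the AP/BSSID)
                   addr2="00:14:a5:cb:6e:1a",   # transmitter, also the SA for a To DS frame
                   addr3="02:00:00:00:00:aa")   # constructed destination

if __name__ == "__main__":
    for role, mac in address_roles(FRAME1).items():
        print(f"{role:6} {mac}")
    print("frame 2 ACK receiver matches frame 1 transmitter:",
          ack_matches(FRAME1, "00:14:a5:cb:6e:1a"))
```

In a To DS frame the transmitter and source addresses coincide, so the radio that sent it is the device that claims the source MAC. In a From DS frame they differ by design (the access point relays), which is why an investigator matches source/destination MACs to the transmitter/receiver addresses on the wireless side before attributing traffic to a device.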
16. Click the plus sign in front of the Frame check sequence line to expand those additional
fields.
17. Click the plus sign in front of the QoS Control line to expand those additional fields.
Study the fields and their values. It is within the scope of this lab to understand that the
fields exist but beyond the scope of this lab to explain what each field means and the
interaction of the fields.
Figure 11 Quality of Service detail
18. Click the minus sign in front of the IEEE 802.11 QoS Data, Flags line to collapse these
fields.
Note: There are literally hundreds of fields of data available, depending upon the wireless
communications protocols that are present and those that are captured, and a thousand
different ways to interpret it.
The fields that have been examined thus far are unique to wireless networking. There are
some important aspects to know about capturing the wireless data with Wireshark.
Wireshark is regularly installed with a packet capture library called WinPcap. Based on
the wireless interfaces and how the capture is set up, Wireshark, using this tool, will
display all of the fields it can capture. However, it is possible that in some cases there is
wireless information that Wireshark cannot capture, or can capture only the essence of
the command and control information, but not the information itself.
For this reason, packet capture add-ons, like AirPcap, are frequently installed with
Wireshark. These add-ons allow you to capture more wireless information than without
it. Most network analysts feel that AirPcap is absolutely required for capturing wireless
traffic between devices or between other devices and, say, a wireless access point
depending on your goals and the objectives of the capture. From this point of the lab
forward, all of the data captured will be common to both wired and wireless networking
and would have been captured with Wireshark using AirPcap or WinPcap.
19. Click the plus sign in front of the Logical-Link Control line to expand the LLC fields
and familiarize yourself with the data available.
20. Click the minus sign in front of the Logical-Link Control line to collapse the LLC
fields.
21. Click the plus sign in front of the Internet Protocol version 4 line to expand the header
and familiarize yourself with the data available.
22. Click the plus sign in front of each subfield and familiarize yourself with the data
available.
capture, either by linking the Layer 2 Media Access Control address and/or the Layer 3
IP address to specific wireless information. In this case, the wireless information that is
captured becomes the central point of the investigation. As has happened many times,
forensic investigators, often law enforcement, track illegal content, such as child
pornography, to a quiet residential neighborhood, obtain a search warrant based on
probable cause and execute a search of the premises, only to find that none of the content
covered by the warrant is present. At this point the investigators could give up, or they
could examine the wireless portion of the captured traffic further to determine whether any
of the devices owned by the residents of the home, or their guests' mobile wireless devices,
were responsible for the traffic. What could have happened? Criminals sitting in a car
outside the home, or in a nearby coffee shop, hotel, or other location within radio range,
could have used the wireless access point to transmit and receive the illegal material and
then departed the scene. Investigative techniques such as video surveillance, stakeouts and
sting operations could be brought into play to further the investigation, but the wireless
part of the captured traffic (in particular the 802.11 transmitter and receiver addresses,
which identify the radios involved rather than the public IP address the access point
presented to the Internet) is a critical part of guiding the investigation and possibly of
the ultimate prosecution of the suspects.
29. Click the plus sign in front of the www.polito.it line and familiarize yourself with the
data available. Use the scrollbar, if necessary, to reveal all of the data.
Figure 13 Expanded www.polito.it query frame detail
30. Make a screen capture showing the query name (www.polito.it), the Source IP address,
and the Destination IP address.
31. In the Frame Summary pane, click frame 2 to display the related data in the Frame Detail
pane.
Frame 2 is an 802.11 control frame, an Acknowledgement, confirming receipt of frame 1.
32. If necessary, click the plus sign at the beginning of the IEEE 802.11 Acknowledgement,
Flags line to expand the fields.
Notice that the receiver address for frame 2 (00:14:a5:cb:6e:1a) is the same as the
transmitter address in frame 1.
Figure 14 802.11 command and control packet detail
33. In the Frame Summary pane, click frame 3 to display the related data in the Frame Detail
pane.
34. If necessary, click the plus sign in front of the Domain Name System (response) line to
expand its fields. Use the scrollbar as necessary to locate this header line.
35. If necessary, click the plus sign in front of the Answers line to expand the fields. Use the
scrollbar as necessary to locate this header line.
36. Click the plus sign in front of each line in the Answers section to expand the fields. Use
the scrollbar as necessary to see the details.
These fields detail the response to the DNS query. They include the IP address returned for
www.polito.it (130.192.73.1) and other DNS information such as the time to live (the time a
resolver may keep this answer in its cache before it must query again) of 23 hours, 59
minutes, 25 seconds.
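The dissection Wireshark performs in steps 33 to 36 can be reproduced in a few dozen lines, which makes the layering explicit: Ethernet addresses, then IPv4 addresses, then UDP ports, then the DNS header, question and answer. The following is an added example, not code from the lab or from Wireshark. The frame it parses is constructed in the block: the answer (www.polito.it, A record 130.192.73.1, TTL 86365 seconds) matches the values reported above, while the router MAC, the two IP addresses and the UDP ports are assumed, and the frame uses the Ethernet II encapsulation that WinPcap delivers for wireless data frames rather than the raw 802.11 header examined earlier.

```python
"""Layer-by-layer dissection of a DNS response frame (Ethernet / IPv4 / UDP / DNS).

Added illustration, not code from the lab or from Wireshark. The sample frame is
constructed below: the DNS answer matches the values the lab reports; the MAC and
IP addresses and UDP ports are assumptions for this example.
"""
import struct

CLIENT_MAC = bytes.fromhex("0014a5cb6e1a")   # the lab's frame 1 transmitter address
ROUTER_MAC = bytes.fromhex("001d7e3a9bc4")   # assumed access point / resolver address
RESOLVER_IP, CLIENT_IP = "192.168.1.1", "192.168.1.10"   # assumed
QUERY_NAME, ANSWER_IP, ANSWER_TTL = "www.polito.it", "130.192.73.1", 86365


def encode_name(name):
    """Encode a DNS name as length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame():
    """Construct the sample Ethernet II / IPv4 / UDP / DNS response frame."""
    # DNS header: id, flags (QR|RD|RA), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    dns = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    dns += encode_name(QUERY_NAME) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    dns += struct.pack("!HHHIH", 0xC00C, 1, 1, ANSWER_TTL, 4)       # name = pointer to offset 12
    dns += bytes(int(o) for o in ANSWER_IP.split("."))
    udp = struct.pack("!HHHH", 53, 54321, 8 + len(dns), 0) + dns   # checksum 0 = not computed
    src = bytes(int(o) for o in RESOLVER_IP.split("."))
    dst = bytes(int(o) for o in CLIENT_IP.split("."))
    # version/IHL, DSCP, total length, id, flags/fragment, TTL 64, protocol 17 (UDP), csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return CLIENT_MAC + ROUTER_MAC + b"\x08\x00" + ip + udp         # EtherType 0x0800 = IPv4


def read_name(msg, off):
    """Read a possibly compressed DNS name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                      # the pointer occupies two bytes
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def dissect(frame):
    """Return the fields Wireshark shows for this frame, one layer at a time."""
    def mac(b):
        return ":".join("%02x" % x for x in b)

    def ip4(b):
        return ".".join(str(x) for x in b)

    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
    ip = frame[14:14 + ihl]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = frame[14 + ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    dns = udp[8:ulen]
    txid, flags = struct.unpack("!HH", dns[:4])
    qname, off = read_name(dns, 12)               # question follows the 12-byte header
    off += 4                                       # skip QTYPE and QCLASS
    aname, off = read_name(dns, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
    rdata = dns[off + 10:off + 10 + rdlen]
    return {
        "eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]),
        "ip_src": ip4(ip[12:16]), "ip_dst": ip4(ip[16:20]),
        "udp_sport": sport, "udp_dport": dport,
        "dns_id": txid, "dns_is_response": bool(flags & 0x8000),
        "query_name": qname, "answer_name": aname,
        "answer_addr": ip4(rdata) if rtype == 1 else rdata.hex(),
        "answer_ttl": ttl,
    }


def ttl_hms(ttl):
    """Split a TTL in seconds into (hours, minutes, seconds), as Wireshark displays it."""
    return ttl // 3600, (ttl % 3600) // 60, ttl % 60


if __name__ == "__main__":
    fields = dissect(build_frame())
    for key, value in fields.items():
        print("%-16s %s" % (key, value))
    print("TTL %d s = %d h %d min %d s" % ((fields["answer_ttl"],) + ttl_hms(fields["answer_ttl"])))
```

Note that the answer's owner name is not spelled out a second time in the message: it is a two-byte compression pointer back to the question name, which is why a DNS parser must follow pointers while still returning the offset just past the pointer itself. Wireshark does this transparently when it shows www.polito.it under Answers.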
Figure 15 DNS Response for www.polito.it
Note: In Part 2 of this lab, you will analyze these same packets using NetWitness
Investigator. It is important to realize that NetWitness can also be used to capture and
save network traffic without ever using Wireshark, but if you are using Wireshark for
packet capture and a cursory analysis, as you did in Part 1 of this lab, you will need to
save the captured frames in a format that NetWitness can interpret. The release of
NetWitness Investigator used in this lab does not support the pcapng file format, which is
Wireshark's default, so you must first save the DemoCapture.pcapng file in the older *.pcap
(libpcap) format.
37. Click File > Save As from the Wireshark menu. If necessary, click the Desktop icon,
select Wireshark/tcpdump/ from the drop-down option in the Save as type box. Type
DemoCapture in the File name box.
Figure 16 Wireshark Save As dialog box
38. Click Save to save the new DemoCapture.pcap file in the format NetWitness expects.
39. Click File > Quit to close Wireshark.
the virtual lab does not have access to the Internet, so not all of these links will work
within this environment.
2. On the NetWitness Investigator menu, select Collection > New Local Collection to open
the New Local Collection dialog box.
3. Type DemoCapture in the Collection Name box and click OK.
Similar to creating a new file folder, creating a new local collection within NetWitness
Investigator provides a place to put the packets from the DemoCapture file. This
collection, DemoCapture, will appear in the left pane, the Collection pane, of NetWitness
Investigator.
Figure 18 New Local Collection Creation Window
4. Double-click DemoCapture in the Collection pane to select it and change the status to
Ready.
Figure 19 NetWitness Investigator Collection pane
5. On the NetWitness Investigator menu, select Collection > Import Packets to open the
Open dialog box.
6. If necessary, click the Desktop icon to display the files from the desktop of the
vWorkstation and double-click the DemoCapture file you created in Step 37 of the last
section to begin the import process.
Figure 20 Open dialog box
The Collection pane will display a progress report while the import is underway. When the
import is finished, the DemoCapture collection will again display a status of Ready.
7. Double-click DemoCapture in the Collection pane to open the packet capture file.
The packets from the capture file have been analyzed by NetWitness and all of the
reports generated by NetWitness are displayed in the right pane. Use the scrollbar as
necessary to view the complete list of reports.
Figure 21 Reports from the DemoCapture Collection
Note: The first thing you may notice about the NetWitness reports is that while you will
not find any of the low-level wireless information, such as the 802.11 control frames, you
will find that the kind of sophisticated analysis that requires some work to accomplish
within Wireshark is automated by NetWitness. For instance, the Layer 2 MAC addresses,
which NetWitness presents as Ethernet addresses, and the Layer 3 IP addresses are available
in both Wireshark and NetWitness, but you will not find the 802.11 transmitter and receiver
addresses in NetWitness. What you will find, easily, in NetWitness is information about the
geographic location associated with the source and destination IP addresses which, when
plotted on Google Earth, can aid an investigation.
You should also notice that where both tools provide the same information, such as the
DNS request, the two tools differ in how that information is displayed.
8. In the Service Type report, click DNS to drill down and get further information about the
DNS request.
The (1) that follows the DNS label indicates that there is only one DNS request in this
packet capture file. In the next steps, you will investigate this DNS request and compare
the results against the Wireshark findings.
Figure 22 DNS Query Detail for DemoCapture.pcap
9. Make a screen capture of the DNS query showing the host name alias, the source IP
address, and the destination IP address. Compare the information provided by
NetWitness to the screen capture you made in Wireshark (step 29 in Part 1 of this lab).
10. Use the scrollbar to locate the Ethernet Source and Ethernet Destination reports.
Figure 23 Ethernet fields
11. Make a screen capture showing the Ethernet source and Ethernet destination addresses.
Compare the information provided by NetWitness to the screen capture you made in
Wireshark (step 15 in Part 1 of this lab).
12. In the NetWitness navigation bar, click DemoCapture to return to the high-level analysis
of the entire packet capture file.
Figure 24 NetWitness Investigator navigation bar
13. Use the scrollbar to locate the Destination City report.
14. Click turin to reveal additional details from this report.
Figure 25 NetWitness Investigator Destination City Turin report
15. Use the scrollbar to investigate all of the data associated with this report. From the
data, you can determine that the transaction originated in Turin, Italy and was an HTTP
get request in which a Web site was retrieved. NetWitness has done a lot of analysis of
the higher level transaction without revealing the lower level frame or packet detail to the
user.
Note: While it is accurate to say that the Top Level Domain (TLD) .it belongs to
Italy, there is no assurance that the web site is physically located in Italy, only that a
domain name is registered with the appropriate registrar for the .it TLD. Only by
physically finding the server hosting the website, using geolocation technology such as
Overview
In this lab, you used two common forensic analysis tools, Wireshark and NetWitness
Investigator, to review wireless traffic in the same packet capture file. You learned to
differentiate between the more generalized capabilities of Wireshark and the more specialized,
cybersecurity analysis-focused uses of NetWitness Investigator. You also identified those
aspects of network traffic that remain the same regardless of the physical transport, be it
wired or wireless. Finally, in the third part of the lab, you explored Wireshark on your own to
answer a set of challenge questions.
2. In the second part of the lab, you will implement the configuration choices that you
planned in Part 1 of this lab.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your
own in the third part of the lab to answer a set of challenge questions that allow you to
use the skills you learned in the lab to conduct independent, unguided work, similar to
what you will encounter in a real-world situation.
Learning Objectives
Upon completing this lab, you will be able to:
1. Complete a Physical Configuration planning worksheet and understand the general rules
of physical configuration planning for a firewall which protects a client workstation.
2. Complete the Firewall Rules planning worksheet and understand the general rules for
firewall rules planning for a firewall which protects a client workstation.
3. Configure the physical connectivity of a firewall which protects a client workstation.
4. Configure firewall rules for a firewall which protects a client workstation.
pfSense Firewall
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1.
2.
3.
4.
1. Complete the Physical Configuration planning spreadsheet for a firewall which protects a
client workstation. - [20%]
2. Complete the Firewall Rules planning spreadsheet for a firewall which protects a client
workstation. - [20%]
3. Configure the physical connectivity of the firewall which protects a client workstation. [30%]
4. Configure the firewall rules for a firewall which protects a client workstation. - [30%]
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
In the next steps, you will complete the pfSenseFirewallPlanner spreadsheet. This spreadsheet
contains two worksheets: Physical Configuration and Firewall Rules. The spreadsheet was
designed to document answers to the questions prompted by the pfSense Firewall Setup Wizard,
in the order you will be required to answer them. You will record the configuration settings for
the pfSense Firewall in this spreadsheet as you proceed through the lab. It is a good idea to scan
Part 2 of this lab if you are unfamiliar with firewall configurations. Seeing how the questions are
posed by the wizard might help you understand how the pfSenseFirewallPlanner spreadsheet
works in conjunction with the wizard.
Many of the steps in this part of the lab follow basic Windows conventions on Windows Server
2008. If you are an experienced Windows user who is already familiar with these steps, feel free
to write down the information provided and move ahead with the lab exercises. If you are not
familiar with these functions, please follow the steps and see the results, but also understand
that they vary somewhat between different versions of Windows and vary greatly from the way
similar information is derived in other operating systems.
1. Click the File Transfer button on the vWorkstation desktop to transfer the
pfSenseFirewallPlanner file from the virtual desktop to your local computer.
2. Open the pfSenseFirewallPlanner spreadsheet on your local computer.
The first item on the Physical Configuration worksheet is Hostname. A hostname is the
unique name of the computer (host) on the network capable of originating or responding
to an interaction using the Internet Protocol. The hostname can be found in the Windows
Control Panel.
3. Click Start > Control Panel on the vWorkstation desktop to open the Windows Control
Panel.
Figure 2 Windows Control Panel
4. Click the Network and Internet icon to open the related option list.
Figure 3 Network and Internet options
5. Click View network status and tasks under the Network and Sharing Center heading.
The first icon in the network map at the top of the window indicates that BASE-WIN2008 is the name of this computer.
Figure 4 Network and Sharing Center
6. In the Settings column of the Physical Configuration worksheet, type base-win2008.
Note: Because security practice is heavily influenced by the conventions of the Linux and
Unix operating systems, and because Windows does not differentiate between upper and lower
case in hostnames, standard practice in network security is to use lowercase whenever
possible. Therefore, the hostname BASE-WIN2008 is entered in the spreadsheet as
base-win2008. You might notice also that this hostname is unusual in that it does not include a
unique ID such as a number (besides the year 2008), but it is still a valid name, so it is
added to the worksheet. We may wish to make a special mark, such as an asterisk (*)
or plus sign (+), to indicate that this information will vary for each computer we
configure.
7. In the Comments column of the Physical Configuration worksheet, type *changed for
each configuration to indicate that this information will vary with each computer that
will be configured.
Figure 5 Hostname configuration
8. The next item on the Physical Configuration worksheet is Domain. As this is a local
firewall, type local in the Settings column.
9. The next two items are Primary DNS Server and Secondary DNS Server. The local
DHCP service will provide the IP addresses that work for local DNS, wherever we
happen to turn on this computer. Leave these fields blank, and add a note in the
Comments column.
Note: The DNS server settings deserve care: a poor choice can expose the local computer to
security problems or stop it from working properly. A number of malicious programs change
a computer's DNS server addresses to servers the attacker controls in order to monitor which
sites are visited, redirect browser sessions, or do other, more nefarious things. If these
fields are left blank, the computer will use the DNS server addresses handed out by the
Dynamic Host Configuration Protocol (DHCP) on whatever network it attaches to. That is
convenient, but it leaves the computer at the mercy of the local DHCP server, and of anyone
able to impersonate it, wherever the computer connects. If, on the other hand, the addresses
of internal DNS servers are entered, those servers may not be reachable from the network the
computer is on when it needs them, and name resolution will fail. The same is true of
well-known public DNS servers, such as those of Google, OpenDNS or Verizon.
10. The next item on the Physical Configuration worksheet is the Time Server Hostname.
This information has been provided by the network administrator, so type the IP address
172.21.4.10 in the Settings column. Include a note in the Comments column to indicate
the source of the hostname.
Note: The pfSense firewall timestamps its log entries, so it is essential that all logs use
the same time and date if they are to be correlated easily. One benefit of specifying an IP
address here, rather than a hostname, is that the Domain Name Service is not needed to
resolve the name, so the time server is reached slightly faster and the setting is not
exposed to any problem, security or otherwise, associated with DNS. The obvious downside to
specifying an IP address is that whenever the server's IP address changes, it must be
changed everywhere it appears. Using a hostname instead of an IP address eliminates this
step if the IP address changes.
11. The next item on the Physical Configuration worksheet is Timezone. This information
has been provided by the network administrator, so type Etc/UTC in the Settings
column. Include a note in the Comments column to indicate the source of the Timezone
information.
12. The next item on the Physical Configuration worksheet is the WAN Interface. The
pfSense Firewall wizard allows a choice of DHCP, Static, PPPoE, and PPTP WAN
interface types. According to the network administrator, this computer uses a Point-to-Point Protocol over Ethernet (PPPoE) connection, so type PPPoE in the Settings column.
In general, this will be the Layer 2 protocol for all local machines, even if the machines
are in travel status or use a wireless physical interface.
13. The next item on the Physical Configuration worksheet is the MAC Address. If required
by your network configuration, enter the source MAC address field. In this lab, there is
no interface that will require this feature. Leave this field blank, and add a note in the
Comments column.
14. The next item on the Physical Configuration worksheet is the MTU (Maximum
Transmission Unit). For compatibility with the widest range of networks pfSense allows
us to specify an MTU size, but in this lab you have already specified a PPPoE WAN
interface, so you will use the PPPoE default of 1,492 octets (the 1,500-octet Ethernet
payload less the 6-octet PPPoE header and the 2-octet PPP protocol field). Leave this field
blank, and add a note in the Comments column to indicate that the default value is correct.
15. The next items on the Physical Configuration worksheet are the IPv4 address and
Classless Interdomain Routing (CIDR) /n fields. The pfSense Firewall Setup Wizard
automatically fills in these items, so leave these fields blank, and add a note in the
Comments column to indicate that these items are populated automatically.
16. The next item on the Physical Configuration worksheet is the Gateway. The computer on
the virtual lab uses any available gateway, so a specific Gateway name is not required.
Leave this field blank, and add a note in the Comments column.
17. The next item on the Physical Configuration worksheet is the DHCP Hostname. DHCP
hostname is not required in this configuration, though some Internet Service Providers
require it (for security and verification reasons). Leave this field blank, and add a note
in the Comments column.
18. The next items on the Physical Configuration worksheet are a series of fields related to
the PPPoE WAN interface. The PPPoE connection used by the virtual lab is established
as a permanent connection and requires no specific configuration. Leave these fields
blank, and add a note in the Comments column.
19. The next items on the Physical Configuration worksheet are a series of fields related to
the Point-to-Point Tunneling Protocol (PPTP). The virtual lab does not use PPTP. Leave
these fields blank, and add a note in the Comments column.
20. The next item on the Physical Configuration worksheet is the requirement to block
RFC 1918 Private Networks. Type YES in the Settings column to block traffic from those
networks arriving on the WAN interface. Private addresses (10.0.0.0/8, 172.16.0.0/12 and
192.168.0.0/16) are not routable on the public Internet, so a packet carrying one of them as
its source address on the WAN side is spoofed or misrouted and cannot be a reply to anything
this computer requested.
The second consideration is whether the firewall is, by default, permissive or restrictive:
that is, whether everything is allowed by default (permissive) or nothing is allowed by
default (restrictive). In the permissive case, very few support calls are generated and
users are usually happier, because everything they wish to do is allowed by default and
rules exist only for known security problems, which rarely interfere with what a user wants
to do. However, this approach also leaves the door open to a wide variety of security risks.
The restrictive approach says that, by default, everything is blocked unless it is
specifically allowed. From a security standpoint this is the preferred approach, though it
requires more thoughtful configuration of the rules. pfSense takes the restrictive approach:
every packet that is not explicitly passed is blocked by default. In other words, every
packet arriving on an interface is evaluated against the rules for that interface and is
blocked by the firewall if no rule explicitly allows (passes) it.
In the next steps, you will use the Firewall Rules worksheet to plan the configuration of a
local firewall for this virtual computer. You will allow specific actions and block
everything else. You will begin by deciding which actions to allow. You must recognize
that any actions you allow may have security implications in and of themselves, but to be
useful you have to allow the computer to do some actions and have some interactions
with the network.
24. Click the Firewall Rules tab at the bottom of the pfSenseFirewallPlanner spreadsheet to
open the Firewall Rules worksheet.
Figure 6 Firewall Rules worksheet
25. Compare the headings in the Firewall Rules worksheet with the following table.
Each field in the worksheet is described in this table. You will need this information to
complete the firewall rules configuration.
Column A, Action: Action indicates what the pfSense Firewall should do when it encounters a
certain type of network traffic. The choices are pass, block, or reject. The difference
between block and reject is important and applies only when the protocol is set to one of the
Internet Protocols, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), but
not to the combined TCP/UDP option. With block, the incoming packet is silently discarded (and
logged, if that option is set); the sender receives no indication that the packet did not reach
its destination. With reject, a response is returned to the sender (a TCP reset for TCP, an ICMP
port unreachable message for UDP) indicating that the packet was not accepted. Malicious
software and malicious individuals routinely use such rejections to confirm that a computer
exists at the designated IP address and then attempt additional infiltration. It is, therefore,
recommended that traffic be rejected only in very specific cases.
Column B, Disabled: Disabled allows a rule to be switched off without being deleted. This can
be used for testing purposes or to temporarily allow, or stop allowing, a certain action.
Column C, Interface: Interface allows a firewall rule to be applied only to a specific
interface (WAN or LAN) or to a type of tunnel terminating on the firewall (PPPoE, PPTP or
IPsec).
Column D, Protocol: Protocol allows a rule to be applied only to packets of a specific protocol,
such as TCP, UDP or ICMP.
Columns E-H, Source IP Address: Source IP Address allows specification of the IPv4 address and
CIDR (/n) prefix length to match, and inverting the comparison (if NOT is marked).
Columns I-J, Source Port Range: Source Port Range allows the rule to be applied only to
specific source ports, or to any source port. Because the source computer uses an ephemeral
port (usually a port number from 49152 to 65535), chosen at random, as its source port, this
option is usually left blank or set to Any.
Column K, Source O/S: Source O/S allows traffic to be matched by the operating system of the
sender, as fingerprinted from its TCP packets; it works only for Transmission Control Protocol
(TCP) traffic.
Columns L-O, Destination IP Address: Destination IP Address allows specification of the IPv4
address and CIDR (/n) prefix length to match, and inverting the comparison (if NOT is marked).
Columns P-Q, Destination Port Range: Destination Port Range allows the rule to be applied only
to specific destination port ranges, or to any destination port.
Column R, Log: Log indicates whether the packets handled by this specific rule should be
logged.
Column S, Description: Description allows a brief alphanumeric description of each rule to be
entered.
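The rule table above, the default-deny discussion before it, and the Block private networks rule the wizard adds on the WAN interface (Part 2, step 13) can all be exercised with a small rule evaluator. The following is an added example, not pfSense code: it models the worksheet columns as a Rule record and applies the order pfSense uses, rules checked top-down on the interface the packet arrives on, first match wins, and an implicit block for anything that matches no rule. The ruleset in lab_rules() is an assumption for this example (the lab's own figure did not survive extraction), and the Telnet reject rule is there only to show how reject differs from block.

```python
"""First-match firewall rule evaluation in the style of the pfSense rule table.

Added illustration, not pfSense code. A Rule carries the worksheet columns
(action, interface, protocol, source/destination with optional NOT, destination
port range, log, description, disabled). evaluate() checks rules top-down on the
arrival interface, the first match wins, and an unmatched packet is blocked.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# The three RFC 1918 ranges covered by the wizard's "Block private networks" option.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# "any", one network ("203.0.113.0/24"), a negated network ("!192.168.1.0/24"), or several.
AddrSpec = Union[str, Tuple[str, ...]]


@dataclass
class Rule:
    action: str                               # "pass", "block" or "reject"
    interface: str                            # "WAN" or "LAN": interface the packet arrives on
    protocol: str                             # "tcp", "udp", "icmp" or "any"
    source: AddrSpec = "any"
    dest: AddrSpec = "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range; None = any
    log: bool = False
    description: str = ""
    disabled: bool = False


@dataclass
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    dport: int = 0


def addr_matches(spec: AddrSpec, addr: str) -> bool:
    """Match an address against an address column; a leading '!' is the worksheet's NOT."""
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return any(addr_matches(s, addr) for s in spec)
    invert = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != invert


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every populated column of the rule matches the packet."""
    if rule.disabled or rule.interface != pkt.interface:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if not addr_matches(rule.source, pkt.src) or not addr_matches(rule.dest, pkt.dst):
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def evaluate(rules, pkt: Packet):
    """Return (verdict, reply sent to the sender or None, matching rule or None)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.action == "reject":
                # reject tells the sender: TCP RST for TCP, ICMP port unreachable for UDP.
                reply = {"tcp": "TCP RST", "udp": "ICMP port unreachable"}.get(pkt.protocol)
                return "reject", reply, rule
            return rule.action, None, rule     # pass or block; block is silent
    return "block", None, None                 # implicit default deny


def lab_rules():
    """Hypothetical ruleset for the client firewall (an assumption for this example)."""
    return [
        Rule("block", "WAN", "any", source=RFC1918, log=True, description="Block private networks"),
        Rule("pass", "LAN", "tcp", dport=(80, 80), description="Internet browsing (HTTP)"),
        Rule("pass", "LAN", "tcp", dport=(443, 443), description="Internet browsing (HTTPS)"),
        Rule("pass", "LAN", "udp", dport=(53, 53), description="DNS"),
        Rule("pass", "LAN", "udp", dport=(67, 68), description="DHCP"),
        Rule("pass", "LAN", "icmp", description="ICMP"),
        Rule("reject", "LAN", "tcp", dport=(23, 23), description="Telnet (reject, so the user sees it)"),
    ]


if __name__ == "__main__":
    samples = (Packet("WAN", "tcp", "10.1.2.3", "203.0.113.7", 80),        # spoofed private source
               Packet("LAN", "tcp", "192.168.1.10", "130.192.73.1", 443),  # browsing, allowed
               Packet("LAN", "tcp", "192.168.1.10", "192.168.1.20", 23),   # rejected with RST
               Packet("LAN", "udp", "192.168.1.10", "172.21.4.10", 123))   # no rule: default deny
    for pkt in samples:
        verdict, reply, rule = evaluate(lab_rules(), pkt)
        why = rule.description if rule else "default deny"
        print("%-4s %-4s %-14s -> %-14s:%-5d %-6s %-22s (%s)" % (
            pkt.interface, pkt.protocol, pkt.src, pkt.dst, pkt.dport, verdict, reply or "", why))
```

The last sample is the point of the restrictive default: an NTP packet to the time server is dropped not because any rule names it, but because nothing passes it. In the real wizard the same outcome follows from leaving the rule out of the worksheet, which is why every service the client needs has to be written down before the firewall is configured.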
26.
27. Note: In the next steps, you will use the Firewall Rules worksheet to plan the
configuration of a local firewall for this virtual computer, allowing the traffic displayed in
the following figure and blocking everything else. As noted above, any action you allow may
have security implications of its own, but to be useful the computer must be permitted some
interactions with the network.
Figure: traffic allowed in this lab. Only part of the table survived extraction: the Protocol
column lists TCP, TCP, TCP, ICMP and UDP, and a single port range, 67-68 (the UDP ports used
by DHCP).
Notice that there is already a rule on the WAN tab: Block private networks. This rule
was created as a result of running the pfSense Configuration Wizard because of the action
you took in Step 20 of Part 1 of this lab. In that step, you opted to block RFC1918 Private
Networks, and you selected that checkbox during the Configuration Wizard process.
Those actions are reflected here.
Figure 13 pfSense Rules specification screen
13. Refer to the Firewall Rules worksheet of the pfSenseFirewallPlanner spreadsheet and
add the Block private networks rule definition.
Note: The purpose of the pfSenseFirewallPlanner spreadsheet is to plan the firewall
configuration in advance; however, as you learned earlier, even the most diligent planner
can overlook something (the rule definition to block private networks, in this case), so
recording any changes to the original plan makes the completed pfSenseFirewallPlanner
spreadsheet an excellent starting point for replicating this configuration in the future.
14. Click the LAN tab to begin adding the new rules that you configured in Part 1 of this
lab.
Notice that there is already a rule on the LAN tab: Default LAN -> Any. This rule
allows any traffic arriving on the LAN interface, that is, anything sent by hosts on the
local area network to which the computer is attached, to pass to any destination. This is
safe and reasonable on a desktop computer that will not be moved to a public location such
as a coffee shop or airport lounge, but might not be the wisest choice for a laptop. For the
purposes of this lab, leave the rule as is. You will need to add this existing rule to the
pfSenseFirewallPlanner spreadsheet.
15. Double-click the Default LAN -> any row to open the Firewall: Rules: Edit screen.
16. Use the data in the Firewall: Rules: Edit fields to record the rule in the
pfSenseFirewallPlanner.
17. Click Cancel to return to the Firewall Rules screen without making any changes to the
existing rule.
18. Click the Plus button (the Add new rule button) at the bottom right side of the Rules
table on the pfSense Firewall application window to add a new rule.
Figure 14 Add new rule button
19. Use the entries in the Firewall Rules worksheet to create a rule for Internet browsing.
You will notice that there are additional fields in this screen (Advanced Options, State
Type, No XMLRPC Sync, Schedule and Gateway). Do not make any changes to those
fields for the purposes of this lab.
Figure 15 New Firewall Rules: Edit screen
20. Click Save to save the rule and return to the Firewall Rules screen.
Overview
In this lab, you first planned a configuration of the pfSense Firewall to protect a client computer
using a spreadsheet, the pfSenseFirewallPlanner. The pfSense Firewall is a current generation
product which has most of the functionality and options that will be found in most firewall
products though the implementation may vary somewhat from firewall to firewall. In the second
part of the lab, you configured the pfSense Firewall using the planning spreadsheet that you
created in Part 1 of the lab.
3. The File Transfer Protocol (FTP) uses which transport protocol, TCP or UDP?
7. Hyper Text Transfer Protocol (HTTP) and Secure HTTP (HTTPS) are the same protocol
from a standpoint of passing or blocking them with a firewall. True or False?
Learning Objectives
Upon completing this lab, you will be able to:
1. Complete a Physical Configuration planning worksheet and understand the general rules
of physical configuration planning for a firewall that protects a server.
2. Complete the Firewall Rules planning worksheet and understand the general rules for
firewall rules planning for a firewall that protects a server.
3. Configure the physical connectivity of a firewall that protects a server.
4. Configure firewall rules for a firewall that protects a server.
pfSense Firewall
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. A completed pfSenseFirewallPlanning_EmailServer.xlsx spreadsheet;
2. Lab Report file including a screen capture of successful local firewall configuration (Part
2, Step 29);
3. Lab Assessments file;
4. Optional: Challenge Questions file, if assigned by your instructor.
2. Complete the Firewall Rules planning worksheet and understand the general rules for
firewall rules planning of a firewall that protects a server. - [60%]
3. Configure the physical connectivity of a firewall that protects a server. - [5%]
4. Configure firewall rules of a firewall that protects a server. - [30%]
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
spreadsheet contains two worksheets: Physical Configuration and Firewall Rules. The
spreadsheet was designed to document answers to the questions prompted by the pfSense
Firewall Configuration Wizard, in the order you will be required to answer them. You will
record the configuration settings for the pfSense Firewall in this spreadsheet as you proceed
through the lab. It is a good idea to scan Part 2 of this lab if you are unfamiliar with firewall
configurations. Seeing how the questions are posed by the wizard might help you understand
how the pfSenseFirewallPlanner_EmailServer spreadsheet works in conjunction with the wizard.
Many of the steps in this part of the lab follow basic Windows conventions in Windows Server
2008. If you are an experienced Windows user who is already familiar with these steps, feel free
to write down the information provided and move ahead with the lab exercises. If you are not
familiar with these functions, please follow the steps and see the results but also understand that
they vary somewhat between different versions of Windows and vary greatly from the way
similar information is derived in other operating systems.
1. Click the File Transfer button on the vWorkstation desktop to transfer the
pfSenseFirewallPlanner_EmailServer spreadsheet from the virtual desktop to your local
computer.
2. Open the pfSenseFirewallPlanner_EmailServer spreadsheet on your local computer.
This is a blank firewall planning spreadsheet that you will use to plan the configuration of
the Firewall software prior to making any changes in the software itself. It is also used to
record any configuration changes to this original plan.
Note: There are many factors to consider when planning how a server will be set up and
secured. Because the lab environment is intended to be as straightforward as possible,
you will configure a single, stand-alone server that provides only a single service: e-mail.
In an actual production environment, it is possible that multiple e-mail servers are
configured on the same, shared, hardware or that the same hardware be used to support
multiple services, such as Web services and the File Transfer Protocol, in addition to email. Look at each service offered in the following figure and determine what must be
configured and why.
Figure 2 Server configuration environment
In this figure, the server is the machine on the right. The first protocol allowed for the
server is the File Transfer Protocol (FTP). Allowing this protocol will allow new software
to be loaded to the server and other support files to be copied as needed. A more secure
approach would be to not allow FTP at all and instead load new software and other
needed files locally via CD/DVD or USB memory stick. While this approach is more
secure, it is not as convenient and requires that a human be seated at the e-mail server
rather than remotely connected. In this virtual lab, you will turn off the firewall rule that
allows FTP except when the server is being updated. Another option would be to use the
secure FTP (sFTP) protocol, which encrypts the file transfer commands.
Domain Name Service (DNS) is allowed on this server because the e-mail server uses
DNS for a variety of functions, such as resolving IP addresses of domain names
associated with e-mail addresses, and therefore, it must be explicitly allowed.
The Simple Mail Transfer Protocol (SMTP) and the Post Office Protocol (POP3) are both
allowed so that the e-mail server may send (POP3) and receive (SMTP) e-mail. This may
seem backwards from what is normally understood, but remember that the POP3 protocol
is between the e-mail server and the e-mail client and allows the client to receive (and
therefore the server to send) emails. The reverse is true of SMTP: the e-mail client sends
and the e-mail server receives. And what about the more secure POP3S? It will not be
considered in this lab, nor will the more complex Internet Message Access Protocol
(IMAP) which may be used in place of, or in addition to, POP3 or POP3S.
Lastly, Secure Shell (SSH) is allowed on both the remote e-mail server whose firewall is
being configured as well as on the workstation from which the configuration is being
done. As mentioned in the discussion on FTP, it would be far more secure though far less
convenient to require administration of the e-mail server to be performed by a person
sitting directly in front of the server.
3. Refer to the Firewall Rules worksheet of the pfSenseFirewallPlanner_EmailServer
spreadsheet to determine the first item.
The first item on the Physical Configuration worksheet is Hostname. A hostname is the
unique name of the computer (host) on the network capable of originating or responding
to an interaction using the Internet Protocol. The hostname has been assigned by the
system administrator as email-server. The Internet Protocol address, which also serves as
the domain for this server, associated with the e-mail server is an IP version 4 (IPv4)
address of 172.30.0.100.
Note: Do not forget that the e-mail server is a different machine from the vWorkstation
desktop. Later in this lab, you will use the pfSense Firewall software to connect to the email server remotely and configure it.
Figure 3 pfSenseFirewallPlanner_EmailServer spreadsheet
4. In the Settings column of the Physical Configuration worksheet in the Hostname row,
type email-server.
5. In the Comments column of the Physical Configuration worksheet, type *changed for
each configuration to indicate that this information will vary with each computer that
will be configured.
6. In the Settings column of the Physical Configuration worksheet in the Domain row, type
172.30.0.100.
7. In the Comments column of the Physical Configuration worksheet, type Provided by the
administrator to indicate that this information will vary with each computer that will be
configured.
8. In the Settings column of the Physical Configuration worksheet in the Allow DNS server
list to be overwritten row, type Yes.
Note: DNS Server questions are potentially problematic and could leave the local
computer open to various security problems, and could even cause the local PC not to
work properly. There are a number of pieces of malicious software that will change the
Domain Name Server addresses to their own DNS Servers in order to monitor what sites
are being visited, hijack the browser sessions, or do other, more nefarious things. If the DNS
Server fields are left blank and a numeric IP address is used in the Domain field, as is the
case with this configuration, then the computer will not use Dynamic Host Configuration
Protocol (DHCP), which is not allowed anyway, and security vulnerabilities due to DNS
can be avoided completely.
9. In the Comments column of the Physical Configuration worksheet, type Provided by the
administrator to indicate that this information will vary with each computer that will be
configured.
Note: There are additional physical configuration questions, such as information about
the username and password for this server, which will have already been answered
correctly by the system administrator at the time the server was installed. You will know
that the firewall was properly configured if you are able to remotely access the e-mail
server using the pfSense Firewall software. In the interest of being thorough and secure,
you will review the options used to configure the e-mail server and record them in the
pfSenseFirewallPlanner_EmailServer spreadsheet during Part 2 of this lab.
10. Save the completed spreadsheet as
yourname_pfSenseFirewallPlanner_EmailServer.xls, replacing yourname with your
own name and submit the file with your lab deliverables.
Note: Up to this point, you have planned for the administrative configuration of the
remote e-mail firewall using the pfSenseFirewallPlanner_EmailServer spreadsheet. Now,
you will complete the Firewall Rules worksheet.
The first consideration you will encounter is the order of your definition lists. You can
compare the process of defining firewall rules to the process of defining most access
control lists (ACLs). In both cases, the simplest approach is best. These are not
sophisticated programs with conditional branching logic, but rather simple lists of rules
that are evaluated in order, and when there are two conflicting rules, the first rule in the
list that applies is used. For example, if line 3 of the definition says don't allow X for a
certain condition, but in line 22 you decide to allow X for that same condition, the first
rule that matches the condition is in line 3, so that is the rule that will always be
followed.
The second consideration is whether the firewall is, by default, permissive or restrictive.
That is to say whether everything is allowed by default (permissive) or not allowed by
default (restrictive). In the first case (permissive), very few support calls are generated
and users are usually happier because everything they wish to do is allowed by default as
rules exist only for known security problems, which rarely interfere with what a user
wants to do. However, this approach also leaves the door open for a wide variety of
security risks. The restrictive approach says that, by default, everything is restricted
unless it is specifically allowed. This approach is known as default deny. From a
security standpoint, this is the preferred approach, though it requires more thoughtful
configuration of the rules. The second approach, restrictive, is applied by the pfSense
Firewall: every type of packet that is not explicitly allowed (or passed) is blocked by
default. In other words, every packet that comes into the computer is evaluated by the
firewall rules and is blocked by the firewall if it is not explicitly allowed.
In the next steps, you will use the Firewall Rules worksheet to plan the configuration of
the remote e-mail firewall. You will allow specific actions and block everything else.
You will begin by deciding which actions to allow. You must recognize that any actions
you allow may have security implications in and of themselves, but to be useful you have
to allow the computer to do some actions and have some interactions with the network.
11. Click the Firewall Rules tab at the bottom of the pfSenseFirewallPlanner_EmailServer
spreadsheet to open the Firewall Rules worksheet.
Figure 4 Firewall Rules worksheet
12. Compare the headings in the Firewall Rules worksheet with the following table.
Each field in the worksheet is described in this table. You will need this information to
complete the firewall rules configuration.
Column A, Action: Action indicates the action you wish the pfSense Firewall to take when
it encounters a certain type of network traffic. The choices are pass, block, or reject. The
difference between block and reject is important and only works when the protocol is set
to one of the Internet protocols: Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP), but not TCP/UDP. In the case of block, the questionable incoming packet
is blocked and discarded (or logged, based upon the setting for that option). There is no
indication to the sender that the packet has not reached the intended destination. If reject
is chosen, a packet is returned to the sender indicating that the packet or packets they sent
were not accepted. There are numerous cases of the rejected packets being used by
malicious software and malicious individuals to verify that a computer exists at the
designated IP address, and then to attempt additional infiltration. It is, therefore,
recommended that traffic be rejected only in specific cases.
Column B, Disabled: Disabled allows a rule to be disabled but not deleted. This can be used
for testing purposes or to temporarily allow a certain action.
Column C, Interface: Interface allows a firewall rule to be applied only to a specific
interface (WAN or LAN) or type of tunnel within the interface (PPPoE, PPTP, or IPSec).
Column D, Protocol: Protocol allows rules to be applied only to certain types of packets
that use a specific protocol.
Columns E-H, Source IP Address: Source IP Address allows inverting the address
comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n)
indicator.
Columns I-J, Source Port Range: Source Port Range allows the rule to be applied only to
specific source port ranges or to any source port range. Because the source computer uses
the ephemeral ports (usually port numbers from 49152 to 65535) as the source port and can
use any available ephemeral port, this option is usually left blank or Any.
Column K, Source O/S: Source O/S allows for traffic to be allowed by a certain rule only
from specific operating systems and only for Transmission Control Protocol (TCP) traffic.
Columns L-O, Destination IP Address: Destination IP Address allows inverting the address
comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n)
indicator.
Columns P-Q, Destination Port Range: Destination Port Range allows the rule to be
applied only to specific destination port ranges or to any destination port range.
Column R, Log: Log indicates if the packets handled by this specific rule should be logged.
Column S, Description: Description allows a brief alphanumeric description of each rule to
be entered.
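The first-match and default-deny behaviour discussed before step 11, together with the pass/block/reject actions in the table above, as an added example that is not part of the lab manual: a small evaluator that applies the lab's planned rule set to constructed packets. The Rule and Packet types, the service-to-port table and the sample packets are assumptions made for this example.

```python
"""First-match rule evaluation with a pfSense-style default deny.

Added example, not part of the lab manual: models the behaviour the lab
describes (rules checked in order, first match wins, anything not explicitly
passed is silently blocked) using the lab's planned e-mail server rule set.
The Rule/Packet types, the service-to-port table and the packets are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known destination ports for the services named in the worksheet.
SERVICE_PORTS = {"FTP": 21, "DNS": 53, "SMTP": 25, "POP3": 110, "SSH": 22}


@dataclass(frozen=True)
class Rule:
    action: str               # Column A: "pass", "block" or "reject"
    interface: str            # Column C: "LAN" or "WAN"
    protocol: str             # Column D: "TCP", "UDP" or "ANY"
    dst_port: Optional[int]   # Columns P-Q: None means any destination port
    descr: str                # Column S
    disabled: bool = False    # Column B: a disabled rule is skipped, not deleted


@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    dst_port: int
    # Source port is deliberately absent: the plan leaves it "Any" (ephemeral).


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies only when every field it specifies matches the packet."""
    if rule.disabled:
        return False
    if rule.interface.upper() != pkt.interface.upper():
        return False
    if rule.protocol.upper() not in ("ANY", pkt.protocol.upper()):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) under first-match semantics.

    "pass"   - a pass rule matched
    "block"  - dropped silently: a block rule matched, or nothing matched
    "reject" - dropped and the sender is told the packet was not accepted
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.descr
    # Nothing matched: pfSense blocks silently by default (default deny).
    return "block", "implicit default deny"


def lab_rules() -> list[Rule]:
    """The five pass rules planned in the Firewall Rules worksheet, in order."""
    return [Rule("pass", "LAN", "TCP", SERVICE_PORTS[svc], f"Allow {svc}")
            for svc in ("FTP", "DNS", "SMTP", "POP3", "SSH")]


if __name__ == "__main__":
    rules = lab_rules()
    # A rule placed earlier in the list shadows a conflicting rule placed later.
    shadowed = [Rule("reject", "LAN", "TCP", 22, "Reject SSH (line 1)")] + rules
    samples = [
        ("SMTP delivery", rules, Packet("LAN", "TCP", 25)),
        ("HTTPS, no rule planned", rules, Packet("LAN", "TCP", 443)),
        ("DNS over UDP, rule is TCP only", rules, Packet("LAN", "UDP", 53)),
        ("SSH with an earlier reject rule", shadowed, Packet("LAN", "TCP", 22)),
    ]
    for label, ruleset, pkt in samples:
        print(f"{label:32s} -> {evaluate(ruleset, pkt)}")
```

Note that the UDP case shows why the Protocol column deserves attention: a TCP-only DNS rule leaves UDP name lookups to the default deny.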
13.
14. Note: In the next steps, you will use the Firewall Rules worksheet to plan the
configuration of a local firewall for this virtual computer. You will allow specific actions
and block everything else. You will begin by deciding which actions to allow. You must
recognize that any actions you allow may have security implications in and of
themselves, but to be useful you have to allow the computer to do some actions and have
some interactions with the network. In this lab, you will allow the traffic displayed in this
figure.
Figure 5 Firewall Rules allowable traffic
The pfSense Firewall requires a different rule for Secure Hypertext Transfer Protocol
(HTTPS) traffic. At this time we will not specify a rule for HTTPS traffic. This means
that when the browser encounters a Web site that utilizes the HTTPS protocol, traffic will
be blocked by the firewall. Keep in mind that this is a good example for a lab exercise but
not for practical implementation. In actual implementations there should also be a rule to
pass, block, or reject HTTPS traffic.
15. In Column S of the Firewall Rules worksheet, type File Transfer Protocol. Don't forget
that we are going to configure the server, the device on the right-hand side of the diagram
in Figure 5.
You will create a rule to allow file transfers to and from the Internet to facilitate the
loading and updating of the software on the e-mail server, according to the following
definition: Pass (Column A) all traffic on the LAN interface (Column C) using TCP
protocol (Column D) from any type of address with any value with any subnet mask
(Columns E-H) for the standard port range (Columns I-J) for any operating system
(Column K) for any destination IP address (Columns L-O) for the FTP port range
(Columns P-Q) and there is no need to log the traffic (Column R).
16. In Column A of the Firewall Rules worksheet, select Pass from the drop-down list to
allow Internet traffic.
17. In Column C, type LAN.
18. In Column D, type TCP.
19. In Columns F and G, type Any.
20. In Columns I and J, type Any.
21. In Column K, type Any.
22. In Columns M and N, type Any.
23. In Columns P and Q, type FTP.
24. In Column R, type No.
25. Repeat steps 13-22 to create the following rule descriptions, making adjustments where
necessary. Use the following table as a guide.
Allow Domain Name Service (DNS) so that the e-mail software can resolve text URLs,
into numeric IP addresses instead of requiring them to be typed in as IP addresses. This is
very useful for the e-mail server in functions varying from resolving destination
addresses such as email.user@emailserver.com to checking allowed and blacklisted email servers so that Unsolicited Commercial Email (UCE/SPAM) can be detected and,
potentially, blocked.
Allow e-mail to be received to/from anyone using Simple Mail Transfer Protocol
(SMTP).
Allow Post Office Protocol, version 3 (POP3) so that users can retrieve e-mail from the
server.
Allow Secure Shell (SSH) so that the e-mail server can be remotely managed by a secure
command-line interface. (SSH is quickly replacing Telnet for this purpose.)
Firewall Rule    Protocol    Source Port Range
Allow DNS        TCP         Any-Any
Allow SMTP       TCP         Any-Any
Allow POP3       TCP
Allow SSH        TCP
Note: Three very important protocols are not defined on the e-mail server in this lab: HTTP,
DHCP, and ICMP. If you wish to use a browser for any reason on the e-mail server, either HTTP
and/or its secure version, HTTPS, must be defined. In our case, the server will be managed
remotely using an application that communicates with the e-mail server using the Secure Shell
(SSH) protocol. The Dynamic Host Configuration Protocol is not used because the server will be
statically configured with a non-changing IP address and other characteristics. In addition,
Internet Control Message Protocol (ICMP) will not be allowed in this lab because it is not
desirable for the e-mail server in this environment to respond to ICMP requests and be
susceptible to the associated vulnerabilities. This is an individual decision of the organization
that owns and/or administers the server and varies from environment to environment.
7. Use the data from the System: General Setup screen to complete the Physical
Configuration worksheet of the pfSenseFirewallPlanner_EmailServer spreadsheet and
properly document the server firewall.
15. Click the Plus button at the bottom right side of the Rules table on the pfSense Firewall
application window to add a new rule.
Figure 12 Add new rule button
16. Use the entries in the Firewall Rules worksheet to create a rule for File Transfer
Protocol.
Figure 13 New Firewall Rules: Edit screen
17. Click Save to return to the Firewall Rules screen.
18. Repeat steps 15-17 for the remaining rules on the Firewall Rules worksheet.
19. Compare your Rules table with the one in the following figure.
Figure 14 pfSense Firewall LAN Rules table
20. After any discrepancies in the rules have been corrected, click the Apply changes button
above the Rules table to apply the rule changes that you have made to the firewall.
Figure 15 Apply changes button
After the settings have been applied, the red message bar will change to indicate that fact.
Figure 16 Confirmation message
Note: Up to this point, configuration of the firewall has been done using the Telnet
protocol. However, it is more secure to use the Secure Shell (SSH) protocol, which
makes it more difficult for hackers to reconfigure our e-mail server firewall remotely. In
the next steps, you will change the remote configuration protocol to SSH.
21. From the pfSense Firewall menu, click System > Advanced.
22. Use the scrollbar on the pfSense Firewall as necessary to locate the Secure Shell portion
of the System: Advanced functions screen.
23. Click the Enable Secure Shell checkbox to enable this option.
For this lab all of the remaining fields will be left at their defaults, though it is strongly
advised to use authorized keys to authenticate users in an actual implementation.
Figure 17 System: Advanced functions screen
24. Click Save to complete the change.
Note: There is only one administrative step left: saving a copy of the configuration file
so that this configuration may be easily restored if there is a problem. Problems that
would require restoration of the configuration file could be unintentional, such as a
complete hardware crash of the server, an unintentional modification of the configuration
due to careless typing, or even memory modification due to a cause such as static
electricity. Intentional problems could also warrant restoration of the configuration file.
Malicious insiders could intentionally replace or modify the configuration file. Malicious
outsiders or malware could do the same. The backup configuration file for this lab will be
stored, and restored if needed, locally, but it is common practice for backup copies of
configuration files to be stored on a separate, secure server and transferred either via FTP
or, better yet, by an external USB memory stick.
25. From the pfSense Firewall menu, select Diagnostics > Backup/Restore.
Figure 18 Diagnostics: Backup/restore screen
26. Click the Download configuration button.
27. Click Save on the resulting File Download dialog box to open the Save As dialog box
and click Downloads to save the file in the Downloads folder.
Figure 19 Save As dialog box
28. Accept the default options in this dialog box, and click Save.
Figure 20 Download complete dialog box
29. Make a screen capture showing the Download complete dialog box and paste it into
your Lab Report file.
Note: At this point of the lab, you may click Close to close the dialog box and end this
part of the lab; however, the configuration information in this backup/restore file is stored
in a human- and machine-readable format called eXtensible Markup Language (XML) that is
a couple of evolutionary steps up from Hypertext Markup Language (HTML) and some
other markup languages used on the Internet. If you are interested in learning more about
this topic, click Open to open the text file containing the XML code and inspect what is
displayed. You will note that there are <tags> defined to contain all of the information in
the firewall configuration and that they contain values that were either entered as a part of
this lab or are default values provided by the pfSense Firewall application.
It will probably also occur to you that humans with editor programs (such as this one) or
other programs could read, and potentially modify, this file. It may also occur to you that
you could bypass the clunky and cumbersome menu structure and go right to entering the
XML in the configuration file, as many professionals do. You could also write code to
generate different, custom configuration files to assure consistency and reduce typos.
There is really no limit to what can be accomplished with this type of code.
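Generating a configuration from the planning spreadsheet and checking it for a default permit, as an added example that is neither the lab's nor the pfSense project's code: the element layout is a simplified model of the pfSense config.xml backup (pfsense/filter/rule with type, interface, protocol, source, destination and descr), so the tag names are assumptions to verify against a real backup, and the rule plan is constructed from the lab's worksheet.

```python
"""Generate and audit a pfSense-style config.xml <filter> section from a rule plan.

Added example (not from the lab manual or the pfSense project). The element
layout is a simplified model of pfSense's config.xml (pfsense/filter/rule with
type, interface, protocol, source, destination, descr); treat the tag names as
assumptions and check them against a real backup before relying on them.
"""
import xml.etree.ElementTree as ET

# Rule plan in the shape of the lab's Firewall Rules worksheet (constructed).
PLAN = [
    {"action": "pass", "interface": "lan", "protocol": "tcp", "dst_port": "21", "descr": "File Transfer Protocol"},
    {"action": "pass", "interface": "lan", "protocol": "tcp", "dst_port": "53", "descr": "Allow DNS"},
    {"action": "pass", "interface": "lan", "protocol": "tcp", "dst_port": "25", "descr": "Allow SMTP"},
    {"action": "pass", "interface": "lan", "protocol": "tcp", "dst_port": "110", "descr": "Allow POP3"},
    {"action": "pass", "interface": "lan", "protocol": "tcp", "dst_port": "22", "descr": "Allow SSH"},
]


def build_filter(plan):
    """Build a <filter> element with one <rule> per plan entry, in plan order."""
    filt = ET.Element("filter")
    for entry in plan:
        rule = ET.SubElement(filt, "rule")
        ET.SubElement(rule, "type").text = entry["action"]
        ET.SubElement(rule, "interface").text = entry["interface"]
        ET.SubElement(rule, "protocol").text = entry["protocol"]
        src = ET.SubElement(rule, "source")
        ET.SubElement(src, "any")            # any source address, any source port
        dst = ET.SubElement(rule, "destination")
        ET.SubElement(dst, "any")            # any destination address ...
        if entry.get("dst_port"):            # ... but only the planned port
            ET.SubElement(dst, "port").text = entry["dst_port"]
        ET.SubElement(rule, "descr").text = entry["descr"]
    return filt


def render_config(plan, hostname="email-server"):
    """Wrap the filter in a minimal <pfsense> document and return it as text."""
    root = ET.Element("pfsense")
    system = ET.SubElement(root, "system")
    ET.SubElement(system, "hostname").text = hostname
    root.append(build_filter(plan))
    return ET.tostring(root, encoding="unicode")


def audit_config(xml_text):
    """Return findings for pass rules that undo the default-deny posture.

    A pass rule with any source, any destination and no destination port is
    the kind of 'Default LAN -> any' permit that should not survive planning.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for idx, rule in enumerate(root.iterfind("./filter/rule"), start=1):
        if rule.findtext("type") != "pass":
            continue
        dst = rule.find("destination")
        any_dst = (dst is not None and dst.find("any") is not None
                   and dst.find("port") is None)
        any_src = rule.find("source/any") is not None
        if any_src and any_dst:
            findings.append(
                f"rule {idx} ({rule.findtext('descr')!r}) passes any source "
                "to any destination and any port")
    return findings


if __name__ == "__main__":
    # The planned configuration is clean; prepending a default permit is not.
    print(audit_config(render_config(PLAN)))
    permissive = [{"action": "pass", "interface": "lan", "protocol": "any",
                   "dst_port": "", "descr": "Default LAN -> any"}] + PLAN
    print(audit_config(render_config(permissive)))
```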
30. Save the completed spreadsheet as
yourname_pfSenseFirewallPlanner_EmailServer.xls, replacing yourname with your
own name and submit the file with your deliverables.
31. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.
Overview
In this lab, you first planned a configuration of the pfSense Firewall using a spreadsheet, the
pfSenseFirewallPlanner_EmailServer, to protect an e-mail server computer. The pfSense
Firewall is a current-generation product with most of the functionality and options that are found
in most firewall products, though the implementation may vary from firewall to firewall. In the
second part of the lab, you configured the pfSense Firewall using the planning spreadsheet that
you created in Part 1 of the lab.
3. The File Transfer Protocol (FTP) uses which transport protocol, TCP or UDP?
4. From a security standpoint, it is more desirable to use the numeric IP address of a static
IP host, such as an e-mail server, than to allow the address to be looked up the Domain
Name Service. True or False?
5. Because the e-mail server will not be required to run a browser, which protocol is not
allowed by the firewall rules?
6. Because the e-mail server uses a fixed, static, predetermined IP address, which protocol is
not used, and, therefore, not specifically allowed to pass through the firewall?
7. Hyper Text Transfer Protocol (HTTP) and Secure HTTP (HTTPS) are the same protocol
from a standpoint of passing or blocking them with a firewall. True or False?
8. Which protocol is used for a variety of functions in the e-mail server, such as resolving
the numeric address of email.user@emailserver.net, and which servers are blacklisted for
being sources of Unsolicited Commercial Email (UCE)?
1. In the first part of the lab, you will validate the existing pfSense Firewall rules in
preparation for completing a penetration test.
2. In the second part of the lab, you will use OpenVAS to check for vulnerabilities on a
virtual Windows server, and then reconfigure the firewall to eliminate those vulnerabilities.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your
own to answer a set of challenge questions that allow you to use the skills you learned in
the lab to conduct independent, unguided work, similar to what you will encounter in a
real-world situation.
Learning Objectives
Upon completing this lab, you will be able to:
1. Describe the steps of a penetration test.
2. Perform a penetration test against a system protected by a pfSense firewall.
3. Discuss measures that can be taken to harden a target against attacks while balancing
system access and usability needs.
pfSense Firewall
OpenVAS
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including:
a. screen captures of the following steps: Part 2, Steps 6, 9, 16, and 23,
b. DCE Services Enumeration research from Part 2, Step 11;
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.
The following are the evaluation criteria for this lab that students must perform:
1. Describe the steps of a Penetration Test. - [30%]
2. Perform a Penetration Test against a system which is behind a pfSense firewall. - [50%]
3. Discuss measures that can be taken to harden a target against attacks while balancing
system access and usability needs. - [20%]
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 "Student Landing" workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
1. Double-click the pfSense Firewall icon to open the firewall configuration in an Internet
Explorer window.
2. Click OK to accept the default credentials and open the pfSense Firewall application.
Figure 2 pfSense firewall overview
3. Select Firewall > Rules from the pfSense toolbar.
4. Click the LAN tab to validate the existing firewall rules meet the following criteria.
o Allow File Transfer Protocol (FTP) so that users can send files back and forth
o Allow Domain Name Service (DNS) so that users can type URLs, instead of
requiring them to know specific IP addresses of any Web sites they wish to visit
o Allow email to be received to/from anyone, specify the port range as that used by
the Simple Mail Transfer Protocol (SMTP)
o Allow Post Office Protocol, version 3 (POP3) so that users can retrieve email
from the server
o Allow Secure Shell (SSH) so that the email server can be remotely managed by a
secure command line interface (SSH is quickly replacing TELNET for this
purpose).
o Allow Internet browsing using the HTTP protocol
o Allow secure Internet browsing using the HTTPS protocol
o Allow Internet Control Message Protocol (ICMP) messages, such as the PING
diagnostic message
Figure 3 pfSense firewall rules
5. Minimize the pfSense Firewall window.
Note: As you just verified, the pfSense Firewall has been configured as shown in the
following figure. Remember that this information is available to you because you are the
defender of the information system you are testing. If you were an actual attacker, you
would not have access to this information and you would have to use some alternate
means (reconnaissance) to gain access to it.
Figure 4 Lab configuration
The security industry is adopting what it calls the attacker kill chain to describe the process of
an attack. Reconnaissance can use a combination of technical and social engineering approaches
and leads to the weaponization of specific tools, such as spear-phishing emails or mobile apps. In
the delivery phase, often left to specialists, the malicious software is delivered to the
intended victim or victims. Often a pen test is a precursor to delivery. Next is the exploitation
phase, in which the attack is unleashed. Most modern attacks have a C2, or command and control,
component, during which, at minimum, the results of exploitation are reported, but which can also
include additional targeting and tasks. Certain disruptive software does not have a C2 phase,
such as malware intended to operate without reporting results or requesting additional direction
from an outside source.
During the final phase, extraction, logs may be modified, malicious software may "self-destruct"
to avoid detection, or other steps may be taken. In a strange egomaniacal twist, it has also become
common practice for attackers to leave some sort of indication that they were present, often as a
dare to defenders and/or law enforcement but often in an attempt to redirect blame to other parties.
Figure 5 Attacker kill chain
Automated tools, such as OpenVAS or the Retina Network Security Scanner, can be used to
perform the vulnerability assessment portion of a penetration test. In the next step you will use
OpenVAS to check for any vulnerabilities in the virtual environment and then craft a plan to
reduce or eliminate those vulnerabilities hopefully without creating new ones.
1. Double-click the OpenVAS Web icon to start the OpenVAS application. The Greenbone
Security Assistant will open in a new Internet Explorer tab.
The OpenVAS server takes several minutes to initialize. Do not click any other buttons;
you will be prompted for a password when the server is ready.
2. When prompted, type the following credentials and click Login to open the Greenbone
Security Assistant window.
o Username: openvasadmin
o Password: pass
Figure 6 Greenbone Security Assistant
3. In the IP address or hostname box under the Quick Start section of the page, type
192.168.16.15 (the IP address for the Windows 2008 Server on Network 2) and press
Start Scan.
When the scan is completed, you will see a blue Done button in the Status column of the
table. The scan can take several minutes to complete. You can manually refresh the page
during this time, or set the page to automatically refresh.
Figure 7 Scan 192.168.16.15
4. In the Tasks header, select Refresh every 10 Sec from the first drop-down menu and
click the Set Button (green refresh arrows button) to its right.
Figure 8 Refresh the screen
5. When the scan completes, click today's date in the Reports table on the main screen,
which corresponds to the scan you just ran, to open the Reports Summary.
Note: At this point of your review, the Report Summary simply tells you that the tool has
identified medium- and low-ranked vulnerabilities. You will explore these findings later
in this lab. Security analysts use this type of report to compare the findings of several
scans over time.
6. Make a screen capture showing the number of Medium and Low security issues
found on the Reports Summary and paste it into your Lab Report file.
7. Use the scrollbar to locate the Results Filtering portion of the report.
Note: The results can be filtered a number of different ways. This is less important for
this lab, where you are scanning one IP address with a minimum of ports and there are
only a minimum of results, but it can be a significant time saver when a specific
vulnerability is being searched for.
Figure 9 Result Filtering for scan of 192.168.16.15
8. Use the scrollbar to locate the Filtered Results portion of the report.
Note: In the Results Filtering portion of the report, the findings are sorted by port and
then threat in ascending order. Notice that the port summary above the first vulnerability
in the report includes port 135 indicating that the first vulnerability, or set of
vulnerabilities, is related to Windows Client Server communication. The detailed
summary information that follows this summary table provides a plain-English high-level
description of the problem as well as a hint at the solution (which in this case is to filter
port 135).
Figure 10 First detailed security issue
9. Make a screen capture showing the security issues reported for 192.168.16.15 and
paste it into your Lab Report file. You may need to make multiple images to capture the
entire summary.
Note: Because the virtual Workstation has no direct Internet connection, in the next
steps, you will explore the threats identified by OpenVAS using your own computer's
Internet connection.
10. On your local computer, open a new Internet browser session.
11. From your favorite search engine, search for DCE Services Enumeration (the first
security issue identified by OpenVAS) to determine why port 135 should be filtered and
document this information in your Lab Report file.
12. On the vWorkstation, click the firewall.local tab in the Internet Explorer window.
Recall that the first pfSense firewall rule in the existing configuration is a default permit
(allow any) rule.
Figure 11 Default permit rule
13. Click the Default LAN -> any checkbox and click the Delete button to remove that
firewall rule.
Figure 12 Delete Default permit rule
14. When prompted, click OK to confirm the change.
15. Click the Apply changes button.
Figure 13 Apply changes
16. Make a screen capture showing the modified firewall rules and paste it into your Lab
Report file.
17. Click the Greenbone Security Assistant (OpenVAS) tab in the Internet Explorer
window.
18. Click the Greenbone Security Assistant logo at the top of the page to return to the home
page.
19. In the OpenVAS Tasks table, click the start icon (green arrow) to re-start the scan of
192.168.16.15.
Figure 14 Re-start the scan
20. Repeat step 4 to automatically refresh the screen.
Note: Vulnerability scanning and penetration testing are excellent security controls, but
you should always rescan a system or network to validate changes. It is also important to
rerun a vulnerability scan after patching programs or closing vulnerabilities, because in
closing some you may have opened others.
When the scan is complete, note that the Trend arrow points down, indicating that
fewer vulnerabilities were found in this scan than in the last one.
Figure 15 Trend indicator
21. When the scan completes, click today's date in the Reports table on the main screen,
which corresponds to the scan you just ran, to open the Reports Summary.
22. In the Reports Summary, note the number of Medium and Low security issues found.
23. Make a screen capture showing the number of Medium and Low security issues
found on the Reports Summary and paste it into your Lab Report file.
24. Use the scrollbar to locate the Filtered Results portion of the report.
Notice that the threat on port 135 is no longer an issue because of the changes you've
made to the firewall rules.
25. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.
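The Results Filtering step and the rescan-to-validate note above can be reproduced outside the GSA interface by working on the exported XML report. The following added example (not part of the lab kit or of OpenVAS) filters a report by threat level and port, sorted by port and then threat as the lab describes, and diffs a before and after report so that the "closed", "new" and "unchanged" findings are listed explicitly rather than inferred from the trend arrow. The XML is a constructed, trimmed imitation of the result elements in an OpenVAS/GMP report; the result ids, the OIDs and every NVT name other than DCE Services Enumeration are placeholders, not real identifiers.

```python
"""Filter an OpenVAS XML report and diff two reports to confirm what a
firewall change actually closed. Added example for this lab; not part of
the lab kit or of OpenVAS. Sample XML below is constructed: ids, OIDs and
most NVT names are placeholders, and the element set is trimmed."""
import xml.etree.ElementTree as ET

THREAT_RANK = {"Log": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed: scan taken with the pfSense "Default LAN -> any" rule in place.
REPORT_BEFORE = """<report>
<results>
 <result id="r1"><name>DCE Services Enumeration</name>
  <host>192.168.16.15</host><port>135/tcp</port><threat>Medium</threat>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900001"/></result>
 <result id="r2"><name>SMB server type detection</name>
  <host>192.168.16.15</host><port>445/tcp</port><threat>Low</threat>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900002"/></result>
 <result id="r3"><name>Services</name>
  <host>192.168.16.15</host><port>135/tcp</port><threat>Log</threat>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900003"/></result>
</results>
</report>"""

# Constructed: rescan after the default-permit rule was deleted. Port 135 is
# now filtered; one new Low finding is included to show that a rescan can
# also surface something the earlier scan did not report.
REPORT_AFTER = """<report>
<results>
 <result id="r2"><name>SMB server type detection</name>
  <host>192.168.16.15</host><port>445/tcp</port><threat>Low</threat>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900002"/></result>
 <result id="r4"><name>NetBIOS name query</name>
  <host>192.168.16.15</host><port>137/udp</port><threat>Low</threat>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900004"/></result>
</results>
</report>"""


def parse_results(xml_text):
    """Return one dict per <result> with the fields the report summary shows."""
    root = ET.fromstring(xml_text)
    out = []
    for r in root.iter("result"):
        nvt = r.find("nvt")
        out.append({
            "id": r.get("id"),
            "name": (r.findtext("name") or "").strip(),
            "host": (r.findtext("host") or "").strip(),
            "port": (r.findtext("port") or "").strip(),
            "threat": (r.findtext("threat") or "").strip(),
            "oid": nvt.get("oid") if nvt is not None else "",
        })
    return out


def port_number(port):
    """'135/tcp' -> 135; non-numeric ports such as 'general/tcp' sort last."""
    num = port.split("/")[0]
    return int(num) if num.isdigit() else 65536


def filter_results(results, min_threat="Low", port=None, host=None):
    """Mimic Result Filtering: keep findings at or above min_threat, optionally
    restricted to one port or host, sorted by port then threat ascending."""
    floor = THREAT_RANK[min_threat]
    kept = [r for r in results
            if THREAT_RANK.get(r["threat"], 0) >= floor
            and (port is None or r["port"] == port)
            and (host is None or r["host"] == host)]
    return sorted(kept, key=lambda r: (port_number(r["port"]),
                                       THREAT_RANK.get(r["threat"], 0)))


def finding_key(r):
    # Same NVT on the same host and port counts as the same finding.
    return (r["host"], r["port"], r["oid"])


def diff_reports(before, after):
    """Which findings disappeared, appeared, or persisted between two scans."""
    b = {finding_key(r): r for r in before}
    a = {finding_key(r): r for r in after}
    return {
        "closed": [b[k] for k in b if k not in a],
        "new": [a[k] for k in a if k not in b],
        "unchanged": [a[k] for k in a if k in b],
    }


def trend(before, after):
    """Crude stand-in for the GSA trend arrow: count Medium-or-worse findings."""
    def medium_plus(rs):
        return sum(1 for r in rs if THREAT_RANK.get(r["threat"], 0) >= 2)
    sb, sa = medium_plus(before), medium_plus(after)
    return "down" if sa < sb else "up" if sa > sb else "same"


if __name__ == "__main__":
    before, after = parse_results(REPORT_BEFORE), parse_results(REPORT_AFTER)
    for r in filter_results(before, min_threat="Low"):
        print(f"{r['port']:>8} {r['threat']:<7} {r['name']}")
    delta = diff_reports(before, after)
    print("closed:", [r["name"] for r in delta["closed"]])
    print("new:   ", [r["name"] for r in delta["new"]])
    print("trend: ", trend(before, after))
```

Feed it a real report exported from GSA (Reports, then the XML download) and the diff output is the evidence to paste into the Lab Report: the port 135 findings land in "closed", and anything in "new" is exactly the case the note warns about, a change that closed one exposure and surfaced another.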
Overview
In this lab you began by configuring a pfSense firewall. You then analyzed the vulnerabilities
and potential attack strategies against the firewall and a server which is on Network 2, beyond
the firewall from your attack position. If assigned by your instructor you performed an additional
vulnerability scan and researched the details and possible threats of the vulnerabilities.
Reconnaissance
Exploitation
Weaponization
System Hardening
3. Time and dollar budgets permitting, it is beneficial to run more than one vulnerability
scan because different vulnerability scanners may get different results. True or False?
6. Network 1, including the host connection for the firewall, is a part of the _________
Class C or CIDR /24 subnetwork.
1. The first part of the lab will focus on social engineering. By following the sample attack,
you will learn many of the ways in which information can be gathered from a subject, or
subjects, and combined for either real-world or cybercrimes.
2. The second part of the lab will concentrate on reverse social engineering. By following
the example provided, you will learn the importance of open source intelligence in
designing a reverse social engineering attack.
3. Finally, if assigned by your instructor, you will do further research on the technical
aspects of the attack plan and develop a social engineering campaign against a target.
This lab is a paper-based lab and requires the use of the Virtual Security Cloud Lab (VSCL) only
to access the relevant documents.
Learning Objectives
Upon completing this lab, you will be able to:
1. Recognize some of the key characteristics of a social engineering attack.
2. Identify some of the key signs of a reverse social engineering attack.
3. Describe the differences and similarities of an attack of convenience and a targeted
attack.
4. Implement countermeasures to social and reverse social engineering attacks.
None
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1, Steps 7, 12, 15,
18, and 22;
2. Lab Assessments file;
3. Optional: Challenge Questions answers and a sample open source intelligence plan if
assigned by your instructor.
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
cracking safes, and driving get-away cars. The same sort of specialization is happening in
cyberspace.
In Part 1 of this lab, you will be shadowing a cybercriminal specializing in social engineering
techniques. You will follow the steps in the lab to discover just how he gathers the information
he needs to develop an attack on the targeted company. The documents required for this lab are
located on the vWorkstation desktop. To get the most out of the lab, do not read ahead: stop and
execute each step as instructed. Each section shows a series of vignettes which may be
successful in and of themselves or may be woven together with other social and reverse social
engineering methods, and possibly technical hacking, to represent an entire campaign against
the target.
While the scenario in this lab targets a fictitious company and simulates the information
gathering phase of the hacking process, the steps described are typical of the real-world.
Your cybercriminal mentor has informed you that the targeted company for this attack is an
organization called Global Enterprises, Inc., located in Dalton, Georgia. You have been hired to
collect enough information to enable an attack on their email system. Though you anticipate that
the email server will be protected by a firewall, you don't know what firewall or what type of
email server.
The first step in this reconnaissance mission is to conduct a simple Internet search to find the
correct target company. The easiest things are frequently overlooked by highly technical hackers:
most enterprises try to get a URL that is some variation of their name. Your mentor knows better
and types www.globalenterprises.com into his browser.
1. Double-click the website.pdf icon on the vWorkstation desktop to see the result of the
browser search.
Figure 2 Global Enterprises home page (Photo copyright MIXA next/Thinkstock)
Note: Remember, the only things we know about the target are the name and location.
The home page of this Web site confirms that the name of the company is the same as the
targeted company, but it doesn't provide the location. Further research is required. Your
mentor informs you that most companies list addresses and phone numbers on the
Contact Us page, so that's the next step.
2. Close the website.pdf file.
3. Double-click the contact.pdf icon to open the Contact Us page.
Figure 3 Global Enterprises Contact Us page
Note: Because of the relatively small size of Dalton, Georgia and the reassurance you
gained from the fact that the company's name appears in the URL, you can be fairly
confident that this is the correct Global Enterprises, but it may be wise to double check
with the client.
You might be tempted to take time to guess at what the client might want to accomplish
with an attack on the email system of an engineered flooring company based in north
Georgia: Are they a competitor who wishes to get inside information? Do they want to
exfiltrate intellectual property such as manufacturing methods or customer lists, or
information to support, or derail, an upcoming merger? Is there a financial or personal
motive? In the end, as a professional hacker, you don't really care: you are being hired
to provide information which can be used by others to mount the attack, so the "why" is
interesting, but not important.
What is important, then, is to learn as much as possible about the target.
4. Close the contact.pdf file.
Note: A general Internet search using Google, Bing or some other search engine returns
thousands of references, most of which refer to some other Global Enterprises, but don't
refer to the target Global Enterprises, so you must keep looking.
Perhaps you could find information about employees of the company. Start by checking
the email address format for the target company, Global Enterprises. The Contact Us
page on the company's Web site lists an email link as sales@globalenterprises.com,
rather than sales@gobal-enterprises.com, or some other variant. This is as you would
expect from inspecting the site's URL but, as usual, it is good to verify the information
and avoid a waste of time and effort.
You might think that you could just type "@globalenterprises.com" into your search
engine as a starting point for your search, but that does not work: the major search
engines do not treat email addresses as searchable terms (the @ is dropped from the
query), so you must take another approach.
One thing to consider, but which is beyond the scope of this exercise, is the hacking of
Google itself or of purchasing lists that are the result of hacking Google or other email
collection efforts, known as harvesting. Hacking Google itself is very risky and could
lead to jail time faster than hacking other sites due to Google's investment in security and
legal action. However, purchasing bulk mailing lists from organizations that sell such
things openly on the Internet and searching the doc or txt files that you have purchased
may yield the results for which you are looking at a very low price.
Another common source of information is a domain name registration lookup service, such as
whois.net. These sites, and there are dozens of them, have provided a lot of useful
information in the past, so that's the next step. Newer registrations are often
privacy-protected, but older registrations can yield technical and administrative contact
names, addresses, phone numbers, and a host of other details that can be very useful in
putting together a very effective social engineering campaign.
5. Double-click the whois.pdf icon to see the whois.net results for Global Enterprises.
search criteria you entered eliminated anyone who works for any Global Enterprises
located anywhere other than Dalton or North Georgia, even if they are working at a
different location of the same target company. For this hacking assignment, you would
not consider them good candidates for an attack if they are located elsewhere.
Your mentor helps you determine which of the employees in the search research might be
good candidates for further research. Remember, the information you are looking for:
anything about the firewall or email server that Global Enterprises is using.
Anne Lawrence: Because she is in HR recruiting, she might know the information you
need, and because her job involves talking to people, she might be open about revealing
the information if you approach her in the right manner. She is your number one
candidate right now.
Steve Burns: Steve is a project manager and PMP (Project Management Professional)
who previously worked at Rich's Department Stores which means that he is probably
more of a physical project manager, not an IT person, so does not move to the top of your
list.
Ravi Purim: Mr. Purim is not a current employee and he was a high-level executive
when he did work at Global Enterprises. Best not to include him in your list; he will not
easily give up the information you need.
Heath Andreeson: As Assistant Director of Systems Development, he makes a great
candidate. He probably knows what we want to know and there are a number of ways
you might be able to approach him to obtain the information with or without his
knowledge; however, he was formerly with the Los Angeles Police Department. Without
knowing what his role was in the police department, you will need to investigate further.
If he was ever a law enforcement officer, as opposed to a civilian support person, he
might be trained in detecting deception, even over the telephone or via email, and has a
high chance of seeing through our true intentions. Keep him on the list, but continue
seeking a better candidate.
LouAnne Garfinkle: She is Director of Global IT and Global Enterprises is small
enough that she probably knows what we need to know. Because this job is a promotion
from her previous position at Rugs-R-Us as Assistant Director, you can assume that was
her goal in leaving Rugs-R-Us. In addition, her name is relatively unique, so it will be
easier to find her in subsequent Internet searches. She has just moved to number one in
your list of possible candidates.
Bryan Smythe: As a director of business development, he is further removed from the
information you need, and with a common name, he is added to the bottom of your list.
So now you know that the best option for your social engineering attack on Global
Enterprises is LouAnne Garfinkle with Anne Lawrence a close second. You need to find
out a little more about LouAnne, so you decide to view her GetConnected profile.
Note: What else can LouAnne's blog tell us? The rest of LouAnne's blog is a treasure
trove of open source intelligence. Other blog entries reveal additional technical details
and specific problems she has had with the software and how most of those problems
were fixed. She even lists user group meetings and conferences she will be attending,
and, best of all, those at which she will be speaking! Even people who should know
better, are not always aware of the trail they leave behind. They leave traces of
information behind in a variety of places never thinking that someone else might be
trying to connect the pieces together. Information gathering is often as simple as
following the breadcrumbs.
Sometimes a simple Internet search is the best approach. In this case, you could search
for "LouAnne Garfinkle and Global Enterprises", or variants of her possible email
address, such as "lgarfinkle" or "lagarfinkle". The search would likely result in a large
amount of unrelated results, but could provide some open intelligence hits, especially for
someone you already know has a Web presence via her own blog and speaking
engagements. Be especially aware of hits related to technical support Web sites since the
questions and answers she might have posted on those sites might be very revealing.
Another approach is to concentrate on personal details, such as hobbies, family and other
personal interests revealed in a blog, that might become very useful in building a targeted
social engineering campaign, spear phishing emails, or even direct contact via
telephone or in person. Depending upon your client's budget, the sky is the limit
for data mining, and LouAnne Garfinkle is only one of several Global Enterprises
employees who may be good targets for gathering intelligence about the company.
No matter which approach you follow, you certainly know a lot more than you did before,
with no intrusive hacking and little likelihood that you will be detected in any way. In
the worst case, your browser history will give you away, but a quick scrub of the
browser's cache and history will alleviate that problem. Secure storage and ultimate
destruction of your screen captures will remove the remaining forensic evidence.
information or to get the subject to take some action that causes the desired information to be
revealed. A subset of social engineering, called reverse social engineering, instead sets up a
set of circumstances that cause the subject to approach the social engineer and volunteer
the desired information.
In Part 2 of this lab, you will see how your hacking mentor used a common reverse social
engineering technique to obtain more information from LouAnne Garfinkle. After studying
LouAnne's GetConnected profile, your mentor made an educated guess that LouAnne might
have left her old job (Assistant Director of IT) for her new job (Director of Global IT) for a
promotion. He has also guessed that visibility and responsibility were more important to her than
salary, as long as salary was similar. Based on this very simple psychological profile, and
knowing that LouAnne has already been in her current job since 2009, your mentor thinks
LouAnne might be in the market for another promotion. He places an ad in several newspapers
near Dalton, Georgia, to see if LouAnne Garfinkle will respond.
Figure 8 Ad used to lure LouAnne Garfinkle
1. Double-click the ad.pdf icon on the vWorkstation desktop to view the details of the job
ad.
2. Close the ad.pdf file.
Note: So, did this ruse work? Like a charm. LouAnne not only responded to the ad, but
she submitted her resume via email as requested and went through what seemed to be a
normal hiring process. LouAnne participated in a number of phone interviews with the
"VP of Global IT" for the hiring company, the person whom she would replace if she was
the successful candidate. During these interviews LouAnne unwittingly revealed a great
deal of very specific information about the technology in place at Global Enterprises,
information that would have been very difficult to get any other way. The final interview
was held at a downtown hotel with a "corporate recruiter" because, as LouAnne was told,
the prospective employer did not want to reveal its identity for reasons of confidentiality,
but LouAnne was assured that any job offers would come directly from the company.
Three days later LouAnne was contacted by the "recruiter" and was let down easily. She
was told that the individual whom she was to replace had decided to put off retirement for
another year, but that she impressed everyone throughout the interview process and could
expect a call within the year.
LouAnne didn't realize it but all phone interviews were conducted with your hacking
mentor using burner cell phones that were discarded after the desired information was
obtained. The email address she submitted her resume to was an anonymous account,
which she was told was being directed to the recruiter's private account because the
hiring company wanted confidentiality until the final candidate was offered a job.
How can an organization guard against social engineering and reverse social
engineering? The answer is awareness training and constant vigilance, but that does not
come without a price. An organization must be very careful that the awareness training
initiatives, including the use of formal classes, posters, rewards for leads on intellectual
property leaks, and occasional internal news stories of how social engineering could
happen even within the company, do not curtail or destroy the cooperation and teambuilding that the organization strives so hard to build. It is a tough balance but one that
organizations can achieve with a strong program that defines clearly what is acceptable
and what is not, does so in writing, and asks the employee to acknowledge in writing, at
time of hire and annually thereafter, that they have read, understand and will abide by the
rules. It is also important for an organization to be prepared to enforce the policy by
terminating employees, contractors, and subcontractors who do not abide by the policy.
3. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.
Overview
In this lab, you followed a social engineering scenario. You acted as a cybercriminal and used
social engineering techniques to gather enough information to develop an attack on a targeted
company. You learned the importance of open source intelligence in designing a reverse social
engineering attack.
3. What is the current version number of the firewall software used by Global Enterprises?
6. Which Global Enterprises employee used to work for the Los Angeles Police
Department?
8. Job applicants often feel as if the job description were written especially for them; in
LouAnne's case that was true. Briefly describe what elements of the job ad from Part 2 of
the lab might appeal specifically to LouAnne Garfinkle.
9. What is the difference between social engineering and reverse social engineering?
a. Social engineering is used in the real world. Reverse social engineering is used in
the cyber world.
b. Social engineering is used on most people. Reverse social engineering is used on
people with specialized law enforcement training.
c. In social engineering the con artist goes to the target, in reverse social engineering
the con artist gets the target to come to them.
d. In social engineering email is taken from the subject, in reverse social engineering
the subject is sent email or SPAM.
e. Only script kiddies do social engineering, Reverse social engineering is done by
professional cyber criminals.
10. What is the top objective of an anti-social engineering campaign within an organization?
a. Penalties
b. Awareness
c. Spying on co-workers
d. Spying on bosses
e. Spying on subordinates
f. All of c-e above
penetration test to ascertain the likelihood and impact of a potential breach. Any changes to the
configuration should be applied uniformly to all VPN connections within the organization.
In this lab, you will configure the server side of the Linux Debian Openswan VPN. Only
someone with security knowledge and an understanding of the organization's operating
environment can properly protect the network's resources. Once the server side of the VPN is
configured, the systems operational personnel can apply the configuration to the client devices,
reboot both machines, and test the VPN connection. You will configure the other side of the
VPN in the Configuring the Linux Debian Openswan VPN: Client Side lab later in this lab
manual.
This lab has two parts which you should complete in order.
1. In the first part of the lab, you will configure the server side of a Linux Debian Openswan
VPN.
2. Finally, if assigned by your instructor, you will explore the virtual environment on your
own in the Challenge Questions section of the lab and use the skills you learned in the lab
to and practice a basic, but important, skill required of systems operators and security
analysts and engineers alike.
Learning Objectives
Upon completing this lab, you will be able to:
1. Configure the server side of a Linux Debian Openswan VPN.
2. Describe the advantages and disadvantages of different VPN configuration options.
3. Discuss how to prevent attacks against data in transit using a properly configured VPN.
PuTTY
Openswan VPN
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
Lab Report file including screen captures of the following steps: Part 1, Step 49;
A completed Openswan Host-Host Configuration your name.xlsx file;
Lab Assessments file;
Optional: Challenge Questions file, if assigned by your instructor.
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 "Student Landing" workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
configure the Openswan VPN. In the next steps, you will use PuTTY, a terminal emulator, to
connect to the remote server over SSH. PuTTY is used in this lab, but any SSH client will
yield the same results. It is also possible to log on to the VPN server directly at its console.
Figure 2 Virtual lab configuration
1. Double-click the putty.exe icon on the vWorkstation desktop to open the application
window.
2. In the Host Name box, type 172.30.0.100 (the IP address of the Linux Debian Openswan
VPN server).
Figure 3 PuTTY Configuration dialog box
3. If necessary, click the SSH radio button to use a Secure Shell (SSH) connection.
4. Click Open to complete the connection.
5. Log in to the server using the following credentials.
o Login: student and press Enter.
o password: type ISS316Security and press Enter.
You are now logged into Debian Linux as the student user. To configure the
Openswan VPN, you need root (superuser) privileges, which you obtain with su.
6. Log in to the server using the super user credentials.
7. At the prompt, type su and press Enter.
8. When prompted for a password, type toor and press Enter.
You are now logged into the Linux Debian machine with super user access.
Note: The Openswan software has already been installed on the server by the system
administrator. In the next steps, you will use the ipsec verify command to confirm that
IPsec is properly installed and working, use the ipsec whack command to check for any
existing VPN tunnels, and then update the ipsec configuration file.
9. At the prompt, type ipsec verify and press Enter.
A cursory glance shows that the results of the ipsec verify command are mostly [OK]
with no [FAILED] entries, which is good. The IPsec Verify sidebar explains
each check in detail.
Figure 4 Results of ipsec verify command
IPsec Verify
The ipsec verify command is used to confirm that the ipsec is active and communicating
properly. The following table describes each of the checks that the command performs.
Check performed: Description of results

Version check and ipsec on-path: The version of IPsec is correct (or at least consistent with the
rest of the installed modules), and the IPsec software components are where they are supposed
to be.

Linux Openswan U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64 (netkey): Openswan is installed with the
NETKEY IPsec protocol stack. This check reports one of two stacks: NETKEY, the kernel's native
XFRM-based stack, or KLIPS, the older stack inherited from FreeS/WAN. Each has its own
advantages and disadvantages; NETKEY is the default and is the stack the virtual lab uses.

Checking for IPsec support in kernel: The running kernel has IPsec support built in.

SAref kernel support: Support for Security Association references (SAref) is not
applicable for this NETKEY installation.

NETKEY: Testing XFRM related proc values: The XFRM (transform) settings that provide policy
management and enforcement for establishing and operating Security Associations (SAs) are
working properly.

Checking that pluto is running: The daemon that performs the Internet Key Exchange (IKE)
functions, pluto, is running.

Pluto listening for IKE on udp 500: Pluto is listening for IKE requests on UDP port 500.

Pluto listening for NAT-T on udp 4500: Pluto is listening for Network Address Translation
Traversal (NAT-T) on UDP port 4500.

Checking for 'ip' command: The ip command is operational.

Checking /bin/sh is not /bin/dash: Openswan's helper scripts rely on a bash-compatible
/bin/sh; this check confirms that /bin/sh is not dash.

Checking for 'iptables' command: The iptables command, which configures IPv4 packet
filtering rules, is operational. (The equivalent command for IPv6 is ip6tables.)

Opportunistic Encryption Support: Opportunistic Encryption (OE) begins the connection
negotiation with encrypted messages, but if those messages are not answered, or not answered
properly, the fallback is unencrypted communication. In this configuration OE is disabled,
so the systems must use the configured, encrypted negotiation to establish a connection.
Note: Next you will use the ipsec whack --status command to display the status of the
IPsec installation and verify the state of any existing tunnels before configuring a VPN
tunnel. Tunnels can be keyed manually (static keys and SPIs written into the configuration
by hand) or automatically (keys negotiated by the pluto IKE daemon). Manual keying gives the
security engineer direct control over every parameter, but it is error prone, never rekeys,
and leaves long-lived secrets on both hosts. In Openswan the automatic (IKE) approach is the
recommended one, and that is the approach you will use in this lab.
Before beginning the configuration process, there is one more very serious security
consideration. What if you inadvertently make a configuration change, select a
configuration option improperly, or select an option properly but document it
improperly? Any of these could cause the two systems to stop communicating with each
other, the IT equivalent of locking your keys in the house. If you had left the back door
unlocked or hidden a key under the mat, you could still get in, and you can do the same
thing in an IT setting if you don't mind the system being less secure (a separate
out-of-band management connection is the usual compromise). In most cases, however,
systems are most secure if either two people with administrative rights are physically
seated at the local and remote keyboards, one at each, or both systems are brought to the
same place so that one person with admin rights has access to both. Either option is
valid, but the second approach is the most secure.
10. At the prompt, type ipsec whack --status and press Enter.
11. Use the scrollbar to scroll back to the top of the results.
The first part of the ipsec whack --status results confirms that NETKEY is used as the
protocol stack and explains how the interfaces are configured. The results also indicate
that debug mode is turned off.
Figure 5 Result of ipsec whack --status command (Part 1)
The second part of the ipsec whack --status results delineates which virtual private
networks are allowed and which are disallowed. The warning message here points out
that no virtual private subnets are disallowed. Pay close attention to the list of allowed
virtual private networks. fd00::/8 and fe80::/10 are allowed. These are IPv6 addresses,
whereas the others are IPv4 with Classless Inter-Domain Routing (CIDR) designations.
Figure 6 Result of ipsec whack --status command (Part 2)
The third part of the ipsec whack --status results lists every Encapsulating Security
Payload (ESP) encryption algorithm and ESP authentication (auth) attribute (attr) that the
installation supports. Each ESP encryption entry gives an id, the algorithm name, the
Initialization Vector length (ivlen), and the minimum and maximum key sizes (keysizemin and
keysizemax) allowed. The last authentication entry, id=251, is the null authenticator, with a
minimum and maximum key size of zero, which indicates no key at all; it provides no integrity
protection and should never be selected for a tunnel.
Figure 7 Result of ipsec whack --status command (Part 3)
The final part of the results shows the allowable Internet Key Exchange (IKE) algorithms.
First, you will see the encryption algorithms with their block size and key length. Next, the
results list the hash algorithms and hash size. The Diffie-Hellman groups and their modulus
bit lengths follow, and finally, database statistics are shown.
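Reading the algorithm lists is only useful if you act on them: the null authenticator, single DES, MD5 and a 1024-bit Diffie-Hellman group should not be negotiable on a tunnel you are about to configure. The following added example (not part of Openswan and not from the lab) parses status lines in the layout the text describes and flags the entries a reviewer would reject. The status excerpt is constructed: its ids, names and sizes follow the style of the real output, but the list is trimmed and should not be read as the lab server's actual inventory.

```python
"""Pick the weak entries out of the algorithm lists that `ipsec whack --status`
prints. Added example for this lab, not part of Openswan. WHACK_STATUS is a
constructed excerpt in the layout of the Openswan 2.6 status output; the
ids, names and sizes are illustrative and the list is trimmed."""
import re

WHACK_STATUS = """\
algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
"""

LINE_RE = re.compile(
    r"^algorithm (?P<family>ESP encrypt|ESP auth attr|IKE encrypt|IKE hash|IKE dh group): "
    r"(?P<attrs>.+)$"
)


def parse_algorithms(text):
    """One dict per algorithm line: the family plus its key=value attributes,
    with numeric values (id, key sizes, bits) converted to int."""
    algs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # interface, virtual_private and statistics lines are skipped
        entry = {"family": m.group("family")}
        for item in m.group("attrs").split(","):
            key, _, value = item.strip().partition("=")
            entry[key] = int(value) if value.lstrip("-").isdigit() else value
        algs.append(entry)
    return algs


def weak_algorithms(algs, min_dh_bits=2048):
    """Entries a reviewer would not want a tunnel to be able to negotiate."""
    findings = []
    for a in algs:
        name = str(a.get("name", ""))
        reasons = []
        if "3DES" in name:
            reasons.append("3DES: 64-bit block cipher")
        elif "DES" in name:
            reasons.append("single DES: 56-bit key")
        if "MD5" in name:
            reasons.append("MD5-based integrity")
        if name.lower() == "(null)" or a.get("keysizemax") == 0:
            reasons.append("null algorithm: no protection at all")
        if a["family"] == "IKE dh group" and a.get("bits", 0) < min_dh_bits:
            reasons.append(f"DH modulus below {min_dh_bits} bits")
        if reasons:
            findings.append({"family": a["family"], "id": a.get("id"),
                             "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for w in weak_algorithms(parse_algorithms(WHACK_STATUS)):
        print(f"{w['family']:<14} id={w['id']:<4} {w['name']:<28} {'; '.join(w['reasons'])}")
```

On the real server, run `ipsec whack --status > status.txt` and point parse_algorithms at that file. The list reflects what pluto can negotiate, not what your conn will use; the conn's ike= and esp= lines (set later in the configuration) are what pin the tunnel to the strong entries, and this check tells you which names to keep out of them.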
Note: While this spreadsheet does not include all possible configuration options, it does
include more options than you will need for this lab. The Options column includes the
configuration options for the commands generated by the worksheet. For any cell in the
Options column, click the arrow to display a drop-down menu of available options.
13. In cell C2 of the spreadsheet, type your own name, replacing the text already in that cell.
14. In cell D20, type 2 to identify the specification version that the file conforms to.
This statement is required in configuration files after version 1.
15. In cell D23, type %defaultroute to allow Debian to fill in the relevant IP addresses
when the configuration file is run.
If you were configuring a specific route, you would type the IP address for that route in
this cell.
16. In cell F24, type Y to exclude the klipsdebug configuration statement.
Unless asked to do so by a developer or security analyst, this command should not be
enabled.
17. In cell F25, type Y to exclude the plutodebug configuration statement.
Unless asked to do so by a developer or security analyst, this command should not be
enabled.
18. In cell D26, type /var/run/pluto to specify the dump directory.
Though not required, it is good practice to include a dumpdir statement.
19. Leave cell F27 blank to include the NAT traversal statement.
The statement is not required in the virtual lab because there is no Network Address
Translation gateway in the configuration, let alone one to be traversed. It is included in
the spreadsheet because it is common in most VPN configurations. This statement tells
Openswan to properly handle the unencrypted header information prepended to encrypted
IPSec packets that must traverse NAT gateways.
20. In cell D28, select auto to allow the protocol stack to be selected dynamically.
The NETKEY or KLIPS protocol stacks may be specified, or the protocol stack may be
selected dynamically. The default is NETKEY if no protostack= statement exists, if both
ends have protostack=auto, or if there is a conflict.
21. In cell C30, type %default to add the section title that begins the group of commands
that configures the Security Associations (SA), and their related tunnels for negotiating
key administration.
The second conn section, beginning in cell C42, creates the section title that begins the
group of commands that configures the actual tunnel between the Local/Left and
Remote/Right machines that is used to securely carry the user's information.
22. In cell C31, select ignore, the default auto configuration statement.
23. In cell C32, review the options in the cell's drop-down menu. The default authentication
method is RSA signatures (rsasig). Leave cell F32 blank to include the default statement.
Another option is to use Pre-Shared Keys (PSK) or a more sophisticated approach, such
as Rivest-Shamir-Adleman (RSA). Very often, PSK is chosen because it appears to be
easier to set up; however, a passphrase, or even a string of random keyboard characters,
used as a pre-shared key, can be cracked fairly easily with modern techniques and
hardware. On the other hand, RSA creates the keys using an algorithm that intentionally
creates keys that are much harder to crack. There are ways to make PSK more secure, but
in this lab, you will use RSA.
24. In cell C33, select 3des from the cell's drop-down menu to establish the desired IKE
ciphers. Leave cell F33 blank to include the command.
It is noteworthy that with Openswan's automatic configuration mode the Internet Key
Exchange (IKE) protocol is used to automate certain aspects of the set-up. The IKE
statement in cell A33 will include the options selected in the next two rows of the
spreadsheet, so selections made in those rows will change the statement in cell A33.
25. In cell C34, select md5 from the cell's drop-down menu to specify the IKE hash in cell
A33. In cell F34, the Y excludes a separate IKE hashes statement.
26. In cell C35, select modp1024 from the cell's drop-down menu to specify the IKE
pfsgroup in cell A33. In cell F35, the Y excludes a separate IKE pfsgroups statement.
27. In cell F36, type Y to exclude the Phase 2 algorithm statement.
28. In cell C37, review the options in the cell's drop-down menu. In cell F37, type Y to
accept any Phase 2 combinations and exclude a separate Phase 2 ciphers statement.
The Phase 2 statement will include the options selected in the next two rows of the
spreadsheet; however, in this lab, you will exclude these statements and accept any
default Phase 2 combinations.
29. In cell C38, review the options in the cell's drop-down menu. In cell F38, the Y excludes
a separate Phase 2 hashes statement.
30. In cell C39, review the options in the cell's drop-down menu. In cell F39, the Y excludes
a separate Phase 2 pfsgroups statement.
31. In cell F40, type Y to exclude the IKE key statement.
32. In cell C43, select 0.0.0.0 from the cell's drop-down menu to allow any address on that
side of the VPN to work with the VPN.
There are several options for handling the left IP address, as one can see by selecting the
drop-down menu in the Options column. If you wanted to enter a specific IP address,
select [ip address] from the drop-down menu in the Options column and type the IP
address in cell D43.
33. In cell D44, type 172.30.0.0/24, the subnet address for the Local machine, specified in
Classless Inter-Domain Routing (CIDR) notation.
34. In cell D45, type 172.30.0.2, the IP address of the Remote machine in Figure 9.
35. In cell D46, type 172.30.0.0/24, the subnet address for the Remote machine, specified in
Classless Inter-Domain Routing (CIDR) notation.
36. In cell C47, select tunnel from the cell's drop-down menu to establish a VPN tunnel as
the connection type. Leave cell F47 blank to include the command.
37. There is no Left RSA signature authentication key for this lab. In cell C48, select %none
from the cell's drop-down menu. Leave cell F48 blank to include the command.
38. There is no Right RSA signature authentication key for this lab. In cell C49, select
%none from the cell's drop-down menu. Leave cell F49 blank to include the command.
39. Select File > Save As from the OpenOffice menu. If necessary, click the Desktop icon,
select Microsoft Excel 97/2000/XP (.xls)(*.xls) from the Save as type drop-down menu,
type Openswan Host-Host Configuration your name in the File name box, and click
Save. When prompted, click Keep Current Format to close the popup message.
Replace your name with your own name.
Note: In the previous steps, the options you selected in the Openswan Host-to-Host
Configuration worksheet created a set of command lines in column A with the correct
spacing and syntax required to create an ipsec configuration file. The # signs indicate
comments and are not executed. The blank lines and white space are required and are
properly set-up. This approach is far more consistent and less error-prone than typing in
commands and then troubleshooting the results. Every organization should have some
procedures in place, whether an Excel spreadsheet, a word processing document or a
formal program that provides consistent guidance in the creation of the ipsec.conf file as
well as other important configuration files.
In the next steps, you will use the command lines you created in this worksheet to create
the ipsec.conf file. This file is found in the /etc/ directory.
40. Select cells A19 through A50 of the worksheet, right-click within the highlighted cells,
and select Copy from the context menu to copy the text to the system clipboard.
Figure 11 Highlighted command lines in the configuration worksheet
41. Minimize the OpenOffice window.
Note: In the next steps, you will save a copy of the existing ipsec.conf file before editing
it using the vi editor, a standard text editor that ships with Debian 7. Other text editors will
work as well, but you will use the vi editor in this virtual environment.
You may get additional help with the configuration at any time by using the command
man ipsec.conf at the command line in the PuTTY window. A cheat sheet of vi
commands is also available on the virtual desktop. If necessary, type :q! and press Enter
at the vi command prompt to exit the editor without saving your changes and return to the
command prompt.
42. Click anywhere in the PuTTY window to activate it.
43. At the prompt, type cp /etc/ipsec.conf /etc/ipsec_conf.old and press Enter to save a
copy of the existing configuration file.
It is good practice to save a copy of the existing file before you begin editing in case you
need to restore the original. In this virtual lab, this step is added only as a reminder.
44. At the prompt, type vi /etc/ipsec.conf and press Enter to open the existing configuration
file in the vi editor.
45. At the prompt, type A to enter the append mode and move the cursor to the end of the
current line.
46. Right-click to paste the copied text from the configuration worksheet.
Figure 12 Text copied from configuration worksheet
47. Press Ctrl+C twice to leave the append mode and return to the vi command prompt.
48. Expand the PuTTY window as necessary to see the entire contents of the configuration
file.
49. Make a screen capture showing the entire contents of the configuration file and paste it
into your Lab Report file.
50. Type :x and press Enter to save your changes, exit the editor, and return to the Linux
command prompt.
51. In the PuTTY window, type exit and press Enter to exit superuser root access, and type
exit and press Enter again to close the terminal emulator.
Note: The server side of the VPN tunnel is now configured. In order to test the
connection the other end of the VPN connection must be configured and Openswan must
be restarted on both machines in order for the configuration changes to take effect. The
other end of the connection will be configured in a separate lab, Configuring a VPN
Client for Secure File Transfers.
52. Maximize the OpenOffice window and close the application.
53. Click Save when prompted to save your changes.
54. Click the File Transfer button on the vWorkstation desktop to transfer the Openswan
Host-Host Configuration your name file from the virtual desktop to your local
computer for your own future use.
Note: Refer to the Preface of this lab manual for more detailed instructions on the File
Transfer process.
55. If desired, click the File Transfer button on the vWorkstation desktop to transfer the VI
Cheat Sheet file from the virtual desktop to your local computer for your own future use.
56. Close the virtual lab, or proceed with Part 2 to answer the challenge questions for this
lab.
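One way to produce and check the ipsec.conf that steps 13 through 38 assemble, as an added Python example that is neither the lab's worksheet nor Openswan's own code. It renders the statements the worksheet would place in column A (a Y in column F drops a statement), reads the file back into sections the way Openswan's ipsec.conf(5) format is laid out, and lists the legacy IKE algorithms the lab selects. The conn name host-host and the line "version 2.0" are assumptions: the lab never names its second conn section and enters only 2 for the version.

```python
"""Render an Openswan ipsec.conf from worksheet-style choices and read it back.

Added example; not the lab's spreadsheet and not Openswan code. Section and
keyword names follow ipsec.conf(5); the values are the ones the lab steps
select. Assumptions: the conn name "host-host" (the lab never names its second
conn section) and "version 2.0" for the worksheet's version entry of 2.
"""

# Each row is (keyword, value, excluded). excluded=True mirrors typing Y in the
# worksheet's column F, which keeps the statement out of the generated file.
SETUP = [
    ("interfaces", "%defaultroute", False),   # let Debian fill in the addresses
    ("klipsdebug", "all", True),              # debug statements stay excluded
    ("plutodebug", "all", True),
    ("dumpdir", "/var/run/pluto", False),
    ("nat_traversal", "yes", False),
    ("protostack", "auto", False),
]
DEFAULT_CONN = [
    ("auto", "ignore", False),
    ("authby", "rsasig", False),
    ("ike", "3des-md5;modp1024", False),      # cell A33: cipher-hash;DH group
    ("phase2alg", "", True),                  # accept any Phase 2 combination
    ("ikekey", "", True),
]
HOST_CONN = [
    ("left", "0.0.0.0", False),
    ("leftsubnet", "172.30.0.0/24", False),
    ("right", "172.30.0.2", False),
    ("rightsubnet", "172.30.0.0/24", False),
    ("type", "tunnel", False),
    ("leftrsasigkey", "%none", False),
    ("rightrsasigkey", "%none", False),
]

# Algorithm names that are no longer considered adequate for IKE.
LEGACY_IKE = {"3des", "md5", "modp1024"}


def render_section(header, rows):
    """Emit a section header at column 0 and its statements indented by a tab."""
    lines = [header]
    for key, value, excluded in rows:
        if not excluded:
            lines.append(f"\t{key}={value}")
    return lines


def render_ipsec_conf(conn_name="host-host"):
    """Return the full file text, blank lines separating the sections."""
    lines = ["# /etc/ipsec.conf - generated from the configuration worksheet",
             "version 2.0", ""]
    lines += render_section("config setup", SETUP) + [""]
    lines += render_section("conn %default", DEFAULT_CONN) + [""]
    lines += render_section(f"conn {conn_name}", HOST_CONN)
    return "\n".join(lines) + "\n"


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {section: {keyword: value}}.

    A line starting in column 0 is a header ("config setup", "conn NAME" or
    "version X"); indented lines are keyword=value statements and must belong
    to a section. Text after # is a comment and is ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            if parts[0] == "version" and len(parts) == 2:
                sections["version"] = parts[1]
                current = None
                continue
            if parts[0] not in ("config", "conn") or len(parts) != 2:
                raise ValueError(f"bad section header: {line!r}")
            current = line
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"statement outside a section: {line.strip()!r}")
        key, sep, value = line.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed statement: {line.strip()!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def legacy_ike_algorithms(conf):
    """List the legacy algorithms named in the conn %default ike= proposal."""
    ike = conf.get("conn %default", {}).get("ike", "")
    tokens = set(ike.replace(";", "-").split("-"))
    return sorted(tokens & LEGACY_IKE)


if __name__ == "__main__":
    text = render_ipsec_conf()
    print(text)
    print("legacy IKE algorithms:", legacy_ike_algorithms(parse_ipsec_conf(text)))
```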
Overview
In this lab, you learned that a Virtual Private Network (VPN) is a private network that enables
remote users (for example, employees, suppliers, partners, and customers) to leverage the
inherently insecure public Internet to connect to an enterprise's private network resources in a
secure manner. To do this, companies create a secure tunnel from the client to the server and use
encryption to keep unauthorized parties from viewing or intercepting the data in transit. You
used a worksheet to guide your configuration decisions and created a new ipsec.conf file to
configure the server side of a Linux Debian Openswan VPN.
IPsec.conf file
Figure 14 Content of the new ipsec.conf file
A tunnel VPN, the most common type, encrypts and sends the content using a secure
path, or tunnel, between two points across an unencrypted network. Tunnel mode
encrypts the entire data packet including the headers and the payload.
A transport VPN encrypts the transported content, the data payload, but leaves the header
information, including IP addresses unencrypted. Transport mode is generally used when
both end points are known, for example in remote desktop services or terminal emulators.
A passthrough VPN, used primarily by small and home offices (SOHOs), enables the
VPN traffic to pass through the router. The traffic on a passthrough VPN is not
interpreted, decoded or encoded in any way.
A tunnel VPN establishes a secure information tunnel, rather than a physical tunnel, that uses a
sophisticated combination of encryption and authentication, most often via the IPsec protocol.
Although most VPN tunnels typically employ some encryption, they do not necessarily have to.
One example of a VPN tunnel that logically separates connections without using encryption is a
Multiprotocol Label Switching (MPLS) VPN in which labels are used to identify the contents of
a packet and allows the packet to use any transport protocol.
Another versatile feature of VPNs is that they may be implemented between endpoints which do
not share the same operating system or even the same VPN application software as long as they
use the same VPN protocol. This is similar to the way browsers communicate with web servers: the
browsers and web servers may be mismatched in a variety of ways, but as long as both ends
interpret HTML the same way, they will work just fine.
This lab, potentially, has three parts which should be completed in the order specified.
1. In the first part of this lab, you will configure the vWorkstation, a Windows Server 2008
machine, as a VPN client to connect to a Linux Debian Openswan VPN.
2. In the second part of this lab, you will use the Wireshark protocol analyzer to look at the
tunneled VPN traffic using the IPsec protocol, and compare it with the non-tunneled
traffic. You will look at the detailed packet interactions of the File Transfer Protocol
(FTP) and Secure Shell (SSH) protocol.
3. If assigned by your instructor, you will get some additional hands-on experience in a less
structured environment in the Challenge Questions section of the lab.
Learning Objectives
Upon completing this lab, you will be able to:
1. Recognize and explain the differences between secure and non-secure file transfers.
2. Determine the password and content of non-secure file transfers.
3. Configure a Windows Server 2008 VPN client to work with a Linux Debian Openswan
VPN.
4. Describe the differences between non-tunneled and tunneled connections.
5. Discuss the roles and functions of encryption, authentication and different elements of the
IPsec protocol, such as ESP and AH.
6. Explain different phases and modes of operation of the IPsec protocol.
Tools and Software
Openswan VPN
PuTTY
Windows Server
Wireshark
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1, Steps 39 and 55,
and Part 2, Steps 12, 38, 43, 53, and 62;
2. Lab Assessments file;
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 "Student Landing" workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
Note: In this part of the lab, you will use an IPsec configuration file to configure a VPN tunnel
between a Windows Server 2008 client machine and a Linux Debian Openswan VPN server.
Figure 2 VPN configuration diagram
The IPsec configuration file establishes all of the options used to configure the VPN tunnel on
the VPN server. It is considered a best practice in many organizations to document the
configuration of VPN connections, firewalls, and load balancers, using a configuration
spreadsheet, a manual checklist, or some other form of documentation, such as a printed copy of
the configuration file. In this lab, you will work from a copy of the IPsec configuration file
(ipsec.conf) provided by the security analyst or sysadmin of the Linux Debian VPN server to
configure the VPN client.
Following additional best practice protocol, the documentation version of the configuration file
has been named ipsec-debian-vpn.conf to better describe its contents. Many organizations also
include a version number and an implementation date in the file names.
1. Right-click the ipsec-debian-vpn.conf icon on the vWorkstation desktop to select it.
2. Click Open on the context menu.
3. When prompted, click the Select a program from a list of installed programs option
and click OK.
4. Click the Wordpad icon in the resulting window to select that program.
Note: Any text editor, such as Windows NotePad, or a word processing program can be
used to view *.conf files. Wordpad is used here simply because it is available on the
vWorkstation desktop.
5. Resize the Wordpad window to display the entire contents of the file and move the
application to the far right of the desktop as shown in the following figure.
Note: You will refer to this file throughout this part of the lab. Resizing the Wordpad
window keeps it in view as you proceed with the lab steps.
Figure 3 ipsec-debian-vpn.conf file displayed in Wordpad
6. Double-click the Network icon on the vWorkstation desktop.
Figure 4 Windows Network Window
7. Click the Network and Sharing Center link beneath the menu bar at the top of the
window.
Figure 5 Network and Sharing Center
8. Click the Set up a new connection or network link at the bottom of the window.
25. Double-click Internet Protocol Version 4 to open the Internet Protocol Version 4
(TCP/IPv4) Properties dialog box.
26. Click the Advanced button to open the Advanced TCP/IP Settings dialog box.
27. Click the Use default gateway on remote system checkbox to remove the checkmark.
Note: The Debian-VPN connection will not use a gateway on the destination machine or
network. The nat_traversal=yes statement in the configuration file indicates that the VPN
connection will not traverse a Network Address Translation gateway. Though not
detailed, the VPN configuration diagram in Figure 2 confirms this lack of a gateway
requirement.
Figure 13 Advanced TCP/IP Settings dialog box
28. Click OK to close the Advanced TCP/IP Settings dialog box.
29. Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.
30. Click the Security tab in the Debian-VPN Properties dialog box.
31. Click the Advanced settings button.
Note: In the ipsec-debian-vpn.conf file, the statement also=L2TP-PSK-noNat indicates
that this connection uses the Layer 2 Tunneling Protocol with Pre-Shared Keys.
32. In the L2TP tab, click the Use preshared key for authentication radio button.
Note: A preshared key is a passphrase that is shared by the security analyst or systems
administrator with anyone authorized to use the VPN. Often, these keys are a complex
series of upper- and lowercase letters, numbers, and symbols, making them difficult for a hacker to
guess. It is a best practice to copy and paste the pre-shared key to ensure that no
keyboarding errors are made in establishing the VPN client connection. In this case, the
preshared key is a simple phrase: this is the life.
33. In the Key box, type this is the life, the preshared key for this VPN connection.
Figure 14 L2TP Advanced Properties dialog box
34. Click OK to close the Advanced Properties dialog box.
Note: In the ipsec-debian-vpn.conf file, the statement pfs=no indicates that Perfect
Forward Secrecy is not required by the encryption methodology. The encryption
methodology in this case will be negotiated at time of connection and does not need to be
specified.
35. Select Optional encryption (connect even if no encryption) from the Data encryption
drop-down menu on the Security tab of the Debian-VPN Properties dialog box.
Figure 15 Select a data encryption method
A cursory glance at the results of the ipsec verify command shows mostly OKs and no
FAILURES, which is good.
Figure 18 Results of ipsec verify command
Note: This PuTTY connection was made across the VPN and a command (ipsec verify)
has been executed and verified on the Debian Openswan VPN server.
51. In the PuTTY window, type exit and press Enter to exit the superuser account
and return to the student prompt.
52. In the PuTTY window, type exit and press Enter to close the terminal emulator.
53. Maximize the Network Connections window.
54. Right-click the Debian-VPN icon and select Status from the context menu to open the
Debian-VPN Status dialog box.
55. Make a screen capture showing the Debian-VPN Status window and paste it into the
Lab Report file.
Compare the bytes sent and received with those same fields from step 38. This data
reflects the activity that took place during the PuTTY connection.
56. Click Disconnect to close the VPN connection.
57. Close the Network Connections window.
58. Close the Wordpad window.
The Wireshark window opens with the detailed information about the first packet
captured, Frame 1, displayed in the middle pane. Use your mouse to drag the borders of
any pane up or down to change its size.
o The top pane of the Wireshark window contains all of the packets that Wireshark
has captured, in time order, and provides a summary of the contents of each packet
in a format close to English. Keep in mind that the content will be different
depending upon where you capture packets in the network. Also remember that
the "source" and "destination" are relative to where a packet is captured. This area
of the Wireshark window will be referred to as the frame summary.
o The middle pane of the Wireshark window is used to display the packet structure
and the contents of fields within the packet. This area of the Wireshark window will
be referred to as the frame details.
o The bottom pane of the Wireshark window displays the byte data. All of the
information in the packet is displayed in hexadecimal on the left and in decimal,
in characters when possible, on the right. This can be a very useful feature,
especially if the passwords you are looking for are unencrypted. This area of
the Wireshark window will be referred to as the byte data.
decrypt the contents of a file and display it even though non-authorized persons, who do
not possess the decryption key, could not read the file contents.
In the next steps, you will analyze the Wireshark packets of an encrypted transfer of a
new file, ipsec2.conf using the Secure Shell (SSH) protocol. The ipsec2.conf file is larger
than the ipsec.conf file transferred using the FTP protocol.
40. Click File > Open and double-click the ssh-capture.pcapng file to open the file in
Wireshark. Use the scrollbar as necessary to locate the file.
The Wireshark Frame Summary will display no frames when the file is loaded because
the ftp-data filter is still applied. You could click the Clear button in the Filter toolbar to
display all of the packets, or apply a new filter.
41. In the Filter box, type ssh and click Apply to create a new filter that will display only
those packets related to the SSH file transfer.
42. Resize the borders of each pane to display frames 12-49 in the Frame Summary pane.
Figure 34 Frame Summary for the ssh filter
Note: The Secure Shell (SSH) protocol replaces the older, insecure Telnet protocol for
keyboard mode, or as it is sometimes still called, command line interface, for the
interaction between systems, such as configuration of servers, routers and switches.
Telnet is still used in many cases even though it suffers from many of the same
shortcomings as FTP: it operates in clear text mode and is easy to hack. In the next steps,
you will see how SSH can be used to securely transfer files.
Notice that this file transfer, which uses SSHv2 rather than FTP, is also between
172.30.0.2 and 172.30.0.100 so all other things about the environment are the same.
Explore the Frame Details and Byte Data for each step that follows to see how this
exchange differs from the FTP file transfer.
43. Make a screen capture showing the Frame Summary for Frames 12-49 and paste it
into your Lab Report file.
44. Click frame 12.
Frame 12 identifies the destination machine of this file transfer as 172.30.0.2, which runs a
Debian implementation of SSHv2.
45. Click frame 13.
Frame 13 identifies the destination machine of this file transfer as 172.30.0.100, which runs a
Windows implementation of SSHv2.
46. Click frame 15.
Frames 15 and 18 are the Key Exchange initialization between the two systems. If you
look at the detail at Frame 15 you will see that the server (172.30.0.100) proposes use of
aes128-ctr (a stream cipher which utilizes an underlying block mode algorithm) as the
encryption method with hmac-md5 as the authentication mechanism and no compression.
Initialization strings are also proposed. In Frame 18, the proposals of the server are
accepted by the client (172.30.0.2).
47. Click frame 20.
Frames 20 and 21 are the Diffie-Hellman Key Exchange initialization.
Figure 35 The SEQ/ACK analysis for frame 21
48. Click frame 22.
Frames 22 and 24 are the initial exchange in which the Client requests new keys.
49. Click frame 28.
Frames 28-49 are the transfer of the ipsec2.conf file. The contents are encrypted and are
unreadable except by authorized persons who have the appropriate keys or unauthorized
persons who have obtained the keys in some other way.
Figure 36 SSH file transfer in frame 28
Note: Though SSH encrypts files during the file transfer process, the content can be
decrypted if the SSH encryption keys are compromised. However, if a file is encrypted
prior to transfer, outside of the FTP utility, an additional measure of security is provided.
Even if the SSH encryption keys are compromised, the attacker will still end up with
unreadable content.
In the next steps, you will analyze Wireshark packets related to a VPN file transfer of the
ipsec.conf file. For each step, review the Frame Details and Byte Data for each frame.
50. Click File > Open and double-click the ipsec-capture.pcapng file to open the new file
in Wireshark.
The Wireshark Frame Summary will display the SSH filtered results of the capture file.
51. Click Clear in the Filter toolbar to view the entire contents of the capture.
52. Resize the pane borders to view the Frame Summary for frames 1-21.
Figure 37 Frame Summary for frames 1-21
53. Make a screen capture showing the Frame Summary for frames 1-21 and paste it into
your Lab Report file.
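The KEXINIT exchange that frames 15 and 18 carry, as an added Python example that is not part of the lab or of Wireshark: it builds two KEXINIT packets in the RFC 4253 binary packet layout with constructed contents (the server side lists the lab's aes128-ctr, hmac-md5 and no compression; the extra client-side entries are assumptions), parses them the way the Frame Details pane presents them, and applies the SSH rule that picks the first client-preferred algorithm the server also lists.

```python
"""Decode SSH2 KEXINIT packets and derive the algorithms the two sides agree on.

Added example; not part of the lab manual or of Wireshark. The packet layout is
the SSH binary packet protocol and KEXINIT message of RFC 4253. The sample
packets are constructed below so the script runs offline; the server's lists
mirror the lab's frame 15 (aes128-ctr, hmac-md5, no compression) and the
client's extra entries are assumptions that make the negotiation visible.
"""
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Wrap a KEXINIT payload in an unencrypted SSH binary packet.

    uint32 packet_length | byte padding_length | payload | padding
    Before keys are in place the total must be a multiple of 8 and carry at
    least 4 bytes of padding. The zero cookie is a constructed placeholder; a
    real peer sends 16 random bytes.
    """
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        payload += _name_list(names)
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 8 - (5 + len(payload)) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def parse_kexinit(packet):
    """Return the KEXINIT name-lists as {field: [names]} from a raw SSH packet."""
    packet_length, pad = struct.unpack_from(">IB", packet, 0)
    if len(packet) != 4 + packet_length or (4 + packet_length) % 8:
        raise ValueError("malformed packet length or padding")
    payload = packet[5:5 + packet_length - 1 - pad]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 17  # message byte + 16-byte cookie
    lists = []
    for _ in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        text = payload[pos:pos + n].decode("ascii")
        lists.append(text.split(",") if text else [])
        pos += n
    if len(payload) != pos + 5:  # boolean + uint32 reserved must remain
        raise ValueError("trailing KEXINIT fields missing")
    return dict(zip(FIELDS, lists))


def negotiate(client, server):
    """Pick, per field, the first client-preferred algorithm the server lists."""
    chosen = {}
    for field in FIELDS[:8]:  # language lists are optional and not negotiated here
        match = next((name for name in client[field] if name in server[field]), None)
        if match is None:
            raise ValueError(f"no common {field} algorithm")
        chosen[field] = match
    return chosen


# Constructed sample packets: what frames 15 (server) and 18 (client) carry.
SERVER_KEXINIT = build_kexinit([
    ["diffie-hellman-group14-sha1"], ["ssh-rsa"],
    ["aes128-ctr"], ["aes128-ctr"],
    ["hmac-md5"], ["hmac-md5"],
    ["none"], ["none"], [], [],
])
CLIENT_KEXINIT = build_kexinit([
    ["diffie-hellman-group14-sha1"], ["ssh-rsa"],
    ["aes256-ctr", "aes128-ctr"], ["aes256-ctr", "aes128-ctr"],
    ["hmac-sha1", "hmac-md5"], ["hmac-sha1", "hmac-md5"],
    ["none"], ["none"], [], [],
])

if __name__ == "__main__":
    agreed = negotiate(parse_kexinit(CLIENT_KEXINIT), parse_kexinit(SERVER_KEXINIT))
    for field, name in agreed.items():
        print(f"{field:9} {name}")
```

Everything from the NEWKEYS message onward (frames 28-49 in the lab's capture) is ciphertext under the agreed cipher and MAC, which is why the file contents are not visible in the Byte Data pane.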
Frames 252-272 represent a Secure Shell (SSH) transfer between 172.30.0.2 and
172.30.0.100.
Figure 40 SSH file transfer in frames 252-272
59. To see the SSH packets in more detail, type ssh in the Filter box and click Apply to
create a new filter that will display only those packets related to the SSH file transfer.
60. Click frame 271.
Frame 271 is the beginning of the file transfer.
61. Click the last frame in the SSH file transfer.
Use what you have learned in the lab to identify the end of the file transfer packets.
62. Make a screen capture showing the last frame in the SSH file transfer and paste it
into your Lab Report file.
Note: Among the noteworthy things about this capture file is the fact that the SSH
transfer occurs outside of the IPsec tunnel; otherwise it would not be possible to see the
details of the SSH interaction between the two machines because the SSH protocol
transactions would be encrypted within the ESP frames. The ESP frames between these
two machines were carrying traffic other than SSH. What traffic? Without the keys or
access to the machines (such as screen shots, key loggers or possibly log entries) it would
be impossible to say, but there are other types of analysis, such as traffic analysis, that
could reveal more about the exchange.
63. To see the ESP exchanges over the IPsec VPN tunnel, type esp in the Filter box and click
Apply.
64. Click File > Quit from the Wireshark menu to close Wireshark.
65. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.
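What an observer can still learn from ESP frames without the keys, as an added Python example that is not from the lab or from Wireshark: it reads the IPv4 header and the unencrypted ESP header (SPI and sequence number) of each frame, groups packets by security association, and flags sequence gaps and repeats, which is the kind of traffic analysis the note above refers to. The frames, SPI value and payload sizes are constructed; the addresses are the lab's.

```python
"""Summarise what is visible in ESP traffic when the keys are not available.

Added example; not part of the lab manual or of Wireshark. Only the IPv4 header
and the ESP header (RFC 4303: SPI, sequence number) are readable; everything
after them is ciphertext, trailer and ICV. The frames below are constructed so
the script runs offline; the SPI and payload sizes are invented, the addresses
are the lab's.
"""
import struct

IPPROTO_ESP = 50


def build_esp_frame(src, dst, spi, seq, ciphertext_len):
    """Construct a minimal IPv4 packet carrying ESP with opaque payload bytes.

    The IP checksum is left at zero; parse_esp() does not validate it.
    """
    payload = struct.pack(">II", spi, seq) + b"\xaa" * ciphertext_len  # filler
    total = 20 + len(payload)
    header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64,
                         IPPROTO_ESP, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def parse_esp(frame):
    """Return the visible ESP metadata of an IPv4 frame, or None if it is not ESP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack_from(">H", frame, 2)[0]
    if frame[9] != IPPROTO_ESP or len(frame) < ihl + 8 or total_len != len(frame):
        return None
    spi, seq = struct.unpack_from(">II", frame, ihl)
    return {
        "src": ".".join(map(str, frame[12:16])),
        "dst": ".".join(map(str, frame[16:20])),
        "spi": spi,
        "seq": seq,
        "payload_len": len(frame) - ihl - 8,  # ciphertext + trailer + ICV, all opaque
    }


def esp_summary(frames):
    """Group ESP packets by (src, dst, SPI) and flag sequence gaps and repeats."""
    summary = {}
    for frame in frames:
        meta = parse_esp(frame)
        if meta is None:
            continue  # anything not ESP, such as the SSH sent outside the tunnel
        key = (meta["src"], meta["dst"], meta["spi"])
        entry = summary.setdefault(key, {"packets": 0, "bytes": 0, "highest_seq": 0,
                                         "missing": [], "replayed": [], "_seen": set()})
        entry["packets"] += 1
        entry["bytes"] += meta["payload_len"]
        seq = meta["seq"]
        if seq in entry["_seen"]:
            entry["replayed"].append(seq)  # what a receiver's anti-replay window drops
        else:
            if seq > entry["highest_seq"] + 1:
                entry["missing"].extend(range(entry["highest_seq"] + 1, seq))
            entry["_seen"].add(seq)
            entry["highest_seq"] = max(entry["highest_seq"], seq)
    for entry in summary.values():
        del entry["_seen"]
    return summary


# Constructed capture: four ESP frames from the client to the server on one SA,
# with sequence number 3 absent and sequence number 2 sent twice.
SAMPLE_FRAMES = [
    build_esp_frame("172.30.0.100", "172.30.0.2", 0x0000ABCD, 1, 64),
    build_esp_frame("172.30.0.100", "172.30.0.2", 0x0000ABCD, 2, 64),
    build_esp_frame("172.30.0.100", "172.30.0.2", 0x0000ABCD, 2, 64),
    build_esp_frame("172.30.0.100", "172.30.0.2", 0x0000ABCD, 4, 128),
]

if __name__ == "__main__":
    for (src, dst, spi), stats in esp_summary(SAMPLE_FRAMES).items():
        print(f"{src} -> {dst} SPI 0x{spi:08x}: {stats}")
```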
Overview
In this lab you configured the vWorkstation, a Windows Server 2008 machine, as a VPN client
to connect to a Linux Debian Openswan VPN. You also used the Wireshark protocol analyzer to
look at the tunneled VPN traffic using the IPsec protocol, and compare it with the non-tunneled
traffic. You reviewed detailed packet interactions of the File Transfer Protocol (FTP) and Secure
Shell (SSH) protocol.
1. The first part of the lab will focus on social engineering and reverse social engineering.
By following the sample attack, you will learn many of the ways in which information
can be gathered from a subject or subjects and combined for either real-world or
cybercrimes.
2. In the second part of the lab, you will research email scams and use social engineering to
create a believable spam email to solicit funds for a fictitious fund-raising opportunity.
3. Finally, if assigned by your instructor, you will use the skills you learned in the lab to
design social and reverse social engineering attacks against several targets. Even if not
assigned, you are encouraged to explore these real-world situations.
This lab is a paper-based lab and requires the use of the Virtual Security Cloud Lab (VSCL) only
to access the relevant documents.
Learning Objectives
Upon completing this lab, you will be able to:
1. Recognize some of the key characteristics of a social engineering attack.
2. Identify some of the key signs of a reverse social engineering attack.
3. Implement countermeasures to social and reverse social engineering attacks.
Tools and Software
None
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1, Steps 8 and 14,
and Part 2, Step 4.
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
the actual IP address. You should subtract 7 from each of the first four numbers when
you type it in. To protect the darknet, he tells you that you can write down the number he gave
you, but you must remember to subtract 7.
You head to the library first thing the next morning and access the site.
3. Double-click the darknetwebsite.pdf icon on the vWorkstation desktop to see the
Hackers R Us web page.
Figure 3 Hackers R Us DarkNet home page
Photo iStockphoto/Thinkstock
Note: After some emails back and forth with a mysterious person known to you only as
Kitty Kat (KK), you have made a deal. Hackers R Us will provide you with remote
access to Marina and Rita's Cupcakes internal network via their Virtual Private Network
in exchange for a rather large sum of money, payable in bitcoin. You've already set up a
Bitcoin account and made an initial payment of 50%, with the balance due as soon as you
access Marina and Rita's VPN for the first time.
All you have to do is sit back and wait for KK to perform her magic.
4. Close the darknetwebsite.pdf file.
Note: KK begins her work with a quick Google search to view the company's Web site,
locate biography information about the sisters, including their birthdates, and find any
news she can about the company and its owners that will help her reach her goal of
accessing the company's VPN. She finds a recent article about the company in the local
business journal.
5. Double-click the newspaper.pdf icon to read the article from the business section of the
Cincinnati Journal.
Figure 4 Article from business section of Cincinnati Journal
6. Close the newspaper.pdf file.
Note: From this article, KK learns that the top sales team as well as the founders, Marina
and Rita, will be flying to Hawaii in time for their February 16th meeting. Her next step
is to get the actual travel itinerary. Presumably the entire HQ and East US group will
travel together, so KK calls Marina and Rita's headquarters in Lakewood, Ohio, and
claims to be a new hire in the US West division whose boss, Lisa Lipscombe, asked
her to make travel arrangements to Lakewood, but she has lost the name and number of
the travel consultant. The helpful operator at Marina and Rita's headquarters tells her that
the travel consultant is David Spivey at Air, Land and Sea Travel. The operator also
provides a direct number to ensure that KK gets better service.
KK calls David Spivey, identifies herself as a temp at Marina and Rita's Cupcakes and
asks that Marina's and Rita's travel itinerary for the Hawaii President's Club trip be
faxed to a Lakewood, Ohio phone number. David is not suspicious because it is a normal
request and the phone number appears correct. He does not realize that the number is for
a fax drop box that allows the fax to be retrieved from anywhere on the Internet.
7. Double-click the travel.pdf icon to see the travel itinerary for Marina and Rita Sugarton.
Figure 5 Marina and Rita Sugarton's travel itinerary
8. Make a screen capture showing the entire travel itinerary for Marina and Rita and paste
it into your Lab Report file.
9. Close the travel.pdf file.
Note: KK now has the travel itinerary, and she knows what Marina and Rita look like
from the pictures on their Web site, so KK can start to assemble an attack plan. She plans
to enlist the aid of a couple of accomplices to steal a tablet or smartphone from one of the
Marina and Rita team on their way to Hawaii. Knowing how vulnerable these devices
will be in the airport, KK will intercept the group at the airport and, along with two
accomplices, will steal the device as the individual goes through the security checkpoint.
KK's team has tried this successfully before, so successfully in fact that some travel
agencies are issuing warnings to their clients. The good news for KK, and for you as her
client, is that most travelers ignore these warnings.
10. On your local computer, open an Internet browser session.
11. In the address box of the browser, type http://www.corporatetravelsafety.com/safetytips/category/airport-safety/tip/thefts-at-airport-screening-stations and press Enter
to read the travel warning that describes how this type of theft works.
12. Minimize the local browser session.
Note: On the day of the flight, KK uses the Paradise Flyer Priority number from the
travel itinerary and Marina Sugarton's birthdate, found during the initial Google search, to
confirm, via a quick telephone call to Paradise Airlines, that Marina and Rita checked in
via the Internet and will be checking two pieces of luggage.
KK and her accomplices arrive at the airport early and position themselves to watch for
the Sugarton sisters' arrival. Right on time, a sleek black limousine arrives and delivers
the two Sugarton sisters, the VP of North American Franchise Sales, Sara Collier, and six large
bags. The baggage porter loads a cart curbside and transports the checked luggage inside.
KK tails the group to the security checkpoint, where she quickly goes through the
checkpoint herself and waits patiently on the other side. Her accomplices position
themselves in order to delay Marina, Rita, and Sara at the metal detectors long enough for
one of the accomplices to grab whatever electronic devices are placed in the bowl before
they go on the conveyor belt.
The thieves grab Marina Sugarton's smartphone and surreptitiously pass the device to
KK, who is able to pass back through security to the safety of the airport terminal. Marina,
Rita, and Sara collect their belongings and rush to catch their flight to Atlanta without
noticing the missing phone.
Unless their domestic flight from Cleveland to Atlanta has onboard telephones, Marina
will not be able to report the loss or theft of her device until she arrives in Atlanta. This
gives the criminals a window of at least two hours. KK contacts her client, you, and agrees
that for an extra fee she will exploit this vulnerability window and download any
information that she can.
Figure 6 Marinas smartphone
Photo Anatolii Babii/123RF
Note: Like many busy people, Marina has neglected to set a screen lock on her
smartphone, which means that anyone, including KK, can gain immediate access to her
contacts and other private information. The graphic icon-based interface makes it very
easy to find the access point for the Marina and Rita's Cupcakes Virtual Private Network
and, subsequently, her email.
KK is able to access the Marina and Rita's Cupcakes email via the VPN, which is set up
for Marina's convenience to use a stored password for the VPN and automatic sign-in
for the email. Even though the smartphone is likely fairly new, KK is quickly and easily
able to determine that Marina and Rita's email uses the IMAP protocol and that,
therefore, copies of all emails are stored on the server. KK downloads a
malicious piece of code which copies all email, with attachments, to KK's server.
In addition, KK is able to determine all of the characteristics required for sign-in to the
Marina and Rita's Cupcakes VPN except for the password, which is stored only in encrypted
form. She might be able to use the encrypted password in a replay attack, but she would be
far better off if she actually knew the password.
In order to cover her tracks, KK deletes the malicious code and pays a teenager $20 to
take the device and a copy of the itinerary to the Paradise Airlines counter and tell the
airline representative that he found this near the baggage check-in.
The Paradise Airlines agent sends a message to the gate agent in Atlanta, who informs
Marina that her lost device has been found and assures her that the airline will deliver it
to the hotel in Maui tomorrow. Marina was unaware that her phone had ever been lost,
but is glad that it will be returned, safe and sound. She is also unaware that all of her
emails, with attachments, for the last several years, including the 18 months since her
retail stores began popping up, are now in the hands of a competitor.
You deposit the balance of KK's professional services fee into her bitcoin account.
In many cases this would be the end of the story, but you are still not satisfied. You've
analyzed the emails and are tantalized by the gaps in the information. Gaps that could be
filled in if only you had access to the archived emails from other key people in the
company. You again contact KK for advice and KK suggests a way to get those key
people to change their VPN passwords so that you can attack them in the same way that
Marina was attacked: download all of their emails without their knowledge.
Arrangements are made for a second set of payments via the bitcoin account and KK gets
to work.
KK knows that the most efficient way to get the most information is to find a way to open
the VPN while Marina and Rita are still in Hawaii. With the VPN tunnel open, she can
download anything she wants. She decides to send an email from Marina Sugartons
email account to several employees at the company. The email asks everyone to reset
their VPN passwords.
13. Double-click the email.pdf icon to view the email sent by KK to employees of Marina
and Rita's Cupcakes.
Figure 7 Fake email sent from Marina Sugarton's email account
Photo luminaimages/ShutterStock, Inc.
14. Make a screen capture showing Marina's email and paste it into your Lab Report file.
Note: All of the employees complied with the email request since they were asked to do so by
one of the co-presidents. No one noticed that none of the Top Achievers who were with Marina
in Hawaii (and who might have mentioned the email to Marina herself) were included in the
email distribution list. With the VPN now open, KK is able to collect all of the emails from all of
these email accounts. This new batch of data includes information about markets, strategies,
franchising and related business issues, and recipes, as well as personal information such as
travel itineraries, receipts for web purchases, relationships, and gossip, that you, as KK's client
and Marina Sugarton's competitor, will be able to exploit. In other words, a treasure trove of
information about all aspects of Marina and Rita's Cupcakes.
What can be done to strengthen access procedures and make a VPN more secure? The first thing
is to be sure that all parameters for the VPN, such as algorithms, Perfect Forward Secrecy, key
length, and frequency of key changes, are appropriate for the type of information being protected and
are applied uniformly. All configuration procedures should be reviewed periodically and updated
as needed according to current best practices. It is also possible to restrict VPN connections to
specific MAC addresses or MAC/IP address pairs, although this is a weak control on its own: a MAC
address is only visible on the local network segment, not across the Internet, and both MAC and IP
addresses are easily spoofed. Security can be increased far more by using devices that generate
one-time-use passwords or parts of passwords, such as RSA SecurID; a one-time code is useless to an
attacker once it has been accepted, unlike the stored VPN password KK found on Marina's phone.
Other forms of multi-factor authentication, such as biometrics, are possible,
again considering the value of the information being protected and other factors. For more
information on VPN security, review the publication at
http://www.infosec.gov.hk/english/technical/files/vpn.pdf
Note: Every email campaign has a specific addressee on whom it is expected to work.
This may be a single person or a list of people. Lists may be purchased, from legitimate
or illegal sources, or harvested by you. Spammers generally send emails to
only one person at a time, even if they intend to target a large group of individuals, unless
the particular group of people being targeted might be more likely to believe the email
when they see the other recipients. In this case, Charlie Roberts is being specifically
targeted.
9. In the From content cell, type Susan Dougherty <susand@innocentbystander.com>.
Note: The sender's identity is just as important. It has to be a person or entity with which
the recipient has, or can develop, a trust relationship. This is why so many spammers
compromise personal contact lists from sources such as Gmail and Yahoo Mail. In some
cases, malicious emails use an actual sender's email address, but more often the emails
use a temporary email address created by the spammer for the specific email campaign.
The decision to use a real or false sender address depends on whether or not the spammer
wishes the recipient to respond to the sender. In this case, Susan Dougherty is a known
contact of the target, Charlie Roberts, and that increases the odds that the email will be
believable. When the sender is a known contact of the target, using their actual email
address increases the appearance that the email is legitimate.
10. In the Date content cell, type todays date.
Note: The date and time of an email are usually generated automatically by the email
sending software, but sending can be delayed until a specific date and time, or the Date
header can otherwise be spoofed, since receiving systems do not verify it.
11. In the Subject content cell, type A favor?.
Note: Many professional spear phishers rely on a catchy subject line to increase the
chance of a curious recipient opening an email. How many real emails do you receive
from friends or business associates with a subject line like "Save money" or "Big sale"? In this
case, since you are using real sender and recipient names, it is best to use a more
casual subject.
Figure 9 Completed table layout for email sample
Note: The body of the email is arguably the most important part, and depends entirely on the
goals of the spammer. If the intent is as simple as verifying that the email account
is active, the recipient only has to open the email and the content is of lesser importance.
If the intent is to encourage the recipient to do something, then the content becomes more
important. In this case, the spammer's intent is to gather funds and collect credit card
credentials that can be exploited later to steal the recipient's identity. To accomplish this goal, the
spammer would need to have a Web site set up to collect this information. The spammer
secures an address, https://www.NotCFSCDS.com, or simply an IP address, such as
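The sender, date, subject and body notes above describe how the spear-phishing email is assembled; the added example below (written for this edition, not part of the original lab) shows the checks a recipient's mail filter can run against exactly those tricks: a Reply-To domain that differs from the From domain, link text that shows one host while the href points at another, and an href whose host is a bare IP address rather than a name. The sample message is constructed for the example; the Reply-To address, the `cfscds.example` host and the `192.0.2.10` address are assumptions.

```python
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not one of the lab's own files), modelled on the
# Susan Dougherty -> Charlie Roberts message built in the steps above.
SAMPLE = b"""From: Susan Dougherty <susand@innocentbystander.com>
Reply-To: Susan Dougherty <susand@collector.example>
To: Charlie Roberts <charlie.roberts@example.org>
Subject: A favor?
Date: Mon, 03 Mar 2014 09:12:00 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Charlie, could you pledge for the CFSCDS drive here:
<a href="http://192.0.2.10/pledge">https://www.cfscds.example/pledge</a></p>
<p>You can also <a href="https://www.cfscds.example/about">read about the drive</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Lower-cased host of a URL, or of URL-looking text such as 'www.x.com/y'."""
    s = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return "://" in text or text.lower().startswith("www.")


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw: bytes) -> dict:
    """Run the three header/body checks and return what was found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"reply_to_mismatch": False, "link_mismatches": [], "ip_hosts": []}

    from_domain = msg["From"].addresses[0].domain.lower()
    reply_to = msg["Reply-To"]  # None when the header is absent
    if reply_to is not None and reply_to.addresses[0].domain.lower() != from_domain:
        findings["reply_to_mismatch"] = True  # replies go somewhere other than the sender

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            if is_ip(target):
                findings["ip_hosts"].append(target)
            # Visible text that itself looks like a URL must point at that host.
            if looks_like_url(text) and host_of(text) != target:
                findings["link_mismatches"].append((host_of(text), target))
    return findings


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample the From header passes by itself, which is the point of using a real contact's address; it is the Reply-To and the link target that give the message away.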
Overview
A properly configured Virtual Private Network which uses IPsec and adheres very closely to best
practices, such as strong authentication, network segmentation, device validation, posture
assessment, etc. is very formidable and protects all types of information while it is in transit from
one location to the other. In this lab, you learned how to use social engineering techniques to
unlock the secrets of a targeted individual or organization by attacking their Virtual Private
Network. You also researched email scams and used social engineering to create a believable
spam email to solicit funds for a fictitious fund-raising opportunity.
Lab Assessment Questions & Answers
1. What is the darknet?
a. An Internet for non-English speaking people
b. The criminal side of the Internet
c. An Internet just for law enforcement
d. The old, IPv4 Internet that is being retired as IPv6 takes over
e. None of the above
2. What email protocol does Marina and Rita's Cupcakes use and why is it important?
3. Text in an email must match the URL to which it links. True or false?
4. Instead of relying just on a user ID and password systems, VPN access can be protected
by tokens like SecurID and other ____________ methods.
5. In many instances an IP address is used to access a server rather than a URL because a
URL is more difficult to set up and easier to track. True or False.
a. fewer
b. more
c. about the same
7. Were Charlie Roberts and Susan Dougherty known to each other, and did they have a
trust relationship that could be exploited?
8. Which of the following steps can make VPN access more secure?
a. Assure Perfect Forward Secrecy during IKE key exchange
b. Allow access only from specific MAC addresses
c. Allow access only from specific MAC/IP address pairs
d. Use foreign words as passwords
e. Change password letters to numbers, such as all Ls to 7s and all Os to 0s.
System information tools, e.g. Windows Computer Management and Windows Task
Manager, provide information about the current operating state of a computer system.
Windows Task Manager provides information about currently running tasks, use of
system resources, and system performance. Windows Computer Management provides
more detailed information about the system, including lists of services (applications and
operating system components) and their current state, computer hardware configuration,
security and system events, and scheduled tasks.
System configuration tools are used to scan an operating system and key software
applications for security issues. Microsoft Baseline Security Analyzer (MBSA) is a
system scanning tool that scans workstations and servers running Microsoft Windows
operating systems. MBSA will check for system administration and misconfiguration
problems, application software issues including missing patches and updates, and
missing or partially installed system security updates. MBSA can be configured to check
for missing updates and recommended security settings for Internet Explorer, Internet
Information Services (IIS), Microsoft Office, and SQL Server. MBSA is more powerful
than Windows Update since it checks system and software settings in the registry in
addition to checking for required software updates. After the scan completes, MBSA will
generate a report which identifies security issues and provides recommendations for
Learning Objectives
Upon completing this lab, you will be able to:
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1, Steps 9, 11, 15,
20, and 24. Part 2, Steps 6 and 9;
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.
Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 "Student Landing" workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.
10. Make a screen capture showing all the processes associated with Remote Desktop
Services and paste it into your Lab Report file.
11. Click the Performance tab and wait 45-60 seconds for the history graphs to display data
on 50% or more of the graph.
Figure 6 Windows Task Manager: Performance tab
12. Make a screen capture showing the current system performance and paste it into
your Lab Report file.
13. Close the Windows Task Manager.
Use the scrollbars as necessary to view the Windows Start button.
14. Click the Windows Start button and navigate to Administrative Tools > Computer
Management to open the Windows Computer Management tool.
Resize the Computer Management window so that the entire window is visible.
Figure 7 Computer Management application window
15. Navigate to System Tools > Event Viewer > Windows Logs > Application by clicking
on the plus signs to open the sub menus.
The Windows Application log records events reported by applications: successful
operations, warnings, and error messages about failed operations, as well as
application-level authentication messages (for example, a database server's failed
login notices). Windows account logon attempts themselves, successful and unsuccessful,
are recorded in the Security log rather than the Application log.
Figure 8 Windows Application Log
16. Make a screen capture showing the Application Log and paste it into your Lab Report
file.
17. Click Filter Current Log from the Actions pane on the right-hand side of the window.
18. In the Event level portion of the filter form, click each of the following checkboxes to
select those event levels:
o Critical
o Warning
o Error
Verify that the Verbose and Information checkboxes are unchecked.
Figure 9 Filter Current Log form
19. Click OK to filter the log entries.
20. Scroll down to find the first Error event entry in the log file and click the Error line item
to display the log entry. Review the Log Entry.
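Steps 15 through 20 apply a level filter by hand in the Event Viewer; the added example below (written for this edition, not part of the lab) applies the same filter programmatically to an Event Viewer XML export, which is what you would do when an investigation has to cover more entries than can be clicked through. The five records are constructed in the shape of the Windows event schema, not a capture from the lab's vWorkstation; the providers, event IDs and record numbers are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Numeric <Level> values used by the Windows event schema; Event Viewer's
# "Filter Current Log" checkboxes map onto these.
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
               4: "Information", 5: "Verbose"}
CRITICAL, ERROR, WARNING = 1, 2, 3

# Constructed sample export (five Application-log records), not real lab data.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="MSSQL$SQLEXPRESS"/><EventID>17137</EventID><Level>4</Level>
<TimeCreated SystemTime="2014-03-03T14:10:01.000000000Z"/><EventRecordID>1001</EventRecordID>
<Channel>Application</Channel><Computer>vWorkstation</Computer></System>
<EventData><Data>Starting up database 'msdb'.</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-User Profiles Service"/><EventID>1530</EventID><Level>3</Level>
<TimeCreated SystemTime="2014-03-03T14:11:20.000000000Z"/><EventRecordID>1002</EventRecordID>
<Channel>Application</Channel><Computer>vWorkstation</Computer></System>
<EventData><Data>Windows detected your registry file is still in use by other applications or services.</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Application Error"/><EventID>1000</EventID><Level>2</Level>
<TimeCreated SystemTime="2014-03-03T14:12:05.000000000Z"/><EventRecordID>1003</EventRecordID>
<Channel>Application</Channel><Computer>vWorkstation</Computer></System>
<EventData><Data>wmplayer.exe</Data><Data>0xc0000005</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-RestartManager"/><EventID>10000</EventID><Level>4</Level>
<TimeCreated SystemTime="2014-03-03T14:13:00.000000000Z"/><EventRecordID>1004</EventRecordID>
<Channel>Application</Channel><Computer>vWorkstation</Computer></System>
<EventData><Data>Starting session 1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Application Hang"/><EventID>1002</EventID><Level>2</Level>
<TimeCreated SystemTime="2014-03-03T14:14:30.000000000Z"/><EventRecordID>1005</EventRecordID>
<Channel>Application</Channel><Computer>vWorkstation</Computer></System>
<EventData><Data>iexplore.exe</Data></EventData></Event>
</Events>"""


def parse_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict of the fields Event Viewer shows."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        level = int(system.findtext("e:Level", default="0", namespaces=NS))
        events.append({
            "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
            "provider": system.find("e:Provider", NS).get("Name"),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "level": level,
            "level_name": LEVEL_NAMES.get(level, str(level)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "data": [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)],
        })
    return events


def filter_levels(events: list, levels=(CRITICAL, ERROR, WARNING)) -> list:
    """Same selection as ticking Critical, Warning and Error in Filter Current Log."""
    return [e for e in events if e["level"] in levels]


def first_error(events: list):
    """Step 20: the first Error entry in log order, or None."""
    for e in events:
        if e["level"] == ERROR:
            return e
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for e in filter_levels(evs):
        print(e["time"], e["level_name"], e["provider"], e["event_id"], e["data"])
    print("first error:", first_error(evs))
```

On a live system the same selection is `Get-WinEvent -FilterHashtable @{LogName='Application'; Level=1,2,3}` in PowerShell; the export-and-parse route above keeps the evidence as a file you can hash and re-examine later, which matters when the log belongs to a machine you suspect is compromised.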
Overview
In this lab, you gathered information about system performance and running tasks, including
memory and bandwidth usage, and looked for Remote Desktop Services. You also ran a security
scan on the Windows Server 2008 system using Microsoft Baseline Security Analyzer (MBSA) to
identify any missing software updates or updates which were not completely installed, and to detect
changes to system configuration parameters which could have occurred as the result of an
intrusion or the actions of a malicious insider.
2. Windows Task Manager and Windows Computer Management both provide information
about system services. Compare and contrast the types of information (about system
services) that can be obtained from these tools.
3. Explain how you could use one or more of the Windows log files to investigate a
potential malware infection on a system. What types of information are available to you
in your chosen log file?
4. Should you filter log files during an investigation into a security incident? Why or why
not?
5. Should remote desktop services be enabled on employee workstations for use by IT Help
Desk personnel? Why or why not?
6. How does Microsoft Baseline Security Analyzer (MBSA) differ from Windows Update?
7. Why are shares a source of system vulnerabilities?