1.2 Guided Exercise: Analysing Network Traffic: Resources


1.2 Guided Exercise: Analysing Network Traffic
Resources
Files http.pcap
Machines Windows 10

In this exercise you will use Wireshark to analyse network traffic. 

Wireshark is already installed and you may start it by opening the Desktop folder
called Exercises and then Wireshark. Double click Wireshark to open it.

Once Wireshark starts go to File -> Open and select the file called http from the folder
Exercises -> Wireshark.

Once the file opens locate the Source and Destination IPv4 addresses. These should be
145.254.160.237 and 65.208.228.223 respectively.
Determine the Source Port and the Destination Port. These should be 3372 and 80
respectively.
1.3 Guided Exercise: Analysing Telnet Network Traffic
Resources
Files None
Machines Windows 10

In this exercise you will use Wireshark to analyse network traffic. 

Wireshark is already installed and you may start it by opening the Desktop folder
called Exercises and then Wireshark. Double click Wireshark to open it. 
Once Wireshark starts go to File -> Open and select the file called telnet-raw from the
folder Exercises -> Wireshark.

Once the file opens locate the Source and Destination IPv4 addresses. These should be
192.168.0.2 and 192.168.0.1 respectively.
Determine the Source Port and Destination Port. These should be 1254 and 23
respectively.
Select packet number 4 and then right click on it. Go to Follow and then click on TCP
Stream. 
In the new window that opens you will observe the username and password the user
used to log in to the telnet server. The username is “fake” and the password is “user”.
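As an added illustration (not part of the exercise files), the script below does by hand what Follow TCP Stream does for a Telnet session: it orders one direction of the conversation by TCP sequence number, drops a retransmitted segment, strips Telnet option negotiation, and returns the login and password the client typed. The segments are constructed sample data that mirror the exercise's addresses and ports.

```python
# Constructed sample segments shaped like the telnet-raw capture (client 192.168.0.2:1254,
# server 192.168.0.1:23); not the exercise file. Tuple: (src_ip, src_port, dst_ip, dst_port, seq, payload)
IAC, SB, SE = 0xFF, 0xFA, 0xF0          # Telnet "Interpret As Command", sub-negotiation begin/end
SEGMENTS = [
    ("192.168.0.2", 1254, "192.168.0.1", 23, 1000, b"\xff\xfd\x03\xff\xfb\x18"),  # DO SGA, WILL TTYPE
    ("192.168.0.1", 23, "192.168.0.2", 1254, 5000, b"login: "),
    ("192.168.0.2", 1254, "192.168.0.1", 23, 1006, b"f"),
    ("192.168.0.2", 1254, "192.168.0.1", 23, 1008, b"k"),       # captured out of order
    ("192.168.0.2", 1254, "192.168.0.1", 23, 1007, b"a"),
    ("192.168.0.2", 1254, "192.168.0.1", 23, 1007, b"a"),       # retransmission of the same byte
    ("192.168.0.2", 1254, "192.168.0.1", 23, 1009, b"e\r\n"),
    ("192.168.0.1", 23, "192.168.0.2", 1254, 5007, b"Password: "),
    ("192.168.0.2", 1254, "192.168.0.1", 23, 1012, b"user\r\n"),
]

def reassemble(segments, src_ip, src_port):
    """Order one direction of the TCP stream by sequence number and return the
    contiguous payload, dropping bytes a retransmission delivers twice."""
    own = sorted((seq, data) for src, sport, _, _, seq, data in segments
                 if src == src_ip and sport == src_port)
    stream, next_seq = bytearray(), None
    for seq, data in own:
        if next_seq is None:
            next_seq = seq
        if seq + len(data) <= next_seq:
            continue                                  # already have every byte of this segment
        stream += data[max(0, next_seq - seq):]       # skip the overlapping prefix, if any
        next_seq = seq + len(data)
    return bytes(stream)

def strip_telnet_commands(data):
    """Remove IAC command sequences so only the characters the user typed remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:                            # ordinary data byte
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == SB: # sub-negotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                         # WILL/WONT/DO/DONT carry one option byte
            i += 3 if i + 1 < len(data) and 0xFB <= data[i + 1] <= 0xFE else 2
    return bytes(out)

def extract_credentials(segments, client_ip, client_port):
    """Return the first two lines the client typed: the login name and the password."""
    typed = strip_telnet_commands(reassemble(segments, client_ip, client_port))
    lines = [ln.decode("ascii", "replace") for ln in typed.split(b"\r\n") if ln]
    return lines[0], lines[1]
```

Calling `extract_credentials(SEGMENTS, "192.168.0.2", 1254)` yields the same pair Wireshark shows in the stream window, which is the point of the exercise: Telnet carries credentials with no protection at all.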
1.4 Basic Network Utilities
Now that you know what IP addresses and URLs are, you need to be familiar with
some basic network utilities. You can execute some network utilities from a command
prompt (Windows) or from a shell (Unix/Linux). Many people are already familiar
with Windows, so we will focus on how to execute the commands from the Windows
command-prompt perspective. However, these utilities are available in all operating
systems. 

1.4.1 Ipconfig

The first thing you want to do is get information about your own system. To
accomplish this, you must get a command prompt. In Windows, you do this by going
to the Start menu, selecting All Programs, and then choosing Accessories. You can
also go to Start, Run, and type cmd to get a command prompt. In Windows 10 you go
to Search and type cmd. Now you can type in ipconfig. (You could input the same
command in UNIX or Linux by typing in ifconfig from the shell.) After typing in
ipconfig (ifconfig or ip addr in Linux), you should see something much like the below
screenshot.
This command gives you information about your connection to a network (or to the
Internet). Most importantly, you find out your own IP address. The command also has
the IP address for your default gateway, which is your connection to the outside
world. Running the ipconfig command is a first step in determining your system’s
network configuration. Most commands including ipconfig have a number of
parameters, or flags, which can be passed to the commands to make the computer
behave in a certain way. You can find out what these commands are by typing in the
command, followed by a space, and then typing in hyphen question mark: -?.

As you can see, you might use a number of options to find out different details about
your computer’s configuration. The most commonly used method would probably be
ipconfig /all.
1.4.2 Ping

Another commonly used command is ping. Ping is used to send a test packet, or echo
packet, to a machine to find out whether the machine is reachable and how long the
packet takes to reach the machine. This useful diagnostic tool can be employed in
elementary hacking techniques. Figure 1-3 shows the command.
The above command shows that a 32-byte echo packet was sent to the destination and
returned. The TTL means “time to live.” That time unit is how many intermediary
steps, or hops, the packet should take to the destination before giving up. Remember
that the Internet is a vast conglomerate of interconnected networks. Your packet
probably won’t go straight to its destination. It will have to take several hops to get
there. As with ipconfig, you can type in ping -? to find out various ways you can
refine your ping.

1.4.3 Tracert

The next command is tracert. This command is a sort of “ping deluxe.” Tracert not
only tells you whether the packet got there and how long it took, but it also tells you
all the intermediate hops it took to get there. (This same command can be executed in
Linux or UNIX, but it is called traceroute rather than tracert.) You can see this utility
in Figure 1-4.
With tracert, you can see the IP address of each intermediate hop listed, and how long
(in milliseconds) it took to reach that hop. Knowing the steps required to reach a
destination can be very important.

1.4.4 Netstat

Netstat is another interesting command. It is an abbreviation for Network Status.
Essentially, this command tells you what connections your computer currently has.
Don’t panic if you see several connections; that does not mean a hacker is in your
computer. You will see many private IP addresses. This means your network has
internal communication going on. You can see this in Figure 1-5.

Certainly, other utilities can be used when working with network communications.
However, the four we just examined are the core utilities. These four (ipconfig, ping,
tracert, and netstat) are absolutely essential to any network administrator.
3.8 Guided Exercise: Configuring iptables Rules
Resources
Files None
Machines Ubuntu Server

In this exercise, you are required to write custom iptables rules.

Log in to Ubuntu Server and then run the command “sudo iptables -L”. It will ask for
the user password. Enter the user password which is “Pa$$w0rd”, press enter and then
it will show the current iptables rules.

Write the command “sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT” and if
sudo asks for the user password enter “Pa$$w0rd”. Then run the command “sudo
iptables -L” to list the iptables rules.
Write the command “sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT” and if
sudo asks for the user password enter “Pa$$w0rd”. Then run the command “sudo
iptables -L” to list the iptables rules.

To save the iptables rules run the command “sudo iptables-save”.


4.4 Guided Exercise: Implementing an IDS
Resources
Files None
Machines Windows Server, Ubuntu Server

In this exercise you are required to install Snort on Windows Server and capture data
for analysis.

Log in to Windows Server and open the desktop folder Exercises -> Snort. Double
click the Snort Installer file to install it.
Accept the License Agreement by clicking I Agree.
Click Next on the Choose Components window.
Click Next on the Choose Install Location.
Click Close once the installation finishes and then OK on the Snort Setup.

Copy the file snort.conf from the Desktop folder Exercises -> Snort to C:\Snort\etc
and overwrite the file that is already there. Copy the file local.rules from the Desktop
folder Exercises -> Snort to C:\Snort\rules.

Open the file local.rules using WordPad. Under the LOCAL RULES section there are
different rules having a header and a body. The first rule detects a SYN scan and the
second rule detects an ACK scan.

On the folder Exercises -> Snort double click the file WinPcap to install it. Click Next
on the WinPcap Setup window and then click I Agree. Click Install on the next
window and leave the check mark on Automatically start the WinPcap driver at boot
time. 
Once the installation finishes click on Finish.

Open a command prompt by right clicking the Start button and select Command
Prompt (Admin).  
Type cd C:\Snort\bin where bin is the default directory where the snort executable
resides.

Type the following command “snort -c C:\Snort\etc\snort.conf -i1 -l C:\Snort\log -A
console” and press enter. The option -c tells Snort where to find the configuration file.
The option -i1 tells Snort to capture on interface 1. The -l option tells Snort to log alerts
and where to save them. The -A console option tells Snort to send alerts also to the
console. This option is normally not used because it slows down detection and Snort
may drop packets.
Log in to Ubuntu Server and run the command nmap -A 192.168.1.20. Allow the scan
to complete and then check the Snort command prompt on Windows Server.

Switch to the Windows Server and on the Snort command prompt you should see 5
SYN scan alerts and 5 ACK scan alerts. Press Control + C to stop Snort.
Once you stop Snort a list with different statistics will be revealed.
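To make the two local.rules entries concrete, here is an added Python illustration of the detection logic they express (it is not the Snort rule text from the exercise files, which the exercise does not reproduce): TCP segments whose only flag is SYN, or only flag is ACK, arriving at the scanned host from one source across several ports in a short window are raised as SYN scan and ACK scan alerts. The packet records are constructed, and the threshold and window values are assumptions.

```python
from collections import defaultdict
SYN, ACK, PSH = 0x02, 0x10, 0x08
HOME_HOST = "192.168.1.20"          # the Snort host being scanned in the exercise

# Constructed sample records, not a real capture: (timestamp, src_ip, dst_ip, dst_port, tcp_flags)
PACKETS = [
    (0.000, "192.168.1.50", HOME_HOST, 80, SYN),         # ordinary client: handshake to one port
    (0.001, "192.168.1.50", HOME_HOST, 80, ACK),
    (0.010, "192.168.1.50", HOME_HOST, 80, PSH | ACK),   # data segment: flags are not "ACK alone"
    (1.000, "192.168.1.10", HOME_HOST, 22, SYN),         # scanner sweeping ports with bare SYNs
    (1.002, "192.168.1.10", HOME_HOST, 80, SYN),
    (1.004, "192.168.1.10", HOME_HOST, 443, SYN),
    (1.006, "192.168.1.10", HOME_HOST, 3389, SYN),
    (1.100, "192.168.1.10", HOME_HOST, 22, ACK),         # same scanner, bare-ACK probes
    (1.102, "192.168.1.10", HOME_HOST, 80, ACK),
    (1.104, "192.168.1.10", HOME_HOST, 443, ACK),
    (9.000, "192.168.1.10", "192.168.1.99", 22, SYN),    # not addressed to the monitored host
]

def classify(flags):
    """Mirror the two rules' flag tests: SYN set alone, or ACK set alone."""
    if flags == SYN:
        return "SYN scan"
    if flags == ACK:
        return "ACK scan"
    return None

def detect_scans(packets, threshold=3, window=2.0):
    """Alert once per (source, scan type) when that source has probed `threshold`
    distinct HOME_HOST ports within `window` seconds; a bare ACK is normal in an
    established connection, so the distinct-port count is what marks a scan."""
    history = defaultdict(list)             # (src, kind) -> [(timestamp, dst_port), ...]
    alerted, alerts = set(), []
    for ts, src, dst, dport, flags in packets:
        kind = classify(flags)
        if kind is None or dst != HOME_HOST:
            continue
        key = (src, kind)
        history[key].append((ts, dport))
        recent_ports = {p for t, p in history[key] if ts - t <= window}
        if len(recent_ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(f"[{ts:.3f}] {kind} from {src}: ports {sorted(recent_ports)}")
    return alerts

if __name__ == "__main__":
    for line in detect_scans(PACKETS):
        print(line)
```

Run as written, the script prints one SYN scan and one ACK scan alert for 192.168.1.10 and nothing for the ordinary client, which is the separation the exercise's two rules are meant to achieve.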
11.1 ISO Standards
The International Organisation for Standardization creates standards for a wide range
of topics. There are hundreds of such standards, and it would be impossible to cover
them in a single chapter. In fact, each standard could be the subject of a chapter, or at
least a few chapters. Some of the more important standards for network security are
listed here:

• ISO/IEC 15408: The Common Criteria for Information Technology Security Evaluation
• ISO/IEC 25000: Systems and Software Engineering
• ISO/IEC 27000: Information technology — Security Technology
• ISO/IEC 27001: Information Security Management
• ISO/IEC 27005: Risk Management
• ISO/IEC 27006: Accredited Certification Standard
• ISO/IEC 28000: Specification for security management systems for the supply chain
• ISO 27002: Information Security Controls
• ISO 27003: ISMS Implementation
• ISO 27004: IS Metrics
• ISO 27005: Risk management
• ISO 27006: ISMS certification
• ISO 27007: Management System Auditing
• ISO 27008: Technical Auditing
• ISO 27010: Inter-organisation communication
• ISO 27011: Telecommunications
• ISO 27033: Network security
• ISO 27034: Application security
• ISO 27035: Incident Management
• ISO 27036: Supply chain
• ISO 27037: Digital forensics
• ISO 27038: Document redaction
• ISO 27039: Intrusion prevention
• ISO 27040: Storage security
• ISO 27041: Investigation assurance
• ISO 27042: Analysing digital evidence
• ISO 27043: Incident Investigation
