NDG EH Lab 16
LAB SERIES
NETLAB Academy Edition, NETLAB Professional Edition, and NETLAB+ are registered trademarks of Network Development Group, Inc.
VMware is a registered trademark of VMware, Inc. Cisco, IOS, Cisco IOS, Networking Academy, CCNA, and CCNP are registered trademarks of Cisco Systems, Inc. EMC2 is a registered trademark of EMC Corporation.
Lab 16: Evading IDS
Contents
Introduction
Objective
Pod Topology
Lab Settings
1 Initialize Network Monitoring Applications
2 Test IDS Results with Regular Nmap Scan
3 Test IDS Results with Low MTU Scan
4 Test IDS Results with Decoy Scan
5 Test IDS Results with Spoofed MAC Scan
Introduction
Several techniques can be used to attempt to thwart IDS detection. This lab explores those techniques and shows how each one appears, or fails to appear, in the monitoring tools of an IDS.
Objective
In this lab, you will be conducting ethical hacking practices using various tools. You will be performing the following tasks:
Pod Topology
Lab Settings
The information in the table below will be needed in order to complete the lab. The task sections below provide details on the use of this information.
192.168.0.254
pfSense 192.168.68.254 admin pfsense
192.168.9.1
1. Navigate to the topology page and click on the Security Onion VM icon.
2. At the login prompt, enter ndg as the username. Press Enter.
3. Enter password123 as the password. Click Login.
4. Once logged in, double-click on the Squert icon to launch the application via web browser.
5. Once Chromium appears, notice the warning message. Click on the Advanced link for more options.
6. Click on the Proceed to localhost (unsafe) link.
7. On the Squert login page, enter ndg as the username and password123 as the password. Click submit.
10. Navigate back to the Desktop and double-click on the Sguil icon.
11. In the Sguil login window, enter ndg as the username and password123 as the password. Click OK to log in.
12. Check the box for ndg-virtual-machine-eth0 and click the Start SGUIL button.
6. Initiate a fragmented packet scan using the Nmap application. Using the Terminal, type the command below followed by pressing the Enter key.
nmap -f 192.168.0.2
7. Once the scan successfully finishes, navigate back to the Security Onion VM.
8. Change focus to the Chromium browser and click the squert tab.
Notice that a signature fired, indicating that the system detected the scan.
12. Notice that the Medium Severity count populates; click on its boxed icon.
13. On the Medium Severity Events page, notice that the Nmap scan was detected.
15. Click on the Date/Time column to sort the events in descending order.
16. Notice that no results are given at this time with the Sguil application.
3. Once the scan finishes, navigate back to the Security Onion VM.
4. Change focus to the Chromium browser with the Snorby tab opened.
5. Click the Dashboard menu item.
If results are not being displayed, wait for 1-2 minutes and then refresh the page once more.
3. Once the scan finishes, navigate back to the Security Onion VM.
4. Change focus to the Chromium browser with the squert tab opened.
5. Click the refresh icon located in the top pane.
6. Notice that Squert caught the same recent Nmap scan. Click on the QUEUE event with ET SCAN Potential VNC Scan 5X00-5X20 as its Signature.
7. Notice that the scan successfully created a decoy IP address along with the real IP address of the Kali VM.
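As an added example that is not part of the NDG lab, the Python script below groups Snort fast-format alerts by signature and target to surface the trace the decoy scan above leaves in the IDS: several source addresses (the decoys plus the real Kali VM) raising the same scan alert against the same host within a few seconds. The alert lines, the SID 9999999, the timestamps and the 10.0.0.x decoy addresses are constructed; the Kali address 192.168.0.20 is assumed, the target 192.168.0.2 and the signature text come from the lab.

```python
"""Group Snort fast-format alerts to spot an nmap decoy scan: many sources, one signature,
one target, one short burst. Sample data is constructed, not captured in the lab."""
import re
from collections import defaultdict
from datetime import datetime

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<sig>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

# Constructed alerts: SID 9999999 is a placeholder, 10.0.0.5/10.0.0.9 play the decoys,
# 192.168.0.20 is the assumed Kali VM, and 192.168.0.77 is an unrelated hit an hour later.
SAMPLE_ALERTS = """\
03/01-10:15:01.100000  [**] [1:9999999:1] ET SCAN Potential VNC Scan 5X00-5X20 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.0.2:5900
03/01-10:15:01.140000  [**] [1:9999999:1] ET SCAN Potential VNC Scan 5X00-5X20 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.20:40001 -> 192.168.0.2:5900
03/01-10:15:01.190000  [**] [1:9999999:1] ET SCAN Potential VNC Scan 5X00-5X20 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40001 -> 192.168.0.2:5900
03/01-10:15:02.300000  [**] [1:9999999:1] ET SCAN Potential VNC Scan 5X00-5X20 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.0.2:5901
03/01-11:40:00.000000  [**] [1:9999999:1] ET SCAN Potential VNC Scan 5X00-5X20 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.77:51000 -> 192.168.0.2:5900
"""


def parse_alert(line):
    """Return (timestamp, signature, src, dst) for a fast-format alert line, else None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # Fast format carries no year; strptime defaults it to 1900, which is fine for deltas.
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return ts, m["sig"], m["src"], m["dst"]


def find_decoy_clusters(alert_text, window_seconds=5.0):
    """Map (signature, dst) -> list of source-IP lists, one per burst in which more than one
    source fired the same signature at the same target within window_seconds. A real
    decoy scan shows up as one burst holding every decoy plus the true scanner."""
    by_target = defaultdict(list)
    for line in alert_text.splitlines():
        parsed = parse_alert(line)
        if parsed:
            ts, sig, src, dst = parsed
            by_target[(sig, dst)].append((ts, src))
    clusters = {}
    for key, events in by_target.items():
        events.sort()
        start, srcs, bursts = None, set(), []
        for ts, src in events:
            if start is None or (ts - start).total_seconds() > window_seconds:
                if len(srcs) > 1:          # close the previous burst if it had several sources
                    bursts.append(sorted(srcs))
                start, srcs = ts, set()
            srcs.add(src)
        if len(srcs) > 1:
            bursts.append(sorted(srcs))
        if bursts:
            clusters[key] = bursts
    return clusters
```

Because every decoy and the real scanner trigger the same rule at nearly the same instant, the burst is the thing to alert on; which member is the real Kali VM cannot be read from the alerts alone.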
3. Once the scan finishes, navigate back to the Security Onion VM.
4. Compare scan results with Snorby, Squert, and Sguil.
5. Close the Security Onion and Kali PC viewers.