
Lab7 Evading IDS Firewalls and Honeypots NETLAB-3

The document provides login information for Virtual Machines in the NETLAB+ system and outlines a lab focused on evading IDS, firewalls, and honeypots. It details the functions of Intrusion Detection Systems (IDS) and the objectives of the lab exercises, which include using HoneyBOT to detect malicious traffic and employing Nmap to bypass Windows Firewall. The lab scenarios guide students through practical exercises to enhance their skills in network security and penetration testing.


NETLAB+ Lab Information

The information provided below will be used to log in to the Virtual Machines in
the NETLAB+ system.

Virtual Machine                        Username        Password    IP Address
Windows Server 2016 + Clone (Clone)    Administrator   P@ssw0rd    192.168.0.2
                                       Test            Test123     192.168.0.3
Kali Linux                             kali            kali        192.168.0.4


Module 12: Evading IDS Firewalls and Honeypots

An Intrusion Detection System (IDS) is a security software or hardware device used to monitor, detect, and
protect networks or systems from malicious activity; it alerts the concerned security personnel immediately upon
detecting an intrusion.

Intrusion detection systems are highly useful because an IDS monitors both inbound and outbound network
traffic and continuously checks for suspicious activity that may indicate a network or system security breach. The
IDS checks traffic for signatures that match known intrusion patterns and raises an alarm when a match is
detected. An IDS is used to detect intrusions, while an IPS is used to detect and prevent intrusions on the
network.

Main Functions of IDS:

• An IDS gathers and analyzes information from within a computer or a network to identify possible
violations of the security policy.
• An IDS is also referred to as a “packet sniffer,” because it intercepts packets traveling over various
communication media and protocols, usually TCP/IP.
• An IDS evaluates traffic for suspected intrusions and raises an alarm after detection.

Objective
The objective of this lab is to help students learn to detect intrusions in a network and to log and view all log files.
In this lab, you will learn how to:

• Install and configure Snort IDS
• Detect intruders using HoneyBOT
• Bypass Windows Firewall using Nmap
• Bypass firewall rules using HTTP/FTP tunneling
• Bypass Windows Firewall using Metasploit

Scenario
The adoption of Internet use throughout the business world has in turn boosted network usage; to protect
their networks, organizations use various security measures such as firewalls, intrusion detection systems
(IDSs), intrusion prevention systems (IPSs), honeypots, and others. Networks are the preferred targets of
hackers seeking to compromise an organization's security, and attackers keep finding new ways to breach networks
and attack target organizations.

To become an expert Penetration Tester and Security Administrator, you must possess sound knowledge of
network intrusion prevention systems (IPSs), intrusion detection systems (IDS), malicious network activity,
and log information.
Exercise 1: Detecting Malicious Network Traffic Using HoneyBOT

A honeypot is a computer system on the Internet intended to attract and trap people who attempt unauthorized or
illicit use of the host system in order to penetrate an organization's network. A honeypot can log port access
attempts or monitor an attacker's keystrokes; these can be early warnings of a more concerted attack. Maintaining
a honeypot requires a considerable amount of attention.
HoneyBOT is a medium-interaction honeypot for Windows. A honeypot creates a safe environment in which to capture
and interact with unsolicited traffic on a network. HoneyBOT is an easy-to-use solution that is ideal for
network security research or as part of an early-warning IDS.

Lab Scenario

A honeypot creates a protected environment in which to capture and interact with unsolicited traffic on a
network. HoneyBOT is an easy-to-use solution that is ideal for network security research or as a component of an
early-warning IDS.
As a penetration tester, you will come across systems behind firewalls that block you from accessing the
information you want. You will therefore need to know how to get around the firewall rules in place and discover
information about the host. This step of a penetration test is called firewall evasion.

Lab Objectives

The objective of this lab is to help students learn to detect malicious traffic on a network by using HoneyBOT.

Lab Duration: 10 Minutes

1. Log in to the Windows Server 2016 VM with the Administrator account.
2. In the Password field enter P@ssw0rd and press Enter to log in.
3. To install HoneyBOT, navigate to C:\Users\Administrator\Desktop\CEH\Other
Tools\HoneyBOT\HoneyBOT, double-click HoneyBOT_018.exe and follow the wizard-driven
installation steps to complete the installation.

4. Once the installation has completed, make sure that the Launch HoneyBOT option is checked so that
the application launches automatically.
5. The HoneyBOT main window appears along with the HoneyBOT pop-up, as shown in the screenshot.
Click Yes to configure HoneyBOT.

6. The HoneyBOT - Options window appears with the default options checked on the General settings
tab. Leave the default settings, or modify them as required.

In this lab, we leave the General options at their defaults.
7. Click the Email Alert tab; if you want HoneyBOT to send you email alerts, check Send Email
Alerts and fill in the respective fields.

In this lab, we do not provide any details for email alerts.

8. On the Exports tab, from which you can export the logs recorded by HoneyBOT, choose the
required option for viewing the reports; then proceed to the next step.

In this lab we choose the Export Logs to CSV option.

9. On the Updates tab, uncheck Check for Updates; click Apply, and click OK to continue.

10. The Bindings pop-up appears; click OK to continue.


11. The HoneyBOT main window appears as shown in the screenshot. Leave the HoneyBOT
window running on the Windows Server 2016 machine.

12. Click Kali Linux. If you see the blue screen of Kali Linux, press the Space Bar to get to the login
screen of Kali Linux.

13. Type kali in the Username field and click Next.

14. Type kali in the Password field and click Sign In to log in.
15. Click the Terminal icon in Favorites (left-hand side of the desktop) to launch a terminal.
16. In the Terminal window, type ftp [IP Address of the Windows Server 2016] and press Enter.
17. Switch back to the Windows Server 2016 machine from the Resources pane. Expand the Ports and
Remotes nodes on the left side of the HoneyBOT dashboard.

Under Ports, you can see the port numbers on which Windows Server 2016 received the
requests or attacks. Under Remotes, it records the IP addresses from which it received the
requests.

18. In the left pane under Ports select 21; in the right pane, right-click one of the packets
recorded by HoneyBOT and click View Details in the menu, as shown in the screenshot.
19. The Packet Log window appears, as shown in the screenshot. It displays the complete log details
of the request captured by HoneyBOT.

In the screenshot, under Connection Details, you can see the date and time at which the connection
was established and the protocol used. It also shows the Source IP, Port, and Source Port, as shown
below.

20. On completing the lab exercise, exit all the applications and close all the files and folders that
were opened during the lab. Cancel this lab session and relaunch a new session.
In this lab you have learned how to detect malicious traffic on a network by using HoneyBOT.
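The Ports and Remotes views and the Packet Log details from steps 17 to 19, rebuilt from a CSV export as an added example (this is not HoneyBOT's own code, and its exact export columns are not on the page): the column names below are assumed to mirror the Connection Details fields, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a HoneyBOT "Export Logs to CSV" file.
# The column names are assumed; they mirror the fields the lab's Packet Log
# window shows (date, time, protocol, remote IP/port, local port).
SAMPLE_CSV = """date,time,protocol,remote_ip,remote_port,local_port
2024-05-01,10:12:03,TCP,192.168.0.4,41022,21
2024-05-01,10:12:09,TCP,192.168.0.4,41023,21
2024-05-01,10:12:15,TCP,192.168.0.4,41030,23
2024-05-01,10:13:40,TCP,192.168.0.3,50211,80
"""

def parse_honeybot_csv(text):
    """Parse the export into dict rows, converting the port columns to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["remote_port"] = int(row["remote_port"])
        row["local_port"] = int(row["local_port"])
        rows.append(row)
    return rows

def summarize(rows):
    """Rebuild the dashboard's Ports and Remotes nodes: hits per listening
    port, hits per remote address, and which ports each remote touched."""
    ports = Counter(r["local_port"] for r in rows)
    remotes = Counter(r["remote_ip"] for r in rows)
    ports_by_remote = defaultdict(set)
    for r in rows:
        ports_by_remote[r["remote_ip"]].add(r["local_port"])
    return {"ports": dict(ports), "remotes": dict(remotes),
            "ports_by_remote": {ip: sorted(p) for ip, p in ports_by_remote.items()}}

def flag_probers(summary, min_ports=2):
    """Remotes that touched several different honeypot ports are probing,
    not using one service; return them most-active first."""
    hits = summary["remotes"]
    return sorted((ip for ip, p in summary["ports_by_remote"].items()
                   if len(p) >= min_ports), key=lambda ip: -hits[ip])

def connection_details(row):
    """One row rendered like the Packet Log's Connection Details pane."""
    return (f"{row['date']} {row['time']} {row['protocol']} "
            f"{row['remote_ip']}:{row['remote_port']} -> port {row['local_port']}")

if __name__ == "__main__":
    s = summarize(parse_honeybot_csv(SAMPLE_CSV))
    print("ports:", s["ports"], "remotes:", s["remotes"])
    print("probing remotes:", flag_probers(s))
```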
Exercise 2: Bypassing Windows Firewall Using Nmap Evasion Techniques

Firewall bypassing is a technique in which an attacker manipulates the attack sequence to avoid being
detected by the underlying firewall. A firewall operates on a predefined set of rules, and with
thorough knowledge and skill an attacker can get around it by employing various firewall bypassing
techniques.

Lab Scenario
Network and security administrators play a crucial role in setting up the security defences of an organization.
Though such defences protect the machines in the network, there might still be an insider who tries
different evasion techniques to identify the services running on a target. In this scenario, consider that an
admin has written Windows Firewall rules to block your system from reaching one of the machines in
the network. You will be taught to use Nmap in such a way that you perform reconnaissance on the target via other
active machines on the network and identify the services running on the machine along with their open ports.

Lab Objectives

The objective of this lab is to help students learn how to bypass a firewall using Nmap.

Lab Duration: 10 Minutes

1. Log in to the Windows Server 2016 VM with the Administrator account.
2. In the Password field enter P@ssw0rd and press Enter to log in.
3. Open the Control Panel; in the All Control Panel Items window, click Windows Defender
Firewall. The Windows Defender Firewall window appears; click Use recommended settings to
turn on the firewall.

4. You can now see that the firewall is enabled on the Windows Server 2016 machine. Click the Advanced
settings link in the left pane.
5. The Windows Defender Firewall with Advanced Security window appears; select Inbound Rules in
the left pane and click New Rule in the Actions pane.

6. The Rule Type wizard appears; select the Custom radio button and click Next.
7. In the Program step, leave the settings at their defaults and click Next.
8. Leave the settings at their defaults in the Protocols and Ports step and click Next.
9. In the Scope step, under Which remote IP addresses does this rule apply to?, choose the These
IP addresses radio button and click Add.
10. The IP Address window appears; type the IP address of the Kali Linux machine here (ex: 10.10.10.11)
and click OK.
11. Click Next in the Scope step.
12. In the Action step, select the Block the connection radio button and click Next.
13. In the Profile step, leave the options at their defaults and click Next.
14. In the Name step, give the rule any name and click Finish.

15. Click Kali Linux. If you see the blue screen of Kali Linux, press the Space Bar to get to the login
screen of Kali Linux. Type kali in the Username field and click Next.
16. Type kali in the Password field and click Sign In to log in.
17. Click the Terminal icon in Favorites (left-hand side of the desktop) to launch a terminal.
18. Perform a basic nmap scan: type the command nmap [IP Address of Windows Server
2016] and press Enter. Because the firewall is turned on on the Windows Server 2016 machine, the output of the
nmap scan shows that all 1000 scanned ports on Windows Server 2016 are filtered.
19. Perform a SYN scan: type the command sudo nmap -sS [IP Address of Windows Server
2016] and press Enter. The result is the same, because the firewall is turned on.

20. Perform an intense scan: type the command sudo nmap -T4 -A [IP Address of Windows
Server 2016] and press Enter. The result is still the same, because the firewall is turned on.

21. Perform a ping sweep of the subnet to find the live machines in the network. Type the command
sudo nmap -sP [IP Address of Windows Server 2016 ending in 0]/24 and press Enter
(example: 10.10.10.0/24; -sP is the older name for nmap's -sn host discovery option). In the nmap output
you can find the live machines on the network, as shown in the screenshot.
22. Perform a zombie (idle) scan. Type the command
sudo nmap -sI [IP of another device] [IP Address of Windows Server 2016] and press Enter. You
can see that port 80 and port 3389 are open. An idle scan sends its probes with the zombie host's address as
the source and infers each port's state from changes in the zombie's IP ID counter, so the rule that blocks only
the Kali Linux address never matches. You might need to try one or more devices to find
a suitable zombie.

23. This lab is now complete. Go to the Windows Firewall -> Advanced Settings screen and delete the
Block Kali Linux rule so that it does not interfere with future labs.

In this lab you have learned how to bypass a firewall using Nmap.
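A defender-side check for the block rule created in steps 3 to 14, as an added example that is not part of the original lab: it parses Windows Firewall log lines in the format the firewall writes to pfirewall.log when packet logging is enabled (the sample lines are constructed) and flags sources that probe many ports within a short window. Because the heuristic keys on the logged source address, the idle scan from step 22 would be attributed to the zombie host rather than to the Kali machine, which is the practical lesson of this exercise.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the W3C-style format Windows Firewall writes to pfirewall.log.
SAMPLE_LOG = """#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:20:01 DROP TCP 192.168.0.4 192.168.0.2 40001 22 52 S 1000 0 8192 - - - RECEIVE
2024-05-01 10:20:01 DROP TCP 192.168.0.4 192.168.0.2 40002 80 52 S 1001 0 8192 - - - RECEIVE
2024-05-01 10:20:02 DROP TCP 192.168.0.4 192.168.0.2 40003 135 52 S 1002 0 8192 - - - RECEIVE
2024-05-01 10:20:02 DROP TCP 192.168.0.4 192.168.0.2 40004 445 52 S 1003 0 8192 - - - RECEIVE
2024-05-01 10:20:03 DROP TCP 192.168.0.4 192.168.0.2 40005 3389 52 S 1004 0 8192 - - - RECEIVE
2024-05-01 10:25:10 ALLOW TCP 192.168.0.3 192.168.0.2 50200 80 52 S 2000 0 8192 - - - RECEIVE
2024-05-01 10:41:30 DROP TCP 192.168.0.3 192.168.0.2 50300 21 52 S 3000 0 8192 - - - RECEIVE
"""

def parse_firewall_log(text):
    """Turn log lines into dicts keyed by the #Fields names; comment lines are skipped."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            e = dict(zip(fields, line.split()))
            e["ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
            entries.append(e)
    return entries

def blocked_by_source(entries):
    """Packets dropped per source address (the block rule from steps 3-14 shows up here)."""
    return Counter(e["src-ip"] for e in entries if e["action"] == "DROP")

def find_port_scans(entries, min_ports=5, window=timedelta(seconds=60)):
    """Sources that touched at least min_ports distinct ports inside any window.
    Keys on the logged src-ip, so an idle scan is attributed to the zombie host."""
    by_src = defaultdict(list)
    for e in entries:
        if e["protocol"] in ("TCP", "UDP"):
            by_src[e["src-ip"]].append((e["ts"], int(e["dst-port"])))
    scanners = {}
    for src, probes in by_src.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted({p for _, p in probes})
                break
    return scanners

if __name__ == "__main__":
    log = parse_firewall_log(SAMPLE_LOG)
    print("dropped per source:", dict(blocked_by_source(log)))
    print("likely port scans:", find_port_scans(log))
```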
