CEH v8 Labs, Module 17: Evading IDS, Firewalls and Honeypots (1)



Module 17: Evading IDS, Firewalls, and Honeypots


Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.

Lab Scenario

Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are those that have recently gained a considerable amount of interest. An IDS is a

example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a "process of identifying and responding to malicious activity targeted at computing and networking resources." In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from own

(Source: http://www.windowsecurity.com)

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Lab Objectives

■ Install and configure Snort IDS
■ Run Snort as a service
■ Log Snort log files to Kiwi Syslog Server
■ Store Snort log files to two output sources simultaneously

Lab Environment

To carry out this lab, you need:

CEH Lab Manual Page 847. Ethical Hacking and Countermeasures. Copyright © by EC-Council


■ Notepad++ installed on the host machine

Lab Duration

Time: 40 Minutes

Overview of Intrusion Detection Systems

An intrusion detection system monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a

prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment,

Intrusion detection and prevention systems are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Lab Analysis

your target's security posture and exposure.


Please talk to your instructor if you have questions related to this lab.


Detecting Intrusions using Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario

The trade of the intrusion detection analyst is to find possible attacks against their

this by IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trending data from the Internet. The IDS attacks are

and categorizing those scenarios becomes a critical challenge. These result in huge amounts of data, and from this data they must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Lab Objectives

The objective of this lab is to familiarize students with IPSes and IDSes.


■ A computer running Windows Server 2012 as a host machine

Lab Duration

Time: 30 Minutes

Overview of Intrusion Prevention Systems and Intrusion Detection Systems

activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity.

An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

Task: Install Snort

1. Start Windows Server 2012 on the host machine.

2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.

3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.

4. Accept the License Agreement and install Snort with the default options.

5. A window appears after successful installation of Snort. Click the Close button.

6. Click OK to exit the Snort Installation window.

Note: You can also download Snort from http://www.snort.org.

Note: Snort is an open source network intrusion prevention and detection system (IDS/IPS).


[Figure 1.1 screenshot: Snort 2.9.3.1 Setup dialog reading "Snort has successfully been installed. Snort also requires WinPcap 4.1.1 to be installed on this machine. WinPcap can be downloaded from: ..." with an OK button.]

Figure 1.1: Snort Successful Installation Window

IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort, and double-clicking WinPcap_4_1_2.exe.

9. By default, Snort installs itself in C:\Snort (C:\ or D:\ depending upon the disk drive on which the OS is installed).

download Snort Rules. After registration completes, it automatically redirects to a download page.

11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.

Honeypots\Intrusion Detection Tools\Snort.

13. Rename the extracted folder to snortrules.

Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc of the extracted Snort rules, copy the snort.conf

the Snort rules snort.conf file.

IDS, Firewalls, and Honeypots\Intrusion Detection

Note: WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.


17. Replace the preproc_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection

18. Copy all the files from this location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

19. Now navigate to C:\Snort, right-click the folder bin, and click CmdHere.

20. Type snort and press Enter.

Note: To print out the TCP/IP packet headers to the screen (i.e., sniffer mode), type: snort -v.

21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and returns you to C:\Snort\bin.

22. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet drivers, but all are disabled by default.

Figure 1.3: snort -W Command

the Ethernet driver index number is 1.

[Screenshot: Administrator: C:\Windows\system32\cmd.exe, showing Snort reporting "Acquiring network traffic from "\Device\NPF_{...}"" for the selected interface.]

Task: Verify Snort Alert


25. You see rapidly scrolling text in the command prompt. It means that the Ethernet driver is enabled and working properly.

Note: To specify a logging directory, type snort -dev -l /logdirectorylocation and Snort automatically knows to go into packet logger mode.

Note: Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l

[Screenshot: Administrator: C:\Windows\system32\cmd.exe - snort -dev -i 4. The command C:\Snort\bin>snort -dev -i 4 prints "Running in packet dump mode", "--== Initializing Snort ==--", "Initializing Output Plugins!", "pcap DAQ configured to passive." and "The DAQ version does not support reload."]

Figure 1.4: snort -dev -i 4 Command

[Screenshot: decoded TCP header of captured traffic, ending in "Seq: 0x81047C40 Ack: 0x4C743C54 Win: 0xFFFF TcpLen: 20".]

Figure 1.5: ping google.com Command


29. Close both command prompt windows. The verification of Snort

verbose mode.

30. Configure the snort.conf file located at C:\Snort\etc.

31. Open the snort.conf file with Notepad++.

Figure 1.7: Configuring snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line (Line 45), replace any with the IP address of the machine where Snort is running.

Figure 1.8: Configuring snort.conf File in Notepad++

34. Leave the EXTERNAL_NET any line as it is.

TASK 3: Configure snort.conf File

Note: Make sure to grab the rules for the version of Snort you are installing.

Note: To log packets in tcpdump format and produce minimal alerts, type: snort -b -A fast -c snort.conf.

Note: Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.


35. If you have a DNS server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS server IP address; otherwise, leave this line as it is.

37. Remember that if you don't have any servers running on your machine,

38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with

In Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.

Note: The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.


Note: Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators ? and -.

Figure 1.9: Configuring snort.conf File in Notepad++

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.

[Figure 1.10 screenshot: snort.conf lines 108-117 in Notepad++. The comment block above the reputation preprocessor paths notes that these paths are relative to where Snort runs, not to snort.conf ("BUG 89986"), so an absolute path must be set. After the edit, line 113 reads var WHITE_LIST_PATH c:\snort\rules and line 114 reads var BLACK_LIST_PATH c:\snort\rules; line 117 begins "# Step #3: Configure the decoder".]

Figure 1.10: Configuring snort.conf File in Notepad++


40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules. Make sure the extension of both files is .rules.

41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure the dynamic loaded libraries in this section.

42. At "path to dynamic preprocessor libraries" (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with the location of your dynamic preprocessor libraries folder.

43. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.

[Figure 1.11 screenshot: snort.conf around lines 247-265 before the edit. Under "# path to base preprocessor engine" is dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so; under "# path to dynamic rules libraries" is dynamicdetection directory /usr/local/lib/snort_dynamicrules; then "# Step #5: Configure preprocessors", the GTP Control Channel preprocessor line preprocessor gtp: ports { 2123 3386 2152 }, and the inline packet normalization block (normalize_ip4, normalize_tcp: ips ecn stream, normalize_icmp4, normalize_ip6), which the file notes does nothing in IDS mode.]

Figure 1.11: Configuring snort.conf File in Notepad++

44. At "path to base preprocessor (or dynamic) engine" (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with the base preprocessor engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

Note: The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

Note: Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the

users and programmers to drop modular plug-ins into Snort fairly easily.

Figure 1.12: Configuring snort.conf File in Notepad++


45. Comment out (#) the dynamic rules libraries line, as you have already configured the

[Figure 1.13 screenshot: snort.conf around lines 250-265 after step 44. Line 250 now reads dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll; the dynamicdetection directory /usr/local/lib/snort_dynamicrules line under "# path to dynamic rules libraries" is still uncommented; below it begin Step #5 (Configure preprocessors), the GTP Control Channel preprocessor and the inline packet normalization lines.]

Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

Figure 1.13: Configuring snort.conf File in Notepad++

46. Scroll down to the Step #5: Configure Preprocessors section (Line 256), the

[Figure 1.14 screenshot: snort.conf Step #5 around lines 256-269: the frag3 target-based IP defragmentation block (preprocessor frag3_global: max_frags 65536 and preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout ...) and the start of the stream5 block (preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_active_responses 2, min_response_seconds 5).]

Figure 1.14: Configuring Snort.conf File in Notepad++

48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.

Note: IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

Note: Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]


[Figure 1.15 screenshot: snort.conf Step #6 (Configure output plugins) in Notepad++. The shipped unified2 and database output lines (around lines 519-534) are commented out; the lab adds, near line 541, the lines include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config.]

Note: The frag3 preprocessor is a target-based IP defragmentation module for Snort.

Figure 1.15: Configuring snort.conf File in Notepad++

50. In this Step #6, add the line output alert_fast: alerts.ids for Snort to

[Figure 1.16 screenshot: the same Step #6 section after the edit, with the output alert_fast line added above the commented unified2 and database output lines.]

Note: 'ipvar's are enabled only with IPv6 support. Without IPv6 support, use a regular 'var'.

Figure 1.16: Configuring snort.conf File in Notepad++

51. By default, the C:\Snort\log folder is empty, without any files in it. Go to the C:\Snort\log folder and create a new text file with the name alerts.ids.

52. Ensure that the extension of that file is .ids.

Note: Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals: 1. Faster execution than frag2 with less complex

[Figure 1.17 screenshot: the C:\Snort\log folder in Explorer containing the single file alerts.ids.]

Figure 1.17: Configuring Snort.conf File in Notepad++

53. In the snort.conf file, find and replace the ipvar string with var. By default the string is ipvar, which this Snort build does not recognize (ipvar requires IPv6 support, see the note above), so replace it with the var string.

Note: Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This allows administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required.

[Figure 1.18 screenshot: the Notepad++ Replace dialog with Replace All, Match case and Wrap around options.]

Figure 1.18: Configuring Snort.conf File in Notepad++

54. Save the snort.conf file.
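The edits in steps 30 through 54 are easy to leave half-done, and the fatal error Snort prints in that case (step 61) is not always obvious. The following Python script is an added example, not part of the CEH manual or of Snort: it parses only the directives the lab touches (var/ipvar, the dynamic* paths, output, include) and reports anything still at its Linux default. Both configs inside it are constructed excerpts modelled on the relevant lines of the 2.9.3.1 snort.conf; the SO_RULE_PATH value in the fixed version is an assumption, since the page does not say what to set it to.

```python
"""Check a hand-ported Windows snort.conf for the edits this lab makes.

Added example, not part of the CEH lab manual or of Snort. It reads only the
directives the lab touches (var/ipvar, dynamic*, output, include) and reports
what is still at the Linux default. Both configs below are constructed
excerpts modelled on the relevant lines of the 2.9.3.1 snort.conf.
"""
import re

# Constructed "before" excerpt: HOME_NET and RULE_PATH already edited,
# everything else still at its shipped value.
SAMPLE_CONF = r"""
# Step #1: Set the network variables.
ipvar HOME_NET 10.0.0.10
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
var RULE_PATH C:\Snort\rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# Step #4: Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# Step #6: Configure output plugins
# output unified2: filename merged.log, limit 128
include classification.config
include reference.config
"""

# Constructed "after" excerpt with the lab's final values
# (SO_RULE_PATH is an assumption; the page does not give it).
FIXED_CONF = r"""
var HOME_NET 10.0.0.10
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var RULE_PATH C:\Snort\rules
var SO_RULE_PATH C:\Snort\so_rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules
var WHITE_LIST_PATH C:\Snort\rules
var BLACK_LIST_PATH C:\Snort\rules
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
# dynamicdetection directory /usr/local/lib/snort_dynamicrules
output alert_fast: alerts.ids
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config
"""

DIRECTIVE = re.compile(
    r"^(ipvar|var|dynamicpreprocessor|dynamicengine|dynamicdetection|output|include)\s+(.*)$"
)
UNIX_PATH = re.compile(r"^(\.\./|/usr/|/etc/|/var/)")
WIN_ABS = re.compile(r"^[A-Za-z]:\\")


def parse_conf(text):
    """Return (directive, argument) pairs, skipping blanks and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def check_windows_conf(text):
    """List the problems a Windows Snort run would hit with this config."""
    problems = []
    entries = parse_conf(text)
    for directive, arg in entries:
        if directive == "ipvar":
            # This build has no IPv6 support, so ipvar is rejected (lab step 53).
            problems.append(f"ipvar is not accepted without IPv6 support, use var: ipvar {arg}")
        if directive in ("var", "ipvar"):
            name, _, value = arg.partition(" ")
            value = value.strip()
            if name == "HOME_NET" and value == "any":
                problems.append("HOME_NET is still 'any' (lab step 33 sets it to the sensor IP)")
            if name.endswith("_PATH") and UNIX_PATH.match(value):
                problems.append(f"{name} still points at a Unix path: {value}")
        if directive in ("dynamicpreprocessor", "dynamicengine"):
            path = arg.split()[-1]
            if UNIX_PATH.match(path):
                problems.append(f"{directive} still points at a Unix path: {path}")
        if directive == "dynamicdetection":
            problems.append("dynamicdetection is still active; comment it out (lab step 45)")
        if directive == "include" and not WIN_ABS.match(arg):
            problems.append(f"include {arg} is relative; lab step 48 uses an absolute C:\\Snort\\etc path")
    if not any(arg.startswith("alert_fast") for d, arg in entries if d == "output"):
        problems.append("no 'output alert_fast: alerts.ids' line (lab step 50)")
    return problems


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_CONF), ("after", FIXED_CONF)):
        found = check_windows_conf(conf)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Point check_windows_conf at the text of your real C:\Snort\etc\snort.conf before running snort -T (or the full command in step 59); an empty list means the file is at least past the edits this lab requires. The checker deliberately treats every ipvar as an error because this Windows build lacks IPv6 support; on a build that has it, ipvar is valid and that branch should be dropped.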

file; for this lab we have enabled the ICMP rule so that Snort can detect any host discovery ping probes to the system running Snort.

56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.

57. Uncomment line number 47, then save and close the file.


[Figure 1.19 screenshot: icmp-info.rules open in Notepad++ (123 lines). Every ICMP-INFO rule ships commented out with a leading #: IRDP router advertisement (itype:9) and router selection (itype:10); a series of PING rules that fingerprint the sender by itype:8 plus a content match on the echo payload (BSD, BayRS router, Cisco, Linux/*BSD, Microsoft Windows, Oracle Solaris and others); traceroute (itype:8; ttl:1); and the Address Mask Request/Reply, Alternate Host Address and Datagram Conversion Error rules. The cursor is on line 47, the generic rule the lab uncomments:

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; ...)
]

Figure 1.19: Configuring snort.conf File in Notepad++
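To see why uncommenting line 47 is what makes the ping in this lab fire, here is a small Python parser and matcher for the subset of the Snort 2 rule language that icmp-info.rules uses. It is an added example, not the manual's or Snort's code. The three rules and the two packets are constructed (the sids sit in the local 1000000+ range so they cannot be mistaken for Sourcefire's); options the matcher does not implement (depth, ttl, classtype, rev) are parsed but ignored, so it matches somewhat more loosely than real Snort.

```python
"""Parse Snort 2 rules and match them against a packet.

Added example, not the CEH manual's or Snort's code. Supports the rule
header plus the msg, itype, icode, content and dsize options that
icmp-info.rules relies on; other options are kept but ignored, so this
matcher is looser than real Snort. Rules and packets are constructed.
"""
import ipaddress
import re

# Constructed rules in the style of icmp-info.rules (Figure 1.19). Only the
# second is uncommented, mirroring lab step 57. sids are local (1000000+).
RULES_FILE = '''
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; classtype:misc-activity; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:1000002; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:1000003; rev:1;)
'''

# The lab's snort.conf values: HOME_NET is the sensor, EXTERNAL_NET stays any.
VARS = {"HOME_NET": "10.0.0.10", "EXTERNAL_NET": "any"}

# Constructed packets: a Windows ping from the attacker VM to the sensor, and
# the reply. The 32-byte payload is the default Windows echo payload; with
# 20 IP + 8 ICMP bytes it gives the DgmLen:60 seen in the lab's ICMP_ECHO.ids.
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
WINDOWS_PING = {"proto": "icmp", "src": "10.0.0.12", "dst": "10.0.0.10",
                "itype": 8, "icode": 0, "payload": PAYLOAD}
ECHO_REPLY = {"proto": "icmp", "src": "10.0.0.10", "dst": "10.0.0.12",
              "itype": 0, "icode": 0, "payload": PAYLOAD}

HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def split_options(text):
    """Split the option body on semicolons that are outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if "".join(buf).strip():
                parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return parts


def parse_rule(line, variables):
    """Return a rule dict, or None for a blank or commented-out line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = m.groupdict()
    options = {}
    for opt in split_options(rule.pop("opts")):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    for field in ("src", "dst"):  # resolve $HOME_NET-style references
        if rule[field].startswith("$"):
            rule[field] = variables[rule[field][1:]]
    return rule


def load_rules(text, variables):
    return [r for r in (parse_rule(ln, variables) for ln in text.splitlines()) if r]


def content_bytes(spec):
    """Snort content: literal text, with |hex bytes| between pipes."""
    out, hexmode = bytearray(), False
    for chunk in spec.split("|"):
        out += bytes.fromhex(chunk) if hexmode else chunk.encode()
        hexmode = not hexmode
    return bytes(out)


def ip_in(addr, spec):
    """Match an address against any, !addr, a single host or a CIDR block."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if not (ip_in(pkt["src"], rule["src"]) and ip_in(pkt["dst"], rule["dst"])):
        return False
    o, payload = rule["options"], pkt.get("payload", b"")
    if "itype" in o and int(o["itype"]) != pkt.get("itype"):
        return False
    if "icode" in o and int(o["icode"]) != pkt.get("icode"):
        return False
    if "dsize" in o and int(o["dsize"]) != len(payload):
        return False
    if "content" in o and content_bytes(o["content"]) not in payload:
        return False
    return True


def alerts_for(pkt, rules):
    """msg strings of every rule the packet triggers, in file order."""
    return [r["options"]["msg"] for r in rules if rule_matches(r, pkt)]
```

With only line 47 active, the attacker's echo request matches (source any, destination $HOME_NET, itype 8, icode 0) and the sensor's own echo reply does not, because its destination is not HOME_NET and its itype is 0. Uncommenting the fingerprinting rules as well would make the same Windows ping raise two alerts, which is why the lab enables just the generic one.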

58. Now navigate to C:\Snort, right-click the folder bin, and select CmdHere from

59. Type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter to start Snort (replace X with your device index

60. If you enter all the command information correctly, you receive a graceful

61. If you receive a fatal error, first verify that you have typed all modifications correctly into the snort.conf file, and then search through the file for entries matching your fatal error message.

62. If you receive an error stating "Could not create the registry key," run the command prompt as an Administrator.

[Screenshot: Administrator: C:\Windows\system32\cmd.exe]

Task: Validate Configurations

Note: To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for

(Daemon mode and SIGHUP apply to Unix builds. On Windows, Snort is kept running by installing it as a Windows service instead, which is the "Run Snort as a service" objective listed for this module.)

Figure 2.18: Snort Successfully Validated Configuration W indow

C:\Snort\etc\snort.conf -l C:\Snort\log -i 2 and then press Enter.

Task: Start Snort


Figure 2.19: Start Snort in IDS Mode Command

64. Snort starts running in IDS mode. It first initializes output plug-ins and preprocessors, loads the dynamic preprocessor libraries and Snort's rule chains, and then logs all signatures.

65. After initializing the interface and logging the signatures, Snort starts and waits for an attack, triggering an alert when an attack occurs on the machine.

[Screenshot of the Snort startup banner:]

    -*> Snort! <*-
    Version 2.9.3.1-WIN32 GRE (Build 40)
    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-t
    Copyright (C) 1998-2012 Sourcefire, Inc., et al.
    Using PCRE version: 8.10 2010-06-25
    Using ZLIB version: 1.2.3

    Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
    SF_REPUTATION  Version 1.1  <Build 1>
    SF_POP  Version 1.0  <Build 1>
    SF_MODBUS  Version 1.1  <Build 1>
    SF_IMAP  Version 1.0  <Build 1>

Figure 1.20: Initializing Snort Rule Chains Window


67. Leave the Snort command prompt running.

68. Attack your own machine and check whether Snort detects it.

69. Launch your Windows 8 virtual machine (the attacker machine).

70. Open the command prompt and type ping XXX.XXX.XXX.XXX -t from the attacker machine (XXX.XXX.XXX.XXX is your Windows Server 2012 IP address).

71. Go to Windows Server 2012, open the Snort command prompt, and press Ctrl+C to stop Snort. Snort exits.

72. Now go to the C:\Snort\log\10.0.0.12 folder and open the ICMP_ECHO.ids text file.

Note: When Snort is run as a daemon, the daemon creates a PID file in the log directory.

TASK 6: Attack Host Machine

Note: To view the Snort log file, always stop Snort first and then open the Snort log file.


[Contents of ICMP_ECHO.ids as shown in Notepad:]

    [**] ICMP-INFO PING [**]
    11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:198  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:199  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:200  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:201  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:202  ECHO

    [**] ICMP-INFO PING [**]
    11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
    ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:203  ECHO

Figure 1.21: Snort alerts.ids Window Listing Snort Alerts

means that your Snort is working correctly and triggers an alert when attacks
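Step 73 has you read ICMP_ECHO.ids by eye. The following Python is an added example (not from the CEH manual or from Snort) that parses the ASCII alert records Snort writes with -K ascii, using the six records of Figure 1.21 retyped as sample input, and answers the questions an analyst asks of such a file: how many echo requests, from where, over what period, whether any were missed (gaps in the ICMP sequence number), and whether the cadence looks like a sustained ping -t. The thresholds in sustained_pings are assumptions.

```python
"""Parse and summarize Snort ASCII alert records (the lab's ICMP_ECHO.ids).

Added example, not from the CEH manual or Snort. SAMPLE_ALERTS is the six
records of Figure 1.21 retyped; the detection thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_ALERTS = """\
[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:198  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:202  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:203  ECHO
"""

MSG_LINE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
FLOW_LINE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) -> (?P<dst>\S+)$")
KEY_VALUE = re.compile(r"(\w+):(\S+)")


def _num(val):
    try:
        return int(val, 0)  # handles TOS:0x0 as well as Seq:198
    except ValueError:
        return val


def parse_alerts(text):
    """One dict per record: msg, src, dst, ts, proto, IP fields, L4 fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        m, f = MSG_LINE.match(lines[0]), FLOW_LINE.match(lines[1])
        if not (m and f):
            raise ValueError(f"unrecognized alert record: {lines[0]!r}")
        records.append({
            "msg": m["msg"], "src": f["src"], "dst": f["dst"],
            "ts": datetime.strptime(f["ts"], "%m/%d-%H:%M:%S.%f"),  # the file has no year
            "proto": lines[2].split()[0],
            # IP header and protocol header both carry an ID field; keep them apart
            "ip": {k.lower(): _num(v) for k, v in KEY_VALUE.findall(lines[2])},
            "l4": {k.lower(): _num(v) for k, v in KEY_VALUE.findall(lines[3])} if len(lines) > 3 else {},
        })
    return records


def summarize(records):
    """Group by (src, dst, msg): count, time span and missed ICMP sequence numbers."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["msg"])].append(r)
    summary = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        seqs = [r["l4"]["seq"] for r in recs if "seq" in r["l4"]]
        missing = sum(b - a - 1 for a, b in zip(seqs, seqs[1:]) if b > a)
        summary[key] = {
            "count": len(recs),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "duration_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "missing_seq": missing,
        }
    return summary


def sustained_pings(records, min_count=5, max_interval_s=2.0):
    """(src, dst, count) for hosts sending steady echo requests, like ping -t."""
    echo = [r for r in records if r["proto"] == "ICMP" and r["l4"].get("type") == 8]
    hits = []
    for (src, dst, _msg), s in summarize(echo).items():
        mean_interval = s["duration_s"] / max(s["count"] - 1, 1)
        if s["count"] >= min_count and mean_interval <= max_interval_s:
            hits.append((src, dst, s["count"]))
    return hits
```

On the lab's file this yields one group, 10.0.0.12 -> 10.0.0.10, six echo requests over about 5.1 seconds with sequence numbers 198 through 203 and nothing missed, which sustained_pings reports as a steady probe. A non-zero missing_seq on a real capture means Snort saw fewer echo requests than the sender transmitted, which is worth knowing before trusting alert counts as packet counts.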

Lab Analysis

your target's security posture and exposure.


2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required


In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes) and IDSes, be able to identify malicious network activity and log information, and stop or block malicious network activity.

Lab Objectives

The objective of this lab is to help students learn and understand IPSes and IDSes. In this lab, you need to:

■ Install Snort and configure the snort.conf file
■ Validate configuration settings
■ Perform an attack on the host machine
■ Perform an intrusion detection
■ Attempt to stop detected possible incidents


Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine
■ Windows 8 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Administrative privileges to configure settings and run tools

Lab Duration

Time: 10 Minutes

Overview of IPSes and IDSes

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Lab Tasks

1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and

on the Windows Server 2012 host machine.

2. The License Agreement window appears. Click I Agree.

Figure 2.1: kiwi syslog server installation

You can also download Kiwi Syslog


3 In the Choose Operating Mode wizard, check the Install Kiwi Syslog


[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode. "Install Kiwi Syslog Server as a Service" installs it as a Windows service that runs without a user logging in to Windows and also installs the Kiwi Syslog Server Manager used to control the service; "Install Kiwi Syslog Server as an Application" (selected) installs it as a typical Windows application that requires a user to log in to Windows before running it.]

Figure 2.2: Kiwi Syslog Server installation

4 In the Install Kiwi Syslog Web Access wizard, uncheck the option selected and click Next >.

[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Install Kiwi Syslog Web Access (remote viewing, filtering and highlighting of Syslog events). Options: "Install Kiwi Syslog Web Access" and "Create a new Web Access logging rule in Kiwi Syslog Server". Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server.]

Figure 2.3: Kiwi Syslog Web Access option

5 Leave the settings at their defaults in the Choose Components wizard and click Next >.


[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Components: Program files (required); Shortcuts apply to all users; Add Start menu shortcut; Add Desktop shortcut; Add QuickLaunch shortcut; Add Start-up shortcut. Space required: 89.5 MB.]

Figure 2.4: Adding components

6 In the Choose Install Location wizard, leave the settings at their defaults and click Install to continue.

[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Choose Install Location: choose the folder in which to install Kiwi Syslog Server 9.3.4.]

Figure 2.5: Choosing the destination folder

7 Click Finish to complete the installation.

You should see a test message appear, which indicates Kiwi is working.

Ethical Hacking and Countermeasures Copyright © by EC-Council

CEH Lab Manual Page 868


[Screenshot: Kiwi Syslog Server 9.3.4 Installer, Completing the Kiwi Syslog Server 9.3.4 Setup Wizard. "Kiwi Syslog Server 9.3.4 has been installed on your computer. Click Finish to close this wizard." Options: Run Kiwi Syslog Server 9.3.4 (checked); Visit the SolarWinds website.]

Figure 2.6: Kiwi Syslog Server finish window

8 Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box.

[Dialog: Kiwi Syslog Server - Default settings applied. "Thank you for choosing Kiwi Syslog Server. This is the first time the program has been run on this machine. The following default 'Action' settings have been applied: Display all messages; Log all messages to file: SyslogCatchAll.txt. These settings can be changed from the File | Setup menu. Happy Syslogging." OK]

Figure 2.7: Default settings applied window

9 To launch the Kiwi Syslog Server Console, move your mouse cursor to the lower-left corner of your desktop and click Start.

Figure 2.8: Start menu in Windows Server 2012

10 In the Start menu apps, click Kiwi Syslog Server Console to launch the app.

Kiwi Syslog Server is a free syslog server for Windows. It receives, logs, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and other syslog-enabled devices.



Figure 2.9: Click the Kiwi Syslog Server application

11 Configure Syslog alerts in the snort.conf file.

12 To configure Syslog alerts, first exit from the Snort command prompt (press Ctrl+C).

13 Go to C:\Snort\etc and open the snort.conf file with Notepad++.

14 Scroll down to Step #6: Configure output plugins. In the syslog section (Line 527), remove the # and modify the line to read: output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT

snort.conf before modification

[Screenshot: C:\Snort\etc\snort.conf open in Notepad++, showing the commented output section: "# Step #6: Configure output plugins", "# Additional configuration for specific types of installs", "# output alert_unified2: filename snort.alert, limit 128, nostamp", "# output log_unified2: filename snort.log, limit 128, nostamp", "# syslog", "# output alert_syslog: LOG_AUTH LOG_ALERT".]

The reason why you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need to maintain rights not only to output your alerts to Kiwi, but also to write them to a log file.


[Screenshot: C:\Snort\etc\snort.conf open in Notepad++ after the change, showing the Step #6 output plugins section: the unified2 lines ("# output alert_unified2: filename snort.alert, limit 128, nostamp", "# output log_unified2: filename snort.log, limit 128, nostamp") and the database lines ("# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>", "# output database: log, <db_type>, ...") remain commented out.]

Figure 2.11: snort.conf after configuration

16 Open the Kiwi Syslog Server Console and press Ctrl+T. This sends a test message to check that Kiwi Syslog Server logs alerts.

[Screenshot: Kiwi Syslog Service Manager showing the test entry: 11-14-2012 16:21:30 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0001]

Figure 2.12: Kiwi Syslog Service Manager window

17 Leave the Kiwi Syslog Server Console open. Do not close the window.

18 Now open a command prompt with Snort and type this command: snort -

and press Enter (here X is the index number of your Ethernet card).


[Screenshot: Administrator: C:\Windows\system32\cmd.exe window running Snort]

Figure 2.13: Snort Alerts-ids Window Listing Snort Alerts

19 Open a command prompt in your Windows 8 virtual machine and type this command: ping 10.0.0.10 (the IP address of your host machine where the Kiwi Syslog Server Console is running).

20 Go to the Kiwi Syslog Service Manager window (which is already open) and observe the triggered alert logs.

Kiwi Syslog Server ... different logging action depending on the host

[Screenshot: Kiwi Syslog Service Manager listing one Snort alert per ping, each of the form: 11-14-2012 18:40:12 Auth.Alert 127.0.0.1 Nov 14 18:40:12 WIN-2N9STOSGIEN snort: [1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10 (timestamps 18:39:56 through 18:40:12).]

Figure 2.14: Kiwi Syslog Service Manager with Snort logs

21 In Kiwi Syslog, you see the Snort alert output listed in the Kiwi Syslog Service Manager.

22 You have successfully output Snort alerts to two sources.
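As an added example (not part of the lab manual), the following Python script parses the Snort alert lines that Kiwi Syslog Server displays in step 20 and builds the kind of per-signature and per-source report the Lab Analysis asks about. The sample lines are constructed to mirror the lab's ping test; the "LOCAL hypothetical TCP rule" line exists only to show port handling and priority filtering.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Kiwi Syslog Server displays Snort's
# alert_syslog output (LOG_AUTH LOG_ALERT).  The ICMP lines mirror the lab's
# ping test; the TCP line and the Kiwi test line are made up for illustration.
SAMPLE_LINES = [
    "11-14-2012 18:40:00 Auth.Alert 127.0.0.1 Nov 14 18:40:00 WIN-2N9STOSGIEN snort: "
    "[1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10",
    "11-14-2012 18:40:01 Auth.Alert 127.0.0.1 Nov 14 18:40:01 WIN-2N9STOSGIEN snort: "
    "[1:384:6] ICMP-INFO PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.12 -> 10.0.0.10",
    "11-14-2012 18:41:07 Auth.Alert 127.0.0.1 Nov 14 18:41:07 WIN-2N9STOSGIEN snort: "
    "[1:1000001:1] LOCAL hypothetical TCP rule [Priority: 2] {TCP} 10.0.0.12:49152 -> 10.0.0.10:80",
    "11-14-2012 16:21:30 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0001",
]

# Snort syslog alert: [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a non-Snort syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[k] = int(a[k]) if a[k] is not None else None
    return a

def summarize(lines, high_priority=2):
    """Count alerts per signature and per source host.  Snort priority 1 is the
    most severe, so alerts with priority <= high_priority are returned as 'urgent'."""
    by_sig, by_src, urgent, ignored = Counter(), Counter(), [], 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            ignored += 1          # Kiwi test messages, other hosts' syslog, etc.
            continue
        by_sig[(a["gid"], a["sid"], a["msg"])] += 1
        by_src[a["src"]] += 1
        if a["prio"] <= high_priority:
            urgent.append(a)
    return {"by_signature": by_sig, "by_source": by_src, "urgent": urgent, "ignored": ignored}
```

Feeding Kiwi's SyslogCatchAll.txt (the default log file from step 8) to summarize() gives the same counts for real captures.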

Posted: 15/06/2016, 21:55
