Lab Exercise & Hands on
Penetration & Analysis Traffic
SNORT
Pervasive Computing Research Group
Faculty of Computer Science & Information System
Universiti Teknologi Malaysia
Note:
• Create four groups in the class.
• Each group has a maximum of 10 students, and all groups must be filled.
• Two groups per week.
• Bring your notebook with the following already installed:
– PuTTY (remote Linux shell from your computer)
– WinSCP (download/upload data from/to the Linux server)
– FTP client (download/upload data from/to the Windows 2003 server)
Scenario
Footprinting, gathering information: IP address, MAC address, port, daemon / application
Vulnerabilities / holes
Penetration
Analysis & recognition
Identification
Report
Probe vulnerabilities
Monitoring
Test the vulnerable server
• Penetration using BackTrack
– Nmap (network scanning tool)
– Nikto (web service vulnerability scanner)
– Hydra / Medusa (password dictionary attack against SSH)
• Analyze vulnerabilities
– OS: Windows 2003 / Fedora / Windows 7
– Compare them
10.10.10.15
• Open your command prompt and type: ping 10.10.10.15
• Open PuTTY:
– Host address: 10.10.10.15
– Click Open
– Login: root
– Password: toor
– root@bt:~# ping 10.10.10.5
WIRESHARK & TCPDUMP
• Type the tshark command in the terminal:
tshark -w yournamefile_tshark.pcap
– Create a tshark capture file for each exercise.
• Type the tcpdump command in the terminal:
tcpdump -w yournamefile_tcpdump.pcap
Last login: Tue May 8 10:09:13 2012
root@bt:~# ping 10.10.10.5
PING 10.10.10.5 (10.10.10.5) 56(84) bytes of data.
64 bytes from 10.10.10.5: icmp_seq=1 ttl=128 time=0.816 ms
64 bytes from 10.10.10.5: icmp_seq=2 ttl=128 time=0.528 ms
64 bytes from 10.10.10.5: icmp_seq=3 ttl=128 time=0.501 ms
^C
--- 10.10.10.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.501/0.615/0.816/0.142 ms
Ctrl+C stops ping.
Scanning
• Type nmap in the terminal: root@bt:~# nmap -v -A <target IP>
– Targets
• Fedora 14: 10.10.10.5
• Windows 2000: 10.10.10.25
• Windows 2003: 10.10.10.30
• Other commands:
nmap --help
• Nmap commands:
nmap -sP <IP address>
nmap -vv -A <IP address>
nmap -sS <IP address>
nmap -O <IP address>
• Observe the output
• How many hosts did it find?
• What is the IP address of the host?
• How long did the scan take?
• What is the result of this stage?
Web Scanning: NIKTO
• Type the commands in the terminal:
– root@bt:~# cd download/
– root@bt:~/download# cd nikto-2.1.4/
– root@bt:~/download/nikto-2.1.4# ./nikto.pl -h 10.10.10.20 (or another target)
– Other commands:
• ./nikto.pl -h <target IP> -p 80
• ./nikto.pl -h <target IP> -T 58
SNORT
• Packet sniffer: snort -v
snort -v -c /etc/snort/snort.conf
• Alert analysis (offline): snort -r yourfile.pcap -c /etc/snort/snort.conf
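The rules below are an added example, not part of the lab sheet, showing what the offline Snort run over the tshark/tcpdump capture can be made to flag for each lab step (ping, nmap -sS / -O, Nikto, Hydra/Medusa). They assume Snort 2.x, that /etc/snort/snort.conf includes $RULE_PATH/local.rules, and that $HOME_NET covers the targets; the addresses are the lab's own.

```snort
# local.rules (added example). SIDs 1000001 and above are the range reserved for local rules.
# Run: snort -r yourfile.pcap -c /etc/snort/snort.conf -A console   (alerts printed to the terminal)

# Step 1 (ping): ICMP echo request from the BackTrack box 10.10.10.15 to the Fedora target 10.10.10.5.
alert icmp 10.10.10.15 any -> 10.10.10.5 any (msg:"LAB ICMP echo request from BackTrack"; itype:8; sid:1000001; rev:1;)

# Step 2 (nmap -sS): bare SYN packets; the detection_filter only fires once one source sends more than 20 SYNs in 5 seconds, so a single normal connection does not alert.
alert tcp 10.10.10.15 any -> $HOME_NET any (msg:"LAB possible nmap SYN scan"; flags:S,12; detection_filter:track by_src, count 20, seconds 5; sid:1000002; rev:1;)

# Step 2 (nmap -O): OS fingerprinting sends probes with flag combinations no legitimate stack uses, e.g. SYN+FIN together.
alert tcp any any -> $HOME_NET any (msg:"LAB TCP SYN+FIN probe (OS fingerprinting)"; flags:SF; sid:1000003; rev:1;)

# Step 3 (Nikto): the scanner names itself in the User-Agent header; http_header needs the http_inspect preprocessor, enabled in the default snort.conf.
alert tcp any any -> $HOME_NET 80 (msg:"LAB Nikto web scanner User-Agent"; flow:to_server,established; content:"Nikto"; http_header; nocase; sid:1000004; rev:1;)

# Step 4 (Hydra/Medusa): a dictionary attack opens many SSH connections from one source in a short window.
alert tcp any any -> $HOME_NET 22 (msg:"LAB SSH dictionary attack (many connections from one source)"; flow:to_server; flags:S; detection_filter:track by_src, count 10, seconds 60; sid:1000005; rev:1;)
```

Compare the alert counts against the questions in the Scanning section (how many hosts, how long the scan took): the SYN-scan rule fires once per source host, not once per probed port, because of the detection_filter.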