Lab Network Security

ITT450 LAB EXERCISE (update: 22 Feb, 12.06 AM)

LAB 1: INTRODUCTION

  1. Logical address (IPv4)
    1. 192.168.2.4
    2. X.X.X.X (four decimal octets, each 0 to 255)

       

  2. Loopback IP address
    1. 127.0.0.1
    2. 127.x.x.x (the whole 127.0.0.0/8 block)
    3. Loopback purpose: lets a host talk to itself; it works even on a machine that has no NIC, so local services can be tested without a network.

       

  3. Physical address
    1. 01:23:45:67:89:ab
    2. Is also known as MAC address

       

  4. Protocol
    1. TCP: transport layer protocol that gives a reliable, flow-controlled, connection-oriented channel between hosts (applications)
    2. FTP: protocol to transfer files (reliable, because it runs over TCP)
    3. POP: protocol to pull email from a mail server
    4. UDP: transport layer protocol on a best-effort basis; not reliable, but faster and simpler
    5. SMTP: protocol to send mail to a mail server
    6. Telnet: protocol that allows remote access (a remote shell) on another host, in cleartext

       

  5. Class of IP address

Class     Address range                   Supports
Class A   1.0.0.1 to 126.255.255.254      16 million hosts on each of 126 networks
Class B   128.1.0.1 to 191.255.255.254    65,000 hosts on each of 16,000 networks
Class C   192.0.1.1 to 223.255.254.254    254 hosts on each of 2 million networks
Class D   224.0.0.0 to 239.255.255.255    Reserved for multicast groups
Class E   240.0.0.0 to 254.255.255.254    Reserved for future use, or research and development purposes

The range 127.x.x.x is reserved for loopback tests, for example 127.0.0.1. The address 255.255.255.255 is the limited broadcast address, used to reach all hosts on the local network.

http://www.computerhope.com/jargon/i/ip.htm

Private addresses are not a class of their own: the RFC 1918 blocks are 10.0.0.0/8 (inside class A), 172.16.0.0 to 172.31.255.255 (inside class B) and 192.168.0.0/16 (inside class C). Every other class A, B or C address is public.

 

First-octet boundaries of the classes: 1 → 128 → 192 → 224 → 240 (class A starts at 1, B at 128, C at 192, D at 224, E at 240)

 

  1. Use a straight-through UTP cable to connect a PC to a hub/switch/router; a crossover UTP cable is for connecting two like devices directly (PC to PC, switch to switch). Most modern NICs and switches auto-detect the pairing (Auto-MDIX), so either cable works on them.
  2. Peer-to-peer configuration:
    1. a connection between 2 hosts (PCs for example) without any intermediate device (hub/switch/router)
    2. both hosts must be in the same subnet, and no default gateway is needed
  3. Use ipconfig (Windows) or ifconfig / ip addr (Linux) to check the computer's IP address from the command prompt. netstat shows active connections, listening ports and the routing table rather than interface addresses.
  4. Use ping to check whether another host is live/dead and also to learn the IP address of a domain name (ping prints the resolved address).
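As an added example (not part of the original lab notes), the following Python script does the classful arithmetic from the table above: it derives the class from the first octet using the 1/128/192/224/240 boundaries, applies the class's default mask to get network, broadcast and usable host count, and flags loopback, multicast and RFC 1918 private addresses. It also includes a same-subnet check, which is the condition under which two peer-to-peer hosts can talk without a default gateway. Only the standard library `ipaddress` module is used; the sample addresses are taken from this page.

```python
import ipaddress

# RFC 1918 private blocks. They are carved out of classes A, B and C
# respectively; "private" is a property of these blocks, not of a class.
PRIVATE_BLOCKS = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default (classful) prefix length; classes D and E have no host part.
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def ip_class(addr):
    """Classful letter from the first octet: A <128, B <192, C <224,
    D <240 (multicast), E otherwise (reserved)."""
    first = int(ipaddress.IPv4Address(str(addr))) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def describe(addr):
    """Classful view of an IPv4 address: class, default mask, network and
    broadcast addresses, usable host count, plus loopback/private/multicast."""
    a = ipaddress.IPv4Address(str(addr))
    cls = ip_class(a)
    info = {
        "address": str(a),
        "class": cls,
        "loopback": a.is_loopback,                      # 127.0.0.0/8
        "private": any(a in n for n in PRIVATE_BLOCKS),  # RFC 1918
        "multicast": a.is_multicast,                    # class D
    }
    prefix = DEFAULT_PREFIX.get(cls)
    if prefix is not None:
        net = ipaddress.IPv4Network((a, prefix), strict=False)
        info.update(
            netmask=str(net.netmask),
            network=str(net.network_address),
            broadcast=str(net.broadcast_address),
            usable_hosts=net.num_addresses - 2,  # minus network and broadcast
        )
    return info


def same_subnet(addr1, addr2, netmask):
    """True if both addresses fall in one subnet under the given mask, i.e.
    they can reach each other directly (peer-to-peer) with no gateway."""
    net = ipaddress.IPv4Network((addr1, netmask), strict=False)
    return ipaddress.IPv4Address(addr2) in net


if __name__ == "__main__":
    for a in ("192.168.2.4", "127.0.0.1", "10.0.0.9", "172.20.1.1", "224.0.0.1"):
        print(describe(a))
    print(same_subnet("10.0.0.9", "10.0.0.20", "255.255.255.0"))
```

Note that `describe("11.0.0.9")` comes back with `private` false even though 11.0.0.9 is a class A address; the class tells you the default mask, not whether the address is routable on the Internet.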

 

Port

Port   Protocol   Description
80     http       Used for web browsing.
23     telnet     Remote login to another host (cleartext).
21     ftp        To transfer files.
443    https      Web browsing over TLS (encrypted HTTP).
110    pop3       Used to retrieve email from a mail server.

 

*************************************************************

 

LAB 2 : JTR

JTR (John The Ripper)

Assumptions:

  • The text file containing the password hashes we want to crack = list.txt
  • john-mmx.exe and john-386.exe are located in D:\jtr\run

Command to crack the passwords the simplest way (a single command; John runs its default sequence of modes):

D:\jtr\run\john-mmx     list.txt

 

Command to crack passwords by brute force in incremental mode:

D:\jtr\run\john-mmx     --incremental     list.txt

 

Command to crack passwords with the dictionary method, using the password.lst file as the wordlist:

D:\jtr\run\john-mmx     --wordlist=password.lst     list.txt

 

Command to show the passwords that have been cracked successfully (John reads them back from its john.pot file, so the same hash file must be given):

D:\jtr\run\john-mmx     --show     list.txt
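To make clear what the two modes above actually do, here is an added toy cracker in Python (not John the Ripper's own code, and not from the original lab notes). It reads a constructed list.txt in user:hash form, tries a wordlist first (cheap: one hash per candidate), then falls back to an incremental search over a charset by increasing length, and finally prints user:password the way `john --show` does. It uses unsalted SHA-1 so the sample hashes can be checked by hand; real John handles many hash formats, salts, and a smarter (frequency-ordered) candidate order in incremental mode.

```python
"""Toy illustration of John the Ripper's wordlist and incremental modes."""
import hashlib
import itertools
import string

# Constructed sample list.txt (user:hash). The hashes are unsalted SHA-1 of
# "password" (in the wordlist) and "abc" (not in the wordlist).
LIST_TXT = """\
alice:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
bob:a9993e364706816aba3e25717850c26c9cd0d89d
"""

# Constructed stand-in for password.lst; bob's password is deliberately absent.
PASSWORD_LST = ["123456", "password", "qwerty", "letmein"]


def sha1(text):
    return hashlib.sha1(text.encode()).hexdigest()


def parse_list(text):
    """Parse user:hash lines into {hash: user}."""
    targets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        targets[digest.lower()] = user
    return targets


def wordlist_mode(targets, wordlist):
    """john --wordlist=password.lst: hash each candidate once, look it up."""
    found = {}
    for word in wordlist:
        h = sha1(word)
        if h in targets and h not in found:
            found[h] = word
    return found


def incremental_mode(targets, charset=string.ascii_lowercase, max_len=3):
    """john --incremental: exhaustive search over charset, shortest first.
    Stops early once every target hash has been matched."""
    found = {}
    remaining = set(targets)
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            if not remaining:
                return found
            candidate = "".join(combo)
            h = sha1(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
    return found


def crack(list_txt, wordlist, max_len=3):
    """Wordlist first, incremental for whatever is left; return the
    equivalent of `john --show`: {user: password} for cracked entries."""
    targets = parse_list(list_txt)
    found = wordlist_mode(targets, wordlist)
    leftover = {h: u for h, u in targets.items() if h not in found}
    found.update(incremental_mode(leftover, max_len=max_len))
    return {targets[h]: pw for h, pw in found.items()}


if __name__ == "__main__":
    for user, pw in crack(LIST_TXT, PASSWORD_LST).items():
        print(f"{user}:{pw}")
```

The cost difference is the whole point of running the modes in this order: the wordlist costs four hashes here, while the incremental search for a three-letter lowercase password costs up to 26 + 26² + 26³ hashes, and every extra character multiplies that by the charset size.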

 

*************************************************************

 

LAB 3 : NMAP

Basic port state.

  1. Open:
    1. The host sent a reply indicating that there is a service listening on that particular port. The port is active and willing to accept connections.
    2. Beruk add: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.
  2. Closed:
    1. The host sent a reply indicating that connections to that port will be denied. No application or service is listening on it.
    2. Beruk add: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.
  3. Filtered:
    1. There is no reply from the host. Nmap is unable to determine the state of the port because its probe packets were filtered (by a firewall, for example), so Nmap cannot probe that port.
    2. Beruk add: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port.
  4. Unfiltered:
    1. Means the port is accessible, but Nmap is unable to determine whether it is open or closed (only the ACK scan, -sA, classifies ports this way).
  5. Open|filtered:
    1. Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response (UDP, FIN, NULL and Xmas scans).
  6. Closed|filtered:
    1. This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
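The open/closed/filtered distinction comes straight from how the target answers a probe. As an added example (not from the lab notes, and not Nmap's code), this Python connect scanner reproduces the classification the way `nmap -sT` does: the handshake completing means open, a RST (seen by the application as "connection refused") means closed, and silence until the timeout, or no route, means filtered. It spins up its own listener on 127.0.0.1 as a constructed target so it can be run offline; the listener and the "unused port" helper are part of the example, not something Nmap needs.

```python
import socket


def port_state(host, port, timeout=1.0):
    """Classify one TCP port as a connect scan does.
    open     - three-way handshake completed (something is listening)
    closed   - host answered with RST, surfaced as ConnectionRefusedError
    filtered - no answer before the timeout, or no route at all: the probe
               was dropped somewhere (firewall), so the state is unknown"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan(host, ports, timeout=1.0):
    """Return {port: state} for the given ports, like Nmap's port table."""
    return {p: port_state(host, p, timeout) for p in ports}


def start_listener(host="127.0.0.1"):
    """Constructed target: a listening socket on an ephemeral port so the
    scan has a known-open port. Returns (socket, port); close it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Constructed closed port: bind to learn a free port, then release it,
    so nothing listens there and a connect attempt gets RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = unused_port()
    try:
        for port, state in scan("127.0.0.1", [open_port, closed_port]).items():
            print(f"{port}/tcp {state}")
    finally:
        srv.close()
```

The SYN scan (-sS) reaches the same three verdicts from the raw replies (SYN/ACK means open, RST means closed, nothing means filtered) but tears the connection down with a RST instead of finishing the handshake, which is why it needs raw-socket privileges and leaves fewer application-level log entries than a connect scan. A "filtered" verdict against a remote host cannot be produced offline, so the script only demonstrates it by way of the timeout path.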

     

Targeted host: 10.0.0.9 (in LAN)

Command and result

nmap 10.0.0.9
    Port number; state (open, closed, filtered, unfiltered); service (Apache, IIS, rtsp, netbios); MAC address

nmap -sS 10.0.0.9
    Same as nmap 10.0.0.9 (the SYN scan is already Nmap's default when it has raw-socket privileges)

nmap -sS -A 10.0.0.9
    Port number; state (open, closed, filtered, unfiltered); service (Apache, IIS, rtsp, netbios); MAC address; operating system (Windows, Linux); network distance (hops); service info

nmap -sP 10.0.0.0/24
    Reports which IPs in the whole 10.0.0.0/24 range are active (online), their MAC addresses and, if possible, the device name. Output: IP of each host that is online, its MAC address, its host name

nmap -sV 10.0.0.9
    Port number; state; service; MAC; service info (operating system)

nmap -sS -P0 -A -v 10.0.0.9
    Gives everything the lab asks for: port number; state (open, closed, filtered, unfiltered); service (Apache, IIS, rtsp, netbios); MAC address; operating system (Windows, Linux); network distance (hops); service info; discovered ports/protocols; NetBIOS (workgroup etc). -P0 skips host discovery and treats the host as up (spelled -Pn in current Nmap).

 

  • -sS = TCP SYN ("half-open") scan, the basic scan type; Nmap's default when run as root/Administrator
  • -sX = Xmas tree scan (FIN, PSH and URG flags set)
  • -sV = service and version detection
  • -O = OS detection
  • -A = aggressive: turns on OS detection, version detection, script scanning and traceroute together
  • -sP = ping scan: report whether hosts are online or not instead of port states (spelled -sn in current Nmap)
  • -sO = IP protocol scan; protocol numbers: 1 = ICMP, 2 = IGMP, 6 = TCP, 17 (0x11) = UDP

 

LAB 4 : INFORMATION GATHERING

  • Use nmap to learn the open ports and the application/service behind each.
    • Once you know which ports are open and which application serves each port, look up vulnerabilities for that application.
    • Nmap can also tell you which OS is in use, so you can check whether that OS (if not updated) has known vulnerabilities and exploit those holes.
  • Use tracert or traceroute to find out whether the targeted host is in the same network as us, by analysing the route from our PC to the targeted host.
    • Usually, if the targeted host is in the same network, it is one hop away (no intermediate router appears in the trace); hosts in other networks show our own router as the first hop.
    • Once you know it is in the same network, you can carry out LAN attacks etc.
    • tracert google.com
    • traceroute -I google.com (use ICMP echo probes rather than UDP)
  • Use ping to resolve a domain name to an IP.
    • ping can also be used to check which hosts in a block of IPs are online. Use a ping sweep (nmap has one too) to check ranges of IPs.
    • ping -t google.com (-t keeps pinging indefinitely rather than sending the default 4 echo requests)
  • Use nslookup to get all IPs for a domain name.
    • For each domain name you can check which IPs (sometimes more than one) are associated with it.
    • nslookup google.com (will reveal that google.com actually has many IPs).
    • Once you know the IP, go to arin-whois.net to find out its range.
  • Arin-whois.net: use this service to find the IP range for each domain name (google, yahoo). Once you know the IP range, use a ping sweep to check which hosts are online. If one IP is online 24/7, you know it is a server of that organization.
  • Hacker wannabes, please add more 😄

     

 

LAB 5 : PACKET CAPTURE

Command and result

windump -D
    Lists the NICs (network interfaces) on our PC. If there are two, pick the active one. In this case the device list had only one entry.

windump -i <n>
    Selects which interface to capture on. Say we have two NICs, 1 and 2; this option picks which one to use. To capture on the second NIC: windump -i 2

windump -c <n>
    Stop after capturing n packets. Usage: windump -c 20 displays only 20 packets.

windump -x
    Prints each packet's headers and data in hex (without the link-level header).

windump tcp
    Display only TCP packets

windump udp
    Display only UDP packets

windump icmp
    Display only ICMP packets

windump -c 10 -x tcp
    Display the first 10 TCP packets it sees, in hex.

windump -i 2 -c 10 -x tcp
    Display the first 10 TCP packets it sees on NIC number 2, in hex.

windump -X
    Same as -x but with an ASCII column alongside the hex.

windump -xx
    Same as -x but also includes the link-level (Ethernet) header in the dump.
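The `tcp`, `udp` and `icmp` filter keywords above select packets by the protocol number in the IPv4 header (6, 17 and 1, the same numbers Lab 3's -sO uses), and -x/-X print the raw bytes those decisions are made from. As an added example (not from the lab notes, and not windump's code), this Python script builds three constructed frames (a TCP SYN, a DNS query over UDP, an ICMP echo request; MAC addresses made up), then decodes the Ethernet, IPv4 and transport headers, verifies the IPv4 header checksum, filters by protocol keyword, and prints a hex+ASCII dump in the style of -X. Everything is standard library (`struct`, `socket`) and runs offline.

```python
import socket
import struct

PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}  # IP protocol numbers
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")    # IPv4 header without options
TCP_HDR = struct.Struct("!HHLLBBHHH")      # TCP header without options
UDP_HDR = struct.Struct("!HHHH")           # sport, dport, length, checksum
ICMP_HDR = struct.Struct("!BBHHH")         # type, code, checksum, id, seq


def inet_checksum(data):
    """RFC 1071 ones-complement checksum as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_ip, dst_ip, proto, transport):
    """Constructed sample: Ethernet II + IPv4 + transport bytes, with a valid
    IPv4 header checksum. The MAC addresses are invented."""
    eth = ETH_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    fields = [0x45, 0, 20 + len(transport), 1, 0x4000, 64, proto, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = inet_checksum(IP_HDR.pack(*fields))   # checksum over zeroed field
    return eth + IP_HDR.pack(*fields) + transport


def parse_frame(frame):
    """Decode what windump prints for an IPv4 frame: addresses, protocol
    name, ports or ICMP type, TCP flags. Non-IPv4 frames report EtherType only."""
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return {"ethertype": hex(ethertype)}
    ihl = (frame[14] & 0x0F) * 4                        # header length in bytes
    ip_hdr = frame[14:14 + ihl]
    _vihl, _tos, tlen, _ident, _ff, ttl, proto, _csum, sip, dip = IP_HDR.unpack_from(ip_hdr, 0)
    pkt = {
        "src": socket.inet_ntoa(sip), "dst": socket.inet_ntoa(dip),
        "proto": PROTO_NAMES.get(proto, str(proto)), "ttl": ttl,
        "ip_checksum_ok": inet_checksum(ip_hdr) == 0,   # a valid header sums to 0
    }
    body = frame[14 + ihl:14 + tlen]
    if proto == 6:
        sport, dport, _seq, _ack, _off, flags, _win, _tcsum, _urg = TCP_HDR.unpack_from(body, 0)
        names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
        pkt.update(sport=sport, dport=dport,
                   flags=[n for i, n in enumerate(names) if flags >> i & 1])
    elif proto == 17:
        sport, dport, ulen, _ucsum = UDP_HDR.unpack_from(body, 0)
        pkt.update(sport=sport, dport=dport, udp_len=ulen)
    elif proto == 1:
        itype, code, _icsum, _ident, _seq = ICMP_HDR.unpack_from(body, 0)
        pkt.update(icmp_type=itype, icmp_code=code)
    return pkt


def filter_frames(frames, expr):
    """Keep only frames whose protocol matches the keyword ('tcp', 'udp',
    'icmp'), which is what `windump tcp` does."""
    return [p for p in map(parse_frame, frames) if p.get("proto") == expr]


def hexdump(frame, width=16):
    """Hex + ASCII view of a frame, in the spirit of windump -X."""
    lines = []
    for off in range(0, len(frame), width):
        chunk = frame[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}: {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


# Constructed capture: TCP SYN to port 80, DNS query over UDP, ICMP echo request.
SAMPLE_FRAMES = [
    build_frame("10.0.0.9", "10.0.0.1", 6, TCP_HDR.pack(40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)),
    build_frame("10.0.0.9", "10.0.0.1", 17, UDP_HDR.pack(53000, 53, 8, 0)),
    build_frame("10.0.0.9", "10.0.0.1", 1, ICMP_HDR.pack(8, 0, 0, 1, 1)),
]

if __name__ == "__main__":
    for pkt in filter_frames(SAMPLE_FRAMES, "tcp"):
        print(pkt)
    print(hexdump(SAMPLE_FRAMES[0]))
```

Because the parser trusts the IHL and total-length fields from the packet itself, a real capture tool has to bound those against the bytes actually captured (the snaplen); the checksum check shows one cheap sanity test a capture tool can apply before decoding further.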

 

 

Lab 4: Info Gathering

use nMap to know port and application/service

use tracert to know the route

use ping to resolve a domain name to an IP

use nslookup to get all IPs for that domain name

 

Lab 5: Packet capture using windump/tcpdump

what is the command to:

run tcpdump/windump

capture TCP, UDP and ICMP packets with their content and filter them by the appropriate category

select an interface

list the interfaces

 

Credit:

Nazzyhan, Wawa, Beruk, Admin…

    • berok
    • February 21st, 2010

    PORT STATES
    open -An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port

    closed -A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.

    filtered -Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port

    nmap comma

    • wawa-chan
    • March 11th, 2010

    I've sent LAB 6 & 7 to your mail, ok arham-san ^^

    • expertester
    • March 11th, 2010

    Already updated. Thanks wawa.
