madlinux.com

CNDC Week2 - Weekend Review
  If your scripting skills are a bit rusty, complete the CMD Shell Scripting Primer Lab
01/31/2020 COMPUTER NETWORK DEFENSE COURSE

CNDC Week2 - Data Correlation, Data Mining and Anomaly Identification

Data Correlation - Discussion
  Establishing configuration baselines
  Running services/tasks
  Startup/Autorun Locations
  Host log monitoring
    EVT Logs
    IIS Logs
  File Integrity Checking (MD5/SHA1)
  NTFS Auditing

Data Correlation - Discussion
  1. Explain in your own words what Data Correlation is.
    Relating extranet and internet events
    Linking host and network log events
    E.g.: unusually high traffic volumes identified in MRTG/Netflow logs during the same time period that large volumes of 400/500 status codes are recorded in the web server's log file

Tasklist Anomaly Scan - Discussion
  Tasklist /?
    /S system     Specifies the remote system to connect to.
    /M [module]   Lists all tasks that have DLL modules loaded in them that match the given pattern name. If the module name is not specified, displays all modules loaded by each task.
    /SVC          Displays services in each process.
    /V            Specifies that the verbose information is to be displayed.
    /FI filter    Displays a set of tasks that match a given criteria specified by the filter.
    /FO format    Specifies the output format. Valid values: "TABLE", "LIST", "CSV".
    /NH           Specifies that the "Column Header" should not be displayed in the output. Valid only for "TABLE" and "CSV" formats.

Tasklist Anomaly Scan - Lab Tasks
  Install Task Anomaly Scanner
  Insert Anomaly Condition
  Scan and Detect Task Anomaly
  BEGIN LAB NOW

Tasklist Anomaly Scan - Lab
  2. Which of the following integrated cmd shell utilities would be most helpful in identifying the existence of several specific character strings in a file on an XP/Vista/7/2K3/2K8 system?
    Findstr
    Egrep
    Find
    Ngrep

Tasklist Anomaly Scan - Lab
  3. Which of the following integrated cmd shell utilities would remotely retrieve a list of running processes from an XP/Vista/7/2K3/2K8 system?
    Showtask
    Tasklist
    Taskscan
    Taskshow

Tasklist Anomaly Scan - Lab Summary
  Build baseline task list (for /F loop with tasklist.exe)
    Note: Many Win32/64 cmd shell utilities support connections to remote systems
  Filter duplicate entries from baseline task list (find-dupl.vbs)
  Identify baseline deviation (findstr /V)

Detect Startup Anomalies with REG and FC Overview
  REG
    REG QUERY /?
    REG ADD /?
    REG DELETE /?
    REG COPY /?
    REG SAVE /?
    REG RESTORE /?
    REG LOAD /?
    REG UNLOAD /?
    REG COMPARE /?
    REG EXPORT /?
    REG IMPORT /?
  FC
    /A      First/Last Lines
    /B      Binary Comparison
    /C      Disregards the Case
    /L      Compares files as ASCII text
    /LBn    MAX Consecutive mismatches
    /N      Display Line Numbers
    /T      Do Not Expand TAB to SPACEs
    /U      Compare as UNICODE
    /W      Compresses White Space
    /nnnn   Number of Consecutive Lines after a mismatch

Detect Startup Anomalies with REG and FC Demo Lab Tasks
  Install Detect Startup Anomalies Script
  Reboot and create a current snapshot
  Make the current snapshot the new baseline
  Insert anomaly condition
  Reboot and detect anomaly conditions

Detect Startup Anomalies with REG and FC Demo Lab
  4. Which of the following integrated Win32 cmd shell utilities would be helpful in identifying the contents of a registry key on an XP/2K3 system?
    REG
    Regedt32
    Regedit
    Keyread

Detect Startup Anomalies with REG and FC Demo Lab
  5. Which of the following integrated cmd shell utilities would be used to compare two files to determine if there are any changes in one of the files on an XP/Vista/7/2K3/2K8 system?
    Compare
    FC
    Comparefile
    DIFF

Autorunsc/Autoruns Discussion
  Where to download
  Baselining
  Image deployment
  Troubleshooting

Autorunsc Detect Startup Anomalies - Lab Tasks
  Install Startup Anomaly Detection Script
  Analyze Autoruns Utility
  Create Startup Anomaly Condition and Detect Anomaly
  BEGIN LAB NOW

Autorunsc Detect Startup Anomalies - Lab Summary
  What time is the script scheduled to run? Why is this an ideal time?
  What startup anomaly did you detect?

Autorunsc Detect Startup Anomalies - Lab
  6. What would happen to the hash if someone modified a .bat or a .cmd script that was configured to run with the task scheduler? Would the script still run?
    Hash would change
    YES
    Note: Very important to set restrictive NTFS perms on all scripts

Autorunsc Detect Startup Anomalies - Lab
  7. List some of the registry keys that are typically audited in most startup/autorun enumeration utilities.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\SYSTEM\CurrentControlSet\Services

LogParser - Discussion
  Microsoft Download
  SQL
  Input: XML, CSV, EVT, W3C etc.
  Output: Text, Table, SQL, SYSLOG, Chart etc.

LogParser Authentication Auditing - Lab
  8. In reference to security log management, list the nine common data sources (per NIST)
    Antimalware Software
    IDS/IPS Systems
    Remote Access Software
    Web Proxies
    Vulnerability Management Software
    Authentication Servers
    Routers
    Firewalls
    Network Quarantine Servers

Data Correlation and Anomaly Detection - Worksheet
  9. Explain in brief the difference between a basic search string and a regular expression.
    Basic Search String
      Dir win*.exe
      Type file.log | find error
    Regular Expression
      \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b
      ^4[0-9]{12}(?:[0-9]{3})?$

LogParser Authentication Auditing - Lab Tasks
  Deploy LogParser Script
  Verify Auditing Configuration
  Execute Attack Script
  Execute Logon Anomaly Audit Script
  BEGIN LAB NOW

LogParser Authentication Auditing - Lab
  10. Which of the following Microsoft utilities would be helpful in identifying a list of users, via a SQL query, who have more than 15 failed logon attempts on an XP/2K3 system?
    EventCombMT
    Dumpel
    MSSQL
    LogParser

LogParser Authentication Auditing - Lab Summary
  How does the logparser utility work?
  Extras
    Search by Minute/Day/Year
    Created/Modified Files
    IIS Log Files
    Registry

IIS Web Log - Discussion
  Location: \Windows\system32\logfiles
    W3SVC
    HTTPERR

Web Anomaly Detection - Worksheet
  11. Provide an example (and brief description) of each IIS 6.0 W3C standard log header listed below:
    s-ip            server IP address and port
    cs-method       client to server method (HEAD, GET, POST)
    cs-uri-stem     client to server URI absolute stem (site.com/list.pl?acct=344)
    cs-uri-query    client to server URI query, after stem (site.com/list.pl?acct=344)
    s-port          server port number
    cs-username     client to server username (will be - if anonymous)
    c-ip            client IP address
    cs(User-Agent)  client to server application (iexplore, firefox)
    sc-status       server to client status (200 ok, 400 client error, 500 server error)

IIS Web Log Scanner - Lab Tasks
  Deploy IIS Web Log Scanner
  Deploy HTTPERR Monitor
  BEGIN LAB NOW

IIS Web Log Scanner - Lab
  12. Explain how a reverse shell might be used by a criminal hacker.
    [Diagram] 1. Buffer Overflow sent to the web server over TCP 80; 2. Callback from the server to the attacker's system listening on TCP 443 ("going out to an https website, OK"); the listener receives a cmd shell (Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\>)
    Bind CMD to port and callback

IIS Web Log Scanner - Lab
  13. What is Unicode and how might an attacker utilize it in an exploit?
    Character encoding standard(s) created to support (many) world languages
    Some systems perform security checks before data is passed to the decode routine. Unicode can be used to bypass these checks.

IIS Web Log Scanner - Lab
  14. What are some values we could look for in the anomaly log to help us determine whether or not the suspected attack was successful?
    Ref: http://www.ietf.org/rfc/rfc2616.txt
    Status Code   Description
    2xx           Successful
    3xx           Redirection
    4xx           Client Error
    5xx           Server Error
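Added example (my code, not the course's own scanner script): a parser for the IIS 6.0 W3C log fields listed in question 11 that applies the status-code classes from question 14, the encoded-traversal idea from question 13, and an oversize-query check from the long URI demo. The sample log, the 10.10.x.x addresses and the 4094-byte query threshold are constructed assumptions.

```python
"""IIS 6.0 W3C extended log parser with anomaly flags (worksheet Q11/Q13/Q14).

Added example, not part of the course materials. The log below is
constructed; the field list matches the headers on the worksheet and the
status classes follow the RFC 2616 table. The query-length threshold is an
assumption taken from the 4094/4095-byte values in the long-URI demo.
"""
from urllib.parse import unquote

# Constructed sample: IIS directives, a #Fields header, then four requests.
LONG_QUERY = "q=" + "A" * 4100          # oversize query string, constructed
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Date: 2020-01-31 12:00:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status",
    "2020-01-31 12:00:01 10.10.0.5 GET /list.pl acct=344 80 - 10.10.0.22 "
    "Mozilla/5.0+(Windows) 200",
    "2020-01-31 12:00:02 10.10.0.5 GET /scripts/%2e%2e%2f%2e%2e%2fwinnt/win.ini "
    "- 80 - 10.10.0.99 Mozilla/4.0 200",
    "2020-01-31 12:00:03 10.10.0.5 GET /list.pl acct=344 80 - 10.10.0.99 "
    "Mozilla/4.0 500",
    "2020-01-31 12:00:04 10.10.0.5 GET /search.asp " + LONG_QUERY +
    " 80 - 10.10.0.99 Mozilla/4.0 200",
])

STATUS_CLASSES = {"2": "Successful", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}


def classify_status(code):
    """Map an sc-status value to its RFC 2616 class (the worksheet's table)."""
    return STATUS_CLASSES.get(str(code)[:1], "Unknown")


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in #Fields.

    W3C conventions handled: '-' means empty, '+' stands for a space inside
    a field (seen in cs(User-Agent)), and directive lines start with '#'.
    """
    fields, records = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: request line before #Fields")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        rec = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
        if rec.get("cs(User-Agent)"):
            rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        rec["_line"] = lineno
        records.append(rec)
    return records


def find_anomalies(records, max_query_len=4094):
    """Return [(log line, [reasons])] for requests worth a second look."""
    findings = []
    for rec in records:
        reasons = []
        stem = rec.get("cs-uri-stem") or ""
        query = rec.get("cs-uri-query") or ""
        # Decode twice so double-encoded sequences are also caught: checks made
        # before decoding are exactly what encoded traversal slips past (Q13).
        decoded = unquote(unquote(stem + "?" + query))
        if ".." in decoded or "\\" in decoded:
            reasons.append("directory traversal sequence after decoding")
        elif unquote(stem) != stem:
            reasons.append("percent-encoded characters in URI stem")
        if len(query) > max_query_len:
            reasons.append(f"query string of {len(query)} bytes exceeds {max_query_len}")
        cls = classify_status(rec.get("sc-status"))
        if cls == "Server Error":
            reasons.append("5xx: the server failed while handling this request")
        elif reasons and cls == "Successful":
            reasons.append("2xx: suspicious request was served, likely successful")
        if reasons:
            findings.append((rec["_line"], reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in find_anomalies(parse_w3c(SAMPLE_LOG)):
        print(f"line {line}: " + "; ".join(reasons))
```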

IIS Web Log Scanner - Lab
  15. What type of attack(s) may cause no information to be recorded in the IIS logs? Why?
    Buffer overflow, brutal attack. Logging mechanism fails to perform duties.
    Modification of the W3C/HTTPERR logfile itself

IIS Web Log Scanner - Lab
  16. Are there other utilities we can run against our Weblog/FTPlog/SMTPlog files to look for anomalies? Why is log archiving and storage so important?
    LogParser, AwStats, Analog, Findstr, Egrep etc.
    Historical analysis. A newly discovered attack may have been in play for months before exposure.

IIS Web Log Scanner - Lab
  17. What is the default folder location of the 2K3 server's IIS 6.0 web log file?
    \windows\system32\logfiles\W3SVC#
  18. What is the default 2K3 IIS 6.0 HTTP Error Log location?
    \windows\system32\logfiles\HTTPERR

Nikto Scan - Demo Lab
  Boot into CNDC LiveCD
  Launch Nikto console
    perl nikto.pl -update
    perl nikto.pl -h 10.10.x.x (partner's IP)
  Run IIS Web Log Scanner
  Run HTTPERR Monitor
  Review patterns in the log files

Long URI Query String - Demo Lab
  Transmit 4094 byte query
  Transmit 4095 byte query
  Examine W3C log file
  Discussion
    IIS Metabase
    Application Firewalls, Controlling Queries

Long URI Query String - Demo Lab
  19. Explain how a 500,000 byte URI query string, sent to a Windows 2003 web server running IIS 6.0, would be logged.

Web Leeching Demo Lab Discussion
  Extracting web resources by guessing exact name
  Webbits (web-rabbits)
  Google Hacking
  Deploy website with backend database
  Extract (leech) database from web server
  Configure IIS security settings to prevent leeching

Web Leeching Demo Lab
  20. Explain the concept of Web leeching (snarfing, as it applies to this demonstration) and an example of how to prevent it.
    Querying web servers for a resource that is not advertised. Properly set security permissions prevent this activity.

Web Leeching Demo Lab
  21. How might Google Hacking be used to access private web cams and view database transaction logs?
    Google will enumerate and store data from sites it crawls/spiders. If a device is exposed to the internet, any identified link may be followed.

URLScan 3.1 Demo Lab
  \\research\class\week2\research-resources\URLScan-3.1-x86
  \windows\system32\inetsrv\urlscan
    Logs
    UrlScan.ini

Windows File Auditing - Lab
  22. Is there any benefit to auditing file and folder access if no one takes the time to perform regular audits of the audit data?
    Although it is advisable to perform audits at regular intervals, some is better than none. Also, the data could be valuable for historic analysis.

Windows File Auditing - Lab Tasks
  Enable & Configure Local Audit Policy
  Create Folder and User Accounts
  Configure File/Folder Auditing, Share, and NTFS Permissions
  Connect to Share, Generate Audit Events, and Analyze Audit Events
  BEGIN LAB NOW

Windows File Auditing - Lab
  23. Identify what user created/deleted the file in the C:\Important folder. Provide a brief log explanation to support this answer.
    READ, Create (instance type)
    DELETE (with read function)

Windows File Auditing - Lab
  24. Is it common for administrators to audit ALL file and folder object access (success and failure) on a Windows 2K3/2K8 production system?
    No, not common. More likely only in a development/staging area environment, or perhaps a honeypot/honeynet setup. Excessive auditing can cause performance issues, and in a large enterprise, large log files will develop.

Host Change Detection & File Hashing - Discussion
  File Change Detection (MD5/SHA1/SHA2)
    Tripwire, LogParser, FCIV, (Perl/Tcl/Python etc. scripts)
  Does renaming a file change the hash?
  https://patches.csd.disa.mil/ MD5 Known Bad Hashes (download .xls file)
  Current Host Based Initiative HBSS (https://powhatan.iiie.disa.mil/tools/hbss/training)

Microsoft File Checksum Integrity Verifier - Lab Tasks
  Install FCIV & Generate Baseline
  Insert Anomaly Into Executable File
  Scan for and Identify Anomalies
  BEGIN LAB NOW

Microsoft File Checksum Integrity Verifier - Lab
  How to specify additional file extensions:
    type *.dll
    type *.aspx
    type *.vbs
    type *.com
  25. List a pro and a con to using tools like FCIV vs. using Integrated NTFS Auditing
    FCIV: Quick, Easy Read, Rapid Response
    NTFS Auditing: log file enumeration can be cumbersome without automated utilities

Dumplog2 Eventlog Collector - Lab
  26. Provide a simple diagram of a Push and a Pull logging solution.
    Example: Push Logging Solution
      [Diagram] Clients send their Events to the Log Collector (Syslog, Port 514)

Dumplog2 Eventlog Collector - Lab
  26. Provide a simple diagram of a Push and a Pull logging solution.
    Example: Pull Logging Solution
      [Diagram] Log Collector (Retriever) actively polls clients for new logs ("Any new events?"); clients answer Yes and return their Events

Dumplog2 Eventlog Collector - Lab Tasks
  Install Dumplog2
  Configure Dumplog2
  Test and Verify Operation
  BEGIN LAB NOW

Dumplog2 Eventlog Collector - Lab
  27. What is the primary benefit of collecting and importing your daily log files into one central location?
    Ease of Data Mining. Ideally, import into database and run regular audit reports.
  28. Should the network/systems administrator(s) have exclusive access to all audit/log facilities? How might separation of duties blend into this discussion?
    SA/NMs need access to log files to perform daily duties. If possible, they should not be allowed to clear logfiles. Maintain a secondary logging/storage location.

Dumplog2 Eventlog Collector - Discussion
  2008 event forwarding
  Kiwi syslog monitor (now SolarWinds)
  Swatch
  Tripwire
  Quest Software (InTrust)

Eventtriggers Discussion
  Eventtriggers
    EVENTTRIGGERS /Create /?
    EVENTTRIGGERS /Delete /?
    EVENTTRIGGERS /Query /?
  Monitor NT Eventlog for specific event
  Active response for triggered event

Eventtriggers Demo Lab Tasks
  Install WFP Eventtrigger
  Delete protected file
  Review eventlog for trigger and check email

Port Reporter - Discussion
  Netstat
  Listdlls
  Tcpvcon
  Fport

Port Reporter - Lab Tasks
  Install Port Reporter & PR-Parser
  Generate Traffic & Review Port Reporter Logs
  BEGIN LAB NOW

Port Reporter - Summary
  Auto log rotation at midnight
  Runs as an NT service
  Identifies account under which outbound connection was initiated
  Reasonable resource/log footprint, ok to run 24/7
  CSV delimited log file
  Monitor log files, can grow large if left unattended
    Use forfiles to delete files over xx days old
  StudentCD contains sample script in: studentCD\Week2\Auto-Install\PortRPTR

Cisco Incident Identification & Response Discussion
  Many metro switching & routing devices allow access from dozens of engineers
    Figure out one user/pass scheme and score on the whole netblock
  Cisco and JunOS are based on the BSD code train and may be susceptible to exploits for this platform
  Famous Cisco Bug ID CSCdt93862 (HTTP exec)
  Cisco Casum 2GB Buffer Overflow
  Mike Lynn heap overflow in IPv6 Stack (2005)
    Restraining order prevents Mike from speaking about exploit. Was also fired.

Cisco Incident Identification & Response Demo Lab Tasks
  Create and configure FTP Target
  Build Incident Response Commands
  Capture HyperTerminal Session
  Execute Commands and Analyze Output
  BEGIN LAB NOW

Frame/Packet Filters - Discussion
  BPF Syntax
    Snort
    WinDump
    Tcpdump
    Wireshark
    Network Monitor
  Building an Anomaly Sensor
    Ignore everything Normal
    Detect out-of-band covert channels

WinDump Packet Analysis - Lab Summary (www.tcpdump.org)
  WinDump/Tcpdump (similar syntax)
    -n (do not resolve DNS names)
    -c (capture the next # packets)
    -w (write packet capture to Pcap file)
    -r (read in Pcap file)
    -X (dump payload data)
    -s0 (increase capture window to entire snaplength)
  Berkeley Packet Filters

WinDump Packet Analysis - Lab Tasks
  Install WinDump & WinPcap
  Identify Network Device to Monitor
  Initialize Packet Dump for # of Packets
  Preserve and Record Packet Dump
  Build a BPF Anomaly Detection Filter
  Build a Custom BPF to Detect Broadcasts
  BEGIN LAB NOW

Header & Payload Anomaly Identification - Lab
  29. Anomalous TCP Headers: List at least two anomalies

Header & Payload Anomaly Identification - Lab
  30. ICMP Traffic 1 (Anomaly): List two anomalies

Header & Payload Anomaly Identification - Lab
  31. ICMP Traffic 2 (Identification): What operating system was this ICMP echo request likely sent from?
    Windows Operating System (user initiated)

32. Reading WinDump Output - Lab
  [Figure: WinDump output with fields labelled A through K to be identified]

Promiscuous Mode & RF Monitor Mode - Discussion
  Wired (Promiscuous Mode)
    Pass all received network traffic to the kernel
  Wireless (Promiscuous Mode)
    Pass all received network traffic from locked-on channel XX to the kernel
  Wireless (RF Monitor Mode)
    Channel hop and pass received network traffic to the kernel

MS Promiscuous Mode Query - Lab Tasks
  Install PromQry
  Scan for and Detect System(s) in Promiscuous Mode
  BEGIN LAB NOW

MS Promiscuous Mode Query - Lab
  33. Explain what putting a network interface into Promiscuous Mode means.
    Pass all received network traffic to the kernel

Ethernet Security - Discussion
  Physical Security
    If not in use, unplug it
  802.1x
    Video
    Maintain redundant RADIUS/Kerberos devices
  Port Security
    switchport port-security (mac-address sticky)

Ethernet Security - Discussion
  DHCP Spoofing
    ip dhcp snooping
    Watches DHCP discover and offer, records it in a binding table
    IP Helper address by default is the only port that can send offers
    Rogue DHCP servers will be placed into an err-disable state if they try to transmit a DHCP offer
  ARP Spoofing
    ip arp inspection
    Untrusted ports, only 15 ARP Packets Per Second (PPS)
    ARP Replies that do not match the binding table are dropped

WiFi Exploitation Demo Lab Tasks
  Install and Configure WiFi AP in WEP Mode
  Install and Configure WiFi AP in WPA Mode
  Install and Configure Proxim USB WiFi Client using WEP
  Install and Configure Proxim USB WiFi Client using WPA
  Install and Configure AirPcap Ex/Nx Injection Adapter
  Install and Configure Wireless Injection Tool (CAIN)
  Install and Configure AirPcap Classic Adapter
  Install AirCrack-ng
  Disassociate WEP Client, Inject Traffic and Perform WEP Crack
  Disassociate WPA Client, Capture Re-Authentication Frames, Execute Dictionary Crack

WiFi Exploitation Demo Lab Summary
  RF Monitor Mode
  WEP: Not an option
  WPA: What if I use a complex password?
    tkiptun-ng
  802.11i & 802.1x (Crypto & Access Control)
  Transmission Control, SSID Concealment & MAC Restrictions
  Flying Squirrel
  Aruba & Cisco (Built-In Rogue AP Detection)

NTOP Discussion
  www.ntop.org
  www.flukenetworks.com
  www.netscout.com
  Calix & Xangati
  Etherape

NTOP Demo Lab Tasks
  Boot from CNDC LiveCD
  Boot Cisco Routers
  Start NTOP
  Configure Netflow on Cisco Routers
  Configure Netflow on NTOP sensors
  View netflow data
  Discuss/Demo MRTG
  Begin Lab Now

NTOP Demo Lab - Netflow Cisco Router Config
  config t
  interface FastEthernet 0/0
  ip route-cache flow
  exit
  ip flow-export destination 10.10.x.x 9996
  ip flow-export source FastEthernet 0/0
  ip flow-export version 5
  ip flow-cache timeout active 1
  ip flow-cache timeout inactive 15
  show ip flow export
  show ip cache flow

NTOP Demo Lab - Netflow NTOP Config
  Plugins > Netflow > Activate Netflow
  Add Netflow Device
  Local Collector Port: 9996, Click Set Port
  Virtual Netflow Interface Network Address: 10.10.1x.0/255.255.255.0, Click Set Interface Address
  Navigate to: Plugins > Netflow > Statistics

NTOP Demo Lab
  34. Regarding network traffic anomaly detection (as shown in the NTOP Lab), list some network, transport, or application protocols which might be categorized as abnormal traffic.
    Appletalk, DC++, Telnet, IPv6

NTOP Demo Lab
  35. What is a Bogon Route? Regarding bogon network ranges, are there additional network ranges we should be aware of?
    Ref: http://www.iana.org/assignments/ipv4-address-space, www.cymru.com/Documents/bogon-dd.html, ip.ludost.net
    Non routable, typically used in Denial of Service and spoofing

NTOP Demo Lab
  36. Reference www.iana.org/numbers and ws.arin.net/whois. If I were being attacked by an IP Address from the 88-block, I could perform a WHOIS query on the IP to discover the netblock owner. What Regional Internet Registry (RIR) does the 88-block belong to?
    RIPE

NTOP Demo Lab
  37. Navigate to www.onion-router.net and review the literature on Onion Routing (Tor Generation). Who is responsible for Onion Routing development? What vulnerability does onion routing introduce (how can criminals utilize this technology)?
    Naval Research Lab.
    Covert channel crypto tunnels.

NTOP Demo Lab
  38. Can a system transmit payload data to a listening TCP socket without first establishing a TCP Three-Way handshake?
    No, TCP does not allow payload data transfer until a session is successfully established.

NTOP Demo Lab
  39. List some abnormal control bit (tcp flag) combinations.
    SYN FIN SYN ACK URG RST FIN PSH SYN RST

Syslog UDP Spoofing Demo Lab Tasks
  Load and configure 3Com syslog server
  Load RafaelX Packet Generator
  Inject syslog message using native IP address
  Inject syslog message using spoofed IP address

Syslog UDP Spoofing Demo Lab
  40. Why is UDP categorized as a connectionless protocol?
    No handshake, does not maintain session state via sequence numbers

Syslog UDP Spoofing Demo Lab
  41. Provide an answer to support the following statement: I can send spoofed syslog packets (successfully) to a standard syslog server
    Yes, many default syslog implementations use traditional UDP port 514.

Syslog UDP Spoofing - Discussion
  Use Crypto (IPSEC)
    \\research\class\week2\researchresources\IPSEC - QuickConfig
  TCP Option Available?
  Administrative VLAN

ICMP Covert Channel Demo Lab
  Configure windump to listen with ICMP filter
    windump -i 2 -n -X -s0 icmp
  Open Rafael and insert custom payload into ICMP echo request packet
  Capture ICMP packet and view payload
  Ping neighbor and view normal ICMP echo request from a Windows system

ICMP Covert Channel Demo Lab
  42. In what popular way did criminal hackers exploit the ICMP protocol back in the 90s?
    Denial of Service, Ping of Death, Evil Ping

ICMP Covert Channel Demo Lab
  43. How might ICMP be used as a covert data channel?
    Keylogger, chat program, data dump (dd over icmp), reference: Loki, Hping

FTP Exploitation - Lab
  Passive FTP Overview
    44. In passive FTP, the data channel connection is initiated by:
      The Client
  Active FTP Overview
    45. In active FTP, the data channel connection is initiated by:
      The Server

FTP Exploitation - Lab
  FTP Dropbox
    pub, public, upload, dropbox, users/jack
    http://www.socialsecurity.gov/OACT/babynames
  FTP Server Side Transfer
  Tasks
    Execute FTP Bounce
    SPAM Activity
    BEGIN LAB NOW

FTP Exploitation - Lab
  46. What are some anomalies that network intrusion detection systems might look for to detect this type of activity?
    Incorrect Port Command
  47. What IP and port would the FTP server connect to after the following command was issued to it? PORT 10,10,0,2,4,87
    10.10.0.2:1111
  48. Using the PORT command on an FTP server to connect to a destination machine and port other than that of the initial host control connection is referred to as a:
    FTP Bounce Attack
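An added example, not the lab's own script, that decodes the PORT command from question 47 and applies the "incorrect PORT command" check from question 46 against a constructed control-channel session (the client address 10.10.0.7 and the command lines are assumptions).

```python
"""Decode FTP PORT commands and flag bounce attempts (worksheet Q46 to Q48).

Added example, not part of the lab. The control-channel command lines below
are constructed; 10.10.0.7 is an assumed client address.
"""
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def parse_port(command):
    """Return (ip, port) for 'PORT h1,h2,h3,h4,p1,p2'; port = p1*256 + p2 (RFC 959)."""
    m = PORT_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a well-formed PORT command: {command!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"PORT byte out of range: {command!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port(command, control_peer_ip):
    """Decode one PORT command and list the anomalies a NIDS would raise.

    The key check is the one on the worksheet: the data address must be the
    address the control connection came from, otherwise the server is being
    asked to connect to a third host (FTP bounce).
    """
    ip, port = parse_port(command)
    anomalies = []
    if ip != control_peer_ip:
        anomalies.append(f"data address {ip} differs from control peer {control_peer_ip} (FTP bounce)")
    if port < 1024:
        anomalies.append(f"data port {port} is a well-known service port")
    return {"target": (ip, port), "anomalies": anomalies}


# Constructed control-channel session from an assumed client at 10.10.0.7.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@",
    "PORT 10,10,0,7,4,88",      # 10.10.0.7:1112, matches the control peer
    "LIST",
    "PORT 10,10,0,2,4,87",      # the worksheet's example: 10.10.0.2:1111
    "RETR message.txt",
    "PORT 10,10,0,2,0,25",      # third host, port 25: bounce toward SMTP
    "PORT 10,10,0,2,999,1",     # malformed: byte value above 255
]


def scan_session(commands, control_peer_ip):
    """Walk a command list; return one finding per PORT that is malformed or anomalous."""
    findings = []
    for index, cmd in enumerate(commands):
        if not cmd.upper().startswith("PORT"):
            continue
        try:
            result = check_port(cmd, control_peer_ip)
        except ValueError as err:
            findings.append({"index": index, "command": cmd, "target": None,
                             "anomalies": [str(err)]})
            continue
        if result["anomalies"]:
            findings.append({"index": index, "command": cmd, **result})
    return findings


if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION, "10.10.0.7"):
        print(f"{f['index']}: {f['command']} -> {f['target']}: " + "; ".join(f["anomalies"]))
```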

Honeypot Decoy - Discussion
  Decoy System
    Banner Decoys
  Full Deception System
    Emulation
  Actual System
    Full audit/payload log
  Anomaly Redirector
  Padded Cell

Decoy in C - Lab Tasks
  Deploy Decoy
  Trigger Decoy Utility
  BEGIN LAB NOW

Decoy in C - Lab Summary
  Specialized activity (coordinate with CI)
  Why is it important to monitor your honeypot system closely?
  Honeyd, Jackpot, Tiny Honeypot
  Tarpitting
    LaBrea

Decoy in C - Lab
  49. Regarding Honeypots, explain the difference between a Full System and a Deception System. Are there any legal issues to be concerned with in the development, deployment, and use of a Honeypot?
    Full System: As close to the real thing as possible.
    Deception System: Decoy/Banner-Slinger
    A honeypot does not exclude you from responsibility if abused and used for unlawful activities.

SPAM/SMTP - Discussion
  CAN SPAM Act
  Spamhaus
  SenderID, Sender Policy Framework, Sender IP Reputation
  Proxy Hunting (YAPH)
  CGI-BIN Abuse (Form Injection)
  Botnets
    Worms
    Bot Herders
    IRC

Internet Mail Headers 50-55

Bogus SMTP Headers & Proxy SPAM - Lab Tasks
  Create SMTP Internet Mail Header Template
  Generate Mail Message and Insert Bogus Header
  Review Mail Message and Internet Mail Header
  Use Proxy to Relay SPAM
  Review Mail Message and Internet Mail Header

Bogus SMTP Headers & Proxy SPAM - Lab
  56. Explain what information contained in the Internet Mail header is considered reliable information
    The entry added by YOUR mail server
  57. What steps are being taken by the Army to prevent bogus source messages like this from plaguing the Army's mail systems?
    SPAM Filtering (SenderID, Sender Policy Framework, IP Reputation, Bayesian Analysis)
    Digital Signatures
    Restricted Relay (vs. Open and Closed Relay)

Bogus SMTP Headers & Proxy SPAM - Lab
  58. Assuming that the Internet Mail header is false, how would we go about tracking down the true IP address of the system that relayed the mail message?
    Follow the breadcrumbs
  59. Which of the following is NOT a common method spammers use to send unsolicited e-mail?
    a. Proxies
    b. CGI-BIN Exploits
    c. Hijacking SMTP Sessions
    d. Botnets

Web Injection and CGI-SPAM - Lab Tasks
  Analyze Current Web Feedback Form
  Inject Custom POST
  Review Mail Messages
  BEGIN LAB NOW

Web Injection and CGI-SPAM - Lab
  60. Explain how you were able to successfully abuse the Web feedback form (hint: Data Validation)
    The POST data was modified and injected with sbd.exe. There was NO server side validation to check the rcpt to value. Also, any client side validation could have been easily bypassed.
  61. Briefly explain what command injection is as it relates to web form fields.
    SELECT * FROM accounts WHERE name='Picard' AND password='' OR 'a'='a'

Web Injection and CGI-SPAM - Lab
  61. (cont.) Briefly explain what command injection is as it relates to web form fields.
    XSS
    Shell Injection
      Feed illegitimate arguments into URL query or POST data. May also use & to feed a secondary shell command

SNMP - Discussion
  Default TCP or UDP?
  SNMP v1 & 2(c)
    Community String based
    RO or RW
  SNMP v3
    AUTH (MD5 | SHA1)
    PRIV (DES | 3DES | AES)
  SNMPc

SNMP Exploitation - Lab Tasks
  Install Cain
  Configure RW SNMP String on Router
  Extract Startup-config, Modify, Upload New Startup-config
  Discuss Countermeasures
  BEGIN LAB NOW

SNMP Exploitation - Lab
  62. List modifications you could make to the router to prevent such an event from re-occurring
    Use IPSEC transport connections to management server
    Use non routable management VLAN or SNMPv3
  63. Security summary of each SNMP version
    SNMPv1: Cleartext Community Strings
    SNMPv2: Cleartext Community Strings
    SNMPv3: AUTH (MD5 | SHA1) & PRIV (DES | 3DES | AES)

RDP Security and TLS - Lab
  RDP Overview
    128-bit crypto
    Vulnerable to Man-In-The-Middle Attacks
  Tasks
    Baseline
    Cain Setup
    RDP Hijacking
    Configure RDP TLS

RDP Security and TLS - Lab
  64. RDP Hijacking can be avoided by configuring ____ on your terminal servers.
    TLS/SSL

Discussion: PKI Infrastructure Self-Signed Certs Default Vista/Server-2008+ 01/31/2020 COMPUTER NETWORK DEFENSE COURSE 110 DNS Poison with SSL Hijacking Demo Lab Tasks Deploy Google/Yahoo Decoy Web Install Cain

Use Cain to Poison/Redirect client to Decoy Web Review user/password collector Use Cain to add Pubkey for Yahoo Mail Poison Yahoo client logon View cleartext user/pass in payload 01/31/2020 COMPUTER NETWORK DEFENSE COURSE 111 SSH Hijacking Demo Lab Tasks Boot CNDC LiveCD Set root password with passwd command Start SSHd Copy putty client to windows

SSH from Windows to LiveCD, accept key Use Cain to Poison Windows Client SSH from Windows to LiveCD Review captured password in Cain 01/31/2020 COMPUTER NETWORK DEFENSE COURSE 112 DNS Poison with SSL Hijacking Demo Lab Discussion DNS UDP used for most standard queries PKI Vulnerabilities Force legacy 56-bit keying User response to Certificate Warning

  - Lack of certificate revocation checking
    - Buy a cert with a stolen credit card
- SSLStrip-ing
  - Downgrade the client to plain HTTP before TLS ever starts
  - Note: HSTS defends against this, once the browser has seen the site over HTTPS

DNS Poison with SSL Hijacking Demo Lab
65. SSL/SSH hijacking can be prevented by (choose two):
    a. Using large 1024+ bit public keys
    b. Respecting certificate warning errors
    c. Using mutual authentication
    d. Using SHA2 authentication
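Added example for the SSLStrip-ing/HSTS point above (example code written for this page; it is neither the course's material nor the sslstrip tool): the link downgrade an on-path attacker performs, next to the HSTS policy logic in the browser that makes the downgraded link harmless. The host names, the page snippet and the header values are constructed for the example.

```python
"""sslstrip downgrade next to the HSTS policy that defeats it.

sslstrip sits on-path and rewrites every https:// link it sees so the victim
keeps talking plain HTTP to the attacker, who talks TLS to the real site.  A
browser that already holds an HSTS policy for the host (RFC 6797) rewrites its
own request back to https:// before anything leaves the machine, so the
stripped link is never used.  Hosts, page snippet and header values below are
constructed for this example.
"""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit


def sslstrip(html: str) -> str:
    """What the attacker does to every page in transit: downgrade the links."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


@dataclass
class HstsEntry:
    expires: float
    include_subdomains: bool


class HstsStore:
    """Per-host HSTS policies as a browser keeps them."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._hosts: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header: Optional[str], over_tls: bool) -> None:
        """Record a Strict-Transport-Security header.  Ignored on plain-HTTP
        responses: an on-path attacker could otherwise forge or strip it."""
        if header is None or not over_tls:
            return
        max_age, subs = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return                        # malformed: leave policy untouched
            elif name.lower() == "includesubdomains":
                subs = True
        if max_age is None:
            return                                # max-age is mandatory
        if max_age == 0:
            self._hosts.pop(host.lower(), None)   # max-age=0 withdraws the policy
        else:
            self._hosts[host.lower()] = HstsEntry(self._now() + max_age, subs)

    def is_known(self, host: str) -> bool:
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels, now = host.lower().split("."), self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Browser-side rewrite: http:// becomes https:// for HSTS hosts.
        (Explicit port 80 -> 443 mapping is omitted; samples use default ports.)"""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


LOGIN_PAGE = '<a href="https://login.mail.example/">Sign in</a>'      # constructed


def scheme_used_for_login(seen_site_over_https_before: bool) -> str:
    """Scheme the victim's browser ends up using after sslstrip rewrote the page."""
    store = HstsStore()
    if seen_site_over_https_before:   # an earlier clean visit stored the policy
        store.observe("mail.example", "max-age=31536000; includeSubDomains", over_tls=True)
    stripped = sslstrip(LOGIN_PAGE)
    link = re.search(r'href="([^"]+)"', stripped).group(1)
    return urlsplit(store.upgrade(link)).scheme


if __name__ == "__main__":
    print("first-ever visit :", scheme_used_for_login(False))   # sslstrip wins
    print("HSTS already set :", scheme_used_for_login(True))    # browser upgrades
```

The first-visit case is the residual weakness the note above points at: HSTS only protects hosts the browser has already seen over HTTPS (or that ship in the browser's preload list), which is why the demo works against a victim whose first contact with the site happens through the poisoned path.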

DNS Poison with SSL Hijacking Demo Lab
66. VoIP interception can be prevented by:
    a. Configuring and using SSL/TLS encryption
    b. Using a non-standard CODEC
    c. Encrypting the trunk links
    d. Using an authorized softphone

Network Intrusion Detection
TAPs, Mirroring/SPAN Ports, Bridging, and Snort with Barnyard & BASE

Network TAPs - Discussion
- www.netoptics.com
- Active vs. passive

- Aggregating vs. non-aggregating

Adapter Teaming Using a TAP Device - Lab
Tasks
- Install the TAP device
- Capture traffic and verify a bi-directional datastream

Adapter Teaming Using a TAP Device - Lab Summary
I. What is a benefit of using a link-aggregating TAP?
II. What is a benefit of using a non-aggregating TAP?
III. What might a passive TAP be used for?
IV. What might an active TAP be used for?

Port Mirroring - Discussion
- Local mirror/SPAN
- Remote mirroring (RSPAN)
- VLAN mirroring
  - Tagged
  - Untagged
- Mirroring trunk ports

Cisco SPAN (Port Monitoring) - Lab
Tasks

- Connect hosts to the switch
- Set up the source port monitor
- Set up the destination port monitor
- Capture traffic and verify a bi-directional datastream

Cisco SPAN (Port Monitoring) - Lab Summary
I. Are there any other options for source-port traffic-flow monitoring other than both?
   Note: execute the monitor session command on your Cisco switch followed by the ? wildcard character to view the other command options (the alternatives to both are rx-only and tx-only).
II. Identify and list some pros and cons of using a switch for traffic monitoring.

Network Intrusion Detection - Discussion
- IDS vs. IPS

- Active/passive (inhibit, inline)
- Pass-through vs. pass-by
- Compare the evolution of IDS/IPS to that of antivirus
- Key components
  - Engine: Snort, RealSecure
  - Logging facility: syslog, SNMP, NT event log, XML, SQL
  - Management interface/console: web, proprietary

Network Intrusion Detection - Discussion
- SSL acceleration (onboard): PCI card
- SSL offloading (appliance): terminate SSL, scan, forward to the web server/farm
- SSL bridging/initiation
  - Inbound: we control the certs
  - Outbound: must spoof certs (clients have to trust the inspecting CA)

Network Intrusion Detection - Worksheet

- What attacks are used against a NIDS? Include methods criminals may use to evade a NIDS.

Network Intrusion Detection Demo Lab
Tasks

- Boot from the CNDC LiveCD
- Start/autoconfigure the Snort IDS
- Update Snort signatures
- Scan your lab partner with nmap
- Review the BASE console
- Scan your lab partner with nikto.pl
- Review the BASE console
- Archive alerts
- E-mail alerts
- Save an alert as a capture file and open it with Wireshark
- Review the snort.conf file
- Build and test a custom signature
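Added example serving both the worksheet question on NIDS evasion and the "build and test a custom signature" task above (example code written for this page; it is not Snort and only evaluates a subset of rule syntax: the header ports, and the content with |hex| escapes, nocase, msg and sid options). The rule, the HTTP requests and the segment split are constructed samples; the "Nikto" token is the kind of string a simple scanner signature keys on, since nikto's default User-Agent names the tool.

```python
"""A toy evaluator for a subset of Snort rule syntax, plus one classic evasion.

Supports: action/proto/destination port in the header, and the content
(with |hh hh| hex spans), nocase, msg and sid options.  It is not Snort; it
exists to make the rule semantics and a segmentation evasion concrete.  The
rule, the HTTP requests and the segment split below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# one option: name, optional ":value" (quoted or bare), terminating ';'
_OPTION = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str
    msg: str = ""
    sid: int = 0
    contents: List[bytes] = field(default_factory=list)
    nocase: bool = False          # toy simplification: applies to every content


def decode_content(literal: str) -> bytes:
    """Snort content literal (quotes already stripped): text with |hh hh| hex spans."""
    out = bytearray()
    for i, chunk in enumerate(literal.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    head, _, opts = text.partition("(")
    action, proto, _src, _sport, _arrow, _dst, dport = head.split()
    rule = Rule(action, proto, dport)
    for key, val in _OPTION.findall(opts.rstrip(") \n")):
        val = val.strip().strip('"')
        if key == "content":
            rule.contents.append(decode_content(val))
        elif key == "nocase":
            rule.nocase = True
        elif key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
    return rule


def matches(rule: Rule, payload: bytes, dst_port: int) -> bool:
    """Destination port must match and every content pattern must be present."""
    if rule.dst_port not in ("any", str(dst_port)):
        return False
    hay = payload.lower() if rule.nocase else payload
    return all((c.lower() if rule.nocase else c) in hay for c in rule.contents)


def scan_stream(rule: Rule, segments: List[bytes], dst_port: int, reassemble: bool) -> bool:
    """Segmentation evasion: a pattern split across TCP segments is missed by a
    per-packet matcher and caught once the stream is reassembled (in Snort the
    stream preprocessor does that reassembly before content rules run)."""
    if reassemble:
        return matches(rule, b"".join(segments), dst_port)
    return any(matches(rule, seg, dst_port) for seg in segments)


NIKTO_RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"Nikto web scanner"; '
              'content:"Nikto"; nocase; sid:1000001; rev:1;)')

REQUESTS: Dict[str, Tuple[bytes, int]] = {                 # constructed samples
    "nikto":      (b"GET /cgi-bin/ HTTP/1.1\r\nHost: lab\r\nUser-Agent: Mozilla/5.00 (Nikto/2.1.6)\r\n\r\n", 80),
    "nikto_caps": (b"GET /admin/ HTTP/1.1\r\nHost: lab\r\nUser-Agent: NIKTO\r\n\r\n", 80),
    "browser":    (b"GET / HTTP/1.1\r\nHost: lab\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n", 80),
    "nikto_8080": (b"GET / HTTP/1.1\r\nHost: lab\r\nUser-Agent: Nikto\r\n\r\n", 8080),
}


def alerts(rule_text: str = NIKTO_RULE) -> List[str]:
    """Names of the sample requests that trip the rule."""
    rule = parse_rule(rule_text)
    return [name for name, (payload, port) in REQUESTS.items() if matches(rule, payload, port)]


if __name__ == "__main__":
    print(alerts())                                            # ['nikto', 'nikto_caps']
    split = [b"GET / HTTP/1.1\r\nUser-Agent: Nik", b"to\r\n\r\n"]
    r = parse_rule(NIKTO_RULE)
    print(scan_stream(r, split, 80, reassemble=False), scan_stream(r, split, 80, reassemble=True))
```

The "nikto_8080" sample shows the other side of the worksheet question: a signature pinned to port 80 says nothing about a scan against a web server on another port, so a custom rule written for the lab should be checked against both the traffic it is meant to catch and the trivial variations (case, port, segmentation) an attacker controls.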

Network Intrusion Detection Demo Lab Summary
- Where to get Snort
- Where to get signatures
- Keep the IDS/IPS patched
- Time & effort

IDS Implementation - Worksheet
- Explain the difference between a pass-through and a pass-by IDS system.
- What mechanism or device is required to allow your IDS/IPS system to monitor encrypted traffic?
- List the three key components of a hIDS/nIDS.
