The Network Security Test Lab: A Step-by-Step Guide
About this ebook
The Network Security Test Lab is a hands-on, step-by-step guide to ultimate IT security implementation. Covering the full complement of malware, viruses, and other attack technologies, this essential guide walks you through the security assessment and penetration testing process, and provides the set-up guidance you need to build your own security-testing lab. You'll look inside the actual attacks to decode their methods, and learn how to run attacks in an isolated sandbox to better understand how attackers target systems, and how to build the defenses that stop them. You'll be introduced to tools like Wireshark, Networkminer, Nmap, Metasploit, and more as you discover techniques for defending against network attacks, social networking bugs, malware, and the most prevalent malicious traffic. You also get access to open source tools, demo software, and a bootable version of Linux to facilitate hands-on learning and help you implement your new skills.
Security technology continues to evolve, and yet not a week goes by without news of a new security breach or a new exploit being released. The Network Security Test Lab is the ultimate guide when you are on the front lines of defense, providing the most up-to-date methods of thwarting would-be attackers.
- Get acquainted with your hardware, gear, and test platform
- Learn how attackers penetrate existing security systems
- Detect malicious activity and build effective defenses
- Investigate and analyze attacks to inform defense strategy
The Network Security Test Lab is your complete, essential guide.
Michael Gregg
Michael Gregg is the President of Superior Solutions, Inc. and has more than 20 years' experience in the IT field. He holds two associate’s degrees, a bachelor’s degree, and a master’s degree and is certified as CISSP, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and TICSA. Michael's primary duty is to serve as project lead for security assessments, helping businesses and state agencies secure their IT resources and assets. Michael has authored four books, including Inside Network Security Assessment, CISSP Prep Questions, CISSP Exam Cram2, and Certified Ethical Hacker Exam Prep2. He has developed four high-level security classes, including Global Knowledge's Advanced Security Boot Camp, Intense School's Professional Hacking Lab Guide, ASPE's Network Security Essentials, and Assessing Network Vulnerabilities. He has written over 50 articles featured in magazines and Web sites, including Certification Magazine, GoCertify, The El Paso Times, and SearchSecurity. Michael is also a faculty member of Villanova University and creator of Villanova's college-level security classes, including Essentials of IS Security, Mastering IS Security, and Advanced Security Management. He also serves as a site expert for four TechTarget sites, including SearchNetworking, SearchSecurity, SearchMobileNetworking, and SearchSmallBiz. He is a member of the TechTarget Editorial Board.
The Network Security Test Lab
A Step-by-Step Guide
Michael Gregg
The Network Security Test Lab: A Step-by-Step Guide
Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-98705-6
ISBN: 978-1-118-98715-5 (ebk)
ISBN: 978-1-118-98713-1 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2015946971
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
About the Author
Mr. Michael Gregg is the CEO of Superior Solutions, Inc., a Houston-based IT security-consulting firm. He has more than 20 years' experience in the IT field and holds two associate's degrees, a bachelor's degree, a master's degree, and many IT certifications, such as CISSP, CISA, CISM, MCSE, and CEH. Michael has authored or co-authored more than 20 books, including Inside Network Security Assessment (SAMS, 2005); Hack the Stack (Syngress, 2006); Security Administrator Street Smarts (Syngress, 2011); and How to Build Your Own Network Security Lab (Wiley, 2008).
Michael has testified before the United States Congress on privacy and security breaches. He also testified before the Missouri State Attorney General's committee on cybercrime and the rise of cell phone hacking. He has spoken at major IT/Security conferences such as the NCUA auditors conference in Arlington, Virginia. He is frequently cited by major print publications as a cybersecurity expert and has also appeared as an expert commentator for network broadcast outlets and print publications such as CNN, FOX, CBS, NBC, ABC, The Huffington Post, Kiplinger's, and The New York Times.
Michael enjoys giving back to the community; some of his civic engagements include Habitat for Humanity and United Way.
Credits
Project Editor
Sydney Argenta
Technical Editor
Rob Shimonski
Production Manager
Kathleen Wisor
Copy Editor
Marylouise Wiack
Manager of Content Development & Assembly
Mary Beth Wakefield
Marketing Director
David Mayhew
Marketing Manager
Carrie Sherrill
Professional Technology & Strategy Director
Barry Pruett
Business Manager
Amy Knies
Associate Publisher
Jim Minatel
Project Coordinator, Cover
Brent Savage
Proofreader
Nancy Carrasco
Indexer
Johnna VanHoose Dinse
Cover Designer
Wiley
Cover Image
©iStock.com/alphaspirit
Acknowledgments
I would like to acknowledge Christine, Betty, Curly, and all my family. Also, a special thanks to everyone at Wiley. It has been a great pleasure to have worked with you on this book. I am grateful for the help and support from Carol Long, Sydney Argenta, Debbie Dahlin, and Rob Shimonski.
CONTENTS
Introduction
Overview of the Book and Technology
How This Book Is Organized
Who Should Read This Book
Tools You Will Need
What’s on the Wiley Website
Summary (From Here, Up Next, and So On)
Chapter 1: Building a Hardware and Software Test Platform
Why Build a Lab?
Hardware Requirements
Software Requirements
Summary
Key Terms
Exercises
Chapter 2: Passive Information Gathering
Starting at the Source
Mining Job Ads and Analyzing Financial Data
Using Google to Mine Sensitive Information
Exploring Domain Ownership
Summary
Key Terms
Exercises
Chapter 3: Analyzing Network Traffic
Why Packet Analysis Is Important
How to Capture Network Traffic
Wireshark
Other Network Analysis Tools
Summary
Key Terms
Exercises
Chapter 4: Detecting Live Systems and Analyzing Results
TCP/IP Basics
Detecting Live Systems with ICMP
Port Scanning
OS Fingerprinting
Scanning Countermeasures
Summary
Key Terms
Exercises
Chapter 5: Enumerating Systems
Enumeration
Advanced Enumeration
Mapping the Attack Surface
Summary
Key Terms
Exercises
Chapter 6: Automating Encryption and Tunneling Techniques
Encryption
Encryption Role in Authentication
Tunneling Techniques to Obscure Traffic
Attacking Encryption and Authentication
Summary
Key Terms
Exercises
Chapter 7: Automated Attack and Penetration Tools
Why Attack and Penetration Tools Are Important
Vulnerability Assessment Tools
Automated Exploit Tools
Determining Which Tools to Use
Picking the Right Platform
Summary
Key Terms
Exercises
Chapter 8: Securing Wireless Systems
Wi-Fi Basics
Wi-Fi Security
Wireless LAN Threats
Exploiting Wireless Networks
Securing Wireless Networks
Summary
Key Terms
Exercises
Chapter 9: An Introduction to Malware
History of Malware
Types of Malware
Common Attack Vectors
Defenses Against Malware
Summary
Key Terms
Exercises
Chapter 10: Detecting Intrusions and Analyzing Malware
An Overview of Intrusion Detection
IDS Types and Components
IDS Engines
An Overview of Snort
Building Snort Rules
Advanced Snort: Detecting Buffer Overflows
Responding to Attacks and Intrusions
Analyzing Malware
Summary
Key Terms
Exercises
Chapter 11: Forensic Detection
Computer Forensics
Acquisition
Authentication
Trace-Evidence Analysis
Hiding Techniques
Summary
Key Terms
Exercises
EULA
List of Tables
Chapter 1
Table 1.1
Table 1.2
Table 1.3
Chapter 2
Table 2.1
Table 2.2
Table 2.3
Table 2.4
Chapter 3
Table 3.1
Table 3.2
Table 3.3
Table 3.4
Table 3.5
Table 3.6
Table 3.7
Table 3.8
Chapter 4
Table 4.1
Table 4.2
Table 4.3
Table 4.4
Table 4.5
Table 4.6
Table 4.7
Chapter 5
Table 5.1
Table 5.2
Table 5.3
Table 5.4
Table 5.5
Chapter 6
Table 6.1
Chapter 8
Table 8.1
Table 8.2
Table 8.3
Chapter 9
Table 9.1
Chapter 10
Table 10.1
Table 10.2
Table 10.3
Table 10.4
Chapter 11
Table 11.1
List of Illustrations
Chapter 1
Figure 1.1 Type 1 hypervisors run directly on hardware.
Figure 1.2 Type 2 hypervisors run on an OS.
Figure 1.3 Install VMware Workstation.
Figure 1.4 Choose the typical option to install the VMware Workstation.
Figure 1.5 A bump key is a special key that has been cut to a number nine position and has a small amount of extra material shaved from the front and the shank of the key.
Figure 1.6 Bootable security distributions of Linux
Figure 1.7 Fedora Security Lab
Figure 1.8 Linux password creation
Figure 1.9 The Vulnhub website is useful to the security professional.
Chapter 2
Figure 2.1 The About Us page for Superior Solutions, Inc.
Figure 2.2 Leapfrogging to the primary target
Figure 2.3 The ZabaSearch website
Figure 2.4 Mapping a location to an address using Google Maps
Figure 2.5 Finding results on ZoomInfo
Figure 2.6 An archived web page on the Wayback Machine
Figure 2.7 The PayPalSucks.com home page
Figure 2.8 The FOCA interface
Figure 2.9 Source sifting with BlackWidow
Figure 2.10 The Edgar database
Figure 2.11 IANA home page
Figure 2.12 IANA top-level domains
Figure 2.13 IANA domain details
Figure 2.14 ARIN WHOIS results
Figure 2.15 DNS resolution
Figure 2.16 DNS root structure
Figure 2.17 Netcraft site lookup for example.com
Figure 2.18 Netcraft-identified web server banner
Figure 2.19 The VisualRoute interface
Chapter 3
Figure 3.1 Sniffing packets with a hub
Figure 3.2 You can use a Throwing Star LAN Tap to intercept traffic
Figure 3.3 Switch segmentation prevents hackers from seeing traffic on other ports
Figure 3.4 VLAN segmentation reduces the amount of traffic available for inspection
Figure 3.5 Port Mirroring allows you to configure one port to receive packets from another
Figure 3.6 You send an ARP request to find a physical address to match an IP address
Figure 3.7 ARP cache poisoning facilitates this man-in-the-middle attack
Figure 3.8 Open the Cain & Abel Sniffer tab
Figure 3.9 Use the Cain & Abel MAC Address Scanner
Figure 3.10 Cain & Abel lets you pick a target to sniff
Figure 3.11 Cain & Abel launching the attack
Figure 3.12 Observing the results of your ARP cache poisoning
Figure 3.13 A rogue DHCP server allows an attacker to redirect traffic
Figure 3.14 Select an interface in Wireshark
Figure 3.15 Wireshark has a three-pane design
Figure 3.16 Sample Wireshark packet decode
Figure 3.17 The Wireshark ICMP filter removes clutter
Figure 3.18 Using the Wireshark ip.addr filter
Figure 3.19 An example of a Wireshark ARP cache poisoning capture
Figure 3.20 Wireshark offers the Display Filter dialog box to help you create filters
Figure 3.21 Wireshark offers another way to apply filters
Figure 3.22 Use the autocomplete function in Wireshark when creating filters
Figure 3.23 The conversation filter in Wireshark lets you see intercommunication between hosts
Figure 3.24 The Ethernet frame is a simple structure.
Figure 3.25 Ethernet frame decode.
Figure 3.26 A Simple network capture
Figure 3.27 IP header decode
Figure 3.28 A TCP header decode
Figure 3.29 Application layer decode
Figure 3.30 NetworkMiner ARP capture
Figure 3.31 Using NetworkMiner to display passwords
Figure 3.32 Capsa makes capturing and parsing network traffic very easy
Figure 3.33 Which OS
Figure 3.34 What is the security issue?
Figure 3.35 Why is only broadcast traffic captured?
Figure 3.36 Wireshark and tcpdump
Figure 3.37 One-way data cable
Chapter 4
Figure 4.1 TCP/IP protocol stack
Figure 4.2 Ethernet frames and MAC addresses
Figure 4.3 IPv4 header
Figure 4.4 ARP reply
Figure 4.5 TCP operation
Figure 4.6 TCP header
Figure 4.7 TCP flag structure
Figure 4.8 UDP header structure
Figure 4.9 FTP cleartext username and password
Figure 4.10 FTP successful ping
Figure 4.11 Examination of ping packets
Figure 4.12 Angry IP Scanner configuration
Figure 4.13 A completed scan in Angry IP Scanner
Figure 4.14 Wireshark traceroute TTL
Figure 4.15 Traceroute path
Figure 4.16 TCP three-step startup
Figure 4.17 TCP shutdown.
Figure 4.18 Wireshark capture of a full connect scan
Figure 4.19 UDP open and closed connections
Figure 4.20 Idle scan of an open port.
Figure 4.21 Idle scan of a closed port
Figure 4.22 Scan types and potential results
Figure 4.23 Wireshark port scan statics
Figure 4.24 Nmap four-packet scan result
Figure 4.25 Nmap port scan order
Figure 4.26 SuperScan
Figure 4.27 Wireshark
Figure 4.28 Wireshark packet structure
Figure 4.29 Wireshark packet structure
Figure 4.30 Wireshark packet structure decoded
Figure 4.31 TCP flags.
Figure 4.32 ICMP packet decode
Figure 4.33 Port scan flag filter
Figure 4.34 Open ports
Chapter 5
Figure 5.1 An example of a RIP packet capture
Figure 5.2 Wireshark captures this RIP packet, which provides an attacker with routing information.
Figure 5.3 Firewalking can help you identify a firewall’s settings.
Figure 5.4 The DumpSec GUI-based format makes it easy to get results.
Figure 5.5 SNMP is actually part of a larger framework known as the Internet Standard Network Management Framework.
Figure 5.6 The structure of SNMP components
Figure 5.7 SolarWinds IP Network browser lets you examine SNMP data.
Figure 5.8 Sample SCADA design
Figure 5.9 SHODAN is a vulnerability search website.
Figure 5.10 Attackers search for these common SCADA ports.
Figure 5.11 Is there anything you can enumerate in this Wireshark capture of SCADA traffic?
Figure 5.12 Various types of software can help with the password-cracking process.
Figure 5.13 Cain & Abel lets you choose a method to use when cracking passwords.
Figure 5.14 Ophcrack offers this online password-cracking tool.
Figure 5.15 Capture passwords with Mimikatz pass-the-hash program.
Figure 5.16 SecurityFocus lets you do vulnerability research.
Figure 5.17 Packet Storm aids you in exploit code research.
Figure 5.18 Installing SNMP services
Figure 5.19 Enter the IP address and network range into the IP Network Browser.
Figure 5.20 The IP network browser displays the results.
Figure 5.21 A Cain & Abel routing capture: Notice that the update is in RIP and RIPv2.
Figure 5.22 Select the computer you want DumpSec to target.
Figure 5.23 Select the fields to use in the Dump Users as Table.
Figure 5.24 DumpSec provides enumeration results.
Figure 5.25 User agent strings
Figure 5.26 Test your own browser at the Panopticlick website.
Chapter 6
Figure 6.1 Caesar’s cipher is an early encryption technique.
Figure 6.2 Symmetric encryption uses a shared key for encryption and decryption.
Figure 6.3 Asymmetric encryption requires two related keys.
Figure 6.4 Linux salting creates a password.
Figure 6.5 Challenge-response authentication requires the user to enter a correct answer.
Figure 6.6 TCP ACK Tunneling
Figure 6.7 Advanced tunneling techniques allow attackers access to data behind a firewall.
Figure 6.8 WordPress tells you the username is incorrect.
Figure 6.9 CrypTool
Figure 6.10 CrypTool decryption
Figure 6.11 32-bit CrypTool decryption
Figure 6.12 Follow TCP Stream.
Figure 6.13 Base64 username and password
Figure 6.14 Decoded password
Chapter 7
Figure 7.1 The Nessus client/server model makes scan data available.
Figure 7.2 The Nessus Knowledge Base provides developer information.
Figure 7.3 Nessus lets you select which target to scan.
Figure 7.4 The Nessus Plugins tab lets you scan for plug-ins.
Figure 7.5 The Nessus Knowledge Base provides information about known vulnerabilities.
Figure 7.6 The Nessus report can be customized.
Figure 7.7 Armitage offers a GUI.
Figure 7.8 The Metasploit payload offers update options.
Figure 7.9 The Browser Exploitation Framework Project log-in screen
Figure 7.10 Use N-Stalker to scan for vulnerabilities.
Chapter 8
Figure 8.1 Computers are connected via wireless NICs in wireless ad hoc mode.
Figure 8.2 Wireless infrastructure mode with a centralized wireless device
Figure 8.3 WiGLE.net displays maps of wireless LANs.
Figure 8.4 NetStumbler can gather information about nearby wireless networks.
Figure 8.5 NIC cards allow you to attach an antenna for wardriving.
Figure 8.6 Recent war-walking results show a high number of unsecured networks.
Figure 8.7 Password eavesdropping is easy on unsecured networks.
Figure 8.8 Win Sniffer captures passwords and usernames.
Figure 8.9 Cain & Abel sniffs and cracks passwords.
Figure 8.10 Access point spoofing involves tricking users into using a rogue AP.
Figure 8.11 Set the Wireshark capture options.
Figure 8.12 You can use Wireshark to capture packet information.
Chapter 9
Figure 9.1 Much of today’s malware is designed to target specific individuals or firms, and avoid discovery.
Figure 9.2 A Trojan is combined with a legitimate program by a wrapper.
Figure 9.3 RDGSoft Tejon Crypter is just one of the available crypters.
Figure 9.4 VirusTotal is just one online antivirus tool.
Chapter 10
Figure 10.1 An IDS defines four possible states.
Figure 10.2 How Signature-based IDS functions
Figure 10.3 How statistical anomaly-based IDS functions
Figure 10.4 An IDS can tell the difference between normal and abnormal activity.
Figure 10.5 Example of Snort log files
Figure 10.6 A DomainTools lookup provides a lot of information about domains.
Figure 10.7 A GeoIPTool lookup can give you geographical information.
Figure 10.8 Tcpiputils.com allows you to see whether a domain is known to generate malware.
Figure 10.9 BFK offers a passive DNS database.
Figure 10.10 You can configure your virtual machines with one computer to act as the controller.
Figure 10.11 Be sure to isolate your network from outside sources.
Figure 10.12 Private malware analysis companies do not share their knowledge about malware with antivirus companies.
Figure 10.13 WinMD5 offers a GUI program for finding malware.
Figure 10.14 Process Explorer allows you to examine processes running on a computer.
Figure 10.15 Wireshark finds this Zeus Botnet performing click fraud.
Figure 10.16 Configuration of browser loopback settings
Chapter 11
Figure 11.1 You use the evidence to understand the relationship between the suspect and victim.
Figure 11.2 A write blocker helps you copy evidence from the suspect’s computer.
Figure 11.3 File slack and drive space may hold important clues for forensic investigation.
Figure 11.4 MD5Summer is one of the tools you can use for hashing.
Figure 11.5 Belkasoft IE History Extractor makes it easier to explore a browser’s history file.
Figure 11.6 The Outlook email header provides a lot of information, including the source IP address.
Figure 11.7 Use SFind to detect hidden streamed files.
Figure 11.8 S-Tools is just one of the steganographic tools available.
Figure 11.9 S-Tools displays an image comparison.
Figure 11.10 Explore Internet email headers.
Figure 11.11 S-Tools enables you to hide a file inside another file.
Figure 11.12 Hide this text in the file.
Figure 11.13 Fill in the encryption options and enter a passphrase.
Figure 11.14 One image contains your hidden message. Look closely and see whether you can tell the difference.
Introduction
Welcome to The Network Security Test Lab. With this book, you can increase your hands-on IT security skills. The techniques and tools discussed in this book can benefit IT security designers and implementers. IT security designers will benefit as they learn more about specific tools and their capabilities. Implementers will gain firsthand experience from installing and practicing using software tools needed to secure information assets.
Overview of the Book and Technology
This book is designed for individuals who need to better understand the functionality of security tools. Its objective is to help guide those individuals in learning when and how specific tools should be deployed and what any of the tools’ specific limitations are. This book is for you if any of the following are true:
You want to learn more about specific security tools.
You lack hands-on experience in using security tools.
You want to get the skills needed to advance at work or move into a new position.
You love to tinker or expand your skills with computer software and hardware.
You are studying for a certification and want to gain additional skills.
How This Book Is Organized
The contents of this book are structured as follows:
Chapter 1, Building a Hardware and Software Test Platform—Guides you through the process of building a hardware test platform.
Chapter 2, Passive Information Gathering—Reviews the many ways that information can be passively gathered. This process starts at the organization’s website, and then moves to WHOIS records. This starting point allows you to build a complete profile of the organization.
Chapter 3, Analyzing Network Traffic—Reviews methods and techniques for packet analysis. You will learn firsthand how common packet analysis tools such as Wireshark, Capsa, and Netwitness are used.
Chapter 4, Detecting Live Systems and Analyzing Results—Once IP ranges have been discovered and potential systems have been identified, you will move quickly to using a host of tools to determine the status of live systems. Learn how Internet Control Message Protocol (ICMP) and other protocols work, while using both Linux and Windows lab systems.
Chapter 5, Enumerating Systems—Explores how small weaknesses can be used to exploit a system and gain a foothold or operational control of a system. You will learn firsthand how to apply effective countermeasures by changing default banners, hardening systems, and disabling unwanted services.
Chapter 6, Automating Encryption and Tunneling Techniques—Provides insight into how cryptographic systems are used to secure information and items such as passwords. You learn firsthand how these systems are attacked and which tools are used.
Chapter 7, Automated Attack and Penetration Tools—Presents you with an overview of how attack and penetration tools work. These are the same tools that may be used against real networks, so it is important to understand how they work and their capabilities.
Chapter 8, Securing Wireless Systems—Offers an overview of the challenges you’ll face protecting wireless networks. Although wireless systems are easy to deploy, they can present a real security challenge.
Chapter 9, An Introduction to Malware—Takes you through a review of malware and demonstrates how to remove and control virulent code. You learn how to run rootkit detectors and spyware tools, and use integrity-verification programs.
Chapter 10, Detecting Intrusions and Analyzing Malware—Introduces intrusion detection systems (IDSs) and discusses the ways in which malware can be analyzed. This chapter gives you the skills needed to set up and configure Snort and use tools such as IdaPro.
Chapter 11, Forensic Detection—Reviews the skills needed to deal with the aftermath of a security breach. Forensics requires the ability to acquire, authenticate, and analyze data. You learn about basic forensic procedures and tools to analyze intrusions after security breaches.
Who Should Read This Book
This book is designed for the individual with intermediate skills. While this book is focused on those who seek to set up and build a working security test lab, this does not mean that others cannot benefit from it. If you already have the hardware and software needed to review specific tools and techniques, Chapter 2 is a good starting point. For even more advanced individuals, specific chapters can be used to gain additional skills and knowledge. As an example, if you are looking to learn more about password hashing and password cracking, proceed to Chapter 6. If you are specifically interested in wireless systems, Chapter 8 is for you. So, whereas some readers may want to read the book from start to finish, there is nothing to prevent you from moving around as needed.
Tools You Will Need
Your desire to learn is the most important thing you have as you start to read this book. I try to use free, open source software as much as possible. After all, the goal of this book is to make this as affordable as possible for those wanting to increase their skills. Because the developers of many free tools do not have the development funds that those who make commercial tools do, these tools can be somewhat erratic. The upside is that, if you are comfortable with coding or developing scripts, many of the tools can be customized. This gives them a wider range of usability than many commercial tools.
Tools are only half the picture. You will also need operating systems to launch tools and others to act as targets. A mixture of Linux and Windows systems will be needed for this task. We will delve into many of these issues in the first chapter. You may also want to explore sites like http://www.linuxlinks.com/distributions. There is more on this in the next section.
What’s on the Wiley Website
To make the process of getting started as easy as possible for you, some of the basic tools you will need are available on the Wiley website that has been set up for this book at www.wiley.com/go/networksecuritytestlab.
Summary (From Here, Up Next, and So On)
The Network Security Test Lab is designed to take readers to the next stage of personal knowledge and skill development. Rather than presenting just the concept or discussing the tools that fit in a specific category, The Network Security Test Lab takes these topics and provides real-world implementation details. Learning how to apply higher-level security skills is an essential skill needed to pursue an advanced security career, and to make progress toward obtaining more complex security certifications, including CISSP, CASP, GSEC, CEH, CHFI, and the like. I hope that you enjoy this book, and please let me know how it helps you advance in the field of cyber security.
CHAPTER 1
Building a Hardware and Software Test Platform
This book is designed for those who need to better understand the importance of IT security. This chapter walks you through what you need to set up a hardware/software test platform. As a child, you may have loved to take things apart, TVs, radios, computers, and so on, in a quest to better understand how they worked. Your tools probably included soldering irons, screwdrivers—maybe even a hammer! That is similar to what you will be doing throughout this book. While you won’t be using a hammer, you will be looking at protocols and applications to understand how they work. You will also examine some common tools that will make your analysis easier. The objective is to help you become a better network analyst, and improve and sharpen your IT security skills.
Because no two networks are the same, and because they change over time, it is impossible to come up with a one-size-fits-all list of hardware and software that will do the job for you. Networks serve the enterprises that own them, and enterprises must change over time. In addition, the scale of operation impacts security considerations. If you pursue a career as a security consultant, your goals (and inevitably your needs) will differ, depending on whether you work for a large multinational corporation (and even here, your goals and needs will depend on the type of industry) or a small office/home office (SOHO) operation or a small business. Clearly, a whole spectrum of possibilities exists here.
This chapter provides the first step in building your own network security lab. You will start to examine the types of hardware and gear that you can use to build such a test environment, and then look at the operating systems and software you should consider loading on your new equipment.
Why Build a Lab?
A laboratory is as vital to a computer-security specialist as it is to a chemist or biologist. It is the studio in which you can control the large number of variables that bear upon the outcome of your experiments. And network security, especially, is a field in which the researcher must understand how a diverse range of technologies behave at many levels. For a moment, just consider the importance of the production network to most organizations. They rely on it being available and functioning at all times, which means that many tests and evaluations must be developed in a lab, on a network that has been specifically designed for such experiments.
NOTE A laboratory is a controlled environment in which unexpected events are nonexistent or at least minimized. Having a lab provides a consequence-free setting in which damage that might result from experimentation is localized (and can, it is hoped, be easily corrected).
Consider something as basic as patch management. Very few organizations move directly from downloading a patch to installing it in the production environment. The first step is to test the patch. The most agreed-upon way to accomplish this is to install it on a test network or system. This allows problems to be researched and compatibility ensured. You might also want to consider a typical penetration test. It may be that the penetration-testing team has developed a new exploit or written a specific piece of code for this unique assignment. Will the team begin by deploying this code on the client’s network? Hopefully not. The typical approach would be to deploy the code on a test network to verify that it will function as designed. The last thing the penetration test team needs is to be responsible for a major outage on the client’s network. These types of events are not good for future business.
Building a lab requires you to become familiar with the basics of wiring, signal distribution, switching, and routing. You also need to understand how you might tap into a data stream to analyze or, potentially, attack the network. The mix of common network protocols must be understood; only by knowing what is normal on the network can you recognize and isolate strange behavior. Consider some of the other items that might motivate you to construct such a lab:
Certification
Job advancement
Knowledge
Experimentation
Evaluation of new tools
To varying degrees, networking- and security-related certifications require knowledge of the hardware and software of modern networks. There is no better vehicle for learning about networking and security issues firsthand than to design and build your own network lab. This provides a place where you can add and remove devices at will and reconfigure hardware and software to your liking. You can observe the interaction between the systems and networking devices in detail.
Advancing in your field is almost never an accident. The IT industry is an area of constant change, and the best way to build a career path in the world of IT is to build your skill set. By mastering these technologies, you will be able to identify the knowledgeable people on the job or at a customer’s site, and align yourself with them. You might even uncover some gifts that you did not previously realize you possessed, such as a love for hexadecimal—well, maybe.
Building a lab demonstrates your desire and ability to study and control networks. One key item that potential employers always consider is whether a candidate has the drive to get the job done. Building your own security lab can help demonstrate to employers that you are looking for more than just a job: You want a career. As you use the network resources in your lab, you will invariably add to your knowledge and understanding of the technologies that you employ. Learning is a natural consequence.
Experimentation is a practical necessity if you are to fully understand many of the tools and methods employed by security professionals and hackers alike. Just consider the fact that there are many manuals that explain how Windows Server 2012 works, or how a Check Point firewall works, but no manual can account for every single situation and what is ‘unique’ to any environment you encounter. Some combinations and interactions are simply unknown. By building your own lab, you will discover that when deployed in complex modern networks, many things do not work the way the documentation says they will. And many times, it does not suffice to simply understand what happens; you need to appreciate the timing and sequence of events. This requires the control that a laboratory environment provides.
Because IT is an industry of continual change, new software, new security tools, new hacking techniques, and new networking gizmos constantly appear. A network security lab provides you with a forum in which to try these things out. You certainly don’t want to risk corrupting a computer that you depend on every day to do your job. And you don’t want to negatively impact the work of others; doing so is a good way to quickly put the brakes on your budding career.
A laboratory thus provides a place where you can try new things. This is a setting in which you can gain a detailed understanding of how things are put together and how they normally interact. It is an environment in which you can likely predict the outcome of your experiments, and if an outcome is unexpected, you can then isolate the cause.
BUILDING YOUR OWN SECURITY LAB
A common question among students and those preparing for certification is, “How do I really prepare for the job or promotion I am seeking?”
The answer is always the same: know the material, but also get all the hands-on experience you can. Many times these people don’t have enough money in their IT budget, or they are struggling students. That is totally understandable. Yet the fact remains that there is no way to pick up many of the needed skills by reading alone. And many tests cannot be conducted on a live Internet-connected network.
With a little work and effort, you can find the equipment required to practice necessary skills at a reasonable price—network professionals have been doing this for years. There are even sites such as certificationkits.com that are set up exclusively to provide students with a full set of networking gear needed to complete a Cisco Certified Network Associate (CCNA) or a Cisco Certified Network Professional (CCNP) certification.
Hardware Requirements
Before you can get started with any testing, you need to assemble some hardware. Your goal, as always, will be to do this as inexpensively as possible. Many things might be included in a network security laboratory. Some of these items are mandatory (for example, cables), and some things can be added according to your needs and as they become available or affordable. Although it is possible to contain everything within one computer, your requirements will vary from time to time based on the scenario that you are modeling.
Here are some of the things that will likely end up in your mix:
Computers
Networking tools
Cables
Network-attached storage (NAS)
Hubs
Switches
Routers
Removable disk storage
Internet connection
Cisco equipment
Firewalls
Wireless access points
Keyboard, video, mouse (KVM) switches
Surge suppressors and power strips
In your network lab, you will need a wide variety of cables, as this will allow you to configure your test network in many different ways. Specific configurations will be needed for different scenarios. You will also want to have some tools that come in handy for building and testing cables, so items such as wire strippers, crimp tools, and punch-down tools might find their way into your toolbox. Crossover and loopback adapters can prove handy, too.
Hubs, switches, and routers are the building blocks of network infrastructure. It is crucial to understand how the roles of these things differ. Not all switches have identical capabilities. Likewise, routers can vary considerably, so it is good to have a couple to choose from. Cisco products are so prevalent that it is a good idea to include some of their equipment in the mix; they will be found at almost every worksite.
An Internet connection is a necessity. You will need to research various topics and download software as you use the network in your lab. Or you might find yourself modeling the behavior of an Internet-based attacker. On the slim chance that you are borrowing WiFi from your neighbor’s open access point, now is the time to make the upgrade to your own dedicated connection.
Having a firewall can prove very valuable, too. As a security professional, you are expected to have an appreciation for these devices and their capabilities. Your firewall could prove to be an important component in some of your experiments. On a daily basis, you can use your firewall to protect your primary (home or office) network from the unpleasant things that can occur on the network in your lab.
Don’t forget the logistical details of constructing a network. You will need table space, shelving, power strips, and surge suppressors. If you have an old uninterruptible power supply (UPS) available, you might employ it, too. With several computers in close proximity, you will probably not want to have to deal with a bunch of monitors, keyboards, and mice; a KVM switching arrangement can save a lot of space and aggravation. Now you can turn your attention to the physical computing hardware that you will need.
NOTE Commercial-quality equipment is much more capable than the products targeted for the consumer or SOHO market. You will be better off with a real Cisco router, even if it is used and scratched up, than with a little Netgear home router.
Physical Hardware
When it comes to computer systems, there are three key items to consider: processor, memory, and disk space. Having a fast processor, a lot of memory, and a bunch of disk space is a big positive when selecting or building a computer. Fast and big are relative terms whose meaning changes over time. But generally, a good place to start with a Windows PC would be an Intel Core i5 system with 32GB of RAM. Think of these as your minimum requirements. Generally, you can get away with a little less memory with Linux systems.
In terms of disk storage, an internal 1TB SATA hard drive would be considered a minimum requirement. While a solid-state drive is not mandatory, it will reduce both boot-up times and system response times. Removable disk storage, such as USB drives and NAS, allows you to safely image your systems so that they can be restored with relative ease if they become corrupt during an experiment. NAS can be handy for holding copies of configuration files, downloaded software, and whatever else you may need while working on the network. It is great to have a central storage location that you can access from various computer systems.
So how do you start building your lab? First, consider many of the sources that exist for the equipment you need. Some of these sources include the following:
Equipment you already have
New equipment purchases
Used equipment purchases
Each of these options is discussed in the following sections along with an overview of their advantages and disadvantages.
Equipment You Already Have
Either at home or at work, you are already likely to have some of the items that will prove useful in building your own security lab. These could range from something as trivial as a handful of Ethernet cables in your desk drawer to shelves full of spare or retired PCs, switches, and routers.
If you are doing this on the job, there are a couple of possible scenarios. Is the spare equipment under your control? If not, you will have to work things out with the appropriate supervisors and make sure that they approve your use of the equipment. Next, you want to take stock of what is available and make a list of the things that look like they could prove useful. Don’t worry about the details at this point. Focus on the important items that were mentioned earlier in this chapter.
Finally, prioritize your list and pick out the things that you think will be most useful. Keep the list, as you will probably refer to it later. Remember to start with a small collection of obviously needed items, such as several PCs, laptops, a router, a hub or switch, an Internet connection, and a handful of cables. It will be easy to add things later, so try not to get carried away and include two of everything in your initial efforts.
New Equipment Purchases
Naturally, you have the option of buying new equipment. Sometimes this might be the easiest way to go, if you want to get the job done quickly. The only problem is that buying retail is probably the most expensive option. If you don’t have much in the way of retired or spare equipment available, you might have to take this route. If you see your lab as a more or less permanent addition to the workplace, something that you plan to use on an ongoing basis for the foreseeable future, then maybe this is justified.
If you take this path, consider writing a proposal for the needed equipment. Determine the advantages that such a lab will bring to the department and to the company. Make sure to discuss these advantages in your proposal. Highlight the monetary savings that such an investment can return. On the positive side, this approach provides state-of-the-art equipment for the lab. You will also have all the manuals and software readily available. And you won’t have to hunt around for missing parts. If you cannot get all the funds approved, you may decide that a few key components are best purchased new. Then the other odds and ends can be filled in on the cheap.
Of all the items that are recommended for inclusion in the lab, which one is best bought new? Many people would agree that PCs will most impact the usefulness of the lab. Older PCs tend to be somewhat slower and lacking in important resources, notably memory and storage capabilities. The prices of PCs have fallen considerably over the past few years. As an example, you can buy a decently equipped Dell open source desktop machine for around $500. If you are going to put Linux on it anyway, you don’t care that the machine does not come with an operating system. And if you intend to share one keyboard, display, and mouse with a KVM switch, again, who cares that the price does not include a display?
NOTE Watch the prices of memory and hard drives. Be careful with regard to memory prices if you decide to buy new computers. It is often cheaper to buy your own memory and install it in the machine yourself. And when it comes to hard drives, look for the breakpoint in the pricing where there seems to be an extraordinary price jump relative to the increase in drive size. That is the sweet spot in the market.
Used Equipment Purchases
If you are building your own security lab for home use, this may be the most viable option for obtaining some of the needed equipment. Although this route does require more work, you can save a substantial amount of money. It also spurs creativity, and that is a valuable skill in the networking and IT security field. Employ a bit of