
The Network Security Test Lab: A Step-by-Step Guide
Ebook, 836 pages, 8 hours


About this ebook

The ultimate hands-on guide to IT security and proactive defense

The Network Security Test Lab is a hands-on, step-by-step guide to ultimate IT security implementation. Covering the full complement of malware, viruses, and other attack technologies, this essential guide walks you through the security assessment and penetration testing process, and provides the set-up guidance you need to build your own security-testing lab. You'll look inside the actual attacks to decode their methods, and learn how to run attacks in an isolated sandbox to better understand how attackers target systems, and how to build the defenses that stop them. You'll be introduced to tools like Wireshark, NetworkMiner, Nmap, Metasploit, and more as you discover techniques for defending against network attacks, social networking bugs, malware, and the most prevalent malicious traffic. You also get access to open source tools, demo software, and a bootable version of Linux to facilitate hands-on learning and help you implement your new skills.

Security technology continues to evolve, and yet not a week goes by without news of a new security breach or a new exploit being released. The Network Security Test Lab is the ultimate guide when you are on the front lines of defense, providing the most up-to-date methods of thwarting would-be attackers.

  • Get acquainted with your hardware, gear, and test platform
  • Learn how attackers penetrate existing security systems
  • Detect malicious activity and build effective defenses
  • Investigate and analyze attacks to inform defense strategy

The Network Security Test Lab is your complete, essential guide.

Language: English
Publisher: Wiley
Release date: Aug 10, 2015
ISBN: 9781118987131
Author

Michael Gregg

Michael Gregg is the President of Superior Solutions, Inc. and has more than 20 years' experience in the IT field. He holds two associate’s degrees, a bachelor’s degree, and a master’s degree and is certified as CISSP, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and TICSA. Michael's primary duty is to serve as project lead for security assessments, helping businesses and state agencies secure their IT resources and assets. Michael has authored four books, including Inside Network Security Assessment, CISSP Prep Questions, CISSP Exam Cram2, and Certified Ethical Hacker Exam Prep2. He has developed four high-level security classes, including Global Knowledge's Advanced Security Boot Camp, Intense School's Professional Hacking Lab Guide, ASPE's Network Security Essentials, and Assessing Network Vulnerabilities. He has written over 50 articles featured in magazines and Web sites, including Certification Magazine, GoCertify, The El Paso Times, and SearchSecurity. Michael is also a faculty member of Villanova University and creator of Villanova's college-level security classes, including Essentials of IS Security, Mastering IS Security, and Advanced Security Management. He also serves as a site expert for four TechTarget sites, including SearchNetworking, SearchSecurity, SearchMobileNetworking, and SearchSmallBiz. He is a member of the TechTarget Editorial Board.


    The Network Security Test Lab

    A Step-by-Step Guide

    Michael Gregg


    The Network Security Test Lab: A Step-by-Step Guide

    Published by

    John Wiley & Sons, Inc.

    10475 Crosspoint Boulevard

    Indianapolis, IN 46256

    www.wiley.com

    Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana

    Published simultaneously in Canada

    ISBN: 978-1-118-98705-6

    ISBN: 978-1-118-98715-5 (ebk)

    ISBN: 978-1-118-98713-1 (ebk)

    Manufactured in the United States of America

    10 9 8 7 6 5 4 3 2 1

    No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

    Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

    For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

    Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

    Library of Congress Control Number: 2015946971

    Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

    About the Author

    Mr. Michael Gregg is the CEO of Superior Solutions, Inc., a Houston-based IT security-consulting firm. He has more than 20 years' experience in the IT field and holds two associate's degrees, a bachelor's degree, a master's degree, and many IT certifications such as CISSP, CISA, CISM, MCSE, and CEH. Michael has authored or co-authored more than 20 books, including Inside Network Security Assessment, SAMS 2005; Hack the Stack, Syngress 2006; Security Administrator Street Smarts, Syngress 2011; and How to Build Your Own Network Security Lab, Wiley 2008.

    Michael has testified before the United States Congress on privacy and security breaches. He also testified before the Missouri State Attorney General's committee on cybercrime and the rise of cell phone hacking. He has spoken at major IT/Security conferences such as the NCUA auditors conference in Arlington, Virginia. He is frequently cited by major print publications as a cybersecurity expert and has also appeared as an expert commentator for network broadcast outlets and print publications such as CNN, FOX, CBS, NBC, ABC, The Huffington Post, Kiplinger's, and The New York Times.

    Michael enjoys giving back to the community; some of his civic engagements include Habitat for Humanity and United Way.

    Credits

    Project Editor

    Sydney Argenta

    Technical Editor

    Rob Shimonski

    Production Manager

    Kathleen Wisor

    Copy Editor

    Marylouise Wiack

    Manager of Content Development & Assembly

    Mary Beth Wakefield

    Marketing Director

    David Mayhew

    Marketing Manager

    Carrie Sherrill

    Professional Technology & Strategy Director

    Barry Pruett

    Business Manager

    Amy Knies

    Associate Publisher

    Jim Minatel

    Project Coordinator, Cover

    Brent Savage

    Proofreader

    Nancy Carrasco

    Indexer

    Johnna VanHoose Dinse

    Cover Designer

    Wiley

    Cover Image

    ©iStock.com/alphaspirit

    Acknowledgments

    I would like to acknowledge Christine, Betty, Curly, and all my family. Also, a special thanks to everyone at Wiley. It has been a great pleasure to have worked with you on this book. I am grateful for the help and support from Carol Long, Sydney Argenta, Debbie Dahlin, and Rob Shimonski.

    CONTENTS

    Introduction

    Overview of the Book and Technology

    How This Book Is Organized

    Who Should Read This Book

    Tools You Will Need

    What’s on the Wiley Website

    Summary (From Here, Up Next, and So On)

    Chapter 1: Building a Hardware and Software Test Platform

    Why Build a Lab?

    Hardware Requirements

    Software Requirements

    Summary

    Key Terms

    Exercises

    Chapter 2: Passive Information Gathering

    Starting at the Source

    Mining Job Ads and Analyzing Financial Data

    Using Google to Mine Sensitive Information

    Exploring Domain Ownership

    Summary

    Key Terms

    Exercises

    Chapter 3: Analyzing Network Traffic

    Why Packet Analysis Is Important

    How to Capture Network Traffic

    Wireshark

    Other Network Analysis Tools

    Summary

    Key Terms

    Exercises

    Chapter 4: Detecting Live Systems and Analyzing Results

    TCP/IP Basics

    Detecting Live Systems with ICMP

    Port Scanning

    OS Fingerprinting

    Scanning Countermeasures

    Summary

    Key Terms

    Exercises

    Chapter 5: Enumerating Systems

    Enumeration

    Advanced Enumeration

    Mapping the Attack Surface

    Summary

    Key Terms

    Exercises

    Chapter 6: Automating Encryption and Tunneling Techniques

    Encryption

    Encryption Role in Authentication

    Tunneling Techniques to Obscure Traffic

    Attacking Encryption and Authentication

    Summary

    Key Terms

    Exercises

    Chapter 7: Automated Attack and Penetration Tools

    Why Attack and Penetration Tools Are Important

    Vulnerability Assessment Tools

    Automated Exploit Tools

    Determining Which Tools to Use

    Picking the Right Platform

    Summary

    Key Terms

    Exercises

    Chapter 8: Securing Wireless Systems

    Wi-Fi Basics

    Wi-Fi Security

    Wireless LAN Threats

    Exploiting Wireless Networks

    Securing Wireless Networks

    Summary

    Key Terms

    Exercises

    Chapter 9: An Introduction to Malware

    History of Malware

    Types of Malware

    Common Attack Vectors

    Defenses Against Malware

    Summary

    Key Terms

    Exercises

    Chapter 10: Detecting Intrusions and Analyzing Malware

    An Overview of Intrusion Detection

    IDS Types and Components

    IDS Engines

    An Overview of Snort

    Building Snort Rules

    Advanced Snort: Detecting Buffer Overflows

    Responding to Attacks and Intrusions

    Analyzing Malware

    Summary

    Key Terms

    Exercises

    Chapter 11: Forensic Detection

    Computer Forensics

    Acquisition

    Authentication

    Trace-Evidence Analysis

    Hiding Techniques

    Summary

    Key Terms

    Exercises

    EULA

    List of Tables

    Chapter 1

    Table 1.1

    Table 1.2

    Table 1.3

    Chapter 2

    Table 2.1

    Table 2.2

    Table 2.3

    Table 2.4

    Chapter 3

    Table 3.1

    Table 3.2

    Table 3.3

    Table 3.4

    Table 3.5

    Table 3.6

    Table 3.7

    Table 3.8

    Chapter 4

    Table 4.1

    Table 4.2

    Table 4.3

    Table 4.4

    Table 4.5

    Table 4.6

    Table 4.7

    Chapter 5

    Table 5.1

    Table 5.2

    Table 5.3

    Table 5.4

    Table 5.5

    Chapter 6

    Table 6.1

    Chapter 8

    Table 8.1

    Table 8.2

    Table 8.3

    Chapter 9

    Table 9.1

    Chapter 10

    Table 10.1

    Table 10.2

    Table 10.3

    Table 10.4

    Chapter 11

    Table 11.1

    List of Illustrations

    Chapter 1

    Figure 1.1 Type 1 hypervisors run directly on hardware.

    Figure 1.2 Type 2 hypervisors run on an OS.

    Figure 1.3 Install VMware Workstation.

    Figure 1.4 Choose the typical option to install the VMware Workstation.

    Figure 1.5 A bump key is a special key that has been cut to a number nine position and has a small amount of extra material shaved from the front and the shank of the key.

    Figure 1.6 Bootable security distributions of Linux

    Figure 1.7 Fedora Security Lab

    Figure 1.8 Linux password creation

    Figure 1.9 The Vulnhub website is useful to the security professional.

    Chapter 2

    Figure 2.1 The About Us page for Superior Solutions, Inc.

    Figure 2.2 Leapfrogging to the primary target

    Figure 2.3 The ZabaSearch website

    Figure 2.4 Mapping a location to an address using Google Maps

    Figure 2.5 Finding results on ZoomInfo

    Figure 2.6 An archived web page on the Wayback Machine

    Figure 2.7 The PayPalSucks.com home page

    Figure 2.8 The FOCA interface

    Figure 2.9 Source sifting with BlackWidow

    Figure 2.10 The Edgar database

    Figure 2.11 IANA home page

    Figure 2.12 IANA top-level domains

    Figure 2.13 IANA domain details

    Figure 2.14 ARIN WHOIS results

    Figure 2.15 DNS resolution

    Figure 2.16 DNS root structure

    Figure 2.17 Netcraft site lookup for example.com

    Figure 2.18 Netcraft-identified web server banner

    Figure 2.19 The VisualRoute interface

    Chapter 3

    Figure 3.1 Sniffing packets with a hub

    Figure 3.2 You can use a Throwing Star LAN Tap to intercept traffic

    Figure 3.3 Switch segmentation prevents hackers from seeing traffic on other ports

    Figure 3.4 VLAN segmentation reduces the amount of traffic available for inspection

    Figure 3.5 Port Mirroring allows you to configure one port to receive packets from another

    Figure 3.6 You send an ARP request to find a physical address to match an IP address

    Figure 3.7 ARP cache poisoning facilitates this man-in-the-middle attack

    Figure 3.8 Open the Cain & Abel Sniffer tab

    Figure 3.9 Use the Cain & Abel MAC Address Scanner

    Figure 3.10 Cain & Abel lets you pick a target to sniff

    Figure 3.11 Cain & Abel launching the attack

    Figure 3.12 Observing the results of your ARP cache poisoning

    Figure 3.13 A rogue DHCP server allows an attacker to redirect traffic

    Figure 3.14 Select an interface in Wireshark

    Figure 3.15 Wireshark has a three-pane design

    Figure 3.16 Sample Wireshark packet decode

    Figure 3.17 The Wireshark ICMP filter removes clutter

    Figure 3.18 Using the Wireshark ip.addr filter

    Figure 3.19 An example of a Wireshark ARP cache poisoning capture

    Figure 3.20 Wireshark offers the Display Filter dialog box to help you create filters

    Figure 3.21 Wireshark offers another way to apply filters

    Figure 3.22 Use the autocomplete function in Wireshark when creating filters

    Figure 3.23 The conversation filter in Wireshark lets you see intercommunication between hosts

    Figure 3.24 The Ethernet frame is a simple structure.

    Figure 3.25 Ethernet frame decode.

    Figure 3.26 A Simple network capture

    Figure 3.27 IP header decode

    Figure 3.28 A TCP header decode

    Figure 3.29 Application layer decode

    Figure 3.30 NetworkMiner ARP capture

    Figure 3.31 Using NetworkMiner to display passwords

    Figure 3.32 Capsa makes capturing and parsing network traffic very easy

    Figure 3.33 Which OS

    Figure 3.34 What is the security issue?

    Figure 3.35 Why is only broadcast traffic captured?

    Figure 3.36 Wireshark and tcpdump

    Figure 3.37 One-way data cable

    Chapter 4

    Figure 4.1 TCP/IP protocol stack

    Figure 4.2 Ethernet frames and MAC addresses

    Figure 4.3 IPv4 header

    Figure 4.4 ARP reply

    Figure 4.5 TCP operation

    Figure 4.6 TCP header

    Figure 4.7 TCP flag structure

    Figure 4.8 UDP header structure

    Figure 4.9 FTP cleartext username and password

    Figure 4.10 FTP successful ping

    Figure 4.11 Examination of ping packets

    Figure 4.12 Angry IP Scanner configuration

    Figure 4.13 A completed scan in Angry IP Scanner

    Figure 4.14 Wireshark traceroute TTL

    Figure 4.15 Traceroute path

    Figure 4.16 TCP three-step startup

    Figure 4.17 TCP shutdown.

    Figure 4.18 Wireshark capture of a full connect scan

    Figure 4.19 UDP open and closed connections

    Figure 4.20 Idle scan of an open port.

    Figure 4.21 Idle scan of a closed port

    Figure 4.22 Scan types and potential results

    Figure 4.23 Wireshark port scan statistics

    Figure 4.24 Nmap four-packet scan result

    Figure 4.25 Nmap port scan order

    Figure 4.26 SuperScan

    Figure 4.27 Wireshark

    Figure 4.28 Wireshark packet structure

    Figure 4.29 Wireshark packet structure

    Figure 4.30 Wireshark packet structure decoded

    Figure 4.31 TCP flags.

    Figure 4.32 ICMP packet decode

    Figure 4.33 Port scan flag filter

    Figure 4.34 Open ports

    Chapter 5

    Figure 5.1 An example of a RIP packet capture

    Figure 5.2 Wireshark captures this RIP packet, which provides an attacker with routing information.

    Figure 5.3 Firewalking can help you identify a firewall’s settings.

    Figure 5.4 The DumpSec GUI-based format makes it easy to get results.

    Figure 5.5 SNMP is actually part of a larger framework known as the Internet Standard Network Management Framework.

    Figure 5.6 The structure of SNMP components

    Figure 5.7 SolarWinds IP Network browser lets you examine SNMP data.

    Figure 5.8 Sample SCADA design

    Figure 5.9 SHODAN is a vulnerability search website.

    Figure 5.10 Attackers search for these common SCADA ports.

    Figure 5.11 Is there anything you can enumerate in this Wireshark capture of SCADA traffic?

    Figure 5.12 Various types of software can help with the password-cracking process.

    Figure 5.13 Cain & Abel lets you choose a method to use when cracking passwords.

    Figure 5.14 Ophcrack offers this online password-cracking tool.

    Figure 5.15 Capture passwords with Mimikatz pass-the-hash program.

    Figure 5.16 SecurityFocus lets you do vulnerability research.

    Figure 5.17 Packet Storm aids you in exploit code research.

    Figure 5.18 Installing SNMP services

    Figure 5.19 Enter the IP address and network range into the IP Network Browser.

    Figure 5.20 The IP network browser displays the results.

    Figure 5.21 A Cain & Abel routing capture: Notice that the update is in RIP and RIPv2.

    Figure 5.22 Select the computer you want DumpSec to target.

    Figure 5.23 Select the fields to use in the Dump Users as Table.

    Figure 5.24 DumpSec provides enumeration results.

    Figure 5.25 User agent strings

    Figure 5.26 Test your own browser at the Panopticlick website.

    Chapter 6

    Figure 6.1 Caesar’s cipher is an early encryption technique.

    Figure 6.2 Symmetric encryption uses a shared key for encryption and decryption.

    Figure 6.3 Asymmetric encryption requires two related keys.

    Figure 6.4 Linux salting creates a password.

    Figure 6.5 Challenge-response authentication requires the user to enter a correct answer.

    Figure 6.6 TCP ACK Tunneling

    Figure 6.7 Advanced tunneling techniques allow attackers access to data behind a firewall.

    Figure 6.8 WordPress tells you the username is incorrect.

    Figure 6.9 CrypTool

    Figure 6.10 CrypTool decryption

    Figure 6.11 32-bit CrypTool decryption

    Figure 6.12 Follow TCP Stream.

    Figure 6.13 Base64 username and password

    Figure 6.14 Decoded password

    Chapter 7

    Figure 7.1 The Nessus client/server model makes scan data available.

    Figure 7.2 The Nessus Knowledge Base provides developer information.

    Figure 7.3 Nessus lets you select which target to scan.

    Figure 7.4 The Nessus Plugins tab lets you scan for plug-ins.

    Figure 7.5 The Nessus Knowledge Base provides information about known vulnerabilities.

    Figure 7.6 The Nessus report can be customized.

    Figure 7.7 Armitage offers a GUI.

    Figure 7.8 The Metasploit payload offers update options.

    Figure 7.9 The Browser Exploitation Framework Project log-in screen

    Figure 7.10 Use N-Stalker to scan for vulnerabilities.

    Chapter 8

    Figure 8.1 Computers are connected via wireless NICs in wireless ad hoc mode.

    Figure 8.2 Wireless infrastructure mode with a centralized wireless device

    Figure 8.3 WiGLE.net displays maps of wireless LANs.

    Figure 8.4 NetStumbler can gather information about nearby wireless networks.

    Figure 8.5 NIC cards allow you to attach an antenna for wardriving.

    Figure 8.6 Recent war-walking results show a high number of unsecured networks.

    Figure 8.7 Password eavesdropping is easy on unsecured networks.

    Figure 8.8 Win Sniffer captures passwords and usernames.

    Figure 8.9 Cain & Abel sniffs and cracks passwords.

    Figure 8.10 Access point spoofing involves tricking users into using a rogue AP.

    Figure 8.11 Set the Wireshark capture options.

    Figure 8.12 You can use Wireshark to capture packet information.

    Chapter 9

    Figure 9.1 Much of today’s malware is designed to target specific individuals or firms, and avoid discovery.

    Figure 9.2 A Trojan is combined with a legitimate program by a wrapper.

    Figure 9.3 RDGSoft Tejon Crypter is just one of the available crypters.

    Figure 9.4 VirusTotal is just one online antivirus tool.

    Chapter 10

    Figure 10.1 An IDS defines four possible states.

    Figure 10.2 How Signature-based IDS functions

    Figure 10.3 How statistical anomaly-based IDS functions

    Figure 10.4 An IDS can tell the difference between normal and abnormal activity.

    Figure 10.5 Example of Snort log files

    Figure 10.6 A DomainTools lookup provides a lot of information about domains.

    Figure 10.7 A GeoIPTool lookup can give you geographical information.

    Figure 10.8 Tcpiputils.com allows you to see whether a domain is known to generate malware.

    Figure 10.9 BFK offers a passive DNS database.

    Figure 10.10 You can configure your virtual machines with one computer to act as the controller.

    Figure 10.11 Be sure to isolate your network from outside sources.

    Figure 10.12 Private malware analysis companies do not share their knowledge about malware with antivirus companies.

    Figure 10.13 WinMD5 offers a GUI program for finding malware.

    Figure 10.14 Process Explorer allows you to examine processes running on a computer.

    Figure 10.15 Wireshark finds this Zeus Botnet performing click fraud.

    Figure 10.16 Configuration of browser loopback settings

    Chapter 11

    Figure 11.1 You use the evidence to understand the relationship between the suspect and victim.

    Figure 11.2 A write blocker helps you copy evidence from the suspect’s computer.

    Figure 11.3 File slack and drive space may hold important clues for forensic investigation.

    Figure 11.4 MD5Summer is one of the tools you can use for hashing.

    Figure 11.5 Belkasoft IE History Extractor makes it easier to explore a browser’s history file.

    Figure 11.6 The Outlook email header provides a lot of information, including the source IP address.

    Figure 11.7 Use SFind to detect hidden streamed files.

    Figure 11.8 S-Tools is just one of the steganographic tools available.

    Figure 11.9 S-Tools displays an image comparison.

    Figure 11.10 Explore Internet email headers.

    Figure 11.11 S-Tools enables you to hide a file inside another file.

    Figure 11.12 Hide this text in the file.

    Figure 11.13 Fill in the encryption options and enter a passphrase.

    Figure 11.14 One image contains your hidden message. Look closely and see whether you can tell the difference.

    Introduction

    Welcome to The Network Security Test Lab. With this book, you can increase your hands-on IT security skills. The techniques and tools discussed in this book can benefit IT security designers and implementers. IT security designers will benefit as they learn more about specific tools and their capabilities. Implementers will gain firsthand experience from installing and practicing using software tools needed to secure information assets.

    Overview of the Book and Technology

    This book is designed for individuals who need to better understand the functionality of security tools. Its objective is to help guide those individuals in learning when and how specific tools should be deployed and what any of the tools’ specific limitations are. This book is for you if any of the following are true:

    You want to learn more about specific security tools.

    You lack hands-on experience in using security tools.

    You want to get the skills needed to advance at work or move into a new position.

    You love to tinker or expand your skills with computer software and hardware.

    You are studying for a certification and want to gain additional skills.

    How This Book Is Organized

    The contents of this book are structured as follows:

    Chapter 1, Building a Hardware and Software Test Platform—Guides you through the process of building a hardware test platform.

    Chapter 2, Passive Information Gathering—Reviews the many ways that information can be passively gathered. This process starts at the organization’s website, and then moves to WHOIS records. This starting point allows you to build a complete profile of the organization.

    Chapter 3, Analyzing Network Traffic—Reviews methods and techniques for packet analysis. You will learn firsthand how common packet analysis tools such as Wireshark, Capsa, and Netwitness are used.

    Chapter 4, Detecting Live Systems and Analyzing Results—Once IP ranges have been discovered and potential systems have been identified, you will move quickly to using a host of tools to determine the status of live systems. Learn how Internet Control Message Protocol (ICMP) and other protocols work, while using both Linux and Windows lab systems.

    Chapter 5, Enumerating Systems—Explores how small weaknesses can be used to exploit a system and gain a foothold or operational control of a system. You will learn firsthand how to apply effective countermeasures by changing default banners, hardening systems, and disabling unwanted services.

    Chapter 6, Automating Encryption and Tunneling Techniques—Provides insight into how cryptographic systems are used to secure information and items such as passwords. You learn firsthand how these systems are attacked and which tools are used.

    Chapter 7, Automated Attack and Penetration Tools—Presents you with an overview of how attack and penetration tools work. These are the same tools that may be used against real networks, so it is important to understand how they work and their capabilities.

    Chapter 8, Securing Wireless Systems—Offers an overview of the challenges you’ll face protecting wireless networks. Although wireless systems are easy to deploy, they can present a real security challenge.

    Chapter 9, An Introduction to Malware—Takes you through a review of malware and demonstrates how to remove and control virulent code. You learn how to run rootkit detectors and spyware tools, and use integrity-verification programs.

    Chapter 10, Detecting Intrusions and Analyzing Malware—Introduces intrusion detection systems (IDSs) and discusses the ways in which malware can be analyzed. This chapter gives you the skills needed to set up and configure Snort and use tools such as IdaPro.

    Chapter 11, Forensic Detection—Reviews the skills needed to deal with the aftermath of a security breach. Forensics requires the ability to acquire, authenticate, and analyze data. You learn about basic forensic procedures and tools to analyze intrusions after security breaches.

    Who Should Read This Book

    This book is designed for the individual with intermediate skills. While this book is focused on those who seek to set up and build a working security test lab, this does not mean that others cannot benefit from it. If you already have the hardware and software needed to review specific tools and techniques, Chapter 2 is a good starting point. For other, even more advanced individuals, specific chapters can be used to gain additional skills and knowledge. As an example, if you are looking to learn more about password hashing and password cracking, proceed to Chapter 6. If you are specifically interested in wireless systems, Chapter 8 is for you. So, whereas some readers may want to read the book from start to finish, there is nothing to prevent you from moving around as needed.

    Tools You Will Need

    Your desire to learn is the most important thing you have as you start to read this book. I try to use open source free software as much as possible. After all, the goal of this book is to try to make this as affordable as possible for those wanting to increase their skills. Because the developers of many free tools do not have the development funds that those who make commercial tools do, these tools can be somewhat erratic. The upside is that, if you are comfortable with coding or developing scripts, many of the tools can be customized. This gives them a wider range of usability than many commercial tools.

    Tools are only half the picture. You will also need operating systems to launch tools and others to act as targets. A mixture of Linux and Windows systems will be needed for this task. We will delve into many of these issues in the first chapter. You may also want to explore sites like http://www.linuxlinks.com/distributions. There is more on this in the next section.

    What’s on the Wiley Website

    To make it as easy as possible for you to get started, some of the basic tools you will need are available on the Wiley website that has been set up for this book at www.wiley.com/go/networksecuritytestlab.

    Summary (From Here, Up Next, and So On)

    The Network Security Test Lab is designed to take readers to the next stage of personal knowledge and skill development. Rather than presenting just the concept or discussing the tools that fit in a specific category, The Network Security Test Lab takes these topics and provides real-world implementation details. Learning how to apply higher-level security skills is an essential skill needed to pursue an advanced security career, and to make progress toward obtaining more complex security certifications, including CISSP, CASP, GSEC, CEH, CHFI, and the like. I hope that you enjoy this book, and please let me know how it helps you advance in the field of cyber security.

    CHAPTER 1

    Building a Hardware and Software Test Platform

    This book is designed for those who need to better understand the importance of IT security. This chapter walks you through what you need to set up a hardware/software test platform. As a child, you may have loved to take things apart, TVs, radios, computers, and so on, in a quest to better understand how they worked. Your tools probably included soldering irons, screwdrivers—maybe even a hammer! That is similar to what you will be doing throughout this book. While you won’t be using a hammer, you will be looking at protocols and applications to understand how they work. You will also examine some common tools that will make your analysis easier. The objective is to help you become a better network analyst, and improve and sharpen your IT security skills.

    Because no two networks are the same, and because they change over time, it is impossible to come up with a one-size-fits-all list of hardware and software that will do the job for you. Networks serve the enterprises that own them, and enterprises must change over time. In addition, the scale of operation impacts security considerations. If you pursue a career as a security consultant, your goals (and inevitably your needs) will differ, depending on whether you work for a large multinational corporation (and even here, your goals and needs will depend on the type of industry) or a small office/home office (SOHO) operation or a small business. Clearly, a whole spectrum of possibilities exists here.

    This chapter provides the first step in building your own network security lab. You will start to examine the types of hardware and gear that you can use to build such a test environment, and then look at the operating systems and software you should consider loading on your new equipment.

    Why Build a Lab?

    A laboratory is as vital to a computer-security specialist as it is to a chemist or biologist. It is the studio in which you can control the large number of variables that bear upon the outcome of your experiments. Network security, especially, is a field in which the researcher must understand how a diverse range of technologies behave at many levels. For a moment, just consider the importance of the production network to most organizations. They must rely on it functioning at all times, which means that many tests and evaluations must instead be carried out in a lab, on a network that has been specifically designed for such experiments.

    NOTE  A laboratory is a controlled environment in which unexpected events are nonexistent or at least minimized. Having a lab provides a consequence-free setting in which damage that might result from experimentation is localized (and can, it is hoped, be easily corrected).

    Consider something as basic as patch management. Very few organizations move directly from downloading a patch to installing it in the production environment. The first step is to test the patch. The most agreed-upon way to accomplish this is to install it on a test network or system. This allows problems to be researched and compatibility ensured. You might also want to consider a typical penetration test. It may be that the penetration-testing team has developed a new exploit or written a specific piece of code for this unique assignment. Will the team begin by deploying this code on the client’s network? Hopefully not. The typical approach would be to deploy the code on a test network to verify that it will function as designed. The last thing the penetration test team needs is to be responsible for a major outage on the client’s network. These types of events are not good for future business.

    Building a lab requires you to become familiar with the basics of wiring, signal distribution, switching, and routing. You also need to understand how you might tap into a data stream to analyze or, potentially, attack the network. The mix of common network protocols must be understood; only by knowing what is normal on the network can you recognize and isolate strange behavior. Consider some of the other items that might motivate you to construct such a lab:

    Certification

    Job advancement

    Knowledge

    Experimentation

    Evaluation of new tools

    To varying degrees, networking- and security-related certifications require knowledge of the hardware and software of modern networks. There is no better vehicle for learning about networking and security issues firsthand than to design and build your own network lab. This provides a place where you can add and remove devices at will and reconfigure hardware and software to your liking. You can observe the interaction between the systems and networking devices in detail.

    Advancing in your field is almost never an accident. The IT industry is an area of constant change, and the best way to build a career path in the world of IT is to build your skill set. By mastering these technologies, you will be able to identify the knowledgeable people on the job or at a customer’s site, and align yourself with them. You might even uncover some gifts that you did not previously realize you possessed, such as a love for hexadecimal—well, maybe.

    Building a lab demonstrates your desire and ability to study and control networks. One key item that potential employers always consider is whether a candidate has the drive to get the job done. Building your own security lab can help demonstrate to employers that you are looking for more than just a job: You want a career. As you use the network resources in your lab, you will invariably add to your knowledge and understanding of the technologies that you employ. Learning is a natural consequence.

    Experimentation is a practical necessity if you are to fully understand many of the tools and methods employed by security professionals and hackers alike. Just consider the fact that there are many manuals that explain how Windows Server 2012 works, or how a Check Point firewall works, but no manual can account for every single situation and what is ‘unique’ to any environment you encounter. Some combinations and interactions are simply unknown. By building your own lab, you will discover that when deployed in complex modern networks, many things do not work the way the documentation says they will. And many times, it does not suffice to simply understand what happens; you need to appreciate the timing and sequence of events. This requires the control that a laboratory environment provides.

    Because IT is an industry of continual change, new software, new security tools, new hacking techniques, and new networking gizmos constantly appear. A network security lab provides you with a forum in which to try these things out. You certainly don’t want to risk corrupting a computer that you depend on every day to do your job. And you don’t want to negatively impact the work of others; doing so is a good way to quickly put the brakes on your budding career.

    A laboratory thus provides a place where you can try new things. This is a setting in which you can gain a detailed understanding of how things are put together and how they normally interact. It is an environment in which you can likely predict the outcome of your experiments, and if an outcome is unexpected, you can then isolate the cause.

    BUILDING YOUR OWN SECURITY LAB

    A common question among students and those preparing for certification is, How do I really prepare for the job or promotion I am seeking? The answer is always the same: know the material, but also get all the hands-on experience you can. Many times these people don’t have enough money in their IT budget, or they are struggling students. That is totally understandable. Yet the fact remains that there is no way to pick up many of the needed skills by reading alone. And many tests cannot be conducted on a live Internet-connected network.

    With a little work and effort, you can find the equipment required to practice necessary skills at a reasonable price—network professionals have been doing this for years. There are even sites such as certificationkits.com that are set up exclusively to provide students with a full set of networking gear needed to complete a Cisco Certified Network Associate (CCNA) or a Cisco Certified Network Professional (CCNP) certification.

    Hardware Requirements

    Before you can get started with any testing, you need to assemble some hardware. Your goal, as always, will be to do this as inexpensively as possible. Many things might be included in a network security laboratory. Some of these items are mandatory (for example, cables), and some things can be added according to your needs and as they become available or affordable. Although it is possible to contain everything within one computer, your requirements will vary from time to time based on the scenario that you are modeling.

    Here are some of the things that will likely end up in your mix:

    Computers

    Networking tools

    Cables

    Network-attached storage (NAS)

    Hubs

    Switches

    Routers

    Removable disk storage

    Internet connection

    Cisco equipment

    Firewalls

    Wireless access points

    Keyboard, video, mouse (KVM) switches

    Surge suppressors and power strips

    In your network lab, you will need a wide variety of cables, as this will allow you to configure your test network in many different ways. Specific configurations will be needed for different scenarios. You will also want to have some tools that come in handy for building and testing cables, so items such as wire strippers, crimp tools, and punch-down tools might find their way into your toolbox. Crossover and loopback adapters can prove handy, too.

    Hubs, switches, and routers are the building blocks of network infrastructure. It is crucial to understand how the roles of these things differ. Not all switches have identical capabilities. Likewise, routers can vary considerably, so it is good to have a couple to choose from. Cisco products are so prevalent that it is a good idea to include some of their equipment in the mix; they will be found at almost every worksite.

    An Internet connection is a necessity. You will need to research various topics and download software as you use the network in your lab. Or you might find yourself modeling the behavior of an Internet-based attacker. On the slim chance that you are borrowing WiFi from your neighbor’s open access point, now is the time to make the upgrade to your own dedicated connection.

    Having a firewall can prove very valuable, too. As a security professional, you are expected to have an appreciation for these devices and their capabilities. Your firewall could prove to be an important component in some of your experiments. On a daily basis, you can use your firewall to protect your primary (home or office) network from the unpleasant things that can occur on the network in your lab.

    Don’t forget the logistical details of constructing a network. You will need table space, shelving, power strips, and surge suppressors. If you have an old uninterruptible power supply (UPS) available, you might employ it, too. With several computers in close proximity, you will probably not want to have to deal with a bunch of monitors, keyboards, and mice; a KVM switching arrangement can save a lot of space and aggravation. Now you can turn your attention to the physical computing hardware that you will need.

    NOTE  Commercial-quality equipment is much more capable than the products targeted for the consumer or SOHO market. You will be better off with a real Cisco router, even if it is used and scratched up, than with a little Netgear home router.

    Physical Hardware

    When it comes to computer systems, there are three key items to consider: processor, memory, and disk space. Having a fast processor, a lot of memory, and a bunch of disk space is a big positive when selecting or building a computer. Fast and big are relative terms whose meaning changes over time. But generally, a good place to start with a Windows PC would be an Intel Core i5 system with 32GB of RAM. Think of these as your minimum requirements. Generally, you can get away with a little less memory with Linux systems.

    In terms of disk storage, an internal 1TB SATA hard drive would be considered a minimum requirement. While a solid-state drive (SSD) is not mandatory, it will reduce boot-up times and system response times. Removable disk storage, such as USB and NAS, can allow you to safely image your systems so that they can be restored with relative ease if they become corrupt during an experiment. NAS can be handy for holding copies of configuration files, downloaded software, and whatever else you may need while working on the network. It is great to have a central storage location that you can access from various computer systems.

    So how do you start building your lab? First, consider many of the sources that exist for the equipment you need. Some of these sources include the following:

    Equipment you already have

    New equipment purchases

    Used equipment purchases

    Each of these options is discussed in the following sections along with an overview of their advantages and disadvantages.

    Equipment You Already Have

    Either at home or at work, you are already likely to have some of the items that will prove useful in building your own security lab. These could range from something as trivial as a handful of Ethernet cables in your desk drawer to shelves full of spare or retired PCs, switches, and routers.

    If you are doing this on the job, there are a couple of possible scenarios. Is the spare equipment under your control? If not, you will have to work things out with the appropriate supervisors and make sure that they approve your use of the equipment. Next, you want to take stock of what is available and make a list of the things that look like they could prove useful. Don’t worry about the details at this point. Focus on the important items that were mentioned earlier in this chapter.

    Finally, prioritize your list and pick out the things that you think will be most useful. Keep the list, as you will probably refer to it later. Remember to start with a small collection of obviously needed items, such as several PCs, laptops, a router, a hub or switch, an Internet connection, and a handful of cables. It will be easy to add things later, so try not to get carried away and include two of everything in your initial efforts.

    New Equipment Purchases

    Naturally, you have the option of buying new equipment. Sometimes this might be the easiest way to go, if you want to get the job done quickly. The only problem is that buying retail is probably the most expensive option. If you don’t have much in the way of retired or spare equipment available, you might have to take this route. If you see your lab as a more or less permanent addition to the workplace, something that you plan to use on an ongoing basis for the foreseeable future, then maybe this is justified.

    If you take this path, consider writing a proposal for the needed equipment. Determine the advantages that such a lab will bring to the department and to the company. Make sure to discuss these advantages in your proposal. Highlight the monetary savings that such an investment can return. On the positive side, this approach provides state-of-the-art equipment for the lab. You will also have all the manuals and software readily available. And you won’t have to hunt around for missing parts. If you cannot get all the funds approved, you may decide that a few key components are best purchased new. Then the other odds and ends can be filled in on the cheap.

    Of all the items that are recommended for inclusion in the lab, which one is best bought new? Many people would agree that PCs will most impact the usefulness of the lab. Older PCs tend to be somewhat slower and lacking in important resources, notably memory and storage capabilities. The prices of PCs have fallen considerably over the past few years. As an example, you can buy a decently equipped Dell open source desktop machine for around $500. If you are going to put Linux on it anyway, you don’t care that the machine does not come with an operating system. And if you intend to share one keyboard, display, and mouse with a KVM switch, again, who cares that the price does not include a display?

    NOTE  Watch the prices of memory and hard drives. Be careful with regard to memory prices if you decide to buy new computers. It is often cheaper to buy your own memory and install it in the machine yourself. And when it comes to hard drives, look for the breakpoint in the pricing where there seems to be an extraordinary price jump relative to the increase in drive size. That is the sweet spot in the market.

    Used Equipment Purchases

    If you are building your own security lab for home use, this may be the most viable option for obtaining some of the needed equipment. Although this route does require more work, you can save a substantial amount of money. It also spurs creativity, and that is a valuable skill in the networking and IT security field. Employ a bit of
