Problem Set - I (Due at the beginning of class on 2/16/11)
2/2/11
CS 4740/6740 Network Security

This problem set will be graded out of 240 points. It will count for 8% of your final grade.

In this first assignment, you will be forming your teams and preparing your machines for the rest of the upcoming assignments. You will be required to understand and acknowledge the lab rules, and you will get your first taste of the Network Security Lab layout.

Forming a team

Students should form teams of 3 people or fewer and choose a team name. You are responsible for choosing your teammates, so consider your choice carefully. Successful teams are made up of individuals who:
o Complement each other well in the areas of Unix Systems Administration, Windows Systems Administration, and Cryptography.
o Get along well with one another under stressful situations and can stay organized in a task-oriented environment.

Once you have chosen your teammates, send an email to the TA (with a CC to Professor Ravi Sundaram) with the subject "<course number> - Team: <team name>" and the body containing the following information:
o Team name
o Team member names and email addresses (one line per member)

Your team will then be contacted with information/credentials to remotely access your lab machines, at which point you may begin the setup and scanning sections. Each team will be given two machines, which run Ubuntu 10.x and Microsoft Windows Server 2003 respectively and are part of the NetSec Lab network. DO NOT install service packs, patches, firewalls, or any other software/service that is not explicitly noted in the assignments.

Submitting the assignment

Please submit your assignment in electronic format via email to the TA (Triet Vo-huu) with a CC to the instructor (Ravi Sundaram). The assignment is due before 6 PM on 2/16/2011.

Internet

1) Internet – Architecture, Layers [20]
a) Explain what layering is, giving one advantage and one disadvantage of layering. [4]
b) Describe briefly and give one example of each of the following layers: physical, data link, network and transport. [4]
c) State and explain the significance of the end-to-end principle. [2]
d) What keeps packets from being passed along, router to router, indefinitely? [2]
e) Which is better for transferring a large file – UDP or TCP, and why? [2]
f) What is an ICMP echo-request packet used for? [2]
g) Explain how traceroute works. [4]

2) IP/BGP/DNS [20]
a) Go to http://whois.arin.net/. Query for “Northeastern University” (quotes not included). List the IP blocks that are registered to Northeastern. [4]
b) Go to http://whois.arin.net/. Query for “a Northeastern University” (quotes not included). List the AS number(s) registered to Northeastern. List the email id(s) of the tech contact for Northeastern’s Autonomous System(s). [4]
c) Go to http://us.mirror.menandmice.com/knowledgehub/tools/dig. Leave the Name Server and Query Type fields as is; query www.ccs.neu.edu in the Domain Name field. What is the IP address of www.ccs.neu.edu? [2]
d) Go to http://tracert.com. Run a traceroute from SDSC (San Diego Super Computer Center) to www.ccs.neu.edu. List the IP(s) encountered in order. What is the average round trip time? How does it compare to the speed of light? [4]
e) Go to any online ping server (e.g. http://tracert.com). Run a ping to www.ccs.neu.edu and to www.rsa.com. Do you see a difference? Why is this? [2]
f) Go to http://stat.qwest.net/looking_glass.html. Pick any location; query for type “bgp” the IP address from part c). What is the AS number that CCIS’ website lives in, and which organization does this AS belong to? What is the AS number immediately upstream of the AS that CCIS’ website lives in? Use http://whois.arin.net/ to determine the OrgName of the organization that provides connectivity to CCIS’ website. [4]

Setup

3) Creating Accounts [25]
Each team is provided with a team account for each machine.
In order for team members to work more conveniently on the assignments, each member will have to create his/her own account on the team machines. To create an account on your Linux system, use the useradd command. However, you must have permission to execute the command; refer to the man page of the sudo command for information. When creating your account, review the command options in the useradd man page to make sure the following requirements are satisfied:
o Shell is /bin/bash.
o A home directory is created and attached to the new account.
o Add the account to the admin group.

By default, a newly created account is disabled. To enable it, log in as the team user given to you by the TA, and use the passwd command to set a new password. Log into your Windows machine via Remote Desktop using the Administrator account provided and create your own account, which should be added to the Administrators group. Passwords are not necessarily the same on both machines. Remember not to use weak passwords.

a) Create all required accounts for each team member. [10]
b) Explain the purpose of the sudo command. [5]
c) What are the differences between sudo and su? [5]
d) What is the /etc/sudoers file used for? [5]

4) Reviewing Network Settings [20]
In order to perform any kind of attack, you will need to understand the network layout. To review your network settings, follow these steps, saving all the information for your report:
a) On your Linux machine, determine the network interfaces on the machine and their configuration using the ifconfig command. Determine the routing table using the route command. [6]
b) On your Windows server, determine the network interfaces and their configuration using the ipconfig command or by checking the properties of the Local Area Connection. [6]
c) What does the overall topology of the NetSec Lab network look like (give a detailed diagram)? [8]

Scanning

The topic of this section is network reconnaissance and scanning. This is the first step an attacker might use to survey your network and locate potential weaknesses. Therefore, it is imperative that users (especially those who might at one point run their own server) understand these techniques and themselves use scanning tools to discover their own system weaknesses as the first step in improving their defenses.

5) Port Scanning using NMAP [35]
NMAP is a popular tool for various types of scanning against hosts on a network. Install NMAP and read its man page.
a. Run a discovery scan using -sP against the IP range 10.0.0.64/26. You should have identified two systems in that IP range. Record the output for your report. [5]
b. NMAP has an option to determine the operating systems and services running on the identified systems. Find it and record the output for your report. [5]
c. NMAP has a feature which automates banner-grabbing. Read the man page on the -sV option. Then, run a scan against the two discovered systems using the -sS and -sV options. Record the results of this scan. [5]
d. Scan those systems with options -sT and -sS respectively. Record the output. What is the difference between those options? Which one runs faster and why? In general, why would an attacker use a TCP SYN scan instead of a full TCP connect scan? [15]
e. Review the -p option in the man page. Use this option to scan every UDP port of the two systems in question. Do you notice a difference between the scan rate of the two systems? Record the output of this command. Describe how you could use the icmp_ratelimit kernel parameter in Linux to slow down a UDP scan. [5]

6) Stealth Scanning [30]
A sneaky method was developed in 1998 to perform spoofed scans through the information leak of IP ID numbers. IP IDs are a field in the IP header of packets which allows a recipient to piece together packets that get fragmented in transit. In order to function properly, these IDs need to be mostly unique, and many IP implementations simply increment a global counter for each packet sent out. However, such an implementation leaks information about how many packets are being sent from a host. Using this leak, one can obtain the results of a spoofed TCP scan. Fyodor describes idle scanning in detail, along with an early post announcing the technique. We will first try this technique manually, then learn how to use nmap's automated idle scan feature.

You will use three machines for this experiment. The Windows machine you identified in the previous scan will be called the "zombie" or "zero traffic host". The Linux machine you identified in the previous scan will be known as the victim. Your team's Linux machine will be the attacker.

Before you begin the stealth scan, you will be checking to make sure that the zombie is not receiving traffic at the time of your test. If it is, you will have to wait for a later time. Open three separate shell sessions to your Linux machine.

In the first session, set up your Linux machine to listen for ICMP echo reply packets. These packets will be used to check the IP ID on the zombie host. A suggested command line for this is (the filter is quoted so the shell does not treat the brackets as a glob):

    tcpdump -v -i eth0 'icmp[icmptype] == icmp-echoreply'

In the second session, send a few packets to the zombie machine to determine if it is idle. A suggested command is:

    ping -c 10 ZOMBIE_IP_ADDRESS

Back in the first session, you should see ten lines of output from tcpdump corresponding to the ten echo reply packets. The lines should look something like:

    11:37:52.054397 IP (tos 0x0, ttl 128, id 6197, offset 0, flags [DF], proto 1, length: 84) 10.0.0.X > 10.0.0.T: icmp 64: echo reply seq 376

Notice the id field in the IP header section. This field is the IP ID, and it should be incrementing by one for every line. If it is not, the zombie is not idle. Try this lab at another time.
Now, in the third session window, scan the victim on a single port, spoofing the source address to point to the zombie server. You can do this with nmap using a command line like:

    nmap -P0 -sS -p PORT -e eth0 -S ZOMBIE_IP_ADDR VICTIM_IP_ADDR

You should first select PORT as a port you know is open on the VICTIM. This scan will send a single SYN packet to an open TCP port on the victim system, made to look like it came from the zombie machine. Send a few more ICMP echo requests to the zombie host with the command:

    ping -c 3 ZOMBIE_IP_ADDRESS

Return to the first session window, in which tcpdump is running. Pay close attention to the IP ID field. You should see a hole in the sequence between the packets from the first ping command and the last one. You can repeat the experiment several times. If you did everything right, you should notice the sequence skips one number for each time you run the scan. This is because the zombie system will respond with a RST packet to the SYN/ACK received from the victim system, which causes the system-wide ID to increment by one.

a) Record a snippet of the tcpdump output when the scan was run. Annotate the output to point out holes in the IP ID sequence associated with your spoofed scan. [18]

NOTE: nmap will report correct results of the scan, even though you didn't give your system's address as the source. Because of the current network configuration, nmap sees the responses even though they aren't technically destined for your Linux router. If you were using an idle host on the same interface as the victim, nmap would likely show all ports as filtered, even though the IP IDs would indicate otherwise.

Run the experiment again, this time against a port which you know is closed. Watch the IP ID sequence and see if there are any holes. Repeat this several times to be sure; there shouldn't be a hole. This is because the victim will return a RST packet to the zombie host, and the zombie host will not respond to a RST packet.
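To check a captured tcpdump -v session programmatically instead of by eye, here is an added helper (not part of the assignment and not nmap's code) that pulls the IP ID out of every echo reply from one host, reports where the counter stepped by more than one, and classifies the host's ID behaviour; the zombie address, the sample lines and the busy_limit cut-off are constructed assumptions. Run the same check against your own servers: a host that comes back "idle" or "incrementing-but-busy" uses a single global IP ID counter and could be used as someone's zombie, while a host whose IDs are "unpredictable" (the behaviour of current Linux kernels) cannot.

```python
import re

# Matches the "id N" field and the source/destination addresses of a tcpdump -v ICMP line,
# e.g. "... ttl 128, id 6197, offset 0, ...) 10.0.0.70 > 10.0.0.65: icmp 64: echo reply seq 376"
LINE_RE = re.compile(r"\bid (\d+),.*?\)\s*(\S+) > (\S+): icmp")

def parse_ip_ids(lines, zombie_ip):
    """IP IDs, in capture order, of the echo replies sent by zombie_ip (other hosts are ignored)."""
    ids = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(2) == zombie_ip:
            ids.append(int(m.group(1)))
    return ids

def id_gaps(ids):
    """Step between consecutive IDs, modulo the 16-bit field so a 65535 -> 0 wrap counts as 1."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def holes(ids):
    """Where the counter skipped: (id_before, id_after, packets_sent_in_between)."""
    return [(a, b, g - 1) for a, b, g in zip(ids, ids[1:], id_gaps(ids)) if g != 1]

def classify(ids, busy_limit=50):
    """Summarise the candidate's IP ID behaviour; busy_limit is an assumed cut-off, not nmap's."""
    if len(ids) < 2:
        return "insufficient-data"
    gaps = id_gaps(ids)
    if all(g == 1 for g in gaps):
        return "idle"                    # global counter, nothing else sent: fully predictable
    if all(0 < g <= busy_limit for g in gaps):
        return "incrementing-but-busy"   # still a global counter, but other traffic in between
    return "unpredictable"               # random or per-destination IDs: no usable counter

def _line(src, ident, seq):
    # Constructed tcpdump -v line in the format shown in the assignment (not captured traffic).
    return (f"11:37:52.{seq:06d} IP (tos 0x0, ttl 128, id {ident}, offset 0, flags [DF], "
            f"proto 1, length: 84) {src} > 10.0.0.65: icmp 64: echo reply seq {seq}")

ZOMBIE = "10.0.0.70"  # assumed address of the Windows zombie candidate
SAMPLE = [_line(ZOMBIE, 6197 + i, 376 + i) for i in range(10)]   # ping -c 10 before the probe
SAMPLE.append(_line("10.0.0.66", 4401, 9))                        # unrelated reply, must be ignored
SAMPLE += [_line(ZOMBIE, 6208 + i, 386 + i) for i in range(3)]    # ping -c 3 after the spoofed SYN

if __name__ == "__main__":
    ids = parse_ip_ids(SAMPLE, ZOMBIE)
    print("IP IDs:", ids)
    print("verdict:", classify(ids))
    for before, after, missed in holes(ids):
        print(f"hole after id {before}: next id {after}, {missed} packet(s) sent in between")
```

Feed it real output with `tcpdump -v -n ... | python3 script.py` style plumbing by replacing SAMPLE with `sys.stdin`; the -n flag keeps addresses numeric so the regex matches.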
b) Fortunately, this labor-intensive scan technique has been automated in nmap. Read the man page's explanation of the -sI scan type. Run an idle scan against the same victim host, once again using the zombie host. Scan at least 5 TCP ports, some known to be open and some known to be closed. Record the output of this scan. [12]

7) Automated Network Discovery Tools [20]
a. Download from the Internet and use an automated network discovery tool like NeoTrace or VisualRoute (try at least one) to form a network map of the target network (choose any target outside of the NetSec Lab network). What information would this give you? [10]
b. Explain how this is useful both for network administrators and for potential attackers. [10]

8) Basic UNIX Service Enumeration [25]
a. Learn about the netcat tool and what you can do with it. Provide a brief explanation of its capabilities, both from an offensive and a defensive point of view. [5]
b. If you found any Web server or Telnet server on your target network, use netcat to grab the available banners. What good does this do, and what does it tell a potential intruder about the target host? How might they use this information? [10]
c. Check UNIX users/groups on remote targets (or your own if no users are logged in on the target subnet) via finger and report your findings. How could this information be used by an attacker? How can we prevent this sort of information leakage? What if we really needed to run finger for some bizarre reason? [10]

9) Windows NetBIOS/SMB Enumeration [20]
a. Use net view (Windows command line) or smbclient (Linux) to enumerate NetBIOS services (Windows port 139; try hosts on your own local network, in particular try host knoxville, and assume the investigating user has an unprivileged local account), including Samba shares. Record your output. [10]
b. To further simplify the process, try using nbtscan (pre-installed) and scan the entire 10.0.0.0/24 network for shares using Legion (download from http://strawman/scan/). What did you find? Include your output. [10]

10) All-in-one Vulnerability Scanners [25]
a. These are really powerful, and really easy to use. You will be using Nessus to scan your own local subnet. Download the software (either Windows or Linux), read the installation and user guide, register for the HomeFeed subscription and try using it. Provide a listing of what you have found in the local subnet. Describe how a tool such as Nessus can be an incredibly powerful asset to any system administrator, and also how it can be dangerous in the wrong hands. [15]
b. Take a quick look at the Nessus architecture and describe how it works. How do they keep their inventory of service vulnerabilities up to date? How does the plugin architecture work, and how can an administrator or developer use this to write custom tools for their own deployments? [10]