Ethical Hacking Lab Manual
ISBN 9788119221523

Chapter 2: Use software tools/commands to perform network scanning and sniffing and generate an analysis report

Aim: Use software tools/commands to perform network scanning and sniffing and generate an analysis report

Solution:

A) Port Scanning: We will use the Nmap tool for port scanning.

Nmap Tool

Nmap (Network Mapper) is a free, open-source command-line tool for network discovery and security auditing. It is an information-gathering tool used during reconnaissance: it sends crafted packets to the hosts and services on a network and analyses the responses to work out which hosts are up, which ports are open and what is listening on them. Only scan hosts you own or have written permission to test.

Port states reported by Nmap

    1) Open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on the port.

    2) Closed: The port is reachable (it answers Nmap's probes, for example with a TCP RST) but no application is listening on it.

    3) Filtered: A firewall, filter or other network obstacle is dropping the probes, so Nmap cannot tell whether the port is open; it gets no answer at all or an ICMP unreachable error.

    4) Unfiltered: The port is reachable but Nmap cannot determine whether it is open or closed. Only the ACK scan (-sA) reports this state; scan the port again with -sS or -sV to resolve it.

    5) Open|Filtered: Nmap cannot determine whether the port is open or filtered, typically because open ports give no response with that scan type (UDP, FIN, NULL and Xmas scans).

    6) Closed|Filtered: Nmap cannot determine whether the port is closed or filtered. Only the idle scan (-sI) reports this state.

Run the following commands against 127.0.0.1 or any other host you are authorised to scan.

    a) Scan the open ports

    Syntax: nmap --open [IP-address/hostname]

    Example: nmap --open 127.0.0.1

    Example: nmap --open scanme.nmap.org

    --open hides closed and filtered ports and shows only ports that are open (or possibly open). scanme.nmap.org is the host the Nmap project provides for scanning practice.

    b) Scan single port

    Syntax: nmap -p port_number [IP address]

    Example: nmap -p 80 127.0.0.1


    c) Scan specified range of port

    Syntax: nmap -p [range in the format 1-100] [IP address/url]

    Example: nmap -p 1-500 127.0.0.1

Example: nmap -p 1-500 scanme.nmap.org

    d) Scan entire port range

    Syntax: nmap -p 1-65535 [IP address]

    Example: nmap -p 1-65535 127.0.0.1

Example (short form; -p- means all 65535 ports): nmap -p- 127.0.0.1

    e) Scan the 100 most common ports (fast scan)

    Syntax: nmap -F [IP address]

    Example: nmap -F scanme.nmap.org

    f) Scan ports by service name

    Syntax: nmap -p [service_name1,service_name2,...] [IP address]

    Example: nmap -p http 127.0.0.1

    Example: nmap -p http,https,ssh 127.0.0.1

    Nmap translates each name into its port number(s) using its nmap-services file (http becomes port 80), so this only chooses which ports to probe. To identify what is really listening on a port, add version detection with -sV.

B) Network Scanning

Nmap is also used to scan whole networks. Network scanning covers finding the live hosts on a network (ping sweeps), listing the targets with their DNS names, and detecting the operating system and version of a host.

    a) Ping Scan (ping sweep): Host discovery only. Nmap reports which of the target addresses are up and how many of the scanned addresses responded, without port-scanning them. -sP is the old name of this option; current versions call it -sn.

    Syntax: nmap -sP [IP address or range, e.g. 192.168.1.0/24]

    Example: nmap -sP 127.0.0.1

    b) Host Scan: When the targets are on the same local Ethernet segment, Nmap discovers hosts by sending ARP requests, and each live host answers with an ARP reply containing its MAC address; this is faster and more reliable than ICMP because hosts cannot block ARP without losing network access. For hosts on other networks (such as the public addresses in the examples) ARP cannot be used, so Nmap falls back to its default discovery probes: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.

    Syntax: nmap -sP [host address]

    Example: nmap -sP 45.33.49.119

    Example: nmap -sP 75.52.251.71

    c) List Scan (DNS lookup): If something in the host list looks unusual, run a list scan on it. -sL sends no packets to the target at all; it only lists the addresses that would be scanned and performs a reverse-DNS lookup on each one, which makes it the least intrusive way to learn a host's name.

    Syntax: nmap -sL [IP address]

    Example: nmap -sL 72.52.251.71

    d) OS Scan: This command fingerprints the TCP/IP stack of the host and reports its likely operating system and version. It needs raw-packet privileges (root on Linux, Administrator on Windows) and gives the best results when the host has at least one open and one closed TCP port.

    Syntax: nmap -O [IP address]

    Example: nmap -O 127.0.0.1
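The commands in sections A and B print their results to the terminal, but the chapter also asks for an analysis report. The script below is an added example (not from the lab manual or the Nmap project) that parses Nmap's grepable output, which the -oG option writes, into a per-host summary; it understands both the host-discovery lines produced by a ping sweep (Status: Up/Down) and the port-state lines produced by a port scan, so one parser serves both sections. The scan output embedded in it is constructed for the example (hosts, names and version strings are made up), and the scan() helper, which runs Nmap with "-oG -" so the output arrives on stdout, is only for use where Nmap is installed and you have permission to scan the targets.

```python
"""Summarise Nmap grepable (-oG) output into a scan report.

Added example for this lab, not code from the manual or the Nmap project.
It assumes the scan was saved with -oG, for example
    nmap -sS -v -p 1-500 -oG scan.gnmap 192.168.1.0/29
SAMPLE_GNMAP below is constructed; addresses, names and versions are made up.
"""
import ipaddress
import re
import subprocess
from collections import Counter

# Constructed sample output. Down hosts only appear in -oG output when Nmap runs with -v.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Mar 11 10:02:17 2024 as: nmap -sS -v -p 1-500 -oG scan.gnmap 192.168.1.0/29\n"
    "Host: 192.168.1.1 (gw.lab)\tStatus: Up\n"
    "Host: 192.168.1.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 53/open/tcp//domain//dnsmasq 2.89/, "
    "80/closed/tcp//http///\tIgnored State: filtered (497)\n"
    "Host: 192.168.1.2 ()\tStatus: Down\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//https//nginx 1.24.0/, "
    "445/filtered/tcp//microsoft-ds///, 3306/open|filtered/tcp//mysql///\tIgnored State: closed (496)\n"
    "# Nmap done at Mon Mar 11 10:02:41 2024 -- 8 IP addresses (2 hosts up) scanned in 24.10 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"ip", "hostname", "status", "ports": [...]}} parsed from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # "# Nmap ..." comment lines carry no host data
            continue
        ip, name, rest = m.groups()
        host = hosts.setdefault(ip, {"ip": ip, "hostname": name, "status": None, "ports": []})
        for field in rest.split("\t"):  # Status / Ports / Ignored State are tab-separated
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                host["status"] = host["status"] or "Up"  # a port line implies the host answered
                for entry in value.split(", "):
                    # port/state/proto/owner/service/rpc/version/ ; Nmap rewrites "/" inside the
                    # version string as "|", so splitting on "/" is safe.
                    port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
                    host["ports"].append({"port": int(port), "state": state, "proto": proto,
                                          "service": service, "version": version})
    return hosts


def open_ports(host):
    return [p["port"] for p in host["ports"] if p["state"] == "open"]


def build_report(hosts):
    """Human-readable report: hosts up, per-host state counts, open services, and follow-ups."""
    up = [h for h in hosts.values() if h["status"] == "Up"]
    lines = [f"{len(up)} of {len(hosts)} hosts up"]
    for h in sorted(up, key=lambda h: ipaddress.ip_address(h["ip"])):
        counts = Counter(p["state"] for p in h["ports"])
        label = f"{h['ip']} ({h['hostname']})" if h["hostname"] else h["ip"]
        lines.append(f"{label}: " + ", ".join(f"{n} {s}" for s, n in sorted(counts.items())))
        for p in h["ports"]:
            if p["state"] == "open":
                ver = f" {p['version']}" if p["version"] else ""
                lines.append(f"  {p['port']}/{p['proto']} {p['service']}{ver}")
            elif p["state"] == "open|filtered":
                lines.append(f"  {p['port']}/{p['proto']} {p['service']} (no reply: retry with -sV or another scan type)")
    return "\n".join(lines)


def scan(targets, ports="1-1000", extra=("-sS",)):
    """Run Nmap for real and parse its output (needs nmap installed; -sS needs root/Administrator)."""
    cmd = ["nmap", *extra, "-p", ports, "-oG", "-", *targets]
    return parse_gnmap(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


if __name__ == "__main__":
    print(build_report(parse_gnmap(SAMPLE_GNMAP)))
```

To report on a real scan, save it with -oG and pass the file's contents to parse_gnmap(), or call scan(["192.168.1.0/24"]) on a network you are allowed to test.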

C) IDS (Intrusion Detection): Snort IDS Tool

Snort is a free, open-source network intrusion detection system (IDS) and intrusion prevention system (IPS). Snort uses a set of rules that describe malicious network activity, compares every packet it sees against those rules, and generates an alert (or, in IPS mode, drops the packet) when one matches.

Snort can be run in three main modes:

    1. Sniffer Mode: Snort reads network packets and displays them on the console.

    2. Packet Logger Mode: Snort logs the packets to disk.

    3. Network Intrusion Detection System Mode: Snort monitors network traffic, analyses it against the rule set defined by the user, and performs the action the matching rule specifies (for example, writing an alert).

Link to download Snort_2_9_18_1_Installer.x64.exe for Windows Platform:

https://www.snort.org/download

Link to download the rules for Snort: https://www.snort.org/download. The community rules can be downloaded without an account; register (free) to download the larger registered rule set, and keep the rules updated, because detection is only as good as the signatures Snort has.

Snort needs Npcap.

Link to download Npcap 0.9984 for windows platform:

https://nmap.org/npcap/dist/

Questions:

How does Snort work? Explain with steps and demonstrate the various modes of Snort.

Steps to defend your network with Snort for Windows:

Snort should run on a dedicated computer on your network, connected where it can see the traffic you want to monitor. Review its logs often to spot malicious activity on your network.

    1) Download Snort from the Snort.org website

    2) Download the rules from the Snort.org website. You must register to get the registered rules, and you should download updated rules often: https://snort.org/downloads.

    3) Double-click the .exe to install Snort. This installs Snort in the "C:\Snort" folder.

    4) Install Npcap (or the older WinPcap) from https://nmap.org/npcap/dist/ if it is not already present; Snort cannot capture packets without it.

    5) Extract the rules archive. You will need a tool such as WinRAR for the .tar.gz file.

    6) Copy all files from the "rules" folder of the extracted archive and paste them into the "C:\Snort\rules" folder.

    7) Copy the "snort.conf" file from the "etc" folder of the extracted archive into the "C:\Snort\etc" folder, overwriting any existing file. Remember that if you later download a new rule archive and copy its snort.conf over yours, you must repeat the edits below for Snort to work.

    8) Open a command prompt (cmd.exe) and change to the "C:\Snort\bin" folder (at the prompt, type cd \Snort\bin).

    9) To start Snort in sniffer mode, use the following command: snort -dev -i 3

    -i selects the capture interface by its index number. You must pick the correct interface number; in this example it is 3.

    -dev is three options combined: -v prints packet headers to the console, -d also prints the application-layer payload, and -e also prints the data-link (Ethernet) headers.

    10) To list the interfaces with their index numbers, use the following command: snort -W

    11) Identify the right interface by its Index number and description: the physical adapter is the one whose description names the vendor or Microsoft, while the others belong to VMware virtual networks. In this example the interface is 3.

    12) To run Snort in IDS mode, you need to configure the "snort.conf" file according to your network environment.

    13) To specify the network address that you want to protect, look in snort.conf for the HOME_NET line and set it to your network, for example:

    var HOME_NET 192.168.1.0/24 (the stock file has "any" here; depending on the build the line starts with ipvar or var)

    14) You may also want to set DNS_SERVERS (and the other server variables such as SMTP_SERVERS and HTTP_SERVERS) if you have such servers on your network; by default they are all set to $HOME_NET.

    15) Change the RULE_PATH variable to the path of the rules (and likewise PREPROC_RULE_PATH, SO_RULE_PATH, WHITE_LIST_PATH and BLACK_LIST_PATH, which the stock file sets to Unix-style relative paths):

    var RULE_PATH c:\snort\rules

    16) Change the paths of the dynamic library directories to their location on your system. The stock file uses Unix paths such as "/usr/local/lib/snort_dynamicpreprocessor/"; replace them with the matching folders under "C:\Snort\lib". For example, the dynamic preprocessor line becomes:

    dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

Do the same for every library directory referenced in snort.conf; they all live under the "C:\Snort\lib" folder.

    17) Change the value of the "dynamicengine" setting in the "snort.conf" file. Example: dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

    18) Give the "include classification.config" and "include reference.config" lines full paths:

    include c:\Snort\etc\classification.config
    include c:\Snort\etc\reference.config

    19) Remove the comment (#) from the line that includes the ICMP rules, if it is commented out:

    include $RULE_PATH/icmp.rules

    20) You can also uncomment the ICMP-info rules, if they are commented out; a ping from the scanning machine will then be visible as an alert:

    include $RULE_PATH/icmp-info.rules

    21) To write the alerts Snort generates to a log file, find the output plugins section in snort.conf and add the following line (alert_fast writes one line per alert, which is easy to read and to parse):

    output alert_fast: snort-alerts.ids

    22) In the reputation preprocessor block, comment out (add a #) the whitelist $WHITE_LIST_PATH/white_list.rules and blacklist $BLACK_LIST_PATH/black_list.rules lines, because those files are not shipped. The block is one statement continued with trailing backslashes, so the line before them must no longer end in a continuation: change "nested_ip inner, \" to "nested_ip inner #, \" (everything after the # is ignored).

    23) Comment out (#) the following lines; the normalizers only act when Snort runs inline as an IPS and are not available in the Windows build, so leaving them enabled stops Snort from starting:

    #preprocessor normalize_ip4
    #preprocessor normalize_tcp: ips ecn stream
    #preprocessor normalize_icmp4
    #preprocessor normalize_ip6
    #preprocessor normalize_icmp6

    24) Save the “snort.conf” file.

    25) To start Snort in IDS mode, run the following command (-c names the configuration file, -l the log directory):

snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 3 (Note: 3 is the index of my interface card)

If a log is created, select the appropriate program to open it. You can use WordPad or Notepad++ to read the file.

To see alerts on the console as they fire and to store the logged packets as readable ASCII files (one folder per IP address), run Snort in IDS mode like this:

snort -A console -i 3 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii

    26) Scan the computer that is running Snort from another computer using PING or Nmap (Zenmap).

During or after the scan, check the snort-alerts.ids file in the log folder to ensure that alerts are being logged. With -K ascii you will also see folders named after the IP addresses of the logged packets.

Note: if Snort exits with an error about these options, comment out (#) the following lines of the http_inspect server configuration in snort.conf: decompress_swf {deflate lzma} \

decompress_pdf {deflate}
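Once the output alert_fast line from step 21 is in place, the snort-alerts.ids file is what you analyse after the scan in step 26. The script below is an added example (not from the lab manual or the Snort project) that parses alert_fast lines, counts them by rule, source and priority, and flags sources that tripped several rules or touched several ports on one host, which is what a ping sweep followed by an Nmap port scan looks like in the alert file. The alert lines embedded in it are constructed: SIDs 384, 408 and 469 are the classic Snort ICMP PING, ICMP Echo Reply and ICMP PING NMAP rule ids, while sid 1000001 stands for a hypothetical local rule.

```python
"""Turn Snort alert_fast output into a short analysis report.

Added example for this lab, not code from the manual or from Snort. It assumes
the "output alert_fast: snort-alerts.ids" setting, so alerts are one line each
in the form shown in SAMPLE_ALERTS (constructed; addresses are made up).
"""
import re
from collections import Counter, defaultdict

SAMPLE_ALERTS = """\
03/11-10:02:18.114201  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
03/11-10:02:18.114388  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20
03/11-10:02:19.220010  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.10
03/11-10:02:20.005512  [**] [1:1000001:1] LOCAL inbound TCP to web port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:51234 -> 192.168.1.10:80
03/11-10:02:20.006001  [**] [1:1000001:1] LOCAL inbound TCP to web port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:51235 -> 192.168.1.10:443
03/11-10:03:01.000000  [**] [1:1000001:1] LOCAL inbound TCP to web port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40000 -> 192.168.1.10:80
this line is not an alert and is skipped by the parser
"""

# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # absent for rules without a classtype
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Return one dict per alert line; lines that do not match the format are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts


def summarize(alerts):
    """The counts a responder looks at first: which rules fired, who triggered them, how severe."""
    return {
        "total": len(alerts),
        "by_rule": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_prio": Counter(a["prio"] for a in alerts),
    }


def suspicious_sources(alerts, min_distinct=2):
    """Sources that tripped several different rules, or touched several (host, port) pairs."""
    rules, targets = defaultdict(set), defaultdict(set)
    for a in alerts:
        rules[a["src"]].add(a["sid"])
        if a["dport"]:
            targets[a["src"]].add((a["dst"], a["dport"]))
    return sorted(s for s in rules if len(rules[s]) >= min_distinct or len(targets[s]) >= min_distinct)


def build_report(alerts):
    s = summarize(alerts)
    lines = [f"{s['total']} alerts",
             "by priority: " + ", ".join(f"P{p}={n}" for p, n in sorted(s["by_prio"].items())),
             "rules:"]
    lines += [f"  {n:4d}  sid {sid}  {msg}" for (sid, msg), n in s["by_rule"].most_common()]
    lines.append("sources:")
    lines += [f"  {n:4d}  {src}" for src, n in s["by_src"].most_common()]
    sus = suspicious_sources(alerts)
    if sus:
        lines.append("investigate (several rules or targets from one source): " + ", ".join(sus))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(build_report(parse_alerts(text)))
```

Run it as python snort_report.py C:\Snort\log\snort-alerts.ids after step 26; the scanning machine should appear under "investigate" because a ping sweep plus a port scan fires several rules and touches several ports from the same source.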

Snort monitoring traffic:

Snort's detailed report, printed when monitoring is stopped:

Log files: we can also view the log files:

Note: Read the setup and configuration guide for Snort on Snort.org. This is only a demo; Snort can be configured in thousands of ways to detect malicious activity on your network and alert you. Downloading updated signatures often is extremely important.

D) Network Sniffing Wireshark:

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is cross-platform: current releases use the Qt widget toolkit for the user interface and pcap (Npcap on Windows) to capture packets, and it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows.

There is also a terminal-based (non-GUI) version called TShark.

Wireshark captures and analyses the packets on a network, so it serves both as a sniffer and as a network protocol analyser. Display filters (for example tcp.port == 80 or http) narrow the capture down to the packets you are interested in.

Link to download Wireshark 3.4.8 for windows platform:

https://www.wireshark.org/download.html

Wireshark needs Npcap.

Link to download Npcap 0.9984 for windows platform: https://nmap.org/npcap/dist/

    a) Wireshark User Interface

    1) Menu bar

    2) Main toolbar

    3) Filter toolbar (where display filters are typed)

    4) Packet List pane (one summary row per captured packet: number, time, source, destination, protocol, length, info)

    5) Packet Details pane (the decoded protocol fields of the selected packet, one expandable layer per protocol)

    6) Packet Bytes pane (the raw bytes of the selected packet as a hex dump)

    7) Status bar
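To see what the three panes are built from, the script below is an added example (not Wireshark's own code) that writes a tiny pcap file, the capture format Npcap, Wireshark and TShark share, out of constructed Ethernet/IPv4/TCP frames, reads it back, and renders each frame as a Packet List row and as the decoded fields the Packet Details pane shows, with a minimal field-equality stand-in for a display filter. MAC addresses, IP addresses and ports are made up, the TCP checksum is left at zero, and the IP header checksum is computed and verified so a corrupted header shows up as a checksum failure.

```python
"""Write and dissect a minimal pcap capture (the file format Wireshark, TShark and Npcap use).

Added example for this lab, not Wireshark's own code. All frames, addresses and
ports are constructed; the TCP checksum is left at 0, the IP checksum is real.
"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header):
    """RFC 1071 ones'-complement sum; returns 0 over a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet II + IPv4 + TCP frame with a correct IP header checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in the checksum field
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # made-up MACs, type IPv4
    return eth + ip + tcp


def write_pcap(frames, start_sec=1710151337):
    """pcap global header (v2.4, link type 1 = Ethernet) plus one record per frame, 1 ms apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_sec, i * 1000, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Return [(timestamp, frame_bytes)]; the magic number tells the byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (nanosecond pcap and pcapng are not handled here)")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        records.append((sec + usec / 1_000_000, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return records


def dissect(frame):
    """Decode Ethernet/IPv4/TCP headers into the fields the Packet Details pane shows."""
    info = {"len": len(frame), "eth_type": struct.unpack("!H", frame[12:14])[0]}
    if info["eth_type"] != 0x0800:
        info["proto"] = "non-IPv4"
        return info
    ihl = (frame[14] & 0x0F) * 4
    info["ip_checksum_ok"] = ip_checksum(frame[14:14 + ihl]) == 0
    info["ttl"], proto = frame[22], frame[23]
    info["src"] = str(ipaddress.ip_address(frame[26:30]))
    info["dst"] = str(ipaddress.ip_address(frame[30:34]))
    info["proto"] = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto))
    if proto == 6:
        t = 14 + ihl
        info["sport"], info["dport"], info["seq"], info["ack"], off, fl = struct.unpack("!HHIIBB", frame[t:t + 14])
        info["flags"] = [name for bit, name in TCP_FLAGS if fl & bit]
        info["payload"] = frame[t + (off >> 4) * 4:]
    return info


def packet_list_row(no, rel_time, info):
    """One Packet List pane row: No., Time, Source, Destination, Protocol, Length, Info."""
    detail = f"{info['sport']} -> {info['dport']} [{','.join(info['flags'])}]" if info.get("proto") == "TCP" else ""
    return f"{no:>3} {rel_time:9.6f} {info.get('src', '-'):>15} {info.get('dst', '-'):>15} {info['proto']:>5} {info['len']:>4} {detail}"


def display_filter(dissected, **conds):
    """Minimal stand-in for a display filter: keep packets whose fields equal every given value."""
    return [d for d in dissected if all(d.get(k) == v for k, v in conds.items())]


# Constructed capture: a SYN, its SYN/ACK, a SYN to another port, and a request carrying payload.
SAMPLE_FRAMES = [
    build_frame("192.168.1.20", "192.168.1.10", 51234, 80, 0x02),
    build_frame("192.168.1.10", "192.168.1.20", 80, 51234, 0x12),
    build_frame("192.168.1.20", "192.168.1.10", 51235, 443, 0x02),
    build_frame("192.168.1.20", "192.168.1.10", 51234, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    records = read_pcap(write_pcap(SAMPLE_FRAMES))
    t0 = records[0][0]
    for no, (ts, frame) in enumerate(records, 1):
        print(packet_list_row(no, ts - t0, dissect(frame)))
    print(len(display_filter([dissect(f) for _, f in records], dport=80)), "packets match dport == 80")
```

Write write_pcap(SAMPLE_FRAMES) to a file and open it in Wireshark to compare the rows with what the real Packet List pane shows; the two SYNs to different ports from the same source are the pattern the Snort alerts in section C pick up during an Nmap scan.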