123 Projects For 124 Sum 09

Project 1: Preparing your Trusted Windows XP Machine

10 Points

What You Need for This Project

A trusted computer running any version of Windows, preferably Windows XP, with Internet access. This can be either a real or virtual machine. You need administrator privileges on the trusted machine. The trusted machine must have Firefox and antivirus software installed on it.

Warning! "Ethical Hacking and Network Defense" students will be capturing passwords in room S214. Don't do online shopping, personal e-mailing, or any other private computer work in that lab. Make up a new password just for that lab. Nothing you do in that lab is private!

The instructions below assume you are working in the S214 lab. If you are working at home, you will have to adapt the steps to match your situation. A DVD containing useful virtual machines was handed out in class, labeled HX.

Start Your Host Machine

1. Select a machine to be your primary machine for the semester. You'll want to keep using the same machine as much as possible, because your virtual machines will be there.
2. Power on your computer and log on as explained below:
   User name: Your CCSF Student ID, unless it starts with @. If your ID starts with @, replace the @ with X.
   Password: leave the Password field empty, with no password at all.

Change Your Password

3. Once you get logged in, you will be prompted to change your password. Make up a new password that you never use anywhere else. I recommend the password P@ssw0rd. Everything you type into a machine in S214 is at high risk of being discovered by other students! Do NOT use a password that you use in other places, such as your normal email account, CCSF registration, banking, etc.

Making Your VM (Virtual Machines) Folder

4. Click Start, My Computer. Find the VMs drive (usually V:). Right-click the VMs drive and click Properties. See how much free space remains on this drive; make sure there is at least 10 GB available. If there is not enough space available, store your virtual machines on another partition, such as the MoreVMs partition. (If you have a portable USB hard drive, that's an even better place to store your VMs.)
5. In the VMs window, right-click the empty space and click New, Folder. Name the folder YOUR NAME VMs, replacing YOUR NAME with your own name.

Copying a Windows XP SP3 Virtual Machine into Your VM Folder

6. In the VMs window, double-click the Hacking folder to open it. Right-click the Win XP SP3 folder and click Copy.
CNIT 123 Bowne

Page 243

7. In the Hacking window, click the Up button on the toolbar. Right-click the YOUR NAME VMs folder and click Paste. Wait until the copy is finished. This will be your personal Trusted Machine.

Starting VMware

8. Double-click the VMware Workstation icon on the desktop.
9. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab. On the Home tab, click the Open Existing VM or Team icon. Navigate to the V: drive, open your folder, open the Win XP SP3 folder, and double-click the Windows XP Professional.vmx file. You should see a Windows XP Professional VM in the Powered Off state, as shown to the right on this page.

Starting Your Virtual Machine

10. In the Windows XP Professional VMware Workstation window, on the left side, click the Start this virtual machine link.
11. If you see a message saying "The location of this virtual machine's configuration file has changed", accept the default selection of Create and click OK.
12. When your machine starts up, click the Student account to log in. There is no password, and the Student account has Administrative privileges.

Verifying that Firefox is Installed

13. Click Start, "All Programs", and look for "Mozilla Firefox". If it's not there, you will need to open Internet Explorer, go to getfirefox.com, and download and install the latest version.

Changing Your Virtual Machine's Name

All the virtual machines now have the same name. This will cause warning messages to appear on the desktops, and it's confusing. So you should change your machine's name to contain the station number and your name, with the following steps:

14. Click the Start button on your virtual machine's desktop, right-click My Computer, and click Properties. Click the Computer Name tab. Click the Change button. Enter the name of your station followed by your name, which will be something like S214-01YOURNAME. Click OK.
15. When a Computer Name Changes box appears saying You must restart, click OK. In the System Properties box, click OK. In the System Settings Change box, click Yes. Wait while your virtual computer restarts. Log in as you did before.

16. Click the Start button on your virtual machine's desktop, right-click My Computer, and click Properties. Click the Computer Name tab. The "Full computer name:" should contain your station number and your name, as shown to the right on this page.

Saving a Screen Image

17. You have now completed Project 1. The only thing that remains is to turn it in. To do that, you need to make a JPEG image of the screen and email it to me, as explained below. Note the hand symbol just below this text: that indicates screen images that you must capture and turn in.
18. Click the taskbar at the bottom of your host Windows XP desktop, to make the host machine listen to the keyboard, instead of the virtual machine.
19. Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.
20. On the host machine, not the virtual machine, click Start, Programs, Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar. The desktop appears in the Paint window (only a corner of it will be visible).
21. In the untitled - Paint window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 1. Select a Save as type of JPEG.
22. Email the JPEG image to me as an attachment to an e-mail message. Send it to: cnit.123@gmail.com with a subject line of Proj 1 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 1-28-09

Project 2: Taking Control of a Machine with Metasploit

15 points

What You Need for This Project

A trusted computer running any version of Windows, with Internet access. You need administrator privileges. This can be either a real or virtual machine.
The "Windows XP Target" virtual machine that was handed out in class, or any other computer running Windows XP with no service packs.

LEGAL WARNING!
Use only machines you own, or machines you have permission to hack into. Hacking into machines without permission is a crime! Don't do it! If you do illegal things, you may be arrested and go to jail, and I will be unable to save you. These instructions are intended to train computer security professionals, not to help criminals.

Start Your Host Machine

1. Log in as usual with your CCSF ID and the password you chose in Project 1.

Copying a Target Virtual Machine into Your VM Folder

2. Click Start, My Computer. Open the VMs drive.
3. In the VMs (V:) window, double-click the Hacking folder to open it. Right-click the WinXP_TARGET folder and click Copy.
4. In the Hacking window, click the Up button on the toolbar. Right-click the YOUR NAME VMs folder and click Paste. Wait until the copy is finished. This will be your Target Machine.

Starting Your Target Virtual Machine

5. Double-click the VMware Workstation icon on the desktop.
6. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab. On the Home tab, click the Open Existing VM or Team icon. Navigate to the VMs drive, open your folder, open the WinXP_TARGET folder, and double-click the WinXP_TARGET.vmx file.
7. On the left side, click the Start this virtual machine link. If you see a message saying "The location of this virtual machine's configuration file has changed", accept the default selection of Create and click OK.

Changing Your Target Virtual Machine's Name

8. On the Target machine's desktop, click Start, right-click "My Computer", and click Properties. Click the "Computer Name" tab. Click the Change button. Give your machine a unique name, such as YourNameTarget. Click OK. When a "Computer Name Changes" box appears saying You must restart, click OK. In the System Properties box, click OK. In the System Settings Change box, click Yes. Wait while your virtual computer restarts. Note: If you get an error message about duplicate names that prevents you from changing the name, disable the network adapter before changing the name.

Testing Your Target Virtual Machine's Internet Connection

9. On the Target virtual machine, open Internet Explorer and verify that you can reach the Internet. If you cannot, try restarting the virtual machine. If that doesn't fix it, call your instructor over to help solve the problem before going to the next step.

Finding Your Target Virtual Machine's IP Address

10. Click Start, Run. Type in CMD and press the Enter key. In the Command Prompt screen, type in IPCONFIG and press the Enter key. If you have two network adapters, find the one with an IP address that starts with 192. Write that address in the box to the right on this page.
    Target IP Address: ________________________

Starting your Trusted Machine

11. If you are using VMware Workstation, close the unused tabs in the VMware window that is running your Target virtual machine. This will unlock your trusted machine.
12. Double-click the VMware Workstation icon on the desktop.
13. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab. On the Home tab, click the Open Existing VM or Team icon. Navigate to the V: drive, open your folder, open the WinXPSP3 folder, and double-click the Windows XP Professional.vmx file. You should see a Windows XP Professional VM in the Powered Off state.
14. In the Windows XP Professional VMware Workstation window, on the left side, click the Start this virtual machine link.

Downloading and Installing Metasploit

15. Open Firefox and go to metasploit.com
16. Click Framework. Click Download.
17. Scroll down until you see the Windows installer for Metasploit 3.2, as shown below on this page. Click the framework-3.2.exe link. Save the file on your desktop.

Installing Metasploit 3.2

18. Double-click the framework-3.2 file on your desktop and click through the installer, accepting all the default selections. A box will pop up, offering to install Nmap. Click Yes. Continue to click on all the default options when prompted. You will also install WinPcap. When you see the final box, saying "Completing the Metasploit Framework 3.2 Setup Wizard", click Finish. This will launch Metasploit.
19. Even though the installer is done, there is a lot more installation to be completed. A Command Prompt window opens with a lot of file names scrolling by. Wait until it finishes; it will take several minutes.

Launching the MS04-011 LSASS Exploit

20. When all the installation is complete, a "Metasploit Framework GUI v3.2-release" window opens, as shown below on this page. Type MS04 into the search box at the top of the window, and click the Find button.
21. Double-click ms04_011_lsass. A box opens with a banner reading MSF::ASSISTANT.
22. The first screen asks you to Select your target. Accept the default selection of "Automatic Targetting" and click Forward.
23. The next screen asks you to Select your payload. Click the list box down-arrow to see all the payloads, and scroll down to select windows/shell/reverse_tcp as shown to the right on this page. This is a common payload that opens a Command Prompt on the victim machine, so you can type in commands of your choice to do anything you like on that machine. "Reverse" means the victim connects back to your trusted machine (the LHOST) rather than your machine connecting in to it, and because the exploited process is LSASS, the shell runs as SYSTEM. Click Forward.

24. The next screen asks you to Select your options. Find the Target IP Address you wrote into a box on a previous page of these instructions, and type it into the RHOST box, as shown to the right on this page. Move the window up on the desktop so you can see the buttons at the bottom, and click Forward.
25. The next screen asks you to Confirm settings. Click Apply.
26. In the "Metasploit Framework GUI v3.2-release" window, in the lower pane, click the "Module Output" tab.
27. If the exploit works, you will see a message showing "Session 1 created", and in the lower right Sessions pane an IP address will appear, as shown below on this page. If the exploit fails, just repeat the process to exploit it a second time; sometimes Windows XP requires two attacks to succumb. A failed attempt can crash lsass.exe on the Target, which makes Windows XP show a shutdown countdown and reboot; if that happens, wait for the Target to come back up before trying again.


Opening the Session

28. In the "Metasploit Framework GUI v3.2-release" window, in the lower right pane, double-click the session line. A command prompt window opens, as shown below on this page. This lets you control the other machine!

Using the Reverse Shell to Tag the Victim's Desktop

29. As shown below on this page, enter two commands to create a file on the victim's desktop. This is a traditional way childish hackers scare victims, showing that you own their box.

    cd \documents and settings\student\desktop
    echo ha ha > YOURNAME_owns_your_computer.txt

    (Replace YOURNAME with your own name in the second command.)

Saving a Screen Image

30. Make sure the command prompt window is visible, as shown above on this page, demonstrating that you own the Target machine.
31. Click outside the virtual machine to make the host machine's desktop active. Press the PrintScrn key to copy the whole desktop to the clipboard.
32. In the host machine, click Start, Programs, Accessories, Paint.
33. In the untitled - Paint window, select Edit, Paste from the menu bar. The desktop appears in the Paint window, with only a corner of it visible.
34. In the untitled - Paint window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 2a. Select a Save as type of JPEG.


Viewing the Tag

35. You should be able to see the new file on the victim's desktop, as shown to the right on this page. Imagine how you would feel if files started appearing on your computer from nowhere while you were using it!

Patching the Target Machine

36. To protect the Target from this attack, we will install a Microsoft security patch. To save time, I already downloaded the patch from microsoft.com/technet/security/bulletin/ms04011.mspx and saved it in the Target Machine.
37. In the Target Machine, click Start, My Documents.
38. Double-click the WindowsXP-KB835732-x86-ENU.EXE file. Some files are extracted, and the "Windows XP KB835732 Setup Wizard" opens.
39. Restart your Target machine when prompted to.

Launching the MS04-011 Exploit Again

40. On the Trusted machine, close the Command Prompt window you used to tag the Target desktop.
41. On the Trusted machine, in the "Metasploit Framework GUI v3.2-release" window, double-click ms04_011_lsass. A box opens with a banner reading MSF::ASSISTANT.
42. The first screen asks you to Select your target. Accept the default selection of "Automatic Targetting" and click Forward.
43. The next screen asks you to Select your payload. Select windows/shell/reverse_tcp and click Forward.
44. The next screen asks you to Select your options. Type the Target IP Address into the RHOST box, and click Forward.
45. The next screen asks you to Confirm settings. Click Apply.
46. In the "Metasploit Framework GUI v3.2-release" window, in the lower pane, you should see the message "Server appears to have been patched", as shown to the right on this page.

Saving a Screen Image

47. Make sure the "Server appears to have been patched" message is visible, as shown on the previous page.
48. Click outside the virtual machine to make the host machine's desktop active. Press the PrintScrn key to copy the whole desktop to the clipboard.
49. In the host machine, click Start, Programs, Accessories, Paint.
50. In the untitled - Paint window, select Edit, Paste from the menu bar. The desktop appears in the Paint window, with only a corner of it visible.
51. In the untitled - Paint window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 2b. Select a Save as type of JPEG.

Turning in Your Project

52. Email the JPEG images to me as attachments to a single email message. Send it to: cnit.123@gmail.com with a subject line of Proj 2 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 12-28-08

Project 3: Stealing Passwords with a Packet Sniffer

Worth 15 Points

What You Need for This Project

A trusted computer running any version of Windows, with Internet access. You need administrator privileges. This can be either a real or virtual machine.
A victim computer running any OS at all (even a Mac or Linux), networked to the trusted computer with either non-switched Ethernet or Wi-Fi. This can be either a real or virtual machine.
This will only work on a non-switched network, that is, an Ethernet network using a hub. This attack can be done on a switched network, but you need to trick the switch with ARP poisoning, or another technique. We'll do that in a later project.

LEGAL WARNING!
Use only machines you own, or machines you have permission to hack into. Hacking into machines without permission is a crime! Don't do it! If you do illegal things, you may be arrested and go to jail, and I will be unable to save you. These instructions are intended to train computer security professionals, not to help criminals.

Packet Sniffing and Switched Ethernet

The defect of non-switched Ethernet that we will exploit here is that every packet is sent to every device on the hub, so your computer is able to read what other computers send and receive. Most wired networks are now switched, but wireless networks naturally send signals to every computer nearby, so this sort of attack works well for them. (That applies directly to an open Wi-Fi network; on a WPA or WPA2 network the frames are encrypted with per-client keys, so a sniffer sees only ciphertext unless it also has the network's pre-shared key and a capture of the victim's association handshake.)

Installing the Wireshark Packet Sniffer

1. Use your trusted virtual machine.
2. Open a Web browser and go to WireShark.org
3. Download and install the latest version of Wireshark. The installer will also install WinPcap.

Starting a Capture in Promiscuous Mode

4. Click Start, All Programs, Wireshark, Wireshark.
5. From the Wireshark menu bar, click Capture, Interfaces. Find the Interface with an IP address starting with 192.168.1. That's the interface that connects to the Internet in room S214. Click the Options button in that interface's line.
6. In the Wireshark Capture Options box, verify that the "Capture packets in promiscuous mode" box is checked, as shown to the right on this page. This means that your network interface will accept all the packets it receives, even the ones that are addressed to other machines. Click the Start button.
7. If you see a message saying "Save capture file before starting a new capture?", click Continue Without Saving.


Entering a Password in the CCSF WebMail Client

8. In your virtual machine, open a browser and go to hills.ccsf.edu/mail
9. In the Name box, enter joeuser
10. In the Password box, enter topsecretpassword
11. Do NOT put in your real user name and password! As you will see, this Web page is not secure. After this lab, you might not want to use it anymore!
12. Click the LOG IN button. If you see a message asking whether to remember the password, click "Not Now". After a few seconds, a message appears saying Username/Password Failure.
13. In the Wireshark: Capture box, click Stop.

Viewing the Password Captured From Your Own Computer

14. Wireshark shows the captured packets. To find the packet containing the password, click Edit, "Find Packet". In the By line, click the String button. Enter a string of pass and click the Find button.
15. Examine the data shown in the bottom pane, on the right-hand side. This is the text contained in the packet. In that data, you should find login_username and secretkey fields, revealing the username and password you typed in, as shown below on this page. They are readable because the login form is submitted over plain HTTP: the browser sends the form fields in the body of an HTTP POST with no encryption at all.


Saving the Screen Image

16. Press the PrintScrn key in the upper-right portion of the keyboard.
17. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
18. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document with the filename Your Name Proj 3a. Select a Save as type of JPEG. Close Paint.

Capturing a Password from the Host Operating System

19. On your virtual machine, click Start, All Programs, Wireshark, Wireshark.
20. From the Wireshark menu bar, click Capture, Interfaces. Find the Interface with an IP address starting with 192.168.1. That's the interface that connects to the room's LAN. Click the Start button in that interface's line.
21. If you see a message saying "Save capture file before starting a new capture?", click "Continue Without Saving".
22. On the host machine, go to the hills.ccsf.edu/mail website. Log in with the fake name joeuser2 and password topsecretpassword2.
23. On your virtual machine, stop the capture. To find the packet containing the password, click Edit, "Find Packet". In the By line, click the String button. Enter a string of pass and click the Find button. You should see the user name and password in the lower right portion of the screen, as shown below on this page.

Saving the Screen Image

24. Press the PrintScrn key in the upper-right portion of the keyboard.
25. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
26. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document with the filename Your Name Proj 3b. Select a Save as type of JPEG. Close Paint.


Observing a Secure Password Transmission

27. On your own virtual machine, start another capture in promiscuous mode, as you did in steps 19 to 21 above.
28. On your own virtual machine, open a browser and go to gmail.com. Log in with the fake name JoeUser and password topsecretpassword, as shown to the right on this page.
29. Stop the capture. Click Edit, "Find Packet". In the By line, click the String button. Enter a string of pass and click the Find button. No match is found; the string pass does not appear in the packets at all.
30. Look in the Info column and find Client Hello, then Server Hello, then Certificate, as shown below. Those exchanges are parts of the SSL Handshake that prepared an encrypted layer to send your username and password. The handshake messages themselves travel in the clear, which is why Wireshark can still label them; only the data sent after the handshake is encrypted.
31. Look at the packets that appear below "Server Hello". Find a packet labeled "SSLv3 Application Data" or "TLSv1 Application Data", like packet 22 in the image below on this page, and click on it in the top pane to select it. Details about the packet will appear in the middle pane. Click the + sign to expand Secure Socket Layer. Expand the layer inside (labeled "SSLv3 Record Layer" or "TLSv1 Record Layer"), so that the Encrypted Application Data is visible, as shown at the bottom of the image below on this page. Your user name and password are concealed in that encrypted data. Even though the packet sniffer can see the data go by, it cannot be read. This is how SSL protects you: all Web logons should use SSL.
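The Wireshark string search in steps 14 and 15 and again in steps 29 to 31 can be reproduced on raw TCP payloads. The Python script below is an added example, not part of the original project: it runs the same case-insensitive search for "pass" over two constructed payloads, a cleartext HTTP POST carrying the login_username and secretkey fields the WebMail login sends, and a TLS record of the kind Wireshark labels "TLSv1 Application Data", and shows why only the first one yields a credential. The request path /mail/src/redirect.php, the Content-Type header and the 32 stand-in ciphertext bytes are assumptions made up for the example; the field names and the hostname are the ones the project shows.

```python
"""Constructed demonstration of what the Project 3 Wireshark string search
sees: a cleartext HTTP login versus a TLS Application Data record.
Added example; the payloads are constructed here, not taken from a capture."""
from urllib.parse import parse_qs

# Constructed cleartext login POST. The field names login_username and
# secretkey match the project; the request path and Content-Type header are
# assumptions for the example.
HTTP_LOGIN = (
    b"POST /mail/src/redirect.php HTTP/1.1\r\n"
    b"Host: hills.ccsf.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 50\r\n"
    b"\r\n"
    b"login_username=joeuser&secretkey=topsecretpassword"
)

# Constructed TLS records: a Handshake record (Client Hello type byte, empty
# body) and an Application Data record. The 32 "ciphertext" bytes are a
# stand-in, not real TLS output; any real ciphertext looks just as opaque.
TLS_HANDSHAKE = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"
TLS_APP_DATA = b"\x17\x03\x01\x00\x20" + bytes(range(0x80, 0xA0))

TLS_CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert",
                     22: "Handshake", 23: "Application Data"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1",
                (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def tls_record_header(payload):
    """Parse the 5-byte TLS record header into (version, content type, length),
    or return None if the payload does not start with a TLS record."""
    if len(payload) < 5:
        return None
    ctype, major, minor = payload[0], payload[1], payload[2]
    version = TLS_VERSIONS.get((major, minor))
    if ctype not in TLS_CONTENT_TYPES or version is None:
        return None
    length = int.from_bytes(payload[3:5], "big")
    return version, TLS_CONTENT_TYPES[ctype], length


def string_search(payload, needle=b"pass"):
    """Wireshark's Edit > Find Packet > String search, which is
    case-insensitive unless 'Case sensitive' is ticked."""
    return needle.lower() in payload.lower()


def extract_form_credentials(payload,
                             user_fields=("login_username", "username", "user"),
                             pass_fields=("secretkey", "password", "pass")):
    """Pull the credential pair out of a cleartext urlencoded HTTP POST.
    Returns {"username": ..., "password": ...}, or None if this is not one."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    if b"application/x-www-form-urlencoded" not in head.lower():
        return None
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    user = next((fields[f][0] for f in user_fields if f in fields), None)
    password = next((fields[f][0] for f in pass_fields if f in fields), None)
    if user is None and password is None:
        return None
    return {"username": user, "password": password}


def classify(payload):
    """Label a TCP payload roughly the way Wireshark's Info column does, and
    report whether the 'pass' search hits it and what credentials it exposes."""
    tls = tls_record_header(payload)
    if tls is not None:
        version, ctype, _ = tls
        label = f"{version} {ctype}"
        creds = None  # the record body is ciphertext; nothing to extract
    else:
        creds = extract_form_credentials(payload)
        label = "HTTP POST (cleartext)" if creds else "other"
    return {"label": label, "string_hit": string_search(payload),
            "credentials": creds}


def walk(payloads):
    """Classify each payload of a capture in order."""
    return [classify(p) for p in payloads]


if __name__ == "__main__":
    for result in walk([HTTP_LOGIN, TLS_HANDSHAKE, TLS_APP_DATA]):
        print(result)
```

Run it and the HTTP payload is the only one where the search hits and a username and password come out; the TLS records parse to the same "TLSv1 Handshake" and "TLSv1 Application Data" labels Wireshark shows, and their bodies give the search nothing to match.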


Saving the Screen Image

32. Make sure Encrypted Application Data is visible in your screen image.
33. Press the PrintScrn key in the upper-right portion of the keyboard.
34. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
35. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document with the filename Your Name Proj 3c. Select a Save as type of JPEG. Close Paint.

Turning in your Project

36. Email the JPEG images to me as attachments to one e-mail message to cnit.123@gmail.com with a subject line of Proj 3 From Your Name. Send a Cc to yourself.
Last modified 9-1-08


Project 4: Installing Ubuntu Linux

Worth 20 Points

Using VMware Workstation to Create a New Virtual Machine

We are using VMware Workstation in the S214 lab, but it's not a free program. If you are working at home, use VMmanager to create the virtual machine instead.

1. Double-click the VMware Workstation icon on the desktop. A VMware Workstation window opens as shown to the right on this page.
2. Click the New Virtual Machine icon.
3. At the Welcome to the New Virtual Machine Wizard screen, click Next.
4. At the Select the Appropriate Configuration screen, accept the default selection of Typical and click Next.
5. At the Select a Guest Operating System screen, make sure that the Linux radio button is selected and in the Version box, select Ubuntu. Click Next.
6. At the Name the Virtual Machine screen, enter a Virtual machine name of Your Name Ubuntu.
7. Click the Browse button to choose the drive and folder to save the VM in. Navigate to V:\YOURNAME_VMs.
8. Create a new subfolder named Ubuntu and click it to select it. Click Next.
9. At the Network Type screen, accept the default selection of Use Bridged Networking and click Next.
10. At the Select the Appropriate Configuration screen, accept the default selection and click Next.
11. At the Specify Disk Capacity screen, change the size to 7 GB. Do not check either of the boxes. Click Finish.
12. You should now see a window with Your Name Ubuntu in large gray letters near the top.

Adjusting Network Settings

The Ethernet settings on VMware Workstation are set to match the two physical network interfaces on our lab machines, so you will need to adjust network settings. This only has to be done once for each virtual machine. If you are working at home, this probably won't be necessary.

13. In the Your Name Ubuntu VMware Workstation window, on the left side, click the Edit virtual machine settings link.

14. In the Virtual Machine Settings box, on the Hardware tab, click the Ethernet item to select it. On the right side, click the Custom radio button and select VMnet2 (Bridged) as shown to the right on this page.
15. Click the Add button.
16. In the Welcome to the Add Hardware Wizard screen, click Next.
17. In the Hardware Type screen, click Ethernet Adapter and click Next.
18. In the Network Type screen, on the right side, click the Custom radio button and select VMnet0 (default Bridged).
19. Click Finish.
20. In the Virtual Machine Settings screen, click OK.

Starting the Virtual Machine with No Operating System

21. In the Commands section in the middle of the window, click Start this virtual machine. A Your Name Ubuntu Virtual Machine box opens saying "The keyboard hook timeout value ...". Click OK to close the box.
22. The virtual machine starts, and attempts to boot up, but there is no operating system installed, so it ends with the message shown to the right on this page. Click OK to close the dialog box.


Connecting the Virtual Machine to the Ubuntu CD Image

23. From the Menu bar, select VM, Settings.
24. In the Virtual Machine Settings box, click CD-ROM in the left pane. In the right pane, click Use ISO Image. Click the Browse button and navigate to V:\Install\ubuntu7.04-desktop-i386.iso as shown to the right on this page. (The Ubuntu version number in the image is different.) Click OK to close the Virtual Machine Settings box.
25. Click the Reset button as shown to the right on this page.
26. If a VMware Workstation box opens asking "Are you sure that you want to restart the guest operating system?", click OK. In the next box, click OK.

Adjusting the Virtual BIOS Boot Order

27. As soon as the startup text appears in the window, click in the window and press the F2 key to edit the BIOS settings. You have to be fast: you have only about 2 seconds to click and press F2.
28. Adjust the Boot Order so that "CD-ROM" is first. Press F10 to Save and Exit, and Enter to confirm.


Starting Linux from the CD Image

29. The virtual machine should boot from the ISO image, and show you the Ubuntu starting screen shown to the right on this page. Press the Enter key to Start or Install Ubuntu, as shown to the right on this page.
30. Ubuntu will launch from the ISO file, and show a brown desktop with an Install icon on it, as shown to the right on this page.
31. At this point, Ubuntu is running from the virtual CD. This Live CD mode is intended to let people try Linux on a Windows machine without changing the hard disk. The problem with it is that you cannot install software, save files, or customize it. Besides, we are using VMware, which protects the Windows XP host system anyway; we don't need the Live CD feature. So we will install Ubuntu onto the virtual hard disk.
32. Double-click the Install icon.

Installing Ubuntu Linux on the Virtual Hard Disk

33. In the first Linux install screen, labeled "Step 1 of 7" in the lower left corner, accept the default selection of English and click the Forward button.
34. In "Step 2 of 7", click on the map to select Los Angeles for a time zone, and click the Forward button.
35. In "Step 3 of 7", accept the default keyboard layout selection of "U.S. English" and click the Forward button.
36. Step 4 of 7 is preparing the disk space. Accept the default selections of "Guided - use entire disk" and "IDE1 master (hda)" and click the Forward button.
37. In "Step 5 of 7", "Migrating User Settings", don't change anything and click the Forward button.
38. Step 6 of 7 is the "Who are you?" screen. Type in your name and a logon name of your choice. Enter a password you can remember; I recommend P@ssw0rd. Name your computer after the station number on the front panel, adding an L (for Linux) to the end, as shown to the right on this page. Click the Forward button.
39. Step 7 of 7 is the "Ready to install" screen. Click the Install button.
40. Wait while Linux installs; it will take about 30 minutes.
41. When you see an Installation Complete box, click Restart now.

CNIT 123 Bowne

Page 262

Removing the Virtual CD

42. Ubuntu shuts down, leaving a black screen with small blue letters at the bottom saying "please remove the disc". If you are working in S214, do the following steps. (If you are working at home, press Ctrl+Alt to release the cursor and click the CD button at the top of the VMware Player window to remove it.)
   a. Click the lower X button in the upper right of the Ubuntu screen to shut down the virtual machine without completely closing VMware Workstation.
   b. You should now see a window with "Your Name Ubuntu" in large gray letters near the top.
   c. From the Menu bar, select VM, Settings.
   d. In the Virtual Machine Settings box, click CD-ROM in the left pane. In the right pane, click "Use physical drive".
   e. Click OK to close the Virtual Machine Settings box.
   f. Click "Start this virtual machine".

43. You should see a "GRUB LOADING" message, and when Ubuntu boots up, you will see the login screen shown to the right on this page. Type in your user name and press the Enter key. Then type in your password and press the Enter key.

Concerning Updates

44. At the upper right of the screen, you will see a clock with some icons near it. The leftmost icon is an orange square with a white star on it. Point to that icon and you should see that updates are available (98 updates, when I did it), as shown to the right on this page.

45. Just like Windows, Ubuntu has vulnerabilities and a constant stream of updates. But the updates are not as important, because Linux is a lot more secure in the first place. Also, in my experience, Ubuntu updates are much more likely to break a working machine than Windows updates (see link Ch 1q on my Web page). So my recommendation is to not bother updating during this class unless there is a specific new feature you want.

Examining the Package Repositories

46. Ubuntu is a Debian Linux distribution, and one of the great things about Debian is that it has online repositories of applications which you can download and install easily. They are ready to go, just like updates, and they are all free!

47. From the menu bar, click System, Administration, "Synaptic Package Manager". Enter your password when you are prompted to.

48. Read the "Quick Introduction" box, then click the Close button.

49. From the "Synaptic Package Manager" menu bar, click Settings, Repositories. A "Software Sources" box appears, as shown below.

50. Make sure that the first four items are all checked, as shown below. These are all the repositories that contain commonly used programs. They are separated into these groups based on how open-source and free they are; they are not all supported by Ubuntu, and they are not all necessarily legal in all countries. Click the Close button.

51. In the "Synaptic Package Manager" box, click the Reload button.

52. Close the "Synaptic Package Manager" box.

Saving the Screen Image

53. From the Ubuntu menu bar, click System, About Ubuntu. An introduction page opens, as shown to the right on this page.

54. Click on the host Windows XP desktop taskbar. Press the PrntScn key to copy the whole screen to the clipboard.

55. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 4.

Adjusting the Virtual BIOS Boot Order

56. You should correct the boot order, so your new Ubuntu virtual machine starts up from the hard disk, not from the CD-ROM image. From the Ubuntu desktop menu bar, click System, Quit. Click the Reset button.

57. As soon as the startup text appears in the window, click in the window and press the F2 key to edit the BIOS settings. You have to be fast: you have only about 2 seconds to click and press F2.

58. Adjust the Boot Order so that "Hard Drive" is first. Press F10 to Save and Exit, and Enter to confirm.

Shutting Down the Ubuntu Machine

59. When your Ubuntu machine restarts, click System, Quit.

60. Click the "Shut Down" button.

Turning in your Project

61. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj 4 From Your Name. Send a Cc to yourself.

Last modified 6-4-09

Project 5: Port Scans and Firewalls

Worth 15 Points

Warning! Unexpected port scans are rude, and possibly even illegal! Port scans can set off intrusion detection systems and get us all into trouble. Don't scan other people's servers; just scan machines you have permission to scan. The only machines you should scan in this project are machines in S214, or on your own network at home.

Start Your Ubuntu 8.04 Virtual Machine

1. Open VMware Player or VMware Workstation. Launch your Ubuntu 8.04 virtual machine.

2. When your machine starts up, log in with the name and password you chose in the previous project.

Ensuring that You Have an Internet Connection

3. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Accessories, Terminal.

4. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ping ubuntu.com

5. You should see lines starting "64 bytes from", as shown to the right on this page. Press Ctrl+C to stop the pinging.

6. If you don't see any replies, your virtual machine is not connected to the Internet. You need to be connected to the Internet to proceed with this project. Try troubleshooting it with the instructions titled "Fixing Problems with Ubuntu on VMware", which is in the printed lecture notes and homework, and available on my Web page samsclass.info on the CNIT 123 Page in the Projects section.

Installing nmap, zenmap, and wireshark

7. If you don't have a Terminal window open, open one by clicking Applications, Accessories, Terminal.

8. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   sudo apt-get update
   Enter your password when you are prompted to. This command updates your software repository lists, so your system can find all the software packages that are available.

9. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   sudo apt-get -y install nmap zenmap wireshark
   Wait while the software downloads and installs.

10. This installs the three programs we need:
   nmap: the most famous port scanning software in the world
   zenmap: the graphical front end to the nmap port scanner
   wireshark: the excellent graphical packet sniffer

Port Scanning Your Own Ubuntu Machine With zenmap

11. If you don't have a Terminal window open, open one by clicking Applications, Accessories, Terminal.

12. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   sudo zenmap
   Enter your password if you are prompted to.

13. In the Zenmap window, enter a Target: of 127.0.0.1. Accept the default Profile: of Intense Scan, as shown below on this page. Click the Scan button.

14. In the lower portion of the results pane, you should see a chart showing the open ports. Your Ubuntu machine should have port 631/tcp open, and it may have other ports open too, such as 22/tcp as shown in the figure on the previous page. These open ports show listening processes on the Ubuntu machine. Port 631 is used for printer sharing, and it's open by default on a freshly installed Ubuntu machine.

Finding the IP Address of Your Host Machine

15. In the Windows XP host machine (not the Ubuntu virtual machine), click Start, Run. In the Run box, enter cmd and press the Enter key. In the Command Prompt window, enter the IPCONFIG command and press the Enter key. Several IP addresses appear. Find the one that starts with 192.168.1 and write it in the box to the right on this page.

   Host IP: ____________________

Port Scanning Your Own Host Machine

16. In the Zenmap window, enter the IP address of your host machine. Click the Scan button.

17. If your host machine has the normal firewall settings, you will get results as shown below on this page, showing ports 135, 139, and 445 open. If you show no ports open at all, your host machine may have its firewall set to block all unsolicited incoming traffic. Nmap tries to guess the operating system from the responses, but it isn't very accurate. It identified my Win XP Service Pack 3 machine as either Win XP SP2 or Win 2003 Server.

Starting your Windows XP Virtual Machine

18. Open another instance of VMware Player or VMware Workstation. Launch your Windows XP virtual machine. Log in with your usual account, which is probably Student with no password.

Finding the IP Address of Your Windows XP Virtual Machine

19. In your Windows XP virtual machine, click Start, Run. In the Run box, enter cmd and press the Enter key. In the Command Prompt window, enter the IPCONFIG command and press the Enter key. Several IP addresses appear. Find the one that starts with 192.168.1 and write it in the box to the right on this page.

   Win XP VM IP: ____________________

Setting Your Windows XP Virtual Machine's Firewall to No Exceptions

20. In your trusted Windows XP virtual machine, click Start, Control Panel. If you see a heading of "Pick a category" in the right pane, click the "Switch to Classic View" link in the left pane. Double-click Windows Firewall.

21. In the Windows Firewall box, on the General tab, click the "On (recommended)" radio button. Check the "Don't allow exceptions" box, as shown to the right on this page. Click the OK button.

Port Scanning Your Windows XP Virtual Machine With the Firewall On, No Exceptions

22. In the Zenmap window, enter the IP address of your Windows XP virtual machine. Click the Scan button.

23. You should get results as shown below on this page, saying "All 1714 scanned ports are filtered". That's what the firewall does: it blocks all responses to unexpected SYN packets, on all ports.

Saving a Screen Image

24. Click outside the virtual machine to make the host machine's desktop active. Press the PrintScrn key to copy the whole desktop to the clipboard.

25. In the host machine, click Start, Programs, Accessories, Paint.

26. In the "untitled - Paint" window, select Edit, Paste from the menu bar. The desktop appears in the Paint window, with only a corner of it visible.

27. In the "untitled - Paint" window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 5a. Select a "Save as type" of JPEG.

Setting Your Windows XP Virtual Machine's Firewall to Off

28. In your Windows XP virtual machine, click Start, Control Panel. If you see a heading of "Pick a category" in the right pane, click the "Switch to Classic View" link in the left pane. Double-click Windows Firewall.

29. In the Windows Firewall box, on the General tab, check the "Off (not recommended)" box, as shown to the right on this page. Click the OK button.

Port Scanning Your Windows XP Virtual Machine With the Firewall Off

30. In the Zenmap window, verify that the IP address of your Windows XP virtual machine is still in the Target: box. Click the Scan button.

31. You should get results as shown below on this page, showing a few open ports: 135, 139, and 445. With the firewall off, several ports respond to the SYN packets.

Saving a Screen Image

32. Click outside the virtual machine to make the host machine's desktop active. Press the PrintScrn key to copy the whole desktop to the clipboard.

33. In the host machine, click Start, Programs, Accessories, Paint.

34. In the "untitled - Paint" window, select Edit, Paste from the menu bar. The desktop appears in the Paint window, with only a corner of it visible.

35. In the "untitled - Paint" window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 5b. Select a "Save as type" of JPEG.

Turning in Your Project

36. Email the JPEG images to me as attachments to a single email message. Send it to cnit.123@gmail.com with a subject line of Proj 5 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 12-28-08

Project 6: Analyzing Types of Port Scans

20 Points

What You Will Need

   An Ubuntu 8.04 virtual machine
   A Windows machine with the firewall off to scan. The instructions assume you are using a Windows XP virtual machine.

Starting your Windows XP Virtual Machine

1. Open VMware Player or VMware Workstation. Launch your Windows XP virtual machine. Log in with your usual account, which is probably Student with no password.

Finding the IP Address of Your Windows XP Virtual Machine

2. In your Windows XP virtual machine, click Start, Run. In the Run box, enter cmd and press the Enter key. In the Command Prompt window, enter the IPCONFIG command and press the Enter key. Several IP addresses appear. Find the one that starts with 192.168.1 and write it in the box to the right on this page.

   Win XP VM IP: ____________________

Setting Your Windows XP Virtual Machine's Firewall to Off

3. In your Windows XP virtual machine, click Start, Control Panel. If you see a heading of "Pick a category" in the right pane, click the "Switch to Classic View" link in the left pane. Double-click Windows Firewall.

4. In the Windows Firewall box, on the General tab, check the "Off (not recommended)" box, as shown to the right on this page. Click the OK button.

Start Your Ubuntu 8.04 Virtual Machine

5. Open VMware Player or VMware Workstation. Launch your Ubuntu 8.04 virtual machine.

6. When your machine starts up, log in with the name and password you chose in the previous project.

Pinging the Windows XP Virtual Machine From the Ubuntu Machine

7. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Accessories, Terminal.

8. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ping ip-address
   Do not type the literal letters "ip-address"; replace them with the Win XP VM IP address you wrote on the first page of these instructions.

9. You should see lines saying "64 bytes from", as shown above on this page, indicating that you do have a working network connection between the two machines.

10. If you see the message "Destination host unreachable", something is wrong. Try opening a Web browser on both machines to make sure they are both connected to the Internet, and check the IP addresses. You need to get the two machines connected properly before you can proceed with this project.

11. When the ping is working properly, type Ctrl+C to stop the pinging.

Starting The Wireshark Network Analyzer

12. If you don't have a Terminal window open, open one by clicking Applications, Accessories, Terminal.

13. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   sudo wireshark
   Enter your password when you are prompted to. If the screen seems to freeze, try moving the windows around to reveal a box warning you that wireshark is running as root, as shown to the right on this page. Check the "Don't show this message again" box and click the OK button.

14. In the "The Wireshark Network Analyzer" window, click Capture, Interfaces. A list of interfaces appears, as shown below.

15. Find the device that connects to the Internet, usually eth0 or eth1. That device will show some packets detected (3 in the figure above), and an IP address starting with 192.168.1. Write your IP address in the box to the right on this page.

   Ubuntu IP: ________________________

16. In the "Wireshark: Capture Interfaces" box, in the eth0 or eth1 line that is capturing packets, click the Options button.

17. In the "Wireshark: Capture Options" box, click the "Capture Filter" button.

18. In the "Wireshark: Capture Filter" box, click the "IP address 192.168.0.1" button.

19. Click OK.

20. In the "Wireshark: Capture Options" box, in the "Capture Filter" box, edit the IP address to match the Ubuntu IP address you wrote in the box on the previous page. This will limit your capture to packets sent to or from your Ubuntu machine.

21. Click the Start button.

22. If you see a message saying "Save capture file before starting a new capture?", click "Continue without saving".

Starting zenmap

23. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Accessories, Terminal.

24. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   sudo zenmap
   Enter your password if you are prompted to.

Performing a Ping Sweep of the 192.168.1.0/24 Network

25. In the upper left of the zenmap window, click the "Command Wizard" button.

26. In the "Nmap command constructor wizard" box, accept the default selection of Novice, as shown to the right on this page. Click the Forward button.

27. In the next box, click Command and enter a Target of 192.168.1.0/24. (If you are working at home, you might be on a different subnet, so change these numbers as necessary to scan your own home subnet.) Then click the Forward button.

28. In the next box, make these selections, as shown below on this page:
   TCP scan: None
   Special scans: Ping scanning
   Timing: Aggressive
   Services version detection: Unchecked
   Operating system detection: Unchecked

29. Click the Forward button.

30. In the next box, click the "ICMP ping" box, as shown to the right on this page. Then click the Forward button.

31. In the next box, leave all the Target options unchecked and click the Forward button.

32. In the next box, leave all the Source options unchecked and click the Forward button.

33. In the next box, leave all the Other options unchecked and click the Forward button.

34. In the next box, click the Apply button.

35. The scan starts automatically. It will now ping every IP address in your subnet. This specifies the range 192.168.1.0 through 192.168.1.255; we will scan through the whole LAN (every real or virtual machine in S214).

36. When the sweep completes, you should see a list of the hosts that were found, as shown below. The IP addresses and the total number of hosts may be different, but you should detect at least two hosts: your Ubuntu and Windows XP machines.

Saving the Screen Image

37. Make sure you can see the message shown above on the screen, showing at least two hosts that appear to be up.

38. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.

39. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 6a.

Using Wireshark to Analyze the Ping Sweep

40. In the Wireshark capture window, click Capture, Stop. You should see a lot of ARP requests, as shown below on this page. Because you are scanning your own LAN, Nmap uses ARP broadcasts rather than ICMP packets to find hosts.

Performing a Connect Scan of the Windows XP Virtual Machine

41. In the upper left of the zenmap window, click the "Command Wizard" button.

42. In the "Nmap command constructor wizard" box, accept the default selection of Novice, and click the Forward button.

43. In the next box, click Command and enter the IP address of your Windows XP Virtual Machine into the Target box, as shown to the right on this page. Then click the Forward button.

44. In the next box, make these selections, as shown to the right on this page:
   TCP scan: TCP connect scan
   Special scans: None
   Timing: Aggressive
   Services version detection: Unchecked
   Operating system detection: Unchecked

45. Click the Forward button.

46. In the next box, click the "Don't ping before scanning" box, as shown to the right on this page. Then click the Forward button.

47. In the next box, leave all the Target options unchecked and click the Forward button.

48. In the next box, leave all the Source options unchecked and click the Forward button.

49. In the next box, leave all the Other options unchecked and click the Forward button.

50. In the next box, click the Apply button.

51. The scan starts automatically. When the scan completes, you should see a list of open ports including 135/tcp open, as shown to the right on this page.

Starting a New Wireshark Capture

52. In the "The Wireshark Network Analyzer" window, click Capture, Start.

53. If you see a message saying "Save capture file before starting a new capture?", click "Continue without saving".

Performing a Connect Scan of Port 135 only

54. In the upper left of the zenmap window, click the "Command Wizard" button.

55. In the "Nmap command constructor wizard" box, accept the default selection of Novice, and click the Forward button.

56. In the next box, click Command and enter the IP address of your Windows XP Virtual Machine into the Target box, as shown to the right on this page. Then click the Forward button.

57. In the next box, make these selections, as shown below on this page:
   TCP scan: TCP connect scan
   Special scans: None
   Timing: Aggressive
   Services version detection: Unchecked
   Operating system detection: Unchecked

58. Click the Forward button.

59. In the next box, click the "Don't ping before scanning" box. Then click the Forward button.

60. In the next box, click the "Ports to scan" box. Enter 135 into the box on that same line, as shown to the right on this page. Then click the Forward button.

61. In the next box, leave all the Source options unchecked and click the Forward button.

62. In the next box, leave all the Other options unchecked and click the Forward button.

63. In the next box, click the Apply button.

64. The scan starts automatically. When the scan completes, you should see one port open: 135/tcp open, as shown to the right on this page.

Using Wireshark to Analyze the Connect Scan

65. In the Wireshark window, click Capture, Stop.

66. You should see this pattern of four packets, as shown to the right on this page:
   [SYN]
   [SYN, ACK]
   [ACK]
   [RST, ACK]
   This is a complete TCP three-way handshake, followed by a RST to end the session.

Saving the Screen Image

67. Make sure the four packets are all visible: [SYN], [SYN, ACK], [ACK], [RST, ACK].

68. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.

69. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 6b.

Performing a SYN Scan of the Windows XP Virtual Machine

70. In the upper left of the zenmap window, click the "Command Wizard" button.

71. In the "Nmap command constructor wizard" box, accept the default selection of Novice, and click the Forward button.

72. In the next box, click Command and enter the IP address of your Windows XP Virtual Machine into the Target box. Then click the Forward button.

73. In the next box, make these selections, as shown to the right on this page:
   TCP scan: TCP SYN scan
   Special scans: None
   Timing: Aggressive
   Services version detection: Unchecked
   Operating system detection: Unchecked

74. Click the Forward button.

75. In the next box, click the "Don't ping before scanning" box and click the Forward button.

76. In the next box, leave all the Target options unchecked and click the Forward button.

77. In the next box, leave all the Source options unchecked and click the Forward button.

78. In the next box, leave all the Other options unchecked and click the Forward button.

79. In the next box, click the Apply button.

80. When the scan completes, you should see the same list of open ports you saw in the Connect scan, including 135/tcp open, as shown below on this page. The SYN scan is stealthier, but it still works.

Performing a NULL Scan of the Windows XP Virtual Machine

81. In the upper left of the zenmap window, click the "Command Wizard" button.

82. In the "Nmap command constructor wizard" box, accept the default selection of Novice, and click the Forward button.

83. In the next box, click Command and enter the IP address of your Windows XP Virtual Machine into the Target box. Then click the Forward button.

84. In the next box, make these selections:
   TCP scan: Null scan
   Special scans: None
   Timing: Aggressive
   Services version detection: Unchecked
   Operating system detection: Unchecked

85. Click the Forward button.

86. In the next box, click the "Don't ping before scanning" box and click the Forward button.

87. In the next box, leave all the Target options unchecked and click the Forward button.

88. In the next box, leave all the Source options unchecked and click the Forward button.

89. In the next box, leave all the Other options unchecked and click the Forward button.

90. In the next box, click the Apply button.

91. When the scan completes, you should see "All 1714 scanned ports are closed", as shown to the right on this page. The NULL scan is stealthy, but it fails on Windows machines.

Performing a SYN Scan of the Ubuntu Machine

92. In the upper left of the zenmap window, click the "Command Wizard" button.

93. In the "Nmap command constructor wizard" box, accept the default selection of Novice, and click the Forward button.

94. In the next box, click Command and enter an IP address of 127.0.0.1 into the Target box. Then click the Forward button.

95. In the next box, make these selections:
   TCP scan: TCP SYN scan
   Special scans: None
   Timing: Aggressive
   Services version detection: Unchecked
   Operating system detection: Unchecked

96. Click the Forward button.

97. In the next box, click the "Don't ping before scanning" box and click the Forward button.

98. In the next box, leave all the Target options unchecked and click the Forward button.

99. In the next box, leave all the Source options unchecked and click the Forward button.

100. In the next box, leave all the Other options unchecked and click the Forward button.

101. In the next box, click the Apply button.

102. When the scan completes, you should see port 631/tcp open, as shown to the right on this page. SYN scans work fine on Linux machines.

Performing a NULL Scan of the Ubuntu Machine

103. In the upper left of the zenmap window, click the "Command Wizard" button.

104. In the "Nmap command constructor wizard" box, accept the default selection of Novice, and click the Forward button.

105. In the next box, click Command and enter an IP address of 127.0.0.1 into the Target box. Then click the Forward button.

106. In the next box, make these selections:
   TCP scan: Null scan
   Special scans: None
   Timing: Aggressive
   Services version detection: Unchecked
   Operating system detection: Unchecked

107. Click the Forward button.

108. In the next box, click the "Don't ping before scanning" box and click the Forward button.

109. In the next box, leave all the Target options unchecked and click the Forward button.

110. In the next box, leave all the Source options unchecked and click the Forward button.

111. In the next box, leave all the Other options unchecked and click the Forward button.

112. In the next box, click the Apply button.

113. When the scan completes, you should see the same port(s) open, as shown to the right on this page; the NULL scan works on a Linux machine.

Starting a New Wireshark Capture of the lo Device

114. In the "The Wireshark Network Analyzer" window, click Capture, Interfaces.

115. In the "Wireshark: Capture Interfaces" box, in the lo line, click the Options button. Be careful: use the lo line, NOT the eth0 line. We want to capture "localhost" traffic.

116. In the "Wireshark: Capture Options" box, delete all the text in the "Capture filter:" box, as shown to the right on this page. Then click the Start button.

117. If you see a message saying "Save capture file before starting a new capture?", click "Continue without saving".

Performing a NULL Scan of Ports 631-632 on the Ubuntu Linux Machine

118. In the upper left of the zenmap window, click the "Command Wizard" button.

119. In the "Nmap command constructor wizard" box, accept the default selection of Novice, and click the Forward button.

120. In the next box, click Command and enter an IP address of 127.0.0.1 into the Target box. Then click the Forward button.

121. In the next box, make these selections:
   TCP scan: Null scan
   Special scans: None
   Timing: Aggressive
   Services version detection: Unchecked
   Operating system detection: Unchecked

122. Click the Forward button.

123. In the next box, click the "Don't ping before scanning" box and click the Forward button.

124. In the next box, click the "Ports to scan" box. Enter 631-632 into the box on that same line, as shown to the right on this page. Then click the Forward button.

125. In the next box, leave all the Source options unchecked and click the Forward button.

126. In the next box, leave all the Other options unchecked and click the Forward button.

127. In the next box, click the Apply button.

128. When the scan completes, you should see port 631/tcp open|filtered, and port 632/tcp closed, as shown to the right on this page. The NULL scan can tell a closed from an open port on a Linux machine.

Using Wireshark to Analyze the NULL Scan

129. In the Wireshark window, click Capture, Stop.

130. You should see a packet sent to "> ipp [ ]", which is port 631, as shown below on this page. The empty brackets [ ] indicate that none of the TCP flag (status) bits were set; this is a NULL packet. The NULL packet sent to "> ipp" (port 631) caused no reply, but the NULL packet sent to "> bmpp" (port 632) was answered with a [RST, ACK] packet, indicating that port 632 is closed.

Saving the Screen Image

131. Make sure you can see the three packets:
   > ipp [ ]
   > bmpp [ ]
   [RST, ACK]

132. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.

133. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 6c.

Turning in your Project

134. Email the JPEG images to me as attachments. Send the message to cnit.123@gmail.com with a subject line of Proj 6 From Your Name. Send a Cc to yourself.

Last modified 12-28-08

Project 7: Using a Software Keylogger What You Need for This Project
A trusted computer running any version of Windows, with Internet access. You need administrator privileges. This can be either a real or virtual machine. I recommend using your Target virtual machine. You will have to disable or uninstall any antivirus software that provides real-time protection, such as McAfee, because this keylogger is detected as malware and blocked.

Worth 10 Points

LEGAL WARNING!
Use only machines you own, or machines you have permission to hack into. Hacking into machines without permission is a crime! Don't do it! If you do illegal things, you may be arrested and go to jail, and I will be unable to save you. These instructions are intended to train computer security professionals, not to help criminals.

Downloading and Installing 7-Zip

1. You'll need 7-zip to open the keylogger installation file, because I compressed and encrypted it to prevent virus scanners from deleting it from my Web server.
2. Open a browser (Firefox, preferably) and go to 7-zip.org
3. Download and install the latest stable version of 7-zip, with the default options.

Creating a Restore Point

4. After the project is over, you'll want to get the keylogger off the machine. An easy way to do that is to use System Restore.
5. Click Start, Help and Support. In the Help and Support Center window, in the Pick a Task section, click Undo changes to your computer with System Restore. In the next screen, select Create a Restore Point and click Next. In the next screen enter a Restore Point Description of Your Name Restore Point for Project 7 and click Create. When you see the Restore Point Created message, click Close.

Downloading and Installing SC KeyLog PRO (Demo version)

6. Open a browser (Firefox, preferably) and go to samsclass.info. Click the "CNIT 123" link. On the CNIT 123 page, click Projects. On the line below "Project 7", click "Download SC Keylog Pro Demo", as shown below on this page.
7. Save the sc-keylogprodemo-password-sam.7z file on your desktop.


8. On your desktop, right-click the sc-keylogprodemo-password-sam.7z file and click 7-zip, "Extract Here", as shown to the right on this page.
9. In the "Enter password" box, type sam as shown to the right on this page. Click OK.
10. Double-click the keylogprodemo.exe file on your desktop and click through the installer, accepting all the default selections.
11. After installation, the SC-KeyLog PRO Demo should launch, showing a small gray box as shown to the right on this page. If it does not open automatically, click Start, All Programs, SC-KeyLog PRO DEMO, Main.

Using SC KeyLog PRO to Make a KeyLog Engine

12. In the SC-KeyLog PRO Demo box, click the Continue evaluation link. A large window opens titled Sc-KeyLog PRO *** Demo version *** with a smaller box in front of it titled SC-KeyLog Control Panel.
13. In the SC-KeyLog Control Panel, click Create SC-KeyLog Engine.
14. In the SC-KeyLog Engine Builder box, click Next.
15. In the next window, clear the Use email box. Emailed log files are a great feature, but as far as I can tell there is no way to make them work with the demo version. Click Next.
16. In the next window, enter a Stealth name of YOUR_NAME_Keylogger as shown to the right on this page. Don't use the literal words YOUR_NAME; use your own name instead.
17. It is possible to choose a sneakier name to conceal the keylogger's nature, but for this project we are not trying to be sneaky, just to see how it works.


18. Check the Installation message box and click the blue Edit link. Enter the text shown to the right, replacing YOUR NAME with your own name. Make sure the message has your name and my email address in it. Click OK.
19. In the SC-KeyLog Engine Builder window, click Next.
20. In the next window, you choose where to save the file. Accept the default of C:\fun.exe and click Next.
21. In the SC-KeyLog Engine Builder window, click Next.
22. The next window says Congratulations!, as shown to the right on this page. Verify that only the Install on this computer box is checked, as shown to the right on this page. Click OK.

Installing the Keylog Engine

23. A warning box appears as shown to the right on this page. Click Yes.
24. A message box with your name in the title and my email address in the body should appear, as shown to the right on this page.

Saving the Screen Image

25. Hold down the Alt key and press the PrntScn key to copy the active window to the clipboard: the Keylogger created by YOUR NAME box.
26. Click Start, Run. Enter the command mspaint and press the Enter key. Paint opens.
27. Press Ctrl+V on the keyboard to paste the image into the Paint window. Click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 7a. Select a Save as type of JPEG.
28. In the Keylogger created by YOUR NAME box, click OK.


Typing in Plain Text and a Password

29. Open Notepad and type in some text, including your name, as shown to the right on this page.
30. Open a browser and go to Gmail.com. Log in as JoeUser with a password of topsecretpassword. Don't use your real login name and password, because it will be captured in the Keylogger's DAT file. Click the Sign in button. You won't get in, because the password is wrong.

Finding the Log File

31. Click Start, My Computer. Double-click C:. If necessary, click Show the contents of this folder.
32. Double-click Windows. If necessary, click Show the contents of this folder.
33. Double-click System32. If necessary, click Show the contents of this folder.
34. Click View, Details. Click the Date modified header twice to sort by date, with the most recent files on top.
35. The Keylogger files are hidden system files. To make them visible, click Tools, Folder Options. Click the View tab. Click the Show hidden files and folders radio button. Scroll down and clear the Hide protected operating system files (Recommended) box. In the Warning box, click Yes. In the Folder Options box, click OK.
36. You should see a file with a name starting reggol (logger backwards), as shown below. The keystrokes will be stored in the file ending in .dat.


Viewing the Captured Keystrokes

37. In the SC-KeyLog Control Panel, click View Current Logfile.
38. Look through the Logged Data. You should be able to find the sentence you typed, and the user name and password you typed in, as shown below on this page.

Saving the Screen Image

39. Press the PrntScn key to copy the desktop to the clipboard.
40. Click Start, Run. Enter the command mspaint and press the Enter key. Paint opens.
41. Press Ctrl+V on the keyboard to paste the image into the Paint window.
42. Click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 7b. Select a Save as type of JPEG.
43. In the Keylogger created by YOUR NAME box, click OK.

Removing the Keylogging Software with System Restore

44. Click Start, Help and Support. In the Help and Support Center window, in the Pick a Task section, click Undo changes to your computer with System Restore.
45. In the next screen, select Restore my computer to an earlier time and click Next. When the Select a Restore Point screen appears, select the restore point labeled Your Name Restore Point for Project 7. Click Next. If a window opens warning you that changes made after this point will not be monitored, click OK. Click Next again to perform the System Restore.

Turning in your Project

46. Email the JPEG images to me as attachments to one e-mail message to cnit.123@gmail.com with a subject line of Proj 7 From Your Name. Send a Cc to yourself.

Last modified 12-28-08


Project 8: C Programming on Ubuntu

What You Will Need

15 Points

A Ubuntu machine

Starting Your Ubuntu Virtual Machine

1. Start your Ubuntu machine and log in as usual.
2. From the Ubuntu menu bar, click Applications, Accessories, Terminal.

Installing the Essential C Software

3. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   sudo apt-get install build-essential
   Give it your password when you are prompted to. After a message saying "After unpacking, <some amount> additional disk space will be used", when it asks you "Do you want to continue [Y/n]?", type Y and press the Enter key. Wait while software downloads and installs.

Writing the hello.c Source Code

4. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   pico hello.c
   The pico editor opens. Type in the program shown to the right on this page. Hold down the Ctrl key and press O to output your file. Press the Enter key to accept the filename and save your file. Hold down the Ctrl key and press X to exit pico.

Compiling hello.c to Create the hello.exe File

5. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   gcc hello.c -o hello.exe
   This command compiles the hello.c program, creating an executable machine language file named hello.exe. If you made any errors typing in the hello.c file, you will get error messages here. Use pico to fix the errors and recompile the file until it compiles without any errors.

Executing the hello.exe File

6. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ./hello.exe
   This command executes the hello.exe program. You should see Hello World! at the start of the next line, as shown to the right on this page.


7. This program works, but it would be nicer if it greeted you by name, and if it put a couple of newline characters after the greeting to make it cleaner-looking. The next version, hello2, will add these features.

Writing the hello2.c Source Code

8. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   pico hello2.c
   The pico editor opens. Type in the program shown to the right on this page. Hold down the Ctrl key and press O to output your file. Press the Enter key to accept the filename and save your file. Hold down the Ctrl key and press X to exit pico.

Compiling hello2.c to Create the hello2.exe File

9. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   gcc hello2.c -o hello2.exe
   This command compiles the hello2.c program, creating an executable machine language file named hello2.exe. If you made any errors typing in the hello2.c file, you will get error messages here. Use pico to fix the errors and recompile the file until it compiles without any errors.

Executing the hello2.exe File With Your Name

10. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ./hello2.exe
   This command executes the hello2.exe program. It should ask you for your name. When you type in your name, you should be greeted by name, as shown to the right on this page.

Crashing the hello2.exe File With a Long Name: Buffer Overflow

11. The hello2 program is poorly written, and exposes your machine to being exploited by hackers. That's because it takes the name from typed input and puts it in the name string, but the name string has a size limit: it only has enough room for 10 characters. Names longer than 10 characters will cause user-input data to overwrite parts of memory that were not intended to store data, making the program crash. This is a Buffer Overflow.
12. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ./hello2.exe
   This command executes the hello2.exe program.


13. When you see the What is your name? prompt, type in this name:
   12345678901234567890
   You should see a *** stack smashing detected *** message, as shown below on this page. Although this just crashes the machine, which could result in a denial of service, with carefully crafted false data it is often possible to use such errors to open a shell on the host, giving you complete control over it. That's how many of the Metasploit exploits work.

Saving the Screen Image

14. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.
15. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 8a. Select a Save as type of JPEG.

Writing the hello3.c Source Code

16. We need to patch this code, so we'll make another version. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   cp hello2.c hello3.c
   This makes a copy of hello2.c named hello3.c.
17. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   pico hello3.c
   The pico editor opens. Modify the scanf call to match the program shown to the right on this page. Hold down the Ctrl key and press O to output your file. Press the Enter key to accept the filename and save your file. Hold down the Ctrl key and press X to exit pico.

Compiling hello3.c to Create the hello3.exe File

18. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   gcc hello3.c -o hello3.exe
   This command compiles the hello3.c program, creating an executable machine language file named hello3.exe. If you made any errors typing in the hello3.c file, you will get error messages here. Use pico to fix the errors and recompile the file until it compiles without any errors.

Running the hello3.exe File With a Long Name

19. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ./hello3.exe
   This command executes the hello3.exe program. When you see the What is your name? prompt, type in this name:
   12345678901234567890
20. The program now just ignores any characters after the first ten. There is no error message, and no stack overflow. The program is patched. This is what many of those Microsoft security patches do: correct code to remove buffer overflow vulnerabilities. By the way, this is not a very complete fix, because it leaves some keyboard characters in an input buffer which could lead to unexpected results later in the program. For a more thorough way of patching scanf, see link Ch 7i.
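The hello2.c and hello3.c listings are in figures that are not reproduced on this page. As an added example, not the project's own source, the following C shows the pattern that step 11 and step 20 describe: a 10-character name array filled by an unbounded "%s" conversion, beside the patched conversion whose field width is one less than the array size, and beside the more thorough fix that step 20 alludes to, which notices when input had to be discarded instead of silently leaving it behind in the input buffer. The function names, and reading from an in-memory line with sscanf so the behaviour can be checked without a terminal, are my assumptions; only prompt_for_name reads stdin the way the project's programs do.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 10   /* the same 10-character limit the project's hello2.c uses */

/* hello2 pattern, kept only for side-by-side comparison: "%s" has no width
 * limit, so a 20-character name writes past the 10-byte array and trips the
 * stack protector ("*** stack smashing detected ***"). Do not use this. */
int read_name_unbounded(const char *line, char name[NAME_SIZE])
{
    return sscanf(line, "%s", name);            /* unbounded: overflow risk */
}

/* hello3 pattern: a field width of NAME_SIZE-1 leaves room for the NUL.
 * The width is generated from the buffer size (assumption: the project
 * hard-codes "%9s") so the limit cannot drift away from the array size.
 * Returns 1 if a name was read, 0 if the line was empty, -1 on a bad buffer. */
int read_name_bounded(const char *line, char *name, size_t name_size)
{
    char fmt[16];
    if (name_size < 2) return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", name_size - 1);   /* builds "%9s" */
    name[0] = '\0';
    return sscanf(line, fmt, name) == 1 ? 1 : 0;
}

/* The fuller fix step 20 points to (link Ch 7i): copy at most name_size-1
 * characters of the first word and report how many were discarded, so the
 * caller can reject an over-long name instead of quietly truncating it.
 * Returns the number of characters discarded (0 means the name fit). */
int read_name_checked(const char *line, char *name, size_t name_size)
{
    size_t len;
    while (*line == ' ' || *line == '\t' || *line == '\n') line++; /* as %s does */
    len = strcspn(line, " \t\r\n");              /* length of the first word */
    if (len < name_size) {
        memcpy(name, line, len);
        name[len] = '\0';
        return 0;
    }
    memcpy(name, line, name_size - 1);
    name[name_size - 1] = '\0';
    return (int)(len - (name_size - 1));
}

/* Terminal version: fgets is bounded by itself, and any remainder of an
 * over-long line is drained so a later read cannot pick it up by surprise. */
int prompt_for_name(char *name, size_t name_size)
{
    char line[256];
    int c;
    printf("What is your name? ");
    fflush(stdout);
    if (!fgets(line, sizeof line, stdin)) return 0;
    if (!strchr(line, '\n'))                    /* line longer than 255: drain it */
        while ((c = getchar()) != EOF && c != '\n') ;
    return read_name_bounded(line, name, name_size);
}

int main(void)
{
    char name[NAME_SIZE];
    if (prompt_for_name(name, sizeof name) == 1)
        printf("Hello %s!\n\n", name);
    return 0;
}
```

Compiled with gcc and run as in step 19, the 20-digit name is cut to 123456789 rather than smashing the stack; read_name_checked additionally reports that 11 characters were dropped, which is the information the plain "%9s" patch throws away.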

Saving the Screen Image

21. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.
22. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 8b. Select a Save as type of JPEG.

Using ping

23. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ping 192.168.1.1
   That number is the default gateway in S214. If you are not in S214, use your default gateway instead of that address. You should see a series of lines starting "64 bytes from" as shown below on this page. Ping will just continue sending packets until you terminate it by holding down the Ctrl key and pressing C.


24. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ping 192.168.1.1 -w1
   This makes ping faster: it stops after one second.

Writing the pingscan.c Source Code

25. We will make a simple ping scanner, like one of the Nmap functions. It will ping each of 100 IP addresses for one second to see if there is any response. This works, although it is a lot slower and clumsier than Nmap.
26. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   pico pingscan.c
   The pico editor opens. Type in the program shown to the right on this page. (If you are on a different subnet, replace 192.168.1 with the first 3 numbers in your LAN's IP address.) Hold down the Ctrl key and press O to output your file. Press the Enter key to accept the filename and save your file. Hold down the Ctrl key and press X to exit pico.

Compiling pingscan.c to Create the pingscan.exe File

27. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   gcc pingscan.c -o pingscan.exe
   This command compiles the pingscan.c program, creating an executable machine language file named pingscan.exe. If you see error messages, use pico to fix the errors and recompile the file until it compiles without any errors.

Executing the pingscan.exe File

28. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ./pingscan.exe
   The program prints 100 ping command lines on the terminal, as shown to the right on this page.
29. However, it doesn't execute the PINGs, it just prints out the commands. To make the commands execute, we need to put them into a file and make the file executable.


30. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ./pingscan.exe > ping100
   You see another prompt with no message, which is what Linux does when there is no problem.
31. The > sign is the output redirection operator, and it took the lines of text that were going to the screen and put them into a file named ping100 instead.
32. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ls
   Note that this command starts with a lowercase L, not the numeral 1. This shows a list of the files and directories in the working directory, as shown below. Your filenames will be different, but you should be able to see the ping100 file. Data files are in black letters, executable files are green, and directories are aqua. Note that the ping100 file is present, but in black letters: this file is not executable.
33. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   chmod a+x ping100
   This command changes the mode of the ping100 file to make it executable by all users.
34. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ls
   Find the ping100 file in the list and verify that it is now shown in green letters.


35. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ./ping100
   The ping scan should run, with results like those shown below on this page. It will take about 100 seconds to finish.

Saving the Screen Image

36. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.
37. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 8c. Select a Save as type of JPEG.

Turning in your Project

38. Email the JPEG images to me as attachments to a single email message. Send the message to cnit.123@gmail.com with a subject line of Proj 8 From Your Name. Send a Cc to yourself.

Credit:
I got some of this from crasseux.com/books/ctutorial/String-overflows-with-scanf.html (Link Ch 7i)
Last modified 9-16-07


Project 9: Perl Programming on Ubuntu

What You Will Need

10 Points

A Ubuntu machine

Introduction to Perl

1. Perl is a lot simpler to use than C. It's usually interpreted, so you don't need to compile it, and it's already included in Ubuntu so you don't have to install it. Perl is designed to handle text data, with useful functions for inputting data from Web forms and other structures, and manipulating it. Because they are simpler, Perl programs are called scripts.

Starting Your Ubuntu Virtual Machine

2. Start your Ubuntu machine and log in as usual.
3. From the Ubuntu menu bar, click Applications, Accessories, Terminal.

Writing the hello.pl Source Code

4. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   pico hello.pl
   The pico editor opens. Type in the program shown above on this page. Hold down the Ctrl key and press O to output your file. Press the Enter key to accept the filename and save your file. Hold down the Ctrl key and press X to exit pico.

Executing the hello.pl Script

5. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   perl hello.pl
   This command executes the hello.pl program. You should see Hello World! output, as shown to the right on this page.
6. This program works, but it would be nicer if it greeted you by name, and if it put a couple of newline characters after the greeting to make it cleaner-looking. The next version, hello2, will add these features.

Writing the hello2.pl Source Code

7. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   pico hello2.pl
   The pico editor opens. Type in the program shown below on this page. Hold down the Ctrl key and press O to output your file. Press the Enter key to accept the filename and save your file. Hold down the Ctrl key and press X to exit pico.

Executing the hello2.pl Script

8. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   perl hello2.pl
   This command executes the hello2.pl program. Type in your name and press Enter. You see the greeting, as shown below on this page.

Saving the Screen Image

9. Make sure the Terminal window is visible, showing your script operating correctly, as shown above on this page.
10. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.
11. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 9a. Select a Save as type of JPEG.

Using a Long Name

12. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   perl hello2.pl
   Give it a long name, a whole line of characters, then press the Enter key. The program just greets you, no matter how long your name is. You can even use several lines of characters, as shown below. There is no apparent limit to how long the input can be; you cannot overflow the buffer. Perl is less powerful than C, but also less dangerous.


Writing the pingscan.pl Source Code

13. We will make a simple ping scanner, like one of the Nmap functions. It will ping each of 100 IP addresses for one second to see if there is any response. This works, although it is a lot slower and clumsier than Nmap.
14. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   pico pingscan.pl
   The pico editor opens. Type in the program shown to the right on this page. (If you are on a different subnet, replace 192.168.1 with the first 3 numbers in your LAN's IP address.) Hold down the Ctrl key and press O to output your file. Press the Enter key to accept the filename and save your file. Hold down the Ctrl key and press X to exit pico.

Running the pingscan.pl Script

15. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   perl pingscan.pl
   The program prints 100 ping command lines on the terminal, as shown to the right on this page.
16. However, it doesn't execute the PINGs, it just prints out the commands. To make the commands execute, we need to put them into a file and make the file executable.

Using Redirection to Make the ping100a File

17. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   perl pingscan.pl > ping100a
   You see another prompt with no message, which is what Linux does when there is no problem.
18. The > sign is the output redirection operator, and it took the lines of text that were going to the screen and put them into a file named ping100a instead.

Making the ping100a File Executable

19. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   chmod a+x ping100a
   This command changes the mode of the ping100a file to make it executable by all users.
20. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ls
   Find the ping100a file in the list and verify that it is now shown in green letters.

Running the ping100a File

21. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ./ping100a
   The ping scan should run, with results like those shown below on this page. It will take about 100 seconds to finish.
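The pingscan.c listing from steps 25 to 29 of Project 8 and the pingscan.pl listing from steps 13 to 16 of this project are both figures not reproduced here. As an added example in C, the language of Project 8 and not either project's own source, the following builds the same 100 command lines into a buffer, checks that the prefix really is three octets before using it so a typo cannot aim the sweep at some other network, and refuses to overrun its buffer, applying the lesson of hello3.c. The function names are my assumptions; the command form follows step 24 of Project 8 (ping <address> -w1), so each line stops after one second just as the projects describe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if prefix is exactly three dotted decimal octets in 0..255
 * (for example "192.168.1"), 0 otherwise. Run before building the script
 * so a mistyped prefix produces an error instead of pings at the wrong LAN. */
int valid_prefix(const char *prefix)
{
    int octets = 0;
    const char *p = prefix;
    while (*p) {
        char *end;
        long v;
        if (*p < '0' || *p > '9') return 0;     /* must start with a digit */
        v = strtol(p, &end, 10);
        if (v < 0 || v > 255 || end - p > 3) return 0;
        octets++;
        p = end;
        if (*p == '.') p++;
        else if (*p) return 0;                  /* anything else is junk */
    }
    return octets == 3 && p[-1] != '.';         /* reject a trailing dot */
}

/* Write "ping <prefix>.<n> -w1" for n = first..last, one per line, into buf.
 * Returns the number of lines written, or -1 on a bad prefix/range or if buf
 * is too small. Unlike scanf("%s") into a fixed array, nothing is ever
 * written past buf[size-1]: snprintf reports how much it wanted, and a line
 * that would not fit is dropped whole rather than truncated. */
int build_ping_script(char *buf, size_t size, const char *prefix, int first, int last)
{
    size_t used = 0;
    int n, lines = 0;
    if (size == 0 || !valid_prefix(prefix) || first < 0 || last > 255 || first > last)
        return -1;
    buf[0] = '\0';
    for (n = first; n <= last; n++) {
        int w = snprintf(buf + used, size - used, "ping %s.%d -w1\n", prefix, n);
        if (w < 0 || (size_t)w >= size - used) {
            buf[used] = '\0';                   /* keep what fit, report failure */
            return -1;
        }
        used += (size_t)w;
        lines++;
    }
    return lines;
}

int main(void)
{
    char script[4096];      /* 100 lines of at most 23 characters fit easily */
    int lines = build_ping_script(script, sizeof script, "192.168.1", 1, 100);
    if (lines < 0) {
        fputs("bad prefix or buffer too small\n", stderr);
        return 1;
    }
    fputs(script, stdout);  /* redirect with > ping100, then chmod a+x ping100 */
    return 0;
}
```

Run it exactly as pingscan.exe was run in steps 30 to 35 of Project 8: redirect the output into a file, chmod a+x that file, and execute it. The difference from the project's version is only that a bad prefix or an undersized buffer makes the program exit with an error instead of printing commands for the wrong addresses.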

Saving the Screen Image

22. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.
23. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 9b. Select a Save as type of JPEG.

Turning in your Project

24. Email the JPEG images to me as attachments to a single email message. Send the message to cnit.123@gmail.com with a subject line of Proj 9 From Your Name. Send a Cc to yourself.

Last modified 12-30-08


Project 10: Python on Windows

What You Need for This Project

15 Points

A computer running Windows XP, with Internet access. You need administrator privileges. This can be either a real or virtual machine.

Downloading and Installing ActivePython


1. Start a browser and go to activestate.com
2. On the left side, click ActivePython.
3. Click the blue Get ActivePython button.
4. In the line labeled Download and Free, click the blue Download button.
5. The next page asks you for optional information; your name and email. Leave it blank and click Continue.
6. At the next page, find the latest version (ActivePython 2.4.3.11 when I did it). Find the Windows (x86) version and click the blue MSI link.
7. Save the file on your desktop and run it. Install the software with all the default selections.

Starting ActivePython
8. Click Start, All Programs, ActiveState ActivePython 2.4, Pythonwin IDE.

Hello World in Python


9. A PythonWin window opens, with an Interactive Window open inside it. At the >>> prompt, type in this command, then press the Enter key:
   print "Hello World!"
   The result is to print Hello World! on the next line in green text, as shown to the right on this page.

Making a Customized Greeting in Interactive Python


10. At the >>> prompt, type in this command, then press the Enter key:
   name = raw_input("What is your name: ")
11. A box pops up asking for your name, as shown to the right on this page. Type your name into the box, then press the Enter key.
12. The box vanishes and you are back at the original screen, with a >>> prompt. Your name has now been stored in the variable name. To see that, at the >>> prompt, type in this command, then press the Enter key:
   print name
   You should see your name printed in green text, as shown to the right on this page.


13. The variable name persists until you change it, or close PythonWin. You can use it again. To see that, at the >>> prompt, type in this command, then press the Enter key:
   print "Hello", name
   You should see your customized greeting.

Making hello.py: a Customized Greeting Python Script


14. The interactive window is good for simple, short actions, but it's not a good way to make a long script. To create a script, from the PythonWin menu bar, click File, New. In the New box, accept the default selection of Python Script and click OK.
15. Type in the script shown to the right on this page. The first two lines are comments, indicated by the # sign.
16. After typing in your script, from the PythonWin menu bar, click File, Save. Save it in the My Documents folder with the name hello. PythonWin will add the file extension .py to the file name.
17. To run the script, from the PythonWin menu bar, click File, Run. In the Run Script box, verify that it shows the hello.py script, and click OK.
18. When a box pops up asking for your name, type your name and press the Enter key.
19. Drag the hello.py window out of the way so you can see the Interactive Window. You should see >>> Hello YourName in black letters at the bottom, as indicated by the box in the figure to the right on this page.

Saving the Screen Image


20. Press the PrntScn key to copy the desktop to the clipboard.
21. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
22. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document in the Shared Documents folder with the filename Your Name Proj 10a. Select a Save as type of JPEG. Close Paint.


Starting a Netcat Listener in Ubuntu Linux

23. Now we'll open a socket from Python on Windows to Netcat on Linux, and transfer data both ways.
24. Start your Ubuntu Linux machine and log in as usual.
25. From the Ubuntu menu bar, click Applications, Accessories, Terminal.
26. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   ifconfig
   Find the IP address for your eth0 interface and write it in the box to the right on this page.
   Ubuntu IP: ________________________
27. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
   nc -h
   The help page for the nc command appears, as shown below on this page. Netcat is the full name of this networking utility; it is very useful (see link Ch 7o).


28. For now, all we want to do is listen for inbound data. After the $ prompt, type in this command, then press the Enter key:
   nc -l -p 4242
   Note that the first switch is a lowercase L, not the numeral 1. This will start a process listening on port 4242 on the Linux machine.

Displaying the Listening Sockets on the Ubuntu Machine


29. Leave the terminal window showing the nc command alone, and from the Ubuntu menu bar, click Applications, Accessories, Terminal to open a second Terminal window.
30. In the new Terminal window, after the $ prompt, enter this command, then press the Enter key:
   netstat -l --protocol=inet
   You should see a list of network connections that are listening, as shown below on this page. Look for the line that shows *:4242; that's the netcat listener, waiting for any incoming connections on port 4242.

Establishing a TCP Socket in Python on Windows


31. From the PythonWin menu bar, click File, New. In the New box, accept the default selection of Python Script and click OK.
32. Type in the script shown below on this page. Put your Ubuntu machine's IP address in the second line; that's the number you wrote in the box on a previous page of these instructions.


33. After typing in your script, from the PythonWin menu bar, click File, Save. Save it in the My Documents folder with the name client1. PythonWin will add the file extension .py to the file name.
34. Drag the hello.py window out of the way so you can see the Interactive Window.
35. To run the script, from the PythonWin menu bar, click File, Run. In the Run Script box, verify that it shows the client1.py script, and click OK.
36. Nothing happens on the Windows machine, unless you have made a typographical error in the script.

Observing the Session Established on the Windows Machine


37. Leave the PythonWin windows alone for now.
38. From the Windows desktop, click Start, Run. Type in CMD and press the Enter key.
39. In the Command Prompt window, enter this command and press the Enter key:
   netstat -n
   You should see a list of network connections. Look for the line that shows a Foreign Address ending with :4242 (second from the bottom in the figure below). The connection should show a State of ESTABLISHED.

Saving the Screen Image


40. Press the PrntScn key to copy the desktop to the clipboard.
41. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
42. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document in the Shared Documents folder with the filename Your Name Proj 10b. Select a Save as type of JPEG. Close Paint.

Receiving and Sending Data With the Ubuntu Linux Machine


43. Leave the PythonWin windows alone on the Windows XP machine.
44. Return to the Ubuntu machine. Look at the Terminal window that is running the netcat listener. You should see the text sent from the Windows machine on it: Hello from Windows! as shown to the right on this page.


45. Click in the Terminal window, and type in the message Hi from Linux! Then press the Enter key. Your Terminal window should now look like the figure to the right on this page.


Observing the Received Data on the Windows Machine


46. Go back to the Windows machine. In the Interactive Window, you should see the message received Hi from Linux! as shown to the right on this page.

Saving the Screen Image


47. Press the PrntScn key to copy the desktop to the clipboard.
48. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
49. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document in the Shared Documents folder with the filename Your Name Proj 10c. Select a Save as type of JPEG. Close Paint.

Turning in your Project


50. Email the JPEG images to me as attachments to one e-mail message to cnit.123@gmail.com with a subject line of Proj 10 From Your Name. Send a Cc to yourself.

Credits: richarddooling.com/index.php/2006/03/14/python-on-xp-7-minutes-to-hello-world/ (Link Ch 7l), coolnamehere.com/geekery/python/pythontut.html (Link Ch 7n), aspn.activestate.com/ASPN/docs/ActivePython/2.4/python/lib/socket-example.html (Link Ch 7p), and the book Gray Hat Hacking: The Ethical Hacker's Handbook (2004) by Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, and Michael Lester.
Last modified 12-30-08


Project 11: Windows Rootkit: Hacker Defender

15 Points

What You Need for This Project

1. A virtual machine running Windows XP (any version)

Copying the Virtual Machine


Make a copy of your VM for this project. Don't work with the original, because you will want to discard this VM after rootkitting it. This rootkit is not good for the machine. You can see one of the errors it caused on my virtual machine below; I don't think you will be able to trust your machine after doing this to it.

Starting the Windows XP Virtual Machine


2. Use VMware and start your copied virtual machine.


Downloading the Hacker Defender Rootkit

3. Open a browser on your Windows XP virtual machine and go to rootkit.com
4. On the left side, in the "Rootkit Collection" section, click "Hacker Defender".
5. In the download line, click link. If you see a certificate warning, click OK. This is evil software; we can expect security warnings. That's why we use a virtual machine we intend to discard for this nasty stuff.
6. Save the hxdef100r.zip file on your desktop.
7. Close all windows.
8. On your desktop, double-click the hxdef100r.zip file.
9. In the hxdef100r.zip window, double-click the readmeen file.
10. Scan this file; it's interesting. This rootkit was in actual use on many infected systems according to your textbook author, and the readme file claims that there are commercial versions with more features. This is an example of illegal commercial software: malware authors sell their programs, and sometimes even try to fight piracy of them.

Installing the Hacker Defender Rootkit

11. Click Start, "My Computer". Double-click the C: drive to open it. If necessary, click "Show the contents of this folder".
12. Drag the hxdef100.ini file to the C: window and drop it there. If your antivirus software stops it, turn off your antivirus software. For McAfee antivirus, the steps are:
 a. Right-click the shield icon in the taskbar tray, on the lower right of the desktop
 b. Click "Disable On-Access Scan"
13. Drag the hxdef100.exe file to the C: window and drop it there.

Customizing the Configuration File

14. In the C: window, double-click the hxdef100.ini file. It's messy, with a lot of added <, >, /, and \ characters, as shown to the right on this page.
15. From the Notepad menu bar, click Edit, Replace.
16. In the "Find what:" box, type < and click the "Replace All" button.
17. Empty the "Find what:" box, and type > into it. Click the "Replace All" button.
18. Empty the "Find what:" box, and type / into it. Click the "Replace All" button.
19. Empty the "Find what:" box, and type \ into it. Click the "Replace All" button.
20. Empty the "Find what:" box, and type " into it. Click the "Replace All" button.
21. Empty the "Find what:" box, and type : into it.
22. Click the "Replace All" button.

23. The file should be much cleaner now, as shown to the right on this page. From the Notepad menu bar, click File, Save.
24. In the [Hidden Processes] section, add this line, as shown to the right on this page:

notepad.exe

25. In the [Hidden Ports] section, modify the TCPO line to look like this, as shown to the right on this page:

TCPO:80

26. From the Notepad menu bar, click File, Save.
27. The rootkit is now configured to hide the Notepad process, and also outgoing HTTP connections (port 80).

Viewing the Notepad Process with Task Manager


28. Right-click the taskbar and click "Task Manager". In "Windows Task Manager", click the Processes tab. The notepad.exe process should be visible, as shown to the right on this page.


Viewing Network Connections with NETSTAT

29. Open a Web browser and go to www.ccsf.edu
30. Click Start, Run. Type in CMD and press the Enter key.
31. In the Command Prompt window, type this command, and then press the Enter key:

NETSTAT

32. You should see some connections to cloud.ccsf.cc.cca.us:http, as shown below on this page.

Running the Rootkit


33. In the Command Prompt window, type this command, and then press the Enter key:

cd \

This changes the working directory to C:\, where the rootkit is.
34. In the Command Prompt window, type this command, and then press the Enter key:

hxdef100.exe -:noservice

This starts the rootkit normally.
35. In the Command Prompt window, type this command, and then press the Enter key:

dir

36. The rootkit files are no longer present in the directory, as shown to the right on this page. The rootkit is working!


Examining the C: drive with Windows Explorer

37. Click Start, "My Computer". Double-click the C: drive to open it. If you already have a C: window open, click View, Refresh.
38. You should see folders, but no files starting hxdef, as shown below on this page.

Capturing a Screen Image

39. Click outside the virtual machine to make the host operating system active.
40. Press the PrintScrn key in the upper-right portion of the keyboard.
41. Click Start, Programs, Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar.
42. In the untitled - Paint window, click File, Save. Select a Save as type of JPEG. Save the document with the filename Your Name Proj 11a.

Examining Processes with Task Manager

43. Click Start, Programs, Accessories, Notepad.
44. Right-click the taskbar and click "Task Manager". In "Windows Task Manager", click the Processes tab. Click the "Image Name" header to sort the processes alphabetically. The notepad.exe process should be invisible, as shown to the right on this page.

Capturing a Screen Image

45. Make sure the Notepad window is visible, and that the Task Manager window shows an alphabetical list that clearly shows that notepad.exe is absent.
46. Click outside the virtual machine to make the host operating system active.
47. Press the PrintScrn key in the upper-right portion of the keyboard.
48. Click Start, Programs, Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar.
49. In the untitled - Paint window, click File, Save. Select a Save as type of JPEG. Save the document with the filename Your Name Proj 11b.

Viewing Network Connections with NETSTAT

50. Open a Web browser and go to www.ccsf.edu
51. Click Start, Run. Type in CMD and press the Enter key.
52. In the Command Prompt window, type this command, and then press the Enter key:

NETSTAT

53. The list of connections should not show any connections to :http addresses, as shown below on this page.

Capturing a Screen Image

54. Make sure the browser is visible, showing a Web page, and the NETSTAT output is also visible, showing that there are no HTTP connections. The contradiction between these two items demonstrates that the rootkit is working.
55. Click outside the virtual machine to make the host operating system active.
56. Press the PrintScrn key in the upper-right portion of the keyboard.
57. Click Start, Programs, Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar.
58. In the untitled - Paint window, click File, Save. Select a Save as type of JPEG. Save the document with the filename Your Name Proj 11c.

Turning in Your Project

59. Email the JPEG images to me as attachments to one e-mail message. Send it to: cnit.124@gmail.com with a subject line of Proj 11 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Returning Your Machine to Normal Function

60. Simply restarting the machine should stop the rootkit. And the antivirus should remove it. But I don't recommend trusting any of that; just delete the virtual machine. That's what virtual machines are for.

Last Modified: 12-30-08

Project 12: Using Ophcrack to Crack Windows XP Passwords

15 points

What You Need for This Project

A computer running Windows XP (any version). This can be either a real or virtual machine. You don't need administrator privileges; you don't need any login account at all on the Windows XP machine. You need physical access to the Windows XP machine, and the ability to boot from a CD.

LEGAL WARNING!
Use only machines you own, with passwords you created, or machines with accounts you have permission to hack into. Stealing passwords, or even possession of them without permission from the owners, is a crime! Don't do it! If you do illegal things, you may be arrested and go to jail, and I will be unable to save you. These instructions are intended to train computer security professionals, not to help criminals.

Start Your Host Machine

1. Log in as usual with your CCSF ID and the password you chose in project 1.

Starting your Windows XP Machine

2. Double-click the VMware Workstation icon on the desktop.
3. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab. On the Home tab, click the Open Existing VM or Team icon. Navigate to the V: drive, open your folder, open the Win XP Pro for Hacking folder, and double-click the Windows XP Professional.vmx file. You should see a Windows XP Professional VM in the Powered Off state.
4. In the Windows XP Professional VMware Workstation window, on the left side, click the Start this virtual machine link.
5. When your machine starts up, click the Student account to log in. There is no password, and the Student account has Administrative privileges.

Creating Passwords to Crack

6. Click Start, right-click My Computer, and click Manage. In Computer Management, in the left pane, expand the Local Users and Groups container.
7. In the left pane of Computer Management, click the Users container. You should see some accounts in the right pane, as shown below on this page.

Deleting Unused Accounts

8. If you are using the Windows XP image in the S214 lab, there are some extra accounts named User1, User2, User3, etc. Those accounts are not important, and it's best to get them out of the way to avoid confusion.
9. In the right pane of Computer Management, right-click User1 and click Delete.
10. In the Local Users and Groups box, click Yes.
11. Repeat the process for all the accounts with names starting with User. Be careful! Don't delete the Student account or you won't be able to get back into your own virtual machine easily.

Creating Test Passwords

12. Fill in the table below with passwords to test. Don't just use my examples, which are very weak; scramble the letters and numbers to make passwords that are hard to remember and hard to guess. The only exception is Test15a; for that account, use the exact password I have given: fifteen a characters.

Account    Password type                                    Password
Testa6     Six letters like abcdef                          _______________________________
Testa12    Twelve letters like abcdefghijkl                 _______________________________
Testan6    Six letters and numbers like abc123              _______________________________
Testan12   Twelve letters and numbers like abcdef           _______________________________
Testas6    Six letters with symbols like abc!@#             _______________________________
Testas12   Twelve letters with symbols like abcdef!@#$%^    _______________________________
Test15a    Fifteen letter a's                               aaaaaaaaaaaaaaa
Testx      A password you think is reasonably secure        _______________________________

Creating Test Accounts

13. In the left pane of Computer Management, right-click Users and click New User.
14. In the New User box, enter a user name of Testa6 and the password you wrote down above, and click Create. The check boxes in the lower section of the New User box don't matter, because no one will really be using these accounts.
15. Repeat the process to create all the accounts in the box above.

Shutting Down Your Machine

16. Click Start, Turn Off Computer, Turn Off.

Getting the Ophcrack CD Image

17. You need the Ophcrack CD image, or a bootable CD. If you are working in the S214 lab, the image is already there in the V:\Install folder. If you are working at home, you can either copy it from there onto a large storage device, or burn a bootable CD in the lab, or download it yourself from http://ophcrack.sourceforge.net/

Setting the Virtual CD to Use the Ophcrack CD Image

18. If you are working at home, use VMmanager to direct the virtual CD to the Ophcrack ISO image. If you are working in S214, do the steps below:
 a. Make sure your virtual machine is powered down. You cannot change these settings while it's on.
 b. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab.
 c. On the Home tab, click the Open Existing VM or Team icon. Navigate to the V: drive, open your folder, open the Win XP Pro for Hacking folder, and double-click the Windows XP Professional.vmx file. You should see a Windows XP Professional VM in the Powered Off state.
 d. From the Menu bar, select VM, Settings.
 e. In the Virtual Machine Settings box, click CD-ROM in the left pane. In the right pane, click Use ISO Image. Click the Browse button and navigate to V:\Install\ophcrack-livecd-1.1.3.iso
 f. Click OK to close the Virtual Machine Settings box.
 g. Click Start this virtual machine.

Booting from the Ophcrack CD Image

19. The virtual machine should boot from the CD. If it doesn't, you may have to click in the blank window, press F2, and adjust the boot order in the BIOS.
20. Ophcrack loads Slackware Linux and automatically runs the Ophcrack rainbow table cracker. A window should appear, with the user accounts listed, and passwords slowly filling in one-by-one as Ophcrack finds them.
21. Wait until the Time elapsed shown in the lower right corner reaches at least 200 seconds. By then, Ophcrack should have found several of your passwords. Then capture this screen image.

Saving a Screen Image

22. Click outside the virtual machine to make the host machine's desktop active.
23. Press the PrintScrn key to copy the whole desktop to the clipboard.
24. In the host machine, click Start, Programs, Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar. The desktop appears in the Paint window, with only a corner of it visible.
25. In the untitled - Paint window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 12a. Select a Save as type of JPEG.

Learning about LM Hashes

26. Windows XP passwords are very insecure! With Ophcrack, anyone could easily crack almost any password of the usual length (8 characters or so). This is because Windows XP uses LM Hashes. To learn about LM Hashes, open a browser and read this brief article:

http://en.wikipedia.org/wiki/LM_hash

27. Find the answers to the two questions in the box to the right on this page. You will need to send these answers in with the images at the end of this project.

A: Microsoft replaced LM hashes with NTLM hashes. What operating systems used LM hashes only?
_____________________________________________________
B: Does Windows Vista still use LM Hashes?
_____________________________________________________
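An added example (mine, not the project's) of what happens to a password before Windows XP DES-encrypts it into an LM hash. These preprocessing steps are why Ophcrack's tables work on the Test accounts, and the nolmhash switch in the code models the NoLMHash Registry value set later in this project, which is what produces the /EMPTY/ result. The 69-character alphabet used for the size estimate is an assumption.

```python
# The fixed-key DES step that follows these transformations is left out on purpose:
# it adds no strength, and everything that makes LM weak happens before it.

LM_MAX_LEN = 14        # passwords longer than this get no LM hash at all
LM_HALF = 7            # each half is hashed separately with a 56-bit DES key
LM_ALPHABET = 69       # assumption for the estimate: A-Z, 0-9 and 33 symbols after upper-casing


def lm_halves(password):
    """Return the two 7-byte DES inputs LM derives from a password, or None if no LM hash is stored.

    The weakening steps: case is discarded (upper-cased), the result is NUL-padded to 14 bytes,
    and the 14 bytes are split into two halves that are hashed independently of each other.
    """
    if len(password) > LM_MAX_LEN:
        return None
    data = password.upper().encode("ascii")   # LM really uses the OEM code page; ASCII is enough here
    data = data.ljust(LM_MAX_LEN, b"\x00")
    return data[:LM_HALF], data[LM_HALF:]


def lm_weaknesses(password, nolmhash=False):
    """Summarise why Ophcrack can (or cannot) recover this password from its LM hash.

    nolmhash=True models the NoLMHash value set to 1: Windows then stores only the NT hash for
    passwords changed afterwards, and Ophcrack shows /EMPTY/ in the LM column for that account.
    """
    halves = None if nolmhash else lm_halves(password)
    if halves is None:
        return {"lm_stored": False, "halves": None, "at_most_7_chars": None,
                "candidates_per_half": 0}
    first, second = halves
    return {
        "lm_stored": True,
        "halves": halves,
        # the second half of a password of 7 characters or fewer is all NUL bytes, whose DES
        # output is a well-known constant: the length class is visible before any cracking
        "at_most_7_chars": second == b"\x00" * LM_HALF,
        # each half is attacked on its own: at most 69**7 candidates instead of 95**14
        "candidates_per_half": LM_ALPHABET ** LM_HALF,
    }


def keyspace_ratio(mixed_case_alphabet=95, length=14):
    """How many times smaller the LM search space is than a whole 14-character password."""
    whole = mixed_case_alphabet ** length
    lm = 2 * LM_ALPHABET ** LM_HALF     # two halves, each tried independently
    return whole // lm


if __name__ == "__main__":
    for pw in ("abcdef", "abcdefghijkl", "a" * 15):
        print(pw, lm_weaknesses(pw))
    print("LM is about %.0e times easier than a full 14-character search" % keyspace_ratio())
```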

Shutting Down Ophcrack and Restarting Windows XP


28. Your virtual machine is still running Ophcrack. To stop it, right-click a blank part of the desktop and click Logout.
29. When your virtual machine has shut down, do these steps to disconnect the virtual CD from the Ophcrack ISO image file:
30. From the Menu bar, select VM, Settings.
31. In the Virtual Machine Settings box, click CD-ROM in the left pane. In the right pane, click Use physical drive.
32. Click OK to close the Virtual Machine Settings box.
33. Click Start this virtual machine. Windows XP should start. Log in as Student.


Setting a Restore Point

34. LM hashes are not a bug in Windows XP; they are a deliberate feature. So turning them off is just a matter of adjusting Windows XP with a single Registry key. Before changing the Registry, it is a good practice to create a Restore Point, so you can recover if you make a mistake. Click Start, Help and Support. In the Help and Support Center window, in the Pick a Task section, click Undo changes to your computer with System Restore.
35. In the next screen, select Create a Restore Point and click Next. In the next screen enter a Restore Point Description of Your Name Restore Point for Project 12 and click Create.

Hardening Windows XP: Removing LM Hashes

36. Click Start, Run. Enter REGEDIT and press the Enter key.

37. In the left pane of the Registry Editor window, click the + sign to expand the HKEY_LOCAL_MACHINE key. Then expand these keys:

SYSTEM
CurrentControlSet
Control

38. Click the Lsa key to select it. Your Registry Editor window should look like the example shown to the right on this page.
39. If the nolmhash key is present, right-click it and click Modify. If it's not already there, do this:
 a. On the Edit menu, point to New, and then click DWORD Value.
 b. A new value appears in the right pane, with its name highlighted. Type in the name NoLMHash, and then press Enter.
 c. On the Edit menu, click Modify.

40. In the Edit DWORD Value box, enter a Value data: of 1, and then click OK.
41. Restart your computer.
42. Log in as Student.

Changing the Password for the Testa6 Account

43. Click Start, right-click My Computer, and click Manage. In Computer Management, in the left pane, expand the Local Users and Groups container. Click the Users container to select it.
44. Right-click the Testa6 account in the right pane and select Set password. In the Set password for Testa6 box, click Proceed.
45. In the Set password for Testa6 box, enter a new password of any length in both boxes. Click OK.

Running Ophcrack Again

46. Repeat the steps you did previously, under the headings Setting the Virtual CD to Use the Ophcrack CD Image and Booting from the Ophcrack CD Image.
47. You should see results as shown to the right on this page; the Testa6 account shows /EMPTY/ because there is no LM Hash and Ophcrack cannot crack its password. Notice that the unchanged passwords are still vulnerable, because the previously created LM Hashes are still present.

Saving a Screen Image

48. Click outside the virtual machine to make the host machine's desktop active.
49. Press the PrintScrn key to copy the whole desktop to the clipboard.
50. In the host machine, click Start, Programs, Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar. The desktop appears in the Paint window, with only a corner of it visible.
51. In the untitled - Paint window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 12b. Select a Save as type of JPEG.

Turning in Your Project

52. Email the JPEG images to me as attachments to a single email message. Answer the questions in the body of the email message. Send it to: cnit.123@gmail.com with a subject line of Proj 12 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 9-20-07

Project 13: Using the Ultimate Boot CD to Create Admin. Accts.

10 pts.

What You Need for This Project

A computer running Windows XP (any version). This can be either a real or virtual machine. You don't need administrator privileges; you don't need any login account at all on the Windows XP machine. You need physical access to the Windows XP machine, and the ability to boot from a CD.

LEGAL WARNING!
Use only machines you own, or machines you have permission to hack into. Accessing computers without permission from the owners is a crime! Don't do it! If you do illegal things, you may be arrested and go to jail, and I will be unable to save you. These instructions are intended to train computer security professionals, not to help criminals.

Getting the Ultimate Boot CD Image

1. You need the Ultimate Boot CD image, or a bootable CD of it. If you are working in the S214 lab, the image is already there in the V:\Install folder.
2. If you are working at home, you can copy it from there onto a large storage device, or burn a bootable CD in the lab, or download it yourself from ubcd4win.com; you need to download "UBCD4WinV303.exe" and then run it. It performs a long installation process; it takes two hours or more, and requires a Windows installation CD.

Setting the Virtual CD to Use the Ultimate Boot CD Image

3. If you are working at home, use VMmanager to direct the virtual CD to the Ultimate Boot CD ISO image. If you are working in S214, do the steps below:
 a. Make sure your virtual machine is powered down. You cannot change these settings while it's on.
 b. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab.
 c. On the Home tab, click the Open Existing VM or Team icon. Navigate to the V: drive, open your folder, open the Win XP Pro for Hacking folder, and double-click the Windows XP Professional.vmx file. You should see a Windows XP Professional VM in the Powered Off state.
 d. From the Menu bar, select VM, Settings.
 e. In the Virtual Machine Settings box, click CD-ROM in the left pane. In the right pane, click Use ISO Image. Click the Browse button and navigate to V:\Install\UBCD4WinBuilder.iso
 f. Click OK to close the Virtual Machine Settings box.
 g. Click Start this virtual machine.

Booting from the Ultimate Boot CD Image

4. The virtual machine should boot from the CD. If it doesn't, you may have to click in the blank window, press F2, and adjust the boot order in the BIOS.
5. When you see the screen shown to the right on this page, accept the default selection of Launch "The Ultimate Boot CD for Windows", and press the Enter key.
6. When you see a box saying "Select shell to start," don't click anything; just wait for it to close.
7. When you see a box saying "Network support is not started yet. Do you want to start network support now?" click Yes.
8. In the "PE Network Configurator" box, accept the default of "Dynamic IP Address (DHCP)" and click OK.
9. In the "PE Network Configurator" box, accept the default of "Obtain an IP Address Automatically" and click OK.

Using Password Renew to Create a New Administrator User

10. When you see the desktop, click Start, Programs, Password Tools, Password Renew.
11. In the "Password Renew for NT's v. 1.1 BETA" box, in the lower right, click the "Select a target" button.
12. In the "Browse for folders" box, expand "(C:) Local Disk," click the WINDOWS folder, and click OK, as shown to the right on this page.
13. In the "Password Renew for NT's v. 1.1 BETA" box, in the left pane, click "Create a new Administrator user". In the right pane, enter a user name of drevil and a password you can remember, such as password, in both password boxes.
14. In the left pane, click "Install". A box should pop up saying "Password Renew for NTs is successfully done!" as shown to the right on this page.

Saving a Screen Image

15. Make sure the "Password Renew for NTs is successfully done!" message is visible. Press Ctrl+Alt to release the mouse cursor.
16. Click outside the virtual machine to make the host machine's desktop active.
17. Press the PrintScrn key to copy the whole desktop to the clipboard.
18. In the host machine, click Start, Programs, Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar. The desktop appears in the Paint window, with only a corner of it visible.
19. In the untitled - Paint window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 13. Select a Save as type of JPEG.

Testing the New Account

20. From the desktop, click Start, "Turn off computer." In the "Shut down windows" box, select Restart and click OK.
21. Click immediately in the virtual machine's window and press F2 to adjust the BIOS settings. Set the boot order to boot from the hard disk, not the CD.
22. Let Windows start up normally. You should see the drevil account on the Windows Welcome screen, as shown to the right on this page.
23. Click on drevil and enter the password you selected, such as password. When the desktop loads, double-click the clock in the lower right corner of the desktop. When the clock opens so you can set the time, that proves you are an Administrator.

Protecting Your Computers From This Attack

24. I don't know any defense against this. It is possible that a new Windows version would change the location of the NT password hashes, and cause this particular version of the tool to stop working, but it could just be updated. The only trustworthy way to prevent this would be to lock attackers out of the room with the computer in it. A BIOS password to prevent booting from the CD would slow an attacker down a bit, but all you need to do is open the system unit and remove the motherboard battery to defeat that.

Turning in Your Project

25. Email the JPEG image to me as an attachment. Send it to: cnit.123@gmail.com with a subject line of Proj 13 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 2-23-07

Project 14: Rootkitting Ubuntu Linux

Worth 20 Points

Copying Your Ubuntu Virtual Machine

1. DO NOT DO THIS PROJECT ON YOUR ORIGINAL UBUNTU LINUX MACHINE! Rootkits are very dangerous. I killed two machines developing this project. If you do everything correctly, you will clean the rootkit off, but if you do anything wrong, including shutting the machine down with the rootkit installed, your Ubuntu machine will be seriously damaged, to the point that it should just be discarded.
2. On the host Windows XP system, click Start, My Computer. Double-click the V: drive to open it, and double-click the YOURNAME_VMs folder to open it. Right-click the Ubuntu folder, hold down the right mouse button, move the mouse to the side about inch, and release the mouse button. Select "Copy Here" from the context menu. Wait until the copy completes; it should take about 3-5 minutes.

Start Your Freshly Copied Ubuntu Virtual Machine

3. Start your copied Ubuntu virtual machine and log in as usual.

Downloading the Rootkit

4. From the Ubuntu menu bar, click Applications, Internet, Firefox Web Browser. Go to http://samsclass.info/123/proj/fk.tkz
5. In the Opening fk.tkz box, click the Save to disk radio button. Click the OK button. The file saves on your desktop. Close all windows.

Extracting the Rootkit

6. On the desktop, double-click the fk.tgz file.
7. In the fk.tkz window, click the Extract button.
8. In the Extract box, click the Extract button. A fk-0.4 folder appears on the desktop.
9. From the Ubuntu menu bar, click Applications, Accessories, Terminal.
10. In the terminal window, enter this command, then press the Enter key:

cd Desktop

This changes the working directory to the Desktop, where you extracted the installation files.

Installing the Rootkit

11. In the terminal window, enter this command, then press the Enter key:

cd fk-0.4

This changes the working directory to the fk-0.4 folder.
12. In the terminal window, enter this command, then press the Enter key:

ls

You should see several files, including install and README.

13. In the terminal window, enter this command, then press the Enter key:

pico README

You should see the features and installation instructions, as shown below on this page. After reading the installation instructions, press Ctrl+X to exit pico.
14. In the terminal window, enter this command, then press the Enter key:

sudo ./install

If you are prompted for your password, enter it. You should see blue messages as the installation proceeds, followed by red messages saying you now own the box, and warning you to go clean the logs to hide your activities from the administrator, as shown to the right on this page.

Using netstat to View Active Connections

15. From the Ubuntu menu bar, click Applications, Internet, Firefox Web Browser. Go to www.ccsf.edu

16. In the terminal window, enter this command, then press the Enter key:
    netstat --protocol=inet
    You should see the network connections, as shown below, showing one or more connections to ccsf addresses, with :www added to the end, showing that they are connecting to port 80, the usual World Wide Web port.

17. Close Firefox.

Configuring the Rootkit to Hide Connections to Port 80

18. In the terminal window, enter this command, then press the Enter key:
    cd /dev/proc/fuckit/config
    This changes the working directory to the process directory, where the rootkit does its work.

19. In the terminal window, enter this command, then press the Enter key:
    ls
    Note these files: lports shows the local ports to hide, progs shows the programs to hide, and rports shows the remote ports to hide.

20. In the terminal window, enter this command, then press the Enter key:
    sudo pico rports
    If you are prompted for your password, enter it. In the pico text editor, add 80 to the end of the file, as shown to the right on this page. Press Ctrl+O and Enter to save the file. Press Ctrl+X to exit pico.

Using netstat to View Active Connections With the Rootkit Hiding Port 80

21. From the Ubuntu menu bar, click Applications, Internet, Firefox Web Browser. Go to www.ccsf.edu


22. In the terminal window, enter this command, then press the Enter key:
    netstat --protocol=inet
    You should see no www connections, even though the browser is clearly visible, as shown to the right on this page. The rootkit is hiding them.

Saving the Screen Image

23. Make sure the two windows are both visible, showing the browser and the netstat output.

24. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop.

25. Press the PrntScn key to copy the whole screen to the clipboard.

26. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 14a.

Installing the rkhunter Rootkit Detector

27. In the terminal window, enter this command, then press the Enter key:
    sudo apt-get install rkhunter

Running the rkhunter Rootkit Detector

28. In the terminal window, enter this command, then press the Enter key:
    sudo rkhunter -c
    If you are prompted for your password, enter it.

29. You should see a long list of binaries scroll by, and then the message [Press <ENTER> to continue]. Press Enter. rkhunter did not find anything wrong with the binary files on the hard disk.


30. Now rkhunter looks for known rootkits one-by-one in alphabetical order. When it gets up to F, it should find the rootkit, as shown below on this page.

Saving the Screen Image

31. Make sure the message saying Found parts of this rootkit/trojan is visible.

32. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop.

33. Press the PrntScn key to copy the whole screen to the clipboard.

34. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 14b.

Completing the rkhunter Scan

35. When you see the message [Press <ENTER> to continue], press Enter. rkhunter will do a lot of tests, and find a few more problems, all apparently connected with the rootkit you installed.

Removing the Rootkit

36. The rootkit does not crash the Ubuntu machine while it's running, but it won't restart, not even in Recovery mode. You can use the infected machine, and you can close VMware, saving the machine's running state, and restore that state, but you cannot shut it down normally. Do NOT shut down the infected Ubuntu machine. Just minimize its VMware window.

Starting the Clean Machine

37. Open a new VMware Workstation window.

38. Start your clean Ubuntu virtual machine and log in as usual.

Downloading the fix-fu Archive

39. In your clean Ubuntu machine, open Firefox and go to samsclass.info. Click the CNIT 123 link. On the next page, click Projects.

40. Scroll down to "Project 14". Find the fix-fu link next to "Project 14".

41. Right-click the fix-fu link. Click Save link as. Click Save to save the file on your desktop. Close Firefox.

42. On your Ubuntu desktop, double-click the fix-fu.tar.gz file. Click Extract. Click Extract.

43. A folder named fix-fu should appear on your desktop. Close all windows.


Examining the backup-fu Script in the Clean Machine

44. In your clean machine, from the Ubuntu menu bar, click Applications, Accessories, Terminal.

45. In the terminal window, enter this command, then press the Enter key:
    cd Desktop/fix-fu
    This changes the working directory to the folder containing the scripts.

46. In the terminal window, enter this command, then press the Enter key:
    cat backup-fu
    You should see the script, as shown to the right on this page. All it does is copy ten files into the fix-fu folder.

Saving the Screen Image

47. Make sure the Terminal window is visible, showing the ten cp commands.

48. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop.

49. Press the PrntScn key to copy the whole screen to the clipboard.

50. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 14c.

Running the backup-fu Script in the Clean Machine

51. In the terminal window, enter this command, then press the Enter key:
    sudo ./backup-fu
    Enter your password when you are prompted to. This executes the script, copying the files.

52. In the terminal window, enter this command, then press the Enter key:
    ls
    You should see the names of the files appear in green print, as shown below on this page.

Compressing the fix-fu Folder on the Clean Machine

53. On the Clean Machine Ubuntu desktop, right-click the fix-fu folder. In the context menu, click "Create Archive".

54. In the "Create Archive" box, click Create. A file named fix-fu.tar.gz appears on the desktop; this is a compressed archive, like a Windows Zip file.


Emailing the fix-fu.tar.gz Archive to Yourself

55. On the Clean Machine Ubuntu desktop, click the red Firefox icon at the top left of the screen.

56. Open an email account, and email the fix-fu.tar.gz archive to yourself as an attachment.

Shutting Down the Clean Ubuntu Virtual Machine

57. In the clean Ubuntu machine, click System, Quit, Shut down.

Copying the fix-fu.tar.gz Archive to the Infected Ubuntu Machine

58. From the Infected Ubuntu machine's menu bar, click the red Firefox icon at the top left of the screen.

59. Open your email, and download the fix-fu.tar.gz archive to your desktop.

60. On the Infected Machine Ubuntu desktop, right-click the fix-fu.tar.gz archive. In the context menu, click "Open with "Archive Manager"".

61. In the fix-fu.tar.gz box, click Extract.

62. In the Extract box, click Extract. A folder named fix-fu appears on the desktop.

Examining the fix-fu Script in the Infected Machine

63. In your infected machine, from the Ubuntu menu bar, click Applications, Accessories, Terminal.

64. In the terminal window, enter this command, then press the Enter key:
    cd Desktop/fix-fu
    This changes the working directory to the folder containing the scripts.

65. In the terminal window, enter this command, then press the Enter key:
    cat fix-fu
    You should see the script, as shown to the right on this page.

Saving the Screen Image

66. Make sure the Terminal window is visible, showing the ten cp commands.

67. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop.

68. Press the PrntScn key to copy the whole screen to the clipboard.

69. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 14d.


Running the fix-fu Script in the Infected Machine

70. In the terminal window, enter this command, then press the Enter key:
    sudo ./fix-fu
    Enter your password when you are prompted to. This executes the script, copying the files.

71. You should now be able to shut down and restart your previously infected machine normally. As far as I know, this completely fixes it.

Turning in your Project

72. Email the JPEG images to me as attachments to a single email message. Send the message to cnit.123@gmail.com with a subject line of Proj 14 From Your Name. Send a Cc to yourself.


Notes: How I Created the Fix

Here are the steps I used to create this fix. They may be helpful in fixing other rootkit infections. First I used the script shown to the right to create a file listing all the directories in the Ubuntu file system. Here's what the alldirs file looks like; it's very long, and this is just the first ten records. It lists every directory.

Then I used this perl script to create another file with md5sum commands for each directory.

This is the result; it's a long file, but here are the first ten lines. When I ran it, some of the directories made it crash, like the /dev ones, because the things in there are not exactly files. I just commented out the lines that made it crash, which were mostly in /dev or /proc directories, until the script ran without crashing. This means some files were not tested.


This is the result of running the script before installing the rootkit; it's a long file, but here are the first ten lines. This is a very useful file, showing the MD5 hash for every file on a clean Ubuntu machine, except for the /dev and /proc directories I excluded in the previous step. Then I installed the rootkit and immediately ran the md5 script again. This is the result. The first ten files match, but there are many thousands of files here.

To compare them, all I used was this command:
    diff beforefu afterfu
The results are shown to the right. I cleaned it up a bit, but this is a complete list of all the files that changed. Not a very long list at all! All I did was remove files that did not matter, such as log files, files I created during testing, and network and hard disk statistics files. There were three library files that were not present on my clean system, so I ignored them. It might have been a more complete fix to delete them on the infected system, but the fix seemed to work without worrying about them. That left the ten files to be copied and replaced.
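The before-and-after comparison described in these notes, as an added example that is my own script and not the perl script or md5 script the notes show: it builds a sorted md5sum baseline of a whole tree in one find pass instead of one command per directory, skips /dev, /proc and /sys, and lists every file whose hash changed or which appeared or disappeared. The file tree it runs on is constructed, and make_baseline and changed_files are names I chose.

```shell
#!/bin/sh
# Added example (not the course's scripts): the notes above generated one
# md5sum command per directory, ran that list before and after the rootkit,
# and diffed the two outputs. This does the same job in one find pass and
# skips /dev, /proc and /sys, whose entries are device and kernel
# pseudo-files rather than regular files (the directories that made the
# notes' script crash). On a real system run it as root and keep the
# baseline off the machine: a rootkit can alter md5sum or the baseline file.

# make_baseline ROOT OUTFILE
# Write one "md5  path" line for every regular file under ROOT to OUTFILE,
# in sorted order so that two baselines can be compared line by line.
make_baseline() {
    case $1 in
        /) root= ;;              # so "$root/dev" below reads as /dev
        *) root=${1%/} ;;
    esac
    out=$2
    find "${root:-/}" -xdev \
        \( -path "$root/dev" -o -path "$root/proc" -o -path "$root/sys" \) -prune \
        -o -type f -print |
        LC_ALL=C sort |
        while IFS= read -r f; do md5sum "$f"; done > "$out"
}

# changed_files BEFORE AFTER
# Print each path whose hash differs between the two baselines, or which is
# present in only one of them (a file added or removed), one per line.
# md5sum puts two spaces between hash and path; the sed strips the diff
# marker, the 32 hex digits and those two spaces, leaving the path.
changed_files() {
    diff "$1" "$2" | sed -n 's/^[<>] [0-9a-f]\{32\}  //p' | LC_ALL=C sort -u
}

# Constructed demonstration on a throwaway tree: take a clean baseline,
# replace one binary and add one library (what a rootkit install does),
# take a second baseline and list what differs.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin" "$demo_root/lib" "$demo_root/proc"
printf 'netstat, clean build\n' > "$demo_root/bin/netstat"
printf 'ls, clean build\n'      > "$demo_root/bin/ls"
printf 'libc\n'                 > "$demo_root/lib/libc.so.6"
printf 'kernel pseudo-file\n'   > "$demo_root/proc/cpuinfo"   # pruned, never hashed
make_baseline "$demo_root" "$demo_root.before"

printf 'netstat, replaced\n'    > "$demo_root/bin/netstat"     # trojaned binary
printf 'new library\n'          > "$demo_root/lib/libhide.so"  # file that was not there
make_baseline "$demo_root" "$demo_root.after"

echo "Changed or added since the clean baseline:"
changed_files "$demo_root.before" "$demo_root.after"
# prints the replaced bin/netstat and the new lib/libhide.so, nothing else
rm -rf "$demo_root" "$demo_root.before" "$demo_root.after"
```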
Last modified 12-30-08


Project 15: Using a Hardware Keylogger

10 points

What You Need for This Project

A computer of any sort, as long as it has a keyboard plug that fits into the keylogger (PS/2 or USB).
An ID card you can give your instructor in exchange for one of the keyloggers.

I wrote these instructions for the KeySpyer keyloggers I bought in April 2009.

LEGAL WARNING!
Only spy on machines you own, or machines you have permission to spy on. Using keyloggers on machines without permission is a crime! Don't do it! If you do illegal things, you may be arrested and go to jail, and I will be unable to save you. These instructions are intended to train computer security professionals, not to help criminals.

Plug in the Keylogger

23. Unplug the keyboard in the back of your computer and insert the hardware keylogger. Plug the keyboard back in.

Enter Text to Capture

24. Open Notepad and type in your name and project 15, as shown below on this page.

25. Open a browser and go to Gmail.com. Enter a user name of JoeUser and a password of TopSecretPassword. Don't log in with your real password! Your keystrokes are being recorded!

Entering the Password to View the Menu

26. Open another Notepad window and type in this password, followed by the Enter key:
    menu
    A menu appears, as shown on the next page. While the keylogger is in this mode, you won't be able to type into any other window; it grabs the keyboard and won't let go until you exit.

27. All you need to do for this project is dump the captured keystrokes, as shown on the next page, but feel free to experiment with the menu options. However, don't change the password! If you change the password, the device will become useless to everyone else, and there is no practical way to recover it.


Display the Captured Keystrokes

28. Type in the number 1

29. At the next prompt, type the letter w

30. The captured text appears, as shown to the right on this page.

Saving a Screen Image

31. Make sure the password TopSecretPassword is visible on the screen, as shown near the bottom of the image on the right on this page.

32. Press the PrintScrn key to copy the whole desktop to the clipboard.

33. Click Start, Programs, Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar. In the untitled - Paint window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Proj 15. Select a Save as type of JPEG.
    Note: If you cannot type in the file name, that means the keylogger is locking the keyboard. Go back to Notepad and type in x to exit the keylogger, or menu to see the menu again, and then x. If all else fails, physically disconnect the keylogger and plug the keyboard back in without it to make your keyboard respond.

Erasing the Memory

34. In the Notepad window, type in this password, followed by the Enter key:
    menu

35. Type in the number 0

36. At the next prompt, type Y

37. Wait until the process completes, and you see another KeySpyer -> prompt. Then type x to exit the keylogger menu mode.

Return the Keylogger to Your Instructor

38. Give the keylogger back, and reclaim your ID card.

Turning in Your Project

39. Email the JPEG image to me as an attachment to an email message. Send it to cnit.123@gmail.com with a subject line of Proj 15 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified 4-16-09


Project 16: Building a Web Server

15 Points

What You Will Need

A Windows XP machine to use as a Web server
A Windows XP Installation disk (or ISO file)

Setting the Windows XP Virtual Machine to See the CD Image

1. Double-click the VMware Workstation icon on the desktop. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab.

2. On the Home tab, click the Open Existing VM or Team icon. Navigate to the V: drive, open your folder, open the Windows XP for Hacking folder, and double-click the Windows XP Professional.vmx file.

3. On the left side, click the Edit virtual machine settings link.

4. In the Virtual Machine Settings box, click CD-ROM in the left pane. In the right pane, click Use ISO Image. Click the Browse button and navigate to V:\Install\en_winxp_pro_with_sp2.iso

5. Click OK to close the Virtual Machine Settings box.

6. On the left side, click the Start this virtual machine link.

7. As soon as the startup text appears in the window, click in the window and press the F2 key to edit the BIOS settings.

8. Adjust the Boot Order so that the hard disk is first. That will prevent your virtual machine from starting from the CD. Press F10 to Save and Exit, and Enter to confirm.

9. When your machine starts up, log in as Student, or any other account with Administrative privileges.

Installing Internet Information Services (IIS)

10. On the virtual machine's desktop, click Start, Control Panel. If you see a Pick a category header, click Switch to Classic View. Double-click Add or Remove Programs.

11. In the Add or Remove Programs box, click Add/Remove Windows Components.

12. In the Windows Components Wizard box, click the box next to Internet Information Services (IIS), as shown to the right on this page. If a firewall warning pops up, allow this program access to the Internet.

13. In the Windows Components Wizard box, click Next. Wait while files are installed.

14. In the Completing the Windows Components Wizard box, click Finish.

15. Close all windows.

Note: this is not a secure Web server. It is just the default IIS configuration. If you want a real Web server to host a Web site, this is only the first step.


Finding Your Web Server's IP Address

16. On the virtual machine's desktop, click Start, Run. Type in CMD and press the Enter key. Type in IPCONFIG and press the Enter key. Find the IP address of your machine; in S214, it starts with 192.168.1. Write that address in the box to the right on this page.
    Web Server IP: ____________________________

Downloading the Big Image

17. In the Web server, open a browser and go to samsclass.info. Click CNIT 123. Click Projects.

18. Right-click the Big Image link next to Project 16 and select Save link as. Save the big01.bmp image in the C:\Inetpub\wwwroot folder.

19. On the virtual machine's desktop, click Start, My Computer. Double-click the C: drive to open it. If necessary, click Show the contents of this folder. Double-click the Inetpub folder. Double-click the wwwroot folder. This is where IIS stores Web page files by default. For security, it is best not to place your files in this folder, but we'll do it anyway in this project.

20. Click Tools, Folder Options. On the View tab, make sure that Hide extensions for known file types is not checked. Click OK.

21. In the wwwroot window, click View, List.

22. Find the big01.bmp file, as shown to the right on this page.

23. In the Web browser, enter this address and press the Enter key:
    IP-Address/big01.bmp
    Don't enter the literal string IP-Address; instead, type in the "Web Server IP" from the box on the previous page. You should see a big image with the words 2 MB on it, as shown to the right on this page.


Creating the big.html File

24. On the virtual machine's desktop, click Start, All Programs, Accessories, Notepad. Type in the Web page shown below on this page. Using copy and paste will make it easier. Save it in the C:\Inetpub\wwwroot folder with the filename big.html

25. On the virtual machine's desktop, click Start, All Programs, Accessories, Command Prompt. Type in the following commands, ending each one with the Enter key. When entering repetitive commands, use the up-arrow key to repeat a previously typed line, and then use the left-arrow key to edit it.
    cd \inetpub\wwwroot
    copy big01.bmp big02.bmp
    copy big01.bmp big03.bmp
    copy big01.bmp big04.bmp
    copy big01.bmp big05.bmp
    copy big01.bmp big06.bmp
    copy big01.bmp big07.bmp
    copy big01.bmp big08.bmp
    copy big01.bmp big09.bmp
    copy big01.bmp big10.bmp
    copy big01.bmp big11.bmp
    copy big01.bmp big12.bmp
    copy big01.bmp big13.bmp
    copy big01.bmp big14.bmp
    copy big01.bmp big15.bmp
    copy big01.bmp big16.bmp
    copy big01.bmp big17.bmp
    copy big01.bmp big18.bmp
    copy big01.bmp big19.bmp
    copy big01.bmp big20.bmp


26. On the virtual machine's desktop, click Start, My Computer. Double-click the C: drive to open it. If necessary, click Show the contents of this folder. Double-click the Inetpub folder. Double-click the wwwroot folder. You should see 20 images in the folder, as shown to the right on this page.

27. In the Web browser, enter this address and press the Enter key:
    IP-Address/big.html
    Don't enter the literal string IP-Address; instead, type in the Web Server's IP address. You should see a Web page with 20 images in it, slowly loading, as shown below on this page.

28. Go to another machine and open the Web page with the same address:
    IP-Address/big.html
    The page should open, showing that the Web server is working, distributing the page to any client on the LAN that requests it. If your machine had a public IP address, this page would now be visible to anyone on the Internet.

Saving the Screen Image

29. Press the PrntScn key to copy the whole screen to the clipboard.

30. Open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 16.

Turning in your Project

31. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj 16 From Your Name. Send a Cc to yourself.
Last modified 10-17-08


Project 17: Performing a Denial of Service Attack With Nmap

15 Points

What You Will Need

A Ubuntu machine to perform the Nmap scans
A Web server with a large page to view, as you set up in the previous project.

Warning! Denial of service attacks are illegal! The only machines you should scan in this project are machines in S214, or on your own network at home.

Start the Web Server

1. Double-click the VMware Workstation icon on the desktop. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab.

2. On the Home tab, click the Open Existing VM or Team icon. Navigate to the V: drive, open your folder, open the Windows XP for Hacking folder, and double-click the Windows XP Professional.vmx file.

3. On the left side, click the Start this virtual machine link.

4. When your machine starts up, log in as Student, or any other account with Administrative privileges.

Verifying that Internet Information Services (IIS) is Running

5. On the virtual machine's desktop, click Start, All Programs, Accessories, Command Prompt. Type in the following command, then press the Enter key:
    netstat -an
    This command lists all the active network connections, as shown below on this page. Look for the line that shows that the Local Address 0.0.0.0:80 is LISTENING; that is the Web server waiting for any connection to port 80.

6. If you don't see the process listening on port 80, something is wrong with your Web server and you need to fix it before proceeding further.

Using Task Manager to Display the Performance of Your Web Server

7. On the virtual machine's desktop, right-click the taskbar (at the bottom of the screen) and select Task Manager. In Task Manager, click the Performance tab. You should see a graph labeled CPU Usage History, as shown to the right on this page. There's another graph there too, but this is the one of greatest interest now.

8. Leave the Task Manager window open on your server, and drag it to the lower right corner of the desktop so it will be easy to keep it visible while other windows are open.

Turn Off the Firewall

9. If you have the Comodo firewall, right-click the icon in the taskbar tray and select Adjust Security Level, Allow All. If you have some other firewall, make sure it is off.


Finding Your Web Server's IP Address

10. On the virtual machine's desktop, click Start, Run. Type in CMD and press the Enter key. Type in IPCONFIG and press the Enter key. Find the IP address of your machine; in S214, it starts with 192.168.1. Write that address in the box to the right on this page.
    Web Server IP: ____________________________

Starting Your Ubuntu Virtual Machine

11. Double-click the VMware Workstation icon on the desktop. In the VMware Workstation window, from the menu bar, click View, Go to Home Tab.

12. On the Home tab, click the Open Existing VM or Team icon. Navigate to the V: drive, open your folder, open the Your Name Ubuntu folder, and double-click the Your Name Ubuntu.vmx file.

13. On the left side, click the Start this virtual machine link. If you see a message saying The location of this virtual machine's configuration file has changed, accept the default selection of Create and click OK.

14. When your machine starts up, log in with the name and password you chose in the previous project.

Running a Normal nmap Scan of the Web Server

15. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Accessories, Terminal.

16. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
    nmap ip-addr
    Replace ip-addr with the server's IP address. You should see a scan that takes approximately one second, as shown above on this page.

17. Enter the nmap ip-addr command again, and this time watch the CPU Usage History graph on the Web server.

18. You should see a brief spike of activity, as shown to the right on this page.


Running a More Intrusive nmap Scan of the Web Server

19. In the Terminal window, after the $ prompt, enter this command, then press the Enter key:
    nmap ip-addr -sT -p1-65535 -T5
    Replace ip-addr with the server's IP address. This scan uses complete Connect handshakes, scans all 65,535 ports, and does it at the maximum speed. (To see all the nmap options, type nmap --help.)

20. The CPU Usage History graph on the Web server should show a much larger and longer surge of activity, as shown to the right on this page.

Timing the Web Page Load Without a Port Scan

21. Find a watch with a second hand, or double-click the clock in a convenient Windows XP virtual machine, such as the Web server.

22. On the host machine (or any other machine in the LAN), open a browser.

23. In the Web browser, enter the address below, then wait until a time you can easily remember, such as the start of a certain minute, and press the Enter key:
    IP-Address/big.html
    Don't enter the literal string IP-Address; instead, type in the Web Server IP from the box on a previous page.

24. Wait until the entire page loads, including all the images, and write the elapsed time in the box to the right on this page. When I did it, it took 50 seconds.
    Time to Load Page: ____________________

Making a Shell Script to Run Ten Port Scans

25. In the Ubuntu machine, in the Terminal window, after the $ prompt, enter this command, then press the Enter key:
    echo "nmap ip-addr -sT -p1-65535 -T5" >> tenscans
    Replace ip-addr with the server's IP address. The easiest way to enter this command is to press the up-arrow to repeat the previous command and then edit it with the left-arrow and right-arrow.

26. In the Ubuntu machine, in the Terminal window, after the $ prompt, press the up-arrow key once. You should see the same echo command appear again. Press the Enter key. Repeat this process eight more times, so you have done it a total of ten times. If you lose count, and end up with 8 or 12 repetitions, that's OK.

27. In the Ubuntu machine, in the Terminal window, after the $ prompt, enter this command, then press the Enter key:
    cat tenscans


28. You should see ten lines as shown to the right on this page. This script will run ten intrusive scans, making the Web server busy for about five minutes.

29. In the Ubuntu machine, in the Terminal window, after the $ prompt, enter this command, then press the Enter key:
    chmod a+x tenscans
    This command makes the tenscans file executable.

30. In the Ubuntu machine, in the Terminal window, after the $ prompt, enter this command, then press the Enter key:
    ./tenscans
    This command executes the tenscans script.

31. You should see the CPU Usage History in your Web server increase, and stay high, as shown to the right on this page.

Timing the Web Page Load During a Port Scan

32. On the same machine you used to time the previous page load, in the same browser window, hold down the Shift key and click the Reload button. This forces the page to completely reload from the Web server, not just redraw from the local cache. Make a note of the time you started the reload.

33. Wait until the entire page loads, including all the images, and note the elapsed time in the box to the right on this page. If it is loading very slowly, just wait for 2 or 3 minutes, and make a note of how many images loaded in that time. When I did it, it only loaded 3 images after 4 minutes.
    Time to Load Page During a Port Scan: _____________________________________

Saving the Screen Image

34. Go back to the server, and look at the CPU Usage History. You should see a lot of activity, lasting several minutes, as shown to the right on this page. Yours may not peak at 100%, but it should show clear activity.

35. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.


36. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 17a.

Stopping the Port Scans

37. In the Ubuntu machine, click in the Terminal window. Hold down the Ctrl key and press C to cancel the scan. Repeat this until you see the $ prompt again.

38. Look at the CPU Usage History on the server. Soon it should drop down to 0% or so, as the denial of service attack stops.

Protecting the Server With a Firewall

There are plenty of good firewalls out there, software and hardware. But for this project, the relatively weak Windows firewall is good enough.

39. On the Web server's desktop, click Start, Control Panel. Double-click Windows Firewall.

40. In the Windows Firewall box, click On (recommended). Make sure the Don't allow exceptions box is cleared, as shown above on this page.

41. Click the Exceptions tab.

42. Click the Add Port button.

43. In the Add a Port box, enter a Name of Web Server and a Port number of 80. Make sure the TCP radio button is selected, as shown to the right on this page.

44. In the Add a Port box, click OK.

45. In the Windows Firewall box, click OK.

Testing the Web Server

46. On the host machine (or any other machine in the LAN), open a browser. Enter the address below, and press the Enter key:
    IP-Address/big.html
    Don't enter the literal string IP-Address; instead, type in the Web Server IP from the box on a previous page.

47. The page should load, as before. If it does not, you need to adjust the firewall settings. Make sure there is only one firewall turned on, and that port 80 TCP is open for incoming traffic.
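A defender's view of the scan the firewall is now absorbing, as an added example that is not part of the course materials: Windows Firewall can also log the packets it drops to pfirewall.log (Advanced tab, Security Logging), and a connect scan of all 65,535 ports against a server with only port 80 allowed shows up there as one source address hitting many different closed ports. The log lines below are constructed in that file's W3C field layout, and scan_sources is a name I chose.

```shell
#!/bin/sh
# Added example (not from the course): with Windows Firewall on, its
# Advanced tab can turn on Security Logging of dropped packets, written to
# pfirewall.log. The connect scan of all 65,535 ports, against a server
# with only port 80 allowed, then appears as one source address hitting
# many different closed ports. The lines below are constructed in that
# log's W3C field layout (see its #Fields header); they are not captured.

SAMPLE_LOG='#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-06-04 10:15:01 OPEN TCP 192.168.1.20 192.168.1.10 1055 80 - - - - - - - - -
2009-06-04 10:15:02 DROP TCP 192.168.1.50 192.168.1.10 41234 21 48 S 1 0 5840 - - - RECEIVE
2009-06-04 10:15:02 DROP TCP 192.168.1.50 192.168.1.10 41235 22 48 S 1 0 5840 - - - RECEIVE
2009-06-04 10:15:02 DROP TCP 192.168.1.50 192.168.1.10 41236 23 48 S 1 0 5840 - - - RECEIVE
2009-06-04 10:15:02 DROP TCP 192.168.1.50 192.168.1.10 41237 25 48 S 1 0 5840 - - - RECEIVE
2009-06-04 10:15:03 DROP TCP 192.168.1.50 192.168.1.10 41238 21 48 S 1 0 5840 - - - RECEIVE
2009-06-04 10:15:03 DROP TCP 192.168.1.50 192.168.1.10 41239 110 48 S 1 0 5840 - - - RECEIVE
2009-06-04 10:15:03 OPEN TCP 192.168.1.50 192.168.1.10 41240 80 - - - - - - - - -
2009-06-04 10:15:09 DROP TCP 192.168.1.30 192.168.1.10 3120 445 48 S 1 0 65535 - - - RECEIVE'

# scan_sources LOGFILE THRESHOLD
# Print "src-ip N" for every source whose DROPped packets reached more than
# THRESHOLD distinct destination ports. Lines starting with '#' are header
# lines; in data lines the action is field 3, the source address field 5
# and the destination port field 8. The same port probed twice counts once,
# and OPEN lines (the allowed port 80 traffic) are ignored.
scan_sources() {
    awk -v threshold="$2" '
        /^#/ { next }
        $3 == "DROP" {
            pair = $5 SUBSEP $8
            if (!(pair in seen)) { seen[pair] = 1; ports[$5]++ }
        }
        END { for (ip in ports) if (ports[ip] > threshold) print ip, ports[ip] }
    ' "$1" | sort
}

# Constructed run: the scanner at .50 hit five closed ports, the host at
# .30 made one stray attempt on 445, and the client at .20 only used port 80.
log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$log"
echo "Sources that hit more than 3 closed ports:"
scan_sources "$log" 3          # prints: 192.168.1.50 5
rm -f "$log"
```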


Starting the Port Scans Again

48. In the Ubuntu machine, in the Terminal window, after the $ prompt, enter this command, then press the Enter key:
    ./tenscans

49. The scan proceeds as before, but this time the CPU Usage History shows much less burden on the server. The firewall is saving the server from the attack!

Saving the Screen Image

50. Make sure the server's CPU Usage History is visible, showing a low level of activity, as shown above on this page.

51. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.

52. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 17b.

Turning in your Project

53. Write the two "Time to Load Page" values you measured in the body of your email!

54. Email the JPEG images to me as attachments. Send the message to cnit.123@gmail.com with a subject line of Proj 17 From Your Name. Send a Cc to yourself.

Last modified 6-4-07


Project 18: Cracking Windows Passwords with Cain and Abel

15 Points

What You Need

A Windows XP machine with administrator access (real or virtual)

Creating Passwords to Crack

40. Click Start, right-click My Computer, and click Manage. In Computer Management, in the left pane, expand the Local Users and Groups container.

41. In the left pane of Computer Management, click the Users container. You should see some accounts in the right pane, as shown below on this page.

Creating Test Accounts

42. In the left pane of Computer Management, right-click Users and click New User.

43. In the New User box, enter a user name of P3 and a password of abc, and click Create. The check boxes in the lower section of the New User box don't matter, because no one will really be using these accounts.

44. Repeat the process to create the three accounts in the box to the right on this page.
    User name   Password
    P3          abc
    P5          abcde
    P7          abcdefg

Installing Cain

45. On the virtual machine's desktop, open a browser and go to oxid.it

46. In the upper left, click Projects. Scroll down past the disclaimer and click "Cain & Abel".

47. Scroll down and click "Download Cain & Abel v4.9.25 for Windows NT/2000/XP". (The version number may be higher now.) Save the installer on your desktop.

48. Double-click the installer. Install the software with the default options. It will install WinPCap as well as Cain & Abel.

49. Cain is the password cracker, and Abel is the process that harvests the hashed passwords from the Windows machine. You normally install Abel on the target machine, but we'll just install it locally.

Installing Abel

50. Click Start, Programs, Accessories, Command Prompt.

51. Type in the following command and press the Enter key:
        copy \"program files"\cain\abel.exe \Windows
    This command copies the Abel installer to the C:\Windows folder.
52. Type in the following command and press the Enter key:
        copy \"program files"\cain\abel.dll \Windows
    This command copies the Abel DLL file to the C:\Windows folder. This file is the actual service.
53. Type in the following command and press the Enter key:
        cd \Windows
    This command changes the working directory to C:\Windows.
54. Type in the following command and press the Enter key:
        abel
    This command installs the Abel service. A box pops up saying "Abel service has been installed successfully!" Click OK.
55. Type in the following command and press the Enter key:
        services.msc
    The Services window appears.
56. At the top of the right pane, right-click Abel and click Start.
57. In the top line of the right pane, you should see the Abel service with a Status of Started, as shown below on this page.

Finding your Computer's IP Address

58. Click Start, Run. Type in CMD and press Enter. In the Command Prompt window, type IPCONFIG and press Enter. Find your IP address and write it in the box to the right on this page.

        IP Address: ____________________________

Collecting Password Hashes With Cain

59. Double-click the Cain icon on the desktop.
60. Click the Network tab. In the left pane, double-click "Quick List". Double-click your IP Address.
61. Expand Abel. Click Hashes. A Cain box pops up asking "Include password history hashes?". Click No.

62. The password hashes appear, as shown in the figure at the top of the next page. Note that if you have disabled LM hashes in a previous project, the P3, P5, and P7 LanMan Hash values will be identical.
63. In the right pane, right-click, and click "Send All to Cracker". Click the Cracker tab.

Cracking Passwords

64. In the right pane, right-click P3, point to "Brute-Force Attack", and click "NTLM Hashes", as shown below on this page. Note: we are cracking the NTLM hashes, not the old, weak LM hashes. The NTLM hashes are much more difficult to crack, so it will only work for short passwords.

65. In the "Brute-Force Attack" box, click the Start button. It should find the three-letter password immediately. Close the "Brute-Force Attack" box.
66. In the right pane, right-click P5, point to "Brute-Force Attack", and click "NTLM Hashes".
67. In the "Brute-Force Attack" box, click the Start button. It should find the five-letter password within a few seconds. Close the "Brute-Force Attack" box.
68. In the right pane, right-click P7, point to "Brute-Force Attack", and click "NTLM Hashes".
69. In the "Brute-Force Attack" box, click the Start button. The seven-letter password is hard to crack, so no answer appears immediately. It might take a long time to crack, so we'll give up. Click the Stop button. Click the Exit button.
70. You should see the two passwords you found, abc and abcde, in the NT Password column of the Cain window, as shown below.

Saving the Screen Image

71. Press the PrntScn key to copy the whole screen to the clipboard. Open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj X9.

Turning in your Project

72. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj X9 From Your Name. Send a Cc to yourself.

Last modified 12-28-08

Project 19: John the Ripper on Ubuntu Linux

10 Points

Start Your Ubuntu Virtual Machine

1. Start your Ubuntu machine and log in as usual.

Installing john the ripper

2. From the Ubuntu menu bar, click Applications, Accessories, Terminal.
3. In the terminal window, enter this command, then press the Enter key:
        sudo apt-get install john
   Enter your password when you are prompted to. When you are asked to continue, enter Y.

Creating Passwords to Crack

4. In the terminal window, enter this command, then press the Enter key:
        sudo adduser user1
   This will create a new user account named user1. When you are prompted for a password, type in abc both times. Enter your password when you are prompted to. When you are prompted for Full name[], Room number[], Home phone[], Work phone[], and Other[], press Enter to accept the default values. When you see the question Is this information correct? [y/N], enter Y.
5. In the terminal window, enter this command, then press the Enter key:
        sudo adduser user2
   This will create a new user account named user2. When you are prompted for a password, type in wall both times. Enter your password when you are prompted to. When you are prompted for Full name[], Room number[], Home phone[], Work phone[], and Other[], press Enter to accept the default values. When you see the question Is this information correct? [y/N], enter Y.
6. In the terminal window, enter this command, then press the Enter key:
        sudo adduser user3
   This will create a new user account named user3. When you are prompted for a password, type in abc123 both times. Enter your password when you are prompted to. When you are prompted for Full name[], Room number[], Home phone[], Work phone[], and Other[], press Enter to accept the default values. When you see the question Is this information correct? [y/N], enter Y.
7. In the terminal window, enter this command, then press the Enter key:
        sudo cat /etc/shadow
   This command prints out the shadow file, which contains hashed passwords. You should see the three users you created with hashed passwords as shown below (your hashes will be different).

Running john the ripper

8. In the terminal window, enter this command, then press the Enter key:
        sudo john /etc/shadow
   Enter your password when you are prompted to. This command cracks the hashes, which are MD5s salted with a two-character salt. Some passwords come up quickly, as shown below on this page. Others take longer. In this mode, john uses a configuration file that tests passwords in the order the designer found to be most effective.
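The shadow file that john reads above stores each account's hash with a scheme marker and a salt. The following script, added here as an example and not part of the project instructions, parses constructed /etc/shadow-style lines, identifies the crypt(3) scheme from the "$id$" prefix (traditional DES crypt is the one with the two-character salt), and lists the enabled accounts an administrator should migrate to a stronger scheme. All sample lines and hashes are constructed, and the "weak" verdicts are my own assumption that anything older than SHA-crypt needs replacing.

```python
"""Audit /etc/shadow-style lines for weak password hashing (added example)."""
import re
from dataclasses import dataclass

# crypt(3) scheme id -> (name, considered weak?)
# Assumption (mine): anything older than SHA-crypt counts as weak.
SCHEMES = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
    "gy": ("gost-yescrypt", False),
}
# Traditional DES crypt: 2-character salt followed by 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


@dataclass
class ShadowEntry:
    user: str
    scheme: str   # e.g. "md5crypt", "descrypt", "empty", "locked", "unknown"
    salt: str
    locked: bool  # "!" or "*" prefix: password login disabled
    weak: bool    # True only for enabled accounts on a weak scheme


def classify_hash(field):
    """Return (scheme, salt, locked, weak_scheme) for one shadow hash field."""
    locked = field.startswith(("!", "*"))
    body = field.lstrip("!*")
    if body == "":
        # No hash at all: "*"/"!" disables password login, but a truly empty
        # field lets anyone log in with no password, which is the worst case.
        return ("locked" if locked else "empty", "", locked, not locked)
    if DES_CRYPT.match(body):
        return ("descrypt", body[:2], locked, True)
    parts = body.split("$")          # "$id$[params$]salt$hash"
    if len(parts) < 4 or parts[0] != "":
        return ("unknown", "", locked, True)
    name, weak = SCHEMES.get(parts[1], ("unknown", True))
    if parts[1] in ("y", "gy", "7") or parts[1].startswith("2"):
        # yescrypt/scrypt/bcrypt put a parameter block between id and salt;
        # bcrypt packs a 22-character salt and the hash into one field.
        salt = parts[3][:22] if parts[1].startswith("2") else parts[3]
    elif parts[2].startswith("rounds="):
        salt = parts[3]              # $5$/$6$ with an explicit rounds= field
    else:
        salt = parts[2]
    return (name, salt, locked, weak)


def audit_shadow(text):
    """Parse shadow-format lines into ShadowEntry records (blank/comment lines skipped)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, salt, locked, weak_scheme = classify_hash(fields[1])
        entries.append(ShadowEntry(fields[0], scheme, salt, locked,
                                   weak_scheme and not locked))
    return entries


def weak_accounts(text):
    """Names of enabled accounts whose stored hash a cracker would enjoy."""
    return [e.user for e in audit_shadow(text) if e.weak]


# Constructed sample in /etc/shadow format; every hash here is fake.
SAMPLE_SHADOW = """\
root:$6$Qz7pLm1x$fakehashfakehashfakehashfakehashfakehashfakehashfakehashfakehashfakehashfakehas:14000:0:99999:7:::
user1:$1$Ab3dEf9h$fakehashfakehashfakeha:14000:0:99999:7:::
user2:$y$j9T$saltsaltsalt$fakehashfakehashfakehashfakehashfakehashfake:14000:0:99999:7:::
user3:abJnggxhB/yWI:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
guest::14000:0:99999:7:::
sync:!$1$salt1234$fakehashfakehashfakeha:14000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit_shadow(SAMPLE_SHADOW):
        flag = "WEAK" if e.weak else ("locked" if e.locked else "ok")
        print(f"{e.user:8} {e.scheme:14} salt={e.salt!r:16} {flag}")
```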

Saving the Screen Image

9. Make sure the john command output is visible, and at least one password has been found, as shown above on this page.
10. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.
11. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 19a.

Turning in your Project

12. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj 19 From Your Name. Send a Cc to yourself.

Further Information

13. John installs files in a lot of places, and most of the information on the Internet is about other systems and not very helpful. If you want to customize John, I recommend reading CONFIG and the other files in /usr/share/doc/john. The configuration file is in /etc/john/john-conf. To find all the john files, use this command:
        sudo find / -name john

Last modified 10-27-08

Project 20: Cracking WEP with BackTrack2

20 Points

What You Will Need

A wireless access point
A computer running any OS with any wireless NIC to be the client
A different computer with a Linksys WUSB54G WiFi card, or another Wi-Fi card that is compatible with the BackTrack 2 live CD operating system
A BackTrack 2 Live CD

Warning: Only use this on networks you own. Cracking into networks without permission is a crime. Don't do it!

Choose Your Access Point/Router

1. There are four Access Point/Routers available in S37: Linksys, D-Link, Belkin, and Buffalo. Choose one and use the corresponding instructions below to set up a secure Wireless Local Area Network (WLAN). If you are working at home, you can use any wireless router.

Linksys Router

Restoring the Access Point to Factory Default Settings

2. Get the blue Linksys BEFW11S4 router from the closet. Plug in the power cord. Do not plug in any Ethernet cables yet.
3. Press the little red RESET button on the back and hold it in for ten seconds. This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router

4. Choose one computer to be the Wired Client. Disconnect the blue Ethernet cable from the back of the Wired Client. Take another cable and connect the Wired Client to port 1 on the router. Check the front panel of the router: the light under number 1 should light up, but the Internet light should be dark.
5. On the Wired Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key.
        IPCONFIG
   You should see an IP address starting with 192.168.1, as shown below. There are other network adapters present with other IP addresses, but one of them should start with 192.168.1. If you don't have an IP address like that, restart the Wired Client computer.

        Ethernet adapter Local Area Connection 2:
                Connection-specific DNS Suffix  . :
                IP Address. . . . . . . . . . . . : 192.168.1.101
                Subnet Mask . . . . . . . . . . . : 255.255.255.0
                Default Gateway . . . . . . . . . : 192.168.1.1

6. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING 192.168.1.1
   You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the router as a client.

Changing the Subnet on the Router

7. The LAN in S214 uses the 192.168.1.0 subnet, which is the same as the default subnet for the Linksys router. The router won't be able to connect to the LAN unless it uses a different subnet for its clients, so we need to change the router to a different subnet.
8. On the Wired Client, open a browser and go to this address: 192.168.1.1
9. A box pops up asking for a user name and password. Leave the User Name blank and enter a password of admin
10. In the Linksys page, on the Setup tab, change the Local IP Address to 192.168.10.1, as shown to the right on this page.
11. Scroll to the bottom of the page and click the Save Settings button.
12. A popup box appears saying Next time, log in the router with the new IP address. Click OK.
13. Now that the router has a new address, the Wired Client needs a new IP address too to connect to it. To force a DHCP renew, unplug the network cable from port 1 on the router, wait a couple of seconds, and plug it in again.

14. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        IPCONFIG
    You should see an IP address starting with 192.168.10. If you don't have an IP address like that, restart the Wired Client computer.
15. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING 192.168.10.1
    You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the router again as a client.

Setting the SSID and Channel on the Access Point/Router

16. Make up a new SSID to be your network's name. Write it in the box to the right on this page. Don't use any spaces in the name.

        SSID: _______________________
        Channel: 1

17. On the Wired Client, open a browser and go to this address: 192.168.10.1
18. A box pops up asking for a user name and password. Leave the User Name blank and enter a password of admin
19. In the Linksys page, click the Wireless tab. Click the blue Basic Wireless Settings tab.
20. In the Wireless line, click Enable. Enter your SSID in the Wireless Network Name(SSID): box. Select a Wireless Channel of 1 (2.417 GHz), as shown to the right on this page. At the bottom of the page, click Save settings.

Setting WEP Security on the Access Point/Router

21. Make up a ten-digit hexadecimal WEP key and write it in the box to the right on this page. Each digit can be a numeral 0 through 9, or a letter from A through F.

        WEP Key: ________________________

22. On the Wired Client, a browser should still be open, showing address 192.168.10.1
    a. If the browser window is not still open, open a new one, go to 192.168.10.1, and log in with User Name blank and a password of admin

23. In the Linksys page, click the Wireless tab. Click the blue Wireless Security tab. In the Wireless Security line, click Enable. Select a Security Mode: of WEP. Enter the WEP Key you wrote in the box on this page into the WEP Key 1 field. At the bottom of the page, click Save settings.

Connecting the Router to the Room's LAN

24. Find the blue cable attached to the wall that used to be plugged into the Wired Client. Plug it into the WAN port on the router. The Internet front panel light should come on.
25. On the Wired Client, a browser should still be open, showing address 192.168.10.1
    a. If the browser window is not still open, open a new one, go to 192.168.10.1, and log in with User Name blank and a password of admin
26. In the Linksys page, at the upper right, click the Status tab. At the bottom of the screen, click the DHCP Renew button. The router should now show an Internet IP Address starting with 192.168.1, as shown to the right on this page. If it does not, click the DHCP Renew button again.
27. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING YAHOO.COM
    You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the Internet through the router.

Skip ahead to the Connecting a Wireless Client to the Access Point/Router section.

Belkin Router

Restoring the Access Point to Factory Default Settings

28. Get the gray Belkin router from the closet. Plug in the power cord. Do not plug in any Ethernet cables yet.
29. Use a pin or paper clip to press the little RESET button on the back and hold it in for ten seconds. This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router

30. Choose one computer to be the Wired Client. Disconnect the blue Ethernet cable from the back of the Wired Client. Take another cable and connect the Wired Client to port 1 on the router. Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
31. On the Wired Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key.
        IPCONFIG
    You should see an IP address starting with 192.168.2, as shown below. There are other network adapters present with other IP addresses, but one of them should start with 192.168.2. If you don't have an IP address like that, restart the Wired Client computer.

        Ethernet adapter Local Area Connection 2:
                Connection-specific DNS Suffix  . :
                IP Address. . . . . . . . . . . . : 192.168.2.2

32. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING 192.168.2.1
    You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router

33. Make up a new SSID to be your network's name. Write it in the box to the right on this page. Don't use any spaces in the name.

        SSID: _______________________
        Channel: 11

34. On the Wired Client, open a browser and go to this address: 192.168.2.1 A Belkin page opens.
35. In the upper right, click the Log in button. A Login screen appears. Leave the Password box empty and click the Submit button.
36. If the browser displays a Security Warning box, click Continue.

37. On the left side of the screen, click Channel and SSID.
38. In the Wireless > Channel and SSID page, enter your SSID in the SSID box. Select a Wireless Channel of 11, as shown to the right on this page.
39. At the bottom of the page, click Apply Changes.

Setting WEP Security on the Access Point/Router

40. Make up a ten-digit hexadecimal WEP key and write it in the box to the right on this page. Each digit can be a numeral 0 through 9, or a letter from A through F.

        WEP Key: ________________________

41. On the Wired Client, a browser should still be open, showing address 192.168.2.1 In the left pane, in the Wireless section, click Security.
42. In the Security Mode box, select 64-bit WEP. Enter the WEP Key you wrote in the box on this page into the Key 1 field, as shown to the right on this page. At the bottom of the page, click Apply Changes.

Connecting the Router to the Room's LAN

43. Find the blue cable attached to the wall that used to be plugged into the Wired Client. Plug it into the Connection to Modem port on the router. The WAN front panel light should come on.
44. On the Wired Client, a browser should still be open, showing address 192.168.2.1
45. In the Belkin page, on the left side, in the Internet WAN section, click Connection Type.
46. In the WAN > Connection Type screen, accept the default selection of Dynamic and click the Next button.
47. In the WAN > Connection Type > Dynamic IP screen, leave the Host Name box empty and click the Apply Changes button.
48. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING YAHOO.COM
    You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the Internet through the router.

Skip ahead to the Connecting a Wireless Client to the Access Point/Router section.

D-Link Router

Restoring the Access Point to Factory Default Settings

49. Get the gray D-Link router from the closet. Plug in the power cord. Do not plug in any Ethernet cables yet.
50. Use a pin or paper clip to press the little RESET button on the back and hold it in for ten seconds. This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router

51. Choose one computer to be the Wired Client. Disconnect the blue Ethernet cable from the back of the Wired Client. Take another cable and connect the Wired Client to port 1 on the router. Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
52. On the Wired Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key.
        IPCONFIG
    You should see an IP address starting with 192.168.0, as shown below. There are other network adapters present with other IP addresses, but one of them should start with 192.168.0. If you don't have an IP address like that, restart the Wired Client computer.

        Ethernet adapter Local Area Connection 2:
                Connection-specific DNS Suffix  . :
                IP Address. . . . . . . . . . . . : 192.168.0.100

53. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING 192.168.0.1
    You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router

54. Make up a new SSID to be your network's name. Write it in the box to the right on this page. Don't use any spaces in the name.

        SSID: _______________________
        Channel: 6

55. On the Wired Client, open a browser and go to this address: 192.168.0.1
56. A box pops up asking for a user name and password. Enter a user name of admin and leave the password blank. Click the OK button.

57. On the left side of the screen, click Wireless.
58. Enter your SSID in the SSID box, as shown to the right on this page.
59. Select a Wireless Channel of 6, as shown to the right on this page.

Setting WEP Security on the Access Point/Router

60. Make up a ten-digit hexadecimal WEP key and write it in the box to the right on this page. Each digit can be a numeral 0 through 9, or a letter from A through F.

        WEP Key: ________________________

61. In the Security: box, select WEP. In the WEP Encryption: box, select 64-bit.
62. In the Key1: box, enter the WEP Key you wrote in the box on this page. At the bottom of the page, click Apply. A message appears saying The device is restarting. Click Continue.

Connecting the Router to the Room's LAN

63. Find the blue cable attached to the wall that used to be plugged into the Wired Client. Plug it into the WAN port on the router. The WAN front panel light should come on.
64. On the Wired Client, a browser should still be open, showing the D-Link page.
65. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING YAHOO.COM
    You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the Internet through the router.

Skip ahead to the Connecting a Wireless Client to the Access Point/Router section.

Buffalo Router with OpenWRT Firmware

Restoring the Access Point to Factory Default Settings

66. Get the Buffalo router labeled "OpenWRT" from the closet. Plug in the power cord. Do not plug in any Ethernet cables yet.
67. Use a pen to hold the little INIT button on the bottom. Unplug the power cord. Plug the power cord back in and hold the INIT button down for 30 seconds. This resets the router back to its default settings.

Connecting a Wired Client Computer to the Router

68. Choose one computer to be the Wired Client. Disconnect the blue Ethernet cable from the back of the Wired Client. Take another cable and connect the Wired Client to port 1 on the router. Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
69. On the Wired Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key.
        IPCONFIG
    You should see an IP address starting with 192.168.11, as shown below. There are other network adapters present with other IP addresses, but one of them should start with 192.168.11. If you don't have an IP address like that, restart the Wired Client computer.

        Ethernet adapter Local Area Connection 2:
                Connection-specific DNS Suffix  . :
                IP Address. . . . . . . . . . . . : 192.168.11.175

70. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING 192.168.11.1
    You should see replies, and you should see the back panel lights on the router blink. The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router

71. Make up a new SSID to be your network's name. Write it in the box to the right on this page. Don't use any spaces in the name.

        SSID: _______________________
        Channel: 6

72. On the Wired Client, open a browser and go to this address: 192.168.11.1 An "OpenWrt Admin Console" page opens.
73. At the top, click Network.
74. A box pops up asking for a user name and password. Enter a user name of root and type in a password of password Click the OK button.

75. In the light blue menu bar, below the "OpenWrt Admin Console" header, click Wireless.
76. Enter your SSID in the ESSID box, as shown to the right on this page.
77. Select a Wireless Channel of 6, as shown to the right on this page.
78. At the bottom of the page, click the "Save Changes" button. Click the "Apply Changes" link.

Setting WEP Security on the Access Point/Router

79. Make up a ten-digit hexadecimal WEP key and write it in the box to the right on this page. Each digit can be a numeral 0 through 9, or a letter from A through F.

        WEP Key: ________________________

80. In the Encryption Settings: section near the bottom of the page, select an "Encryption Type" of WEP, as shown to the right on this page.
81. In the top WEP Keys box, enter your WEP Key, as shown to the right on this page.
82. At the bottom of the page, click the "Save Changes" button. Click the "Apply Changes" link.

Connecting the Router to the Room's LAN

83. Find the blue cable attached to the wall that used to be plugged into the Wired Client. Plug it into the WAN port on the router.
84. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
        PING YAHOO.COM
    You should see replies, and you should see the back panel lights on the router blink. The Wired Client is now connected to the Internet through the router.

Connecting a Wireless Client to the Access Point/Router

85. Find a machine with a wireless NIC to use as the Wireless Client computer. Machines S214-15, 16, and 17 have wireless NICs, and there are also USB wireless NICs available that can be attached to other stations.
86. Disconnect the blue Ethernet cable from the back of your Wireless Client computer to ensure that it uses only the wireless connection.
87. In the lower right of the desktop, find the Wireless Network Connection icon, as shown to the right on this page. It shows a computer with radio waves coming from it.
88. Right-click that icon and click View available wireless networks.
89. Find your SSID in the list and click it, as shown to the right on this page. Click the Connect button.
90. In the Wireless network connection box, enter the WEP Key you wrote in the box on a previous page of these instructions. Put the same key in the second box and click Connect. Wait while your Wireless Client connects. When the connection is made, you should see the word Connected next to your SSID, as shown to the right on this page.
91. On the Wireless Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key.
        IPCONFIG
    You should see an IP address starting with 192.168.10
92. On the Wireless Client, in the Command Prompt window, type in this command and press the Enter key.
        PING 192.168.10.1
    You should see replies, and you should see the front panel lights on the router blink. The Wireless Client is now connected to the router as a wireless client.

Getting the BackTrack 2 CD

93. You need a BackTrack 2 CD. Your instructor handed them out in class. If you are working at home, you can download it from http://www.remote-exploit.org/backtrack.html

Plugging in the USB NIC

94. Connect the USB cable from the Linksys WUSB54G ver. 4 NIC.

Booting the Hacker Computer from the BackTrack 2 CD

95. Insert the bt2 CD and restart your "Hacker Computer". If it won't boot from the CD, press F2 to enter the BIOS settings page and set it to boot from the CD. If it asks for a BIOS Password, press the Enter key.
96. You should see a message beginning ISOLINUX. At the boot: prompt, press the Enter key. Several pages of text scroll by as Linux boots.
97. When you see a page with a bt login: prompt, type in this username and press the Enter key: root
98. At the Password: prompt, type in this password and press the Enter key: toor
99. At the bt ~ # prompt, type in this command and press the Enter key: xconf
100. At the bt ~ # prompt, type in this command and press the Enter key: startx
101. A graphical desktop should appear, with a start button showing the letter K on a gear in the lower left, as shown to the right on this page.

[Figure: Konsole button]

Getting Your Wi-Fi Interface's MAC Address

102. Click the Konsole button, as shown above on this page.
103. In the "Shell Konsole" window, type in this command, and then press the Enter key:

ifconfig rausb0 up

104. In the "Shell Konsole" window, type in this command, and then press the Enter key:

ifconfig

105. You should see the rausb0 device, as shown below on this page. This is the USB network interface, and it is working as a normal network card now. Find the "HWaddr" value: this is the MAC address of your Wi-Fi interface. Write it in the box to the right on this page.

        MAC: ______________________________________


106. In the "Shell Konsole" window, type in this command, and then press the Enter key:

ifconfig rausb0 down


A lot of blank lines will scroll by. That is normal.

Starting the wifi-0 Device


107. In the "Shell Konsole" window, type in this command, and then press the Enter key:

airmon-ng stop rausb0


108. In the "Shell Konsole" window, type in this command, and then press the Enter key:

airmon-ng start wifi0


We have now stopped the wireless card and restarted it with the special MadWiFi drivers, which are necessary for cracking WEP. Now the card is monitoring on all channels.

Capturing Packets to View the Available Networks


109. Click the Konsole button to open a new Konsole window, titled "Shell Konsole <2>". 110. In the "Shell Konsole <2>" window, type in this command, and then press the Enter key:

airodump-ng -w test rausb0


This command opens a window showing all local networks, as shown below on this page. The captured packets are going to a file named test, which isn't important right now. The columns in the output are explained below:

BSSID      The MAC address of the access point
PWR        Power level
Beacons    The number of beacon packets captured
#Data      The number of packets containing Initialization Vectors (IVs); these are the packets we need to crack WEP.
CH         The channel (1 through 11 are used in the USA)
MB         The speed of the network in Mbps
ENC, CIPHER, AUTH   These values specify the encryption method
ESSID      The name of the network
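To turn the column listing above into a quick site audit, here is an added example (not from the original project or from the aircrack-ng project) that parses a constructed airodump-ng screen dump with exactly those columns and reports access points still using WEP, together with the #Data (IV) count that shows how much crackable material each one has already leaked. The sample dump is constructed; the BSSID and station MAC values are the ones used later in these instructions, and the severity ranking is my own.

```python
"""Find WEP and other weakly protected APs in an airodump-ng screen dump (added example)."""
import re
from dataclasses import dataclass

# Token sets airodump-ng prints in the CIPHER and AUTH columns; both columns
# may be blank (e.g. an open network), so the parser must not assume them.
CIPHERS = {"WEP", "WEP40", "WEP104", "TKIP", "CCMP", "WRAP"}
AUTHS = {"PSK", "MGT", "OPN", "SKA"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


@dataclass
class AccessPoint:
    bssid: str
    power: int
    beacons: int
    data: int      # the #Data column: frames carrying IVs
    channel: int
    enc: str
    cipher: str
    auth: str
    essid: str


def parse_airodump(text):
    """Parse the AP table of an airodump-ng screen dump; station rows are ignored."""
    aps = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or not MAC_RE.match(tokens[0]):
            continue                     # header, blank line, or short row
        if MAC_RE.match(tokens[1]):
            continue                     # STATION rows show two MACs per line
        bssid, pwr, beacons, data, ch, _mb, enc = tokens[:7]
        rest = tokens[7:]
        cipher = rest.pop(0) if rest and rest[0] in CIPHERS else ""
        auth = rest.pop(0) if rest and rest[0] in AUTHS else ""
        essid = " ".join(rest)           # ESSIDs may contain spaces
        aps.append(AccessPoint(bssid.upper(), int(pwr), int(beacons),
                               int(data), int(ch), enc, cipher, auth, essid))
    return aps


def findings(aps):
    """Return (essid, bssid, severity, reason) tuples, most serious first."""
    out = []
    for ap in aps:
        if ap.enc == "WEP":
            out.append((ap.essid, ap.bssid, 3,
                        f"WEP on channel {ap.channel}; {ap.data} IV frames already observed"))
        elif ap.enc == "OPN":
            out.append((ap.essid, ap.bssid, 2, "open network, traffic unencrypted"))
        elif ap.cipher == "TKIP":
            out.append((ap.essid, ap.bssid, 1, f"{ap.enc} with TKIP, should be CCMP"))
    return sorted(out, key=lambda f: -f[2])


def wep_networks(text):
    """(ESSID, IV count) for every WEP access point in the dump."""
    return [(ap.essid, ap.data) for ap in parse_airodump(text) if ap.enc == "WEP"]


# Constructed screen dump using the column layout described in the project.
SAMPLE_SCAN = """\
 BSSID              PWR  Beacons  #Data  CH  MB  ENC  CIPHER AUTH  ESSID
 00:11:50:1E:43:87   42      318   1054  11  54  WEP  WEP          belkin54g
 00:1C:10:AA:BB:CC   31      120     12   6  54  WPA2 CCMP   PSK   office
 00:0F:66:12:34:56   18       40      0   1  11  OPN               guest net
 00:1A:70:12:34:56   25       90      4   1  54  WPA  TKIP   PSK   legacy

 BSSID              STATION            PWR  Lost  Packets  Probes
 00:11:50:1E:43:87  00:16:B6:5B:A3:D6   35     0     1060
"""

if __name__ == "__main__":
    for essid, bssid, severity, reason in findings(parse_airodump(SAMPLE_SCAN)):
        print(f"[{severity}] {essid!r} ({bssid}): {reason}")
```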

111. Write the BSSID, CH, and ESSID of the access point you want to crack into in the box to the right on this page. Note that the BSSID, STATION, etc. information at the bottom of the screen refers to the client, not the Access Point.

        BSSID: ______________________________________
        CH: __________
        ESSID: ______________________________________

112. Press Ctrl+C to stop the Airodump capture. If it won't stop, use the mouse to close the "Shell Konsole <2>" window. Then click the Konsole button to open a new "Shell Konsole <2>" window.

Restarting Monitoring on the Correct Channel


113. Click the "Shell Konsole" window to make it active; this is the window you used for the airmon-ng commands.
114. In the "Shell Konsole" window, type in this command, and then press the Enter key:

airmon-ng stop rausb0


115. In the "Shell Konsole" window, type in this command, and then press the Enter key:

airmon-ng start wifi0 11

Replace 11 with the CH number you wrote in the box above on this page. Now the card is monitoring only the channel we are interested in.

Resuming Packet Capture


116. Click the "Shell Konsole <2>" window to make it active; this is the Konsole window you used for the airodump-ng command.
117. In the "Shell Konsole <2>" window, type in this command, and then press the Enter key:

airodump-ng c 11 w output rausb0 Replace 11 with the CH number you wrote in the box above on this page. Now the card is
monitoring only the channel we are interested in. This captures packets on the desired channel, and dumps into the file output.cap. Notice that the #Data are not rising quickly you may not even see any data being captured at all. Leave this capture running.

Performing a Fake Authorization Attack

118. We will send out packets asking to authorize to the access point as a client. The card is actually in monitor mode, listening to the network, but it can also inject traffic into the network and spoof a normal card in managed mode.
119. Click the "Shell Konsole" window to make it active; this is the window you used for the airmon-ng commands.
120. In the "Shell Konsole" window, type in this command, and then press the Enter key:

aireplay-ng --help

This shows a help message, explaining the options available for aireplay-ng. Notice the section at the bottom showing "Attack modes", as shown below. The attack we will use now is a fake authorization, with time delay 0, using the -1 0 switches.

121. In the "Shell Konsole" window, type in this command, and then press the Enter key:

aireplay-ng -1 0 -e belkin54g -a 00:11:50:1E:43:87 -h 00:16:B6:5B:A3:D6 rausb0

Replace belkin54g with the ESSID you wrote in the box on a previous page of these instructions. Replace 00:11:50:1E:43:87 with the BSSID you wrote in the box on a previous page of these instructions (the access point's hardware address). Replace 00:16:B6:5B:A3:D6 with the MAC you wrote in the box on a previous page of these instructions (the Wi-Fi NIC card's MAC address). You should see an "Association successful" message, as shown above on this page.

Performing an ARP Replay Attack

122. Now we will capture an ARP request, and replay it to force the Access Point to pump out a lot of IVs.
123. In the "Shell Konsole" window, type in this command, and then press the Enter key:

aireplay-ng -3 -b 00:11:50:1E:43:87 -h 00:16:B6:5B:A3:D6 rausb0

Replace 00:11:50:1E:43:87 with the BSSID you wrote in the box on a previous page of these instructions (the access point's hardware address). Replace 00:16:B6:5B:A3:D6 with the MAC you wrote in the box on a previous page of these instructions (the Wi-Fi NIC card's MAC address). The last line in your "Shell Konsole" window should show the number of packets read, the number of ARP requests captured, and the number of packets sent, as shown below on this page. Within a few seconds, all three of these numbers should start rising rapidly. That means the ARP replay attack is successfully pumping IV values out of the access point, gathering data that can be used to crack the WEP encryption quickly.

124. Look at the "Shell Konsole <2>" window. The # Data value should be rising very rapidly, as shown below on this page.

Cracking the Key

125. Click the Konsole button to open a new Konsole window, titled "Shell Konsole <3>".
126. In the "Shell Konsole <3>" window, type in this command, and then press the Enter key:

aircrack-ng -a 1 -n 64 output*.cap
It should find the key within a few minutes, as shown below on this page.

Saving the Screen Image on the Desktop


127. On the Hacker Computer, from the Backtrack 2 desktop, click Start, Screenshot.
128. In the Screenshot window, click the "Save As" button.
129. In the "Save as Screenshot" window, in the unlabelled box on the upper right, click the arrow and select /root/desktop.
130. In the "Save as Screenshot" window, in the Location: box, type in a filename of Yourname-Proj20.jpg
131. Click the Save button. Your file should appear on the desktop.

Starting Firefox
132. On the Hacker Computer, at the lower left of the desktop, click the "Firefox button", as shown to the right on this page.


Turning in your Project


133. Firefox opens. Go to a Web-based email service you feel comfortable using in S214; it should be one with a password you don't use anywhere else.
134. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj 20 From Your Name. Send a Cc to yourself.

Credits
I got a lot of this from "Wireless Vulnerabilities and Cracking with the Aircrack Suite", by Stephen Argent, in the magazine hakin9, Issue 1/2008. There is a lot more information about cracking WEP and WPA in that article, it's great!
Last modified 12-30-08


Project 21: Sniffing with ettercap on Ubuntu Linux

Worth 15 Points

Revised 10-16-08

What You Will Need

A Ubuntu machine to perform the ettercap scan
A Windows machine to act as a file server (your virtual Windows XP machine will work)
Another Windows machine to be a client (your host Windows XP machine will work)

Start Your Ubuntu Virtual Machine

1. Start your Ubuntu machine and log in as usual.

Installing ettercap

2. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Add/Remove.
3. In the Add/Remove Applications box, in the Search field, enter ettercap and press the Enter key.
4. When the ettercap application appears, as shown below on this page, check the check box in the Application pane. In the Apply the following changes? box, click Apply. Enter your password when you are prompted to. Wait while software downloads and installs.
5. When you see a Changes applied box saying that the changes were successful, click Close.


Starting ettercap

6. From the Ubuntu menu bar, click Applications, Accessories, Terminal.
7. In the terminal window, enter this command, then press the Enter key:

ettercap --help

A long list of options appears, as shown to the right on this page.
8. In the terminal window, enter this command, then press the Enter key:

sudo ettercap -i eth0 -Tq -d

Note: You may need to use eth1 instead of eth0. Enter your password when you are prompted to. This command starts ettercap in text mode, with DNS resolution of IP addresses. There are several lines of introductory information, as shown to the right on this page, followed by the message Text only Interface activated. This window is now sniffing all network traffic to find passwords.


Logging in to a Simple HTTP Login Form with Firefox from Ubuntu

9. Leave the Terminal window open. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Internet, Firefox Web Browser.
10. Type in the address tinyurl.com/fakelogin and press the Enter key.
11. Enter your name into the Username field. Do NOT put your real password into the password field, whatever you do! Put in a password of FromUbuntu and click the Submit Query button. When a box pops up asking whether you want Firefox to remember this password, click Not now.
12. After a few seconds, you will see a message saying OK, Login approved. Close or minimize the Firefox window.
13. The ettercap window should now show the name and password you typed in. You may need to wait 10 or 15 seconds for the password to appear. Leave the Terminal window open.

Logging in to a Simple HTTP Login Form with Firefox from Windows

14. Go to a Windows machine. You could use your host system, or any computer in the room.
15. On the Windows machine, open a Web browser and go to tinyurl.com/fakelogin
16. Enter your name into the Username field. Put in a password of FromWindows and press the Enter key.
17. When a box pops up asking whether you want the browser to remember this password, click Not now.
18. After a few seconds, you will see a message saying Username/Password Failure.
19. Look at your Ubuntu machine now. The ettercap window should now show both names and passwords, as shown below on this page.


Saving the Screen Image


20. Make sure the two passwords FromUbuntu and FromWindows are visible, as shown on the previous page.
21. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.
22. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 21a.

Setting up a File Share on a Windows Machine


23. Start a Windows XP virtual machine. You can use the same host machine you are running Ubuntu on, or any other host computer on the LAN. Log in as usual.
24. Click Start, My Computer. In the My Computer window, click Tools, Folder Options. In the Folder Options box, click the View tab. Scroll to the bottom of the list and make sure the Use simple file sharing (recommended) box is checked, as shown to the right on this page. Click the OK button.
25. Right-click the desktop and select New, Folder. Name the new folder YourNameShare. Don't use the literal text YourName; instead use your own name.
26. Right-click the YourNameShare folder and click Sharing and Security.
27. If you see a window like the figure to the right on this page, click the lower blue text saying If you understand the security risks, but want to share files without running the wizard, click here and then click Just enable file sharing. If you don't see that box, that's OK, just proceed to the next step.


28. In the YourNameShare Properties box, click the Share this folder on the network button, as shown to the right on this page. Click the OK button. This machine is now a File Server.


29. On your File Server Windows machine, click Start, Run, enter CMD, and press the Enter key. Find the IP address of your Windows machine and write it in the box to the right on this page.

Win File Server IP: _______________________________

Connecting to the File Share From a Different Windows Machine

30. Go to a different Windows machine, such as the host Windows XP system. Click Start, Run. In the Run box, enter two backslashes and the IP address you wrote in the box above, as shown to the right on this page. Don't use the exact address shown in the figure; use the IP address of your own Windows XP file server. Press the Enter key.
31. If a Connect to box appears, requesting a User name and Password, as shown to the right on this page, just click Cancel.

32. Look at your Ubuntu machine now. The ettercap window should show one or more password hashes, as shown below on this page. It's possible to crack these hashes, but it can be difficult. You need to use a tool like John the Ripper, which we will use in a later project.
33. If you don't see any hashes, try opening any local network share from any computer. The simplest way to do it in S214 is to go to any host Windows XP machine, click Start, Run and enter \\192.168.1.3

Saving the Screen Image

34. Make sure the password HASH is visible, as shown above on this page.
35. Press Ctrl+Alt to release the mouse, and click on the host Windows XP desktop. Press the PrntScn key to copy the whole screen to the clipboard.
36. On the host Windows XP desktop, open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 21b.

Turning in your Project

37. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj 21 From Your Name. Send a Cc to yourself.

Last modified 12-30-08


Project 22: HTTPS MITM with Cain

15 pts.

Purpose

Cain performs the whole Man-in-the-middle attack, including creating a spoofed digital certificate. It easily steals passwords and traffic off the wire, even in HTTPS sessions.

Installing Cain and Abel


1. Use your Virtual Windows XP machine.
2. Open a Web browser. Go to http://www.oxid.it/cain.html
3. Download Cain & Abel for Windows XP, install it. It will also install WinPCap.

Sniffing for Targets


4. Double-click the Cain icon on the desktop to launch Cain.
5. From the top menu, click Configure.
6. In the Configuration Dialog box, on the Sniffer tab, verify that the interface with the IP address that goes to the Internet is highlighted.
7. In the Configuration Dialog box, on the APR tab, click the Use ARP Request Packets (More Network Traffic) radio button at the bottom, as shown to the right on this page. Click OK.
8. In the upper left of the Cain window, click the Start/Stop Sniffer button (the second button from the left), and the Start/Stop APR button (third from the left) so they are both depressed, as shown to the right on this page.
9. At the top of the screen, click the Sniffer tab. On the toolbar, click the + icon.
10. In the Mac Address Scanner box, check the All Tests box. Click OK. Wait while several progress bars move across the screen.
11. Click the APR tab at the bottom. Click in the empty upper right hand table. Click the + icon on the toolbar.

Starting the ARP Poison Routing

12. In the New APR poison Routing box, click the gateway IP in the left pane. Then click the target IP in the right pane, as shown below on this page. Click OK.

13. Wait 30 seconds. You should see a Status of Poisoning, as shown to the right on this page. If you see a status of "Idle", toggle the Start/Stop Sniffer button and the Start/Stop APR button, leaving them both depressed.

Opening Gmail on the Target Machine

14. On the target machine, open Internet Explorer and go to Gmail.com
15. You should see connections appearing in the lower portion of the Cain window.

16. Enter a fake user name and password into the Gmail login screen and try to log in. You should see warnings about the security certificate. Agree to connect anyway.
17. On the bottom of the Cain window, click the Passwords tab. In the left pane, click the HTTP item to select it. Your Gmail password should be visible, as shown below on this page.

Saving the Screen Image


18. Click outside the virtual machine to make its title bar dim. Press the PrntScn key to copy whole screen to the clipboard in the host Windows XP machine. Open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj 22.

Turning in your Project


19. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj 22 From Your Name. Send a Cc to yourself.
Last modified 12-30-08


Project X1: TCP/IP Addressing Exercises

Name: ________________________
10 Points Max.

In the diagrams I am using here, there are three numbers given for each NIC, in this order:

IP Address
Subnet Mask
Default Gateway

The default gateway on the Gateway Machine (the machine at the top in these diagrams) is for a 2nd NIC, not shown, that connects to the Internet.

How to Solve Subnetting Problems


1. Subnet Masks: Start at the Gateway Machine (the machine at the top in these diagrams). Find the subnet mask. Make sure every machine has the same subnet mask. In the example below, the subnet mask is 255.255.255.0
2. Label the Subnet: Find the network portion of the IP address of the Gateway Machine. Fill in the host portion with 0s. Write that label above the network (in the upper left, in these diagrams). In the example below, the Gateway Machine has an IP address of 192.168.1.101 and since the subnet mask is 255.255.255.0, the network portion includes only the first 3 bytes. To find the subnet label, replace the last byte with zero: 192.168.1.0.
3. Check the IP Addresses
   Network Portion: Make sure that each NIC on a subnet has the same network address as the label you wrote at the top of the subnet. In the example below, on the left subnet, that means every IP address must start with 192.168.1
   Host Portion: Make sure that each NIC on a subnet has a different host address, including the default gateway. In the example below, the Gateway Machine has a host address of 1, and the others are 101, 102, and 103, so there are no duplicates.
4. Default Gateway: On each subnet, the default gateway is the Gateway Machine's IP address. It is the same for each NIC on the subnet, except the Gateway Machine itself, which has a default gateway of the network above it, usually an ISP. In the example below, the Gateway Machine has an IP address of 192.168.1.1, so the default gateway must be 192.168.1.1 for all three workstations at the bottom of the chart.

Subnet: 192.168.1.0

To the Internet

192.168.1.1 255.255.255.0 147.144.51.1

Hub

192.168.1.101 255.255.255.0 192.168.1.1

192.168.1.102 255.255.255.0 192.168.1.1

192.168.1.103 255.255.255.0 192.168.1.1
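The four checks above, applied in code: an added Python example that is not part of the original project (Nic, subnet_label, check_diagram and the diagram constants are names chosen here). It runs the checks on the worked diagram and, going beyond it, on two of the "change one number" diagrams that follow, reporting which NIC breaks a rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Nic:
    """The three numbers written beside every NIC in the diagrams."""
    ip: str
    mask: str
    gateway: str


def subnet_label(ip: str, mask: str) -> str:
    """Step 2: keep the network portion and fill the host portion with 0s."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address)


def check_diagram(gateway: Nic, workstations: List[Nic],
                  stated_label: Optional[str] = None) -> List[str]:
    """Apply the four checks to one diagram and return the mismatches found.

    gateway is the Gateway Machine at the top; workstations are the NICs
    below the hub. An empty list means the network will operate correctly.
    """
    problems: List[str] = []
    net = ipaddress.IPv4Network(f"{gateway.ip}/{gateway.mask}", strict=False)

    # Step 2: the label above the network must match the gateway's network.
    label = str(net.network_address)
    if stated_label is not None and stated_label != label:
        problems.append(f"Gateway Machine {gateway.ip}/{gateway.mask}: network "
                        f"is {label}, but the diagram is labelled {stated_label}")

    # Step 4: the Gateway Machine's own default gateway is its upstream
    # (ISP-side) NIC, so it must not lie inside this subnet.
    if ipaddress.IPv4Address(gateway.gateway) in net:
        problems.append(f"Gateway Machine: default gateway {gateway.gateway} "
                        f"lies inside its own subnet {net}")

    seen = {gateway.ip: "Gateway Machine"}  # step 3, host portion
    for n, ws in enumerate(workstations, 1):
        who = f"workstation {n} ({ws.ip})"
        # Step 1: every machine has the same subnet mask.
        if ws.mask != gateway.mask:
            problems.append(f"{who}: subnet mask {ws.mask} differs from "
                            f"Gateway Machine mask {gateway.mask}")
        # Step 3, network portion: the address must fall inside the subnet.
        if ipaddress.IPv4Address(ws.ip) not in net:
            problems.append(f"{who}: not in subnet {net}")
        # Step 3, host portion: no two NICs may share an address.
        if ws.ip in seen:
            problems.append(f"{who}: duplicate address, already used by {seen[ws.ip]}")
        seen.setdefault(ws.ip, who)
        # Step 4: every workstation's default gateway is the Gateway Machine.
        if ws.gateway != gateway.ip:
            problems.append(f"{who}: default gateway {ws.gateway} should be {gateway.ip}")
    return problems


# The worked example from the text; it should pass every check.
EXAMPLE = (Nic("192.168.1.1", "255.255.255.0", "147.144.51.1"),
           [Nic("192.168.1.101", "255.255.255.0", "192.168.1.1"),
            Nic("192.168.1.102", "255.255.255.0", "192.168.1.1"),
            Nic("192.168.1.103", "255.255.255.0", "192.168.1.1")])

# Two of the "change one number" diagrams, typed in exactly as drawn.
PROBLEM_5 = (Nic("192.168.1.1", "255.255.255.0", "147.144.51.1"),
             [Nic("192.168.1.2", "255.255.255.0", "192.168.1.1"),
              Nic("192.168.1.3", "255.255.255.0", "192.168.1.1"),
              Nic("192.168.1.4", "255.255.0.0", "192.168.1.1")])

PROBLEM_10 = (Nic("172.16.1.1", "255.0.0.0", "147.144.51.1"),
              [Nic("172.16.1.13", "255.255.0.0", "172.16.1.1"),
               Nic("172.16.1.14", "255.255.0.0", "172.16.1.1"),
               Nic("172.16.1.15", "255.255.0.0", "172.16.1.1")])

if __name__ == "__main__":
    for name, (gw, hosts), label in [("example", EXAMPLE, "192.168.1.0"),
                                     ("problem 5", PROBLEM_5, "192.168.1.0"),
                                     ("problem 10", PROBLEM_10, "172.16.0.0")]:
        found = check_diagram(gw, hosts, label)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  " + p)
```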

Project X1: TCP/IP Subnetting Exercises


1. Fill in the missing numbers so this network will operate correctly.

Subnet: ____________

To the Internet

Hub

192.168.0.1 255.255.255.0 147.144.51.1

_____________________ _____________________ _____________________

_____________________ _____________________ _____________________

_____________________ _____________________ _____________________

2. Fill in the missing numbers so this network will operate correctly.

Subnet: ____________

To the Internet

Hub

10.1.1.1 255.0.0.0 147.144.51.1

_____________________ _____________________ _____________________

_____________________ _____________________ _____________________

_____________________ _____________________ _____________________



3. Fill in the missing numbers so this network will operate correctly.

Subnet: ____________

To the Internet

Hub

_______________ _______________ 147.144.51.1

10.0.0.101 255.255.0.0 10.0.0.1

_____________________ _____________________ _____________________

_____________________ _____________________ _____________________

4. Fill in the missing numbers so this network will operate correctly.

Subnet: 172.31.0.0

To the Internet

Hub

_______________ _______________ 147.144.51.1

_____________________ _____________________ _____________________

_____________________ _____________________ _____________________

_____________________ _____________________ _____________________



5. Change one number so this network will operate correctly.

Subnet: 192.168.1.0

To the Internet

Hub

192.168.1.1 255.255.255.0 147.144.51.1

192.168.1.2 255.255.255.0 192.168.1.1

192.168.1.3 255.255.255.0 192.168.1.1

192.168.1.4 255.255.0.0 192.168.1.1

6. Change one number so this network will operate correctly.

Subnet: 192.168.1.0

To the Internet

Hub

192.168.1.1 255.255.255.0 147.144.51.1

192.168.1.13 255.255.255.0 192.168.11.1

192.168.1.3 255.255.255.0 192.168.1.1

192.168.1.2 255.255.255.0 192.168.1.1


7. Change one number so this network will operate correctly.

Subnet: 192.168.1.0

To the Internet

Hub

192.168.1.1 255.255.255.0 147.144.51.1

192.168.1.2 255.255.255.0 192.168.1.1

192.168.1.3 255.255.255.0 192.168.1.1

193.168.1.102 255.255.255.0 192.168.1.1

8. Change one number so this network will operate correctly.

Subnet: 10.0.0.0

To the Internet

Hub

10.1.1.1 255.0.0.0 147.144.51.1

10.1.1.101 255.0.0.0 10.1.1.1

10.2.1.101 255.0.0.0 10.1.1.1

10.1.1.101 255.0.0.0 10.1.1.1


9. Change one number so this network will operate correctly.

Subnet: 172.16.0.0

To the Internet

Hub

172.16.1.1 255.255.0.0 147.144.51.1

172.16.19.2 255.255.0.0 172.16.1.1

172.16.1.19 255.255.0.0 172.16.1.1

172.19.1.2 255.255.0.0 172.16.1.1

10. Change one number so this network will operate correctly.

Subnet: 172.16.0.0

To the Internet

Hub

172.16.1.1 255.0.0.0 147.144.51.1

172.16.1.13 255.255.0.0 172.16.1.1

172.16.1.14 255.255.0.0 172.16.1.1

172.16.1.15 255.255.0.0 172.16.1.1


Project X2: Hack This Site

15 points max.

What You Need for This Project

A computer of any kind with Internet access. A lot of time to spend solving puzzles and doing research. Be warned: these puzzles can take a lot of time, and require advanced techniques beyond the textbook or the course. The extra credit points do not justify the time it will take you to solve these puzzles, but if you do, you will learn a lot.

LEGAL WARNING!
It's OK to do the puzzles at HackThisSite.org, but DO NOT HACK INTO OTHER COMPUTERS! Accessing computers without permission from the owners is a crime! Don't do it! If you do illegal things, you may be arrested and go to jail, and I will be unable to save you. This project will teach you more about criminal hackers; understand them, but do not imitate their morals.

Part I: Basic Web Challenges (max. 10 pts)

1. Be warned: in this project, you will be learning real criminal techniques from real criminals. Do not reveal your real name or address, or trust these people. As you will see in Part II, the creator of this site is currently in prison. If you prefer not to do this project, you don't need to. That's why it's extra credit, not required.
2. Open a browser and go to hackthissite.org
3. In the upper left, click on the green word register.
4. Fill out the form to create an account. Do NOT give these people your real name or any correct information, not even a real email address. I used the address sam@mailinator.com and I recommend that you use a mailinator address too.
5. After creating your account, log in. Then, on the upper left of the main page, in the challenges section, click "Basic Web."
6. You should see a page labeled Level 1 (the idiot test). There is a form asking for a password. Your job is to figure out the password. There is a Help! link at the bottom which can help you.
7. Solve as many puzzles as you can. You get one point per level completed. There is a forum on the site which contains hints, tutorials, and even outright explicit instructions at solving the puzzles. The puzzles are very instructive, although not perfect. In my opinion level 8 is too frustrating; the code injection routine is too restrictive, so you don't get enough reward for coming close to the answer. But that's because the technique being used is so powerful that you could take over the whole hackthissite.org server, so they have to protect themselves.

8. When you have completed as many levels as you can, or want to, take a screen image showing how far you got, as shown to the right on this page.

Saving the Screen Image

9. Press the PrntScn key to copy the desktop to the clipboard.
10. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
11. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document in the Shared Documents folder with the filename Your Name Proj X2. Select a Save as type of JPEG. Close Paint.

Part II: Jeremy Hammond's Ethics and Fate

12. At the main hackthissite.org page, in the upper left, click Realistic Missions. Look through the missions, as shown below, and think about them from an ethical point of view, not a technical point of view.
13. Open a browser and go to en.wikipedia.org/wiki/Jeremy_Hammond
14. Read what Jeremy did, and what happened to him.
15. Write a couple of paragraphs about Jeremy Hammond and his case. Make sure to address these points:
   a. Was Jeremy Hammond an Ethical Hacker? Why or why not?
   b. Was his sentencing fair? Should it have been more or less severe? Why?

Turning in your Project

16. Email the JPEG image to me as an email attachment to cnit.123@gmail.com with a subject line of Proj X2 From Your Name. Put your Part II discussion in the body of the email message. Send a Cc to yourself.

Last modified 2-20-07

Project X3: Getting into Ubuntu Linux Without a Password

15 Points

What You Need for This Project

A trusted computer running Ubuntu Linux 6.10. This can be either a real or virtual machine.

Starting Ubuntu in Recovery Mode


1. Start Ubuntu Linux as usual, from the hard disk. When you see a "GRUB Loading" message, as shown to the right on this page, click in the virtual machine and press the ESC key. You have to be fast; you have only a few seconds to do it.
2. In the next screen, you have a selection of kernel options, as shown to the right on this page. Select one of the ones labeled (recovery mode).
3. This mode is analogous to Windows' Safe Mode. If your Ubuntu Linux has no password on the root account (which is the default situation), you can start in recovery mode without a password, and run as root, with full administrative privileges.

Using whoami to determine your user name


4. When Ubuntu starts up, you see text only, no graphics, as shown to the right on this page. This is recovery mode. Enter this command, then press the Enter key:

whoami

The response tells you your user name: it is root.

Editing the passwd File to Create a New User Named drevil


5. In the terminal window, enter this command, then press the Enter key:

cd /etc

This command changes the current working directory to /etc. This is where two essential system files are found: passwd and shadow.
6. In the terminal window, enter this command, then press the Enter key:

cp passwd passwd.bak

This command copies the passwd file to a backup, so you can undo the changes you are about to make if something goes wrong. Form a strict habit of creating these backup files! You are messing with essential system files, and you will be unhappy if you wreck a system and have no way back. Ubuntu does not have anything like Windows XP's System Restore; if you wreck it, you have to figure out what you did and fix it yourself.

7. In the terminal window, enter this command, then press the Enter key:

pico passwd

Scroll to the bottom of the file and type this line in exactly, as shown to the right on this page:

drevil:x:150:1000::/home/drevil:/bin/bash

8. Hold down the Ctrl key and press the O key to save your file. A message appears saying File Name to Write: passwd. Press the Enter key.
9. Hold down the Ctrl key and press the X key to exit from pico. You should see a # prompt again.
10. The passwd file has this format: Each line in this file contains information about one account. Each line has 7 colon-delimited fields (this means 7 entries separated by colons):
   login name,
   the letter "x",
   the numerical user ID,
   the numerical primary group ID for the user,
   a comment field (for example, the full name of the user),
   the user's $HOME directory,
   the name of the shell (meaning the program that is run at login).
   (From http://linux.about.com/od/linux101/l/blnewbie3_2_3.htm)
11. So the line you just added created a new user named drevil. But we have not created a password for this account yet.

Examining the shadow File


12. In the terminal window, enter this command, then press the Enter key:

cp shadow shadow.bak

This command copies the shadow file to a backup.
13. In the terminal window, enter this command, then press the Enter key:

pico shadow

The file should open in pico. Use the arrow keys to move the cursor to the bottom of the file. You should see your account names with a hashed password, looking like random characters, as shown below on this page:


14. This file contains the passwords for each account that has a password, in a hashed form (scrambled with a one-way function, usually MD5). Now we have a little problem: we want to give drevil a password, but there is no way to calculate the hashed password. Ubuntu is smarter than Windows XP and does not use predictable hashes. But we can still get the hash by setting the password for the root account.
15. Hold down the Ctrl key and press the X key to exit from pico. You should see a # prompt again.

Changing the root Password


16. In the terminal window, enter this command, then press the Enter key:

passwd

17. When you see the Enter new UNIX password: prompt, type in a new password you like, such as password and press the Enter key. You won't see anything on the screen when you type; just type it anyway.
18. At the Retype new UNIX password: prompt, type in the same password and press the Enter key. You should see password updated successfully.

Editing the shadow File to Create a Password for drevil


19. In the terminal window, enter this command, then press the Enter key: pico shadow The file should open in pico, as shown below on this page.

20. The first line now contains a long hashed password for the root account. All you need to do is to copy this line and paste it at the bottom, as shown below.
21. If necessary, use the arrow keys to place the cursor in the line starting with root. Hold down the Ctrl key and press K to cut the line. Then hold down the Ctrl key and press U to uncut (paste) the line back.
22. Use the arrow keys to move to the bottom of the file. Hold down the Ctrl key and press U to uncut (paste) another copy of the same line.
23. Finally, change the name root in the last line to drevil

24. Your file should contain the same hashed password for the root and drevil accounts, as shown in the figure on the previous page. Your hashes will be different from mine, even if you use the same password ("password"), because they are "salted"; we will discuss this later.
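A defender's counterpart to the passwd format in step 10 and the hash copy in steps 20 to 24, as an added Python example that is not from the original project: it parses passwd (7 fields) and shadow (9 fields) and flags the traces that hand-editing leaves, chiefly two accounts carrying a byte-identical salted hash. The file contents, the hash strings and the function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (check, account, detail)


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str   # normally the letter x, meaning "look in shadow"
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd content: 7 colon-delimited fields per line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(f)}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Parse /etc/shadow content (9 fields) into {account: hashed password}."""
    hashes: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"shadow line {lineno}: expected 9 fields, got {len(f)}")
        hashes[f[0]] = f[1]
    return hashes


def audit(passwd_text: str, shadow_text: str) -> List[Finding]:
    """Flag the traces that hand-editing passwd and shadow leaves behind."""
    findings: List[Finding] = []
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)

    by_uid: Dict[int, List[str]] = {}
    for u in users:
        by_uid.setdefault(u.uid, []).append(u.name)
        if u.password != "x":
            findings.append(("hash_in_passwd", u.name, "password field is not x"))
        if u.uid == 0 and u.name != "root":
            findings.append(("extra_uid0", u.name, "second account with UID 0"))
        if u.name not in hashes:
            findings.append(("no_shadow_entry", u.name, "passwd line has no shadow line"))
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(("shared_uid", ",".join(names), f"UID {uid} used more than once"))

    # A salted hash string embeds its salt, so two accounts can only carry the
    # identical string if one shadow line was copied from the other (as in
    # steps 20 to 24), not because two people happened to pick the same password.
    by_hash: Dict[str, List[str]] = {}
    for name, h in hashes.items():
        if h == "":
            findings.append(("empty_hash", name, "account logs in with no password"))
        elif h.startswith("$"):
            by_hash.setdefault(h, []).append(name)
    for h, names in by_hash.items():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings.append(("shared_hash", n, f"identical hash to {others}"))
    return findings


# Constructed sample files: the hash strings are placeholders, not real crypt output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Student,,,:/home/student:/bin/bash
drevil:x:150:1000::/home/drevil:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$c0nstrct$PLACEHOLDERhashAAAAAAAAAA:14244:0:99999:7:::
student:$1$0therslt$PLACEHOLDERhashBBBBBBBBBB:14244:0:99999:7:::
drevil:$1$c0nstrct$PLACEHOLDERhashAAAAAAAAAA:14244:0:99999:7:::
"""

if __name__ == "__main__":
    for check, account, detail in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{check:16} {account:10} {detail}")
```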

Saving the Screen Image


25. Make sure the pico window is visible, showing the drevil line with the hashed password. Click outside the virtual machine window to make the host Windows XP operating system receive your keystrokes. Then press the PrtScn button to capture the screen image.
26. On the host Windows XP desktop, click Start, Run. Enter the command mspaint and press the Enter key. Paint opens.
27. Press Ctrl+V on the keyboard to paste the image into the Paint window. Click File, Save. Save the document with the filename Your Name Proj X3a. Select a Save as type of JPEG.

Saving the Modified shadow File


28. Click in the pico window to make it active again. Hold down the Ctrl key and press the O key to save your file. A message appears saying File Name to Write: shadow. Press the Enter key.
29. Hold down the Ctrl key and press the X key to exit from pico. You should see a # prompt again.

Creating the Home Directory /home/drevil


30. In the terminal window, enter this command, then press the Enter key:

cd /home

This command changes the working directory to /home
31. In the terminal window, enter this command, then press the Enter key:

mkdir drevil

This command makes a working directory named drevil
32. In the terminal window, enter this command, then press the Enter key:

chown drevil drevil

This command changes the owner of the drevil directory to the user drevil.

Adding drevil to the admin Group


33. In the terminal window, enter this command, then press the Enter key: addgroup drevil admin This command adds drevil to the admin group, so drevil can use the sudo command to do administrative tasks.

Restarting the Ubuntu Machine


34. Press Ctrl+Alt+Ins to restart Ubuntu. Don't enter recovery mode; just let it start normally.


Logging in as drevil

35. You should see a login screen, as shown to the right on this page. Type in the user name drevil and press the Enter key.
36. In the next screen, enter the password you used, such as password and press the Enter key.

Running whoami

37. From the menu bar, click Applications, Accessories, Terminal.
38. In the terminal window, enter this command, then press the Enter key:

whoami

Saving the Screen Image


39. Make sure the Terminal window identifying you as drevil is visible. Then click outside the virtual machine window to make the host Windows XP operating system receive your keystrokes. Then press the PrtScn button to capture the screen image.
40. On the host Windows XP desktop, click Start, Run. Enter the command mspaint and press the Enter key. Paint opens.
41. Press Ctrl+V on the keyboard to paste the image into the Paint window. Click File, Save. Save the document with the filename Your Name Proj X3b. Select a Save as type of JPEG.

Turning in your Project


42. Email the JPEG images to me as email attachments to a single message. Send the message to cnit.123@gmail.com with a subject line of Proj X3 From Your Name. Send a Cc to yourself.
Last modified 6-2-07


Project X4: Protecting Your Privacy With The Onion Router
What You Need for This Project
A trusted computer running any version of Windows, with Internet access. You need administrator privileges. This can be either a real or virtual machine.

10 Points

Introduction to Tor
Tor protects your privacy when you use the Internet by bouncing the packets through randomly-selected "Onion Routers." Tor comes with two related programs: Privoxy, a proxy server, and Vidalia, a graphical user interface for Tor.

Getting Firefox
1. Use your Windows XP virtual machine.
2. You need Firefox for this project. If you don't have it, open Internet Explorer and go to getfirefox.com, download it, and install it.

Installing The Onion Router (TOR)


3. Open Firefox and go to tor.eff.org
4. At the top center of the main page, click Download.
5. Click the blue link in the Package column, in the Windows section, as shown below on this page. When I did it, the link name was 0.1.2.18a.
6. Save the executable and run it. Click through the Vidalia Bundle Setup Wizard and install the software with the default options. After Tor is installed, you should see a "Vidalia Control Panel" window saying "Tor is running", as shown to the right on this page.

Configuring Firefox to Use FoxyProxy


7. In Firefox, go to addons.mozilla.org
8. At the top right of the page, enter foxyproxy in the search box and click the Search button.
9. In the next page, click the FoxyProxy link. In the next page, click the green Install now link. In the Software Installation box, wait a few seconds, then click the Install Now button.
10. Close all windows. Start Firefox again.
11. A FoxyProxy box pops up asking "Would you like to configure FoxyProxy for use with Tor?" Click Yes.
12. A FoxyProxy box pops up asking "Are you using Tor with Privoxy or without?" Click With.
13. A FoxyProxy box pops up saying "Privoxy is no longer needed". Click Yes.
14. A FoxyProxy box pops up saying "Please enter the port on which Privoxy is listening." Accept the default value of 8118 and click OK.


15. A FoxyProxy box pops up saying "Would you like DNS requests to go through the Tor network?" Click Yes.
16. A "FoxyProxy Proxy Settings" box appears, as shown to the right on this page. This is asking which pages should use the proxy. Click OK.
17. A FoxyProxy box pops up saying "Congratulations!" Click OK.
18. A FoxyProxy box pops up saying "Firefox must restart". Click Yes.

Finding Your IP Address Without Tor


19. Look at the status bar in the lower right corner of your Firefox window. You should see "FoxyProxy: Disabled" in red letters.
20. In the address bar of the Firefox window, enter the address whatismyipaddress.com and press the Enter key.


21. You should see your IP address in the window, with a map showing your location, as shown to the right on this page. That's the problem: everyone you send packets to can tell who and where you are!

Saving the Screen Image


22. Make sure you can see your IP address and the "FoxyProxy: Disabled" notation in the lower right corner of the Firefox window.
23. Press the PrtScn button to capture the screen image.
24. Click Start, Run. Enter the command mspaint and press the Enter key. Paint opens.
25. Press Ctrl+V on the keyboard to paste the image into the Paint window. Click File, Save. Save the document with the filename Your Name Proj X4a. Select a Save as type of JPEG.


Using Tor to Protect Your Privacy
26. In the lower right corner of your Firefox window, right-click the red letters saying "FoxyProxy: Disabled". In the context menu, click "Use proxy "Tor" for all URLs".
27. The "FoxyProxy: Disabled" label changes to "FoxyProxy: Tor".


28. Press the F5 key on the keyboard to refresh the page. The IP address should change to a different address, and the location will change, as shown below on this page.

Saving the Screen Image


29. Make sure the IP address is different, and that the "FoxyProxy: Tor" message is visible in the lower right corner of the Firefox window.
30. Press the PrtScn button to capture the screen image.

31. Click Start, Run. Enter the command mspaint and press the Enter key. Paint opens.
32. Press Ctrl+V on the keyboard to paste the image into the Paint window. Click File, Save. Save the document with the filename Your Name Proj X4b. Select a Save as type of JPEG.

Turning in your Project


33. Email the JPEG images to me as attachments to one e-mail message to cnit.123@gmail.com with a subject line of Proj X4 From Your Name. Send a Cc to yourself.
Last modified 1-1-08


Project X5: Sniffing Cleartext Passwords with Cain
Installing Cain and Abel
1. Use a Virtual Windows XP machine.
2. Open a Web browser. Go to http://www.oxid.it/cain.html
3. Download Cain & Abel for Windows XP and install it. It will also install WinPcap.

10 pts.

Sniffing for Passwords


4. Double-click the Cain icon on the desktop to launch Cain.
5. From the top menu, click Configure.
6. In the upper left of the Cain window, click the Start/Stop Sniffer button (the second button from the left), as shown to the right on this page.
7. At the top of the screen, click the Sniffer tab. Click the Passwords tab at the bottom.

Logging in to a Simple HTTP Login Form


8. Open Firefox and go to: tinyurl.com/fakelogin
9. Type in a fake name and password. Click the Submit Query button.
10. When a box pops up asking whether you want Firefox to remember this password, click Not now. After a few seconds, you will see a message saying OK, Login approved.
11. In Cain, in the left pane, click HTTP. You should see the captured password, as shown below.


Logging in to CCSF's Email
12. In Firefox, go to: hills.ccsf.edu/mail
13. Type in a fake name and password, as shown to the right on this page. Click the Login button.
14. When a box pops up asking whether you want Firefox to remember this password, click Not now. After a few seconds, you will see a message saying "ERROR Unknown user or password incorrect".
15. Look at the Cain window; it did not capture this password.


Adjusting Cain's HTTP Settings


16. Is the SquirrelMail login secure? The URL doesn't show HTTPS, so it's probably not encrypted. Let's examine how Cain's password sniffer works.
17. From the Cain menu bar, click Configure. In the "Configuration Dialog" box, click the "Filters and ports" tab. The HTTP sniffer looks only on ports 80, 3128, and 8080, as shown to the right on this page. But you can see from the URL of the SquirrelMail page that it operates on port 9999.
18. In the "Configuration Dialog" box, on the "Filters and ports" tab, right-click "80,3128,8080" in the list of TCP ports for the HTTP protocol. In the context menu, click "Change TCP Ports".
19. In the "HTTP / ProxyHTTP (TCP)" box, change the ports listed to 80,3128,8080,9999 and then click OK.
20. You should now see 9999 included in the list of ports, as shown to the right on this page.
21. In the "Configuration Dialog" box, click OK.

Logging in to CCSF's Email
22. In Firefox, go to: hills.ccsf.edu/mail
23. Type in a fake name and password, as shown to the right on this page. Click the Login button.
24. When a box pops up asking whether you want Firefox to remember this password, click Not now. After a few seconds, you will see a message saying "ERROR Unknown user or password incorrect".
25. Look at the Cain window; you should see the captured password, as shown below.
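The lesson of steps 15 through 25 is that a port-filtered sniffer misses a cleartext login on an unusual port such as 9999. An auditor looking for credentials that leave the network unencrypted has the same blind spot unless the check is content-based. The script below is an added example written for this page, not part of the lab or of Cain: it inspects constructed TCP payloads, reports which endpoint and which form field carried a password-like value, never the value itself, and compares the default port list with a check that reads every port. The host names and field names in the sample traffic are constructed.

```python
"""Find cleartext HTTP logins in captured TCP payloads on any port."""
from urllib.parse import parse_qsl

DEFAULT_HTTP_PORTS = {80, 3128, 8080}          # Cain's default HTTP port list
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd", "secretkey"}

# Constructed sample traffic as (dst_host, dst_port, tcp_payload): a form
# login on port 80, a SquirrelMail-style login on port 9999, and a TLS
# ClientHello fragment on 443 that carries no readable credentials.
SAMPLE_PAYLOADS = [
    ("www.example.test", 80,
     b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"user=alice&password=hunter2"),
    ("mail.example.test", 9999,
     b"POST /src/redirect.php HTTP/1.1\r\nHost: mail.example.test:9999\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"login_username=bob&secretkey=s3cret&js_autodetect_results=1"),
    ("www.example.test", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]


def parse_http_request(payload):
    """Split a request into (method, path, headers, body); None if not HTTP."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def credential_fields(request):
    """Names of password-like fields in a form-encoded POST body."""
    method, _, headers, body = request
    if method != "POST":
        return []
    if "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    pairs = parse_qsl(body.decode("utf-8", errors="replace"),
                      keep_blank_values=True)
    return [name for name, _ in pairs if name.lower() in PASSWORD_FIELDS]


def find_cleartext_logins(payloads, ports=None):
    """One finding per credential-bearing request. ports=None inspects every
    port (content-based); a port set reproduces a port-filtered sniffer."""
    findings = []
    for host, port, payload in payloads:
        if ports is not None and port not in ports:
            continue
        request = parse_http_request(payload)
        if request is None:
            continue
        fields = credential_fields(request)
        if fields:   # report where and which field, never the value itself
            findings.append({"endpoint": f"{host}:{port}{request[1]}",
                             "fields": fields})
    return findings


if __name__ == "__main__":
    by_port = find_cleartext_logins(SAMPLE_PAYLOADS, DEFAULT_HTTP_PORTS)
    by_content = find_cleartext_logins(SAMPLE_PAYLOADS)
    print("port filter 80,3128,8080 sees:", [f["endpoint"] for f in by_port])
    print("content-based check sees:   ", [f["endpoint"] for f in by_content])
```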

Saving the Screen Image


26. Click outside the virtual machine to make its title bar dim. Press the PrntScn key to copy the whole screen to the clipboard in the host Windows XP machine. Open Paint and paste in the image. Save it as a JPEG, with the filename Your Name Proj X5.

Turning in your Project


27. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj X5 From Your Name. Send a Cc to yourself.
Last modified 12-30-08


Project X6: Microsoft Baseline Security Analyzer (MBSA)

10 Pt Extra

Downloading and Installing the Microsoft Baseline Security Analyzer (MBSA)


1. You can do this project on a Windows XP virtual machine, but I recommend doing it on Vista. Start any Vista computer in S214 and log in as Student with no password, or with any other account in the Administrators group.
2. Open a browser and go to http://www.microsoft.com/technet/security/tools/mbsahome.mspx
3. Click the latest version; at the time I wrote this, it was MBSA 2.1 Beta.
4. At the next screen, click Download now. Follow the instructions on your screen to go to the Download Center, validate your Windows copy, and download MBSA. The exact steps vary.
5. Install it with all the default selections.

Scanning Your Computer with MBSA


6. Click Start, All Programs, Microsoft Baseline Security Analyzer 2.1. If a "User Account Control" box pops up, press Alt+C or click Continue.
7. In the Microsoft Baseline Security Analyzer window, click Scan a computer.
8. In the Pick a computer to scan screen, notice that you can scan more than one computer with this tool, and that you can scan for many different problems. We will use the default selection to scan the local computer, and to scan for all the vulnerabilities. The only items not checked by default are "Configure computers for Microsoft Update and scanning prerequisites" and "Advanced Update Services Options", which are not relevant when you are scanning a single machine.
9. Click Start Scan. Wait until the scan completes.

Saving the Screen Image


10. When you see the View Security Report header, the scan is complete. Make sure the Windows Security Updates line is visible, as shown to the right on this page. Press Alt+PrtScn to copy this window to the clipboard.
11. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
12. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document in the Shared Documents folder with the filename Your Name Proj X6. Select a Save as type of JPEG. Close Paint.

Reading the Security Report
13. Read the Security Report and answer the questions in the box below.


A: What version of the MBSA are you using? ____________________________________
B: In the Administrative Vulnerabilities section, what did it say about your File System? _________________________________________________________________________
C: What was the result of the Password Expiration test? _________________________________________________________________________

Turning in your Project


14. Email the JPEG image to me as an attachment to an e-mail message. Answer the questions in the box in the body of the e-mail message. Send the message to: cnit.123@gmail.com or cnit.335@gmail.com with a subject line of "Proj X6 From Your Name", replacing Your Name with your own first and last name. Send a Cc to yourself.

Last modified 10-2-07


Project X7: Winfingerprint

10 Pt Extra

Downloading and Installing Winfingerprint


1. Start your Windows XP virtual machine and log in as usual.
2. Open a browser and go to winfingerprint.sourceforge.net
3. Scroll down and click the latest free version; at the time I wrote this, it was winfingerprint 0.6.2. Note the MD5 hash value, as shown to the right on this page.
4. In the next page, scroll down and find the blue winfingerprint-0.6.2.zip link, as shown to the right on this page. Download the zip file and save it on your desktop.
5. Click Start, All Programs, Hashcalc, Hashcalc. Drag the zip file from your desktop into the Data: box and drop it there. The hash should calculate immediately. Compare the MD5 hash value to the value you saw on the Winfingerprint web page. They should agree; if they don't, something is wrong.
6. Double-click the Zip file to open it. Double-click the Setup file. Install it with all the default selections. When the installer asks you for permission to make three minor changes on your computer (port numbers and connection timeouts), click Yes.

Scanning the Local Computer


7. If Winfingerprint did not open automatically, click Start, All Programs, Winfingerprint, Winfingerprint.
8. In the Winfingerprint window, in the upper left, click Single Host. Verify that the IP address shown is your own XP machine.
9. Look through the scan options: they are impressive, like Nmap or Nessus. Accept the default selections and click the Scan button. If a firewall warning pops up, allow the traffic.
10. Scroll down and examine the report. It shows every service pack and patch on the machine, and all the running processes. I was able to see the brand of firewall and antivirus software too, very valuable information to an intruder.

Saving a Screen Image


11. Make sure the Services: section is showing in the Winfingerprint screen.
12. Press Alt+PrtScn to copy this window to the clipboard.
13. On the Windows XP virtual machine's desktop, click Start, Run. Enter the command mspaint and press the Enter key. Paint opens.
14. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document in the Shared Documents folder with the filename Your Name Proj X7a. Select a Save as type of JPEG. Close Paint.

Locating a Target Computer


15. Let's call the machine you have been using your Trusted Computer.
16. Find another Windows XP virtual machine in the room that you can use for a while. This will be your Target Computer. If necessary, copy a fresh one from the V:\Hacking folder.
17. Start that machine up and log in as usual. Click Start, Run and enter the CMD command. In the Command Prompt window, enter the IPCONFIG command to find its IP address. Write your Target IP address in the box below.
Target IP: ___________________________

Turning Off the Firewall on the Target Computer


18. On the Target machine, click Start, Control Panel. If necessary, click Switch to classic view. Double-click Windows Firewall.
19. In the Windows Firewall box, click Off (not recommended) as shown to the right on this page. Click OK.


Scanning the Target Computer From Your Trusted Computer
20. On your Trusted Computer, in the Winfingerprint window, in the upper right, click the Clear button.
21. In the Winfingerprint window, in the upper left, click Single Host. Enter the IP address of your Target Computer. Click the Scan button. If a firewall warning pops up, allow the traffic.
22. Scroll down and examine the report. It shows much less information; the service packs and services are not shown. But you can still see information about the computer's name, patch level, and shares.


Turning On the Firewall on the Target Computer


23. On the Target machine, click Start, Control Panel. If necessary, click Switch to classic view. Double-click Windows Firewall.
24. In the Windows Firewall box, click On and also check the Don't allow exceptions box, as shown below on this page. Click OK.


Scanning the Target Computer From Your Trusted Computer
25. On your Trusted Computer, in the Winfingerprint window, in the upper right, click the Clear button.
26. In the Winfingerprint window, in the upper left, click Single Host. Enter the IP address of your Target Computer. Click the Scan button. If a firewall warning pops up, allow the traffic.
27. Now you get no information at all, not even a PING response, as you would expect.


Saving a Screen Image


28. Press Alt+PrtScn to copy this window to the clipboard.
29. On the Windows XP virtual machine's desktop, click Start, Run. Enter the command mspaint and press the Enter key. Paint opens.
30. Press Ctrl+V on the keyboard to paste the image into the Paint window. Save the document in the Shared Documents folder with the filename Your Name Proj X7b. Select a Save as type of JPEG. Close Paint.

Turning in your Project


31. Email the JPEG images to me as attachments to one e-mail message. Send the message to: cnit.123@gmail.com with a subject line of Proj X7 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Last modified 6-4-07


Project X8: OpenPGP on Ubuntu Linux

15 Points

Start Your Ubuntu Virtual Machine
1. Start your Ubuntu machine and log in as usual.

Set up a GMail Account


You can do this project with an existing mail account, but I don't recommend it, because you might expose your personal email and your password to other students. So I recommend that you make a temporary email account just for this project, as detailed in the following steps.
2. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Internet, Firefox Web Browser.
3. Go to Gmail.com
4. If you are already signed into Gmail, click sign out.
5. Click "Sign up for Gmail".
6. Fill in the "Create an Account" page. At the bottom, click the "I accept. Create my account." button.
7. In the next page, click "I'm ready show me my account".
8. In the next page, you should see your inbox with a couple of welcome messages. At the top right, click Settings.
9. On the Settings page, click "Forwarding and POP".
10. In the Forwarding section, click the Forward a copy radio button and enter your usual email account in the box, as shown below. This will enable you to see your score when your homework is graded.
11. In the "POP Download" section, click the "Enable POP for all mail" radio button. Click the "Save Changes" button.


Installing Thunderbird and enigmail


12. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Accessories, Terminal.
13. In the terminal window, enter this command, then press the Enter key:
sudo apt-get install mozilla-thunderbird-enigmail
Enter your password when you are prompted to. At the "Do you want to continue? [Y/n]" prompt, type Y. This command installs the Thunderbird email client with the enigmail OpenPGP Key Manager.
14. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Internet, Thunderbird Mail.
15. In the "Import Wizard" box, accept the default selection of "Don't Import Anything" and click the Next button.
16. In the "New Account Setup" box, accept the default selection of "Email account" and click the Next button.
17. At the "Identity" screen, enter your name and the new Gmail address you created in the first section of this project. Click the Next button.
18. At the "Server information" screen, select POP as the type of incoming server you are using. Enter pop.gmail.com in the Incoming Server field. Set the Outgoing Server to smtp.gmail.com, as shown to the right on this page. Click the Next button.
19. At the "User names" screen, enter your Gmail username (including @gmail.com) in the Incoming User Name and Outgoing User Name fields, and click Next.
20. At the "Account name" screen, accept the default and click Next.
21. At the "Congratulations" screen, verify your account information in the dialog box, and click Finish. Thunderbird will now attempt to get your mail, but it won't work because Gmail uses secure connections, with different ports. Don't wait for it; just proceed with the next steps. But be warned, Thunderbird will pop up a box in the next minute or so saying it was unable to get your mail. That's OK.

Setting Thunderbird to Receive Normal Gmail


22. From the Thunderbird menu bar, click Edit, Account settings.
23. In the upper left portion of the "Account Settings" box, click "Server Settings". In the right pane, in the "POP Mail Server" section, change the Port to 995, as shown below on this page. In the "Security Settings" section, click the SSL radio button.
24. In the upper left portion of the "Account Settings" box, click "Outgoing Server (SMTP)".
25. In the right pane, click your gmail account and click the Edit button. In the "SMTP Server" box, change the Port to 587, as shown to the right on this page. In the "Use secure connection:" section, click "TLS, if available" and click OK.
26. In the "Account Settings" box, click OK.
27. In the Thunderbird tool bar, click "Get Mail". If Thunderbird is unresponsive, close it and open it again.
28. In the "Enter your password" box, type in your password and click OK.
29. You should see the two GMail welcome messages in the Thunderbird window, as shown at the top of the next page.


Turning off HTML Message Composition


30. OpenPGP signatures don't work with HTML mail, so it's best to shut it off. From the Thunderbird menu bar, click Edit, Account settings.
31. In the upper left portion of the "Account Settings" box, click "Composition & Addressing". In the right pane, clear the "Compose messages in HTML format" check box, as shown below on this page. Click the OK button.

Generating a Key Pair


32. In the Thunderbird menu, click OpenPGP, "Key Management".
33. In the "OpenPGP Setup Wizard", accept the default selection of "Yes, I would like to use the wizard" and click the Next button.
34. At the Signing screen, accept the default selection of "Yes, I want to sign all of my email" and click the Next button.
35. At the Encryption screen, accept the default selection of "No, I will create per-recipient rules..." and click the Next button.
36. At the Preferences screen, click "No, thanks" and click the Next button.
37. At the "Create a Key" screen, enter a passphrase of your choice in both boxes and click the Next button. Make sure you remember the passphrase!
38. At the Summary screen, notice that you are creating a 2048-bit key. Click Next.
39. At the "Key Creation" screen, there is a progress bar, but it doesn't move quickly. To make it move faster, open Firefox and surf through some Web pages. It will collect random bits from your actions. When your key is ready, you will see the "OpenPGP Confirm" box shown below on this page. Click Yes.
40. In the "Create and Save Revocation Certificate" box, click Save.
41. When you are prompted to, type in your passphrase and click OK.
42. In the "OpenPGP Alert" box, click OK.
43. At the "Thank you" screen, click Finish.
44. An "OpenPGP Key Management" window appears, with your email address in it. Double-click your email address to see the "Key Properties" as shown below on this page. Click OK to close the "Key Properties" box.


Uploading Your Public Key


Now you have created a public key and a private key. But to be useful, you must upload your public key to a keyserver so others can use it to send you email.
45. In the "Key Management" box, click your email address to select your key. From the menu bar, click Keyserver, "Upload Public Keys".
46. In the "Select keyserver" box, select pgp.mit.edu, as shown to the right on this page. Click OK. This will send your public key to a keyserver.

Turning in Your Homework


47. Close the "OpenPGP Key Management" box. In the Thunderbird tool bar, click Write. Compose a message to cnit.123@gmail.com as shown to the right on this page. Send a Cc: to yourself, at any email account you like.
48. Note the little pen and key symbols in the lower right of the window; they control encryption and signing. Accept the default values (signed but not encrypted) and click the Send button. If it asks for your passphrase and your password, enter them.

Viewing the Signature in a Browser


49. Open Firefox. Go to gmail.com (or whatever other mail account you sent your Cc: to) and read your email. Look for your signed message. You should see the PGP SIGNATURE section, as shown below on this page.
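The PGP SIGNATURE section seen in step 49 is the tail of an OpenPGP cleartext-signed message (RFC 4880, section 7). Before any cryptography happens, a mail client separates that message into the Hash: header, the dash-escaped signed text, and the Radix-64 signature block with its CRC-24 checksum. The code below is an added example written for this page, not part of the lab or of Enigmail or GnuPG: it builds and takes apart such a message with a constructed 20-byte stand-in for the signature packet, so it checks framing and checksum only; checking the signature itself needs the signer's public key and a real OpenPGP implementation.

```python
"""Split an OpenPGP cleartext-signed message into its parts (RFC 4880 s.7)."""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """OpenPGP CRC-24 over the binary contents of an armor block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data):
    """The '=XXXX' trailer: Radix-64 of the 3-byte big-endian CRC-24."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def dash_escape(text):
    """Prefix lines that start with '-' with '- ' so they cannot be mistaken
    for armor headers; trailing blanks are dropped, as signers do."""
    return "\n".join(("- " + ln if ln.startswith("-") else ln).rstrip(" \t")
                     for ln in text.split("\n"))


def build_clearsigned(text, sig_bytes, hash_alg="SHA256"):
    """Assemble the envelope around a text and an opaque signature packet."""
    body = base64.b64encode(sig_bytes).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: " + hash_alg + "\n\n"
            + dash_escape(text) + "\n-----BEGIN PGP SIGNATURE-----\n\n"
            + "\n".join(lines) + "\n" + armor_checksum(sig_bytes)
            + "\n-----END PGP SIGNATURE-----\n")


_ENVELOPE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?P<hdr>(?:[^\n]*\n)*?)\n"
    r"(?P<text>.*?)\n-----BEGIN PGP SIGNATURE-----\n(?P<armor>.*?)\n"
    r"-----END PGP SIGNATURE-----", re.S)


def parse_clearsigned(message):
    """Return (hash_alg, signed_text, sig_bytes). Raises ValueError for a
    malformed frame or a CRC-24 mismatch (corrupted or tampered armor)."""
    m = _ENVELOPE.search(message)
    if not m:
        raise ValueError("not a cleartext-signed message")
    hash_alg = None
    for line in m.group("hdr").splitlines():
        if line.startswith("Hash:"):
            hash_alg = line[5:].strip()
    # Undo dash-escaping to recover exactly what was signed.
    text = "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in m.group("text").split("\n"))
    armor_lines = m.group("armor").split("\n")
    while armor_lines and armor_lines[0] != "":     # skip armor headers
        armor_lines.pop(0)
    armor_lines = [ln for ln in armor_lines if ln != ""]
    if not armor_lines or not armor_lines[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    checksum = armor_lines.pop()
    sig_bytes = base64.b64decode("".join(armor_lines))
    if armor_checksum(sig_bytes) != checksum:
        raise ValueError("armor CRC-24 mismatch")
    return hash_alg, text, sig_bytes


# Constructed sample: a short mail body plus a 20-byte stand-in for the real
# signature packet (which only GnuPG and the signer's key could produce).
SAMPLE_TEXT = "Hello from Proj X8\n-- signed test --\nstudent"
FAKE_SIG = bytes(range(20))

if __name__ == "__main__":
    msg = build_clearsigned(SAMPLE_TEXT, FAKE_SIG)
    print(msg)
    print(parse_clearsigned(msg)[:2])
```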

Last modified 6-5-07


Project X9: Cracking WPA

15 Points

What You Will Need
A wireless access point
A computer running any OS with any wireless NIC to be the client
A different computer with a Linksys WUSB54G WiFi card, or another Wi-Fi card that is compatible with the BackTrack 2 live CD operating system
A BackTrack 2 Live CD

Warning: Only use this on networks you own. Cracking into networks without permission is a crime; don't do it!

Choose Your Access Point/Router


1. There are four Access Point/Routers available in S37: Linksys, D-Link, Belkin, and Buffalo. Choose one and use the corresponding instructions below to set up a secure Wireless Local Area Network (WLAN). If you are working at home, you can use any wireless router that supports WPA (they all do, unless your equipment is very old).

Linksys Router

Restoring the Access Point to Factory Default Settings


2. Get the blue Linksys BEFW11S4 router from the closet. Plug in the power cord. Do not plug in any Ethernet cables yet.
3. Press the little red RESET button on the back and hold it in for ten seconds. This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router


4. Choose one computer to be the Wired Client. Disconnect the blue Ethernet cable from the back of the Wired Client. Take another cable and connect the Wired Client to port 1 on the router. Check the front panel of the router: the light under number 1 should light up, but the Internet light should be dark.
5. On the Wired Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key.
IPCONFIG
You should see an IP address starting with 192.168.1, as shown below. There are other network adapters present with other IP addresses, but one of them should start with 192.168.1. If you don't have an IP address like that, restart the Wired Client computer.
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

6. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
PING 192.168.1.1
You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the router as a client.

Changing the Subnet on the Router


7. The LAN in S214 uses the 192.168.1.0 subnet, which is the same as the default subnet for the Linksys router. The router won't be able to connect to the LAN unless it uses a different subnet for its clients, so we need to change the router to a different subnet.
8. On the Wired Client, open a browser and go to this address: 192.168.1.1
9. A box pops up asking for a user name and password. Leave the User Name blank and enter a password of admin
10. In the Linksys page, on the Setup tab, change the Local IP Address to 192.168.10.1, as shown to the right on this page.
11. Scroll to the bottom of the page and click the Save Settings button.
12. A popup box appears saying Next time, log in the router with the new IP address. Click OK.
13. Now that the router has a new address, the Wired Client needs a new IP address too to connect to it. To force a DHCP renew, unplug the network cable from port 1 on the router, wait a couple of seconds, and plug it in again.
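Step 7 describes a double-NAT overlap: the router's WAN port is leased an address inside 192.168.1.0/24 while its LAN side also uses 192.168.1.0/24, so it cannot route between the two. The small check below is an added example written for this page, not part of the lab; it tests a candidate LAN network against the WAN lease and proposes the first non-overlapping /24 (the lab picks 192.168.10.1 by hand). The WAN lease used is constructed.

```python
"""Check a router's LAN subnet against the address it gets on its WAN port."""
import ipaddress


def lan_conflicts_with_wan(wan_ip, wan_prefix, lan_network):
    """True when the WAN lease's network overlaps the LAN network, the
    situation step 7 fixes by moving the LAN to 192.168.10.0/24."""
    wan_net = ipaddress.ip_interface(f"{wan_ip}/{wan_prefix}").network
    return wan_net.overlaps(ipaddress.ip_network(lan_network))


def propose_lan_network(wan_ip, wan_prefix, preferred="192.168.1.0/24"):
    """Keep the preferred LAN network if it is free; otherwise return the
    first /24 inside 192.168.0.0/16 that does not overlap the WAN side."""
    if not lan_conflicts_with_wan(wan_ip, wan_prefix, preferred):
        return preferred
    for candidate in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=24):
        if not lan_conflicts_with_wan(wan_ip, wan_prefix, str(candidate)):
            return str(candidate)
    raise RuntimeError("no free /24 left in 192.168.0.0/16")


if __name__ == "__main__":
    # Constructed: the room's LAN leases 192.168.1.150/24 to the router's WAN port.
    print(lan_conflicts_with_wan("192.168.1.150", 24, "192.168.1.0/24"))  # True
    # First free /24 is 192.168.0.0/24; the lab's 192.168.10.0/24 would do as well.
    print(propose_lan_network("192.168.1.150", 24))
```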

14. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
IPCONFIG
You should see an IP address starting with 192.168.10. If you don't have an IP address like that, restart the Wired Client computer.
15. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
PING 192.168.10.1
You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the router again as a client.

Setting the SSID and Channel on the Access Point/Router


16. Make up a new SSID to be your network's name. Write it in the box to the right on this page. Don't use any spaces in the name.
SSID: _______________________
Channel: 1
17. On the Wired Client, open a browser and go to this address: 192.168.10.1
18. A box pops up asking for a user name and password. Leave the User Name blank and enter a password of admin
19. In the Linksys page, click the Wireless tab. Click the blue Basic Wireless Settings tab. In the Wireless line, click Enable. Enter your SSID in the Wireless Network Name (SSID): box. Select a Wireless Channel of 1 - 2.417 GHZ, as shown to the right on this page.
20. At the bottom of the page, click Save settings.


Setting WPA Security on the Access Point/Router
21. On the Wired Client, a browser should still be open, showing address 192.168.10.1
a. If the browser window is not still open, open a new one, go to 192.168.10.1, and log in with User Name blank and a password of admin
22. In the Linksys page, click the Wireless tab. Click the blue Wireless Security tab. In the Wireless Security line, click Enable. Select a Security Mode: of WPA Pre-Shared Key. Enter a WPA Shared Key of password as shown to the right on this page. At the bottom of the page, click Save settings.

Connecting the Router to the Rooms LAN


23. Find the blue cable attached to the wall that used to be plugged into the Wired Client. Plug it into the WAN port on the router. The Internet front panel light should come on.
24. On the Wired Client, a browser should still be open, showing address 192.168.10.1
a. If the browser window is not still open, open a new one, go to 192.168.10.1, and log in with User Name blank and a password of admin
25. In the Linksys page, at the upper right, click the Status tab. At the bottom of the screen, click the DHCP Renew button. The router should now show an Internet IP Address starting with 192.168.1 as shown to the right on this page. If it does not, click the DHCP Renew button again.
26. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
PING YAHOO.COM
You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the Internet through the router.

Skip ahead to the Connecting a Wireless Client to the Access Point/Router section.

Belkin Router

Restoring the Access Point to Factory Default Settings


27. Get the gray Belkin router from the closet. Plug in the power cord. Do not plug in any Ethernet cables yet.
28. Use a pin or paper clip to press the little RESET button on the back and hold it in for ten seconds. This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router


29. Choose one computer to be the Wired Client. Disconnect the blue Ethernet cable from the back of the Wired Client. Take another cable and connect the Wired Client to port 1 on the router. Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
30. On the Wired Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key.
IPCONFIG
You should see an IP address starting with 192.168.2, as shown below. There are other network adapters present with other IP addresses, but one of them should start with 192.168.2. If you don't have an IP address like that, restart the Wired Client computer.
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.2.2
31. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.
PING 192.168.2.1
You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router


32. Make up a new SSID to be your network's name. Write it in the box to the right on this page. Don't use any spaces in the name.
SSID: _______________________
Channel: 11
33. On the Wired Client, open a browser and go to this address: 192.168.2.1
34. A Belkin page opens. In the upper right, click the Log in button.
35. A Login screen appears. Leave the Password box empty and click the Submit button. If the browser displays a Security Warning box, click Continue.



36. On the left side of the screen, click Channel and SSID.
37. In the Wireless > Channel and SSID page, enter your SSID in the SSID box. Select a Wireless Channel of 11, as shown to the right on this page. At the bottom of the page, click Apply Changes.

Setting WPA Security on the Access Point/Router

38. On the Wired Client, a browser should still be open, showing address 192.168.2.1. In the left pane, in the Wireless section, click Security.
39. In the Security Mode box, select WPAPSK (no server). Enter a "Pre-shared key (PSK)" of password as shown to the right on this page.
40. At the bottom of the page, click Apply Changes.

Connecting the Router to the Room's LAN

41. Find the blue cable attached to the wall that used to be plugged into the Wired Client. Plug it into the Connection to Modem port on the router. The WAN front panel light should come on.
42. On the Wired Client, a browser should still be open, showing address 192.168.2.1
43. In the Belkin page, on the left side, in the Internet WAN section, click Connection Type.
44. In the WAN > Connection Type screen, accept the default selection of Dynamic and click the Next button.
45. In the WAN > Connection Type > Dynamic IP screen, leave the Host Name box empty and click the Apply Changes button.
46. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key:

PING YAHOO.COM

You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the Internet through the router.

Skip ahead to the Connecting a Wireless Client to the Access Point/Router section.


D-Link Router

Restoring the Access Point to Factory Default Settings

47. Get the gray D-Link router from the closet. Plug in the power cord. Do not plug in any Ethernet cables yet.
48. Use a pin or paper clip to press the little RESET button on the back and hold it in for ten seconds. This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router

49. Choose one computer to be the Wired Client. Disconnect the blue Ethernet cable from the back of the Wired Client. Take another cable and connect the Wired Client to port 1 on the router. Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
50. On the Wired Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key:

IPCONFIG

You should see an IP address starting with 192.168.0, as shown below. There are other network adapters present with other IP addresses, but one of them should start with 192.168.0. If you don't have an IP address like that, restart the Wired Client computer.

Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.100

51. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key:

PING 192.168.0.1

You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router

52. Make up a new SSID to be your network's name. Write it in the box to the right on this page. Don't use any spaces in the name.

SSID: _______________________
Channel: 6

53. On the Wired Client, open a browser and go to this address: 192.168.0.1 A box pops up asking for a user name and password.
54. Enter a user name of admin and leave the password blank. Click the OK button.



55. On the left side of the screen, click Wireless.
56. Enter your SSID in the SSID box, as shown to the right on this page.
57. Select a Wireless Channel of 6, as shown to the right on this page.

Setting WPA Security on the Access Point/Router

58. In the Security: box, select WPA.
59. In the Passphrase: box, enter password
60. In the Confirmed Passphrase: box, enter password
61. At the bottom of the page, click Apply. A message appears saying The device is restarting. Click Continue.

WEP Key: ________________________

Connecting the Router to the Room's LAN

62. Find the blue cable attached to the wall that used to be plugged into the Wired Client. Plug it into the WAN port on the router. The WAN front panel light should come on.
63. On the Wired Client, a browser should still be open, showing the D-Link page.
64. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key:

PING YAHOO.COM

You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the Internet through the router.


Buffalo Router with OpenWRT Firmware

Restoring the Access Point to Factory Default Settings

65. Get the Buffalo router labeled "OpenWRT" from the closet. Plug in the power cord. Do not plug in any Ethernet cables yet.
66. Use a pen to hold the little INIT button on the bottom. Unplug the power cord. Plug the power cord back in and hold the INIT button down for 30 seconds. This resets the router back to its default settings.

Connecting a Wired Client Computer to the Router

67. Choose one computer to be the Wired Client. Disconnect the blue Ethernet cable from the back of the Wired Client. Take another cable and connect the Wired Client to port 1 on the router. Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
68. On the Wired Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key:

IPCONFIG

You should see an IP address starting with 192.168.11, as shown below. There are other network adapters present with other IP addresses, but one of them should start with 192.168.11. If you don't have an IP address like that, restart the Wired Client computer.

Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.11.175

69. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key:

PING 192.168.11.1

You should see replies, and you should see the back panel lights on the router blink. The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router

70. Make up a new SSID to be your network's name. Write it in the box to the right on this page. Don't use any spaces in the name.

SSID: _______________________
Channel: 6

71. On the Wired Client, open a browser and go to this address: 192.168.11.1 An "OpenWrt Admin Console" page opens.
72. At the top, click Network. A box pops up asking for a user name and password.
73. Enter a user name of root and type in a password of password Click the OK button.



74. In the light blue menu bar, below the "OpenWrt Admin Console" header, click Wireless.
75. Enter your SSID in the ESSID box, as shown to the right on this page.
76. Select a Wireless Channel of 6, as shown to the right on this page.
77. At the bottom of the page, click the "Save Changes" button. Click the "Apply Changes" link.

Setting WPA Security on the Access Point/Router

78. In the Encryption Settings: section near the bottom of the page, select an "Encryption Type" of WPA (PSK), as shown to the right on this page.
79. In the WPA PSK box, enter password, as shown to the right on this page.
80. At the bottom of the page, click the "Save Changes" button. Click the "Apply Changes" link.

Connecting the Router to the Room's LAN

81. Find the blue cable attached to the wall that used to be plugged into the Wired Client. Plug it into the WAN port on the router.
82. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key:

PING YAHOO.COM

You should see replies, and you should see the front panel lights on the router blink. The Wired Client is now connected to the Internet through the router.


Connecting a Wireless Client to the Access Point/Router

83. Find a machine with a wireless NIC to use as the Wireless Client computer. Machines S214-15, 16, and 17 have wireless NICs, and there are also USB wireless NICs available that can be attached to other stations.
84. Disconnect the blue Ethernet cable from the back of your Wireless Client computer to ensure that it uses only the wireless connection.
85. In the lower right of the desktop, find the Wireless Network Connection icon, as shown to the right on this page. It shows a computer with radio waves coming from it. Right-click that icon and click View available wireless networks.
86. Find your SSID in the list and click it, as shown to the right on this page. Click the Connect button.
87. In the Wireless network connection box, enter the WEP Key you wrote in the box on a previous page of these instructions. Put the same key in the second box and click Connect.
88. Wait while your Wireless Client connects. When the connection is made, you should see the word Connected next to your SSID, as shown to the right on this page.
89. On the Wireless Client, click Start, All Programs, Accessories, Command Prompt. Type in this command and press the Enter key:

IPCONFIG

You should see an IP address starting with 192.168.10
90. On the Wireless Client, in the Command Prompt window, type in this command and press the Enter key:

PING 192.168.10.1

You should see replies, and you should see the front panel lights on the router blink. The Wireless Client is now connected to the router as a wireless client.


Getting the BackTrack 2 CD

91. You need a BackTrack 2 CD. Your instructor handed them out in class. If you are working at home, you can download it from http://www.remote-exploit.org/backtrack.html

Plugging in the USB NIC

92. Connect the USB cable from the Linksys WUSB54G ver. 4 NIC.

Booting the Hacker Computer from the BackTrack 2 CD

93. Insert the bt2 CD and restart your "Hacker Computer". If it won't boot from the CD, press F2 to enter the BIOS settings page and set it to boot from the CD. If it asks for a BIOS Password, press the Enter key.
94. You should see a message beginning ISOLINUX. At the boot: prompt, press the Enter key.
95. Several pages of text scroll by as Linux boots. When you see a page with a bt login: prompt, type in this username and press the Enter key: root
96. At the Password: prompt, type in this password and press the Enter key: toor
97. At the bt ~ # prompt, type in this command and press the Enter key: xconf
98. At the bt ~ # prompt, type in this command and press the Enter key: startx
99. A graphical desktop should appear, with a start button showing the letter K on a gear in the lower left, as shown to the right on this page.

Downloading a Word List

100. A dictionary attack uses a list of possible pre-shared keys. We'll use a simple, small list that will make the attack fast, although less thorough.
101. Click the Firefox button, as shown to the right on this page.
102. In Firefox, go to www.cotse.com/tools/wordlists.htm



103. A Web page with many wordlists appears, as shown to the right on this page. Right-click common-p and click "Save Link As".
104. In the "Save As" box, select a "Save in folder:" of root, as shown to the right on this page. Click the Save button.

Starting the wifi-0 Device


105. Click the Konsole button, as shown above on this page.
106. In the "Shell Konsole" window, type in this command, and then press the Enter key:

airmon-ng stop rausb0


107. In the "Shell Konsole" window, type in this command, and then press the Enter key:

airmon-ng start wifi0


We have now stopped the wireless card and restarted it with the special MadWiFi drivers, which are necessary for cracking WEP. Now the card is monitoring on all channels.


Capturing Packets to View the Available Networks

108. Click the Konsole button to open a new Konsole window, titled "Shell Konsole <2>".
109. In the "Shell Konsole <2>" window, type in this command, and then press the Enter key:

airodump-ng -w test rausb0


This command opens a window showing all local networks, as shown below on this page. The columns in the output of immediate importance for cracking WPA are explained below:

BSSID: The MAC address of the access point
CH: The channel (1 through 11 are used in the USA)
ENC, CIPHER, AUTH: These values specify the encryption method, and should say WPA, TKIP, PSK for the pre-shared key method we are cracking.
ESSID: The name of the network

110. Write the BSSID, CH, and ESSID of the access point you want to crack into in the box to the right on this page. Note that the BSSID, STATION, etc. information at the bottom of the screen refers to the client, not the Access Point.

BSSID: ______________________________________
CH: __________
ESSID: ______________________________________

111. Press Ctrl+C to stop the Airodump capture. If it won't stop, use the mouse to close the "Shell Konsole <2>" window. Then click the Konsole button to open a new "Shell Konsole <2>" window.

Restarting Monitoring on the Correct Channel


112. Click the "Shell Konsole" window to make it active; this is the window you used for the airmon-ng commands.
113. In the "Shell Konsole" window, type in this command, and then press the Enter key:

airmon-ng stop rausb0


114. In the "Shell Konsole" window, type in this command, and then press the Enter key:

airmon-ng start wifi0 11

Replace 11 with the CH number you wrote in the box above on this page. Now the card is monitoring only the channel we are interested in.

Resuming Packet Capture

115. Click the "Shell Konsole <2>" window to make it active; this is the Konsole window you used for the airodump-ng command.
116. In the "Shell Konsole <2>" window, type in this command, and then press the Enter key:

airodump-ng -c 11 -w output rausb0

Replace 11 with the CH number you wrote in the box above on this page. Now the card is monitoring only the channel we are interested in. This captures packets on the desired channel, and dumps them into the file output.cap.

117. At the top of the airodump-ng output, information about the access point is displayed. At the bottom is information about associated clients, as shown below on this page. Find the STATION address for a client associated with your access point, and write it in the box to the right on this page. If you don't have any associated station, go to your Wireless Client, disconnect, and reconnect to the access point.

STATION: ____________________________________


Performing a Deauthentication Attack

118. We need to capture a four-way handshake from a client authenticating, to get the data we will use to crack WPA. We could just wait for a client to authenticate, but that might take a long time. The easier way is to force a deauthentication, after which the client will reauthenticate.
119. Click the "Shell Konsole" window to make it active; this is the window you used for the airmon-ng commands.
120. In the "Shell Konsole" window, type in this command, and then press the Enter key:

aireplay-ng --help

This shows a help message, explaining the options available for aireplay-ng. Notice the section at the bottom showing "Attack modes", as shown below. The attack we will use now is deauthenticate, using the -0 10 switch, to send ten deauthentication frames.

121. In the "Shell Konsole" window, type in this command, and then press the Enter key:

aireplay-ng -0 10 -a 00:11:50:1E:43:87 -c 00:12:17:75:A0:19 rausb0

Replace 00:11:50:1E:43:87 with the BSSID you wrote in the box on a previous page of these instructions (the access point's hardware address). Replace 00:12:17:75:A0:19 with the STATION you wrote in the box on a previous page of these instructions (the Wireless Client's MAC address). You should see a "Sending deauth to station" message, as shown above on this page.

122. Go look at your Wireless Client. It may have automatically reconnected, or it may now be disconnected. If it is disconnected, reconnect it manually. But most people set their Wi-Fi networks to be remembered and automatically reconnect, so they won't even notice this attack in progress.
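From the defender's side, the burst of deauthentication frames this step sends is exactly what a wireless IDS looks for: a real access point sends one deauth when it drops a client, not a dozen identical ones in a fraction of a second. The following is an added example, not code from the original handout or from the aircrack-ng suite; the frame records and MAC addresses in it are constructed, and the threshold and window values are assumptions.

```python
"""Detect deauthentication floods in a stream of 802.11 management-frame
records, the way a wireless IDS sensor would flag the forced
reauthentication used above. Added example for this page; not part of the
original handout or of aircrack-ng. All frames and addresses are constructed."""
from collections import defaultdict, deque

# 802.11 management-frame subtypes (frame type 0). Deauthentication and
# disassociation both kick a client off and force a new four-way handshake.
BEACON = 0x08
DISASSOC = 0x0A
DEAUTH = 0x0C


class DeauthFloodDetector:
    """Alert when one (BSSID, station) pair sees `threshold` or more
    deauth/disassoc frames inside a sliding window of `window` seconds."""

    def __init__(self, threshold=5, window=2.0):
        self.threshold = threshold          # assumed tuning values
        self.window = window
        self._times = defaultdict(deque)    # (bssid, station) -> timestamps
        self._alerted = set()               # pairs already reported once

    def feed(self, ts, subtype, dst, src, bssid):
        """Consume one frame record; return an alert dict or None."""
        if subtype not in (DEAUTH, DISASSOC):
            return None
        # The attack spoofs both directions (AP -> client and client -> AP),
        # so key on the station address regardless of direction.
        station = dst if src == bssid else src
        key = (bssid, station)
        q = self._times[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire frames outside the window
            q.popleft()
        if len(q) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return {"bssid": bssid, "station": station,
                    "count": len(q), "first_seen": q[0], "last_seen": ts}
        return None


def scan(frames, threshold=5, window=2.0):
    """Run the detector over (ts, subtype, dst, src, bssid) records."""
    det = DeauthFloodDetector(threshold, window)
    alerts = []
    for rec in frames:
        alert = det.feed(*rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample capture: benign traffic, then a spoofed burst.
AP = "02:00:00:aa:bb:01"        # constructed BSSID
CLIENT = "02:00:00:cc:dd:02"    # constructed station MAC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def sample_frames():
    frames = [
        (0.00, BEACON, BROADCAST, AP, AP),   # normal beacon
        (1.00, DEAUTH, CLIENT, AP, AP),      # one deauth: AP idled the client
        (1.50, BEACON, BROADCAST, AP, AP),
    ]
    # Burst of spoofed deauths in both directions, about 10 ms apart.
    for i in range(6):
        t = 20.0 + i * 0.01
        frames.append((t, DEAUTH, CLIENT, AP, AP))          # "from AP" to client
        frames.append((t + 0.005, DEAUTH, AP, CLIENT, AP))  # "from client" to AP
    return frames


if __name__ == "__main__":
    for a in scan(sample_frames()):
        span = a["last_seen"] - a["first_seen"]
        print(f"ALERT deauth flood: bssid={a['bssid']} station={a['station']} "
              f"{a['count']} frames in {span:.3f}s")
```

The single deauth at t=1.0 never trips the detector; the burst does on its fifth frame, and only once per pair so a long flood does not drown the console.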


Performing a Dictionary Attack on the Captured Handshake

123. Now we will capture an ARP request, and replay it to force the Access Point to pump out a lot of IVs.
124. In the "Shell Konsole" window, type in this command, and then press the Enter key:

aircrack-ng -w common-p.htm output*.cap


125. You should see a list of BSSID values, and your target network should be labeled with "WPA (1 handshake)", as shown below on this page. If there is no captured handshake, repeat the deauthentication and reauthentication process.
126. Enter the index number of your target network and press the Enter key. Aircrack simply tries each password on the list in alphabetical order, as shown below on this page.

127. When it finds your password, you should see the message "KEY FOUND! [ password ]", as shown below on this page.
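The attack succeeds because the pre-shared key is an entry in the wordlist; the only cost per guess is one key derivation, so a list the size of common-p is exhausted in seconds. The defensive check is to run a proposed passphrase through the same kind of list, with the simple mutations cracking rules undo, before it goes on the access point. The following is an added example, not code from the original handout or from aircrack-ng; the wordlist is a small constructed stand-in for common-p and the mutation rules are a simplified approximation.

```python
"""Screen a proposed WPA/WPA2 pre-shared key against a wordlist the way a
rule-based dictionary attack would reduce it. Added example for this page;
not part of the original handout or of aircrack-ng. SAMPLE_WORDLIST is a
constructed stand-in for common-p."""
import math
import string

SAMPLE_WORDLIST = """password
letmein
qwerty
dragon
baseball
monkey
"""

# Reverse the usual letter-for-symbol substitutions: P@ssw0rd -> password
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def load_wordlist(text):
    """One entry per line, compared case-insensitively."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def variants(passphrase):
    """Yield the base words a simple rule set reduces this passphrase to:
    lower-cased, with trailing digits/punctuation removed, with leet undone."""
    base = passphrase.lower()
    stripped = base.rstrip(string.digits + string.punctuation)
    seen = set()
    for cand in (base, stripped, base.translate(LEET), stripped.translate(LEET)):
        if cand and cand not in seen:
            seen.add(cand)
            yield cand


def log2_keyspace(passphrase):
    """Rough upper bound (in bits) on the guesses needed if the passphrase is
    NOT in any wordlist: size of the character classes used ^ length."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_psk(passphrase, wordlist):
    """Return (accepted, reasons). 802.11i allows passphrases of 8 to 63
    printable ASCII characters; anything the rules reduce to a wordlist entry
    is rejected because the attack on this page would recover it."""
    reasons = []
    if not 8 <= len(passphrase) <= 63:
        reasons.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        reasons.append("only printable ASCII characters are allowed")
    for cand in variants(passphrase):
        if cand in wordlist:
            reasons.append(f"reduces to wordlist entry {cand!r}")
            break
    return (not reasons, reasons)


if __name__ == "__main__":
    wl = load_wordlist(SAMPLE_WORDLIST)
    for psk in ["password", "Password1!", "P@ssw0rd", "correct-horse-battery-staple"]:
        ok, why = check_psk(psk, wl)
        print(f"{psk!r}: {'OK' if ok else 'REJECT'} {why} "
              f"(~2^{log2_keyspace(psk):.0f} guesses if not in a list)")
```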


Saving the Screen Image on the Desktop

128. On the Hacker Computer, from the BackTrack 2 desktop, click Start, Screenshot.
129. In the Screenshot window, click the "Save As" button.
130. In the "Save as Screenshot" window, in the unlabelled box on the upper right, click the arrow and select /root/desktop.
131. In the "Save as Screenshot" window, in the Location: box, type in a filename of Yourname-ProjX10.jpg
132. Click the Save button. Your file should appear on the desktop.

Starting Firefox

133. On the Hacker Computer, at the lower left of the desktop, click the "Firefox button", as shown to the right on this page.

Turning in your Project


134. Firefox opens. Go to a Web-based email service you feel comfortable using in S214; it should be one with a password you don't use anywhere else.
135. Email the JPEG image to me as an attachment. Send the message to cnit.123@gmail.com with a subject line of Proj X10 From Your Name. Send a Cc to yourself.

Credits
I got a lot of this from "Wireless Vulnerabilities and Cracking with the Aircrack Suite", by Stephen Argent, in the magazine hakin9, Issue 1/2008. There is a lot more information about cracking WEP and WPA in that article, it's great!
Last modified 4-7-08


CCSF Email

If you are already using pine or GroupWise, continue getting it that way.

You need to know your HP-UNIX ID and password. There is a list of the IDs in S214, but you can usually figure it out this way: use the first letter of your first name, then the first five letters of your last name, then a number which is usually 01. All letters are lowercase. So Joe Green's HP-UNIX ID would be jgreen01. The only problem is that if several students have similar names, one of them is 01 and the next is 02 and so on, so if your name is a common one you won't know the number.

Your first-time password is your birthday, in this format: three letters for the month, two numbers for the day of the month, two numbers for the year. So a birthday of March 13, 1978 is mar1378 and a birthday of Nov 2, 1960 is nov0260.

If you access your HP-UNIX account using Telnet or SSH Secure Shell, you will be forced to change your password to a new one you make up the first time you log in. If you use the WebIMAP page described below, you will not be forced to change your password.

WebIMAP

Start a browser and go to hills.ccsf.edu/mail and enter your HP-UNIX ID and password. The first time you use it you will see a configuration page; just accept the defaults and go on to the main MAIL page shown below. It's a normal Web mail interface like Hotmail or Yahoo mail.


Free VMware Software

CCSF Email

1. You need to read your ccsf.edu email. At the moment, student email goes to hills (see "CCSF Hills Email" handout), but soon it will be transferred to Gmail. When that happens, your instructor will have instructions about it.
2. You should have received an e-mail with the subject line "An account has been created for you". This e-mail has your username and password in it. You cannot download any software without that information.

Downloading

3. Open a Web browser and go to http://samsclass.info
4. At the top of the page, click "VMware software".
5. At the upper right of the page, click "Sign In". Log in with the user name and password from your e-mail message.
6. Click the "VMware Workstation for Windows" link.
7. Follow the on-screen directions to download the software and get your activation code.

Revised 6-4-09


Fixing Common Ubuntu Problems on VMware

"The network bridge on device VMnet0 is temporarily down"

If VMware gives the "The network bridge on device VMnet0 is temporarily down" message in S214:
1. Shut down the Ubuntu VM.
2. Edit virtual machine settings.
3. In the "Virtual Machine Settings" box, on the left, click "Ethernet" to select it. On the right, set the "Network connection" to "Custom - VMnet2".
4. Start the Ubuntu VM again.

No Internet Connection With Address 169.254.x.y

If VMware has no network connection, and ifconfig shows an address starting with 169.254, or an extra network adapter line showing eth0:avahi, that means that DHCP has failed. Here is the cure:
1. Click Start, Accessories, Terminal
2. In the Terminal window, type this command and press the Enter key:

sudo dhclient

3. This will repeat the DHCP process to get a fresh IP address.


Network Adapter is eth1 Instead of eth0

1. This happens when a virtual machine is copied. It's a problem because many hacking tools are sloppily written and assume that you are using eth0.
2. Start the Ubuntu 8.04 virtual machine and log in as usual.
3. Click Applications, Accessories, Terminal
4. In the Terminal window, type this command and press the Enter key:

ifconfig

5. You should see your Ethernet adapter information, as shown below on this page. If you see information for an eth0 adapter, you don't have this problem and you don't need to do the steps below. If your adapter shows up as eth1 or eth2 (or some larger number) and there is no eth0 line at all, as shown above, you need to perform the following steps:
6. In the Terminal window, type this command and press the Enter key:

cd /etc/udev/rules.d

7. In the Terminal window, type this command and press the Enter key:

sudo cp 70-persistent-net.rules 70-persistent-net.rules.bak

Enter your password when you are prompted to. This command makes a backup copy of the file, just in case something goes wrong.
8. In the Terminal window, type this command and press the Enter key:

sudo pico 70-persistent-net.rules




9. The file opens, as shown below (don't worry if you can't read the type well at this point). The part of this we need to change is at the far right side of a long line, so you won't be able to see the whole thing at once unless you are using a monitor with higher resolution than the ones available in S214.
10. In the bottom portion of this file there are one or more lines starting "SUBSYSTEM=". Scroll to the far right of one of those lines. At the very far right you will see the Ethernet interface name, as shown below on this page. In my case, it was NAME="eth2"
11. Change the end of this line so it says

NAME="eth0"

12. Save your changes with Ctrl+X, Y, Enter
13. Click System, Quit. Click Restart.
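The same edit as steps 6 to 13, done programmatically so it can be applied to many copied VMs, with the one check the manual procedure cannot make: if another rule already owns eth0, the rename is refused instead of producing two interfaces with the same name. This is an added example, not from the original handout; the rules file below is a constructed sample that approximates the format udev writes, and the MAC addresses are made up.

```python
"""Rename the persistent-net udev rule for a given MAC address to eth0.
Added example for this page, not part of the original handout. SAMPLE_RULES
is a constructed stand-in for /etc/udev/rules.d/70-persistent-net.rules."""
import re

ADDR_RE = re.compile(r'ATTR\{address\}=="([0-9a-fA-F:]{17})"')
NAME_RE = re.compile(r'NAME="(eth\d+)"')

SAMPLE_RULES = """# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.

# PCI device (constructed example entry for a copied VM)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:11:22:33", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
"""


def rename_to_eth0(rules_text, mac):
    """Return (new_text, changed). Only the rule whose ATTR{address} matches
    `mac` is renamed. Nothing is changed when that rule is missing, is already
    eth0, or when a different adapter's rule already claims eth0 (two rules
    with one NAME would leave the kernel's interface naming undefined)."""
    mac = mac.lower()
    lines = rules_text.splitlines(keepends=True)
    target = None
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and udev comments
        addr = ADDR_RE.search(line)
        name = NAME_RE.search(line)
        if not addr or not name:
            continue
        if name.group(1) == "eth0" and addr.group(1).lower() != mac:
            return rules_text, False      # eth0 belongs to another adapter
        if addr.group(1).lower() == mac:
            target = (i, name)
    if target is None:
        return rules_text, False          # no rule for this adapter
    i, name = target
    if name.group(1) == "eth0":
        return rules_text, False          # already correct
    lines[i] = lines[i][:name.start(1)] + "eth0" + lines[i][name.end(1):]
    return "".join(lines), True


if __name__ == "__main__":
    # Real use: read the file, back it up as step 7 does, then write it back.
    new_text, changed = rename_to_eth0(SAMPLE_RULES, "00:0c:29:11:22:33")
    print("changed" if changed else "unchanged")
    print(new_text)
```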
Last modified 6-4-09
