Practical Systems Security Lab
Lab 3 (2 weeks)

Due Feb. 21, 2004

The homework topic this week is network reconnaissance and scanning (a two-week assignment with Parts I and II). This is the first step an attacker might take to survey your network and locate potential weaknesses. It is therefore imperative that users (especially those who might at some point run their own server) understand these techniques and use scanning tools themselves, to discover their own systems' weaknesses as the first step in improving their defenses.

Every tool mentioned here is available via anonymous FTP from 192.168.66.10 (Dastun) in the /pub/lab3 directory: log in with the username anonymous and any string as the password.

For this assignment, configure your systems to use 192.168.66.10 (Dastun) for name resolution. Each team will be assigned a target network to scan; the assignment will arrive by email from the TA.

PART I.

  1. DNS Zone Transfers and Information Leakage:
    1. First, attempt a zone transfer for the localtestnet domain. What is interesting about what you’ve found? What information about a network is gained by doing this? How could the DNS server’s administrator make it more secure (there is more than one way; mention at least two)?
    2. How would an interested party locate the authoritative name server for your network in order to query it in the first place? Why do these records have to be publicly available? And why in the world are contact names, emails, and phone numbers attached to these records? Could these be used maliciously?
  2. Scanning Hosts with NMAP (and similar tools):
    1. Install NMAP and read up on it. Choose a particular scan type and explain what is unique about it and what it is crafted to accomplish.
      Note: This may already be installed.
    2. Using what you have learned from your DNS recon about the target team’s subnet, use NMAP to “learn more”. Determine which of the hosts listed in DNS are alive and list them. Also attempt to determine each host’s operating system and list those as well. Scan the active hosts, compile a list of open ports on each, and give a short description of the service each port carries.
    3. Why would an attacker use a TCP SYN scan instead of a full TCP connect scan?
    4. What good would limiting certain types of ICMP traffic into/out of our network do for us in terms of network defense? What problems might this action also present from an administrative point of view?
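The DNS-to-nmap pipeline that sections 1 and 2 of Part I describe, written out as a POSIX shell script. This is an added example, not part of the lab handout: it assumes dig (from BIND) and nmap are installed, and takes the lab name server 192.168.66.10 and the localtestnet domain from the handout. The AXFR and nmap outputs embedded in it are constructed for the example, and the hosts and addresses in them (www, mail, 192.168.66.20, 192.168.66.21, the HINFO data) are invented; only the parsing functions run offline, the `zone_transfer` and `recon` functions need the lab network.

```shell
# Live zone transfer (needs dig from BIND). AXFR asks the server to hand over
# the whole zone; a server whose allow-transfer is restricted to its
# secondaries answers "Transfer failed." instead.
zone_transfer() {
    dig @192.168.66.10 "$1" axfr
}

# Constructed sample of what a successful `dig ... axfr` prints. The hosts,
# addresses and HINFO values are invented for this example.
SAMPLE_AXFR='; <<>> DiG <<>> @192.168.66.10 localtestnet axfr
;; global options:  printcmd
localtestnet.           3600  IN  SOA    dastun.localtestnet. hostmaster.localtestnet. 2004021001 3600 900 604800 86400
localtestnet.           3600  IN  NS     dastun.localtestnet.
localtestnet.           3600  IN  MX     10 mail.localtestnet.
dastun.localtestnet.    3600  IN  A      192.168.66.10
dastun.localtestnet.    3600  IN  HINFO  "PC-Intel" "Linux"
www.localtestnet.       3600  IN  A      192.168.66.20
mail.localtestnet.      3600  IN  A      192.168.66.21
mail.localtestnet.      3600  IN  HINFO  "SPARC" "Solaris 8"
localtestnet.           3600  IN  SOA    dastun.localtestnet. hostmaster.localtestnet. 2004021001 3600 900 604800 86400
;; Query time: 4 msec'

# From AXFR output on stdin, print "name address" for every A record.
axfr_hosts() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# HINFO records announce hardware and OS to anyone who asks; list them so the
# report can flag them (they belong in an inventory, not in public DNS).
axfr_hinfo() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "HINFO" {
        n = $1; sub(/\.$/, "", n); printf "%s", n
        for (i = 5; i <= NF; i++) printf " %s", $i
        printf "\n" }'
}

# From `nmap ... -oG -` (grepable) output on stdin, print the addresses
# reported Up.
nmap_up() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample of grepable ping-sweep output.
SAMPLE_NMAP_G='# Nmap scan initiated as: nmap -sn -iL targets -oG -
Host: 192.168.66.10 (dastun.localtestnet)  Status: Up
Host: 192.168.66.20 (www.localtestnet)  Status: Up
Host: 192.168.66.21 (mail.localtestnet)  Status: Down
# Nmap done'

# Whole pipeline: AXFR output on stdin -> ping sweep -> SYN scan with OS and
# version detection on the live hosts, saved as lab3_scan.{nmap,gnmap,xml}.
# -sn is the ping sweep (older nmap spelled it -sP); -sS and -O need root.
recon() {
    targets=$(mktemp); up="$targets.up"
    axfr_hosts | awk '{ print $2 }' | sort -u > "$targets"
    nmap -sn -iL "$targets" -oG - | nmap_up > "$up"
    sudo nmap -sS -sV -O -iL "$up" -oA lab3_scan
    rm -f "$targets" "$up"
}

# Usage: zone_transfer localtestnet | tee axfr.txt | recon
```

The sweep and the SYN scan are deliberately separate steps: the ping sweep tells you which DNS names are stale (a zone often lists hosts that no longer exist), and the expensive scan then only touches the hosts that answered.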
  3. Automated Network Discovery Tools:
    1. Use automated network discovery tools such as Cheops, NeoTrace, and VisualRoute (try all three) to form a network map of the target network.
    2. How is this similar to what traceroute does?
    3. Explain how this is useful both for network administrators as well as for potential attackers.
PART II.

  1. Basic UNIX Service Enumeration Techniques
    1. Learn about the Netcat tool and what you can do with it. Provide a brief explanation of its capabilities, both from an offensive and defensive point of view.
      Note: You may have to comment out #define BIND in netcat.c
    2. If you found any www, telnet, or ftp servers on your target network, use Netcat to grab the banners they present. What does this do for you, and what does it tell a potential intruder about the target host? How might they use this information?
    3. Enumerate UNIX user accounts on remote targets via finger (which reports account and login details, not group membership) and report your findings. How could an attacker use this information? How can we prevent this sort of information leakage? What if we really needed to run finger for some bizarre reason?
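The banner-grabbing and finger steps of Part II section 1, as an added shell example that is not part of the lab handout. It assumes a netcat that accepts `-w` for a timeout (Hobbit's original and OpenBSD nc both do), the standard finger client, and awk. The finger output embedded below is constructed, and www.localtestnet, alice and 192.168.66.30 are invented; the `grab_banner` and `enumerate_unix` functions need a live target, the parsers run offline.

```shell
# Banner grab with netcat. HTTP says nothing until asked, so send a HEAD
# request; FTP, SMTP and telnet greet first, so EOF on stdin is enough.
# -w 3 gives up after three idle seconds.
grab_banner() {
    host=$1; port=$2
    case $port in
        80|8080) printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" | nc -w 3 "$host" "$port" ;;
        *)       nc -w 3 "$host" "$port" < /dev/null ;;
    esac
}

# Reduce a captured banner to the product claim: the HTTP Server: header, or
# the first 220 greeting line from FTP/SMTP. Strips CR line endings. Telnet
# sends option-negotiation bytes first, so it yields nothing here.
banner_product() {
    awk '{ sub(/\r$/, "") }
         tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }
         /^220[ -]/ { print; exit }'
}

# `finger @host` lists who is logged in; on some older systems `finger 0@host`
# dumps every account. Print one login name per line.
finger_users() {
    awk '/^\[/ || /^Login / || /^No one/ { next } NF { print $1 }' | sort -u
}

# Constructed sample of `finger @www.localtestnet` output (invented users).
SAMPLE_FINGER='[www.localtestnet]
Login     Name              Tty      Idle  Login Time   Office     Office Phone
alice     Alice Example     pts/0       3  Feb 18 09:12 (192.168.66.30)
root      root              tty1     2:10  Feb 17 22:40
alice     Alice Example     pts/1          Feb 18 10:01 (192.168.66.30)'

# Run both against one target found by the Part I scan.
enumerate_unix() {
    host=$1
    for port in 21 23 25 80; do
        printf '%s:%s %s\n' "$host" "$port" "$(grab_banner "$host" "$port" | banner_product)"
    done
    printf 'logins: %s\n' "$(finger "@$host" | finger_users | tr '\n' ' ')"
}
```

Note what the finger output hands over: valid login names for a password-guessing attempt, which of them is active, and the address each user connects from (a second target). If fingerd really has to stay on, at least wrap it with tcp_wrappers (an `in.fingerd: 192.168.66.` line in /etc/hosts.allow together with `ALL: ALL` in /etc/hosts.deny) so only the local network can query it.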
  2. Windows NetBIOS/SMB Enumeration
    1. Use NET VIEW (Windows command line) or smbclient (Linux) to enumerate NetBIOS/SMB services on port 139, including Samba shares. Try hosts on your own local network, and assume the investigating user has only an unprivileged local account.
    2. To further simplify the process, try using nbtscan and scan for shares using Legion. What did you find?
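The Linux side of Part II section 2, as an added shell example that is not part of the handout: a NetBIOS node-status query and a null-session share listing, with the parsing that nbtscan and Legion do for you. It assumes Samba's nmblookup and smbclient and, for the subnet sweep, nbtscan. The nmblookup and smbclient outputs embedded below are constructed; WORKSTN1, ALICE, FILESRV, 192.168.66.25 and the share names are invented.

```shell
# NetBIOS node-status query for one host (what nbtstat -A does on Windows).
# Suffixes: <00> workstation name, <03> messenger (a logged-on user name),
# <20> file/print server; <GROUP> entries are the workgroup or domain.
nbt_names() { nmblookup -A "$1"; }

# From nmblookup -A output on stdin, print "name suffix" for unique names.
nbt_table() {
    awk '/<[0-9a-fA-F][0-9a-fA-F]>/ && !/<GROUP>/ { gsub(/[<>]/, "", $2); print $1, $2 }'
}

# Constructed sample of `nmblookup -A 192.168.66.25`.
SAMPLE_NBT='Looking up status of 192.168.66.25
        WORKSTN1        <00> -         B <ACTIVE>
        WORKGROUP       <00> - <GROUP> B <ACTIVE>
        WORKSTN1        <20> -         B <ACTIVE>
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>
        ALICE           <03> -         B <ACTIVE>

        MAC Address = 00-0C-29-AA-BB-CC'

# Null-session share listing (-N: no password, -L: list). Succeeds only when
# the server lets anonymous users enumerate shares. Older smbclient releases
# take `-L host -N` without the leading slashes.
smb_list() { smbclient -L "//$1" -N; }

# From smbclient -L output on stdin: each share with its type ...
smb_shares() {
    awk '/^[ \t]+[^ \t]+[ \t]+(Disk|Printer|IPC)([ \t]|$)/ { print $1, $2 }'
}

# ... and the Server=[...] string, which is itself a version banner.
smb_version() {
    sed -n 's/.*Server=\[\([^]]*\)].*/\1/p'
}

# Constructed sample of `smbclient -L //192.168.66.26 -N`.
SAMPLE_SMB='Domain=[WORKGROUP] OS=[Unix] Server=[Samba 2.2.8a]

        Sharename      Type      Comment
        ---------      ----      -------
        public         Disk      Public files
        homes          Disk      Home Directories
        IPC$           IPC       IPC Service (Samba Server)
        lp             Printer   HP LaserJet

        Server               Comment
        ---------            -------
        FILESRV              Samba Server

        Workgroup            Master
        ---------            -------
        WORKGROUP            FILESRV'

# Sweep a subnet for NetBIOS names (-r: send from local port 137, which some
# Windows hosts require before they answer). Usage: nbt_sweep 192.168.66.0/24
nbt_sweep() { nbtscan -r "$1"; }
# Windows equivalents: `nbtstat -A 192.168.66.25` and `net view \\WORKSTN1`.
```

The <03> entry is the part people overlook: a unique name with that suffix is the account currently logged on, so a single UDP query to port 137 yields a valid username without touching SMB at all.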
  3. SNMP Enumeration
    1. You can learn a lot about a Windows server via SNMP if you can guess the community string. Try using a common community string with Solar Winds’ IP Network Browser and point out any important information that you find. How can you change the default community string?
    2. Network devices also (obviously) rely a great deal on SNMP. Try enumerating your default router.
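The SNMP enumeration of Part II section 3 done from the command line, as an added shell example that is not part of the handout (the lab uses SolarWinds' IP Network Browser, which does the same thing with a GUI). It assumes the net-snmp tools snmpget and snmpwalk with their default MIBs. The walk output embedded below is constructed: WINSRV1, 192.168.66.25 and the account names are invented, and the community wordlist is a stand-in for a real one.

```shell
# Candidate community strings (constructed list; add the defaults of whatever
# vendor gear you find). SNMPv1 and v2c send these in clear text.
COMMUNITIES='public private'

# One v1 GET of sysDescr.0 per candidate (-r 0: no retries, -t 1: 1 s
# timeout). Prints the first community the agent answers to, else fails.
snmp_guess() {
    host=$1
    for c in $COMMUNITIES; do
        if snmpget -v 1 -c "$c" -r 0 -t 1 "$host" sysDescr.0 >/dev/null 2>&1; then
            echo "$c"; return 0
        fi
    done
    return 1
}

# Walk the parts that matter: system group (OS build, host name), interface
# names, installed software (HOST-RESOURCES-MIB) and, on Windows, the
# LanManager user table (.1.3.6.1.4.1.77.1.2.25, svUserName).
snmp_enum() {
    host=$1; c=$2
    for oid in system ifDescr hrSWInstalledName .1.3.6.1.4.1.77.1.2.25; do
        snmpwalk -v 1 -c "$c" "$host" "$oid"
    done
}

# Constructed sample of such a walk against a Windows 2000 host.
SAMPLE_WALK='SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 8 Stepping 3 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.2
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8612345) 23:55:23.45
SNMPv2-MIB::sysContact.0 = STRING: 
SNMPv2-MIB::sysName.0 = STRING: WINSRV1
SNMPv2-MIB::sysLocation.0 = STRING: 
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.65.108.105.99.101 = STRING: "Alice"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"'

# From walk output on stdin, print the value of one object (e.g. sysName),
# without the "STRING: " type tag.
snmp_value() {
    awk -v obj="$1" -F' = ' '$1 ~ ("::" obj "\\.[0-9.]+$") { sub(/^[A-Za-z0-9]+: /, "", $2); print $2 }'
}

# From walk output on stdin, print the Windows account names in the
# LanManager user table (the index is the name itself, byte by byte).
snmp_win_users() {
    awk -F' = STRING: ' '/77\.1\.2\.25\./ { gsub(/"/, "", $2); print $2 }'
}

# Usage: c=$(snmp_guess 192.168.66.25) && snmp_enum 192.168.66.25 "$c" > walk.txt
#        snmp_value sysDescr < walk.txt; snmp_win_users < walk.txt
```

The fix is the same on every platform: get rid of the default string and restrict who may ask. With net-snmp that is a /etc/snmp/snmpd.conf line such as `rocommunity <long random string> 192.168.66.10` instead of `rocommunity public` (better still, SNMPv3 with authentication); on Windows it is the Security tab of the SNMP Service properties, where the community list and the "accept SNMP packets from these hosts" list live. Filtering UDP 161 at the network border keeps outsiders from trying at all.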
  4. All-In-One Vulnerability Scanners
    1. These are really powerful, and really easy to use. Try using Nessus to scan your own local subnet and provide a listing of what you’ve found. Describe how a tool such as Nessus can be an incredibly powerful asset to any system administrator, and also how it can be dangerous in the wrong hands.
    2. Take a quick look at the Nessus architecture and describe how it works. How do they keep their inventory of service vulnerabilities up to date? How does the plugin architecture work, and how can an administrator or developer use this to write custom tools for their own deployments?