Description

The ultimate hands-on guide to IT security and proactive defense The Network Security Test Lab is a hands-on, step-by-step guide to ultimate IT security implementation. Covering the full complement of malware, viruses, and other attack technologies, this essential guide walks you through the security assessment and penetration testing process, and provides the set-up guidance you need to build your own security-testing lab. You'll look inside the actual attacks to decode their methods, and learn how to run attacks in an isolated sandbox to better understand how attackers target systems, and how to build the defenses that stop them. You'll be introduced to tools like Wireshark, Networkminer, Nmap, Metasploit, and more as you discover techniques for defending against network attacks, social networking bugs, malware, and the most prevalent malicious traffic. You also get access to open source tools, demo software, and a bootable version of Linux to facilitate hands-on learning and help you implement your new skills. Security technology continues to evolve, and yet not a week goes by without news of a new security breach or a new exploit being released. The Network Security Test Lab is the ultimate guide when you are on the front lines of defense, providing the most up-to-date methods of thwarting would-be attackers. * Get acquainted with your hardware, gear, and test platform * Learn how attackers penetrate existing security systems * Detect malicious activity and build effective defenses * Investigate and analyze attacks to inform defense strategy The Network Security Test Lab is your complete, essential guide.

Pages: 700

Published: 2015




The Network Security Test Lab

A Step-by-Step Guide

Michael Gregg

The Network Security Test Lab: A Step-by-Step Guide

Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana. Published simultaneously in Canada.

ISBN: 978-1-118-98705-6 ISBN: 978-1-118-98715-5 (ebk) ISBN: 978-1-118-98713-1 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2015946971

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

About the Author

Mr. Michael Gregg is the CEO of Superior Solutions, Inc., a Houston-based IT security consulting firm. He has more than 20 years' experience in the IT field and holds two associate's degrees, a bachelor's degree, a master's degree, and many IT certifications, including CISSP, CISA, CISM, MCSE, and CEH. Michael has authored or co-authored more than 20 books, including Inside Network Security Assessment (SAMS, 2005); Hack the Stack (Syngress, 2006); Security Administrator Street Smarts (Syngress, 2011); and How to Build Your Own Network Security Lab (Wiley, 2008).

Michael has testified before the United States Congress on privacy and security breaches. He also testified before the Missouri State Attorney General's committee on cybercrime and the rise of cell phone hacking. He has spoken at major IT/Security conferences such as the NCUA auditors conference in Arlington, Virginia. He is frequently cited by major print publications as a cybersecurity expert and has also appeared as an expert commentator for network broadcast outlets and print publications such as CNN, FOX, CBS, NBC, ABC, The Huffington Post, Kiplinger's, and The New York Times.

Michael enjoys giving back to the community; some of his civic engagements include Habitat for Humanity and United Way.

Credits

Project Editor: Sydney Argenta

Technical Editor: Rob Shimonski

Production Manager: Kathleen Wisor

Copy Editor: Marylouise Wiack

Manager of Content Development & Assembly: Mary Beth Wakefield

Marketing Director: David Mayhew

Marketing Manager: Carrie Sherrill

Professional Technology & Strategy Director: Barry Pruett

Business Manager: Amy Knies

Associate Publisher: Jim Minatel

Project Coordinator, Cover: Brent Savage

Proofreader: Nancy Carrasco

Indexer: Johnna VanHoose Dinse

Cover Designer: Wiley

Cover Image: ©iStock.com/alphaspirit

Acknowledgments

I would like to acknowledge Christine, Betty, Curly, and all my family. Also, a special thanks to everyone at Wiley. It has been a great pleasure to have worked with you on this book. I am grateful for the help and support from Carol Long, Sydney Argenta, Debbie Dahlin, and Rob Shimonski.

CONTENTS

Introduction

Overview of the Book and Technology

How This Book Is Organized

Who Should Read This Book

Tools You Will Need

What’s on the Wiley Website

Summary (From Here, Up Next, and So On)

Chapter 1: Building a Hardware and Software Test Platform

Why Build a Lab?

Hardware Requirements

Software Requirements

Summary

Key Terms

Exercises

Chapter 2: Passive Information Gathering

Starting at the Source

Mining Job Ads and Analyzing Financial Data

Using Google to Mine Sensitive Information

Exploring Domain Ownership

Summary

Key Terms

Exercises

Chapter 3: Analyzing Network Traffic

Why Packet Analysis Is Important

How to Capture Network Traffic

Wireshark

Other Network Analysis Tools

Summary

Key Terms

Exercises

Chapter 4: Detecting Live Systems and Analyzing Results

TCP/IP Basics

Detecting Live Systems with ICMP

Port Scanning

OS Fingerprinting

Scanning Countermeasures

Summary

Key Terms

Exercises

Chapter 5: Enumerating Systems

Enumeration

Advanced Enumeration

Mapping the Attack Surface

Summary

Key Terms

Exercises

Chapter 6: Automating Encryption and Tunneling Techniques

Encryption

Encryption Role in Authentication

Tunneling Techniques to Obscure Traffic

Attacking Encryption and Authentication

Summary

Key Terms

Exercises

Chapter 7: Automated Attack and Penetration Tools

Why Attack and Penetration Tools Are Important

Vulnerability Assessment Tools

Automated Exploit Tools

Determining Which Tools to Use

Picking the Right Platform

Summary

Key Terms

Exercises

Chapter 8: Securing Wireless Systems

Wi-Fi Basics

Wi-Fi Security

Wireless LAN Threats

Exploiting Wireless Networks

Securing Wireless Networks

Summary

Key Terms

Exercises

Chapter 9: An Introduction to Malware

History of Malware

Types of Malware

Common Attack Vectors

Defenses Against Malware

Summary

Key Terms

Exercises

Chapter 10: Detecting Intrusions and Analyzing Malware

An Overview of Intrusion Detection

IDS Types and Components

IDS Engines

An Overview of Snort

Building Snort Rules

Advanced Snort: Detecting Buffer Overflows

Responding to Attacks and Intrusions

Analyzing Malware

Summary

Key Terms

Exercises

Chapter 11: Forensic Detection

Computer Forensics

Acquisition

Authentication

Trace-Evidence Analysis

Hiding Techniques

Summary

Key Terms

Exercises

EULA

List of Tables

Chapter 1

Table 1.1

Table 1.2

Table 1.3

Chapter 2

Table 2.1

Table 2.2

Table 2.3

Table 2.4

Chapter 3

Table 3.1

Table 3.2

Table 3.3

Table 3.4

Table 3.5

Table 3.6

Table 3.7

Table 3.8

Chapter 4

Table 4.1

Table 4.2

Table 4.3

Table 4.4

Table 4.5

Table 4.6

Table 4.7

Chapter 5

Table 5.1

Table 5.2

Table 5.3

Table 5.4

Table 5.5

Chapter 6

Table 6.1

Chapter 8

Table 8.1

Table 8.2

Table 8.3

Chapter 9

Table 9.1

Chapter 10

Table 10.1

Table 10.2

Table 10.3

Table 10.4

Chapter 11

Table 11.1

List of Illustrations

Chapter 1

Figure 1.1 Type 1 hypervisors run directly on hardware.

Figure 1.2 Type 2 hypervisors run on an OS.

Figure 1.3 Install VMware Workstation.

Figure 1.4 Choose the typical option to install the VMware Workstation.

Figure 1.5 A bump key is a special key that has been cut to a number nine position and has a small amount of extra material shaved from the front and the shank of the key.

Figure 1.6 Bootable security distributions of Linux

Figure 1.7 Fedora Security Lab

Figure 1.8 Linux password creation

Figure 1.9 The Vulnhub website is useful to the security professional.

Chapter 2

Figure 2.1 The About Us page for Superior Solutions, Inc.

Figure 2.2 Leapfrogging to the primary target

Figure 2.3 The ZabaSearch website

Figure 2.4 Mapping a location to an address using Google Maps

Figure 2.5 Finding results on ZoomInfo

Figure 2.6 An archived web page on the Wayback Machine

Figure 2.7 The PayPalSucks.com home page

Figure 2.8 The FOCA interface

Figure 2.9 Source sifting with BlackWidow

Figure 2.10 The Edgar database

Figure 2.11 IANA home page

Figure 2.12 IANA top-level domains

Figure 2.13 IANA domain details

Figure 2.14 ARIN WHOIS results

Figure 2.15 DNS resolution

Figure 2.16 DNS root structure

Figure 2.17 Netcraft site lookup for example.com

Figure 2.18 Netcraft-identified web server banner

Figure 2.19 The VisualRoute interface

Chapter 3

Figure 3.1 Sniffing packets with a hub

Figure 3.2 You can use a Throwing Star LAN Tap to intercept traffic

Figure 3.3 Switch segmentation prevents hackers from seeing traffic on other ports

Figure 3.4 VLAN segmentation reduces the amount of traffic available for inspection

Figure 3.5 Port Mirroring allows you to configure one port to receive packets from another

Figure 3.6 You send an ARP request to find a physical address to match an IP address

Figure 3.7 ARP cache poisoning facilitates this man-in-the-middle attack

Figure 3.8 Open the Cain & Abel Sniffer tab

Figure 3.9 Use the Cain & Abel MAC Address Scanner

Figure 3.10 Cain & Abel lets you pick a target to sniff

Figure 3.11 Cain & Abel launching the attack

Figure 3.12 Observing the results of your ARP cache poisoning

Figure 3.13 A rogue DHCP server allows an attacker to redirect traffic

Figure 3.14 Select an interface in Wireshark

Figure 3.15 Wireshark has a three-pane design

Figure 3.16 Sample Wireshark packet decode

Figure 3.17 The Wireshark ICMP filter removes clutter

Figure 3.18 Using the Wireshark ip.addr filter

Figure 3.19 An example of a Wireshark ARP cache poisoning capture

Figure 3.20 Wireshark offers the Display Filter dialog box to help you create filters

Figure 3.21 Wireshark offers another way to apply filters

Figure 3.22 Use the autocomplete function in Wireshark when creating filters

Figure 3.23 The conversation filter in Wireshark lets you see intercommunication between hosts

Figure 3.24 The Ethernet frame is a simple structure.

Figure 3.25 Ethernet frame decode.

Figure 3.26 A Simple network capture

Figure 3.27 IP header decode

Figure 3.28 A TCP header decode

Figure 3.29 Application layer decode

Figure 3.30 NetworkMiner ARP capture

Figure 3.31 Using NetworkMiner to display passwords

Figure 3.32 Capsa makes capturing and parsing network traffic very easy

Figure 3.33 Which OS

Figure 3.34 What is the security issue?

Figure 3.35 Why is only broadcast traffic captured?

Figure 3.36 Wireshark and tcpdump

Figure 3.37 One-way data cable

Chapter 4

Figure 4.1 TCP/IP protocol stack

Figure 4.2 Ethernet frames and MAC addresses

Figure 4.3 IPv4 header

Figure 4.4 ARP reply

Figure 4.5 TCP operation

Figure 4.6 TCP header

Figure 4.7 TCP flag structure

Figure 4.8 UDP header structure

Figure 4.9 FTP cleartext username and password

Figure 4.10 FTP successful ping

Figure 4.11 Examination of ping packets

Figure 4.12 Angry IP Scanner configuration

Figure 4.13 A completed scan in Angry IP Scanner

Figure 4.14 Wireshark traceroute TTL

Figure 4.15 Traceroute path

Figure 4.16 TCP three-step startup

Figure 4.17 TCP shutdown.

Figure 4.18 Wireshark capture of a full connect scan

Figure 4.19 UDP open and closed connections

Figure 4.20 Idle scan of an open port.

Figure 4.21 Idle scan of a closed port

Figure 4.22 Scan types and potential results

Figure 4.23 Wireshark port scan statistics

Figure 4.24 Nmap four-packet scan result

Figure 4.25 Nmap port scan order

Figure 4.26 SuperScan

Figure 4.27 Wireshark

Figure 4.28 Wireshark packet structure

Figure 4.29 Wireshark packet structure

Figure 4.30 Wireshark packet structure decoded

Figure 4.31 TCP flags.

Figure 4.32 ICMP packet decode

Figure 4.33 Port scan flag filter

Figure 4.34 Open ports

Chapter 5

Figure 5.1 An example of a RIP packet capture

Figure 5.2 Wireshark captures this RIP packet, which provides an attacker with routing information.

Figure 5.3 Firewalking can help you identify a firewall’s settings.

Figure 5.4 The DumpSec GUI-based format makes it easy to get results.

Figure 5.5 SNMP is actually part of a larger framework known as the Internet Standard Network Management Framework.

Figure 5.6 The structure of SNMP components

Figure 5.7 SolarWinds IP Network browser lets you examine SNMP data.

Figure 5.8 Sample SCADA design

Figure 5.9 SHODAN is a vulnerability search website.

Figure 5.10 Attackers search for these common SCADA ports.

Figure 5.11 Is there anything you can enumerate in this Wireshark capture of SCADA traffic?

Figure 5.12 Various types of software can help with the password-cracking process.

Figure 5.13 Cain & Abel lets you choose a method to use when cracking passwords.

Figure 5.14 Ophcrack offers this online password-cracking tool.

Figure 5.15 Capture passwords with Mimikatz pass-the-hash program.

Figure 5.16 SecurityFocus lets you do vulnerability research.

Figure 5.17 Packet Storm aids you in exploit code research.

Figure 5.18 Installing SNMP services

Figure 5.19 Enter the IP address and network range into the IP Network Browser.

Figure 5.20 The IP network browser displays the results.

Figure 5.21 A Cain & Abel routing capture: Notice that the update is in RIP and RIPv2.

Figure 5.22 Select the computer you want DumpSec to target.

Figure 5.23 Select the fields to use in the Dump Users as Table.

Figure 5.24 DumpSec provides enumeration results.

Figure 5.25 User agent strings

Figure 5.26 Test your own browser at the Panopticlick website.

Chapter 6

Figure 6.1 Caesar’s cipher is an early encryption technique.

Figure 6.2 Symmetric encryption uses a shared key for encryption and decryption.

Figure 6.3 Asymmetric encryption requires two related keys.

Figure 6.4 Linux salting creates a password.

Figure 6.5 Challenge-response authentication requires the user to enter a correct answer.

Figure 6.6 TCP ACK Tunneling

Figure 6.7 Advanced tunneling techniques allow attackers access to data behind a firewall.

Figure 6.8 WordPress tells you the username is incorrect.

Figure 6.9 CrypTool

Figure 6.10 CrypTool decryption

Figure 6.11 32-bit CrypTool decryption

Figure 6.12 Follow TCP Stream.

Figure 6.13 Base64 username and password

Figure 6.14 Decoded password

Chapter 7

Figure 7.1 The Nessus client/server model makes scan data available.

Figure 7.2 The Nessus Knowledge Base provides developer information.

Figure 7.3 Nessus lets you select which target to scan.

Figure 7.4 The Nessus Plugins tab lets you scan for plug-ins.

Figure 7.5 The Nessus Knowledge Base provides information about known vulnerabilities.

Figure 7.6 The Nessus report can be customized.

Figure 7.7 Armitage offers a GUI.

Figure 7.8 The Metasploit payload offers update options.

Figure 7.9 The Browser Exploitation Framework Project log-in screen

Figure 7.10 Use N-Stalker to scan for vulnerabilities.

Chapter 8

Figure 8.1 Computers are connected via wireless NICs in wireless ad hoc mode.

Figure 8.2 Wireless infrastructure mode with a centralized wireless device

Figure 8.3 WiGLE.net displays maps of wireless LANs.

Figure 8.4 NetStumbler can gather information about nearby wireless networks.

Figure 8.5 NIC cards allow you to attach an antenna for wardriving.

Figure 8.6 Recent war-walking results show a high number of unsecured networks.

Figure 8.7 Password eavesdropping is easy on unsecured networks.

Figure 8.8 Win Sniffer captures passwords and usernames.

Figure 8.9 Cain & Abel sniffs and cracks passwords.

Figure 8.10 Access point spoofing involves tricking users into using a rogue AP.

Figure 8.11 Set the Wireshark capture options.

Figure 8.12 You can use Wireshark to capture packet information.

Chapter 9

Figure 9.1 Much of today’s malware is designed to target specific individuals or firms, and avoid discovery.

Figure 9.2 A Trojan is combined with a legitimate program by a wrapper.

Figure 9.3 RDGSoft Tejon Crypter is just one of the available crypters.

Figure 9.4 VirusTotal is just one online antivirus tool.

Chapter 10

Figure 10.1 An IDS defines four possible states.

Figure 10.2 How Signature-based IDS functions

Figure 10.3 How statistical anomaly-based IDS functions

Figure 10.4 An IDS can tell the difference between normal and abnormal activity.

Figure 10.5 Example of Snort log files

Figure 10.6 A DomainTools lookup provides a lot of information about domains.

Figure 10.7 A GeoIPTool lookup can give you geographical information.

Figure 10.8 Tcpiputils.com allows you to see whether a domain is known to generate malware.

Figure 10.9 BFK offers a passive DNS database.

Figure 10.10 You can configure your virtual machines with one computer to act as the controller.

Figure 10.11 Be sure to isolate your network from outside sources.

Figure 10.12 Private malware analysis companies do not share their knowledge about malware with antivirus companies.

Figure 10.13 WinMD5 offers a GUI program for finding malware.

Figure 10.14 Process Explorer allows you to examine processes running on a computer.

Figure 10.15 Wireshark finds this Zeus Botnet performing click fraud.

Figure 10.16 Configuration of browser loopback settings

Chapter 11

Figure 11.1 You use the evidence to understand the relationship between the suspect and victim.

Figure 11.2 A write blocker helps you copy evidence from the suspect’s computer.

Figure 11.3 File slack and drive space may hold important clues for forensic investigation.

Figure 11.4 MD5Summer is one of the tools you can use for hashing.

Figure 11.5 Belkasoft IE History Extractor makes it easier to explore a browser’s history file.

Figure 11.6 The Outlook email header provides a lot of information, including the source IP address.

Figure 11.7 Use SFind to detect hidden streamed files.

Figure 11.8 S-Tools is just one of the steganographic tools available.

Figure 11.9 S-Tools displays an image comparison.

Figure 11.10 Explore Internet email headers.

Figure 11.11 S-Tools enables you to hide a file inside another file.

Figure 11.12 Hide this text in the file.

Figure 11.13 Fill in the encryption options and enter a passphrase.

Figure 11.14 One image contains your hidden message. Look closely and see whether you can tell the difference.


Introduction

Welcome to The Network Security Test Lab. With this book, you can increase your hands-on IT security skills. The techniques and tools discussed in this book can benefit IT security designers and implementers. IT security designers will benefit as they learn more about specific tools and their capabilities. Implementers will gain firsthand experience from installing and practicing using software tools needed to secure information assets.

Overview of the Book and Technology

This book is designed for individuals who need to better understand the functionality of security tools. Its objective is to help guide those individuals in learning when and how specific tools should be deployed and what any of the tools’ specific limitations are. This book is for you if any of the following are true:

You want to learn more about specific security tools.

You lack hands-on experience in using security tools.

You want to get the skills needed to advance at work or move into a new position.

You love to tinker or expand your skills with computer software and hardware.

You are studying for a certification and want to gain additional skills.

How This Book Is Organized

The contents of this book are structured as follows:

Chapter 1, “Building a Hardware and Software Test Platform”

—Guides you through the process of building a hardware test platform.

Chapter 2, “Passive Information Gathering”

—Reviews the many ways that information can be passively gathered. This process starts at the organization’s website, and then moves to WHOIS records. This starting point allows you to build a complete profile of the organization.

Chapter 3, “Analyzing Network Traffic”

—Reviews methods and techniques for packet analysis. You will learn firsthand how common packet analysis tools such as Wireshark, Capsa, and Netwitness are used.

Chapter 4, “Detecting Live Systems and Analyzing Results”

—Once IP ranges have been discovered and potential systems have been identified, you will move quickly to using a host of tools to determine the status of live systems. Learn how Internet Control Message Protocol (ICMP) and other protocols work, while using both Linux and Windows lab systems.

Chapter 5, “Enumerating Systems”

—Explores how small weaknesses can be used to exploit a system and gain a foothold or operational control of a system. You will learn firsthand how to apply effective countermeasures by changing default banners, hardening systems, and disabling unwanted services.

Chapter 6, “Automating Encryption and Tunneling Techniques”

—Provides insight into how cryptographic systems are used to secure information and items such as passwords. You learn firsthand how these systems are attacked and which tools are used.

Chapter 7, “Automated Attack and Penetration Tools”

—Presents you with an overview of how attack and penetration tools work. These are the same tools that may be used against real networks, so it is important to understand how they work and their capabilities.

Chapter 8, “Securing Wireless Systems”

—Offers an overview of the challenges you’ll face protecting wireless networks. Although wireless systems are easy to deploy, they can present a real security challenge.

Chapter 9, “An Introduction to Malware”

—Takes you through a review of malware and demonstrates how to remove and control virulent code. You learn how to run rootkit detectors and spyware tools, and use integrity-verification programs.

Chapter 10, “Detecting Intrusions and Analyzing Malware”

—Introduces intrusion detection systems (IDSs) and discusses the ways in which malware can be analyzed. This chapter gives you the skills needed to set up and configure Snort and to use tools such as IDA Pro.

Chapter 11, “Forensic Detection”

—Reviews the skills needed to deal with the aftermath of a security breach. Forensics requires the ability to acquire, authenticate, and analyze data. You learn about basic forensic procedures and tools to analyze intrusions after security breaches.

Who Should Read This Book

This book is designed for the individual with intermediate skills. While it is focused on those who seek to set up and build a working security test lab, this does not mean that others cannot benefit from it. If you already have the hardware and software needed to review specific tools and techniques, Chapter 2 is a good starting point. For more advanced readers, specific chapters can be used to gain additional skills and knowledge. As an example, if you are looking to learn more about password hashing and password cracking, proceed to Chapter 6. If you are specifically interested in wireless systems, Chapter 8 is for you. So, whereas some readers may want to read the book from start to finish, there is nothing to prevent you from moving around as needed.

Tools You Will Need

Your desire to learn is the most important thing you have as you start to read this book. I try to use open source “free” software as much as possible. After all, the goal of this book is to try to make this as affordable as possible for those wanting to increase their skills. Because the developers of many free tools do not have the development funds that those who make commercial tools do, these tools can be somewhat erratic. The upside is that, if you are comfortable with coding or developing scripts, many of the tools can be customized. This gives them a wider range of usability than many commercial tools.

Tools are only half the picture. You will also need operating systems to launch tools and others to act as targets. A mixture of Linux and Windows systems will be needed for this task. We will delve into many of these issues in the first chapter. You may also want to explore sites like http://www.linuxlinks.com/distributions. There is more on this in the next section.

What’s on the Wiley Website

To make it as easy as possible for you to get started, some of the basic tools you will need are available on the Wiley website that has been set up for this book at www.wiley.com/go/networksecuritytestlab.

Summary (From Here, Up Next, and So On)

The Network Security Test Lab is designed to take readers to the next stage of personal knowledge and skill development. Rather than presenting just the concept or discussing the tools that fit in a specific category, The Network Security Test Lab takes these topics and provides real-world implementation details. Learning how to apply higher-level security skills is an essential skill needed to pursue an advanced security career, and to make progress toward obtaining more complex security certifications, including CISSP, CASP, GSEC, CEH, CHFI, and the like. I hope that you enjoy this book, and please let me know how it helps you advance in the field of cyber security.

CHAPTER 1: Building a Hardware and Software Test Platform

This book is designed for those who need to better understand the importance of IT security. This chapter walks you through what you need to set up a hardware/software test platform. As a child, you may have loved to take things apart (TVs, radios, computers, and so on) in a quest to better understand how they worked. Your tools probably included soldering irons, screwdrivers, maybe even a hammer! That is similar to what you will be doing throughout this book. While you won’t be using a hammer, you will be looking at protocols and applications to understand how they work. You will also examine some common tools that will make your analysis easier. The objective is to help you become a better network analyst and to improve and sharpen your IT security skills.

Because no two networks are the same, and because they change over time, it is impossible to come up with a one-size-fits-all list of hardware and software that will do the job for you. Networks serve the enterprises that own them, and enterprises must change over time. In addition, the scale of operation impacts security considerations. If you pursue a career as a security consultant, your goals (and inevitably your needs) will differ, depending on whether you work for a large multinational corporation (and even here, your goals and needs will depend on the type of industry) or a small office/home office (SOHO) operation or a small business. Clearly, a whole spectrum of possibilities exists here.

This chapter provides the first step in building your own network security lab. You will start to examine the types of hardware and gear that you can use to build such a test environment, and then look at the operating systems and software you should consider loading on your new equipment.

Why Build a Lab?

A laboratory is as vital to a computer-security specialist as it is to a chemist or biologist. It is the studio in which you can control the large number of variables that bear upon the outcome of your experiments. Network security, especially, is a field in which the researcher must understand how a diverse range of technologies behave at many levels. For a moment, just consider the importance of the production network to most organizations. They rely on it functioning around the clock, which means that many tests and evaluations must be carried out in a lab, on a network that has been specifically designed for such experiments.

 NOTE A laboratory is a controlled environment in which unexpected events are nonexistent or at least minimized. Having a lab provides a consequence-free setting in which damage that might result from experimentation is localized (and can, it is hoped, be easily corrected).

Consider something as basic as patch management. Very few organizations move directly from downloading a patch to installing it in the production environment. The first step is to test the patch. The most agreed-upon way to accomplish this is to install it on a test network or system. This allows problems to be researched and compatibility ensured. You might also want to consider a typical penetration test. It may be that the penetration-testing team has developed a new exploit or written a specific piece of code for this unique assignment. Will the team begin by deploying this code on the client’s network? Hopefully not. The typical approach would be to deploy the code on a test network to verify that it will function as designed. The last thing the penetration test team needs is to be responsible for a major outage on the client’s network. These types of events are not good for future business.

Building a lab requires you to become familiar with the basics of wiring, signal distribution, switching, and routing. You also need to understand how you might tap into a data stream to analyze or, potentially, attack the network. The mix of common network protocols must be understood; only by knowing what is normal on the network can you recognize and isolate strange behavior. Consider some of the other items that might motivate you to construct such a lab:

Certification

Job advancement

Knowledge

Experimentation

Evaluation of new tools

To varying degrees, networking- and security-related certifications require knowledge of the hardware and software of modern networks. There is no better vehicle for learning about networking and security issues firsthand than to design and build your own network lab. This provides a place where you can add and remove devices at will and reconfigure hardware and software to your liking. You can observe the interaction between the systems and networking devices in detail.

Advancing in your field is almost never an accident. The IT industry is an area of constant change, and the best way to build a career path in the world of IT is to build your skill set. By mastering these technologies, you will be able to identify the knowledgeable people on the job or at a customer’s site, and align yourself with them. You might even uncover some gifts that you did not previously realize you possessed, such as a love for hexadecimal—well, maybe.

Building a lab demonstrates your desire and ability to study and control networks. One key item that potential employers always consider is whether a candidate has the drive to get the job done. Building your own security lab can help demonstrate to employers that you are looking for more than just a job: You want a career. As you use the network resources in your lab, you will invariably add to your knowledge and understanding of the technologies that you employ. Learning is a natural consequence.

Experimentation is a practical necessity if you are to fully understand many of the tools and methods employed by security professionals and hackers alike. Just consider the fact that there are many manuals that explain how Windows Server 2012 works, or how a Check Point firewall works, but no manual can account for every single situation and what is ‘unique’ to any environment you encounter. Some combinations and interactions are simply unknown. By building your own lab, you will discover that when deployed in complex modern networks, many things do not work the way the documentation says they will. And many times, it does not suffice to simply understand what happens; you need to appreciate the timing and sequence of events. This requires the control that a laboratory environment provides.

Because IT is an industry of continual change, new software, new security tools, new hacking techniques, and new networking gizmos constantly appear. A network security lab provides you with a forum in which to try these things out. You certainly don’t want to risk corrupting a computer that you depend on every day to do your job. And you don’t want to negatively impact the work of others; doing so is a good way to quickly put the brakes on your budding career.

A laboratory thus provides a place where you can try new things. This is a setting in which you can gain a detailed understanding of how things are put together and how they normally interact. It is an environment in which you can likely predict the outcome of your experiments, and if an outcome is unexpected, you can then isolate the cause.

 BUILDING YOUR OWN SECURITY LAB

A common question among students and those preparing for certification is, "How do I really prepare for the job or promotion I am seeking?" The answer is always the same: know the material, but also get all the hands-on experience you can. Often the person asking has no room in the IT budget for lab gear, or is a struggling student. That is totally understandable. Yet the fact remains that there is no way to pick up many of the needed skills by reading alone. And many tests cannot be conducted on a live Internet-connected network.

With a little work and effort, you can find the equipment required to practice necessary skills at a reasonable price—network professionals have been doing this for years. There are even sites such as certificationkits.com that are set up exclusively to provide students with a full set of networking gear needed to complete a Cisco Certified Network Associate (CCNA) or a Cisco Certified Network Professional (CCNP) certification.

Hardware Requirements

Before you can get started with any testing, you need to assemble some hardware. Your goal, as always, will be to do this as inexpensively as possible. Many things might be included in a network security laboratory. Some of these items are mandatory (for example, cables), and some things can be added according to your needs and as they become available or affordable. Although it is possible to contain everything within one computer, your requirements will vary from time to time based on the scenario that you are modeling.

Here are some of the things that will likely end up in your mix:

Computers

Networking tools

Cables

Network-attached storage (NAS)

Hubs

Switches

Routers

Removable disk storage

Internet connection

Cisco equipment

Firewalls

Wireless access points

Keyboard, video, mouse (KVM) switches

Surge suppressors and power strips

In your network lab, you will need a wide variety of cables, as this will allow you to configure your test network in many different ways. Specific configurations will be needed for different scenarios. You will also want to have some tools that come in handy for building and testing cables, so items such as wire strippers, crimp tools, and punch-down tools might find their way into your toolbox. Crossover and loopback adapters can prove handy, too.

Hubs, switches, and routers are the building blocks of network infrastructure. It is crucial to understand how the roles of these things differ. Not all switches have identical capabilities. Likewise, routers can vary considerably, so it is good to have a couple to choose from. Cisco products are so prevalent that it is a good idea to include some of their equipment in the mix; they will be found at almost every worksite.

An Internet connection is a necessity. You will need to research various topics and download software as you use the network in your lab. Or you might find yourself modeling the behavior of an Internet-based attacker. On the slim chance that you are borrowing WiFi from your neighbor’s open access point, now is the time to make the upgrade to your own dedicated connection.

Having a firewall can prove very valuable, too. As a security professional, you are expected to have an appreciation for these devices and their capabilities. Your firewall could prove to be an important component in some of your experiments. On a daily basis, you can use your firewall to protect your primary (home or office) network from the unpleasant things that can occur on the network in your lab.

Don't forget the logistical details of constructing a network. You will need table space, shelving, power strips, and surge suppressors. If you have an old uninterruptible power supply (UPS) available, you might employ it, too. With several computers in close proximity, you will probably not want to have to deal with a bunch of monitors, keyboards, and mice; a KVM switching arrangement can save a lot of space and aggravation. Now you can turn your attention to the physical computing hardware that you will need.

 NOTE Commercial-quality equipment is much more capable than the products targeted for the consumer or SOHO market. You will be better off with a real Cisco router, even if it is used and scratched up, than with a little Netgear home router.

Physical Hardware

When it comes to computer systems, there are three key items to consider: processor, memory, and disk space. Having a fast processor, a lot of memory, and a bunch of disk space is a big positive when selecting or building a computer. Fast and big are relative terms whose meaning changes over time. But generally, a good place to start with a Windows PC would be an Intel Core i5 system with 32GB of RAM. Think of these as your minimum requirements. Generally, you can get away with a little less memory with Linux systems.

In terms of disk storage, an internal 1TB SATA hard drive would be considered a minimum requirement. While a solid-state drive (SSD) is not mandatory, it will reduce boot and system response times. Removable disk storage, such as USB and NAS, lets you image your systems so that they can be restored with relative ease if they become corrupt during an experiment. NAS can be handy for holding copies of configuration files, downloaded software, and whatever else you may need while working on the network. It is great to have a central storage location that you can access from various computer systems.

So how do you start building your lab? First, consider many of the sources that exist for the equipment you need. Some of these sources include the following:

Equipment you already have

New equipment purchases

Used equipment purchases

Each of these options is discussed in the following sections along with an overview of their advantages and disadvantages.

Equipment You Already Have

Either at home or at work, you are already likely to have some of the items that will prove useful in building your own security lab. These could range from something as trivial as a handful of Ethernet cables in your desk drawer to shelves full of spare or retired PCs, switches, and routers.

If you are doing this on the job, there are a couple of possible scenarios. Is the spare equipment under your control? If not, you will have to work things out with the appropriate supervisors and make sure that they approve your use of the equipment. Next, you want to take stock of what is available and make a list of the things that look like they could prove useful. Don’t worry about the details at this point. Focus on the important items that were mentioned earlier in this chapter.

Finally, prioritize your list and pick out the things that you think will be most useful. Keep the list, as you will probably refer to it later. Remember to start with a small collection of obviously needed items, such as several PCs, laptops, a router, a hub or switch, an Internet connection, and a handful of cables. It will be easy to add things later, so try not to get carried away and include two of everything in your initial efforts.

New Equipment Purchases

Naturally, you have the option of buying new equipment. Sometimes this might be the easiest way to go, if you want to get the job done quickly. The only problem is that buying retail is probably the most expensive option. If you don’t have much in the way of retired or spare equipment available, you might have to take this route. If you see your lab as a more or less permanent addition to the workplace, something that you plan to use on an ongoing basis for the foreseeable future, then maybe this is justified.

If you take this path, consider writing a proposal for the needed equipment. Determine the advantages that such a lab will bring to the department and to the company. Make sure to discuss these advantages in your proposal. Highlight the monetary savings that such an investment can return. On the positive side, this approach provides state-of-the-art equipment for the lab. You will also have all the manuals and software readily available. And you won’t have to hunt around for missing parts. If you cannot get all the funds approved, you may decide that a few key components are best purchased new. Then the other odds and ends can be filled in on the cheap.

Of all the items that are recommended for inclusion in the lab, which one is best bought new? Many people would agree that PCs will most impact the usefulness of the lab. Older PCs tend to be somewhat slower and lacking in important resources, notably memory and storage capabilities. The prices of PCs have fallen considerably over the past few years. As an example, you can buy a decently equipped Dell “open source” desktop machine for around $500. If you are going to put Linux on it anyway, you don’t care that the machine does not come with an operating system. And if you intend to share one keyboard, display, and mouse with a KVM switch, again, who cares that the price does not include a display?

 NOTE Watch the prices of memory and hard drives. Be careful with regard to memory prices if you decide to buy new computers. It is often cheaper to buy your own memory and install it in the machine yourself. And when it comes to hard drives, look for the breakpoint in the pricing where there seems to be an extraordinary price jump relative to the increase in drive size. That is the “sweet spot” in the market.

Used Equipment Purchases

If you are building your own security lab for home use, this may be the most viable option for obtaining some of the needed equipment. Although this route does require more work, you can save a substantial amount of money. It also spurs creativity, and that is a valuable skill in the networking and IT security field. Employ a bit of imagination. Who sells used computers, networking equipment, and pieces and parts? You will find no shortage of folks who sell used items. Independent computer stores might have odds and ends that they would love to clear out of the way. You might encounter demonstration items or things that fall into the “open box” category. In retail, this is sometimes called B-stock. Some companies specialize in exactly this kind of thing. With a little web browsing, you are likely to discover several of them, such as www.liquidation.com and www.craigslist.com.

In addition, some flea market vendors specialize in used computer equipment. As an example, in Dallas, they hold a computer flea market twice a month. This is a paradise for computer nerds, who can likely find almost everything they need at a substantial discount. Check out www.sidewalksale.com if you’re going to be in the north Texas area. Other areas also set up such events; just ask around and check local resources. Who knows, you might find some useful items.

Computer companies often sell refurbished systems and components. Sometimes these items are returned by those challenged by a simple software or hardware problem (such as a missing software driver), or they have come back from a lease, or maybe there was a minor cosmetic defect or a trivial part was missing. Whatever the reason that motivates the seller, you can often find systems or significant components at prices that are well below retail. Some manufacturers outsource refurbished equipment that is returned. Often, the affected products are sold through various channels such as the Internet.

Although the risk is higher than with new equipment, the savings can be substantial. Just do your homework first. Check out the reviews for various items and determine whether others are reporting them as error prone or of high quality. Sites such as www.epinions.com and http://reviews.cnet.com report on specific products and hardware.

Online Auctions

eBay pioneered the online auction segment of the market back in the mid-1990s. Online auctions are a little different from the bidding process that you may be familiar with. Online auctions award the winning bid to the high bidder. This bid may have been placed three days before the auction’s closing, or three seconds before. Some individuals actually enjoy watching the last few seconds of the bidding process so that they can snipe the bid from another potential buyer just seconds before the auction ends. For the seller, a portion of the profits goes to the auction site in the form of seller fees. Buyers will want to look closely at any additional fees or charges that are placed on the final bid. Some individuals may even be running scam auctions in which they have no intention of ever sending you the goods purchased or may even misrepresent the goods as usable when they are in fact damaged. Here are some common tips for buyers:

Bid low so that you don’t end up overpaying for the goods or services.

Ask the seller questions if you want to know more about the item being sold.

Monitor auctions close to their closing time to make sure that you don’t miss a valuable item over a few dollars.

Online auction sites include www.liquidators.com, www.ubid.com, and www.ebay.com. eBay is the largest site and has proven to be an invaluable resource for buying and selling an endless number of things. They have a section dedicated to computers and networking, so if you are looking for a specific item, such as a particular brand and model of router, this is a super place to start your search. Even if you don’t end up buying the item that you are interested in on eBay, you can get a good feel for the market price for whatever it is that you are curious about. It is very helpful to have a good sense of the cost of used items.

This book is not a forum for eBay do’s and don’ts. Suffice it to say that you probably shouldn’t buy anything off eBay that you are not prepared to write off as a loss. Although the vast majority of offerings are completely legitimate, horror stories do pop up from time to time. You must be the judge.

Be aware that while eBay transactions often avoid state sales taxes, these savings may well be offset by shipping and handling charges. Shipping may also take some time. Some sellers send items immediately after an auction closes, whereas others may wait days to ship. The time can vary considerably. This is not necessarily bad, just something to keep in mind if you have a project planned that is time-critical. All in all, eBay is a great resource. Just use common sense, and you will likely get a good result.

Thrift Stores

An often-overlooked option is thrift stores that handle used computer and network items. As an example, Goodwill has computer stores in Texas and California. The notion of recycling is often behind these operations. Businesses and individuals with old computers and related items donate them. The thrift organizations clean these components up, reformat the disk drives, strip some of the parts, and categorize them. If you’re in a computer-centric area such as San Francisco, California, or Austin, Texas, these may be good places to find equipment to construct your lab. It is hard to say what kind of treasures you will find in these outlets. A thrift store might just have some equipment that is useful to you, such as the following:

Hubs, commercial and consumer grade, single and dual speed

Switches, likewise

Routers, some of commercial quality

Power bricks for many kinds of devices, including laptops

SCSI adapters, cheap

Ethernet network adapters (PCI and PCMCIA)

CD and DVD drives, any kind you might need

Monitors, many sizes, CRTs and LCDs

Computer systems, both PC and Mac, with various operating systems

Bare systems, comprising a case, power supply, motherboard, CPU, memory, hard drive, and CD drive

Old licensed software such as Windows Server 2003 or Windows XP that can be used to create target virtual machines

It is fair to assume that what is available varies from time to time with this sort of venue. Sometimes you will get lucky, and sometimes you will be disappointed. But the price is right.

Company Sales

Many companies have employee sales from time to time. When this happens, employees have an opportunity to enjoy the first pick of equipment that is probably going to be donated, recycled, or discarded. It is often the case that the company is primarily interested in just getting rid of these items. They also see an additional benefit in making these things available to their employees. Making money is seldom a significant motivator. Large entities, government organizations, and schools do a lot of this type of activity. As an example, I attended one of these sales where Dell Latitude laptops were going for less than $200 each. I was able to pick up 12 for use in a course kit I was building. The bottom line is, if you or one of your friends becomes aware of this kind of opportunity, you might want to take advantage of it.

Virtual Hardware

Modern computer systems have come a long way in how they process, store, and access information. One such advancement is virtualization. While there are many types of virtualization, this section focuses on virtual systems. Virtual systems create an environment in which a guest operating system can function. This is made possible by the ability of the software to virtualize the computer hardware and needed services. Virtualized computing uses a virtual machine (VM), also called a virtual server. A VM is a virtualized computer that executes programs like a physical machine. VMware, VirtualBox, Virtual PC, Xen, and Hyper-V are a few examples of virtualization products that host virtual machines.

A virtual server enables the user to run a second, third, fourth, or more operating systems on one physical computer. For example, a virtual machine will let you run another Windows OS, Linux x86, or any other OS that runs on an x86 processor and supports standard BIOS booting. Virtual machines are a huge trend and can be used for development and system administration and production, and to reduce the number of physical devices needed.

Virtual servers reside on a virtual emulation of the hardware layer. Using this virtualization technique, the guest has no knowledge of the host’s operating system. Virtualized servers use hypervisors, which can be classified as either type 1 or type 2. Type 1 hypervisor systems do not need an underlying OS. This design of hypervisor runs directly on the hardware. An example of a type 1 hypervisor-based system is shown in Figure 1.1.

Figure 1.1 Type 1 hypervisors run directly on hardware.

A type 2 hypervisor runs on top of an underlying host operating system. The guest operating system then runs above the hypervisor. An example of a type 2 hypervisor is shown in Figure 1.2.

Figure 1.2 Type 2 hypervisors run on an OS.

A type 2 hypervisor allows the administrator of the physical system to create guest operating systems that may differ from the base operating system, with the hypervisor sitting between the guests and the CPU.

The hypervisor validates the CPU instructions the guests issue and handles any executed code that requires additional privileges. VMware's products are built around such a hypervisor, which is also known as a virtual machine monitor (VMM). The hypervisor is the foundation of this type of virtualization, as it accomplishes the following:

Interfaces with hardware

Intercepts system calls

Operates with the operating system

Offers hardware isolation

Enables multi-environment protection

 NOTE Two choices for virtualization include VirtualBox by Oracle and VMware. This lab uses a type 2 hypervisor and Windows 7 for the base operating system, with several virtual systems loaded as guest operating systems.
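The hardware isolation listed above does not make a guest blind to the fact that it is a guest, which matters once the lab is used to detonate malware that checks whether it is running in a sandbox. The following C program is an added example (not code from the book or from VMware): it reads the CPUID "hypervisor present" flag (leaf 1, ECX bit 31) and the 12-byte vendor signature that x86 hypervisors publish in leaf 0x40000000, and maps the well-known signatures to the products named above. The helper names (hv_signature, hv_name, reg_from_bytes) are my own.

```c
/* Added example, not from the book: ask the CPU whether a hypervisor is
 * present and, if so, which one. Intel and AMD reserve CPUID leaf 1,
 * ECX bit 31 as the "hypervisor present" flag, and hypervisors publish a
 * 12-byte vendor signature in leaf 0x40000000 (EBX, ECX, EDX, in that order).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Decode the three signature registers into a NUL-terminated string.
 * out must hold at least 13 bytes. Kept pure so it can be exercised with
 * constructed register values on any machine, VM or not. */
void hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    memcpy(out,     &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Map a well-known signature to a product name. KVM pads its 9-byte
 * signature with NULs, so only 9 bytes are compared for it. */
const char *hv_name(const char *sig)
{
    if (strncmp(sig, "VMwareVMware", 12) == 0) return "VMware";
    if (strncmp(sig, "VBoxVBoxVBox", 12) == 0) return "VirtualBox";
    if (strncmp(sig, "KVMKVMKVM",     9) == 0) return "KVM";
    if (strncmp(sig, "Microsoft Hv", 12) == 0) return "Hyper-V";
    if (strncmp(sig, "XenVMMXenVMM", 12) == 0) return "Xen";
    return "unknown hypervisor";
}

/* Convenience wrapper: registers in, product name out. */
const char *hv_name_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    char sig[13];
    hv_signature(ebx, ecx, edx, sig);
    return hv_name(sig);   /* hv_name returns a string literal, so this is safe */
}

/* Build a register value from 4 ASCII bytes, the way the CPU would hand
 * back a signature fragment (endian-agnostic; used for constructed input). */
uint32_t reg_from_bytes(const char *s)
{
    uint32_t r;
    memcpy(&r, s, 4);
    return r;
}

/* Returns 1 and fills sig if CPUID reports a hypervisor, 0 otherwise
 * (always 0 on non-x86 builds). A hypervisor configured to hide the flag
 * also yields 0, so a 0 here does not prove bare metal. */
int hypervisor_present(char sig[13])
{
    sig[0] = '\0';
#if HAVE_CPUID
    uint32_t a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (!(c & (1u << 31)))
        return 0;
    __cpuid(0x40000000, a, b, c, d);
    hv_signature(b, c, d, sig);
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    char sig[13];
    if (hypervisor_present(sig))
        printf("running as a guest: %s (signature \"%s\")\n", hv_name(sig), sig);
    else
        printf("CPUID reports no hypervisor (bare metal, or the flag is hidden)\n");
    return 0;
}
```

Run it inside one of your guests and then on the host: the guest reports the vendor signature, the host normally does not. The caveat cuts both ways: a lab VM that advertises "VMwareVMware" will be recognized by sandbox-aware malware, and a hypervisor that hides the flag defeats this check, so treat it as one signal, not proof.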

VMware

Virtualization is the process of emulating hardware inside a virtual machine. This hardware emulation reproduces the physical architecture that the program or process needs in order to function. One of the first companies to develop a virtualization product was VMware (www.vmware.com). They demonstrated this technology and patented it in the late 1990s. Before this, hardware such as processors had not progressed enough to make the technology commercially viable for the average desktop-computer user. VMware is a good choice for your lab because it lets you easily test security tools, try out upgrades, and study for certification exams.

Probably the most important consideration is that more is always better. This means that more memory, more hard disk space, more processing power, and faster components always make for a better base system. Keep peak resource usage on the host at no more than 60 to 80 percent; beyond that, the guests contend for CPU, memory, and disk, the system bottlenecks, and performance suffers. While VMware makes many different products, this section focuses on the following:

VMware Player

VMware Workstation

Table 1.1 lists some of the requirements and specifications of VMware products.

Table 1.1 Basic VMware Specifications

VIRTUAL DEVICE     PLAYER          PLAYER PRO      WORKSTATION
CD-ROM             Rewritable      Rewritable      Rewritable
DVD-ROM            Readable        Readable        Readable
ISO mounting       Yes             Yes             Yes
Maximum memory     4GB             4GB             64GB
Processor          Same as host    Same as host    Same as host
IDE devices        4 max           4 max           4 max
NIC                10/100/1000     10/100/1000     10/100/1000
Video              SVGA            SVGA            SVGA
USB support        3.0             3.0             3.0

As you can see in Table 1.1