cyber security
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2 Blind Folio 1
Network Transports
Labs • Lab 2.1 Network Communication Analysis
Lab 2.1w Network Communication Analysis in Windows
Lab 2.1 Analysis Questions
Lab 2.1 Key Terms Quiz
• Lab 2.2 Port Connection Status
Lab 2.2w Windows-Based Port Connection Status
Lab 2.2l Linux-Based Port Connection Status
Lab 2.2 Analysis Questions
Lab 2.2 Key Terms Quiz
Chapter 2
02-ch02.indd 1 22/07/14 4:48 PM
Chapter 2: Network Transports2
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Networks work by transporting data from point A to point B, and vice versa. However, to do so, they need standards to control data communication. In the lab exercises in this chapter, you will work with three of those standards: Address Resolution Protocol, User Datagram Protocol, and Transmission Control Protocol. You will be able to fully see how packets interact with one another to establish connections and get information where it is supposed to go. You will do this using tools such as netstat and Wireshark.
➜ Note
You can find instructions for setting up all environments used in this chapter on the book’s companion online learning center at www.securityplusolc.com.
Lab 2.1: Network Communication Analysis Wireshark is a powerful protocol analyzer (and sniffer) that network professionals can use to troubleshoot and analyze network traffic under great scrutiny. Since the information revealed by Wireshark can be used to either attack or defend a network, administrators should learn how to use it so that they are aware of what potential attackers can see. Wireshark is a utility that will help you to look at how various protocols work. It will be examined in several labs throughout the book.
In Lab 1.1, “Network Workstation Client Configuration,” you looked at the relationship of IP addresses to MAC addresses and the use of the ping command. In this lab, first you will see the traffic generated by one computer requesting the MAC address of another computer using Address Resolution Protocol (ARP). You will then look at the ICMP traffic in the ping request and reply process. Next, you will look at the connectionless protocol UDP that is used by DNS. Finally, you’ll look at connection- oriented TCP traffic.
Internet Control Message Protocol (ICMP) is a transport protocol used between different devices on a network to help the network know a bit more about what is happening and why it might be happening.
User Datagram Protocol (UDP) is a connectionless transport protocol used to send small amounts of data, typically where the order of transmission does not matter or where the timeliness of the traffic is more important than the completeness of the traffic (for example, Voice over IP).
02-ch02.indd 2 22/07/14 4:48 PM
Lab 2.1: Network Communication Analysis 3
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Transmission Control Protocol (TCP) is a connection-oriented protocol between two or more computers. As such, a reliable connection must be established before data is transmitted. The process of two devices establishing this connection with TCP is called the three-way handshake. The following illustration shows the header of a TCP packet, and the following list (from RFC 791, “Internet Protocol,” at www.faqs.org/rfcs/rfc791.html) describes its fields.
• Source Port 16 bits. This is the source port number.
• Destination Port 16 bits. This is the destination port number.
• Sequence Number 32 bits. This is the sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN), and the first data octet is ISN+1.
• Acknowledgment Number 32 bits. If the ACK control bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established, this is always sent.
• Data Offset 4 bits. This is the number of 32-bit words in the TCP header. This indicates where the data begins. The TCP header (even one including options) is an integral number of 32 bits long.
• Reserved 6 bits. This is reserved for future use and must be zero.
• Control Bits 6 bits (from left to right):
• URG Urgent Pointer field significant
• ACK Acknowledgment field significant
• PSH Push function
• RST Reset the connection
• SYN Synchronize sequence numbers
• FIN No more data from sender
02-ch02.indd 3 22/07/14 4:48 PM
Chapter 2: Network Transports4
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
• Window 16 bits. This is the number of data octets beginning with the one indicated in the acknowledgment field, which the sender of this segment is willing to accept.
• Checksum 16 bits. The checksum field is the 16-bit ones’ complement of the ones’ complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be check-summed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.
• Urgent Pointer 16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only to be interpreted in segments with the URG control bit set.
• Options Variable.
• Padding Variable. The TCP header padding is used to ensure that the TCP header ends and data begins on a 32-bit boundary. The padding is composed of zeros.
There are essentially three steps to the three-way handshake. Initially, the first computer establishes a connection with the second computer via a synchronize packet (SYN). When the second computer receives this packet, it responds by sending a synchronize packet and an acknowledgment packet (ACK). When the initiating computer receives these two packets, it replies with an acknowledgment packet of its own, and a communication link is established between the two computers. When you think of the three-way handshake, think SYN, SYN/ACK, and ACK. As you will see, this is an important security concept.
For example, HTTP is an application-layer protocol that utilizes the TCP three-way handshake. It is a generic protocol that is most often used in web-based communication on the Internet. HTTP is used for communication between user agents and proxies, or gateways, to other Internet systems. It is a TCP- based protocol and uses port 80 to communicate.
Note that because switches are used in most networks, Wireshark will normally see broadcast traffic and traffic to and from only the machine it is running on. A switch filters out all other unicast traffic for the other machines on the network. To see all the traffic on the network, a hub or a switch with a spanned port would need to be used.
Learning Objectives After completing this lab, you will be able to
• Use Wireshark to capture a communication session between two computers
• Given a screenshot of a session captured using Wireshark, identify the three main sections of the Wireshark display
• Use Wireshark’s filter option to view desired protocols
02-ch02.indd 4 22/07/14 4:48 PM
Lab 2.1w: Network Communication Analysis in Windows 5
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
• Use Wireshark to capture and identify UDP traffic
• Use Wireshark to capture and identify TCP traffic, including the three-way handshake and the packets used to determine that a TCP session has ended
➜ Note
This lab is constructed upon protocols and methods associated with IPv4, including ARP. Because ARP is not part of IPv6, this lab will not provide the same results in an IPv6 environment.
25 minutes
Lab 2.1w: Network Communication Analysis in Windows
Materials and Setup You will need the following:
• Windows 7 Professional
• Windows 2008 Server
• Metasploitable
In addition, you will need the following:
• Wireshark
Lab Steps at a Glance
Step 1: Start the Windows 7 Professional and Windows 2008 Server PCs. Log on only to the Windows 7 PC.
Step 2: Clear the ARP cache.
Step 3: Start Wireshark and capture a ping session.
Step 4: Examine the captured session.
Step 5: Filter the captured session.
Step 6: Capture a DNS session.
02-ch02.indd 5 22/07/14 4:48 PM
Chapter 2: Network Transports6
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Step 7: Examine the DNS session.
Step 8: Clear the ARP cache and capture a Telnet session.
Step 9: Examine the Telnet session and identify all the protocols in use.
Step 10: Log off from the Windows 7 Professional PC.
Lab Steps
Step 1: Start the Windows 7 Professional and Windows 2008 Server PCs. Log on only to the Windows 7 PC.
Log on to the Windows 7 Professional PC with these steps:
1. At the Login screen, click the Admin icon.
2. In the password text box, type the password adminpass and then press enter.
Step 2: Clear the ARP cache.
The ARP cache is an area in memory where the computer stores the information that is found in the ARP table. Clearing the ARP cache before you start the capture session allows you to have greater control over data you capture.
1. Click Start | All Programs | Accessories and right-click Command Prompt. Select Run As Administrator.
2. In the User Account Control dialog box, click Yes.
3. At the command line, type arp –a and press enter.
4. There should be no entries. If there are, clear them with the arp –d command.
➜ Note
Leave the Command Prompt window open throughout this lab because you will use it multiple times.
Step 3: Start Wireshark and capture a ping session.
This step introduces you to Wireshark and shows you how to use it to capture, view, and filter communication between two computers.
1. Start Wireshark by choosing Start | All Programs | Wireshark. See Figure 2-1.
02-ch02.indd 6 22/07/14 4:48 PM
Lab 2.1w: Network Communication Analysis in Windows 7
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
➜ Note
The startup screen displays the commands needed to use Wireshark.
2. Start capturing data by clicking Interface List. (You use Capture | Interfaces on the menu bar when the startup screen is not displayed.)
3. In the Capture Interfaces dialog box, shown in Figure 2-2, click Start to start capturing data.
4. At the command line, type ping 192.168.100.102 and press enter.
5. Observe the response. You should receive four replies.
Figure 2-1 Wireshark startup screen
Figure 2-2 Capture Interfaces dialog box
02-ch02.indd 7 22/07/14 4:48 PM
Chapter 2: Network Transports8
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
6. Stop capturing data in Wireshark by clicking Capture | Stop.
7. Observe the captured session. See the example shown in Figure 2-3.
What protocol is being used for the ping requests?
Step 4: Examine the captured session.
You will now look at the information that Wireshark gives you.
1. As shown in Figure 2-3, Wireshark’s main screen is separated into three sections.
• Packet list section Located at the top, this section summarizes the packets captured. Clicking any one of the packets in this section displays more detailed information in the other two sections.
• Tree view section Located in the middle, this section displays in a tree format detailed information about the packet selected in the top section.
• Data view section Located at the bottom, this section shows the raw data of a captured packet in hexadecimal format and textual format. Hexadecimal is the base16 numbering system. It is composed of the numbers 0–9 and the letters A–F. Hexadecimal is sometimes used as a short way of representing binary numbers. Any section selected in the tree view section will be highlighted in this section.
Figure 2-3 Wireshark after collecting ping data
02-ch02.indd 8 22/07/14 4:48 PM
Lab 2.1w: Network Communication Analysis in Windows 9
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
2. The following are the columns in the packet list section. Each column provides specific information.
• No The order in which the packets were received
• Time The time each packet was captured relative to the beginning of the capture
• Source Source address
• Destination Destination address
• Protocol Protocol used to capture the packet
• Length Packet length in (bytes)
• Info A summary of what the packet is doing
Whichever frame is highlighted in the packet list section is what is displayed in the tree view and data view sections. In the packet list section, you may have other packets besides the ones you intended to generate. These may include packets of IGMP (used for multicast) or 802.1D (for spanning tree). Which packets you see depends upon your network equipment or what network equipment is being simulated.
➜ Note
You will see two packets that have a protocol of ARP. The first is a broadcast, and the second is a reply.
3. Select the first packet that has a protocol of ARP and a destination of Broadcast.
4. Select in the tree view section the part labeled Ethernet II and click the + symbol.
5. Select the line that says Destination.
a. What is the broadcast address in hexadecimal?
b. Observe that the broadcast address is also highlighted in the data view section.
c. Which is first, the source or the destination?
6. In the tree view section, click Address Resolution Protocol and expand it (click the + symbol).
a. What is the protocol type?
b. What is the protocol size?
7. In the packet list section, select the ARP reply packet, which should be the ARP packet listed after the broadcast packet. The information in the tree view and data view sections will change accordingly.
02-ch02.indd 9 22/07/14 4:48 PM
Chapter 2: Network Transports10
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
8. For the two computers to communicate, the MAC address of the destination must be known. Since you cleared the ARP cache table, the computer had to request it again.
Can you think of ways that this mechanism might be exploited?
9. In the packet list section, click the first ping request and look in the Info section.
a. This is the first ping you sent. Notice that there are four of them as well as four replies.
b. What protocol does Wireshark list as being used by ping to send and reply?
Step 5: Filter the captured session.
Even though this packet capture did not gather too much information, on a busy network it is easy to get thousands of packets, sometimes in a short time. Sorting through them can be quite a chore. Therefore, it is useful to learn how to use the filters. The filters can help you access the information you are looking for.
1. Click inside the Filter text box on the Filter bar.
2. Type arp and press enter (or click Apply).
✖ Warning
This is a case-sensitive command. If you type ARP, the box will be highlighted in red, and the filter will not work.
3. Notice that only the ARP packets are displayed now. Also, notice that when you type in the Filter box, the background is highlighted red if you have incorrect syntax and is highlighted green if the syntax is correct.
4. When you are finished with that filter and want to see all packets captured, click Clear on the Filter bar.
➜ Note
On the Filter bar, the Expression button will help you create correctly formatted filter instructions.
Step 6: Capture a DNS session.
In the previous steps, you used Wireshark to look at ICMP and lower-layer protocols. You will now look at UDP traffic.
02-ch02.indd 10 22/07/14 4:48 PM
Lab 2.1w: Network Communication Analysis in Windows 11
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
UDP is a transport layer protocol. However, UDP is a connectionless protocol. As such, it has few error-recovery functions and no guarantee of packet delivery. UDP reduces the protocol overhead significantly. This illustration shows the UDP header format, and the following list (from RFC 768, “User Datagram Protocol,” at www.faqs.org/rfcs/rfc768.html) describes the fields.
• Source Port An optional field. When meaningful, it indicates the port of the sending process and may be assumed to be the port to which a reply should be addressed in the absence of any other information. If not used, a value of zero is inserted.
• Destination Port Has meaning within the context of a particular Internet destination address.
• Length The length in octets of this user datagram including the header and the data.
• Checksum The 16-bit ones’ complement of the ones’ complement sum of a pseudoheader of information from the IP header, the UDP header, and the data, padded with zero octets at the end (if necessary) to make a multiple of two octets.
To capture a DNS session, follow these steps:
1. Start a new capture session in Wireshark by choosing Capture | Interfaces and clicking Start; then click Continue Without Saving.
2. At the command line, type nslookup linuxserv.security.local and press enter.
3. Once you get the response in the command prompt, stop the capture in Wireshark by choosing Capture | Stop.
Step 7: Examine the DNS session.
At this point you should have a capture of an nslookup command. It may have an ARP session in the capture. See the example in Figure 2-4.
1. In the packet list section, select the first packet that has DNS listed in the Protocol column.
2. In the tree view section, expand the User Datagram Protocol item.
a. Observe the information that is displayed.
b. What is the source port?
c. What is the destination port?
d. What is the checksum value?
02-ch02.indd 11 22/07/14 4:48 PM
Chapter 2: Network Transports12
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Step 8: Clear the ARP cache and capture a Telnet session.
1. At the command prompt, type arp –a.
2. If you see entries, use arp –d to remove them.
3. Start a new capture session in Wireshark by choosing Capture | Interfaces and clicking Start; then click Continue Without Saving.
4. Type telnet linuxserv.security.local and press enter.
5. At the login prompt, enter labuser and press enter.
6. At the password prompt, type password and press enter. Note that you will not see the characters as you type the password. This is normal.
7. Check to see which accounts are on the machine by typing cat /etc/passwd and pressing enter. You can now log out by typing exit and pressing enter.
8. Stop the capture in Wireshark by choosing Capture | Stop.
Figure 2-4 Wireshark after collecting nslookup
02-ch02.indd 12 22/07/14 4:48 PM
Lab 2.1w: Network Communication Analysis in Windows 13
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Step 9: Examine the Telnet session and identify all the protocols in use.
1. In the packet list section, select the first packet that has TCP listed in the Protocol column.
2. In the tree view section, expand the Transmission Control Protocol item.
a. Observe the information that is displayed.
b. What is the source port?
c. What is the destination port?
d. What is the checksum value? Is it correct?
e. What differences do you notice between the TCP and UDP headers?
3. You can now see just the TCP connection by selecting any packet in the TCP connection and then right-clicking it and choosing Follow TCP Stream.
This opens a text window that shows the text of the TCP connection. The red text is what was sent by the client, and the blue text is what was sent by the server. When you close that window, you will see that a filter has been set up that will show only that TCP stream. On the top will be the three-way handshake. On the bottom will be the closing of the TCP session.
Step 10: Log off from the Windows 7 Professional PC.
At the Windows 7 PC, follow this step:
1. Choose Start | Log Off.
Lab 2.1 Analysis Questions The following questions apply to the lab in this section:
1. What protocol does Wireshark indicate is being used when pinging a computer?
2. You are the network administrator for your LAN. You have just captured the network traffic for the last ten minutes and have thousands of packets captured. You are interested in looking only at packets using the AIM protocol. What would you do to view only the desired packets?
3. You are the network administrator for your LAN. You have just captured network traffic and are analyzing the packets. You find several packets that look suspicious to you. How would you find out what the source IP address and the source MAC address of the packets are?
4. Besides HTTP, name three other protocols or applications that are TCP based and would require a three-way handshake to initiate the session.
5. What is a disadvantage of using a connectionless protocol?
6. What is a benefit of using a connection-oriented protocol?
7. What is a benefit of using a connectionless protocol?
02-ch02.indd 13 22/07/14 4:48 PM
Chapter 2: Network Transports14
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Lab 2.1 Key Terms Quiz Use these key terms from the lab to complete the sentences that follow:
ACK
filter
HTTP
packet
packet delivery
port
session
SYN
SYN/ACK
three-way handshake
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Wireshark
1. Wireshark captures ____________________ sent across the network.
2. The ____________________ will show you only the packets you are looking for.
3. ____________________ is the packet sent to acknowledge the completion of the three-way handshake and thus the beginning of communications.
4. ____________________ is a connection-oriented protocol and implements the three-way handshake as its basis for communication.
5. ____________________ is a packet sent to acknowledge the receipt of the original SYN packet.
6. ____________________ is a connectionless protocol.
7. UDP does not guarantee ___________________.
Follow-Up Labs • Lab 4.1: IP Address and Port Scanning Service Identity Determination Now that you
are familiar with Wireshark and how ARP and port connections work, you will see how to discover devices on the network and the ports they have open.
• Lab 8.2: Using SSH SSH can be used to encrypt traffic so that the content is hidden from Wireshark and other sniffers.
02-ch02.indd 14 22/07/14 4:48 PM
Lab 2.2: Port Connection Status 15
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Suggested Experiments 1. Start a Wireshark capture. Log in to your e-mail account or other online account. What kind of
data is captured? Can anything be exploited?
2. Try the same capture with other TCP-based applications such as Telnet, FTP, or SMTP.
3. Streaming audio and video is typically done using UDP. Capture some packets from a streaming source and verify this by analyzing whether the packets are TCP or UDP.
References • ARP
• www.faqs.org/rfcs/rfc826.html
• www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/arp.mspx
• HTTP www.w3.org/Protocols/rfc2616/rfc2616.html
• TCP www.faqs.org/rfcs/rfc793.html
• Three-way handshake www.faqs.org/rfcs/rfc3373.html
• UDP www.faqs.org/rfcs/rfc768.html
• Wireshark www.wireshark.org/
• Principles of Computer Security, Fourth Edition (McGraw-Hill Education, 2015), Chapter 9
Lab 2.2: Port Connection Status Netstat is an important utility for network administrators. It is used to display active TCP connections and UDP connections, Ethernet statistics, and the IP routing table. A port can be in any one of a number of states. When a TCP port is in a listening state, it is waiting for the initiation and completion of a three-way handshake. This results in the port transforming to an established state.
Learning Objectives After completing this lab, you will be able to
• Name the command used to display protocol statistics and current TCP/IP network connections
• Understand how a computer can manage multiple communications through the use of ports
• List the switches that can be added to the netstat command to increase its functionality
02-ch02.indd 15 22/07/14 4:48 PM
Chapter 2: Network Transports16
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
10 minutes
Lab 2.2w: Windows-Based Port Connection Status In this lab you will use the Windows netstat command to analyze an FTP connection and an HTTP connection to a server.
Materials and Setup You will need the following:
• Windows 7 Professional
• Windows 2008 Server
Lab Steps at a Glance
Step 1: Log on to the Windows 7 Professional and Windows 2008 Server PCs.
Step 2: Use the netstat command to look at the open ports on the Windows 2008 Server machine.
Step 3: From the Windows 7 machine, establish an FTP connection and an HTTP connection to the Windows 2008 Server machine.
Step 4: Use the netstat command to look at the connections on the Windows 2008 Server machine.
Step 5: Log off from both the Windows 2008 Server and Windows 7 PCs.
Lab Steps
Step 1: Log on to the Windows 7 Professional and Windows 2008 Server PCs.
1. On the Windows 7 PC, at the Login screen, click the Admin icon and then type adminpass in the password text box.
2. On the Windows 2008 Server PC, press ctrl-alt-del at the Login screen, enter the username administrator and the password adminpass, and then click OK.
Step 2: Use the netstat command to look at the open ports on the Windows 2008 Server machine.
A server will have several ports in a listening state. A port that is in a listening state is waiting for a request to connect.
02-ch02.indd 16 22/07/14 4:48 PM
Lab 2.2w: Windows-Based Port Connection Status 17
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
To view the open ports on the Windows 2008 Server computer, follow these steps:
1. Click Start; type cmd in the Search Programs And Files box and press enter.
2. At the command line, type netstat /? and press enter.
a. Observe the display options for the network connection.
b. What option displays the ports in use by number?
c. What option lists all connections and listening ports?
d. What option shows the programs that created each connection?
3. At the command line, type netstat –na and press enter.
➜ Note
If the text scrolls up off the screen, maximize the Command Prompt window and use the scroll bar on the right to adjust your view of the text.
a. Observe the ports that are in a listening state.
b. How many ports are in a listening state?
c. What port numbers are used for FTP and HTTP?
d. Are those ports in a listening state?
e. Why are so many ports open, and do they all need to be open?
f. Should you be concerned that so many ports are open?
Step 3: From the Windows 7 machine, establish an FTP connection and an HTTP connection to the Windows 2008 Server machine.
From the Windows 7 machine, follow these steps:
1. Click Start; type cmd in the Search Programs And Files box and press enter.
2. At the command line, type ftp 192.168.100.102 and press enter.
3. At the login prompt, type administrator and press enter.
4. At the password prompt, type adminpass and press enter.
02-ch02.indd 17 22/07/14 4:48 PM
Chapter 2: Network Transports18
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Leave the command line open to see the results.
5. Choose Start | Internet Explorer.
6. In the address box, type 192.168.100.102 and press enter.
Step 4: Use the netstat command to look at the connections on the Windows 2008 Server machine.
1. At the command line of the Windows 2008 Server machine, type netstat.
2. After a brief pause, you should get output that looks like the following:
C:\>netstat Active Connections Proto Local Address Foreign Address State TCP win2k8serv:ftp win7.security.local:1065 ESTABLISHED TCP win2k8serv:http win7.security.local:1068 ESTABLISHED
➜ Note
If you do not see the HTTP connection the first time you do this, refresh Internet Explorer and then, at the command line, retype netstat and press enter.
Even though you are connected to the same machine twice, the use of port assignments keeps information in the FTP session separate from information in the HTTP session. The combination of an IP address and port number is called a socket.
3. Connect to the server on a well-known port (FTP and HTTP) from an ephemeral port (a port with a number greater than 1023). The output listed in step 2 shows a connection between port 1065 locally and port 21 (FTP) on the remote machine. The local machine is connected from port 1068 to port 80 (HTTP).
a. In your output of netstat, what port is connected to FTP?
b. In your output of netstat, what port is connected to HTTP?
Step 5: Log off from both the Windows 2008 Server and Windows 7 PCs.
1. To log off from the Windows 2008 Server PC, choose Start | Log Off.
2. To log off from the Windows 7 PC, choose Start | Log Off.
02-ch02.indd 18 22/07/14 4:48 PM
Lab 2.2l: Linux-Based Port Connection Status 19
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
10 minutes
Lab 2.2l: Linux-Based Port Connection Status
Materials and Setup You will need the following:
• Kali
• Metasploitable
Lab Steps at a Glance
Step 1: Log on to the Metasploitable and Kali PCs.
Step 2: Use the netstat command to look at the open ports on the Metasploitable PC.
Step 3: Using the Kali PC, establish an FTP connection and an HTTP connection to the Metasploitable PC.
Step 4: Use the netstat command to look at the connections on the Metasploitable PC.
Step 5: Trace the port to a process.
Step 6: Close Iceweasel and log out of the GUI on the Kali PC.
Step 7: Log off from both the Metasploitable and Kali PCs.
Lab Steps
Step 1: Log on to the Metasploitable and Kali PCs.
To log on to the Metasploitable PC, follow these steps:
1. At the login prompt, type user and press enter.
2. At the password prompt, type user and press enter.
➜ Note
You will not see any characters as you type in the password.
02-ch02.indd 19 22/07/14 4:48 PM
Chapter 2: Network Transports20
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
To log on to the Kali PC, follow these steps:
1. At the login screen, click Other.
2. In the Username text box, type root and press enter.
3. In the Password text box, type toor and press enter.
Step 2: Use the netstat command to look at the open ports on the Metasploitable PC.
A server will have several ports in a listening state. A port that is in a listening state is waiting for a request for a connection to be established to it.
To use the netstat command on the Metasploitable PC, follow these steps:
1. At the command line, type netstat -h and press enter.
a. Observe the options.
b. What option displays the ports in use by number?
c. What option shows all connections and listening ports?
2. At the command line, type netstat –tuna and press enter.
➜ Note
If the text scrolls up off the screen, maximize the Command Prompt window and use the scroll bar on the right to adjust your view of the text. You can also use shiFt+page up or shiFt+page down.
a. Observe the ports that are in a “listening” state.
b. How many ports are in a listening state?
c. What port numbers are used for HTTP and FTP?
d. Are those ports in a listening state?
e. Why are so many ports open, and do they all need to be open?
f. Should you be concerned that so many ports are open?
Step 3: Using the Kali PC, establish an FTP connection and an HTTP connection to the Metasploitable PC.
You will now connect to the Metasploitable PC on well-known ports (FTP and HTTP) from ephemeral ports (ports with a number greater than 1023). The output listed shows a connection between port
02-ch02.indd 20 22/07/14 4:48 PM
Lab 2.2l: Linux-Based Port Connection Status 21
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
1065 locally and port 21 (FTP) on the remote machine. The local machine is connected from port 1068 to port 80 (HTTP).
1. On the Kali PC, click the Terminal icon, as shown in Figure 2-5.
2. At the command line, type ftp 192.168.100.202 and press enter.
3. At Name (192.168.100.202:root), type user and press enter.
4. At Password, type user and press enter.
Now view a web page on the server by following these steps:
5. Click the Iceweasel icon at the top.
6. In the address bar, type http://192.168.100.202/ and press enter.
Step 4: Use the netstat command to look at the connections on the Metasploitable PC.
1. At the command line, type netstat –tn.
2. After a brief pause, you should get output that looks like the following:
tcp 0 0 192.168.100.202:80 192.168.100.201:1059 ESTABLISHED tcp 0 0 192.168.100.202:21 192.168.100.201:1040 ESTABLISHED
Figure 2-5 The Terminal shell
02-ch02.indd 21 22/07/14 4:48 PM
Chapter 2: Network Transports22
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
➜ Note
If you do not see port 80 the first time you do this, refresh Iceweasel and then, at the command line, retype netstat –tn and press enter.
Even though you are connected to the same machine twice, the use of port assignments keeps information in the FTP session separate from information in the Telnet session. The combination of IP address and port number is called a socket.
a. From the output displayed by the netstat command, what port is connected to FTP?
b. From the output displayed by the netstat command, what port is connected to HTTP?
Step 5: Trace the port to a process.
1. At the command line, type lsof > ~/lsof and press enter.
2. Type less ~/lsof and press enter.
What is the process ID for the FTP connection?
3. Type q to exit the less output.
4. At the command line, type ps –ax and press enter.
What information is given for the FTP process ID?
Step 6: Close Iceweasel and log out of the GUI on the Kali PC.
1. In the Iceweasel window, click the x in the upper-right corner.
2. On the Kali PC, choose K Menu | Log Out and click Log Out again.
Step 7: Log off from both the Metasploitable and Kali PCs.
1. At the Metasploitable PC command line, type logout and press enter.
2. On Kali, click the Root icon in the top-right corner and select logout.
Lab 2.2 Analysis Questions The following questions apply to the labs in this section:.
1. What is the netstat command used for?
2. What options would you use with the netstat command to show only TCP connections?
3. What option would you use with the netstat command to show statistics for each protocol?
02-ch02.indd 22 22/07/14 4:48 PM
Lab 2.2l: Linux-Based Port Connection Status 23
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
4. Look at the following output from the netstat command and explain what it means:
Proto Local Address Foreign Address State TCP 0.0.0.0:21 0.0.0.0:0 LISTENING
5. Look at the following output from the netstat command and explain what it means:
Proto Local Address Foreign Address State TCP 192.168.2.2:3545 192.168.1.104:21 ESTABLISHED
6. You need to look at the routing table for a computer connected to your local area network. What command would you use to view the routing table?
Lab 2.2 Key Terms Quiz Use these key terms from the labs to complete the sentences that follow:
established state
HTTP
listening state
netstat
port
session
socket
states
TCP connections
UDP connections
1. Active connections on a computer system can be displayed by entering ____________________ at the command line.
2. The line 216.239.39.147:80 ESTABLISHED indicates an active connection to a computer system on ____________________ 80.
3. The ____________________ information displayed by the netstat command shows the current status of the connection.
4. The combination of an IP address and its associated port is referred to as a(n) ____________________.
5. The command netstat -p tcp will show ____________________.
Follow-Up Lab • Lab 6.1: Trojan Attacks Commands used in this lab will help to show when your computer
may be infected with a Trojan.
02-ch02.indd 23 22/07/14 4:48 PM
Chapter 2: Network Transports24
Lab Manual / Principles of Computer Security Lab Manual, Fourth Edition / Nestler / 655-1 / Chapter 2
Suggested Experiments 1. On your computer at home, run the netstat command and look at the ports that are open. List
the ports that are open and identify what they are used for. Which ports are open that don’t need to be?
2. Install and run the utility fport from Foundstone (www.foundstone.com). Fport will show you the applications associated with the ports that are open.
References • Netstat
• www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ netstat.mspx
• www.linuxhowtos.org/Network/netstat.htm
• Principles of Computer Security, Fourth Edition (McGraw-Hill Education, 2015), Chapters 9, 11, 17
• TCP
• RFC 793: TCP www.faqs.org/rfcs/rfc793.html
• UDP
• RFC 768: UDP www.faqs.org/rfcs/rfc768.html
02-ch02.indd 24 22/07/14 4:48 PM