Hping lab
Reflection on Practical Skills:
In this lab we practised installing hping, a tool that can spoof the source IP address of the packets it sends so that the identity of the sender (the "attacker") is hidden.
Lab Question
What is packet spoofing?
It is changing the source IP address in the IP header of a packet so that the real sender is unknown to the receiver.
What is a raw socket?
It is a socket that does not go through the normal transmission method of the common protocols (TCP, UDP); the program builds the packet headers itself. It is usually used in security-related tasks, where packets are sent for a variety of testing purposes, similar to ICMP.
What command line options allow you to change TCP flags?
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
How does ‘ping’ work? What are the two ICMP packet types used in ‘ping’?
- After the ping command is issued, it assigns a number (identifier) to each echo request and records the sending time and the Time To Live (TTL) period.
- When the destination is alive it replies with an echo-reply; the sender uses the sending time recorded for the packet to compute the Round-Trip Time.
- Then another echo-request is sent with the identifier number incremented, and so on until a program or the user terminates the process.
- After ping is terminated, it shows a brief summary: the percentage of lost and received packets, the minimum and maximum round-trip time, and other information.
ICMP packet types are: 1- error-reporting messages; 2- query messages.
Discussion on Implementation:
Installing hping is not complex. After uncompressing the program file in the normal way and entering the folder, the pcap-bpf.h file needs to be copied to the path where hping expects to find it. The command should be issued as follows:
- cp /usr/include/pcap-bpf.h /usr/include/net/bpf.h, which lets hping find the C header file it checks for
- then the usual three build-and-install commands should be followed.
- man hping can help in discovering the program options; some of them are:
- -S: sets the SYN flag
- -a: spoofs the source address of the sender
- -o: chooses the type of service (TOS)
- --flood: sends packets as fast as possible; this option is used to attack the destination with a DoS
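The echo-request/echo-reply exchange and round-trip-time calculation described in the ping answer above, shown in Python as an added example (this is not part of the lab report and not the code of hping or of any ping implementation). A real ping sends these packets over a raw socket, which is why it needs root; this version builds and checks the ICMP packets in memory against constructed replies, so it runs offline and shows the identifier, the incrementing sequence number, the send timestamp carried in the payload, and the closing statistics. All function names and sample values are assumptions.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type of the packet ping sends
ICMP_ECHO_REPLY = 0     # type a live host answers with


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _icmp_packet(icmp_type: int, ident: int, seq: int, body: bytes) -> bytes:
    """Header (type, code, checksum, identifier, sequence) with the checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + body


def build_echo_request(ident: int, seq: int, sent_at: float, padding: bytes = b"") -> bytes:
    """ping puts the send time into the payload; the reply echoes it back unchanged,
    which is how the round-trip time is recovered without keeping per-packet state."""
    return _icmp_packet(ICMP_ECHO_REQUEST, ident, seq, struct.pack("!d", sent_at) + padding)


def simulated_reply(request: bytes) -> bytes:
    """Constructed stand-in for a live host: same identifier, sequence and payload, type 0."""
    _type, _code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
    return _icmp_packet(ICMP_ECHO_REPLY, ident, seq, request[8:])


def parse_echo_reply(packet: bytes, received_at: float) -> dict:
    """Check the reply and compute the RTT in ms; raise on anything that is not a clean echo reply."""
    if len(packet) < 16:
        raise ValueError("too short for an ICMP echo header plus timestamp")
    if internet_checksum(packet) != 0:       # a valid packet sums to zero with its checksum
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0:
        raise ValueError("not an echo reply (type %d, code %d)" % (icmp_type, code))
    (sent_at,) = struct.unpack("!d", packet[8:16])
    return {"ident": ident, "seq": seq, "rtt_ms": (received_at - sent_at) * 1000.0}


def ping_session(ident: int, rtts_s) -> dict:
    """One request per entry in rtts_s (seconds, or None for a lost reply), the sequence
    number incremented each round, summarised the way ping prints on termination."""
    start = 1000.0                           # constructed clock; real code uses time.time()
    rtts = []
    for seq, rtt in enumerate(rtts_s, 1):
        sent_at = start + seq
        request = build_echo_request(ident, seq, sent_at)
        if rtt is None:                      # timeout: no reply arrived for this request
            continue
        reply = parse_echo_reply(simulated_reply(request), sent_at + rtt)
        if reply["ident"] == ident and reply["seq"] == seq:   # ignore replies to other sessions
            rtts.append(round(reply["rtt_ms"], 3))
    sent = len(rtts_s)
    return {
        "sent": sent,
        "received": len(rtts),
        "loss_pct": round(100.0 * (sent - len(rtts)) / sent, 1) if sent else 0.0,
        "min_ms": min(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
    }


if __name__ == "__main__":
    # Constructed round trips: 10 ms, one lost reply, 20 ms, 15 ms.
    print(ping_session(0x1234, [0.010, None, 0.020, 0.015]))
```

The identifier check in ping_session is the detail the lab's description glosses over: because every ping process on a host shares the same raw ICMP socket, each one must discard replies whose identifier is not its own.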
Reflection on the Scope:
In this scenario we practised a way of testing the security of a network: performing a kind of attack such as DoS while changing the source address of the attacker, to check how the security layers respond to this attack behaviour and how to protect the network if there are bugs in its security.
References:
https://en.wikipedia.org/wiki/Raw_socket
https://mustbehero.wordpress.com/2013/09/26/tutorial-on-how-to-using-hping2/
https://2buntu.com/articles/1204/ping-how-does-it-work/
Honeypot lab
Reflection on Practical Skills:
In this lab we practised installing Honeyd, another kind of IDS that creates fake network devices to confuse an attacker.
Lab Question
A honeypot is an unused machine placed in a VLAN or in a network to act as a trap for an attacker. Its purpose is to detect malicious traffic and log it, so that the network admin can analyse it and fix the bug the attacker used.
What does the program honeyd do? How does it do it? What are some of its features?
It performs a function similar to a virtual machine, plus it has a database of templates for almost all network devices, which allows the network admin to create many virtual hosts that look like real ones to an attacker. Among its features is mimicking almost all network devices at once. It can also emulate services such as Telnet, IIS or POP.
Where does honeyd store its log files by default? Where did you put honeyd's log files?
The log files are in this path, /var/log/honeypot, and I didn't change their place because there wasn't a requirement for that.
What do these log files contain?
They contain information about the traffic that arrives at the honeyd hosts.
Did the log files report the results of the scans by your CentOS machine?
Yes
Discussion on Implementation:
Honeyd was already installed on a FreeBSD (Unix-like) machine, so there are no installation steps.
Only the configuration on that machine is a bit different from Linux, because the interface name is le0 rather than eth0.
The templates of network devices have to be written in a text file; since this FreeBSD machine is CLI only, we use this command to write the templates:
ee <FileName>
After writing the templates, it is recommended to run honeyd in debugging mode to find possible mistakes in the written file, with this command:
honeyd -d -i [interface name] -f [FileName]
where [FileName] is the file the templates were written to and [interface name] is the interface (le0 here).
If the previous command does not report any errors or unknown lines, the next step is to alias an IP address for every template on the interface with this command:
ifconfig [interface name] inet [IP address] alias
The above command should be repeated for each template that was written. Then, so that the host itself does not reply on blocked ports, run these commands for both TCP and UDP traffic:
sysctl net.inet.tcp.blackhole=1
sysctl net.inet.udp.blackhole=1
Now Honeyd is ready, and it should be scanned from another machine to produce records in the log files.
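The template file, the debugging run and the repeated alias step above, as an added example in Python that is not from the lab report or from the Honeyd project. It parses a constructed honeyd.conf written in honeyd's documented create/set/add/bind syntax, reports the mistakes that honeyd -d would otherwise surface at start-up or that would leave a decoy silent (a bind to a template that was never created, an address bound twice, a template that is never bound, a template with no personality), and derives the ifconfig alias command for every usable bound address so that none is forgotten when the step is repeated. The interface name le0, the addresses, the personality strings and the script path are assumptions; personality names must match entries in honeyd's nmap fingerprint file.

```python
import ipaddress
import shlex

# Constructed sample configuration, not the lab's file. The third bind is
# deliberately wrong so the check below has something to report.
SAMPLE_CONF = """
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows NT 4.0 SP3"
set windows default tcp action reset
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 23 open

create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 open
add linux udp port 53 proxy 10.0.0.1:53

bind 10.0.0.201 windows
bind 10.0.0.202 linux
bind 10.0.0.203 printer   # template never created
"""


def parse_honeyd_conf(text: str) -> dict:
    """Parse create/set/add/bind directives into templates and binds."""
    templates, binds = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)   # honours quotes and # comments
        if not words:
            continue
        kw = words[0]
        if kw == "create" and len(words) == 2:
            templates[words[1]] = {"personality": None, "ports": []}
        elif kw in ("set", "add") and len(words) >= 3:
            name = words[1]
            if name not in templates:              # honeyd itself rejects this
                raise ValueError("line %d: template '%s' used before create" % (lineno, name))
            if kw == "set" and words[2] == "personality" and len(words) == 4:
                templates[name]["personality"] = words[3]
            elif kw == "add" and len(words) >= 6 and words[3] == "port":
                templates[name]["ports"].append((words[2], int(words[4]), " ".join(words[5:])))
        elif kw == "bind" and len(words) == 3:
            binds.append({"ip": words[1], "template": words[2], "line": lineno})
        else:
            raise ValueError("line %d: unrecognised directive: %s" % (lineno, raw.strip()))
    return {"templates": templates, "binds": binds}


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_config(conf: dict) -> list:
    """Mistakes honeyd -d would report at start-up, or that would leave a decoy silent."""
    problems, seen, bound = [], set(), set()
    for b in conf["binds"]:
        if not _is_ip(b["ip"]):
            problems.append("line %d: '%s' is not a valid IP address" % (b["line"], b["ip"]))
        elif b["template"] not in conf["templates"]:
            problems.append("bind %s refers to undefined template '%s'" % (b["ip"], b["template"]))
        elif b["ip"] in seen:
            problems.append("IP %s is bound more than once" % b["ip"])
        else:
            seen.add(b["ip"])
            bound.add(b["template"])
    for name, tpl in conf["templates"].items():
        if name == "default":                      # fallback template, never bound directly
            continue
        if name not in bound:
            problems.append("template '%s' is never bound to an address" % name)
        if tpl["personality"] is None:
            problems.append("template '%s' has no personality; OS fingerprinting scans see no emulated OS" % name)
    return problems


def alias_commands(conf: dict, iface: str) -> list:
    """One ifconfig alias per usable bind, so the host answers ARP for every decoy address."""
    ips = {b["ip"] for b in conf["binds"] if _is_ip(b["ip"]) and b["template"] in conf["templates"]}
    return ["ifconfig %s inet %s alias" % (iface, ip) for ip in sorted(ips, key=ipaddress.ip_address)]


def blackhole_commands() -> list:
    """The FreeBSD sysctls from the lab: the kernel stays silent on closed ports."""
    return ["sysctl net.inet.tcp.blackhole=1", "sysctl net.inet.udp.blackhole=1"]


if __name__ == "__main__":
    conf = parse_honeyd_conf(SAMPLE_CONF)
    for problem in check_config(conf):
        print("PROBLEM:", problem)
    print("\n".join(alias_commands(conf, "le0") + blackhole_commands()))
```

Run it before honeyd -d: the printed problems are the ones to fix in the template file, and the printed ifconfig lines are exactly the aliases that have to exist before the scan from the other machine can reach the decoys.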
Reflection on the Scope:
In this scenario we practised a way of securing a network: setting a trap for attackers in order to observe the damage their hacking does and to close the bugs they use. Furthermore, it is used to monitor the traffic of the network, like an IDS.
References:
http://www.honeyd.org/faq.php#what
https://en.wikipedia.org/wiki/Honeyd