
1. Penetration Testing 
a. What are the 9 hacking steps of the hacking methodology discussed in "Hacking Exposed" by McClure et al.? 

b. How does nmap detect the OS version of the machine scanned? 

c. How do scanning tools evade IDS detection? Mention two techniques. 

d. fpipe can be used to set up backdoor connections and to avoid blocking by the firewall. 
Assume a site has a DMZ LAN set up similar to our homework#4 with 128.198.61.39 for the DNS server and 128.198.61.40 for the web server, and that an attacker has infected two of the machines, one in the DMZ LAN and one in the intranet. 
The attacker has executed the command "fpipe -l 53 -s 53 -r 80 10.0.0.51" on one of the infected machines. Note that the options for fpipe are: 
-l Specifies the FPipe listening server port number. 
   This is the port number that listens for connections on the FPipe machine. 
-r Specifies the remote port number. 
   This is the port number on the remote machine that will be connected to.
-s Specifies the outbound connection local source port number. 
   This is the port number that data sent from the FPipe server machine will come from when sent to the remote machine.

10.0.0.51 is the remote host IP.
1. What machines are infected? Indicate their IP addresses. 

2. From the Internet, what IP address and port number will the attacker use to connect to the infected intranet machine of this site? 

3. If the attacker can gain the intranet access with this fpipe, which firewall is not set up right? 

4. What firewall rule (iptables command) will protect such intranet access? I would like to have a generic rule and just protect against 10.0.0.51. 
 
5. The service that got infected is critical to the site. Why can the site still operate, and why did the system admin not detect it right away, besides being lazy in checking the logs? Give one reason. 

6. Assume the attacker only hijacks the process but not the executable of this service, how can the system admin detect this backdoor? 

7. How do you improve the fpipe to avoid such a detection?

8. The process goes away when the system reboots. What can the hacker do to make sure the modified fpipe runs after a system reboot?

e. In the above case, a command, "nc -v -L -e cmd.exe -p 80 -s 10.0.0.51" was used by the attacker to set up a backdoor connection. 
1. How can this backdoor be used by the attacker? Give two scenarios. 

2. How can Network-based IDS be used to detect such an attack? 

3. How can Host-based IDS be used to detect such an attack?

f. It is against a company's security policy to bypass the company's firewalls and establish a direct connection between an intranet node and the Internet, and between an intranet node and a DMZ server. How can a security officer detect that an employee has set up a backdoor dialup server using his office phone/cellphone and his office desktop? Briefly discuss tools the security officer can use for this case. 

g. What is Meterpreter, contained in the Metasploit Framework software? How do you use it? 

h. The command nmap -sV -v 128.198.60.156 shows the following result:
[cs591@viva ~]$ nmap -sV -v 128.198.60.156

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-05-10 13:12 MDT
Machine 128.198.60.156 MIGHT actually be listening on probe port 80
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan against csvm1.uccs.edu (128.198.60.156) [1674 ports] at 13:12
Discovered open port 443/tcp on 128.198.60.156
Discovered open port 25/tcp on 128.198.60.156
Discovered open port 80/tcp on 128.198.60.156
Discovered open port 445/tcp on 128.198.60.156
Discovered open port 1025/tcp on 128.198.60.156
Discovered open port 1027/tcp on 128.198.60.156
Discovered open port 139/tcp on 128.198.60.156
Discovered open port 135/tcp on 128.198.60.156
Discovered open port 5000/tcp on 128.198.60.156
The Connect() Scan took 1.11s to scan 1674 total ports.
Initiating service scan against 9 services on csvm1.uccs.edu (128.198.60.156) at 13:12
The service scan took 6.16s to scan 9 services on 1 host.
Host csvm1.uccs.edu (128.198.60.156) appears to be up ... good.
Interesting ports on csvm1.uccs.edu (128.198.60.156):
(The 1665 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 6.0.2600.1
80/tcp open http Microsoft IIS webserver 5.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
5000/tcp open upnp Microsoft Windows UPnP
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 7.407 seconds

1. What exploits will you try? List the three names of the exploits you may be able to use with Backtrack. 

2. What payload will you use? Briefly explain why. 

3. Some of the payloads have a version named "reverse" which lets the victim initiate the connection instead of the attacker's machine. Give a scenario where you want to use the "reverse" version of the payload. 

2. Firewall 
a. How is MASQUERADE used? Does this service only deal with outbound packets (to the Internet)? 

b. How is DNAT used? Is it applied in PREROUTING or POSTROUTING? 

c. A web site uses cgi-scripts on a DMZ web server to process the purchasing/credit card information filled by the customer. The purchasing/credit card information is then transferred back to the intranet database server for processing. 
1. How can it protect the credit card info before the data is transferred back to the intranet database for processing? 

2. Since the security policy of the inner firewall prohibits the DMZ web server from initiating a connection to the intranet, how will you set up the data transfer of the purchasing/credit card info? 

3. IDS 
a. How can a zero-day worm be detected? Briefly discuss one technique. 

b. If a hacker changes the content of the TFN DDoS attack msg from "1234" to "blast", what will be the new snort rule to be added? 

c. The above scenario indicates the problem with IDS detection based on specific patterns. If the attacker changes the content, the existing rules will produce false negatives. What is your solution to this? 

d. What are the rule options in SNORT that can improve the efficiency of the intrusion detection process? List two. Briefly discuss why.
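An added detection example, not part of the assignment or any answer to it: given a netstat-style socket table from the DMZ DNS server, flag a process that both listens on a port and holds an established connection from that same local port to another host's service port, which is the footprint that "fpipe -l 53 -s 53 -r 80 10.0.0.51" leaves in the socket table. The sample rows are constructed, and the netstat-like column layout (proto, local, remote, state, pid/program) is an assumption.

```python
import re
from collections import defaultdict

# Constructed socket table: proto local remote state pid/program.
# The hijacked named process (pid 412) listens on tcp/53 and relays
# from source port 53 to 10.0.0.51:80, as fpipe -l 53 -s 53 -r 80 would.
SAMPLE = """\
tcp 0.0.0.0:53 0.0.0.0:* LISTEN 412/named
udp 0.0.0.0:53 0.0.0.0:* - 412/named
tcp 128.198.61.39:53 10.0.0.51:80 ESTABLISHED 412/named
tcp 0.0.0.0:22 0.0.0.0:* LISTEN 980/sshd
tcp 128.198.61.39:22 203.0.113.7:51544 ESTABLISHED 980/sshd
tcp 0.0.0.0:80 0.0.0.0:* LISTEN 1204/httpd
tcp 128.198.61.39:80 203.0.113.9:40021 ESTABLISHED 1204/httpd
"""

SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)$"
)

def parse_sockets(text):
    """Parse netstat-like rows into dicts; rows that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            d["rport"] = None if d["rport"] == "*" else int(d["rport"])
            rows.append(d)
    return rows

def find_relays(rows, service_port_max=1024):
    """Return (pid, prog, listen_port, remote) for every established TCP socket
    whose local port is also a LISTEN port of the same process and whose remote
    port is a service port. Accepted client connections have ephemeral remote
    ports and are not flagged; a listener-port-to-service-port link is a relay."""
    listeners = defaultdict(set)  # pid -> listening TCP ports
    for r in rows:
        if r["proto"] == "tcp" and r["state"] == "LISTEN":
            listeners[r["pid"]].add(r["lport"])
    hits = []
    for r in rows:
        if r["proto"] != "tcp" or r["state"] != "ESTABLISHED" or r["rport"] is None:
            continue
        if r["lport"] in listeners[r["pid"]] and r["rport"] < service_port_max:
            hits.append((r["pid"], r["prog"], r["lport"], f'{r["raddr"]}:{r["rport"]}'))
    return hits

if __name__ == "__main__":
    for hit in find_relays(parse_sockets(SAMPLE)):
        print("possible port relay:", hit)
```

Running it on a real host means feeding the output of the local socket-listing tool into parse_sockets and adapting SOCKET_RE to that tool's column layout.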

  • Category:- Computer Engineering
  • Reference No.:- M9650007