Hands-On Steps Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab. 1. From the vWorkstation desktop, open the Common Lab Tasks file. If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Figure 1 "Student Landing" workstation 2. On your local computer, create the lab deliverable files. 3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps. Part 1: Capture Network Traffic using TCPdump utility Note: In the next steps, you will use TCPdump, a command line utility, to capture network traffic on the TargetLinux01 virtual server. You will generate that traffic by exploiting a cross-site scripting (XSS) vulnerability in the Damn Vulnerable Web Application (DVWA) tool. In the lab environment, you will be capturing traffic on one interface. In a real-world situation, it is likely the machine would be straddling both an internal network and an external network. In that case, you would want to want to monitor both sides of the interface. Monitoring outside network traffic allows information systems security practitioners to see who and what is attempting to infiltrate your IP network. Monitoring internal traffic allows network analysts to see exactly which hosts may be compromised and what destination IP addresses internal employees are accessing.

1. Double-click the RDP folder on the vWorkstation desktop to open the folder. 2. Double-click the TargetLinux01 file in the RDP folder to open a remote connection to the Linux machine. The remote desktop opens with the IP address of the remote machine (172.30.0.11) in the title bar at the top of the window. 3. From the Linux toolbar, select Applications > Accessories > Terminal to open the Linux command prompt. 4. At the command prompt, type su and press Enter to use the superuser account, instead of the student account, to access the root directory. 5. When prompted for a password, type toor and press Enter. 6. At the command prompt, type man tcpdump and press Enter to open the onscreen manual for the TCPdump utility. This screen displays all of the command line options for the tool and descriptions for each. Use the arrow keys to scroll through the manual to learn more about this tool. Press q to return to the command line prompt. Figure 2 TCPdump manual 7. At the command prompt, type cd /etc/network and press Enter to change the directory. 8. At the command prompt, type ls and press Enter to list the files in that directory. 9. At the command prompt, type cat interfaces and press Enter to display the available Ethernet interfaces. The system returns the list of Ethernet interfaces available. The iface eth0 inet static statement indicates that the physical Internet interface (eth0) is available. The IP address for this machine, 172.30.0.11, matches the IP address in the title bar of the remote window. 10. At the command prompt, type cd and press Enter to return to the root directory. 11. At the command prompt, type tcpdump -i eth0 -n -w tcpdumpcapturefile and press Enter to start the data capture. This command also instructs the utility to save the results of the data capture to a file (tcpdumpcapturefile) instead of printing the results. The TCPdump utility is now configured to capture data on the eth0 interface. Figure 3 Capture data to a file

12. Minimize the TargetLinux01 window to return to the vWorkstation desktop. 13. Double-click the Mozilla Firefox icon on the vWorkstation desktop to open the browser. You can access the DVWA tool using any Internet browser, but the steps in this lab will use the Firefox browser. 14. Type http://172.30.0.11/dvwa in the browser's address box and press Enter. The DVWA has been installed on the TargetLinux01 server within the virtual lab. 15. Type the following credentials and click Login to continue. Username: admin Password: password 16. On the DVWA Welcome screen, click the DVWA Security button. 17. Select low from the Script Security drop-down menu and click Submit to change the security level. 18. Click the XSS reflected button in the DVWA navigation menu. XSS vulnerabilities are generally found in Web forms that send and retrieve data to databases via HTML. 19. In the What's your name? box, type Simon and click Submit. The Web form will take the name you entered and repeat it back to you in a friendly welcome. 20. In the What's your name? box, type and click Submit. Figure 4 Output of script test Note: The greater and less-than arrows surrounding "Simon" are referred to as scripting tags in HTML. They are what allow you to add scripts to a Web page. By entering into a form field you are entering a script that contains only the instruction Simon. The fact that you see a response, even just the word "Hello" from the form indicates that this form is vulnerable. The Web form does not complain and it fails to return the expected outcome. Now that you have found a possible vulnerability, you will need to test it further. 21. In the What's your name? box, type alert('a vulnerability'); and click Submit. Note: In order to test the vulnerability, you need to enter a script that does something. The command "alert" is a scripting function that generates a pop-up alert window to the screen. The command is telling the form to run a script that generates a pop-up window with the statement "a vulnerability". The fact that you see this result, proves that the form will allow scripts to run. Since this simple script was processed correctly, you know that there is a good chance that any type of malicious script can be run. 22. Click OK to close the alert window. 23. Close the Firefox browser. 24. Maximize the TargetLinux01 window to return to that server. 25. In the terminal window, press CTRL+Z to stop the data capture and return to the command line prompt. 26. At the terminal command prompt, type tcpdump -n -r tcpdumpcapturefile and press Enter to display the contents of the tcpdumpcapturefile file on the screen. 27. Use the scrollbar to return to the top of the output stream, where the packets related to the DVWA were captured. Notice that the communication in this output is between 172.30.0.2, the vWorkstation, and 172.30.0.11, the TargetLinux01 machine. Notice too, that the port used for this data stream is port 80 (172.30.0.11.80), which corresponds to HTTP, as you might expect from a Web application. Figure 5 Results of the HTTP data capture 28. Make a screen capture showing the contents of the tcpdumpcapturefile file and paste it into a Lab Report file. 29. Close the terminal window. 30. When prompted, click the Close Terminal button to continue. 31. Close the TargetLinux01 window. Part 2: Capture Network Traffic with Wireshark

Note: In the next steps, you will start a packet capture of TCP/IP traffic on the virtual network using the Wireshark application. You will then use the PuTTY application to establish a Telnet or SSH connection to the IP addresses for several of the machines available in this lab. Each of these connections will gather more data for Wireshark to capture. Click the Topology link at the top of the Intro tab to view a visual representation of the devices used in this lab. TCP is a connection-oriented protocol and is used by applications that require this type of behavior. A three-way handshake (SYN > SYN-ACK > ACK) is performed between the IP source and IP destination to establish a connection-oriented connection. 1. Double-click the Wireshark icon on the vWorkstation desktop to open the application. 2. In the Capture pane, select the Student network interface from the drop-down menu, and click the green Start icon to begin the packet capture process. Figure 6?Start a packet capture using Wireshark 3. Minimize the Wireshark window. 4. Double-click the PuTTY icon on the desktop to start the PuTTY application. 5. In the Host Name (or IP address) box of the PuTTY Configuration dialog box, type 172.16.8.5 (the IP address for LanSwitch1), select the Telnet radio button and click Open to open an unsecure Telnet connection. Figure 7 Configure PuTTY for Telnet 6. Type the following credentials at the login prompt: Login: cisco Password: cisco 7. In the terminal console window, type show interface and press Enter to display the list of available interfaces. 8. In the terminal console window, type show vlan and press Enter to display the VLANs on this machine. Figure 8 Cisco show commands 9. In the terminal console window, type quit and press Enter to close the terminal console session to LanSwitch1. 10. Repeat steps 5-9 for each of the following IP addresses: LAN Switch 2: 172.16.20.5 Tampa 2811 router: 172.17.8.1 11. Double-click the PuTTY icon on the desktop to start the PuTTY application again. 12. In the Host Name (or IP address) box of the PuTTY Configuration dialog box, type 172.16.8.1 (the IP address for LanSwitch2), select the SSH radio button, if necessary, and click Open to start a secure connection. Figure 9 Configure PuTTY for SSH 13. Click Yes when prompted to close the PuTTY Security Alert pop-up, and type the following credentials at the login prompt: Login: cisco Password: cisco 14. In the terminal console window, type show interface and press Enter to display the list of available interfaces. 15. In the terminal console window, type quit and press Enter to close the terminal console to LanSwitch2. 16. Repeat steps 11-12 for the TargetLinux01 server, 172.30.0.11, click Yes when prompted to close the PuTTY Security Alert popup, and type the following credentials at the login prompt: Login: student Password: student 17. In the terminal console window, type exit and press Enter to close the terminal console. Part 3: Transfer Files using Tftpd64 and FileZilla Note: In the next steps, you will open a connection to the TargetWindows01 server and gather additional packet data for Wireshark by using the Tftpd64 application and FileZilla to send small files between clients and servers on the various machines. 1. In the RDP folder, double-click the TargetWindows01 file to open a remote connection to the Windows Server. The remote desktop opens with the IP address of the remote machine (172.30.0.10) in the title bar at the top of the window and the

FileZilla Server application open on the desktop. Figure 10 TargetWindows01 desktop 2. Minimize the TargetWindows01 window to return to the vWorkstation desktop. 3. Close the RDP folder. 4. Double-click the FileZilla Client icon on the vWorkstation desktop to open the application. 5. If prompted, click OK to close the Welcome to FileZilla pop-up. 6. Type the following login credentials in the text boxes at the top of the FileZilla window to connect to the FileZilla Server on the TargetWindows01 desktop. Host: 172.30.0.10 User name: student Password: P@ssw0rd! Port: 21 Note: You are required to enter a mixed-case password. If you are not using Citrix Receiver to access this lab please use the CAPS LOCK button or the On-Screen Keyboard to input this password. 7. Click the Quickconnect button to complete the connection to the FileZilla Server. 8. Click OK when prompted to remember FileZilla passwords and close the pop-up. 9. Navigate to the folders cited in the following list on both the Local site and the Remote site panes: Local site: (C:\ISSA_TOOLS\Documentation) Remote site: (Users/Administrator/Desktop) Figure 11 FTP connection to TargetWindows01 10. Right-click the AnyConnect_adminguide.pdf file in the Local site pane and select Upload from the context menu to upload the file to the vWorkstation desktop. Drag the Filename border to the right to see the entire filename and ensure that you are selecting the correct file. When the download process is complete, use the scrollbar in the Remote pane to see the new file. 11. Close the FileZilla Client window. 12. Maximize the TargetWindows01 window. 13. Make a screen capture showing the AnyConnect_adminguide.pdf on the TargetWindows01 desktop and paste it into your Lab Report file. 14. Right-click the Windows Start icon and select Search from the context menu. 15. In the Search pane, type tftpd to retrieve the list possible matches and click Tftpd64 from the resulting list to open the application. 16. When the application window launches, click the Tftp Client tab. 17. Minimize the TargetWindows01 window to return to the vWorkstation desktop. 18. Double-click the Tftpd64 icon on the vWorkstation desktop to launch the application. The Tftpd64 application uses the TFTP (Trivial File Transfer Protocol) to send (put) or receive (get) files between computers. 19. When the application window launches, click the Tftp Server. 20. Maximize the TargetWindows01 window. 21. On the Tftp Client tab, type or select the following information and click the Put button. Host: 172.30.0.2 (vWorkstation) Port: 69 Local File: C:\Users\Administrator\Desktop\AnyConnect_adminguide.pdf Block Size: Default This is the same file that you transferred using FileZilla earlier in this lab. The status responses in the area below the connection information indicate whether or not the file transfer was successful. Figure 12 Tftpd64 file transfer

22. Click OK when the TFTP transfer is completed and close the Tftpd64 application. 23. Minimize the TargetWindows01 window to return to the vWorkstation desktop. 24. In the Tftpd64 window, click the Show Dir button to verify that the AnyConnect_adminguide.pdf file was transferred to the vWorktation. 25. Make a screen capture showing the transferred file in the Tftpd64 directory and paste it into the Lab Report file. 26. Close the Tftpd64:directory window. 27. Close the Tftpd64 application on the vWorkstation desktop. Part 4: Analyze a Packet Capture with Wireshark Note: In the next steps, you will stop the data capture that Wireshark has been collecting and review Wireshark's built-in filters to gather important network traffic baseline definitions. You will also save a .pcap file for analysis later in this lab. 1. On the vWorkstation desktop, maximize the Wireshark application if necessary. 2. Click the Stop the running live capture icon on the Wireshark toolbar to stop the packet capture process. 3. From the Wireshark menu, select Statistics > Protocol Hierarchy. Wireshark opens a new window that describes the different protocol types captured on the LAN segment; this provides a clear indication of what protocols are on the LAN segment and which ones are permitted to be on the LAN segment as part of the network's overall baseline definition. Adjust the window size to view the entire report. Figure 13 Protocol Hierarchy Statistics 4. Make a screen capture showing the Protocol Hierarchy Statistics and paste it into your Lab Report file. 5. Close the Protocol Hierarchy Statistics window. 6. From the Wireshark menu, select Statistics > Packet Lengths. 7. On the Packet Lengths window, click the Create Stat button. Wireshark opens a new window that describes the packet size distribution of the capture. It is important to know and understand what protocols and what size of Ethernet frames are being used for the transmission on the LAN segment. This is an important network traffic baseline-definition. 8. Make a screen capture showing the Packet Lengths distribution and paste it into your Lab Report file. 9. Close the Packet Lengths with Filter window. 10. Click Cancel to close the Packet Lengths window. 11. From the Wireshark menu, select File > Save As. 12. In the Save As dialog box, navigate to the Security_Strategies folder (This PC > Local Disk (C:) > Security_Strategies), name the report yourname_WiresharkCapture, replacing yourname with your own name, select Wireshark/tcpdump/…-pcap from the Save as type drop-down list, and click Save. 13. Use the File Transfer button to download the yourname_WiresharkCapture file from the Security_Strategies folder (C:/Security_Strategies) your local computer and submit it as part of your deliverables. 14. Close the Wireshark window. Part 5: Analyze a Packet Capture File with NetWitness Investigator Note: In the next steps, you will import the Wireshark packet capture file into NetWitness Investigator and review the packet capture data in context, and compare the Wireshark statistical output with NetWitness Investigator's contextual view. While both Wireshark and NetWitness Investigator can be used to capture network traffic, the freeware version of NetWitness Investigator has a limitation of 1G of protocol capture per session. Wireshark does not have a limitation on the size of the capture file which makes it better suited to protocol capture. Wireshark can be used to analyze capture files, but NetWitness Investigator is a seven-layer protocol analyzer that provides detailed protocol analysis and protocol behavior analysis and is much more userfriendly in terms of understanding protocol behavior and protocol analysis.

1. Double-click the NetWitness Investigator icon on the vWorkstation desktop to start the application. 2. From the NetWitness Investigator menu, click Collection > New Local Collection. 3. In the Collection Name box, type yourname Collection, replacing yourname with your own name, and click OK to name the new collection. 4. In the left pane, double-click the yourname Collection you just created to activate it and change the status to Ready. 5. Right-click the yourname Collection and click Import Packets. Figure 14 Import a PCAP file 6. In the Open dialog box, navigate to the Security_Strategies folder (This PC > Local Disk (C:) > Security_Strategies), click the yourname_WiresharkCapture.pcap you saved earlier in this lab, and click Open. 7. When the file has finished importing, double-click the yourname Collection to open it in NetWitness Investigator. In the summary report, locate details about the PuTTY sessions and file transfers you performed in this lab. You should be able to identify the following: The IP protocol (TCP or UDP) used for each transaction. The IP addresses of the machines you interacted with in this lab. The name of the files transferred. The user accounts and passwords used in this lab. Figure 15 NetWitness Investigator summary information 8. Make a screen capture showing the password and filename used in the FTP transfer and paste it into your Lab Report file. 9. Make a screen capture showing the filename used in the TFTP file transfer and paste it into your Lab Report file. 10. Make a screen capture showing the IP addresses for the SSH sessions and paste it into your Lab Report file. 11. Close the NetWitness Investigator window. 12. Close the virtual lab, or proceed with Part 6 to answer the challenge question for this lab.

Copyright ? 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company