tutorial practicals 2 12-03-2014


Tutorial/Practical 2 (Week 3) CP3302/CP5603

Remarks:

This tutorial/practical consists of some tutorial-type questions that are chosen from ‘Review Questions’ in Chapters 2 and 3 of the textbook, as well as some practical-type questions that are chosen from: Michael E. Whitman and Herbert J. Mattord, Hands-On Information Security Lab Manual, (third edition), Course Technology, Cengage Learning, USA, 2011.

This tutorial/practical may not be completed in the scheduled practical session for this subject. So you are strongly recommended to complete it in your own time (note that students are expected to work 10 hours per week on this subject, including 3 hours of contact time).

Due to security issues, you may not be allowed to practise all commands and programs of the practical-type questions with the university's computers. So, interested students are encouraged to do this section on their own computers (if available). You will not be assessed for utilities/commands that cannot be practised on university computers.

1. (Review Question 1 – Chapter 2) Why is information security a management problem? What can management do that technology cannot?

2. (Review Question 2 – Chapter 2) Why is data the most important asset an organization possesses? What other assets in the organization require protection?

3. (Review Question 3 – Chapter 2) Which management groups are responsible for implementing information security to protect the organization's ability to function?

4. (Review Question 5 – Chapter 2) What is information extortion? Describe how such an attack can cause losses, using an example not found in the text.

5. (Review Question 6 – Chapter 2) Why do employees constitute one of the greatest threats to information security?

6. (Review Question 7 – Chapter 2) What measures can individuals take to protect against shoulder surfing?


7. (Review Question 9 – Chapter 2) What is the difference between a skilled hacker and an unskilled hacker (other than the lack of skill)? How does protection against each differ?

8. (Review Question 10 – Chapter 2) What are the various types of malware? How do worms differ from viruses? Do Trojan horses carry viruses or worms?

9. (Review Question 12 – Chapter 2) What is the most common form of violation of intellectual property? How does an organization protect against it? What agencies fight it?

10. (Review Question 14 – Chapter 2) How does technology obsolescence constitute a threat to information security? How can an organization protect against it?

11. (Review Question 15 – Chapter 2) Does the intellectual property owned by an organization usually have value? If so, how can attackers threaten that value?

12. (Review Question 16 – Chapter 2) What are the types of password attacks? What can a systems administrator do to protect against them?

13. (Review Question 17 – Chapter 2) What is the difference between a denial-of-service attack and a distributed denial-of-service attack? Which is potentially more dangerous and devastating? Why?

14. (Review Question 18 – Chapter 2) For a sniffer attack to succeed, what must the attacker do? How can an attacker gain access to a network to use the sniffer system?

15. (Review Question 19 – Chapter 2) What method does a social engineering hacker use to gain information about a user's login and password? How would this method differ if it were targeted towards an administrator's assistant versus a data-entry clerk?

16. (Review Question 1 – Chapter 3) What is the difference between law and ethics?

17. (Review Question 2 – Chapter 3) What is civil law and what does it accomplish?

18. (Review Question 3 – Chapter 3) What are the primary examples of public law?

19. (Review Question 6 – Chapter 3) What is privacy in an information security context?

20. (Review Question 11 – Chapter 3) What is intellectual property (IP)? Is it afforded the same protection in every country of the world? What laws currently protect it in the United States and Europe?

21. (Review Question 13 – Chapter 3) What is due care? Why would an organization want to make sure it exercises due care in its usual course of operations?

22. (Review Question 14 – Chapter 3) How does due diligence differ from due care? Why are both important?

23. (Review Question 15 – Chapter 3) What is a policy? How does it differ from a law?

24. (Review Question 17 – Chapter 3) What is the best method for preventing an illegal or unethical activity?

25. (Review Question 18 – Chapter 3) Of the information security organizations listed that have codes of ethics, which has been established for the longest time? When was it founded?

26. (Review Question 19 – Chapter 3) Of the organizations listed that have a code of ethics, which is focused on auditing and control?

27. (Review Question 20 – Chapter 3) What can be done to deter someone from committing a crime?

Lab 2

Materials Required

Microsoft Windows XP Professional or Microsoft Windows Vista Business.

One or more IP addresses and Domain Name System (DNS) names.

A Web browser: Microsoft Internet Explorer or Mozilla Firefox.

Background (Footprinting)

When attackers want to compromise a targeted system, they usually use a methodological approach to gather information and then launch their attack. The initial stage of information gathering is footprinting: attempting to find out the extent of the target's network presence, or footprint. Once the network presence is defined, an attacker then attempts to characterize the full scope and depth of the devices visible on the target's network. This step is often called fingerprinting, but also goes by many other names, such as scanning, enumeration, or port scanning. Once the network devices reachable by the attacker are documented, the effort moves on to identify weaknesses or vulnerabilities in the systems. The attacker then tries to compromise systems, steal information, or perform other illegal acts as intended from the start. Most will then make at least some attempt to cover their actions as they leave their victims' systems. Some attackers will leave backdoor programs (also called rootkits or reverse shells) running to allow them to return later to steal more information or to use the systems in attacking other targets. Some will simply crash the systems to hide the facts about their activities.

Where attackers engage in these steps looking for weaknesses to exploit, defenders must understand the processes the attackers use. This will allow them to better defend the networks and systems they are supposed to be protecting. You are expected to know enough about how an attacker works so that you are better able to design, build, and maintain networks and systems that are effective in being defended from attack.

The first step of the attack process is footprinting. This is the process of collecting information about an organization, its networks, its address ranges, and the people who use them. Footprinting is usually completed via readily available electronic resources. It is important for security administrators to know exactly what an individual can find on the Internet regarding their organizations. The information an organization maintains about itself should be properly organized, professionally presented, and as secure as possible to defeat any social engineering and hacking attempts. This is sort of like checking all the doors and windows on your house before leaving.

Footprinting includes both researching information from printed resources as well as gathering facts that can be collected from online resources and through social engineering efforts.

Background (Web Reconnaissance)

Web reconnaissance is a simple but effective method of collecting rudimentary information about an organization. All Web browsers can display source code, allowing users to not only view the Web pages in their intended format, but also to look at the code that was written to create the page; this often reveals hidden information. The kinds of information gathered during the footprinting of an organization's networks and systems commonly include the names of Web personnel, the names of additional servers, locations of script bins, and so on. Web pages can also be downloaded for offline viewing, dissecting, or duplicating. This allows time to design a spoof site, and then to hack the Web server to load the fake version of the site's web pages. Some utilities, including some Web-authoring tools like Dreamweaver from Macromedia and Sam Spade from Blighty Design, enable a more detailed analysis of the components of a Web page.

Web reconnaissance is one of the most basic and simple methods of collecting information on an organization. It generally provides only limited information, but occasionally it can uncover a valuable clue about the organization and its systems. Web reconnaissance can be used to identify the name of an organization's Webmaster or other member of the technical staff, either of which is helpful in executing a social engineering ploy. Web reconnaissance is also a good way to identify the domain names of related web servers, which can then be used to identify additional IP addresses for further reconnaissance activities.

An organization should scrutinize its own Web sites to ensure that no vital organizational information is exposed in its Web site code. E-mail addresses should not contain any part of an employee's name. For example, the Webmaster's address should be listed as [email protected] not [email protected]. Additionally, an organization should use page redirection and server address aliases in its Web pages instead of simply listing page references and specific addresses for servers. This prevents possible attackers from perusing the pages and gleaning additional information about the organization's network and server infrastructure. As an alternative, an organization can outsource its Web server hosting services, and either locate all its Web pages on the host's servers or use page redirection from the host's servers to specific content directories. With domain name registration, the customers are none the wiser and a DNS query for the company's web site resolves to the Web host's server rather than a server on the company's network. When this method is used, no information about the company's network is revealed.

Background (WHOIS)

WHOIS is a service common to Windows and Linux that allows you to look up domain names on a remote server. Whenever you need to find out more about a domain name, such as its IP address, who the administrative contact is, or other information, you can use the WHOIS utility to determine points of contact (POC), domain owners, and name servers. Many servers respond to TCP queries on port 43 in a manner roughly analogous to the DDN NIC WHOIS service described in Request for Comment (RFC) 954. You can locate information about this Internet Request for Comment (IRFC) along with most others at www.rfc-archive.org. Some sites provide this directory service via the finger protocol or accept queries by electronic mail for directory information. WHOIS was originally created to provide individuals and organizations with a free lookup utility to find out if the domain name they wanted to register was already in use. Unfortunately, WHOIS can also be used by attackers to gather information about a domain, identify owners of addresses, and collect other information that can be used in social engineering attacks. Social engineering is the use of tidbits of information to trick someone into providing the hacker with valuable information on systems configuration, usernames, passwords, and a variety of other information that could help get protected information.

There are five specific WHOIS queries used to obtain information. Some can be performed together, and others must be performed independently:

Register queries: Used for querying specific Internet registrars, such as InterNIC. If a WHOIS query reveals the name of a registrar, going to that specific registrar and repeating the query might reveal additional information.

Organizational queries: In addition to providing the name of the registrar, a WHOIS query should provide basic information on the organization that owns the domain name. This may also provide information on the points of contact (see below).

Domain queries: Domain information is the primary result of a WHOIS query. Through a process called inverse mapping, a WHOIS query can also provide domain information for a known IP address.

Network queries: The Internet version of WHOIS (registrar Web sites such as www.internic.net) provides only rudimentary information, but the Linux/UNIX version and the Sam Spade utility provide much more detailed information by cross-referencing directories, such as the initial and owning registrar's directories. This can actually result in detailed information on the entire range of addresses owned by an organization, especially in an inverse mapping exercise.

Point of contact queries: The final pieces of information gleaned in a query are the names, addresses, and phone numbers of points of contact, which are vital for a social engineering attack.

WHOIS searches databases to find the name of network and system administrators, RFC authors, system and network points of contact, and other individuals who are registered in various databases. WHOIS can be accessed by using Telnet to connect to an appropriate WHOIS server and logging in as whois (no password is required). The most common Internet name server is located at the Internet Network Information Center (InterNIC) at rs.internic.net. This specific database contains only Internet domains, IP network numbers, and domain points of contact. Policies governing the InterNIC database are described in RFC 1400. Many software packages contain a WHOIS client that automatically establishes the Telnet connection to a default name server database, although users can usually specify any name server database they want. While most UNIX/Linux builds contain utilities such as WHOIS, all Windows-based builds use utilities designed by third parties. Windows users can also use third-party software to obtain the same functionality. In addition to the InterNIC utility, you may use the freeware utility Sam Spade.

Footprinting Using Windows

The process of collecting information about an organization from publicly accessible sources is called footprinting. This process includes both researching information from printed resources as well as gathering facts that can be collected from online resources and through social engineering efforts.

Network Reconnaissance Using Command Line

The elements of network reconnaissance describe a broad set of activities designed to map out the size and scope of a network using Internet utilities. This includes the number and addresses of available servers, border routers, and the like. The most common utilities are nslookup, ping, and traceroute.

Web Reconnaissance, using nslookup

(i) Describe the purpose of the utility (search the Internet).

(ii) Using Command Line, list and describe the options that can be used by this utility.

(iii) Utilizing IP addresses and/or domain name systems (DNS), describe every command and the information that you have obtained.

In particular, you should try the following (demonstrate each action):

In Windows, open a command prompt window.

Enter nslookup to begin operating in the interactive mode.

Record the default server and address.

Enter the DNS to determine the IP address.

Record the IP address corresponding to the entry.

You can also reverse the process and look up a domain name from a known address.

Record the domain name entry for the IP address.

Enter set all to determine the current settings.

Run the same address used earlier. Are there any differences in the output depending on the run-time changes?

Another interesting use of this utility is to examine the mail server responsible for a particular address or domain name. The nslookup command provides this information by first setting the type to MX (mail exchange), and then entering the DNS or IP address. The system also provides the names and addresses of the primary and secondary name servers responsible for the mail server's DNS registration.

Set type option to mx by typing set type=MX.

Run the domain and IP addresses again and note the differences observed in the output.

Record the mail servers corresponding to the DNS addresses you entered.

Zone transfer information can be obtained during the session by using the ls command and its option (note that many DNS administrators disable this option for security reasons).

Enter exit to terminate the nslookup session.

What other useful information can you obtain using the nslookup utility?
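The MX lookup in the steps above, as an added example that is not part of the lab manual: a small Python client that builds the same query nslookup sends after set type=MX and decodes the reply, including the compressed names that make DNS responses hard to read by eye. The resolver address passed to query_mx and the example.com response embedded below are constructed assumptions; the embedded response is what runs offline.

```python
import socket
import struct

MX = 15  # QTYPE for mail exchange records, what nslookup asks for after "set type=MX"


def build_mx_query(domain, txid=0x1234):
    """Build a standard recursive DNS query (RFC 1035 section 4.1) for the MX records of domain."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", MX, 1)  # QCLASS 1 = IN


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 section 4.1.4); return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer back to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_mx_response(msg):
    """Return [(preference, exchanger), ...] sorted by preference, like nslookup's MX output."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE other than NOERROR, e.g. 3 = NXDOMAIN
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            host, _ = read_name(msg, off + 2)
            records.append((pref, host))
        off += rdlen
    return sorted(records)


def query_mx(domain, server, timeout=3.0):
    """Send the query over UDP/53 to a resolver (the 'Default Server' nslookup reports)."""
    query = build_mx_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_mx_response(data)


# Constructed response to the example.com MX query: two exchangers, names compressed to offset 12
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # header: answer, 1 question, 2 records
    b"\x07example\x03com\x00\x00\x0f\x00\x01"  # question: example.com MX IN
    b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x0e\x10\x00\x09\x00\x0a\x04mail\xc0\x0c"  # 10 mail.example.com
    b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x0e\x10\x00\x0a\x00\x14\x05mail2\xc0\x0c"  # 20 mail2.example.com
)

if __name__ == "__main__":
    print(parse_mx_response(SAMPLE_RESPONSE))  # [(10, 'mail.example.com'), (20, 'mail2.example.com')]
```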

Web Reconnaissance, using Ping

(i) Describe the purpose of the utility (search the Internet).

(ii) Using Command Line, list and describe the options that can be used by this utility.

(iii) Utilizing IP addresses and/or domain name systems (DNS), describe every command and the information that you have obtained.

In particular, you should try the following (demonstrate each action):

In Windows, open a command prompt window. To examine the options available, simply enter ping.

Enter the local/remote IP addresses. The computer generates four Internet Control Message Protocol (ICMP) echo requests, and the destination host responds. Note the response provides information on the number of packets generated and received, along with the time expired between the transmission and reception of each. It also provides basic statistics on the minimum, maximum, and average packet times.

Record the minimum, maximum, and average times for your ping.

Demonstrate ping to an unreachable host (e.g. enter ping 192.168.240.240).

What other useful information can you obtain using the ping utility?

Web Reconnaissance, using Traceroute

(i) Describe the purpose of the utility (search the Internet).

(ii) Using Command Line, list and describe the options that can be used by this utility.

(iii) Utilizing IP addresses and/or domain name systems (DNS), describe every command and the information that you have obtained.

In particular, you should try the following (demonstrate each action):

In Windows, go to the command prompt. Enter tracert. A list of the options available for the tracert command appears.

To perform a traceroute on a local host, enter tracert followed by your assigned IP address.

To conduct a traceroute on a remote host, enter tracert www.course.com. Note the level of information provided. Not only is the domain name address of each intermediate node presented, but the corresponding IP addresses as well. Record your findings.

Repeat these steps for additional addresses you may have.

What other useful information can you obtain using the tracert utility?

Network Reconnaissance Using a Web Browser

Organizational Information Collection

1. In Windows, open a Web browser (Internet Explorer or Firefox).

2. Enter the address in the address text box of your Web browser.

3. If using Internet Explorer, click Page, then View Source. If using Firefox, click View, then Page Source. In the window that opens, scan through the HTML source code.

4. Attempt to identify key pieces of information about the organization from the HTML source code.

5. If you can determine the name of the individual who wrote the code, record it.

6. Record the addresses of the first two Web sites located outside the target organization that are referred to in the code.

7. Record the first two links to other Web servers located inside the target organization that are referred to in the code.

8. Record the first two references pointing to directories containing executable code (such as Java, Perl, Linux or UNIX commands).

9. Repeat steps 2-8 for other addresses or URLs.
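As an added example, not from the lab manual, here is a Python script that does the source review above mechanically over saved page source, which is also how an organization can audit its own pages for exposed names, internal hosts and script directories before an attacker does. The sample HTML, the domain example.com and the EXEC_HINTS list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path fragments that point at directories of executable code (script bins and the like); constructed list
EXEC_HINTS = ("/cgi-bin/", "/scripts/", ".pl", ".cgi", ".php", ".asp", ".jsp")


class SourceAuditor(HTMLParser):
    """Walk the HTML source and collect the items the lab asks you to record."""

    def __init__(self, own_domain):
        super().__init__()
        self.own_domain = own_domain.lower()
        self.authors, self.comments = [], []
        self.external, self.internal, self.executables = [], [], []

    def handle_comment(self, data):
        # Comments often carry developer names, dates and notes about internal systems
        text = data.strip()
        if text:
            self.comments.append(text)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "author" and a.get("content"):
            self.authors.append(a["content"])
        for key in ("href", "src", "action"):  # every attribute a URL can appear in
            if a.get(key):
                self._classify(a[key])

    def _classify(self, url):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host:
            inside = host == self.own_domain or host.endswith("." + self.own_domain)
            bucket = self.internal if inside else self.external
            if host not in bucket:
                bucket.append(host)
        if any(hint in parts.path.lower() for hint in EXEC_HINTS) and url not in self.executables:
            self.executables.append(url)


def audit_source(html, own_domain):
    """Return the recorded items for one page; slice each list with [:2] for 'the first two'."""
    auditor = SourceAuditor(own_domain)
    auditor.feed(html)
    auditor.close()
    return {"authors": auditor.authors, "comments": auditor.comments,
            "external": auditor.external, "internal": auditor.internal,
            "executables": auditor.executables}


# Constructed page source for a fictitious example.com site (not a real page)
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="author" content="J. Bloggs">
<!-- TODO: ask jbloggs before the migration to web2 -->
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://www.example.net/partners">Partners</a>
<a href="https://intranet.example.com/staff">Staff portal</a>
<img src="http://web2.example.com/images/logo.gif">
<form action="/cgi-bin/search.pl"><input name="q"></form>
<a href="http://www.example.net/partners">Partners again</a>
</body></html>
"""

if __name__ == "__main__":
    for item, values in audit_source(SAMPLE_HTML, "example.com").items():
        print(item, values[:2])
```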

Gathering WHOIS Information with Web Browsers

In Windows, open a Web browser (Internet Explorer or Firefox).

In the address text box, enter www.internic.net.

Click Whois in the list of options available at the top of the page.

In the Whois text box, enter the URL or IP address (such as samspade.org without the www prefix), and then click Submit. Note that the resulting screen provides limited information on the subject domain name, along with the addresses of the name servers that contain the actual domain names that maintain the internal server links. It also contains limited information on the registrar system. It provides information only for top-level domains of .aero, .arpa, .biz, .com, .coop, .edu, .info, .int, .museum, .net, and .org.

Record the registrar for your domain name of interest.

Record the primary and secondary name servers for this domain name.

What other useful information can you determine from this output?

Repeat the steps above for addresses or URLs of your interest.

Another Web-based WHOIS engine resides at ARIN. Open a Web browser window and enter http://www.arin.net in the Address text box. The ARIN home page opens.

Type an IP address into the SEARCH WHOIS text box and press Enter.

Information about who owns the IP address is displayed, along with the range of IP addresses belonging to that owner. Also, contact information of the coordinator, as well as the date the information was last updated may be listed.

For each address, determine the NetRange, NameServer, and OrgName information.

Determine the IP address range for the assigned addresses.

Repeat these steps for addresses and URLs of your interest.
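As an added example, not part of the lab manual, the same lookups done from code: a minimal WHOIS client for the TCP port 43 exchange described in the WHOIS background above, and a parser that pulls out the registrar, name servers, NetRange and OrgName fields this procedure asks you to record, plus a check for contact addresses that expose an employee's name (the advice given under Web reconnaissance). The two sample replies, the role-account list and the server argument are constructed assumptions.

```python
import socket

# Role mailboxes that reveal no employee name; any other contact address is flagged (constructed list)
ROLE_ACCOUNTS = {"hostmaster", "webmaster", "postmaster", "abuse", "noc", "admin", "dns"}


def whois_lookup(query, server, port=43, timeout=5.0):
    """RFC 954-style exchange: connect to TCP/43, send the query plus CRLF, read until close."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: value' lines into {normalised_key: [values]}; comment lines are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip().lower().replace(" ", "")  # 'Name Server' and 'NameServer' merge
        if value.strip():
            records.setdefault(key, []).append(value.strip())
    return records


def exposed_contacts(records):
    """Return contact e-mail addresses whose local part is not a role account."""
    found = []
    for key, values in records.items():
        if "email" not in key and "e-mail" not in key:
            continue
        for addr in values:
            if addr.split("@")[0].lower() not in ROLE_ACCOUNTS:
                found.append(addr)
    return found


def summarise(records):
    """Pull out exactly the items the lab sheet asks you to record."""
    first = lambda k: records.get(k, [None])[0]
    return {
        "registrar": first("registrar"),
        "name_servers": records.get("nameserver", []),
        "netrange": first("netrange"),
        "orgname": first("orgname"),
        "exposed_contacts": exposed_contacts(records),
    }


# Constructed sample in the style of a registrar's reply (not a live lookup)
SAMPLE_DOMAIN_REPLY = """\
% Constructed sample, not a live WHOIS reply
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Admin Email: jane.doe@example.com
Tech Email: hostmaster@example.com
"""

# Constructed sample in the style of an ARIN address lookup
SAMPLE_ARIN_REPLY = """\
NetRange: 192.0.2.0 - 192.0.2.255
OrgName: Example Organisation
NameServer: NS1.EXAMPLE.COM
"""
```

Run whois_lookup("example.com", "whois.example-registrar.test") only against a server you are permitted to query; the two samples exercise the parser offline.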