
CompTIA Security+ Lab Series

Lab 4: Protocols and Default Network Ports - Connecting to a Remote System

CompTIA Security+ Domain 1 - Network Security
Objective 1.4: Implement and use common protocols
Objective 1.5: Identify commonly used default network ports

Document Version: 2013-08-02
Organization: Moraine Valley Community College
Author: Jesse Varsalone

Copyright Center for Systems Security and Information Assurance (CSSIA), National Information Security, Geospatial Technologies Consortium (NISGTC)

The original works of this document were funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746; Center for Systems Security and Information Assurance (CSSIA) at Moraine Valley Community College (MVCC).

This work has been adapted by The Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. The National Information Security, Geospatial Technologies Consortium (NISGTC) is authorized to create derivatives of identified elements modified from the original works. These elements are licensed under the Creative Commons Attributions 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

The Network Development Group (NDG) is given a perpetual worldwide waiver to distribute per US Law this lab and future derivatives of these works.
Contents

Introduction
Objectives: Implement and Use Common Protocols; Identify Commonly Used Default Network Ports
Pod Topology
Lab Settings
1 Connecting to a Windows System through the Command Line
    1.1 Using TELNET to Perform Remote Administration
    1.2 Conclusion
    1.3 Discussion Questions
2 Connecting to a Linux System through the Command Line
    2.1 Using SSH to Connect to a Remote Linux System
    2.2 Conclusion
    2.3 Discussion Questions
3 Analyzing Remote Connections in Network Traffic
    3.1 Using Wireshark to Analyze Connections to a Remote Linux System
    3.2 Conclusion
    3.3 Discussion Questions
References

8/2/2013 Copyright 2013 CSSIA, NISGTC
Introduction

This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG), funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746. This work has been adapted by The Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. This series of lab exercises is intended to support courseware for CompTIA Security+ certification.

By the end of this lab, students will be able to connect to remote systems running Windows and Linux and run commands to perform administrative tasks. Students will use the TELNET protocol to connect to a remote Windows system and the SSH protocol to connect to a system running Linux. Students will then analyze both protocols within network traffic to determine whether the protocol uses encryption or clear text.

This lab includes the following tasks:

1 - Connecting to a Windows System through the Command Line
2 - Connecting to a Linux System through the Command Line
3 - Analyzing Remote Connections in Network Traffic

Objectives: Implement and Use Common Protocols; Identify Commonly Used Default Network Ports

Network administrators often have to perform maintenance on servers from remote locations. The server could be on a system within the same building or across the globe. Network administration can be done remotely through a GUI-based program like Microsoft Terminal Services or Virtual Network Connector (VNC), but the use of command line tools like TELNET and SSH is extremely common. It is very common to have a Linux system running without a GUI, and there are even some distributions of Windows, like Server Core, that have no GUI interface. It is critically important for network administrators to understand command line utilities in order to have a good grasp of computer security concepts.

TELNET – The TELNET protocol, which uses port 23, allows someone to remotely administer a computer, router, and switch. All traffic sent using the TELNET protocol is sent in clear text, which means usernames and passwords will be visible to anyone examining the traffic. For security reasons, the use of TELNET should be avoided.

SSH – Secure Shell, which uses port 22, allows a user to securely connect to a remote device. Unlike TELNET connections that are in clear text, SSH connections are encrypted. While Linux and Mac have support for SSH natively, Windows does not.
Windows Command Shell – The Windows command shell allows users to interact with the operating system from a command line environment. Virtually anything that can be done in the Graphical User Interface, or GUI, in Windows can be done from the command line.

Linux Bash Shell – The Linux Bourne Again Shell, or Bash, is one of many shells that are available in a Linux environment. Linux servers are often managed from the command line; therefore, network administrators need to be comfortable with bash.

Wireshark – Wireshark is a protocol analyzer that will allow you to capture and analyze network traffic. Wireshark can be used to inspect traffic and examine the clear text communication of TELNET and encrypted communication of SSH.
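The difference between the clear text of TELNET and the encrypted traffic of SSH can also be measured on raw stream bytes. The Python sketch below is an added example, not part of the original lab: it strips TELNET option negotiation and reports how much of a stream is readable text. Both byte strings are constructed for illustration, and the SSH client name and the hash-derived stand-in for encrypted packets are assumptions.

```python
import hashlib
import math
from collections import Counter

IAC, SB, SE = 255, 250, 240        # TELNET command bytes (RFC 854)
NEGOTIATE = {251, 252, 253, 254}   # WILL, WONT, DO, DONT: one option byte follows


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences so only the typed/displayed data remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                   # truncated command at end
        elif data[i + 1] == IAC:                    # escaped literal 0xFF byte
            out.append(IAC)
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3
        elif data[i + 1] == SB:                     # subnegotiation ends at IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end == -1 else end + 2
        else:
            i += 2                                  # other two-byte commands
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(32 <= b <= 126 or b in (9, 10, 13) for b in data) / len(data)


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; close to 8 for encrypted data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(port: int, payload: bytes) -> dict:
    """Summarise how much of one direction of a TCP stream an observer can read."""
    body = strip_telnet_negotiation(payload) if port == 23 else payload
    if port == 22 and body.startswith(b"SSH-"):
        # The SSH identification line is plain text by design; judge what follows.
        body = body.split(b"\n", 1)[1] if b"\n" in body else b""
    ratio = printable_ratio(body)
    return {
        "port": port,
        "printable": round(ratio, 2),
        "entropy": round(entropy_bits_per_byte(body), 2),
        "readable": ratio > 0.9,
        "text": body.decode("ascii", "replace") if ratio > 0.9 else None,
    }


# Constructed client-to-server TELNET bytes: two option negotiations, then the
# lab's login values and one command as they would be typed.
TELNET_SAMPLE = bytes([255, 253, 1, 255, 251, 31]) + b"administrator\r\npassword\r\ndir\r\n"

# Constructed SSH bytes: identification line (hypothetical client name), then 512
# hash-derived bytes standing in for encrypted packets (not real ciphertext).
SSH_SAMPLE = b"SSH-2.0-ExampleClient\r\n" + b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    for port, sample in ((23, TELNET_SAMPLE), (22, SSH_SAMPLE)):
        print(assess(port, sample))
```
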
Pod Topology

Figure 1: Topology
Lab Settings

The information in the table below will be needed in order to complete the lab. The task sections below provide details on the use of this information.

Required Virtual Machines and Applications

Log in to the following virtual machines before starting the tasks in this lab:

    BackTrack 5 Internal Attack Machine                  192.168.100.3
    BackTrack 5 root password                            password
    Windows 2k3 Server Internal Victim Machine           192.168.100.201
    Windows 2k3 Server administrator password            password
    Red Hat Enterprise Linux Internal Victim Machine     192.168.100.3
    Red Hat Enterprise Linux root password               password
    Windows 7 Internal Attack Machine                    192.168.100.201
    Windows 7 student password                           password

BackTrack 5 Internal Attack Login:

1. Click on the BackTrack 5 Internal Attack icon on the topology.
2. Type root at the bt login: username prompt.
3. Type password at the Password: prompt.

For security purposes, the password will not be displayed.

Figure 2: BackTrack 5 login
4. To start the GUI, type startx at the root@bt:~# prompt.

Figure 3: BackTrack 5 GUI start up

Windows 2k3 Server Internal Victim Login:

1. Click on the Windows 2k3 Server Internal Victim icon on the topology.
2. Use the PC menu in the NETLAB+ Remote PC Viewer to send a Ctrl-Alt-Del (version 2 viewer), or click the Send Ctrl-Alt-Del link in the bottom right corner of the viewer window (version 1 viewer).
3. Enter the User name, Administrator (verify the username with your instructor).
4. Type in the password, password, and click the OK button (verify the password with your instructor).

Figure 4: Windows 2k3 login

Red Hat Enterprise Linux Internal Victim Login:

1. Click on the Red Hat Linux Internal Victim icon on the topology.
2. Type root at the rhel login: prompt.
3. Type password at the Password: prompt.

For security purposes, the password will not be displayed.
4. To start the GUI, type startx at the [root@rhel ~]# prompt.

Figure 5: RHEL login

Windows 7 Internal Attack Login:

1. Click on the Windows 7 Internal Attack icon on the topology.
2. Enter the username, student (verify the username with your instructor).
3. Type in the password, password, and hit Enter to log in (verify the password with your instructor).

Figure 6: Windows 7 login
1 Connecting to a Windows System through the Command Line

For a variety of reasons, network administrators may need to perform tasks on a remote system. TELNET can be used to perform remote administration on computers, routers, switches, and other devices. The disadvantage of using TELNET is that it sends everything across the wire in clear text, including usernames, passwords, and commands. For this reason, the use of TELNET should be avoided if possible.

First, we will scan the victim machine to determine if the TELNET port is open. We will specify the default TELNET port of 23 when conducting the Nmap scan.

Keep in mind that Linux commands are case sensitive. The commands must be entered exactly as shown, or errors will occur.

1.1 Using TELNET to Perform Remote Administration

Open a Command Prompt to Get Started

1. Open a command prompt on the Windows 7 Internal Attack Machine by double-clicking on the cmd.exe icon on the Desktop.

Figure 7: Opening a Command Prompt on Windows 7

2. Before you start, determine the IP address of the Windows 7 Internal Attack Machine by typing:

    C:\>ipconfig

Figure 8: The IP address Information of the Windows 7 Machine
3. Type the following to determine if port 23 is open on the remote system.

    C:\>nmap 192.168.100.201 -p 23

Figure 9: The Results of an Nmap Scan

The results of the Nmap scan indicate that the TELNET port is open on the remote system. In order to connect via TELNET, you need to have a user account and the password for the remote system. This information is sent over the network in clear text.

The TELNET client is not installed by default on Windows Vista or Windows 7. It must be added through the Add Programs and Features applet in the Control Panel.

We have already added the TELNET client feature on the Windows 7 Internal Attack Virtual Machine.

4. From the command prompt, type the following command:

    C:\>telnet 192.168.100.201

Figure 10: Using the TELNET command in Windows

5. You will be warned that it might not be safe to send your password. Type y and press Enter to send it anyway.

Figure 11: Warnings about the Danger of Using Telnet

You will be prompted for the username and password. The username will be displayed as you type it, but the password is not displayed for security reasons.
6. For the username, type administrator and for the password type password.

Figure 12: Inputting the Username and Password of the Remote System

After a successful login, you will receive the message Welcome to Microsoft Telnet Server. You will start in the Documents and Settings folder of the user's account.

Figure 13: A Successful TELNET connection was made

7. Type the following command to change directories to the root of the C drive:

    C:\Documents and Settings\Administrator.WIN2K3DC>cd \

Figure 14: Changing Directories to the Root of C:

8. Type the following command to view the IP address information of the remote system running Windows Server 2003 you are connected to through TELNET.

    C:\>ipconfig

Figure 15: Displaying the IP address of the Remote machine
9. To view the active TELNET connection from the Windows 7 Internal Attack Machine to the Windows Server 2k3 Internal Victim Machine in the network connections, type the following:

    C:\>netstat -an | findstr 23

Figure 16: Viewing the TELNET Network Connection from Windows 7 to Server 2003

The netstat data first indicates that the Windows Server 2003 is listening on port 23:

    TCP    0.0.0.0:23    0.0.0.0:0    LISTENING

The second connection indicates a TELNET connection from the Windows 7 Internal Attack Machine with the IP address of 192.168.100.5 to the Windows Server 2k3 Internal Victim Machine with IP address 192.168.100.201.

The other two connections displayed are dealing with Network Time Protocol, which uses UDP and port 123. TELNET, on the other hand, uses TCP and port 23.

10. Type the following command to view the files on the root of the C drive of the remote Windows 2003 Server Internal Victim Machine.

    C:\>dir

Figure 17: Displaying the Files on the Remote System
In the next step, we will make a text file on a remote system through the command line. Notepad and WordPad are GUI applications and cannot be utilized in a TELNET session. Using the edit command is not a good idea either because there is a good likelihood you will get stuck in the editor. In order to create a text file, we will use the echo command along with a redirect (>). This technique can be used in Windows or Linux.

11. Type the following command to create a text file through the command line:

    C:\>echo I am creating a text file here > securityplus.txt

Figure 18: Creating a Text File Using Echo

12. Type the following command to view the newly created file.

    C:\>dir s*

Figure 19: Listing the File Created on the Remote System

13. To view what is written inside the file, type the following command:

    C:\>type securityplus.txt

Figure 20: Displaying the Contents of the Text File on the Remote System

There are attributes you can add to a file from the command line, including:

- Hidden – File is not displayed in a directory listing.
- Read Only – File is readable, but cannot be changed or deleted.
- System – File is used by the operating system.
- Archive – Used for backup purposes.
Attributes can be applied to files by using the attrib command. The attrib command followed by a plus sign (+) and the name of the file will add the attribute to the file. The attrib command followed by a minus sign (-) and the name of the file will remove the attribute from the file. A directory (dir) command along with a forward slash and the symbol representing the attribute will display the files with those attributes.

14. To hide the text file, type the following command:

    C:\>attrib +H securityplus.txt

Figure 21: Hiding a File on the Remote System using the attrib Command

15. After applying the attribute, try to view the hidden securityplus.txt file:

    C:\>dir s*

Figure 22: The Hidden File is not displayed on the Remote System

16. To display the hidden securityplus.txt file, type the following command:

    C:\>dir s* /ah

Notice the switch used with the dir command. The "/a" switch means look for files with a specific attribute; the "h" specifies the hidden attribute.

Figure 23: Displaying the Hidden File on the Remote System

Displaying, creating, and hiding files can be done on a remote system using TELNET. An Administrator can also perform other tasks, such as account and service maintenance.
17. To create a user on the remote system, type the following command:

    C:\>net user admin1 P@ssword /add

Figure 24: Adding a User through the Command Line

Be aware that only administrative accounts have the capability to add users.

You should receive the message that the command completed successfully. The user created will have an account named admin1 and a password of P@ssword.

An administrator logged into the system remotely through the command line can also view, stop, and start services by using the net start and net stop commands. One service that should not be stopped is the TELNET service, or the connection will die.

18. To stop the Automatic Updates service on the remote machine, type:

    C:\>net stop "Automatic Updates"

Figure 25: Stopping the Automatic Updates Service

19. Type exit to leave the command prompt session on the remote machine.

Figure 26: Leaving the TELNET session
20. To be sure that your TELNET session to the Windows Server is disconnected, type ipconfig and the IP address of the Windows 7 Internal Attack Machine should be displayed again.

    C:\>ipconfig

Figure 27: The IP address Information of the Windows 7 Machine

1.2 Conclusion

A network administrator can use TELNET to remotely connect to a computer to run commands. A TELNET connection can be used to display and create files on the remote system, as well as perform other administrative tasks, like maintenance of accounts and services. TELNET uses TCP port 23 and sends information over the network in clear text.

1.3 Discussion Questions

1. What command can be used to show an active TELNET connection?
2. What is the command that can be used to display files on a remote system when an administrator is connected via a TELNET session?
3. How can you create a file on a remote system during a TELNET session?
4. What command can be used to determine if a remote system is running TELNET?
2 Connecting to a Linux System through the Command Line

Most people would agree with the fact that since its inception, Linux has always been an operating system that took security seriously. Most distributions of Linux come with a built-in SSH server as well as an SSH client that will allow you to connect to servers running SSH. The SSH, or secure shell, protocol uses Transmission Control Protocol port 22. Unlike TELNET, everything sent over the wire using SSH is encrypted.

2.1 Using SSH to Connect to a Remote Linux System

Warning - This must be done before starting Task 2:
The Red Hat Linux Internal Victim Machine needs to be logged into using the root username with the password: password (the password will not be displayed for security reasons). Once you have logged in, issue the command startx to start the GUI (Graphical User Interface). See Lab Settings, section 0 for details. Until this procedure has been performed, Task 2 cannot be started.

1. From a command prompt on the Windows 7 Internal Attack Machine, type the following to determine if port 22 is open on the remote Linux system:

    C:\>nmap 192.168.100.147 -p 22

Figure 28: Determining if SSH Port 22 is Open on the Remote Machine

Microsoft Windows does not have a Secure Shell (SSH) client built into the operating system. However, third-party SSH client and server applications can be used to make SSH connections to other systems or to allow incoming SSH connections. PuTTY is a third-party application that will allow you to connect to a remote system running SSH.
2. Double-click on putty.exe to launch the third-party SSH client application.

Figure 29: Launching putty.exe on the Windows 7 Machine

The PuTTY Configuration will open. Users can choose the following connection types:

- Raw
- Telnet
- Rlogin
- SSH (the default)
- Serial

PuTTY makes a great choice for Windows Vista and Windows 7 users who need to connect to remote devices because Windows no longer comes with HyperTerminal.

3. In the Host Name (or IP address) box, type the IP address 192.168.100.147 and click Open.

Figure 30: PuTTY Configuration Dialog Box
4. A PuTTY Security Alert Dialog will pop up. Click Yes to the Warning. The alert appears because PuTTY has not connected to this server before and has no cached copy of its host key.

Figure 31: Security Alert Dialog

5. When you receive the login prompt, type root. The password is password.

Note: the password will not appear when you type it for security reasons.

Figure 32: Logging in to the Remote Machine via SSH

After a successful login, you will receive a Last Login message and a prompt.

Figure 33: A Successful Login to the SSH Server Displays the Last Login Time

6. Checking the IP address of the machine you are connecting to remotely is never a bad idea. To display IP address information in Linux, type the following:

    [root@rhel ~]# ifconfig

Figure 34: Displaying the IP address of the Remote Linux Machine
The first IP address shown is for the first NIC in the system. The second is the loopback address.

7. To view the TCP secure shell (SSH) connection between the Windows 7 Internal Attack Machine and the Red Hat Linux Internal Victim Machine, type the following command:

    [root@rhel ~]# netstat -tan | grep 22

Figure 35: Viewing the Established SSH connection

The netstat command, which works in Windows and Linux, displays active network connections. By using the -tan switch, you will only display TCP connections. You can narrow down the output by piping (|) the command into grep, Global Regular Expressions Print, and using port 22. The first line of the netstat output tells you that the Linux Machine is listening on port 22. The second line of the netstat output shows the established connection between the Windows 7 Internal Attack Machine with the IP address of 192.168.100.5 and the Red Hat Linux Internal Victim Machine with the IP address of 192.168.100.147.

To find out what directory you reside in on the Linux file system, type pwd. The command pwd is short for both print working directory and present working directory. The tilde (~) symbol tells you the current user is in their home directory.

8. To view your current location on the file system in Linux, type:

    [root@rhel ~]# pwd

Figure 36: Printing the Present Working Directory

9. List files in the root's home directory by typing the following:

    [root@rhel ~]# ls

Figure 37: Using the ls command in Linux to View Files and Folders
The ls command usually displays files in different colors than folders. Also, files with executable permissions are typically displayed using a green font color. Another common practice is to have folders start with a capital letter, although this is not a requirement.

10. Creating a file in Linux can be done by using the VI Editor or by using the echo command and a redirect symbol (>), like in Microsoft Windows. To make a file called securityplus.txt with the phrase "this is a file" in it, type the following:

    [root@rhel ~]# echo this is a file > securityplus.txt

Figure 38: Creating a File in Linux

11. Type ls to view the created securityplus.txt file within root's home directory.

    [root@rhel ~]# ls

Figure 39: Displaying Files with the ls Command

In Linux, the mv (move) command is used to rename a file. By placing a period (.) at the beginning of a file name, that file will be hidden. This is the equivalent of using the attrib command to add the hidden attribute to a file in Windows.

12. To hide the file, rename it using the mv command and put a period in the front.

    [root@rhel ~]# mv securityplus.txt .securityplus.txt

Figure 40: Renaming and Hiding a File

The file is now hidden and will not be displayed when ls is used without any switches.

13. Type ls to see that the securityplus.txt file is no longer displayed.

    [root@rhel ~]# ls

Figure 41: The Hidden File is not Displayed with ls
14. To view hidden files within the root's home directory, type the following:

    [root@rhel ~]# ls -a

Figure 42: Displaying Hidden Files in Linux

Displaying, creating, and hiding files can be done on a remote system using SSH. The root account can also perform other tasks, such as account and service maintenance.

15. To add a user to the Red Hat Linux Internal Victim Machine, type the following:

    [root@rhel ~]# useradd admin1

Figure 43: Adding a User to the Remote Linux System

The passwd and shadow files in the /etc directory store the names of the users. The shadow file also stores the user's password hash. Linux users can use the cat command, which stands for concatenate, to display the contents of a file like the shadow file. Some files can contain pages of information. To narrow the display results, the grep command can be used. GREP, which stands for Global Regular Expressions Print, can be used to search for a character or a string of characters within a given output set.
16. To view the admin1 user created within the shadow file, type the following:

    [root@rhel ~]# cat /etc/shadow | grep admin1

Figure 44: Using GREP to Filter Search Results

The service command can be used to stop, start, and view server status.

17. To view the status of the Very Secure FTP Daemon (vsftpd), type the following:

    [root@rhel ~]# service vsftpd status

Figure 45: Viewing the Status of the vsftpd Service

18. To stop the vsftpd service on the remote Linux system, type the following:

    [root@rhel ~]# service vsftpd stop

Figure 46: Shutting Down the vsftpd service

19. To end the SSH session on the remote Linux system, type the following:

    [root@rhel ~]# exit

Figure 47: Typing Exit to Leave the SSH Session

The PuTTY window will close and the SSH session will be terminated.
2.2 Conclusion

Secure Shell, or SSH, allows users to remotely connect and administer computers running the Linux, Unix, and Mac operating systems as well as other network devices such as routers and switches. Secure Shell encrypts the traffic, unlike TELNET, so the usernames, passwords, and commands will not be visible to anyone inspecting network traffic. It is strongly recommended that SSH be used instead of TELNET when possible.

2.3 Discussion Questions

1. What port does Secure Shell use?
2. Is there a native SSH client or server on a Microsoft Windows system?
3. What is the file in Linux that contains the password hash?
4. What are two methods that can be used for creating a file during a remote secure shell (SSH) connection within Linux?
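The netstat checks in step 9 of section 1.1 and step 7 of section 2.1 filter by substring, which is why the TELNET check also returns the NTP sockets on port 123. The Python sketch below is an added example, not part of the original lab: it parses both netstat layouts and matches the port field exactly. The sample output is constructed, and the client ports 1044 and 1045 and the extra Linux listeners are assumptions.

```python
ADMIN_PORTS = {23: "TELNET (clear text)", 22: "SSH (encrypted)"}


def _port(endpoint: str):
    """Return the numeric port of 'addr:port', or None for '*' and the like."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def parse_netstat(text: str) -> list:
    """Parse `netstat -an` (Windows) or `netstat -tan` (Linux) socket lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].lower().startswith(("tcp", "udp")):
            continue                      # headers and blank lines
        if f[1].isdigit():                # Linux adds Recv-Q and Send-Q columns
            f = [f[0]] + f[3:]
        if len(f) < 3:
            continue
        rows.append({"proto": f[0].lower(), "local": f[1], "remote": f[2],
                     "state": f[3] if len(f) > 3 else ""})
    return rows


def remote_admin_sockets(text: str) -> list:
    """TCP sockets whose local (server) or remote (client) port is exactly 22 or 23."""
    hits = []
    for r in parse_netstat(text):
        if not r["proto"].startswith("tcp"):
            continue                      # TELNET and SSH both run over TCP
        for side, role in (("local", "server"), ("remote", "client")):
            service = ADMIN_PORTS.get(_port(r[side]))
            if service:
                hits.append((service, role, r["state"], r["local"], r["remote"]))
                break
    return hits


def substring_matches(text: str, needle: str) -> list:
    """What `findstr 23` or `grep 22` keep: any line containing the digits."""
    return [line for line in text.splitlines() if needle in line]


# Constructed output modelled on the lab's Windows Server 2003 netstat result.
WINDOWS_SAMPLE = """
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    192.168.100.201:23     192.168.100.5:1044     ESTABLISHED
  UDP    0.0.0.0:123            *:*
  UDP    192.168.100.201:123    *:*
"""

# Constructed output modelled on the lab's Red Hat netstat -tan result.
LINUX_SAMPLE = """
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::ffff:192.168.100.147:22   ::ffff:192.168.100.5:1045   ESTABLISHED
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
"""

if __name__ == "__main__":
    for name, sample, needle in (("Windows", WINDOWS_SAMPLE, "23"),
                                 ("Linux", LINUX_SAMPLE, "22")):
        print(name, "substring lines:", len(substring_matches(sample, needle)))
        for hit in remote_admin_sockets(sample):
            print("   ", hit)
```

A TELNET listener reported by this check is the finding to act on, since the lab itself recommends SSH instead of TELNET when possible.
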
3 Analyzing Remote Connections in Network Traffic

In this section, you will analyze a preexisting network capture file with TELNET and SSH traffic. You will be able to view the clear text communication during the TELNET session, but you will be unable to view the encrypted communication of the SSH connection.

3.1 Using Wireshark to Analyze Connections to a Remote Linux System

Wireshark is a protocol analyzer, which will allow you to inspect and capture network traffic. The 32-bit and 64-bit versions can be downloaded from www.wireshark.org.

Open a Terminal to Get Started

1. Open a terminal on the BackTrack 5 Internal Attack Machine by clicking on the picture to the right of the word System in the task bar at the top of the screen. Type wireshark (all lowercase) to bring up the Wireshark program.

Figure 48: The Terminal Windows within BackTrack

2. If you receive a message that running Wireshark as root can be dangerous, click the button that says Don't show this message again, and click OK.

Figure 49: Allow Wireshark to run as root
3. Select File from the Wireshark menu and select Open. Double-click on the root folder, then double-click on the lab4 folder. Double-click on the file telnetssh.pcap.

Figure 50: Opening the Wireshark file

Examining TELNET traffic can be done by using either of the two filters within Wireshark:

    telnet
    tcp.port == 23

If TELNET is used on a Windows system, the following filter can be used (