Page 1 of 17

Installing 1.1 NTOP ..Page 3 1.2 WEBMIN ..Page 3 1.3 APACHE ..Page 3 1.4 WIRESHARKp..Page 5 1.5 JOHN The RIPPER p..Page 6 1.6 EtterCap ....Page 7 1.7 PortSentry ..Page 7 1.8 LogCheck ..Page 8 1.9 Firestarter ....Page 9 1.10 Nikto ..Page 9 1.11 Modsecurity ..Page 9 1.12 Snort...Page 11 1.13 Nessus ..Page 13 1.14 Whisker p..Page 15 1.15 CGIchk ....Page 15 1.16 Windows Based Tools p..Pending TCPView FPort Nmap 1.17 TinyWeb p..Pending

Page 2 of 17

Setting up
System
You will need to activate the network as follows: 1. Login as root (password to be provided) 2. Right click on the desktop and open a terminal window 3. Type: netconfig 4. Follow the prompts, adding an IP number based on your computer name 192.168.1.x where x is the computer number. Lab EN305 uses the computer number Lab EN310 uses the computer number with a ''5" in front. Examples: EN310 - computer 03 = 192.168.1.53 It is essential that you follow this pattern otherwise you computer will not see the network Subnet mask: 255.255.255.0 Take defaults for gateway and DNS server (not relevant as we are off the network) 5. Exit netconfig saving changes 6. Type: service network start 7. Type: ifconfig and check that changes are active 8. ping another computer to confirm - like ping 192.168.1.x

Page 3 of 17

1.1 Ntop
cd Desktop/Tools tar xvzf ntop_3.1.tgz td ntop ./configure ;make ;make install ./ntop -U nobody -P /tmp -w 3000 The procedure may wait in between, push enter if it stops You will be then prompted to provide an admin password. Leave that window running and using a browser connect to: http://youripnumber:3000 Note: NTOP takes time to collect data so leave it running

1.2 Webmin
Installation of Webmin
cd Desktop/Tools tar xvzf webmin-1.320.tar.gz cd webmin-1.320 ./setup.sh Accept the defaults, better if you dont enter the password even. Open a web browser http:youripaddress:10000 Enter username:admin password: <blank>; To create users Go to System Create a new user Enter the user name, In the Shell portion scroll down to select /bin/bash, Select a normal password and enter the password. Push the Create button(at the bottom of the page) To start services Go to Networking Extended Internet Services Select Telnet and FTP then push Enable Selected Apply changes.

1.3 Apache
cd Desktop/Tools/ tar xvzf httpd_2.0.52.tar.gz cd httpd-2.0.52/ ./configure ;make ;make install (why do we use--prefix=/usr/local/apache2) /usr/local/apache2/bin/apachectl start /usr/local/apache2/bin/apachectl stop Dont use this unless you want to stop the server

Page 4 of 17 To check access and error logs: tail f /usr/local/apache2/logs/access-log tail f /usr/local/apache2/logs/error-log

1. Unpack the archive file tar xvzf httpd.2.0.52.tgz <--- if you really want to know: x = extract, v= verbose, z = unzip, f = it is a file (not tape) Do a ls -al and check that various directories are there - src, conf, htdocs and so on. ./configure;make;make install /usr/local/apache2/bin/apachectl start

Most configuration information is in the httpd.conf file. /usr/local/apache2/conf/httpd.conf It should run with the default settings. If not, edit the "Listen" line and insert your ip number :80 Location of HTML files: /usr/local/apache2/htdocs <-- this is where the HTML documents are located. Apache version varies so check! Note: the file index.html is the initial document served up. You can replace this later, but must still call it index.html

Check Status

ipAdd
ps -ef | grep httpd

Log directory: /usr/local/apache2/logs access_log - who has used your server error_log - any errors. Also a record of any server restarts

1. Check the logs directory: The error log should say (or similar) [Sun May 10 14:39:04 1998] created shared memory segment #260 [Sun May 10 14:39:04 1998] Server configured -- resuming normal operations

Page 5 of 17

This line means - no error - we are running If you don't get the last line, check what the message is, it will be a guide. 2. Check the access_log - it should say: (or similar) tuan.dlk.com.au - - [10/May/1998:14:40:38 +1000] "GET / HTTP/1.0" 200 1316 tuan.dlk.com.au - - [10/May/1998:14:40:38 +1000] "GET /apache_pb.gif HTTP/1.0" 200 2326 tuan.dlk.com.au - - [10/May/1998:14:40:57 +1000] "GET /manual/index.html HTTP/1.0" 200 2311 3. The file httpd.pid should have a number in it - the process id.

1.4 Wireshark
Before you start,

Make sure that you have the following ports open:

21 FTP (use Webmin to start) 22 SSH (already running) 23 Telnet (use Webmin to start) 25 Sendmail 80 Apache

Create a normal user account using Webmin - required to allow remote logins
Webmin - System --> Users and Groups - ************--Bin Bash***********

Installation
cd Desktop/Tools/ tar xvzf wireshark-0.99.5.tar.gz cd wireshark-0.99.5 ./configure ;make ;make install (it takes a while, compiling) wireshark

Capturing traffic - Use Wireshark

Wireshark: Extract Configure wireshark

Page 6 of 17 Select capture - Interfaces (Menu) Make sure you have set: Interface: eth0 in Linux Check boxes: Update list of packets in real time Automatic scrolling in live capture Disable name resolution Start

2. Get the person next to you to telnet to your ip number: telnet ipnumber and login Do same for ftp Now capture some web traffic Then login via ssh: ssh username@ipnumber 3. Now stop capturing with: Capture, stop There should be a lot of traffic displayed. 4. Now, lets filter out the noise to check specific traffic - in our case FTP or Telnet Scroll down and find, for example the first FTP in the "Protocol" column (use Edit, Find) Now, right click on this line and select 'Follow TCP stream' This should filter out all the other traffic, leaving just the traffic from the selected session. 5. Check out behaviour. Visibility of password and such like. 6. Do same for the other traffic. What passwords/traffic can you capture - why?

1.5 John The Ripper - Password Cracker

tar xvzf john-1.6.tar.gz cd john-1.6/src make generic <-- note options may vary, check README

Page 7 of 17 cd .. run/unshadow /etc/passwd /etc/shadow > passwd.1 run/john passwd.1

1.6

EtterCap

cd Desktop/Tools tar xvzf ettercap0.6.4.tar.gz It may wait after unzipping, push enter if it waits. cd ettercap-0.6.4/ ./configure ;make ;make install ettercap (in a maximised window) Youll be directed to an interface where you can select the Source and Target computer. Select the Source andTarget by pushing Enter on the IP numbers seen. Once you select the source and target, push A to start sniffing. Youll be able to see the packets from specified computer towards the target.

1.7
o o o

PortSentry
Depending on rules, can prevent access of packets. Immediately update firewall/iptables with regards to ip adderss Can be used to attack back Tarpit Subtle way of attacking something. Can take an attacker offline

Local Computer cd Desktop/Tools/ tar xvzf portsentry1.1.tar.gz cd portsentry-1.1/ Edit the portsentry.conf by: GoApplicationAccessoriesText EditorOpenFileSystem usr/local/psionic/portsentry/portsentry.conf SearchFindiptables support for Linuxreplace the following line: KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP" With: KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

Page 8 of 17

In the # TCP Wrappers# section: Add a hash(#) before the foolowing line: KILL_HOSTS_DENY="ALL: $TARGET$" Save the file and close the text editor. Re-open to double check, before starting portsentry. usr/local/psionic/portsentry/portsentry.history make linux make install ./portsentry atcp ./portsentry audp tail -f /var/log/messages to check the logs. ps -ef|grep portsentry to check the running status. root 7869 1 0 12:53 ? 00:00:00 ./portsentry -atcp root 7871 1 0 12:53 ? 00:00:00 ./portsentry -audp root 7928 7436 0 12:55 pts/3 00:00:00 grep portsentry killall portsentry to delete the configuration of portsentry. Attacker nmap IP

iptables L to see the iptable entries(blocked ip addresses). iptables F to flush those entries(delete blocked ip addresses).

1.8

LogCheck

cd Desktop/Tools/ tar xvzf logcheck-1.1.tar.gz cd logcheck-1.1 make linux cd /usr/local/etc ./ logcheck.sh

tail -f /var/spool/mail/root --OR mail (and then the mail number that you want to read) if you need to check the history of blocked ip addresses /usr/local/psionic/portsentry/portsentry.history iptables L to see the iptable entries(blocked ip addresses).

Page 9 of 17 iptables F to flush those entries(delete blocked ip addresses You need to re-run the /usr/local/etc/ logcheck.sh command everytime before checking the mail.

1.9

Firestarter

Run a nmap scan first ICMP limit 10/sec => Prevents Denial of Service for anyone sending more than 10 packets a second cd Desktop/Tools/ tar xvzf firestarter-1.0.3.tar.gz cd firestarter-1.0.3 ./configure ;make ;make install Firestarter. This will take you to Firestarter GUI. Accept defaults and push save at the end. Firestarter will start. Go to the Policy tab(there are 3 tabs Status, Events and Policy) Select inbound or outbound traffic that needs to be controlled. Configure the rules based on either IP numbers for all ports or port numbers for everyone. Push Apply Policy Start Firewall. Watch out Event tabs for the activities blocked .

1.10 Nikto
cd Desktop/Tools/ tar xvzf nikto-current.tar.gz cd nikto-1.36/ ./nikto.pl -h 192.168.1.x Gives you details about the vulnerabilities of the web server. Its web scanner.

1.11 ModSecurity
Stop Apache if it is running Re-compile Apache with the following parameter: ./configure --enable-unique-id make ; make install cd Desktop/Tools/ tar xvzf modsecurity-apache_2.1.3.tar.gz

Page 10 of 17 cd modsecurity-apache_2.1.3 cd apache2 Edit the file named makefile by going to Applications Text Editor Open Desktop Tools modsecurity-apache_2.1.3 apache2. In the file: Delete top_dir = /apps/apache22 Add top_dir = /usr/local/apache2 (Notice the numbers are also changed from 22 and 2) Save and Exit. While remaining in the Desktop/Tools/ modsecurity-apache_2.1.3/apache2, compile with: make make install Edit the file httpd.conf by going to Applications Text Editor OpenFileSystem usr local apache2conf httpd.conf Search for LoadModule foo_module modules/mod_foo.so

If you go searchLoadModuleyoull come here: # Example: # LoadModule foo_module modules/mod_foo.so Just at the end of above portion: Add : LoadFile /usr/lib/libxml2.so LoadModule security2_module modules/mod_security2.so Include conf/modsecurity/*.conf Save and exit. Configuration Policies: cd\ cd /usr/local/apache2/conf/ mkdir modsecurity cd modsecurity cp /root/Desktop/Tools/modsecurity-core-rules_2.1-1.4.3.tar.gz if this doesnt work: Go to Applications FileBrowser root Desktop Tools and copy modsecurity-core-rules_2.11.4.3.tar.gz and for pasting go to root and then up, this takes you to / the filesystem. /usr/local/apache2/conf/modsecurity and paste here. tar xvzf modsecurity-core-rules_2.1-1.4.3.tar.gz

Page 11 of 17 rm -f modsecurity-core-rules_2.1-1.4.3.tar.gz Then start apache: /usr/local/apache2/bin/apachectl start For modsecurity logs: tail f /usr/local/apache2/logs/modsec_debug.log tail f /usr/local/apache2/logs/modsec_audit.log For apache logs: tail f /usr/local/apache2/logs/access_log tail f /usr/local/apache2/logs/error_log At this point you can edit the *.conf files to fit your machines usage and expected rule sets. /usr/local/apache2/conf/modsecurity ls:blocking CHANGELOG LICENSE modsecurity_crs_10_config.conf modsecurity_crs_20_protocol_violations.conf modsecurity_crs_21_protocol_anomalies.conf modsecurity_crs_30_http_policy.conf modsecurity_crs_35_bad_robots.conf modsecurity_crs_40_generic_attacks.conf modsecurity_crs_45_trojans.conf modsecurity_crs_50_outbound.conf modsecurity_crs_55_marketing.conf restart apache You now have Mod_Security installed, congratulations! Test that it works: Logs: /usr/local/apache2/logs - you will see mod_security logs Diagnostics: check the error_log to make sure there are no errors Now run Nikto, Whisker, Nessus, CgiChk

1.12 Snort
Before installing snort you need to install some extra tools: PCRE cd Desktop/Tools tar xvzf pcre-5.0.tar.gz cd pcre-5.0 ./configure ;make ;make install

Page 12 of 17 cd .. Then proceed to the snort installation tar xvzf snort-2.7.0.1.tar.gz cd snort-2.7.0.1 ./configure ;make ;make install Make a dir in the root: mkdir /etc/snort cd /etc/snort cp /root/Desktop/Tools/snort-2.7.0.1/etc/* . (end with a space and a full-stop) --OR Use the ApplicationsFile Browser Go to /root/Desktop/Tools/snort-2.7.0.1/etc, select everything and copy, then Go to /etc/snort and paste here. Edit the snort.conf file Use the ApplicationsText EditorOpen Go to Filesystem/etc/snort/snort.conf Search for HOME_NET Replace: # var HOME_NET 10.1.1.0/24 With: var HOME_NET 192.168.1.0/24 (Remember to remove the hash#) Replace: var RULE_PATH ../rules With: var RULE_PATH /etc/snort/rules(Remember to remove the hash#, if there is one.) Remove hash(#) from the following line: # output alert_syslog: LOG_AUTH LOG_ALERT # [Unix flavours should use this format...] # output alert_syslog: LOG_AUTH LOG_ALERT # output cd /etc/: tcpdump.log(this line is not just below, but after few lines) cd /var/log/ mkdir /var/log/snort touch /var/log/snort/alert cd /etc/snort cp /root/Desktop/Tools/snortrules-pr-2.4.tar.gz .(end with a space and a full-stop) tar xvzf snortrules-pr-2.4.tar.gz cd /root/Desktop/Tools/snort-2.7.0.1 snort -c /etc/snort/snort.conf

Page 13 of 17 Initializing rule chains... ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_ur i' as modifiers for the same "content" nor use 'rawbytes' with "uricontent". Fatal Error, Quitting.. Comment out the following lines(put a # in fron of each line): Line 97: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; Line 452: alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log #information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; #pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; #classtype:web-application-activity; sid:3545; rev:2;) Snort can be run in Sniffer mode by using : snort dvi eth0 To start Snort in NIDS mode using this configuration file, execute this command: snort -c /etc/snort/snort.conf -D -i eth0

1.13 Nessus
You need four sets of files: 1. nessus-libraries 2. libnasl 3. nessus-core 4. nessus-plugins The order of compilation is critical! They must be done in the order as above. Compile and Install nessus-libraries:-dvi cd Desktop/Tools tar xvzf nessus_libraries_2.1.3.tar.gz cd nessus-libraries/ ./configure ;make ;make install Add an extra line to ld.so.conf by using(it is lower-case L):

Page 14 of 17 Use the ApplicationsText EditorOpen Go to Filesystem/etc/ld.so.conf Add: /usr/local/lib save and exit. cd .. Compile and Install libnasl: tar xvzf libnasl_2.1.3.tar.gz cd libnasl/ ./configure ;make ;make install cd .. Compile and Install nessus-core: tar xvzf nessus_core_2.1.3.tar.gz cd nessus-core/ ./configure ;make ;make install cd .. Compile and Install nessus-plugins: tar xvzf nessus_plugins_2.1.3.tar.gz cd nessus-plugins/ ./configure ;make ;make install cd .. ldconfig(it is lower-case L,even if you did it somewhere before youll have to do it here.) nessus mkcert(Keep pushing Enter to accept all defaults) nessus-adduser Login : brijesh Authentication (pass/cert) [pass] : Login password : Login password (again) : Only enter the login and the Login password, for everything else push enter to accept defaults. CTRL+D when you finish, this will add the user. nessusd Open a new terminal window: ps -ef|grep nessusd(to check that nessusd is working) nessus (this will take you to the nessus client window) Enter the username and password you created in nessus. Accept the defaults,click yes(both windows). On the Target Selection Tab Enter the Target IP number Start the Scan

Page 15 of 17 The Nessus NG report will show all the ports. Whilst running Nessus you will need to check logs: tail -f /var/log/messages

1.14 Whisker
cd Desktop/Tools/ tar xvzf whisker1.4.0.tar.gz cd v1.4 ./whisker.pl -h 192.168.1.x (x = some other hosts ip)

1.15 CGIChk
cd Desktop/Tools/ tar xvzf cgichk_2.60.tar.gz cd cgichk/ make ./cgichk 192.168.1.x(own ip number)

Ntop

Network Monitoring ntop is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts

Page 16 of 17 as a web server, creating a HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, a HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics. Network Administration Webmin is a web-based system configuration tool for OpenSolaris, Linux and other Unix-like systems, although recent versions can also be installed and run on Windows [1]. With it you can configure many operating system internals, such as users, disk quotas, services, configuration files etc., as well as modify and control many open source apps, such as the Apache HTTP Server, PHP, MySQL etc. Log check Nikto Web Scanner is a Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received. Functions at Layer 7 Firewall Password cracker Sniffer Port Scanner Web server Scans all open TCP, UDP ports, when used with proper options

Webmin

Logchk Nikto

Firestarter John Ettercap Nessus Apache Webserver Nmap Whisker Snort Portsentry

NIDS : Network Intrusion Detection System. Intrusion Detection(Attack detection and prevention Tool) Functions at Layer 1,2 This tool monitors the TCP and UDP ports on a system and, depending on how the system is configured, will respond appropriately to an identified scan.

Page 17 of 17 Wireshark Modsecurity Packet Sniffer Need apache. If already running stop apache, install modsecurity and then recompile apache using ./configure enable unique id(need to check the syntax of this command)