Pitt IS 2150 - Computer Forensics

Graduate Program in Information Science and Telecommunications and Networking
School of Information Sciences
University of Pittsburgh

TEL2821/IS2150: INTRODUCTION TO SECURITY
Lab: Computer Forensics
Version 1.0, Last Edited 10/28/2005

Group Members:
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Date of Experiment: ______________________________________________________

Part I: Objective

The objective of this laboratory exercise is twofold:
1. Introduce you to some of the tools and techniques used for forensic analysis.
2. Demonstrate some of the mechanisms used by malicious attackers as well as forensic experts to disrupt computer networks and manipulate information access.

This lab session will cover data storage and access, bypassing filtered [blocked] ports, reviewing Internet activity, and the use of steganography. Open-source forensic tools will be introduced and demonstrated for each exercise. The lab has been set up for all of the exercises and the required executables are accessible through linked shortcuts on the desktop of the administrator (no password needed to log on). The desktop contains shortcuts for:
• Data storage
• Steganography
• Port redirection
• IE Cache

If you would like to do the exercise on your own computer, the installation instructions are given in the Appendix. If you need further assistance, contact the GSA S. R. Joshi.

Part II: Equipment/Software

Most of the tools used for this lab exercise are freely available for non-commercial testing purposes as open-source software, freeware or shareware.

Hidden Files:
• Hex Workshop v4.23 hex editor (Shareware download from www.hexworkshop.com)
• MD5Hash (Freeware download from www.digital-detective.co.uk/freetools/md5.asp)
• Text editor (Notepad is good enough)

Port Redirection:
• Quick 'n Easy FTP Server (Freeware download from http://www.pablovandermeer.nl)
• FPIPE (Freeware download from http://www.foundstone.com)
• FPORT (Freeware download from www.digital-detective.co.uk/freetools/md5.asp)

IE Activity analysis:
• Pasco (Freeware download from http://www.foundstone.com)
• Galleta (Freeware download from http://www.foundstone.com)
• Internet Explorer cache file (index.dat)
• Internet Explorer cookie files

Steganography:
• JPHS (Jpeg Hide and Seek) v0.5 (Freeware download from www.stegoarchive.com)
• Text editor (e.g. Notepad)
• Image file in JPEG format

Part III: Exercises

You can do the following exercises either in the laboratory on the Windows 2000 Professional machines, or re-create the exercise environment in any other Windows 2000 environment of your choice. Instructions are provided in Part IV: Appendix.

Exercise 1: Port Redirection

Objective
The purpose of this lab is to demonstrate how an attacker could exploit a machine and obtain access to a server with a filtered port by piping traffic through another, unfiltered port. Because of sophisticated Trojans, it can be hard for a virus detection program to detect the problem. Because of that, a port scanner/listener must be used to determine if, and which, ports are actively carrying traffic.

Scenario
Imagine that an IT department has an FTP server on an IBM server that they use to share source code with other departments within the organization in various locations throughout the US on the same LAN/WAN. By default, the information security department blocks certain known ports from being exposed to the Internet through a firewall. Some of these ports include the well-known 21, 23, 80, 8080, etc.

[Figure: Attacker -> Port 30 -> FPIPE (port 30 piped to port 21) -> FTP Server (Port 21); Port 21 is blocked at the Firewall]

A user logs onto this IBM server with Windows 2000 through Windows Remote Desktop Connection and accidentally downloads a Trojan that is meant to get access to an FTP server. However, if port 21 is blocked by the firewall, how could the attacker connect to the FTP server? There is a very simple technique known as port redirection. Port redirection is a sophisticated way of bypassing port filtering, firewalls, and IPSEC.

Steps
i. Log in to a Windows machine in the lab.
  • Username: Administrator
  • Password: (no password)
ii. Get the FTP server running.
  • Double-click the link “Start FTP Server” to open the FTP Server configuration tool.
  • Click the START button on the top left of the FTP Server configuration panel.
iii. Confirm that the FTP server is running on port 21.
  • Double-click the link “View Ports” to run a Windows terminal showing the various ports being used.
  • Which port is the FTP Server running on? (………………..)
  • Do not close the terminal. This terminal will be referred to later as the “FPORT terminal.”
iv. Redirect the network traffic on port 21 to port 30 (or any arbitrary port number).
  • Double-click on the link “Redirect FTP port to 30” to open a Windows terminal.
  • Enter command: ipconfig
  • What is the IP address of the computer? (……………………….)
  • Enter command: fpipe -l 30 -s 30 -r 21 -v <ip-address>
  • Do not close the terminal. This terminal will be referred to later as the “FPIPE terminal.”
  • Check the FPORT terminal by entering command: fport
  • What port is the executable “fpipe” running on? (………………………..)
v. Start an FTP client session and connect to the server (assume that port 21 is blocked).
  • Click on Start in the Windows machine and then Run. Type cmd and press the Enter key. Now you have a new Windows terminal.
  • At the prompt enter command: ftp
  • If you are connected, check the FPIPE terminal. What is the response? (…………………………………………………………………….)
  • Enter command: open
  • At the “to” prompt, type: <ip-address> 30
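As an added example (not part of the lab handout), the check behind step iv done programmatically: a Python parser for fport-style output, run over a constructed listing for this scenario, that flags any listener not in an expected baseline, so a relay such as fpipe on an arbitrary port stands out even though port 21 itself looks normal. The fport column layout, the baseline and the sample rows are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of fport-style output for the lab scenario (not a real
# capture): the FTP server on 21 plus an fpipe relay listening on 30.
# The "Pid Process -> Port Proto Path" column layout is assumed.
SAMPLE_FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1204  ftpserver      ->  21    TCP   C:\\Lab\\ftpserver.exe
1388  fpipe          ->  30    TCP   C:\\Lab\\fpipe.exe
8     System         ->  445   TCP
"""


@dataclass(frozen=True)
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str


# One data row: pid, process name, "->", port, protocol, optional path.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    """Parse fport-style rows into Listener records, skipping banner/header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append(Listener(int(pid), proc, int(port), proto, path.strip()))
    return rows


# Assumed baseline of (process name, port) pairs an admin expects on this host.
EXPECTED = {("svchost", 135), ("System", 139), ("System", 445), ("ftpserver", 21)}


def unexpected_listeners(listeners, expected=EXPECTED):
    """Return listeners absent from the baseline; port 21 is fine, port 30 is not."""
    return [l for l in listeners if (l.process, l.port) not in expected]
```

The same baseline comparison, run against a fresh fport listing after the lab, is what shows the fpipe entry the handout asks you to record.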

