CIS 534 - Advanced Network Security Design


Table of Contents

Toolwire Lab 1: Analyzing IP Protocols with Wireshark ... 6
  Introduction ... 6
  Learning Objectives ... 6
  Tools and Software ... 7
  Deliverables ... 7
  Evaluation Criteria and Rubrics ... 7
  Hands-On Steps ... 8
    Part 1: Exploring Wireshark ... 8
    Part 2: Analyzing Wireshark Capture Information ... 12
Lab #1 - Assessment Worksheet ... 19
  Analyzing IP Protocols with Wireshark ... 19
  Overview ... 20
  Lab Assessment Questions & Answers ... 20
Toolwire Lab 2: Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic ... 22
  Introduction ... 22
  Learning Objectives ... 23
  Tools and Software ... 23
  Deliverables ... 23
  Evaluation Criteria and Rubrics ... 23
  Hands-On Steps ... 24
    Part 1: Analyzing Wireless Traffic with Wireshark ... 24
    Part 2: NetWitness Investigator ... 31
Lab #2 - Assessment Worksheet ... 34
  Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic ... 34
  Overview ... 34
  Lab Assessment Questions & Answers ... 35
Toolwire Lab 3: Configuring a pfSense Firewall on the Client ... 36
  Introduction ... 36
  Learning Objectives ... 37
  Tools and Software ... 37
  Deliverables ... 37
  Evaluation Criteria and Rubrics ... 37
  Hands-On Steps ... 38
    Part 1: Planning the Configuration ... 38
    Part 2: Configuring the Firewall ... 46
Lab #3 - Assessment Worksheet ... 48
  Configuring a pfSense Firewall on the Client ... 48
  Overview ... 48
  Lab Assessment Questions ... 49
Toolwire Lab 4: Configuring a pfSense Firewall on the Server ... 50
  Introduction ... 50
  Learning Objectives ... 51
  Tools and Software ... 51
  Deliverables ... 51
  Evaluation Criteria and Rubrics ... 51
  Hands-On Steps ... 52
    Part 1: Planning the Configuration ... 52
    Part 2: Configuring the Firewall ... 59
Lab #4 - Assessment Worksheet ... 63
  Configuring a pfSense Firewall on the Server ... 63
  Overview ... 63
  Lab Assessment Questions & Answers ... 63
Toolwire Lab 5: Penetration Testing a pfSense Firewall ... 65
  Introduction ... 65
  Learning Objectives ... 66
  Tools and Software ... 66
  Deliverables ... 66
  Evaluation Criteria and Rubrics ... 66
  Hands-On Steps ... 67
    Part 1: Configuring a pfSense Server Firewall ... 67
    Part 2: Penetration Testing ... 68
Lab #5 - Assessment Worksheet ... 72
  Penetration Testing a pfSense Firewall ... 72
  Overview ... 72
  Lab Assessment Questions & Answers ... 72
Toolwire Lab 6: Using Social Engineering Techniques to Plan an Attack ... 74
  Introduction ... 74
  Learning Objectives ... 75
  Tools and Software ... 75
  Deliverables ... 75
  Evaluation Criteria and Rubrics ... 76
  Hands-On Steps ... 76
    Part 1: Targeted Social Engineering Attack ... 76
    Part 2: Targeted Reverse Social Engineering Attack ... 82
Lab #6 - Assessment Worksheet ... 84
  Using Social Engineering Techniques to Plan an Attack ... 84
  Overview ... 84
  Lab Assessment Questions ... 84
Toolwire Lab 7: Configuring a Virtual Private Network Server ... 87
  Introduction ... 87
  Learning Objectives ... 88
  Tools and Software ... 88
  Deliverables ... 88
  Evaluation Criteria and Rubrics ... 89
  Hands-On Steps ... 89
    Part 1: Configuring the VPN: Server Side ... 89
Lab #7 - Assessment Worksheet ... 98
  Configuring a Virtual Private Network Server ... 98
  Overview ... 98
  Lab Assessment Questions & Answers ... 98
  Host-to-Host Configuration Worksheet ... 99
  IPsec.conf file ... 99
Toolwire Lab 8: Configuring a VPN Client for Secure File Transfers ... 100
  Introduction ... 100
  Learning Objectives ... 101
  Tools and Software ... 101
  Deliverables ... 101
  Evaluation Criteria and Rubrics ... 102
  Hands-On Steps ... 102
    Part 1: Configuring a Windows VPN Client to work with a Linux VPN Server ... 102
    Part 2: Comparing Secure and Non-secure File Transfers in Wireshark ... 107
Lab #8 - Assessment Worksheet ... 116
  Configuring a VPN Client for Secure File Transfers ... 116
  Overview ... 117
  Lab Assessment Questions & Answers ... 117
Toolwire Lab 9: Attacking a Virtual Private Network ... 118
  Introduction ... 118
  Learning Objectives ... 119
  Tools and Software ... 119
  Deliverables ... 119
  Evaluation Criteria and Rubrics ... 120
  Hands-On Steps ... 120
    Part 1: Social Engineering / Reverse Social Engineering Attack ... 120
    Part 2: Creating Spam Emails ... 126
Lab #9 - Assessment Worksheet ... 129
  Attacking a Virtual Private Network ... 129
  Overview ... 129
  Lab Assessment Questions & Answers ... 129
Toolwire Lab 10: Investigating and Responding to Security Incidents ... 131
  Introduction ... 131
  Learning Objectives ... 132
  Tools and Software ... 132
  Deliverables ... 132
  Evaluation Criteria and Rubrics ... 133
  Hands-On Steps ... 133
    Part 1: Gather System Performance Information ... 133
    Part 2: Scan a Windows 2008 Server for Vulnerabilities ... 136
Lab #10 - Assessment Worksheet ... 138
  Investigating and Responding to Security Incidents ... 138
  Overview ... 138
  Lab Assessment Questions & Answers ... 138

Toolwire Lab 1: Analyzing IP Protocols with Wireshark
Introduction
Click the link below to view the network topology for this lab:
Topology
Wireshark is probably the most widely used packet capture and analysis software in the world. It is available free of charge, and while it lacks some of the more sophisticated diagnostic tools of similar commercial products, using Wireshark saves many organizations thousands of dollars and thousands of hours. Wireshark also captures network packet traffic and can save frame detail in multiple formats that make the captures usable by the more sophisticated, more expensive software tools.
This lab has three parts which you should complete in order.
1. In the first part of the lab, you will either learn the basics of Wireshark, if you have not already used it, or you will improve and fine-tune your Wireshark skills. In either case, you will learn about probe placement, clocking/timing issues, Wireshark traffic capture and the use of filters.
2. In the second part of the lab, you will utilize a capture file to answer basic questions
about key IP protocols and the basic configuration of the IP hosts from which traffic is
captured.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your
own in the third part of the lab to answer a set of challenge questions that allow you to
use the skills you learned in the lab to conduct independent, unguided work, similar to
what you will encounter in a real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:

Use basic features of the Wireshark packet capture and analysis software
Apply appropriate filters to view only the traffic subset of interest
Be able to reliably and consistently place probes to capture packet traffic
Determine if timing and clocking is synchronized for better reliability and repeatability
Guarantee that all traffic is being captured and that the interface rate and capture rate are compatible
Capture and analyze basic Internet Protocol transactions and determine basic configuration information about the IP hosts from which traffic is captured

Tools and Software
The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

Wireshark

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Assessments file;
2. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Use basic features of the Wireshark packet capture and analysis software. - [10%]
2. Apply appropriate filters to view only the traffic subset of interest. - [20%]
3. Be able to reliably and consistently place probes to capture packet traffic. - [20%]
4. Determine if timing and clocking is synchronized for better reliability and repeatability. - [20%]
5. Guarantee that all traffic is being captured and that the interface rate and capture rate are compatible. - [20%]
6. Capture and analyze basic Internet Protocol transactions and determine basic configuration information about the IP hosts from which traffic is captured. - [10%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written.
Frequently performed tasks are explained in the Common Lab Tasks document on the
vWorkstation desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to
open the file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local
computer and print a copy for your reference. Instructions for transferring the
file can be found in the file itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find
answers to these questions as you proceed through the lab steps.

Part 1: Exploring Wireshark


Note: Wireshark is already loaded on the vWorkstation, as indicated by the Wireshark
shortcut on the desktop. Wireshark can be downloaded, free of charge, from
http://www.wireshark.org if you would like to have your own personal copy, though
doing so is not a requirement for this lab.
1. Double-click the Wireshark icon on the desktop to start the Wireshark
application.
Figure 2 Wireshark splash screen
The main screen of Wireshark includes several shortcuts to make your job
easier. There are four categories of shortcuts.
Wireshark Screen Sections
Capture: This section displays a list of the network interfaces, or machines, that Wireshark has identified, and from which packets can be captured and analyzed.
Files: This section displays the most recent list of files that you were analyzing in Wireshark. The default status for this section is blank because no files have been opened yet.
Online: This section displays shortcuts to the Wireshark website.
Capture Help: This section displays shortcuts to the Wireshark website for help in using the tool.

2. Click Interface List to bring up a list of active interfaces.


Figure 3 Wireshark Capture Interfaces
Notice that only one interface, the student workstation, is available for
capturing packets in the virtual lab. This Capture Interface is a virtual interface
described as Citrix with an IP address of 172.30.0.2.
Note: If you were running Wireshark on your local computer, it is possible that you would see many interfaces. It is also possible that some interfaces you were expecting to see may not appear on the list at all. If you know that a logical or physical interface exists but it does not show up on the list, check the installation of WinPcap and troubleshoot accordingly. Very often it is necessary to reinstall or update the Network Interface Card (NIC) drivers.
3. Click the checkbox to the left of the Student device to select it, and click
Details to display additional information about the interface.
The Interface Details dialog box displays a great deal of information about the
interface that may be useful in troubleshooting and resolving packet capture
problems, for instance if you are not capturing all of the packets you may be
exceeding the transmit and/or receive buffers. Take a moment to review the
information in this dialog box before proceeding with the lab.
Figure 4 Wireshark Capture Interface Details
4. Click Close to close the Interface Details dialog box.
5. With the Student checkbox still checked, click Start to open Wireshark and begin capturing data packets affecting the Student's virtual workstation.
Note: Because Wireshark is capturing traffic live, your default content will be different from the screen captures in this part of the lab. However, in Part 2, you will load a static file and your results should match the examples almost exactly. Not all of these steps are needed for every packet analysis, but they are a good way of familiarizing yourself with the various capabilities of Wireshark.
6. Maximize the Wireshark window.
The Wireshark window opens with the detailed information about the first
packet captured, Frame 1, displayed in the middle pane. Use your mouse to
drag the borders of any pane up or down to change its size.
The top pane of the Wireshark window contains all of the packets that Wireshark has captured, in time order, and provides a summary of the contents of each packet in a format close to English. Keep in mind that the content will be different depending upon where you capture packets in the network. Also remember that source and destination are relative to where a packet is captured. This area of the Wireshark window will be referred to as the frame summary.
The middle pane of the Wireshark window is used to display the packet structure and the contents of fields within the packet. This area of the Wireshark window will be referred to as the frame detail.
The bottom pane of the Wireshark window displays the byte data. All of the information in the packet is displayed in hexadecimal on the left and as printable characters, when possible, on the right. This can be a very useful feature, especially if the passwords you are looking for are unencrypted. This area of the Wireshark window will be referred to as the byte data.

Figure 5 Wireshark application window


How Does Wireshark Work?
Wireshark can be used in a variety of ways. The following figures illustrate the
Wireshark Capture Environment. In the simplest terms, Wireshark is used to capture all
packets to and from the IP Host on the left (a computer workstation) and the IP Host on
the right (a server).
Figure 6 Wireshark capture environment
The most common configuration for Wireshark, and the configuration that we are
running in this lab, has the software running on a local host.
Figure 7 Wireshark running on local host

In the next figure, Wireshark is running on the Local Area Network of the IP Host.
Wireshark can also run within the network.
Figure 8 Wireshark capturing packets from a probe or hub
In the final figure, Wireshark is running in a peer-to-peer configuration, as opposed to a
client-server configuration, with Wireshark running on the right IP Host.
Figure 9 Wireshark capturing packets in a peer-to-peer configuration
Where packets are captured and how they are captured has a big impact on how the packets are analyzed. By running the Wireshark software on the same computer that is generating the packets, the capture is specific to that machine, but Wireshark may impact the operation of the machine itself and its applications. On the other hand, using a network probe or hub device, or the capture port of a LAN switch (frequently called a SPAN (Switched Port Analyzer) port), can provide more accurate timing information but requires the use of filters to identify traffic between the proper endpoints.

7. Click Capture on the Wireshark menu and Stop to stop the packet capture.
Packet Capture must be stopped before packets can be analyzed. You may wish
to look through the packets that have been captured live during this session
before continuing to see the variety of data captured by Wireshark.
8. Drag the frame borders of the frame detail pane to expand it.
Notice that Wireshark displays the content in the frame detail pane in reverse order of the Open Systems Interconnection (OSI) Reference Model. In Wireshark, the physical layer appears at the top of the list and the application layer appears at the bottom of the list.
Note: Remember, because Wireshark is capturing traffic live, your default
content will be different from the screen captures in this part of the lab. Explore
your Wireshark traffic to see how it compares.
Figure 10 Frame detail pane
9. Click the plus sign at the beginning of the frame number line to expand the
fields. Notice the number of fields related to time.
Figure 11 Expanded frame detail
Note: There are two very important considerations relative to how Wireshark handles time. Very often certain events are reported relative to clock time. It is important to consider the fact that clock time may or may not be the same as the system time of the device or devices used to run Wireshark and capture packets. The timestamp used by Wireshark is the current system time on the machine upon which Wireshark is running. Attempting to synchronize Wireshark captures made on two different machines requires consideration of time differences, including time zone. The potential problems can be alleviated somewhat by using Network Time Protocol (NTP) on both machines, but there are still myriad issues, such as which clocks were used for synchronization; even if the same clock is used, there is propagation delay for the timing packets, which could introduce discrepancies that, though small, matter a lot, especially when capturing packets from high-speed interfaces. In order to overcome time zone mismatches, a common best practice is to use the UTC (Coordinated Universal Time) time zone.

Part 2: Analyzing Wireshark Capture Information
Note: In this part of the lab, you will load a file of traffic that has been previously
captured by Wireshark so that all of the packets reviewed within the lab are the same
for every student and match the instructions. Throughout this part of the lab, you
should spend a few moments looking at the data captured by Wireshark and
familiarize yourself with the Wireshark format and the English language descriptions
Wireshark uses to explain frame details. You may need this information to answer the
questions at the end of the lab.

1. Select File > Open from the Wireshark menu to open the lab's capture file.
A pop-up alert will remind you to consider saving your data. Opening any new
capture file will overwrite the packets already in the Wireshark window unless
those packets are explicitly saved.
Figure 12 Wireshark save warning
2. At the prompt, click Continue without Saving for this part of the lab.
3. In the Open Capture File dialog box, navigate to the Desktop, select the
PacketCapture file, and click Open.

The PacketCapture.pcapng capture file will open in the Wireshark application window. The first column in Wireshark is the packet frame number. These numbers appear sequentially, and there are 765 frames in the PacketCapture.pcapng file.
Figure 13 PacketCapture.pcapng displayed in Wireshark
4. Click frame 546. Use the scrollbar in the frame summary pane to find the
appropriate frame number.
5. In the frame detail pane, click the plus sign at the beginning of the Frame 546
line to expand the fields. If necessary, drag the frame borders of the frame
detail pane to expand it.
6. Look at the frame header for frame 546. The number of bytes captured (175)
was the same number as bytes on the wire (175).
A difference between bytes on the wire and bytes captured can indicate that not
everything is being captured or that partial or malformed packets may be
captured which could lead to incorrect analysis. If there are regularly more
bytes on the wire than captured it is possible that the computer on which
Wireshark is running is not able to keep up with the interface.
Figure 14 Wireshark frame header information
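To see where the two numbers in step 6 come from, here is an added Python example (not from the lab or from Wireshark) that writes a minimal legacy pcap file in memory, then reads each record header back and compares the captured length with the length on the wire. The legacy pcap format is used for simplicity; the lab's .pcapng file stores the same two lengths for every packet. The frame payloads and the snap length of 64 bytes are constructed.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian, microsecond-resolution pcap


def append_record(blob, ts_sec, ts_usec, data, orig_len):
    """Append one record header plus data with an explicit wire length."""
    return blob + struct.pack("<IIII", ts_sec, ts_usec, len(data), orig_len) + data


def build_pcap(frames, snaplen=64):
    """Constructed legacy pcap file in memory.

    frames: list of (ts_sec, ts_usec, frame_bytes).  Any frame longer than
    snaplen is cut at snaplen, exactly as a capture with that snaplen would be,
    so its captured length (incl_len) drops below its wire length (orig_len).
    """
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts_sec, ts_usec, frame in frames:
        out = append_record(out, ts_sec, ts_usec, frame[:snaplen], len(frame))
    return out


def iter_records(blob):
    """Yield (ts_sec, ts_usec, incl_len, orig_len, data) per packet record."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file")
    off = 24  # the global header is 24 bytes
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("file ends inside a record: truncated capture file")
        off += incl_len
        yield ts_sec, ts_usec, incl_len, orig_len, data


def audit_lengths(blob):
    """List records whose bytes on the wire differ from the bytes captured.

    captured == snaplen < wire  -> cut by the snap length; upper-layer
                                   analysis of that frame will be incomplete
    captured > wire             -> malformed record; do not trust the frame
    anything else               -> inconsistent lengths (edited or damaged file)
    """
    snaplen, = struct.unpack_from("<I", blob, 16)
    findings = []
    for frame_no, (_, _, incl_len, orig_len, _) in enumerate(iter_records(blob), start=1):
        if incl_len == orig_len:
            continue
        if incl_len == snaplen and orig_len > snaplen:
            cause = "truncated by snaplen"
        elif incl_len > orig_len:
            cause = "malformed record (captured more than was on the wire)"
        else:
            cause = "inconsistent lengths (edited or damaged file)"
        findings.append({"frame": frame_no, "captured": incl_len, "wire": orig_len, "cause": cause})
    return findings
```

Frame numbers start at 1, as in the Wireshark frame summary pane.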
7. Click the minus sign at the beginning of the frame 546 line to close the
Physical Layer detail.
8. Click the plus sign at the beginning of the Ethernet II line to expand the
Ethernet II detail.
Wireshark takes a lot of the work out of analyzing packets and presents a wide range of information. In this detail layer, Wireshark has determined the following:
- The frame type is Ethernet II
- The source is Intel Core hardware
- The destination is IPv4 multicast
- The type of traffic carried in the next layer is Internet Protocol (IP)
Note: The MAC address for the source device is 00:22:fa:1c:eb:e6. To the left of the full MAC address Wireshark shows IntelCor_1c:eb:e6. It means that Wireshark has interpreted 00:22:fa as the IEEE-assigned manufacturer's unique ID. This information is almost always correct but can be manipulated. The first 6 hexadecimal characters of the MAC address are called the OUI (Organizationally Unique Identifier) and denote the company that manufactured the device's network card. The company associated with each unique OUI can be found online at http://standards.ieee.org/develop/regauth/oui/public.html.
Figure 15 Ethernet II frame detail
1. Record the complete hexadecimal representation for the source and destination
Media Access Control (MAC) addresses. You may choose to make a screen
capture of the data and paste it into a new word processing document for later
reference.
2. Record the code assigned by the IEEE to Intel for use in identifying Intel Core
network interfaces. You may choose to make a screen capture of the data and
paste it into your document for later reference.
3. Record the MAC address used for IPv4 multicast. You may choose to make a
screen capture of the data and paste it into your document for later reference.
4. Click the minus sign at the beginning of the Ethernet II line to close the Data
Link Layer detail.
5. Click the plus sign at the beginning of the Internet Protocol line to expand the
Internet Protocol detail.
Figure 16 Internet Protocol frame detail
6. Record the version of the Internet Protocol that is being used. You may choose to
make a screen capture of the data and paste it into your document for later
reference.
A variety of packets can exist on any given network. The IP version will
determine how the rest of the packet is interpreted. Almost all modern
networks, except for academic and research networks, use IP version 4 or IP
version 6. A different number can be faked by malicious software or might
mean that a packet has been corrupted. As IPv6 gains in popularity it is
increasingly likely that IPv4 and IPv6 will be encountered on the same
network. Both IPv4 and IPv6 will use the same lower layer protocols, such as
Ethernet, but may have their own specialized version of higher layer protocols.
7. Record the source IP address number. The source IP address is the IP address
of the local IP host (workstation) from which Wireshark is capturing packets.
You may choose to make a screen capture of the data and paste it into your
document for later reference.
8. Click the minus sign at the beginning of the Internet Protocol line to close the
Internet Protocol detail.

9. Click the plus sign at the beginning of the User Datagram Protocol line to
expand the Transport Layer detail.
The information in the User Datagram Protocol confirms that the source port in
this capture file is an ephemeral, or temporary, port on the source computer.
We know this because of its numeric range. The port on the destination
computer, however, is in the range of assigned port numbers. Port number 1900
is assigned to SSDP, the Simple Service Discovery Protocol, and indicates that
SSDP is being queried for the existence of services on the network.
Note: The Internet Assigned Numbers Authority (IANA) maintains the official list of service names and port numbers for TCP, UDP, and the other Transport Layer protocols, covering services such as SSDP. See the complete list at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
Figure 17 User Datagram Protocol frame detail
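The Ethernet II, Internet Protocol and User Datagram Protocol details walked through above can be decoded by hand from the raw bytes. The following Python is an added example, not part of the lab or of Wireshark: it constructs an Ethernet II / IPv4 / UDP frame, decodes the same fields Wireshark shows (OUI lookup, multicast and locally-administered bits, the IP version nibble checked against the EtherType, ephemeral versus assigned port ranges), and also shows the RFC 1112 rule that maps an IPv4 multicast group to its Ethernet address. The source MAC 00:22:fa:1c:eb:e6 and the local host 192.168.1.64 are taken from the lab text; 239.255.255.250 is the well-known SSDP group address, not a value read from the lab file; the tiny OUI and port tables and all other bytes are constructed.

```python
import struct
import ipaddress

# Stand-in for Wireshark's manuf (OUI) table: only the entry this example needs.
# 00:22:fa -> IntelCor is the mapping shown in the lab text.
OUI_TABLE = {"00:22:fa": "IntelCor"}

# A few IANA port assignments; 1900/udp is SSDP, as the lab states.
PORT_NAMES = {53: "dns", 1900: "ssdp"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def describe_mac(raw):
    """Decode a 6-byte MAC the way Wireshark's Ethernet II detail does."""
    mac = mac_str(raw)
    oui = mac[:8]
    return {
        "mac": mac,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui),                 # None when the OUI is unknown
        "multicast": bool(raw[0] & 0x01),             # I/G bit set: group address
        "locally_administered": bool(raw[0] & 0x02),  # U/L bit set: not IEEE-assigned
        # RFC 1112: IPv4 multicast MACs are 01:00:5e:0x:xx:xx (top bit of byte 3 clear)
        "ipv4_multicast": raw[:3] == b"\x01\x00\x5e" and raw[3] < 0x80,
    }


def ipv4_multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet address (RFC 1112):
    the low 23 bits of the group address go under the 01:00:5e prefix."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return mac_str(b"\x01\x00\x5e" + (int(addr) & 0x7FFFFF).to_bytes(3, "big"))


def port_class(port):
    """IANA ranges: 0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral/dynamic"


def decode_frame(frame):
    """Decode Ethernet II -> IPv4/IPv6 -> UDP, mirroring the detail pane."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    result = {"src": describe_mac(src), "dst": describe_mac(dst), "ethertype": ethertype}
    payload = frame[14:]
    version = payload[0] >> 4
    result["ip_version"] = version
    if ethertype == 0x0800 and version == 4:
        ihl = (payload[0] & 0x0F) * 4
        proto = payload[9]
        result["ip_src"] = str(ipaddress.IPv4Address(payload[12:16]))
        result["ip_dst"] = str(ipaddress.IPv4Address(payload[16:20]))
        l4 = payload[ihl:]
    elif ethertype == 0x86DD and version == 6:
        proto = payload[6]
        result["ip_src"] = str(ipaddress.IPv6Address(payload[8:24]))
        result["ip_dst"] = str(ipaddress.IPv6Address(payload[24:40]))
        l4 = payload[40:]
    else:
        # EtherType and version nibble disagree, or the version is neither 4
        # nor 6: a corrupted packet or a deliberately bogus header.
        result["error"] = "ethertype/version mismatch"
        return result
    if proto == 17:  # UDP
        sport, dport, _, _ = struct.unpack_from("!HHHH", l4, 0)
        result["udp"] = {"sport": sport, "sport_class": port_class(sport),
                         "dport": dport, "dport_class": port_class(dport),
                         "service": PORT_NAMES.get(dport)}
    return result


def build_sample_frame():
    """Constructed Ethernet II / IPv4 / UDP frame: the lab's source MAC sending
    an SSDP search to the SSDP multicast group (all other bytes are made up)."""
    payload = b"M-SEARCH * HTTP/1.1\r\n"
    udp = struct.pack("!HHHH", 53812, 1900, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 1, 17, 0,
                     ipaddress.IPv4Address("192.168.1.64").packed,
                     ipaddress.IPv4Address("239.255.255.250").packed)
    eth = bytes.fromhex("01005e7ffffa") + bytes.fromhex("0022fa1cebe6") + b"\x08\x00"
    return eth + ip + udp
```

The version check is the defensive detail from the note above: when the EtherType says IPv4 but the version nibble says something else, the decoder stops rather than guessing, which is the right reaction to a corrupted or forged header.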
10. Click the minus sign at the beginning of the User Datagram Protocol line to
close the Transport Layer detail.
11. Click the plus sign at the beginning of the Hypertext Transfer Protocol line to expand the Application Layer detail.
Figure 18 Hypertext Transfer Protocol frame detail
12. Click the minus sign at the beginning of the Hypertext Transfer Protocol line
to close the Application Layer detail.
Note: In the next steps, you will explore the content of the related frame, number 545. This too is a UDP SSDP request. While frame 546 used IPv4, frame 545 uses IPv6, but both carry a similarly formatted SSDP request.
13. Click frame 545. Use the scrollbar in the frame summary pane to find the
appropriate frame number.
14. In the frame detail pane, click the plus sign at the beginning of the Frame 545
line to expand the fields. If necessary, drag the frame borders of the frame
detail pane to expand it.
Figure 19 Frame detail for frame 545

15. Repeat steps 9-20 to explore the content of this packet and note any
differences between the two frames as this information may be needed to
complete the lab deliverables.
Note: In the next steps, you will see how applying filters can make analyzing your data much easier. Filters are one of the most powerful tools in Wireshark. They allow a very complex set of criteria to be applied to the captured packets, and only the result is displayed. The rest of the packets are still there; they are just not included in a filtered analysis but can be restored very easily. It is also possible to save a filtered view of the packets without the additional packets. Filter expressions may either be built with the Filter Edit dialog window or be typed directly into the Filter field. For the lab we will start by focusing just on any packets in the file relating to a visit to Google.com. The IP address for Google is 74.125.227.112, an IP version 4 address.
16. Click the Expression button next to the Filter text box below the Wireshark
menu to open the Filter Expression dialog box.
Figure 20 The Expression button
17. In the Filter Expression dialog box, use the scrollbars in the Field name box to
locate IPv4 - Internet Protocol Version 4.
18. Click the plus sign at the beginning of the IPv4 - Internet Protocol Version 4
option to reveal the many different fields within IPv4 that can be used in a
filter expression.
19. Click ip.addr to select it.
Figure 21 Starting a filter expression
20. In the Relation box, click == (the double equal sign) to select the equivalent of
equals.
21. In the Value box, type 74.125.227.112 (the IP address for Google.com).
Figure 22 Building a filter expression
22. Click OK to complete the filter and close the Filter Expression dialog box.
Notice that the filter expression that you built now appears in the Filter field
below the Wireshark menu, but there is no change to your data view.
Figure 23 Wireshark filter expression

23. Click the Apply button. Notice the change in the frame number column. All of
the packets visible in the frame summary pane now apply only to Google. All
of the other packets still exist, they are just not displayed.
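To make the filter semantics concrete, here is an added Python example (not from the lab or from Wireshark) that evaluates a small subset of Wireshark's display-filter syntax over a handful of constructed packets: bare protocol names, field comparisons, `!`, `&&`, `||` and parentheses. The packet records, frame numbers and port numbers are constructed; the Google.com address 74.125.227.112 and the hosts 192.168.1.64 and 192.168.1.254 are the ones named in the lab.

```python
import re

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||==|!=|>=|<=|>|<|!|[^\s()=<>!&|]+")

# Constructed packets modelled on the fields Wireshark exposes; a real tool
# would fill these from a parsed capture.
PACKETS = [
    {"frame": 115, "protocols": {"eth", "ip", "udp", "dns"},
     "ip.src": "192.168.1.64", "ip.dst": "192.168.1.254", "udp.srcport": 51000, "udp.dstport": 53},
    {"frame": 116, "protocols": {"eth", "ip", "udp", "dns"},
     "ip.src": "192.168.1.254", "ip.dst": "192.168.1.64", "udp.srcport": 53, "udp.dstport": 51000},
    {"frame": 300, "protocols": {"eth", "ip", "tcp"},
     "ip.src": "192.168.1.64", "ip.dst": "74.125.227.112", "tcp.srcport": 49215, "tcp.dstport": 80},
    {"frame": 301, "protocols": {"eth", "ip", "tcp"},
     "ip.src": "74.125.227.112", "ip.dst": "192.168.1.64", "tcp.srcport": 80, "tcp.dstport": 49215},
    {"frame": 546, "protocols": {"eth", "ip", "udp", "ssdp"},
     "ip.src": "192.168.1.64", "ip.dst": "239.255.255.250", "udp.srcport": 53812, "udp.dstport": 1900},
]

# Composite fields: ip.addr matches either address, udp.port either port.
COMPOSITE = {"ip.addr": ("ip.src", "ip.dst"), "udp.port": ("udp.srcport", "udp.dstport"),
             "tcp.port": ("tcp.srcport", "tcp.dstport")}


def field_values(pkt, name):
    return [pkt[n] for n in COMPOSITE.get(name, (name,)) if n in pkt]


def compare(op, lhs, rhs):
    try:
        lhs, rhs = int(lhs), int(rhs)         # numeric fields such as ports
    except (TypeError, ValueError):
        lhs, rhs = str(lhs), str(rhs)         # addresses and names compare as text
    return {"==": lhs == rhs, "!=": lhs != rhs, ">": lhs > rhs,
            "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]


class Filter:
    """Recursive-descent evaluator for a subset of Wireshark display-filter syntax.
    Precedence, highest first: ! and parentheses, &&, ||."""
    OPS = {"==", "!=", ">", "<", ">=", "<="}

    def __init__(self, text):
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0
        self.ast = self._or()
        if self.pos != len(self.tokens):
            raise SyntaxError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() == "||":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "&&":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        tok = self._peek()
        if tok == "!":
            self._take()
            return ("not", self._not())
        if tok == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise SyntaxError("missing ')'")
            return node
        name = self._take()
        if name is None:
            raise SyntaxError("unexpected end of filter")
        if self._peek() in self.OPS:
            op = self._take()
            return ("cmp", name, op, self._take())
        return ("has", name)   # bare protocol or field name: a presence test

    def matches(self, pkt, node=None):
        node = node or self.ast
        kind = node[0]
        if kind == "or":
            return self.matches(pkt, node[1]) or self.matches(pkt, node[2])
        if kind == "and":
            return self.matches(pkt, node[1]) and self.matches(pkt, node[2])
        if kind == "not":
            return not self.matches(pkt, node[1])
        if kind == "has":
            return node[1] in pkt["protocols"] or bool(field_values(pkt, node[1]))
        _, name, op, value = node
        # Classic Wireshark rule: true if ANY occurrence of the field passes the test.
        return any(compare(op, v, value) for v in field_values(pkt, name))


def apply_filter(text, packets):
    """Frame numbers that survive the filter, in capture order."""
    flt = Filter(text)
    return [p["frame"] for p in packets if flt.matches(p)]
```

The example keeps the classic "any occurrence" rule that the Wireshark version used in this lab applies: `ip.addr == X` is true when either address equals X, so `ip.addr != X` is true for almost every packet, because one of the two addresses usually differs. To exclude a host, write `!(ip.addr == X)`. Later Wireshark releases redefined `!=` so that it behaves like the negated form.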
24. Click Statistics from the Wireshark menu, and select Flow Graph to open the
Flow Graph dialog box.
Figure 24 Flow Graph dialog box
25. Click the TCP flow radio button and click OK.
Wireshark opens the Graph Analysis window. By selecting a TCP flow in the
Flow Graph, you are telling Wireshark that you want to see all of the elements
in a TCP three-way handshake (SYN, SYN-ACK, ACK).
In the filter expression that you applied earlier in the lab, you filtered the
packets to show only the traffic with Google.com (IP Address 74.125.227.112).
Figure 25 Wireshark Flow Graph
26. Expand the center pane of the Flow Graph dialog box until you can see both
the local IP host (192.168.1.64) and the Google.com IP address
(74.125.227.112).
Pay attention to the arrows in this pane. The arrow's direction indicates the direction of the TCP traffic, and the length of the arrow indicates between which two addresses the interaction is taking place.
27. Use the scrollbar on the right side of the Flow Graph to locate the first three-way TCP handshake between the local IP host and Google.
28. In your document, record the time (found in the Time box on the left) that each
step (SYN, SYN-ACK and ACK) occurred. You may choose to make a screen
capture of the data and paste it into your document.
Note: This situation is a bit tricky. You will notice if you look closely at the
flow graph, also known very commonly as a ladder diagram, that the
interaction between 192.168.1.64 (the local IP host) and 74.125.227.112
(google.com) is already occurring when the new connection is requested. What
is seen in the diagram is the SYN for the new connection at -14408.59765 but it
is not followed immediately by the SYN-ACK and ACK. It is followed
immediately by the PSH-ACK, ACK, PSH-ACK which is required to close the
existing connection. Only then can the SYN-ACK and ACK be exchanged to
open the new connection.
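The ladder-diagram situation in this note, a new SYN whose SYN-ACK and ACK arrive only after packets of another connection to the same server, is easy to misread when the three times are picked off by eye. The following Python is an added example, not from the lab or from Wireshark: it groups packets by their 4-tuple and records the time of each handshake step per connection, so the interleaved packets of the other connection cannot be mistaken for the reply. The packet list, timestamps and ports are constructed to reproduce the described interleaving; the two IP addresses are the ones named in the lab.

```python
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01

CLIENT, SERVER = "192.168.1.64", "74.125.227.112"

# Constructed packets in capture order: (time_s, src, sport, dst, dport, tcp_flags).
# A new SYN (client port 49211) is sent while an older connection (client port
# 49210) is still exchanging PSH-ACK / ACK, so the SYN-ACK and ACK come later.
PACKETS = [
    (0.000, CLIENT, 49211, SERVER, 80, SYN),
    (0.004, CLIENT, 49210, SERVER, 80, PSH | ACK),
    (0.021, SERVER, 80, CLIENT, 49210, ACK),
    (0.022, SERVER, 80, CLIENT, 49210, PSH | ACK),
    (0.025, SERVER, 80, CLIENT, 49211, SYN | ACK),
    (0.026, CLIENT, 49211, SERVER, 80, ACK),
    (0.030, CLIENT, 49211, SERVER, 80, PSH | ACK),
]


def find_handshakes(packets):
    """Return {(client, cport, server, sport): {'syn', 'syn_ack', 'ack', 'rtt'}}.

    Packets are keyed by 4-tuple, so traffic from other connections, even to
    the same server, never advances this connection's state.  Incomplete
    handshakes are reported with None for the missing steps.
    """
    state = {}
    for t, src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:          # step 1: SYN from the client
            state[(src, sport, dst, dport)] = {"syn": t, "syn_ack": None, "ack": None}
            continue
        reply_key = (dst, dport, src, sport)          # a reply, seen from the client's side
        if flags & SYN and flags & ACK:               # step 2: SYN-ACK from the server
            conn = state.get(reply_key)
            if conn and conn["syn_ack"] is None:
                conn["syn_ack"] = t
            continue
        conn = state.get((src, sport, dst, dport))    # step 3: first ACK after the SYN-ACK
        if conn and conn["syn_ack"] is not None and conn["ack"] is None and flags & ACK:
            conn["ack"] = t
    for conn in state.values():
        conn["rtt"] = None if conn["syn_ack"] is None else round(conn["syn_ack"] - conn["syn"], 6)
    return state
```

The SYN to SYN-ACK interval is the round-trip time to the server, which is what the three recorded timestamps are usually used for once the handshake has been isolated from the surrounding traffic.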

29. Click Close to close the Graph Analysis window.
30. Click Cancel to close Flow Graph Options.
Note: In the next steps, you will manually apply a new filter to examine all
DNS-related packets. You will have the opportunity to trace a recursive query
to resolve a DNS request.
31. In the Filter box below the Wireshark menu, highlight ip.addr ==
74.125.227.112 (the existing filter expression) and type dns to overwrite the
existing filter.
32. Click Apply to display only the DNS and DNS-related packets.
Figure 26 DNS filter applied
33. In the frame summary pane, click Frame 115 to select it.
Frame 115 is the request from the local IP host (192.168.1.64) to its local
Domain Name Server (192.168.1.254) to resolve the name of issaseries.org into
an IP address.
34. Drag the frame borders of the frame detail pane to expand it.
Note: In some browsers, we have noticed that the pane of the graphic analysis window may display the captured Wireshark text as small boxes. The lab is still functional. Please ignore this and continue to the next step.
35. Click the plus sign at the beginning of the Domain Name System (query) line
to expand the detail.
In this section of the detail pane, we learn that the query was a standard query
with 1 question: what is issaseries.org, and that the response to this query can
be found in Frame 116. You'll examine that frame later in this lab.
36. Click the plus sign at the beginning of the Queries line.
37. Click the plus sign at the beginning of the issaseries.org line.
Figure 27 DNS query of the issaseries.org domain
38. Click the plus sign at the beginning of the Flags line.
Within the Flags detail is a flag titled recursion desired. This flag indicates whether or not the local Domain Name Server should continue to query other DNSs if it is unable to resolve the current query (in this case issaseries.org). As this DNS is local, it may or may not have enough information to allow issaseries.org to be resolved. If the recursion flag is set (as it is in this query), the local DNS will continue to query higher level DNSs until it is able to resolve the address. The resolution of this recursive query should appear later in the frame summary.
Figure 28 Display DNS Detail
39. In the frame summary pane, click Frame 116 (the response to the issaseries.org
query).
In the Queries section of this packet we can confirm that this is the response to the query for issaseries.org. Further, in the Flags section of this packet, we learn that the response was "No such name", indicating that the local DNS could not find the issaseries.org domain. This does not necessarily mean that issaseries.org does not exist but, rather, that issaseries.org is not known to any of the Domain Name Servers that were searched. But, because the recursion flag is on, it is likely that issaseries.org does not exist or no longer exists.
Figure 29 Display DNS Detail
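The flags examined in steps 38 and 39 (recursion desired, and the "No such name" response code) are bits in the 12-byte DNS header. The following Python is an added example, not from the lab or from Wireshark: it builds a query for issaseries.org with recursion desired, builds a matching "No such name" (rcode 3) response, and decodes the header flags and the question the way the detail pane presents them, including the RFC 1035 name-compression pointers that real responses use. The transaction id and all other bytes are constructed.

```python
import struct

RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "No such name", 4: "Not implemented", 5: "Refused"}

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits: response, recursion desired/available


def encode_name(name):
    """Wire form of a DNS name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, recursion_desired=True):
    """Standard query (opcode 0) for an A record, class IN."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_nxdomain_response(query):
    """Constructed reply: echo the question back, set QR, RA and rcode 3."""
    txid, flags, qdcount, _, _, _ = struct.unpack_from("!HHHHHH", query, 0)
    flags = QR | (flags & RD) | RA | 3
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]


def decode_name(msg, off):
    """Decode a name, following compression pointers (RFC 1035 section 4.1.4).
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # pointer to an earlier copy
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_dns(msg):
    """Header flags and the first question, as Wireshark's detail pane shows them."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    info = {"id": txid, "is_response": bool(flags & QR),
            "opcode": (flags >> 11) & 0xF,
            "recursion_desired": bool(flags & RD),
            "recursion_available": bool(flags & RA),
            "rcode": flags & 0xF, "rcode_name": RCODE_NAMES.get(flags & 0xF, "unknown"),
            "questions": qd, "answers": an, "authority": ns, "additional": ar}
    if qd:
        name, end = decode_name(msg, 12)
        qtype, qclass = struct.unpack_from("!HH", msg, end)
        info["question"] = {"name": name, "type": qtype, "class": qclass}
    return info
```

The pointer handling matters for answers: a response normally repeats the queried name as a two-byte pointer back to offset 12 rather than spelling it out again.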
40. Close the virtual lab, or proceed with Part 3 to answer the challenge questions
for this lab.

Lab #1 - Assessment Worksheet
Analyzing IP Protocols with Wireshark
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab, you exercised a wide variety of capabilities of the Wireshark packet capture and
analysis software. In the first part of the lab, you learned about probe placement, clocking/timing
issues, Wireshark traffic capture, and the use of filters. In the second part of the lab, you utilized
a capture file to answer basic questions about key IP protocols and the basic configuration of the
IP hosts from which traffic is captured. Finally, in the third part of the lab, you explored
Wireshark on your own to answer a set of challenge questions.

Lab Assessment Questions & Answers
1. What are some causes of the number of bytes on the wire exceeding the number of bytes being
captured?

2. What are the source and destination MAC addresses in Frame 546?

3. What is the manufacturer specific ID for Intel Core?

4. What is the MAC address used for IPv4 multicast?

5. What version of IP is present in Frame 546? What is the source IP address?

6. At what times did the various steps of the Google three step TCP handshake occur?

7. A DNS query failure is referred to a higher level Domain Name Server under what condition?

8. The descriptive text that accompanies the packet analysis is provided by Wireshark. True or
False?

Toolwire Lab 2: Using Wireshark and Netwitness Investigator to Analyze Wireless Traffic
Introduction
Click the link below to view the network topology for this lab:
Topology
The Wireshark protocol analyzer is multi-faceted. In fact, a person can use Wireshark for many
years and not use all of the various capabilities of Wireshark. For instance, Wireshark can be
used by a security analyst to find anomalies in network traffic indicative of viruses or exfiltration
of information while at the same time, even on the same traffic from same organization, it can be
used to troubleshoot application performance issues or benchmark VoIP latencies. In this lab, we
begin by using Wireshark to analyze some of the specifics of wireless transmissions and then
move on to analyze the network packets using a more security-specific tool, NetWitness
Investigator. It is also noteworthy that Wireshark is available at no charge while NetWitness is a
commercial product that is widely utilized and may be encountered in any well-equipped cyber
forensics lab and in many field investigations.
This lab has three parts that should be completed in the order specified.
1. In the first part of the lab, you will use an existing capture file to view some of the
wireless aspects of networks as well as some of the aspects of network traffic that remain
the same regardless of the physical transport, be it wired or wireless.
2. In the second part of the lab, you will utilize the same capture file but with a more
security-focused tool, NetWitness Investigator.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your
own in the third part of the lab to answer a set of challenge questions. The questions
allow you to use the skills you learned in the lab to conduct independent, unguided work,
similar to what you will encounter in a real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:
- Analyze the wireless-specific portion of network traffic using Wireshark
- Identify the portions of network traffic that remain the same regardless of whether the packets traverse wires or fly through the air wirelessly
- Use features of the NetWitness Investigator tool to analyze traffic with wireless content
- Determine which tool, Wireshark or NetWitness Investigator, is the preferred tool for a given task
- Utilize both Wireshark and NetWitness Investigator together to provide a complete picture of the interactions being investigated
- Be able to generalize your new knowledge of Wi-Fi traffic to other types of wireless traffic analyzed by using the Wireshark analyzer
- Differentiate between the more generalized capabilities of Wireshark and the more specialized cybersecurity analysis-focused uses of NetWitness Investigator

Tools and Software
The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.
- Wireshark
- NetWitness Investigator

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1 Step 15, Part 1
Step 29, Part 2 Step 8, and Part 2 Step 10;
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Analyze the wireless-specific portion of network traffic using Wireshark. [20%]
2. Identify the portions of network traffic that remain the same regardless of whether the
packets traverse wires or fly through the air wirelessly. [10%]
3. Use features of the NetWitness Investigator tool to analyze traffic with wireless content.
[20%]
4. Determine which tool, Wireshark or NetWitness Investigator is the preferred tool for a
given task. [10%]
5. Utilize both Wireshark and NetWitness Investigator together to provide a complete
picture of the interactions being investigated. [20%]
6. Be able to generalize your new knowledge of Wi-Fi traffic to other types of wireless
traffic analyzed by using the Wireshark analyzer. [10%]
7. Differentiate between the more generalized capabilities of Wireshark and the more
specialized cybersecurity analysis-focused uses of NetWitness Investigator. [10%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Analyzing Wireless Traffic with Wireshark
1. Double-click the Wireshark icon on the desktop to start the Wireshark application.
Figure 2 Main Wireshark Screen

The main screen of Wireshark includes several shortcuts to make your job easier. There are four categories of shortcuts.
Wireshark Screen Sections
SECTION TITLE    DESCRIPTION
Capture          This section displays a list of the network interfaces, or machines, that Wireshark has identified, and from which packets can be captured and analyzed.
Files            This section displays the most recent list of files that you were analyzing in Wireshark. The default status for this section is blank because no files have been opened yet.
Online           This section displays shortcuts to the Wireshark website.
Capture Help     This section displays shortcuts to the Wireshark website for help in using the tool.
2. Click Open to display a list of files that are on the desktop.
Figure 3 Wireshark Open Capture File
3. Double-click the DemoCapturepcap.pcapng file to load the packet capture data into the
Wireshark window.
Note: Wireshark capture files, like the DemoCapture file found in this lab, have a
.pcapng extension, which stands for packet capture, next generation.
Figure 4 Wireshark Frame Summary
Note: Many people believe that it is necessary to enable the Wireless Toolbar (View >
Wireless Toolbar) any time they are looking at wireless traffic. However, even if you
were to enable the Wireless Toolbar at this point, the option would remain greyed out
because the toolbar is only used when capturing live traffic, and then only if the AirPcap
interface is enabled. In this virtual lab, we are using a pre-captured file and are not
capturing live traffic, so it is not necessary to turn on the Wireless Toolbar.
4. Drag the top border of the Frame Detail pane up to expand it until only the summaries
of frames 1, 2, and 3 are shown.
Figure 5 Wireshark window with enlarged Frame Detail pane
5. Click the plus sign at the beginning of the Frame 1 line in the Frame Detail pane to
expand the fields. Notice the number of fields related to time. This part of the display will
be the same for wired or wireless traffic. However, the Encapsulation type: Per-Packet
Information indicator, a field unique to wireless traffic, confirms that this is a wireless
packet.

Figure 6 Expanded frame physical detail
6. Click the minus sign at the beginning of Frame 1 line in the Frame Detail pane to
collapse the fields.
Note: Double-clicking headings in the Frame Detail pane will also expand or collapse the
detail below.
7. Click the plus sign at the beginning of the PPI version 0 line in the Frame Detail pane to
expand the fields and display the Per-Packet Information encapsulation.
8. Click the plus sign at the beginning of the Flags line in the Frame Detail pane to expand
the fields.
Figure 7 Expanded PPI encapsulation frame detail
9. Notice the following information contained within these headers:
- Alignment is set to 0, or not aligned, which means that the next byte after the field contains the next field.
- A header length of 84 octets refers to the length of the PPI header only and does not include any other headers that may be present in the frame.
- A Data Link Type (DLT) of 105 indicates that data is transferred over an 802.11n wireless network.
Note: All of this information can be verified, if one wishes, by consulting the
hexadecimal representation of the field at the bottom of the window in the Byte Data
pane.
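The three values called out in step 9 (alignment flag, header length of 84 octets, DLT 105) live in the 8-byte PPI base header, which is followed by type-length-value fields such as 802.11-Common and 802.11n MAC+PHY. The following Python is an added example, not from the lab or from Wireshark: it builds a PPI header of that shape in memory and parses it back, decoding the 802.11-Common field (rate, channel, signal and noise) and honouring the alignment flag. All field values are constructed; the 802.11n MAC+PHY field is carried as opaque bytes, and the channel-flags value is an arbitrary placeholder.

```python
import struct

PPI_FIELD_NAMES = {2: "802.11-Common", 3: "802.11n MAC", 4: "802.11n MAC+PHY",
                   5: "Spectrum-Map", 6: "Process-Info", 7: "Capture-Info"}
DLT_NAMES = {1: "Ethernet", 105: "IEEE 802.11 (wireless LAN)"}

# Constructed 802.11-Common field (20 bytes, little-endian): TSF timer, flags,
# rate in 500 kbps units (600 -> 300 Mbps), channel frequency in MHz, channel
# flags (placeholder value), FHSS hop set and pattern, signal and noise in dBm.
SAMPLE_COMMON = struct.pack("<QHHHHBBbb", 123456789, 0, 600, 2437, 0x0080, 0, 0, -40, -90)


def build_ppi(fields, dlt=105, aligned=False):
    """Constructed PPI packet header: 8-byte base header followed by TLV fields.
    With the alignment flag set, every field header starts on a 32-bit boundary."""
    body = b""
    for ftype, data in fields:
        body += struct.pack("<HH", ftype, len(data)) + data
        if aligned:
            body += b"\x00" * (-len(body) % 4)
    return struct.pack("<BBHI", 0, 1 if aligned else 0, 8 + len(body), dlt) + body


def sample_packet():
    """PPI header of the shape seen in the lab (8 + 24 + 52 = 84 octets) in
    front of the first two bytes of a constructed 802.11 QoS data frame."""
    return build_ppi([(2, SAMPLE_COMMON), (4, bytes(48))]) + b"\x88\x02"


def parse_80211_common(data):
    tsft, flags, rate, freq, chflags, _hopset, _pattern, sig, noise = struct.unpack("<QHHHHBBbb", data[:20])
    return {"tsf_timer": tsft, "flags": flags, "rate_mbps": rate * 0.5,
            "channel_mhz": freq, "channel_flags": chflags,
            "signal_dbm": sig, "noise_dbm": noise}


def parse_ppi(packet):
    """Decode the PPI base header and walk its fields, as the detail pane does."""
    version, flags, length, dlt = struct.unpack_from("<BBHI", packet, 0)
    if version != 0:
        raise ValueError(f"unsupported PPI version {version}")
    aligned = bool(flags & 0x01)
    info = {"version": version, "aligned": aligned, "header_length": length,
            "dlt": dlt, "dlt_name": DLT_NAMES.get(dlt, "unknown"), "fields": []}
    off = 8
    while off + 4 <= length:
        ftype, flen = struct.unpack_from("<HH", packet, off)
        if off + 4 + flen > length:
            raise ValueError("field runs past the declared PPI header length")
        data = packet[off + 4:off + 4 + flen]
        entry = {"type": ftype, "name": PPI_FIELD_NAMES.get(ftype, "unknown"), "length": flen}
        if ftype == 2 and flen >= 20:
            entry.update(parse_80211_common(data))
        info["fields"].append(entry)
        off += 4 + flen
        if aligned:
            off += -off % 4
    info["payload"] = packet[length:]  # the encapsulated 802.11 frame starts here
    return info
```

The length check inside the loop is the one defensive detail worth copying: a PPI header whose fields claim to extend past the declared header length is malformed and should not be dereferenced further.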
10. Click the plus sign at the beginning of the 802.11-Common line in the Frame Detail
pane to expand the fields relative to fields common to all 802.11 wireless protocols.
Along with some very specific information about radio frequencies and channels, the
fields indicate that the maximum rate of transmission is 300 Mbps (Rate: 300.0 Mbps).
Figure 8 Expanded 802.11-Common frame detail
11. Click the plus sign at the beginning of the 802.11n MAC+PHY line to expand those
fields.
12. Use the scrollbar as necessary to view all of the newly expanded fields. Notice that data
reveals a large amount of data about the 802.11n connection including signal strengths,
noise ratios and other information about the antennae.
Figure 9 Expanded 802.11n MAC+PHY frame detail

Note: The detailed information that Wireshark provides about the antennae, signal
strengths, and other aspects of the wireless communications environment can be very
useful for installation, antenna placement, and troubleshooting. It can also be very
valuable in terms of computer forensics because it can be used to map who was able to
communicate with whom, the measured strength of signals, what frequencies are used,
and other data. In addition to forensics on standard Wi-Fi and other forms of traditional
wireless communications, this information can also be very useful for jamming certain
frequencies, determining which devices likely were used to set off remote bombs and
Improvised Explosive Devices (IEDs), and a spectrum of other things.
13. If desired, click the minus sign in front of the PPI version 0 line to collapse the
information relative to the Per-Packet Information encapsulation.
You may have to use the scrollbar to return to this header line.
14. Click the plus sign at the beginning of the IEEE 802.11 QoS Data, Flags line to expand
the 802.11 Quality of Service information and Flags fields.
In this group of fields, Wireshark displays information about the transmitters and
receivers of the data, which allow the network administrator to determine which Media
Access Control (MAC) addresses match each transmitter and receiver.
Figure 10 Frame Address Information
15. Make a screen capture showing the receiver address, the transmitter address, the source
address, and the destination address found in the IEEE 802.11 QoS Data fields.
Note: Remember, Wireshark displays transmitter/receiver addresses in both full hexadecimal (00:14:a5:cd:74:7b) and a kind of shorthand, in this case, GemtekTe_cd:74:7b. That shorthand code is Wireshark's translation of the first part of the receiver address (00:14:a5) into the manufacturer's name or alphanumeric designation (GemtekTe_). The IEEE has compiled a list of company names that correspond to the first six characters of the MAC ID, which can be accessed on their Web site at http://standards.ieee.org/develop/regauth/oui/public.html.
While Wireshark's translation is most likely correct, it is also possible that some manufacturers, especially those that have acquired other companies, will have more than one numeric designation that resolves to their name or alphanumeric designation. It is therefore better to refer to the entire hexadecimal representation of the address rather than the shorthand.
It is also possible, though not likely, for sophisticated criminals to spoof, or send false
information to, Wireshark. It is unlikely that common criminals, even savvy
cybercriminals, take into account the receiver and transmitter addresses or, even if they
do, have the knowledge and skills to modify the hardware to spoof this information. It is
much more common that the MAC addresses (source and/or destination addresses) are

spoofed, but matching them to their appropriate transmitter and receiver addresses can
provide the needed forensic evidence of which devices were involved in a particular
communication and their role in the suspect activity.
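Which of the 802.11 addresses is the receiver, transmitter, source or destination depends on the To DS and From DS bits of the frame control field, which is why the note distinguishes transmitter/receiver from source/destination. The following Python is an added example, not from the lab or from Wireshark: it builds QoS data frame headers for each DS combination and recovers RA, TA, DA, SA and BSSID from them. All MAC addresses are constructed locally-administered values.

```python
import struct

# Address roles of a data frame by (To DS, From DS), from IEEE 802.11:
# Addr1 is always the receiver (RA) and Addr2 always the transmitter (TA).
ADDRESS_ROLES = {
    (0, 0): ("RA/DA", "TA/SA", "BSSID", None),     # station to station (ad hoc)
    (0, 1): ("RA/DA", "TA/BSSID", "SA", None),     # access point to station
    (1, 0): ("RA/BSSID", "TA/SA", "DA", None),     # station to access point
    (1, 1): ("RA", "TA", "DA", "SA"),              # AP to AP (wireless distribution)
}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(to_ds, from_ds, a1, a2, a3, a4=None, qos=True):
    """Constructed 802.11 data frame header; addresses given as 'xx:xx:..' strings."""
    fc0 = 0x88 if qos else 0x08                      # type 2 (data), subtype 8 (QoS data) or 0
    fc1 = (to_ds & 1) | ((from_ds & 1) << 1)         # flags byte: bit 0 To DS, bit 1 From DS
    hdr = bytes([fc0, fc1]) + struct.pack("<H", 0)   # duration/ID
    for addr in (a1, a2, a3):
        hdr += bytes.fromhex(addr.replace(":", ""))
    hdr += struct.pack("<H", 0x0010)                 # sequence control: fragment 0, sequence 1
    if to_ds and from_ds:
        hdr += bytes.fromhex(a4.replace(":", ""))    # Addr4 only exists in WDS frames
    if qos:
        hdr += struct.pack("<H", 0)                  # QoS control, TID 0
    return hdr


def parse_addresses(frame):
    """Map Addr1..Addr4 to RA/TA/DA/SA/BSSID as Wireshark's 802.11 detail does."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2:
        raise ValueError("only data frames carry the DA/SA/BSSID address set")
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    addrs = [mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])]
    if to_ds and from_ds:
        addrs.append(mac(frame[24:30]))
    result = {"to_ds": to_ds, "from_ds": from_ds, "qos": bool(subtype & 0x8)}
    for role, addr in zip(ADDRESS_ROLES[(to_ds, from_ds)], addrs):
        for name in role.split("/"):
            result[name] = addr
    return result
```

Matching the recovered transmitter and receiver addresses against the source and destination, as the note suggests, only makes sense once the DS bits have been read; in an AP-to-station frame the transmitter is the access point, not the host that originated the packet.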
16. Click the plus sign in front of the Frame check sequence line to expand those additional
fields.
17. Click the plus sign in front of the QoS Control line to expand those additional fields.
Study the fields and their values. It is within the scope of this lab to understand that the
fields exist but beyond the scope of this lab to explain what each field means and the
interaction of the fields.
Figure 11 Quality of Service detail
18. Click the minus sign in front of the IEEE 802.11 QoS Data, Flags line to collapse these
fields.
Note: There are literally hundreds of fields of data available, depending upon the wireless
communications protocols that are present and those that are captured, and a thousand
different ways to interpret it.
The fields that have been examined thus far are unique to wireless networking. There are
some important aspects to know about capturing the wireless data with Wireshark.
Wireshark is regularly installed with a packet capture library called WinPcap. Based on
the wireless interfaces and how the capture is set up, Wireshark, using this tool, will
display all of the fields it can capture. However, it is possible that in some cases there is
wireless information that Wireshark cannot capture, or can capture only the essence of
the command and control information, but not the information itself.
For this reason, packet capture add-ons, like AirPcap, are frequently installed with
Wireshark. These add-ons allow you to capture more wireless information than without
it. Most network analysts feel that AirPcap is absolutely required for capturing wireless
traffic between devices or between other devices and, say, a wireless access point
depending on your goals and the objectives of the capture. From this point of the lab
forward, all of the data captured will be common to both wired and wireless networking
and would have been captured with Wireshark using AirPcap or WinPcap.
19. Click the plus sign in front of the Logical-Link Control line to expand the LLC fields
and familiarize yourself with the data available.
20. Click the minus sign in front of the Logical-Link Control line to collapse the LLC
fields.
21. Click the plus sign in front of the Internet Protocol version 4 line to expand the header
and familiarize yourself with the data available.
22. Click the plus sign in front of each subfield and familiarize yourself with the data
available.

Figure 12 Internet Protocol data
23. Click the minus sign in front of the Internet Protocol version 4 line to collapse the
fields.
24. Click the plus sign in front of the User Datagram Protocol line and familiarize yourself
with the data available.
25. Click the minus sign in front of the User Datagram Protocol line to collapse the UDP
fields.
26. Click the plus sign in front of the Domain Name System (query) line to expand its
fields. These fields record data related to an Internet query.
27. Click the plus sign in front of the Flags line to expand those fields and familiarize
yourself with the data available.
28. Click the plus sign in front of the Queries line and familiarize yourself with the data
available. Notice that the data indicates that someone tried to access the www.polito.it
Web site.
Note: The ultimate payload, regardless of whether the packet is sent through the air or on
a wire is a Domain Name System query. In this case, the DNS information is being
requested for www.polito.it. Any DNS request, regardless of whether the packet is sent
wirelessly or via wire, includes the same fields in a Wireshark packet capture, but the
wireless portion of the frame information requires special consideration in a forensic
investigation.
Suppose that a forensic investigator needed to monitor all Web traffic within a coffee
shop to determine which Web sites were accessed by the subject of an investigation. The
fact that the Web query was conducted wirelessly is really unimportant to the
investigation, except perhaps that the investigation was aided by easy access to
unencrypted airborne packets. An investigator may choose to set a filter on the resulting
capture file that shows only DNS requests. In this way, the investigator can determine
which Web sites the subject wished to visit, and is then able to visit those Web sites
himself later to determine the nature of the Web sites.
It is also possible to set a filter that displays both the DNS requests and their resulting
DNS responses to determine which Web sites existed at the time the capture file was
made, as opposed to which Web sites still existed when subsequent research was done.
Consider, for example, a drug or human trafficking case. The owner of an illegal Web
site may shut down the Web site after a subject is taken into custody, but before the
research is completed. This type of filter will allow investigators to determine that while
they were unable to access the Web site, the subject was able to complete the transaction.
Packet capture files can also display the results of the Web page requests, such as any
audio and video content, as well as support further analysis using NetWitness
Investigator.
On the other hand, a key part of another investigation may be to determine what
information was gathered by the subject of an investigation, or to determine by whom
certain information was gathered. The investigator may use information in a packet
capture by linking the Layer 2 Media Access Control address and/or the Layer 3
IP address to specific wireless information. In this case, the wireless information that is
captured becomes the central point of the investigation. As has happened many times,
forensic investigators, often law enforcement, track illegal content, such as child
pornography, to a quiet residential neighborhood, obtain legal search warrants based on
probable cause and execute a search of the premises only to find that there is no illegal
pornographic content, or other content covered by the warrant, present. At this point the
investigators could give up, or they could do further research on the wireless portion of
the captured traffic to determine that none of the devices owned by the residents of the
home, or their guests' mobile wireless devices, were responsible for the traffic. What could
have happened? Criminals sitting in a car outside the home (or in a nearby coffee shop,
hotel, or other location) could have used the wireless access point to transmit/receive
illegal information and then departed the scene. Investigative tools such as video
surveillance, stakeouts, sting operations, and similar law enforcement tools could be
brought into play to further the investigation, but the wireless part of the captured traffic
is a critical part of guiding the investigation and possibly of the ultimate prosecution of
the suspects.
29. Click the plus sign in front of the www.polito.it line and familiarize yourself with the
data available. Use the scrollbar, if necessary, to reveal all of the data.
Figure 13 Expanded www.polito.it query frame detail
30. Make a screen capture showing the query name (www.polito.it), the Source IP address,
and the Destination IP address.
31. In the Frame Summary pane, click frame 2 to display the related data in the Frame Detail
pane.
Frame 2 is a wireless command and control packet acknowledging receipt of frame 1.
32. If necessary, click the plus sign at the beginning of the IEEE 802.11 Acknowledgement,
Flags line to expand the fields.
Notice that the receiver address for frame 2 (00:14:a5:cb:6e:1a) is the same as the
transmitter address in frame 1.
Figure 14 802.11 command and control packet detail
33. In the Frame Summary pane, click frame 3 to display the related data in the Frame Detail
pane.
34. If necessary, click the plus sign in front of the Domain Name System (response) line to
expand its fields. Use the scrollbar as necessary to locate this header line.
35. If necessary, click the plus sign in front of the Answers line to expand the fields. Use the
scrollbar as necessary to locate this header line.
36. Click the plus sign in front of each line in the Answers section to expand the fields. Use
the scrollbar as necessary to see the details.

These fields detail the response to the DNS query. Data shown in these fields includes the
IP address for polito.it (130.192.73.1), and other DNS information such as a DNS time to
live (or, the time before the DNS cache for this entry must be refreshed) of 23 hours, 59
minutes, 25 seconds.
Figure 15 DNS Response for www.polito.it
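The DNS request/response pairing an investigator filters for, and the response fields just listed (answer address and time to live), can be reproduced outside Wireshark. The script below is an added example written for this page, not code from the lab, Wireshark or NetWitness: it builds a small constructed pcap in memory containing one query for www.polito.it and its answer, parses the Ethernet, IPv4, UDP and DNS headers with the Python standard library, pairs each response with its query on transaction ID and name, keeps the Layer 2 and Layer 3 source addresses together for each side, and renders the TTL in hours, minutes and seconds. The client and resolver MAC and IP addresses are made-up sample values; the answer 130.192.73.1 and the 23h 59m 25s TTL are the lab's own. It also refuses a pcapng file with a clear message, which is the situation the note that follows covers.

```python
"""Pair DNS queries with responses in a classic pcap (standard library only).
Added example, not the lab's or Wireshark's code. The client and resolver MACs
and IPs below are made up; the answer and TTL echo the lab's www.polito.it frame."""
import socket
import struct
PCAP_LE, PCAP_BE, PCAPNG = 0xA1B2C3D4, 0xD4C3B2A1, 0x0A0D0D0A   # capture file magics

def encode_name(name):
    """'www.polito.it' -> length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def decode_name(data, off):
    """Decode a name, following RFC 1035 compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while data[off]:
        if data[off] & 0xC0 == 0xC0:          # pointer: jump, remember where to resume
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + data[off]].decode())
            off += 1 + data[off]
    return ".".join(labels), (off + 1 if end is None else end)

def dns_message(txid, name, answer=None):
    """Standard A-record query; with answer=(ip, ttl) the matching response."""
    flags, ancount = (0x8180, 1) if answer else (0x0100, 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"
    if answer:   # answer name is a pointer (0xC00C) to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, answer[1], 4) + socket.inet_aton(answer[0])
    return msg

def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / UDP wrapper; checksums are left zero for the demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst_mac, src_mac)) + b"\x08\x00" + ip

def build_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), then 16-byte records."""
    hdr = struct.pack("<IHHiIII", PCAP_LE, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

def read_pcap(data):
    """Yield raw frames; pcapng is refused so the caller knows to convert it first."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG:
        raise ValueError("pcapng input: save the capture as classic *.pcap first")
    order, off = {PCAP_LE: "<", PCAP_BE: ">"}[magic], 24
    while off + 16 <= len(data):
        caplen = struct.unpack(order + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def parse_dns(frame):
    """Return a record for an IPv4/UDP port-53 frame, or None for anything else."""
    ip = frame[14:]
    if frame[12:14] != b"\x08\x00" or ip[9] != 17:
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if 53 not in struct.unpack("!HH", udp[:4]):
        return None
    dns = udp[8:]
    txid, flags, _, ancount = struct.unpack("!HHHH", dns[:8])
    qname, off = decode_name(dns, 12)
    off += 4                                  # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        _, off = decode_name(dns, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record: an IPv4 answer
            answers.append((socket.inet_ntoa(dns[off:off + 4]), ttl))
        off += rdlen
    return {"src_mac": frame[6:12].hex(":"), "src_ip": socket.inet_ntoa(ip[12:16]),
            "dst_mac": frame[:6].hex(":"), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "txid": txid, "response": bool(flags & 0x8000), "qname": qname, "answers": answers}

def pair_dns(pcap_bytes):
    """Match responses to queries on (transaction id, name), like a paired display filter."""
    pending, pairs = {}, []
    for rec in filter(None, map(parse_dns, read_pcap(pcap_bytes))):
        key = (rec["txid"], rec["qname"])
        if rec["response"]:
            pairs.append((pending.pop(key, None), rec))
        else:
            pending[key] = rec
    return pairs

def ttl_hms(ttl):   # 86365 -> '23h 59m 25s', the form the lab quotes for the polito.it TTL
    return "%dh %02dm %02ds" % (ttl // 3600, ttl % 3600 // 60, ttl % 60)

# Constructed sample: client 192.168.1.20 asks resolver 192.168.1.1 (made-up MACs and IPs).
CLIENT, RESOLVER = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_PCAP = build_pcap([
    udp_frame(CLIENT, RESOLVER, "192.168.1.20", "192.168.1.1", 40000, 53, dns_message(0x1A2B, "www.polito.it")),
    udp_frame(RESOLVER, CLIENT, "192.168.1.1", "192.168.1.20", 53, 40000,
              dns_message(0x1A2B, "www.polito.it", answer=("130.192.73.1", 86365))),
])
```

For a real capture, read the file bytes (`open(path, "rb").read()`) and pass them to `pair_dns` in place of `SAMPLE_PCAP`; each pair gives the query record (transmitter MAC and source IP) next to the response record with its A answers and TTLs, and a pcapng file stops the script at once with the conversion hint.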
Note: In Part 2 of this lab, you will analyze these same packets using NetWitness
Investigator. It is important to realize that NetWitness can also be used to capture and
save network traffic without ever using Wireshark, but if you are using Wireshark for
packet capture and a cursory analysis, as you did in Part 1 of this lab, you will need to
save the captured frames in a format that NetWitness can interpret. The current release of
NetWitness Investigator does not support the pcapng file format, so you must first save
the DemoCapture.pcapng file in the older *.pcap format.
37. Click File > Save As from the Wireshark menu. If necessary, click the Desktop icon,
select Wireshark/tcpdump/ from the drop-down option in the Save as type box. Type
DemoCapture in the File name box.
Figure 16 Wireshark Save As dialog box
38. Click Save to save the new DemoCapture.pcap file in the preferred format for
NetWitness.
39. Click File > Quit to close Wireshark.

Part 2: NetWitness Investigator


Note: In this part of the lab, you will use NetWitness Investigator to analyze the same packet
capture file you reviewed in Part 1 of this lab. Because Wireshark is available for free, it is often
used for packet capture and for some initial analysis. NetWitness Investigator, on the other hand,
requires the purchase of a license for use, so it is often only used by more senior, more skilled
and better trained security analysts for specific types of analysis. Often, investigators, or even
clients, with little training can capture needed information with the no-cost Wireshark while a
more in-depth security-focused analysis is later done with NetWitness.
1. Double-click the NetWitness Investigator icon on the desktop to open the application
window.
Figure 17 NetWitness Investigator application window
Note: The Welcome screen in NetWitness Investigator displays a list of frequently asked
questions and links to a YouTube channel
(http://www.youtube.com/user/SecuredByRSA) with demonstration videos for using the
software. You are encouraged, though not required, to review this material. Remember,
the virtual lab does not have access to the Internet, so not all of these links will work
within this environment.
2. On the NetWitness Investigator menu, select Collection > New Local Collection to open
the New Local Collection dialog box.
3. Type DemoCapture in the Collection Name box and click OK.
Similar to creating a new file folder, creating a new local collection within NetWitness
Investigator provides a place to put the packets from the DemoCapture file. This
collection, DemoCapture, will appear in the left pane, the Collection pane, of NetWitness
Investigator.
Figure 18 New Local Collection Creation Window
4. Double-click DemoCapture in the Collection pane to select it and change the status to
Ready.
Figure 19 NetWitness Investigator Collection pane
5. On the NetWitness Investigator menu, select Collection > Import Packets to open the
Open dialog box.
6. If necessary, click the Desktop icon to display the files from the desktop of the
vWorkstation and double-click the DemoCapture file you created in Step 37 of the last
section to begin the import process.
Figure 20 Open dialog box
The Collection pane will display a progress report while the import is underway.
When the import is finished, the DemoCapture collection will again display a status of
Ready.
7. Double-click DemoCapture in the Collection pane to open the packet capture file.
The packets from the capture file have been analyzed by NetWitness and all of the
reports generated by NetWitness are displayed in the right pane. Use the scrollbar as
necessary to view the complete list of reports.
Figure 21 Reports from the DemoCapture Collection
Note: The first thing you may notice about the NetWitness reports is that while you will
not find any of the low-level wireless information, such as command and control, you
will find that the kind of sophisticated analysis that requires some work to accomplish
within Wireshark is automated by NetWitness. For instance, the Layer 2 MAC addresses,
which in this case are Ethernet, and the Layer 3 IP addresses are available in both
Wireshark and NetWitness, but you will not find the transmitter and receiver addresses in
NetWitness. What you will find, easily, in NetWitness is information about the
geographic location of the transmitter and receiver which, when plotted on Google Earth,
can aid an investigation.
You should also notice that where both tools provide the same information, such as the
DNS request, the two tools differ in how that information is displayed.
8. In the Service Type report, click DNS to drill down and get further information about the
DNS request.
The (1) that follows the DNS label indicates that there is only one DNS request in this
packet capture file. In the next steps, you will investigate this DNS request and compare
the results against the Wireshark findings.
Figure 22 DNS Query Detail for DemoCapture.pcap
9. Make a screen capture of the DNS query showing the host name alias, the source IP
address, and the destination IP address. Compare the information provided by
NetWitness to the screen capture you made in Wireshark (step 29 in Part 1 of this lab).
10. Use the scrollbar to locate the Ethernet Source and Ethernet Destination reports.
Figure 23 Ethernet fields
11. Make a screen capture showing the Ethernet source and Ethernet destination addresses.
Compare the information provided by NetWitness to the screen capture you made in
Wireshark (step 15 in Part 1 of this lab).
12. In the NetWitness navigation bar, click DemoCapture to return to the high-level analysis
of the entire packet capture file.
Figure 24 NetWitness Investigator navigation bar
13. Use the scrollbar to locate the Destination City report.
14. Click turin to reveal additional details from this report.
Figure 25 NetWitness Investigator Destination City Turin report
15. Use the scrollbar to investigate all of the data associated with this report. From the
data, you can determine that the transaction originated in Turin, Italy and was an HTTP
get request in which a Web site was retrieved. NetWitness has done a lot of analysis of
the higher level transaction without revealing the lower level frame or packet detail to the
user.
Note: While it is accurate to say that the Top Level Domain (TLD) .it belongs to
Italy, there is no assurance that the web site is physically located in Italy, only that a
domain name is registered with the appropriate registrar for the .it TLD. Only by
physically finding the server hosting the website, using geolocation technology such as
IP-geolocation, or triangulation using PINGs, is it possible to determine the actual
physical location of the server.
16. Click Collection > Exit in the NetWitness Investigator menu to close the NetWitness
Investigator window.
Note: Having investigated the very same capture file with both tools, Wireshark and
NetWitness Investigator, you are now better equipped to determine which tool is
appropriate for specific tasks. You may also realize that using both tools together
may be required to show a complete picture for a forensic investigation.
Remember, too, that in any forensic investigation special care must be taken to protect
the chain of custody for any evidence which will be used in legal proceedings. It is
important to realize that capture files are just digital files and can easily be manipulated
and edited and should be handled as would any volatile digital evidence. Maintaining
chain of custody is particularly important to ensure the recovered evidence is admissible
in a court of law.
17. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.

Lab #2 - Assessment Worksheet


Using Wireshark and NetWitness
Investigator to Analyze Wireless Traffic
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab, you used two common forensic analysis tools, Wireshark and NetWitness
Investigator, to review wireless traffic in the same packet capture file. You learned to
differentiate between the more generalized capabilities of Wireshark and the more specialized
cybersecurity analysis-focused uses of NetWitness Investigator. You also identified those
aspects of network traffic that remain the same regardless of the physical transport, be it wired or
wireless. Finally, in the third part of the lab, you explored Wireshark on your own to answer a set
of challenge questions.

Lab Assessment Questions & Answers


1. Which tool, Wireshark or NetWitness, provides information about the wireless antenna
strength during a captured transmission?
2. Which tool displays the MAC address and IP address information and allows them to be
correlated for a given capture transmission?
3. What is the manufacturer specific ID for the GemTek radio transmitter/receiver?
4. The receiver and/or transmitter address is hard-coded in hardware and cannot be changed:
it can always be counted on to correctly identify the device transmitting. True or False.
5. The actual web host name to which www.polito.it resolved was?
6. How can one determine that the website www.polito.it is in Italy?
7. What is the IP address for www.polito.it?
8. What destination organization is the owner of record of www.polito.it?

Toolwire Lab 3: Configuring a pfSense Firewall on the Client
Introduction
Click the link below to view the network topology for this lab:
Topology
There are a multitude of firewalls commercially available within the market. Some organizations
even build their own, custom solutions. An organization may have a single firewall sitting on the
only connection to the global Internet, or a sophisticated defense in-depth structure of firewalls
providing more protection for certain subnets than for others. Organizations may also establish
internal zones that allow them to use firewalls to protect internal departments from each other
and another system protecting the entire organization from outsiders. According to the 2013 Data
Breach Investigations Report (http://www.verizonenterprise.com/resources/reports/rp_databreach-investigations-report-2013_en_xg.pdf), fourteen percent of all successful data breaches
involved internal attackers.
Firewalls may be completely software-based and run on an endpoint or a server. They may be
implemented in stand-alone hardware, or may be some hybrid. Increasingly, vendors are making
their firewalls available as virtual appliances. In any case the job of the firewall is fairly
straightforward: to examine traffic going between the "outside" and the "inside" and determine if
that traffic adheres to a set of rules and what to do if it does not. It is in defining the rules and in
determining what to do if the traffic does not meet those rules where most firewalls differ: not in
the conceptual function, but, rather, in the implementation and the ongoing management of the
device.
In this lab, you will delve into the configuration of the pfSense Firewall to protect a client
computer. The pfSense Firewall is a current generation product which has most of the
functionality and options that will be found in most firewall products though the implementation
may vary somewhat from firewall to firewall.
This lab has three parts which should be completed in the order specified:
1. In the first part of the lab, you will plan the implementation of a local pfSense Firewall
using a spreadsheet. You will answer all of the configuration questions in advance of
actually making any changes to the firewall.

2. In the second part of the lab, you will implement the configuration choices that you
planned in Part 1 of this lab.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your
own in the third part of the lab to answer a set of challenge questions that allow you to
use the skills you learned in the lab to conduct independent, unguided work, similar to
what you will encounter in a real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:
1. Complete a Physical Configuration planning worksheet and understand the general rules
of physical configuration planning for a firewall which protects a client workstation.
2. Complete the Firewall Rules planning worksheet and understand the general rules for
firewall rules planning for a firewall which protects a client workstation.
3. Configure the physical connectivity of a firewall which protects a client workstation.
4. Configure firewall rules for a firewall which protects a client workstation.

Tools and Software


The following software and/or utilities are required to complete this lab. Students are encouraged
to explore the Internet to learn more about the products and tools used in this lab.

pfSense Firewall

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. A completed pfSenseFirewallPlanning.xlsx spreadsheet;
2. Lab Report file including screen captures of the following steps: Part 2, Step 22;
3. Lab Assessments file;
4. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics


The following are the evaluation criteria for this lab that students must perform:

1. Complete the Physical Configuration planning spreadsheet for a firewall which protects a
client workstation. - [20%]
2. Complete the Firewall Rules planning spreadsheet for a firewall which protects a client
workstation. - [20%]
3. Configure the physical connectivity of the firewall which protects a client workstation. - [30%]
4. Configure the firewall rules for a firewall which protects a client workstation. - [30%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Planning the Configuration


Note: There are two different approaches to configuring a firewall, or any computer software for
that matter. The first, and most common, is to dive right in and trust that the process will be
fairly easy and straightforward. The second approach is to plan the configuration steps in
advance before implementing your choices. While the dive-right-in approach is very common,
especially in smaller shops or for individuals, the more prudent, careful and professional
approach is to plan the configuration in advance. By documenting the configuration choices in
advance, carefully considering each in the proper context, you streamline your process. And,
since even the most diligent planner can overlook something, by recording any changes that are
made during the implementation process, you will have a starting point for replicating the
configuration in the future, either to assist in adding new firewalls or to replace the existing one
(in case of an outage).

In the next steps, you will complete the pfSenseFirewallPlanner spreadsheet. This spreadsheet
contains two worksheets: Physical Configuration and Firewall Rules. The spreadsheet was
designed to document answers to the questions prompted by the pfSense Firewall Setup Wizard,
in the order you will be required to answer them. You will record the configuration settings for
the pfSense Firewall in this spreadsheet as you proceed through the lab. It is a good idea to scan
Part 2 of this lab if you are unfamiliar with firewall configurations. Seeing how the questions are
posed by the wizard might help you understand how the pfSenseFirewallPlanner spreadsheet
works in conjunction with the wizard.
Many of the steps in this part of the lab follow basic Windows conventions on a Windows 2008
server. If you are an experienced Windows user who is already familiar with these steps, feel free
to write down the information provided and move ahead with the lab exercises. If you are not
familiar with these functions, please follow the steps and see the results, but also understand that
they vary somewhat between different versions of Windows and vary greatly from the way
similar information is derived in other operating systems.
1. Click the File Transfer button on the vWorkstation desktop to transfer the
pfSenseFirewallPlanner file from the virtual desktop to your local computer.
2. Open the pfSenseFirewallPlanner spreadsheet on your local computer.
The first item on the Physical Configuration worksheet is Hostname. A hostname is the
unique name of the computer (host) on the network capable of originating or responding
to an interaction using the Internet Protocol. The hostname can be found in the Windows
Control Panel.
3. Click Start > Control Panel on the vWorkstation desktop to open the Windows Control
Panel.
Figure 2 Windows Control Panel
4. Click the Network and Internet icon to open the related option list.
Figure 3 Network and Internet options
5. Click View network status and tasks under the Network and Sharing Center heading.
The first icon in the network map at the top of the window indicates that BASE-WIN2008 is the name of this computer.
Figure 4 Network and Sharing Center
6. In the Settings column of the Physical Configuration worksheet, type base-win2008.
Note: Because security is heavily influenced by the practices of the Linux and Unix
operating systems, and because Windows does not differentiate between upper and lower
case, standard practice in network security is to use lowercase whenever possible.
Therefore, the hostname of BASE-WIN2008 will be entered in the spreadsheet as base-win2008. You might notice also that this hostname is unusual as it does not include a
unique ID such as a number (besides the year 2008), but it is still a valid name, so it is
added to the worksheet. We may wish to make some special mark, such as an asterisk (*)
or plus sign (+), to indicate that this information will vary for each computer we
configure.
7. In the Comments column of the Physical Configuration worksheet, type *changed for
each configuration to indicate that this information will vary with each computer that
will be configured.
Figure 5 Hostname configuration
8. The next item on the Physical Configuration worksheet is Domain. As this is a local
firewall, type local in the Settings column.
9. The next two items are Primary DNS Server and Secondary DNS Server. The local
DHCP service will provide the IP addresses that work for local DNS, wherever we
happen to turn on this computer. Leave these fields blank, and add a note in the
Comments column.
Note: DNS Server questions are potentially problematic and could leave the local
computer open to various security problems, and could even cause the local PC not to
work properly. There are a number of pieces of malicious software which will change the
Domain Name Server addresses to their own DNS servers in order to monitor what sites
are being visited, hijack the browser sessions, or do other, more nefarious things. If this field
is left blank then the computer will use Dynamic Host Configuration Protocol (DHCP) to
identify the two best DNS servers, and provide the IP addresses for those servers. This
leaves the computer at the mercy of the local DHCP service available when the computer
attaches to a local network. If, on the other hand, DNS IP addresses are provided for
internal DNS servers, those servers may not be available at the time the computer needs
them and it may not operate properly. This is true for well-known DNS servers, such as
Google, OpenDNS, or Verizon, too.
10. The next item on the Physical Configuration worksheet is the Time Server Hostname.
This information has been provided by the network administrator, so type the IP address
172.21.4.10 in the Settings column. Include a note in the Comments column to indicate
the source of the hostname.
Note: The pfSense firewall timestamps log entries, therefore it is essential that all logs use
the same time and date so that they may be easily correlated. Also, one benefit to
specifying an IP address here, as opposed to an actual hostname, is that the Domain
Name Service is not used to resolve an alphanumeric hostname to an IP address and,
therefore, it will be faster and will not be subject to problems (be it security or any other
problem) associated with DNS. The obvious downside to specifying an IP address is that
whenever the IP address of the server is changed, it must be changed everywhere it
appears. Using a hostname instead of an IP address eliminates this step if the IP address
changes.
11. The next item on the Physical Configuration worksheet is Timezone. This information
has been provided by the network administrator, so type Etc/UTC in the Settings
column. Include a note in the Comments column to indicate the source of the Timezone
information.
12. The next item on the Physical Configuration worksheet is the WAN Interface. The
pfSense Firewall wizard allows a choice of DHCP, Static, PPPoE, and PPTP WAN
interface types. According to the network administrator, this computer uses a Point-to-Point Protocol over Ethernet connection, so type PPPoE in the Settings column.
In general, this will be the Layer 2 protocol for all local machines, even if the machines
are in travel status or use a wireless physical interface.
13. The next item on the Physical Configuration worksheet is the MAC Address. If required
by your network configuration, enter the source MAC address field. In this lab, there is
no interface that will require this feature. Leave this field blank, and add a note in the
Comments column.
14. The next item on the Physical Configuration worksheet is the MTU (Maximum
Transmission Unit). For compatibility with the widest range of networks pfSense allows
us to specify an MTU size, but in this lab, you have already specified a PPPoE WAN
interface, so you will use the default value of 1,492 octets maximum. Leave this field
blank, and add a note in the Comments column to indicate the default value is accurate.
15. The next items on the Physical Configuration worksheet are the IPv4 address and
Classless Interdomain Routing (CIDR) /n fields. The pfSense Firewall Setup Wizard
automatically fills in these items, so leave these fields blank, and add a note in the
Comments column to indicate that these items are populated automatically.
16. The next item on the Physical Configuration worksheet is the Gateway. The computer on
the virtual lab uses any available gateway, so a specific Gateway name is not required.
Leave this field blank, and add a note in the Comments column.
17. The next item on the Physical Configuration worksheet is the DHCP Hostname. DHCP
hostname is not required in this configuration, though some Internet Service Providers
require it (for security and verification reasons). Leave this field blank, and add a note
in the Comments column.
18. The next items on the Physical Configuration worksheet are a series of fields related to
the PPPoE WAN interface. The PPPoE connection used by the virtual lab is established
as a permanent connection and requires no specific configuration. Leave these fields
blank, and add a note in the Comments column.
19. The next items on the Physical Configuration worksheet are a series of fields related to
the Point-to-Point Tunneling Protocol (PPTP). The virtual lab does not use Point-to-Point Tunneling Protocol. Leave these fields blank, and add a note in the Comments
column.
20. The next item on the Physical Configuration worksheet is the requirement to block RFC1918
Private Networks. Type YES in the Settings column to block traffic from those networks,
since such traffic is unlikely to come from a requested source.

Note: RFC1918 is an Internet Activity Board document, called a Request for
Comment (which is as close as one gets to a standard on the Internet), that describes
what addresses can be used for private networks, or, more accurately, re-used for all
private networks. Under normal circumstances, these addresses are never seen in the
Internet. Hackers often use traffic with these address ranges in an attempt to confuse
hardware and/or software in a variety of ways. It is a good idea to force the firewall to
block this traffic and not allow it onto your computer.
21. The next item on the Physical Configuration worksheet is the requirement to block bogon
networks. Type Don't block in the Settings column since there are no longer any
unassigned IPv4 address blocks.
Note: Packets with addresses in address spaces not yet assigned by the Internet Assigned
Names and Numbers Authority (IANA), and not described in RFC1918, are referred
to as bogons, or packets with bogus addresses. By setting this configuration option to
Don't block, you are allowing traffic with those addresses. The IANA assigned all of
the IPv4 address blocks as of mid-2011, therefore eliminating the possibility of bogus
address blocks, even though there is no assurance that addresses in those blocks are valid.
22. The next item on the Physical Configuration worksheet is the LAN IP Address
(172.30.0.5) and Subnet Mask of the LAN (/24). The pfSense Firewall Setup Wizard will
automatically fill this field, and it will change from configuration to configuration. Leave
these fields blank, and add a note in the Comments column.
23. The final item on the Physical Configuration worksheet is the Admin password. The
network administrator has asked you to use a specific password, P&ss9999. Type
P&ss9999 in the Settings column as a record of the password, and add a note in the
Comments column.
Note that the new password has the following characteristics: an uppercase character, at
least one special character (the ampersand - &) and numbers, in this case 9999.
Passwords are admittedly poor secrets to secure our assets but are still used extensively
within the Internet and by security tools.
Note: Up to this point, you have planned for the administrative configuration of the local
firewall using the pfSense Firewall Planner spreadsheet. Now, you will complete the
Firewall Rules worksheet.
The first consideration you will encounter is the order of your definition lists. You can
compare the process of defining firewall rules to the process of defining most Access
Control Lists (ACLs). In both cases, the simplest approach is best. These are not
sophisticated programs with conditional branching logic, but rather simple lists of rules
that are evaluated in order, and when there are two conflicting rules, the first rule in the
list that applies is used. For example, if line 3 of the definition says "don't allow X"
for a certain condition, but in line 22 you decide to allow X for the same condition, the
first rule that matches that condition is in line 3, so that is the rule that will always
be followed.

The second consideration is whether the firewall is, by default, permissive or restrictive.
That is to say, whether everything is allowed by default (permissive) or not allowed by
default (restrictive). In the first case (permissive), very few support calls are generated
and users are usually happier because everything that they wish to do is allowed by
default, as rules exist only for known security problems, which rarely interfere with what
a user wants to do. However, this approach also leaves the door open for a wide variety of
security risks. The restrictive approach says that, by default, everything is restricted
unless it is specifically allowed. From a security standpoint, this is the preferred
approach, though it requires more thoughtful configuration of the rules. The second
approach, restrictive, is the one applied by the pfSense Firewall: every type of packet
that is not explicitly passed is blocked by default. In other words, every packet that
comes into the computer is evaluated by the firewall rules and is blocked by the firewall
if it is not explicitly allowed (or passed).
In the next steps, you will use the Firewall Rules worksheet to plan the configuration of a
local firewall for this virtual computer. You will allow specific actions and block
everything else. You will begin by deciding which actions to allow. You must recognize
that any actions you allow may have security implications in and of themselves, but to be
useful you have to allow the computer to do some actions and have some interactions
with the network.
24. Click the Firewall Rules tab at the bottom of the pfSenseFirewallPlanner spreadsheet to
open the Firewall Rules worksheet.
Figure 6 Firewall Rules worksheet
25. Compare the headings in the Firewall Rules worksheet with the following table.
Each field in the worksheet is described in this table. You will need this information to
complete the firewall rules configuration.
Column A, Action: Action indicates the action you wish the pfSense Firewall to take when it
encounters a certain type of network traffic. The choices are pass, block, or reject. The
difference between block and reject is important and only works when the protocol is set
to one of the Internet Protocols: Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP), but not TCP/UDP. In the case of block, the questionable incoming packet is
blocked and discarded (or logged, based upon the setting for that option). There is no
indication to the sender that the packet has not reached the intended destination. If
reject is chosen, then a packet is returned to the sender indicating that the packet or
packets they sent were not accepted. There are numerous cases of the rejected packets being
used by malicious software and malicious individuals to verify that a computer exists at
the designated IP address, and then to attempt additional infiltration. It is, therefore,
recommended that traffic be rejected only in very specific cases.
Column B, Disabled: Disabled allows a rule to be disabled but not deleted. This can be used
for testing purposes or to temporarily allow a certain action.
Column C, Interface: Interface allows a firewall rule to be applied only to a specific
interface (WAN or LAN) or type of tunnel within the interface (PPPoE, PPTP or IPSec).
Column D, Protocol: Protocol allows rules to be applied only to certain types of packets
that use a specific protocol.
Columns E-H, Source IP Address: Source IP Address allows inverting the address comparison
(if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.
Columns I-J, Source Port Range: Source Port Range allows the rule to be applied only to
specific source port ranges or to any source port range. Because the source computer uses
the ephemeral ports (usually port numbers from 49152 to 65535) as the source port and can
use any available ephemeral port, this option is usually left blank or Any.
Column K, Source O/S: Source O/S allows for traffic to be allowed by a certain rule only
from specific operating systems and only for Transmission Control Protocol (TCP) traffic.
Columns L-O, Destination IP Address: Destination IP Address allows inverting the address
comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n)
indicator.
Columns P-Q, Destination Port Range: Destination Port Range allows the rule to be applied
only to specific destination port ranges or to any destination port range.
Column R, Log: Log indicates if the packets handled by this specific rule should be logged.
Column S, Description: Description allows a brief alphanumeric description of each rule to
be entered.

27. Note: In this lab, you will allow the traffic displayed in this figure.

Figure 7 Firewall Rules allowable traffic


The pfSense Firewall requires a different rule for Secure Hypertext Transfer Protocol
(HTTPS) traffic. At this time we will not specify a rule for HTTPS traffic. This means
that when the browser encounters a web site that uses HTTPS, that traffic will not be
passed through the firewall. Keep in mind that this is a good example for a lab exercise,
but not for practical implementation. In actual implementations there should also be a
rule to pass, block, or reject HTTPS traffic.
28. In Column S of the Firewall Rules worksheet, type Internet browsing.
You will create a rule to allow browsing of the Internet according to the following
definition: Pass (Column A) all traffic on the LAN interface (Column C) using TCP
protocol (Column D) from any type of address with any value with any subnet mask
(Column E-H) for the standard port range for Hyper Text Transport Protocol (HTTP)
(Column I-J) for any operating system (Column K) for any Destination IP Address
(Column L-O) for the HTTP port range (Column P-Q) and there is no need to log the
traffic (Column R).
29. In Column A of the Firewall Rules worksheet, select Pass from the drop-down list to
allow Internet traffic.
30. In Column C, type LAN.
31. In Column D, type TCP.
32. In Column F and G, type Any.
33. In Column I and J, type Any.
34. In Column K, type Any.
35. In Column M and N, type Any.
36. In Column P and Q, type HTTP.
37. In Column R, type No.
38. Repeat steps 26-35 to create the following rule descriptions. If necessary, use the
following table to determine which adjustments to make.
o Allow email to/from anyone, specify the port range as that used by the Simple
Mail Transfer Protocol (SMTP)
o Allow File Transfer Protocol (FTP) so that users can send files back and forth
o Allow Domain Name Service (DNS) so that users can type URLs, instead of
requiring them to know specific IP addresses of any Web sites they wish to visit
o Allow Internet Control Message Protocol (ICMP) messages, such as the PING
diagnostic message
o Allow Dynamic Host Configuration Protocol (DHCP) so that the computer will
get an IP address dynamically
Firewall Rule    Protocol    Destination Port Range
Allow SMTP       TCP         Any-Any
Allow FTP        TCP         Any-Any
Allow DNS        TCP         Any-Any
Allow ICMP       ICMP        Any-Any
Allow DHCP       UDP         67-68

39. Close the Network and Sharing Center window.

Part 2: Configuring the Firewall


1. Double-click the pfSense firewall icon on the virtual desktop to open the pfSense
Firewall application within an Internet Explorer window.
Figure 8 pfSense Firewall splash screen
2. Click OK to accept the default username and password and open the application.
3. Maximize the application window, if necessary.
Figure 9 pfSense Firewall System Overview
4. Click System > Setup wizard from the pfSense menu.
Figure 10 pfSense Setup Wizard initial configuration screen
5. Click Next to continue.
6. Refer to the Physical Configuration worksheet from the pfSenseFirewallPlanner
spreadsheet that you completed in Part 1 of this lab.
7. Use the entries in the Settings column of the Physical Configuration worksheet to
complete the fields on the pfSense Firewall Setup Wizard.
Figure 11 pfSense configuration settings
8. Click Next to continue.
9. Repeat steps 7-8 for the remaining fields of the pfSense Firewall Setup Wizard.
10. When prompted by the pfSense Firewall Setup Wizard, click Reload to reload pfSense
with new changes.
Figure 12 pfSense Firewall Setup Wizard Reload prompt
11. When prompted, type P&ss9999, the new pfSense Firewall password to continue.
While reloading, the pfSense Firewall will display a progress meter. When the process is
completed, the pfSense Firewall System Overview screen will be displayed.
12. Click Firewall > Rules from the pfSense Firewall menu to configure the firewall with
the rules you defined in Part 1 of this lab.

Notice that there is already a rule on the WAN tab: Block private networks. This rule
was created as a result of running the pfSense Configuration Wizard because of the action
you took in Step 20 of Part 1 of this lab. In that step, you opted to block RFC1918 Private
Networks, and you selected that checkbox during the Configuration Wizard process.
Those actions are reflected here.
Figure 13 pfSense Rules specification screen
13. Refer to the Firewall Rules worksheet of the pfSenseFirewallPlanner spreadsheet and
add the Block private networks rule definition.
Note: The purpose of the pfSenseFirewallPlanner spreadsheet is to plan the firewall
configuration in advance; however, as you learned earlier, even the most diligent planner
can overlook something (the rule definition to block private networks, in this case), so
recording any changes to the original plan makes the completed pfSenseFirewallPlanner
spreadsheet an excellent starting point for replicating this configuration in the future.
14. Click the LAN tab to begin adding the new rules that you configured in Part 1 of this
lab.
Notice that there is already a rule on the LAN tab: Default LAN -> Any. This rule
allows any traffic that originates on, or goes through, the Local Area Network to which
the computer is attached. This is safe and reasonable on a desktop computer that will not
be moved to a public location such as a coffee shop or airport lounge, but might not be
the wisest choice for a laptop. For the purposes of this lab, leave the rule as is. You will
need to add this existing rule to the pfSenseFirewallPlanner spreadsheet.
15. Double-click the Default LAN -> any row to open the Firewall: Rules: Edit screen.
16. Use the data in the Firewall: Rules: Edit fields to record the rule in the
pfSenseFirewallPlanner.
17. Click Cancel to return to the Firewall Rules screen without making any changes to the
existing rule.
18. Click the Plus button (the Add new rule button) at the bottom right side of the Rules
table on the pfSense Firewall application window to add a new rule.
Figure 14 Add new rule button
19. Use the entries in the Firewall Rules worksheet to create a rule for Internet browsing.
You will notice that there are additional fields in this screen (Advanced Options, State
Type, No XMLRPC Sync, Schedule and Gateway). Do not make any changes to those
fields for the purposes of this lab.
Figure 15 New Firewall Rules: Edit screen
20. Click Save to save the rule and return to the Firewall Rules screen.

Figure 16 pfSense Rules table


21. Repeat steps 18-20 for the remaining rules on the Firewall Rules worksheet.
Figure 17 Completed pfSense Rules table
22. Make a screen capture showing your completed Rules table and paste it into your Lab
Report file.
23. After any discrepancies in the rules have been corrected, click the Apply changes button
above the Rules table to apply the rule changes that you have made to the firewall.
Figure 18 Apply changes button
After the settings have been applied, the red message bar will change to indicate that fact.
Figure 19 Confirmation message
24. Save the completed spreadsheet as yourname_pfSenseFirewallPlanner.xls, replacing
yourname with your own name and submit the file with your lab deliverables.
25. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.

Lab #3 - Assessment Worksheet


Configuring a pfSense Firewall on the Client
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab, you first planned a configuration of the pfSense Firewall to protect a client computer
using a spreadsheet, the pfSenseFirewallPlanner. The pfSense Firewall is a current generation

product which has most of the functionality and options that will be found in most firewall
products though the implementation may vary somewhat from firewall to firewall. In the second
part of the lab, you configured the pfSense Firewall using the planning spreadsheet that you
created in Part 1 of the lab.

Lab Assessment Questions


1. TCP stands for?

2. UDP stands for?

3. The File Transfer Protocol (FTP) uses which transport protocol, TCP or UDP?

4. The PING diagnostic is part of which protocol?

5. TCP uses which Layer 3 protocol?

6. UDP uses which Layer 3 protocol?

7. Hyper Text Transfer Protocol (HTTP) and Secure HTTP (HTTPS) are the same protocol
from a standpoint of passing or blocking them with a firewall. True or False?

8. A Host is defined as ___________________

Toolwire Lab 4: Configuring a pfSense Firewall on the Server
Introduction
Click the link below to view the network topology for this lab:
Topology
The term firewall is actually adopted from aircraft or auto engineering - take your pick. The
firewall in an aircraft or car, just as it does in network security, blocks bad stuff from the area
that contains people. In an aircraft or car the firewall is the actual, physical, fireproof wall
between the cockpit and the passenger compartment, or between the engine compartment and the
driver and passengers. In networking, a firewall is either software or dedicated hardware
that sits between the network and the resource being protected. The firewall used in this
virtual environment is the pfSense Firewall software application.
In this lab, you will delve into the configuration of the pfSense Firewall to protect a server. The
pfSense Firewall is a current-generation product with most of the functionality and options that
are found in most firewall products, though the implementation may vary from firewall to
firewall. The actual keystrokes will vary little between configuring a firewall to protect a server
and configuring one to protect a client machine, but the thought process - the logic - will be very
different.
This lab has three parts, which should be completed in the following order:
1. In the first part of the lab, you will plan the implementation of a remote pfSense Firewall
using a spreadsheet. You will answer all of the configuration questions in advance of
actually making any changes to the firewall.
2. In the second part of the lab, you will implement the configuration choices that you
planned in Part 1 of this lab.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your
own in the third part of the lab to answer a set of challenge questions that allow you to
use the skills you learned in the lab to conduct independent, unguided work, similar to
what you will encounter in a real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:
1. Complete a Physical Configuration planning worksheet and understand the general rules
of physical configuration planning for a firewall that protects a server.
2. Complete the Firewall Rules planning worksheet and understand the general rules for
firewall rules planning for a firewall that protects a server.
3. Configure the physical connectivity of a firewall that protects a server.
4. Configure firewall rules for a firewall that protects a server.

Tools and Software


The following software and/or utilities are required to complete this lab. Students are encouraged
to explore the Internet to learn more about the products and tools used in this lab.

pfSense Firewall

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. A completed pfSenseFirewallPlanning_EmailServer.xlsx spreadsheet;
2. Lab Report file including a screen capture of successful local firewall configuration (Part
2, Step 29);
3. Lab Assessments file;
4. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics


The following are the evaluation criteria for this lab that students must perform:
1. Complete a Physical Configuration planning worksheet and understand the general rules
of physical configuration planning of a firewall that protects a server. - [5%]

2. Complete the Firewall Rules planning worksheet and understand the general rules for
firewall rules planning of a firewall that protects a server. - [60%]
3. Configure the physical connectivity of a firewall that protects a server. - [5%]
4. Configure firewall rules of a firewall that protects a server. - [30%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Planning the Configuration


Note: There are two different approaches to configuring a firewall, or any computer software for
that matter. The first, and most common, is to dive right in and trust that the process will be
fairly easy and straight-forward. The second approach is to plan the configuration steps in
advance before implementing your choices. While the dive right in approach is very common,
especially in smaller shops or for home environments, the more prudent, careful, and
professional approach is to plan the configuration in advance. By documenting the configuration
choices in advance, carefully considering each in the proper context, you streamline your process
and increase the chances of the desired outcome on the first pass. Even the most diligent
planner can overlook something. By recording any changes made during the implementation
process, you will have a starting point for replicating the configuration in the future,
either to assist in adding new firewalls or in replacing the existing one.
In the next steps, you will complete the pfSenseFirewallPlanner_EmailServer spreadsheet. This

spreadsheet contains two worksheets: Physical Configuration and Firewall Rules. The
spreadsheet was designed to document answers to the questions prompted by the pfSense
Firewall Configuration Wizard, in the order you will be required to answer them. You will
record the configuration settings for the pfSense Firewall in this spreadsheet as you proceed
through the lab. It is a good idea to scan Part 2 of this lab if you are unfamiliar with firewall
configurations. Seeing how the questions are posed by the wizard might help you understand
how the pfSenseFirewallPlanner_EmailServer spreadsheet works in conjunction with the wizard.
Many of the steps in this part of the lab follow basic Windows conventions in Windows Server
2008. If you are an experienced Windows user who is already familiar with these steps, feel free
to write down the information provided and move ahead with the lab exercises. If you are not
familiar with these functions, please follow the steps and see the results but also understand that
they vary somewhat between different versions of Windows and vary greatly from the way
similar information is derived in other operating systems.

1. Click the File Transfer button on the vWorkstation desktop to transfer the
pfSenseFirewallPlanner_EmailServer spreadsheet from the virtual desktop to your local
computer.
2. Open the pfSenseFirewallPlanner_EmailServer spreadsheet on your local computer.
This is a blank firewall planning spreadsheet that you will use to plan the configuration of
the Firewall software prior to making any changes in the software itself. It is also used to
record any configuration changes to this original plan.
Note: There are many factors to consider when planning how a server will be set up and
secured. Because the lab environment is intended to be as straightforward as possible,
you will configure a single, stand-alone server that provides only a single service: e-mail.
In an actual production environment, it is possible that multiple e-mail servers are
configured on the same, shared, hardware or that the same hardware be used to support
multiple services, such as Web services and the File Transfer Protocol, in addition to email. Look at each service offered in the following figure and determine what must be
configured and why.
Figure 2 Server configuration environment
In this figure, the server is the machine on the right. The first protocol allowed for the
server is the File Transfer Protocol (FTP). Allowing this protocol will allow new software
to be loaded to the server and other support files to be copied as needed. A more secure
approach would be to not allow FTP at all, instead, loading new software and other
needed files locally via CD/DVD or USB memory stick. While this approach is more
secure, it is not as convenient and requires that a human be seated at the e-mail server,
rather than remotely connected. In this virtual lab, you will turn off the firewall rule that
allows FTP except when the server is being updated. Another option would to use secure
FTP (sFTP) protocol, which encrypts the file transfer commands.

Domain Name Service (DNS) is allowed on this server because the e-mail server uses
DNS for a variety of functions, such as resolving IP addresses of domain names
associated with e-mail addresses, and therefore, it must be explicitly allowed.
The Simple Mail Transfer Protocol (SMTP) and the Post Office Protocol (POP3) are both
allowed so that the e-mail server may send (POP3) and receive (SMTP) e-mail. This may
seem backwards from what is normally understood, but remember that the POP3 protocol
is between the e-mail server and the e-mail client and allows the client to receive (and
therefore the server to send) emails. The reverse is true of SMTP: the e-mail client sends
and the e-mail server receives. And what about the more secure POP3S? It will not be
considered in this lab, nor will the more complex Internet Message Access Protocol
(IMAP) which may be used in place of, or in addition to, POP3 or POP3S.
Lastly, Secure Shell (SSH) is allowed on both the remote e-mail server whose firewall is
being configured as well as on the workstation from which the configuration is being
done. As mentioned in the discussion on FTP, it would be far more secure though far less
convenient to require administration of the e-mail server to be performed by a person
sitting directly in front of the server.
3. Refer to the Firewall Rules worksheet of the pfSenseFirewallPlanner_EmailServer
spreadsheet to determine the first item.
The first item on the Physical Configuration worksheet is Hostname. A hostname is the
unique name of the computer (host) on the network capable of originating or responding
to an interaction using the Internet Protocol. The hostname has been assigned by the
system administrator as email-server. The Internet Protocol address, which also serves as
the domain for this server, associated with the e-mail server is an IP version 4 (IPv4)
address of 172.30.0.100.
Note: Do not forget that the e-mail server is a different machine from the vWorkstation
desktop. Later in this lab, you will use the pfSense Firewall software to connect to the email server remotely and configure it.
Figure 3 pfSenseFirewallPlanner_EmailServer spreadsheet
4. In the Settings column of the Physical Configuration worksheet in the Hostname row,
type email-server.
5. In the Comments column of the Physical Configuration worksheet, type *changed for
each configuration to indicate that this information will vary with each computer that
will be configured.
6. In the Settings column of the Physical Configuration worksheet in the Domain row, type
172.30.0.100.
7. In the Comments column of the Physical Configuration worksheet, type Provided by the
administrator to indicate that this information will vary with each computer that will be
configured.

8. In the Settings column of the Physical Configuration worksheet in the Allow DNS server
list to be overwritten row, type Yes.
Note: DNS Server questions are potentially problematic and could leave the local
computer open to various security problems, and could even cause the local PC not to
work properly. There are a number of pieces of malicious software that will change the
Domain Name Server addresses to its own DNS Servers in order to monitor what sites
are being visited, hijack the browser sessions, or other, more nefarious things. If the DNS
Server fields are left blank and a numeric IP address is used in the Domain field, as is the
case with this configuration, then the computer will not use Dynamic Host Configuration
Protocol (DHCP), which is not allowed anyway, and security vulnerabilities due to DNS
can be avoided completely.
9. In the Comments column of the Physical Configuration worksheet, type Provided by the
administrator to indicate that this information will vary with each computer that will be
configured.
Note: There are additional physical configuration questions, such as information about
the username and password for this server, which will have already been answered
correctly by the system administrator at the time the server was installed. You will know
that the firewall was properly configured if you are able to remotely access the e-mail
server using the pfSense Firewall software. In the interest of being thorough and secure,
you will review the options used to configure the e-mail server and record them in the
pfSenseFirewallPlanner_EmailServer spreadsheet during Part 2 of this lab.
10. Save the completed spreadsheet as
yourname_pfSenseFirewallPlanner_EmailServer.xls, replacing yourname with your
own name and submit the file with your lab deliverables.
Note: Up to this point, you have planned for the administrative configuration of the
remote e-mail firewall using the pfSenseFirewallPlanner_EmailServer spreadsheet. Now,
you will complete the Firewall Rules worksheet.
The first consideration you will encounter is the order of your definition lists. You can
compare the process of defining firewall rules to the process of defining most access
control lists (ACLs). In both cases, the simplest approach is best. These are not
sophisticated programs with conditional branching logic, but rather simple lists of rules
that are evaluated in order, and when there are two conflicting rules, the first rule in the
list that applies is used. For example, if line 3 of the definition says "don't allow X"
for a certain condition, but in line 22 you decide to allow X for the same condition, the
first rule that matches that condition is in line 3, so that is the rule that will always
be followed.
The second consideration is whether the firewall is, by default, permissive or restrictive.
That is to say whether everything is allowed by default (permissive) or not allowed by
default (restrictive). In the first case (permissive), very few support calls are generated

and users are usually happier because everything they wish to do is allowed by default as
rules exist only for known security problems, which rarely interfere with what a user
wants to do. However, this approach also leaves the door open for a wide variety of
security risks. The restrictive approach says that, by default, everything is restricted
unless it is specifically allowed. This approach is known as "default deny". From a
security standpoint, this is the preferred approach, though it requires more thoughtful
configuration of the rules. The second approach, restrictive, is applied by the pfSense
Firewall: every type of packet that is not explicitly allowed (or passed) is blocked by
default. In other words, every packet that comes into the computer is evaluated by the
firewall rules and is blocked by the firewall if it is not explicitly allowed.
In the next steps, you will use the Firewall Rules worksheet to plan the configuration of
the remote e-mail firewall. You will allow specific actions and block everything else.
You will begin by deciding which actions to allow. You must recognize that any actions
you allow may have security implications in and of themselves, but to be useful you have
to allow the computer to do some actions and have some interactions with the network.
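As an added example (not code from the lab or from pfSense), the following Python model shows the first-match, default-deny evaluation described in this passage and in the matching Lab 3 passage, run against a rule set constructed from the e-mail server description above (FTP kept but disabled, DNS, SMTP, POP3, SSH). The standard port numbers, the placement of Internet traffic on WAN and the server's own traffic on LAN, and the use of 172.30.0.5 as the administrator's host are assumptions.

```python
"""First-match firewall rule evaluation with a default-deny policy.
Added example, not code from the lab or from pfSense. It models the columns
of the Firewall Rules worksheet and evaluates packets the way the lab
describes: rules are read top to bottom, the first enabled rule that matches
decides, and a packet that no rule passes is blocked."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = None  # the worksheet value "Any": matches everything
PortRange = Optional[Tuple[int, int]]

@dataclass(frozen=True)
class Rule:
    action: str                 # column A: "pass", "block" or "reject"
    interface: str              # column C: interface the packet arrives on
    protocol: Optional[str]     # column D: "TCP", "UDP", "ICMP" or ANY
    source: Optional[str]       # columns E-H: IPv4 CIDR or ANY
    source_ports: PortRange     # columns I-J: (low, high) or ANY
    destination: Optional[str]  # columns L-O: IPv4 CIDR or ANY
    dest_ports: PortRange       # columns P-Q: (low, high) or ANY
    description: str            # column S
    disabled: bool = False      # column B: kept in the plan, skipped at run time
    log: bool = False           # column R

@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None  # ICMP carries no ports
    dport: Optional[int] = None

def _addr_ok(addr: str, net: Optional[str]) -> bool:
    return net is ANY or ip_address(addr) in ip_network(net)

def _port_ok(port: Optional[int], rng: PortRange) -> bool:
    return rng is ANY or (port is not None and rng[0] <= port <= rng[1])

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every populated column of an enabled rule agrees with the packet."""
    return (not rule.disabled
            and rule.interface == pkt.interface
            and (rule.protocol is ANY or rule.protocol == pkt.protocol)
            and _addr_ok(pkt.src, rule.source)
            and _port_ok(pkt.sport, rule.source_ports)
            and _addr_ok(pkt.dst, rule.destination)
            and _port_ok(pkt.dport, rule.dest_ports))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins; with no match the implicit default-deny rule blocks it."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"

# Plan constructed from the lab's description of the e-mail server (FTP, DNS,
# SMTP, POP3, SSH). Assumptions: standard port numbers; Internet traffic
# enters on WAN and the server's own traffic enters on LAN; 172.30.0.5 (the
# Lab 3 vWorkstation address) is the administrator's host.
SERVER = "172.30.0.100/32"  # e-mail server address given in the lab
ADMIN = "172.30.0.5/32"
EMAIL_SERVER_RULES = [
    Rule("pass", "WAN", "TCP", ANY, ANY, SERVER, (21, 21),
         "Allow FTP (enable only while updating)", disabled=True),
    Rule("pass", "WAN", "TCP", ANY, ANY, SERVER, (25, 25), "Allow SMTP"),
    Rule("pass", "WAN", "TCP", ANY, ANY, SERVER, (110, 110), "Allow POP3"),
    Rule("pass", "WAN", "TCP", ADMIN, ANY, SERVER, (22, 22), "Allow SSH (admin)"),
    Rule("pass", "LAN", "UDP", SERVER, ANY, ANY, (53, 53), "Allow DNS lookups"),
]

# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "smtp_in":   Packet("WAN", "TCP", "203.0.113.9", "172.30.0.100", 40000, 25),
    "pop3_in":   Packet("WAN", "TCP", "203.0.113.9", "172.30.0.100", 40001, 110),
    "ftp_in":    Packet("WAN", "TCP", "203.0.113.9", "172.30.0.100", 40002, 21),
    "ssh_admin": Packet("WAN", "TCP", "172.30.0.5", "172.30.0.100", 40003, 22),
    "ssh_other": Packet("WAN", "TCP", "203.0.113.9", "172.30.0.100", 40004, 22),
    "dns_out":   Packet("LAN", "UDP", "172.30.0.100", "198.51.100.53", 50000, 53),
    "https_in":  Packet("WAN", "TCP", "203.0.113.9", "172.30.0.100", 40005, 443),
    "ping_in":   Packet("WAN", "ICMP", "203.0.113.9", "172.30.0.100"),
}

def classify(rules: List[Rule], packets: Dict[str, Packet]) -> Dict[str, str]:
    """Action taken for each sample packet (unmatched traffic hits the default deny)."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in packets.items()}

def ordering_demo() -> Tuple[str, str]:
    """Line 3 vs line 22: the same block rule wins before the SMTP pass rule, never after."""
    block_smtp = Rule("block", "WAN", "TCP", ANY, ANY, SERVER, (25, 25), "Block SMTP")
    pkt = SAMPLE_PACKETS["smtp_in"]
    first, _ = evaluate([block_smtp] + EMAIL_SERVER_RULES, pkt)
    last, _ = evaluate(EMAIL_SERVER_RULES + [block_smtp], pkt)
    return first, last

if __name__ == "__main__":
    for name, action in classify(EMAIL_SERVER_RULES, SAMPLE_PACKETS).items():
        print(f"{name:10} -> {action}")
    print("block rule first / last:", ordering_demo())
```

The disabled FTP rule, the HTTPS and ping packets and SSH from a non-administrator host all fall through to the default deny, while the same block rule that wins at the top of the list never fires at the bottom.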
11. Click the Firewall Rules tab at the bottom of the pfSenseFirewallPlanner_EmailServer
spreadsheet to open the Firewall Rules worksheet.
Figure 4 Firewall Rules worksheet
12. Compare the headings in the Firewall Rules worksheet with the following table.
Each field in the worksheet is described in this table. You will need this information to
complete the firewall rules configuration.
Column | Column Title | Description
A | Action | Action indicates the action you wish the pfSense Firewall to take when it encounters a certain type of network traffic. The choices are pass, block, or reject. The difference between block and reject is important and only works when the protocol is set to one of the Internet protocols: Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), but not TCP/UDP. In the case of block, the questionable incoming packet is blocked and discarded (or logged, based upon the setting for that option). There is no indication to the sender that the packet has not reached the intended destination. If reject is chosen, a packet is returned to the sender indicating that the packet or packets they sent were not accepted. There are numerous cases of the rejected packets being used by malicious software and malicious individuals to verify that a computer exists at the designated IP address, and then to attempt additional infiltration. It is, therefore, recommended that traffic be rejected only in specific cases.
B | Disabled | Disabled allows a rule to be disabled but not deleted. This can be used for testing purposes or to temporarily allow a certain action.
C | Interface | Interface allows a firewall rule to be applied only to a specific interface (WAN or LAN) or type of tunnel within the interface (PPPoE, PPTP, or IPSec).
D | Protocol | Protocol allows rules to be applied only to certain types of packets that use a specific protocol.
E-H | Source IP Address | Source IP Address allows inverting the address comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.
I-J | Source Port Range | Source Port Range allows the rule to be applied only to specific source port ranges or to any source port ranges. Because the source computer uses the ephemeral ports (usually port numbers from 49152 to 65535) as the source port and can use any available ephemeral port, this option is usually left blank or Any.
K | Source O/S | Source O/S allows for traffic to be allowed by a certain rule only from specific operating systems and only for Transmission Control Protocol (TCP) traffic.
L-O | Destination IP Address | Destination IP Address allows inverting the address comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.
P-Q | Destination Port Range | Destination Port Range allows the rule to be applied only to specific destination port ranges or to any destination port range.
R | Log | Log indicates if the packets handled by this specific rule should be logged.
S | Description | Description allows a brief alphanumeric description of each rule to be entered.

13.
14. Note: In the next steps, you will use the Firewall Rules worksheet to plan the
configuration of a local firewall for this virtual computer. You will allow specific actions
and block everything else. You will begin by deciding which actions to allow. You must
recognize that any actions you allow may have security implications in and of
themselves, but to be useful you have to allow the computer to do some actions and have
some interactions with the network. In this lab, you will allow the traffic displayed in this
figure.
Figure 5 Firewall Rules allowable traffic
The pfSense Firewall requires a different rule for Secure Hypertext Transfer Protocol
(HTTPS) traffic. At this time we will not specify a rule for HTTPS traffic. This means
that when the browser encounters a Web site that utilizes the HTTPS protocol, traffic will
be blocked by the firewall. Keep in mind that this is a good example for a lab exercise but
not for practical implementation. In actual implementations there should also be a rule to
pass, block, or reject HTTPS traffic.
15. In Column S of the Firewall Rules worksheet, type File Transfer Protocol. Don't forget
that we are going to configure the server, the device on the right-hand side of the diagram
in Figure 5.
You will create a rule to allow file transfers to and from the Internet to facilitate the
loading and updating of the software on the e-mail server, according to the following
definition: Pass (Column A) all traffic on the LAN interface (Column C) using TCP
protocol (Column D) from any type of address with any value with any subnet mask
(Columns E-H) for the standard port range (Columns I-J) for any operating system
(Column K) for any destination IP address (Columns L-O) for the FTP port range
(Columns P-Q) and there is no need to log the traffic (Column R).
16. In Column A of the Firewall Rules worksheet, select Pass from the drop-down list to
allow Internet traffic.
17. In Column C, type LAN.
18. In Column D, type TCP.
19. In Columns F and G, type Any.
20. In Columns I and J, type Any.
21. In Column K, type Any.
22. In Columns M and N, type Any.
23. In Columns P and Q, type FTP.
24. In Column R, type No.
25. Repeat steps 13-22 to create the following rule descriptions, making adjustments where
necessary. Use the following table as a guide.

Allow Domain Name Service (DNS) so that the e-mail software can resolve text URLs
into numeric IP addresses instead of requiring them to be typed in as IP addresses. This is
very useful for the e-mail server in functions varying from resolving destination
addresses such as email.user@emailserver.com to checking allowed and blacklisted
e-mail servers so that Unsolicited Commercial Email (UCE/SPAM) can be detected and,
potentially, blocked.
Allow e-mail to be received to/from anyone using Simple Mail Transfer Protocol
(SMTP).
Allow Post Office Protocol, version 3 (POP3) so that users can retrieve e-mail from the
server.
Allow Secure Shell (SSH) so that the e-mail server can be remotely managed by a secure
command-line interface. (SSH is quickly replacing Telnet for this purpose.)
Firewall Rule | Protocol | Destination Port Range
Allow DNS | TCP | Any-Any
Allow SMTP | TCP | Any-Any
Allow POP3 | TCP | Any-Any
Allow SSH | TCP | Any-Any

Note: Three very important protocols are not defined on the e-mail server in this lab: HTTP,
DHCP, and ICMP. If you wish to use a browser for any reason on the e-mail server, either HTTP
and/or its secure version, HTTPS, must be defined. In our case, the server will be managed
remotely using an application that communicates with the e-mail server using the Secure Shell
(SSH) protocol. The Dynamic Host Configuration Protocol is not used because the server will be
statically configured with a non-changing IP address and other characteristics. In addition,
Internet Control Message Protocol (ICMP) will not be allowed in this lab because it is not
desirable for the e-mail server in this environment to respond to ICMP requests and be
susceptible to the associated vulnerabilities. This is an individual decision of the organization
that owns and/or administers the server and varies from environment to environment.

Part 2: Configuring the Firewall


1. Double-click the pfSense firewall icon on the virtual desktop to open the pfSense
Firewall application within an Internet Explorer window.
Figure 6 pfSense Firewall splash screen
2. Click OK to accept the default username and password and open the application.
3. Maximize the application window, if necessary.
Figure 7 pfSense Firewall System Overview
4. Click System > General Setup from the pfSense menu.
5. Refer to the Physical Configuration worksheet from the
pfSenseFirewallPlanner_EmailServer spreadsheet that you completed in Part 1 of this
lab.
6. Use the entries in the Settings column of the Physical Configuration worksheet to
complete the Hostname and Domain fields on the pfSense Firewall System: General
Setup screen.
You will be configuring the firewall on the e-mail server, not the local virtual computer,
so you will need to overwrite any existing information on the General Setup screen to
properly configure the server.
Figure 8 pfSense System General Setup

7. Use the data from the System: General Setup screen to complete the Physical
Configuration worksheet of the pfSenseFirewallPlanner_EmailServer spreadsheet and
properly document the server firewall.

Note: Remember, the purpose of the pfSenseFirewallPlanner_EmailServer spreadsheet is
to plan the firewall configuration in advance. However, as you learned earlier, even the
most diligent planner can overlook something (the rule definition to block private
networks, in this case). Recording any changes to the original plan makes the completed
pfSenseFirewallPlanner_EmailServer spreadsheet an excellent starting point for
replicating this configuration in the future.
8. Compare the data from the Physical Configuration worksheet of the
pfSenseFirewallPlanner_EmailServer spreadsheet with the fields on the System: General
Setup screen, and record any missing information in the spreadsheet.
9. Click Save at the bottom of the System: General Setup screen to continue.
The following message will appear at the top of the pfSense Firewall System: General
Setup screen indicating that the configuration changes, if any, have been applied.
Figure 9 pfSense has saved the desired changes
10. On the pfSense Firewall menu, click Firewall > Rules to open the Firewall: Rules screen
on the WAN tab.
Figure 10 pfSense Firewall WAN Rules table
11. Click the LAN tab to begin adding the new rules that you configured in Part 1 of this
lab.
Figure 11 Firewall LAN Rules table
Notice that there is already a rule on the LAN tab: Default LAN -> any. This rule
allows any traffic that originates on, or goes through, the local area network to which the
computer is attached.
12. Double-click the Default LAN -> any row to open the Firewall: Rules: Edit screen.
13. Use the data in the Firewall: Rules: Edit fields to record the rule after the last entry in
the Firewall Rules worksheet of the pfSenseFirewallPlanner_EmailServer spreadsheet.
14. Click Cancel to return to the Firewall Rules screen without making changes to the
existing rule.
You will notice that there is an additional field in this screen (Theme). Do not make any
changes to that field for the purposes of this lab.

15. Click the Plus button at the bottom right side of the Rules table on the pfSense Firewall
application window to add a new rule.
Figure 12 Add new rule button
16. Use the entries in the Firewall Rules worksheet to create a rule for File Transfer
Protocol.
Figure 13 New Firewall Rules: Edit screen
17. Click Save to return to the Firewall Rules screen.
18. Repeat steps 15-17 for the remaining rules on the Firewall Rules worksheet.
19. Compare your Rules table with the one in the following figure.
Figure 14 pfSense Firewall LAN Rules table
20. After any discrepancies in the rules have been corrected, click the Apply changes button
above the Rules table to apply the rule changes that you have made to the firewall.
Figure 15 Apply changes button
After the settings have been applied, the red message bar will change to indicate that fact.
Figure 16 Confirmation message
Note: Up to this point, configuration of the firewall has been done using the Telnet
protocol. However, it is more secure to use the Secure Shell (SSH) protocol, which
makes it more difficult for hackers to reconfigure our e-mail server firewall remotely. In
the next steps, you will change the remote configuration protocol to SSH.
21. From the pfSense Firewall menu, click System > Advanced.
22. Use the scrollbar on the pfSense Firewall as necessary to locate the Secure Shell portion
of the System: Advanced functions screen.
23. Click the Enable Secure Shell checkbox to enable this option.
For this lab all of the remaining fields will be left at their defaults, though it is strongly
advised to use authorized keys to authenticate users in an actual implementation.
Figure 17 System: Advanced functions screen
24. Click Save to complete the change.
Note: There is only one administrative step left: saving a copy of the configuration file
so that this configuration may be easily restored if there is a problem. Problems that
would require restoration of the configuration file could be unintentional, such as a
complete hardware crash of the server, an unintentional modification of the configuration
due to careless typing, or even memory modification due to a cause such as static
electricity. Intentional problems could also warrant restoration of the configuration file.
Malicious insiders could intentionally replace or modify the configuration file. Malicious
outsiders or malware could do the same. The backup configuration file for this lab will be
stored, and restored if needed, locally, but it is common practice for backup copies of
configuration files to be stored in a separate, secure server and transferred either via FTP
or, better yet, by an external USB memory stick.
25. From the pfSense Firewall menu, select Diagnostics > Backup/Restore.
Figure 18 Diagnostics: Backup/restore screen
26. Click the Download configuration button.
27. Click Save on the resulting File Download dialog box to open the Save As dialog box
and click Downloads to save the file in the Downloads folder.
Figure 19 Save As dialog box
28. Accept the default options in this dialog box, and click Save.
Figure 20 Download complete dialog box
29. Make a screen capture showing the Download complete dialog box and paste it into
your Lab Report file.
Note: At this point of the lab, you may click Close to close the dialog box and end this
part of the lab; however, the configuration information in this backup/restore file is stored
in a human- and machine-readable format called eXtensible Markup Language (XML) that is
a couple of evolutionary steps up from Hypertext Markup Language (HTML) and some
other markup languages used on the Internet. If you are interested in learning more about
this topic, click Open to open the text file containing the XML code and inspect what is
displayed. You will note that there are <tags> defined to contain all of the information in
the firewall configuration and that they contain values that were either entered as a part of
this lab or are default values provided by the pfSense Firewall application.
It will probably also occur to you that humans with editor programs (such as this one) or
other programs could read, and potentially modify, this file. It may also occur to you that
you could bypass the clunky and cumbersome menu structure and go right to entering the
XML in the configuration file, as many professionals do. You could also write code to
generate different, custom configuration files to assure consistency and reduce typos.
There is really no limit to what can be accomplished with this type of code.
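As an added illustration of generating a configuration file from the planning spreadsheet (this is not pfSense's code nor the lab's), the following Python writes the Part 1 rules in the rule-element layout of a pfSense config.xml, reads them back, and flags any default-permit rule such as the Default LAN -> any rule seen in Part 2. The element names are an assumption to check against the file you downloaded in step 26; the port numbers are the standard ones for each service, which the worksheet only names.

```python
"""Generate and audit pfSense-style firewall rules as XML.

Added example for this lab, not pfSense's own code. The element names
(<filter><rule><type><interface><protocol><source><destination><port>
<descr>) follow the layout of a pfSense config.xml, but the exact schema is
an assumption: compare the output with the file downloaded in step 26.
The rule rows are the ones planned in Part 1; the port numbers are the
standard ports for each service (the worksheet only names the service).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Sequence, Tuple

# (description, protocol, destination port) rows from the planning worksheet
WORKSHEET_ROWS: Sequence[Tuple[str, str, str]] = [
    ("File Transfer Protocol", "tcp", "21"),
    ("Allow DNS", "tcp", "53"),
    ("Allow SMTP", "tcp", "25"),
    ("Allow POP3", "tcp", "110"),
    ("Allow SSH", "tcp", "22"),
]

# Constructed stand-in for the stock rule pfSense ships on the LAN tab:
# pass, any destination, no port restriction.
DEFAULT_LAN_XML = """<pfsense><filter><rule>
<type>pass</type><interface>lan</interface>
<source><network>lan</network></source>
<destination><any/></destination>
<descr>Default LAN -&gt; any</descr>
</rule></filter></pfsense>"""


def build_config(rows: Sequence[Tuple[str, str, str]], interface: str = "lan",
                 log: bool = False) -> ET.Element:
    """Build one <rule> per worksheet row: pass <proto> from any to any:<port>."""
    root = ET.Element("pfsense")
    filt = ET.SubElement(root, "filter")
    for descr, proto, port in rows:
        rule = ET.SubElement(filt, "rule")
        ET.SubElement(rule, "type").text = "pass"        # Column A
        ET.SubElement(rule, "interface").text = interface  # Column C
        ET.SubElement(rule, "ipprotocol").text = "inet"   # IPv4 only
        ET.SubElement(rule, "protocol").text = proto      # Column D
        ET.SubElement(ET.SubElement(rule, "source"), "any")   # Columns E-J
        dst = ET.SubElement(rule, "destination")          # Columns L-Q
        ET.SubElement(dst, "any")
        ET.SubElement(dst, "port").text = port
        if log:                                           # Column R
            ET.SubElement(rule, "log")
        ET.SubElement(rule, "descr").text = descr         # Column S
    return root


def to_xml(root: ET.Element) -> str:
    return ET.tostring(root, encoding="unicode")


def parse_rules(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """Read the rules back out of a config document into plain dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iterfind("./filter/rule"):
        dst = rule.find("destination")
        rules.append({
            "type": rule.findtext("type"),
            "interface": rule.findtext("interface"),
            "protocol": rule.findtext("protocol"),   # None means any protocol
            "dst_any": dst is not None and dst.find("any") is not None,
            "dst_port": dst.findtext("port") if dst is not None else None,
            "logged": rule.find("log") is not None,
            "descr": rule.findtext("descr"),
        })
    return rules


def find_default_permits(rules: List[Dict[str, Optional[str]]]) -> List[str]:
    """Descriptions of pass rules that allow any destination on any port.

    Such a rule makes every later rule on the interface irrelevant for the
    traffic it matches; the next lab deletes exactly this kind of rule.
    """
    return [str(r["descr"]) for r in rules
            if r["type"] == "pass" and r["dst_any"] and not r["dst_port"]]


if __name__ == "__main__":
    generated = to_xml(build_config(WORKSHEET_ROWS))
    print(generated)
    print("default permits in generated config:",
          find_default_permits(parse_rules(generated)))
    print("default permits in stock LAN rule:",
          find_default_permits(parse_rules(DEFAULT_LAN_XML)))
```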
30. Save the completed spreadsheet as
yourname_pfSenseFirewallPlanner_EmailServer.xls, replacing yourname with your
own name and submit the file with your deliverables.

31. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.

Lab #4 - Assessment Worksheet


Configuring a pfSense Firewall on the Server
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab, you first planned a configuration of the pfSense Firewall using a spreadsheet, the
pfSenseFirewallPlanner_EmailServer, to protect an e-mail server computer. The pfSense
Firewall is a current-generation product with most of the functionality and options that are found
in most firewall products, though the implementation may vary from firewall to firewall. In the
second part of the lab, you configured the pfSense Firewall using the planning spreadsheet that
you created in Part 1 of the lab.

Lab Assessment Questions & Answers


1. Most remote configuration and administration uses the _______ protocol?

2. SSH stands for?

3. The File Transfer Protocol (FTP) uses which transport protocol, TCP or UDP?

4. From a security standpoint, it is more desirable to use the numeric IP address of a static
IP host, such as an e-mail server, than to allow the address to be looked up the Domain
Name Service. True or False?

5. Because the e-mail server will not be required to run a browser, which protocol is not
allowed by the firewall rules?

6. Because the e-mail server uses a fixed, static, predetermined IP address, which protocol is
not used, and, therefore, not specifically allowed to pass through the firewall?

7. Hyper Text Transfer Protocol (HTTP) and Secure HTTP (HTTPS) are the same protocol
from a standpoint of passing or blocking them with a firewall. True or False?

8. Which protocol is used for a variety of functions in the e-mail server, such as resolving
the numeric address of email.user@emailserver.net, and which servers are blacklisted for
being sources of Unsolicited Commercial Email (UCE)?

Toolwire Lab 5: Penetration Testing a pfSense Firewall
Introduction
Click the link below to view the network topology for this lab:
Topology
Penetration testing tests the strengths and weaknesses of the IT security, as well as the readiness
of the facility and/or employees to respond to an attack. Pen testing, as it is often called, can be
as much of an art as it is a science. It can be done by security professionals, either part of the
organization being tested, or hired by that organization, to assure that the IT defenses are sound
(at least as sound as reasonably possible) and consistent with policy, or it can be done by blackhat hackers, the bad guys, as a part of their targeting rituals. In many cases, pen testing is done
by those clueless beginners known as script kiddies in their search for a great story to tell.
In any case, effective penetration testing consists of five main steps: reconnaissance, scanning,
vulnerability analysis (enumeration), exploitation (the actual attack), and post-attack activities,
including remediation of the vulnerabilities. Before attacking a system, the pen tester first
utilizes an automated tool or tools, at least initially, to scan for and identify the various
vulnerabilities which can be exploited. It is important to realize that not all automated tools are
the same. Some tools work against a variety of target environments (any device with an IP
address on the network) while other tools work against only a subset of possible targets (e.g.:
802.11 Wi-Fi network, ERP system, email server, etc.). Often, pen testers will use more than one
tool to help identify vulnerabilities from a number of sources: in fact it is beneficial to run more
than one vulnerability scan because different vulnerability scanners may get different results.
Regardless of their effectiveness against specific targets, all share the characteristic that they
replace the laborious, time-consuming job of typing commands out the old-fashioned way. Many
times the automated tools can be used to complete the entire task of identifying vulnerabilities,
but many times the automated tools are used only for targeting with humans typing specialized
commands for specialized circumstances.
In this lab, you will use a popular automated tool, OpenVAS, to expedite the beginning of the
hacking process, and identify the logic and strategy behind the attack or attacks. Though you will
stop short of actually attacking the system, you will gain a better understanding of the
capabilities of this and other widely-available vulnerability assessment tools.
This lab has three parts which should be completed in the order specified.

1. In the first part of the lab, you will validate the existing pfSense Firewall rules in
preparation for completing a penetration test.
2. In the second part of the lab, you will use OpenVAS to check for the vulnerabilities on a
virtual Windows server, and then reconfigure the firewall to eliminate those vulnerabilities.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your
own to answer a set of challenge questions that allow you to use the skills you learned in
the lab to conduct independent, unguided work, similar to what you will encounter in a
real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:
1. Describe the steps of a penetration test.
2. Perform a penetration test against a system protected by a pfSense firewall.
3. Discuss measures that can be taken to harden a target against attacks while balancing
system access and usability needs.

Tools and Software


The following software and/or utilities are required to complete this lab. Students are encouraged
to explore the Internet to learn more about the products and tools used in this lab.

pfSense Firewall
OpenVAS

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including:
a. screen captures of the following steps: Part 2, Steps 6, 9, 16, and 23,
b. DCE Services Enumeration research from Part 2, Step 11;
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:
1. Describe the steps of a Penetration Test. - [30%]
2. Perform a Penetration Test against a system which is behind a pfSense firewall. - [50%]
3. Discuss measures that can be taken to harden a target against attacks while balancing
system access and usability needs. - [20%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 "Student Landing" workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Configuring a pfSense Server Firewall


Note: White-hat hackers, whether employees of the target company or hired for the specific
purpose, generally know the security configuration of the IT system they are trying to penetrate.
There are many possible security postures of any network and its constituent parts (the
workstations, servers, firewalls, load balancers and the like), from highly secure to not secure at
all. Knowing information about the configuration including its IP addresses, software and
versions, and the logical and physical configurations of a network can be very useful in terms of
understanding what defenses must be built and how to check the vulnerabilities of a system, but
is also very unrealistic because actual attackers are unlikely to know as much about your
environment and may devise attacks which are outside your ability to easily predict.
This lab begins by validating a pfSense firewall for a basic network which will be pen tested in
Part 2.

1. Double-click the pfSense Firewall icon to open the firewall configuration in an Internet
Explorer window.
2. Click OK to accept the default credentials and open the pfSense Firewall application.
Figure 2 pfSense firewall overview
3. Select Firewall > Rules from the pfSense toolbar.
4. Click the LAN tab to validate that the existing firewall rules meet the following criteria.
o Allow File Transfer Protocol (FTP) so that users can send files back and forth
o Allow Domain Name Service (DNS) so that users can type URLs, instead of
requiring them to know specific IP addresses of any Web sites they wish to visit
o Allow email to be received to/from anyone, specify the port range as that used by
the Simple Mail Transfer Protocol (SMTP)
o Allow Post Office Protocol, version 3 (POP3) so that users can retrieve email
from the server
o Allow Secure Shell (SSH) so that the email server can be remotely managed by a
secure command line interface (SSH is quickly replacing TELNET for this
purpose).
o Allow Internet browsing using the HTTP protocol
o Allow secure Internet browsing using the HTTPS protocol
o Allow Internet Control Message Protocol (ICMP) messages, such as the PING
diagnostic message
Figure 3 pfSense firewall rules
5. Minimize the pfSense Firewall window.
Note: As you just verified, the pfSense Firewall has been configured as shown in the
following figure. Remember that this information is available to you because you are the
defender of the information system you are testing. If you were an actual attacker, you
would not have access to this information and you would have to use some alternate
means (reconnaissance) to gain access to it.
Figure 4 Lab configuration

Part 2: Penetration Testing


Note: Every penetration tester, from script kiddies to the most serious professional hackers, has
their own set of steps but they all fall into the same rough categories: network scanning, port
scanning, vulnerability analysis, and exploitation. For defenders, there is also a remediation step
during which vulnerabilities are fixed and then the steps are repeated to ensure the attack can't
occur again. For attackers, the last step is often an attempt to cover their tracks by destroying or
modifying log files or other bits of forensic information that will prove that they were there.

The security industry is adopting what it calls the attacker kill chain to describe the process of
attack. Reconnaissance can use a combination of technical and social engineering approaches
and leads to the weaponization of specific tools, such as spear-phishing e-mails or mobile apps.
In the delivery phase, often left to specialists, the malicious software is delivered to the
intended victim or victims. Often a pen test is a precursor to delivery. Next is the exploitation
phase in which the attack is unleashed. Most modern attacks have a C2, or command and control,
component during which, at minimum, the results of exploitation are reported but which can also
include additional targeting and tasks. Certain disruptive software does not have a C2 phase,
such as malware intended to operate without reporting results or requesting additional direction
from an outside source.
During the final phase, extraction, logs may be modified, malicious software may "self-destruct"
to avoid detection, or other steps may be taken. In a strange egomaniacal twist, it has also become
common practice for attackers to leave some sort of indication that they were present, often as a
dare to defenders and/or law enforcement but often in an attempt to redirect blame to other parties.
Figure 5 Attacker kill chain
Automated tools, such as OpenVAS or the Retina Network Security Scanner, can be used to
perform the vulnerability assessment portion of a penetration test. In the next step you will use
OpenVAS to check for any vulnerabilities in the virtual environment and then craft a plan to
reduce or eliminate those vulnerabilities hopefully without creating new ones.
1. Double-click the OpenVAS Web icon to start the OpenVAS application. The Greenbone
Security Assistant will open in a new Internet Explorer tab.
The OpenVAS server takes several minutes to initialize. Do not click any other buttons;
you will be prompted for a password when the server is ready.
2. When prompted, type the following credentials and click Login to open the Greenbone
Security Assistant window.
o Username: openvasadmin
o Password: pass
Figure 6 Greenbone Security Assistant
3. In the IP address or hostname box under the Quick Start section of the page, type
192.168.16.15 (the IP address for the Windows 2008 Server on Network 2) and press
Start Scan.
When the scan is completed, you will see a blue Done button in the Status column of the
table. The scan can take several minutes to complete. You can manually refresh the page
during this time, or set the page to automatically refresh.
Figure 7 Scan 192.168.16.15

4. In the Tasks header, select Refresh every 10 Sec from the first drop-down menu and
click the Set Button (green refresh arrows button) to its right.
Figure 8 Refresh the screen
5. When the scan completes, click today's date in the Reports table on the main screen,
which corresponds to the scan you just ran, to open the Reports Summary.
Note: At this point of your review, the Report Summary simply tells you that the tool has
identified medium- and low-ranked vulnerabilities. You will explore these findings later
in this lab. Security analysts use this type of report to compare the findings of several
scans over time.
6. Make a screen capture showing the number of Medium and Low security issues
found on the Reports Summary and paste it into your Lab Report file.
7. Use the scrollbar to locate the Results Filtering portion of the report.
Note: The results can be filtered a number of different ways. This is less important for
this lab, where you are scanning one IP address with a minimum of ports and there are
only a minimum of results, but it can be a significant time saver when a specific
vulnerability is being searched for.
Figure 9 Result Filtering for scan of 192.168.16.15
8. Use the scrollbar to locate the Filtered Results portion of the report.
Note: In the Results Filtering portion of the report, the findings are sorted by port and
then threat in ascending order. Notice that the port summary above the first vulnerability
in the report includes port 135 indicating that the first vulnerability, or set of
vulnerabilities, is related to Windows Client Server communication. The detailed
summary information that follows this summary table provides a plain-English high-level
description of the problem as well as a hint at the solution (which in this case is to filter
port 135).
Figure 10 First detailed security issue
9. Make a screen capture showing the security issues reported for 192.168.16.15 and
paste it into your Lab Report file. You may need to make multiple images to capture the
entire summary.
Note: Because the virtual Workstation has no direct Internet connection, in the next
steps, you will explore the threats identified by OpenVAS using your own computer's
Internet connection.
10. On your local computer, open a new Internet browser session.

11. From your favorite search engine, search for DCE Services Enumeration (the first
security issue identified by OpenVAS) to determine why port 135 should be filtered and
document this information in your Lab Report file.
12. On the vWorkstation, click the firewall.local tab in the Internet Explorer window.
Recall that the first pfSense firewall rule in the existing configuration is a default permit
(allow any) rule.
Figure 11 Default permit rule
13. Click the Default LAN -> any checkbox and click the Delete button to remove that
firewall rule.
Figure 12 Delete Default permit rule
14. When prompted, click OK to confirm the change.
15. Click the Apply changes button.
Figure 13 Apply changes
16. Make a screen capture showing the modified firewall rules and paste it into your Lab
Report file.
17. Click the Greenbone Security Assistant (OpenVAS) tab in the Internet Explorer
window.
18. Click the Greenbone Security Assistant logo at the top of the page to return to the home
page.
19. In the OpenVAS Tasks table, click the start icon (green arrow) to re-start the scan of
192.168.16.15.
Figure 14 Re-start the scan
20. Repeat step 4 to automatically refresh the screen.
Note: Pen testing is an excellent security control, but you should always rescan a system
or network to validate changes. It is also important to rerun a vulnerability scan after
patching programs or closing vulnerabilities because in closing some you may have
opened others.
When the scan is complete, note that the Trend arrow is pointed down, indicating that
fewer vulnerabilities were found in this scan as compared to the last scan.
Figure 15 Trend indicator
21. When the scan completes, click today's date in the Reports table on the main screen,
which corresponds to the scan you just ran, to open the Reports Summary.
22. In the Reports Summary, note the number of Medium and Low security issues found.

23. Make a screen capture showing the number of Medium and Low security issues
found on the Reports Summary and paste it into your Lab Report file.
24. Use the scrollbar to locate the Filtered Results portion of the report.
Notice that the threat on port 135 is no longer an issue because of the changes you've
made to the firewall rules.
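One way to check a rescan after a firewall change, as an added example that is not part of the lab and does not use OpenVAS's own report format or API: the report is modelled as simple comma-separated records, the only finding taken from the lab is DCE Services Enumeration on port 135, and the other findings are constructed sample data. The check also applies the caveat from the note above, reporting findings that a change opened as well as those it closed.

```python
"""Validate a firewall change by comparing two vulnerability-scan results.

Added example for this lab, not part of the original material or of OpenVAS.
The record format below is a simple comma-separated stand-in for a scan
report; the only finding taken from the lab is DCE Services Enumeration on
port 135, every other finding is constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Threat levels as OpenVAS labels them, lowest first.
SEVERITY_RANK = {"Log": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    name: str
    severity: str


def parse_findings(text: str) -> list[Finding]:
    """Parse 'host, port/proto, severity, name' lines into Finding records."""
    findings = []
    for raw in text.strip().splitlines():
        host, endpoint, severity, name = (f.strip() for f in raw.split(",", 3))
        port, proto = endpoint.split("/")
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown threat level {severity!r} in: {raw}")
        findings.append(Finding(host, int(port), proto, name, severity))
    return findings


# Constructed sample data: the scan run against the default "LAN -> any"
# permit rule, and the rescan after that rule was deleted.
BEFORE = parse_findings("""
192.168.16.15, 135/tcp, Low, DCE Services Enumeration
192.168.16.15, 139/tcp, Low, NetBIOS session service reachable
192.168.16.15, 445/tcp, Medium, SMB signing not enforced
192.168.16.15, 3389/tcp, Medium, RDP accepts weak cipher suites
""")
AFTER = parse_findings("""
192.168.16.15, 445/tcp, Medium, SMB signing not enforced
192.168.16.15, 3389/tcp, Medium, RDP accepts weak cipher suites
192.168.16.15, 80/tcp, Low, HTTP TRACE method enabled
""")


def sorted_report(findings):
    """Order findings as the Filtered Results table does: by port, then threat, ascending."""
    return sorted(findings, key=lambda f: (f.port, SEVERITY_RANK[f.severity], f.name))


def severity_counts(findings):
    """Per-threat-level totals, like the Reports Summary counts of Medium and Low issues."""
    return dict(Counter(f.severity for f in findings))


def trend(before, after):
    """'down' corresponds to the down-pointing Trend arrow (fewer findings than last scan)."""
    delta = len(after) - len(before)
    return "down" if delta < 0 else "up" if delta > 0 else "flat"


def diff_findings(before, after):
    """Return (closed, opened): findings that disappeared and findings that newly appeared."""
    closed = set(before) - set(after)
    opened = set(after) - set(before)
    return sorted_report(closed), sorted_report(opened)


def validate_change(before, after, expected_closed_ports):
    """Check a rescan the way step 24 does, with the lab's caveat built in: the
    targeted ports must carry no findings, and closing them must not have
    surfaced new findings elsewhere."""
    closed, opened = diff_findings(before, after)
    still_open = sorted({f.port for f in after if f.port in expected_closed_ports})
    return {
        "trend": trend(before, after),
        "closed_ports": sorted({f.port for f in closed}),
        "still_open_ports": still_open,
        "new_findings": [(f.port, f.name) for f in opened],
        "validated": not still_open and not opened,
    }


if __name__ == "__main__":
    print("before:", severity_counts(BEFORE), "after:", severity_counts(AFTER))
    result = validate_change(BEFORE, AFTER, {135})
    for key, value in result.items():
        print(f"{key:>16}: {value}")
```

With the sample data the trend is down and port 135 is closed, but the check still fails because the rescan surfaced a new finding on port 80, which is exactly the case the note warns about.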
25. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.

Lab #5 - Assessment Worksheet

Penetration Testing a pfSense Firewall
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab you began by configuring a pfSense firewall. You then analyzed the vulnerabilities
and potential attack strategies against the firewall and a server on Network 2, beyond
the firewall from your attack position. If assigned by your instructor, you performed an additional
vulnerability scan and researched the details and possible threats of the vulnerabilities.

Lab Assessment Questions & Answers


1. What does an effective penetration test consist of?

2. Which is not part of the Attacker Kill Chain?
a. Reconnaissance
b. Exploitation
c. Weaponization
d. System Hardening

3. Time and dollar budgets permitting, it is beneficial to run more than one vulnerability
scan because different vulnerability scanners may get different results. True or False?

4. It is important to rerun a vulnerability scan after patching programs or closing
vulnerabilities because in closing some you may have opened others. True or False?

5. Domain Name Service runs on port ___.

6. Network 1, including the host connection for the firewall, is a part of the _________
Class C or CIDR /24 subnetwork.

Toolwire Lab 6: Using Social Engineering Techniques to Plan an Attack
Introduction
Click the link below to view the network topology for this lab:
Topology
It is often said within the security community that to be the best defender one must be the best
attacker. It is very common during security exercises to have the Red Team and Blue Team
change places and allow the attackers to become the defenders and the defenders to become the
attackers. Very often, the best security professionals will go "outside the wall" and look back in
with the intention of getting an attacker's-eye view and use that experience to see their own
defenses in a different light. This lab will demonstrate the thinking process an attacker might use
when attacking a firewall-protected site using primarily social engineering and reverse social
engineering. Take note that these same concepts and methods can be applied to any other
attack/defend situation.
There are two major categories of attacks: the bulk, non-targeted attacks and the highly targeted
attack. Targeted attacks may be an attack against a class of targets, such as hospitals or networks
protected by XYZ Company firewalls, or Windows 2008 servers for instance. An attacker may
also target a single, specific target. Generally, non-specific attacks are termed "attacks of
convenience" and the targeted variety are called "targeted attacks".
Very often, attackers will use a wide-sweeping attack of convenience to gather information for
an attack, for instance, to uncover a certain vulnerability, before targeting a specific subject or
subjects (perhaps those in a particular industry, such as finance or healthcare).
This lab will concentrate on the targeted attack. Targeted attacks are growing in popularity as
defenders improve their defenses against the historically successful attacks of convenience and
attackers narrow their objectives to get bigger and bigger pay-offs from a smaller list of targets,
often coupling real-world crime or terrorism with cybercrime and cyberterrorism.
This lab has three parts which should be completed in the order specified.

1. The first part of the lab will focus on social engineering. By following the sample attack,
you will learn many of the ways in which information can be gathered from a subject, or
subjects, and combined for either real-world or cybercrimes.
2. The second part of the lab will concentrate on reverse social engineering. By following
the example provided, you will learn the importance of open source intelligence in
designing a reverse social engineering attack.
3. Finally, if assigned by your instructor, you will do further research on the technical
aspects of the attack plan and develop a social engineering campaign against a target.
This lab is a paper-based lab and requires the use of the Virtual Security Cloud Lab (VSCL) only
to access the relevant documents.

Learning Objectives
Upon completing this lab, you will be able to:
1. Recognize some of the key characteristics of a social engineering attack.
2. Identify some of the key signs of a reverse social engineering attack.
3. Describe the differences and similarities of an attack of convenience and a targeted
attack.
4. Implement countermeasures to social and reverse social engineering attacks.

Tools and Software
The following software and/or utilities are required to complete this lab. Students are encouraged
to explore the Internet to learn more about the products and tools used in this lab.
None

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1, Steps 7, 12, 15,
18, and 22;
2. Lab Assessments file;
3. Optional: Challenge Questions answers and a sample open source intelligence plan if
assigned by your instructor.

Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Recognize some of the key characteristics of a social engineering attack. [20%]
2. Identify some of the key signs of a reverse social engineering attack. [20%]
3. Describe the differences and similarities of an attack of convenience and a targeted
attack. [10%]
4. Implement countermeasures to social and reverse social engineering attacks. [50%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Targeted Social Engineering Attack
Note: Many attacks are achieved either by purely technical (such as determining IP address
ranges and performing port and vulnerability scans) or purely socially engineered methods.
Increasingly, however, attacks blend social engineering with technical means in complicated,
sophisticated, and mature targeted attacks. Very often senior criminals or terrorist leaders will
coordinate the efforts of specialists, paying each for their services, to bring about the most
effective attacks. In this way, among others, cyber criminality is beginning to resemble
traditional criminal enterprises: in the non-cyber world there are specialists for picking locks,
cracking safes, and driving get-away cars. The same sort of specialization is happening in
cyberspace.
In Part 1 of this lab, you will be shadowing a cybercriminal specializing in social engineering
techniques. You will follow the steps in the lab to discover just how he gathers the information
he needs to develop an attack on the targeted company. The documents required for this lab are
located on the vWorkstation desktop. To maximize your learning from the lab, it is imperative that
you not read ahead and that you stop and execute the various steps of the lab as instructed. Each
section will show a series of vignettes which may be successful in and of themselves or may be
woven together with other social and reverse social engineering methods, and possibly technical
hacking, to represent an entire campaign against the target.
While the scenario in this lab targets a fictitious company and simulates the information
gathering phase of the hacking process, the steps described are typical of the real world.
Your cybercriminal mentor has informed you that the targeted company for this attack is an
organization called Global Enterprises, Inc., located in Dalton, Georgia. You have been hired to
collect enough information to enable an attack on their email system. Though you anticipate that
the email server will be protected by a firewall, you don't know what firewall or what type of
email server.
The first step in this reconnaissance mission is to conduct a simple Internet search to find the
correct target company. The easiest things are frequently overlooked by highly technical hackers:
most enterprises try to get a URL that is some variation of their name. Your mentor knows better
and types www.globalenterprises.com into his browser.
1. Double-click the website.pdf icon on the vWorkstation desktop to see the result of the
browser search.
Figure 2 Global Enterprises home page (Photo copyright MIXA next/Thinkstock)
Note: Remember, the only things we know about the target are its name and location.
The home page of this Web site confirms that the name of the company is the same as the
targeted company, but it doesn't provide the location. Further research is required. Your
mentor informs you that most companies list addresses and phone numbers on the
Contact Us page, so that's the next step.
2. Close the website.pdf file.
3. Double-click the contact.pdf icon to open the Contact Us page.
Figure 3 Global Enterprises Contact Us page
Note: Because of the relatively small size of Dalton, Georgia and the reassurance you
gained from the fact that the company's name appears in the URL, you can be fairly
confident that this is the correct Global Enterprises, but it may be wise to double check
with the client.

You might be tempted to take time to guess at what the client might want to accomplish
with an attack on the email system of an engineered flooring company based in north
Georgia: Are they a competitor who wishes to get inside information? To exfiltrate
intellectual processes such as manufacturing methods, customer lists or information to
support, or derail, an upcoming merger? Is there a financial or personal motive? In the
end, as a professional hacker, you don't really care: you are being hired to provide
information which can be used by others to mount the attack so the "why" is interesting,
but not important.
What is important, then, is to learn as much as possible about the target.
4. Close the contact.pdf file.
Note: A general Internet search using Google, Bing or some other search engine returns
thousands of references, most of which refer to some other Global Enterprises, but don't
refer to the target Global Enterprises, so you must keep looking.
Perhaps you could find information about employees of the company. Start by checking
the email address format for the target company, Global Enterprises. The Contact Us
page on the company's Web site lists an email link as sales@globalenterprises.com,
rather than sales@global-enterprises.com, or some other variant. This is as you would
expect from inspecting the site's URL but, as usual, it is good to verify the information
and avoid a waste of time and effort.
You might think that you could just type "@globalenterprises.com" into your search
engine as a starting point for your search, but you can't. There are no major search
engines that search email addresses, so you must take another approach.
One thing to consider, but which is beyond the scope of this exercise, is the hacking of
Google itself or of purchasing lists that are the result of hacking Google or other email
collection efforts, known as harvesting. Hacking Google itself is very risky and could
lead to jail time faster than hacking other sites due to Google's investment in security and
legal action. However, purchasing bulk mailing lists from organizations that sell such
things openly on the Internet and searching the doc or txt files that you have purchased
may yield the results for which you are looking at a very low price.
Another common source of information is a domain name registration service, such as
whois.net. These sites, and there are dozens of them, have provided a lot of useful
information in the past, so that's the next step. The newer registrations protect employee
privacy, but older registrations can yield technical and administrative contact names,
addresses, phone numbers, and a host of other details that can be very useful in putting
together a very effective social engineering campaign.
5. Double-click the whois.pdf icon to see the whois.net results for Global Enterprises.

Figure 4 Whois information for Global Enterprises
6. Make a screen capture showing the whois information for Global Enterprises and
paste it into your Lab Report file.
Note: The whois information for Global Enterprises reveals very little useful information
largely because the useful information is hidden from view. The most useful information,
according to your mentor, is the names of the name servers, which could be used to
launch some sort of DNS poisoning or similar DNS attack. Keep this information on
hand in case it is needed at a later date, but for now this is a dead end.
In many cases, however, whois returns some very useful information. In a real situation,
you would try several different whois sites to see if any reveal more, or different,
information than the others.
7. Close the whois.pdf file.
Note: Having reached a dead end with the whois tools, your mentor wants to use a
variety of social engineering and open source intelligence tools to collect information
about the site, company or their servers or services.
For publicly-traded companies, one excellent open source intelligence approach would be
to download the Securities and Exchange Commission's 10-K report and Annual Report to
Stock Holders for the company. Either as an intelligence-gathering exercise of its own, or
as a precursor to further research, these are invaluable documents because they generally
list officers of the company, the company's financial state, any legal settlements affecting
the company, and short- and long-term development plans. Since this information is not
available for Global Enterprises from their Web site, you must continue to look elsewhere
for the information your client is paying you to find.
Because you are currently searching for people who work at a business, as opposed to
school children, artists, model ship hobbyists, or some other specific, non-business group,
you might want to consider using a business contact or networking site, such as
LinkedIn.com. For this lab, you will use a similar, though not real, site called
GetConnected.com. You will search for employees of Global Enterprises who are located
in Georgia.
8. Double-click the getconnected.pdf icon to open the results of a search for Global
Enterprises in the fictitious business networking site, GetConnected.com.
Figure 5 GetConnected search results (Silhouette copyright John
Takai/iStock/Thinkstock; Headshot copyright Comstock Images/Stockbyte/Thinkstock)
Note: Take a look at the search results generated by GetConnected.com. The networking
site found five people who are currently employed at a company called Global
Enterprises, and one employee who worked there prior to his current position. The
search criteria you entered eliminated anyone who works for any Global Enterprises
located anywhere other than Dalton or North Georgia, even if they are working at a
different location of the same target company. For this hacking assignment, you would
not consider them good candidates for an attack if they are located elsewhere.
Your mentor helps you determine which of the employees in the search results might be
good candidates for further research. Remember the information you are looking for:
anything about the firewall or email server that Global Enterprises is using.
Anne Lawrence: Because she is in HR recruiting, she might know the information you
need, and because her job involves talking to people, she might be open about revealing
the information if you approach her in the right manner. She is your number one
candidate right now.
Steve Burns: Steve is a project manager and PMP (Project Management Professional)
who previously worked at Rich's Department Stores which means that he is probably
more of a physical project manager, not an IT person, so does not move to the top of your
list.
Ravi Purim: Mr. Purim is not a current employee and he was a high-level executive
when he did work at Global Enterprises. Best not to include him in your list; he will not
easily give up the information you need.
Heath Andreeson: As Assistant Director of Systems Development, he makes a great
candidate. He probably knows what we want to know and there are a number of ways
you might be able to approach him to obtain the information with or without his
knowledge; however, he was formerly with the Los Angeles Police Department. Without
knowing what his role was in the police department, you will need to investigate further.
If he was ever a law enforcement officer, as opposed to a civilian support person, he
might be trained in detecting deception, even on the telephone or via email, and has a
high chance of uncovering our true intentions. Keep him on the list, but continue seeking a
better candidate.
LouAnne Garfinkle: She is Director of Global IT and Global Enterprises is small
enough that she probably knows what we need to know. Because this job is a promotion
from her previous position at Rugs-R-Us as Assistant Director, you can assume that was
her goal in leaving Rugs-R-Us. In addition, her name is relatively unique, so it will be
easier to find her in subsequent Internet searches. She has just moved to number one in
your list of possible candidates.
Bryan Smythe: As a director of business development, he is further removed from the
information you need, and with a common name, he is added to the bottom of your list.
So now you know that the best option for your social engineering attack on Global
Enterprises is LouAnne Garfinkle with Anne Lawrence a close second. You need to find
out a little more about LouAnne, so you decide to view her GetConnected profile.

9. Close the getconnected.pdf file.
10. Double-click the profile.pdf icon to review LouAnne Garfinkle's GetConnected profile.
Figure 6 GetConnected profile (Headshot copyright Comstock
Images/Stockbyte/Thinkstock)
11. Make a screen capture showing LouAnne's profile and paste it into your Lab Report
file.
Note: You've hit the jackpot with this profile: LouAnne writes a blog, IT Insights, so it
may not even be necessary to contact her directly to gain a great deal of information
about Global Enterprises. Even if she is security conscious and does not post the name of
her employer on her blog, you can be fairly confident that anything posted since 2009,
her date of employment at Global Enterprises, is likely to be relevant to your open
intelligence gathering goals.
A simple Internet search for LouAnne's name and the name of her blog should lead you
to the blog. From there, it is a matter of searching her blog for information about Global
Enterprises' firewall and email server. Your search results in two promising blog entries.
12. Close the profile.pdf file.
13. Double-click the blog1.pdf icon to open the first important blog entry.
Figure 7 IT Insights blog header (Headshot copyright Comstock
Images/Stockbyte/Thinkstock)
14. Make a screen capture showing the entire blog entry and paste it into your Lab Report
file.
15. Close the blog1.pdf file.
16. Double-click the blog2.pdf icon to open the next important blog entry.
17. Make a screen capture showing the entire blog entry and paste it into your Lab Report
file.
18. Close the blog2.pdf file.
Note: It is very likely that you now know which email server Global Enterprises is using
and the type of firewall and version that LouAnne has installed, though it is possible that
she may have upgraded if there is a later version of the firewall software.
19. On your local computer, open an Internet browser session for your favorite search
engine.
20. Perform an Internet search to find the current version of the firewall software used by
Global Enterprises.
21. Make a screen capture showing the current version number and paste it into your Lab
Report file.
22. Minimize the local browser session.

Note: What else can LouAnne's blog tell us? The rest of LouAnne's blog is a treasure
trove of open source intelligence. Other blog entries reveal additional technical details
and specific problems she has had with the software and how most of those problems
were fixed. She even lists user group meetings and conferences she will be attending,
and, best of all, those at which she will be speaking! Even people who should know
better are not always aware of the trail they leave behind. They leave traces of
information behind in a variety of places never thinking that someone else might be
trying to connect the pieces together. Information gathering is often as simple as
following the breadcrumbs.
Sometimes a simple Internet search is the best approach. In this case, you could search
for "LouAnne Garfinkle and Global Enterprises", or variants of her possible email
address, such as "lgarfinkle" or "lagarfinkle". The search would likely result in a large
amount of unrelated results, but could provide some open intelligence hits, especially for
someone you already know has a Web presence via her own blog and speaking
engagements. Be especially aware of hits related to technical support Web sites since the
questions and answers she might have posted on those sites might be very revealing.
Another approach is to concentrate on personal details, such as hobbies, family and other
personal interests revealed in a blog, that might become very useful in building a targeted
social engineering campaign, spear-phishing emails, or even direct contact via
telephone or in person. Depending upon your client's budget, the sky is the limit
for data mining, and LouAnne Garfinkle is only one of several Global Enterprises
employees who may be good targets for gathering intelligence about the company.
No matter which approach you follow, you certainly know a lot more than you did before
and with no intrusive hacking and no likelihood that you will be detected in any way. In
the worst case scenario, your browser history will give you away, but a quick scrub of the
browser's cache will alleviate that problem. Secure storage and ultimate destruction of
your screen captures will erase any forensic evidence.

Part 2: Targeted Reverse Social Engineering Attack
Note: At the most basic level, social engineering is a fancy term for a con job. The goal of the
social engineer is to create, in some way, a set of "facts" so believable to the subject, often
called the target or mark, that they take some action that reveals some information of
importance to you. In many cases, such as those where the information may be
compartmentalized (that is to say, no one person or source knows all the facts), a single person
is only part of the overall puzzle, a puzzle whose pieces must be collected, vetted for
misinformation and properly assembled.
In true social engineering, the social engineer approaches the subject and attempts to extract
information or to get the subject to take some action that will cause the desired information to be
revealed. However, there is a subset of social engineering called reverse social engineering in
which a set of circumstances are set up that cause the subject to approach the social engineer and
reveal the desired information.
In Part 2 of this lab, you will see how your hacking mentor used a common reverse social
engineering technique to obtain more information from LouAnne Garfinkle. After studying
LouAnne's GetConnected profile, your mentor made an educated guess that LouAnne might
have left her old job (Assistant Director of IT) for her new job (Director of Global IT) for a
promotion. He has also guessed that visibility and responsibility were more important to her than
salary, as long as salary was similar. Based on this very simple psychological profile, and
knowing that LouAnne has already been in her current job since 2009, your mentor thinks
LouAnne might be in the market for another promotion. He places an ad in several newspapers
near Dalton, Georgia, to see if LouAnne Garfinkle will respond.
Figure 8 Ad used to lure LouAnne Garfinkle
1. Double-click the ad.pdf icon on the vWorkstation desktop to view the details of the job
ad.
2. Close the ad.pdf file.
Note: So, did this ruse work? Like a charm. LouAnne not only responded to the ad, but
she submitted her resume via email as requested and went through what seemed to be a
normal hiring process. LouAnne participated in a number of phone interviews with the
"VP of Global IT" for the hiring company, the person whom she would replace if she was
the successful candidate. During these interviews LouAnne unwittingly revealed a great
deal of very specific information about the technology in place at Global Enterprises,
information that would have been very difficult to get any other way. The final interview
was held at a downtown hotel with a "corporate recruiter" because, as LouAnne was told,
the prospective employer did not want to reveal its identity for reasons of confidentiality,
but LouAnne was assured that any job offers would come directly from the company.
Three days later LouAnne was contacted by the "recruiter" and was let down easily. She
was told that the individual whom she was to replace had decided to put off retirement for
another year, but that she impressed everyone throughout the interview process and could
expect a call within the year.
LouAnne didn't realize it but all phone interviews were conducted with your hacking
mentor using burner cell phones that were discarded after the desired information was
obtained. The email address she submitted her resume to was an anonymous account,
which she was told was being directed to the recruiter's private account because the
hiring company wanted confidentiality until the final candidate was offered a job.
How can an organization guard against social engineering and reverse social
engineering? The answer is awareness training and constant vigilance, but that does not
come without a price. An organization must be very careful that the awareness training
initiatives, including the use of formal classes, posters, rewards for leads on intellectual
property leaks, and occasional internal news stories of how social engineering could
happen even within the company, do not curtail or destroy the cooperation and team
building that the organization strives so hard to build. It is a tough balance, but one that
organizations can achieve with a strong program that defines clearly what is acceptable
and what is not, does so in writing, and asks the employee to acknowledge in writing, at
time of hire and annually thereafter, that they have read, understand and will abide by the
rules. It is also important for an organization to be prepared to enforce the policy by
terminating employees, contractors, and subcontractors who do not abide by the policy.
3. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.

Lab #6 - Assessment Worksheet

Using Social Engineering Techniques to Plan an Attack
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab, you followed a social engineering scenario. You acted as a cybercriminal and used
social engineering techniques to gather enough information to develop an attack on a targeted
company. You learned the importance of open source intelligence in designing a reverse social
engineering attack.

Lab Assessment Questions

1. What firewall does Global Enterprises use?

2. What version of firewall did Global Enterprises install?

3. What is the current version number of the firewall software used by Global Enterprises?

4. What email server does Global Enterprises use?

5. What are Global Enterprises Domain Name Servers?

6. Which Global Enterprises employee used to work for the Los Angeles Police
Department?

7. Where did LouAnne Garfinkle work before coming to Global Enterprises?

8. Job applicants often feel as if the job description were written especially for them; in
LouAnne's case that was true. Briefly describe what elements of the job ad from Part 2 of
the lab might appeal specifically to LouAnne Garfinkle.
9. What is the difference between social engineering and reverse social engineering?
a. Social engineering is used in the real world. Reverse social engineering is used in
the cyber world.
b. Social engineering is used on most people. Reverse social engineering is used on
people with specialized law enforcement training.
c. In social engineering the con artist goes to the target, in reverse social engineering
the con artist gets the target to come to them.
d. In social engineering email is taken from the subject, in reverse social engineering
the subject is sent email or SPAM.
e. Only script kiddies do social engineering, Reverse social engineering is done by
professional cyber criminals.

10. What is the top objective of an anti-social engineering campaign within an organization?
a. Penalties
b. Awareness
c. Spying on co-workers
d. Spying on bosses
e. Spying on subordinates
f. All of c-e above

Toolwire Lab 7: Configuring a Virtual Private Network Server
Introduction
Click the link below to view the network topology for this lab:
Topology
A Virtual Private Network (VPN) is a private network that enables remote users (for example,
employees, suppliers, partners, and customers) to leverage the inherently insecure public Internet
to connect to an enterprise's private network resources in a secure manner. To do this, companies
create a secure tunnel from the client to the server and use encryption to keep unauthorized
parties from viewing or intercepting the data in transit.
A VPN is typically built using keys and certificates which must also be kept secure. But that
method is not infallible. It is widely felt, for instance, that massive security breaches perpetrated
by Edward Snowden against the allegedly most secure organization in the world, the National
Security Administration (NSA), involved, at least in part, compromising keys and certificates
and creating and using false credentials.
Another way in which VPN security can be compromised is through hairpinning. Hairpinning
involves an unauthorized access of a computer connected to a VPN, usually by malicious
software, but sometimes by active hacking. For example, malicious software can be
surreptitiously loaded on a computer connected to a VPN which allows the malware to enter the
VPN tunnel as valid traffic. In this way, the malware enters the tunnel, without having to break
the encryption or deal with any of the protective mechanisms. In other words, it gains access to
the network at the other side of the VPN tunnel completely unchallenged.
Unfortunately, VPNs are often established and administered by network operations or system
administrators with little or no security training. To make matters worse, advances in attack
sophistication have rendered the protection tools of the 1990s ineffective, yet not all
organizations regularly update their VPN configurations and associated policies. Other
organizations are quick to adopt the "latest and greatest" approaches and leave themselves
vulnerable to attacks which are as yet unknown within the community of defenders but which are
exploited routinely within the attacker community.
In light of advances in both attacks and defenses the configuration of an organization's VPN
should be reviewed periodically, some might argue as often as once per month, but in no case
less often than annually. In addition, the VPN infrastructure should routinely be subjected to a
penetration test to ascertain the likelihood and impact of a potential breach. Any changes to the
configuration should be applied uniformly to all VPN connections within the organization.
In this lab, you will configure the server side of the Linux Debian Openswan VPN. Only
someone with security knowledge and an understanding of the organization's operating
environment can properly protect the network's resources. Once the server side of the VPN is
configured, the systems operational personnel can apply the configuration to the client devices,
reboot both machines, and test the VPN connection. You will configure the other side of the
VPN in the Configuring the Linux Debian Openswan VPN: Client Side lab later in this lab
manual.
This lab has two parts which you should complete in order.
1. In the first part of the lab, you will configure the server side of a Linux Debian Openswan
VPN.
2. Finally, if assigned by your instructor, you will explore the virtual environment on your
own in the Challenge Questions section of the lab and use the skills you learned in the lab
to practice a basic, but important, skill required of systems operators and security
analysts and engineers alike.

Learning Objectives
Upon completing this lab, you will be able to:
1. Configure the server side of a Linux Debian Openswan VPN.
2. Describe the advantages and disadvantages of different VPN configuration options.
3. Discuss how to prevent attacks against data in transit using a properly configured VPN.

Tools and Software


The following software and/or utilities are required to complete this lab. Students are encouraged
to explore the Internet to learn more about the products and tools used in this lab.

PuTTY
Openswan VPN

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:

1. Lab Report file including screen captures of the following steps: Part 1, Step 49;
2. A completed Openswan Host-Host Configuration your name.xlsx file;
3. Lab Assessments file;
4. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics


The following are the evaluation criteria for this lab that students must perform:
1. Configure the server side of a Linux Debian Openswan VPN. - [10%]
2. Describe the advantages and disadvantages of different VPN configuration options. [70%]
3. Discuss how to prevent attacks against data in transit using a properly configured VPN. [20%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 "Student Landing" workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Configuring the VPN: Server Side


Note: In the virtual lab environment, you have access to the vWorkstation (shown on the left in
the following diagram) and a Linux Debian server (shown on the right), on which you will later
configure the Openswan VPN. In the next steps, you will use PuTTY, a terminal emulator, to
connect to the remote server. The PuTTY application is being used in this lab, but any terminal
emulator will yield the same results. It is also possible to log onto the VPN server directly.
Figure 2 Virtual lab configuration
1. Double-click the putty.exe icon on the vWorkstation desktop to open the application
window.
2. In the Host Name box, type 172.30.0.100 (the IP address of the Linux Debian Openswan
VPN server).
Figure 3 PuTTY Configuration dialog box
3. If necessary, click the SSH radio button to use a Secure Shell (SSH) connection.
4. Click Open to complete the connection.
5. Log in to the server using the following credentials.
o Login: student and press Enter.
o password: type ISS316Security and press Enter.
You are now logged into Debian Linux in the student account. In order to configure the
Openswan VPN, you must have super user (su) privileges.
6. Log in to the server using the super user credentials.
7. At the prompt, type su and press Enter.
8. When prompted for a password, type toor and press Enter.
You are now logged into the Linux Debian machine with super user access.
Note: The Openswan software has already been installed on the server by the system
administrator. In the next steps, you will use the ipsec verify command to assure that the
ipsec is properly installed and working, use the ipsec whack command to check for any
existing VPN tunnels, and then update the ipsec configuration file.
9. At the prompt, type ipsec verify and press Enter.
A cursory glance will indicate that the results for the ipsec verify command include
mostly OKs and no FAILURES, which is good. The IPSec Verify sidebar will explain
each check in detail.
Figure 4 Results of ipsec verify command

IPsec Verify
The ipsec verify command is used to confirm that the ipsec is active and communicating
properly. The following table describes each of the checks that the command performs.

Check Performed: Version check and ipsec on-path
Description of Results: The version of IPsec is correct (or at least consistent with the
rest of the installed modules), and the IPsec software components are where they are
supposed to be.

Check Performed: Linux Openswan U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64 (netkey)
Description of Results: Openswan is installed with the NETKEY IPsec protocol stack.
This check will return one of two choices: the native NETKEY protocol stack or the new
alternative KLIPS. Each choice has its own advantages and disadvantages, but because
the virtual lab uses IPv4, NETKEY has been chosen.

Check Performed: Checking for IPsec support in kernel
Description of Results: IPsec was successfully installed in the operating system.

Check Performed: SAref kernel support
Description of Results: Support for Security Association reference (SAref) is not
applicable for this installation.

Check Performed: NETKEY: Testing XFRM related proc values
Description of Results: The XFRM (transform) procedures which provide additional
policy management and enforcement for establishing and operating Security
Associations (SAs) are working properly.

Check Performed: Checking that pluto is running
Description of Results: The daemon that performs the Internet Key Exchange (IKE)
functions configured with the build is called pluto, and it is running.

Check Performed: Pluto listening for IKE on udp 500
Description of Results: Pluto is listening for IKE requests on port 500 and is using the
User Datagram Protocol (UDP).

Check Performed: Pluto listening for NAT-T on udp 4500
Description of Results: Pluto is listening for Network Address Translation Traversal
(NAT-T) on port 4500 using UDP.

Check Performed: Checking for 'ip' command
Description of Results: The ip command is operational.

Check Performed: Checking /bin/sh is not /bin/dash
Description of Results: The sh shell is required to assure support consistency in
Openswan. This check assures that the shell is sh, and not dash.

Check Performed: Checking for 'iptables' command
Description of Results: This check assures that the iptables command is operational. The
iptables command allows configuration of certain options and rules for IPv4. The
ip6tables command is required for similar functionality for the IPv6 protocol.

Check Performed: Opportunistic Encryption Support
Description of Results: Opportunistic Encryption (OE) begins the connection negotiation
process with encrypted messages, but if the encrypted messages are not responded to, or
not responded to properly, the fallback is unencrypted support. In the case of this
configuration, OE is disabled; therefore the systems must use encrypted messages to
negotiate connection establishment.
Note: Next we will use the ipsec whack --status command to display the status of the
IPsec installation and verify the status of any existing tunnels prior to configuring a VPN
tunnel. Tunnel set-up can be done manually or automatically. Automatic configuration is
done by accepting the software's default configuration. Contrary to common practice, in
most cases a manual configuration is easier, less error prone, and gives the security
engineer more control. Within Openswan, however, the automatic approach is usually
preferred so that is the approach you will use in this lab.
Prior to beginning the configuration process, there is one more very serious security
consideration. What if you inadvertently make a configuration change, select a
configuration option improperly, or properly select an option, but improperly document
it. Any of these actions could cause the two systems to stop communicating with each
other. This would be the IT equivalent of locking your keys in the house. If you left the
back door unlocked or hid a key under the mat, you would be able to access your house.
You could do the same thing in an IT situation, if you don't mind the system being less
secure. In most cases, however, systems are most secure if either two people with
administrative rights are physically sitting each at the local and remote keyboards, or if
both systems are physically brought to the same place so that one person, with admin
rights, has access to both systems. Either option is valid, but the second approach is the
most secure.
10. At the prompt, type ipsec whack --status and press Enter.
11. Use the scrollbar to scroll back to the top of the results.
The first part of the ipsec whack --status results confirms that NETKEY is used as the
protocol stack and explains how the interfaces are configured. The results also indicate
that debug mode is turned off.
Figure 5 Result of ipsec whack --status command (Part 1)
The second part of the ipsec whack --status results delineates which virtual private
networks are allowed and which are disallowed. The warning message here points out
that no virtual private subnets are disallowed. Pay close attention to the list of allowed
virtual private networks. fd00::/8 and fe80::/10 are allowed. These are IPv6 addresses,
whereas the others are IPv4 with Classless Inter-Domain Routing (CIDR) designations.
Figure 6 Result of ipsec whack --status command (Part 2)
The third part of the ipsec whack --status results specifies the configuration of all possible
Encapsulating Security Payload (ESP) values and ESP authorization (auth) attributes
(attr). The ESP encryption configurations include the name, Initialization Vector Length
(ivlen), minimum and maximum key sizes (keysizemin and keysizemax) allowed, and
also includes the name of the algorithm. The last algorithm, id=251, is a null
authentication with a minimum and maximum key size of zero, which indicates no key
at all.
Figure 7 Result of ipsec whack --status command (Part 3)
The final part of the results shows the configuration of the allowable Internet Key
Exchange (IKE) types. First, you will see the encryption algorithm, the block size and
key length. Next, the results display the hashing algorithms and hash size. The Diffie-Hellman group and bit length follow, and finally, database statistics are shown.
Figure 8 Result of ipsec whack --status command (Part 4)


Note: There is no perfect way to configure a VPN. The correct configuration depends on
the needs of the organization and the environment. In this lab, you will establish what is
generally called a Host-to-Host VPN or Host-to-Host Tunnel.
To begin, review the following diagram of the virtual lab environment. In contrast to the
diagram in Figure 2, this diagram follows the convention of placing the VPN server on
the left, and the vWorkstation on the right. The left side of the diagram is usually
reserved for the local machine (the one you are currently working on), and the right side
is usually the remote machine. This makes it easy to remember because the first letter of
both left and local is L, and the first letter of both right and remote is R. It is important to
remember that these machines can have any name (Tom/Jerry, East/West, or
Black/White), but the convention of left and right is used in this diagram.
Figure 9 VPN configuration diagram
Now that the machines have been identified, the next step is to create the configuration
file (ipsec.conf). As is the case with most VPN software packages, the configuration file
for Openswan is configured by entering a series of configuration statements using a
general purpose text editor, such as the vi editor which ships with Debian 7. Other
software packages use menus and other graphical user interface (GUI) devices to make
the job easier for less knowledgeable users, but the command line approach can actually
be faster and easier.
It is common practice for experienced security engineers to sit down and enter commands
from memory or scraps of paper. These security engineers start from the existing
configuration file and edit it to create a new file, but it is a bad practice that can often lead
to lengthy troubleshooting and sometimes to errors that can go undetected but can leave a
system vulnerable to certain kinds of attacks. For this reason, it is a strongly
recommended best practice to begin fresh and create a new configuration file each time.
In this lab, you will use the Openswan Host-to-Host Configuration worksheet to generate
a set of commands you will need to create a new configuration file.
12. Double-click the Openswan Host-Host Configuration icon on the vWorkstation
desktop to open the spreadsheet in OpenOffice. If necessary, move or minimize the
PuTTY window: Do not close the window.
This spreadsheet will generate the correct spacing and syntax required to create the new
ipsec configuration file, ipsec.conf. Review the instructions at the top of the worksheet
before proceeding.
Figure 10 Openswan Host-to-Host Configuration worksheet
Note: While this spreadsheet does not include all possible configuration options, it does
include more options that you will need for this lab. The Options column includes the
configuration options for the commands generated by the worksheet. For any cell in the
Options column, click the arrow to display a drop-down menu of available options.
13. In cell C2 of the spreadsheet, type your own name, replacing the text already in that cell.
14. In cell D20, type 2 to identify the specification version that the file conforms to.
This statement is required in configuration files after version 1.
15. In cell D23, type %defaultroute to allow Debian to fill in the relevant IP addresses
when the configuration file is run.
If you were configuring a specific route, you would type the IP address for that route in
this cell.
16. In cell F24, type Y to exclude the klipsdebug configuration statement.
Unless asked to do so by a developer or security analyst, this command should not be
enabled.
17. In cell F25, type Y to exclude the plutodebug configuration statement.
Unless asked to do so by a developer or security analyst, this command should not be
enabled.
18. In cell D26, type /var/run/pluto to specify the dump directory.
Though not required, it is good practice to include a dumpdir statement.
19. Leave cell F27 blank to include the NAT traversal statement.
The statement is not required in the virtual lab because there is no Network Address
Translation gateway in the configuration, let alone one to be traversed. It is included in
the spreadsheet because it is common in most VPN configurations. This statement tells
Openswan to properly handle the unencrypted header information prepended to encrypted
IPSec packets that must traverse NAT gateways.
20. In cell D28, select auto to allow the protocol stack to be selected dynamically.
The NETKEY or KLIPS protocol stacks may be specified, or the protocol stack may be
selected dynamically. The default is NETKEY if no protostack= statement exists, if both
ends have protostack=auto, or if there is a conflict.
21. In cell C30, type %default to add the section title that begins the group of commands
that configures the Security Associations (SA), and their related tunnels for negotiating
key administration.
The second conn section, beginning in cell C42, creates the section title that begins the
group of commands that configures the actual tunnel between the Local/Left and
Remote/Right machines that is used to securely carry the user's information.
22. In cell C31, select ignore, the default auto configuration statement.
23. In cell C32, review the options in the cell's drop-down menu. The default authentication
method is RSA signatures (rsasig). Leave cell F32 blank to include the default statement.
Another option is to use Pre-Shared Keys (PSK) or a more sophisticated approach, such
as Rivest-Shamir-Adleman (RSA). Very often, PSK is chosen because it appears to be
easier to set up; however, a passphrase, or even a string of random keyboard characters,
used as a pre-shared key, can be cracked fairly easily with modern techniques and
hardware. On the other hand, RSA creates the keys using an algorithm that intentionally
creates keys that are much harder to crack. There are ways to make PSK more secure, but
in this lab, you will use RSA.
24. In cell C33, select 3des from the cell's drop-down menu to establish the desired IKE
ciphers. Leave cell F33 blank to include the command.
It is noteworthy that with Openswan's automatic configuration mode the Internet Key
Exchange (IKE) protocol is used to automate certain aspects of the set-up. The IKE
statement in cell A33 will include the options selected in the next two rows of the
spreadsheet, so selections made in those rows will change the statement in cell A33.
25. In cell C34, select md5 from the cell's drop-down menu to specify the IKE hash in cell
A33. In cell F34, the Y excludes a separate IKE hashes statement.
26. In cell C35, select modp1024 from the cell's drop-down menu to specify the IKE
pfsgroup in cell A33. In cell F35, the Y excludes a separate IKE pfsgroups statement.
27. In cell F36, type Y to exclude the Phase 2 algorithm statement.
28. In cell C37, review the options in the cell's drop-down menu. In cell F37, type Y to
accept any Phase 2 combinations and exclude a separate Phase 2 ciphers statement.
The Phase 2 statement will include the options selected in the next two rows of the
spreadsheet; however, in this lab, you will exclude these statements and accept any
default Phase 2 combinations.
29. In cell C38, review the options in the cell's drop-down menu. In cell F38, the Y excludes
a separate Phase 2 hashes statement.
30. In cell C39, review the options in the cell's drop-down menu. In cell F39, the Y excludes
a separate Phase 2 pfsgroups statement.
31. In cell F40, type Y to exclude the IKE key statement.
32. In cell C43, select 0.0.0.0 from the cell's drop-down menu to allow any address on that
side of the VPN to work with the VPN.
There are several options for handling the left IP address, as one can see by selecting the
drop-down menu in the Options column. If you wanted to enter a specific IP address,
select [ip address] from the drop-down menu in the Options column and type the IP
address in cell D43.
33. In cell D44, type 172.30.0.0/24, the subnet address for the Local machine, specified in
Classless Inter-Domain Routing (CIDR) notation.
34. In cell D45, type 172.30.0.2, the IP address of the Remote machine in Figure 9.
35. In cell D46, type 172.30.0.0/24, the subnet address for the Remote machine, specified in
Classless Inter-Domain Routing (CIDR) notation.
36. In cell C47, select tunnel from the cell's drop-down menu to establish a VPN tunnel as
the connection type. Leave cell F47 blank to include the command.
37. There is no Left RSA signature authentication key for this lab. In cell C48, select %none
from the cell's drop-down menu. Leave cell F48 blank to include the command.
38. There is no Right RSA signature authentication key for this lab. In cell C49, select
%none from the cell's drop-down menu. Leave cell F49 blank to include the command.
39. Select File > Save As from the OpenOffice menu. If necessary, click the Desktop icon,
select Microsoft Excel 97/2000/XP (.xls)(*.xls) from the Save as type drop-down menu,
type Openswan Host-Host Configuration your name in the File name box, and click
Save. When prompted, click Keep Current Format to close the popup message.
Replace your name with your own name.
Note: In the previous steps, the options you selected in the Openswan Host-to-Host
Configuration worksheet created a set of command lines in column A with the correct
spacing and syntax required to create an ipsec configuration file. The # signs indicate
comments and are not executed. The blank lines and white space are required and are
properly set-up. This approach is far more consistent and less error-prone than typing in
commands and then troubleshooting the results. Every organization should have some
procedures in place, whether an Excel spreadsheet, a word processing document or a
formal program that provides consistent guidance in the creation of the ipsec.conf file as
well as other important configuration files.
In the next steps, you will use the command lines you created in this worksheet to create
the ipsec.conf file. This file is found in the /etc/ directory.
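The following Python script is an added example (not part of the lab manual or of Openswan). It embeds a constructed ipsec.conf that mirrors the worksheet choices from Steps 14 through 38, written with standard Openswan keywords (the worksheet's exact output is not shown in the lab, so that keyword mapping is an assumption), and runs the checks a security engineer would apply before pasting the lines into /etc/ipsec.conf: the version line, the debug statements, the authentication method, the IKE algorithm choice and the connection type.

```python
"""Review an Openswan ipsec.conf before it is pasted into /etc/ipsec.conf.

Added example, not part of the lab manual or of Openswan. It parses the
ipsec.conf section/keyword=value layout and flags: a missing version line,
klipsdebug/plutodebug left enabled, pre-shared key authentication, legacy
IKE (Phase 1) algorithms, and a non-tunnel connection type.
"""
import re

# Constructed sample mirroring the worksheet choices from Steps 14 through 38.
# The keywords are standard Openswan ones; the worksheet's exact text is not
# shown in the lab, so this mapping is an assumption.
SAMPLE_IPSEC_CONF = """\
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0

config setup
\tinterfaces=%defaultroute
\t# klipsdebug and plutodebug are excluded (worksheet column F = Y)
\tdumpdir=/var/run/pluto
\tnat_traversal=yes
\tprotostack=auto

conn %default
\tauto=ignore
\tauthby=rsasig
\tike=3des-md5-modp1024

conn host-host
\tleft=0.0.0.0
\tleftsubnet=172.30.0.0/24
\tright=172.30.0.2
\trightsubnet=172.30.0.0/24
\ttype=tunnel
\tleftrsasigkey=%none
\trightrsasigkey=%none
"""

# Phase 1 primitives a reviewer would flag today; the lab selects
# 3des-md5-modp1024 for the virtual environment.
WEAK_IKE_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Return (version, {section_name: {keyword: value}}).

    Section headers ('config setup', 'conn NAME') start in column 0, their
    keyword=value lines are indented, and '#' starts a comment.
    """
    version = None
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":
            parts = line.split()
            if parts[0] == "version" and len(parts) == 2:
                version = parts[1]
            elif parts[0] in ("config", "conn") and len(parts) == 2:
                current = f"{parts[0]} {parts[1]}"
                sections[current] = {}
            else:
                raise ValueError(f"unexpected top-level line: {raw!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed or orphaned keyword line: {raw!r}")
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return version, sections


def review_config(text):
    """Return a list of findings (an empty list means nothing to report)."""
    version, sections = parse_ipsec_conf(text)
    findings = []
    if version is None:
        findings.append("missing 'version' line; required in version 2 files")
    setup = sections.get("config setup", {})
    for dbg in ("klipsdebug", "plutodebug"):
        if setup.get(dbg, "none") != "none":
            findings.append(f"{dbg}={setup[dbg]}: debug output enabled; "
                            "leave it off unless a developer asks for it")
    if "nat_traversal" not in setup:
        findings.append("nat_traversal not set; needed if either end is behind NAT")
    default = sections.get("conn %default", {})
    for name, conn in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        effective = {**default, **conn}  # conn-specific keywords win over %default
        if effective.get("authby", "rsasig") == "secret":
            findings.append(f"{name}: authby=secret (pre-shared key); prefer rsasig")
        ike = effective.get("ike", "")
        weak = sorted(set(re.split(r"[-,;]", ike.lower())) & WEAK_IKE_TOKENS)
        if weak:
            findings.append(f"{name}: ike={ike} uses legacy primitives {weak}")
        if effective.get("type", "tunnel") != "tunnel":
            findings.append(f"{name}: type={effective['type']} leaves IP headers in the clear")
    return findings


if __name__ == "__main__":
    for finding in review_config(SAMPLE_IPSEC_CONF):
        print(" -", finding)
```

Run against the sample, the only finding is the 3des-md5-modp1024 IKE proposal the lab selects; point the script at a real /etc/ipsec.conf to check a file pasted from the worksheet.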
40. Select cells A19 through A50 of the worksheet, right-click within the highlighted cells,
and select Copy from the context menu to copy the text to the system clipboard.
Figure 11 Highlighted command lines in the configuration worksheet
41. Minimize the OpenOffice window.
Note: In the next steps, you will save a copy of the existing ipsec.conf file before editing
it using the vi editor, a standard text editor that ships with Debian 7. Other text editors will
work as well, but you will use the vi editor in this virtual environment.
You may get additional help with the configuration at any time by using the command
man ipsec.conf at the command line in the PuTTY window. A cheat sheet of vi
commands is also available on the virtual desktop. If necessary, type :q! and press Enter
at the vi command prompt to exit the editor without saving your changes and return to the
command prompt.
42. Click anywhere in the PuTTY window to activate it.
43. At the prompt, type cp /etc/ipsec.conf /etc/ipsec_conf.old and press Enter to save a
copy of the existing configuration file.
It is good practice to save a copy of the existing file before you begin editing in case you
need to restore the original. In this virtual lab, this step is added only as a reminder.
44. At the prompt, type vi /etc/ipsec.conf and press Enter to open the existing configuration
file in the vi editor.
45. At the prompt, type A to enter the append mode and move the cursor to the end of the
current line.
46. Right-click to paste the copied text from the configuration worksheet.
Figure 12 Text copied from configuration worksheet
47. Press Ctrl+C twice to leave the append mode and return to the vi command prompt.
48. Expand the PuTTY window as necessary to see the entire contents of the configuration
file.
49. Make a screen capture showing the entire contents of the configuration file and paste it
into your Lab Report file.
50. Type :x and press Enter to save your changes, exit the editor, and return to the Linux
command prompt.
51. In the PuTTY window, type exit and press Enter to exit superuser root access, and type
exit and press Enter again to close the terminal emulator.
Note: The server side of the VPN tunnel is now configured. In order to test the
connection the other end of the VPN connection must be configured and Openswan must
be restarted on both machines in order for the configuration changes to take effect. The
other end of the connection will be configured in a separate lab, Configuring a VPN
Client for Secure File Transfers.
52. Maximize the OpenOffice window and close the application.
53. Click Save when prompted to save your changes.
54. Click the File Transfer button on the vWorkstation desktop to transfer the Openswan
Host-Host Configuration your name file from the virtual desktop to your local
computer for your own future use.
Note: Refer to the Preface of this lab manual for more detailed instructions on the File
Transfer process.
55. If desired, click the File Transfer button on the vWorkstation desktop to transfer the VI
Cheat Sheet file from the virtual desktop to your local computer for your own future use.
56. Close the virtual lab, or proceed with Part 2 to answer the challenge questions for this
lab.

Lab #7 - Assessment Worksheet

Configuring a Virtual Private Network Server
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab, you learned that a Virtual Private Network (VPN) is a private network that enables
remote users (for example, employees, suppliers, partners, and customers) to leverage the
inherently insecure public Internet to connect to an enterprise's private network resources in a
secure manner. To do this, companies create a secure tunnel from the client to the server and use
encryption to keep unauthorized parties from viewing or intercepting the data in transit. You
used a worksheet to guide your configuration decisions and created a new ipsec.conf file to
configure the server side of a Linux Debian Openswan VPN.

Lab Assessment Questions & Answers


1. The traditional IPsec protocol stack that is installed with Openswan is ________. The
new alternative is ________.

2. Which command displays the status of the IPsec installation?


3. Tunnels may either be established using manual mode or automatic mode. Which mode
is preferred?
4. The convention when drawing configuration diagrams of the VPN connection is to place
the VPN server on the left or right (circle one), and the vWorkstation on the left or right
(circle one). In this way, the left side of the diagram is usually reserved for the ________
machine, and the right side is usually the ________ machine.
5. Which of the following commands can be used to place a section break between sections
when creating the ipsec.conf file?
a. A # character
b. A blank line
c. section=%break
d. SECTION-%break
e. None of the above
6. The klipsdebug and/or plutodebug should only be __________.
a. loaded in Openswan versions greater than 2.5.
b. enabled if specifically requested.
c. generated on systems with aggregate bandwidth greater than 100 Mbps.
d. used by Government Intelligence Agencies.
7. What is the name of the ipsec configuration file? In which directory is it stored?
8. Which of the following are valid options for the tunnel= command?
a. ESP, AH, null
b. Diffie-Hellman, OAKLEY, IKE
c. IKE and TINA
d. Tunnel, transport and passthrough
e. Tunnel, transport, *null*

Lab #7 - Completed Configuration Worksheet and IPsec.conf File

Host-to-Host Configuration Worksheet


Figure 13 Completed Host-to-Host Configuration worksheet

IPsec.conf file
Figure 14 Content of the new ipsec.conf file

Toolwire Lab 8: Configuring a VPN Client for Secure File Transfers
Introduction
Click the link below to view the network topology for this lab:
Topology
Virtual Private Networks (VPNs) enable the secure (virtually private, in fact) transmission of
data across a network that may inherently not have security built-in, for example, the Internet.
There are actually three major types of Virtual Private Network (VPN) connections, which can
be implemented as a dedicated form or as some combination of all three depending upon the
security needs of the given environment.

A tunnel VPN, the most common type, encrypts and sends the content using a secure
path, or tunnel, between two points across an unencrypted network. Tunnel mode
encrypts the entire data packet including the headers and the payload.
A transport VPN encrypts the transported content, the data payload, but leaves the header
information, including IP addresses unencrypted. Transport mode is generally used when
both end points are known, for example in remote desktop services or terminal emulators.
A passthrough VPN, used primarily by small and home offices (SOHOs), enables the
VPN traffic to pass through the router. The traffic on a passthrough VPN is not
interpreted, decoded or encoded in any way.

A tunnel VPN establishes a secure information tunnel, rather than a physical tunnel, that uses a
sophisticated combination of encryption and authentication, most often via the IPsec protocol.
Although most VPN tunnels typically employ some encryption, they do not necessarily have to.
One example of a VPN tunnel that logically separates connections without using encryption is a
Multiprotocol Label Switching (MPLS) VPN, in which labels are used to identify the contents of
a packet and allow the packet to use any transport protocol.
Another versatile feature of VPNs is that they may be implemented between endpoints which do
not share the same operating system or even the same VPN application software, as long as they
use the same VPN protocol. This is similar to the way browsers communicate with web servers:
the browsers and web servers may be mismatched in a variety of ways, but as long as both ends
interpret HTML the same way, they will work just fine.
This lab, potentially, has three parts which should be completed in the order specified.


1. In the first part of this lab, you will configure the vWorkstation, a Windows Server 2008
machine, as a VPN client to connect to a Linux Debian Openswan VPN.
2. In the second part of this lab, you will use the Wireshark protocol analyzer to look at the
tunneled VPN traffic using the IPsec protocol, and compare it with the non-tunneled
traffic. You will look at the detailed packet interactions of the File Transfer Protocol
(FTP) and Secure Shell (SSH) protocol.
3. If assigned by your instructor, you will get some additional hands-on experience in a less
structured environment in the Challenge Questions section of the lab.

Learning Objectives
Upon completing this lab, you will be able to:
1. Recognize and explain the differences between secure and non-secure file transfers.
2. Determine the password and content of non-secure file transfers.
3. Configure a Windows Server 2008 VPN client to work with a Linux Debian Openswan
VPN.
4. Describe the differences between non-tunneled and tunneled connections.
5. Discuss the roles and functions of encryption, authentication and different elements of the
IPsec protocol, such as ESP and AH.
6. Explain different phases and modes of operation of the IPsec protocol.

Tools and Software


The following software and/or utilities are required to complete this lab. Students are encouraged
to explore the Internet to learn more about the products and tools used in this lab.

Openswan VPN
PuTTY
Windows Server
Wireshark

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1, Steps 39 and 55,
and Part 2, Steps 12, 38, 43, 53, and 62;
2. Lab Assessments file;


3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics


The following are the evaluation criteria for this lab that students must perform:
1. Recognize and explain the differences between secure and non-secure file transfers. [10%]
2. Determine the password and content of non-secure file transfers. [5%]
3. Configure a Windows Server 2008 VPN client to work with a Linux Debian Openswan
VPN. [30%]
4. Describe the differences between non-tunneled and tunneled connections. [15%]
5. Discuss the roles and functions of encryption, authentication and different elements of the
IPsec protocol, such as ESP and AH. [30%]
6. Explain different phases and modes of operation of the IPsec protocol. [10%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 "Student Landing" workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Configuring a Windows VPN Client to work with a Linux VPN Server


Note: In this part of the lab, you will use an IPsec configuration file to configure a VPN tunnel
between a Windows Server 2008 client machine and a Linux Debian Openswan VPN server.
Figure 2 VPN configuration diagram
The IPsec configuration file establishes all of the options used to configure the VPN tunnel on
the VPN server. It is considered a best practice in many organizations to document the
configuration of VPN connections, firewalls, and load balancers, using a configuration
spreadsheet, a manual checklist, or some other form of documentation, such as a printed copy of
the configuration file. In this lab, you will work from a copy of the IPsec configuration file
(ipsec.conf) provided by the security analyst or sysadmin of the Linux Debian VPN server to
configure the VPN client.
Following additional best practice protocol, the documentation version of the configuration file
has been named ipsec-debian-vpn.conf to better describe its contents. Many organizations also
include a version number and an implementation date in the file names.
1. Right-click the ipsec-debian-vpn.conf icon on the vWorkstation desktop to select it.
2. Click Open on the context menu.
3. When prompted, click the Select a program from a list of installed programs option
and click OK.
4. Click the Wordpad icon in the resulting window to select that program.
Note: Any text editor, such as Windows NotePad, or a word processing program can be
used to view *.conf files. Wordpad is used here simply because it is available on the
vWorkstation desktop.
5. Resize the Wordpad window to display the entire contents of the file and move the
application to the far right of the desktop as shown in the following figure.
Note: You will refer to this file throughout this part of the lab. Resizing the Wordpad
window keeps it in view as you proceed with the lab steps.
Figure 3 ipsec-debian-vpn.conf file displayed in Wordpad
6. Double-click the Network icon on the vWorkstation desktop.
Figure 4 Windows Network Window
7. Click the Network and Sharing Center link beneath the menu bar at the top of the
window.
Figure 5 Network and Sharing Center
8. Click the Set up a new connection or network link at the bottom of the window.


Figure 6 Set Up a Connection or Network window
9. Double-click the Connect to a workplace icon.
Figure 7 Connect to a Workplace window
10. Click the Use my Internet connection (VPN) option to establish a VPN connection.
11. In the Internet address box, type 172.30.0.100, the IPv4 address of the VPN server as
specified in the ipsec-debian-vpn.conf file.
12. In the Destination name box, type Debian-VPN.
Note: The name for the VPN, which must be unique in your Network and Sharing
Center, may be dictated by your organization's naming conventions. If not, the choice of
the VPN connection name should be immediately identifiable. In this case, the name
matches the configuration file name: ipsec-debian-vpn.conf.
13. Click the Don't connect now, just set it up so I can connect later checkbox.
Figure 8 Connect to a Workplace window (Part 2)
14. Click Next to continue.
15. In the User name box, type student.
16. Click the Show characters checkbox to view the password in clear text as you type.
17. Click the Remember this password checkbox.
18. In the Password box, type ISS316Security.
Figure 9 Connect to a Workplace window (Part 3)
19. Click Create to continue.
Figure 10 Connect to a Workplace window (Part 4)
20. Click Close to close the Connect to a Workplace window and return to the Network and
Sharing Center.
21. Click the Change adapter settings link at the top left of the Network and Sharing
Center to view the Debian-VPN connection icon.
Figure 11 Debian-VPN connection
22. Double-click the Debian-VPN icon in the Network Connections window to open the
Connect Debian-VPN dialog box.
23. Click Properties to open the Debian-VPN Properties dialog box.
Figure 12 Connect Debian-VPN dialog box
24. Click the Networking tab.


25. Double-click Internet Protocol Version 4 to open the Internet Protocol Version 4
(TCP/IPv4) Properties dialog box.
26. Click the Advanced button to open the Advanced TCP/IP Settings dialog box.
27. Click the Use default gateway on remote system checkbox to remove the checkmark.
Note: The Debian-VPN connection will not use a gateway on the destination machine or
network. The nat_traversal=yes statement in the configuration file indicates that the VPN
connection will not traverse a Network Address Translation gateway. Though not
detailed, the VPN configuration diagram in Figure 2 confirms this lack of a gateway
requirement.
Figure 13 Advanced TCP/IP Settings dialog box
28. Click OK to close the Advanced TCP/IP Settings dialog box.
29. Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.
30. Click the Security tab in the Debian-VPN Properties dialog box.
31. Click the Advanced settings button.
Note: In the ipsec-debian-vpn.conf file, the statement also=L2TP-PSK-noNat indicates
that this connection uses the Layer 2 Tunneling Protocol with Pre-Shared Keys.
32. In the L2TP tab, click the Use preshared key for authentication radio button.
Note: A preshared key is a passphrase that is shared by the security analyst or systems
administrator with anyone authorized to use the VPN. Often, these keys are a complex
series of upper- and lower-case letters, numbers and symbols, making them difficult for an
attacker to guess. It is a best practice to copy and paste the pre-shared key to ensure that no
keyboarding errors are made in establishing the VPN client connection. In this case, the
preshared key is a simple phrase: this is the life.
33. In the Key box, type this is the life, the preshared key for this VPN connection.
Figure 14 L2TP Advanced Properties dialog box
34. Click OK to close the Advanced Properties dialog box.
Note: In the ipsec-debian-vpn.conf file, the statement pfs=no indicates that Perfect
Forward Secrecy is not required by the encryption methodology. The encryption
methodology in this case will be negotiated at time of connection and does not need to be
specified.
35. Select Optional encryption (connect even if no encryption) from the Data encryption
drop-down menu on the Security tab of the Debian-VPN Properties dialog box.
Figure 15 Select a data encryption method


36. Click OK to close the Debian-VPN Properties dialog box.
37. Click Connect in the Connect Debian-VPN dialog box to open a connection to the VPN
server.
When the Connecting to Debian-VPN window disappears from the screen, the connection
has been fully established.
Figure 16 Connecting to Debian-VPN window
38. Double-click the Debian-VPN icon in the Network Connections window to open the
Debian-VPN Status dialog box and view the connection details.
39. Make a screen capture showing the Debian-VPN Status window and paste it into the
Lab Report file.
40. Click Close to close the Debian-VPN Status dialog box without disconnecting the VPN
connection.
Note: In the next steps, you will use PuTTY to connect to the Linux Debian VPN server
and verify that the IPsec is running correctly.
41. Minimize the Network Connections window.
42. Double-click the putty.exe icon on the vWorkstation desktop to open the application
window.
43. In the Host Name (or IP address) box, type 172.30.0.100 (the IP address of the Linux
Debian Openswan VPN server).
Figure 17 PuTTY Configuration dialog box
44. If necessary, click the SSH radio button to use a Secure Shell (SSH) connection.
45. Click Open to complete the connection.
46. Log in to the server using the following credentials.
o Login: student and press Enter.
o Student@172.30.0.100's password: type ISS316Security and press Enter.
You are now logged into Debian Linux in the student account. In order to configure the
Openswan VPN, you must have super user (su) privileges.
47. Log in to the server using the super user credentials.
48. At the prompt, type su and press Enter.
49. When prompted for a password, type toor and press Enter.
You are now logged into the Linux Debian machine with super user access. Note that the
prompt has changed to root@Debian7:/home/students#.
50. At the prompt, type ipsec verify and press Enter.


A cursory glance will indicate that the results for the ipsec verify command include
mostly OKs and no FAILURES, which is good.
Figure 18 Results of ipsec verify command
Note: This PuTTY connection was made across the VPN and a command (ipsec verify)
has been executed and verified on the Debian Openswan VPN server.
51. In the PuTTY window, type exit and press Enter to exit the superuser account and
return to the student prompt.
52. In the PuTTY window, type exit and press Enter to close the terminal emulator.
53. Maximize the Network Connections window.
54. Right-click the Debian-VPN icon and select Status from the context menu to open the
Debian-VPN Status dialog box.
55. Make a screen capture showing the Debian-VPN Status window and paste it into the
Lab Report file.
Compare the bytes sent and received with those same fields from step 38. This data
reflects the activity that took place during the PuTTY connection.
56. Click Disconnect to close the VPN connection.
57. Close the Network Connections window.
58. Close the Wordpad window.

Part 2: Comparing Secure and Non-secure File Transfers in Wireshark
Note: In this part of the lab, you will use Wireshark to review several file transfers, beginning
with non-secure file transfers using the File Transfer Protocol (FTP). Later, you will review more
secure file transfers using SSH. In this lab, you will use a set of pre-captured files to ensure that
the frame numbers and content exactly match the lab contents.
1. Double-click the Wireshark icon to open the Wireshark application.
Figure 19 Wireshark interface
2. Select File > Open from the Wireshark menu and click the Desktop icon to view the files
on the vWorkstation desktop.
3. Double-click the ftp-capture.pcapng file to open the file in Wireshark.
4. If necessary, maximize the Wireshark window.


The Wireshark window opens with the detailed information about the first packet
captured, Frame 1, displayed in the middle pane. Use your mouse to drag the borders of
any pane up or down to change its size.
o The top pane of the Wireshark window contains all of the packets that Wireshark
has captured, in time order, and provides a summary of the contents of the packet
in a format close to English. Keep in mind that the content will be different
depending upon where you capture packets in the network. Also remember that
"source" and "destination" are relative to where a packet is captured. This area
of the Wireshark window will be referred to as the frame summary.
o The middle pane of the Wireshark window is used to display the packet structure
and contents of fields within the packet. This area of the Wireshark window will
be referred to as the frame details.
o The bottom pane of the Wireshark window displays the byte data. All of the
information in the packet is displayed in hexadecimal on the left and in decimal,
in characters when possible, on the right. This can be a very useful feature,
especially if passwords for which you are looking are unencrypted. This area of
the Wireshark window will be referred to as the byte data.

Figure 20 Wireshark application window


5. In the Filter box below the Wireshark menu, type ftp to create a filter isolating only the
FTP packets.
Figure 21 Wireshark's Filter toolbar
Note: Clicking the Expression button on the Filter toolbar will open a dialog box that
allows you to build a filter by selecting options from a list. To create a filter isolating
only the FTP packets using this method, select FTP - File Transfer Protocol (FTP) from
the Field name options and click "is present" in the Relation box, then click OK to load
the expression in the Filter box.
As you proceed through the next steps, take time to explore the frame details and byte
data panes for each frame discussed. As you will see, one of the big security drawbacks
of FTP is that all information is sent in clear text and easily deciphered with common
analysis tools like Wireshark.
When managing multiple servers in an organization, it is easy to become overwhelmed
by the number of file transfers and servers. It is a good practice, though not necessary in
this lab, to build a filter that isolates the IP addresses you are analyzing as part of an
investigation.
6. Click Apply to complete the filter process.
With the filter applied, the frame summary pane now displays only those packets that
relate to an FTP file transfer.


Figure 22 Filtered FTP frames 12-17


7. Click frame 12.
Frame 12 indicates that the FTP server is ready for a new user and that the server is a
Debian server. You will also see that the communication is from 172.30.0.100 (the source
IP address) and to 172.30.0.2 (the destination IP address).
8. Click frame 13.
Frame 13 indicates that 172.30.0.2 is attempting to log on as an anonymous user.
9. Click frame 15.
Frame 15 indicates that the user was passed some kind of message that a password is
required for anonymous.
Note: The exact messages, windows, or prompts displayed to the user will vary based on
the application being used. The information in frame 15 does not indicate whether or not
the user received the message, or that the message was delivered correctly.
10. Click frame 16.
Frame 16 shows that the user attempted to use the password User@.
11. Click frame 17.
Frame 17 indicates that the User@ password was rejected.
Note: It is a very common practice to allow outbound file transfers for large files without
a password, via anonymous FTP. It is best practice for files which are to be distributed in
a non-secure fashion, such as general white papers or other documentation. It is less
common, though still not rare, to allow inbound anonymous FTP, for instance, students
using FTP to send papers to an instructor. It is more common, however, to have folders
for each user and a password to assure some level of integrity and tracking. Most FTP
servers also have log files to track senders/receivers and their data. It is possible to track
individual contributions with anonymous FTP, but much simpler with individual FTP
accounts.
12. Make a screen capture showing the Frame Summary for frames 12-17, including the
source and destination IP addresses, and paste it into your Lab Report file.
13. Click frame 30.
Frame 30 shows that the FTP server is once again ready to accept a new user.
Figure 23 Filtered FTP frames 30-36


14. Click frame 31.
Frame 31 indicates that a user is attempting to sign in with a username of student.
15. Click frame 33.
Frame 33 indicates that a password is required for the user student.
16. Click frame 34.
Frame 34 indicates that the password ISS366Security was attempted for the user account.
17. Click frame 36.
Frame 36 indicates that the attempted password was rejected as incorrect.
Note: Notice that there is no specific error code that indicates whether or not the user
account information or password is correct, which makes it a bit more difficult to hack
the account, but keep in mind that hackers often obtain account information by other
means before ever attempting to crack the password.
18. Click frame 49.
Frame 49 shows that the FTP server is once again ready to accept a new user.
Figure 24 Filtered FTP frames 49-55
19. Click frame 50.
Frame 50 indicates that someone is attempting to sign in with the username student.
20. Click frame 52.
Frame 52 indicates that a password is required for the user account student.
21. Click frame 53.
Frame 53 displays the password attempted: ISS316Security.
22. Click frame 55.
Frame 55 indicates that the login was accepted and user student is logged in.
Note: In the next steps, you will analyze how a file transferred using FTP appears within
Wireshark.


23. Click frame 61.
24. In the frame detail pane, click the plus sign at the beginning of the File Transfer
Protocol (FTP) line to expand the fields.
25. If necessary, click the plus sign at the beginning of the SIZE line to see which file is
being retrieved: ipsec.conf.
Figure 25 Frame 61 detail
Note: Notice the file path displayed in the Request arg portion of the frame detail. This
information is captured whether it was passed using a Windows Graphical User Interface
(GUI) application or by manually typing the command /home/student/ipsec.conf\r\n.
26. Click frame 62.
Frame 62 is a file status message in response to the request in frame 61. It indicates that
the transferred file was 2,075 octets (8-bit bytes) in length.
Figure 26 Frame 62 detail
27. Click frame 63.
Frame 63 is a retrieve request (RETR) for the /home/student/ipsec.conf file.
Figure 27 Frame 63 detail
28. Click frame 67.
Frame 67 is a response to frame 63 and indicates that a binary mode data connection has
been opened.
Figure 28 Frame 67 detail
29. Click frame 73.
30. Click the plus sign at the beginning of the Transmission Control Protocol line to
expand the fields.
31. Click the plus sign at the beginning of the [SEQ/ACK analysis] line. Use the scrollbar
as necessary to locate this line.
32. Click the plus sign at the beginning of the TCP Analysis Flags line.
Figure 29 Frame 73 detail
Note: The frame detail indicates that Wireshark's expert mode suspects that frame 73 is a
retransmission. A retransmission could be the result of an intentional packet injection or a
false retransmission intended to cause some problem or further some exploit. Take a
moment to expand more fields in the frame detail to learn more about this packet.


33. Click frame 76.
34. Click the minus sign at the beginning of the Transmission Control Protocol line to
collapse these fields.
Figure 30 Frame 76 detail
Note: Frame 76 indicates that the requested file transfer has completed. But, where is the
file itself? And, if the contents of the file are in clear text, why can't we see them? In
many cases it is enough just to know which file was transferred, how it was transferred,
when the transfer took place, the size of the file and other information that can be
determined from what we already have.
The actual transfer of the information is done by a sub-set of FTP called ftp-data. In the
next steps, you will re-filter the Wireshark packets and review how this information is
displayed in Wireshark.
35. In the Filter box, type ftp-data and click Apply to create a new filter.
Figure 31 Wireshark's Filter toolbar
Figure 32 Frame Summary for the ftp-data filter
36. Click frame 68.
37. Resize the borders of each pane to approximate the following figure.
Figure 33 Frame 68 detail
Note: The last line of the Frame Detail pane, FTP Data, displays the transferred file name
(/etc/ipsec.conf) and the first part of that file's contents. The Byte Data pane displays the
complete contents of the file in clear text on the right side of the pane and the
corresponding hexadecimal (base 16) code on the left side.
38. Make a screen capture showing the Frame Summary and Byte Data for Frame 68
and paste it into your Lab Report file.
39. Click frame 69.
The FTP Data line of the Frame Details for frame 69 displays the last part of the
transferred file's content. This file is short and is only broken into two pieces for
transmission by FTP. Shorter files could be transmitted as a single unit; longer files
would be broken into more pieces.
Note: One way that FTP can be used in a more secure manner is to encrypt the file before
transferring it. The file contents would still be visible as a part of a file transfer analysis
using Wireshark, or any similar packet analysis program, but it would not be readable and
could not even be deciphered unless we had the key. It is also noteworthy that certain
secure protocols allow us to enter the proper key in Wireshark so that Wireshark can


decrypt the contents of a file and display it, even though non-authorized persons, who do
not possess the decryption key, could not read the file contents.
In the next steps, you will analyze the Wireshark packets of an encrypted transfer of a
new file, ipsec2.conf using the Secure Shell (SSH) protocol. The ipsec2.conf file is larger
than the ipsec.conf file transferred using the FTP protocol.
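The FTP analysis in the steps above can be automated. The following Python script is an added example and is not part of the lab or the Toolwire environment: it walks a constructed list of packets modelled on the frames described above (the reply text, TCP sequence numbers, ephemeral ports and file body are made up; the user names, passwords and file path follow the lab), pairs each USER/PASS with the server's 230 or 530 reply, decodes the 227 passive-mode reply to find the data port, and reassembles the transferred file from the ftp-data segments while discarding the retransmitted copy. This is the same work the Wireshark "ftp" and "ftp-data" filters let you do by hand. The audit summary deliberately reports that a password was exposed without repeating it.

```python
"""Reconstruct FTP logins and a file transfer from captured TCP payloads."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "frame src dst sport dport seq payload")  # seq: TCP seq of first payload byte
CTRL_PORT = 21
SERVER, CLIENT = "172.30.0.100", "172.30.0.2"


def ctrl(frame, src, seq, text):
    """Constructed control-channel packet; the client side uses ephemeral port 49152 (assumed)."""
    s2c = src == SERVER
    return Packet(frame, src, CLIENT if s2c else SERVER, CTRL_PORT if s2c else 49152,
                  49152 if s2c else CTRL_PORT, seq, text.encode("ascii"))


# Constructed capture modelled on the lab's frames: reply text, sequence numbers and the
# file body are made up; user names, passwords and the file path follow the lab.
CAPTURE = [
    ctrl(12, SERVER, 1, "220 Debian FTP server ready.\r\n"),
    ctrl(13, CLIENT, 1, "USER anonymous\r\n"),
    ctrl(15, SERVER, 30, "331 Please specify the password.\r\n"),
    ctrl(16, CLIENT, 17, "PASS User@\r\n"),
    ctrl(17, SERVER, 64, "530 Login incorrect.\r\n"),
    ctrl(31, CLIENT, 29, "USER student\r\n"),
    ctrl(33, SERVER, 86, "331 Please specify the password.\r\n"),
    ctrl(34, CLIENT, 44, "PASS ISS366Security\r\n"),
    ctrl(36, SERVER, 120, "530 Login incorrect.\r\n"),
    ctrl(50, CLIENT, 65, "USER student\r\n"),
    ctrl(52, SERVER, 142, "331 Please specify the password.\r\n"),
    ctrl(53, CLIENT, 80, "PASS ISS316Security\r\n"),
    ctrl(55, SERVER, 176, "230 Login successful.\r\n"),
    ctrl(60, SERVER, 199, "227 Entering Passive Mode (172,30,0,100,195,80).\r\n"),
    ctrl(61, CLIENT, 101, "SIZE /home/student/ipsec.conf\r\n"),
    ctrl(62, SERVER, 250, "213 52\r\n"),
    ctrl(63, CLIENT, 132, "RETR /home/student/ipsec.conf\r\n"),
    # ftp-data segments on the passive port; frame 73 repeats frame 68 (a retransmission)
    Packet(68, SERVER, CLIENT, 50000, 49153, 1, b"config setup\n\tnat_traversal=yes\n"),
    Packet(69, SERVER, CLIENT, 50000, 49153, 33, b"conn debian\n\tpfs=no\n"),
    Packet(73, SERVER, CLIENT, 50000, 49153, 1, b"config setup\n\tnat_traversal=yes\n"),
]
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def control_lines(packets):
    """Yield (frame, direction, line) for every line on the FTP control channel."""
    for p in packets:
        if CTRL_PORT in (p.sport, p.dport):
            direction = "S>C" if p.sport == CTRL_PORT else "C>S"
            for line in p.payload.decode("ascii", "replace").split("\r\n"):
                if line:
                    yield p.frame, direction, line


def extract_logins(packets):
    """Pair each USER/PASS with the server's 230 (accepted) or 530 (rejected) reply."""
    logins, pending = [], None
    for frame, direction, line in control_lines(packets):
        verb, _, arg = line.partition(" ")
        if direction == "C>S" and verb.upper() == "USER":
            pending = {"user": arg, "password": None, "frames": [frame]}
        elif direction == "C>S" and verb.upper() == "PASS" and pending:
            pending["password"] = arg
            pending["frames"].append(frame)
        elif direction == "S>C" and verb in ("230", "530") and pending:
            pending.update(accepted=(verb == "230"), frames=pending["frames"] + [frame])
            logins.append(pending)
            pending = None
    return logins


def transferred_files(packets):
    """Paths named in RETR (download) or STOR (upload) commands."""
    return [line.partition(" ")[2] for _, d, line in control_lines(packets)
            if d == "C>S" and line.partition(" ")[0].upper() in ("RETR", "STOR")]


def passive_data_port(packets):
    """Decode the 227 reply: the last two numbers are the high and low bytes of the port."""
    for _, direction, line in control_lines(packets):
        m = PASV_RE.match(line)
        if direction == "S>C" and m:
            h1, h2, h3, h4, p_hi, p_lo = map(int, m.groups())
            return f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo
    return None


def reassemble_ftp_data(packets, data_port):
    """Rebuild the file from the data segments ordered by TCP sequence number;
    a retransmission carries the same seq and is kept only once."""
    segments = {}
    for p in packets:
        if p.sport == data_port:
            segments.setdefault(p.seq, p.payload)
    return b"".join(segments[s] for s in sorted(segments))


def audit(packets):
    """Defender's summary of what an eavesdropper learns (the password itself is not repeated)."""
    findings = [f"cleartext password for '{l['user']}' {'accepted' if l['accepted'] else 'rejected'}, "
                f"frames {l['frames']}" for l in extract_logins(packets)]
    host, port = passive_data_port(packets)
    size = len(reassemble_ftp_data(packets, port))
    findings.append(f"{size} bytes of {', '.join(transferred_files(packets))} readable on {host}:{port}")
    return findings
```

Reading a real .pcapng file would need a capture library such as scapy or pyshark; the Packet records here stand in for the fields those libraries expose, so the parsing and reassembly logic is what carries over.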
40. Click File > Open and double-click the ssh-capture.pcapng file to open the file in
Wireshark. Use the scrollbar as necessary to locate the file.
The Wireshark Frame Summary will display no frames when the file is loaded because
the ftp-data filter is still applied. You could click the Clear button in the Filter toolbar to
display all of the packets, or apply a new filter.
41. In the Filter box, type ssh and click Apply to create a new filter that will display only
those packets related to the SSH file transfer.
42. Resize the borders of each pane to display frames 12-49 in the Frame Summary pane.
Figure 34 Frame Summary for the ssh filter
Note: The Secure Shell (SSH) protocol replaces the older, insecure Telnet protocol for
keyboard-mode (command line interface) interaction between systems, such as the
configuration of servers, routers and switches. Telnet is still used in many cases even
though it suffers from many of the same shortcomings as FTP: it operates in clear text
and is easy to hack. In the next steps, you will see how SSH can be used to securely
transfer files.
Notice that this file transfer, which uses SSHv2 rather than FTP, is also between
172.30.0.2 and 172.30.0.100 so all other things about the environment are the same.
Explore the Frame Details and Byte Data for each step that follows to see how this
exchange differs from the FTP file transfer.
43. Make a screen capture showing the Frame Summary for Frames 12-49 and paste it
into your Lab Report file.
44. Click frame 12.
Frame 12 identifies the destination machine of this file transfer, 172.30.0.2, as a Debian
implementation of SSHv2.
45. Click frame 13.
Frame 13 identifies the destination machine of this file transfer, 172.30.0.100, as a
Windows implementation of SSHv2.
46. Click frame 15.


Frames 15 and 18 are the Key Exchange initialization between the two systems. If you
look at the detail of Frame 15 you will see that the server (172.30.0.100) proposes the use of
aes128-ctr (a block cipher used in counter mode, which makes it behave as a stream cipher)
as the encryption method, with hmac-md5 as the authentication mechanism and no compression.
Initialization strings are also proposed. In Frame 18, the proposals of the server are
accepted by the client (172.30.0.2).
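The negotiation in frames 15 and 18 follows a fixed rule from RFC 4253, section 7.1: for each algorithm category, the chosen algorithm is the first entry on the client's name-list that also appears on the server's name-list. The script below is an added example and not part of the lab: it builds and parses SSH_MSG_KEXINIT payloads and applies that rule to constructed proposals in which the server offers only aes128-ctr and hmac-md5, as frame 15 describes, while the client, modelled on frame 18, also lists stronger options. The kex and host-key names are assumptions for the example, and the weak-algorithm list is the editor's own, so a reviewer of such a capture can see at once that the session will authenticate its packets with hmac-md5.

```python
"""Decode SSH_MSG_KEXINIT and replay the RFC 4253 algorithm negotiation."""
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253, section 7.1).
NAME_LISTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Choices a reviewer would flag if they win the negotiation (editor's list, not from the
# lab); compression "none" is normal and is excluded from the check below.
WEAK = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "arcfour", "3des-cbc",
        "diffie-hellman-group1-sha1", "none"}

# Constructed proposals: the server offers only what the lab's frame 15 describes; the
# client (frame 18) prefers stronger algorithms but also supports the server's.
SERVER_PROPOSAL = {
    "kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr"], "enc_s2c": ["aes128-ctr"],
    "mac_c2s": ["hmac-md5"], "mac_s2c": ["hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}
CLIENT_PROPOSAL = {
    "kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes256-ctr", "aes128-ctr"], "enc_s2c": ["aes256-ctr", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-md5"], "mac_s2c": ["hmac-sha2-256", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}


def build_kexinit(proposal, cookie=bytes(16)):
    """Serialise a proposal as the KEXINIT payload: message id, 16-byte cookie, ten
    length-prefixed name-lists, first_kex_packet_follows, reserved uint32."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for key in NAME_LISTS:
        names = ",".join(proposal[key]).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Inverse of build_kexinit: returns (proposal dict, first_kex_packet_follows)."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, proposal = 17, {}               # skip 1-byte id and 16-byte cookie
    for key in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        proposal[key] = raw.split(",") if raw else []
        off += 4 + n
    return proposal, bool(payload[off])


def negotiate(client, server):
    """RFC 4253 rule: the first entry on the client's list that the server also lists
    wins, so the client's preference order decides, not the server's."""
    chosen = {}
    for key in NAME_LISTS[:8]:           # language lists are not negotiated
        match = next((a for a in client[key] if a in server[key]), None)
        if match is None:
            raise ValueError(f"no common algorithm for {key}")
        chosen[key] = match
    return chosen


def weak_choices(chosen):
    """Negotiated kex, host-key, cipher or MAC choices that are on the weak list."""
    return {k: v for k, v in chosen.items() if v in WEAK and not k.startswith("comp")}


def negotiate_from_wire(client_payload, server_payload):
    """Run the negotiation on two captured KEXINIT payloads, as an analyst would."""
    client, _ = parse_kexinit(client_payload)
    server, _ = parse_kexinit(server_payload)
    chosen = negotiate(client, server)
    return chosen, weak_choices(chosen)
```

Because the client's order decides, a server that lists hmac-md5 first but also supports hmac-sha2-256 still ends up with the stronger MAC whenever the client prefers it; the converse is what the lab's capture shows, where the server offers nothing else.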
47. Click frame 20.
Frames 20 and 21 are the Diffie-Hellman Key Exchange initialization.
Figure 35 The SEQ/ACK analysis for frame 21
48. Click frame 22.
Frames 22 and 24 are the initial exchange in which the Client requests new keys.
49. Click frame 28.
Frames 28-49 are the transfer of the ipsec2.conf file. The contents are encrypted and are
unreadable except by authorized persons who have the appropriate keys or unauthorized
persons who have obtained the keys in some other way.
Figure 36 SSH file transfer in frame 28
Note: Though SSH encrypts files during the file transfer process, the content can be
decrypted if the SSH encryption keys are compromised. However, if a file is encrypted
prior to transfer, outside of the FTP utility, an additional measure of security is provided.
Even if the SSH encryption keys are compromised, the attacker will still end up with
unreadable content.
In the next steps, you will analyze Wireshark packets related to a VPN file transfer of the
ipsec.conf file. For each step, review the Frame Details and Byte Data for each frame.
50. Click File > Open and double-click the ipsec-capture.pcapng file to open the new file
in Wireshark.
The Wireshark Frame Summary will display the SSH filtered results of the capture file.
51. Click Clear in the Filter toolbar to view the entire contents of the capture file.
52. Resize the pane borders to view the Frame Summary for frames 1-21.
Figure 37 Frame Summary for frames 1-21
53. Make a screen capture showing the Frame Summary for frames 1-21 and paste it into
your Lab Report file.


54. Click frame 1.
Frames 1-6 establish the communication between the Windows machine (172.30.0.2) and
the VPN server (172.30.0.100) you configured in Part 1 of this lab. Frames 1-6 use the
Internet Security Association and Key Management Protocol (ISAKMP) to perform the
first step in setting up the IPsec tunnel between the two systems.
Note: The first step, establishing an administrative tunnel (the ISAKMP security
association) for the exchange of information such as the keys and other initialization data
that will be used to set up a secondary tunnel for the actual information exchange, is called
Identity Protection. The Information column of the Frame Summary refers to this first step as
Main Mode, but Identity Protection is the preferable term because this step and the second
step, Quick Mode, are not really modes at all; they are two sequential phases of the same
negotiation. It is not a matter of choosing a mode: the main mode phase is performed first
and then the quick mode phase.
ISAKMP is a protocol used to establish Security Associations (or tunnels) and
cryptographic keys in an Internet environment. Review the Request for Comments related
to the ISAKMP protocol (RFC 2408) at http://www.ietf.org/rfc/rfc2408.txt.
55. Click frame 7.
The Quick Mode, the second phase of setting up the IPsec virtual private network, is
displayed in frames 7-9.
56. Click frame 10.
Once the ISAKMP exchange is completed and the administrative tunnel is established,
the actual information exchange occurs in frames 10-21 using Encapsulating Security
Payload (ESP) protocol. The alternative to ESP is the Authentication Header (AH).
Note: Frame 16 is an unencrypted NetBios Name Service (NBNS) name query, and is
outside of the IPsec tunnel.
Figure 38 Frame Summary for frames 10-21
57. Click frame 47.
Frames 47-67 continue the secure IPsec exchange between 172.30.0.2 and 172.30.0.100
using the occasional Internet Group Management Protocol v3 (in frames 48, 49, 51, 64
and 66), Link Local Multicast Name Resolution (in frames 53, 58, and 63) and Address
Resolution Protocol (in frame 67).
Figure 39 Frame Summary for frames 47-67
58. Click frame 252.


Frames 252-272 represent a Secure Shell (SSH) transfer between 172.30.0.2 and
172.30.0.100.
Figure 40 SSH file transfer in frames 252-272
59. To see the SSH packets in more detail, type ssh in the Filter box and click Apply to
create a new filter that will display only those packets related to the SSH file transfer.
60. Click frame 271.
Frame 271 is the beginning of the file transfer.
61. Click the last frame in the SSH file transfer.
Use what you have learned in the lab to identify the end of the file transfer packets.
62. Make a screen capture showing the last frame in the SSH file transfer and paste it
into your Lab Report file.
Note: Among the noteworthy things about this capture file is the fact that the SSH
transfer occurs outside of the IPsec tunnel, otherwise it would not be possible to see the
details of the SSH interaction between the two machines because the SSH protocol
transactions would be encrypted within the ESP frames. The ESP frames between these
two machines were carrying traffic other than SSH. What traffic? Without the keys or
access to the machines (such as screen shots, key loggers or possibly log entries) it would
be impossible to say but there are other types of analysis, such as traffic analysis, that
could reveal more about the exchange.
63. To see the ESP exchanges over the IPsec VPN tunnel, type esp in the Filter box and click
Apply.
64. Click File > Quit from the Wireshark menu to close Wireshark.
65. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.
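As an added example that is not part of the lab's own materials, the following Python script does in code what steps 55-63 do by eye: it reads Frame Summary lines in Wireshark's No./Time/Source/Destination/Protocol/Info layout, sorts them into Main Mode, Quick Mode, ESP/AH and cleartext, and reports cleartext frames exchanged between the two tunnel endpoints, which is exactly how the out-of-tunnel SSH session stands out. The summary lines are constructed to mirror the capture described, not copied from it.

```python
import re
from typing import Dict, List, Tuple

# Constructed Frame Summary lines in Wireshark's default column order
# (No. Time Source Destination Protocol Info). They mirror the lab's capture:
# main mode in 1-6, quick mode in 7-9, ESP from 10, a stray NBNS query, and
# an SSH session between the same two hosts that never entered the tunnel.
SAMPLE_SUMMARY = """\
1 0.000000 172.30.0.2 172.30.0.100 ISAKMP Identity Protection (Main Mode)
2 0.002100 172.30.0.100 172.30.0.2 ISAKMP Identity Protection (Main Mode)
3 0.004300 172.30.0.2 172.30.0.100 ISAKMP Identity Protection (Main Mode)
4 0.006900 172.30.0.100 172.30.0.2 ISAKMP Identity Protection (Main Mode)
5 0.009200 172.30.0.2 172.30.0.100 ISAKMP Identity Protection (Main Mode)
6 0.011000 172.30.0.100 172.30.0.2 ISAKMP Identity Protection (Main Mode)
7 0.013500 172.30.0.2 172.30.0.100 ISAKMP Quick Mode
8 0.015100 172.30.0.100 172.30.0.2 ISAKMP Quick Mode
9 0.016800 172.30.0.2 172.30.0.100 ISAKMP Quick Mode
10 0.020000 172.30.0.2 172.30.0.100 ESP ESP (SPI=0x0a1b2c3d)
11 0.021400 172.30.0.100 172.30.0.2 ESP ESP (SPI=0x4e5f6a7b)
16 0.090000 172.30.0.2 172.30.0.255 NBNS Name query NB WORKGROUP<1d>
17 0.095000 172.30.0.2 172.30.0.100 ESP ESP (SPI=0x0a1b2c3d)
252 5.100000 172.30.0.2 172.30.0.100 SSH Client: Protocol (SSH-2.0-OpenSSH_5.5)
253 5.102000 172.30.0.100 172.30.0.2 SSH Server: Protocol (SSH-2.0-OpenSSH_5.5)
271 5.400000 172.30.0.2 172.30.0.100 SSH Client: Encrypted packet (len=1044)
"""

FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def classify(proto: str, info: str) -> str:
    """Map a Protocol/Info pair onto the stages the lab walks through."""
    if proto == "ISAKMP":
        if "Main Mode" in info:
            return "ike_phase1"   # IKE phase 1: authenticate peers, build the ISAKMP SA
        if "Quick Mode" in info:
            return "ike_phase2"   # IKE phase 2: negotiate the IPsec SAs
        return "ike_other"        # e.g. Informational exchanges
    if proto == "ESP":
        return "esp"              # payload is inside the tunnel
    if proto == "AH":
        return "ah"               # authenticated but not encrypted
    return "cleartext"            # anything Wireshark can still dissect


def parse_summary(text: str) -> List[Dict]:
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised Frame Summary line: {line!r}")
        no, _time, src, dst, proto, info = m.groups()
        frames.append({"no": int(no), "src": src, "dst": dst, "proto": proto,
                       "info": info, "kind": classify(proto, info)})
    return frames


def peer_pair(frame: Dict) -> Tuple[str, str]:
    """Direction-independent key for a conversation between two hosts."""
    return tuple(sorted((frame["src"], frame["dst"])))


def tunnel_report(text: str) -> Dict:
    frames = parse_summary(text)
    by_kind: Dict[str, List[int]] = {}
    for f in frames:
        by_kind.setdefault(f["kind"], []).append(f["no"])
    # Hosts seen exchanging ESP or AH are the tunnel endpoints.
    peers = {peer_pair(f) for f in frames if f["kind"] in ("esp", "ah")}
    cleartext = [(f["no"], f["proto"]) for f in frames if f["kind"] == "cleartext"]
    # Cleartext between two tunnel endpoints bypassed the tunnel: this is the
    # observation the lab makes by hand about the SSH frames.
    leaks = [(f["no"], f["proto"]) for f in frames
             if f["kind"] == "cleartext" and peer_pair(f) in peers]
    return {"phase1": by_kind.get("ike_phase1", []),
            "phase2": by_kind.get("ike_phase2", []),
            "esp": by_kind.get("esp", []),
            "ah": by_kind.get("ah", []),
            "tunnel_peers": peers,
            "cleartext": cleartext,
            "outside_tunnel": leaks}


def leak_filter(pair: Tuple[str, str]) -> str:
    """Wireshark display filter showing only out-of-tunnel traffic between two peers."""
    a, b = pair
    return f"ip.addr == {a} && ip.addr == {b} && !esp && !ah && !isakmp"


if __name__ == "__main__":
    report = tunnel_report(SAMPLE_SUMMARY)
    for key in ("phase1", "phase2", "esp", "outside_tunnel"):
        print(f"{key:15s} {report[key]}")
    for pair in sorted(report["tunnel_peers"]):
        print("filter:", leak_filter(pair))
```

To apply this to a real capture, export the Frame Summary from Wireshark (File > Export Packet Dissections > As Plain Text, summary only) and pass the text to tunnel_report().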

Lab #8 - Assessment Worksheet

Configuring a VPN Client for Secure File Transfers
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________


Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab you configured the vWorkstation, a Windows Server 2008 machine, as a VPN client
to connect to a Linux Debian Openswan VPN. You also used the Wireshark protocol analyzer to
look at the tunneled VPN traffic using the IPsec protocol, and compare it with the non-tunneled
traffic. You reviewed detailed packet interactions of the File Transfer Protocol (FTP) and Secure
Shell (SSH) protocol.

Lab Assessment Questions & Answers


1. The alternative to Encapsulating Security Payload (ESP) is __________________.
2. One of the main drawbacks of the File Transfer Protocol (FTP) is that
________________.
a. It was the first file transfer protocol invented in the IP suite
b. It does not encrypt content.
c. It does not encrypt passwords.
d. It is widely used by web sites.
e. Both b and c
3. An IPsec tunnel is set up in two stages. In the Information column of the Frame
Summary, these steps are called _________.
4. The first phase of setting up an IPsec tunnel is called _______ _______.
5. The second phase of setting up an IPsec tunnel is called ________ _______.
6. SA stands for Security Association. An equivalent word would be _________.
7. The protocol used for setting up the "administrative" tunnel in IPsec is __________.
8. ISAKMP stands for ________.
a. Internet Security Association and Key Management Protocol
b. Internet Secure Admission Key Management Protocol
c. Internet Security Association and Key Maintenance Protocol
d. Internet Secure Admission Key Maintenance Protocol
e. Internet Security Association and Key Management Provisioning

Toolwire Lab 9: Attacking a Virtual Private Network
Introduction
Click the link below to view the network topology for this lab:
Topology
Social Engineering is when an attacker attempts to take advantage of a weakness in a human
being (vs. a network, device or application). Social engineering is often looked upon by "real"
security professionals as child's play because it isn't "technical", but social engineering can be an
important part of most sophisticated attacks or, in and of itself, social engineering can be every
bit as effective as a traditional technical attack. Many a hacker, cybercriminal, or cyberterrorist
has saved time and very often achieved what they could not otherwise by simply asking. One of
the most extreme documented examples is from page 22 of Betty Medsger's book, The Burglary:
The Discovery of J. Edgar Hoover's Secret FBI:
As burglars, they used some unusual techniques, ones Davidon enjoyed recalling years later,
such as what some of them did in 1970 at a draft board office in Delaware. During their casing,
they had noticed that the interior door that opened to the draft board office was always locked.
There was no padlock to replace, as they had done at a draft board raid in Philadelphia a few
months earlier, and no one in the group was able to pick the lock. The break-in technique they
settled on at that office must be unique in the annals of burglary. Several hours before the
burglary was to take place, one of them wrote a note and tacked it to the door they wanted to
enter: "Please don't lock this door tonight." Sure enough, when the burglars arrived that night,
someone had obediently left the door unlocked. The burglars entered the office with ease, stole
the Selective Service records, and left. They were so pleased with themselves that one of them
proposed leaving a thank-you note on the door. More cautious minds prevailed. Miss Manners be
damned, they did not leave a note.
In this lab, you will learn how to use social engineering techniques to unlock the secrets of a
targeted individual or organization by attacking their Virtual Private Network. While there are a
number of possible technical exploits, this lab focuses on the damage that can be done using
social engineering.
This lab has two parts which should be completed in the order specified:
1. The first part of the lab will focus on social engineering and reverse social engineering.
By following the sample attack, you will learn many of the ways in which information
can be gathered from a subject or subjects and combined for either real-world or
cybercrimes.
2. In the second part of the lab, you will research email scams and use social engineering to
create a believable spam email to solicit funds for a fictitious fund-raising opportunity.
3. Finally, if assigned by your instructor, you will use the skills you learned in the lab to
design social and reverse social engineering attacks against several targets. Even if not
assigned, you are encouraged to explore these real-world situations.
This lab is a paper-based lab and requires the use of the Virtual Security Cloud Lab (VSCL) only
to access the relevant documents.

Learning Objectives
Upon completing this lab, you will be able to:
1. Recognize some of the key characteristics of a social engineering attack.
2. Identify some of the key signs of a reverse social engineering attack.
3. Implement countermeasures to social and reverse social engineering attacks.

Tools and Software


The following software and/or utilities are required to complete this lab. Students are encouraged
to explore the Internet to learn more about the products and tools used in this lab.

None

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file including screen captures of the following steps: Part 1, Steps 8 and 14,
and Part 2, Step 4.
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics


The following are the evaluation criteria for this lab that students must perform:
1. Recognize some of the key characteristics of a social engineering attack. - [25%]
2. Identify some of the key signs of a reverse social engineering attack. - [25%]
3. Implement countermeasures to social and reverse social engineering attacks. - [50%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 Student Landing workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Social Engineering / Reverse Social Engineering Attack
Note: A properly configured Virtual Private Network which uses IPsec and adheres very closely
to best practices, such as strong authentication, network segmentation, device validation, posture
assessment, etc. is very formidable and protects all types of information while it is in transit from
one location to the other. Actually breaking into a VPN tunnel is on the order of technical
prowess that it may require the resources of the NSA or a nation-state intelligence apparatus to
do routinely. However, VPN security is broken every day by less technically savvy
cybercriminals, hackers and others. How do they do it? One way is to exploit the weaknesses of
improperly configured VPNs (still a technical challenge, but fairly common). Another way is
by using social engineering and reverse social engineering to gain access by pretending to be a
legitimate user. While the scenario in this lab targets a fictitious company, the social engineering
steps described are typical of the real-world.
In this scenario, you are the owner of a local cupcake bakery. Your biggest competitor, Marina
and Rita's Cupcakes, only came into the market about 18 months ago, but they are taking the
stand-alone cupcake bakery market by storm. Since they opened a store in your neighborhood,
your market presence has dwindled and their growth has crippled your franchise expansion
plans. You have read all of the fine print on their website only to find that the product and
franchise terms are not very different from your own.
1. Double-click the mandrwebsite.pdf icon on the vWorkstation desktop to see the Marina
and Rita's Cupcakes web site.
Figure 2 Marina and Rita's Cupcakes Web site
Photo credits: Profile Yuri Arcurs/ShutterStock, Inc.; Cupcakes luminaimages/ShutterStock, Inc.

2. Close the mandrwebsite.pdf file.


Note: You have interviewed past and present Marina and Rita's Cupcakes employees and
have purchased all of the market intelligence that you can locate from legitimate sources.
You have Googled until you can't Google anymore, but you need more information and
you are willing to do anything to get it. You are desperate now and willing to do anything
that it takes to stop the continuing loss of business. Anything...
As part of your research you stumbled across something called the darknet. It is,
apparently, a hidden part of the Internet where one can buy just about any product or
service one might want, pay in a currency called bitcoins, and transact business
anonymously, away from the prying eyes of law enforcement and without tracking
cookies and geo-location concerns. This sounds like the place to go. But how to get
there?
Just days later, you find yourself at a social gathering at a local watering hole known as
The Club. You fall into the most interesting conversation with a fellow club member
with whom you have never had much in common. The conversation soon turns to
bitcoins and the demise of something called Silk Road, a web site that was a black market
for drugs, weapons, and killers for hire. It turns out that your club-mate was familiar with
the FBI shutdown of Silk Road, but tells you that he knows it has been replaced by Silk
Road v2. Wanting to share your own recent knowledge, you quip, "Sounds like the
darknet."
"It is," he replies.
After another half an hour of hushed conversation, your new darknet mentor gives you a
number: 179.37.7.79:4096. He explains that it is an IP address that should be typed into
your browser in place of a website name, after https://. He further tells you that this is not
the actual IP address. You should subtract 7 from each of the first four numbers when
you type it in. To protect the darknet, he tells you can write down the number he gave
you, but you must remember to subtract 7.
You head to the library first thing the next morning and access the site.
3. Double-click the darknetwebsite.pdf icon on the vWorkstation desktop to see the
Hackers R Us web page.
Figure 3 Hackers R Us DarkNet home page
Photo iStockphoto/Thinkstock

Note: After some emails back and forth with a mysterious person known to you only as
Kitty Kat (KK), you have made a deal. Hackers R Us will provide you with remote
access to Marina and Rita's Cupcakes internal network via their Virtual Private Network
in exchange for a rather large sum of money, payable in bitcoin. You've already set up a
Bitcoin account and made an initial payment of 50%, with the balance due as soon as you
access Marina and Rita's VPN for the first time.
All you have to do is sit back and wait for KK to perform her magic.
4. Close the darknetwebsite.pdf file.
Note: KK begins her work with a quick Google search to view the company's Web site,
locate biography information about the sisters, including their birthdates, and find any
news she can about the company and its owners that will help her reach her goal of
accessing the company's VPN. She finds a recent article about the company in the local
business journal.
5. Double-click the newspaper.pdf icon to read the article from the business section of the
Cincinnati Journal.
Figure 4 Article from business section of Cincinnati Journal
6. Close the newspaper.pdf file.
Note: From this article, KK learns that the top sales team as well as the founders, Marina
and Rita, will be flying to Hawaii in time for their February 16th meeting. Her next step
is to get the actual travel itinerary. Presumably the entire HQ and East US group will
travel together, so KK calls Marina and Rita's headquarters in Lakewood, Ohio, and
claims to be a new hire in the US West division and that her boss, Lisa Lipscombe, asked
her to make travel arrangements to Lakewood, but she has lost the name and number of
the travel consultant. The helpful operator at Marina and Rita's headquarters tells her that
the travel consultant is David Spivey at Air, Land and Sea Travel. The operator also
provides a direct number to assure that KK gets better service.
KK calls David Spivey, identifies herself as a temp at Marina and Rita's Cupcakes and
asks that Marina's and Rita's travel itinerary for the Hawaii President's Club trip be
faxed to a Lakewood, Ohio phone number. David is not suspicious because it is a normal
request and the phone number appears correct. He does not realize that the number is for
a fax drop box that allows the fax to be retrieved from anywhere on the Internet.
7. Double-click the travel.pdf icon to see the travel itinerary for Marina and Rita Sugarton.
Figure 5 Marina and Rita Sugarton's travel itinerary
8. Make a screen capture showing the entire travel itinerary for Marina and Rita and paste
it into your Lab Report file.
9. Close the travel.pdf file.
Note: KK now has the travel itinerary, and she knows what Marina and Rita look like
from the pictures on their Web site, so KK can start to assemble an attack plan. She plans
to enlist the aid of a couple of accomplices to steal a tablet or smartphone from one of the
Marina and Rita team on their way to Hawaii. Knowing how vulnerable these devices
will be in the airport, KK will intercept the group at the airport and, along with two
accomplices, will steal the device as the individual goes through the security checkpoint.
KK's team has tried this successfully before, so successfully in fact that some travel
agencies are issuing warnings to their clients. The good news for KK, and for you as her
client, is that most travelers ignore these warnings.
10. On your local computer, open an Internet browser session.
11. In the address box of the browser, type http://www.corporatetravelsafety.com/safetytips/category/airport-safety/tip/thefts-at-airport-screening-stations and press Enter
to read the travel warning that describes how this type of theft works.
12. Minimize the local browser session.
Note: On the day of the flight, KK uses the Paradise Flyer Priority number from the
travel itinerary and Marina Sugarton's birthdate found during an initial Google search to
confirm, via a quick telephone call to Paradise Airlines, that Marina and Rita checked in
via Internet and will be checking two pieces of luggage.
KK and her accomplices arrive at the airport early and position themselves to watch for
the Sugarton sisters' arrival. Right on time, a sleek black limousine arrives and delivers
the two Sugarton sisters, VP North American Franchise Sales, Sara Collier, and six large
bags. The baggage porter loads a cart curbside and transports the checked luggage inside.
The group is tailed by KK to the security checkpoint where KK quickly goes through the
security checkpoint and waits patiently on the other side. Her accomplices position
themselves in order to delay Marina, Rita, and Sara at the metal detectors long enough for
one of the accomplices to grab whatever electronic devices are placed in the bowl before
they go on the conveyor belt.

The thieves grab Marina Sugarton's smartphone and surreptitiously pass the device to
KK who is able to pass back through security to the safety of the airport terminal. Marina,
Rita, and Sara collect their belongings and rush to catch their flight to Atlanta without
noticing the missing phone.
Unless their domestic flight from Cleveland to Atlanta has onboard telephones, Marina
will not be able to report the loss or theft of her device until she arrives in Atlanta. This
gives the criminals at least a two hour window. KK contacts her client, you, and agrees
that for an extra fee KK will exploit this vulnerability window and download any
information that she can.
Figure 6 Marina's smartphone
Photo Anatolii Babii/123RF

Note: As with many busy people, Marina has neglected to include a screen lock on her
smartphone, which means that anyone, including KK, can gain immediate access to her
contacts and other private information. The graphic icon-based interface makes it very
easy to find the access point for the Marina and Rita's Cupcakes Virtual Private Network
and, subsequently, her email.
KK is able to access the Marina and Rita's Cupcakes email via the VPN, which is set up
for Marina's convenience to use a pre-stored password for the VPN and automatic sign-in
for the email. Even though it is likely that the smartphone is fairly new, KK is quickly
and easily able to determine that Marina and Rita's email uses the IMAP protocol and,
therefore, copies of all emails are stored on the server. KK is able to download a
malicious piece of code which copies all email, with attachments, to KK's server.
In addition, KK is able to determine all of the characteristics required for sign-in to the
Marina and Rita's Cupcakes VPN except for the encrypted password. She might be able
to use the encrypted password in a replay attack, but she would be far better off if she
actually knew the password.
In order to cover her tracks, KK deletes the malicious code and pays a teenager $20 to
take the device and a copy of the itinerary to the Paradise Airlines counter and tell the
airline representative that he found this near the baggage check-in.
The Paradise Airlines agent sends a message to the gate agent in Atlanta who informs
Marina that her lost device has been found and assures her that the airline will deliver it
to the hotel in Maui tomorrow. Marina was unaware that her phone had ever been lost,
but is glad that it will be returned, safe and sound. And she is unaware that all of her
emails, with attachments, for the last several years, including the 18 months since her
retail stores had begun popping up, were now in the hands of a competitor.
You deposit the balance of KK's professional services fee into her bitcoin account.
In many cases this would be the end of the story, but you are still not satisfied. You've
analyzed the emails and are tantalized by the gaps in the information. Gaps that could be
filled in if only you had access to the archived emails from other key people in the
company. You again contact KK for advice and KK suggests a way to get those key
people to change their VPN passwords so that you can attack them in the same way that
Marina was attacked: download all of their emails without their knowledge.
Arrangements are made for a second set of payments via the bitcoin account and KK gets
to work.
KK knows that the most efficient way to get the most information is to find a way to open
the VPN while Marina and Rita are still in Hawaii. With the VPN tunnel open, she can
download anything she wants. She decides to send an email from Marina Sugarton's
email account to several employees at the company. The email asks everyone to reset
their VPN passwords.
13. Double-click the email.pdf icon to view the email sent by KK to employees of Marina
and Rita's Cupcakes.
Figure 7 Fake email sent from Marina Sugarton's email account
Photo luminaimages/ShutterStock, Inc.

14. Make a screen capture showing Marina's email and paste it into your Lab Report file.
15. Close the email.pdf file.
Note: All of the employees complied with the email request since they were asked to do so by
one of the co-presidents. No one noticed that none of the Top Achievers who were with Marina
in Hawaii (and who might have mentioned the email to Marina herself) were included in the
email distribution list. With the VPN now open, KK is able to collect all of the emails from all of
these email accounts. This new batch of data included information about markets, strategies,
franchising and related business issues, and recipes, as well as personal information such as
travel itineraries, receipts for web purchases, relationships, and gossip, that you, as KK's client
and Marina Sugarton's competitor, will be able to exploit. In other words, a treasure trove of
information about all aspects of Marina and Rita's Cupcakes.
What can be done to strengthen access procedures and make a VPN more secure? The first thing
is to be sure that all parameters for the VPN, such as algorithms, Perfect Forward Secrecy, key
length, and frequency of key changes are proper for the type of information being protected and
are applied uniformly. All configuration procedures should be reviewed periodically and updated
as needed according to current best practices. It is also possible to increase security by allowing
VPN connections only from specific MAC addresses or MAC/IP address pairs. Security can also
be increased by using devices that generate one-time use passwords or parts of passwords, such
as RSA SecurID. Other forms of multi-factor authentication such as biometrics are possible,
again, considering the value of the information being protected and other factors. For more
information on VPN Security, review the publication at
http://www.infosec.gov.hk/english/technical/files/vpn.pdf
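As an added example that is not part of the lab or of Openswan itself, the following Python checker reads an Openswan-style conn block and flags the settings the paragraph above calls out: Perfect Forward Secrecy not enabled, weak algorithms or short Diffie-Hellman groups, overly long rekey intervals, and pre-shared-secret authentication with no second factor. Both conn blocks are constructed for the lab's two peers, and the weak-token list and lifetime ceilings are this example's assumed policy values; confirm keyword spellings against the ipsec.conf(5) of the version in use.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed conn blocks (not taken from the lab's Openswan host). Keyword
# spellings follow Openswan's ipsec.conf as understood here.
WEAK_CONN = """\
conn cupcakes-vpn
    left=172.30.0.2
    right=172.30.0.100
    authby=secret
    ike=3des-md5;modp1024
    phase2alg=3des-md5
    pfs=no
    ikelifetime=48h
    salifetime=24h
    auto=start
"""

HARDENED_CONN = """\
conn cupcakes-vpn
    left=172.30.0.2
    right=172.30.0.100
    authby=rsasig
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256
    pfs=yes
    ikelifetime=1h
    salifetime=1h
    auto=start
"""

# Assumed policy values for this example; take them from your own standard.
WEAK_TOKENS = {"des", "3des", "md5", "null", "modp768", "modp1024", "modp1536"}
MAX_IKE_LIFETIME_S = 24 * 3600   # IKE SA (phase 1) rekey ceiling
MAX_SA_LIFETIME_S = 8 * 3600     # IPsec SA (phase 2) rekey ceiling
UNIT_S = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conn(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (conn name, {key: value}) for a single conn block."""
    name, params = "", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return name, params


def lifetime_seconds(value: str) -> int:
    """Convert '1h', '3600', '30m' or '2d' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if m is None:
        raise ValueError(f"bad lifetime: {value!r}")
    return int(m.group(1)) * UNIT_S[m.group(2) or "s"]


def algo_tokens(spec: str) -> Set[str]:
    """'aes256-sha2_256;modp2048' -> {'aes256', 'sha2_256', 'modp2048'}."""
    return {t for t in re.split(r"[-;,]", spec.lower()) if t}


def check_conn(text: str) -> Tuple[str, List[str]]:
    name, p = parse_conn(text)
    findings: List[str] = []
    if p.get("pfs", "").lower() != "yes":
        findings.append("pfs: Perfect Forward Secrecy not explicitly enabled")
    for key in ("ike", "phase2alg", "esp"):          # phase 1 and phase 2 proposals
        if key in p:
            weak = sorted(algo_tokens(p[key]) & WEAK_TOKENS)
            if weak:
                findings.append(f"{key}: weak algorithm/group {', '.join(weak)}")
    if "ikelifetime" in p and lifetime_seconds(p["ikelifetime"]) > MAX_IKE_LIFETIME_S:
        findings.append(f"ikelifetime: {p['ikelifetime']} exceeds policy ceiling")
    sa_life = p.get("salifetime", p.get("keylife"))  # keylife is the older spelling
    if sa_life is not None and lifetime_seconds(sa_life) > MAX_SA_LIFETIME_S:
        findings.append(f"salifetime: {sa_life} exceeds policy ceiling")
    if p.get("authby", "").lower() == "secret":
        findings.append("authby: pre-shared secret; prefer certificate or RSA-key "
                        "authentication plus a one-time-password token for remote users")
    return name, findings


if __name__ == "__main__":
    for label, conn in (("weak", WEAK_CONN), ("hardened", HARDENED_CONN)):
        name, findings = check_conn(conn)
        print(f"{label} ({name}): {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```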

Part 2: Creating Spam Emails


Note: There are many types of spam emails, each used for a different purpose. A good spam
email writer can expect roughly the same number of click-throughs as a legitimate marketing
campaign. The email must take into account the relationship and amount of trust, if any, between
the sender and receiver and what the email is asking the receiver to do. A spam email can be part
of a larger campaign of deception, or it can be the entire campaign.
A term often used for spam emails that attempt to get the recipient to perform some action is
phishing emails. Phishing emails that are targeted to a specific individual, or group of
individuals, are called spear phishing emails. Both types are highly effective, but spear phishing
is even more effective than a general phishing email because they use social engineering
techniques to appeal to their target.
Spear phishing emails are routinely used to either get credentials that make breaking into or
using a VPN easier, or are designed to ask users to do things like send money, disclose VPN
credentials, or change passwords, as was done in Part 1 of this lab.
1. Maximize the browser on your local computer.
2. In the address box of the browser, type
http://netforbeginners.about.com/od/scamsandidentitytheft/ig/Phishing-Scams-andEmail-Cons/index.01.htm and press Enter to learn more about phishing scams.
3. Read at least three sample scam emails.
4. Make a screen capture showing your favorite scam email or a representative of a scam
email that you have received in the past and paste it into your Lab Report file.
5. Minimize the browser.
Note: In the next steps, you will create your own spear phishing email following the
example in this lab. Actually sending the emails is beyond the scope of this lab. It is
possible to use free/hobbyist, hacker, and commercial email senders or web-based
services. Some sellers of email lists also have services that allow you to manage an email
campaign. Some allow anonymous sending of email. Sending of emails for malicious or
deceptive purposes is an entire branch of social engineering and reverse social
engineering worthy of time and effort to learn about in order to have a well-rounded
background in the tools of the hacker.
6. In your Lab Report file, insert a page break to place your email text on a new page.
7. In your Lab Report file, insert a 2x4 cell table and add email labels (To:, From:, Date:,
and Subject:) similar to the one in the following figure.
Figure 8 Table layout for email sample
8. In the To content cell, type Charlie Roberts <croberts@beingattacked.com>.

Note: Every email campaign has a specific addressee on whom it is expected to work.
This may be a single person or a list of people. Lists may be purchased, from legitimate
or illegal sources, or harvested by you. It is best practice for spammers to send emails to
only one person at a time, even if they intend to target a large group of individuals, unless
the particular group of people being targeted might be more likely to believe the email
when they see the other recipients. In this case, Charlie Roberts is being specifically
targeted.
9. In the From content cell, type Susan Dougherty <susand@innocentbystander.com>.
Note: The sender's identity is just as important. It has to be a person or entity with which
the recipient has, or can develop, a trust relationship. This is why so many spammers
compromise personal email lists from sources such as Gmail and Yahoo Mail. In many
cases, malicious emails use an actual sender email address, but more often the emails
use a temporary email address created by the spammer for the specific email campaign.
The decision to use a real or false sender address depends on whether or not the spammer
wishes the recipient to respond to the sender. In this case, Susan Dougherty is a known
contact of the target, Charlie Roberts, and that increases the odds that the email will be
believable. When the sender is a known contact of the target, using their actual email
address increases the appearance that the email is proper.
10. In the Date content cell, type today's date.
Note: The date and time of an email are usually automatically generated by the email
sending software but, often, sending can be delayed until a specific date and time, or
otherwise spoofed.
11. In the Subject content cell, type "A favor?".
Note: Many professional spear phishers rely on a catchy subject line to increase the
chance of a curious recipient opening an email. How many real emails do you receive
from friends or business associates with the subject line "save money" or "big sale"? In this
case, since you are using real sender and recipient names, it would be best to use a more
casual subject.
Figure 9 Completed table layout for email sample
Note: The body of the email is arguably the most important, and depends entirely on the
goals of the spammer. If the intent is as simple as wanting to verify that the email account
is active, the recipient only has to open the email and the content is of lesser importance.
If the intent is to encourage the recipient to do something, then the content becomes more
important. In this case, the spammer's intent is to gather funds and collect credit card
credentials that can be exploited later to steal the recipient's identity. To accomplish this goal,
the spammer would need to have a Web site set up to collect this information. The spammer
secures an address, https://www.NotCFSCDS.com or simply an IP address, such as
https://172.30.0.99, which is even harder to trace.


The spammer researched Susan Dougherty, the apparent sender of this email, online prior
to selecting her as an identity for this email campaign and learned that Charlie Roberts
works for Susan, and that she is associated with the Cure Strange Childhood Diseases
Society. This non-profit organization is an excellent front for the spammer's goals, so he
copies the look and feel of the real Cure Strange Childhood Diseases Society's donation
page and redirects the form to forward any money received into his own foreign bank
account, and stores the credit card information for later use or sale.
12. On the vWorkstation desktop, double-click the NotCSCDSwebsite.pdf icon to see the
false donation processing page.
Figure 10 False donation processing page
13. Close the NotCSCDSwebsite.pdf file.
Note: Now that there is a place for Charlie Roberts to send his money, you are ready to
create the body of your spear phishing email.
14. Below the email header table in your Lab Report file, type a message to Charlie from
Susan that might encourage him to make a donation to the Cure Strange Childhood
Diseases Society. Include the words "click here" to send Charlie to the fake donation Web
site.
15. In your email text, highlight the words "click here".
16. Use your word processing software to add a hyperlink that links the words "click here" to
the donation form on the fake Web site at https://172.30.0.99.
Note: Refer to the Help menu on your word processing software for more details on
creating a hyperlink.
Figure 11 Deceptive email sample
17. Maximize the browser on your local computer.
18. In the address box of the browser, type http://www.verizonenterprise.com/DBIR/2013/
and press Enter. Download the 2014 Data Breach Investigations Report. Read the
report to learn more about phishing scams.
19. Close the browser.
20. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.

Lab #9 - Assessment Worksheet

Attacking a Virtual Private Network
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
A properly configured Virtual Private Network which uses IPsec and adheres very closely to best
practices, such as strong authentication, network segmentation, device validation, posture
assessment, etc. is very formidable and protects all types of information while it is in transit from
one location to the other. In this lab, you learned how to use social engineering techniques to
unlock the secrets of a targeted individual or organization by attacking their Virtual Private
Network. You also researched email scams and used social engineering to create a believable
spam email to solicit funds for a fictitious fund-raising opportunity.
Lab Assessment Questions & Answers
1. What is the darknet?
a. An Internet for non-English speaking people
b. The criminal side of the Internet
c. An Internet just for law enforcement
d. The old, IPv4 Internet that is being retired as IPv6 takes over
e. None of the above

2. What email protocol does Marina and Rita's Cupcakes use and why is it important?

3. Text in an email must match the URL to which it links. True or false?

4. Instead of relying just on a user ID and password systems, VPN access can be protected
by tokens like SecurID and other ____________ methods.

5. In many instances an IP address is used to access a server rather than a URL because a
URL is more difficult to set up and easier to track. True or false?

6. A well designed malicious email campaign can expect ____________ number of
responses, or click-throughs, as a legitimate commercial email campaign.

a. fewer
b. more
c. about the same

7. Were Charlie Roberts and Susan Dougherty known to each other, and did they have a
trust relationship that could be exploited?

8. Which of the following steps can make VPN access more secure?
a. Assure Perfect Forward Secrecy during IKE key exchange
b. Allow access only from specific MAC addresses
c. Allow access only from specific MAC/IP address pairs
d. Use foreign words as passwords
e. Change password letters to numbers, such as all Ls to 7s and all Os to 0s.

Toolwire Lab 10: Investigating and Responding to Security Incidents
Introduction
Click the link below to view the network topology for this lab:
Topology
Even with security measures such as firewalls, properly configured virtual private networks, and
secure network procedures, security incidents can arise from a number of sources. Sometimes an
incident is caused by human error. Other times a security incident occurs as a result of
deliberate actions intended to cause loss or harm to the organization. To reduce the impact of
security incidents and minimize the costs to the organization, actions must be taken to prevent,
detect, respond to, control, and document security incidents. This five-step formula serves as
the basis for incident response processes and procedures.
System administrators and incident response teams use a variety of automated tools to
investigate and respond to security incidents. These tools range from basic system utilities that
report on the performance and configuration of a single workstation or server to enterprise-wide
tools capable of finding, identifying, scanning, and reconfiguring information systems.

System information tools, e.g., Windows Computer Management and Windows Task
Manager, provide information about the current operating state of a computer system.
Windows Task Manager provides information about currently running tasks, use of
system resources, and system performance. Windows Computer Management provides
more detailed information about the system including: lists of services (applications and
operating system components) and their current state, computer hardware configuration,
security and system events, and scheduled tasks.
System configuration tools are used to scan an operating system and key software
applications for security issues. Microsoft Baseline Security Analyzer (MBSA) is a
system scanning tool that scans workstations and servers running Microsoft Windows
operating systems. MBSA will check for system administration and misconfiguration
problems, application software issues including missing patches and updates, and
missing or partially installed system security updates. MBSA can be configured to check
for missing updates and recommended security settings for Internet Explorer, Internet
Information Server (IIS), Microsoft Office, and SQL Server. MBSA is more powerful
than Windows Update since it checks system and software settings in the registry in
addition to checking for required software updates. After the scan completes, MBSA will
generate a report which identifies security issues and provides recommendations for
system configuration changes required to mitigate or remove the vulnerabilities
associated with those issues.
This lab has three parts which you should complete in order.
1. In the first part of the lab, you will remotely connect to a Windows 2008 server to gather
information about system performance and running tasks including memory and
bandwidth usage. This type of information supplements information gathered by
automated tools.
2. In the second part of the lab, you will run a security scan on the Windows 2008 server
using Microsoft Baseline Security Analyzer (MBSA).
3. Finally, if assigned by your instructor, you will explore the virtual environment on your
own in the third part of the lab to answer a set of challenge questions that allow you to
use the skills you learned in the lab to conduct independent, unguided work, similar to
what you will encounter in a real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:

Use system administration tools to gather information.


Scan a computer system for vulnerabilities using automated tools.
Explain the use of automated tools to gather information as part of an incident response
process.

Tools and Software
The following software and/or utilities are required to complete this lab. Students are encouraged
to explore the Internet to learn more about the products and tools used in this lab.
Windows Task Manager
Windows Computer Management
Microsoft Baseline Security Analyzer
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:

1. Lab Report file including screen captures of the following steps: Part 1, Steps 9, 11, 15,
20, and 24. Part 2, Steps 6 and 9;
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Use system administration tools to gather information. - [40%]
2. Scan a computer system for vulnerabilities using automated tools. - [40%]
3. Explain the use of automated tools to gather information as part of an incident response
process. - [20%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently
performed tasks are explained in the Common Lab Tasks document on the vWorkstation
desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the
file in Adobe Reader.
If desired, use the File Transfer button to transfer the file to your local computer and print
a copy for your reference. Instructions for transferring the file can be found in the file
itself.
Figure 1 "Student Landing" workstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to
these questions as you proceed through the lab steps.

Part 1: Gather System Performance Information

Note: System performance information supplements information gathered by automated tools.
Some IT Help Desks will ask an end user to perform these tasks while on the phone with a Level
1 support technician. In this part of the lab, you will also look at the running processes to see if
remote desktop services are available. In an enterprise environment, the support technician may
walk a user through this verification and, if necessary, provide instruction on how to enable
remote desktop services so that the technician can log into the workstation to gather additional
information and run tests.
Remote desktop services are a double-edged sword. They can save an organization significant
amounts of time and money by eliminating the need for many desk-side support visits by IT
Help Desk technicians. But those same remote login services can become a vulnerability that is
exploited by both internal and external threat agents.
1. Double-click the RDP folder on the vWorkstation desktop to open the folder.
2. Double-click the Targetw2k8a icon in the RDP folder to open the Remote Desktop
Connection dialog box. If prompted, click Yes to dismiss the pop-up window.
Figure 2 Open a remote desktop connection
3. Click Connect to accept the default IP address, 172.30.0.15.
4. If you are prompted for a password, type ISS316Security and click OK to logon.
If you are not prompted for a password, the remote desktop and its icons will replace the
vWorkstation desktop immediately with the IP address displayed in the title bar.
Figure 3 TargetWindows01 title bar
Note: Refer to the Common Lab Tasks.pdf file for more detailed instructions on opening
and working with remote connections.
5. Right-click the taskbar at the bottom of the remote desktop to bring up the context
menu. Select Start Task Manager from the menu.
Figure 4 Windows taskbar context menu
6. Click the Services tab.
7. Click the Name column to sort the list of services alphabetically.
8. Scroll through the list of services until you find processes associated with Remote
Desktop Services.
9. Repeat step 7 on the Description column to sort the description of services
alphabetically.
The words Remote Desktop Services may appear in either the Name or Description
columns.
Figure 5 Windows Task Manager: Services tab

10. Make a screen capture showing all the processes associated with Remote Desktop
Services and paste it into your Lab Report file.
11. Click the Performance tab and wait 45-60 seconds for the history graphs to display data
on 50% or more of the graph.
Figure 6 Windows Task Manager: Performance tab
12. Make a screen capture showing the current system performance and paste it into
your Lab Report file.
13. Close the Windows Task Manager.
Use the scrollbars as necessary to view the Windows Start button.
14. Click the Windows Start button and navigate to Administrative Tools > Computer
Management to open the Windows Computer Management tool.
Resize the Computer Management window so that the entire window is visible.
Figure 7 Computer Management application window
15. Navigate to System Tools > Event Viewer > Windows Logs > Application by clicking
on the plus signs to open the sub menus.
The Windows Application Log records information about events. It will record successful
operations, system warnings, error messages about failed operations, as well as
information about both successful and unsuccessful logon attempts.
Figure 8 Windows Application Log
16. Make a screen capture showing the Application Log and paste it into your Lab Report
file.
17. Click Filter Current Log from the Actions pane on the right-hand side of the window.
18. In the Event level portion of the filter form, click each of the following checkboxes to
select those event levels:
o Critical
o Warning
o Error
Verify that the Verbose and Information checkboxes are unchecked.
Figure 9 Filter Current Log form
19. Click OK to filter the log entries.
20. Scroll down to find the first Error event entry in the log file and click the Error line item
to display the log entry. Review the Log Entry.

Figure 10 Filtered Application Log
21. Make a screen capture showing the current log entry and paste it into your Lab Report
file.
Note: Many log files contain thousands of entries, making them difficult to scan by eye
when looking for evidence. Using a filter can help an analyst quickly find events of
interest, especially when other information is available about the type of attack or when
the attack occurred. The drawback of using filtering to reduce the number of entries is
that the filter may exclude events that would have been of interest had the analyst seen them.
22. In the left navigation pane, click Security to open the Security Log and compare the
information displayed in this log with that displayed in the Application Log.
23. In the left navigation pane, click System to open the System Log and compare the
information displayed in this log with that displayed in the other logs.
24. Click the plus sign in front of Services and Applications at the bottom of the left
navigation pane and click Services.
25. Click the Standard tab at the bottom of the Computer Management window to change the
view.
26. Scroll through the list of services to find the group of services that manage the Remote
Desktop.
Figure 11 List of Windows services that manage the Remote Desktop Services
27. Make a screen capture showing the run status and startup type for the Windows
services that manage Remote Desktop Services and paste it into your Lab Report file.
28. Close the Windows Computer Management window.
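The Part 1 steps above are done by hand in Task Manager and Computer Management. The following script is an added example, not part of the lab manual, that collects the same evidence from a PowerShell prompt on the target server so it can be saved and compared later. It assumes an elevated PowerShell 2.0 or later session on the host being investigated (the lab's Targetw2k8a at 172.30.0.15), that the service names TermService, SessionEnv and UmRdpService are the Remote Desktop services on that build, and that the output folder is a placeholder you may change. The log filter mirrors the lab: Critical, Warning and Error only.

```powershell
# Added example (not from the lab manual): script the Part 1 evidence collection.
# Assumptions: elevated PowerShell 2.0+ on the investigated host; $OutDir is a
# placeholder path; RDP service names are those of Windows Server 2008 R2.
param(
    [string]$OutDir = "$env:USERPROFILE\Desktop\ir-evidence"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Steps 5-10 and 24-27: services that manage Remote Desktop, with run state
# and startup type. Win32_Service exposes StartMode, which Get-Service does not.
$rdpServices = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Name -match '^(TermService|SessionEnv|UmRdpService)$' -or
                   $_.DisplayName -match 'Remote Desktop' } |
    Select-Object Name, DisplayName, State, StartMode
$rdpServices | Format-Table -AutoSize
$rdpServices | Export-Csv -NoTypeInformation -Path "$OutDir\rdp-services.csv"

# A service can be Running while the listener is disabled by policy (or vice
# versa), so also record whether anything is bound to the RDP port, 3389.
netstat -ano | Select-String ':3389\s' | Out-File "$OutDir\rdp-listeners.txt"

# --- Steps 11-12: performance sampled for 30 seconds instead of reading the
# Task Manager history graphs by eye (CPU, free memory, network throughput).
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Network Interface(*)\Bytes Total/sec'
)
Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 6 |
    ForEach-Object { $_.CounterSamples } |
    Select-Object Timestamp, Path, CookedValue |
    Export-Csv -NoTypeInformation -Path "$OutDir\perf-samples.csv"

# Top CPU consumers right now; an unfamiliar name here is the kind of signal
# worksheet question 1 asks about (sustained CPU or bandwidth use).
Get-Process | Sort-Object CPU -Descending |
    Select-Object Name, Id, CPU, WorkingSet -First 10 | Format-Table -AutoSize

# --- Steps 15-21: Application log filtered to Critical (1), Error (2) and
# Warning (3); Information (4) and Verbose (5) are excluded, as in the lab.
$appEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2, 3 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue
$appEvents | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv -NoTypeInformation -Path "$OutDir\application-filtered.csv"

# Step 23: the System log uses the same levels, so the same filter applies.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv -NoTypeInformation -Path "$OutDir\system-filtered.csv"

# Step 22: the Security log does NOT use Critical/Error/Warning levels; its
# entries are Audit Success / Audit Failure keywords. Filtering it by level
# returns nothing, which is exactly the "filter hides evidence" drawback the
# lab's note describes. 0x10000000000000 is the Audit Failure keyword.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Keywords = 4503599627370496 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Export-Csv -NoTypeInformation -Path "$OutDir\security-audit-failures.csv"

Write-Host "Evidence written to $OutDir"
```

The CSV files give you the same view as the screen captures the lab asks for, but in a form that can be diffed against a later collection or a known-good baseline. Keep the Security log caveat in mind when answering worksheet question 4: a level filter that is harmless on the Application log silently empties the Security log.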

Part 2: Scan a Windows 2008 Server for Vulnerabilities
1. Double-click the Microsoft Baseline Security Analyzer 2.2 icon on the remote desktop
to launch the application.
Resize the Computer Management window so that the entire window is visible.
Figure 12 Microsoft Baseline Security Analyzer

2. Click Scan a computer to begin the security scan.


3. Click the Check for security updates checkbox to remove the check.
The computers in the virtual lab environment do not have direct Internet access, which is
required to perform this check for updates. (If you were running this scan on a computer
with Internet access, you would leave this option selected.)
Figure 13 Setting scan options
4. Click the Start Scan button.
5. Review the Report Details for VLABS scan results.
Figure 14 Report Details for VLABS scan results
6. Make a screen capture showing the first page, including the header and the
Administrative Vulnerabilities report and paste it into your Lab Report file.
You may need to use the scrollbars and take multiple screen captures to view the entire
report.
7. Scroll to the Additional System Information section of the report and find the entry for
Shares.
Figure 15 Additional System Information report
8. Click Result Details to display the results.
Figure 16 Result details of the Shares information
9. Make a screen capture showing the result details for the Shares entry and paste it into
your Lab Report file.
10. Close the Results Details window.
11. Close the Microsoft Baseline Security Analysis window.
12. Close the Remote Desktop Connection.
Note: Refer to the Common Lab Tasks.pdf file for more detailed instructions on closing
remote connections.
13. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this
lab.

Lab #10 - Assessment Worksheet
Investigating and Responding to Security Incidents
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab, you gathered information about system performance and running tasks including
memory and bandwidth usage, and looked for remote desktop services. You also ran a security
scan on the Windows 2008 server using Microsoft Baseline Security Analyzer (MBSA) to
identify any missing software updates or updates which were not completely installed, and detect
changes to system configuration parameters which could have occurred as the result of an
intrusion or the actions of a malicious insider.

Lab Assessment Questions & Answers
1. List five types of system information that can be obtained from the Windows Task
Manager. How can you use this information to confirm the presence of malware on a
system? (Hint: Look at the bandwidth and CPU utilization.)

2. Windows Task Manager and Windows Computer Manager both provide information
about system services. Compare and contrast the types of information (about system
services) that can be obtained from these tools.

3. Explain how you could use one or more of the Windows log files to investigate a
potential malware infection on a system. What types of information are available to you
in your chosen log file?

4. Should you filter log files during an investigation into a security incident? Why or why
not?

5. Should remote desktop services be enabled on employee workstations for use by IT Help
Desk personnel? Why or why not?

6. How does Microsoft Baseline Security Analyzer (MBSA) differ from Windows Update?
Why are Shares a source of system vulnerabilities?
