CIS 3700 Lab 1

MIS 4850

Systems Security


Lab 2

Target Attacks

Exercise 1: Using Netbus 1.7 for remote control

You need to work in teams of two. One teammate (referred to as Student 1) will download and start the server portion of Netbus (Patch.exe) on his/her computer. The other teammate will install the client version of Netbus (Netbus.exe) to be used for controlling the first machine.

To be done on Student 1’s computer

Downloading and starting Patch.exe


0) Identify Student 1’s computer: Computer #_____. IP address: 10.1.10.__

1) From your computer, click Start/Run, and then type in the following, then click OK:


2) Select all five files available in the folder. Copy them (Edit/Copy menu), and close the opened window

3) Double-click My Computer on your computer’s desktop. Locate and open the C: drive. Then, paste the five files to the root of C: drive

4) Double-click the NetBus.exe.sda.exe file. When the dialog window opens, uncheck the Hide Typing checkbox and type password as the password in the textbox. This will reveal the patch.exe and the Netbus.exe files.

5) Open the Command prompt (Start/Run, then type cmd followed by the ENTER key)

6) Type cd\ and hit ENTER to get to the root of the C: drive

7) To start the patch.exe program, type patch /noadd and hit ENTER

8) Your computer is ready to be taken over remotely by someone using Netbus client!

9) To make sure it is, at the Command prompt type in netstat -a and hit ENTER

10) You should see that port 12345 (and possibly 12346 too) is now open (and listening) for communication with any computer that has the client portion of Netbus.

11) Copy the open window by simultaneously pressing ALT+PRINT-SCRN

12) Open Wordpad (Start/All Programs/Accessories/Wordpad), and then paste.

13) Press the right arrow key. Then, hit the ENTER key twice to create two blank lines below the pasted image.

14) Save the file at the root of the C: drive under the name Last1-Last2Lab2.rtf (where Last1 and Last2 are the teammates' last names)
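An added example (not part of the lab handout) of how a defender would automate the check in step 10: a Python parser for `netstat -a` output that flags the NetBus default ports 12345/12346 in any state, plus any other TCP listener outside an assumed baseline. The sample netstat output and the baseline port set are constructed here.

```python
import re

# Constructed sample of `netstat -a` output from a Windows host, as seen in
# step 10; the 12345/12346 listeners are what the NetBus server opens.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    10.1.10.3:139          0.0.0.0:0              LISTENING
  TCP    10.1.10.3:12345        10.1.10.7:1048         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

NETBUS_PORTS = {12345, 12346}         # NetBus 1.7 defaults (stated in the lab)
EXPECTED_LISTENERS = {135, 139, 445}  # assumed baseline for a lab workstation

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """One dict per socket line: protocol, local address/port, peer, state."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, port, peer, state = m.groups()
            sockets.append({"proto": proto, "local": local, "port": int(port),
                            "peer": peer, "state": state})
    return sockets

def find_suspicious(sockets, expected=EXPECTED_LISTENERS, bad=NETBUS_PORTS):
    """Flag NetBus ports in any state, plus TCP listeners outside the baseline."""
    findings = []
    for s in sockets:
        if s["port"] in bad:
            findings.append((s["port"], "netbus-default-port", s["state"], s["peer"]))
        elif s["proto"] == "TCP" and s["state"] == "LISTENING" and s["port"] not in expected:
            findings.append((s["port"], "unexpected-listener", s["state"], s["peer"]))
    return findings

if __name__ == "__main__":
    for port, reason, state, peer in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"port {port:5d}  {reason:20s} {state:12s} peer={peer}")
```

The ESTABLISHED entry on 12345 is the one worth acting on: it shows a client console already connected, not just a waiting listener.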

To be done on Student 2’s computer

Installing Netbus.exe

0) Identify Student 2’s computer: Computer #: ____. IP address: 10.1.10.__

1) From your computer, click Start/Run and then type in the following:


2) Select all five files available in the folder. Copy them (Edit/Copy menu), and then close the opened window

3) Double-click My Computer on your computer’s desktop. Locate and open the C: drive. Then, paste the five files to the root of the C: drive

4) Double-click the NetBus.exe.sda.exe file. When the dialog window opens, uncheck the Hide Typing checkbox and type password as the password in the textbox. This will reveal the patch.exe and the Netbus.exe files

5) Run the program called Netbus.exe by double-clicking it

6) You should see the Netbus remote control console with port 12345 or 12346

7) In the Host Name/IP: text box, type in the other computer's IP address (see the IP address that was written down on the previous page), and click the Connect button

8) You should see Connected to at the bottom of the console window

9) You have total control over your teammate’s computer!

10) Try to open the other computer's CD-ROM drive by clicking the Open CD-ROM button. (Note: This may not work for those who have a computer with the new secured CD drive.)

11) Close the CD-ROM drive

12) Click the Msg Manager button and send a message (like "Hi, How are you doing") to the controlled computer.

13) Display the image of the cat (cat.jpg) on your teammate’s computer. Note that cat.jpg is one of the files you and your teammate both downloaded to your computers. Then, explain what you need to do in order for the cat.jpg file to be shown on the controlled computer. Explain:





14) Can the user on the controlled computer remove the picture that is shown on their desktop? YES NO

15) eastwood.wav is one of the files you and your teammate both downloaded to your computers. Because your computer does not have speakers, you cannot play sound. But check Netbus and explain what you need to do in order for the music to play on the controlled computer. Explain:





16) Click File Manager, and then the Show Files button. Take the steps necessary to display the files that are on the C: disk of the controlled computer. Name two of the folders: __________________________, ___________________________.

17) Open Wordpad (Start/All Programs/Accessories/Wordpad).

18) Copy the open window showing the files on the controlled computer by simultaneously pressing ALT+PRINT-SCRN.

19) Paste the copied window into Wordpad.

20) Press the right arrow key. Then, hit the ENTER key twice to create two blank lines below the pasted image.

21) Save the file at the root of the C: drive under the name Last1-Last2Lab2-2.rtf (where Last1 and Last2 are the teammates' last names)

22) Locate the wb32.exe file available in the C:\Program Files\NetMeeting folder of your local C: drive and upload it to the root of the controlled computer’s C: drive.

23) Check to make sure the file has been copied to the root of your teammate’s C: drive.

24) Given the options in the File Manager tool of Netbus, which of the following is true?

a. You can use Netbus to download a file from a controlled computer.

b. You can use Netbus to delete a file located on a controlled computer.

c. You can use Netbus to rename a file located on a controlled computer.

d. All of the above.

25) Start the dialer.exe program located in the C:\Windows folder of your local C: drive so that the program starts on the controlled computer.

26) Have your teammate capture the dialer window (by simultaneously pressing ALT+PRINT-SCRN), and copy the captured window to the Last1-Last2Lab2.rtf file (where Last1 and Last2 are the teammates' last names) he/she has created.

27) Can the user on the controlled computer close the started program? YES NO

28) Use the appropriate Netbus tool to remotely “listen” to keystrokes when the user on the controlled computer is typing on the keyboard. After you have started the tool, have your teammate start a new Notepad session (Start/All Programs/Accessories/Notepad). Then ask the teammate to type a sentence like “I am coming in 10 minutes”.

29) When the text shows in your Netbus dialog window, capture the screen and paste it at the bottom of your Last1-Last2Lab2-2.rtf file.

30) Disconnect.

Exercise 2: Using the At command to start system processes

Objective: One weakness of many operating systems, including Windows, is that they provide means of starting programs on remote computers, which opens the door to attackers. In this activity you will learn how easy it is to use the At command to schedule an executable file to run on a remote computer at a specific time.

1. (If not already done) Log on to your Windows 2003 Server as Administrator

2. Press Ctrl+Alt+Del. Click Task Manager, then select the Processes tab

3. Notice that notepad.exe is NOT among the processes that are currently running

4. Your neighbor has noticed exactly the same thing on his/her server

5. Click Start/All Programs/Accessories, and then click Command Prompt.

6. In the Command prompt, change the directory to the root of the C: drive by typing cd\ and hitting the ENTER key

Note: The net time command can be used to display the current time on any computer connected to the network. Next, you will use it to determine the time on your neighbor’s computer.

7. At the command line type net time \\srvdcXX (where XX is the number assigned to your neighbor’s computer), then press ENTER. Write down the time: ___________

Next, you will schedule the execution of notepad.exe on your neighbor’s computer

8. At the command line type at \\srvdcXX time /interactive “notepad.exe” (where XX is the number assigned to your neighbor’s computer, and time is the time you wrote down + 3 minutes to allow for a delay), then press ENTER.

Hint: Not using the /interactive switch with the At command will hide the starting of the process from your partner.

9. If your neighbor has used the At command to start the notepad.exe process on your server, notepad will automatically open on your server as scheduled.

10. The Notepad window might not appear if your neighbor didn’t use the /interactive switch with the At command, as mentioned in the Hint above. But you can still check the Task Manager to see that the notepad.exe process is running on your server.

11. Close all open windows.

Question: What kind of harm can be done using the At command? Explain.






Exercise 3: Manipulating the ARP table


In a peer-to-peer network where all computers are connected to a layer-2 switch, the ARP table kept on each computer is what a station uses to address the frames it sends through the switch, and the switch forwards each frame to the destination station based on the MAC address. Consider the exhibit shown above. Suppose that the user who regularly uses Workstation 3 has physical access to Workstation 5. How could that user manipulate the ARP table in order to hijack all communications from Workstation 5 to Workstation 6, so that all messages destined for Workstation 6 are forwarded by the switch to Workstation 3 instead? Explain.





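As an added example that is not part of the lab, the defender's counterpart to this question: a Python monitor that compares two constructed `arp -a` snapshots taken on Workstation 5 and reports any IP whose MAC changed since the baseline, and any MAC that now claims several IPs, which is how a hijacked entry shows up from the victim's side. The IP and MAC values are constructed.

```python
import re

# Two constructed `arp -a` snapshots taken on Workstation 5 (10.1.10.5).
# BASELINE is the healthy LAN; in LATER, Workstation 6's entry now carries the
# MAC that Workstation 3 answers to, so frames for 6 are switched to 3 instead.
BASELINE = """
Interface: 10.1.10.5 --- 0x3
  Internet Address      Physical Address      Type
  10.1.10.3             00-0c-29-aa-00-03     dynamic
  10.1.10.6             00-0c-29-aa-00-06     dynamic
  10.1.10.255           ff-ff-ff-ff-ff-ff     static
"""
LATER = """
Interface: 10.1.10.5 --- 0x3
  Internet Address      Physical Address      Type
  10.1.10.3             00-0c-29-aa-00-03     dynamic
  10.1.10.6             00-0c-29-aa-00-03     dynamic
  10.1.10.255           ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)

def parse_arp(text):
    """Map IP -> MAC for each entry in `arp -a` output, skipping the broadcast entry."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(2).lower() != "ff-ff-ff-ff-ff-ff":
            table[m.group(1)] = m.group(2).lower()
    return table

def diff_arp(baseline, current):
    """Alerts: a known IP whose MAC changed, and one MAC that now claims several IPs."""
    alerts = []
    for ip, mac in current.items():
        if ip in baseline and baseline[ip] != mac:
            alerts.append(("mac-changed", ip, baseline[ip], mac))
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("shared-mac", mac, tuple(sorted(ips))))
    return alerts

if __name__ == "__main__":
    for alert in diff_arp(parse_arp(BASELINE), parse_arp(LATER)):
        print(*alert)
```

Run periodically against a saved baseline, this is the same idea tools like arpwatch implement on the wire; on a switched LAN it is the host's own cache that tells the story.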
Exercise 4: Ping-based attacks

1) Open Wordpad (NOT Notepad) and create a file called FirstLastPing.rtf (where First and Last are your first and last names). Save the file in a folder to be called Lab2. Type in the following as the first lines in the file:

MIS 4850 Systems Security

Lab 2

First Last (where First and Last are your first and last names)

2) Open Windows’ Command Prompt

3) At the prompt, type ping /? to display the options you can use with Ping

4) Make sure that your neighbor (or Lab partner) has a computer he/she is using. Write down the neighbor’s (or Lab partner’s) computer IP address: 10.1.10.___

5) What command should you use to ping the computer that has the IP address while pretending that the ping message originates from your neighbor’s computer? Assume that your neighbor’s IP address is an IPv6 address.

Answer (write the full command): ___________________________________________________

6) Which of the following probe attack techniques is used in the command you gave when answering the previous question?

a. Flooding

b. SYN attack

c. Fingerprinting

d. spoofing

7) In another exercise, you will use the NMAP tool to perform the same probe attack with an IPv4 IP address.

8) Issue a basic Ping to ping the computer with the

9) What is the size in bytes of the ping message being sent to

10) Answer: ____________ bytes

11) If needed, use ping /? to display the options you can use with the ping command. What command should you use to ping the computer that has the IP address with a packet (or buffer) size of 50000 bytes?

Answer (write the full command): _______________________________________

12) From the Command Prompt, type the command you mentioned when answering the question above to see its outcome. Then, capture the Command Prompt window (Ctrl-Alt-PrintScreen) with command and its outcome displayed. Make sure you have captured the command and all its outcome. Switch to your FirstLastPing.rtf file. Create a blank line at the bottom of the file. Then, paste the screen capture right below.

13) If needed, use ping /? to display the options you can use with the ping command. What command should you use to ping the computer that has the IP address so that the IP address is resolved to the computer's host name, allowing you to see the host name displayed in the command result?

Answer (write the full command): __________________________________

14) From the Command Prompt, type the command you mentioned when answering the question above to see its outcome. Then, capture the Command Prompt window (Ctrl-Alt-PrintScreen) with the command and its outcome displayed. Make sure you have captured the command and all its outcome. Switch to your FirstLastPing.rtf file. Create a blank line at the bottom of the file. Then, paste the screen capture right below.

Write down the host name of the computer with the IP address as it appears in the result you got: ____________________________________

15) In this LAN, there is no router or firewall that your message would go through before reaching its destination. Type the following command to verify that:

ping -r

16) If needed, use ping /? to display the options you can use with the ping command. What command should you use to ping the computer that has the IP address until you decide to stop the pinging yourself? Test your answer and then write down the command:

Answer: ________________________________________________

Using the NMAP network scanning program

Copying NMAP (Network Mapping)

1) Click Start/Run and type in \\mainserver

2) Select the NMAP folder and copy it (Ctrl-C)

3) Close the open window

4) Open My Computer on your computer (Click Start/My Computer)

5) Paste (Ctrl-V) the NMAP folder

Installing the NMAP program

Note: If asked to replace any existing file during the installation, click YES and, if prompted, uninstall the old version.

1) Open the NMAP folder that you just copied

2) Double-click the nmap-6.47-setup.exe file to start the installation

3) Follow the instructions to install the program with all default options

4) If/When asked, also install the other programs that come with NMAP (WinPcap, etc.)

5) When the installation is complete, close (x) the My Computer window

Starting and using NMAP

1) From the Start menu, click All Programs/Nmap/ Nmap – Zenmap GUI to start the program

2) From the main window, perform a Quick scan (NOT an Intense Scan) of the target with IP address

3) Write down the ports that are open on the target computer along with the corresponding services:

|Port |Service |
| | |
| | |
| | |
| | |

4) From the main window perform an Intense Scan of the target with IP address

5) Was the scan able to detect the Operating System installed on the target computer? Check the Host Details tab to report your answers.

Name of the OS: ____________________________ How accurate is the scan result? ____%

Number of ports scanned: ____________________ Number of ports open: __________

6) From the main window, perform an Intense Scan of the computer with the IP address. Answer the following questions based on the result:

01. Which of the following services are installed and running on the target computer? Use a check mark (√) to answer

| |Oracle Database service |
| |File Transfer Protocol service |
| |Web service |
| |DB2 service |
| |SMTP email service |
| |NetBIOS |

02. If the target computer hosts Internet-related services, which of the following Web server software is used to provide the services?

a) Apache 2.4

b) IIS 5.0

c) Apache 2.0

d) Nginx

e) IIS 6.0

03. What is the target computer’s MAC address?

Answer: __________________________________________

04. If the computer is part of a domain, what is its domain name?

Answer: ___________________________________________________

05. How much time did the scan last? _______________

7) From the Profile menu, select New Profile or Command to open the Profile Editor, and find the option that hides your identity (i.e. your IP address) from the target computer you are trying to scan. Explain how you can do that.





8) With the Profile Editor still open, determine which existing NMAP script can be used to perform brute-force password auditing against an HTTP basic authentication system.

Name of the script: _________________________________

Write down the command that can be entered in Nmap – Zenmap to attempt such an attack against an HTTP server that has the IP address:


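An added example, not part of the handout, of what the Quick scan in step 2 looks like from the target's side and how to detect it: a Python sliding-window scan detector over constructed firewall log lines (fields in the Windows Firewall log order: date, time, action, protocol, source IP, destination IP, source port, destination port). The window length and port threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (Windows Firewall log field order: date time action
# protocol src-ip dst-ip src-port dst-port). 10.1.10.7 probing ten ports on
# 10.1.10.3 within three seconds is the target-side view of a Quick scan;
# the 10.1.10.9 line and the late 8080 probe are ordinary noise.
SAMPLE_LOG = """\
2024-03-04 10:15:01 DROP TCP 10.1.10.7 10.1.10.3 41002 21
2024-03-04 10:15:01 DROP TCP 10.1.10.7 10.1.10.3 41003 22
2024-03-04 10:15:01 DROP TCP 10.1.10.7 10.1.10.3 41004 23
2024-03-04 10:15:01 DROP TCP 10.1.10.7 10.1.10.3 41005 25
2024-03-04 10:15:02 ALLOW TCP 10.1.10.7 10.1.10.3 41006 80
2024-03-04 10:15:02 DROP TCP 10.1.10.7 10.1.10.3 41007 110
2024-03-04 10:15:02 ALLOW TCP 10.1.10.7 10.1.10.3 41008 139
2024-03-04 10:15:02 DROP TCP 10.1.10.7 10.1.10.3 41009 143
2024-03-04 10:15:03 ALLOW TCP 10.1.10.7 10.1.10.3 41010 445
2024-03-04 10:15:03 DROP TCP 10.1.10.7 10.1.10.3 41011 3389
2024-03-04 10:15:40 ALLOW TCP 10.1.10.9 10.1.10.3 50001 445
2024-03-04 10:40:00 DROP TCP 10.1.10.7 10.1.10.3 41012 8080
"""

WINDOW = timedelta(seconds=30)  # assumed: how long probes are correlated
THRESHOLD = 8                   # assumed: distinct ports that count as a scan

def parse_log(text):
    """Return (timestamp, src, dst, dst_port) for each TCP line."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "TCP":
            ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
            events.append((ts, f[4], f[5], int(f[7])))
    return events

def detect_scans(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per (src, dst) pair; one alert per pair when the number
    of distinct destination ports seen inside the window reaches threshold."""
    alerts, seen, recent = [], set(), defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        hits = recent[(src, dst)]
        hits.append((ts, dport))
        hits[:] = [h for h in hits if ts - h[0] <= window]
        ports = {p for _, p in hits}
        if len(ports) >= threshold and (src, dst) not in seen:
            seen.add((src, dst))
            alerts.append((src, dst, hits[0][0], len(ports)))
    return alerts
```

Note that both DROP and ALLOW lines count: a scanner learns as much from an accepted connection as from a rejected one, so the detector must not filter on action.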
Student Name: __________________________________________

Exercise 5: Understanding Target Attacks’ Questions

1. Which of the following is not considered a single-message DoS attack?

a) LAND attack

b) Teardrop

c) Ping of Death

d) None of the above

2. Which of the following DoS attacks takes advantage of IP fragmentation? (Choose all that apply)

a) LAND attack

b) Teardrop

c) Ping of Death

d) None of the above

3. Which of the following do Denial of Service attacks primarily attempt to jeopardize?

a) confidentiality

b) integrity

c) availability

4. Typically, which of the following malware could harm a host computer by consuming processor time and random access memory?

a) a virus

b) a worm

c) a logic bomb

d) None of the above

5. In which of the following may the victim crash after receiving a single attack packet?


b) Smurf

c) Both of the above.

d) Neither a. nor b.

6. In which of the following DoS attacks does the attacker make use of IP spoofing?

a) LAND attack

b) Teardrop

c) Ping of Death

d) None of the above

7. The attacker sends an attack message to a target computer using IP fragmentation. The attack packet is about 80000 bytes in size. What kind of attack did the attacker attempt?

a) Teardrop attacks

b) Ping of Death attack

c) Land attack

d) None of the above


Note on the computer IP addresses (Exercise 1): This should be the computer # with no leading zero in case there is one. Example of valid IP address:

Note on the time format (Exercise 2, step 8): Example: 1:05p or 1:05pm

