Researching Network Attacks and Security Audit Tools

CCNA Security Chapter 1 Lab A: Researching Network Attacks and Security Audit Tools
Instructor Version Objectives
Part 1: Researching Network Attacks . Research network attacks that have occurred.
. Select a network attack and develop a report for presentation to the
class. Part 2: Researching Security Audit Tools . Research network security audit tools.
. Select a tool and develop a report for presentation to the class. Background/Scenario
Network attacks have resulted in the loss of sensitive data and
significant network downtime. When a network or the resources in it are
inaccessible, worker productivity can suffer, and business income may be
lost.
Attackers have developed many tools over the years to attack and
compromise the networks of organizations. These attacks take many forms,
but in most cases, they seek to obtain sensitive information, destroy
resources, or deny legitimate users access to resources.
To understand how to defend a network against attacks, an administrator
must first identify network vulnerabilities. Specialized security audit
software developed by equipment and software manufacturers can be used to
help identify potential weaknesses. In addition, the same tools used by
attackers can be used to test the ability of a network to mitigate an
attack. After the vulnerabilities are known, steps can be taken to help
mitigate the network attacks.
This lab provides a structured research project that is divided into two
parts: Researching Network Attacks and Researching Security Audit Tools.
You can elect to perform Part 1, Part 2, or both. Let your instructor
know what you plan to do so to ensure that a variety of network attacks
and vulnerability tools are reported on by the members of the class.
In Part 1, you research various network attacks that have actually
occurred. You select one of these and describe how the attack was
perpetrated and how extensive the network outage or damage was. You also
investigate how the attack could have been mitigated or what mitigation
techniques might have been implemented to prevent future attacks. You
prepare a report based on a predefined form included in the lab.
In Part 2, you research network security audit tools and investigate one
that can be used to identify host or network device vulnerabilities. You
create a one-page summary of the tool based on a predefined form included
in the lab. You prepare a short (5-10 minute) presentation to present to
the class.
You may work in teams of two with one person reporting on the network
attack and the other reporting on the security audit tools. Each team
member delivers a short overview (5-10 minutes) of their findings. You
can use live demonstrations or PowerPoint to summarize your findings.
Required Resources . Computer with Internet access for research.
. Presentation computer with PowerPoint or other presentation software
installed.
. Video projector and screen for demonstrations and presentations. Instructor Note: To maintain tighter control over what the students
report, you can provide the students a list of recent network attacks and
security audit tools from which to choose. You might want to ask the
students to email you their desired research project by a specific time,
or you will assign them a topic. In the email, they should provide some
background information (description, links, and so on) to make sure that
no one is doing the same thing.
Part 1. Researching Network Attacks
In Part 1 of this lab, you research various network attacks that have
actually occurred and select one on which to report. Fill in the form
below based on your findings.
Step 1: Research various network attacks.
List some of the attacks you identified in your search.
Possible examples include: Code Red, Nimba, Back Orifice, Blaster,
MyDoom, SQL Slammer, SMURF, Tribe flood network (TFN), Stacheldraht,
Sobig, Netsky, Witty, and Storm.
The Code Red attack is used as an example here.
Instructor Note: An extensive list of viruses and worms listed by the
year they were discovered can be found at
http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms.
Step 2: Fill in the following form for the network attack selected.
|Name of attack: |Code Red |
|Type of attack: |Worm |
|Dates of attacks: |July 2001 |
|Computers / Organizations affected: |Infected an estimated 359,000 |
| |computers in one day. |
|How it works and what it did: |
|Instructor Note: Most of the following is from Wikipedia. |
|Code Red exploited buffer-overflow vulnerabilities in unpatched |
|Microsoft Internet Information Servers. It launched Trojan code in a |
|denial-of-service attack against fixed IP addresses. The worm spread |
|itself using a common type of vulnerability known as a buffer overflow.|
|It used a long string repeating the character 'N' to overflow a buffer,|
|which then allowed the worm to execute arbitrary code and infect the |
|machine. |
| |
|The payload of the worm included: |
|Defacing the affected website with the message: HELLO! Welcome to |
|http://www.worm.com! Hacked By Chinese! |
|It tried to spread itself by looking for more IIS servers on the |
|Internet. |
|It waited 20-27 days after it was installed to launch DoS attacks on |
|several fixed IP addresses. The IP address of the White House web |
|server was among them. |
|When scanning for vulnerable machines, the worm did not check whether |
|the server running on a remote machine was running a vulnerable version|
|of IIS or whether it was running IIS at all. |
|Mitigation options: |
|To prevent the exploitation of the IIS vulnerability, organizations |
|needed to apply the IIS patch from Microsoft. |
|References and info links: |
|CERT Advisory CA-2001-19 |
|eEye Code Red advisory |
|Code Red II analysis |
|Presentation support graphics (include PowerPoint filename or web |
|links): |
|Wikipedia, Animation on "The Spread of the Code-Red Worm (CRv2)". CAIDA|
|Analysis. Retrieved on 2006-10-03. |
|www.networkworld.com/slideshows/2008/031108-worst-moments-in-net-securi|
|ty.html?nwwpkg=slideshows | Part 2. Researching Security Audit Tools
In Part 2 of this lab, you research network security audit tools and
attacker tools and investigate one that can be used to identify host or
network device vulnerabilities. Fill in the report below based on your
findings.
Step 1: Research various security audit and network attack tools.
List some of the tools that you identified in your search.
Possible examples include: Microsoft Baseline Security Analyzer (MBSA),
NMAP, Cisco IOS AutoSecure, Cisco Security Device Manager (SDM) Security
Audit Wizard. Sourceforge Network Security Analysis Tool (NSAT),
Solarwinds Engineering Toolset.
Attacker tools may also be investigated, including L0phtcrack, Cain and
Abel, John the Ripper, Netcat, THC Hydra, Chkrootkit, DSniff, Nessus,
AirSnort, AirCrack, WEPCrack,
The SDM Security Audit tool is used as an example here.
Instructor Note: Additional sources of information include the following: http://www.yolinux.com/TUTORIALS/LinuxSecurityTools.html
Top 100 Network Security Tools of 2006:
http://sectools.org/index.html
Password Crackers:
http://sectools.org/crackers.html
Sniffers:
http://sectools.org/sniffers.html
Vulnerability Scanner:
http://sectools.org/vuln-scanners.html
Web Scanners:
http://sectools.org/web-scanners.html
Wireless:
http://sectools.org/wireless.html
Exploitation:
http://sectools.org/sploits.html
Packet Crafters:
http://sectools.org/packet-crafters.html Step 2: Fill in the following form for the security audit or network attack
tool selected.
|Name of tool: |SDM Security Audit |
|Developer: |Cisco Systems |
|Type of tool (character-based or GUI): |Cisco router GUI-based security|
| |analysis |
|Used on (network device or computer |Router |
|host): | |
|Cost: |Free to download |
|Description of key features and capabilities of product or tool: |
|SDM Security Audit wizard runs a series of predefined checklists to |
|assess a router's security configuration. When finished, SDM presents a|
|list of recommended actions, which you can selectively choose to apply.|
|SDM also allows you to directly perform a one-step router lockdown |
|option. One-step lockdown configures the router with a set of defined |
|security features with recommended settings. |
|S