Networking in Windows

Table of Contents

Lab <n> – <Lab Name>

Part n

Preparation

Observations

Lessons Learned

Subject 1: Network Tool Utilities

Ping

Subject 2: Microsoft Network Monitor

Subject 3: Cross-site Scripting

Subject 4: SNMP Enumeration

Subject 5: Nmap Tool

Communication

Subject 6: GPG4Win

Subject 7: RSA Encryption

Bibliography

Lab <n> – <Lab Name>

Part n

Write a description of what this part of the lab is supposed to achieve. Do not copy and paste what is in the provided lab document. This component is mandatory. What you write here should prove to your professor that you understand what you are trying to accomplish.

Preparation

This component is optional. Writing down what you did to prepare is good practice. It can often be used to troubleshoot problems with the lab.

Observations

This component is optional but highly recommended. Record what you did, unless it was obvious. For example, if you entered a PowerShell command to complete an assigned task, this is a great place to record it so you will know what you did in the future. If you received unexpected feedback after doing something, record that here too. If you clicked OK to dismiss a dialog, you may skip recording that.

Remember that this document should be a key study and comprehension tool. Although it’s challenging, write enough so that you can understand what you did, but keep it brief enough that you don’t get frustrated because you’re trying to read every mouse click and keystroke executed.

You may include a few strategic screenshots if you wish. Do not include trivial screenshots that make it difficult to find the really useful information. For example, if you are saving a file and want to record the name and path, write that as a brief note rather than including a screenshot of the file save dialog. If you do include screenshots, each should be easily readable without magnifying and should be clearly labeled to indicate what is in the screenshot and why it was included.

Lessons Learned

This component is mandatory. Labs will have a section per part labeled In Your Lab Book that will specify what you must include. You will generally be required to explain one or more results from the lab work. This is where you get to demonstrate that you understood what you did and the outcomes from your work. 

Solution

Subject 1: Network Tool Utilities

Network utilities are the tools a user, usually an administrator, uses to manage a network while it is in use and to troubleshoot it when something fails. This subject covers the utilities that are common to almost every network and are used on a day-to-day basis. Briefly, a network utility gives information about the network connections on a host: the hardware (MAC) addresses of the interfaces, the IP addresses assigned to each interface, counts of packets sent and received, link speed and status, and counts of transmission errors and collisions (Moran, 2017). The main Windows network utilities are ping, tracert, arp, netstat, nbtstat, nslookup and ipconfig.

These tools let the administrator check the status of the network, troubleshoot it, and test connectivity to remote hosts. On Windows they are all run from a command prompt: click Start, choose Run, type cmd and press Enter (Wilkins, 2011).

This subject uses the ping utility to illustrate what the network utilities do (Rafacz, 2014).

Ping

This utility tests connectivity between two hosts. Ping uses ICMP (Internet Control Message Protocol): it sends an ICMP Echo Request to the remote machine and waits for an ICMP Echo Reply, which shows that the remote host received the test packet and was able to answer. Pinging is a quick way to check that TCP/IP is installed and configured, and pinging a remote address also exercises the network card and the path to that host (Rafacz, 2014).

To verify that TCP/IP is installed and correctly configured on your own machine, ping the loopback address: type ping 127.0.0.1. A reply shows that the TCP/IP stack is working; note that loopback traffic never leaves the host, so this alone does not prove that the network card or the cabling is working. To test whether the machine can reach a particular site, type ping espn.com. Ping first resolves the name through DNS, then sends four echo requests and prints the round-trip time of each reply, followed by a summary of packets sent, received and lost. Replies confirm that the connection works, and the summary shows whether any packets were lost. Remember that many hosts and firewalls drop ICMP, so a timeout does not always mean the host is down.
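The exchange that ping relies on, written out as an added Python example (this is not code from the lab or from Windows ping; the identifier and sequence number are constructed, and the 32-byte payload is the pattern Windows ping sends by default). It builds an Echo Request, the Echo Reply a host would return, verifies the RFC 1071 checksum, and matches the reply to the request the way ping does:

```python
import struct

# ICMP message types used by ping (RFC 792).
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Windows ping sends this 32-byte pattern as its default payload.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = WINDOWS_PING_PAYLOAD) -> bytes:
    """ICMP Echo Request: type 8, code 0, checksum, identifier, sequence number, payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)   # computed with the checksum field zeroed
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_echo_reply(request: bytes) -> bytes:
    """What the remote host sends back: type 0, same identifier, sequence and payload."""
    _, code, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    payload = request[8:]
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, code, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, code, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the ICMP header; a packet with a correct checksum sums to zero."""
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": typ,
        "code": code,
        "checksum": csum,
        "checksum_ok": internet_checksum(packet) == 0,
        "ident": ident,
        "seq": seq,
        "payload": packet[8:],
    }


def is_reply_for(request: bytes, reply: bytes) -> bool:
    """ping pairs replies with requests by identifier and sequence, and checks the payload echoed back."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (
        rep["checksum_ok"]
        and rep["type"] == ICMP_ECHO_REPLY
        and (rep["ident"], rep["seq"]) == (req["ident"], req["seq"])
        and rep["payload"] == req["payload"]
    )


if __name__ == "__main__":
    req = build_echo_request(ident=0x0001, seq=1)
    rep = build_echo_reply(req)
    print("request:", req.hex())
    print("reply  :", rep.hex())
    print("matched:", is_reply_for(req, rep))
```

The checksum check is the part worth noticing: a reply with a damaged header fails verification and is discarded, which is one reason ping reports a lost packet even when something did come back.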

Subject 2: Microsoft Network Monitor

Microsoft Network Monitor is a packet analyzer that has since been deprecated. Its purpose is to capture, view and analyze network data, and its protocol parsers decode the network protocols found in the captured packets. Its main use is troubleshooting problems on the network and with the applications that use it. Version 1.0, code-named Bloodhound, was designed by Raymond Patch, an engineer working on network device drivers and transport protocols. When Network Monitor was deprecated (Bertuit, 2010) it was replaced by Microsoft Message Analyzer, which has itself since been retired. This topic concentrates on Network Monitor on Windows Server 2008.

Windows Server 2008 does not ship with Network Monitor built in, but the latest version can be downloaded from the Microsoft website and installed on the server. Once installed, it lets the user view the traffic being sent and received by the network interface cards in the Windows Server 2008 computer (Layfield, 2011).

With Network Monitor you can view captures in real time or save them to a file for later analysis. There are two main versions of Microsoft Network Monitor. The version downloadable from the Microsoft website and installed on a Windows server captures only traffic sent to or from the server's own network interface, which is already a powerful tool. The more advanced version is available only through Microsoft Systems Management Server and System Center Operations Manager. This version can run in an unrestricted (promiscuous) mode, in which the monitor captures up to 100 percent of the traffic seen by the network interface, not only the frames addressed to that host (http://lynnjackson.myefolio2.com, 2014).

Knowing which version is in use matters when you set up several monitoring stations across your network and feed them into a centralized collection point. It is important to know who uses which version, and in particular who can run it in promiscuous mode, because the data captured and examined may be sensitive (credentials and session contents included), and a promiscuous capture point is itself an attractive target. Controlling that access is part of keeping the network environment secure.

If you receive reports that a particular Windows Server 2008 computer is slow to respond, isolate the view to the network traffic sent to or from that server. This makes it possible to determine why an application is not working well, or to check whether malware or an attacker is trying to reach the computer over the network.

To install Network Monitor in the lab, click Start, type \\SEA-DC1\ and press Enter. In the right pane, double-click Lab Files to open it. Right-click NM31_Release_x86.msi, choose Copy, and close the window. Click Start again, open the local C: drive, click File > New > Folder and name the folder "Network Monitor". Double-click the folder you just created to open it, then paste. Double-click NM31_Release_x86.msi and wait for the Microsoft Network Monitor 3.1 setup wizard to open, then follow the steps to finish the installation. To use Network Monitor on SEA-SVR1, double-click Network Monitor 3.1, tick the Enable Conversations checkbox, then click Create a New Capture Tab. Click Capture > Start, open a command prompt and type nslookup SEA-SVR1 and

Subject 3: cross-site scripting

Cross-site scripting, abbreviated XSS, is a client-side code injection attack. The attacker arranges for malicious script to run in a victim's browser in the context of a legitimate web application or website. It is one of the most widespread vulnerabilities in web applications, and it is mostly caused by an application placing unvalidated or unencoded user input into the output it generates (Acunetix, 2017).

In XSS the attacker does not target the victim directly. Instead, the attacker exploits a vulnerability in a website or web application that the victim is likely to visit, and that site delivers the malicious script to the victim's browser. The web application is only the vehicle that carries the script (Kallin & Valbuena, 2016).

XSS has historically also been carried out with VBScript, ActiveX and Flash, but JavaScript is by far the most abused, simply because it is fundamental to most browsing experiences.

How XSS Works

To run malicious script in the victim's browser, the attacker needs the victim to load the page where the payload sits. There are many ways to achieve that; one is social engineering, or a link or message that lures the victim to the vulnerable page. The vulnerable page then serves the injected JavaScript payload (Veracode, 2017).

For XSS to succeed, the page must reflect or store input the attacker controls, for example a comment form, a search box or a URL parameter. The attacker submits a string that the victim's browser will interpret as code when the page is rendered. Below is an example.

The snippet below is pseudo code that shows the most recent comment on a web page:

    print "<html>"
    print "<h1>Most recent comment</h1>"
    print database.latestComment
    print "</html>"

The script reads the most recent comment from the comments database and displays it in the browser as part of an HTML page, on the assumption that comments contain plain text only. The page is vulnerable to XSS because an attacker can submit a comment that contains a malicious payload such as <script>doSomethingEvil();</script>. When a user visits the page, the browser is served:

    <html>
    <h1>Most recent comment</h1>
    <script>doSomethingEvil();</script>
    </html>

The browser cannot tell the attacker's script from the site's own, so it runs it, and the attack is complete. The fix is output encoding: HTML-encode the comment (turn < into &lt;, and so on) at the point where it is written into the page, so the browser displays the text instead of executing it.
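The vulnerable rendering beside its hardened form, as an added Python example (this is not code from the page or from any web framework; the payloads and the doSomethingEvil function are constructed). It goes one step beyond the text by also covering the attribute context, where quoting and encoding both matter, and the href context, where a javascript: URL executes even when it is perfectly HTML-encoded:

```python
import html
from urllib.parse import urlsplit


def render_vulnerable(latest_comment: str) -> str:
    """The page's pseudo code, literally: the stored comment is pasted into the HTML unchanged."""
    return "<html><h1>Most recent comment</h1>" + latest_comment + "</html>"


def render_safe(latest_comment: str) -> str:
    """HTML body context: encode <, >, &, \" and ' so the browser treats the comment as text."""
    return "<html><h1>Most recent comment</h1>" + html.escape(latest_comment, quote=True) + "</html>"


def render_link_vulnerable(author_url: str, title: str, label: str) -> str:
    """Attribute context done wrong: a quote in the title closes the attribute and starts a new one."""
    return '<a href="{}" title="{}">{}</a>'.format(author_url, title, label)


def render_link_safe(author_url: str, title: str, label: str) -> str:
    """Attribute context done right: quoted attributes, encoded values, and a URL scheme allow-list,
    because javascript: and data: URLs run even when every character is HTML-encoded."""
    scheme = urlsplit(author_url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        author_url = "#"
    return '<a href="{}" title="{}">{}</a>'.format(
        html.escape(author_url, quote=True), html.escape(title, quote=True), html.escape(label)
    )


def contains_active_script(page: str) -> bool:
    """Crude check used only to show whether a payload survived as live markup."""
    lowered = page.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


# Constructed attacker input: the page's own payload, plus an attribute-breakout variant.
STORED_PAYLOAD = "<script>doSomethingEvil();</script>"
ATTRIBUTE_PAYLOAD = 'x" onmouseover="doSomethingEvil()'

if __name__ == "__main__":
    print(render_vulnerable(STORED_PAYLOAD))
    print(render_safe(STORED_PAYLOAD))
    print(render_link_vulnerable("https://example.com/", ATTRIBUTE_PAYLOAD, "profile"))
    print(render_link_safe("https://example.com/", ATTRIBUTE_PAYLOAD, "profile"))
```

Encoding is context-specific: the same comment placed inside a script block or a CSS property needs a different encoder again, which is why frameworks offer templating that escapes by default rather than leaving it to each print statement.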

Subject 4: SNMP Enumeration

SNMP enumeration is the process of using SNMP (Simple Network Management Protocol) to pull information out of a target: user accounts on Windows systems, running processes and installed software, interfaces, IP and routing tables, and similar details. SNMP involves two kinds of software: an SNMP agent, which runs on the managed network device, and an SNMP management station, which communicates with the agent. Most, if not all, network devices carry an SNMP agent so that they can be managed; this includes switches, routers and Windows systems.

The management station sends requests to the agents and the agents send back replies. Requests and replies refer to configuration variables that the agent software can read, and the management station can also set the values of some of these variables. Alongside requests and responses, traps let the agent notify the management station that something important has happened, such as a system reboot or an interface failure. The database of these variables, the Management Information Base (MIB), is held on the network device.

SNMP versions 1 and 2c use two passwords, called community strings, to control access to the agent from a management station. The first is the read community string, which allows you to view the configuration of the device or system. The second is the read/write community string, which also allows you to change that configuration. By default the read community string is public and the read/write community string is private. Leaving the community strings at their defaults is a major loophole that attackers take advantage of: anyone who can reach UDP port 161 can read, and with the read/write string reconfigure, the device. Note also that SNMPv1 and v2c send the community string in cleartext in every packet, so anyone capturing traffic can read it off the wire; SNMPv3 adds authentication and encryption and should be preferred where the devices support it.
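The SNMPv1 request and response described above, built and decoded as an added Python example (this is not code from the page or from any SNMP library; the sysDescr value and the community strings are constructed, and nothing is sent on the network). Seeing the bytes makes the point about cleartext community strings concrete: the password is a plain OCTET STRING a few bytes into every packet.

```python
import secrets

# Community strings that vendors ship by default; finding either on a live agent is the classic weakness.
DEFAULT_COMMUNITIES = {"public", "private"}
SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-2 sysDescr.0, usually the first thing an enumerator asks for

# --- minimal BER (ASN.1) encoder and decoder, only what SNMPv1 messages need ---

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def enc_int(value: int) -> bytes:
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def enc_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])        # the first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                           # base-128; high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value_bytes, position_after)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        extra = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + extra], "big"), pos + extra
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# --- SNMPv1 GetRequest / GetResponse (RFC 1157) ---

def _message(community: str, pdu_tag: int, request_id: int, varbind: bytes) -> bytes:
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbind))
    # version INTEGER 0 = SNMPv1; the community string rides along as a cleartext OCTET STRING
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)

def build_get_request(community: str, oid: str, request_id: int = None) -> bytes:
    request_id = secrets.randbelow(1 << 31) if request_id is None else request_id
    return _message(community, 0xA0, request_id, tlv(0x30, enc_oid(oid) + tlv(0x05, b"")))

def build_get_response(community: str, request_id: int, oid: str, value: bytes) -> bytes:
    """What an agent answers; constructed here to stand in for a real device."""
    return _message(community, 0xA2, request_id, tlv(0x30, enc_oid(oid) + tlv(0x04, value)))

def parse_message(msg: bytes) -> dict:
    _, body, _ = read_tlv(msg)
    _, version, p = read_tlv(body)
    _, community, p = read_tlv(body, p)
    pdu_tag, pdu, _ = read_tlv(body, p)
    _, request_id, q = read_tlv(pdu)
    _, error_status, q = read_tlv(pdu, q)
    _, _error_index, q = read_tlv(pdu, q)
    _, varbind_list, _ = read_tlv(pdu, q)
    varbinds, r = [], 0
    while r < len(varbind_list):
        _, vb, r = read_tlv(varbind_list, r)
        _, oid, s = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, s)
        varbinds.append((dec_oid(oid), val if vtag == 0x04 else None))   # NULL in a request -> None
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(),
        "pdu": pdu_tag,
        "request_id": int.from_bytes(request_id, "big", signed=True),
        "error_status": int.from_bytes(error_status, "big", signed=True),
        "varbinds": varbinds,
    }

def uses_default_community(community: str) -> bool:
    return community.lower() in DEFAULT_COMMUNITIES
```

A quick audit of a capture is just parse_message on each UDP/161 payload followed by uses_default_community on the community field; the same parser reads both the request an enumerator sends and the response the agent returns.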

Subject 5: Nmap tool

Nmap (Network Mapper) is a free and open-source utility for network discovery and security auditing. Network and system administrators use it for network inventory, monitoring host and service uptime, and managing service upgrade schedules. Using raw IP packets, Nmap determines which hosts are available on the network, which services those hosts offer (including application name and version), which operating systems they run, which packet filters and firewalls are in use, and dozens of other host characteristics.

The tool was designed to scan large networks, but it works just as well against a single host. Nmap runs on most operating systems, with binary packages available for Linux, Windows and Mac OS X. Beyond the classic command-line executable, the Nmap suite includes a GUI and results viewer (Zenmap), a flexible data transfer, redirection and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Characteristics of Nmap tool

  1. Flexible: it supports many techniques for mapping networks filled with IP filters, routers, firewalls and other obstacles.
  2. Powerful: it has been used to scan huge networks of hundreds of thousands of machines.
  3. Portable
  4. Easy to use
  5. Free
  6. Well documented, so support is easy to find
  7. Acclaimed: it has won several awards
  8. Popular

Nmap's results are only as accurate as the packets that come back from the target machines, and some of those packets may come from firewalls or other intermediate devices rather than from the target itself. Such hosts are sometimes untrustworthy and may send responses intended to confuse or mislead Nmap. The most common case is hosts that are not RFC compliant and do not respond to Nmap probes the way the standards say they should. Nmap records the reason behind each port state (for example syn-ack, reset or no-response), which helps judge how far to trust a given result.
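Reading Nmap's machine-readable output, as an added Python example (this is not code from the page or from the Nmap project; the XML is a constructed sample in the shape that nmap -sV -O -oX writes, using an RFC 5737 documentation address). It keeps the reason and the detection method for each port, which is exactly the information needed to judge how trustworthy a result is:

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -O -oX scan.xml 192.0.2.10` writes (trimmed to the elements used).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.10" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open" reason="udp-response"/>
        <service name="snmp" product="net-snmp" method="probed" conf="10"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="95"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Turn an -oX document into a list of host dicts, one entry per scanned port."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        os_match = host.find("os/osmatch")      # best match only; Nmap lists several when unsure
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),          # why Nmap believes this state
                "service": service.get("name") if service is not None else None,
                "product": service.get("product") if service is not None else None,
                "version": service.get("version") if service is not None else None,
                # "probed" means a real banner/probe response; "table" is just the well-known port name
                "probed": service is not None and service.get("method") == "probed",
            })
        hosts.append({
            "address": addr.get("addr") if addr is not None else None,
            "state": host.find("status").get("state"),
            "os": os_match.get("name") if os_match is not None else None,
            "os_accuracy": int(os_match.get("accuracy")) if os_match is not None else None,
            "ports": ports,
        })
    return hosts


def open_services(hosts: list) -> list:
    """Only ports seen as open, with whether the service name came from a probe or the port table."""
    return [
        (h["address"], p["proto"], p["port"], p["service"], p["product"], p["version"], p["probed"])
        for h in hosts for p in h["ports"] if p["state"] == "open"
    ]


if __name__ == "__main__":
    for row in open_services(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(row)
```

The "filtered" result on 3389 with reason no-response is the case the paragraph above warns about: Nmap is reporting that nothing came back, not that a service is absent.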

Communication

To receive Nmap announcements, subscribe to the Nmap Hackers mailing list. This is where updates on the tool are published, including new and advanced features.

Subject 6: GPG4Win

This topic covers the basics of GPG4Win, including installing GPA (the GNU Privacy Assistant) and using it to encrypt and decrypt messages.

BACKGROUND OF PGP

Every user has a PGP key pair: a public key, which is shared with others, and a private key, which stays secret. In GPA you import other people's public keys and add them to your list of keys. To write a PGP message, type it normally in the Clipboard window and press the Encrypt button. You are then asked to choose the recipient's key from your list of keys. Remember that only the person who holds the private key matching the public key you encrypted with will be able to read the message.

THE STEPS

– Step One –

The first step is to install a PGP program. This paper uses Gpg4win, a popular package that includes GPA. When installing Gpg4win you can choose which programs from the package to install; make sure GPA is ticked before continuing with the installation.

Next, create a PGP key pair. None of the details need to be real: use your online name or a different alias when making the key, and pick one that is not your gamer tag or anything else that may be tied to you. The e-mail address does not need to be valid at all. Also make a backup of your key!

– Step 2 – Finding Your Key –

Find the file where you backed up the key; it should be an .asc file. Open it in Notepad. When sharing your public key with others, copy everything in the file, including the lines of dashes at the beginning and the end. When you receive other people's keys, paste each key into a Notepad file and save it, then in GPA choose Keys > Import Keys, select the file you just saved and complete the process. The keys appear in the list if the import was successful.

To send an encrypted message, open the Clipboard, either from the Clipboard button on the toolbar or from the Windows menu. Type the message, then click the Encrypt button at the top of the Clipboard window. A dialog asks which key to encrypt with; select the recipient's key, then send the encrypted text. The recipient decrypts the message with their private key.
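Why "everything including the dashes" matters: the .asc file is OpenPGP ASCII armor (RFC 4880 section 6), and the last line before the END marker is a CRC-24 of the binary key data. The following is an added Python example (not code from the page or from Gpg4win/GPA); the payload is constructed bytes standing in for the real key packets, and the "Version: GPA" header used in the test is an assumption. It armors a payload and then de-armors it, rejecting a block with damaged markers, body or checksum:

```python
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP ASCII-armor checksum (RFC 4880, section 6.1)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packet_bytes: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Produce the text form GPA writes to an .asc file: markers, blank line, base64, =CRC line."""
    b64 = base64.b64encode(packet_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(packet_bytes).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN %s-----" % block_type, "", *lines, crc_line,
                      "-----END %s-----" % block_type, ""])


_ARMOR_RE = re.compile(
    r"-----BEGIN (?P<type>[A-Z ]+)-----\n"
    r"(?P<headers>(?:[^\n]+\n)*)\n"            # optional 'Version:' style headers, then a blank line
    r"(?P<body>[A-Za-z0-9+/=\n]+?)\n"
    r"=(?P<crc>[A-Za-z0-9+/]{4})\n"
    r"-----END (?P=type)-----"
)


def dearmor(text: str):
    """Return (block_type, bytes), or None when the markers, body or CRC line are missing or damaged."""
    match = _ARMOR_RE.search(text.replace("\r\n", "\n"))
    if not match:
        return None
    try:
        data = base64.b64decode(match.group("body").replace("\n", ""), validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return None
    expected = int.from_bytes(base64.b64decode(match.group("crc")), "big")
    if crc24(data) != expected:
        return None
    return match.group("type"), data


if __name__ == "__main__":
    demo = bytes(range(64))                       # constructed stand-in for real OpenPGP packets
    text = armor(demo)
    print(text)
    print(dearmor(text) == ("PGP PUBLIC KEY BLOCK", demo))
```

A pasted key that fails dearmor is usually one that lost its first or last line or a character in transit, which is the same failure the GPA import dialog reports as an unreadable key.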

Subject 7: RSA Encryption

Introduction

RSA is a public-key (asymmetric) algorithm. An RSA key pair consists of a private key, which the server keeps, and a public key, which is included in the server's SSL certificate. In an SSL/TLS session the key pair is used to authenticate the server and, with the RSA key exchange, to transport the symmetric session key. Because asymmetric encryption is slow, it is used only where a secure symmetric key exchange is needed; the symmetric key then encrypts and decrypts the actual transmitted data.

Normally the RSA private key is generated together with the certificate signing request (CSR). Only the CSR, which carries the public key, is sent to the certificate authority; the private key never leaves your server, so neither the CA nor anyone else has a copy of it. Only you have access to your private key. On disk it is a PEM file: a block of base64 text with a header such as

-----BEGIN RSA PRIVATE KEY-----

When generating the private key you must specify the key size. Today most certificate authorities require at least 2048 bits for an RSA private key; this size is secure and does not overload the server's CPU. You may use a 4096-bit key instead, but that slows the server down, since doubling the key size slows the RSA private-key operation, and with it the SSL/TLS handshake, by roughly 6 to 7 times.

Back up the private key as soon as it is generated, since it is required to install the certificate when it arrives. Do not share the private key with anyone and keep it where nobody else can access it: with the RSA key exchange, anyone who obtains the key can decrypt any session they have captured, past or present. Cipher suites that use ephemeral Diffie-Hellman for the key exchange (ECDHE) avoid this, because the RSA key then only signs the handshake and the session keys cannot be recovered from it.

To illustrate, we replayed an SSL/TLS session in a test environment, using STARTTLS when connecting to our FTP server, and analyzed the session's traffic. In the capture the stream appears as opaque encrypted application data.

Because this was a test, we had the matching private key, so it was easy to decrypt the whole session.

If you suspect that your private key has been compromised, reissue the certificate with a newly generated key pair and revoke the old certificate.
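RSA key transport of a session key, and why a leaked private key exposes captured sessions, as an added Python example (this is not code from the page or from any TLS library; textbook RSA without padding, a 512-bit demonstration key and a constructed 16-byte session key are assumptions made to keep it short and fast, and real implementations must use a 2048-bit or larger key with PKCS#1 padding):

```python
import secrets
from math import gcd

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force the top bit and oddness
        if is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 512, e: int = 65537):
    """Return ((n, e), (n, d)). Certificates use 2048 bits or more; 512 keeps the demo quick."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))


def key_size_bits(key) -> int:
    """The 'key size' a CA talks about is the bit length of the modulus n."""
    return key[0].bit_length()


def wrap_session_key(public_key, session_key: bytes) -> int:
    """Client side of RSA key transport: encrypt the symmetric key under the server's public key.
    Textbook RSA, no padding: shown only for the arithmetic; TLS used PKCS#1 v1.5 padding here."""
    n, e = public_key
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("session key too long for this modulus")
    return pow(m, e, n)


def unwrap_session_key(private_key, ciphertext: int, key_len: int) -> bytes:
    """Server side. Anyone holding a leaked private key plus a capture of the handshake can do the same,
    which is why a compromised RSA key exposes every recorded session that used RSA key exchange."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(key_len, "big")


if __name__ == "__main__":
    public, private = keygen(512)
    session = secrets.token_bytes(16)             # what the real handshake derives its keys from
    captured = wrap_session_key(public, session)  # this value is what crosses the wire
    print("key size:", key_size_bits(public), "bits")
    print("recovered from capture with private key:", unwrap_session_key(private, captured, 16) == session)
```

Changing keygen(512) to keygen(2048) makes the private-key operation noticeably slower, which is the cost the paragraph on key sizes describes; an ECDHE suite removes the dependence of past sessions on the key but does not change that cost for the signature.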

Bibliography

Acunetix. (2017). Cross-site Scripting (XSS) Attack. Acunetix.

Bertuit, M. (2010, September 10). Microsoft Network Monitor 3.4: a great tool for viewing the contents of network packets that are being sent and received over a live network connection. System-Center.fr.

http://lynnjackson.myefolio2.com. (2014). Windows Network Monitor. http://lynnjackson.myefolio2.com.

Kallin, J., & Valbuena, I. L. (2016, July 9). Excess XSS: A comprehensive tutorial on cross-site scripting.

Layfield, R. (2011, October 18). Microsoft Network Monitor – Part 2.

Moran, J. (2017). 20 Great, Free Networking Utilities. Practically Networked.

Rafacz, R. (2014, July 8). Top 7 TCP/IP Utilities Every Networking Pro Should Know. Pluralsight.

Veracode. (2017). XSS – What Is Cross-Site Scripting? Veracode.

Wilkins, S. (2011, July 14). Top 10 Basic Network Troubleshooting Tools Every IT Pro Should Know. Pluralsight.