Information Assurance, I
Released: 5/05
Page 5.10.1 -1

Identify Attack and Target PCs

1. Record the IP address of your Attack PC: _____ . _____ . _____ . _____
2. Record the IP address of your Target PC: _____ . _____ . _____ . _____

Acquire the Necessary Software (Both PCs)

1. Download lab5-10software.zip from the class website (http://ca.htc.mnscu.edu/ccis2400).
2. Extract this file to a folder on your Desktop.

Install Back Officer Friendly (Target PC)

3. Extract back-officer-friendly.zip to your Desktop.
4. Launch the installation program (nfrbofl.exe). You should accept most of the default values for installation, but be sure to answer the following questions as follows:

   Do you want BackOfficer Friendly to start listening to the network every time you start Windows?
   Answer: No

   Do you want BackOfficer Friendly to start listening to the network now?
   Answer: Yes

Configure Back Officer Friendly (Target PC)

1. After installation, BOF will simply appear in your system tray (near the clock). Double click the task bar icon to bring up the BOF dialog box.
2. Click the Options menu and select all listening options as well as fake replies. This will activate the BOF honeypot.
3. From the File menu, click Clear so any intrusion attempts are easily seen.

Launch the "Attack" (Attack-PC)

1. Open a DOS Prompt window and Telnet to your Target PC:

   telnet _____ . _____ . _____ . _____   (Target PC's address)

2. Attempt to login. What feedback do you receive?
3. Open a browser and attempt an http connection to your Target PC. What feedback do you receive?
4. Using your browser, attempt an ftp connection to your Target PC. What feedback do you receive?

Observe the "Attack" (Target-PC)

1. As the "attacker" is attempting Telnet, HTTP, and FTP connections, just watch BackOfficer Friendly.
2. Record the BOF messages related to Telnet:
5. From the File menu, click Clear so future intrusion attempts are easily seen.

Run a Port-Scan (Attack-PC)

Some intruders may wish to invoke the use of a port scanner to try and see if any UDP/TCP ports are vulnerable. This is like a prowler checking around the neighborhood to see if all the doors are locked.

1. Extract yaps.zip to your Desktop.
2. Launch the installation program (setup.exe). You may accept all the defaults as you complete the installation. Note: this is a 30-day trial version of YAPS.
3. Click the Configure button to examine exactly which TCP/UDP ports will be scanned. No changes are necessary, so click Cancel.
4. Enter your Target PC's address for both the beginning and ending addresses, then click the Begin Scan button. Record the ports/services that YAPS discovered:

Observe the Scan (Target-PC)

1. As the "attacker" is running the port scan, just watch BackOfficer Friendly.
2. Record the BOF messages related to services other than Telnet, HTTP, and FTP.
3. From the File menu, click Clear so future intrusion attempts are easily seen.
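
The two observations above (a few separate Telnet, HTTP and FTP attempts, then a port scan touching many services at once) differ in a way a defender can turn into a detection rule. The following Python code is an added example, not part of the original lab or of BackOfficer Friendly; the event tuples, addresses, time window and port threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not BackOfficer Friendly output):
# (seconds, source IP, destination port).
# 192.0.2.10 mimics the manual Telnet/HTTP/FTP attempts; 192.0.2.20 mimics the port scan.
EVENTS = [
    (0, "192.0.2.10", 23), (40, "192.0.2.10", 80), (95, "192.0.2.10", 21),
    (200, "192.0.2.20", 21), (200, "192.0.2.20", 23), (201, "192.0.2.20", 25),
    (201, "192.0.2.20", 80), (202, "192.0.2.20", 110), (202, "192.0.2.20", 143),
]

def classify_sources(events, window=10, min_ports=5):
    """Label each source 'scan' if it touched >= min_ports distinct ports
    within any `window`-second span, otherwise 'probe'."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    verdicts = {}
    for src, hits in by_src.items():
        verdicts[src] = "probe"
        start = 0
        in_window = defaultdict(int)  # port -> hits currently inside the window
        for ts, port in hits:
            in_window[port] += 1
            # Slide the left edge forward until the window spans at most `window` seconds.
            while ts - hits[start][0] > window:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                verdicts[src] = "scan"
                break
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(EVENTS).items()):
        print(src, verdict)
```

Widening the window or lowering the threshold makes slow, deliberate probing count as a scan as well, at the cost of more false alarms from ordinary clients.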

Appendix

This lab was performed using BackOfficer Friendly version 1.0.1.1, Back Orifice client version 1.20, Back Orifice 2K version 1.0, and YAPS version 1.2 on hosts running Windows XP. BackOfficer Friendly can be found at www.nfr.com under the dropdown Resource Center. YAPS can be found at hale.tni.net/tedware/yaps/yaps.html