c
  

 

p
  


Lab 1: Researching Network Attacks and Security Audit
Tools




 
Part 1: Researching Network Attacks
‡ Research network attacks that have occurred.
‡ Select a network attack and develop a report for presentation to the class.
Part 2: Researching Security Audit Tools
‡ Research network security audit tools.
‡ Select a tool and develop a report for presentation to the class.
  

Network attacks have resulted in the loss of sensitive data and significant network downtime.
When a network
or the resources in it are inaccessible, worker productivity can suffer, and business income may
be lost.
Attackers have developed many tools over the years to attack and compromise the networks of
organizations.
These attacks take many forms, but in most cases, they seek to obtain sensitive information,
destroy
resources, or deny legitimate users access to resources.
To understand how to defend a network against attacks, an administrator must first identify
network
vulnerabilities. Specialized security audit software developed by equipment and software
manufacturers can
be used to help identify potential weaknesses. In addition, the same tools used by attackers can
be used to
test the ability of a network to mitigate an attack. After the vulnerabilities are known, steps can be
taken to
help mitigate the network attacks.
This lab provides a structured research project that is divided into two parts: Researching
Network Attacks
and Researching Security Audit Tools. You can elect to perform Part 1, Part 2, or both. Let your
instructor
know what you plan to do so to ensure that a variety of network attacks and vulnerability tools are
reported on
by the members of the class.
In Part 1, you research various network attacks that have actually occurred. You select one of
these and
describe how the attack was perpetrated and how extensive the network outage or damage was.
You also
investigate how the attack could have been mitigated or what mitigation techniques might have
been
implemented to prevent future attacks. You prepare a report based on a predefined form included
in the lab.
In Part 2, you research network security audit tools and investigate one that can be used to
identify host or
network device vulnerabilities. You create a one-page summary of the tool based on a predefined
form
included in the lab. You prepare a short (5±10 minute) presentation to present to the class.
You may work in teams of two with one person reporting on the network attack and the other
reporting on the

   !"#"$ % "

& 
c'c()*c

c
  
 

security audit tools. Each team member delivers a short overview (5±10 minutes) of their findings.
You can
use live demonstrations or PowerPoint to summarize your findings.
iip  


All contents are Copyright © 1992±2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 5
 
    
‡ Computer with Internet access for research.
‡ Presentation computer with PowerPoint or other presentation software installed.
‡ Video projector and screen for demonstrations and presentations.

 
p
To maintain tighter control over what the students report, you can provide the
students a list
of recent network attacks and security audit tools from which to choose. You might want to ask
the students to
email you their desired research project by a specific time, or you will assign them a topic. In the
email, they
should provide some background information (description, links, and so on) to make sure that no
one is doing
the same thing.

 
p


 
In Part 1 of this lab, you research various network attacks that have actually occurred and select
one on
which to report. Fill in the form below based on your findings.

 
 


 
List some of the attacks you identified in your search.
Possible examples include: Code Red, Nimba, Back Orifice, Blaster, MyDoom, SQL Slammer,
SMURF, Tribe
flood network (TFN), Stacheldraht, Sobig, Netsky, Witty, and Storm.
The Code Red attack is used as an example here.

 
p
: An extensive list of viruses and worms listed by the year they were discovered
can be found
at %$++ $ 
,+ +
 !-
.$-""- -
.".




 ! 
!"!
 


 

p" !

Code Red
# !

Worm
$
!

 July 2001
i"
 
%

 !! 
Infected an estimated 359,000
computers in one day.
&

 




Instructor Note: Most of the following is from Wikipedia.
Code Red exploited buffer-overflow vulnerabilities in unpatched Microsoft Internet Information
Servers. It launched Trojan code in a denial-of-service attack against fixed IP addresses. The
worm spread itself using a common type of vulnerability known as a buffer overflow. It used a
long
string repeating the character 'N' to overflow a buffer, which then allowed the worm to execute
arbitrary code and infect the machine.
The payload of the worm included:
iip  


All contents are Copyright © 1992±2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 5
‡ Defacing the affected website with the message: HELLO! Welcome to http://www.worm.com!
Hacked By Chinese!
‡ It tried to spread itself by looking for more IIS servers on the Internet.
‡ It waited 20±27 days after it was installed to launch DoS attacks on several fixed IP
addresses. The IP address of the White House web server was among them.
‡ When scanning for vulnerable machines, the worm did not check whether the server running
on a remote machine was running a vulnerable version of IIS or whether it was running IIS at
all.

   !"#"$ % "

& 
c'c()*c

c
  
 

ð






 :
To prevent the exploitation of the IIS vulnerability, organizations needed to apply the IIS patch
from Microsoft.
 !   
!
 
CERT Advisory CA-2001-19
eEye Code Red advisory
Code Red II analysis
 


 

 '
   

!
"  
 (
Wikipedia, Animation on "The Spread of the Code-Red Worm (CRv2)". CAIDA Analysis.
Retrieved
on 2006-10-03. www.networkworld.com/slideshows/2008/031108-worst-moments-in-netsecurity.
html?nwwpkg=slideshows

 
  

 

# 
In Part 2 of this lab, you research network security audit tools and attacker tools and investigate
one that can
be used to identify host or network device vulnerabilities. Fill in the report below based on your
findings.

 
   

 





 
List some of the tools that you identified in your search.
Possible examples include: Microsoft Baseline Security Analyzer (MBSA), NMAP, Cisco IOS
AutoSecure,
Cisco Security Device Manager (SDM) Security Audit Wizard. Sourceforge Network Security
Analysis Tool
(NSAT), Solarwinds Engineering Toolset.
Attacker tools may also be investigated, including L0phtcrack, Cain and Abel, John the Ripper,
Netcat, THC
Hydra, Chkrootkit, DSniff, Nessus, AirSnort, AirCrack, WEPCrack,
The SDM Security Audit tool is used as an example here.

 
p
: Additional sources of information include the following:
http://www.yolinux.com/TUTORIALS/LinuxSecurityTools.html
#))p
  

# !))*
iip  


All contents are Copyright © 1992±2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 5
http://sectools.org/index.html
 i  
http://sectools.org/crackers.html

!!  
http://sectools.org/sniffers.html
+  


 
http://sectools.org/vuln-scanners.html
,   
http://sectools.org/web-scanners.html
,
 
http://sectools.org/wireless.html
-. 




http://sectools.org/sploits.html

i!
 
http://sectools.org/packet-crafters.html




 ! 
!"!
   

 





 


p" !
 SDM Security Audit
$   Cisco Systems
# !
 '
/  01(Cisco router GUI-based security
analysis
1 '
 
 "

(Router

   !"#"$ % "

& 
c'c()*c

c
  
 

i
Free to download
$ 


! ! 
 



! 

 
SDM Security Audit wizard runs a series of predefined checklists to assess a router¶s security
configuration. When finished, SDM presents a list of recommended actions, which you can
selectively choose to apply. SDM also allows you to directly perform a one-step router lockdown
option. One-step lockdown configures the router with a set of defined security features with
recommended settings.
Security Audit is a feature of SDM that examines an existing router configuration and then
provides a list of recommended configuration changes to make a router and network more
secure.
For a complete list of functions that Security Audit checks for, see the online help topics in SDM.
Security audit does the following:
‡ Checks the router¶s running configuration against a list of predefined security configuration
settings.
‡ Lists identified problems and provides recommendations for fixing them.
‡ Allows the user to choose which problems to fix and displays the appropriate user interface
iip  


All contents are Copyright © 1992±2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5
for fixing them.
‡ Delivers commands to configure the router with the chosen security configuration.
Examples of security-related issues that Security Audit can address include services that should
be disabled, password requirements, warning banners, Telnet settings, SSH access, firewalls,
logging, and AAA. SDM and the Security Audit wizard provide context-sensitive help.
 !   
!
 



" 1 
  
2
22  

2 
 2"
 3 !
  
  

" 
 


 

 
Live demo of SDM 2.5 Security Audit and one-step lockdown if available. Screenshots of
SDM Security Audit from Google:
http://images.google.com/images?hl=en&q=SDM+Security+Audit&gbv=2

4 ! 


a. What is the prevalence of network attacks and what is their impact on an organization¶s
operation?
What are some key steps organizations can take to help protect their networks and resources?
Answers will vary. Massive network attacks like Code Red, which can affect large portions of the
Internet, are less common because of mitigation strategies that have been implemented.
However,
smaller targeted attacks, especially those intended to acquire personal information, are more
common than ever. Networking devices and hosts on a network have many potential
vulnerabilities
that can be exploited.
Vulnerability analysis tools can help identify security holes so that network administrators can
take
steps to correct the problem before an attack occurs. Other steps that can be taken include: The
use
of firewalls, intrusion detection and prevention, hardening of network devices, endpoint protection,
AAA, user education and security policy development.
b. Have you actually worked for an organization or know of one where the network was
compromised? If
so, what was the impact to the organization and what did they do about it?
Answers will vary, and the results can be interesting.
c. What steps can you take to protect your own PC or laptop computer? Answers will vary but
could
include: Keep the operating system and applications up to date with patches and service packs,
use a

   !"#"$ % "

& 
c'c()*c

c
  
 

personal firewall, configure passwords to access the system, configure screensavers to timeout
and
require a password, protect important files by making them read-only, encrypt confidential files
and
backup files for safe keeping.

   !"#"$ % "

& 
c'c()*c