Thursday, 7 June 2007
Installing Carnivore PE
Application found at this location:
http://www.r-s-g.org/carnivore/
to download:
Download CarnivorePE v2.2.1 for WinXP [829 k]
Requirements for Windows XP version
Requires Java version 1.5
Requires WinPcap
Here is the library location:
Download Carnivore Library for Processing Version 2.2.1 [709 k]
Thursday, 5 April 2007
Class Notes
Cain & Abel
software that runs on the new routers and switches and works as an IDS
DRAGON
Thursday, 22 March 2007
Thursday, 15 March 2007
class notes
end slide: 28
DMZ
bastion hosts
application gateways
Hands-on Lab 242-245
ipchains -- iptables
Thursday, 8 March 2007
Class notes
stop at slide 23
Discussing the case study:
due date : 5th April for all of the cases
Case 1: Pretend that the classroom network is a self-contained network. You wish to draft a security policy that maintains security for all devices and users in the network. Make a list of all needed equipment and software to implement this policy.
example: --
client: securing the desktop (physical security - workstation - OS - antivirus - firewall)
server: (NOS - centralized antivirus - group policy)
switch: (physical - VLAN - config / pass - trunking)
cables: physical - conduits - OHS regulations - type of cables
routers: physical - configuration (password 2 levels console / remote - ACL)
firewall (H/W): location - physical - environment
topology: perimeter - physical access (smart cards / biometric) - type of cables and connectors (specific adaptors) - documentation of security policies - UPS - backup strategy - configure IPC
Case 2:
Devise (draft) a company policy regarding removable media (storage needs) that both provides employees with the functionality they need to best get their job done yet does not compromise the security of company data. Be sure to include media disposal in the policy.
removable media
http://infosyssec.org/
Case 3:
Find out more about security options on desktop switches. Use the Cisco 2950 series as an example. Go to the Cisco web site and find the documentation for this switch. Read the documentation and list as many different security features as you can find – explain each feature as you list it as it pertains to securing a network.
Case 4:
Look up the documentation for Cisco 2950 switches at http://cisco.com/en/US/products/hw/switches/index.html and explain how to configure a SPAN port. List any considerations you should take when configuring SPAN.
Case 5:
Research some of the security options for the BIND program. You can start with http://www.isc.org/products/BIND/. Make a short report that includes the best practices for configuring BIND for optimal security.
Thursday, 22 February 2007
LAB 366 Install Sygate personal
Symantec Sygate Enterprise Protection 5.1 provides advanced endpoint protection and seamless integration with network access control in a single management architecture. With Sygate Enterprise Protection, organizations can protect managed endpoints against known and unknown attacks with desktop firewall, host-based intrusion prevention, and adaptive protection technologies - while simultaneously securing networks against non-compliant endpoints and enforcing compliance on contact.
Installation of this software went smoothly for "Sygate Personal Firewall version 5.6 (Now by Symantec Corp.)"
C$ how to disable it
How can I disable the Administrative Share creation in Windows NT/2000/XP/2003?
Every Windows NT/W2K/XP/2003 machine automatically creates a share for each drive on the system. These shares are hidden, but available with full control to domain administrators. The drive letter, followed by the $ sign is the name, and it is shared from the root. When trying to attain a highly secure network, you may wish to address this potential security issue by disabling these shares, or at least restricting their permissions to specific users or services.
The default-hidden shares are:
· C$ D$ E$ - Root of each partition. For a Windows NT workstation/W2K/2003/XP Professional computer only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows NT Server/W2K Server computer, members of the Server Operators group can also connect to these shared folders.
· ADMIN$ - %SYSTEMROOT% This share is used by the system during any remote administration of a computer. The path of this resource is always the path to the W2K/NT system root (the directory in which W2K/NT is installed, usually C:\Winnt, and in XP it's C:\Windows).
· FAX$ - On W2K Server, this is used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
· IPC$ - Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.
· NetLogon - This share is used by the Net Logon service of a W2K, 2003 and NT Server computer while processing domain logon requests, and by Pre-W2K computers when running logon scripts.
· PRINT$ - %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers.
It is possible to simply remove the share from Server Manager (in NT) or Shared Folders (in W2K/XP/2003) but the problem with this method is that the shares will automatically be recreated when the machine reboots.
You can disable the automatic administrative share creation via Group Policy, but this is a much simpler way:
In order to disable these shares permanently, a registry edit will be necessary.
Servers
For NT 4.0/W2K/Windows Server 2003s, the change is:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0
Idiot proof note: If you can't find the value in the registry under the exact location (i.e. it does not exist) - please right click in the right pane of the window and create it.
Note: A reboot is necessary for this to take effect.
Workstations
For NT 4.0 Workstation/W2K Pro/XP Pro, the change is:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0
A double idiot proof note: If you can't find the value in the registry under the exact location (i.e. it does not exist) - please right click in the right pane of the window and create it.
Note: Again, a reboot is necessary for this to take effect. If you want the administrative shares to be re-created, you can change the value back to 1.
Note: Some applications depend on the presence of these shares. If things stop working you'll know to re-enable the shares.
Security note: Unfortunately this registry hack does NOT stop the IPC$ share and this is a share that is often used by hackers to enumerate systems before attack since it can yield a wealth of information about your system names, your user names, and more. If your ACL permissions are not correct or you haven't disabled anonymous user access or you haven't disabled the guest account then this port can lead to total system compromise within minutes!
-----------------------------------------------------------------------------------------------
The system automatically creates hidden "administrative shares" for its logical drives C:, D:, and so forth, which it names C$, D$ and so forth. It also creates the admin$ hidden share for the \winnt folder. These shares are designed for remote access support by domain administrators. By default, if you delete these admin shares, they will be recreated when you reboot. To disable them permanently so they will not be recreated on the next reboot, use the following Windows NT / Windows 2000 / Windows XP registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer for servers
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 0
For background: Q156365. For details on disabling in Windows XP, see Q314984. In Windows 2000 and Windows XP, you disable the shares via
Start
Settings
Control Panel
Systems Tools panel
Shared Folders
Double-click the Shared Folders branch to expand it
Click Shares
In the Shared Folder column, right-click the share you want to disable
Click Stop sharing
Click OK.
NOTE: If you disable an administrative share that you have created, it will not be automatically enabled after you restart your computer, and you will need to recreate the share.
Perhaps the best approach to protect hard drive resources on workstations is to disable the server service if you can. There are a few workstation applications that need server service running, in particular, some SNA emulation packages.
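The registry change described above can be checked and applied from a script instead of regedit. This is an added example, not part of the original notes; it assumes PowerShell 3.0 or later and an elevated prompt, and the -Disable switch and the ProductType check used to pick the value name are choices of this script.

```powershell
# Added example: audit, and with -Disable turn off, automatic administrative shares.
# Assumes PowerShell 3.0+ and an elevated prompt; -Disable is this script's own switch.
param([switch]$Disable)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# ProductType 1 = workstation; 2 (domain controller) and 3 (server) use the server value.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$name = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

# A missing value is the default: the shares are recreated at every boot.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$state = if ($null -eq $current) {
    'not set (shares recreated at boot)'
} elseif ($current -eq 0) {
    'disabled'
} else {
    'enabled'
}
Write-Output ("{0} = {1}" -f $name, $state)

if ($Disable -and $current -ne 0) {
    # -Force creates the value when absent and overwrites it when present.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output "$name set to 0; reboot for the change to take effect."
}

# Hidden shares that exist right now. IPC$ stays listed whatever the value above is.
Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Name -like '*$' } |
    Select-Object Name, Path, Description
```

Run it without arguments first to record the current state, then again after the reboot to confirm that C$, D$ and ADMIN$ are gone from the share list.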
Thursday, 15 February 2007
notes from the class
Sanitization tool for destroying data
honey bot
Bastion Host
HIDS (Host IDS)
NIDS (Network Intrusion Detection)
dual - homed
cabletron - dragon -- for cisco routers IOS
network analyzers to test your firewall and check the configurations
Report Writing
context
body of the report
conclusions and your reflection of the findings
In an approximately 1000-word report, answer all the above questions.
Submit the soft copy to your teacher on a CDR in HTML layout and make sure to meet the following requirements:
- To get the html file to start when the CD is inserted
- Tightly secure the CD by disallowing any replication action
- Add a notice box for a message before the html file starts
- Add a legal disclaimer when your CD starts
- Add an icon file to appear in Windows Explorer
Case Projects
Case 1:
Pretend that the classroom network is a self-contained network. You wish to draft a security policy that maintains security for all devices and users in the network. Make a list of all needed equipment and software to implement this policy.
Case 2:
Devise a company policy regarding removable media that both provides employees with the functionality they need to best get their job done yet does not compromise the security of company data. Be sure to include media disposal in the policy.
Case 3:
Find out more about security options on desktop switches. Use the Cisco 2950 series as an example. Go to the Cisco web site and find the documentation for this switch. Read the documentation and list as many different security features as you can find – explain each feature as you list it as it pertains to securing a network.
Case 4:
Look up the documentation for Cisco 2950 switches at http://cisco.com/en/US/products/hw/switches/index.html and explain how to configure a SPAN port. List any considerations you should take when configuring SPAN.
Case 5:
Research some of the security options for the BIND program. You can start with http://www.isc.org/products/BIND/. Make a short report that includes the best practices for configuring BIND for optimal security.

































