Training and Exercises
In addition to performing penetration tests, some organizations choose to run wargame exercises that pit teams of security professionals against each other in a cyber defense scenario. These exercises are typically performed in simulated environments, rather than on production networks, and seek to improve the skills of security professionals on both sides by exposing them to the tools and techniques used by attackers.
Three teams are involved in most cybersecurity wargames:
The red team plays the role of the attacker and uses reconnaissance and exploitation tools to attempt to gain access to the protected network. The red team's work is similar to that of the testers during a penetration test.
The blue team is responsible for securing the targeted environment and keeping the red team out by building, maintaining, and monitoring a comprehensive set of security controls.
The white team coordinates the exercise and serves as referee, arbitrating disputes between the teams, maintaining the technical environment, and monitoring the results.
Cybersecurity wargames can be an effective way to educate security professionals on modern attack and defense tactics.
There's a free honeypot program called HoneyBot that you can install on a Windows machine; just follow the HoneyBot installation wizard.
You can customize the honeypot settings by clicking Options (two gear icons).
You can also edit the services (ports) the honeypot runs by going to View > Services.
Start the honeypot service by going to File > Start, or just click the Start (play) icon.
Click Allow access on the Windows Firewall pop-up so that the services or ports opened by the honeypot are reachable from the network.
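HoneyBot is a low-interaction honeypot: it listens on a list of ports, greets whoever connects with a canned banner, and logs the connection and whatever the client sent. The following is an added example of that mechanism, not HoneyBot's own code. The port list, the banner text and the loopback bind address are assumptions so that it runs anywhere; `probe` plays the client side for the demonstration, and `ports_per_source` is the summary a defender looks at first, since one source touching many decoy ports in a short time is the signature of a scan.

```python
"""Minimal low-interaction TCP honeypot in the spirit of HoneyBot's
service listeners: bind a list of ports, greet every client with a
banner, record who connected and the first bytes they sent. Added
example (not HoneyBot's code); port list and banner are assumptions."""
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: float           # time of the connection
    src: str            # client address
    src_port: int
    dst_port: int       # which decoy service was touched
    first_bytes: bytes  # what the client sent before closing (b"" for a bare connect)


@dataclass
class Honeypot:
    ports: list                       # ports to listen on; 0 lets the OS pick one
    banner: bytes = b"220 Service ready\r\n"
    events: list = field(default_factory=list)
    _lock: threading.Lock = field(default_factory=threading.Lock)
    _servers: list = field(default_factory=list)
    _running: bool = False

    def start(self):
        """Bind every port on loopback and return the ports actually bound."""
        self._running = True
        for port in self.ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind(("127.0.0.1", port))   # a real deployment binds the LAN address
            srv.listen(16)
            srv.settimeout(0.5)             # lets the accept loop notice stop()
            self._servers.append(srv)
            threading.Thread(target=self._serve, args=(srv,), daemon=True).start()
        return [s.getsockname()[1] for s in self._servers]

    def _serve(self, srv):
        dst_port = srv.getsockname()[1]
        while self._running:
            try:
                conn, (src, src_port) = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return                      # listener closed by stop()
            threading.Thread(target=self._handle,
                             args=(conn, src, src_port, dst_port), daemon=True).start()

    def _handle(self, conn, src, src_port, dst_port):
        conn.settimeout(2.0)
        data = b""
        try:
            conn.sendall(self.banner)
            data = conn.recv(256)           # a connect scan closes at once: b""
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
            with self._lock:
                self.events.append(Event(time.time(), src, src_port, dst_port, data))

    def wait_for(self, count, timeout=5.0):
        """Block until `count` events are logged (or timeout); return a copy."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)

    def stop(self):
        self._running = False
        for s in self._servers:
            s.close()


def ports_per_source(events):
    """Map each source address to the set of decoy ports it touched."""
    touched = {}
    for e in events:
        touched.setdefault(e.src, set()).add(e.dst_port)
    return touched


def probe(port, payload=b""):
    """Client side used for the demonstration: connect, read the banner,
    optionally send something, close. Returns the banner received."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        banner = s.recv(64)
        if payload:
            s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot(ports=[0, 0, 0])
    bound = hp.start()
    for p in bound:
        probe(p, b"HELO scanner\r\n")
    for e in hp.wait_for(len(bound)):
        print(f"{e.src}:{e.src_port} -> port {e.dst_port}: {e.first_bytes!r}")
    print(ports_per_source(hp.events))
    hp.stop()
```

The listener never interprets what it receives; it only records it, which is what keeps a low-interaction honeypot safe to expose. Everything it logs is by definition unsolicited, so every event is worth an alert, unlike a port-scan detector on a production host that has to separate scans from legitimate traffic.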
You can test the honeypot (192.168.1.50) by scanning it for open ports or services with Nmap (or Zenmap) on Kali Linux (192.168.1.120). The Nmap scan took several minutes to finish.
root@kali:~# ping 192.168.1.50
PING 192.168.1.50 (192.168.1.50) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=128 time=1.05 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=128 time=1.27 ms
64 bytes from 192.168.1.50: icmp_seq=3 ttl=128 time=1.00 ms
64 bytes from 192.168.1.50: icmp_seq=4 ttl=128 time=1.04 ms
64 bytes from 192.168.1.50: icmp_seq=5 ttl=128 time=1.70 ms
^C
--- 192.168.1.50 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4010ms
rtt min/avg/max/mdev = 1.009/1.215/1.701/0.263 ms
root@kali:~# nmap 192.168.1.50
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-21 20:05 PST
Nmap scan report for 192.168.1.50
Host is up (0.0015s latency).
Not shown: 755 filtered ports
PORT STATE SERVICE
1/tcp open tcpmux
3/tcp open compressnet
4/tcp open unknown
6/tcp open unknown
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
24/tcp open priv-mail
25/tcp open smtp
33/tcp open dsp
37/tcp open time
42/tcp open nameserver
43/tcp open whois
49/tcp open tacacs
53/tcp open domain
70/tcp open gopher
79/tcp open finger
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
99/tcp open metagram
100/tcp open newacct
106/tcp open pop3pw
109/tcp open pop2
110/tcp open pop3
111/tcp open rpcbind
113/tcp open ident
119/tcp open nntp
125/tcp open locus-map
143/tcp open imap
144/tcp open news
146/tcp open iso-tp0
161/tcp open snmp
163/tcp open cmip-man
179/tcp open bgp
199/tcp open smux
211/tcp open 914c-g
212/tcp open anet
222/tcp open rsh-spx
256/tcp open fw1-secureremote
259/tcp open esro-gen
264/tcp open bgmp
280/tcp open http-mgmt
311/tcp open asip-webadmin
366/tcp open odmr
389/tcp open ldap
407/tcp open timbuktu
416/tcp open silverplatter
427/tcp open svrloc
443/tcp open https
444/tcp open snpp
465/tcp open smtps
500/tcp open isakmp
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
543/tcp open klogin
544/tcp open kshell
545/tcp open ekshell
548/tcp open afp
554/tcp open rtsp
555/tcp open dsf
593/tcp open http-rpc-epmap
617/tcp open sco-dtmgr
666/tcp open doom
800/tcp open mdbs_daemon
808/tcp open ccproxy-http
888/tcp open accessbuilder
901/tcp open samba-swat
902/tcp open iss-realsecure
903/tcp open iss-console-mgr
911/tcp open xact-backup
993/tcp open imaps
995/tcp open pop3s
999/tcp open garcon
1000/tcp open cadlock
1001/tcp open webpush
1002/tcp open windows-icfw
1011/tcp open unknown
1022/tcp open exp2
1023/tcp open netvenuechat
1024/tcp open kdm
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1030/tcp open iad1
1031/tcp open iad2
1032/tcp open iad3
1034/tcp open zincite-a
1037/tcp open ams
1038/tcp open mtqp
1039/tcp open sbl
1046/tcp open wfremotertm
1063/tcp open kyoceranetdev
1070/tcp open gmrupdateserv
1080/tcp open socks
1112/tcp open msql
1114/tcp open mini-sql
1234/tcp open hotline
1433/tcp open ms-sql-s
1434/tcp open ms-sql-m
1494/tcp open citrix-ica
1600/tcp open issd
1720/tcp open h323q931
1723/tcp open pptp
1900/tcp open upnp
1998/tcp open x25-svc-port
1999/tcp open tcp-id-port
2000/tcp open cisco-sccp
2001/tcp open dc
2002/tcp open globe
2003/tcp open finger
2004/tcp open mailbox
2005/tcp open deslogin
2006/tcp open invokator
2020/tcp open xinupageserver
2022/tcp open down
2030/tcp open device2
2033/tcp open glogger
2034/tcp open scoremgr
2035/tcp open imsldoc
2038/tcp open objectmanager
2040/tcp open lam
2041/tcp open interbase
2042/tcp open isis
2043/tcp open isis-bcast
2045/tcp open cdfunc
2046/tcp open sdfunc
2047/tcp open dls
2048/tcp open dls-monitor
2049/tcp open nfs
2065/tcp open dlsrpn
2105/tcp open eklogin
2106/tcp open ekshell
2111/tcp open kx
2301/tcp open compaqdiag
2401/tcp open cvspserver
2500/tcp open rtsserv
2525/tcp open ms-v-worlds
2601/tcp open zebra
2602/tcp open ripd
2604/tcp open ospfd
2605/tcp open bgpd
2967/tcp open symantec-av
2968/tcp open enpp
3000/tcp open ppp
3005/tcp open deslogin
3006/tcp open deslogind
3030/tcp open arepa-cas
3128/tcp open squid-http
3168/tcp open poweronnud
3301/tcp open unknown
3306/tcp open mysql
3333/tcp open dec-notes
3372/tcp open msdtc
3389/tcp open ms-wbt-server
3986/tcp open mapper-ws_ethd
4000/tcp open remoteanything
4045/tcp open lockd
4321/tcp open rwhois
4444/tcp open krb524
4445/tcp open upnotifyp
4567/tcp open tram
4899/tcp open radmin
5000/tcp open upnp
5001/tcp open commplex-link
5002/tcp open rfe
5190/tcp open aol
5357/tcp open wsdapi
5432/tcp open postgresql
5555/tcp open freeciv
5631/tcp open pcanywheredata
5800/tcp open vnc-http
5801/tcp open vnc-http-1
5900/tcp open vnc
5950/tcp open unknown
6000/tcp open X11
6001/tcp open X11:1
6002/tcp open X11:2
6003/tcp open X11:3
6004/tcp open X11:4
6005/tcp open X11:5
6006/tcp open X11:6
6007/tcp open X11:7
6009/tcp open X11:9
6101/tcp open backupexec
6112/tcp open dtspc
6129/tcp open unknown
6346/tcp open gnutella
6666/tcp open irc
6667/tcp open irc
6668/tcp open irc
6699/tcp open napster
6881/tcp open bittorrent-tracker
6969/tcp open acmsoda
7000/tcp open afs3-fileserver
7001/tcp open afs3-callback
7002/tcp open afs3-prserver
7004/tcp open afs3-kaserver
7007/tcp open afs3-bos
7100/tcp open font-service
7200/tcp open fodms
7201/tcp open dlip
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8008/tcp open http
8010/tcp open xmpp
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8443/tcp open https-alt
8888/tcp open sun-answerbook
9000/tcp open cslistener
9080/tcp open glrpc
9090/tcp open zeus-admin
9100/tcp open jetdirect
9415/tcp open unknown
9535/tcp open man
9876/tcp open sd
9898/tcp open monkeycom
10000/tcp open snet-sensor-mgmt
10082/tcp open amandaidx
11111/tcp open vce
12174/tcp open unknown
12345/tcp open netbus
13722/tcp open netbackup
20000/tcp open dnp
20005/tcp open btx
20031/tcp open unknown
31337/tcp open Elite
65000/tcp open unknown
MAC Address: 08:00:27:9E:3F:83 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 224.54 seconds
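Nmap's text output is easy to parse, and the first sanity check on a scan like the one above is the arithmetic: 755 filtered ports plus the 245 open ports listed is exactly the 1,000 most common ports Nmap probes by default, so the honeypot answered on roughly a quarter of them. The SERVICE column is only Nmap's name for the port number from its services table (no version detection was run), which is why names like Elite, doom and netbus appear. Below is an added example, not part of Nmap or HoneyBot, that parses a report in this format, does that check, and flags a decoy that is unrealistically noisy. SAMPLE is a constructed excerpt in the same format, not the page's full listing, and the realism threshold is an assumption.

```python
"""Parse Nmap's normal text output into structured data and sanity check
it. Added example, not part of Nmap or HoneyBot. SAMPLE is a constructed
excerpt in the same format as the page's scan, not the full listing."""
import re

SAMPLE = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-21 20:05 PST
Nmap scan report for 192.168.1.50
Host is up (0.0015s latency).
Not shown: 990 filtered ports
PORT      STATE  SERVICE
7/tcp     open   echo
21/tcp    open   ftp
22/tcp    open   ssh
23/tcp    open   telnet
25/tcp    open   smtp
80/tcp    closed http
443/tcp   open   https
3389/tcp  open   ms-wbt-server
12345/tcp open   netbus
31337/tcp open   Elite
MAC Address: 08:00:27:9E:3F:83 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 224.54 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports", re.M)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?", re.M)


def parse_nmap(text):
    """One host's report -> dict. The service column is only Nmap's name for
    the port number (no -sV was run), which is why names like Elite appear."""
    host, ns, mac = HOST_RE.search(text), NOT_SHOWN_RE.search(text), MAC_RE.search(text)
    return {
        "host": host.group(1) if host else None,
        "not_shown": (int(ns.group(1)), ns.group(2)) if ns else (0, None),
        "mac": mac.group(1) if mac else None,
        "vendor": mac.group(2) if mac and mac.group(2) else None,
        "ports": [(int(p), proto, state, svc)
                  for p, proto, state, svc in PORT_RE.findall(text)],
    }


def probed_port_count(report):
    """Listed ports plus the 'Not shown' count; 1000 means Nmap's default top-1000 set."""
    return report["not_shown"][0] + len(report["ports"])


def open_services(report):
    """port -> service name for every port in state 'open'."""
    return {p: svc for p, _, state, svc in report["ports"] if state == "open"}


def realism_check(report, max_open=20):
    """A decoy answering on far more ports than any real host is trivially
    identified as one; max_open is an assumed threshold for a workstation."""
    return len(open_services(report)) <= max_open


if __name__ == "__main__":
    r = parse_nmap(SAMPLE)
    print(r["host"], r["mac"], r["vendor"])
    print("ports probed:", probed_port_count(r))
    print("open:", open_services(r))
    print("looks like a real host:", realism_check(r))
```

Run against the page's own report, `realism_check` fails: 245 open ports on one Windows 7 VM is not a profile any real host has, so a honeypot configured this way is identified as a decoy by the first scan that touches it. If the lab is meant to look real, trim the list under View > Services to the handful of services a neighbouring real host would run, and keep the rest of the port range quiet.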
You can run Wireshark in Kali Linux by going to Applications > 09 - Sniffing & Spoofing > wireshark. Double-click on eth0 to start the packet capture.
Open Firefox ESR in Kali Linux and browse to http://192.168.1.50. I've enabled IIS and temporarily disabled Windows Firewall in my Windows 7 virtual machine.
Click Stop (red square icon) to stop the packet capture. Type http in the search or filter bar to display only HTTP traffic. Expand the Hypertext Transfer Protocol section to see the HTTP response.
Telnet is an insecure management protocol that sends packets in clear text; it is recommended to use a secure management protocol such as SSH instead. I tried to Telnet to a Cisco device, R2, and ran Wireshark to perform a packet capture.
Go to Analyze > Follow > TCP Stream to display the reassembled conversation.
Notice that the Telnet password, cisco, is displayed in the output.
You can also run tcpdump from the Kali Linux terminal using the tcpdump -i eth0 command.
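Follow TCP Stream works by sorting each direction's segments by sequence number, dropping retransmissions and concatenating the payloads; for Telnet, what remains is the option negotiation (IAC sequences) plus exactly the bytes each side sent, which is why the password is readable to anyone with the capture. The following is an added example of that reassembly plus the Telnet stripping, not Wireshark's code. SEGMENTS is a constructed login to a router named R2, not the page's capture (a pcap reader such as scapy or dpkt would supply the same direction/seq/payload tuples), and the prompt matching in `cleartext_password_exchange` is a simplification that pairs the server's prompts with the client's lines in order.

```python
"""Reassemble both halves of a TCP conversation the way Wireshark's
Follow > TCP Stream does, then strip Telnet option negotiation so the
cleartext login is readable. Added example, not Wireshark's code; the
SEGMENTS below are a constructed Telnet login, not the page's capture."""
import re

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254

# Constructed segments as (direction, relative seq, payload), deliberately
# out of order and with one retransmission, as a real capture can be.
SEGMENTS = [
    ("server", 1,  b"\xff\xfd\x18\xff\xfd\x20"),   # IAC DO TTYPE, IAC DO LINEMODE
    ("client", 1,  b"\xff\xfb\x18"),               # IAC WILL TTYPE
    ("server", 7,  b"\r\nUser Access Verification\r\n\r\nPassword: "),
    ("client", 5,  b"i"),                          # arrives before the "c" at seq 4
    ("client", 4,  b"c"),
    ("client", 6,  b"s"),
    ("client", 7,  b"c"),
    ("client", 7,  b"c"),                          # retransmission of seq 7
    ("client", 8,  b"o"),
    ("client", 9,  b"\r\n"),
    ("server", 47, b"\r\nR2>"),
]


def reassemble(segments):
    """Return {direction: payload} with segments ordered by sequence number,
    exact and partial retransmissions dropped, and gaps marked with '?'."""
    streams = {}
    for direction in ("client", "server"):
        segs = sorted((s for s in segments if s[0] == direction), key=lambda s: s[1])
        out = bytearray()
        next_seq = segs[0][1] if segs else 0
        for _, seq, payload in segs:
            end = seq + len(payload)
            if end <= next_seq:
                continue                            # already have every byte
            if seq < next_seq:
                payload = payload[next_seq - seq:]  # keep only the overlapping tail
                seq = next_seq
            if seq > next_seq:
                out += b"?" * (seq - next_seq)      # segment missing from capture
            out += payload
            next_seq = end
        streams[direction] = bytes(out)
    return streams


def strip_telnet(data):
    """Remove IAC command and subnegotiation sequences, unescape IAC IAC."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                                   # dangling IAC at end of stream
        elif data[i + 1] == IAC:
            out.append(IAC)                         # escaped 0xFF data byte
            i += 2
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2           # skip whole subnegotiation
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                  # command plus option byte
        else:
            i += 2                                  # two-byte command (NOP, AYT, ...)
    return bytes(out)


def follow_stream(segments):
    """Reassembled, de-Telnet-ed text per direction, as a human would read it."""
    return {d: strip_telnet(p).decode("ascii", "replace")
            for d, p in reassemble(segments).items()}


def cleartext_password_exchange(segments):
    """Pair each 'Something:' prompt the server sent with the line the client
    typed in reply. Anything returned here crossed the wire in the clear."""
    text = follow_stream(segments)
    prompts = re.findall(r"([A-Za-z]+):\s*$", text["server"], flags=re.M)
    replies = re.findall(r"([^\r\n]*)\r?\n", text["client"])
    return dict(zip(prompts, replies))


if __name__ == "__main__":
    for direction, content in follow_stream(SEGMENTS).items():
        print(f"--- {direction} ---\n{content!r}")
    print(cleartext_password_exchange(SEGMENTS))
```

Nothing here decrypts anything, which is the point: the only work between a capture and the router password is sorting and concatenation. The same reassembly underlies the HTTP view above; with SSH the reassembled stream would contain a key exchange and ciphertext instead, so the last function would find no prompt to pair.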