Part IV Detection and Response: How Do We Detect
Lab 2.2l: Linux-Based Port Connection Status
You will need the following:
• BackTrack
• Metasploitable
Lab Steps at a Glance
Step 1: Log on to the Metasploitable and BackTrack PCs.
Step 2: Use the netstat command to look at the open ports on the Metasploitable PC.
Step 3: Using the BackTrack PC, establish an FTP connection and an HTTP connection to the
Metasploitable PC.
Step 4: Use the netstat command to look at the connections on the Metasploitable PC.
Step 5: Trace the port to a process.
Step 6: Close Firefox and log out of the GUI on the BackTrack PC.
Step 7: Log off from both the Metasploitable and BackTrack PCs.
Lab Steps
Step 1: Log on to the Metasploitable and BackTrack PCs.
To log on to the Metasploitable PC:
1. At the login prompt, type user and press enter.
2. At the password prompt, type user and press enter.
➜ Note
You will not see any characters as you type in the password.
To log on to the BackTrack PC:
1. At the login prompt, type root and press enter.
2. At the password prompt, type toor and press enter.
Step 2: Use the netstat command to look at the open ports on the Metasploitable PC.
A server will have several ports in a listening state. A port that is in a listening state is waiting for a request for a connection to be established to it.
To use the netstat command on the Metasploitable PC:
1. At the command line, type netstat -h and press enter.
a. Observe the options.
b. What option displays the ports in use by number?
c. What option shows all connections and listening ports?
2. At the command line, type netstat -tuna and press enter.
➜ Note
If the text scrolls up off the screen, maximize the command prompt window and use the scroll bar on the right to adjust your view of the text.
Chapter 2: Network Transports 54
Lab Manual / Principles of Computer Security CompTIA Security+ and Beyond Lab Manual, Second Edition / Nestler / 174856-3 / Chapter 2 Lab Manual / Principles of Computer Security CompTIA Security+ and Beyond Lab Manual, Second Edition / Nestler / 174856-3 / Chapter 2 Lab Manual / Principles of Computer Security CompTIA Security+ and Beyond Lab Manual, Second Edition / Nestler / 174856-3 / Chapter 2 Lab Manual / Principles of Computer Security CompTIA Security+ and Beyond Lab Manual, Second Edition / Nestler / 174856-3 / Chapter 2
a. Observe the ports that are in a "listening" state.
b. How many ports are in a listening state?
c. What port numbers are used for HTTP and FTP?
d. Are those ports in a listening state?
e. Why are so many ports open, and do they all need to be open?
f. Should you be concerned that so many ports are open?
Step 3: Using the BackTrack PC, establish an FTP connection and an HTTP connection to the Metasploitable PC.
You will now connect to the Metasploitable PC on well-known ports (FTP and HTTP) from ephemeral ports (ports with a number greater than 1023, picked by the client's operating system for each new connection, so the exact numbers differ from run to run). In the sample output in Step 4, port 21 (FTP) on the Metasploitable PC is connected to one ephemeral port on the BackTrack PC, and port 80 (HTTP) is connected to a different ephemeral port on the same machine.
1. On the command line, type startx and press enter.
2. On the BackTrack PC, click the Konsole icon to open the Konsole Shell, as shown in Figure 2-5.
3. At the command line, type ftp 192.168.100.202 and press enter.
4. At Name (192.168.100.202:root), type user and press enter.
5. At Password, type user and press enter.
Now view a web page on the server:
1. On the taskbar, click the Firefox icon.
2. In the address bar, type http://192.168.100.202/ and press enter.
Step 4: Use the netstat command to look at the connections on the Metasploitable PC.
1. Return to the Metasploitable PC command line. You are looking at the connections from the server's side, so the local addresses in the output are the Metasploitable PC's own.
2. At the command line, type netstat -tn and press enter.
3. After a brief pause you should get output that looks like the following:
tcp 0 0 192.168.100.202:80 192.168.100.201:1059 ESTABLISHED
tcp 0 0 192.168.100.202:21 192.168.100.201:1040 ESTABLISHED
➜ Note
If you do not see port 80 the first time you do this, refresh Firefox and then, at the command line, retype netstat –tn and press enter.
Even though the BackTrack PC is connected to the same machine twice, the two port assignments keep the data of the FTP session separate from the data of the HTTP session. The combination of an IP address and a port number is called a socket, and the pair of sockets at the two ends (local address and port, foreign address and port) uniquely identifies each TCP connection, which is why netstat can list the two connections as distinct rows.
From the output displayed by the netstat command, what port is connected to FTP?
a.
From the output displayed by the netstat command, what port is connected to HTTP?
b.
Step 5: Trace the port to a process.
1. At the command line, type lsof -i > /tmp/lsofi and press enter.
2. Type less /tmp/lsofi and press enter.
What is the process ID for the FTP connection?
3. Type q to exit the less output.
4. At the command line, type ps -ax and press enter.
What information is given for the FTP process ID?
➜ Note
lsof can only report sockets belonging to processes whose /proc entries your account is allowed to read, so an unprivileged user sees only its own processes. If the FTP server does not appear in the listing, rerun the command as root (with sudo, if your account permits it). As a cross-check, netstat -tnp prints a PID/Program name column for the same connections, subject to the same restriction.
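As an added example (not part of the lab manual), the following Python script does what Steps 2, 4 and 5 do by hand. It decodes the kernel socket table /proc/net/tcp, which is where netstat gets its LISTEN and ESTABLISHED rows, and then maps a connection's socket inode to the process that owns it through the /proc/<pid>/fd symlinks, which is how lsof -i answers the Step 5 question. The socket table it parses is a constructed sample shaped like this lab (FTP and HTTP on 192.168.100.202, connections from 192.168.100.201, made-up inodes); the PID 4242 and the command name ftpd-example are hypothetical; and the address decoding assumes a little-endian (x86) kernel as in the lab VMs. On a real Linux host, trace_port(parse_proc_net_tcp(open("/proc/net/tcp").read()), 21) traces a live connection (run as root to see other users' processes).

```python
"""Decode the socket table netstat reads (/proc/net/tcp) and trace a TCP
connection to its owning process the way lsof -i does. Added example, not lab code."""
import glob
import os
import socket
import struct
import tempfile

# Values of the "st" column in /proc/net/tcp (Linux include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Constructed sample, shaped like the Metasploitable side of this lab: FTP (21)
# and HTTP (80) listening on all interfaces, plus one ESTABLISHED connection to
# each from ephemeral ports on 192.168.100.201. Inodes and uids are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 7002 1 0000000000000000 100 0 0 10 0
   2: CA64A8C0:0015 C964A8C0:0410 01 00000000:00000000 00:00000000 00000000     0        0 7103 1 0000000000000000 20 4 30 10 -1
   3: CA64A8C0:0050 C964A8C0:0423 01 00000000:00000000 00:00000000 00000000    33        0 7104 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(field):
    """'CA64A8C0:0015' -> ('192.168.100.202', 21). The kernel prints the IPv4
    address as a native-endian 32-bit integer, so on the little-endian x86 lab
    machines the bytes appear reversed; '<I' restores network order (assumption)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """One dict per socket: local/remote (ip, port), state name, uid, inode."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue  # header line (starts with "sl") or anything malformed
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows

def listening_ports(rows):
    """The ports netstat -tna reports as LISTEN (Step 2)."""
    return sorted({r["local"][1] for r in rows if r["state"] == "LISTEN"})

def established_pairs(rows):
    """(local socket, remote socket) per ESTABLISHED entry (Step 4); each pair
    of sockets identifies exactly one TCP connection."""
    return [(r["local"], r["remote"]) for r in rows if r["state"] == "ESTABLISHED"]

def inode_to_pid(inode, proc="/proc"):
    """What lsof -i does underneath: each /proc/<pid>/fd/<n> that is a socket is
    a symlink to 'socket:[<inode>]'. Another user's fd directory is unreadable
    without root, which is why lsof/netstat -p otherwise show only your processes."""
    target = "socket:[%d]" % inode
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                return int(os.path.relpath(fd, proc).split(os.sep)[0])
        except OSError:
            continue  # permission denied, or the descriptor closed under us
    return None

def cmdline(pid, proc="/proc"):
    """The command line ps ax prints: NUL-separated argv from /proc/<pid>/cmdline."""
    with open(os.path.join(proc, str(pid), "cmdline"), "rb") as fh:
        return " ".join(p.decode() for p in fh.read().split(b"\0") if p)

def trace_port(rows, port, proc="/proc"):
    """Step 5 without lsof: (pid, command line) of the process holding the
    ESTABLISHED connection on local port `port`, or (None, None)."""
    for r in rows:
        if r["local"][1] == port and r["state"] == "ESTABLISHED":
            pid = inode_to_pid(r["inode"], proc)
            return pid, (cmdline(pid, proc) if pid is not None else None)
    return None, None

def demo():
    """Run the whole chain offline: parse the constructed sample and trace the FTP
    connection through a fake /proc tree (hypothetical PID 4242 and command)."""
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    root = tempfile.mkdtemp()
    fd_dir = os.path.join(root, "4242", "fd")
    os.makedirs(fd_dir)
    os.symlink("socket:[7103]", os.path.join(fd_dir, "3"))  # inode of the :21 connection
    with open(os.path.join(root, "4242", "cmdline"), "wb") as fh:
        fh.write(b"/usr/sbin/ftpd-example\0-d\0")
    return listening_ports(rows), established_pairs(rows), trace_port(rows, 21, proc=root)

if __name__ == "__main__":
    ports, pairs, (pid, cmd) = demo()
    print("listening:", ports)
    print("established:", pairs)
    print("port 21 is held by pid %s (%s)" % (pid, cmd))
```

The inode lookup is the part that fails quietly for an unprivileged user: os.readlink raises OSError on another user's fd directory and the loop moves on, which is exactly why the lab's lsof listing can come back without the FTP server unless you are root.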
Step 6: Close Firefox and log out of the GUI on the BackTrack PC.
1. In the Firefox window, click the × in the upper-right corner.
2. On the BackTrack PC, choose K Menu | Log Out and click Log Out again.
Step 7: Log off from both the Metasploitable and BackTrack PCs.
1. At the Metasploitable PC command line, type logout and press enter.
2. At the BackTrack PC command line, type logout and press enter.
Lab 2.2 Analysis Questions
The following questions apply to the labs in this section:
1. What is the netstat command used for?
2. What options would you use with the netstat command to show only TCP connections?
3. What option would you use with the netstat command to show statistics for each protocol?
4. Look at the following output from the netstat command and explain what it means.
Proto  Local Address  Foreign Address  State
TCP    0.0.0.0:21     0.0.0.0:0        LISTENING
5. Look at the following output from the netstat command and explain what it means.
Proto  Local Address       Foreign Address     State
TCP    192.168.2.2:3545    192.168.1.104:21    ESTABLISHED
6. You need to look at the routing table for a computer connected to your local area network. What command would you use to view the routing table?
Lab 2.2 Key Terms Quiz
Use these key terms from the labs to complete the sentences that follow: established state, HTTP, listening state, netstat, port, session, socket, states, TCP connections, UDP connections
1. Active connections on a computer system can be displayed by entering ____________________ at the command line.
2. The line 216.239.39.147:80 ESTABLISHED indicates an active connection to a computer system on ____________________ 80.
3. The ____________________ information displayed by the netstat command shows the current status of the connection.
4. The combination of an IP address and its associated port is referred to as a(n) ____________________.
5. The command netstat -p tcp will show ____________________.
Follow-Up Lab
Lab 6.1: Trojan Attacks
• Commands used in this lab will help to show when your computer may be infected with a Trojan.
Suggested Experiments
1. On your computer at home, run the netstat command and look at the ports that are open. List the ports that are open and identify what they are used for. Which ports are open that don’t need to be?
2. Install and run the utility fport from Foundstone (www.foundstone.com). fport will show you the applications associated with the ports that are open. fport is a Windows tool; on Linux the same information comes from lsof -i or netstat -tunap, run as root so that other users' processes are included.
References
Netstat
• www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx
• www.linuxhowtos.org/Network/netstat.htm
• Principles of Computer Security: CompTIA Security+™ and Beyond, Second Edition (McGraw-Hill Professional, 2010), Chapters 9, 11, 17
TCP
• RFC 793: TCP, http://www.faqs.org/rfcs/rfc793.html
UDP
• RFC 768: UDP, http://www.faqs.org/rfcs/rfc768.html