Project 17: Host Discovery at Layers 2 and 3 (15 pts.)

What You Need

Two Windows machines (any version) networked together. I wrote the instructions using two virtual machines: one running Windows 7 and the other running Windows Server 2008.
Pick one machine to be the SCANNER. The other one is the TARGET. The instructions below assume you are using Windows 7 as the SCANNER and Windows Server 2008 as the TARGET.

Purpose

Understand ARP scans, PING scans, and firewalls.

Turning off the Firewall on the Windows 7 SCANNER Machine

On the Windows 7 SCANNER Machine, Click Start. In the Search box, type FIREWALL

In the search results, click "Windows Firewall".

Be careful not to click "Windows Firewall with Advanced Security".

On the left side of the "Windows Firewall" box, click "Turn Windows Firewall on or off".

Click both "Turn off Windows Firewall (not recommended)" buttons, as shown below:

In the "Customize Settings" box, click the OK button.

Turning off the Firewall on the Windows Server 2008 TARGET Machine

On the Windows Server 2008 TARGET Machine, click Start. In the Search box, type FIREWALL

In the search results, click "Windows Firewall".

Be careful not to click "Windows Firewall with Advanced Security".

On the left side of the "Windows Firewall" box, click "Turn Windows Firewall on or off".

Click the Off" button, as shown below:

In the "Windows Firewall Settings" box, click the OK button.

Finding the TARGET Machine's IP Address

On the Windows Server 2008 TARGET machine, click Start. In the Search box, type CMD

Press the Enter key.

A Command Prompt window opens.

Execute this command:

IPCONFIG /ALL

In the "Ethernet adapter Local Area Connection" section, find your TARGET's "IPv4 Address", as shown below.

Make a note of it.

Testing the Network with PING

On the Windows 7 SCANNER machine, in the Administrator Command Prompt window. execute this command. Replace the IP address with the IP address of your TARGET machine.

PING 192.168.119.191

You should see replies, as shown below.

If you don't see replies, you need to troubleshoot your network before proceeding. Make sure all firewalls are off and that all virtual networks are set to "Bridged" mode.

Monitoring ICMP Traffic with Wireshark on the TARGET machine

On the TARGET machine, start Wireshark. If Wireshark is not installed, get it here:

http://www.wireshark.org/

In Wireshark, on the left side, highlight your real network adapter and click Start.

In Wireshark, at the top left, in the Filter bar, type in this text, and then press the Enter key:

icmp

The filter bar turns green, as shown below.

Discovering the TARGET with PING

On the Windows 7 SCANNER machine, in the Administrator Command Prompt window, execute this command. Replace the IP address with the IP address of your TARGET machine.

PING 192.168.119.191

You should see replies, as shown below.

Viewing the PINGs on the TARGET

On the TARGET machine, in the Wireshark window, click Capture, Stop.

Scroll up if necessary, and find the two packets shown below, in this order.

Echo (ping) Request
Echo (ping) Reply

Hazards of PING Packets

The PING packets reached your TARGET machine, and it replied. This was once considered a normal feature of all networked devices, but now this is regarded as a security risk, because hackers often scan large blocks of IP addresses with PING packets, seeking targets to attack.

So modern Windows computers use a firewall to block PING packets.

Turning on the Firewall on the TARGET Machine

On the Windows Server 2008 TARGET Machine, click Start. In the Search box, type FIREWALL

In the search results, click "Windows Firewall".

Be careful not to click "Windows Firewall with Advanced Security".

On the left side of the "Windows Firewall" box, click "Turn Windows Firewall on or off".

Click both the the On button and the "Block all incoming connections" button, as shown below:

In the "Windows Firewall Settings" box, click the OK button.

Restarting a Wireshark Packet Capture on the TARGET Machine

On the Windows Server 2008 TARGET machine, in Wireshark, click Capture, Start.

A box pops up, asking "Do you want to save...". Click "Continue without Saving".

Attempting TARGET Discovery with PING

On the Windows 7 SCANNER machine, in the Administrator Command Prompt window. execute this command. Replace the IP address with the IP address of your TARGET machine.

PING 192.168.119.191

You should see "Request timed out" messages, as shown below.

Saving a Screen Image

Make sure the "Request timed out" messages are visible, as shown above.

Click on the host machine's taskbar to make it the recipient of keypresses.

On your keyboard, press the PrntScrn key.

Click Start, type in PAINT, and open Paint.

Press Ctrl+V to paste in the image of your desktop.

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT.

Save the image with a filename of "Proj 17a from YOUR NAME".

Viewing the PINGs on the TARGET

On the TARGET machine, in the Wireshark window, click Capture, Stop.

Scroll up if necessary, and find the four "Echo (ping) Request" packets shown below.

Understanding Software Firewalls

Why did the requests enter the TARGET machine? They had to, because the Windows Firewall runs in software. Here are the stages the packet passes through:

At layer 1, the packets reach the TARGET, because the network cable is connected.
At layer 2, the NIC accepts the packets, because the firmware of the NIC does that. It doesn't know anything about the Windows firewall. It passes the packets on to Windows.
Two Windows processes are listening to these packets: Wireshark and the Firewall.
Wireshark receives all the packets received by the NIC and displays them in its packet list.
The Windows Firewall examines the packets and decides whether to pass them on to higher-layer processes or not. With the Firewall set to "Block all incoming connections", the PING packets are discarded, and do not reach the Windows process that sends replies.

So although the Requests get in, there are no Replies.

If you were using a hardware firewall, it would block the requests entirely before they reached the TARGET. That is a safer procedure.

Installing Cain on the SCANNER Machine

Cain is a hacking tool, with the ability to perform a layer 2 scan. Some networks block hacking sites, including CCSF, so you'll need to download a sneaky version of Cain I put on my own site.

On the SCANNER machine, open a Web browser and go to this address:

http://samsclass.info/123/proj10/ca_setup.7z

The file downloads, usually into your Downloads folder. Open the folder containing the ca_setup.7z file. Right-click the ca_setup.7z file, and click 7-Zip, "Extract Here".

If you don't have 7-Zip, get it here:

http://7-zip.org/

7-Zip asks for a password. Use this password:

sam

Once the ca_setup.exe file is extracted, double-click it and install Cain with the default options. It will also install WinPcap.

Monitoring ARP Traffic with Wireshark on the TARGET machine

On the TARGET machine, in Wireshark, at the top left, in the Filter bar, type in this text, and then press the Enter key:

arp

The filter bar turns green, as shown below.

In Wireshark, click Capture, Start.

A box pops up, asking "Do you want to save...". Click "Continue without Saving".

Performing a Layer 2 Scan with Cain

Click Start. In the Search box, type CAIN

In the search results, right-click Cain and click "Run as administrator". In the "User Account Control" box, click Yes.

In Cain, in the top center, click the Sniffer tab. From the Cain menu bar, click Configure.

A "Configuration Dialog" box pops up, as shown below. Verify that your real network interface is selected, and click the OK button.

In the Cain toolbar, click the second icon, which looks like a little green network card. A box pops up saying "WARNING !!! TCP Large/Giant Offloading is enabled...". Click the OK button.

The NIC icon should now look indented, indicating that the sniffer is active, as shown below.

In the Cain toolbar, click the + button.

A "Mac Address Scanner" box pops up, as shown below.

Click the top "ARP Test" button, as shown below.

Click the OK button.

Cain completes the scan in a few seconds, and finds all the hosts on your network, as shown below.

Saving a Screen Image

Make sure the TARGET IP address is shown in the Cain results, as shown above.

Click on the host machine's taskbar to make it the recipient of keypresses.

On your keyboard, press the PrntScrn key.

Click Start, type in PAINT, and open Paint.

Press Ctrl+V to paste in the image of your desktop.

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT.

Save the image with a filename of "Proj 17b from YOUR NAME".

Viewing the ARPs on the TARGET

On the TARGET machine, in the Wireshark window, click Capture, Stop.

Scroll through the packets. Cain just scans all the IP addresses in order.

Find the ARP request for your TARGET's IP address, and its reply, as shown below.

Saving a Screen Image

Make sure these two lines are visible in the Info column:

"Who has TARGET-IP?
"TARGET-IP is at ...

Click on the host machine's taskbar to make it the recipient of keypresses.

On your keyboard, press the PrntScrn key.

Click Start, type in PAINT, and open Paint.

Press Ctrl+V to paste in the image of your desktop.

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT.

Save the image with a filename of "Proj 17c from YOUR NAME".

Understanding Layer 2 Scanning

The TARGET machine replies to ARP requests, even though the firewall is set to its maximum setting.

This is normal, because a machine that doesn't answer ARPs cannot make any network connections at all. And there's no reason to even have an IP address if you don't want any network connections.

If an attacker can get onto your LAN and use layer 2, they can layer 2 scans and attacks, which are very difficult to stop.

This is why networks require physical security, keeping attackers out of the building, and wireless networks need to be protected with WPA to keep attackers off the WLAN.

There is only one reason I know of to make a machine that rejects ARP packets--a network scanner. Such a machine can be configured with no IP address, and it scans only at layer 2. That is a very secure technique, because a scanner like that is invisible to layer 3 and layer 2 scans, and it cannot be taken over and controlled remotely because it has no IP address.

That procedure is explained here:

http://www.netresec.com/?page=Blog&month=2011-03&post=Sniffing-Tutorial-part-2---Dumping-Network-Traffic-to-Disk

Turning in Your Project

Email the images to: cnit.106sam@gmail.com with a subject line of Proj 17 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 10-23-13 2:18 pm