SEC602 – LAB 4.2 / USING Network Scanning Tools 2

In this lab we will examine communications between hosts running on the local network.

In this lab we will be utilising the RT-LAN, WIN2016-DC, Kali Linux, and WIN10-MS operating systems.

EXERCISE 1 – Configuring the VMs

First of all, we have to configure the Windows 2016-DC VM.

Instead of configuring our VMs in mirroring mode, we have one dedicated promiscuous switch (INT-03) which has been given permissions.

We have to repeat the same steps for the Windows 10 and Kali VMs.

Now let’s open the Kali VM, go to the network settings and enter the following network configuration.

EXERCISE 2 – Using Wireshark 

In this exercise you will capture some network traffic and identify the main features of the Wireshark network analyzer.

We have to open the Wireshark program and identify/capture various IP addresses.

Above we have observed various fields such as Frame, Ethernet II, IPv4, User Datagram Protocol, DNS, SMB2 frame and various TCP streams.

After that we have to select any SMB2 frame, right-click it and follow the TCP stream.

EXERCISE 3 – Examining Unsecured Traffic 

In this exercise, we will examine the risks involved in unsecured network traffic.

Now let’s get into the Windows 2016 DC, go into the c:\ root folder, create a new subfolder called secret and create a new txt file named Confidential.

Now we will enter the following text: The password is Courage! Save and then close.

Now we will go into File and Storage Services > Shares and share the secret folder as secret$.

Now we will switch to the Kali Linux VM and perform a new capture. After that we will open a new connection window from the WIN10-WS VM and sign in as classroom\Administrator.

Then open a Run dialog (Start+R) and enter \\WIN2016-DC.

Question asked: Does Secret$ share appear?

Ans: No, it has not appeared.

After that, in the File Explorer bar, we have to enter \\WIN2016-DC\secret$

Switch back to Kali and click the Stop Capture button. After that, enter “NetShareEnumAll Response” or “SRVSVC” in the description field to pick out the frames which the server uses to send its share list to the client.

EXERCISE 4 – Using Netcat 

Now, let’s imagine that a rogue administrator wants to exfiltrate this confidential data file and has installed a backdoor to facilitate this (we’ll leave aside the question of why this file might be important when he has a whole domain controller to exploit). In this exercise we will use Nmap’s version of Netcat (ncat.exe).

Now let’s get into the Kali VM and perform a new capture.

After that, let’s switch to the Windows 2016 VM and begin the transfer.

Now switch to the Windows 10 VM, open a command prompt and run the following commands to try to connect to the listener and download the file.

That command didn’t run, so now we will do another quick test via netstat -abp TCP on the Windows 2016-DC / Server VM. Write which port it was listening to: 127.0.0.1 (in my case)

After that we will run a few commands to open the port on Windows Firewall:

CT & A 

The lab tries to demonstrate that these simple tools are easy to detect. Cyber adversaries require a much more sophisticated toolkit to bypass firewalls and perform data exfiltration covertly (or target a company with no monitoring controls).
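The netstat check from Exercise 4 can be turned into a repeatable detection. The following is an added example, not part of the original lab: it parses `netstat -abp TCP` output, flags listeners whose owning executable is outside an assumed baseline, and records whether each one is bound to loopback only or is reachable from the network. The sample output, port 4444, IP addresses and the baseline list are constructed for illustration.

```python
import re

# Constructed sample of `netstat -abp TCP` output; the port 4444, the IP
# addresses and the process names are made-up values, not taken from the lab.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            WIN2016-DC:0           LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            WIN2016-DC:0           LISTENING
 Can not obtain ownership information
  TCP    127.0.0.1:4444         WIN2016-DC:0           LISTENING
 [ncat.exe]
  TCP    10.1.0.1:49702         10.1.0.101:445         ESTABLISHED
 [explorer.exe]
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")
EXPECTED = {"svchost.exe", "lsass.exe", "dns.exe"}  # assumed baseline

def parse_listeners(text):
    """Return LISTENING sockets, each paired with its [owner.exe] line."""
    listeners, current = [], None
    for line in text.splitlines():
        if m := ROW.match(line):
            addr, port, state = m.groups()
            current = {"addr": addr, "port": int(port), "exe": None}
            if state == "LISTENING":
                listeners.append(current)
        elif (m := OWNER.match(line)) and current is not None:
            current["exe"] = m.group(1).lower()
    return listeners

def review(listeners):
    """Flag listeners outside the baseline; unknown owners need manual review."""
    findings = []
    for l in listeners:
        if l["exe"] in EXPECTED:
            continue
        loopback = l["addr"].startswith("127.") or l["addr"] == "[::1]"
        scope = "loopback-only" if loopback else "network-reachable"
        findings.append((l["exe"] or "unknown", l["port"], scope))
    return findings

if __name__ == "__main__":
    print(review(parse_listeners(SAMPLE)))
```

A listener reported as loopback-only accepts connections only from the same host, so the bind address is worth recording alongside the port when reviewing the output.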

Problems

The last few steps didn’t work. I tried a few times to transfer the confidential file, before then adding the netsh command and doing a few other things to make sure the file transfers, but it didn’t. So I left after spending a good amount of time trying to resolve it and moved on to the next lab.
