SECURITY PRO 10/11 LABS

You are the IT security administrator for a small corporate network. You are increasing network security by implementing application whitelisting. Your first step is to prevent applications not located in the operating system directory or the program files directory from running on your computers. In addition, the call center application used by the support team runs from C:\CallCenter\CallStart.exe and must be allowed to run. You also want any future versions of the call center application to run without changing any settings.

Access the CorpNet.local domain under Group Policy Management.From Server Manager's menu bar, select Tools > Group Policy Management.Maximize the window for better viewing.Expand Forest: CorpNet.local > Domains > CorpNet.local. Access the AppLocker policy.Right-click Default Domain Policy and select Edit.Maximize the window for better viewing.Under Computer Configuration, expand and select:Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. Configure rule enforcement.From the right pane, select Configure rule enforcement.Under Executable rules, select Configured.Make sure Enforce rules is selected in the drop-down list.Select OK. Configure a Publisher rule and allow the Support group to run the call center software.From the left pane, expand AppLocker.Right-click Executable Rules and then select Create New Rule.Select Next.Make sure Allow is selected.For User or group, click Select.In the Enter the object names to select box, type Support and then select OK.Select Next.Make sure Publisher is selected; then select Next.For the Reference file, select Browse.Browse to and select the C:\CallCenter\CallStart.exe file.Select Open.Slide the pointer from File version to Publisher and then select Next.Select Next.Accept the default name and select Create.Select Yes to create the default rules.Notice that the Publisher rule was created.

A recent breach of a popular 3rd party service has exposed a password database. The security team is evaluating the risk of the exposed passwords for the company. The password hashes are saved in the root user's home directory, /root/captured_hashes.txt. You want to attempt to hack these passwords using a rainbow table. The password requirements for your company are as follows:

Create and sort an md5 and sha1 rainbow crack table.From the Favorites bar, select Terminal.At the prompt, type rtgen md5 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a md5 rainbow crack table.Type rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a sha1 rainbow crack table.Type rtsort . and press Enter to sort the rainbow table. Crack the password hashes using -l or -h.To crack the password contained in a hash file, type rcrack . -l /root/captured_hashes.txt and press Enter.This command lists the hashes continued in the hash file and shows the passwords.To crack the password contained in a hash, type rcrack . -h hash_value and press Enter.This command only shows the password for the specified hash.Repeat step 2b for the remaining hashes.

You use Google Chrome as your web browser on the desktop computer in your dorm room. You are concerned about privacy and security while surfing the web. You are also concerned about exploits that harvest data from your Google Chrome browsing history. In this lab, your task is to delete the following items from your Google Chrome browser history for all time:

Delete all items from your Google Chrome history.From the Windows taskbar, select Google Chrome.In the upper right, select the ellipsis (three dots) and then select History > History.Maximize the window for easier viewing.Select Clear browsing data.Select Advanced.For the Time range field, use the drop-down menu to select All time.Make sure the following items are checked:Browsing historyDownload historyCookies and other site dataCached images and filesHosted app dataSelect Clear data.

You are the IT security administrator for a small corporate network. You want to spoof the DNS to redirect traffic as part of a man-in-the-middle attack. In this lab, your task is to:

From the Support computer, use Ettercap to begin sniffing and scanning for hosts.From the Favorites bar, select Ettercap.Select Sniff > Unified sniffing.From the Network Interface drop-down menu, select enp2s0.Select OK.Select Hosts >Scan for hosts. Configure the Exec computer (192.168.0.30) as the target 1 machine.Select Hosts > Host list.Under IP Address, select 192.168.0.30.Select Add to Target 1 to assign it as the target. Initiate DNS spoofing.Select Plugins > Manage the plugins.Select the Plugins tab.Double-click dns_spoof to activate it.Select Mitm > ARP poisoning.Select Sniff remote connections and then select OK. From the Exec computer, access rmksupplies.com.From the top navigation tabs, select Floor 1 Overview.Under Executive Office, select Exec.From the taskbar, select Google Chrome.In the URL field, type rmksupplies.com and then press Enter.Notice that the page was redirected to RUS Office Supplies despite the web address staying the same.

You are the IT security administrator for a small corporate network. You currently run a website on the CorpWeb server. You want to allow SSL connections to this website. In this lab, your task is to add a binding to the CorpNet website using the following settings:

Open the IIS Manager to the CorpNet.xyz site.From the Server Manager's menu bar, select Tools > Internet Information Services (IIS) Manager.Expand CorpWeb(CorpNet.com\Administrator) > Sites.Select CorpNet.xyz. Add a binding to the CorpNet website.From the Actions pane (far right), select Bindings.Select Add.Using the Type drop-down menu, select HTTPS.Make sure the port is set to 443.Using the SSL certificate drop-down menu, select www.CorpNet.xyz and then select OK.Select Close.

Listen to simulation instructions You are the IT security administrator for a small corporate network. You need to use a vulnerability scanner to check for security issues on your Linux computers. In this lab, your task is to:

Run a Security Evaluator report for 192.168.0.45.From the taskbar, open Security Evaluator.Next to Target: Local Machine, select the Target icon.Select IPv4 Address.Enter 192.168.0.45Select OK.Next to Status: No Results, select the Status Run/Rerun Security Evaluation icon.Review the results.In the top right, select Answer Questions.Answer Question 1. Run a Security Evaluator report for the IP address range of 192.168.0.60 through 192.168.0.69.From Security Evaluator, select the Target icon to select a new target.Select IPv4 Range.In the left field, type 192.168.0.60In the right field, type 192.168.0.69Select OK.Select the Status Run/Rerun Security Evaluation icon.Review the results.Answer Questions 2 and 3.Select Score Lab. For the Linux computer with the 192.168.0.45 address, which security vulnerability passed? Run a Security Evaluator report for the IP address range of 192.168.0.60 through 192.168.0.69 Q2Which IP addresses in the 192.168.0.60 through 192.168.0.69 range had issues that needed to be resolved? Q3For the Linux computer with the 192.168.0.65 address, what is the name of the vulnerability that only has a warning?

You are the IT security administrator for a small corporate network. You have some security issues on a few Internet of Things (IoT) devices. You have decided to use the Security Evaluator to find these problems. In this lab, your task is to use the Security Evaluator to: Find a device using the IP address of 192.168.0.54. Find all devices using an IP address in the range of 192.168.0.60 through 192.168.0.69. Answer the questions.

Run a Security Evaluator report for 192.168.0.54.From the taskbar, open Security Evaluator.Next to Target Local Machine, select the Target icon.Select IPv4 Address.Enter 192.168.0.54 as the IP address.Select OK.Next to Status No Results, select the Run/Rerun Security Evaluation icon to run a security evaluation.In the top right, select Answer Questions.Answer Questions 1 and 2. Run a Security Evaluator report for an IP range of 192.168.0.60 through 192.168.0.69.From the Security Evaluator, select the Target icon to select a new target.Select IPv4 Range.In the left field, type 192.168.0.60 as the beginning IP address.In the right field, type 192.168.0.69 as the ending IP address.Select OK.Next to Status No Results, select the Run/Rerun Security Evaluation icon to run a security evaluation.Answer Question 3.Select Score Lab.

You are the IT security administrator for a small corporate network. You perform vulnerability scans on your network. You need to verify the security of your wireless network and your Ruckus wireless access controller. In this lab, your task is to:

Run a Security Evaluator report.From the taskbar, select Security Evaluator.Next to Target: Local Machine, select the Target icon to select a new target.Select IPv4 Address.Enter 192.168.0.6 for the wireless access controller.Select OK.Next to Status No Results, select the Status Run/Rerun Security Evaluation icon to run the security evaluation.Review the results to determine which issues you need to resolve on the wireless access controller. Use Google Chrome to go into the Ruckus wireless access controller.From the taskbar, open Google Chrome.Maximize Google Chrome for easier viewing.In the address bar, type 192.168.0.6 and press Enter.For Admin name, enter admin (case-sensitive).For Password, enter password.Select Login. Change the admin username and password for the Ruckus wireless access controller.Select the Administer tab.Make sure Authenticate using the admin name and password is selected.In the Admin Name field, replace admin with a username of your choice.In the Current Password field, enter password.In the New Password field, enter a password of you choice.In the Confirm New Password field, enter the new password.On the right, select Apply. Enable intrusion detection and prevention.Select the Configure tab.On the left, select WIPS.Under Intrusion Detection and Prevention, select Enable report rogue devices.On the right, select Apply. Verify that all the issues were resolved using the Security Evaluator.From the taskbar, select Security Evaluator.Next to Status Needs Attention, select the Status Run/Rerun Security Evaluation icon to re-run the security evaluation.Remediate any remaining issues.

Listen to simulation instructions You work as the IT security administrator for a small corporate network. In an effort to protect your network against security threats and hackers, you have added Snort to pfSense. With Snort already installed, you need to configure rules and settings and then assign Snort to the desired interface. In this lab, your task is to use pfSense's Snort to complete the following:

Sign into the pfSense management console.In the Username field, enter admin.In the Password field, enter P@ssw0rd (zero).Select SIGN IN or press Enter. Access the Snort Global Settings.From the pfSense menu bar, select Services > Snort.Under the Services breadcrumb, select Global Settings. Configure the required rules to be downloaded.Select Enable Snort VRT.In the Sort Oinkmaster Code field, enter 359d00c0e75a37a4dbd70757745c5c5dg85aa. You can copy and paste this from the scenario.Select Enable Snort GPLv2.Select Enable ET Open. Configure the Sourcefire OpenAppID Detectors to be downloaded.Under Sourcefire OpenAppID Detectors, select Enable OpenAppID.Select Enable RULES OpenAppID. Configure when and how often the rules will be updated.Under Rules Update Settings, use the Update Interval drop-down menu to select 1 Day.For Update Start Time, change to 01:00.Select Hide Deprecated Rules Categories. Configure Snort General Settings.Under General Settings, use the Remove Blocked Hosts Interval drop-down menu to select 1 HOUR.Select Startup/Shutdown Logging.Select Save. Configure the Snort Interface settings for the WAN interface.Under the Services breadcrumb, select Snort Interfaces and then select Add.Under General Settings, make sure Enable interface is selected.For Interface, use the drop-down menu to select WAN (PFSense port 1).For Description, use WANSnort.Under Alert Settings, select Send Alerts to System Log.Select Block Offenders.Scroll to the bottom and select Save. Start Snort on the WAN interface.Under the Snort Status column, select the arrow.Wait for a checkmark to appear, indicating that Snort was started successfully

You are the IT security administrator for a small corporate network. You believe a hacker has penetrated your network and is using ARP poisoning to infiltrate it. In this lab, your task is to discover whether ARP poisoning is taking place as follows:

Use Wireshark to capture packets on enp2s0.From the Favorites bar, select Wireshark.Maximize the window for easier viewing.Under Capture, select enp2s0. From the menu bar, select the blue fin to begin a Wireshark capture.After capturing packets for five seconds, select the red box to stop the Wireshark capture. Filter for only ARP packets.In the Apply a display filter field, type arp and press Enter to only show ARP packets.In the Info column, look for the lines containing the 192.168.0.2 IP address. Answer the questions.In the top right, select Answer Questions.Answer the questions.Select Score Lab.

Listen to simulation instructions You are the CorpNet IT administrator. Your support team says that CorpNet's customers are unable to browse to the public-facing web server. You suspect that it might be under some sort of denial-of-service attack, possibly a TCP-SYN flood attack. Your www_stage computer is on the same network segment as your web server, so you should use this computer to investigate the problem. In this lab, your task is to:

Using Wireshark, only capture packets containing both the SYN flag and ACK flags.From the Favorites bar, select Wireshark.Under Capture, select enp2s0.From the menu, select the blue fin to begin the capture.In the Apply a display filter field, type tcp.flags.syn==1 and tcp.flags.ack==1 and press Enter to filter Wireshark to display only those packets with both the SYN flag and ACK flag.You may have to wait up to a minute before any SYN-ACK packets are captured and displayed.Select the red square to stop the capture. Change the filter to only display packets with the SYN flag.In the Apply a display filter field, change the tcp.flags.ack ending from the number 1 to the number 0 and press Enter.Notice that there are a flood of SYN packets being sent to 128.28.1.1 (www.corpnet.xyz) that are not being acknowledged.In the top right, select Answer Questions.Answer the question.Select Score Lab.

You are the IT security administrator for a small corporate network. You've received a zip file that contains sensitive password-protected files. You need to access these files. The zip file is located in the home directory. In this lab, your task is to use John the Ripper to:

View the current John the Ripper password file.From the Favorites bar, select Terminal.At the prompt, type cd /usr/share/john and press Enter.Type ls and press Enter.Type cat password.lst and press Enter to view the password list.Type cd and press Enter to go back to the root. Crack the root password on the Support computer.Type john /etc/shadow and press Enter. The password is shown. Can you find it?Type john /etc/shadow and press Enter to attempt to crack the Linux passwords again.Notice that it does not attempt to crack the password again. The cracked password is already stored in the john.pot file.Use alternate methods of viewing the previously cracked password.Type john /etc/shadow --show and press Enter.Type cat ./.john/john.pot and press Enter to view the contents of the john.pot file.In the top right, select Answer Questions and then answer question 1. Open a terminal on the IT-Laptop.From the top navigation tabs, select Floor 1 Overview.Under IT Administration, select IT-Laptop.From the Favorites bar, select Terminal. Export the contents of the protected.zip file to a text file.At the prompt, type ls and press Enter.Notice the protected.zip file you wish to crack.Type zip2john protected.zip > ziphash.txt and press Enter.Type cat ziphash.txt and press Enter to confirm that the hashes have been copied. Using the text file, crack the password of the protected.zip file.Type john --format=pkzip ziphash.txt and press Enter to crack the password.The password is shown. Can you find it?Type john ziphash.txt --show and press Enter to show the previously cracked password.In the top right, select Answer Questions.In the top right, select Answer Questions and then answer Question 2.Select Score Lab.