Labs 10(partially)-15

13.1.14 Locate a Rogue Wireless Access Point You are the IT security administrator for a small corporate network. To achieve Payment Card Industry Data Security Standard (PCI DSS) certification, you are required to scan for rogue access points quarterly. In this lab, your task is to scan for rogue wireless access points using Terminal as follows: Use airmon-ng to discover and enable the onboard wireless adapter. Use airodump-ng to scan for wireless access points. Answer the questions.

1. From the Favorites bar, open Terminal. 2. At the prompt, type airmon-ng and press Enter to view and find the name of the wireless adapter. 3. Type airmon-ng start wlp1s0 and press Enter to put the adapter in monitor mode. 4. Type airmon-ng and press Enter to view the new name of the wireless adapter. 5. Type airodump-ng wlp1s0mon and press Enter to scan for wireless access points. 6. After a few seconds, press Ctrl + c to stop the scan. Answer Questions. What is most likely the ESSID of the rogue access point? CoffeeShop What is the signal power of the rogue access point? -90 What is the frequency channel used by the rogue access point? 11

13.2.4 Discover Bluetooth Devices You are the IT security administrator for a small corporate network. To protect your Bluetooth devices from hackers, you need to discover which Bluetooth devices are running in your company and gather information on each. In this lab, your task is to scan for Bluetooth devices using Terminal as follows: Use hciconfig to discover and enable the onboard Bluetooth adapter. Use hcitool to scan for Bluetooth devices and find the class ID. Use l2ping to determine if the Bluetooth device is alive and within range. Use sdptool to query Philip's Dell Laptop to determine the Bluetooth services available on the device. Answer the question.

1. From the Favorites bar, open Terminal. 2. At the prompt, type hciconfig and press Enter to view the onboard Bluetooth adapter. 3. Type hciconfig hci0 up and press Enter to initialize the adapter. 4. Type hciconfig and press Enter to verify that the adapter is up and running. 5. Type hcitool scan and press Enter to view the detected Bluetooth devices and their MAC addresses. 6. Type l2ping MAC address and press Enter to determine if the Bluetooth device is in range. 7. Press Ctrl + c to stop the ping process. Repeat steps 6-7 for each device. 8. Type sdptool browse B0:52:23:92:EF:CC and press Enter to view the details for Philip's Dell Laptop. 9. Type hcitool inq and press Enter to determine the clock offset and class for each device. Answer Questions. Using the MAC address, what is the class ID number for the Joanna's Braven speaker? 0x240404

12.1.7 Extract Web Server Information with Nmap You are an ethical hacker consultant working for CorpNet. They want you to discover weaknesses in their network. From outside of the CorpNet network, you found their web server, www.corpnet.xyz, has an IP address of 198.28.1.1. You decide to perform several nmap scans using a few http scripts. In this lab, your task is to run the following nmap scripts on port 80 of 198.28.1.1: http-server-header.nse to display the HTTP server header. http-chrono.nse to measure the time a website takes to deliver a web page. http-headers.nse to perform a HEAD request for the root folder. http-errors.nse to crawl through the website and return any error pages. http-malware-host.nse to look for malware signatures of known server compromises. http-comments-displayer.nse to display HTML and JavaScript comments.

1. From the Favorites bar, open Terminal. 2. At the prompt, type nmap --script=http-server-header -p80 198.28.1.1 and press Enter to run the http-server-header.nse script. 3. In the top right, select Answer Questions. Answer question 1. 4. Type nmap --script=http-chrono -p80 198.28.1.1 and press Enter to run the http-chrono.nse script. Type nmap --script=http-headers -p80 198.28.1.1 and press Enter to run the http-headers.nse script. 5. Type nmap --script=http-errors -p80 198.28.1.1 and press Enter to run the http-errors.nse script. 6. Under Lab Questions, answer question 2. 7. Type nmap --script=http-malware-host -p80 198.28.1.1 and press Enter to run the http-malware-host.nse script. 8. Type nmap --script=http-comments-displayer -p80 198.28.1.1 and press Enter to run the http-comments-displayer.nse script. 9. Under Lab Questions, answer question 3. Questions: Which software is used by www.corpnet.com to offer the HTTP service? Apache 2.4.7 How many error pages were found? 0 What is the last comment listed on line 20 of the web page at http://www.corpnet.xyz:80? <!--END Google Analytics Code-->

11.2.12 Bypass Windows Firewall You are a cybersecurity specialist. The owner of the CorpNet network has hired you to perform a penetration test. They are concerned with the safety of their firewalls. During the reconnaissance phase of your testing, you discovered a firewall with an IP address of 198.28.2.254. From outside of the CorpNet network, you decided to scan this firewall for potential weakness by running an nmap scan. In this lab, your task is to run the firewall-bypass nmap script against the firewall.

1. From the Favorites bar, open Terminal. 2. Type nmap --script=firewall-bypass 198.28.2.254 and press Enter. Answer Questions. Which vulnerabilities were found on the firewall? FTP.

10.3.10 Analyze a DDoS Attack You are the CorpNet IT administrator. Your support team says that CorpNet's customers are unable to browse to the public-facing web server. You suspect that it might be under some sort of denial-of-service attack, possibly a TCP SYN flood attack. Your www_stage computer is on the same network segment as your web server, so you'll use this computer to investigate the problem. In this lab, your task is to: Capture packets from the network segment on www_stage using Wireshark. Analyze the attack using the following filters:tcp.flags.syn==1 and tcp.flags.ack==1tcp.flags.syn==1 and tcp.flags.ack==0 Answer the question.

1. From the Favorites bar, open Wireshark. 2. Under Capture, select enp2s0. 3. From the menu, select the blue fin to begin the capture. 4. In the Apply a display filter field, type tcp.flags.syn==1 and tcp.flags.ack==1 and press Enter to filter the Wireshark display to only those packets with both the SYN flag and ACK flag. You may have to wait several seconds before any SYN-ACK packets are captured and displayed. 5. Select the red square to stop the capture. 6. In the Apply a display filter field, change the tcp.flags.ack ending from 1 to 0 and press Enter to filter the Wireshark display to packets with only the SYN flag. Notice that there are a flood of SYN packets being sent to 128.28.1.1 (www.corpnet.xyz) that were not being acknowledged. Answer the question. There are multiple source addresses for the SYN packets with the destination address 128.28.1.1.

11.2.9 Perform a Decoy Scan You work for a penetration testing consulting company. You need to make sure that you can't be identified by the intrusion detection systems. Use nmap to perform a decoy scan on CorpNet.local. In this lab, your task is to use nmap to perform a decoy scan on enp2s0 and to use Wireshark to see the results. Use Wireshark to capture packets on the enp2s0 network interface. Use nmap to perform a decoy scan targeting the 192.168.0.31 IP address using 10 random IP addresses.

1. From the Favorites bar, open Wireshark. 2. Under Capture, select enp2s0. 3. In the upper left menu, select the blue fin to start a scan. 4. From the Favorites bar, open Terminal. 5. At the prompt, type nmap -D RND:10 192.168.0.31 and press Enter. 6. In Wireshark, scroll down until you see 192.168.0.31 in the Destination column. 7. Under Source, view the different IP addresses used to disguise the scan.

11.2.10 Perform a Decoy Scan with Zenmap You work for a penetration testing consulting company. You need to make sure that you can't be identified by the intrusion detection systems. In this lab, your task is to perform a decoy scan on CorpNet.local as follows: Tools: Wireshark and Zenmap Interface: enp2s0 Random IP addresses:25 IP address: 192.168.0.31

1. From the Favorites bar, open Wireshark. 2. Under Capture, select enp2s0. 3. In the upper left menu, select the blue shark fin to start a scan. 4. From the Favorites bar, open Zenmap. 5. In the Command field, type nmap -D RND:25. 6. In the Target field, type 192.168.0.31. 7. Select Scan. 8. In Wireshark, scroll down until you see 192.168.0.31 in the Destination column. 9. Under Source, view the different IP addresses used to disguise the scan.

10.2.8 Capture HTTP POST Packets with Wireshark You are the cybersecurity specialist for your company. You need to check to see if any clear text passwords are being exposed to hackers through an HTTP login request. In this lab, your task is to analyze HTTP POST packets as follows: Use Wireshark to capture all packets. Filter the captured packets to show only HTTP POST data. Examine the packets captured to find clear text passwords. Answer the questions.

1. From the Favorites bar, open Wireshark. 2. Under Capture, select enp2s0. 3. Select the blue fin to begin a Wireshark capture. 4. Capture packets for five seconds. 5. Select the red box to stop the Wireshark capture. 6. In the Apply a display filter field, type http.request.method==POST and press Enter to show the HTTP POST requests. 7. From the middle pane, expand HTML Form URL Encoded for each packet. 8. Examine the information shown to find clear text passwords. In the top right, select Answer Questions. How many HTTP POST packets were captured? 3 What is the source IP address of the packet containing the clear text password? 192.168.0.98 What is the clear text password captured? St0ne$@

10.3.7 Analyze ICMP Traffic in Wireshark You are the IT administrator for a small corporate network, and you want to know how to find and recognize an ICMP flood attack. You know that you can do this using Wireshark and hping3. In this lab, your task is to create and examine the results of an ICMP flood attack as follows: From Kali Linux, start a capture in Wireshark for the esp20 interface. Ping CorpDC at 192.168.0.11. Examine the ICMP packets captured. Use hping3 to launch an ICMP flood attack against CorpDC. Examine the ICMP packets captured. Answer the questions.

1. From the Favorites bar, open Wireshark. 2. Under Capture, select enp2s0. 3. Select the blue fin to begin a Wireshark capture. 4. From the Favorites bar, open Terminal. 5. At the prompt, type ping 192.168.0.11 and press Enter. 6. After some data exchanges, press Ctrl + c to stop the ping process. 7. In Wireshark, select the red box to stop the Wireshark capture. 8. In the Apply a display filter field, type icmp and press Enter. Notice the number of packets captured and the time between each packet being sent. 9. Select the blue fin to begin a new Wireshark capture. 10. In Terminal, type hping3 --icmp --flood 192.168.0.11 and press Enter to start a ping flood against CorpDC. 11. In Wireshark, select the red box to stop the Wireshark capture. Notice the type, number of packets, and the time between each packet being sent. 12. In Terminal, type Ctrl + c to stop the ICMP flood. Answer the question. - With the icmp flood, the icmp packets are sent more rapidly. - With the flood, all packets come from the source.

10.3.9 Perform a DoS Attack As the IT administrator for a small corporate network, you want to know how to find and recognize a TCP SYN flood attack. You know you can do this using the Wireshark packet analyzer and a Linux tool named hping3. In this lab, your task is to use Wireshark to capture and analyze TCP SYN flood attacks as follows: Filter captured packets to show TCP SYN packets for the enp2s0 interface. Use hping3 to launch a SYN flood attack against rmksupplies.com using Terminal. Examine a SYN packet with the destination address of 208.33.42.28 after capturing packets for a few seconds. Answer the question.

1. From the Favorites bar, open Wireshark. 2. Under Capture, select enp2s0. 3. Select the blue fin to begin a Wireshark capture. 4. In the Apply a display filter field, type tcp.flags.syn==1 and press Enter. 5. From the Favorites bar, open Terminal. 6. At the prompt, type hping3 --syn --flood rmksupplies.com and press Enter to start a TCP SYN flood against the CorpDC domain controller. 7. After a few seconds of capturing packets, select the red box to stop the Wireshark capture. 8. In the top pane of Wireshark, select one of the packets captured with a destination address of 208.33.42.28. 9. In the middle pane of Wireshark, expand Transmission Control Protocol. 10. Scroll down to Flags. Notice that both Flags in this pane and the Info column in the top pane show this as a SYN packet. Answer the question. 0x002

12.1.8 Crack FTP Credentials with Wireshark You are the cypersecurity specialist for your company. You are conducting a penetration test to see if anyone is using FTP against company policy. In this lab, your task is to capture FTP packets as follows: Use Wireshark to capture packets for five seconds. Filter for FTP packets. Answer the questions.

1. From the Favorites bar, open Wireshark. Under Capture, select enp2s0. 2. Select the blue fin to begin a Wireshark capture. 3. Capture packets for five seconds. 4. Select the red box to stop the Wireshark capture. 5. In the Apply a display filter field, type ftp and press Enter. Answer the questions. What is the name used to log into the FTP session? Admin What is the password used to log into the FTP site? P@ssword What is the name of the file downloaded during the FTP session?usage.txt

12.3.6 Perform an SQL Injection Attack You are the penetration tester for a small corporate network. You have decided to see how secure your online bank's web page is. In this lab, your task is to perform a simple SQL injection attack on MySecureOnlineBank.com using the following information: Make an account query for account number 90342. Perform a simple SQL attack using 0 OR 1=1. Answer the questions.

1. From the taskbar, open Chrome. 2. In the URL field, type mysecureonlinebank.com Press Enter. 3. In the Enter your Account Number field, enter 90342. Select Lookup. 4. The account balance is $582.29. 5. In the Enter your Account Number field, enter: 0 OR 1=1. Select Lookup. Answer questions. What is your account balance? $582.29 What is the account number of Nisha Dickson? 90003

15.3.6 Encrypt a Hard Drive You work as the IT Security Administrator for a small corporate network. The employee in Office 1 is working on a very sensitive project. Management is concerned that if the hard drive in the computer were stolen, sensitive information could be compromised. As a result, you have been asked to encrypt the entire System volume. The Office1 computer has a built-in TPM on the motherboard. In this lab, your task is to configure BitLocker drive encryption as follows: Turn on TPM in the BIOS. Activate TPM in the BIOS. Turn on BitLocker for the System (C:) drive. Save the recovery key to \\CorpServer\BU-Office1. Run the BitLocker system check. Encrypt the entire System (C:) drive.

1. In the search field on the taskbar, enter Control Panel. 2. Select System and Security. 3. Select BitLocker Drive Encryption. 4. Select Turn on BitLocker next to C:. Notice, at the bottom of the window, that Windows indicates that a TPM was not found. 5. Select Cancel. 6. Select Start. 7. Select Power. 8. Select Restart to restart Office1 and activate TPM. 9. When the TestOut logo appears, press Delete to enter the BIOS. Turn on and activate TPM as follows: 1. In the left pane, expand Security. 2. Select TPM Security.In the right pane, select TPM Security to turn TPM security on. 3. Select Apply. 4. Select Activate. 5. Select Apply. 6. Select Exit. Turn on BitLocker as follows: 1. After Office1 finishes rebooting, in the search field, enter Control Panel. 2. Select System and Security. 3. Select BitLocker Drive Encryption. 4. Select Turn on BitLocker. Now Windows is able to begin the Drive Encryption setup. 5. Select Next. 6. Select Restart. 7. Press F10. 8. Select Next. Save the recovery key to \\CorpServer\BU-Office1 as follows: 1. Select Save to a file to back up your recovery key to a file. 2. Browse the network to \\CorpServer\BU-Office1. 3. Select Save.After your recovery key is saved, click Next. 4. Select Encrypt entire drive; then click Next. 5. Leave the default setting selected when choosing the encryption mode and click Next. 6. Select Run BitLocker system check; then click Continue. 7. Select Restart now. 8. When encryption is complete, click Close. 9. Open File Explorer and verify that the Local Disk (C:) drive shows the lock icon.

10.2.11 Hijack a Web Session You are the IT security administrator for a small corporate network. The HR director is concerned that an employee is doing something sneaky on the company's employee portal and has authorized you to hijack his web session so you can investigate. In this lab, your task is to hijack a web session as follows: On IT-Laptop, use Ettercap to sniff traffic between the employee's computer in Office1 and the gateway. Initiate a man-in-the-middle attack to capture the session ID for the employee portal logon. On Office1, log in to the employee portal on rmksupplies.com using Chrome and the following credentials:Username: bjacksonPassword: $uper$ecret1 On IT-Laptop, copy the session ID detected in Ettercap. On Office2, navigate to rmksupplies.com and use the cookie editor plug-in in Chrome to inject the session ID cookie. Verify that you hijacked the session.

1. On IT-Laptop, open Terminal from the sidebar. 2. At the prompt, type host office1 and press Enter to get the IP address of Office1. 3. Type route and press Enter to get the gateway address. Use Ettercap to sniff traffic between Office1 and the gateway as follows: 1. From the Favorites bar, open Ettercap. 2. Select Sniff > Unified sniffing. 3. From the Network Interface drop-down list, select enp2s0. Click OK. 4. Select Hosts > Scan for hosts.Select Hosts > Host list. 5. Under IP Address, select 192.168.0.5. Select Add to Target 1. 6. Select 192.168.0.33. Select Add to Target 2. Initiate a man-in-the-middle attack as follows: 1. Select Mitm > ARP poisoning. 2. Select Sniff remote connections. 3. Click OK. You are ready to capture traffic. On Office1, log in to the employee portal on rmksupplies.com as follows: 1. From the top navigation tabs, select Floor 1 Overview. Under Office 1, select Office1. 2. From the taskbar, open Chrome. In the URL field, enter rmksupplies.com. 3. In the Username field, enter bjackson. 4. In the Password field, enter $uper$ecret1. On IT-Laptop, copy the session ID detected in Ettercap as follows: 1. From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select IT-Laptop. 2. In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap. 3. Highlight the session ID. Press Ctrl + C to copy. On Office2, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows: 1. From the top navigation tabs, select Floor 1 Overview. Under Office 2, select Office2. 2. From the taskbar, open Chrome.In Chrome's URL field, enter rmksupplies.com. Press Enter. 3. In the top right corner, select cookie to open the cookie editor. 4/ At the top, select the plus + sign to add a new session cookie. 5. In the Name field, enter .loginIn the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap. Make sure rmksupplies.com is in the Domain field. 6. Select the green check mark to save the cookie. 7. Click outside the cookie editor to close the editor. 8. At the bottom of the rkmsupplies page, select Employee Portal. You are now on Blake Jackson's web session.

15.1.8 Compare an MD5 Hash You are the IT administrator at a small corporate office. You just downloaded a new release for a program you use. You need to make sure the file was not altered before you received it. Another file containing the original file hash was also downloaded. The files are located in C:\Downloads. In this lab, your task is to use MD5 hash files to confirm that the Release.zip file was unaltered as follows: Use Windows PowerShell to generate a file hash for Release.zip. Examine the release821hash.txt file for the original hash. Compare the original hash of the Release.zip file to its calculated hash in PowerShell to see if they match.At the prompt, type "calculated hash" -eq "known hash" and press Enter.The calculated hash is the hash generated by the get-filehash file_name -a md5 command and the known hash is the hash generated by the get-content file_name.txt command. Remember to include the quotation marks and the file extensions with the file names in the commands.

1. Right-click Start and select Windows PowerShell (Admin). 2. At the prompt, type cd \downloads and press Enter to navigate to the directory that contains the files. 3. Type dir and press Enter to view the available files. 4. Type get-filehash Release.zip -a md5 and press Enter to view the MD5 hash. 5. Type get-content release821hash.txt and press Enter to view the known hash contained in the .txt file. 6. Type "calculated hash" -eq "known hash" and press Enter to determine if the file hashes match. Answer Question. Do the file hashes match? No

11.2.7 Configure a Perimeter Firewall You work as the IT security administrator for a small corporate network. You recently placed a web server in the DMZ. You need to configure the perimeter firewall on the network security appliance to allow access to the web server from the LAN and the WAN. You would also like to improve security by utilizing the attack security features provided by the firewall. In this lab, your task is to: Add an HTTP firewall rule that allows traffic from the WAN to the web server in the DMZ Add an HTTPS firewall rule that allows traffic from the WAN to the web server in the DMZ Add a firewall rule to allow traffic from the LAN to the DMZ. Enable all the firewall attack checks.

Configure the firewall as follows: 1. From the top menu of the Security Appliance Configuration Utility, select Firewall. 2. From the left pane, select IPv4 Rules. 3. In the right pane, select Add. 4. Modify the firewall rule parameters. Click Apply. 5. Repeat steps 1c-1e for each firewall rule. Enable firewall attack checks as follows: 1. From the left pane, select Attacks. 2. Select all the WAN security checks. 3. Select all the LAN security checks. 4. Select all the ICSA settings. Click Apply.

11.1.10 Implement Intrusion Detection You are enhancing your network's security, and you want to enable Intrusion Detection and Prevention on the network security appliance (NSA). In this lab, your task is to: Enable the IPS on the LAN and DMZ interface. Manually update the IPS signature using C:\signatures\sbips000018.bin Use the following credentials to configure the NSA to automatically update the signature in the future:Username: mary.r.brownPassword: Upd@teN0w (0 is a zero) Set the IPS policies to detect and prevent all known threats.

Enable IPS as follows: 1. In the Security Appliance Configuration utility, select IPS. 2. Under IPS Enable, select Enable IPS Protection for LAN. 3. Select Enable IPS Protection for DMZ. 4.Select Apply. Update the IPS signature as follows: 1. Under Manual Signature Updates, select Browse. Browse to and select C:\Signatures\SBIPS000018.bin. Select Open. Select Upload. 2. Refresh the page to update the IPS Signatures status. 3. Select Automatically Update Signatures. 4. In the Cisco.com User Name field, enter mary.r.brown. 5. In the Password field, enter Upd@teN0w (0 is a zero). Select Apply. Configure IPS policies as follows: 1. In the left menu, select IPS Policy. 2. For each IPS Category, select Detect and Prevent. 3. Select Apply.

10.2.7 Perform an MITM Attack from a Remote Computer CorpNet.xyz has hired you as a penetration testing consultant. While visiting the company, you connected a small computer to the switch in the Networking Closet. This computer also functions as a rogue wireless access point. Now you are sitting in your van in the parking lot of CorpNet.xyz, where you have connected to the internal network through the rogue wireless access point. Using the small computer you left behind, you can perform remote exploits against the company. In this lab, your task is to complete the following: On Consult-Lap2, use ssh -X to connect to your rogue computer using the following parameters: - IP address: 192.168.0.251 - Password: $uper$neaky Use Ettercap and the following parameters to launch a DHCP spoofing man-in-the-middle attack on your rogue computer and attempt to capture any unsecure passwords: - Network Interface: enp2s0 - Netmask: 255.255.255.0 - DNS Server IP address: 192.168.0.11 On Exec, release and renew the IP address assigned by DHCP. Log in to the rmksupplies.com employee portal using the following credentials: - Username: bjackson - Password: $uper$ecret1 On Consult-Lap2, copy the session ID detected in Ettercap. On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie. Verify that you have hijacked the session.

From Conult-Lap2, connect to your rogue computer as follows: 1. From the Favorites bar, open Terminal. 2. At the prompt, type ssh -X 192.168.0.251 and press Enter. 3. For the password, type $uper$neaky and press Enter. Use Ettercap to launch a DHCP spoofing man-in-the-middle attack as follows: 1. At the prompt, type ettercap and press Enter to launch Ettercap remotely.Ettercap is running on the remote computer, but you see the screen locally. 2. Select Sniff. 3. Select Unified sniffing. 4. From the Network Interface drop-down list, select enp2s0. Click OK. 6. Select Mitm. 7. Select DHCP spoofing. - nIn the Netmask field, enter 255.255.255.0. - In the DNS Server IP field, enter 192.168.0.11. Click OK. On Exec, release and renew the IP address as follows: 1. From top navigation tabs, select Buildings. Under Building A, select Floor 1. Under Executive Office, select Exec. 2. Right-click Start and select Windows PowerShell (Admin). 3. Type ipconfig /release and press Enter to release the currently assigned addresses. 4. Type ipconfig /renew and press Enter to request a new IP address from the DHCP server. Log into the rmksupplies.com employee portal as follows: 1. From the taskbar, open Chrome. 2. In the URL field, enter rmksupplies.com and press Enter. At the bottom of the page, select Employee Portal. 3. In the Username field, enter bjackson. In the Password field, enter $uper$ecret1. On Consult-Lap2, copy the session ID detected in Ettercap as follows: 1. From the top navigation tabs, select Building A. Under Red Cell, select Consult-Lap2. 2. In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap. 3. Highlight the session ID. Press Ctrl + C to copy. On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows: 1. From the top navigation tabs, select Building A. Under Red Cell, select Consult-Lap. From the taskbar, open Chrome. 2. In Chrome's URL field, enter rmksupplies.com.Press Enter. 3. In the top right corner, select cookie to open the cookie editor. 4. At the top, select the plus + sign to add a new session cookie. 5. In the Name field, enter .login 6. In the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap.Make sure rmksupplies.com appears in the Domain field. 7. Select the green check mark to save the cookie. 8. Click outside the cookie editor to close the editor. 9. At the bottom of the rkmsupplies page, select Employee Portal.

10.3.6 Perform and Analyze a SYN Flood Attack In this lab, your task is to perform and monitor a SYN flood attack using the following information: Use Zenmap to find the FTP port on CorpServer (192.168.0.10). Use Metasploit to send a SYN flood attack as follows:Remote host: 192.168.0.10Source host: 192.168.0.33Set the FTP port to match the FTP port used by CorpServer. Use Wireshark to capture the SYN flood on the enp2s0 network interface. Filter to show only TCP SYN packets. Find the MAC address of the computer causing the SYN flood. Answer the questions.

From Zenmap, use nmap to find the FTP port used on CorpServer as follows: 1. From the Favorites bar, open Zenmap. 2. In the Command field, type nmap -p 0-100 192.168.0.10 Select Scan. 2. CorpServer is using port 21 for FTP. Close Zenmap. Use Metasploit to send a SYN flood as follows: 1. From the Favorites bar, open Metasploit Framework. 2. Type use auxiliary/dos/tcp/synflood and press Enter to select the SYN flood module. 3. Type show options and press Enter to view the current options for the SYN flood module. 4. Type set rhost 192.168.0.10 and press Enter to set the RHOST address. 5. Type set shost 192.168.0.33 and press Enter to set the SHOST address. 6. Type set rport 21 and press Enter to set the FTP port. 7. Type show options and press Enter to view the new options for the SYN flood module. 8. Type exploit. Press Enter. Capture SYN flood attacks on the CorpServer machine as follows: 1. From the Favorites bar, open Wireshark. Under Capture, select enp2s0. 2. In the Apply a display filter field, type host 192.168.0.10 and tcp.flags.syn==1 Press Enter. 3. Select the blue fin to begin a Wireshark capture. 4. In Wireshark, select the red box to stop the Wireshark capture. Answer Questions. What is the source IP address of the SYN attack? 192.168.0.33 Which of the following MAC addresses is initiating the SYN flood attack? 00:60:98:7F:41:E0 (IT Laptop)

13.1.9 Discover a Hidden Network You are a cybersecurity consultant. The company hiring you suspects that employees are connecting to a rogue access point (AP). You need to find the name of the hidden rogue AP so it can be deauthorized. The computer suspected of using the rogue access point is Exec-Laptop. In this lab, your task is to complete the following: On IT-Laptop, use airmon-ng to put the wireless adapter in monitor mode. Use airodump-ng to find the hidden access point. On Exec-Laptop, connect to the rogue AP using the CoffeeShop SSID. Answer the question.

On IT-Laptop, configure the wlp1s0 card to run in monitor mode as follows: 1. From the Favorites bar, open Terminal. 2. At the prompt, type airmon-ng and press Enter to find the name of the wireless adapter. 3. Type airmon-ng start wlp1s0 and press Enter to put the adapter in monitor mode. 4. Type airmon-ng and press Enter to view the new name of the wireless adapter. Use airodump-ng to discover and isolate the hidden access point as follows: 1. Type airodump-ng wlp1s0mon and press Enter to discover all of the access points. 2. Press Ctrl + c to stop airodump-ng. 3. In Terminal, type airodump-ng wlp1s0mon --bssid bssid_number and press Enter to isolate the hidden access point. (bssid_number is 00:00:1B:11:22:33) Switch to the Exec-Laptop and connect to the Wi-Fi network as follows: 1. From the top navigation tabs, select Floor 1 Overview. Under Executive Office, select Exec-Laptop. 2. From the notification area, select the Wi-Fi network icon. 3. Select Hidden Network.e:Select Connect. 4. In the Enter the name (SSID) for the network field, type CoffeeShop. 5. Select Next. Select Yes. Answer Question. What is the BSSID of the rogue access point?00:00:1B:11:22:33

14.2.11 Scan for IoT Devices You are the IT security administrator for a small corporate network. You have some security issues on a few Internet of Things (IoT) devices. You can use the Security Evaluator to find these problems. In this lab, your task is to: Find a device using the IP address of 192.168.0.54. Find all devices using an IP address in the range of 192.168.0.60 through 192.168.0.69. Answer the questions.

Run a Security Evaluator report for 192.168.0.54 as follows: 1. From the taskbar, open Security Evaluator. 2. Next to Target, select the Target icon to select a new target. 3. Select IPv4 Address. Enter 192.168.0.54 as the IP address. Click OK. 4. Next to Status, select the Run/Rerun Security Evaluation icon to run a security evaluation. Run a Security Evaluator report for an IP range of 192.168.0.60 through 192.168.0.69 as follows: 1. From the Security Evaluator, select the Target icon to select a new target. Select IPv4 Range. 2. In the left field, type 192.168.0.60 as the beginning IP address. 3. In the right field, type 192.168.0.69 as the ending IP address. Click OK. 4. Next to Status, select the Run/Rerun Security Evaluation icon to run a security evaluation. Answer Questions. What is the name of the IoT device with the IP address of 192.168.0.54? Wireless Thermostat How many issues exist for the device with the IP address of 192.168.0.54? 3 In the IP address range of 192.168.0.60 through 192.168.0.69, which IP addresses had issues? 192.168.0.66

13.3.6 Secure a Mobile Device You are the IT administrator for a small corporate network. The receptionist, Maggie Brown, uses an iPad to manage employee schedules and messages. You need to help her make the iPad more secure. The current simple passcode is 1542. In this lab, your task is to: Set a secure passcode on the iPad as follows:Require a passcode: After 5 minutesNew passcode: KeepOutOfMyPad Configure the iPad to erase data after 10 failed passcode attempts.

Set a secure passcode on the iPad as follows: 1. Select Settings.From the left menu, select Touch ID & Passcode. 2. Enter 1542 for the passcode. 3. Select Require PasscodeSelect After 5 minutes. 4. Next to Simple Passcode, slide the switch to turn off simple passcodes. 5. Enter 1542 for the passcode. 6. Enter KeepOutOfMyPad as the new passcode. Select Next. 7. Enter KeepOutOfMyPad to re-enter the new passcode. Select Done. Configure the iPad to erase data after 10 failed passcode attempts as follows: 1. On the Touch ID & Passcode page next to Erase Data, slide the switch to enable Erase Data. 2. Select Enable.

11.3.6 Create a Honeypot with Pentbox You are the IT security administrator for a small corporate network. You are concerned about unauthorized activity in your DMZ, so you decide to set up a honeypot to study hacking attempts. In this lab, your task is to: Use Pentbox to create a honeypot on www_stage. Test the honeypot on Consult-Lap using www_stage.corpnet.xyz in Chrome. Verify the intrusion on www_stage. Answer the questions.

Use Pentbox to create a honeypot on www_stage as follows: 1. From the Favorites bar, open Terminal. 2. At the prompt, type cd pentbox-1.8 and press Enter to change to the pentbox directory. 3. Type ./pentbox.rb and press Enter to start Pentbox. 4. Type 2 and press Enter to select Network Tools. 5. Type 3 and press Enter to select Honeypot. 6. Type 1 and press Enter to select Fast Auto Configuration. Test the honeypot using Chrome as follows: 1. From the top navigation tabs, select Buildings. Under Red Cell, select Consult-Lap. From the task bar, open Chrome. In the URL field, enter www_stage.corpnet.xyz and press Enter. Review the effects of the intrusion on www_stage as follows: 1. From the top navigation tabs, select Buildings. Under Building A, select Basement. Under Basement, select www_stage. 2. Notice the INTRUSION ATTEMPT DETECTED message at the bottom of the Pentbox window. Answer Questions. What message is displayed? Access denied What is the IP address associated with the intrusion attempt? 147.191.29.25

13.1.13 Discover a Rogue DHCP Server You are the IT security administrator for a small corporate network. Several of your users have reported that they are unable to connect to the network. After examining their computers, they all seem to be getting bad IP address information from a rogue DHCP server. In this lab, your task is to identify the rogue DHCP server using Wireshark: Use Wireshark to capture and filter DHCP traffic. Disable and enable the enp2s0 network interface to request a new IP address from the DHCP server. Find the rogue DHCP server. Answer the questions.

Use Wireshark to capture and filter DHCP traffic as follows: 1. From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. 2. In the Apply a display filter field, type bootp and press Enter. Disable and enable the enp2s0 network interface as follows: 1. From the Favorites bar, open Terminal. 2. At the prompt, type ip addr show and press Enter to view the current IP configuration. 3. Type ip link set enp2s0 down and press Enter. 4. Type ip link set enp2s0 up and press Enter to enable the interface and request an IP address from the DHCP server. 5. In Wireshark, under the Source column, find the IP addresses of the rogue and legitimate DHCP servers that sent the DHCP Offer packets. Answer Questions. What is the IP address of the rogue DHCP server? 10.10.10.240 What is the IP address of the legitimate DHCP server? 192.168.0.14