Scanning Networks - p.15

Lab 14

HTTP Tunneling Using HTTPort

HTTPo/f is a program from HTTHosf that mates a transparent tunnel through a proxy server or firenal!

Lab Scenario

Attackers are always in a hunt for clients that can be easily compromised and they can enter these networks with IP spoofing to damage or steal data. The attacker can get packets through a firewall by spoofing die IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization’s network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TIL), and protocol type.

Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc. and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.

Also, you should be familiar with the HTTP tunneling technique by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning and determine the extent to which a network IDS can identify malicious traffic within a communication channel. in this lab you will learn HTTP Tunneling using HTTPort.

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort
and HTTHost

Lab Environment

in the lab, you need die HTTPort tool.

■ HTTPortis located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort
■ You can also download the latest version o f HTTPort from die link littp://www. targeted.org/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Install HTTHost 011 Windows Server 2008 Virtual Machine
■ Install HTTPort 011 Windows Server 2012 Host Machine
■ Follow the wizard-driven installation steps and install it.
■ Administrative privileges is required to run diis tool
■ This lab might not work if remote server filters/blocks HTTP tunneling packets
Lab Duration

Time: 20 Minutes
Overview of HTTPort

HTTPort creates a transparent tunneling tunnel dirough a proxy server 01 firewall. HTTPort allows using all sorts of Internet Software from behind die proxy. It bypasses HTTP proxies and HTTP, firewalls, and transparent accelerators.

Lab Tasks

Before running die tool you need to stop IIS Admin Service and World Wide Web Publishing services on Windows Server 2008 virtual machine. Go to Administrative Privileges Services IIS Admin Service, right click and click the Stop option.

FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008

3. Go to Administrative Privileges Services World Wide Web Publishing Services, right-click and click die Stop option.

FIGURE 142: Stopping World Wide Web Services in Windows Server 2008

4 .Open Mapped Network Drive “CEH-Tools" Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost

5 . Open HTTHost folder and double click htthost.exe.

6 .Tlie HTTHost wizard will open; select die Options tab.

7. On die Options tab, set all die settings to default except Personal Password field, which should be filled in widi any other password. in the lab, die personal password is kmagic.'?

8. Check die Revalidate DNS names and Log Connections options and click Apply

FIGURE 14.3: HTTHost Options tab

9. Now leave HTTHost intact, and don’t turn off Windows Server 2008 Virtual Machine.

10. Now switch to Windows Server 2012 Host Machine, and install HTTPort fiom D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort and double-click httport3snfm.exe

11. Follow die wizard-driven installation steps.

12. Launch the Start menu by hovering die mouse cursor in the lower-left corner of the desktop.

FIGURE 14.4: Windows Server 2012 - Desktop view

13. Click die HTTPort 3.SNFM app to open die HTTPort 3.SNFM window.

FIGURE 14.5: Windows Server 2012 - Apps

14. The HTTPort 3.SNFM window appears as shown in die figure diat follows

FIGURE 14.6: HTTPort Main Window

15. Select die Proxy tab and enter die host name or IP address of targeted machine.

16. Here as an example: enter Windows Server 2008 virtual machine IP address, and enter Port number 80

17. You cannot set die Username and Password fields.

18. 111 die User personal remote host at section, click start and dien stop and dien enter die targeted Host machine IP address and port, which should be 80.

19. Here any password could be used. Here as an example: Enter die password as ‘magic'

FIGURE 14.7: HTTPort Proxv settings \rindow

20. Select die Port Mapping tab and click Add to create New Mapping

FIGURE 14.8: HTTPort creating a New Mapping

21. Select New Mapping Node, and right-click New Mapping, and click Edit

FIGURE 14.9: HTTPort Editing to assign a mapping

22. Rename this to ftp certified hacker, and select Local port node; then lightclick Edit and enter Port value to 21

23. Now right click on Remote host node to Edit and rename it as ftp.certifiedhacker.com

24. Now right click on Remote port node to Edit and enter die port value to 21

FIGURE 14.10: HITPort Static TCP/IP port mapping

25. Click Start on die Proxy tab of HTTPort to run die HTTP tunneling

FIGURE 14.11: HTTPort to start tunneling

26. Now switch to die Windows Server 2008 virtual machine and click die Applications log tab.

27. Check die last line if Listener listening at 0.0.0.0:80, and then it is running properly.

FIGURE 14.12 HTTHost Application log section

28. Now7 switch to die Windows Server 2012 host machine and turn ON die Windows Firewall

29. Go to Windows Firewall with Advanced Security

30. Select Outbound rules from die left pane of die window, and dien click New Rule in die right pane of die window

FIGURE 14.13: W1ndcra*s Firewall with Advanced Secunty window in Window's Server 2008

31. 111 die New Outbound Rule Wizard, select die Port option in die Rule Type section and click Next

FIGURE 14.14: Windows Firewall selecting a Rule Type

32. Now select All remote ports in die Protocol and Ports section, and click Next

FIGURE 14.15: Windows Firewall assigning Protocols and Ports

33. 111 die Action section, select die Block the connection'’ option and click Next

FIGURE 14.16: Windows Firewall setting an Action

34. 111 die Profile section, select all three options. The rule will apply to: Domain, Public. Private and then click Next

FIGURE 14.17: Windows Firewall Profile settings

35. Type Port 21 Blocked in die Name field, and click Finish

FIGURE 14.18: Windows Firewall assigning a name to Port

36. The new rule Port 21 Blocked is created as shown in die following figure.

FIGURE 14.19: Windows Firewall New rule

37. Right-click die newly created rule and select Properties

FIGURE 14.20: Windows Firewall new rule properties

38. Select die Protocols and Ports tab. Change die Remote Port option to Specific Ports and enter die Port number as 21

39. Leave die other settings as dieir defaults and click Apply dien click OK

FIGURE 14.21: Firewall Port 21 Blocked Properties

40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked in Windows Server 2008 by firewall

FIGURE 14.22: ftp connection is blocked

41. Now open die command prompt 011 die Windows Server 2012 host machine and type ftp 127.0.0.1 and press Enter

FIGURE 14.23: Executing ftp command

Lab Analysis

Document all die IP addresses, open ports and running applications, and protocols you discovered during die lab.

Questions

1. How do you set up an HTTPort to use an email client (Oudook, Messenger, etc.)?
2. Examine if software does not allow editing die address to connect to.