Ubuntu Network Team. Mentor: Mr Christopher Edwards. Members: Unquiea Wade, Gregory Brown, Bryce Carmichael, Anthony Anderson


Posted on 25-Dec-2015


Abstract

Using Passive Network Discovery to Fingerprint Vulnerabilities within Ethernet Broadcast Frames.

This paper examines how open source embedded network tools were used to perform persistent internal audits of Ethernet Local Area Network broadcast traffic. The initial requirements that define the project phases were developed from the analysis of each open source learning stage. The open source Unix-like distribution Ubuntu was selected as the prototyping platform because of its ease of use and its usable business productivity, internet, drawing and graphics applications. To understand why hosts within the ONR Lab were experiencing a decrease in system performance and transmission speed, a passive network discovery of Ethernet broadcast frames was captured and analyzed to determine whether Local Area Network traffic between the local and foreign hosts is malicious or valid. The identification of remote active nodes and their system information was collected to build a resource map of all remote hosts requesting services from hosts within the ONR Lab, together with a listing of local hosts' listening ports and the services running on those ports. The passive analysis approach was selected by the ONR UNIX Network Administration Team because the collection of active LAN traffic would not impact ECSU's LAN/WAN assets. Moreover, this paper's goal is to show that persistent packet monitoring of Ethernet traffic can identify weaknesses that reduce LAN performance and possibly harm valuable assets used to support major and/or general support systems.

Self-Boot

• Insert the Ubuntu disc in a CD/DVD drive.

• Restart the PC and the installation screen will appear momentarily.

Loading Data Modules

• Upon completion of selecting the language, location, and keyboard format, the installation will begin.

Register Hostname

• Select a hostname for users to identify the computer on the network.

Display Resolution

• Select the correct resolution for displaying the Ubuntu desktop.

Ubuntu Desktop

• Ubuntu checks the IDE controller for hard drives installed.

• The drives are displayed for partitioning (partitioning allows the user to allocate space according to drive size)

• The Drive will be formatted immediately after.

Ubuntu Desktop

• The setup will prompt the user to enter the full name; shortly after, the username will have to be entered.

• The username will be used to log in to the system.

Ubuntu Desktop

• To complete the installation the user will have to enter and then re-enter a password for confirmation.

Linux vs. Windows

• Linux comes from different companies (i.e. Linspire, Red Hat, SuSE, Ubuntu, Mandriva, Knoppix, Slackware, Lycoris).

• Windows has two main lines: "Win9x", which consists of Windows 95, 98, 98SE and Me, and "NT class", which consists of Windows NT, 2000 and XP. Windows actually started, in the old days, with version 3.x, which pre-dated Windows 95 by a few years.

• Text mode interface is also known as a command interpreter. Windows users sometimes call it a DOS prompt; Linux users refer to it as a shell.

• Each version of Windows has a single command interpreter, but the different "flavors" of Windows have different interpreters.

• For desktop or home use, Linux is very cheap or free.

• Windows is expensive. For server use, Linux is very cheap compared to Windows.

• Microsoft allows a single copy of Windows to be used on only one computer. Starting with Windows XP, they use software to enforce this rule (Windows Product Activation at first, later Genuine Windows).

• In contrast, once you have purchased Linux, you can run it on any number of computers for no additional charge.


• One of the main advantages of Linux is that it can be run off of a disc.

• Windows must be installed, and installation can take from forty-five minutes to an hour.

• Linux has a reputation for fewer bugs than Windows, but it certainly has its fair share.

• This is a difficult thing to judge, and finding an impartial source on this subject is also difficult. Fred Langa wrote an interesting article on whether Linux or Windows has fewer bugs in Information Week magazine, January 27, 2003.

• The article also addressed whether known bugs are fixed faster with Linux or Windows. In brief, he felt that bugs used to be fixed faster in Linux, but things have slowed down.

• Linux is a multi-user system, Windows is not. That is, Windows is designed to be used by one person at a time.

• Databases running under Windows allow concurrent access by multiple users, but the Operating System itself is designed to deal with a single human being at a time.

• Linux, like all Unix variants, is designed to handle multiple concurrent users.

• Windows, of course, can run many programs concurrently, as can Linux.

• There is a multi-user version of Windows called Terminal Server but this is not the Windows pre-installed on personal computers.

Network Tools

• A computer, peripheral or other related communications equipment attached to a network.

• Ethernet: a very common method of networking computers in a LAN. There is more than one type of Ethernet. By 2001 the standard type was "100-BaseT", which can handle up to about 100,000,000 bits per second and can be used with almost any kind of computer.

• Wi-Fi (short for "wireless fidelity") is the popular term for a high-frequency wireless local area network (WLAN).

• USB Ethernet: Universal Serial Bus. An external peripheral interface standard for communication between a computer and external peripherals over a cable using bi-serial transmission.

• Ping (Packet Internet Groper): a utility to determine whether a specific IP address is accessible.

• It works by sending a packet to the specified address and waiting for a reply. PING is used primarily to troubleshoot Internet connections.


• Netstat is a command-line tool that displays a list of the active connections a computer currently has, both incoming and outgoing.

• Traceroute is a TCP/IP utility which allows the user to determine the route packets take to reach a particular host.

• Traceroute works by increasing the "time to live" value of each successive packet sent.

• The first packet has a time to live (TTL) value of one, the second two, and so on.

• When a packet passes through a host, the host decrements the TTL value by one and forwards the packet to the next host.
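The TTL mechanism described in the bullets above, as an added simulation (not code from the original slides): probes go out with TTL 1, 2, 3, ..., every hop decrements the TTL, and the hop where it reaches zero answers with ICMP Time Exceeded. The router path and addresses are constructed sample data (RFC 5737 documentation ranges); nothing is sent on a real network.

```python
# Added example (not code from the original slides): a simulation of how
# traceroute discovers a path. No packets are sent; the "routers" below are
# constructed sample hops using RFC 5737 documentation addresses.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    address: str           # constructed sample router address
    responds: bool = True  # some routers silently drop TTL-expired probes


def forward_probe(path: List[Hop], destination: str, ttl: int) -> Tuple[Optional[str], bool]:
    """Carry one probe along the path with the given starting TTL.

    Each host decrements TTL by one before forwarding. When TTL hits zero the
    host discards the probe and answers with ICMP Time Exceeded (here: its
    address, or None if it is configured not to respond). A probe that gets
    past every router reaches the destination, which answers normally.
    Returns (replying address or None, reached_destination).
    """
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return (hop.address if hop.responds else None), False
    return destination, True


def traceroute(path: List[Hop], destination: str, max_hops: int = 30) -> List[str]:
    """Send probes with TTL 1, 2, 3, ... until the destination itself answers."""
    trace = []
    for ttl in range(1, max_hops + 1):
        replier, reached = forward_probe(path, destination, ttl)
        trace.append(replier if replier is not None else "*")  # "*" = no reply
        if reached:
            break
    return trace


# Constructed sample path: three routers, the second one never replies.
SAMPLE_PATH = [Hop("192.0.2.1"), Hop("198.51.100.7", responds=False), Hop("203.0.113.9")]
SAMPLE_DESTINATION = "203.0.113.50"

if __name__ == "__main__":
    for n, addr in enumerate(traceroute(SAMPLE_PATH, SAMPLE_DESTINATION), start=1):
        print(f"{n:2d}  {addr}")
```

The silent second hop shows up as "*", exactly as a real traceroute prints a hop that drops TTL-expired probes without replying.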

• Neotrace: a very convenient traceroute utility.

• Displays the traceroute nodes as symbols with country flags.

• Associates the Whois for each network node in the trace. You may also want to download Visual Route, which can overlay your traced route over a geographic map.

PORT NUMBERS

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.

WELL KNOWN PORT NUMBERS

• The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.

• Ports are used in TCP to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined.

• This list specifies the port used by the server process as its contact port. The contact port is sometimes called the "well-known port".

• This site does a reverse DNS lookup of an IP address by searching domain name registry and registrar tables.

• You may be able to identify the domain name of a spammer sending you spam email or the domain name of a computer trying to break into your firewall.

• You may also be able to use this information to determine the name of the internet service provider assigned to a particular IP address.

• Finger is an Internet software tool for locating people on other Internet sites.

• Finger is also sometimes used to give access to non-personal information, but the most common use is to see if a person has an account at a particular Internet site.

• Not all sites allow incoming finger requests.

• WHOIS databases contain nameserver, registrar, and in some cases, full contact information about a domain name.

• Each registrar must maintain a WHOIS database containing all contact information for the domains they 'host'.

• A central registry WHOIS database is maintained by the InterNIC.

• This database contains only registrar and nameserver information for all .com, .net and .org domains.

Applying a subnet mask to an IP address allows you to identify the network and node parts of the address. The network bits are represented by the 1s in the mask, and the node bits are represented by the 0s. Performing a bitwise logical AND operation between the IP address and the subnet mask results in the Network Address or Number.

For example, using our test IP address and the default Class B subnet mask, we get:

    10001100.10110011.11110000.11001000   140.179.240.200   Class B IP Address
    11111111.11111111.00000000.00000000   255.255.000.000   Default Class B Subnet Mask
    -------------------------------------------------------------------------------
    10001100.10110011.00000000.00000000   140.179.000.000   Network Address

Default subnet masks:

Class A - 255.0.0.0 - 11111111.00000000.00000000.00000000

Class B - 255.255.0.0 - 11111111.11111111.00000000.00000000

Class C - 255.255.255.0 - 11111111.11111111.11111111.00000000

Subnet Masking

• An IP (Internet Protocol) address is a unique identifier for a node or host connection on an IP network. An IP address is a 32 bit binary number usually represented as 4 decimal values, each representing 8 bits, in the range 0 to 255 (known as octets) separated by decimal points. This is known as "dotted decimal" notation.

Example: 140.179.220.200. It is sometimes useful to view the values in their binary form:

    140     .179     .220     .200
    10001100.10110011.11011100.11001000

• Every IP address consists of two parts, one identifying the network and one identifying the node. The Class of the address and the subnet mask determine which part belongs to the network address and which part belongs to the node address.

IP Addressing

There are 5 different address classes. You can determine which class any IP address is in by examining the first 4 bits of the IP address.

• Class A addresses begin with 0xxx, or 1 to 126 decimal.

• Class B addresses begin with 10xx, or 128 to 191 decimal.

• Class C addresses begin with 110x, or 192 to 223 decimal.

• Class D addresses begin with 1110, or 224 to 239 decimal.

• Class E addresses begin with 1111, or 240 to 254 decimal.

Address Classes

There are three IP network addresses reserved for private networks. The addresses are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

• They can be used by anyone setting up internal IP networks, such as a lab or home LAN behind a NAT or proxy server or a router.

• It is always safe to use these because routers on the Internet will never forward packets coming from these addresses.
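The subnet-mask AND, the address-class test on the leading bits, and the private-range check from the preceding slides, worked through in code on the slides' own addresses. This is an added example, not code from the original presentation; it uses only Python's standard ipaddress module.

```python
# Added example (not code from the original slides): network address by
# bitwise AND, address class from the leading bits of the first octet, and
# the private-range check, applied to the slides' own addresses.
import ipaddress

PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def to_bits(addr: str) -> str:
    """Dotted decimal to dotted binary, one 8-bit group per octet."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def network_address(addr: str, mask: str) -> str:
    """Bitwise AND of address and mask: the 1 bits of the mask keep the network part."""
    result = int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(result))


def address_class(addr: str) -> str:
    """Leading bits of the first octet: 0xxx A, 10xx B, 110x C, 1110 D, 1111 E."""
    first = int(addr.split(".")[0])
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def is_private(addr: str) -> bool:
    """True for the three reserved ranges that Internet routers never forward."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


def describe(addr: str) -> dict:
    """Combine the pieces the way the slides do for 140.179.240.200."""
    cls = address_class(addr)
    mask = DEFAULT_MASKS.get(cls)  # classes D and E have no default mask
    return {"class": cls, "default_mask": mask,
            "network": network_address(addr, mask) if mask else None,
            "private": is_private(addr)}


if __name__ == "__main__":
    for a in ("140.179.240.200", "192.168.1.25", "172.32.0.1", "224.0.0.1"):
        print(a, to_bits(a), describe(a))
```

Note that 172.32.0.1 falls just outside 172.16.0.0/12, a common mistake when the /12 is read as "anything starting with 172".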

Private Subnets

• TCP (Transmission Control Protocol): a set of rules that enables a broad spectrum of different kinds of computers to establish a connection and exchange streams of data.

• TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent, so it is considered "reliable." Most long-haul traffic on the Internet uses TCP.

• TCP handshake: a three-step process computers go through when negotiating a connection with one another.

• Simplistically described, in a normal TCP handshake:

1. Computer A sends a SYN packet (for "synchronize");

2. Computer B acknowledges the connection attempt and sends back its own SYN packet (thus, a SYN/ACK packet); and

3. Computer A acknowledges Computer B's response.

Once both computers are synchronized and acknowledged, they can begin passing data back and forth.

TCP Handshake


• In the initial packet, the sender, Host #1, inserts a self-assigned initial sequence number in the TCP header Sequence Number field (21371727).


• Host #2 defined its starting sequence number as 135471.


• Host 1's sequence number is now 21371728.

• The Acknowledgement Number field value is now set to 135472.
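The handshake walked through on the slides above, as an added example (not code from the original presentation): the three segments are built from the slides' own initial sequence numbers, 21371727 for Host 1 and 135471 for Host 2, and each side checks that the Acknowledgement Number it receives is the one it expects before treating the connection as established.

```python
# Added example (not code from the original slides): the three-way handshake
# with the slides' initial sequence numbers, plus the acknowledgement check
# each receiver applies. Pure bookkeeping; no sockets are opened.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    sender: str
    flags: str            # "SYN", "SYN/ACK" or "ACK"
    seq: int              # Sequence Number field
    ack: Optional[int]    # Acknowledgement Number field (None when ACK flag is clear)


def three_way_handshake(isn_host1: int, isn_host2: int) -> List[Segment]:
    """Build the three segments. A SYN consumes one sequence number, so each
    side acknowledges the other's ISN + 1 and advances its own by one."""
    syn = Segment("Host 1", "SYN", isn_host1, None)
    syn_ack = Segment("Host 2", "SYN/ACK", isn_host2, syn.seq + 1)
    ack = Segment("Host 1", "ACK", syn.seq + 1, syn_ack.seq + 1)
    return [syn, syn_ack, ack]


def acceptable_ack(expected_ack: int, segment: Segment) -> bool:
    """A receiver completes the handshake only if the Acknowledgement Number
    matches what it expects (its own ISN + 1); anything else is discarded."""
    return segment.ack == expected_ack


def handshake_completes(isn_host1: int, isn_host2: int) -> bool:
    """True when both sides accept the acknowledgement addressed to them."""
    syn, syn_ack, ack = three_way_handshake(isn_host1, isn_host2)
    return (acceptable_ack(syn.seq + 1, syn_ack)       # Host 1 checks the SYN/ACK
            and acceptable_ack(syn_ack.seq + 1, ack))  # Host 2 checks the final ACK


if __name__ == "__main__":
    for seg in three_way_handshake(21371727, 135471):
        print(f"{seg.sender:7} {seg.flags:8} seq={seg.seq:<10} ack={seg.ack}")
```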

• The Internet Control Message Protocol (ICMP) is a classic example of a client-server application. The ICMP server executes on all IP end system computers and all IP intermediate systems (i.e. routers).

• The protocol is used to report problems with delivery of IP datagrams within an IP network. It can be used to show when a particular End System (ES) is not responding, when an IP network is not reachable, when a node is overloaded, when an error occurs in the IP header information, etc.

• The protocol is also frequently used by Internet managers to verify correct operation of End Systems (ES) and to check that routers are correctly routing packets to the specified destination address.

Internet Control Message Protocol
