Mid-term Practical Assignment, Network Safety and Security Course


VIETNAM NATIONAL UNIVERSITY, HANOI

UNIVERSITY OF ENGINEERING AND TECHNOLOGY

MID-TERM PRACTICAL ASSIGNMENT


NETWORK SAFETY AND SECURITY
COURSE

Lecturer: Dr. Nguyễn Đại Thọ


Student: Đinh Nho Hoàng
Student ID: 21021496
Course code: INT3307E_20
Contents
Lab 4.1 Installing certificate services (p. 3)
Review Questions (p. 23)
Lab 4.2 Configuring Secure Sockets Layer (p. 24)
Review Questions (p. 29)
Lab 4.4 Configuring Certificate Auto-Enrollment (p. 31)
Review Questions (p. 34)
Lab 5.1 Getting Started with Kali Linux (p. 34)
Review Questions (p. 46)
Lab 5.2 IP Spoofing with Hping3 (p. 46)
Review Questions (p. 59)
Lab 5.3 ARP Poisoning (p. 60)
Review Questions (p. 70)
Lab 5.4 Man-in-the-Middle Attack (p. 71)
Review Questions (p. 75)
Lab 9.1 Verifying the Integrity of the Hosts File (p. 75)
Review Questions (p. 81)
Lab 9.2 Installing the FTP Server Service and Wireshark (p. 81)
Review Questions (p. 88)
Lab 9.3 Capturing and Analyzing FTP Traffic (p. 89)
Review Questions (p. 90)
Lab 4.1 Installing certificate services
1-6: Download the Windows Server 2016 ISO.
7-9: Create a new VM named Windows Server.
10. Start the Windows Server VM.
11. When prompted to select a start-up disk, navigate to the Windows Server 2016

13. Click Next in the Language, Time, and Keyboard dialog box.
14. Click Install now.
15. Select Windows Server 2016 Standard Evaluation (Server with GUI) and click
Next.
16. Accept the license terms and click Next.

17. Select Custom: Install Windows only (advanced) and accept the default setting
from this point on.
18. Set the default Administrator password as Pa$$word.

19. Next, you need to make sure the server has Active Directory services installed.
Open Server Manager, click Manage, then click Add Roles and Features. Click
Next until you see the Server Roles window.

20. Select the Active Directory Domain Services check box and then, when
prompted, click Add Features. Click Next three times. Click Install. This could
take some time to finish.
21. Once the server has restarted, click the notifications flag and select Promote this
server to a domain controller.
22. Select Add a new forest. Enter Test.local for the Root domain name. Click Next.

23. Enter the password Pa$$word, confirm it and click Next twice.
24. Enter TEST for the NetBIOS domain name and click Next three times.

25. Allow the prerequisites check to run. Don’t be concerned if you see warning
messages, but if you receive errors, review your settings and make any necessary
corrections. Once you have successfully completed the prerequisites check, click
Install. The server will restart once it is finished.
26. Open Server Manager, click Manage, and then click Add Roles and Features.
Click Next until you reach the Server Roles window.

27. Select the Active Directory Certificate Services check box, and then, when
prompted, click Add Features. Click Next twice.
28. Read the Active Directory Certificate Services (AD CS) page and click Next. In the
Role Services window, select the Certification Authority and Certification
Authority Web Enrollment check box. If you are prompted to add features that
are required for Certification Authority Web Enrollment, click Add Features. Click
Next three times. In the Confirmation window, click Install.
29. Click Close after the installation has completed.

30. Click the notifications flag at the top of Server Manager, and then click Configure
Active Directory Certificate Services on the destination server. Click Next in the
Credentials window, and then select the Certification Authority and Certificate
Authority Web Enrollment check box. Click Next.

31. On the Setup Type window, verify that Enterprise CA is selected and click Next.
An enterprise CA uses Active Directory to authenticate users and help manage
certificates. A stand-alone CA requires that an administrator approve every request
for a certificate because Active Directory is not available to provide authentication.
Stand-alone CAs are ideal for permitting secure network access to business
partners, external consultants, or others who do not have Active Directory accounts.
On the CA Type window, verify that Root CA is selected and click Next twice.
32. On the Private Key window, verify that Create a new private key is selected and
click Next. Read the default settings on the Cryptography window and click Next.

33. On the CA Name window, in the Common name for this CA box, note the default
name and click Next.
34. On the Validity Period window, accept the default settings and click Next.

35. Click Next until you reach the Server Certificate window. Select Choose and
assign a certificate for SSL later. Click Next.
36. In the Confirmation window, click Configure, and then click Close.
37. Open a Microsoft Management Console by clicking Start and typing mmc. Select
mmc. Click File, then click Add or Remove Snap-ins. Add the Certificate
Templates, Certification Authority (local), Enterprise PKI, and Internet Information
Services (IIS) Manager (not Internet Information Services 6.0) snap-ins. Save the
console on your desktop as PKI.
38. Paste a screenshot of your completed PKI console here.

39. Close all windows and log off.


The Common name for this CA box shows Test-WIN-2HA8TRVDLG8-CA.

Review Questions
1. bc
2. bcd
3. acd
4. False.
In Active Directory Certificate Services (AD CS), the private key
associated with a digital certificate is not duplicated on every digital
signature or digital certificate issued by the Certificate Authority (CA).
Each certificate request generates a unique key pair, which consists of
a private key and a corresponding public key. The private key is kept
securely on the entity (user, computer, or service) for which the
certificate is issued.
When a CA issues a digital certificate, it only includes the public key
and information about the entity being certified, not the private key. The
private key remains confidential and should only be known to the entity
to which the certificate was issued. This separation of the private and
public keys is fundamental to the security of public key cryptography
and ensures that the private key is not exposed to others during the
certificate issuance process.

5. bd
Lab 4.2 Configuring Secure Sockets Layer
Review question:
1. a
2. d
3. d
4. c
5. True.
When anonymous authentication is used with Internet Information Services (IIS), the
client's request is processed without requiring the client to provide a username or
password. While this can simplify access for certain scenarios, it also means that the
data transmitted between the client and the server is not encrypted. Therefore, if
sensitive information is being transmitted, it's vulnerable to interception and
unauthorized access. For secure communication, especially over the internet, it's
recommended to use other authentication methods that involve encryption, such as
Basic Authentication over HTTPS or other more secure authentication mechanisms.
Lab 4.4 Configuring Certificate Auto-Enrollment
Review Questions
1. Which of the following is considered a best practice in the handling of EFS certificates?
- d. EFS key pairs should always be encrypted.
2. You are a network administrator of a Windows Server 2016 domain tasked with
implementing the auto-enrollment of user certificates, which will be used to digitally sign
emails. You perform the following procedures:
- c. only administrators can manually trigger the enrollment and installation of certificates
3. In Lab 4.4, Anthony Newman received a certificate based on the User template. Which of
the following statements regarding these certificates is correct?
- a. Both certificates allow Anthony Newman to use the Encrypting File System.
- b. Once a User certificate is issued to a user, the best practice is to revoke the user's EFS
certificate.
4. In this lab, the auto-enrollment policy was configured so that all domain users could receive
the certificate based on the User certificate template. - True
5. Anthony used the certificate he received in Lab 4.4 to place his digital signature on an
email to a customer named Helene Grimaud. For Helene to be sure that the email came from
Anthony, she must
- c. compare the thumbprint on Anthony's certificate with the result of her own hashing of his
certificate

Lab 5.1 Getting Started with Kali Linux


In this lab, you will run Kali Linux in a VirtualBox instance and configure network
connectivity.
1. Download the Kali Linux ISO: open a web browser, go to www.kali.org, and download
the Kali Linux 64-bit ISO.

2. Launch Oracle VM VirtualBox and click New.


3. In the Name textbox use the name Kali Linux.
4. For Type, select Linux.
5. For Version, select Linux 2.6/3.x/4.x (64-bit).

6. Click Next.
7. Leave the Memory as the default amount and click Next.
8. Choose Create a virtual hard disk now and click Create.

9. Select VDI (VirtualBox Disk Image) and click Next.

10. Select Dynamically allocated and click Next.


11. Set the file location and size: make the size at least 25 GB and click Create.

12. Select the Kali Linux VM and click Start.


13. The first time you run the VM it will ask you for a start-up disk. Navigate to the Kali Linux
ISO. Click Start.

14. Choose the Graphical install option.


15. Select all defaults. When you are prompted to configure the network, enter Test.com and
click Continue.

Type in your full name and a username.


Enter admin as the administrator password and click Continue.

16. When asked to partition disks, select the default option and click Continue 4 times.
Then select Yes when asked “Write the changes to disk?” and click Continue.
Choose the software to install and click Continue.

Wait for installation

17. When asked to configure the package manager, select No and click Continue.
18. When asked to install the GRUB boot loader to your primary drive, select Yes and click
Continue.
Once installation is completed, click Continue to reboot.
19. Enter root for the user name and admin for the password to login.

20. When you reach the Kali Linux desktop, check your network interface by clicking the
Terminal button on the panel on the left of the desktop.
21. At the command prompt, type ifconfig and press Enter.
If the value for inet addr (your IP address) is 127.0.0.1, you may need to start the
networking service and/or you may need to configure your IP address manually. If you
have an IP address on your classroom network, skip to Step 25.
22. To start the networking service, at the command prompt, type /etc/init.d/networking start
and press Enter. Enter ifconfig at the command line and see if you have an IP address on
your classroom network. If you do, proceed to Step 25. If not, proceed to Step 24.

23. At the VirtualBox menu choose Machine/Settings/Network. Verify that VirtualBox
recognizes your network adapter, either with a wired connection or a wireless connection.
24. On Kali Linux, from the command prompt, type ping www.yahoo.com and press Enter.

25. Once you have verified connectivity between Kali Linux and the Internet, spend some time
exploring the Kali Linux interface.
26. Launch the nmap application from the Applications/Information Gathering menu.

27. In the Terminal, enter your school web address (uet.vnu.edu.vn) and scan.
28. Once the scan completes, explore the output. Click the Topology tab and see how many
jumps the software had to make before it found the web address.
29. On the Nmap Output, check for any vulnerabilities.
30. Log off all systems.

Review Questions:
1. Which of the following were previous versions of Kali Linux?
b. BackTrack
c. Debian
2. An ISO file is a stand-alone operating system that can be installed on its own? - False
3. Which of the following programs is a Kali Linux text editor?
d. GVim
4. When a Kali Linux system runs a ping command, in each ping packet___ bytes are sent
c. 64
5. On Kali Linux, from a command prompt, you can display the contents of the /etc directory
by typing.
d. ls /etc

Lab 5.2 IP Spoofing with Hping3


1. In VirtualBox Manager, click File -> Preferences -> Network, add a new NAT network, and click OK.
2. In the VirtualBox Manager, click the Win Server you created in Lab 4.1. Click Settings,
then click Network. In the Network Adapter 1, select Nat Network. Click OK.

3. Repeat the steps for the Kali Linux VM you created in Lab 5.1.

4. Launch the Windows Server VM. Right click the Start button and select Control Panel.
In the Control Panel, click Network and Internet.
Open Network and Sharing Center, click Ethernet, and then click Properties. Select
Internet Protocol Version 4 and click Properties.

5. Choose Use the following IP address. For the IP Address enter 192.168.0.1 with a Subnet
mask of 255.255.255.0.
Click OK or Close until you are back to the Networking and Sharing center.
6. Create a new Windows 10 VM with the ISO. Accept all the defaults.
User name: Administrator
Password: Pa$$word
7. Launch the Windows 10 VM. Right click the Start button and select Control Panel. Click
the View by down arrow and select Small icons. Click Network and Sharing Center.

8. Click Change adapters settings.

9. Right-click Ethernet and select Properties.


10. Select Internet Protocol Version 4 and then click Properties. In the IP Address enter
192.168.0.2 with a Subnet mask of 255.255.255.0. Close all windows until you are at the
Windows 10 desktop.

11. Launch the Kali Linux VM. Click the Show applications icon on the menu bar on the
left-hand side of the window and then click Settings.
12. Click Advanced Network Configuration. Click the Wired connection 1. Click IPv4
Settings. Change Method to Manual. Click Add and enter the address 192.168.0.3, the
subnet mask 255.255.255.0, the gateway 0.0.0.0.
13. Click Apply. Close all windows and Restart the machine.
Type ifconfig in a terminal to examine the new IP address:

14. On the Kali Linux virtual machine, open a terminal window, type hping3 --help and then
press Enter. Examine the syntax and options available in hping3. In the sections titled IP,
ICMP, and UDP/TCP, you can see options that allow you to craft packets. For example, in
the UDP/TCP section, you can use the -s option to specify the base source port, the -R option to
set the RST flag, or the -O option to set a faked TCP data offset.
15. In the Kali Linux VM, click the Terminal button. At the command prompt, type
wireshark and press Enter.
16. Wireshark is a protocol analyzer; it captures incoming and outgoing packets at your
network interface. Before you start capturing traffic, you will start an hping3 probe of
Windows Server.
17. Open a terminal window. At the command prompt, type hping3 -S ipAddress and press
Enter, replacing ipAddress with the IP address of Windows Server.

18. In the Capture area of the Welcome to Wireshark window, click eth0, then click
Capture/Start.
19. Allow the hping3 command to run while you return to the Wireshark Capture Interfaces
window. Wait 10 seconds and then, from the Capture menu, click Stop.
20. On the terminal window, where hping3 is still running, press Ctrl+c to stop hping3.

21. Next, you again will use hping3 to send packets between Kali Linux and Windows Server,
but this time you will spoof the source IP address so that it appears that the packets have
come from the Windows 10 VM, not from Kali Linux. At the terminal window, type
hping3 -S ipAddressOfWindows10VM -a ipAddressOfServer. Although you don't see the same
output at the terminal window as you did in Step 17, the packets are being sent.
22. Start a capture from Wireshark. Click Continue without Saving, wait 10 seconds, and
then stop the capture. It should appear that Windows 10 VM (192.168.0.2) is the source of
the packets being sent to Windows Server (192.168.0.1), when, in reality, the source of the
packets is Kali Linux (192.168.0.3).

23. Go to the command prompt in Kali Linux and press Ctrl+c to stop hping3.
Review Questions:
1. In step 22 of this lab, you captured hping3 packets that were sent to Win Server from kali
Linux. However, unlike the capture discussed in Step 18, there were no response packets
from Windows Server. Why not?
- In step 22, we spoofed the source address with the option “-a 192.168.0.1”, which sets a
fake IP source address; this ensures that the target will not learn your real address.
- As a result, the replies are sent to the spoofed address, so we can't see them.
2. When you click one of the spoofed frames in Wireshark from this lab and then, in the
middle frame, expand the Ethernet II node, you see a destination and a source address.
What types of addresses are these, and at which layer of the Open Systems
Interconnection model are they processed?
- The source IP is the address of the device sending the IP packet.
- The destination IP is the IP address of the device to which the packet is being sent.
- They are processed at Layer 3 of the OSI model. Hping3 is a command-line
oriented TCP/IP packet assembler.
3. While examining the frame discussed in Question 2, you determine that Wireshark has
identified the packet as abnormal. You discover this by
- a. clicking the frame, expanding the Transmission Control Protocol node in the
middle frame, and seeing that the Flags item lists (RST).

4. Which of the following options in hping3 splits packets into fragments?
- a. -f
5. Which of the following options in hping3 sets the ACK flag?
- a. -A

Lab 5.3 ARP Poisoning


In this lab, you monitor pings between two computers before and after the systems have been
ARP poisoned.
1. Launch the Kali Linux VM and configure network connectivity as described in Lab 5.1.
Click the Terminal button icon to open a terminal window. At the command prompt, type
ifconfig and press Enter. You will need this information to complete the table in Step 2.
2. Log on to Windows Server as the administrator. On both Windows Server and the Windows 10 VM,
perform the following steps and take note of the physical address and the IPv4
address. Click Start. In the Search box, type cmd and press Enter. At the command
prompt, type ipconfig /all and press Enter.
Windows Server:

Windows 10 VM:
3. On Windows Server, from a command prompt, type ping Windows10VMIPaddress and
press Enter.

Ping from the Windows 10 VM:


4. As a result of the ping command in Step 3, Windows Server and the Windows 10 VM had to
resolve each other's IP address to a MAC address. This resolution can be
found in each system's ARP cache. On both Windows Server and the Windows 10 VM, at the
command prompt, type arp -a and press Enter. You are looking at the system's ARP
cache. Both have resolved the other's IP address to a MAC address correctly.
Windows Server:

Windows 10 VM:
5. Return to Kali Linux. If necessary, click the Terminal button, then type wireshark and
press Enter. Configure Wireshark to start capturing traffic on your network interface, as
you did in Lab 5.2.

6. On Windows Server, repeat the ping from Step 3 of this lab.


7. Return to Kali Linux and stop the Wireshark capture. You will not see evidence of the
pings between Server and Windows 10 VM.
8. Click the Applications button, click Sniffing/Spoofing, then click ettercap-graphical.
Click the Accept button at the top right to start Unified sniffing.

9. At the top left corner, click the Scan for hosts button (the magnifying glass icon).

Click Hosts list (to the right of the Scan for hosts button). The addresses listed for Windows Server and
the Windows 10 VM should match the addresses you noted in Step 2.
10. You will now begin ARP poisoning so that Windows Server and Windows 10 VM will be
communicating with Kali Linux even though they think they are communicating with each
other.
Click the listing for Windows Server and click the Add to Target 1 button, click the
listing for Windows 10 VM and click the Add to Target 2 button.

11. From the Mitm (man-in-the-middle) menu (the globe icon at the top right corner), click Arp
poisoning.
In the MITM Attack: ARP Poisoning window, select the Sniff remote connections
checkbox and click OK.

Notice the ARP poisoning victims listed in the lower frame of the ettercap window.

12. On Windows Server, perform another ping of Windows 10 VM. Check the ARP cache
with the arp -a command on both Windows Server and Windows 10 VM. Notice that each
lists the other's MAC address as being the same as Kali Linux's MAC address.
Windows Server:

Windows 10 VM:

13. Repeat the ping, but this time, capture the result with Wireshark on Kali Linux. This time,
there is evidence of the pings between Windows Server and Windows 10 VM.
14. Close the ettercap program. To repair the ARP cache on both Windows Server and
Windows 10 VM, from a command prompt, type arp -d* and press Enter.
Windows Server:
Windows 10 VM:

This clears the ARP cache; and now, since ettercap is no longer poisoning the ARP cache,
when Windows Server and Windows 10 VM ping, they will broadcast ARP queries and
obtain accurate resolutions.

15. Close all windows and log off.
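As an added example (not part of the lab or of ettercap), a short Python check that reads the arp -a output from Steps 4 and 12 and flags what the lab has you observe by eye: two IP addresses resolving to the same unicast MAC, and entries that differ from the physical addresses recorded in Step 2. The ARP tables and MAC addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output as seen on the lab's Windows 10 VM (192.168.0.2).
# MAC addresses are made up for this example; the point is the pattern from
# Step 12, where the Windows Server entry (192.168.0.1) suddenly carries the
# same physical address as Kali Linux (192.168.0.3).
ARP_A_CLEAN = """
Interface: 192.168.0.2 --- 0x6
  Internet Address      Physical Address      Type
  192.168.0.1           08-00-27-11-22-33     dynamic
  192.168.0.3           08-00-27-aa-bb-cc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_A_POISONED = """
Interface: 192.168.0.2 --- 0x6
  Internet Address      Physical Address      Type
  192.168.0.1           08-00-27-aa-bb-cc     dynamic
  192.168.0.3           08-00-27-aa-bb-cc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Baseline recorded in Step 2 of the lab from `ipconfig /all` on each host
# (constructed values, matching the clean table above).
BASELINE = {
    "192.168.0.1": "08-00-27-11-22-33",  # Windows Server
    "192.168.0.3": "08-00-27-aa-bb-cc",  # Kali Linux
}

# One entry line of Windows `arp -a`: IPv4 address, hyphenated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for every entry line in Windows `arp -a` output.

    Interface headers and column headers do not match ENTRY_RE and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries[match.group(1)] = match.group(2).lower()
    return entries


def is_unicast_mac(mac):
    """True for unicast MACs: the I/G bit (LSB of the first octet) is 0."""
    return int(mac.split("-")[0], 16) & 1 == 0


def find_duplicate_macs(entries):
    """Return {mac: [ips]} for unicast MACs that more than one IP resolves to.

    Broadcast and multicast entries are ignored because many IPs legitimately
    share those addresses. Two hosts sharing one unicast MAC is the fingerprint
    ARP poisoning leaves in a victim's cache.
    """
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        if is_unicast_mac(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_baseline_mismatches(entries, baseline):
    """Return {ip: (expected_mac, observed_mac)} where the cache disagrees
    with the physical addresses recorded before the attack."""
    mismatches = {}
    for ip, expected in baseline.items():
        observed = entries.get(ip)
        if observed is not None and observed != expected.lower():
            mismatches[ip] = (expected.lower(), observed)
    return mismatches


if __name__ == "__main__":
    # Usage: feed the saved output of `arp -a` from a host on standard input.
    import sys
    table = parse_arp_table(sys.stdin.read())
    print("duplicate MACs:", find_duplicate_macs(table))
    print("baseline mismatches:", find_baseline_mismatches(table, BASELINE))
```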

Review Questions:
1. Which of the following attacks is available on ettercap?
- a. ICMP redirection
- c. Port stealing
- d. DHCP spoofing.
2. Why did you not see evidence of the pings between Windows Server and Windows 10
VM in Step 7 of this lab?
- Because the table has been updated before the capturing.
3. Why did you see evidence of the pings between Windows Server and Windows 10 VM in
Step 13 of this lab?
- Because it works as ICMP.
4. The ettercap log analyzer can handle only uncompressed logfiles. True or False?
- False.
5. The configuration file for ettercap is
- b. /etc/ettercap/etter.conf

Lab 5.4 Man-in-the-Middle Attack


In this lab, you use ettercap to perform a man-in-the-middle attack. Then, you intercept and
transmit a victim’s attempts to access webpages.
1. Log on to Windows Server as administrator. Open your web browser, access any website
to verify that you have Internet connectivity, and then close your web browser.
2. Launch Kali Linux, open a terminal window, and ping Windows Server to verify
connectivity. If the ping is not successful, then troubleshoot the connectivity.

3. Click the Applications button, click Sniffing/Spoofing, then click ettercap-graphical.


Click the Accept button at the top right to start Unified sniffing.

4. At the top left corner, click the Scan for hosts button (the magnifying glass icon). From the
Hosts menu, click Hosts list.
5. Select the Hosts list entry that represents the router (default gateway) as identified by your
instructor. Click Add to Target 1. Select the entry that represents Windows Server and
click Add to Target 2.

6. From the Mitm menu, click Arp poisoning. In the MITM Attack: ARP Poisoning
window, select the Sniff remote connections checkbox and click OK.
7. From the Plugins menu, click Manage the plugins. Scroll down and double-click the
plugin named remote_browser.

8. On Windows Server, open your web browser. In the address window, type
www.google.com and press Enter. The website appears.

Notice what happens in the lower frame of the ettercap window.


9. Close ettercap.
10. On Windows Server, enter www.yahoo.com in your browser's address window and press
Enter. Notice that the website does not appear.
11. Open a command prompt, type arp -d* and then press Enter.

12. Return to your web browser and enter www.yahoo.com in your browser's address window,
and then press Enter. Notice that the website now appears.
13. You may want to leave your systems running and use the arp command and Wireshark as
you answer the Review Questions.

Review Questions:
1. Why did the website not appear in Step 11 of this lab?
- Because first we need to delete all entries from the ARP table.
2. Why did the website appear in Step 13 of this lab?
- With the command arp -d* we deleted all the entries from the ARP table.
3. During the man-in-the-middle attack in this lab,
- a. an analysis of the network layer headers would indicate that Server was
communicating directly with the Internet.
- c. an analysis of the network layer headers would indicate that Server was
communicating directly with Kali Linux
4. Which of the following attacks is supported by ettercap?
- b. DNS spoofing.
5. Which of the following actions could limit ARP poisoning as performed in this lab?
- a. Static IP addressing
- c. Static ARP tables.

Lab 9.1 Verifying the Integrity of the Hosts File


In this lab, you download a cryptographic hashing tool and test the integrity of your hosts file
before and after its modification.
1. Log on to either Windows 10 VM or Windows Server with an administrative account,
open your web browser, and go to https://github.com/jessek/hashdeep/releases.
2. Scroll down and click md5deep-4.4 zip link to download it.
3. Click Show in Folder.

4. Close your web browser.


5. Right-click the hashdeep-release-4.4 archive file on your desktop. Click Extract all.
In the Extract Compressed (Zipped) Folders window, click the Browse button and navigate
to Local Disk (C:). Click OK in the Select a destination window, and click Extract.
6. For ease in navigation from the command prompt, rename the md5deep-4.4 folder to md5.

7. Open This PC and navigate to C:\Windows\System32\drivers\etc, then double-click the
hosts file and open it with Notepad.
8. The first lines are preceded by the # sign. This symbol tells the operating system to
disregard the lines. These lines are remarks for the user to read and are said to have been
“rem’ed out” (remarked out). The last two lines provide the system’s IPv4 and IPv6 loopback
addresses, which tell the system how to refer to itself. Note that on the Windows 10 VM and
Windows Server these last two lines are rem’ed out.
9. Close the hosts file. Click Start, type cmd, and press Enter.
10. At the command prompt, type cd C:\md5 to navigate to the md5 directory and then type
dir and press Enter.

11. Notice that several files have an .exe extension. These allow you to hash files using
different hashing algorithms.
12. At the command prompt, type sha256deep C:\Windows\System32\Drivers\etc\hosts and
press Enter.
13. Highlight and copy the hash to the clipboard.

14. Open Notepad, right-click anywhere inside the blank Notepad document, and select Paste.
Your hash of the hosts file should appear. From the File menu, click Save As. In the File
name box, type hosthash. In the Save as type box, verify that Text Documents (.txt) is
selected. Navigate to your desktop, click Save, and then close the file.

15. Open Notepad with administrative privileges and, if necessary, click Yes in the User
Account Control box. From the File menu, click Open, navigate to the hosts file, and open
it. Add the following line to the bottom of the file: 69.32.133.79 www.boguswebaddress.net.
From the File menu, click Save and then close the hosts file.
16. Repeat Steps 13 and 14, then open hosthash.txt and paste the second hash in the file.
The hash of the host file has changed because we have changed its content.

17. Open your web browser and go to www.boguswebaddress.net.


When we include the line “69.32.133.79 www.boguswebaddress.net” in the hosts file, we
associate the domain name www.boguswebaddress.net with the IP address 69.32.133.79,
which overrides the DNS resolution process. Because this IP address is not the correct IP
address for the website we are trying to access, it will be blocked.
18. Close all windows and log off.
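A small integrity check for the hosts file, written here as an added example (not part of the lab or of the hashdeep tools): it hashes the file bytes the way sha256deep does, compares the result with the value saved in hosthash.txt in Step 14, and flags active lines that pin a hostname to a non-loopback address, such as the one added in Step 15. The file contents below are constructed stand-ins for the lab's Windows hosts file.

```python
import hashlib
import ipaddress

# Constructed stand-in for the lab's hosts file before Step 15. As the lab notes,
# the loopback lines on Windows 10 / Server 2016 are rem'ed out with '#'.
# CRLF line endings are kept because that is what sha256deep hashes on disk.
HOSTS_BEFORE = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    "#\r\n"
    "# 102.54.94.97     rhino.acme.com          # source server\r\n"
    "#\r\n"
    "# localhost name resolution is handled within DNS itself.\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "#\t::1             localhost\r\n"
)

# The same file after the line added in Step 15 of the lab.
HOSTS_AFTER = HOSTS_BEFORE + "69.32.133.79 www.boguswebaddress.net\r\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw bytes, as sha256deep reports it: 64 hex characters
    for 256 bits (compare Review Question 3)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path) -> str:
    """Hash a file on disk; binary mode so CRLF bytes are hashed as stored."""
    with open(path, "rb") as fh:
        return sha256_hex(fh.read())


def verify_hash(data: bytes, baseline_hex: str) -> bool:
    """Compare against the hash saved in hosthash.txt, ignoring case and
    surrounding whitespace from the copy/paste in Step 13."""
    return sha256_hex(data) == baseline_hex.strip().lower()


def parse_hosts(text: str):
    """Return [(ip, [names])] for the active (not rem'ed out) lines.

    A '#' anywhere starts a comment, so inline remarks are dropped too.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def suspicious_entries(text: str):
    """Flag active lines that map a hostname to anything but a loopback address.

    Such a line overrides DNS for that name, which is exactly what Step 15 does
    to www.boguswebaddress.net. Malformed addresses are flagged as well.
    """
    flagged = []
    for ip, names in parse_hosts(text):
        try:
            benign = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            benign = False
        if not benign:
            flagged.extend((ip, name) for name in names)
    return flagged


if __name__ == "__main__":
    # Stand-alone demonstration on the constructed file contents above.
    baseline = sha256_hex(HOSTS_BEFORE.encode("ascii"))
    print("baseline hash:", baseline)
    print("after Step 15 still matches baseline:",
          verify_hash(HOSTS_AFTER.encode("ascii"), baseline))
    print("suspicious entries:", suspicious_entries(HOSTS_AFTER))
```

On a real system, call hash_file on C:\Windows\System32\drivers\etc\hosts and pass the saved hosthash.txt value to verify_hash; the parser functions take the file's text.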

Review Questions:
1. What is the DNS record type for an IPv6 address?
- c. AAAA
2. What is the IPv6 loopback address?
- d. ::1
3. How many hexadecimal characters are needed to express 256 bits?
- c. 64
4. Which of the following statements regarding hashes is true?
- a. When a 200 MB file that has been previously hashed has one byte changed, a
second hash of the file will be nearly similar to the first hash.
5. Hashing is a useful tool in
- a. intrusion detection
- c. prevention of unauthorized file modification
- d. the development of secure cryptographic algorithms.

Lab 9.2 Installing the FTP Server Service and Wireshark


In this lab, you install and configure an FTP server on Windows Server 2016 and download
and install the protocol analyzer Wireshark.
1. Log on to Windows Server as Administrator.
2. In Server Manager click Manage, then click Add Roles and Features, and click Next at
the Before You Begin window. In the Installation Type window, click Next. In the Server
Selection window, click Next.
4. In the Server Roles window, place a check mark in the box to the left of Web Server (IIS).
5. Expand the Web Service (IIS), expand the FTP Server, and place a check mark in the FTP
Service check box.
6. Click Next 2 times.
7. Click Install.
8. When the installation has completed, click Close in the Roles and Features Wizard dialog
box.

9. In Server Manager, click Tools, then click Internet Information Services (IIS) Manager.
10. You must configure your IIS server to handle FTP protocols. In the Server Manager
Dashboard, click Add roles and features.
11.  17. Click Next 4 times and Close.
18. On the Windows server, create a folder named FTP Data on the C: drive. Within that
folder, create a file called Credentials.txt that contains your name and the current date.

19. Open the IIS Manager dialog box and expand the Windows Server node. Right click the
Sites node and select Add FTP site.
20. In the FTP site name text box, enter FTP Data. In the Physical Path, navigate to the FTP
Data folder you created in step 19. Click Next.
21. Notice in the Bindings and SSL Settings window that the FTP server will be listening for
requests for FTP service at TCP port 21, the standard FTP control port. In the IP Address drop
down, select the server's IP address. Select the No SSL option and click Next.

22. Select Basic and Anonymous in the Authentication area.


23. In the Authorization area, select All users from the dropdown and verify that Permissions
are set to both Read and Write. Click Finish.
24. In the search box type wf.msc to open Windows Firewall. Click Windows Firewall
Properties. Turn off the firewall for Domain, Private, and Public. Click Apply and then OK.
25. Log on to Windows 10 VM with an administrative account.
26. Open your web browser and go to www.wireshark.org.

27. Click the Download-Get Started Now button. On the Download Wireshark page, click
Windows Installer (XX-bit), where XX is the number of bits of your version of the OS. In
the File Download window, click Save and save the file to your desktop.

28. In the Download complete window, click Run.

29. Click Next on the Welcome to the Wireshark Setup Wizard page, click I Agree at the
License Agreement page, accept the default components on the Choose Components page,
and click Next. Accept the default settings on the Select Additional Tasks page and click
Next, accept the default Destination Folder and click Next, and then accept the default
settings on the Install WinPcap page and click Install.

30. Click Next at the Welcome to the WinPcap Setup Wizard page, click Next again, and then
click I Agree at the License Agreement page.

31. Click Install, click Finish at the Completing the WinPcap Setup Wizard page, click Next, and
then click Finish on the final page.
32. Close all windows and log off.

Review Questions:
1. Your Windows Server 2016 is named server02.acme.com. It is running the FTP server
service. While reviewing the FTP logs, you notice entries indicating that a user named
IUSR_SERVER02 has been logging on and accessing the FTP directory. What is the
significance of these log entries?
a. Anonymous access is permitted by your FTP server.
2. Which of the following is a capture file format that can be read by Wireshark?
a. Microsoft Network Monitor captures
c. Novell LANalyzer captures
d. tcpdump
3. Which of the following statements best describes the function of WinPcap?
b. WinPcap allows applications to capture and transmit network packets bypassing the
protocol stack.
4. In a Windows Server 2016 FTP server, configuration options in the FTP site's
Properties/Directory Security permit administrators to block specific computers from connecting
with the FTP server based on the client's IP address or NetBIOS name. True or False?
True.
5. You have decided to track user activity on your Windows Server 2016 FTP server by
storing your FTP log file information in a Microsoft Access database. What would be the
most sensible choice of formats in which to save your FTP log files?
b. ODBC logging.
Lab 9.3 Capturing and Analyzing FTP Traffic
In this lab, you use a protocol analyzer to capture FTP traffic and analyze the results.
1. Log on to Windows 10 VM as the administrator.
2. Open Wireshark program.

3. Select the Ethernet controller you wish to capture packets from.


4. Click the Start button. Unless there is no network traffic at all, you will see frames, appearing as
rows, added to your screen. If you are on a switched network, you will not see all the traffic
on the network. Focus on the communication between the Windows 10 VM and the Windows Server.
On the Capture menu, click Stop so you can set up your connection to the FTP server.

5. Start the Wireshark capture.


6. On the Windows 10 VM, open a command prompt, type cd \, and press Enter.
7. Type ftp followed by the IP address of the Windows Server and press Enter.

8. Log into the FTP server using the administrator account credentials.
9. In Server Manager, click Tools, then click Active Directory Users and Computers,
expand your domain, right-click the Users container, click New, and click User. Create a user
with the full name Molly C Bloom, the User login name mbloom, and the password
Pa$$word. Select User cannot change password.

10. Log on to the FTP server as mbloom. Type Molly Bloom's password as Pa$$word and
press Enter.

11. At the ftp> prompt, type dir and press Enter to see what files are in the FTP server's home
directory. You should now see the file Confidential.txt listed.

12. Download Confidential.txt to your C: drive as follows: Type get Confidential.txt and
press Enter. Type bye and press Enter to disconnect from the FTP server; return to
Wireshark and, from the Capture menu, click Stop.

14. Open C:\ to verify that the Confidential.txt file has been downloaded successfully.

15. Return to Wireshark and examine the captured packets.


16. If, in the Source and Destination columns, you see a lot of IP addresses or MAC addresses
that don't belong to your Windows 10 VM or your FTP server, click Capture and then select
Capture Filters. This opens the dialog box where you can restrict the addresses Wireshark
listens for. Note that a capture filter only takes effect on a new capture; to narrow the capture you
already have, type a display filter such as ip.addr == <server IP> or ftp || ftp-data in the filter bar.

17. Examine the frames and look at the Info column for clues to the purpose or content of the
frame; keep an eye on the ASCII representation of the data portion of the frame in the lower
window. What parts of the FTP session would be readable to an attacker sniffing the network
with a protocol analyzer like Wireshark?
- If plain FTP is used (no TLS, as configured here with No SSL on TCP port 21), the whole
control channel is readable: the USER and PASS commands carry the username and password in
cleartext, and the RETR/STOR commands reveal which files are being transferred.
- The data channel is also cleartext, so an attacker can capture the content of transferred files.
This holds in active mode (PORT, where the server initiates the data connection from port 20)
and equally in passive mode (PASV, where the client connects to the port the server names).

18. Return to the Windows Server and restore Windows Firewall to its original settings.

19. Close Wireshark without saving the capture. Close all open windows and log off.
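The following script is an added example, not part of the lab manual or of this report. It answers the step 17 question programmatically: it reads a pcap file the way Wireshark's FTP and FTP-DATA dissectors do and pulls out the cleartext username, password, file names and file contents. To run offline it builds the capture itself from hand-constructed frames mirroring the session above; the IP addresses, the client port numbers and the file body are assumptions. It goes one step beyond the lab by handling passive-mode (PASV/227) data connections as well as the active-mode (PORT) connections that the Windows ftp.exe client uses.

```python
"""Added example, not part of the lab manual or student report: pull the
cleartext items step 17 asks about (USER/PASS, file names, file contents)
straight out of a pcap file instead of reading them off the Wireshark
screen. The capture is constructed here from hand-built frames so the
script runs offline; on a real capture saved from Wireshark (File > Save
As, pcap format) call extract_ftp(open("capture.pcap", "rb").read()).
The addresses, ports and file contents below are assumptions."""
import struct

CLIENT, SERVER = "192.168.1.20", "192.168.1.10"   # assumed lab addresses
FTP_PORT, CTRL_PORT = 21, 50001                  # server control port, client ephemeral port
CONTENT = b"Sample Name 2024-01-01\r\n"          # constructed Confidential.txt body


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, sport, dport, payload):
    """Ethernet II + IPv4 + TCP (PSH/ACK, no options; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, payload) for every TCP-over-IPv4 frame."""
    pos = 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # drop Ethernet padding
        if ip[9] != 6:                              # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[(tcp[12] >> 4) * 4:])


def extract_ftp(pcap, ctrl_port=FTP_PORT):
    """Return what a sniffer learns: credentials, transferred names, data bytes.

    Works for both FTP data-connection modes: PORT (active, server connects
    from port 20 to the port the client names) and PASV (passive, server
    names a port in its 227 reply and the client connects to it)."""
    found = {"user": None, "password": None, "files": [], "data": b""}
    data_ports = set()
    for src, dst, sport, dport, payload in iter_tcp(pcap):
        if not payload:
            continue
        if dport == ctrl_port:                      # client -> server commands
            for line in payload.decode("ascii", "replace").splitlines():
                cmd, _, arg = line.partition(" ")
                if cmd == "USER":
                    found["user"] = arg
                elif cmd == "PASS":
                    found["password"] = arg
                elif cmd in ("RETR", "STOR"):
                    found["files"].append(arg)
                elif cmd == "PORT":
                    o = arg.split(",")
                    data_ports.add(int(o[4]) * 256 + int(o[5]))
        elif sport == ctrl_port:                    # server -> client replies
            text = payload.decode("ascii", "replace")
            if text.startswith("227"):
                o = text[text.index("(") + 1:text.index(")")].split(",")
                data_ports.add(int(o[4]) * 256 + int(o[5]))
        elif sport in data_ports or dport in data_ports or sport == ctrl_port - 1:
            found["data"] += payload                # ftp-data channel, also plaintext
    return found


def sample_capture(passive=False):
    """Constructed control and data exchange mirroring the lab's session."""
    c2s = lambda p: build_frame(CLIENT, SERVER, CTRL_PORT, FTP_PORT, p)
    s2c = lambda p: build_frame(SERVER, CLIENT, FTP_PORT, CTRL_PORT, p)
    if passive:   # client asks, server answers with 192.168.1.10 port 200*256+10
        setup = [c2s(b"PASV\r\n"), s2c(b"227 Entering Passive Mode (192,168,1,10,200,10).\r\n")]
        data = build_frame(SERVER, CLIENT, 200 * 256 + 10, 50002, CONTENT)
    else:         # Windows ftp.exe default: client names port 195*256+80 = 50000
        setup = [c2s(b"PORT 192,168,1,20,195,80\r\n"), s2c(b"200 PORT command successful.\r\n")]
        data = build_frame(SERVER, CLIENT, 20, 50000, CONTENT)
    return build_pcap([
        s2c(b"220 Microsoft FTP Service\r\n"),
        c2s(b"USER mbloom\r\n"), s2c(b"331 Password required\r\n"),
        c2s(b"PASS Pa$$word\r\n"), s2c(b"230 User logged in.\r\n"),
        *setup,
        c2s(b"RETR Confidential.txt\r\n"), s2c(b"125 Data connection already open; Transfer starting.\r\n"),
        data, s2c(b"226 Transfer complete.\r\n"),
        c2s(b"QUIT\r\n"), s2c(b"221 Goodbye.\r\n"),
    ])


if __name__ == "__main__":
    for mode in (False, True):
        r = extract_ftp(sample_capture(passive=mode))
        print("passive" if mode else "active", r["user"], r["password"], r["files"], r["data"])
```

Both runs print the username mbloom, the password Pa$$word, the file name Confidential.txt and the file body, which is exactly what the display filter ftp || ftp-data shows in Wireshark for this lab. The parser trusts the IP total-length field rather than the captured frame length so that the Ethernet padding present on short real frames is not mistaken for FTP data.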
Review Questions:
1. You have been asked to install an FTP server on the company's internal network, to be
used only by an employee committee that will be working on an advertising campaign to
encourage employees to donate to a charity. Which of the following would be the most
secure configuration of the FTP server?
a. Require users to authenticate using their domain account.
2. In this lab, what is listed in the Info column of the frame in which the content of the file
Confidential.txt is visible?
a. FTP Data.
3. Which of the following statements is the most accurate description of the communication
between Windows 10 VM and the FTP server in this lab?
c. Windows 10 VM initiated the connection by sending to the FTP server a packet
with TCP flag SYN set
4. Which of the following statements is the most accurate description of the communication
between the Windows 10 VM system and the FTP server in this lab?
d. The FTP server was not first contacted by Windows 10 VM; it advertised its FTP
service, and Windows 10 VM responded.
5. Which of the following statements is the most accurate description of the communication
between the Windows 10 VM system and the FTP server in this lab?
b. The teardown of the TCP session began when Windows 10 VM sent a FIN packet
to the FTP server.