University of Baltimore
Merrick School of Business
INSS 453/753 - Internet and Network Security

Mini-project 5: scanning for remote control, Trojans and rootkits. Setup of firewalls and IDS.
All mini-projects are due on Sundays by 11 PM.
This project can be done using the PCs of members of the group, or one PC in the MISLAB and one PC of one of the members of the group.
- Install a VNC client in the MISLab, or on one of the group members' PCs, and a VNC server on another PC belonging to a group member. Note: if the PC with the VNC server installed uses a dynamic IP address, type ipconfig or similar at the shell/DOS prompt on the server PC. Let the other group member(s) know the current IP address so that a connection can be established between VNC client and server. Capture the screen of the client PC after the connection has been established.
- Use Nmap SYN Stealth (other forms of scans and tools may be seen as an attack) to scan the PC hosting VNC (of a group member) for open ports used by remote control software, as seen in class. You should find an open port for VNC on the PC. Show me the results of the scan.
- Use the on-line Symantec check to see if the MIS Lab or the PC you are using has any known Trojan or backdoor programs listening for commands. Show me the results you obtained, similarly to what we saw in class. Can you completely trust these results? Why (yes or no)?
- Use Nmap or SuperScan to scan your PC at the MIS Lab, or to scan a PC of one of the group members, for Trojans. Be sure to build a table of Trojan ports based on the references given in class. Show me (include in your report) the results you obtained and the table you used.
- Download and install RootkitRevealer and check if your MIS Lab or home PC has a persistent rootkit. Why should RootkitRevealer be run as a service?
- Install Zone Alarm in Windows. Define which hosts are in your LAN and capture the image. Set the security level to low in the LAN and high in the Internet. Use telnet, ftp and a browser, see what happens (get one image) and authorize their use. Show me the list of authorized programs to access the Internet.
- Uninstall ZoneAlarm and install the Kerio firewall in Windows, explain how it works and manually block access to some ports (see prior class meetings for suggestion of ports which should be blocked), both for inbound and outbound traffic. Download and install the LeakTest. Run the Leak Test and show me the result.
- Download and install Winpcap and Snort in Windows. Have one group member register with Snort. Download and unzip signatures and rules for Snort. This slide will help you to do it. Show me what you did.
- Start Snort at the command prompt and make Snort log events to the Windows Event Viewer. Show me what you did, an image of the Event Viewer with a few alerts, and show me a message of one of the alerts. This other slide may help you.
- Finally, explain how you can use Task manager in Windows to stop programs you are suspicious of, when reading one of the scans obtained in prior items.
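For the two Nmap items above (the VNC scan and the Trojan port scan), one way to compare scan results against a port table, shown as an added example that is not part of the course materials. It assumes the scan was saved in Nmap's grepable format (-oG); the table entries are a constructed sample of widely documented default ports, the scan text is constructed, and the function names are hypothetical. Use the table built from the class references in its place.

```python
import re

# Constructed sample table of widely documented default ports.
# Replace it with the table built from the class references.
WATCHED_PORTS = {
    5900: "VNC (remote control)",
    12345: "NetBus",
    27374: "SubSeven",
    31337: "Back Orifice",
}

# Constructed sample of Nmap grepable output (nmap -sS -oG), private address.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 135/open/tcp//msrpc///, 445/filtered/tcp//microsoft-ds///, 5900/open/tcp//vnc///, 12345/open/tcp//netbus///\tIgnored State: closed (996)
"""

# Each port entry looks like: port/state/protocol/owner/service/rpc/version/
PORT_FIELD = re.compile(r"(\d+)/([^/]*)/([^/]*)/")


def open_tcp_ports(grepable_text):
    """Return {host: sorted list of open TCP ports} from grepable output."""
    result = {}
    for line in grepable_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and status-only lines
        host = line.split()[1]
        ports_part = line.split("Ports:", 1)[1].split("\t", 1)[0]
        ports = result.setdefault(host, [])
        for entry in ports_part.split(","):
            m = PORT_FIELD.match(entry.strip())
            # "filtered" and "closed" are not listeners; keep only "open"
            if m and m.group(2) == "open" and m.group(3) == "tcp":
                ports.append(int(m.group(1)))
        ports.sort()
    return result


def flag_watched(grepable_text, table=WATCHED_PORTS):
    """Return (host, port, label) for each open port present in the table."""
    hits = []
    for host, ports in open_tcp_ports(grepable_text).items():
        hits.extend((host, p, table[p]) for p in ports if p in table)
    return hits


if __name__ == "__main__":
    for host, port, label in flag_watched(SAMPLE_SCAN):
        print(f"{host}: tcp/{port} open, default port of {label}")
```

A match only shows that something is listening on a port the table associates with a program; a legitimate service can use the same port and a Trojan can be configured to use another, so the owning process still has to be identified on the host.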
Submitting the report
- Open Firefox or Internet Explorer in Windows, and post your group project report in the Mini-project 5 entry of the Assignments folder of one of the group members in WebTycho.
- Use screen capture software to capture some of the screens you saw as a result of the above assignment items. Include the images in the final report.
- You should submit just one file per group in MS Word format.
This page is maintained by Al Bento who can be reached at abento@ubalt.edu
This page was last updated on November 6, 2007. Although we will attempt to keep this information accurate, we cannot guarantee the accuracy of the information provided.